Jump to content

Nytro

Administrators
 View Profile  See their activity

  • Posts

    18772

  • Joined

  • Last visited

  • Days Won

    729

 Content Type 

Everything posted by Nytro

  1. Nytro
    Writing shellcode for Linux and *BSD Author: Daniele Mazzocchio Last update: Apr 26, 2005 Latest version: Writing shellcode for Linux and *BSD - Table of contents Table of Contents 1. Introduction...................................................................................................................................... 2 2. Linux system calls............................................................................................................................ 3 2.1 int 0x80...................................................................................................................................... 3 2.2 libc............................................................................................................................................. 4 3. *BSD system calls............................................................................................................................6 4. Writing the shellcode........................................................................................................................7 4.1 In assembler............................................................................................................................... 7 4.2 In C............................................................................................................................................ 9 5. Spawning a shell.............................................................................................................................11 6. Shellcode analysis.......................................................................................................................... 15 6.1 Trust is good............................................................................................................................ 15 6.2 ...but control is better............................................................................................................... 15 7. Appendix........................................................................................................................................ 19 7.1 References................................................................................................................................19 7.2 Bibliography............................................................................................................................ 19 Download: http://www.shell-storm.org/papers/files/442.pdf
  2. Nytro
    Understanding Windows Shellcode skape mmiller a hick.org Last modified: 12/06/2003 Contents 1 Foreword 3 2 Introduction 4 3 Shellcode Basics 5 3.1 System Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.2 Finding kernel32.dll . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.2.1 PEB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.2.2 SEH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.2.3 TOPSTACK . . . . . . . . . . . . . . . . . . . . . . . . . 10 3.3 Resolving Symbol Addresses . . . . . . . . . . . . . . . . . . . . . 11 3.3.1 Export Directory Table . . . . . . . . . . . . . . . . . . . 11 3.3.2 Import Address Table (IAT) . . . . . . . . . . . . . . . . 13 4 Common Shellcode 15 4.1 Connectback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 4.2 Portbind . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 5 Advanced Shellcode 29 5.1 Download/Execute . . . . . . . . . . . . . . . . . . . . . . . . . . 29 6 Staged Loading Shellcode 39 6.1 Dynamic File Descriptor Re-use . . . . . . . . . . . . . . . . . . . 39 6.2 Static File Descriptor Re-use . . . . . . . . . . . . . . . . . . . . 42 6.3 Egghunt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 6.4 Egghunt (syscall) . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 6.5 Connectback IAT . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 7 Conclusion 49 8 Detailed Shellcode Analysis 50 8.1 Finding kernel32.dll . . . . . . . . . . . . . . . . . . . . . . . . . 50 8.1.1 PEB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 8.1.2 SEH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 8.1.3 TOPSTACK . . . . . . . . . . . . . . . . . . . . . . . . . 53 1 8.2 Resolving Symbol Addresses . . . . . . . . . . . . . . . . . . . . . 54 8.2.1 Export Table Enumeration . . . . . . . . . . . . . . . . . 54 8.3 Common Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . 56 8.3.1 Connectback . . . . . . . . . . . . . . . . . . . . . . . . . 56 8.3.2 Portbind . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 8.4 Advanced Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . 71 8.4.1 Download/Execute . . . . . . . . . . . . . . . . . . . . . . 71 8.5 Staged Loading Shellcode . . . . . . . . . . . . . . . . . . . . . . 81 8.5.1 Dynamic File Descriptor Re-use . . . . . . . . . . . . . . 81 8.5.2 Egghunt . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 8.5.3 Egghunt (syscall) . . . . . . . . . . . . . . . . . . . . . . . 88 Download: http://www.hick.org/code/skape/papers/win32-shellcode.pdf http://projectshellcode.com/downloads/http___www.hick.org_code_skape_papers_win32-shellcode.pdf
  3. Nytro
    Return Oriented Programming CSCI 6621: Network Security Week 11, Lecture 21: Tuesday, 04/04/2011 Daniel Bilar University of New Orleans Department of Computer Science Spring 2011 Goals today • Review: Buffer overflow, format string • Return Oriented Programming – Chain together sequences (‘gadgets’) ending in RET – Can use good code chunks as ‘alphabet’, string together to get for bad code • Some similarities to an antigram (form of anagram) Within earshot ‡ I won't hear this – Build “gadgets” for load?store, arithmetic, logic, control flow, system calls – Attack can perform arbitrary computation using no injected code at all Some slides gratefully adapted from Shacham BH 08 presentation (UCSD) Download: http://shell-storm.org/papers/files/779.pdf
  4. Nytro
    X86/WIN32 REVERSE ENGINEERING CHEATSHEET Instructions GENERAL PURPOSE 32BIT REGISTERS ADD <dest>, <source> Adds <source> to <dest>. <dest> may be a register or memory. <source> may EAX Contains the return value of a function call. Be a register, memory or immediate value. ECX Used as a loop counter. "this" pointer in C++. CALL <loc> Call a function and return to the next instruction when finished. <proc> EBX General Purpose may be a relative offset from the current location, a register or memory addr. EDX General Purpose CMP <dest>, <source> Compare <source> with <dest>. Similar to SUB instruction but does not ESI Source index pointer Modify the <dest> operand with the result of the subtraction. EDI Destination index pointer DEC <dest> Subtract 1 from <dest>. <dest> may be a register or memory. ESP Stack pointer DIV <divisor> Divide the EDX:EAX registers (64?bit combo) by <divisor>. <divisor> may be EBP Stack base pointer a register or memory. Download: http://shell-storm.org/papers/files/797.pdf
  5. Nytro
    Defeating DEP through a mapped file by Homeostasie (Nicolas.D) Contents 1. Introduction............................................................................................................3 2. Description of the attack scenario..........................................................................4 3. Building a ROP exploit..........................................................................................7 3.1. Step 1 - Open a file containing our shellcode ......................................................................7 3.2. Step 2 - Craft mmap() parameters into the stack..................................................................9 3.2.1. ROP chaining for crafting the first argument to 0......................................................10 3.2.2. ROP chaining for crafting the second and the fourth argument to 1..........................12 3.2.3. ROP chaining for crafting the third argument to 4.....................................................13 3.2.4. ROP chaining for crafting the fifth argument to “fd” value (file descriptor).............14 3.2.5. ROP chaining for crafting the sixth argument to 0.....................................................14 3.3. Step 3 – Call mmap() and jump on the mapped area..........................................................15 4. Conclusion...........................................................................................................18 Download: http://shell-storm.org/papers/files/800.pdf
  6. Nytro
    Autor: Nytro Data: 03.12.2011 Ultimele zile pe Yahoo! Messenger au fost foarte "interesante". Vreau sa lamuresc oarecum lumea, sa explic atat "povestea" cat si cateva detalii tehnice pe intelesul tuturor. Povestea: Pe scurt, de ceva timp exista o problema de securitate in Yahoo! Messenger, o problema care se stia de ceva timp de anumite persoane si care nu a fost facuta publica un timp, problema care, pe langa alte "facilitati", oferea atacatorului posibilitatea de a schimba statusul oricarui utilizator de Yahoo! Messenger (versiunea 11-11.5). Chiar daca problemele au aparut acum in jur de 2 zile pentru utilizaotrii de rand, soft pentru a schimba statusul exista de mai mult timp, insa nu aflasera de el "prietenii" nostri dragi. Mai intai a aparut un soft, destul de bine facut, numit "Y! Disruption". Programul e acesta: Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] Acest program a fost facut public pe un forum cu multi membri, cea mai mare dintre ei niste script-kiddies, adica persoane extrem de interesate de astfel de lucruri penibile, ce in ochii lor sunt numite "hacking". Astfel de persoane folosesc tot felul de programe in special pentru a fura parole sau alte informatii si aceste persoane sunt de vina pentru faptul ca acest program a devenit atat de "popular". Partea oarecum placuta e ca nu au ajuns extrem de multi romani in posesia sa, insa sunt o gramada de persoane care il au. Ideea e simpla: cu doua clickuri poti schimba statusul cuiva, deci nu trebuie sa fii tocmai un inginer pentru a face acest lucru. De aceea si aceasta popularitate a programului. Apoi a aparut problema: niste persoane pasionate de lucruri ca "yahoo invisible detector", pasionate de Yahoo!, au creat o versiune online a acestui program - Ymland. Chiar mai mult, au creat ei ID-urile de pe care se trimit datele (o sa revin cu detalii mai jos), iar copiii enervanti trebuie doar sa specifice un ID si un status, apoi sa apese un buton si gata, se schimba statusul. Moral vorbind, ar fi cateva concluzii de tras de catre cei care au avut statusul schimbat, principala fiind ca aveti persoane in lista de messenger, cunoasteti persoane care nu sunt tocmai genul de prieteni pe care si i-ar dori oricine. Apoi e ideea schimbatului statusului, lucru extrem de usor de realizat si cu rezultate extrem de "marete". Practic e ceva ce "se vede", si din acest motiv stupid au aparut multi ratati care au inceput sa schimbe statusuri. Ai facut si tu asta? Imi pare rau pentru tine daca ai mai mult de 15 ani, nu e tocmai un motiv de mandrie si tot un ratat ramai. Modul de functionare nu e deloc complicat, insa implementarea sa necesita destule cunostinte. Pe scurt, pasii care se executa pentru a se schimba statusul: 1. Se foloseste un ID de messenger de pe care se vor trimite datele, e nevoie de un ID si de o parola (orice cont de Yahoo!) 2. Se logheaza acel ID (numit bot) - cei de la Ymland au creat ei astfel de boti si ii folosesc 3. Acel bot incearca sa trimita un fisier, iar datele pe care le trimite sunt modificate 4. "Victimei" i se deschide o casuta noua de messenger in care botul respectiv incearca sa trimita fisierul 5. Datele modificate, contin un cod simplu HTML care se executa deoarece conversatiile de messenger apar intr-o "pagina" (sa zicem), aceeasi folosita de Internet Explorer 6. codul HTML apeleaza o functie folosita de Yahoo! Messenger, numita "SetCustonStatus" care schimba practic statusul Pentru a nu fi o astfel de "victima", poti face in principal doua lucruri: 1. Din messenger, din bara de meniu, click pe Messenger, apoi Preferences, mergeti la Ignore list, bifati "Ignore anyone who is not in my Yahoo! Contacts", click pe Apply apoi Ok. De ce va ajuta asta? Dupa cum spuneam mai sus, exista un bot care trimite acele date. Acel bot, desigur, poate sa fie un ID din lista voastra, dar astfel veti sti cine "va vrea raul", dar de cele mai multe ori sunt ID-uri aleatoare, create special pentru asa ceva. Practic, nu aveti acel ID in lista, deci daca bifati acea casuta, acel ID nu va putea sa va trimita acele date. Probleme pot sa apara daca doriti sa discutati cu persoane pe care nu le aveti in lista, pentru ca ele nu va vor putea contacta. 2. Folositi un alt client pentru Yahoo! Messenger. Eu va recomand sa folositi Pidgin, il puteti descarca de aici: Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] , mie imi place foarte mult si are niste facilitati extraordinare. Exista si alternative: Trilian - Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] , Digsby - Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] si probabil altele. Problema nu mai apare deoarece acele programe nu folosesc acea "pagina" - frame - folosita de Yahoo! messenger, deci codul nu se poate executa. Partea tehnica: Nu e ceva complicat si oricine poate intelege ce se intampla practic, cum functioneaza aceste programe. Pentru inceput trebuie sa vorbim despre YMSG. Yahoo! Messenger, foloseste TCP (Transfer Control Protocol) ca protocol de comunicatie pe portul 5050, insa la nivel de aplicatie Yahoo! a definit un protocol special numit YMSG (va las sa ghiciti de la ce vine). Pe scurt, protocolul reprezinta regulile dupa care sunt trimise datele de Yahoo! Messenger astfel incat sa fie interpretate corect de destinatar. Partea oarecum buna, este ca acest protocol nu este public, dar e cunoscut in detalii oameni interesati. Ca idee, voi descrie procesul de logare in 3 pasi folosit de messenger: 1. Yahoo! Messenger se conecteaza la un server Yahoo! ca 67.195.187.213 - cs214.msg.ac4.yahoo.com si trimite un pachet YMSG (un pachet cu o strcutura bine stabilita, pachet ce contine de exemplu versiunea protocolului, dimensiunea pachetului si alte lucruri) care pe langa headerul YMSG contine doar ID-ul (doar ID-ul, fara parola sau altceva) pe care se doreste logarea. 2. Serverul trimite ca raspuns pe langa ID, o valoare calculata dupa un anumit algoritm specific Yahoo! 3. Yahoo! Messenger pe baza acelei valori, calculeaza folosind parola, dupa un anumit algormitm, doua valori pe care le trimite serverului, iar daca aceste valori sunt in regula, ID-ul e logat Screenshot-uri pentru fiecare pas: 1. Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] 2. Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] 3. Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] Complet: Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] Pe acelasi principiu functioneaza si acest principiu functioneaza atat programul respectiv, cat si implementarea online a acestui "truc". Programul si scriptul folosit de ymland, logheaza un bot astfel, iar cu acel bot incearca sa trimita un fisier. Ce incearca sa trimita programul: Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] Deci codul e simplu: Code: <form><iframe onload="SetCustonStatus('Status nou');"></iframe></form> Problema este la ce face Yahoo! Messenger cu acest cod. Cum spuneam mai sus, foloseste frame-ul de la Internet Explorer pentru a reda conversatiile. Adica genereaza un HTML in functie de datele trimise/primite si se foloseste de ieframe.dll - pagina de continut din Internet Explorer (e un ActiveX Control, usor de folosit) si afiseaza acel HTML. In screenshot-ul de mai jos nu am facut decat sa modific cateva proproetati ale ferestrei respective pentru a se vedea mai clar acest lucru: Fereastra conversatii: Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] Am reusit dupa ceva chin sa obtin codul HTML al unei ferestre de messenger. Arata cam asa: Code: <BODY style="BACKGROUND: #fff" class=" IM" bottomMargin=0 background="" leftMargin=0 rightMargin=0 scroll=no topMargin=0 bgColor=white><BR style="DISPLAY: none"> <DIV id=ConversationBody class=" "> <DIV style="DISPLAY: none" id=RecentHistory></DIV> ................................................. Ceea ce ne intereseaza pe noi, este modul in care genereaza el codul HTML cand se trimite un fisier. Arata cam asa: ================================================== ================================================== ======= Code: <TABLE id=FT_YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA= class=prompt border=0 cellSpacing=0 cellPadding=0> <TBODY> <TR> <TD vAlign=top width="1%"><IMG class=icon src="file:///C:/Program%20Files/Yahoo!/Messenger/TEMPFTICON_YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=.JPG"></TD> <TD> <DIV id=FT_description_YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=> <H3>poyo_vl is sending you 1 photo:</H3></DIV> <DIV id=FT_list_or_progress_YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=>22222.JPG (189 KB) <BR></DIV> <DIV id=FT_action_YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=><A onclick='$InlineAction("ft_action,YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=,1");return false' href="file:///c://#"><B>Save As...</B></A> (Alt+Shift+A) <A onclick='$InlineAction("ft_action,YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=,2");return false' href="file:///c://#"><B>Decline</B></A> (Alt+Shift+D)</DIV></TD></TR></TBODY></TABLE> ================================================== ================================================== ======= Exemplul e pentru o imagine, dar nu e dificil de inteles. Pentru imaginea care se primeste, se salveaza un thumbnail temporar: Code: <TD vAlign=top width="1%"><IMG class=icon src="file:///C:/Program%20Files/Yahoo!/Messenger/TEMPFTICON_YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=.JPG"></TD> Mesajul care se afiseza (ce_requ_wa este un ID pentru teste), si dimensiunea fisierului: Code: <H3>ce_requ_wa is sending you 1 photo:</H3></DIV> <DIV id=FT_list_or_progress_YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=>22222.JPG (189 KB) <BR></DIV> Insa ceea ce ne intereseaza pe noi este: Code: <A onclick='$InlineAction("ft_action,YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=,1");return false' href="file:///c://#"><B>Save As...</B></A> Un screenshot explicativ: Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] Dupa cum puteti vedea in screenshot, "YzBjNThiMmVlZmY1ODVhZWJmNzQ0ZTRlNzIyNjQ0NTA=" este valoarea cheii 265 din pachetul de transfer al fisierului. Ei bine, acel program si implementarea sa in PHP (cel mai probabil), modifica acea valoare la valoarea: Code: <form><iframe onload="SetCustonStatus('Status nou');"></iframe></form> Si practic acest cod apeleaza functia SetCustonStatus() folosita de Yahoo! Messenger pentru a schimba statusul. Functia respectiva e definita astfel: Code: function SetCustomStatus(a){$Invoke(22,a)} Iar functia $Invoke este definita astfel: Code: function $Invoke(b,a){YAHOO.Msgr.Host.invokeCommand(b,a)} Si tot asa, poveseta cu JavaScriptul se complica, e 05:17 AM si imi e lene sa intru in detalii, oricum nu e nimic interesant. Tot ce trebuie sa stim e ca la apelul acestei functii se schimba statusul. Aveti aici un screenshot cu o parte din cod: Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] Am vazut ca si echipele de antivirusi s-au sesizat in aceasta privinta si mi-a placut de baietii de la BitDefender care au facut o prezentare tehnica a problemei, insa eu am vrut sa explic mai pe larg si pe intelesul tuturor. Aveti aici articolul lor: Doar utilizatorii inregistrati pot vedea linkurile. [ Click aici pentru a te inregistra ] Ei bine, cred ca este de ajuns. Sper ca v-a fost util. // Nyto @ Romanian Security Team
  7. Nytro
    Update zilnic: https://www.facebook.com/rstforum
  8. Nytro
    Hak5 WiFi Hacking Workshop Part 1.1 This time on the show, part 1 of our WiFi from-the-ground-up series. Darren presents a wireless workshop at the Noisebridge hackerspace in San Francisco. If you're into Hak5 you'll love our new show by hosts Darren Kitchen and Shannon Morse. Check out Revision3 > HakTip Whether you're a beginner or a pro, Revision3 > HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more. And let's not forget to mention that you can follow us on Hak5 (Hak5) on Twitter and Hak5 | Facebook, http://revision3.com/hak5/follow to the show and get all your Hak5 goodies, including the infamous wifi-pineapple over at HakShop — Welcome . If you have any questions or suggestions please feel free to contact us at feedback@hak5.org. Hak5 WiFi Hacking Workshop Part 1.2 Published on Jul 19, 2012 by Hak5Darren This time on the show, part 1 of our WiFi from-the-ground-up series. Darren presents a wireless workshop at the Noisebridge hackerspace in San Francisco. If you're into Hak5 you'll love our new show by hosts Darren Kitchen and Shannon Morse. Check out Revision3 > HakTip Whether you're a beginner or a pro, Revision3 > HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more. And let's not forget to mention that you can follow us on Hak5 (Hak5) on Twitter and Hak5 | Facebook, http://revision3.com/hak5/follow to the show and get all your Hak5 goodies, including the infamous wifi-pineapple over at HakShop — Welcome . If you have any questions or suggestions please feel free to contact us at feedback@hak5.org. Hak5 WiFi Hacking Workshop Part 1.3 Published on Jul 19, 2012 by Hak5Darren This time on the show, part 1 of our WiFi from-the-ground-up series. Darren presents a wireless workshop at the Noisebridge hackerspace in San Francisco. If you're into Hak5 you'll love our new show by hosts Darren Kitchen and Shannon Morse. Check out Revision3 > HakTip Whether you're a beginner or a pro, Revision3 > HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more. And let's not forget to mention that you can follow us on Hak5 (Hak5) on Twitter and Hak5 | Facebook, http://revision3.com/hak5/follow to the show and get all your Hak5 goodies, including the infamous wifi-pineapple over at HakShop — Welcome . If you have any questions or suggestions please feel free to contact us at feedback@hak5.org. Hak5 WiFi Hacking Workshop Part 2.1 Published on Jul 25, 2012 by Hak5Darren This time on the show, part 2 of our WiFi from-the-ground-up series. Darren presents a wireless workshop at the Noisebridge hackerspace in San Francisco. Hak5 WiFi Hacking Workshop Part 2.2 Published on Jul 25, 2012 by Hak5Darren This time on the show, part 2 of our WiFi from-the-ground-up series. Darren presents a wireless workshop at the Noisebridge hackerspace in San Francisco. Hak5 WiFi Hacking Workshop Part 2.3 Hak5 WiFi Hacking Workshop Part 2.3 Published on Jul 25, 2012 by Hak5Darren This time on the show, part 2 of our WiFi from-the-ground-up series. Darren presents a wireless workshop at the Noisebridge hackerspace in San Francisco. Hak5 WiFi Hacking Workshop Part 3.1 Published on Jul 31, 2012 by Hak5Darren This time on the show, the conclusion of our WiFi from-the-ground-up series. Darren presents a wireless workshop at the Noisebridge hackerspace in San Francisco. Hak5 WiFi Hacking Workshop Part 3.2 Published on Jul 31, 2012 by Hak5Darren This time on the show, the conclusion of our WiFi from-the-ground-up series. Darren presents a wireless workshop at the Noisebridge hackerspace in San Francisco. Hak5 WiFi Hacking Workshop Part 3.3 Published on Jul 31, 2012 by Hak5Darren This time on the show, the conclusion of our WiFi from-the-ground-up series. Darren presents a wireless workshop at the Noisebridge hackerspace in San Francisco.
  9. Nytro
    [h=1]DeepSec 2010: LTE Radio Interface and its Security Mechanism by Herbert Koblmiller[/h] Published on Jul 30, 2012 by Sicherheitsforschung LTE Radio Interface structure and its security mechanism Herbert Koblmiller, T.B.A. LTE is using complete different Radio Architecture than GSM and UMTS and tries to simplify its Procedure- and Layer structure in order to improve data throughput and latency. Getting rid of the signalling overhead of UMTS but being comparable robust to GSM will possibly the path for LTE to become the successor for the next centuries. This could mean that security mechanism in the radio interface have to be flexible to future developments like LTE advanced.
  10. Nytro
    [h=1]nullcon Goa 2012: Application security cost management - By Ketan Vyas[/h] Published on Aug 1, 2012 by nullOxOO Increasing awareness about cost of data breach, regulatory compliance requirements and operational risk have increased spending for application security however economic downturn brought back the buzz word "do more with less". Security in development lifecycle hits budgetary constraints. This session will cover alternatives for business leader to achieve desired level of application security at rationalized cost.
  11. Nytro
    [h=1]DEFCON 15: LAN Protocol Attacks Part 1 - Arp Reloaded[/h] Uploaded by ChRiStIaAn008 on Jan 29, 2011 Speaker: Jesse "x30n" D'Aguanno Praetorian Global & Digital Revelation Ever wanted to hijack a connection between machines on a LAN, deny service between a host you're attacking and a log server or intrusion detection system, or maybe wanted to sniff traffic on a switched network? Now you can! Er, wait... You already could with the ARP attacks we all know and love. While these network attacks are quite effective, they do have their weaknesses, as well as security controls to help prevent them. In this talk I will build on the previous research in this field and introduce new, more reliable attacks against the ARP protocol which are much less identifiable and able to protect against. For more information visit: http://bit.ly/defcon15_information To download the video visit: Index of defcon-15-video - Good.net
  12. Nytro
    [h=1]25c3: OnionCat -- A Tor-based Anonymous VPN[/h] Uploaded by ChRiStIaAn008 on Dec 10, 2010 Speakers: Daniel Haslinger, Bernhard Fischer Building an anonymous Internet within the Internet OnionCat manages to build a complete IP transparent VPN based on Tor's hidden services, provides a simple well-known interface and has the potential to create an anonymous global network which could evolve to a feature- and information-rich network like we know the plain Internet today. Tor provides so-called "Hidden Services". These are services which are location hidden within the Tor network. This means that not only users are hidden but also services (destination). Tor manages this by assigning virtual addresses to them, so-called .onion-URLs. Tor builds all connections based on them. Unfortunately, access to hidden services is currently not very user-friendly which makes them unattractive although they could provide high privacy in today's world. OnionCat provides an IP-transparent service which does on-demand connections to designated hidden services. This is a Tor-specific virtual private network (VPN). Because of its IP-transparency any client program can use hidden services without further workarounds. This talk is about OnionCat in general, gives a brief introduction into its internals and application examples. More information about the 25th Chaos Communication Congress can be found via the Chaos Communication Congress website: 25C3: 25th Chaos Communication Congress Source: Conference Recordings - 25C3 Public Wiki
  13. Nytro

    Wpa2-psk

    Nytro replied to nslrocket's topic in Cosul de gunoi

    Postasei la Tutoriale Video, nu vad tutorialul video.
  14. Nytro
    [h=3]CVE-2012-2808 : Android 4.0.4 DNS poisoning vulnerability Exposed[/h]Posted On 7/25/2012 12:19:00 PM By THN Security Analyst Android's DNS resolver is vulnerable to DNS poisoning due to weak randomness in its implementation. Researchers Roee Hay & Roi Saltzman from IBM Application Security Research Group demonstrate that how an attacker can successfully guess the nonce of the DNS request with a probability thatis su cient for a feasible attack. Android version 4.0.4 and below are Vulnerable to this bug. Weakness in its pseudo-random number generator (PRNG), which makes DNS poisoning attacks feasible. DNS poisoning attacks may endanger the integrity and con dentiality of the attacked system. For example, in Android, the Browser app can be attacked in order to steal the victim's cookies of a domain of the attacker's choice. If the attacker manages to lure the victim to browse to a web page controlled by him/her, the attacker can use JavaScript, to start resolving non-existing sub-domains. Upon success, a sub-domain points to the attacker's IP, which enables the latter to steal wild card cookies of the attacked domain, and even set cookies. In addition, a malicious app instantiate the Browser app on the attacker's malicious web-page. If the attacker knows the PID (for example, a malicious app can access that information), the attack expected time can be reduced furthermore. Vulnerability dubbed as "CVE-2012-2808" Android 4.1.1 has been released, and patches are available on AOSP. The random sample is now pulled from /dev/urandom, which should have adequate entropy by the time network activity occurs. Sursa: CVE-2012-2808 : Android 4.0.4 DNS poisoning vulnerability Exposed | The Hacker News
  15. Nytro
    [h=1]Introduction to Parallel Computing[/h] [TABLE=width: 100%] [TR] [TD]Author: Blaise Barney, Lawrence Liver[/TD] [TD=align: right][/TD] [/TR] [/TABLE] [h=2]Table of Contents[/h] [LIST=1] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#Abstract"]Abstract[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#Overview"]Overview[/URL] [LIST=1] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#Whatis"]What is Parallel Computing?[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#WhyUse"]Why Use Parallel Computing?[/URL] [/LIST] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#Concepts"]Concepts and Terminology[/URL] [LIST=1] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#Neumann"]von Neumann Computer Architecture[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#Flynn"]Flynn's Classical Taxonomy[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#Terminology"]Some General Parallel Terminology[/URL] [/LIST] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#MemoryArch"]Parallel Computer Memory Architectures[/URL] [LIST=1] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#SharedMemory"]Shared Memory[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#DistributedMemory"]Distributed Memory[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#HybridMemory"]Hybrid Distributed-Shared Memory[/URL] [/LIST] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#Models"]Parallel Programming Models[/URL] [LIST=1] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#ModelsOverview"]Overview[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#ModelsShared"]Shared Memory Model[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#ModelsThreads"]Threads Model[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#ModelsMessage"]Distributed Memory / Message Passing Model[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#ModelsData"]Data Parallel Model[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#Hybrid"]Hybrid Model[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#SPMD-MPMD"]SPMD and MPMP[/URL] [/LIST] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#Designing"]Designing Parallel Programs[/URL] [LIST=1] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#DesignAutomatic"]Automatic vs. Manual Parallelization[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#DesignUnderstand"]Understand the Problem and the Program[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#DesignPartitioning"]Partitioning[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#DesignCommunications"]Communications[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#DesignSynchronization"]Synchronization[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#DesignDependencies"]Data Dependencies[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#DesignLoadBalance"]Load Balancing[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#DesignGranularity"]Granularity[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#DesignIO"]I/O[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#DesignCosts"]Limits and Costs of Parallel Programming[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#DesignPerformance"]Performance Analysis and Tuning[/URL] [/LIST] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#Examples"]Parallel Examples[/URL] [LIST=1] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#ExamplesArray"]Array Processing[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#ExamplesPI"]PI Calculation[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#ExamplesHeat"]Simple Heat Equation[/URL] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#ExamplesWave"]1-D Wave Equation[/URL] [/LIST] [*][URL="https://computing.llnl.gov/tutorials/parallel_comp/#References"]References and More Information[/URL] [/LIST] [TABLE=width: 100%] [TR] [TD=bgcolor: #98ABCE] Abstract [/TD] [/TR] [/TABLE] This tutorial is the first of eight tutorials in the 4+ day "Using LLNL's Supercomputers" workshop. It is intended to provide only a very quick overview of the extensive and broad topic of Parallel Computing, as a lead-in for the tutorials that follow it. As such, it covers just the very basics of parallel computing, and is intended for someone who is just becoming acquainted with the subject and who is planning to attend one or more of the other tutorials in this workshop. It is not intended to cover Parallel Programming in depth, as this would require significantly more time. The tutorial begins with a discussion on parallel computing - what it is and how it's used, followed by a discussion on concepts and terminology associated with parallel computing. The topics of parallel memory architectures and programming models are then explored. These topics are followed by a series of practical discussions on a number of the complex issues related to designing and running parallel programs. The tutorial concludes with several examples of how to parallelize simple serial programs. Tutorial: https://computing.llnl.gov/tutorials/parallel_comp/
  16. Nytro
    [h=1]Joe Stewart on APTs and Cyber Espionage[/h]August 1, 2012, 3:17PM by Dennis Fisher Podcast and Downloads digital_underground_101.mp3 Dennis Fisher speaks with Joe Stewart of the Dell SecureWorks Counter Threat Unit about his team’s new research on the landscape of APT malware families, who is behind the use of these tools and how poorly prepared most organizations are for attacks by these crews. *Podcast audio courtesy of sykboy65 Sursa: Joe Stewart on APTs and Cyber Espionage | threatpost
  17. Nytro
    [h=1]Seeing Through Walls With a Wireless Router[/h] Wi-Spy Click here to see this amazing image even larger. Kevin Hand In the 1930s, U.S. Navy researchers stumbled upon the concept of radar when they noticed that a plane flying past a radio tower reflected radio waves. Scientists have now applied that same principle to make the first device that tracks existing Wi-Fi signals to spy on people through walls. Wi-Fi radio signals are found in 61 percent of homes in the U.S. and 25 percent worldwide, so Karl Woodbridge and Kevin Chetty, researchers at University College London, designed their detector to use these ubiquitous signals. When a radio wave reflects off a moving object, its frequency changes—a phenomenon called the Doppler effect. Their radar prototype identifies frequency changes to detect moving objects. It’s about the size of a suitcase and contains a radio receiver composed of two antennas *and a signal-processing unit. In tests, they have used it to determine a person’s location, speed and direction—even through a one-foot-thick brick wall. Because the device itself doesn’t emit any radio waves, it can’t be detected. Wi-Fi radar could have domestic applications ranging from spotting intruders to unobtrusively monitoring children or the elderly. It could also have military uses: The U.K. Ministry of Defence has funded a study to determine whether it could be used to scan buildings during urban warfare. With improvements, Woodbridge says, the device could become sensitive enough to pick up on subtle motions the ribcage makes during breathing, which would allow the radar to detect people who are standing or sitting still. See image above for how it'll work. 1. MOVING SUBJECT When Wi-Fi radio waves bounce off a moving object, their frequency changes. If, for example, a person is moving toward the Wi-Fi source, the reflected waves’ frequency increases. If a person is moving away from the source, the frequency decreases. 2. REGULAR OL' ROUTER A Wi-Fi Internet router already in the room fills the area with radio waves of a specific frequency, usually 2.4 or 5 gigahertz. 3. BASELINE SIGNAL One antenna of the radar system tracks the baseline radio signal in the room. 4. SHIFTED SIGNAL A second antenna detects radio waves that have reflected off of moving objects, which changes their frequency. 5. PERP, SPOTTED By comparing the two antennas’ signals, the computer calculates the object’s location to within a few feet as well as its speed and direction. [h=2]BREATHE EASY[/h] Breathe Easy: It’s possible to detect a person’s breathing rate by surrounding him with radio waves. Neal Patwari’s wireless engineering group at the University of Utah designed a network of 20 inexpensive radio transmitters that are placed around a patient’s bed. Then they created an algorithm that detects a stationary person’s breaths better than current detectors do. Patwari plans to upgrade the algorithm by the end of the year to filter out body movements too. The system could someday be used in hospitals in place of tubes and masks. —Elbert Chu Sursa: Seeing Through Walls With a Wireless Router | Popular Science
  18. Nytro
    New Trojan “Aida1” has been Identified 2012-07-28 Hi After we ran our new Security Tool “Venak Could Technology” ( it’s not on public now, it’s on Maintenance ) we identified new Trojan called “Aida1” This Trojan used new Social engineering techniques to force computer users to execute the Trojan by user’s Rights click; also the Trojan has been spread By local Iranian Video Services ( “Aka Iranian YouTube” ) www.aparat.com As you can see the Trojan used lots of Enumeration Functions like Files and process and Etc. The attacker or attackers upload some free videos there and then attached this Trojan into comments part. MD5: 9c7002442ee10ee02d338e96708fb619 SHA1: dfdd88fc876d43a612d152e8c866619289255ff8 SHA256: a163d452b3d91e195ed9ece81ad5df331ca56a93baf488750079dd9776bf3913 Also Aida1’s Trojan used Internet Explorer Rights to bypass user’s Firewalls or Internet Security tools. Attackers sent a Message for someone – Aida is name of a Female Girl in Persian language We identified the other version of same Style worm which is used same trick to bypass most Anti Viruses and Internet Security solutions. As you well know most of Anti Viruses will be monitor the .exe files for hunting worms, but this worm will be Ran on “.Tso” file extension not “.exe” The system administrators or power user could not capable to detect the worm via Security tools like Task manager or Process explorer or anti Rootkits. PID 3748 is the Target Worm ( Process Explorer Can’t Verify that because it used the unusual Character ) But it is very similar to the original windows Service. The Worm’s file extension is “.Tso” not “.exe” – Venak and Avenak MPS Edition result If you had any comments and Questions you can ask it Via our Support Team at idea@u0vd.org or Support@u0vd.org Past week “Mehdi” or “Madi” worm was detected worldwide, this week “Aida1” ,we remembered the Alice and Bob ! , what the Nice Couples in Virus World ! Thanks, Support Team. Sursa: http://u0vd.org/index3.htm
  19. Nytro
    Cineva capabil sa faca acele tool-uri.
  20. Nytro
    Ba, Alina Dumitru a reprezentat cu SUCCES Romania la Jocurile Olimpice, si FIIND ACCIDENTATA a reusit sa castige medalia de ARGINT. Pula bleaga, Badea asta, pe langa faptul ca vorbeste mult si prost, ce pula mea a facut?
  21. Nytro
    [h=1]NIST Draft Guide to Malware Incident Prevention and Handling[/h]Tuesday, July 31, 2012 NIST announces the public comment release of Draft Special Publication 800-83 (SP) Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops. Malware is the most common external threat to most hosts, causing widespread damage and disruption and necessitating extensive recovery efforts within most organizations. This publication provides recommendations for improving an organization’s malware incident prevention measures. It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. Draft SP 800-83 Revision 1 updates the original SP 800-83, which was released in 2005. NIST request comments on draft SP 800-83 Revision 1 by Friday, August 31, 2012. Please send comments to 800-83comments@nist.gov, with the subject "SP 800-83 Comments" Downloiad the NIST Draft Guide to Malware Incident Prevention and Handling here: Guide to Malware Incident Prevention.pdf Sursa: NIST Draft Guide to Malware Incident Prevention and Handling
  22. Nytro
    Demonstrati-ne tuturor ca se poate. Imi place ca aveti initiativa. Bafta!
  23. Nytro
    [h=1]DeepSec 2010: Detection of Hardware Keyloggers[/h] Thanks to the DeepSec organisation for making these videos available and let me share the videos on YouTube. Speaker: Fabian Mihailowitsch, Independent Researcher Hardware keyloggers are tiny devices that are plugged between a computer keyboard and a computer. They are available for PS/2 as well as USB keyboards. Once plugged, they are able to record all key strokes and store them using an internal memory. Current models have various megabytes of memory, store the recorded data encrypted, support timestamping of the keyboard events and some even can transfer the key strokes wireless. However the main focus of hardware keyloggers is to stay undetected. Most manufacturers promote their models cannot be detected by software and thus have an advantage over software based keyloggers. But not just the manufacturers' claim hardware keyloggers to be undetectable, even the common belief is they cannot be detected. However that's not correct. Hardware keyloggers make slight changes to the interaction between the keyboard and the computer. These changes can be detected by software and used to determine whether a hardware keylogger is present or not. For example some USB keyloggers change the USB signaling rate or act as USB hub. These changes are quite obvious and can be detected easily. When trying to detect PS/2 keyloggers, things gets more difficult. Nevertheless it is possible. For example whenever PS/2 keyloggers tap the wire actively (this means the data is redirected via the microcontroller of the keylogger), this influences the transfer rate between the keyboard controller (KBC) on the motherboard and the microprocessor of the keyboard. Measuring this time delay, PS/2 hardware keyloggers can be detected too. During the talk an introduction to hardware keyloggers will be given. This introduction covers their features, how they work and gives a short market overview. Afterwards various techniques will be described to detect hardware keyloggers. Some of them are theoretical as they didn't work for the tested models. However others are practical and can be used in real case scenarios. For each technique a detailed presentation will be given, explaining the basic idea, the necessary technical background and the results in practice. Finally a proof of concept tool will be released, that implements some of the techniques to detect PS/2 and USB hardware keyloggers. For more information visit: Schedule - DeepSec IDSC 2010 Europe - Vienna, November 23-26, 2010 To download the video visit: DeepSec 2010 on Vimeo
  24. Nytro
    [h=1]DeepSec 2010: DIY Malware Analysis with Minibis by Aaron Kaplan and Christian Wojner[/h] DYI malware analysis with Minibis Aaron Kaplan & Christian Wojner, CERT.at This talk will show people how to use Minibis - the "mini Anubis" - massmalware analyzer. Since most malware is still easily run-time analyzable via virtualization, we can extract a wealth of knowledge via mass malware analysis. Participants will learn how to crunch through large numbers of malware samples and extract any information they seek such as resolved domain names, the top registry changes, etc. L. Aaron Kaplan and Christian Wojner work at CERT.at, the national CERT of Austria.
  25. Nytro
    [h=1]DeepSec 2010: LTE Radio Interface and its Security Mechanism[/h] Published on Jul 30, 2012 by Sicherheitsforschung LTE Radio Interface structure and its security mechanism Herbert Koblmiller, T.B.A. LTE is using complete different Radio Architecture than GSM and UMTS and tries to simplify its Procedure- and Layer structure in order to improve data throughput and latency. Getting rid of the signalling overhead of UMTS but being comparable robust to GSM will possibly the path for LTE to become the successor for the next centuries. This could mean that security mechanism in the radio interface have to be flexible to future developments like LTE advanced.
×
×
  • Create New...