Nytro

[h=1]PowerSploit: A PowerShell Post-Exploitation Framework![/h] July 23, 2012 By Mayuresh At first, there was Syringe from SecureState. It was expanded upon and a slightly more featured PowerShell-based code/DLL injection utility – Powersyringe. The same author – Matt Graeber – improved upon it again to program PowerSploit. So, PowerSploit is a series of Microsoft PowerShell scripts that can be used in post-exploitation scenarios during authorized penetration tests. It retains much of the same functionality of Powersyringe but each payload is divided into a separate script according to functionality. Additionally, the PowerSyringe code was completely rewritten from scratch. All scripts are now in conformance with proper PowerShell verb-noun agreement and are entirely memory-resident (thanks to certain internal .NET methods and reflection)! PowerSploit also features improved error handing, allowing error handlers to pick up on every fault! [h=2]PowerSploit is comprised of the following scripts:[/h] Inject-Dll: Inject-Dll injects a Dll into the process ID of your choosing. Inject-Shellcode: Inject-Shellcode injects shellcode into the process ID of your choosing or within PowerShell locally. It supports windows/meterpreter/reverse_http and windows/meterpreter/reverse_https payloads too! Encrypt-Script: Encrypt-Script will encrypt a script (or any text file for that matter) and output the results to a minimally obfuscated script – evil.ps1. Get-GPPPassword: Get-GPPPassword retrieves the plaintext password for accounts pushed through Group Policy in groups.xml. Used with permission from @obscuresec (obscuresec). Invoke-ReverseDnsLookup: Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test. Get-PEHeader: Get-PEHeader is the newest in-memory and on-disk PE parsing utility. Get-PEArchitecture: Get-PEArchitecture returns the architecture for which an executable was compiled. Get-DllLoadPath: Get-DllLoadPath returns the path from which Windows will load a Dll for the given executable. Get-ILDisassembly: Disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm. So you can see that in addition to a lot of general purpose scripts, you have a lot of scripts that allow you to work with portable executable’s (PE’s) and reverse engineering (RE). Since this is an open source project, all of this can surely be improved upon. A writing style guide also has been provided by the author on the GitHub page, with the 3 clause BSD license, where this project is hosted. [h=3]Download PowerSploit:[/h]PowerSploit.zip and project home page. Sursa: PowerSploit: A PowerShell Post-Exploitation Framework! — PenTestIT

[h=1]Mom arrested for hacking school computers, tweaking her kids' grades[/h]by Lisa Vaas on July 23, 2012 A US mother is facing six felony counts for allegedly hacking into her children's school computer, changing their grades, and accessing the school's human resources system to open thousands of personnel files that contained contracts, employee reports and other information. The mother, Catherine Venusto, 45, from New Tripoli, Pennsylvania, worked as a secretary for the Northwestern Lehigh School District from 2008 through April 2011 and has at least two children in the district, according to the District Attorney's office. Venusto is accused of changing her daughter's grade from an F to an M for "medical," of allegedly boosting her son's grade of 98 percent to 99 percent, and of using the superintendent's information to log onto the district email system and to access Northwestern Lehigh's human resources system. According to Lehigh Valley Live.com, Venusto allegedly used the superintendent's password 110 times over the course of a year and a half to conduct the mischief. Authorities told news outlets that Venusto also used the information of nine other Northwestern Lehigh employees, most of whom were in the guidance department, to access computer systems. According to Lehigh Valley Live, officials first suspected a problem in January after the high school principal told superintendent Dr. Mary Anne Wright that teachers didn't understand why she was checking their computer-based gradebooks. Wright told the principal that she hadn't looked at the books. That's when the jig was up. The district immediately shut down the student information system, quickly initiated steps to bolster security, and turned the matter over to state police, Wright told Lehigh Valley Live: "Within three hours of suspecting unauthorized access, email, student information system and the district shared drive were shut down until we were able to fully identify the issue. New security measures were put in place before the systems were accessed again by staff, students or parents." Venusto is facing three counts each of unlawful use of a computer and computer trespass, which are third-degree felonies. She was arraigned on Wednesday and released on $30,000 unsecured bail, which she'll only have to pay if she fails to appear in court for her preliminary hearing on July 26. If she's convicted, Venusto could face a maximum of 42 years in prison or a $90,000 fine, District Attorney's office spokeswoman Debbie Garlicki told ABC News Radio. Garlicki said that the maximum penalty on each count is seven years or a $15,000 fine. The school district may well have acted promptly to clamp down systems and improve security after they discovered the trespassing and tinkering, but the plain fact is that leading up to this incident, employees seemed to play fast and loose with security. Perhaps it's necessary for a superintendent's secretary to know her boss's login information. Even if it is, it's hard to imagine why Wright failed to change her password after Venusto left her job. This is a good reminder that a password that walks out the door inside the brain of an ex-employee (as well as a current employee, insider-threat-wise) could well come back to haunt us. Sursa: Mom arrested for hacking school computers, tweaking her kids’ grades | Naked Security

Nu e foarte popular, dar eu am lucrat si lucrez (la munca) cu astfel de dispozitive, si chestia asta poate fi foarte utila.

Oricum, genial gandit...

[h=1]Qubes 1.0 Release Candidate 1![/h] July 22, 2012 By Mayuresh Our first post regarding the Qubes OS can be found here. Yesterday, the much anticipated – Qubes 1.0 Release Candidate 1 was released! This release is expected to essentially be identical to the final 1.0 release, which will likely follow in the coming weeks, except for some minor, cosmetic fixes. “Qubes implements Security by Isolation approach. To do this, Qubes utilizes virtualization technology, to be able to isolate various programs from each other, and even sandbox many system-level components, like networking or storage subsystem, so that their compromise don’t affect the integrity of the rest of the system. Qubes lets the user define many security domains implemented as lightweight Virtual Machines (VMs), or “AppVMs”. E.g. user can have “personal”, “work”, “shopping”, “bank”, and “random” AppVMs and can use the applications from within those VMs just like if they were executing on the local machine, but at the same time they are well isolated from each other. Qubes supports secure copy-and-paste and file sharing between the AppVMs, of course.” [h=2]Changes made to Qubes:[/h] A much improved Qubes Manager, that now allows to configure and manage almost every aspect of the Qubes system using a simple and intuitive GUI. All the VMs are now based on Fedora 17 template. Cleaned up and improved command lines tools for both Dom0 and for the VMs. Updated Dom0 and VM kernels are now based on 3.2.7-pvops kernel, which offer better hardware and power management support. Convenient menu improvements, that include e.g. a handy icon for launching a Disposable Web browser in a Disposable VM. Support for “yum proxy”, which smartly allows to update packages in a template VM (or other updateable VM), without requiring to grant general HTTP access for this VM. This has been a problem before, as the Fedora repos use hundreds of mirrored yum servers, and it wasn’t possible to setup a single rule in the firewall VM to allow only access to the yum servers, and nothing else. Now, this is possible, and the primary application is to prevent user mistakes, e.g. against using the temaplate VM for Web Browsing. We also added support for an opt-in fullscreen mode for select VMs. Plus lots of other improvements and fixes under the hood. As can be seen in the wiki, there has been over 200 tickets closed as part of the work on this release! [h=3]Download Qubes:[/h]Qubes 1.0 Release Candidate 1 - Qubes-R1-rc1-x86_64-DVD.iso/Qubes-R1-rc1-x86_64-DVD.torrent Sursa: Qubes 1.0 RC 1! — PenTestIT

[h=1]Java the Hutt meets CVE-2012-1723: the Evil Empire strikes back[/h]by Aleksandr Matrosov Senior Malware Researcher In one of my previous posts I described how the CVE-2012-1889 vulnerability (CVE2012-1889: MSXML use-after-free vulnerability) works, but the Java exploitation process is too easy for the bad guys not to revisit it. The attacker does not have to think about problems with ASLR/DEP, SafeSEH and other security mechanisms included in the latest versions of Microsoft Windows. All the tricks for bypassing security mechanisms make the exploitation process more unstable and are not universal across platforms. [heap-spray results from JS/Exploit.CVE-2012-1889] Previous, the Java vulnerability most commonly used for mass exploitation in popular exploit kits was CVE-2012-0507 (Blackhole, CVE-2012-0507 and Carberp). This vulnerability uses a logical bug in AtomicReferenceArray by using the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. CVE-2012-1723 is an interesting vulnerability, based on a bug in the Java HotSpot VM with the bytecode verifier where an invalid optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checking. The vulnerability allows malware a way to evade the JRE (Java Runtime Environment) sandbox, so that it can load additional java classes in order to perform malicious actions. CVE-2012-1723 is a cross-platform vulnerability and can be used to attack all platforms with an actual JVM (Java Virtual Machine) version. In the cases of both CVE-2012-0507 and CVE-2012-1723 the vulnerabilities were made public by Michael ‘mihi’ Schierl. These vulnerabilities are of a similar nature, using bugs in the logic of JVM components in order to work. Today, CVE-2012-1723 multiplatform exploitation code was made public by publishing it in the Metasploit Framework repository (java_verifier_field_access.rb). ESET products already detect the CVE-2012-1723 vulnerability as JS/Exploit.CVE-2012-1723. The exploit for CVE-2012-1723 (New Java Exploit to Debut in BlackHole Exploit Kits) is already included in the latest update of the BlackHole exploit kit. It has already ceased to be a zero-day vulnerability, but in practice Java exploits constitute a large percentage of successful attacks even after a patch has been released. BlackHole is now the most common exploit kit, and a license for one year with support costs $1,500 on the cyber crime marketplace. The exploitation code packs the following object structure into a JAR (Java archive file): So as to provide execution of a malicious payload, an additional 100 static fields in class C2 were crafted and assigned a NULL value. At the next stage of exploitation another 100 instances of class C3 non-static confuse methods are generated. This operation looks like this in java bytecode: At the next step of exploitation the confuse method is called many times and results in the execution of malicious code. This code executes by loader class and provides additional classes loading in an escalated privilege context and performing operations that enable evasion of the sandbox mechanism. When the Java code is decompiled these operations look like this: At the final stage of exploitation a new application domain is built which executes outside the sandbox and runs a malicious java applet without security checks. The Java platform is particularly interesting to attackers at this moment because vulnerabilities are continually being found, and exploitation looks easier than exploitation of native, platform-specific applications where operating system security mechanisms may get in their way. A working exploit for a known Java vulnerability may take a few days to develop, whereas it may take a few weeks to develop exploitation code for a native application. Aleksandr Matrosov, Security Intelligence Team Lead Sursa: Java exploit CVE-2012-1723 and the Blackhole exploit kit | ESET ThreatBlog

Linux 3.5 released [TABLE] [TR] [TD=class: lp]From[/TD] [TD=class: rp]Linus Torvalds <>[/TD] [/TR] [TR] [TD=class: lp]Date[/TD] [TD=class: rp]Sat, 21 Jul 2012 15:16:00 -0700[/TD] [/TR] [TR] [TD=class: lp]Subject[/TD] [TD=class: rp]Linux 3.5 released[/TD] [/TR] [/TABLE] Ok, not a lot happened since -rc7. There's a number of MIPS commits (for some reason MIPS has had a horrible track record with the -rc time schedule, I suspect I should just stop pulling late in the game), but most of the rest is pretty small. A couple of dm/md fixes, some gma500 work, make kgdb 'dmesg' command work again, some networking fixes, some xfs and cifs noise, yadda yadda. About 50% of the patch is actually the SPEAr clock name renaming that is just some search-and-replace. The shortlog is appended if you're interested in the details. And as usual, this obviously means that the merge window for 3.6 is open, although I hope people will spend a little bit of time testing and beating on 3.5 before pushing on with the merge window. And as mentioned earlier, if you are a (probably European) maintainer, and will be gone most of August, I'd rather you just delay the whole thing until 3.7 rather than send me a merge request for 3.6 and then effectively disappear for the next few weeks. And if 3.6 ends up smaller as a result of vacation details like that, it's fine. Linus Aaditya Kumar (1): mm: fix lost kswapd wakeup in kswapd_stop() Aaro Koskinen (1): MIPS: cmpxchg.h: Add missing include Al Viro (1): ext4: fix duplicated mnt_drop_write call in EXT4_IOC_MOVE_EXT Alan Cox (5): sch_sfb: Fix missing NULL check gma500: Fix lid related crash gma500: move the ASLE enable gma500,cdv: Fix the brightness base ax25: Fix missing break Alexander Duyck (2): ixgbe: DCB and SR-IOV can not co-exist and will cause hangs ixgbevf: Fix panic when loading driver Amir Hanania (1): net: Fix memory leak - vlan_info struct Anders Kaseorg (1): fifo: Do not restart open() if it already found a partner Anirban Chakraborty (1): MAINTAINERS: Changes in qlcnic and qlge maintainers list Anton Vorontsov (4): kdb: Revive dmesg command printk: Remove kdb_syslog_data printk: Implement some unlocked kmsg_dump functions kdb: Switch to nolock variants of kmsg_dump functions Artem Bityutskiy (1): UBIFS: fix a bug in empty space fix-up Benjamin Tissoires (1): HID: hid-multitouch: add support for Zytronic panels Bing Zhao (1): mwifiex: fix Coverity SCAN CID 709078: Resource leak (RESOURCE_LEAK) Bjørn Mork (1): net: qmi_wwan: add ZTE MF60 Boaz Harrosh (5): ore: Fix NFS crash by supporting any unaligned RAID IO ore: Remove support of partial IO request (NFS crash) ore: Unlock r4w pages in exact reverse order of locking pnfs-obj: don't leak objio_state if ore_write/read fails pnfs-obj: Fix __r4w_get_page when offset is beyond i_size Bruce Allan (1): e1000e: fix test for PHY being accessible on 82577/8/9 and I217 Christoph Hellwig (2): xfs: prevent recursion in xfs_buf_iorequest xfs: do not call xfs_bdstrat_cb in xfs_buf_iodone_callbacks Cloud Ren (1): atl1c: fix issue of transmit queue 0 timed out Dan Carpenter (4): sony-laptop: fix sony_nc_sysfs_store() sony-laptop: fix a couple signedness bugs ideapad: uninitialized data in ideapad_acpi_add() rbd: endian bug in rbd_req_cb() Daniel Nicoletti (1): HID: add battery quirk for Apple Wireless ANSI Danny Kukawka (1): MIPS: BMIPS: Fix duplicate header inclusion. Dave Chinner (2): xfs: really fix the cursor leak in xfs_alloc_ag_vextent_near xfs: don't defer metadata allocation to the workqueue David Daney (2): netdev/phy: Fixup lockdep warnings in mdio-mux.c MIPS: Properly align the .data..init_task section. Deepak Sikri (2): stmmac: Fix for nfs hang on multiple reboot stmmac: Fix for higher mtu size handling Dmitry Eremin-Solenikov (1): MAINTAINERS: reflect actual changes in IEEE 802.15.4 maintainership Dong Aisheng (2): pinctrl: pinctrl-imx: only print debug message when DEBUG is defined pinctrl: pinctrl-imx6q: add missed mux function for USBOTG_ID Douglas Leung (1): MIPS: Fix decoding of c0_config1 for MIPSxx caches with 32 ways per set. Eliad Peller (1): mac80211: destroy assoc_data correctly if assoc fails Emmanuel Grumbach (1): iwlegacy: don't mess up the SCD when removing a key Eric Dumazet (6): net: dont use __netdev_alloc_skb for bounce buffer netem: add limitation to reordered packets net: cgroup: fix out of bounds accesses gianfar: fix potential sk_wmem_alloc imbalance IPoIB: fix skb truesize underestimatiom net: respect GFP_DMA in __netdev_alloc_skb() Eric Paris (2): SELinux: include definition of new capabilities SELinux: do not check open perms if they are not known to policy Eric W. Biederman (2): bonding: Manage /proc/net/bonding/ entries from the netdev events bonding: debugfs and network namespaces are incompatible Ezequiel Garcia (1): cx25821: Remove bad strcpy to read-only char* Federico Fuga (1): rpmsg: fix dependency on initialization order Florian Fainelli (2): MIPS: perf: Fix build error caused by unused counters_per_cpu_to_total() MIPS: BCM63XX: Fix BCM6368 IPSec clock bit Frank Kunz (1): HID: add Sennheiser BTD500USB device support Ganesan Ramalingam (1): MIPS: Netlogic: MSI enable fix for XLS Gao feng (2): cgroup: fix panic in netprio_cgroup net: cgroup: fix access the unallocated memory in netprio cgroup Geert Uytterhoeven (7): mn10300: fix "pull clearing RESTORE_SIGMASK into block_sigmask()" fallout m32r: remove duplicate definition of PTRACE_O_TRACESYSGOOD m32r: fix pull clearing RESTORE_SIGMASK into block_sigmask() fallout m32r: fix 'fix breakage from "m32r: use generic ptrace_resume code"' fallout m32r: consistently use "suffix-$(...)" m32r: add memcpy() for CONFIG_KERNEL_GZIP=y m32r: make memset() global for CONFIG_KERNEL_BZIP2=y Hans Verkuil (1): v4l2-dev: forgot to add VIDIOC_DV_TIMINGS_CAP. Jayachandran C (2): MIPS: Netlogic: Fix PCIX irq on XLR chips MIPS: Netlogic: Fix TLB size of boot CPU. Jeff Layton (3): cifs: on CONFIG_HIGHMEM machines, limit the rsize/wsize to the kmap space cifs: when CONFIG_HIGHMEM is set, serialize the read/write kmaps cifs: always update the inode cache with the results from a FIND_* John Stultz (1): ntp: Fix STA_INS/DEL clearing bug Jozsef Kadlecsik (1): netfilter: ipset: timeout fixing bug broke SET target special timeout value Julia Lawall (3): drivers/isdn/mISDN/stack.c: remove invalid reference to list iterator variable net/rxrpc/ar-peer.c: remove invalid reference to list iterator variable drivers/net/ethernet/broadcom/cnic.c: remove invalid reference to list iterator variable Julian Anastasov (1): ipvs: fix oops in ip_vs_dst_event on rmmod Leonid Yegoshin (3): MIPS: Don't panic on 5KEc. MIPS: Fix race condition with FPU thread task flag during context switch. MIPS: Malta may also be equipped with MIPS64 R2 processors. Lin Ming (1): ipvs: fix oops on NAT reply in br_nf context Linus Torvalds (2): Make wait_for_device_probe() also do scsi_complete_async_scans() Linux 3.5 Marco Chiappero (1): sony-laptop: notify userspace of GFX switch position changes Marek Szyprowski (1): mm: cma: fix condition check when setting global cma area Mark Rustad (1): tcm_fc: Fix crash seen with aborts and large reads Mattia Dongili (5): sony-laptop: use an enum for SNC event types sony-laptop: store battery care limits on batteries sony-laptop: add lid backlight support for handle 0x143 sony-laptop: input initialization should be done before SNC sony-laptop: correct find_snc_handle failure checks Michael Chan (2): cnic: Don't use netdev->base_addr bnx2: Fix bug in bnx2_free_tx_skbs(). Michael Kerrisk (1): PM: Rename CAP_EPOLLWAKEUP to CAP_BLOCK_SUSPEND Mikulas Patocka (3): dm raid1: fix crash with mirror recovery and discard dm thin: do not send discards to shared blocks dm raid1: set discard_zeroes_data_unsupported Narendra K (1): ixgbevf: Prevent RX/TX statistics getting reset to zero Neil Horman (1): sctp: Fix list corruption resulting from freeing an association on a list NeilBrown (3): md: fix bug in handling of new_data_offset md: avoid crash when stopping md array races with closing other open fds. md/raid1: close some possible races on write errors during resync Olaf Hering (1): kexec: update URL of kexec homepage Pablo Neira Ayuso (1): netfilter: nf_ct_ecache: fix crash with multiple containers, one shutting down Paul Moore (1): cipso: don't follow a NULL pointer when setsockopt() is called Prathyush K (1): ARM: dma-mapping: modify condition check while freeing pages Rabin Vincent (1): mm: cma: don't replace lowmem pages with highmem Rafael J. Wysocki (1): Remove SYSTEM_SUSPEND_DISK system state Ralf Baechle (5): MIPS: Provide a symbol for the legacy performance counter interrupt. MIPS: MT: Fix indentation damage. MIPS: SMTC: Spelling and grammar corrections. MIPS: Fix typo multipy -> multiply MIPS: Oprofile: Fix build as a module. Roland Dreier (2): target: Clean up returning errors in PR handling code target: Fix range calculation in WRITE SAME emulation when num blocks == 0 Rustad, Mark D (1): net: Statically initialize init_net.dev_base_head Sachin Prabhu (1): Initialise mid_q_entry before putting it on the pending queue Sage Weil (1): libceph: fix messenger retry Sasha Levin (2): ieee802154: verify packet size before trying to allocate it NFC: Prevent NULL deref when getting socket name Sebastian Andrzej Siewior (1): MIPS: PCI: Move fixups from __init to __devinit. Simon Wunderlich (1): batman-adv: check incoming packet type for bla Sjur Brændeland (1): caif: Fix access to freed pernet memory Stanislaw Gruszka (2): rt2x00usb: fix indexes ordering on RX queue kick iwlegacy: always monitor for stuck queues Stefan Roese (1): ARM: SPEAr600: Fix timer interrupt definition in spear600.dtsi Steven J. Hill (4): MIPS: Clean-up GIC and vectored interrupts. MIPS: Add support for the M14Kc core. MIPS: Refactor 'clear_page' and 'copy_page' functions. MIPS: Malta: Change start address to avoid conflicts. Takashi Iwai (1): intel_ips: blacklist HP ProBook laptops Thomas Gleixner (1): timekeeping: Add missing update call in timekeeping_resume() Thomas Huehn (1): mac80211: correct size the argument to kzalloc in minstrel_ht Tushar Dave (1): e1000e: Correct link check logic for 82571 serdes Uwe Kleine-König (1): mips: mark const init data with __initconst instead of __initdata Vincent Wen (1): MIPS: Fix Magic SysRq L kernel crash. Vipul Kumar Samar (9): clk:spear1340:Fix: Rename clk ids within predefined limit clk:spear1310:Fix: Rename clk ids within predefined limit Clk:spear3xx:Fix: Rename clk ids within predefined limit Clk:spear6xx:Fix: Rename clk ids within predefined limit ARM: SPEAr13xx: Fix Interrupt bindings clk: SPEAr1340: Fix clk enable register for uart1 and i2c1. Clk: SPEAr1340: Update sys clock parent array ARM: dts: SPEAr320: Fix compatible string ARM: dts: SPEAr320: Boot the board in EXTENDED_MODE Yan, Zheng (1): rbd: Fix ceph_snap_context size calculation Yinghai Lu (1): bootmem: make ___alloc_bootmem_node_nopanic() really nopanic Yoichi Yuasa (4): mips: fix bug.h build regression MIPS: BCM47xx: Fix BCMA_DRIVER_PCI_HOSTMODE config dependencies MIPS: Cavium: Fix duplicate ARCH_SPARSEMEM_ENABLE in kconfig. MIPS: Fix bug.h MIPS build regression Yong Zhang (8): MIPS: Octeon: delay enable irq to ->smp_finish() MIPS: BMIPS: delay irq enable to ->smp_finish() MIPS: SMTC: delay irq enable to ->smp_finish() MIPS: Yosemite: delay irq enable to ->smp_finish() MIPS: call ->smp_finish() a little late MIPS: call set_cpu_online() on cpu being brought up with irq disabled MIPS: smp: Warn on too early irq enable MIPS: sync-r4k: remove redundant irq operation Sursa: https://lkml.org/lkml/2012/7/21/114

[h=1]Power Pwn: This DARPA-funded power strip will hack your network[/h]Summary: The Power Pwn may look like a power strip, but it's actually a DARPA-funded hacking tool for launching remotely-activated Wi-Fi, Bluetooth, and Ethernet attacks. If you see one around the office, make sure to ask if it's supposed to be there. By Emil Protalinski for Zero Day | July 22, 2012 The Power Pwn may look like an ordinary power strip, maybe with an included surge protector, but it's far from it. Network administrators and IT staff in general need to be wary of this one: it can do much more than meets the eye. The Defense Advanced Research Projects Agency (DARPA)'s Cyber Fast Track program helped funded the development of the Power Pwn. Pwnie Express, which developed the $1,295 gizmo, says it's "a fully-integrated enterprise-class penetration testing platform." That's great, but the company also notes its "ingenious form-factor" (again, look at the above picture) and "highly-integrated/modular hardware design," which to me translates to: it's the perfect tool for hacking a corporate network. So what do you get after you drop more than a grand for the device? Check out the list of features: Onboard high-gain 802.11b/g/n wireless. Onboard high-gain Bluetooth (up to 1000'). Onboard dual-Ethernet. Fully functional 120/240v AC outlets!. Includes 16GB internal disk storage. Includes external 3G/GSM adapter. Includes all release 1.1 features. Fully-automated NAC/802.1x/RADIUS bypass. Out-of-band SSH access over 3G/GSM cell networks!. Text-to-Bash: text in bash commands via SMS! . Simple web-based administration with "Plug UI". One-click Evil AP, stealth mode, & passive recon. Maintains persistent, covert, encrypted SSH access to your target network [Details]. Tunnels through application-aware firewalls & IPS. Supports HTTP proxies, SSH-VPN, & OpenVPN. Sends email/SMS alerts when SSH tunnels are activated. Preloaded with Debian 6, Metasploit, SET, Fast-Track, w3af, Kismet, Aircrack, SSLstrip, nmap, Hydra, dsniff, Scapy, Ettercap, Bluetooth/VoIP/IPv6 tools, & more. Unpingable and no listening ports in stealth mode. To summarize that for you, the Power Pwn can launch remotely-activated Wi-Fi, Bluetooth, and Ethernet attacks to identify network weaknesses. You can send commands via a convenient Web interface, accessible through the unit's built-in 3G radio, or directly to the device via text message. In fact, if you're feeling really lazy, you can use Apple's Siri voice-recognition software to send it instructions. It's something "you can just plug in and do a full-scale penetration test from start to finish," Pwnie Express CEO Dave Porcello told Wired. "The enterprise can use stuff like this to do testing more often and more cheaply than they’re doing it right now." He also said 90 percent of the company's clients are commercial or federal organizations. What's the other 10 percent? That's what you should be worried about. The good news is you still have time to get the word out. The Power Pwn is currently available for pre-order, but its estimated ship date is September 30, 2012. Sursa: Power Pwn: This DARPA-funded power strip will hack your network | ZDNet

[h=1]Clipcaptcha: An Open Source CAPTCHA Provider Impersonation Tool![/h] July 21, 2012 By Mayuresh Our last post in connection with CAPTCHA or Completely Automated Public Turing test to tell Computers and Humans Apart was on the offensive side, trying to break it – Stiltwalker. Today’s post was submitted via the Submit Your Tool option by Mr. Gursev Singh Kalra – Clipcaptcha, a open source tool programmed in Python to provide extensible and signature based CAPTCHA Provider impersonation. Again, this tool will be officially released with the Black Hat USA 2012 Arsenal. Clipcaptcha can be used to exploit certain vulnerabilities to bypass CAPTHCA provider protection. It based off Moxie Marlinspike’s sslstrip codebase. According to the author, certain vulnerabilities affect almost every CAPTCHA provider including reCAPTCHA, opencaptcha and captchator. These vulnerabilities can be exploited to completely bypass the protection offered by CAPTCHA providers. Depending on its mode of operation Clipcaptcha may approve, reject or forward the CAPTCHA verification requests. It maintains an easy to edit XML configuration file that it queries to identify CAPTCHA provider request formats and render corresponding responses. [h=2]Clipcaptcha permitted operational modes:[/h] Monitor Mode: Signature based CAPTCHA provider detection is performed and all CAPTCHA validation requests are logged to a local file. The CAPTCHA validation requests and corresponding responses are allowed to complete without any modifications. Avalanche Mode: Success response is returned on the matching CAPTCHA provider for all validation requests. It is recommended to not run clipcaptcha in this mode as a surge in successful account creation or registrations may be detected. Stealth Mode: Stealth is the recommended mode for running clipcaptcha. This mode relies on the fact that all CAPTCHA validation API.s need to send user supplied CAPTCHA solution to the CAPTCHA providers for validation. clipcaptcha banks on this behavior to operate stealthily and return Success status only for the requests that contain a secret string. In its current implementation, clipcaptcha parses the entire CAPTCHA validation request (initial line, headers and body) and returns success if the secret string is found or allows the request to complete without any modifications. DoS Mode: Failure response is returned for all CAPTCHA validation requests. This leads to a Denial of Service condition on the target web application for all forms that require CAPTCHA validation. Random Mode: Random Success and Failure responses are returned as per the matching CAPTCHA provider for all validation requests and exits only as a teaser mode. Once the clipcaptcha instance starts running, all CAPTCHA validation requests will be taken care of by clipcaptcha. It also has this Signature based CAPTCHA provider detection, which dictates that CAPTCHA providers are basically HTTP based custom web services, that accept CAPTCHA validation requests in a particular format and respond with finite set of responses that allow the clients to make Boolean choices to allow or disallow the request. This allows clipcaptcha to take advantage of this finite and predictable request and response data set to implement signature based request detection and response system. This open source tool requires Python 2.5 or newer with the Twisted Python Module. Setting up Clipcaptcha is a four step process which is effectively underlined in the document that accompany the tool. Executing it is also pretty simple: clipcaptcha.py < mode > -l < listeningPort > That is all and you are ready to bypass CAPTCHA providers! [h=3]Download Clipcaptcha:[/h]Clipcaptcha v0.1 – clipcaptcha-v0.1.zip Sursa: Clipcaptcha: A CAPTCHA Provider Impersonation Tool! — PenTestIT

Parola pe care o folose?ti, dar nu o ?tii [TABLE=class: contentpaneopen] [TR] [TD]Scris de Scientia.Ro [/TD] [/TR] [TR] [TD=class: createdate] Sâmb?t?, 21 Iulie 2012 17:19 [/TD] [/TR] [/TABLE] hiar ?i cea mai sofisticat? metod? de securizare a unui echipament electronic poate fi dep??it?, for?ându-l pe cel care ?tie parola s? o dezv?luie. Dar dac? parola ar fi stocat? în creier, f?r? ca de?in?torul s? o poat? dezv?lui, chiar dac? ar încerca? Aceasta este promisiunea unei noi tehnici care combin? criptografia cu neuro?tiin?a. În testele ini?iale, voluntarii au înv??at o parol?, ulterior folosind-o pentru a trece un test, dar ei nu au putut s? o identifice atunci când li s-a cerut. Ideea se bazeaz? pe principiul înv???rii implicite, un proces prin care omul poate înv??a în mod incon?tient anumite succesiuni de ac?iuni. Hristo Bojinov, de la Universitatea Stanford din California, SUA ?i colegii acestuia au creat un joc în care juc?torii intercepteaz? obiecte care cad, prin ap?sarea unei taste. Obiectele apar într-una din cele 6 pozi?ii disponibile, pentru fiecare pozi?ie fiind disponibil? o tast?. F?r? ca juc?torii s? ?tie, pozi?iile în care erau pozi?ionate obiectele nu erau mereu aleatorii. În cadrul jocului era ascuns? o secven?? de 30 de pozi?ii succesive care se repeta de peste 100 de ori pe timpul celor 30-45 de minute, cât dura jocul. Juc?torii au f?cut pu?ine erori atunci când au ajuns la aceast? succesiune de taste, în multiple runde, iar aceast? deprindere a persistat vreme de 2 s?pt?mâni, când ace?tia au fost testa?i. Rezultatele sugereaz? c? jocul poate forma baza unui sistem de securitate. Juc?torii vor înv??a o succesiune unic? în sesiunea ini?ial? a jocului, iar apoi o pot folosi jucând acela?i joc. Curios, studii anterioare au ar?tat c? oamenii nu pot reda succesiuni înv??ate în acest fel. Dar acest fenomen al înv???rii implicite este unul pe care-l experiment?m zilnic: gândi?i-v?, de exemplu, la modul în care omul poate include noi cuvinte în mod corect într-o propozi?ie f?r? a fi con?tient de regulile gramaticale care stau la baza folosirii limbajului. O persoan? poate încerca s? descopere o succesiune de ac?iuni, înv??at? dup? modelul de mai sus, for?ând posesorul acesteia s? joace un joc similar ?i s? observe acele secven?e din joc în care se fac cele mai pu?ine erori. Dar pentru c? succesiunea const? din 30 de taste accesate în ?ase pozi?ii diferite, ?ansele de a g?si succesiunea de taste este mic?. Creatorii acestui model cred c? testarea a 100 de utilizatori timp de un an, non-stop, ar însemna o probabilitate de 1 la 60.000 de cazuri de determinare a succesiunii corecte de taste. Sistemul are nevoie de a fi mult mai "user-friendly" înainte de a fi folosit la scar? comercial?. Ca ?i alte sisteme de securitate, ar putea fi spart prin metodele clasice, ca spargerea secven?ei de autentificare a utilizatorului. Din aceste motive, Bojinov spune c? modelul s?u este mult mai probabil s? fie folosit în activit??i de mare risc, unde prezen?a fizic? a posesorului de parol? este necesar?, cum ar fi accesarea unei capabilit??i militare ori nucleare. Sistemul descris mai sus are avantaje în compara?ie cu metodele biometrice, care se bazeaz? pe recunoa?terea unor tr?s?turi unice, cum ar fi "amprenta" irisului. "Autentificarea (în cazul metodei biometrice, n.tr.) nu cere vreun efort explicit din partea utilizatorului" crede Ari Juels, director al Laboratoarelor RSA, Cambridge, Massachusetts. "Dac? timpul cerut pentru antrenament ?i autentificare poate fi redus, atunci unele dintre beneficiile metodei biometrice, care nu presupune vreun efort ?i nici riscul pierderii parolei, pot fi cuplate cu unele op?iuni care lipsesc, cum ar fi posibilitatea de a înlocui un sistem biometric ce a fost compromis". Sursa: Parola pe care o folose?ti, dar nu o ?tii

[h=1]The Best Hacking Film You Haven't Seen (Yet)[/h] Robert Vamosi, Contributor When was the last time you saw a good documentary about the origins of computer hacking? Well, , a new documentary film from a young filmmaker named Jeremy Zerechak comes really close to being both accurate and entertaining while at the same time scaring the pants off anyone who doesn’t yet know that computer data is eternal and can be stolen by the wrong people if we’re not careful. So it is fitting that the documentary, which is only available in limited release right now, will be shown next Friday at DefCon, the world’s largest hacker conference and this year also celebrating its 20th anniversary. Code2600 is a rich visual history of computer hacking’s past as told by some of its principal participants. The film opens with news of a Soviet satellite orbiting the earth in the late 1950s. The United States, which once thought itself on top of the world in technology, found itself behind. Suddenly, says Zerechak, the US military was keen on computer technology. He points out that in the 60s and 70s the military had all the best high-grade computer equipment, but after the computer revolution of the 80s and 90s that was no longer the case, with the military today buying off-the-shelf mobile devices. Somewhere in those intermediate 60 years of military history we have the origins of computer hacking. Like Steven Levy’s 1984 classic book Hackers, the film explores early computer hackers who studied the original wired telephone switching system. One hacker, John Draper, discovered that the sound produced by an inexpensive Capt’n Crunch cereal toy whistle could interrupt the normal AT&T long-distance billing process. This 2600 hertz tone (hence the title of Zerechak’s documentary) was very important to early hackers, known as Phone Phreaks, who wanted to access fast computers on the other side of the world without paying long distance charges. AT&T, at great expense, began to change its switching system. Around the same time, the Homebrew Computer Club was starting in the San Francisco Bay Area. Member Bob Lash remembers a young Steve Wozniak showing off his early Apple computers – along with everyone else who was also building their own computers at the time. There was a lot of trial and error. But smart people where able to do very sophisticated things at home. Throughout the film, Zerechak uses classic footage to capture a moment or to make a point. One reoccurring sequence is the 1950s black and white footage of Dr. Claude Shannon, mathematician, cryptographer and the father of information theory, with his metal mouse and its square maze. This was one of the first experiments in artificial intelligence, demonstrating how Theseus, his robotic mouse, could learn and adapt to a rapidly changing environment. This is an obvious metaphor for computer hackers who probe the phone networks, and later the Internet, simply wondering what is connected to what. In one of his interview segments, Marcus Ranum, Chief Security Officer at Tenable Security, says that in the early days there was limited addressing. In other words, without a Google search, you had to know where on the Internet you wanted to go. Or, like the metal mouse, you had to search until you found something new or interesting. Often, you used your phone modem to find other phone modems. In looking for computers set with default “guest” accounts, hackers used war dialing — randomly dialing phone numbers until they got a computer on the other end — to access corporate or military computers. At the time, says Ranum, system administrators would laugh at logs that showed 800 attempts for access using the default word “guest.” But that was when the Internet was still an intimate community of military, academics, and a few curious hackers, barely a few years removed from the days of the early ARPANET that predates today’s Internet. The upcoming shift, from in invite-only world to what we have today, is important; that’s when hackers realized they were no longer alone on the Internet and had to go underground. Jeff Moss, founder of Black Hat and DefCon, describes in one of his interview segments growing up in the Bay Area in the 1980s and having one of the first affordable home computers that, with a modem, connected over the phone to various bulletin boards. He says that he could connect and no one would know his true identity or age; he would only be judged by what he wrote. For a 14 year old boy, Moss says it was liberating to be able to talk about sex and drugs. Then in the early 1990s, Moss says AOL, Prodigy, and CompuServe destroyed the local community bulletin board, opening up what had been an exclusive neighborhood of thought and discussion to the entire world. It created a gold rush—it gave us spamming and phishing which both got started only once the masses starting surfing the net. It also threatened to push the curious hacker community into a dark corner — until Moss founded DefCon in the summer of 1992. DefCon is a real-world computer bulletin board where communities of hackers and law enforcement talk openly about the Internet with an eye toward fixing what is broken. Not every computer hacker is malicious; Moss makes the point that there are good plumbers and bad plumbers. And not all famous computer hackers are ex-felons like Kevin Mitnick. Zerechak’s film includes footage of the Boston-based L0pht Heavy Industries members testifying before Congress in May of 1998, saying confidently that they had the knowledge to take down the Internet in 30 minutes (but also that they wouldn’t do it). Today, one of the original members of L0pht, Peiter Zatko aka “Mudge,” works for DARA. Another, Joe Grand aka “Kingpin,” runs a hardware design studio in San Francisco. And even Moss, who wasn’t part of Lopht, has served on President Obama’s Homeland Security Advisory Council and is today ICANN’s Chief Security Officer. Sursa: The Best Hacking Film You Haven't Seen (Yet) - Forbes

Linux iotop: Check What’s Stressing And Increasing Load On Your Hard Disks by Vivek Gite on July 20, 2012 The iotop command is top like utility for disk I/O. It watches I/O usage information output by the Linux kernel (requires v2.6.20 or later) and displays a table of current I/O usage by processes or threads on the system. This post expalins how to install and use iotop to find out what's stressing (or program names) on your hard drives under Linux operating systems. Install iotop Use the yum command to install iotop under RHEL / CentOS Linux, enter: # yum install iotop Sample outputs: Loaded plugins: auto-update-debuginfo, product-id, protectbase, rhnplugin, subscription-manager Updating certificate-based repositories. Unable to read consumer identity 0 packages excluded due to repository protections Setting up Install Process Resolving Dependencies --> Running transaction check ---> Package iotop.noarch 0:0.3.2-3.el6 will be installed --> Finished Dependency Resolution Dependencies Resolved ============================================================================================================================================================================================= Package Arch Version Repository Size ============================================================================================================================================================================================= Installing: iotop noarch 0.3.2-3.el6 rhel-x86_64-server-6 49 k Transaction Summary ============================================================================================================================================================================================= Install 1 Package(s) Total download size: 49 k Installed size: 0 Is this ok [y/N]: y Downloading Packages: iotop-0.3.2-3.el6.noarch.rpm | 49 kB 00:00 Running rpm_check_debug Running Transaction Test Transaction Test Succeeded Running Transaction Installing : iotop-0.3.2-3.el6.noarch 1/1 Installed products updated. Verifying : iotop-0.3.2-3.el6.noarch 1/1 Installed: iotop.noarch 0:0.3.2-3.el6 Complete! Debian / Ubuntu Linux user try apt-get command as follows to install the same: $ sudo apt-get install iotop Sample outputs: [sudo] password for vivek: Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: iotop 0 upgraded, 1 newly installed, 0 to remove and 12 not upgraded. Need to get 26.5 kB of archives. After this operation, 168 kB of additional disk space will be used. Get:1 http://debian.osuosl.org/debian/ squeeze/main iotop all 0.4-2+squeeze1 [26.5 kB] Fetched 26.5 kB in 1s (17.0 kB/s) Selecting previously deselected package iotop. (Reading database ... 256274 files and directories currently installed.) Unpacking iotop (from .../iotop_0.4-2+squeeze1_all.deb) ... Processing triggers for man-db ... Setting up iotop (0.4-2+squeeze1) ... Processing triggers for python-support ... How do I use iotop command? iotop command displays columns for the I/O bandwidth read and written by each process/thread during the sampling period. It also displays the percentage of time the thread/process spent while swapping in and while waiting on I/O. For each process, its I/O priority (class/level) is shown. In addition, the total I/O bandwidth read and written during the sampling period is displayed at the top of the interface. Type the following command to run iotop (must run as root): $ sudo iotop OR # iotop Sample outputs: iotop: Linux Disk I/O Monitor Command Fig.01: iotop: Linux Disk I/O Monitor Command in Action However, I recommend that you start iotop with --only option to see only processes or threads actually doing I/O, instead of showing all processes or threads (you can set this mode dynamically too see keyboard shortcut o for more info): # iotop --only Sample outputs: iotop: Linux Disk I/O Tools To See Process Eating Disk I/O Fig.02: Only See Process Eating Your Disk I/O Other supported options by iotop command: -o, --only Only show processes or threads actually doing I/O, instead of showing all processes or threads. This can be dynamically toggled by pressing o. -b, --batch Turn on non-interactive mode. Useful for logging I/O usage over time. -n NUM, --iter=NUM Set the number of iterations before quitting (never quit by default). This is most useful in non-interactive mode. -d SEC, --delay=SEC Set the delay between iterations in seconds (1 second by default). Accepts non-integer values such as 1.1 seconds. -p PID, --pid=PID A list of processes/threads to monitor (all by default). -u USER, --user=USER A list of users to monitor (all by default) -P, --processes Only show processes. Normally iotop shows all threads. -a, --accumulated Show accumulated I/O instead of bandwidth. In this mode, iotop shows the amount of I/O processes have done since iotop started. -k, --kilobytes Use kilobytes instead of a human friendly unit. This mode is useful when scripting the batch mode of iotop. Instead of choosing the most appropriate unit iotop will dis- play all sizes in kilobytes. -t, --time Add a timestamp on each line (implies --batch). Each line will be prefixed by the current time. -q, --quiet suppress some lines of header (implies --batch). This option can be specified up to three times to remove header lines. -q column names are only printed on the first iteration, -qq column names are never printed, -qqq the I/O summary is never printed. Important keyboard shortcuts for iotop command Hit the left and right arrow keys to change the sorting. Hit r to reverse the sorting order. Hit o only to see processes or threads actually doing I/O, instead of showing all processes or threads. Hit p only show processes. Normally iotop shows all threads. Hit a display accumulated I/O instead of bandwidth. In this mode, iotop shows the amount of I/O processes have done since iotop started. Ht i to change the priority of a thread or a process' thread(s) i.e. ionice. Hot q to quit iotop. Check out related media Sursa: Linux iotop: Check What’s Stressing And Increasing Load On Your Hard Disks

Mie imi place cand ne certam (tipam unu la altu) pe teme foarte tehnice, ca bypass-ul la DEP sau la ASLR, cand spunem prostii, dar ne credem, si intotdeauna noi avem dreptate

[h=1]ClubHACK Magazine July 2012![/h] July 20, 2012 By Mayuresh ClubHACK has released the July 2012 version of their magazine. It is the first Indian “Hacking” Magazine. This 30th issue discusses topics such as PHP shells, DirBuster, Secure Android Coding and much more. [h=2]Contents of ClubHACK Magazine July 2012:[/h] Tech Gyan: PHP Shells PHP shells are used by Blackhats to maintain persistence into a compromised machine, typically a webserver. A “shell” is the common name given to a Command Line Interface (CLI) used to interact with the Operating System, even at low level. The usage requires the knowledge of a discrete set of commands that are often different among different Operating Systems (e.g. Unix/DOS). After a successful breach into a vulnerable system, the attacker could adopt a “Shell” as a payload in order to taking control of the victim system. Legal Gyan: Section 66E – Punishment for violation of Privacy Policy In some of the latest articles we have focused on the areas of data privacy, due diligence to be observed by the companies handling sensitive personal data, etc. But, not much has been spoken/written on violation of person’s privacy. I.e. ensuring privacy on an individual at the places where he/she under the normal circumstances expects to be in a private environment. Tool Gyan: OWASP DirBuster – Bruteforcing the Web DirBuster is a multi-threaded Java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these. This tool is written by James Fisher and now an OWASP’s Project, licensed under LGPL. Mom’s Guide: Private Browsing While trying to read what “private browsing” means, I came across its page in Wikipedia. It has a very interesting definition. It reads as follows: Privacy mode or “private browsing” is a term that refers to privacy features in some web browsers. Historically speaking, web browsers store information such as browsing history, images, videos and text within cache. In contrast, privacy mode can be enabled so that the browser does not store this information for selected browsing sessions. Code Gyan: Basics of Android Secure Coding Android is an OS designed for Smart phones. The phones are meant for office productivity apps, games, social networks etc. The phone comes pre-installed with a selection of system applications, e.g., phone dialer, address book, but the platform gives ample opportunities for the developers to create their own applications and publish into the huge android market, so called the “Play Store”. Matriux Vibhag: MITM with Ettercap Hello readers, we are back with our tutorials on Matriux, due to some unwanted circumstances we weren’t able to be a part of last month’s issue. However we promise to provide our continued support and help to the users. This month we are going to cover a basic tutorial of Man-In-The-Middle (MITM) attack using Ettercap by ARP spoofing technique. Special Feature: Impact of Cybercrime on Businesses IT security is more important for businesses than ever. A study that was carried out by the Ponemon Institute has revealed that businesses lacking in IT security could be losing over £200,000. The study, entitled “Impact of Cybercrime on Businesses”, surveyed 2,618 C-level IT security and executive personnel with the aim of finding out what everyone has in common. The survey spanned the United States, United Kingdom, Hong Kong, Brazil and Germany. It was found that in the latter country, cyber-attacks cost businesses more than anywhere else, with the average cost being around $298,359. The average cost that cyber-attacks will have on companies in the United States is $276,671, if they are successfully carried out. Download: http://chmag.in/issue/jul2012.pdf Sursa: 'ClubHACK Magazine July 2012!' — PenTestIT

"The amount of hackers per m*m (metru patrat) is too damn high"

Si, cum functioneaz, cum schimba icon-ul?

Cum s? m?re?ti pozele, f?r? s? pierzi detaliile Aurelian Mihai - 19 iul 2012 Procedeul v?zut pân? acum doar în filmele poli?iste, în care specialistul laboratorului de investiga?ii reconstruia ca prin minune orice imagine neclar? ap?sând câteva taste în fa?a unui PC extrem de sofisticat, ob?inând în câteva secunde portretul unui suspect sau num?rul de înmatriculare al unui vehicul, este acum realitate ?i aproape la îndemâna oricui. În lumea real? procedeul se nume?te super-resolu?ion ?i poate fi abordat în dou? moduri diferite. Prima abordare presupune existen?a unei secven?e video din care s? prelu?m mai multe imagini succesive care surprind acela?i obiect, urmând ca un filtru software s? extrag? cât mai multe detalii cu putin?? din care s? construiasc? o singur? imagine mai clar?. A doua abordare func?ioneaz? cu o singur? imagine surs? ?i presupune folosirea unor tehnici de procesare avansate, prin care se analizeaz? con?inutul imaginii c?utând elemente similare, care pot fi combinate pentru reconstruirea detaliilor neclare. Pentru a în?elege mai bine acest procedeu, imagina?i-v? o poz? abia descifrabil? cu un peisaj din ora?, în care apar cl?diri, str?zi asfaltate, un afi? cu text aproape ilizibil, etc. Majoritatea obiectelor din imagine au un aspect distinctiv, ce urmeaz? un anumit tipar: textura asfaltului, liniile c?r?mizilor de pe peretele c?dirii, forma literelor de pe afi?. În majoritatea cazurilor, detaliile abia vizibile urmeaz? un tipar repetitiv, dar cu varia?ii subtile la nivel de sub-pixel ?i dimensiunea elementelor individuale, în func?ie de cum sunt pozi?ionate obiectele în spa?iul tridimensional. Filtrul super-resolu?ion separ? din imagine cele mai reprezentative detalii, generând un veritabil puzzle cu modele de texturi , care serve?te apoi la reconstruc?ia detaliilor estompate din imaginea surs?. Pe scurt, cu procedeul super-resolution putem transforma o poz? neclar? sau de rezolu?ie mic?, într-o imagine mai bine detaliat? , redat? la o rezolu?ie mai mare decât originalul. Tehnologia super-resolution, dezvoltat? de Institutul Weizmann de cercet?ri ?tiin?ifice,func?ioneaz? atât cu imagini statice dar ?i secven?e video, dând cele mai bune rezultate cu scenele care con?in multe detalii cu tipar repetitiv. Tehnica Weizmann func?ioneaz? desp?r?ind mai întâi imaginea original? într-un puzzle de imagini mai mici, fiecare m?surând doar câ?iva pixeli. Elementele individuale ale acestui puzzle sunt comparate între ele c?utând detalii cu aspect asem?n?tor. Atunci când sunt g?site dou? sau mai multe texturi asem?n?toare, este posibil? recompunerea &unei texturi mai clare decât originalul. Toate fragmentele de texturi rezultate sunt folosite apoi la reconstruc?ia imaginii originale. Procedeul nu este chiar perfect ?i poate genera detalii false, percepute ca artefacte în imagine ?i vizibile mai ales la reconstruc?ia detaliilor fine, abia vizibile în imaginea surs?. Tehnologia super-resolu?ion se prezint? ca o modalitate mai avansat? de m?rire a imaginilor, cu rezultate mult superioare calitativ fa?? de tehnicile clasice implementate în aplica?iile de editare imagine. O a doua utilitate poate fi în domeniul cre?terii eficien?ei tehnicilor de compresie video ?i imagine. Din p?cate procedeul super-resolu?ion are ?i un inconvenient major: este foarte intensiv din punct de vedere al cerin?elor de procesare ?i prea lent pentru a fi aplicat în timp real (de exemplu pentru îmbun?t??irea imaginilor afi?ate în browserul web sau filme pe YouTube). Exist? totu?i speran?e ca procesarea în timp real s? fie în cele din urm? posibil? cu ajutorul acceler?rii prin GPU, folosind una sau mai multe pl?ci video performate. Sursa: Cum s? m?re?ti pozele, f?r? s? pierzi detaliile

Example: [h=1]Compilers[/h][h=3]Alex Aiken, Professor[/h]This course will discuss the major ideas used today in the implementation of programming language compilers. You will learn how a program written in a high-level language designed for humans is systematically translated into a program written in low-level assembly more suited to machines! https://www.coursera.org/course/compilers [h=1]Cryptography[/h][h=3]Dan Boneh, Professor[/h]Learn about the inner workings of cryptographic primitives and how to apply this knowledge in real-world applications! https://www.coursera.org/course/crypto -------------------------------------------------------------- ALL courses: https://www.coursera.org/courses

Iei, exista seriale care sa imi placa si mie

[h=2]Hello World in C without libraries or similar dependencies[/h]2012-07-12 Sometimes it's fun to forget about why an Undefined Behavior in C is bad and just write some code that works here & now, but not necessarily will work tomorrow (with a different compiler version or different compiler settings) or in another place (another platform/system/architecture). A few weeks ago I had a chance to do such fun coding due to a thread "Hello world bez bibliotek i asm" (eng: "Hello world without libraries or asm") on a Polish programming forum - the thread creator was asking if it's possible to create a program writing out "Hello World" without using any libraries (including includes) or inline assembly. While at the beginning the thread was still about proper C, it soon moved to low-level code (still written as C) that depended on the underlying system, CPU architecture or even the way the compiler does its job. In this post I present my idea on how to write out "Hello World" to a GNU/Linux console; also it might be worth to take a look at the thread itself (I guess you won't need to know Polish just to look at C code ;>). The post below was originally published (in Polish) on forum 4programmers.net in the "Hello world bez bibliotek i asm" (link) thread. --post start-- A piece of code from me - please note that I wanted to demonstrate a method and not create an always-working-code The code was written to work on linux (32-bits x86) but you can use the same method on 64-bits or on Windows both 32- and 64-bits. The code does not use any libraries (it doesn't even look for any in the memory) and there is no inline assembly/etc (well, no direct or explicit inline assembly/etc ;>). I've placed the explanation of the method below the code. volatile unsigned int something_wicked_this_way_comes( int a, int b, int c, int d) { a ^= 0xC3CA8900; b ^= 0xC3CB8900; c ^= 0xC3CE8900; d ^= 0x80CDF089; return a+b+c+d; } void* find_the_witch(unsigned short witch) { unsigned char *p = (unsigned char*)something_wicked_this_way_comes; int i; for(i = 0; i < 50; i++, p++) { if(*(unsigned short*)p == witch) return (void*)p; } return (void*)0; } typedef void (*gadget)() __attribute__((fastcall)); int main(void) { gadget eax_from_esi_call_int = (gadget)find_the_witch(0xF089); gadget set_esi = (gadget)find_the_witch(0xCE89); gadget set_ebx = (gadget)find_the_witch(0xCB89); gadget set_edx = (gadget)find_the_witch(0xCA89); if(!eax_from_esi_call_int) return 1; if(!set_esi) return 3; if(!set_ebx) return 4; if(!set_edx) return 5; set_edx(12), set_ebx(1), set_esi(4); eax_from_esi_call_int("Hello World\n"); return 0; } This code uses a method really similar to the JIT-language exploitation techniques when the memory is protected via XD/NX/XN/DEP/etc - i.e. I tried to implicitly place in executable memory a couple of "gadgets" (think: ret2libc or return oriented programming - gynvael.coldwind//vx.log) and then use them to make a syscall call into the kernel (so, there are no libraries needed at all, but of course there is interaction with the environment, i.e. the Linux kernel). These gadgets are places in the something_wicked_with_way_comes function as the constants used in XORs. a ^= 0xC3CA8900; b ^= 0xC3CB8900; c ^= 0xC3CE8900; d ^= 0x80CDF089; The above C code on assembly / machine code level might look like this (compiled using gcc; disassembled using objdump afair): [...] 6: 35 00 89 ca c3 xor eax,0xc3ca8900 b: 89 45 08 mov DWORD PTR [ebp+0x8],eax e: 8b 45 0c mov eax,DWORD PTR [ebp+0xc] 11: 35 00 89 cb c3 xor eax,0xc3cb8900 16: 89 45 0c mov DWORD PTR [ebp+0xc],eax 19: 8b 45 10 mov eax,DWORD PTR [ebp+0x10] 1c: 35 00 89 ce c3 xor eax,0xc3ce8900 21: 89 45 10 mov DWORD PTR [ebp+0x10],eax 24: 8b 45 14 mov eax,DWORD PTR [ebp+0x14] 27: 35 89 f0 cd 80 xor eax,0x80cdf089 [...] So, if we would disassemble the code with a slight misalignment (one or two bytes) we would get a code that differs a little: 6: 35 00 89 ca c3 ? mov edx, ecx ; ret 11: 35 00 89 cb c3 ? mov ebx, ecx ; ret 1c: 35 00 89 ce c3 ? mov esi, ecx ; ret 27: 35 89 f0 cd 80 ? mov eax, esi ; int 0x80 Thanks to the above I'm certain that in this case the needed gadgets do reside in memory (of course if the compiler would work in a slightly different way the opcodes might never show up; but in this specific compilation-case they did). Going further into the code, I use the find_the_witch function to actually find these gadgets in memory in the something_wicked_this_way_comes function (the argument for the scanning function are the two first bytes of a gadget I'm looking for represented as uint16_t (little endian)). gadget eax_from_esi_call_int = (gadget)find_the_witch(0xF089); gadget set_esi = (gadget)find_the_witch(0xCE89); gadget set_ebx = (gadget)find_the_witch(0xCB89); gadget set_edx = (gadget)find_the_witch(0xCA89); One more important thing - here's the gadget type: typedef void (*gadget)() attribute((fastcall)); It has two essential features: 1. The unspecified amount of arguments denoted by the C's () (please note that in C++ () means (void), but in C it's closer to (...)). 2. The fastcall convention thanks to which the function arguments will be places in the general purpose registers and not on the stack (in case of the first few arguments of course) - in this specific case the first argument is always placed in the ecx register (the gadgets are designed to use this fact). After that I "construct" a simple assembly-like hello world using the gadgets I have: set_edx(12), set_ebx(1), set_esi(4); eax_from_esi_call_int("Hello World\n"); This will be executed as following: (main) mov ecx, 12 mov eax, set_edx call eax (gadget) mov edx, ecx ret (main) ... ... ... (gadget) ... int 0x80 Or, skipping the parts from the main() function: [gadget 1] mov edx, 12 (length of the string) [gadget 2] mov ebx, 1 (stdout) [gadget 3] mov esi, 4 (sys_write) [handled by fastcall] mov ecx, address "Hello World\n" [gadget 4] mov eax, esi [gadget 4] int 0x80 Of course I'm missing a C3 (ret) after the int 0x80 (no place left in a 4-byte gadget) so the program will crash AFTER writing out "hello world". However it would be fairly simple to fix this Test: $ gcc -m32 test.c -O0 $ ./a.out Hello World Segmentation fault (core dumped) $ --post stop-- An elegant fix to the Segmentation fault problem was posted by Azarien in the same thread - he created another function called graceful_exit where, using the existing gadgets, he invoked the exit syscall. And then he added the call to this function in the something_wicked_this_way_comes just after d ^= 0x80CDF089; - thanks to this after the gadget 89 F0 CD 80 is executed the CPU will execute whatever is next after the CD 80 (int 0x80) and that would be the call to the graceful_exit function. The said patch looks like this (Azarien's changes are yellow; there was another change in the patch - the gadget type declaration was moved to the top of the file but I'll skip this in the listing): void graceful_exit() { set_ebx(0); set_esi(1); eax_from_esi_call_int(0); } volatile unsigned int something_wicked_this_way_comes( int a, int b, int c, int d) { a ^= 0xC3CA8900; b ^= 0xC3CB8900; c ^= 0xC3CE8900; d ^= 0x80CDF089; graceful_exit(); return a+b+c+d; } As said, very elegant solution It's worth also taking a look at MSM's post and the discussion underneath it (in Polish) - MSM's method uses the commonly known (in RE/shellcoding) technique of looking up kernel32 address in the loaded DLLs list in PEB, finding the GetProcAddress in the import tables and acquiring the addresses of all API functions required to print out "Hello World" (that being said, it kinda relies on some libraries; still, fun to look at). And that's that. Cheers ;> Comment: 2012-07-12 17:15:11 = tehnicaorg { $ uname -a | cat b.c && gcc b.c -Wall -std=c99 -nostdlib && ./a.out char _start[] __attribute__ ((section(".text#"))) = { 0xE8, 0x0D, 0x00, 0x00, 0x00, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x20, 0x57, 0x6F, 0x72, 0x6C, 0x64, 0x21, 0x0A, 0x5E, 0x31, 0xC0, 0x89, 0xC2, 0xFF, 0xC0, 0x89, 0xC7, 0xB2, 0x0D, 0x0F, 0x05, 0x48, 0x31, 0xFF, 0x6A, 0x3C, 0x58, 0x0F, 0x05}; Hello World! The variant without -nostdlib parameter is similar, but it also has a main(): [...] int main(void) { ((void (void))a)(); return 0; } } Sursa: gynvael.coldwind//vx.log

Am actualizat pagina de Facebook: Course subscription Traffic Sniffing, Not Botnet, May Have Led to Android Spam Run [RST] Y!M IMified php bot pyLauncher | Windows Application Launcher Video Spin Blaster v 2.85 DEC Alpha Linux <= 3.0 local root exploit Linux Kernel <= 2.6.37 local privilege escalation Android < 2.3.6 PowerVR SGX Privilege Escalation Exploit Exploit Mitigations in Android Jelly Bean 4.1 Totul despre noul Microsoft Office 2013: de la design pana la cloud Microsoft Windows Shell Command Injection - MS12-048 (CVE-2012-0175) Top 10: The Web Application Vulnerability Scanners Benchmark, 2012 Backtrack Wireless: Packet Sniffing si Injecting Android Security shielded with full ASLR implementation Cracking RDP Backtrack5 Linux Developers Step Up to the Secure Boot Challenge Apple's App Store bypassed by Russian hacker, leaving developers out of pocket PdfStreamDumper 0.9.320 Hacking pentru gadgeturile proprii: rooting, jailbreak, modding 3D printer helps pick locks in high-end security handcuffs Bug in Skype Lands Conversations in Wrong Windows How Google is becoming an extension of your mind Microsoft Disables Windows Sidebar and Gadgets to Keep Users Safe Profiles in Linux: H. Peter Anvin https://www.facebook.com/rstforum Daca aveti sugestii de topicuri pentru pagina, dati-mi PM.

Frumos

[h=1]Linux Developers Step Up to the Secure Boot Challenge[/h]By Katherine Noyes, PCWorld Jul 17, 2012 3:15 am The prospect of Windows 8's planned Secure Boot restrictions has caused no end of controversy in the Linux world, where distributors and users of the free and open source operating system have been struggling to figure out just what it's all going to mean for those who don't embrace Windows. It wasn't long ago that the Free Software Foundation spoke out for a second time on the topic, but recently there have been signs that a broader effort is in the works in the Linux community. “The purpose of this email is to widen the pool of people who are playing with UEFI Secure boot,” began a message late last month from James Bottomley, chair of the Linux Foundation's Technical Advisory Board. Based on Intel's Tianocore It turns out Bottomley has created a platform Linux developers can use to get around Secure Boot--specifically, a boot system based on Intel's Tianocore, which is an open source implementation of the Unified Extensible Firmware Interface (UEFI). The Intel Tianocore project just recently added the Secure Boot facility to its UEFI ROM images, he noted. Also posted in a repository by Bottomley are a set of tools that can be used to sign EFI binaries, he said. “The current state is that I've managed to lock down the Secure Boot virtual platform with my own PK and KEK and verified that I can generate signed EFI binaries that will run on it (and that it will refuse to run unsigned efi binaries),” Bottomley explained. “Finally I've demonstrated that I can sign elilo.efi ... and have it boot an unsigned Linux kernel when the platform is in secure mode (I've booted up to an initrd root prompt).” 'Far From Rock Solid' The Linux Foundation Technical Advisory Board began looking into the situation “because it turns out to be rather difficult to lay your hands on real UEFI Secure Boot enabled hardware,” Bottomley pointed out. This new contribution, however, is still “very alpha,” he warned. “The Tianocore firmware that does Secure Boot is only a few weeks old, and the sbsigning tools weren't really working up until yesterday, so this is very far from rock solid.” Still, after two distributions each made an early--and controversial--attempt at proposing a solution, it's exciting to see this new, higher-level effort. As Bottomley notes, this new virtual platform could give the various Linux distributions a new basis for experimentation that will help them come up with innovative solutions of their own. Sursa: Linux Developers Step Up to the Secure Boot Challenge | PCWorld Business Center

[h=1]AttacksTargeting Activists Uses Blackshades Trojan[/h]Tuesday, July 17, 2012 Article by Eva Galperin and Morgan Marquis-Boire Since March of this year, EFF has reported extensively on the ongoing campaign to use social engineering to install surveillance software that spies on Syrian activists. Syrian opposition activists have been targeted using several Trojans, including one disguised as a Skype encryption tool and others disguised as revolutionary documents. As we've tracked these ongoing campaigns, patterns have emerged that link certain attacks to one another, indicating that the same actors, or groups of actors are responsible. More than a dozen of these attacks have installed versions of the same remote access tool, DarkComet RAT, and reported back to the same IP address in Syrian address space. DarkComet RAT's increasingly close association with pro-Syrian-government malware, combined with the Human Rights Watch report on the Assad regime's network of torture centers, may have motivated the project's sole developer to shut it down, declaring his intention to work on an alternative tool that more closely resembles VNC and requires administrative access to install. Pro-Syrian government hackers appear to have moved on to another remote access tool: Blackshades Remote Controller, whose capabilities include keystroke logging and remote screenshots. EFF reported on the use of this tool in malware targeting officers of the Free Syrian Army on June 19th. Similar command and control domains suggest that this campaign is being carried by the same actors responsible for the fake YouTube attack we reported in March, which lured Syrian activists in by advertising pro-opposition videos, stole their YouTube login credentials by asking them to log in before leaving a comment, and installed surveillance malware disguised as an Adobe Flash Player update. A new campaign, using Blackshades Remote Controller, has been discovered via a message sent from a compromised Skype account to an individual working with the Syrian opposition, seen in the screenshot below. Roughly translated, the message reads: "There is a person who hates you, and keeps talking about you. I took a screenshot of the conversation. Please beware of this person, as he knows you personally. This is a screenshot of the conversation." ?? Clicking on this link--(http://14wre.co.za/new.zip - now dead because the malicious software has been removed)--provided new.zip, which unzipped to new.pif. 430f220ee9b3083b43347918dbda3051145734e243e92b966a99990376c21eb8 new.pif This malware attempts to connect to the command and control server at: alosh66.servecounterstrike.com. While the DNS provider for this domain has been notified and the domain has been disabled, the last IP address that this domain resolved to was 31.9.48.11. The subdomain "alosh66" appeared in the command and control domains of the two other campaigns EFF has described above. This sample drops the following files: C:\Documents and Settings\Administrator\Templates\THEMECPL.exe, a copy of the malware itself copied to the templates folder, shown in the screenshot below. C:\Documents and Settings\Administrator\Local Settings\Temp\sppnp.exe, BlackShades RAT, shown in the screenshot below. This is very similar to the previous installation detailed by Citizen Lab. And C:\Documents and Settings\Administrator\Application Data\demo.exe, a version of AppLaunch.exe, the Microsoft ClickOnce Launcher, shown in the screenshot below, along with the keylogger file, C:\Documents and Settings\Administrator\Application Data\data.dat. If you see these files on your computer, you have been infected with BlackShades If your computer is infected, deleting the above files or using anti-virus software to remove the Trojan does not guarantee that your computer will be safe or secure. This malware gives an attacker the ability to execute arbitrary code on the infected computer. There is no guarantee that the attacker has not installed additional malicious software while in control of the machine. Some anti-virus vendors recognize this malware as BlackShades Remote Controller. You may try updating your anti-virus software, running it, and using it to remove the Trojan if it comes up, but the safest course of action is to re-install the OS on your computer and change the passwords to any accounts you have logged into since the time of infection. EFF urges Syrian activists to be especially cautious when downloading files over the Internet, even in links that are purportedly sent by friends. While Syrians have become increasingly sophisticated in their privacy and security practices, pro-Syrian-government actors have also increased the frequency and sophistication of their campaigns. In light of disturbing reports documenting the use of torture by Syrian security forces in detention facilities across the country, the need for caution is greater than ever. Cross-posted from Electronic Frontier Foundation Sursa: AttacksTargeting Activists Uses Blackshades Trojan