Nytro

Nu am avut timp si nu o sa il analizez, sa vad ce face practic, dar am vazut ca are mai multe componente scrise in limbaje de programare diferite, foloseste openssl, functii din librariile de la Yahoo! Messenger, face logarea prin user si parola pe yahoo, de asemenea si prin token, citeste ETS ia Yahoo! User ID din Registry... Asta stiu pentru ca m-am uitat prin executabil cu Notepad++. In mod normal as lua Process Monitor, Wireshark si l-as rula in conditii sigure. Poate face cineva asta... Daca nu are ce face.

Ajung 5 GB, teoretic, pentru Slackware de exemplu nu prea ajung pentru o instalare full, dar pentru Ubuntu ajung. Dar tot teoretic ar trebui sa iti faci si o partitie swap de dimensiunea dublul RAM-ului. Insa eu nu am, dar nici nu imi trebuie, am scos cam tot ce se putea scoate, nu prea am umblat la module, insa merge foarte bine.

Da, te pune sa alegi. De exemplu LILO: Iar Windows-ul va aparea deasupra Linux-ului. Dar nu stiu ce boot loader are Ubuntu.

Partitia in care instalezi trebuie sa fie ext2, ext2, ext4 sau altele suportate de Linux. Stergi partitia E si o creezi din nou ca ext4 de exemplu. Apoi instalezi pe E Linuxul. Sa instalezi si boot loader-ul.

Deci e un alt "1337" tipic romanesc. Pe scurt HOT. Unul dintre cei care fura si ne fac o reclama negativa imensa in strainatate... Am dreptate?

Esti gay? Probabil... In fine, trebuie sa dau banuri mai lungi... Asa, vreo 5-6 ani pana mai cresti si tu, te mai maturizezi si nu mai esti atat de ratat.

La mine la sectie, intr-o comuna din judetul Valcea, la sectie speciala, au venit 97 de oameni. Si pe primul loc a iesit Geoana, la egalitate cu Basescu si Antonescu la un loc. Si cam peste tot prin judetul Valcea a fost asa. Am inteles ca prin Moldova s-a votat mult Basescu. Deci nu cred ca Antonescu avea prea multe sanse. Cat despre parlamentul unicameral si parlamentul cu maxim 300 de membrii, s-a votat in proportie de 80% da. Se fraudeaza in sectiile mari, si nu asa, trimitand oameni... Ci cu ajutorul presedintilor de sectii. Acestia merg cu rezultatele voturilor la prefectura si le depun. Unde am fost eu nici nu se poate pune problema de acest lucru...

Programul decat a fost modat de demonico ala, "are voie". El l-a modificat si l-a facut din nou nedetectabil. Dar cred ca tot al meu arata mai frumos... PS: Poza aia cred ca e de prin clasa a X-a.

Am fost in Comitetul Biroului Electoral la o sectie. Lumea habar nu are ce si pe cine voteaza...

Daca toti sunt hoti, macar votati pe cineva in afara de "cei trei grei".

Mergeti la vot! Nu imi pasa pe cine votati, dar mergeti la vot. Votul vostru conteaza. Desigur, pueti sa nu votati gandindu-va ca astfel nu veti avea nici o vina in legatura cu viitorul vostru, dar de ce sa decida altii pentru voi?

Eu o sa il invat. Vreau sa mai invat si Perl, Python si ASP. Dar nu la nivel de expert, sa imi fac idee, sa stiu sa lucrez in ele.

Ca tot s-a redeschis subiectul, am cateva intrebari: 1) Cate flotari puteti face? Eu am facut maxim 40, nu cred ca pot face mai multe. 2) Puteti face flotari intr-o mana? Eu am facut vreo 10, dar pot numai cu mana dreapta. 3) Poate face careva tractiuni cu o mana doar? Eu nu pot, dar am facut cu o mana, si de la cealalta mana doar un deget. Daca mai am intrebari mai postez. PS: Nu am mai fost la sala de 2-3 saptamani si tot am probleme cu spatele. De luni ma duc iar.

Pe scurt: noul milw0rm. http://www.exploit-db.com/ © Offensive Security 2009

Specific romanilor: Toata lumea "stie tot", cand de fapt nimeni nu stie nimic. Toti vorbesc despre asta fara sa stie mai nimic. Cum spunea profesorul meu de istorie: "Daca intrebi pe cineva despre fizica nucleara sau despre fizica cuantica o sa inceapa sa iti "explice" tot felul de teorii stupide personale, mai rar o sa gasesti pe cineva care sa raspunda simplu: 'nu stiu nimic'...".

Care ar fi scopul ei? Ce "Linux Hacking"? Ce sa apara acolo?

Pfff, ce cauta RST printre jegurile alea de site-uri?

Cred ca il aveam si eu in lista pe acel domn, i-am dat ignore, desigur.

http://msdn.microsoft.com/en-us/library/ms740673%28VS.85%29.aspx Functiile: http://msdn.microsoft.com/en-us/library/ms741394%28VS.85%29.aspx

Sub XP, bateria tine mai mult decat sub Windows 7 de Mina Hutterer | 13 noiembrie 2009 Desi noul sistem de operare Microsoft atrage printr-un design nou si o ergonomie mai buna decat Windows Vista (si cu siguranta mai atragatoare decat Windows XP), acei utilizatori care sunt mai interesati de durata de viata a bateriei este posibil sa prefere in continuare vechiul XP. O serie de teste realizate de Laptop Mag au demonstrat ca utilizatorii de netbook obtin o durata mai mare de activitate a bateriei in Windows XP decat in Windows 7. Testele au demonstrat ca bateriile netbook-urilor care ruleaza Windows XP au "tinut" cu 47 de minute mai mult decat cele ale netbook-urilor cu Windows 7. NU trebuie omis faptul ca W7 este un sistem de operare mai costisitor ca resurse decat venerabilul XP. Windows 7 ofera o interfata grafica plina de efecte si are mai multe procese care ruleaza in fundal, ceea ce explica durata mai scurta intre doua incarcari ale bateriei. Este posibil insa ca bateria sa tina mai mult sub W7 daca efectele grafice Aero si indexarea (care presupune acces frecvent la hard disk) sunt oprite.

Vazand cat de cautate inca sunt aceste coduri, am decis sa fac un pack cu ele. Le-am gasit pe 2 site-uri. Nu garantez ca nu sunt infectate, in nici un caz nu le-am testat. Am decis sa le postez pentru ca nu mai joc Counter-Strike de mult timp. Descarcand aceste coduri, iti demonstrezi singur ca esti ratat. Citeste Coduri.txt din arhiva. Codurile sunt: -rw-rw-rw- 1 root root 197275 2009-11-15 20:33 AbsoHack 9.0.0.rar -rw-r--r-- 1 root root 105198 2009-11-15 20:26 Aim-Hack-Wall.zip -rw-r--r-- 1 root root 258545 2009-11-15 20:26 BaDBoYv4.2.zip -rw-r--r-- 1 root root 99226 2009-11-15 20:27 CDDisabler4.33.4b.rar -rw-r--r-- 1 root root 185892 2009-11-15 20:25 CN Hack Final.rar -rw-r--r-- 1 root root 1337042 2009-11-15 20:27 CS_OGCFXv3.3.rar -rw-r--r-- 1 root root 81675 2009-11-15 20:25 HLGL2.rar -rw-r--r-- 1 root root 105763 2009-11-15 20:24 MPH Leis 05.rar -rw-r--r-- 1 root root 115338 2009-11-15 20:23 MPH UNHEIL Release 01 Leis r06.rar -rw-r--r-- 1 root root 460882 2009-11-15 20:27 OGCBeginsv11Publicv2.3.rar -rw-r--r-- 1 root root 10373 2009-11-15 20:25 OGC_Glhack27.rar -rw-r--r-- 1 root root 216387 2009-11-15 20:25 OGC_Owned.rar -rw-r--r-- 1 root root 117049 2009-11-15 20:25 OGZ_Remake.rar -rw-r--r-- 1 root root 199767 2009-11-15 20:24 Pure Ring0-Hack.rar -rw-r--r-- 1 root root 46181 2009-11-15 20:27 RingDingDing.rar -rw-r--r-- 1 root root 160021 2009-11-15 20:26 YaMH-v2.0.zip -rw-r--r-- 1 root root 142970 2009-11-15 20:25 YaMHCsCodNou.rar -rw-r--r-- 1 root root 91678 2009-11-15 20:27 aimbot.rar -rw-r--r-- 1 root root 146381 2009-11-15 20:25 biolaPEG.rar -rw-r--r-- 1 root root 532116 2009-11-15 20:25 bonns.rar -rw-r--r-- 1 root root 146381 2009-11-15 20:26 cs-biolapeg.rar -rw-r--r-- 1 root root 532116 2009-11-15 20:26 cs-bonns.rar -rw-r--r-- 1 root root 185892 2009-11-15 20:26 cs-cn-hack-final.rar -rw-r--r-- 1 root root 81675 2009-11-15 20:26 cs-hlgl2.rar -rw-r--r-- 1 root root 10373 2009-11-15 20:26 cs-ogc-glhack27.rar -rw-r--r-- 1 root root 216387 2009-11-15 20:26 cs-ogc-owned.rar -rw-r--r-- 1 root root 117049 2009-11-15 20:26 cs-ogz-remake.rar -rw-r--r-- 1 root root 20781 2009-11-15 20:26 cs-serenity-aimbot.rar -rw-r--r-- 1 root root 138298 2009-11-15 20:24 misanthrop hook v4.rar -rw-r--r-- 1 root root 20781 2009-11-15 20:25 serenity_aimbot.rar -rw-r--r-- 1 root root 136495 2009-11-15 20:26 super-simple-wall-v4.3.zip -rw-r--r-- 1 root root 36068 2009-11-15 20:26 unban-cs-16-scoate-ban-ul-de-pe-server.zip -rw-r--r-- 1 root root 302756 2009-11-15 20:27 ustlehookv1.o.rar Download: hxxp://www.speedyshare.com/files/19310755/Coduri.rar hxxp://www.netdrive.ws/252674.html Password: plm Enjoy copii fara viitor.

Cu placere. Concluzia e simpla: Daca nu ai ce face cu banii si vrei sa lucrezi in domeniul IT, fa acele cursuri. De fapt, cred ca vor fi utile si daca nu vei lucra in domeniul IT, dar banii tot trebuie sa ii dai.

Download: http://www.ngssoftware.com/papers/StoppingAutomatedAttackTools.pdf

Hacking CSRF Tokens using CSS History Hack Credits: http://securethoughts.com/2009/07/hacking-csrf-tokens-using-css-history-hack/ Update: Security researchers Sirdarckcat and Gareth were kind enough to share the code for a pure CSS based CSRF token finder here . This is stealthier than my PoC below, which used a combination of both JS and CSS. So, it will still work even if you disable javascript and you are not safe anymore . To make this PoC more responsive to the client, you need to use multiple CSS stylesheets using the import command. The only problem I see with this pure CSS based approach is there will be network latency involved with large key spaces because your large CSS stylesheet will need to be downloaded by your browser. I was thinking about the problem of Cross Site Request Forgery and current mitigation strategies used in the Industry. In many of the real world applications I have tested so far, I see the use of random tokens appended as part of url. If the request fails to provide any token or provide a token with incorrect value, then the request is rejected. This prevents CSRF or any cross domain unauthorized function execution. Uptil now, it was considered infeasible for an attacker to discover your CSRF token using Brute Force Attacks on the server. The reasons being: It generates lot of noise on the network and is slow. So most probably an IDS or Web App Firewall will pick up the malicious behavior and block your ip. For example, a Base16 CSRF token of length 5 characters (starting with a character) will generate approximately 393,216 requests. Many applications are programmed to invalidate your session after it detects more than a certain number of requests with invalid token values. E.g. 30. I am going to change this belief by showing you a technique to quicky find csrf tokens without generating alerts. This technique is a client side attack, so there is almost no network traffic generated and hence, your server and IDS/Web App Firewalls won’t notice it at all. This attack is based on the popular CSS History Hack found by Jeremiah Grossman 3 years ago. In this exploit, we discover the csrf token by brute forcing the various set of urls in browser history. We will try to embed different csrf token values as part of url and check if the user has visited that url. If yes, there is a good chance that the user is either using the same CSRF token in the current active session or might have used that token in a previous session. Once we have a list of all such tokens, we can just try our csrf attack on the server using that small list. Currently this attack is feasible for tokens with length of 5 characters or shorter. I tried it on a base16 string of length 5 and was able to brute force the entire key space in less than 2 minutes. Some of the prerequisites for this attack to work are either CSRF token remains the same for a particular user session. e.g. csrf token=hash(session_id) OR CSRF token submitted in older forms for the same session is accepted. Many times, this is the case as it enhances user experience and allows using forward and back browser buttons. Proof of Concept is available here. Before running the PoC, you need to change the url and csrftoken paramater values. For testing using the defaults, you need to first visit one of the following urls, e.g. SecureThoughts by Inferno [change b59fe to any 5-digit base 16 string starting with a character, i.e.greater than a0000] SecureThoughts by Inferno [which is 301 redirect to previous url]. Note: SecureThoughts by Inferno and SecureThoughts by Inferno are treated differently while storing in browser history. A sample run will look like this – For making this attack unfeasible, Server-Side Solution (for developers): Make your CSRF tokens long enough (8 or more chars) to be unfeasible for a CLIENT SIDE attack. The ever-increasing processing power will make this attack feasible for longer tokens as well. Store your CSRF token as part of hidden form field, rather than putting in url. Use a different random token for every form submission and not accept any obsolete token, even for the same session. [*]Client-Side Solution (for your customers/users): Use a browser plugin such as SafeHistory, which defends against visited-link-based tracking techniques. Use the private browsing mode in your browser. And last, but not the least, XSS obliterates all the CSRF protections possible. So, get rid of XSS first. I would like to thank Jeremiah for providing his insightful feedback on this post.

METASPLOIT UNLEASHED - MASTERING THE FRAMEWORK This free information security training is brought to you in a community effort to promote awareness and raise funds for underprivileged children in East Africa. Through a heart-warming effort by several security professionals, we are proud to present the most complete and in-depth open course about the Metasploit Framework. This is the free online version of the course. If you enjoy it and find it useful, we ask that you make a donation to the HFC (Hackers For Charity), $4.00 will feed a child for a month, so any contribution is welcome. We hope you enjoy this course as much as we enjoyed making it. The "full" version of this course includes a PDF guide (it has the same material as the wiki) and a set of flash videos which walk you though the modules. Due to recent changes in the Metasploit Framework, and the ongoing development process, we are waiting for the MSF to stabilize and to have its full feature set to be implemented. We will announce the release of the MSFU videos once they are ready, Stay Tuned! http://www.offensive-security.com/metasploit-unleashed/