Jump to content

rukov

Active Members
  • Posts

    1123
  • Joined

  • Last visited

  • Days Won

    16

Everything posted by rukov

  1. Webapps occasionaly need to create tokens that are hard to guess. For example for session tokens or CSRF tokens, or in forgot password functionality where you get a token mailed to reset your password. These tokens should be cryptographically secure, but are often made by calling rand() multiple times and transforming the output to a string. This post will explore how hard it is to predict a token made with rand(). How rand works In PHP, the function rand() creates pseudorandom numbers. The initial state of the random number generator (the seed) is set with srand. If you don’t call srand yourself, PHP seeds the random number generator with some hard to guess number when you call rand. The seed passed to srand totally determines the string of numbers that rand will generate. The random number generator keeps a state that is initially set by srand and then changed every time you call rand. This state is specific to the process, so two processes typically return different numbers for rand. On Windows this state has a size of 32 bits and can be directly set using srand. On Linux the state is 1024 bits. Our example program Our example program is EZChatter, a small toy program put together in a day. It does use CSRF tokens, but does not a very good job at creating them securily: public static function gen($len = 5) { $token = ''; while($len--){ $choose = rand(0, 2); if ($choose === 0) $token .= chr(rand(ord('A'), ord('Z'))); else if($choose === 1) $token .= chr(rand(ord('a'), ord('z'))); else $token .= chr(rand(ord('0'), ord('9'))); } return $token; } As you can see it first calls rand to determine whether to use an uppercase letter, lowercase letter or number, and then again to pick a specific letter or number. Every time we request the index.php page we get a new CSRF token, so we can request as many as we want. Our job is to predict tokens that have been handed out to other users, so we can do a CSRF attack on them. Seed cracking As we said the random number series is totally defined by the seed, so we can simply try every possible number as argument for srand to get the random number generator in the right state. Note that on Linux this will only work if the server process is fresh. If the server process has already seen a lot of rand calls, we need to do the same amount in our cracking program to get the same state. On Windows, the state of the random number generator is the same as the argument to srand, so you don’t need a fresh process. If we got a token from a fresh process, the following PHP script can be used to crack it: for ($i = 0; $i < PHP_INT_MAX; $i++) { srand($i); if (Token::gen(10) == "2118Jx9w3e") { die("Found: $i \n"); } } To search the 4294967295 possible arguments to srand, this will take approximately 12 hours. However, since PHP just calls the glibc rand function, we can reimplement the PHP code as C and speed things up. I have made two versions, one that calls the glibc rand and one that mimics the Windows rand. It is basically the PHP code from token.php, a copy paste of some macro’s from PHP’s ext/standard/rand.c, and a loop to go through every possible seed. This will take about 10 minutes for the Windows version and a couple of hours for the Linux version. Once completed, you have the random number generator in the same state and you can keep generating the same tokens as on the server. By comparing your own generated tokens with the tokens the server returns you know which tokens have been handed out to other users, and you can start your attack. State cracking on Linux On Windows, cracking the argument to srand and cracking the state of the random number generator turn out to be the same thing, but on Linux they are different. The glibc rand() keeps a series of numbers, and determines the next state like this: state = state[i-3] + state[i-31] return state >> 1 So every output is approximately the summed output from 3 and 31 calls ago. Consider the following series of tokens: 6ZF5kNgonV 9h3byovpGR gGt0A94U92 Now, the next rand will be determining whether it will be an uppercase letter, lowercase letter or number. This is determined by the outcomes of rand 3 and 31 calls ago. That’s the last 9 in gGt0A94U92 and the y in 9h3byovpGR. So we expect the next output of rand(0, 2) to be approximately ⌊10/10 + 25/26 × 3⌋ = 2 mod 3, so that means we get a number. Let’s see if we can predict that number. The next calls to rand that determines the number is determined by the rand from 3 calls ago, a number, and the rand of 31 calls ago, a lowercase letter. The number will thus be between ⌊2/3 + 1/3 × 10⌋ = 0 mod 10 and ⌊3/3 + 2/3 × 10⌋ = 6 mod 10. We thus expect the number to be between 0 and 6. It turns out to be 4: 43J2d2ew31 As you can see we can not accurately predict the next token using this method, but it is also clear that the we can predict so much about it that you can hardly call it random. It may also be possible to crack the whole state of the glibc random number generator given enough tokens, although I have not tried this. Conclusion Tokens should be created using a cryptographically secure random number generator. If they are made with rand, the state of the random number generator can be cracked trivially in many cases, and tokens can be predicted. On Linux it is a little bit harder to predict tokens, but this does still not give secure tokens. The random number generator on Windows is particularly easy to exploit, since any state of the random number generator can be cracked within minutes. Sursa
      • 5
      • Upvote
      • Like
  2. rukov

    RancherOS

    The smallest, easiest way to run Docker in production at scale. Everything in RancherOS is a container managed by Docker. This includes system services such as udev and rsyslog. RancherOS includes only the bare minimum amount of software needed to run Docker. This keeps the binary download of RancherOS to about 25MB. Everything else can be pulled in dynamically through Docker. How this works Everything in RancherOS is a Docker container. We accomplish this by launching two instances of Docker. One is what we call the system Docker which runs as PID 1. System Docker then launches a container that runs the user Docker. The user Docker is then the instance that gets primarily used to create containers. We created this separation because it seemed logical and also it would really be bad if somebody did docker rm -f $(docker ps -qa) and deleted the entire OS. https://github.com/rancher/os http://rancher.com/rancher-os/
      • 2
      • Upvote
  3. ERank Booster is a freeware, complete and essential SEO software that enables you to perform cheapest and effective way to website ranking promotion and web position to the success in Search Engine and Alexa. Easily see a quick overview of the SEO operations of any of your websites via Traffic Builder and Backlink Builder tool. This includes your Alexa traffic rank, the number of pages that you have indexed from your site in Google, Yahoo and Bing; your top 5 pages and lots more. It's magical software can easily sending traffic and real visitors to your website is at least 180 countries and simultaneously optimization 4 keywords in the search engine. If you 're looking for a website url and keywords in a specific language search engine to be introduced, this tool the best possible solution for your purposes. Other advantages can be pointed out that you can determine which country will send traffic to your website or from the which country optimize operations to be performed.. Finally, this software is a handy application that will help you with one of the biggest asset and that’s traffic! The ERank Booster software will improve Alexa rankings but it will also help increase your Google listings as well! When Google indexes your site, it will see in your log that you are receiving loads of hits thus giving your site more listing results simply because the Googlebot thinks your site must be relevant so it increase your results! To sum it up the ERank Booster will help increase your online business! Do not forget that ERank Booster software uses very little bandwidth. However, when using Traffic Builder or Backlink Builder, disable show images in your browser! Fix https://transfer.sh/dAm78/erankbooster.rar
  4. Online Lead Finder 3.5.18 cu toate modulele activate http://recordit.co/NwPNaA22ty
  5. @Maximus are un program de vanzare.
  6. https://transfer.sh/HCsm1/extract-any-mail.rar
  7. Fix https://transfer.sh/AEoAt/expired-article-hunter.rar
  8. Daca il vrei exact pe Extract Any Mail te pot rezolva.
  9. Decentralized Software‑Based File Storage Platform
  10. La Multi Ani ! alaturi de cei dragi tie.
  11. Ban.Libertatea nu are pret.
  12. Este ilegal ceea ce ceri si o sa iei ban @hades
  13. Ban irc bot https://malwr.com/analysis/NjAyYjYzMWFmMDMzNGNiN2FlYzgyMWVmYTM3OTJkMzY/
  14. Ban contine TAR Downloader.
  15. NOTICE: This post just For Security Proffesional and Computer Security Research Only! Use at your own RISK! This will make a linux machine into a Trojan Horse, and by that I mean we’ll add a line to rc.local that starts autossh to create a reverse tunnel. with menu Function: + NAME: Enter the name you wish to associate with this container. + TAG: Enter the tag you wish to associate with this container. + SSH_PORT_EXPOSED: This is the port on the ssh host that is exposed. Enter the SSH_PORT_EXPOSED you wish to associate with this container. + SSH_PORT_HIDDEN: This is the hidden port on the ssh host you will connect to reverse tunnel back to our trojan. Enter the SSH_PORT_HIDDEN you wish to associate with this container. + SSH_PORT_MONITOR: This is the monitor port. Enter the SSH_PORT_MONITOR you wish to associate with this container. + SSH_HOST: This is the host the trojan will call out to and make the reverse tunnel at. Enter the SSH_HOST you wish to associate with this container. Installation: git clone https://github.com/joshuacox/mkTrojanHorse cd <your clone folder> make Download https://github.com/joshuacox/mkTrojanHorse
  16. http://www.greyhathacker.net/docs/OfficeDLLhijacking.zip
  17. rukov

    JexBoss

    JexBoss - Jboss verify and EXploitation Tool JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server. Requirements Python <= 2.7.x Installation To install the latest version of JexBoss, please use the following commands: git clone https://github.com/joaomatosf/jexboss.git cd jexboss python jexboss.py Features The tool and exploits were developed and tested for versions 3, 4, 5 and 6 of the JBoss Application Server. The exploitation vectors are: /jmx-console tested and working in JBoss versions 4, 5 and 6 /web-console/Invoker tested and working in JBoss versions 4 /invoker/JMXInvokerServlet tested and working in JBoss versions 4 and 5 Usage example Check the file "demo.png" $ git clone https://github.com/joaomatosf/jexboss.git $ cd jexboss $ python jexboss.py https://site-teste.com ** Checking Host: https://site-teste.com ** * Checking web-console: [ OK ] * Checking jmx-console: [ VULNERABLE ] * Checking JMXInvokerServlet: [ VULNERABLE ] Download https://github.com/joaomatosf/jexboss
  18. Yahoo Email ID Extractor is an expert in getting email ids from Yahoo mail account. It has all the latest & essential option equipped in it that make harvesting of Email ids easy. Users can extract email ids from folders of Yahoo mail like Inbox, sent, draft, etc. with the given options. Along with that there are also options available to harvest email ids from fields like To, From, CC, BCC, etc. So you have the freedom to harvest email ids from all sections of Yahoo mail account. This Email Ids harvester also caters choice to save the list of Email ids extracted from Yahoo mail account. You can save the IDs either in Excel (.CSV format) & Text (.TXT format) to utilize them in future. The tool is also furnished with option to restrict duplicate ids from getting downloaded. If you don’t want duplicate ids just tick on the option ‘Do Not List Duplicate Emails’ & the software will restrain duplicate ids. So this culminates your hectic job of removing duplicate ids from the list. These features, speed & accuracy make it the best email ids harvester from Yahoo mail account. Key Feature: Fetch Email Ids from Yahoo mail account. It can extract email ids from folders of Yahoo mail like Inbox, sent, etc. Also get email ids from fields like CC, BCC, To, From, etc. The tool gives choice to save the email ids either in .CSV or in .TXT format. Even users can restrict duplicate ids from downloading. It is very easy to operate & can be easily used in daily office work. System Requirement Win XP, Vista, Win7, Win8 .NET Framework 2.0 Download http://rghost.net/7tl5fyfbs portabil
  19. @zeroabsolut daca urmareai posturile mele anterioare vedeai ca eu nu postez tampenii. Cat despre .net framework Mailbag: What version of the .NET Framework is included in what version of the OS? - Aaron Stebner's WebLog - Site Home - MSDN Blogs
  20. De cand si pana cand windows 7 vine cu .net framework 4 preinstalat? http://recordit.co/KjQW0EmS8q
  21. Incercati acum si sa aveti .net framework instalat.
  22. Este o versiune recenta.Poate aveti nevoie Zippyshare.com
×
×
  • Create New...