Aerosol

Active Members
  • Posts

    3453
  • Joined

  • Last visited

  • Days Won

    22

Everything posted by Aerosol

  1. Aerosol

    kcsoftwares

    Windows free useful tools. Check it: KC Softwares
  2. BlueScreenView scans all your minidump files created during 'blue screen of death' crashes, and displays the information about all crashes in one table. For each crash, BlueScreenView displays the minidump filename, the date/time of the crash, the basic crash information displayed in the blue screen (Bug Check Code and 4 parameters), and the details of the driver or module that possibly caused the crash (filename, product name, file description, and file version).
     Features
     - Automatically scans your current minidump folder and displays the list of all crash dumps, including crash dump date/time and crash details.
     - Allows you to view a blue screen which is very similar to the one that Windows displayed during the crash.
     - BlueScreenView enumerates the memory addresses inside the stack of the crash, and finds all drivers/modules that might be involved in the crash.
     - BlueScreenView also allows you to work with another instance of Windows, simply by choosing the right minidump folder (in Advanced Options).
     - BlueScreenView automatically locates the drivers that appeared in the crash dump, and extracts their version resource information, including product name, file version, company, and file description.
     For those who use Windows on a daily basis I suggest taking a closer look at the NirSoft Suite. Useful for many things, including security. Source: HERE
  3. @dr.d3v1l why do you keep bothering with them, man, if they keep giving you "duplicate"? On topic: congratulations, and many more to come.
  4. It's nothing special... honestly, it's useful because you don't have to do it by hand, but otherwise it's the same thing you can do manually if you have the email address (search box).
     Spokeo http://www.spokeo.com/email-search/search?g=email_lullar_text_0131&e=email@yahoo.com
     Hi5 http://www.hi5.com/friend/processBrowseSearch.do?searchText=email@yahoo.com
     Multiply http://multiply.com/search/people?query=email@yahoo.com
     MySpace http://www.myspace.com/search/people?q=email@yahoo.com
     Flickr http://www.flickr.com/search/people/?q=email@yahoo.com
     Foursquare https://foursquare.com/search?q=email
     PhotoBucket http://photobucket.com/images/email@yahoo.com
     Friendster http://www.friendster.com/search?utf8=%E2%9C%93&name=email@yahoo.com
     Picturetrail http://www.picturetrail.com/gallery/view?username=email@yahoo.com&Submit.x=0&Submit.y=0&Submit=Go
     Tagged http://www.tagged.com/search_results.html?search_term=email@yahoo.com&searchbtn=Search&search_type=keyword
     Bebo http://www.bebo.com/c/search?SearchTerm=email@yahoo.com
     Perfspot http://www.perfspot.com/search.asp?q=email@yahoo.com
     iLike http://www.ilike.com/user/email@yahoo.com
     Wayn http://www.wayn.com/waynsearches.html?wci=quicksearch&phrase=email@yahoo.com
     Zorpia http://search.zorpia.com/search/zorpians/?keywords=email@yahoo.com&type=zorpians
     Dek-d http://my1.dek-d.com/email
     Search Results for Must Login Webs
     Facebook http://www.facebook.com/search/results.php?q=email@yahoo.com
     Google Plus https://plus.google.com/s/email/people
     LinkedIn http://www.linkedin.com/search/fpsearch?type=people&keywords=email
     Search Results from Username Guessing
     Instagram https://instagram.com/email
     Pinterest https://pinterest.com/email
     Badoo https://badoo.com/email
     Picasa https://picasaweb.google.com/email
     Twitter http://twitter.com/#!/search/email@yahoo.com
     Twitpic http://twitpic.com/search#q=email@yahoo.com&type=mixed&page=1
     YouTube http://www.youtube.com/results?search_query=email@yahoo.com
     Blogger http://email.blogspot.com
     Tumblr http://www.tumblr.com/blog/email
     Anyway, nice post.
  5. AIR-GAPPED SYSTEMS, WHICH are isolated from the Internet and are not connected to other systems that are connected to the Internet, are used in situations that demand high security because they make siphoning data from them difficult. Air-gapped systems are used in classified military networks, the payment networks that process credit and debit card transactions for retailers, and in industrial control systems that operate critical infrastructure. Even journalists use them to prevent intruders from remotely accessing sensitive data.

     To siphon data from an air-gapped system generally requires physical access to the machine, using removable media like a USB flash drive or a firewire cable to connect the air-gapped system directly to another computer. But security researchers at Ben Gurion University in Israel have found a way to retrieve data from an air-gapped computer using only heat emissions and a computer's built-in thermal sensors. The method would allow attackers to surreptitiously siphon passwords or security keys from a protected system and transmit the data to an internet-connected system that's in close proximity and that the attackers control. They could also use the internet-connected system to send malicious commands to the air-gapped system using the same heat and sensor technique. In a video demonstration produced by the researchers, they show how they were able to send a command from one computer to an adjacent air-gapped machine to re-position a missile-launch toy the air-gapped system controlled.

     The proof-of-concept attack requires both systems to first be compromised with malware. And currently, the attack allows for just eight bits of data to be reliably transmitted over an hour, a rate that is sufficient for an attacker to transmit brief commands or siphon a password or secret key but not large amounts of data. It also works only if the air-gapped system is within 40 centimeters (about 15 inches) from the other computer the attackers control. But the researchers, at Ben Gurion's Cyber Security Labs, note that this latter scenario is not uncommon, because air-gapped systems often sit on desktops alongside Internet-connected ones so that workers can easily access both.

     The method was developed by Mordechai Guri, Gabi Kedma and Assaf Kachlon and overseen by their adviser Yuval Elovici. The research represents just a first step, says Dudu Mimran, chief technology officer at the lab, who says they plan to present their findings at a security conference in Tel Aviv next week and release a paper describing their work later on. "We expect this pioneering work to serve as the foundation of subsequent research, which will focus on various aspects of the thermal channel and improve its capabilities," the researchers note in their paper. With additional research, they say they may be able to increase the distance between the two communicating computers and the speed of data transfer between them. In their video demonstration, they used one computer tower to initiate a command to an adjacent computer tower representing an air-gapped system. But future research might involve using the so-called internet of things as an attack vector: an internet-connected heating and air conditioning system or a fax machine that's remotely accessible and can be compromised to emit controlled fluctuations in temperature.

     How It Works

     Computers produce varying levels of heat depending on how much processing they're doing. In addition to the CPU, the graphics-processing unit and other motherboard components produce significant heat as well. A system that is simultaneously streaming video, downloading files and surfing the internet will consume a lot of power and generate heat. To monitor the temperature, computers have a number of built-in thermal sensors to detect heat fluctuations and trigger an internal fan to cool the system off when necessary or even shut it down to avoid damage.

     The attack, which the researchers dubbed BitWhisper, uses these sensors to send commands to an air-gapped system or siphon data from it. The technique works a bit like Morse code, with the transmitting system using controlled increases of heat to communicate with the receiving system, which uses its built-in thermal sensors to then detect the temperature changes and translate them into a binary "1" or "0." To communicate a binary "1" in their demonstration, for example, the researchers increased the heat emissions of the transmitting computer by just 1 degree over a predefined timeframe. Then to transmit a "0" they restored the system to its base temperature for another predefined timeframe. The receiving computer, representing the air-gapped system, then translated this binary code into a command that caused it to reposition the toy missile launcher.

     The researchers designed their malware to take into consideration normal temperature fluctuations of a computer and distinguish these from fluctuations that signal a system is trying to communicate. And although their malware increased the temperature by just one degree to signal communication, an attacker could increase the temperature by any amount as long as it's within reason, to avoid creating the suspicion that can accompany an overactive computer fan if the computer overheats. Communication can also be bi-directional, with both computers capable of transmitting or receiving commands and data. The same method, for example, could have been used to cause their air-gapped system to communicate a password to the other system.

     The malware on each system can be designed to search for nearby PCs by instructing an infected system to periodically emit a thermal ping, to determine, for example, when a government employee has placed his infected laptop next to a classified desktop system. The two systems would then engage in a handshake, involving a sequence of "thermal pings" of +1C degrees each, to establish a connection. But in situations where the internet-connected computer and the air-gapped one are in close proximity for an ongoing period, the malware could simply be designed to initiate a data transmission automatically at a specified time (perhaps at midnight when no one's working, to avoid detection) without needing to conduct a handshake each time.

     The time it takes to transmit data from one computer to another depends on several factors, including the distance between the two computers and their position and layout. The researchers experimented with a number of scenarios: with computer towers side-by-side, back-to-back and stacked on top of each other. The time it took them to increase the heat and transmit a "1" varied between three and 20 minutes depending. The time to restore the system to normal temperature and transmit a "0" usually took longer.

     Other Air-Gap Hacking Techniques

     This isn't the only way to communicate with air-gapped systems without using physical media. Past research by other teams has focused on using acoustic inaudible channels, optical channels and electromagnetic emissions. All of these, however, are unidirectional channels, meaning they can be used to siphon data but not send commands to an air-gapped system. The same Ben Gurion researchers previously showed how they could siphon data from an air-gapped machine using radio frequency signals and a nearby mobile phone. That proof-of-concept hack involved radio signals generated and transmitted by an infected machine's video card, which could be used to send passwords and other data over the air to the FM radio receiver in a mobile phone.

     The NSA reportedly has been using a more sophisticated version of this technique to not only siphon data from air-gapped machines in Iran and elsewhere but also to inject them with malware, according to documents leaked by Edward Snowden. Using an NSA hardware implant called the Cottonmouth-I, which comes with a tiny embedded transceiver, the agency can extract data from targeted systems using RF signals and transmit it to a briefcase-sized relay station up to 8 miles away. There's no evidence yet that the spy agency is using heat emissions and thermal sensors to steal data and control air-gapped machines; their RF technique is much more efficient than thermal hacking. But if university researchers in Israel have explored the idea of thermal hacking as an attack vector, the NSA has likely considered it too. Source
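The article describes the signalling as square-wave steps of about one degree held for a predefined window (three to 20 minutes per "1"). From the defender's side, that regularity is the thing to look for in sensor telemetry: ordinary workload produces long, irregular rises, while a channel like this produces several short, similar-height plateaus in a row. The script below is an added illustration, not code from the article or from the Ben Gurion researchers. It assumes readings are (seconds, degrees Celsius) pairs sampled every 30 s from one chassis or CPU sensor; the thresholds, the sample period and the trace generator are constructed for the example.

```python
"""Heuristic detector for thermal-modulation patterns in sensor telemetry.

Added example, not code from the article or from the BitWhisper authors.
Assumed input: a list of (seconds, celsius) samples taken every 30 s.
"""

SAMPLE_PERIOD_S = 30       # assumed sensor polling interval
STEP_C = 0.7               # minimum rise above baseline to count as a plateau
MIN_PLATEAU_S = 3 * 60     # article: 3 to 20 minutes per transmitted "1"
MAX_PLATEAU_S = 25 * 60    # a little slack above the 20-minute figure
MIN_PLATEAUS = 3           # flag only when several clean steps occur


def baseline(samples):
    """Idle temperature estimate: the 10th percentile, so a signalling
    system that is 'hot' half the time does not drag the baseline up."""
    temps = sorted(t for _, t in samples)
    return temps[len(temps) // 10]


def plateaus(samples, base):
    """Return (start_s, end_s) for every run where temp >= base + STEP_C."""
    runs, start = [], None
    for ts, temp in samples:
        hot = temp >= base + STEP_C
        if hot and start is None:
            start = ts
        elif not hot and start is not None:
            runs.append((start, ts))
            start = None
    if start is not None:                      # run still open at end of trace
        runs.append((start, samples[-1][0] + SAMPLE_PERIOD_S))
    return runs


def suspicious_plateaus(samples):
    """Plateaus whose length matches the per-bit hold time the article reports."""
    base = baseline(samples)
    return [(s, e) for s, e in plateaus(samples, base)
            if MIN_PLATEAU_S <= e - s <= MAX_PLATEAU_S]


def is_suspicious(samples):
    """True when enough bit-sized plateaus appear to merit a closer look."""
    return len(suspicious_plateaus(samples)) >= MIN_PLATEAUS


def make_trace(pattern, hold_s, base=40.0):
    """Constructed trace: square wave where '1' = base + 1.0 C, '0' = base,
    each symbol held for hold_s seconds."""
    out, t = [], 0
    for bit in pattern:
        for _ in range(hold_s // SAMPLE_PERIOD_S):
            out.append((t, base + (1.0 if bit == "1" else 0.0)))
            t += SAMPLE_PERIOD_S
    return out


if __name__ == "__main__":
    signalling = make_trace("1010101", hold_s=300)
    print("alternating +1C steps:", is_suspicious(signalling))   # True
    long_job = [(t, 40.0) for t in range(0, 3600, 30)] + \
               [(t, 41.0) for t in range(3600, 6300, 30)]
    print("single 45-minute rise:", is_suspicious(long_job))     # False
```

The detector only flags; it never tries to decode a message, because for monitoring purposes the existence of a regular channel is the finding. Tune STEP_C to the sensor's noise floor before deploying it on real telemetry.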
  6. Aerosol

    ;)))

    Hi, @Gecko, look at the avatar at the top, he has "Subway Writer", that's why I said he's copying me.
  7. Many of us probably think, what is the benefit of tracking a mail, so why should I care, right? Wrong! Everyone is stealing or trying to steal as much data as possible. Today, information is worth everything. Companies send you emails they've already got vetted. The ones who do such activities can see when you open a mail, what you click after that and what your location is. They track emails by adding small images or pixels that inform them about your data. These tracking tools work once you click the mail, so the only method to stop being tracked by anyone is not opening that mail. The question here is how one can know if the mail is the safe one or the tracked one before opening it.
     Today I came across a tool called "Ugly Email" which will do this job for you. Ugly Email checks all your emails and exposes the ones being tracked. Each tracked mail is shown with an "evil eye" to easily recognize such emails. Currently, this works by detecting pixels from Yesware, Streak, MailChimp, Mandrill, Bananatag and Postmark. They are actively working on adding more.
     Here are the simple steps to make it work:
     Step 1: Open your Google Chrome browser on your PC.
     Step 2: Click this link to install Ugly Email to save yourself from tracked emails.
     Step 3: Click "Add to Chrome" in the new tab and you are good to go.
     Step 4: The next time you receive an e-mail, a tiny eye symbol will be there. It is an indication that it is vetted by some tracking tool.
     Note: This tool only works with Gmail and is currently available as a Chrome extension. They are working to add Firefox support very soon. Some of you might not see the eye symbol on any of your e-mails; that's because you got no vetted mails. Source
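The post says tracking works through small images whose URL identifies the recipient, and that the extension spots known providers' pixels before you open the mail. The same check can be run on a raw HTML body before rendering it, which is how a mail gateway or a personal filter would do it. The script below is an added illustration, not Ugly Email's code; it flags an image as a tracking pixel when it comes from a known tracker host (the hostnames here are constructed placeholders, not the real Yesware/Streak/MailChimp domains) or when it is both tiny or hidden and carries a long opaque per-recipient token in its URL. Both sample messages are constructed.

```python
"""Tracking-pixel detector for HTML email bodies.

Added example, not Ugly Email's code. Tracker hostnames are constructed
placeholders; the two sample messages are constructed too.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed stand-ins for a real tracker allow-list
KNOWN_TRACKER_HOSTS = {"track.example-mailer.invalid", "open.example-crm.invalid"}
# A long opaque identifier in the path or query is the per-recipient key
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,}")


class _ImgCollector(HTMLParser):
    """Collects the attribute dict of every <img> tag in the body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny_or_hidden(attrs):
    """1x1 / 0x0 dimensions or a hiding style are the classic pixel shapes."""
    w = attrs.get("width", "").strip().rstrip("px")
    h = attrs.get("height", "").strip().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (w in ("0", "1") and h in ("0", "1")) \
        or "display:none" in style or "visibility:hidden" in style


def _has_opaque_token(src):
    """True if a path segment (extension stripped) or query value is a token."""
    u = urlparse(src)
    values = [seg.split(".")[0] for seg in u.path.split("/") if seg]
    for vals in parse_qs(u.query).values():
        values.extend(vals)
    return any(TOKEN_RE.fullmatch(v) for v in values)


def find_tracking_pixels(html):
    """Return [(src, [reasons])] for every image with at least one signal."""
    collector = _ImgCollector()
    collector.feed(html)
    hits = []
    for img in collector.images:
        src = img.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if host in KNOWN_TRACKER_HOSTS:
            reasons.append("known-tracker-host")
        if _is_tiny_or_hidden(img):
            reasons.append("tiny-or-hidden")
        if _has_opaque_token(src):
            reasons.append("opaque-token")
        if reasons:
            hits.append((src, reasons))
    return hits


def is_tracked(html):
    """Known host alone is enough; otherwise require two weaker signals, so a
    plain 1x1 spacer gif or a CDN asset with a hashed name is not flagged."""
    return any("known-tracker-host" in r or len(r) >= 2
               for _, r in find_tracking_pixels(html))


# Constructed sample bodies
SAMPLE_TRACKED = """<html><body><p>Hello</p>
<img src="https://track.example-mailer.invalid/o/aB3dE5fG7hI9jK1lM3nO5pQ7.gif"
     width="1" height="1" style="display:none">
<img src="https://cdn.example.invalid/logo.png" width="200" height="60">
</body></html>"""
SAMPLE_SPACER = """<html><body><p>Hi</p>
<img src="https://cdn.example.invalid/spacer.gif" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    print(find_tracking_pixels(SAMPLE_TRACKED))
    print("tracked:", is_tracked(SAMPLE_TRACKED), "spacer:", is_tracked(SAMPLE_SPACER))
```

Run it over the HTML part of a message before it is rendered; the point of checking the raw body is that nothing is fetched, so the sender learns nothing from the check itself.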
  8. The Packet
     Let's look at the packet. That's the thing that makes the internet work, lots of data goes on those, anywhere from 20 bytes to 65335 bytes. However, in practice packets are usually around 600 bytes in size. That data stores a lot of info; some is redundant, some is needed, and some is 0'd out. There's a header, a body, extra space, and then error check and footer. It's actually kind of easy to end up with a couple screwed up bits in a packet (obviously not every packet is screwed up, but it's not 1 out of every million either).
     Changing a little bit of the Packet
     What packet steganography is about is changing a couple of bits over a couple of packets. Similar to image steganography, it's almost impossible to detect (in small quantities) (assuming feds are downloading all the data) as packets are not known to all be made equally. I'm going to quickly give an example. Game A wants to send packet [00010101010001000010101010...000010101011000101...] to Game Server 3. However, you can copy that packet and then resend a slightly modified one, which will look like: [00010101010001000010101010...111110101001001000...] Since a massive amount of data is constantly being sent back and forth from the server to you, the packets can be modified a decent amount so information is carried, but one doesn't have to break the checksum by modifying too many bytes. Multiply 40 bits over a couple thousand packets, and a decent amount of data can be sent covertly from you to the server. What's the best part of this? If you hack servers that get a lot of traffic, it's almost impossible to tell who sent what modded packets to the server even if all of the data is logged because every single packet appears to be legitimate. While there is a decent amount of modded data transferred you can't just go and start downloading ripped movies with this.
     The point of packet steganography isn't to anonymize your downloads, but to send little messages over networks that won't be found by normal means. Obviously, if person A tries to send messages to person B, A won't send them directly. Instead, he could keep them in an encrypted part of a server. When person B wants to see the message, he unlocks the message by passing the correct key.
     Pseudocode example
     Using MS Maplestory packets is nice, because they used to be pretty obvious as to what was going on. After the packet header came the data of A) what action you were doing and (if a message) what the message was. The message was in plaintext hexadecimal format. Using the code below, we are going to edit a little character of every single message. To anyone looking at the packet it still appears to be a normal message, just with a small typing error. However, to the server and to you, the message really is no longer a message anymore. It's a specific set of instructions. The first couple of whispers to some random person validates to the server that you are the IP to grab the packets from. The final whisper (or packet) the server sees is a specific command to the server. It could be wipe the program on it, it could be tell these servers to do x, y, and z, or it could just be telling the server that there is going to be a new pattern to look out for, and at what certain time.
     Code for your side:

     public Whatever{
         //obviously it depends for whatever server you hacked into, and what app communicates with the server, but for now lets pretend we hacked into a maplestory server
         //cool thing about MS is that the packets are pretty easy to understand
         //yes I realize I am turning Java into a scripting language below, but w/e
         public void initContact{
             for(int i=0; i<10; i++){
                 String x=scan.grabPacket();
                 x=x.substring(0,12)+Integer.toHexString(i)+Integer.toHexString(i)+x.substring(14,x.length());
                 XClass.sendPacket(x);
                 //totally possible if string x winds up being a valid packet, which it is since it's just hex
                 //obviously you have to make a sendPacket method
                 if(scan.nextPacket.equals(neededPacket)
                     XClass.sendPacket(endPacket(Action, Type, IP, Add_Instruct)
                 else
                     System.out.println("Connection was unable to be made");
             }
         }
         public String endPacket(String x1, String x2, String x3, String x4){
             return grabHeader() + " 3A BB 0C FF 2D "+mod(x1)+" "+mod(x2)+" 3C "+mod(x3)+" 85 26 "+mod(x4)+grabFooter();
         }
     }

     Code for the server (the server is not constantly loading all packets, it only works for a specific amount of time):

     import everything2.etc
     //you have to watch out the data storage for this one
     class ServerInner{
         public void acceptEverything() {
             //kills program in 2 minutes
             long num = 2 * 60 * 1000; //min*sec*milli
             Timer t = new Timer();
             t.schedule( new TimerTask(){public void run(){} }, num);
             // no this isn't a legit method, you'd want to use outside resources for this part
             //but at least the method dies in the two minute timeframe
             XClass.storeAllPackets();
         }
         public void sortThrough(PacketList P, Method a){
             int x=p.length()
             for(int i=0; i<p.length(); i++){
                 if(!a.follows(p.get(i))){ p.rem(i); i--; }
             }
             //after that method runs, the only packets left should be from you
             //obviously it is theoretically possible someone else did the exact same as you, so you'd then check them
             for(int i=0; i<p.length(); i++){
                 if(!a.check(p.get(i))){ p.rem(i); i--; }
             }
             //now all that's left is the correct one
         }
         public void finishUP(){
             if(p.length()>0){
                 //translates the info packet from the correct IP if an ip was gathered
                 translate(XClass.nextPacketFrom(p.get1IP()), a);
                 //runs whatever it got
                 run();
             }
             //wipes all data that was stored, logs in database
             StartClass.wipe();
         }
     }

     Rough Example in Real Life Application
     Packet steganography can also be used for sending out instructions to a botnet since you don't really need to send that much information to tell x to DDOS y, now do you? Here's a rough guide of how you'd accomplish communicating through your bots to start a DDOS attack w/ packet steganography, from setting up the server to attacking the kid who beat you in MW3:
     1) Find a good server that has a decent amount of traffic, but nothing too sketchy.
     2) Get root access on this server.
     3) Download wireshark if you don't already have it.
     4a) Write your program to test the wireshark logs to find a pattern in packet anomalies (you figure this one out on your own).
     4b) Write the program that can send out edited packets from your machine.
     5) Set up another program that connects the wireshark program with your botnet server.
     6) Set up a last program that wipes your traces of you fucking off with the server.
     7) Run 6 and leave the shell you set up if you want (I suggest keeping some part of it intact though, depends on what you want to do).
     8) Set up a couple more of these steno servers.
     9) Realize that you can now send instructions easily but make it look like it's a normal connection. Want to ddos server agh554? Connect with one of those servers and send the right kind of packets for a little while. Next thing you know your DDOS servers will be connecting with each other to get the details down and start the attack at the time specified.
     Because of the way the information is transferred from you to the server it'll be hard to trace the botnet back to you and then convict you as the one who pulled the strings behind a DDOS of a n00b MW3 player. I know that a couple people already do this, but now you know how too.
     Ending Thoughts (Read it though)
     So why the hell does this matter?
     A) all the data will look legitimate
     B) you can send it from different sources and it doesn't really matter as long as the packets are getting screwed correctly
     C) You think it's easy to look through every single packet sent to a server that gets a lot of traffic for the past 4ish months and then find the packets that link with the pattern?
     D) can be used for stuff other than botnets
       i) You can send encryption keys through this and then wipe the programs you installed.
       ii) anonymous communication
     E) MITM attacks don't matter unless the MITM got your src (look at number 4)
     Problems with this?
     1) Server gets taken by the feds. They won't be too happy about this
     2) A wingding manages to replicate the correct stream, and then gives out commands for your server. This is something you'll just have to accept. Anonymity is what we are going for, too many traces = too many chances of someone finding a link
     3) No well known VPNs allow packet modification at the moment.
     4) if the feds got your SRC since you and 800 other skids are using the same program, and they catch you are modding packets, you're kinda screwed if they catch you redhanded
     5) "I don't get it"
     Solutions to the problems
     1) If modded packets are the only connections between your bots and your servers, it's a lot harder to trace since the server has a massive amount of people using it
     2) Nothing really, make it so it can't easily be replicated
     3) wait for it [breathing intensifies]
     4) Don't be a skid
     5) See above. Or, read the links at the bottom of the page, learn something interesting, and prove to me that there are users with brains here
     Credits: TF
  9. With what shall we commune this evening? Neighbors, please join me in reading this eighth release of the International Journal of Proof of Concept or Get the Fuck Out, a friendly little collection of articles for ladies and gentlemen of distinguished ability and taste in the field of software exploitation and the worship of weird machines. If you are missing the first seven issues, we the editors suggest pirating them from the usual locations, or on paper from a neighbor who picked up a copy of the first in Vegas, the second in São Paulo, the third in Hamburg, the fourth in Heidelberg, the fifth in Montréal, the sixth in Las Vegas, or the seventh from his parents' inkjet printer during the Thanksgiving holiday.

     We begin our show tonight in Section 2 with something short and sweet, an executable poem by Morgan Reece Phillips. Funny enough, 0xAA55 is also Pastor Laphroaig's favorite number!

     We continue in Section 3 with another brilliant article from Micah Elizabeth Scott. Having bought a BD-RW burner, and knowing damned well that a neighbor doesn't own what she can't open, Micah reverse engineered that gizmo. Sniffing the updater taught her how to dump the firmware; disassembling that firmware taught her how to patch in new code; and, just to help the rest of us play along, she wrapped all of this into a fancy little debugging console that's far more convenient than the sorry excuse for a JTAG debugger the original authors of the firmware most likely used.

     In Section 4, Pastor Laphroaig warns us of the dangers that lurk in trusting The Experts, and of one such expert whose witchhunt set back the science of biology for decades. This article is illustrated by Boris Efimov, may he rot in Hell.

     In Section 5, Eric Davisson describes the internals of TCP/IP as a sermon against the iniquity of the abstraction layers that, while useful to reduce the drudgery of labor, also cloud a programmer's mind and keep him from seeing the light of the hexdump world.

     Ange Albertini is known to our readers for short and sweet articles that quickly describe a clever polyglot file in a page or two. In Section 6, he finally presents us with a long article, a listing of dozens of nifty tricks that he uses in PoC‖GTFO, Corkami, and other projects. Study it carefully if you'd like to learn his art.

     In Section 7, BSDaemon and Pirata extend the RDRAND trick of PoC‖GTFO 3:6, with devilish cunning and true buccaneer daring, to actual Intel hardware, showing us poor landlubbers how to rob not only unsuspecting virtual machines but also normal userland and kernel applications that depend on the new AES-NI instructions of their precious randomness, and much more. Quick, hide your AES! Luckily, our neighborly pirates show how.

     Section 8 introduces us to Ryan O'Neill's Extended Core File Snapshots, which add new sections to the familiar ELF specification that our readers know and love.

     Recently, Pastor Laphroaig hired Count Bambaata on as our Special Correspondent on NASCAR. After his King Midget stretch limo was denied approval to compete at the Bristol Motor Speedway, Bambaata fled to Fordlandia, Brazil in a stolen (the Count himself says "liberated") 1957 Studebaker Bulletnose in search of the American Dream. When asked for his article on the race, Bambaata sent us by WEFAX a collection of poorly redacted expense reports and a lovely little rant on Baudrillard, the Spirit of the 90's, and a world of turncoat swine. You can find it in Section 9.

     Section 11 is the latest from Ben Nagy, a peppy little parody of Hacker News and New-Media Web 2.0 Hipster Fashion Accessorized Cybercrime in the style of Gilbert and Sullivan. Sing along, if you like!

     Finally, in Section 12 we do what churches do best and pass around the old collection plate. We don't need alms of Dollars or Euros, so send those to Hackers for Charity in Uganda. Rather, we pass the plate to ask for your doodles and your sketches, your crazy ideas that work well enough to prove the concept, well enough to light up the mind, well enough to inspire the next lady or gentleman to do something clever and strange.

     Read more: http://www.exploit-db.com/docs/pocorgtfo07.pdf
  10. Have you ever been on a pentest, or troubleshooting a customer issue, and the "next step" was to capture packets on a Windows host? Then you find that installing winpcap or wireshark was simply out of scope or otherwise not allowed on that SQL, Exchange, Oracle or other host? It used to be that this is when we'd recommend installing Microsoft's Netmon packet capture utility, but even then lots of IT managers would hesitate about using the "install" word in association with a critical server. Well, as they say in networking (and security as well), there's always another way, and this is that way. "netsh trace" is your friend. And yes, it does exactly what it sounds like it does. Type "netsh trace help" on any Windows 7, Windows Server 2008 or newer box, and you'll see the following:

     C:\>netsh trace help
     The following commands are available:
     Commands in this context:
     ?              - Displays a list of commands.
     convert        - Converts a trace file to an HTML report.
     correlate      - Normalizes or filters a trace file to a new output file.
     diagnose       - Start a diagnose session.
     dump           - Displays a configuration script.
     help           - Displays a list of commands.
     show           - List interfaces, providers and tracing state.
     start          - Starts tracing.
     stop           - Stops tracing.

     Of course, in most cases, tracing everything on any production box is not advisable, especially if it's your main Exchange, SQL or Oracle server. We'll need to filter the capture, usually to a specific host IP, protocol or similar. You can see more on this here:

     netsh trace show capturefilterhelp

     One of the examples in this output shows you how to, e.g.:

     netsh trace start capture=yes Ethernet.Type=IPv4 IPv4.Address=157.59.136.1

     You could also add Protocol=TCP or UDP and so on. Full syntax and notes for netsh trace can be found here: https://technet.microsoft.com/en-us/library/dd878517

     For instance, the following session shows me capturing an issue with a firewall that I'm working on. Note that you need admin rights to run this, the same as any capture tool. In a pentest you would likely specify an output file that isn't in the users' directory.

     C:\>netsh trace start capture=yes IPv4.Address=192.168.122.2

     Trace configuration:
     -------------------------------------------------------------------
     Status:             Running
     Trace File:         C:\Users\Administrator\AppData\Local\Temp\NetTraces\NetTrace.etl
     Append:             Off
     Circular:           On
     Max Size:           250 MB
     Report:             Off

     When you are done capturing data, it's time to stop it:

     C:\>netsh trace stop
     Correlating traces ... done
     Generating data collection ... done
     The trace file and additional troubleshooting information have been compiled as "C:\Users\Administrator\AppData\Local\Temp\NetTraces\NetTrace.cab".
     File location = C:\Users\Administrator\AppData\Local\Temp\NetTraces\NetTrace.etl
     Tracing session was successfully stopped.
     c:\

     The cool thing about this is that it doesn't need a terminal session (with a GUI, cursor keys and so on). If all you have is a metasploit shell, netsh trace works great! If this is a capture for standard sysadmin work, you can simply copy the capture over to your workstation and proceed on with analysis. If this is a pentest, a standard copy might still work (remember, we're on a Microsoft server), but if you need netcat type function to exfiltrate your capture, take a look at PowerCat (which is a netcat port in PowerShell).

     Next, open the file (which is in Microsoft's ETL format) in Microsoft's Message Analyzer app, which you can install on your workstation rather than the server we ran the capture on (Download Microsoft Message Analyzer from Official Microsoft Download Center). Message Analyzer has a surprisingly nice interface and some decent packet parsing; you might be able to wrap up your analysis just in this tool (see below). If you do need another packet analysis tool, it's easy to do a File / Save As / Export, and save as a PCAP file that Wireshark, tcpdump, SNORT, ngrep, standard python or perl calls, or any other standard tool can read natively. Or you can convert to PCAP using PowerShell (of course you can). A short, simple script to do this might look like:

     $s = New-PefTraceSession -Path "C:\output\path\spec\OutFile.Cap" -SaveOnStop
     $s | Add-PefMessageProvider -Provider "C:\input\path\spec\Input.etl"
     $s | Start-PefTraceSession

     This PowerShell cmdlet is not available in Windows 7; you'll need Windows 8, or Server 2008 or newer. (This script was found at "So you want to use Wireshark to read the netsh trace output .etl?" - The troubleshooters and problem solvers... - Site Home - TechNet Blogs.)

     If 'netsh trace' has solved an interesting problem for you, or was the tool that got you some interesting data in a pentest, please, use our comment form to let us know how you used it (within your NDA of course!)

     ======================
     Some extra information to prevent confusion: on Windows 7, the NETSH TRACE command is only available in the 64-bit version of NETSH, so in case it tells you the TRACE command is not available, just make sure to run the 64-bit version...

     c:\>netsh trace
     The following command was not found: trace.

     c:\>run -l netsh
     1) CHOSEN: netsh.exe [C:\Windows\SysWOW64]
     2) netsh.exe [C:\Windows\winsxs\amd64_microsoft-windows-netsh_31bf3856ad364e35_6.1.7600.16385_none_bb95e7e51189d8f9]
     3) windows - What appid should I use with netsh.exe- - Stack Overflow.url [F:\AWS\Sec]

     c:\>run -1 netsh trace
     Running: C:\Windows\SysWOW64\netsh.exe:
     The following command was not found: trace.

     c:\>run -2 netsh trace
     Running: C:\Windows\winsxs\amd64_microsoft-windows-netsh_31bf3856ad364e35_6.1.7600.16385_none_bb95e7e51189d8f9\netsh.exe:
     ?              -
     convert        - Converts a trace file to an HTML report.
     correlate      - Normalizes or filters a trace file to a new output file.
     diagnose       - Start a diagnose session.
     dump           -
     help           -
     show           - List interfaces, providers and tracing state.
     start          - Starts tracing.
     stop           - Stops tracing.

     Source: HERE
  11. Free PC Diagnostics Tool

ESET SysInspector is an easy to use diagnostic tool that helps troubleshoot a wide range of system issues. Coming either as a free, standalone application, or integrated into ESET NOD32 Antivirus and ESET Smart Security, it captures critical and detailed information about your computer.

Solve Problems

While best used to track down the presence of malicious code, ESET SysInspector also comes in handy when resolving issues related to:
- Running processes and services
- Presence of suspicious and unsigned files
- Software issues
- Hardware incompatibility
- Outdated or malfunctioning drivers
- An unpatched operating system
- Broken registry entries
- Suspicious network connections

Easily Identify Problems

ESET SysInspector assigns each entry a color-coded risk level. Simply move the slider to filter out the most severe issues you want to prioritize. Additionally, the "Compare Logs" functionality allows you to keep track of system modifications, simplifying the process of identifying potential problems.

System requirements
- Operating Systems: Windows 8/7/Vista/XP/2000, Windows Server 2012/2008R2/2008/2003/2000
- Processor Architecture: i386 (Intel® 80386), amd64 (x86-64)
- Memory: 38 MB

More Information

For more information please consult the following pages: ESET SysInspector Frequently Asked Questions, ESET SysInspector Changelog

Link: ESET :: SysInspector :: Free PC Diagnostic Tool
  12. Link: Proxies.txt at Share Send
  13. Aerosol

    myxz account

    I'm going to share my personal account with you (send a PM and I'll give you the user + pass).
    - Over 10 posts (no trolling / off-topic)
    - At least 2/3 months of membership.
    - Don't post here, send me a PM!
    Anyone who doesn't meet these conditions shouldn't bother. I thought I'd do a good deed since I don't really use it. I've sent the account to:
    - @B10S
    Anyone else who wants it, send me a PM.
  14. Author: Pavel Odintsov pavel.odintsov at gmail.com My Twitter
License: GPLv2

FastNetMon - A high performance DoS/DDoS and netflow load analyzer built on top of multiple packet capture engines (netmap, PF_RING, sFLOW, Netflow, PCAP).

What can we do? We can detect hosts in our own network with a large amount of packets per second/bytes per second or flows per second incoming or outgoing from certain hosts. And we can call an external script which can notify you, switch off a server or blackhole the client.

Why did we write this? Because we can't find any software for solving this problem in the open source world!

Install manual for any Linux
Install manual for FreeBSD
Install manual for Mac OS X
Install manual for Slackware

Features:
- Can process incoming and outgoing traffic
- Can trigger block script if certain IP loads network with a large amount of packets per second
- Can trigger block script if certain IP loads network with a large amount of bytes per second
- Can trigger block script if certain IP loads network with a large amount of flows per second
- netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
- PF_RING ZC/DNA support (wire speed processing on tens of MPPS but needs license)
- Can process sFLOW v5
- Can process NetFlow v5, v9, ipfix
- Can use PCAP for packet sniffing
- Can work on mirror/SPAN ports
- Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode
- Can work on server/soft-router
- Can detect DoS/DDoS in 1-2 seconds
- Tested up to 10GE with 5-6 Mpps on Intel i7 2600 with Intel Nic 82599
- Complete plugin support

Supported platforms:
- Linux (Debian 6/7, CentOS 6/7, Ubuntu 12+)
- FreeBSD 9, 10, 11
- Mac OS X Yosemite

What is "flow" in FastNetMon terms? It's one or multiple udp, tcp, icmp connections with unique src IP, dst IP, src port, dst port and protocol.
Main program screen image:

Example for cpu load on Intel i7 2600 with Intel X540/82599 NIC on 400 kpps load:

Example deployment scheme:

Example of first notification:

    subject: Myflower Guard: IP xx.xx.xx.xx blocked because incoming attack with power 120613 pps
    body:
    IP: XX.XX.XX.XX
    Initial attack power: 98285 packets per second
    Peak attack power: 98285 packets per second
    Attack direction: outgoing
    Incoming traffic: 62 mbps
    Outgoing traffic: 65 mbps
    Incoming pps: 66628 packets per second
    Outgoing pps: 98285 packets per second
    Incoming flows: 16
    Outgoing flows: 16

    Incoming UDP
    (list of the 16 incoming flows, one "src < dst bytes packets" line each, omitted)

    Outgoing UDP
    (list of the 16 outgoing flows, one "src > dst bytes packets" line each, omitted)

Example of second notification:

    subject: Myflower Guard: IP xx.xx.xx.xx blocked because incoming attack with power 120613 pps
    body:
    IP: xx.zz.xx.1
    (timestamped per-packet sample lines omitted)

To enable sFLOW simply specify the IP of the server with FastNetMon installed and specify port 6343.

To enable netflow simply specify the IP of the server with FastNetMon installed and specify port 2055.

How can I help the project?
- Test it!
- Share your experience
- Share your improvements
- Test it with different equipment
- Create feature requests

Link: https://github.com/FastVPSEestiOu/fastnetmon
  15. Vane is a GPL fork of the now non-free popular WordPress vulnerability scanner WPScan.

Prerequisites
- Windows not supported
- Ruby => 1.9
- RubyGems
- Git

Installing on:

Debian/Ubuntu

    $ sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev
    $ git clone https://github.com/delvelabs/vane.git
    $ cd vane
    $ sudo gem install bundler && bundle install --without test development

Fedora

    sudo yum install libcurl-devel
    git clone https://github.com/delvelabs/vane.git
    cd vane
    sudo gem install bundler && bundle install --without test development

Archlinux

    pacman -Sy ruby
    pacman -Sy libyaml
    git clone https://github.com/delvelabs/vane.git
    cd vane
    sudo gem install bundler && bundle install --without test development
    gem install typhoeus
    gem install nokogiri

Mac OS X

    git clone https://github.com/delvelabs/vane.git
    cd vane
    sudo gem install bundler && bundle install --without test development

KNOWN ISSUES

Typhoeus segmentation fault: update cURL to version => 7.21 (may have to install from source).

Proxy not working: update cURL to version => 7.21.7 (may have to install from source).

Installation from sources:
1. Grab the sources from http://curl.haxx.se/download.html
2. Decompress the archive
3. Open the folder with the extracted files
4. Run ./configure
5. Run make
6. Run sudo make install
7. Run sudo ldconfig

cannot load such file -- readline

Run sudo aptitude install libreadline5-dev libncurses5-dev. Then, open the directory of the readline gem (you have to locate it):

    cd ~/.rvm/src/ruby-1.9.2-p180/ext/readline
    ruby extconf.rb
    make
    make install

See http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-for-the-ruby-on-rails-console/ for more details

VANE ARGUMENTS

    --update                          Update to the latest revision
    --url | -u                        The WordPress URL/domain to scan.
    --force | -f                      Forces WPScan to not check if the remote site is running WordPress.
    --enumerate | -e [option(s)]      Enumeration.
        option :
          u         usernames from id 1 to 10
          u[10-20]  usernames from id 10 to 20 (you must write [] chars)
          p         plugins
          vp        only vulnerable plugins
          ap        all plugins (can take a long time)
          tt        timthumbs
          t         themes
          vt        only vulnerable themes
          at        all themes (can take a long time)
        Multiple values are allowed : '-e tt,p' will enumerate timthumbs and plugins
        If no option is supplied, the default is 'vt,tt,u,vp'
    --exclude-content-based ''        Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied.
                                      You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)
    --config-file | -c                Use the specified config file
    --follow-redirection              If the target url has a redirection, it will be followed without asking if you wanted to do so or not
    --wp-content-dir                  WPScan tries to find the content directory (ie wp-content) by scanning the index page, however you can specify it. Subdirectories are allowed
    --wp-plugins-dir                  Same thing as --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
    --proxy <[protocol://]host:port>  Supply a proxy (will override the one from conf/browser.conf.json).
                                      HTTP, SOCKS4, SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used
    --proxy-auth username:password    Supply the proxy login credentials (will override the one from conf/browser.conf.json).
    --basic-auth username:password    Set the HTTP Basic authentication
    --wordlist | -w                   Supply a wordlist for the password bruter and do the brute.
    --threads | -t                    The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)
    --username | -U                   Only brute force the supplied username.
    --help | -h                       This help screen.
    --verbose | -v                    Verbose output.

VANE EXAMPLES

- Do 'non-intrusive' checks:

    ruby vane.rb --url www.example.com

- Do wordlist password brute force on enumerated users using 50 threads:

    ruby vane.rb --url www.example.com --wordlist darkc0de.lst --threads 50

- Do wordlist password brute force on the 'admin' username only:

    ruby vane.rb --url www.example.com --wordlist darkc0de.lst --username admin

- Enumerate installed plugins:

    ruby vane.rb --url www.example.com --enumerate p

VANETOOLS ARGUMENTS

    --help | -h                                   This help screen.
    --Verbose | -v                                Verbose output.
    --update | -u                                 Update to the latest revision.
    --generate_plugin_list [number of pages]      Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)
    --gpl                                         Alias for --generate_plugin_list
    --check-local-vulnerable-files | --clvf <local directory>
                                                  Perform a recursive scan in the <local directory> to find vulnerable files or shells

VANETOOLS EXAMPLES

- Generate a new 'most popular' plugin list, up to 150 pages:

    ruby vanetools.rb --generate_plugin_list 150

- Locally scan a WordPress installation for vulnerable files or shells:

    ruby vanetools.rb --check-local-vulnerable-files /var/www/wordpress/

Download: https://github.com/delvelabs/vane

Source: HERE
  16. wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications.

The application fingerprinting is based on checksums and string matching of known files for different versions of CMSes. This results in a score being calculated for each detected CMS and its versions. Each detected CMS is displayed along with the most probable version(s) of it. The score calculation is based on weights and the amount of "hits" for a given checksum. wig also tries to guess the operating system on the server based on the 'server' and 'x-powered-by' headers. A database containing known header values for different operating systems is included in wig, which allows wig to guess Microsoft Windows versions and Linux distribution and version.

wig features:
- CMS version detection by: checksums, string matching and extraction
- Lists detected package and platform versions such as asp.net, php, openssl, apache
- Detects JavaScript libraries
- Operating system fingerprinting by matching php, apache and other packages against values in wig's database
- Checks for files of interest such as administrative login pages, readmes, etc
- Currently wig's databases include 28,000 fingerprints
- Reuse information from previous runs (save the cache)
- Implement a verbose option
- Remove dependency on 'requests'
- Support for proxy
- Proper threading support
- Included check for known vulnerabilities

Requirements

wig is built with Python 3, and is therefore not compatible with Python 2.

There are various other tools which perform similar functions such as CMS identification and issue detection:
– CMSmap – Content Management System Security Scanner
– Droopescan – Plugin Based CMS Security Scanner
– WhatWeb – Identify CMS, Blogging Platform, Stats Packages & More
– BlindElephant – Web Application Fingerprinter
– Web-Sorrow v1.48 – Version Detection, CMS Identification & Enumeration
– Wappalyzer – Web Technology Identifier (Identify CMS, JavaScript etc.)
– WPScan – WordPress Security/Vulnerability Scanner

How it works

The default behavior of wig is to identify a CMS, and exit after version detection of the CMS. This is done to limit the amount of traffic sent to the target server. This behavior can be overridden by setting the '-a' flag, in which case wig will test all the known fingerprints. As some configurations of applications do not use the default location for files and resources, it is possible to have wig fetch all the static resources it encounters during its scan. This is done with the '-c' option. The '-m' option tests all fingerprints against all fetched URLs, which is helpful if the default location has been changed.

Help Screen

    usage: wig.py [-h] [-l INPUT_FILE] [-n STOP_AFTER] [-a] [-m] [-u] [--no_cache_load]
                  [--no_cache_save] [-N] [--verbosity] [--proxy PROXY] [-w OUTPUT_FILE]
                  [url]

    WebApp Information Gatherer

    positional arguments:
      url              The url to scan e.g. http://example.com

    optional arguments:
      -h, --help       show this help message and exit
      -l INPUT_FILE    File with urls, one per line.
      -n STOP_AFTER    Stop after this amount of CMSs have been detected. Default: 1
      -a               Do not stop after the first CMS is detected
      -m               Try harder to find a match without making more requests
      -u               User-agent to use in the requests
      --no_cache_load  Do not load cached responses
      --no_cache_save  Do not save the cache for later use
      -N               Shortcut for --no_cache_load and --no_cache_save
      --verbosity, -v  Increase verbosity. Use multiple times for more info
      --proxy PROXY    Tunnel through a proxy (format: localhost:8080)
      -w OUTPUT_FILE   File to dump results into (JSON)

Example of run:

    $ ./wig.py example.com
    (wig ASCII-art banner)
    WebApp Information Gatherer

    Redirected to http://www.example.com. Continue? [Y|n]:

    TITLE
    --- HTML TITLE ---

    IP
    255.255.255.256

    SOFTWARE                  VERSION                              CATEGORY
    Drupal                    7.28 | 7.29 | 7.30 | 7.31 | 7.32     CMS
    ASP.NET                   4.0.30319.18067                      Platform
    Microsoft-HTTPAPI         2.0                                  Platform
    Microsoft-IIS             6.0 | 7.0 | 7.5 | 8.0                Platform
    Microsoft Windows Server  2003 SP2 | 2008 | 2008 R2 | 2012     Operating System

    SOFTWARE       VULNERABILITIES   LINK
    Drupal 7.28    7                 http://cvedetails.com/version/169265
    Drupal 7.29    3                 http://cvedetails.com/version/169917
    Drupal 7.30    3                 http://cvedetails.com/version/169916

    URL                        NOTE                     CATEGORY
    /login/                    Test directory           Interesting URL
    /login/index_form.html     ASP.NET detailed error   Interesting URL
    /robots.txt                robots.txt index         Interesting URL
    /test/                     Test directory           Interesting URL
    _______________________________________________________________________________
    Time: 15.7 sec   Urls: 351   Fingerprints: 28989

Link: https://github.com/jekyc/wig
  17. Aerosol

    SWATd

    SWATd lets you configure 'sensors' that check your PC's external environment. When enough sensors 'fail', SWATd will run a script for you. Sensors are commands or scripts that get executed repeatedly. A sensor is said to fail when its exit code makes a transition from zero (working) to non-zero (not working). This makes configuration easy and powerful. For example, you can make a sensor that checks if your website is online, and then make a command to alert you when the sensor fails.

    SWATd was originally written as a tool to defend against theft by criminals or to detect when your computer is captured by police. For example, you can set a sensor to detect if your WiFi network is in range, and when it goes out of range, automatically unmount encrypted volumes. So if someone steals your laptop from your house, your files will be safe. Since SWATd only counts the failure when the sensor changes from a "WiFi in range" state to a "WiFi out of range" state, if you use your laptop somewhere else, you don't need to worry about disabling SWATd every time you leave your house.

    WARNING: While this may be helpful for some, there are significant risks. For one, in some countries, including the United States, you could go to jail on obstruction of justice charges just for running SWATd, even though you are innocent. Second, SWATd is not perfect: law enforcement or a smart thief can still dump your RAM, thus getting your encryption keys, before doing anything that would make a sensor fail. Use with caution, and consult an attorney first. It's most likely the case that if you find yourself needing to rely on SWATd, then you have already lost.

    Building and Installing

    To build SWATd, cd into the source code directory and run make. This will create a swatd executable. If you want to install it as a daemon, refer to your operating system's manuals. To run SWATd from a terminal (non-daemon), pass the -s option.
    Arch Linux

    To install SWATd on Arch Linux, copy swatd into /usr/bin:

        # make
        # install swatd /usr/bin/

    Create the configuration file (See the Configuration section below):

        # mkdir /etc/swatd
        # chmod 700 /etc/swatd
        # vim /etc/swatd/swatd.conf

    If you want SWATd to start when you boot, add the following to /etc/systemd/system/swatd.service.

        [Unit]
        Description=SWATd

        [Service]
        Type=forking
        PIDFile=/var/run/swatd.pid
        ExecStart=/usr/bin/swatd -p /var/run/swatd.pid
        Restart=on-abort

        [Install]
        WantedBy=multi-user.target

    Then run:

        # systemctl enable swatd.service
        # systemctl start swatd.service

    You can check the status of SWATd by running:

        # systemctl status swatd.service

    Read SWATd's log entries by running:

        # journalctl /usr/bin/swatd

    Debian

    To install SWATd on Debian, copy swatd into /usr/bin:

        # make
        # install swatd /usr/bin/

    Create the configuration file (See the Configuration section below):

        # mkdir /etc/swatd
        # chmod 700 /etc/swatd
        # vim /etc/swatd/swatd.conf

    Then copy swatd.init to /etc/init.d/ and enable it:

        # cp swatd.init /etc/init.d/swatd
        # update-rc.d swatd defaults

    Configuration

    By default, SWATd looks for a configuration file in /etc/swatd/swatd.conf. Alternatively, you can provide a configuration file path to SWATd with the -c option. In any case, the configuration file must not be world writable, or SWATd will refuse to run.

    The configuration file syntax is extremely simple. There are only three options: interval, threshold, and execute. To set a value for one of the options, begin a line with its name, followed by a colon, followed by the value. Everything after a '#' is treated as a comment (ignored). Blank lines are ignored. All other lines define a sensor command.

    - interval is the number of seconds to wait between sensor checks.
    - threshold is the number of sensors that must fail before assuming you are being raided.
    - execute is the command to execute when you are being raided.
    Here is an example configuration file:

        # This configuration makes SWATd continually check if /tmp/foobar exists. If
        # /tmp/foobar stops existing (goes from existing to not existing), SWATd will
        # write some text to the file /tmp/ran.

        # =============================================================================
        # The number of seconds to wait between sensor checks.
        # =============================================================================
        interval: 30

        # =============================================================================
        # The number of sensors that must 'fail' at the same time.
        # =============================================================================
        threshold: 1

        # =============================================================================
        # The command to execute when 'threshold' sensors fail.
        # =============================================================================
        execute: echo "haiii" > /tmp/ran

        # =============================================================================
        # Sensor commands.
        # A sensor has 'failed' when the exit code transitions from zero to non-zero.
        # If a sensor's exit code transitions from zero to 255, the command will be
        # executed immediately regardless of the 'threshold' setting, and the failure
        # count will not be incremented.
        # WARNING: Sensor commands MUST terminate.
        # =============================================================================
        test -e /tmp/foobar

    Link: https://github.com/defuse/swatd
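As an added example (this is not code from the swatd project), the Configuration rules above re-implemented in Python so the zero-to-non-zero transition, the threshold and the exit-code-255 shortcut can be exercised offline with constructed exit codes. The config text, the sensor commands, the sensor timeout, and the assumptions that a sensor returning to zero clears its failure and that `execute` fires on the tick in which the count reaches `threshold` are mine, not the README's.

```python
"""SWATd-style sensor state machine, re-implemented for illustration (not swatd's code).

Rules taken from the README: options interval/threshold/execute, '#' starts a comment,
every other non-blank line is a sensor command, a sensor fails only when its exit code
goes from zero to non-zero, and zero -> 255 fires `execute` at once without touching the
failure count.  Assumptions of this example: a sensor back at zero clears its failure,
and `execute` fires on the tick in which the failure count reaches `threshold`.
"""
import os
import stat
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed config in the README's syntax (threshold raised to 2 to show the counting).
SAMPLE_CONFIG = """\
interval: 30                    # seconds between sensor checks
threshold: 2                    # sensors that must fail at the same time
execute: echo "haiii" > /tmp/ran
test -e /tmp/foobar             # sensor 0
ping -c 1 -W 1 192.0.2.1        # sensor 1 (TEST-NET-1 address, constructed)
iwgetid -r | grep -q homenet    # sensor 2: is the home WiFi still associated?
"""


@dataclass
class Config:
    interval: int = 60
    threshold: int = 1
    execute: Optional[str] = None
    sensors: List[str] = field(default_factory=list)


def parse_config(text: str) -> Config:
    """Parse the README's format; any line that is not one of the three options is a sensor."""
    cfg = Config()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # everything after '#' is a comment
        if not line:
            continue
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key in ("interval", "threshold"):
            setattr(cfg, key, int(value))
        elif sep and key == "execute":
            cfg.execute = value.strip()
        else:
            cfg.sensors.append(line)
    if cfg.execute is None:
        raise ValueError("config must set 'execute'")
    return cfg


def config_mode_ok(mode: int) -> bool:
    """SWATd refuses a world-writable config; the same check on a stat() mode value."""
    return not (mode & stat.S_IWOTH)


def load_config(path: str) -> Config:
    if not config_mode_ok(os.stat(path).st_mode):
        raise PermissionError(f"{path} is world writable; refusing to run")
    with open(path, encoding="utf-8") as fh:
        return parse_config(fh.read())


def run_sensors(cfg: Config, timeout: float = 10.0) -> List[int]:
    """Run each sensor through the shell and collect exit codes.  The timeout is this
    example's addition; the README only warns that sensor commands MUST terminate."""
    codes = []
    for cmd in cfg.sensors:
        try:
            codes.append(subprocess.run(cmd, shell=True, timeout=timeout).returncode)
        except subprocess.TimeoutExpired:
            codes.append(124)                    # treat a hung sensor as failed
    return codes


class Swatd:
    def __init__(self, cfg: Config):
        self.cfg = cfg
        self.last: List[Optional[int]] = [None] * len(cfg.sensors)  # None = not checked yet
        self.failed: List[bool] = [False] * len(cfg.sensors)
        self.executions: List[str] = []          # what would have been executed, in order

    def tick(self, exit_codes: List[int]) -> bool:
        """Apply one round of sensor exit codes; return True if `execute` fired."""
        if len(exit_codes) != len(self.cfg.sensors):
            raise ValueError("one exit code per sensor expected")
        immediate = newly_failed = False
        for i, code in enumerate(exit_codes):
            prev, self.last[i] = self.last[i], code
            if prev == 0 and code == 255:
                immediate = True                 # zero -> 255: fire now, count untouched
            elif prev == 0 and code != 0:
                self.failed[i] = newly_failed = True
            elif code == 0:
                self.failed[i] = False           # sensor is working again (assumption)
        if immediate or (newly_failed and sum(self.failed) >= self.cfg.threshold):
            self.executions.append(self.cfg.execute)
            return True
        return False
```

A first observation of a non-zero exit code is not a failure, since there was no zero to transition from; that is why a freshly started daemon does not fire on sensors that were already failing.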
  18. Zer0 is a user friendly file deletion tool with a high level of security. With Zer0, you'll be able to delete files and to prevent file recovery by a 3rd person. So far, no user reported an efficient method to recover a file deleted by Zer0.

Features
- User friendly HMI: Drag'n'drop, 1 click and the job is done!
- High security file deletion algorithm
- Multithreaded application core: Maximum efficiency without freezing the application.
- Internationalization support.

DOWNLOAD LINK: KC Softwares
  19. Configuring libcurl 7.41.0 with OpenSSL for Visual Studio 2013

In this tutorial I will go over configuring Visual Studio for seamless usage with the libcurl 7.41.0 and OpenSSL libraries. I have included references to articles found related to the compilation and common issues.

What is curl?

curl is a command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, Gopher, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMB, SMTP, SMTPS, Telnet and TFTP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, HTTP/2, cookies, user+password authentication (Basic, Plain, Digest, CRAM-MD5, NTLM, Negotiate and Kerberos), file transfer resume, proxy tunneling and more.

Required tools & libraries
1.] Visual Studio 2013 for Desktop (Ultimate, Team, etc)
2.] ActivePerl 5.20.1
3.] 7-Zip 9.20 for Extracting tar.gz
4.] OpenSSL 1.0.2
5.] curl 7.41.0

Compiling OpenSSL static libraries

OpenSSL has made it quite easy by integrating Perl and Visual Studio to compile right from the Visual Studio Command Prompt.
1.] Verify ActivePerl 5.20.1 and Visual Studio 2013 are correctly installed.
2.] Download and extract OpenSSL with 7-Zip; in this example we will use: C:\openssl
3.] Open the Visual Studio Developer Command Prompt
4.] Start -> All Programs -> Visual Studio 2013 -> Visual Studio Tools -> Developer Command Prompt for VS2013
5.] Make sure to run as administrator in case there are any file permission errors while executing Perl

Now we are ready to configure OpenSSL; as said, there are no major changes that need to be made to make this function without issue. We have a few options depending on the specifics of your target base; in this case, I am going to deploy 32 bit static libraries as they work fine on the x64 based processor line.

1.] In the command prompt, change to the directory you extracted OpenSSL to; I used c:\openssl.

    cd c:\openssl

2.] Type the build that best suits your needs; you can just copy the following and it should execute without problem.

Building the 32-bit static libraries

    perl Configure VC-WIN32 --prefix=C:\Build-OpenSSL-VC-32
    ms\do_ms
    nmake -f ms\nt.mak
    nmake -f ms\nt.mak install

Building the 32-bit static libraries with debug symbols

    perl Configure debug-VC-WIN32 --prefix=C:\Build-OpenSSL-VC-32-dbg
    ms\do_ms
    nmake -f ms\nt.mak
    nmake -f ms\nt.mak install

Building the 64-bit static libraries

    perl Configure VC-WIN64A --prefix=C:\Build-OpenSSL-VC-64
    ms\do_win64a
    nmake -f ms\nt.mak
    nmake -f ms\nt.mak install

Building the 64-bit static libraries with debug symbols

    perl Configure debug-VC-WIN64A --prefix=C:\Build-OpenSSL-VC-64-dbg
    ms\do_win64a
    nmake -f ms\nt.mak
    nmake -f ms\nt.mak install

After executing it may take a minute, but it will output your includes and static libraries afterwards:

    perl util/copy.pl "out32\openssl.exe C:\Build-OpenSSL-VC-32\bin"
    Copying: out32/openssl.exe to C:/Build-OpenSSL-VC-32/bin/openssl.exe
    perl util/mkdir-p.pl "C:\Build-OpenSSL-VC-32\ssl"
    created directory `C:/Build-OpenSSL-VC-32/ssl'
    perl util/copy.pl apps\openssl.cnf "C:\Build-OpenSSL-VC-32\ssl"
    Copying: apps/openssl.cnf to C:/Build-OpenSSL-VC-32/ssl/openssl.cnf
    perl util/copy.pl "out32\ssleay32.lib" "C:\Build-OpenSSL-VC-32\lib"
    Copying: out32/ssleay32.lib to C:/Build-OpenSSL-VC-32/lib/ssleay32.lib
    perl util/copy.pl "out32\libeay32.lib" "C:\Build-OpenSSL-VC-32\lib"
    Copying: out32/libeay32.lib to C:/Build-OpenSSL-VC-32/lib/libeay32.lib

Note: If you are trying to link your libraries and receive an error relating to ml64, then your Visual Studio isn't configured as x64; you will need to go into the OpenSSL folder, delete the tmp32 folder and recompile as a 32 bit library. If this folder is not deleted you will continue to receive errors.

1.] After it's compiled, go to the output directory, example, C:\Build-OpenSSL-VC-32.
2.] Open your Visual Studio C directory, example, C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC.
3.] Copy and merge the 'lib' and 'include' directories from the OpenSSL output directory into the 'C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC' directory.

You are done with the OpenSSL portion.

Compiling libcurl static libraries

Now that you have that done, we will need to configure libcurl. It has been made quite simple if you download the latest build; it comes with Visual Studio 2013 projects included.
1.] Extract libcurl
2.] Open the libcurl folder, then go to: projects -> Windows -> VC12
3.] Open 'curl-all.sln'
4.] Go to Build -> Uncheck 'curlsrc' as we don't need this.
5.] Under 'libcurl', choose LIB Release - LIB OpenSSL, as it will bind a static library that does not require exported DLLs.

After it's done compiling, go to the 'curl-7.41.0' directory. Copy and merge the 'include' folder from there with 'C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC' as we did in the previous steps while setting up OpenSSL. There will also be a 'build' folder in the root of the 'curl-7.41.0' directory:

    build -> Win32 -> VC12 -> LIB Release - LIB OpenSSL

Copy the file 'libcurl.lib' into the 'lib' folder located at 'C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC'.

Since these are static libraries, not all functions from Windows have been previously exported. You will still need to link against 'Ws2_32.lib' and 'Wldap32.lib' for specific functions of 'libcurl' in Visual Studio; however, you will not need any external DLL files. Make sure to define 'CURL_STATICLIB' in your Preprocessor Definitions.

If you are having linker errors, try going to Project Properties -> Linker -> Additional Dependencies in your Visual Studio project and add the following:

    libcurl.lib
    libeay32.lib
    ssleay32.lib
    ws2_32.lib
    wldap32.lib

You should be good to go after this. Example source for Visual Studio 2013:
    #include "stdafx.h"
    #include <windows.h>
    #include <stdio.h>
    #include <curl\curl.h>

    int main(void)
    {
        CURL *curl;
        CURLcode res;

        curl = curl_easy_init();
        if (curl) {
            curl_easy_setopt(curl, CURLOPT_URL, "http://example.com");
            /* example.com is redirected, so we tell libcurl to follow redirection */
            curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);

            /* Perform the request, res will get the return code */
            res = curl_easy_perform(curl);
            /* Check for errors */
            if (res != CURLE_OK)
                fprintf(stderr, "curl_easy_perform() failed: %s\n",
                        curl_easy_strerror(res));

            /* always cleanup */
            curl_easy_cleanup(curl);
        }
        return 0;
    }

References: http://developer.covenanteyes.com/building-openssl-for-visual-studio/

Source: sludg3 @ TF
  20. Not the best but was thinking about making a patch just for fun and educational reasons. Trial: Antivirus Downloads | ESET Internet Security Software Downloads :: Detail :: ESET NOD32 Antivirus 8 Reg Part: Source: E0F @ TF
  21. Happy birthday @em, may you be healthy, get everything you wish for, and have as much to drink as possible.
  22. First discovered XLS - 3f7118a2ff787e61b5d18ba0591a29f90349d8ab93aa7d005cdf833f8c9895b2 Dropped file - 69cd44995cd8705f9d21cecc978b6a646eefb9872761844fd33b05b7ac2f0767 other samples: 0b75e6364bb63043cf60c8adc98a5749b5167322f8951b128b56768158e3f576 578bb18c52242192d6404f3263930f0992dc6babbcbdd72f393228de036a0ea5 f0f83d8a8eb7737a92212fe0a13045a3f867c580a47191a048465cd1efb41905 9bec8af624f7df5eeb8d0b072ad8914dded727cb0a58ebf45a9e4df9d7bdf8fd a9b7c289cea29941b0c4c0e2809d703f934dbcc29c13b4bc900b0ee973108984 Download Pass: infected
23. I searched and did not see this posted here yet, sorry if I missed it.
C2 domain: cybercrime[.]rocks
C2 URI struct: /cryptotolarance/add.php?hwid=[redacted]&winversion=[kernelversion]&pswd=[redacted]
Panel: hxxp://cybercrime[.]rocks/cryptotolarance/login.php
Payment onion returned from C2 on 3-18-15: iupfnqg2uaigwoei
I have not done any debugging/RE on this, but it seems to check Geoloc (api.wipmania.com) and if US is returned does not carry out part of its functionality.

Suricata rule:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Exaction Cryptolocker CnC Beacon"; flow:established,to_server; content:".php?"; http_uri; content:"hwid="; http_uri; content:"winversion="; http_uri; fast_pattern:only; content:"pswd="; http_uri; content:!"Referer|3a|"; http_header; reference:md5,b5ea8f65bd7845aeaf0732b8aacacc86; classtype:trojan-activity; sid:1; rev:1;)

Download
Pass: infected
Source
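As an added illustration of what the Suricata rule in the post above keys on (this is not part of the original post), the following Python function applies the same conditions to HTTP request records: all four content matches are on the URI, and the negated Referer match means a beacon is only flagged when the request carries no Referer header. The request records, the hwid/pswd values and the example.com request are constructed sample data; the connection state (flow:established,to_server) is assumed and not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class HttpRequest:
    """Minimal view of a client-to-server HTTP request (constructed sample data)."""
    host: str
    uri: str
    headers: dict = field(default_factory=dict)

def matches_cnc_beacon(req: HttpRequest) -> bool:
    """Mirror the rule's checks: four URI content matches and no Referer header.

    Each http_uri content match is a substring match on the request URI.
    content:!"Referer|3a|" (|3a| is the hex escape for ':') is a negated match,
    so the rule only fires when the literal "Referer:" header is absent.
    """
    uri_tokens = (".php?", "hwid=", "winversion=", "pswd=")
    if not all(token in req.uri for token in uri_tokens):
        return False
    has_referer = any(name == "Referer" for name in req.headers)
    return not has_referer

# Constructed sample traffic shaped like the URI structure quoted in the post.
SAMPLE_REQUESTS = [
    # Beacon: all four URI tokens present, no Referer -> alert.
    HttpRequest("cybercrime[.]rocks",
                "/cryptotolarance/add.php?hwid=SAMPLE-HWID&winversion=6.1&pswd=SAMPLEPW"),
    # Same URI fetched by a browser with a Referer: the negated match excludes it.
    HttpRequest("cybercrime[.]rocks",
                "/cryptotolarance/add.php?hwid=SAMPLE-HWID&winversion=6.1&pswd=SAMPLEPW",
                {"Referer": "hxxp://cybercrime[.]rocks/cryptotolarance/login.php"}),
    # Ordinary web application: ".php?" present but the beacon parameters are not.
    HttpRequest("example.com", "/index.php?page=1"),
]

def flagged_uris(requests):
    """Return the URIs of the requests the rule logic would alert on."""
    return [r.uri for r in requests if matches_cnc_beacon(r)]

if __name__ == "__main__":
    for uri in flagged_uris(SAMPLE_REQUESTS):
        print("ALERT Exaction Cryptolocker CnC Beacon:", uri)
```

Note that, as in the rule, parameter order in the URI does not matter: each token is matched independently.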
24. Despite anti-skimmer ATM lobby access control systems being available in the market, we have seen a number of incidents in recent years where criminals used card skimmers at ATM doors.
A few years back, cyber criminals started using card skimmers on the door of the ATM vestibule, where customers have to slide their credit or debit cards to gain access to the ATM. The typical ATM skimming devices used by fraudsters capture both the magnetic stripe data contained on the back of a debit or credit card and the PIN number that is entered by the customer when using the ATM.
In a recent case discussed by Brian, a cyber criminal installed the card skimming device on the ATM lobby card access control and a pinhole hidden camera pointed at the ATM's keyboard. Basically, it's an ATM skimmer that requires no modification to the ATM. The card skimmer hidden on the ATM door records the debit and credit card information, and the pinhole camera records the PIN number the victim enters. Using this information, a thief can easily run you out of cash in a matter of minutes.

PROTECT YOURSELF FROM CARD SKIMMERS
The easiest way to protect yourself is simply to cover the keypad with your other hand when you enter your PIN, or simply use a different card (any gift card or store card with a magnetic stripe) to open the lobby doors. Also, if the keyboard of the ATM looks different, do not use that ATM. If you think your password or PIN has been compromised, change it immediately. Make sure to check your financial reports regularly for any strange activity, and in case of unusual patterns of transactions, inform your bank immediately.

NEXT GENERATION CARDLESS ATMs
To ensure users a secure transaction over the ATM, a Canadian bank has come forward to adopt and launch the U.S.'s biggest cardless ATM network, which allows its customers to withdraw cash within seconds without the need for any debit or credit cards, but only their smartphones.
BMO Harris Bank says there is no need to enter a PIN; instead of swiping the card, customers have to sign into the mobile banking app "Mobile Cash", hold their smartphones over the QR code on the ATM screen, and the cash gets delivered.
Source
25. China finally admits it has special cyber warfare units — and a lot of them.
For years China has been suspected by the U.S. and many other countries of carrying out several high-profile cyber attacks, but every time the country strongly denied the claims. However, for the first time the country has admitted that it does have cyber warfare divisions – several of them, in fact.
In the latest updated edition of a PLA publication called The Science of Military Strategy, China finally broke its silence and openly talked about its digital spying and network attack capabilities, and clearly stated that it has specialized units devoted to waging war on computer networks.
An expert on Chinese military strategy at the Center for Intelligence Research and Analysis, Joe McReynolds, told TDB that this is the first time China has explicitly acknowledged that it has secretive cyber-warfare units, on both the military and the civilian-government sides.

CHINESE CYBER WARFARE UNITS
According to McReynolds, China has three types of operational military units:
Specialized military forces to fight the network -- The unit designed to carry out defensive and offensive network attacks.
Groups of experts from civil society organizations -- The unit has a number of specialists from civilian organizations – including the Ministry of State Security (it's like China's CIA) and the Ministry of Public Security (it's like the FBI) – who are authorized to conduct military leadership network operations.
External entities -- The unit sounds a lot like hacking-for-hire mercenaries and contains non-government entities (state-sponsored hackers) that can be organized and mobilized for network warfare operations.
According to experts, all the above units are utilized in civil cyber operations, including industrial espionage against US private companies to steal their secrets.

CHINESE CYBER UNIT 61398
In 2013, the American private security firm Mandiant published a 60-page report that detailed the notorious Chinese hacking group 'Unit 61398', suspected of waging cyber warfare against American companies, organizations and government agencies from or near a 12-story building on the outskirts of Shanghai. Unit 61398 also targeted a number of government agencies and companies whose databases contain vast and detailed information about critical United States infrastructure, including pipelines, transmission lines and power generation facilities.

MOST WANTED CHINESE HACKERS
Last year, the United States filed criminal charges against five Chinese military officials, named Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, for hacking and conducting cyber espionage against several American companies. The alleged hackers were said to have worked with the PLA's Unit 61398 in Shanghai. Besides spying on U.S. companies and stealing trade secrets, they were also accused of stealing information about a nuclear power plant design and a solar panel company's cost and pricing data.
Source