terça-feira, setembro 11, 2012
domingo, setembro 09, 2012
DEFCON 16: Nmap: Scanning the Internet
Speaker: Fyodor, Hacker, Insecure.Org
The Nmap Security Scanner was built to efficiently scan large networks, but Nmap's author Fyodor has taken this to a new level by scanning millions of Internet hosts as part of the Worldscan project. He will present the most interesting findings and empirical statistics from these scans, along with practical advice for improving your own scan performance. Additional topics include detecting and subverting firewall and intrusion detection systems, dealing with quirky network configurations, and advanced host discovery and port scanning techniques. A quick overview of new Nmap features will also be provided.
For more information visit: http://bit.ly/defcon16_information
To download the video visit: http://bit.ly/defcon16_videos
Exploiting the Windows Domain
A common recommendation I often come across is that Internet-facing systems should not be a part of an active Windows domain. As an exercise of interest, I have decided to look at this topic a little deeper and explore what advantage (if any) access to a domain member really provides.
In this scenario I will demonstrate how to gain privilege within a Windows domain using only the tools available on a default Windows install. I will be working under the assumption that:
Next, because I am working from a domain member, I can query the domain controller and check whether it’s aware of any additional domains:
*Note: It is often advantageous to target other domains such as those used for testing and development. These environments will often contain hosts where less emphasis is placed on security.
Next I am interested in knowing what hosts exist on the domain. For this, I can query the domain controller:
Depending on the size of the network this listing can get quite large. I have redirected the output into a text file to prevent continually query the domain controller.
*Note: This command will not typically respond with every Windows host on the network. Only hosts available via NETBIOS are known to the domain controller.
Because I’m on a Windows domain, I can be fairly certain some machines will have file sharing turned on. Large networks are often host to a myriad of file shares with “interesting” data on them. It’s not uncommon to find personally identifiable information or even login credentials sitting on workstation or server shares.
To obtain a list of systems with active shares I can query each domain member by using:
This command will loop over the file containing the domain members (obtained from the previous command) and query each host for open shares. Any errors (i.e. inaccessible systems) are discarded.
As previously mentioned, in some cases you may get lucky and find exactly what you’re looking for within these shares. For the sake of this exercise, however, let’s assume there was nothing interesting found.
Next I am interested in what users and groups exist on the domain. The goal here is to elevate my privileges on the domain (remember, I only have ‘User’ rights on one system thus far). To obtain a list of domain users and groups I can query the domain controller as follows:
Once this information is gathered I want to look for “interesting” user accounts. Usernames containing the words “temp”, “test”, “tst”, “tmp”, "helpdesk", "ftp" are all of interest here as testing and temporary accounts often have simple passwords.
If there are no stand-out usernames in the list above I can direct my efforts on querying the groups:
The domain controller can then be queried to dump the users belonging to that group:
*NOTE: I have chosen to target non-administrative accounts here as they typically have weaker passwords. However, it is certainly not unheard of to have weak passwords on account belonging to “Domain Admins”. Always worth checking :)
Having chosen a number of domain users to target I can now attempt to compromise these accounts through password guessing. I can accomplish this through SMB connection attempts against a host on the domain. Which host I choose here doesn’t matter as authentication occurs against the domain controller and not the host itself.
This script will loop over a list of targeted usernames (in users.txt) and try simple password attempts against each account from the passwords.txt file. Success.txtwill keep a log of successful password guesses. Keep in mind here I am only targeting the low hanging fruit. Only a few passwords are being attempted for each account as to not lock out any accounts.
With a small adaptation this script I can choose to target every account in the entire domain:
Here I am scanning the entire domain for accounts that use their username as their password. This is sometimes known as a horizontal password scan.
The benefits of horizontal scanning become apparent in environments with a large user base. An increase in the number of accounts often improves the chances of discovering an account with a weak password. The chance of locking out an account is also significantly decreased as only a small number of password guesses are attempted against each account.
The above script could also be tweaked to guess the password of the default local administrative account (RID 500) on the current machine. Providing this account is active, it cannot be locked out (meaning infinite password guesses).
Once credentials have been acquired for a domain account the next step is to find out what access the account has. Indeed, it may be the case that only a particular service on a particular host is accessible from the captured account.
The next step in this process is to find out what services are available on the domain. This would be quite simple with nmap... but remember, we don’t have access to any third-party tools! To get around this I have adapted Ed Skoudis’ FTP command line port scanner:
This script attempts to make a connection to each port in ports.txt (I've chose 21\ftp) for every domain member in hosts.txt (found at the beginning of this exercise). It uses the built-in Windows FTP client to read in commands (-s flag) from commands.txt to make each connection. Logging information is stored insuccess.txt.
Once the available network services have been mapped I can then attempt to exploit / gain access to these services:
In this post I have demonstrated several examples of how domain membership can be abused to gain privilege on a Windows' domain. Due to the inherent verbose nature of Windows’ domains, attackers have the advantage of gaining valuable information about a target network in a relatively short period of time. That said, however, a skilled attacker always has (and always will) be able to penetrate a network’s defences regardless of having domain membership or not.
Fonte: Defence in Depth
In this scenario I will demonstrate how to gain privilege within a Windows domain using only the tools available on a default Windows install. I will be working under the assumption that:
- I have access to a public terminal (or something similar) with up-to-date anti-virus.
- I do not have administrative access on the host.
- I do not have access to any third-party tools.
nbtstat –A <IP-Address>
net config workstation
Next, because I am working from a domain member, I can query the domain controller and check whether it’s aware of any additional domains:
net view /domain
*Note: It is often advantageous to target other domains such as those used for testing and development. These environments will often contain hosts where less emphasis is placed on security.
Next I am interested in knowing what hosts exist on the domain. For this, I can query the domain controller:
net view /domain:<DOM> > hosts.txt
Depending on the size of the network this listing can get quite large. I have redirected the output into a text file to prevent continually query the domain controller.
*Note: This command will not typically respond with every Windows host on the network. Only hosts available via NETBIOS are known to the domain controller.
Because I’m on a Windows domain, I can be fairly certain some machines will have file sharing turned on. Large networks are often host to a myriad of file shares with “interesting” data on them. It’s not uncommon to find personally identifiable information or even login credentials sitting on workstation or server shares.
To obtain a list of systems with active shares I can query each domain member by using:
for /f %i in (hosts.txt) do @(net view \\%i >> shares.txt 2>nul)
This command will loop over the file containing the domain members (obtained from the previous command) and query each host for open shares. Any errors (i.e. inaccessible systems) are discarded.
As previously mentioned, in some cases you may get lucky and find exactly what you’re looking for within these shares. For the sake of this exercise, however, let’s assume there was nothing interesting found.
Next I am interested in what users and groups exist on the domain. The goal here is to elevate my privileges on the domain (remember, I only have ‘User’ rights on one system thus far). To obtain a list of domain users and groups I can query the domain controller as follows:
net user /domain > users.txt
net group /domain > groups.txt
Once this information is gathered I want to look for “interesting” user accounts. Usernames containing the words “temp”, “test”, “tst”, “tmp”, "helpdesk", "ftp" are all of interest here as testing and temporary accounts often have simple passwords.
type users.txt | find “test”
If there are no stand-out usernames in the list above I can direct my efforts on querying the groups:
type groups.txt | find “helpdesk”
The domain controller can then be queried to dump the users belonging to that group:
net group “helpdesk” /domain
*NOTE: I have chosen to target non-administrative accounts here as they typically have weaker passwords. However, it is certainly not unheard of to have weak passwords on account belonging to “Domain Admins”. Always worth checking :)
Having chosen a number of domain users to target I can now attempt to compromise these accounts through password guessing. I can accomplish this through SMB connection attempts against a host on the domain. Which host I choose here doesn’t matter as authentication occurs against the domain controller and not the host itself.
for /f %i in (users.txt) do @(for /f %j in (passwords.txt) do @(echo Trying %i:%j... >> success.txt && net use \\wombat /u:%i %j 1>>success.txt && net use \\wombat /del))
This script will loop over a list of targeted usernames (in users.txt) and try simple password attempts against each account from the passwords.txt file. Success.txtwill keep a log of successful password guesses. Keep in mind here I am only targeting the low hanging fruit. Only a few passwords are being attempted for each account as to not lock out any accounts.
With a small adaptation this script I can choose to target every account in the entire domain:
for /f %i in (users.txt) do @( echo Trying %i:%j... >> success.txt && net use \\wombat /u:%i %i 1>>success.txt && net use \\wombat /del)
Here I am scanning the entire domain for accounts that use their username as their password. This is sometimes known as a horizontal password scan.
The benefits of horizontal scanning become apparent in environments with a large user base. An increase in the number of accounts often improves the chances of discovering an account with a weak password. The chance of locking out an account is also significantly decreased as only a small number of password guesses are attempted against each account.
The above script could also be tweaked to guess the password of the default local administrative account (RID 500) on the current machine. Providing this account is active, it cannot be locked out (meaning infinite password guesses).
Once credentials have been acquired for a domain account the next step is to find out what access the account has. Indeed, it may be the case that only a particular service on a particular host is accessible from the captured account.
The next step in this process is to find out what services are available on the domain. This would be quite simple with nmap... but remember, we don’t have access to any third-party tools! To get around this I have adapted Ed Skoudis’ FTP command line port scanner:
for /f %i in (hosts.txt) do @(for /f %j in (ports.txt) do @(echo Checking %i:%j... & echo %i:%j >> success.txt & echo open %i %j > commands.txt & echo quit >> commands.txt & ftp -n -s:commands.txt 1>>success.txt))
This script attempts to make a connection to each port in ports.txt (I've chose 21\ftp) for every domain member in hosts.txt (found at the beginning of this exercise). It uses the built-in Windows FTP client to read in commands (-s flag) from commands.txt to make each connection. Logging information is stored insuccess.txt.
Once the available network services have been mapped I can then attempt to exploit / gain access to these services:
In this post I have demonstrated several examples of how domain membership can be abused to gain privilege on a Windows' domain. Due to the inherent verbose nature of Windows’ domains, attackers have the advantage of gaining valuable information about a target network in a relatively short period of time. That said, however, a skilled attacker always has (and always will) be able to penetrate a network’s defences regardless of having domain membership or not.
Fonte: Defence in Depth
Into to Metasploit - Jeremy Druin
Into to Metasploit - Jeremy Druin
This is the 5th in a line of classes Jeremy Druin will be giving on pen-testing and web app security featuring Mutillidae for the Kentuckiana ISSA. This one covers Metasploit.
Details:
Video Tutorials: www.youtube.com/user/webpwnized
Video Index URL: http://www.irongeek.com/i.php?page=videos/web-application-pen-testing-tutorials-with-mutillidae
YouTube Channel: http://www.youtube.com/user/webpwnized
Twitter Updates: @webpwnized
Video Index URL: http://www.irongeek.com/i.php?page=videos/web-application-pen-testing-tutorials-with-mutillidae
YouTube Channel: http://www.youtube.com/user/webpwnized
Twitter Updates: @webpwnized
Notes:Vulnerability Exploitation
Metasploit Exploit Framework
a. Framework
i. Exploits
• Sorted by OS and/or Software
ii. Payloads
• Singles
o Communications and function entangled
• Stagers
o Load stage and handle communications
• Stages (note: Inplement shell, upexec, vncinject, meterpreter, etc.)
o meterpreter
o shell
o vnc
o mssql_payload
o psexec
iii. Post Exploit Modules
iv. Auxillary Modules
v. Interfaces
1. msfconsole
1. search <type>:<value> <string>
2. help
3. use
4. show <what to show>
i. payloads
ii. exploits
iii. post
iv. auxillary
v. <more>
2. Metasploit Community Edition
a. Framework
i. Exploits
• Sorted by OS and/or Software
ii. Payloads
• Singles
o Communications and function entangled
• Stagers
o Load stage and handle communications
• Stages (note: Inplement shell, upexec, vncinject, meterpreter, etc.)
o meterpreter
o shell
o vnc
o mssql_payload
o psexec
iii. Post Exploit Modules
iv. Auxillary Modules
v. Interfaces
1. msfconsole
1. search <type>:<value> <string>
2. help
3. use
4. show <what to show>
i. payloads
ii. exploits
iii. post
iv. auxillary
v. <more>
2. Metasploit Community Edition
Download from:
Fonte: irongeek
The Guide to Backtrack - Hakin9 on Demand
The Guide to Backtrack - Hakin9 on Demand

For PenTest new subscribers we offer Guide to BackTrack 5 as an add-on. Subscribe to PenTest now and mail us aten@pentestmag.com with "Guide to BackTrack 5" in the title to get the e-book.
Fonte: pentestmag.com
Digital Works [ Circuit Design - Emulation ]
| In Arduino

http://electronics-lab.com/downloads/schematic/002/index. html
Windows Server 2012
Boa Noite! Vamos testa? O.o rs...
Microsoft has released Windows Server 2012, which expands the definition of a server operating system, with new advancements in virtualization, storage, networking and automation.

System requirment for Microsoft Windows Server 2012
- Processor performance depends not only on the clock frequency of the processor, but also on the number of processor cores and the size of the processor cache. The following are the processor requirements for this product:
Minimum: 1.4 GHz 64-bit processor - The following are the estimated RAM requirements for this product:
Minimum: 512 MB - The following are the estimated minimum disk space requirements for the system partition.
Minimum: 32 GB
Ther are many changes in 2012 which we have srted studing. Evaluation copy is avilable so what are you waiting for. [ Click here ] to read more and download a copy of Microsoft Windows Server 2012.
Fonte: pentestit.com (:
SEGUNDA-FEIRA, 27 DE AGOSTO, 2012
Ele descobriu uma vulnerabilidade no Java para os quais não existe remendo , que está a ser explorada por atacantes, e cujo código é público. 's o pior cenário possível .
Ainda não se sabe muito sobre a vulnerabilidade, uma vez que não teve tempo para fazer um estudo exaustivo, mas foram relatados por agora coloca-nos o pior cenário possível .
FireEye descobriu um servidor com um frasco. Que explorava uma vulnerabilidade. Então, alguém sabe e está usando a falha. Através de um domínio de terceiro nível dinâmico (aa24.net) e servidor de web-mail de uma empresa chinesa (que provavelmente foi atacado), é (ainda) a distribuição de malware, graças a esta decisão em Java.
Através de um índice na " reunião "do servidor, de modo ofuscado Javascript, o malware está sendo distribuídoé esta:
e
O problema afeta a versão mais recente do Java em seu ramo 7, até sua "Update 6 ". Não afeta o ramo 6, que ainda está de pé, mas está em período de " extinção ". Ele funciona em todos os principais navegadores e EMET mesmo ativo.
Embora os pesquisadores que descobriram que não oferecem detalhes, um terceiro lançou uma prova de conceito para explorar a falha, o que abriu a porta para qualquer um poderia explorar . O código é simples, limpo, funcional e confiável. Compilar e lançar. Logo depois, ele foi apresentado como um módulo em Metasploit. Essa licença para qualquer atacante pode começar a distribuir seus malwares própria (provavelmente durante os próximos dias, você pode ver na Blackhole mania exploit kit entre os atacantes).Se, como já dissemos mais de uma vez, a máquina virtual Java vantagem não atual é que a maioria dos criadores de malware para distribuir suas amostras, esta vulnerabilidade permite que " o mercado aberto "também entre atual.
![]() |
Extrato do código. Jar |
Na ausência de um adesivo eficaz, não há nenhuma maneira simples para aliviar o problema . A melhor prática é desativar o Java no navegador. Ninguém sabe quando a Oracle vai resolver o problema. O seu ciclo de atualização trimestral, sugere que até 16 de outubro não pode parcheen o problema muito sério. Desde então, a Oracle não costuma emitir patches fora do ciclo. Raramente tem feito com sua base de dados, seu principal produto. Mas certamente não com Java desde que ele pertence.
Em abril de 2010 Tavis Ormandy e Ruben Santamarta descobriu uma falha de segurança grave no JRE. A Ormandy da Oracle disse que não foi considerada grave o suficiente para publicar qualquer coisa antes do prazo fixado. Uma semana depois, eles lançaram um patch fora do ciclo (Java 6 Update 20), que não estabelecer a correção da vulnerabilidade. Eles tiveram que provar que não parava falha ocorrer, mas não houve confirmação oficial.
Algumas semanas atrás, escreveu em um-a-dia, um título que (obviamente nos levando certas licenças) afirmou: "Se você não atualizar o Java, estão infectados ". Com a intenção de chamar a atenção para o fato de que uma grande parte dos agressores foram aproveitando muito recentes falhas enormes em Java e que a maneira mais eficaz de defender foi atualizado. Estamos vivendo dia a dia no laboratório. Agora podemos acrescentar que,mesmo se ele é atualizado com medidas extras de segurança, como o EMET, há um risco de um invasor executar código no sistema .
Mais informações:
Zero-Day Temporada ainda não acabou
Java 7 informações sobre vulnerabilidades 0-day e mitigação.
Java Deployment Toolkit realiza a validação insuficiente de Parâmetros
[0 dias] Java Web Start injeção de linha de comando arbitrário - "-XXaltjvm" dll carga arbitrária
Dom About Face: Fora do Ciclo de patches críticos falha Java Update
Fonte: Sergio de los Santos [ Homepage ]
HitbSecConf 2012
wget -Fr http://1xpixel.com.ar/666/