Recent Posts

Projects and Discussion / Windows bully project
« Last post by Untitled00 on February 24, 2016, 08:22:12 pm »
I left a project 5 years ago. I thought I had something interesting but never shared it with anyone... so I'm here to tell you what I found, and I want to hear if it's something worth sharing or just a retarded project not even worth mentioning.

Windows bully:
-The core: Brute force local users' passwords (Windows from Vista to 10 SAM, not working with AD) without needing privileges. In fact, the proof of concept is tested from the default guest user attacking a local admin, at a speed of 1 million tests in around 7 minutes, and I think at some point I doubled the speed on an i7 (I'm reading my old notes so it might not be 100% accurate).
-Additional: if the current user had admin privileges it executed a LSASS dump and used mimikatz to extract passwords in 1 second, if it didn't the brute force started.
-Had some additional features, but first I want to see how people react to the core idea.

So the idea was walking around with it on a USB or something and executing it to get a specific user's password as fast as possible.

Things that I want to know: I never heard of a method that could brute force the local SAM at that speed without needing privileges... I know there are some privilege escalation vulns in the wild... but I still want to hear thoughts.

Untitled00
General discussion / Re: Your favorite Coding/Hacking/Gaming Music?
« Last post by r4kk00n on February 24, 2016, 07:25:02 pm »
C - C++ / Re: Interface Programming using C's gtk libraries
« Last post by matias on February 24, 2016, 02:27:15 pm »
Contributing to the development is not my goal, no. I just see how easy things seem to be done in other languages, and how learning those things in C often gives you a wider understanding of the entire topic in question.

Take structures for example. In my case, it took me a few weeks to finally understand all their applications and how to use them (and I'm still struggling sometimes); pointers to structures, array of structures, functions returning pointers to structures, etc.

In Java, they call them Classes and Objects, tell you a little about the notation, and that's it, at least so far... And I'm not saying Java is a bad programming language, not at all. I'm saying: "If it is that easy in Java, surely there must be some badass code in C behind it."

My end goal is to learn it.
Tutorials / Harvesting Emails with SimplyEmail
« Last post by spike on February 24, 2016, 01:10:37 pm »
Harvesting Emails with SimplyEmail

Collecting a list of emails is always a priority when doing reconnaissance on an organization, group, or even just an individual. Many times when you go whaling (phishing a single person, like an executive), the only way you can get your target to take a peek at your awesome website is by coaxing them with an email.

Lots of folks already know about theHarvester for harvesting lists of emails. I always run a script that condenses the output from theHarvester, goog-mail, goohost, and Metasploit's auxiliary/gather/search_email_collector. Today, we are going to take a look at a new email collection tool called SimplyEmail.

SimplyEmail improves on theHarvester by making the searches individual modules. This makes it significantly easier to add to. In version 1.2 (latest at time of writing) there are 26 modules including searches of:

* Github
* Google
* Yahoo
* Flickr
* PasteBin
* PGP
* Reddit
* Linkedin
* Exalead
* And more...

Install

Install by doing:

Code:
git clone https://github.com/killswitch-GUI/SimplyEmail.git
cd ./SimplyEmail
./Setup.sh

The Setup.sh file will pull down the dependencies and install them for you. Then we can test that it is installed by listing the modules with:

Code:
./SimplyEmail.py -l

Usage:

To then run all modules against your target do:

Code:
./SimplyEmail.py -all -e example.com

or in verbose mode:

Code:
./SimplyEmail.py -all -v -e example.com
If we add the -s flag for no scope, it will return any emails that are mentioned on the pages. Use this one carefully if you are doing a spear phishing engagement; it could have lots of false positives. It could be useful if going after a small org. You would have to manually verify afterwards that they are addresses for the people you are targeting.

Code:
./SimplyEmail.py -all -v -e example.com -s

One of the awesome options of SimplyEmail is the -verify flag. This will look up the MX server and verify that the email is valid. Keep in mind that at this point you are sending packets to your target environment.

Code:
./SimplyEmail.py -all -v -verify -e example.com
Another interesting option is the -n flag. I'm not positive what this flag does, but I'm pretty sure that it creates an address name by mangling usernames and then testing it against the target MX server.

Code:
./SimplyEmail.py -all -v -verify -n -e example.com
Results:

Control group:
I selected an organization of interest to me and decided to do some test runs. My homebrew script that uses theHarvester, goog-mail, goohost, and metasploits auxiliary/gather/search_email_collector returned 46 emails. I normally only do manual false positive testing to make sure that the emails are valid. Accuracy varies.

SimplyEmail tests:
Running the tool, several errors popped up, especially ones from beautifulsoup. I don't think they affected the performance, and they were ignored. Also, I did not have a canar.io API key, so while running all of the modules, that one was skipped over.

1. Running the following returned 62 emails:

Code:
./SimplyEmail.py -all -e example.com
2. Running with the -s option returned 148,104 results. However, they were emails from pretty much everywhere including hotmail, MIT, and verizon. Lots of potential false positives. Tens of thousands of them.

Code:
./SimplyEmail.py -all -v -e example.com -s
3. I ran with both of the following and didn't see much difference between them. I couldn't tell if the -n flag was useful, but -verify definitely got rid of some of the false positives. I ended up with 30 valid emails that I didn't have to manually verify.

Code:
./SimplyEmail.py -all -v -verify -e example.com
./SimplyEmail.py -all -v -verify -n -e example.com

Conclusion:

For now, I am running both my homebrew script and SimplyEmail to collect email lists, then comparing the output. I may try to either integrate it into my script or perhaps, over time, as SimplyEmail becomes more feature rich, outright replace my script. The verbose flag was not very useful for simply scraping email; the tool is plenty verbose in its default state. It may be more useful when developing a module. The following is the command that I recommend running from now on when using SimplyEmail; play with the flags and see if anything reveals some missed data. If doing a blackbox test, remember that the verify option will send packets to the target's MX server. Remember, it's better to have one loud bang than a long creaking noise. Don't keep verifying lists of emails; get a good list and run with it.

Code:
./SimplyEmail.py -all -verify -e example.com
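An added example (not part of spike's post or of the SimplyEmail project) for the comparison step described in the conclusion: it normalizes the address lists from two scrapers, drops anything outside the target domain (the hotmail/MIT/verizon kind of hit the no-scope run produced) while not being fooled by look-alike hosts such as example.com.evil.net, and reports what each tool found that the other did not. The two result lists are constructed sample data and the target domain example.com is assumed.

```python
import re

# Constructed sample output from the two scrapers (not real addresses).
HOMEBREW_RESULTS = """
alice@example.com
Bob@Example.com
carol@mail.example.com
bob@example.com
"""

SIMPLYEMAIL_RESULTS = """
alice@example.com
dave@example.com
eve@hotmail.com
student@mit.edu
not-an-email@
carol@mail.example.com
press@example.com.evil.net
"""

# Plausibility check only; input is lowercased before matching.
EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$")


def parse_emails(text):
    """Lowercase, strip, and keep only syntactically plausible addresses."""
    found = set()
    for line in text.splitlines():
        candidate = line.strip().lower()
        if candidate and EMAIL_RE.match(candidate):
            found.add(candidate)
    return found


def in_scope(email, domain):
    """True if the mailbox host is the target domain or a subdomain of it.

    A suffix check on '.' + domain (not a substring search) is what keeps
    example.com.evil.net out of scope."""
    host = email.rsplit("@", 1)[1]
    return host == domain or host.endswith("." + domain)


def compare_results(homebrew_text, simplyemail_text, domain):
    """Split both lists by scope and return the per-tool differences."""
    homebrew = {e for e in parse_emails(homebrew_text) if in_scope(e, domain)}
    simply_in, simply_out = set(), set()
    for e in parse_emails(simplyemail_text):
        (simply_in if in_scope(e, domain) else simply_out).add(e)
    return {
        "only_homebrew": sorted(homebrew - simply_in),
        "only_simplyemail": sorted(simply_in - homebrew),
        "both": sorted(homebrew & simply_in),
        "out_of_scope": sorted(simply_out),
    }
```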
Reverse Engineering / Re: [Advanced Challenge] Virus, Infection Strategy Analysis
« Last post by Deque on February 24, 2016, 09:08:07 am »
That screenshot is from Detect It Easy (DiE).

Apart from that, there is RDG Packer Detector which also offers entropy scanning, but DiE seems to be the best.

Oh, I used DiE before, but I didn't see its Entropy features (for whatever reason). Thank you!
Hacking and Security / Re: Decrypting PDF Password
« Last post by Trevor on February 24, 2016, 05:05:36 am »
Funny you say that. I remember when one of Elcomsoft's developers was so good, they made available a decrypter tool that did precisely what you are asking for; the only difference is I do not think we had 128 bit encryption in those days. I remember reading that the poor guy got arrested when he visited the U.S.A. for some conference. I just wish I could remember his name, but the tool bypassed all passwords and decrypted the document no matter what. He was a genius and I am sure he still is today.

It was the Russian Dmitry Sklyarov. Details on wiki

Answering the original question:
Sometimes decrypting passwords can be super easy due to a faulty implementation in encryption.
One such software is DRMsoft Pdf to EXE Encrypter where, in spite of the password protection, it can be decrypted due to the use of XOR encryption.
Assembly - Embedded / Assembly, a hidden art? (Beginners Guidance)
« Last post by Erra on February 24, 2016, 01:50:02 am »
Sup everyone, I just thought I could share my opinions on Assembly. In modern times, computers tend to derail from the hackers' friend, 32 Bit Intel assembly. However, when I began learning Assembly I did it because I had an idea of what one could do with such a skill besides make code that can otherwise be written in C/C++. But fret not: if you are a computer engineer you could program the logic of a chip using assembly, given the amount of time and effort you devote to such a project. In fact, one can even grab a Raspberry Pi and practice programming the architecture of a Qualcomm processor that can likewise be found in modern cellphones that use Android. In my opinion assembly is becoming more and more hardware based, and if you're tech savvy, you can do some pretty nasty stuff with it.

The reason I made this post is to present a brief guide on where to start learning since I had some trouble myself trying to get into the matter. If you feel like learning assembly, I recommend starting out with MIPS (Millions of Instructions Per Second) with Quasar Distant,

https://www.youtube.com/watch?v=u5Foo6mmW0I&list=PL5b07qlmA3P6zUdDf-o97ddfpvPFuNa5A

who presents a very nice 32 Bit assembly language that's probably not used anymore, and after you're satisfied, you can get started with other architectures. The key to all of this is to realize the kind of processor you're working with. For example, if you're going to try and work with Intel processors and you have a 64 bit computer, I highly recommend grabbing a copy of Ray Seyfarth's book on the subject; it's really great and I am currently using it myself:

http://rayseyfarth.com/

For the Broadcom processor architecture you might want to grab a Raspberry Pi and a copy of Bruce Smith's Raspberry Pi assembly:

http://www.amazon.com/Raspberry-Assembly-Language-RASPBIAN-Beginners/dp/1492135283

For the good old x86 - 32 bit intel assembly, you might want to grab a copy of Assembly Language step by step 3rd edition:

http://www.amazon.com/Assembly-Language-Step---Step-Programming/dp/0470497025/ref=sr_1_1?s=books&ie=UTF8&qid=1456274751&sr=1-1&keywords=assembly

Although the textbook is extremely lengthy and thick, and you won't really write any code until like chapter 7, if you stick through it, you can master 32 bit easy peasy. With that being said, I wish whoever decides to join the assembly coding community a happy coding experience, good luck!~
Hacking and Security / Re: 24 Hour Hack - 99 000'th post
« Last post by xpress1 on February 24, 2016, 01:16:39 am »
I'm pretty new here but I would totally be up for this. Sounds fun ;D