Sunday, December 31, 2017
Naivecoin: a tutorial for building a cryptocurrency
The project built in this tutorial is called "Naivecoin". The programming language is TypeScript. Naivecoin is, in some respects, an extension of Naivechain, a blockchain in 200 lines of code.
https://lhartikk.github.io/
Monday, December 25, 2017
suricata Error: datalink type 65535 not yet supported in module DecodeAFP solution
<Error> - [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 65535 not yet supported in module DecodeAFP
Solution:
Edit suricata-4.0.3/src/source-af-packet.c. I changed the default datalink type to raw. That solved my problem.
suricata-4.0.3/src/source-af-packet.c (DecodeAFP, default case of the datalink switch changed):

TmEcode DecodeAFP(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
    SCEnter();
    DecodeThreadVars *dtv = (DecodeThreadVars *)data;

    /* XXX HACK: flow timeout can call us for injected pseudo packets
     * see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
    if (p->flags & PKT_PSEUDO_STREAM_END)
        return TM_ECODE_OK;

    /* update counters */
    DecodeUpdatePacketCounters(tv, dtv, p);

    /* If suri has set vlan during reading, we increase vlan counter */
    if (p->vlan_idx) {
        StatsIncr(tv, dtv->counter_vlan);
    }

    /* call the decoder */
    switch (p->datalink) {
        case LINKTYPE_ETHERNET:
            DecodeEthernet(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
            break;
        case LINKTYPE_LINUX_SLL:
            DecodeSll(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
            break;
        case LINKTYPE_PPP:
            DecodePPP(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
            break;
        case LINKTYPE_RAW:
            DecodeRaw(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
            break;
        case LINKTYPE_NULL:
            DecodeNull(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
            break;
        default:
            /* Upstream logs SC_ERR_DATALINK_UNIMPLEMENTED here and decodes
             * nothing. Workaround: hand an unknown datalink type (65535 in
             * this case) to the raw IP decoder instead. */
            // SCLogError(SC_ERR_DATALINK_UNIMPLEMENTED, "Error: datalink type %" PRId32 " not yet supported in module DecodeAFP", p->datalink);
            // DecodePPP(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
            DecodeRaw(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
            // DecodeEthernet(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
            break;
    }
Monday, December 4, 2017
Stack overflows: possible return addresses
English Windows XP SP 2 User32.dll:
JMP ESP 0x77db41bc
English Windows XP SP 1 User32.dll:
JMP ESP 0x77d718fc
English Windows 2003 SP0 and SP1 User32.dll:
JMP ESP 0x77d74adc
English Windows 2000 SP 4 User32.dll:
JMP ESP 0x77e3c256
French Windows XP Pro SP2:
JMP ESP 0x77d8519f
German/Italian/Dutch/Polish Windows XP SP2:
JMP ESP 0x77d873a0
Spanish Windows XP Pro SP2:
JMP ESP 0x77d9932f
French/Italian/German/Polish/Dutch Windows 2000 Pro SP4:
JMP ESP 0x77e04c29
French/Italian/Chinese Windows 2000 Server SP4:
JMP ESP 0x77df4c29
Friday, December 1, 2017
Thursday, November 9, 2017
Linux Privilege Escalation Scripts
LinEnum
http://www.rebootuser.com/?p=1758
This tool is great at running through a heap of things you should check on a Linux system in the post-exploit process. These include file permissions, cron jobs if visible, weak credentials etc. The first thing I run on a newly compromised system.
LinuxPrivChecker
http://www.securitysift.com/download/linuxprivchecker.py
This is a great tool for once again checking a lot of standard things like file permissions etc. The real gem of this script is the recommended privilege escalation exploits given at the conclusion of the script. This is a great starting point for escalation.
g0tmi1k’s Blog
http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Not so much a script as a resource, g0tmi1k's blog post here has led to so many privilege escalations on Linux systems it's not funny. Would definitely recommend trying out everything on this post for enumerating systems.
windows file sharing operations
list all active connections:
net use
remove all active connections:
net use * /delete
remove specific connection
net use \\<ip>\<share> /delete
add connection
net use \\<ip>\<share> /user:domain\username <password> /persistent:yes
make symbolic link for file share
mklink /d c:\temp\<localpath> \\<ip>\<share>
Sunday, October 15, 2017
php reverse shell
A tool you can use for remote file inclusion vulnerabilities.
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
To make it connect back to a port you are listening on with netcat, you can serve it with 'python -m SimpleHTTPServer 80' and access it that way.
Friday, September 29, 2017
linux command line filter for ip address matches
$ cat file.log |grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |sort -u
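Added example, not part of the original post: the one-liner's regex accepts any four 1-3 digit groups, so it also matches "300.1.1.1" or the tail of a version string. The POSIX shell function below keeps the same extraction, then validates each octet and sorts numerically; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not the post's one-liner. Same grep as the post, followed by
# an octet range check (the bare regex happily returns "300.1.1.1") and a
# numeric sort so 10.x.x.x does not land after 192.x.x.x as it would as text.

extract_ipv4() {
    # $1: log file (defaults to stdin). Prints each distinct valid dotted
    # quad once, ordered numerically octet by octet.
    grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' "${1:--}" |
        awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -u
}

make_sample_log() {
    # Constructed sample lines (not real data); the third one is deliberately
    # noisy: "2.10.3.4000" yields the bogus token "2.10.3.400", and "300.1.1.1"
    # has an out-of-range first octet. Both must be dropped.
    cat <<'EOF'
Sep 29 10:01:02 host sshd[1234]: Failed password for root from 192.168.1.50 port 4422 ssh2
Sep 29 10:01:03 host sshd[1234]: Failed password for root from 192.168.1.50 port 4423 ssh2
Sep 29 10:02:10 host app: upgraded to version 2.10.3.4000 (build 300.1.1.1)
Sep 29 10:03:00 host sshd[1300]: Accepted publickey for admin from 10.0.0.7 port 51022
EOF
}

# Demo run on the constructed sample; pass a file name to use real input.
make_sample_log | extract_ipv4
```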
Thursday, September 7, 2017
SEP: how can we detect 'application and device control feature' enabled on a sep client machine
Below I am sharing several methods you can use to perform this check. If you do not get the result you want, we can go through it together at a convenient time.
1.
In the setAid.ini file in your installation package, the entry
"DCMain=1"
means that Application Control and Device Control will be installed; you can check it this way.
Example screenshots:
File contents after extracting my setup package:
2.
As another method, you can detect it by analysing the following logs:
Monitors -> Logs -> Application and Device Control,
Monitors -> Logs -> Log type: Application and Device Control -> Advanced Settings -> Event Type: Application Control Driver -> View Log
3.
sc query sysplant
With this command you can query the status of the service used by Application and Device Control.
Example:
Tuesday, September 5, 2017
Finding RAM model and speed information from the command line
Getting detailed memory information from the Windows command line:
wmic MemoryChip get BankLabel, Capacity, MemoryType, TypeDetail, Speed
BankLabel  Capacity    MemoryType  Speed  TypeDetail
BANK 0     4294967296  24          1600   128
BANK 2     4294967296  24          1600   128
https://msdn.microsoft.com/en-us/library/windows/desktop/aa394347(v=vs.85).aspx
Monday, September 4, 2017
bWAPP: insecure web application testing box
bWAPP, or a buggy web application, is a free and open source deliberately insecure web application.
It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities.
bWAPP prepares one to conduct successful penetration testing and ethical hacking projects.
What makes bWAPP so unique? Well, it has over 100 web vulnerabilities!
It covers all major known web bugs, including all risks from the OWASP Top 10 project.
Wednesday, August 16, 2017
Blocking ping responses on a Linux system
You can do this with the following iptables command.
iptables -I INPUT -p icmp --icmp-type echo-request -j REJECT
Tuesday, August 15, 2017
Wednesday, August 2, 2017
Symantec Endpoint Protection: how is a SEP client disabled from SEPM?
Communication between SEPM and the client is established through the smc service. If this service is stopped via SEPM, the communication between them is cut, so it cannot be started again. Therefore, stopping the client-side service from SEPM is not recommended.
Symantec Endpoint Protection: how are the exception definitions set on the client side checked?
How are exception definitions made via SEPM (Symantec Enterprise Protection Manager) checked on the client side?
If you are using Windows, you can check the following registry paths for this.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory\Admin
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions
Version: 14MP2
Symantec Endpoint Protection: how to search in the SEPM Clients screen?
How to search in the Clients screen?
This is a frequently asked question when managing a large client list. You can use the "Search clients" link in the left-hand menu for this.
Version: 14MP2
Saturday, July 29, 2017
Thursday, July 27, 2017
ZFS on Linux v0.7.0 released
[zfs-announce] v0.7.0 released
http://list.zfsonlinux.org/pipermail/zfs-announce/2017-July/000015.html
Sunday, July 23, 2017
Extremely Fast MySQL Backup and Restore Using Mydumper/Myloader
Mydumper and Myloader are utilities, written in the C programming language, that perform extremely fast and reliable multi-threaded MySQL backups and restores.
They were initially developed by MySQL engineers who later moved to Facebook. Mydumper is approximately 10 times faster than the mysqldump tool typically used for backups.
https://wplobster.com/extremely-fast-mysql-backup-restore-using-mydumpermyloader/
ssh based vpn solution: xiringuito
SSH-based "VPN for poors"
VPN made easy! No configuration. No VPN servers. No hassle. Just plug and use!
This is the "VPN without VPN" software done using nice built-in capabilities of SSH.
Tuesday, July 18, 2017
Tuesday, June 13, 2017
free, automated, and open Certificate Authority
Let’s Encrypt is a free, automated, and open Certificate Authority.
A site where you can obtain free security certificates.
See the address below for details.
Tuesday, June 6, 2017
How to scan new FC LUNS and SCSI disks in Red Hat
The steps we apply to scan multipath LUNs on a system running Red Hat:
You should adjust the devices that I listed and scanned as host0, host1, host2 and host3 in the script below to your needs. For example, if your system has a host4 device, you should add it as well.
Platform:
RHEL 6.5 x86_64
Code:
#!/bin/bash
##
# e-mail: aokany[at]gmail.com
##
mpathconf --disable
rm -fr /etc/multipath.conf
rm -fr /etc/multipath/bindings
service multipathd stop
sleep 3
echo "- - -" > /sys/class/scsi_host/host0/scan
echo "1" > /sys/class/fc_host/host0/issue_lip
echo "- - -" > /sys/class/scsi_host/host1/scan
echo "1" > /sys/class/fc_host/host1/issue_lip
echo "- - -" > /sys/class/scsi_host/host2/scan
echo "1" > /sys/class/fc_host/host2/issue_lip
echo "- - -" > /sys/class/scsi_host/host3/scan
echo "1" > /sys/class/fc_host/host3/issue_lip
mpathconf --enable
service multipathd start
fdisk -l |grep Disk |grep -v ident
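Added example, not the post's script: rather than hard-coding host0..host3, this POSIX shell function discovers every Fibre Channel host under sysfs and rescans each one. The sysfs root is a parameter (assumed default /sys) so the function can be exercised against a scratch directory before it is run as root on a real system.

```shell
#!/bin/sh
# Added example, not the original script. Enumerates /sys/class/fc_host/host*
# and rescans each host that also has a scsi_host entry, so a newly added HBA
# port (host4, host5, ...) is picked up without editing the script.

rescan_fc_hosts() {
    # $1: sysfs root, default /sys. Prints the number of hosts rescanned.
    sysfs=${1:-/sys}
    count=0
    for fc in "$sysfs"/class/fc_host/host*; do
        [ -d "$fc" ] || continue          # glob matched nothing
        host=$(basename "$fc")
        scsi="$sysfs/class/scsi_host/$host"
        if [ ! -d "$scsi" ]; then
            echo "skipping $host: no matching scsi_host entry" >&2
            continue
        fi
        # Loop Initialization Primitive first, so the fabric re-reports its
        # LUNs, then a wildcard "channel target lun" rescan of the same host.
        echo 1 > "$fc/issue_lip"
        echo "- - -" > "$scsi/scan"
        count=$((count + 1))
    done
    echo "$count"
}

# Real run (as root): sh rescan.sh --run
# Afterwards, `multipath -ll` or the post's `fdisk -l` shows the new LUNs.
if [ "${1:-}" = "--run" ]; then
    n=$(rescan_fc_hosts)
    echo "rescanned $n FC host(s)"
fi
```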
WWDC 2017
Apple introduced its new products at the WWDC event.
You can find details on iOS 11 and the hardware updates at the address below.
https://techcrunch.com/events/wwdc-2017/
Saturday, May 27, 2017
libtins: packet crafting and sniffing library
libtins is a high-level, multiplatform C++ network packet sniffing and crafting library.
Its main purpose is to provide the C++ developer an easy, efficient, platform and endianness-independent way to create tools which need to send, receive and manipulate network packets.
It uses a BSD-2 license and it's hosted at github.
High level != inefficient
libtins was designed keeping efficiency in mind at all times. In fact, it is one of the fastest packet sniffing and interpretation libraries available. The benchmark section contains some actual measurements of how fast it works.
http://libtins.github.io/
Thursday, March 30, 2017
Cuckoo Sandbox
What is it?
In three words, Cuckoo Sandbox is a malware analysis system.
In other words, you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you with detailed results outlining what that file did when executed inside an isolated environment.
Malware is the Swiss-army knife of cybercriminals and of any other adversary to your corporation or organization.
In these evolving times, detecting and removing malware artifacts is not enough: it is vitally important to understand how they operate in order to understand the context, the motivations and the goals of a breach, so as to protect better in the future.
Cuckoo Sandbox is free software that automates the task of analyzing any malicious file under Windows, OS X, Linux, and Android.
Volatile memory extraction utility framework
Volatility Framework - Volatile memory extraction utility framework
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work into this exciting area of research.
Capture Live RAM
Belkasoft Live RAM Capturer is a tiny free forensic tool that allows you to reliably extract the entire contents of a computer's volatile memory, even if protected by an active anti-debugging or anti-dumping system. Separate 32-bit and 64-bit builds are available in order to minimize the tool's footprint as much as possible. Memory dumps captured with Belkasoft Live RAM Capturer can be analyzed with Live RAM Analysis in Belkasoft Evidence Center. Belkasoft Live RAM Capturer is compatible with all versions and editions of Windows including XP, Vista, Windows 7, 8 and 10, 2003 and 2008 Server.
Why Memory Dump Is the First Thing To Do During the Acquisition
Memory dumps are a valuable source of ephemeral evidence and volatile information. Memory dumps may contain passwords to encrypted volumes (TrueCrypt, BitLocker, PGP Disk), account login credentials for many webmail and social network services such as Gmail, Yahoo Mail, Hotmail; Facebook, Twitter, Google Plus; file sharing services such as Dropbox, Flickr, SkyDrive, etc.
Thursday, March 16, 2017
Find ORACLE_HOME
In sqlplus:
SQL> var OH varchar2(200);
SQL> EXEC dbms_system.get_env('ORACLE_HOME', :OH);
SQL> PRINT OH
Wednesday, February 22, 2017
ifconfig.me: connection test
curl ifconfig.me
Get your external IP address
curl ifconfig.me/ip   -> IP address
curl ifconfig.me/host -> remote host
curl ifconfig.me/ua   -> user agent
curl ifconfig.me/port -> port
TheFatRat v1.8 - Easy Tool For Generate Backdoor with Msfvenom
What is TheFatRat ?
An easy tool to generate backdoors with msfvenom (part of the Metasploit Framework) and an easy tool for post-exploitation attacks like browser attacks and DLL. This tool compiles malware with a popular payload, and the compiled malware can then be executed on Windows, Android and Mac. The malware created with this tool also has the ability to bypass most AV software protection.
trojan-dropper: Dr0p1t-Framework
Features
Works with Windows and Linux
Adding malware after downloading it to startup
Adding malware after downloading it to task scheduler
Finding and killing the antivirus before running the malware
Running a custom (batch|powershell|vbs) file you have chosen before running the malware
In running powershell scripts it can bypass execution policy
Using UPX to compress the dropper after creating it
Choose an icon for the dropper after creating it
https://github.com/D4Vinci/Dr0p1t-Framework