flyingpoptartcat

Posts posted by flyingpoptartcat

  1. 3rd revision:

    my($a,$b,$c,$r);($a,$b,$c)=f();sub t{$r=caller if eval{ord(71)};};local $d="\xAA\x79\x53\x54\x44\x4f\x55\x54";"\xAA\x79"=~m/\xAA\x79/;
    t($&);my @z=('0','5','6','4',rand(10),'0','','3','8','4');$d=~s///;for($i=$z[int(4+(.714287*7))];$i<125;$i=$i+5){$c=$a+=$b;$a=$b;$b=$c;__("\x0A");}
    sub __{$xz=pop;syswrite $d,"$c$xz"};sub f{return("\x30"+("\x31")*(((1-1)+1)/(1*1)-1)-(int(48*0.020833333))),
    $b=(int(((ord " ")+1)*("0.0434782" ))),$c="\x5C\x78".(4+("\x2D". 1)).(0),,,,,,,,,,,,,};
    

    UPDATED

  2. how's my obfuscation?

    my($a, $b, $c);($a,$b,$c) =	 floor();local $d=					 "\x53\x54\x44\x4f\x55\x54";my @z=('0','5','6','4',rand(10),'0','','3','8','4');
    for($i=$z[int(4+(.714287*7))];$i<25;$i++){$c=	 $a+$b ;$a=$b;$b=$c;syswrite		 $d,"$c\x0A";}
    sub floor{return ("\x30"+ (	 "\x31")*(((1-1)+1)/(1*1))		 -(int(48*0.020833333))),
    $b=(int((20+1)*("0.0434782" ) )),$c = "\x".(4						 +("\x2D". 1)).(0),,,,,,,,,,,,,};
    

    This Perl script simply prints the Fibonacci sequence.

    Alright, Perl writers, how did I do?

    Post your own obfuscated Fibonacci sequence. Interested in what techniques I have not thought of. Any tips?

    Purely academic.
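The two scripts above (the original and the 3rd revision) lean on a few tricks: hex-escaped string literals ("\x53\x54\x44\x4f\x55\x54" is just "STDOUT"), arithmetic that only works out to the Fibonacci seeds at run time, a global $d used as a symbolic filehandle (which is why neither script can run under use strict), and padding such as the trailing commas in the return list. The following Perl helper is an added example, not code from the post or from Web-Sorrow: it decodes the hex escapes for readability and runs the script through B::Deparse, which prints the code back after perl's constant folding. The helper's name, its two sub names and the obfuscated.pl argument are placeholders chosen for the demo.

```perl
#!/usr/bin/perl
# Added example, not part of the forum post: a triage helper for obfuscated
# Perl like the Fibonacci scripts above. Usage: perl deobf.pl obfuscated.pl
# (both file names are placeholders for the demo).
use strict;
use warnings;

# Decode \xNN escapes inside double-quoted literals so that
# "\x53\x54\x44\x4f\x55\x54" reads as "STDOUT". Bytes that would need
# escaping in a literal (quotes, backslash, sigils, non-printables) are left
# in \xNN form. Perl's quoting rules are richer than this regex, so treat the
# result as a readability aid, not a faithful re-parse.
sub decode_hex_escapes {
    my ($src) = @_;
    $src =~ s{"((?:[^"\\]|\\.)*)"}{
        my $body = $1;
        $body =~ s{\\x([0-9A-Fa-f]{2})}{
            my ($hex, $ch) = ($1, chr(hex($1)));
            ($ch =~ m{^[\x20-\x7e]$} && $ch !~ m{["\\\$\@]}) ? $ch : "\\x$hex"
        }ge;
        qq{"$body"};
    }ge;
    return $src;
}

# Compile-only view: `perl -MO=Deparse` parses the script and prints it back
# after constant folding, without running its top-level code. Caveat: BEGIN
# blocks and `use` statements still execute at compile time, so run this on an
# untrusted script only inside a throwaway environment.
sub deparse_file {
    my ($path) = @_;
    open(my $fh, '-|', $^X, '-MO=Deparse', $path)
        or die "cannot run B::Deparse: $!";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

my $file = shift or die "usage: $0 obfuscated.pl\n";
open(my $in, '<', $file) or die "$file: $!";
my $src = do { local $/; <$in> };
close $in;

print "--- hex escapes decoded ---\n", decode_hex_escapes($src), "\n";
print "--- B::Deparse output ---\n", deparse_file($file);
```

Run against either script above, the first pass turns the escaped filehandle name into plain STDOUT, and the Deparse pass reduces expressions such as int(4+(.714287*7)) to the index they select, which is usually enough to see that the loop is a plain Fibonacci walk writing to STDOUT.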

  3. Well, USUALLY an AV looks at two things: all known past viruses, comparing them to the file it's scanning, and its behavior (like deleting files etc.). Most AVs scan files when they are written to and when they are executed.

  4. Ok, I figured -R would send HEAD requests, as that's a good way to check if a file exists. I see what you are doing with the Content-Range though, that is pretty neat. That way only bytes 0 through 1 get returned. Although, it does process the whole php page, meaning the 404/403 script will block it. Would it be difficult to add a flag to send HEADs instead of GETs?

    http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html 9.4

    Well, I would have to make a subroutine to make requests and check whether the flag is set every time a request is made, so yes, it would be hard. And you might want to use regex when checking the URL to avoid evasions like ././././././passwords.txt?tgvfjhgvjhg=rgtrf444

  5. So I got to rethinking how I block web scanners, and had an idea for putting some code in my custom 404 page. Here is the rundown of my idea.

    http://pastebin.com/Nf2YyAGe

    It blocks any IP that visits those pages(if they don't exist that is). I'm going to try your tool against that idea, and let you know the results. I'm not sure if PHP code will run on a HEAD command, but if it doesn't, that could be one way to bypass my idea.

    Edit: The custom 404/403 method does work against your tool. This includes ninja mode.

    Neat idea! If you want a good list of things to block, go to Web-Sorrow_v(version number)/DB/small-tests.db and open it in a text editor. In Web-Sorrow, -ninja does NOT make other scans stealthy; it itself is a scan that uses very few requests. BTW I've just updated Web-Sorrow to v1.3.7.

  6. I hadn't tried it out, I was just suggesting based on how I detect scans, the fact that yours does that puts it above most. I see scans from w00tw00t all the time, to the point where I started blocking IPs in iptables that scan my server for vulnerabilities, and made taunting 404 messages. :P

    Well, thank you. BTW custom 404 pages are always fun to see.

  7. The major thing that gives away a web scan is how they don't really throttle the scan. I drop most web scans just by putting a SYN rate limit in my IPTABLES. It works with port scans and SYN floods too. I would look into HTTP 1.1 Keep Alive as it lets you keep the same connection to check multiple pages. This would stop you from getting picked up by the same rules that keep other easily avoidable attacks left out in the cold.

    If you want to use stealth, try -ninja.

    Also, Web-Sorrow uses connection caching, aka all on one socket. Don't forget to update; I posted this thread a while ago.
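As an added example (not code from the thread or from Web-Sorrow), here is the detection side of the two ideas discussed in posts 5 and 7, in Perl: counting 404/403 responses per client (the custom-404-page idea) and measuring how many requests a client packs into a short window (the no-throttling giveaway that a SYN rate limit catches). The log lines are constructed, and the 5-second window and the thresholds of 3 error responses / 4 requests per window are made-up demo values; the sub names are the example's own.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Web-Sorrow: scanner
# detection over web-server access logs, combining the two signals discussed
# above (a pile of 404/403 responses, and requests arriving with no throttling).
use strict;
use warnings;
use Time::Local qw(timegm);

my %MONTH = (Jan=>0, Feb=>1, Mar=>2, Apr=>3, May=>4,  Jun=>5,
             Jul=>6, Aug=>7, Sep=>8, Oct=>9, Nov=>10, Dec=>11);

# Constructed sample log (Apache combined format). 203.0.113.7 walks a list of
# paths that do not exist; 198.51.100.20 is an ordinary visitor with one broken
# image link.
my @LOG = (
  '198.51.100.20 - - [17/Mar/2012:09:25:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [17/Mar/2012:09:25:02 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [17/Mar/2012:09:25:02 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [17/Mar/2012:09:25:03 +0000] "HEAD /old/ HTTP/1.1" 404 - "-" "Mozilla/5.0"',
  '203.0.113.7 - - [17/Mar/2012:09:25:03 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
  '198.51.100.20 - - [17/Mar/2012:09:25:09 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
  '198.51.100.20 - - [17/Mar/2012:09:25:40 +0000] "GET /logo.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
);

# Parse one line into ip, epoch timestamp, method, path and status; returns
# an empty list for lines that do not match. The timezone offset is ignored
# because only differences between timestamps are used.
sub parse_line {
    my ($line) = @_;
    return unless $line =~ m{^(\S+) \S+ \S+ \[(\d+)/(\w+)/(\d+):(\d+):(\d+):(\d+) [^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})};
    my ($ip, $d, $mon, $y, $H, $M, $S, $method, $path, $status) = ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10);
    return unless exists $MONTH{$mon};
    return { ip => $ip, ts => timegm($S, $M, $H, $d, $MONTH{$mon}, $y),
             method => $method, path => $path, status => $status };
}

# For every client IP: number of 404/403 responses, and the largest number of
# requests that fall inside any sliding $window-second span. An IP is marked
# BLOCK when either count reaches its threshold.
sub analyse {
    my ($lines, $window, $max_errors, $max_burst) = @_;
    my (%errors, %times);
    for my $line (@$lines) {
        my $r = parse_line($line) or next;
        $errors{ $r->{ip} }++ if $r->{status} == 404 || $r->{status} == 403;
        push @{ $times{ $r->{ip} } }, $r->{ts};
    }
    my %verdict;
    for my $ip (keys %times) {
        my @t = sort { $a <=> $b } @{ $times{$ip} };
        my ($burst, $start) = (0, 0);
        for my $end (0 .. $#t) {
            $start++ while $t[$end] - $t[$start] >= $window;   # slide the window forward
            my $n = $end - $start + 1;
            $burst = $n if $n > $burst;
        }
        my $errs = $errors{$ip} || 0;
        my @why;
        push @why, "errors=$errs"            if $errs  >= $max_errors;
        push @why, "burst=$burst/${window}s" if $burst >= $max_burst;
        $verdict{$ip} = @why ? "BLOCK (@why)" : "ok";
    }
    return \%verdict;
}

# Demo thresholds (made up): 3 error responses, or 4 requests within 5 seconds.
my $verdict = analyse(\@LOG, 5, 3, 4);
printf "%-15s %s\n", $_, $verdict->{$_} for sort keys %$verdict;
```

Because the access log is written by the server for every request, the HEAD to /old/ in the sample still counts as a 404 here even though a HEAD response carries no body, so a log-based rule does not depend on whether the code in the custom 404 page ran. Thresholds this low would also catch ordinary visitors with a few broken links, so tune them against real traffic before wiring the verdict into iptables.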

  8. Hello bro... this is what I got on an nmap scan. The ISP.in is the web URL of the internet service provider; this is where I got confused: when I type his external IP (xxx.xxx.xx.) it shows details of his ISP.

    Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-03-17 09:25 GST

    NSE: Loaded 63 scripts for scanning.

    NSE: Script Pre-scanning.

    Initiating Ping Scan at 09:25

    Scanning xxx.xxx.xx.x [4 ports]

    Completed Ping Scan at 09:25, 0.06s elapsed (1 total hosts)

    Initiating Parallel DNS resolution of 1 host. at 09:25

    Completed Parallel DNS resolution of 1 host. at 09:25, 0.11s elapsed

    Initiating SYN Stealth Scan at 09:25

    Scanning ABTS-KK-Static-009.15.xxx.xxx.ISP.in(xxx.xxx.xx.x) [1000 ports]

    Discovered open port 80/tcp on xxx.xxx.xx.x

    Completed SYN Stealth Scan at 09:25, 4.05s elapsed (1000 total ports)

    Initiating Service scan at 09:25

    Scanning 1 service on ABTS-KK-Static-xxx.xx.xxx.xxx.ISP.in (xxx.xx.xxx.x)

    Completed Service scan at 09:26, 5.01s elapsed (1 service on 1 host)

    Initiating OS detection (try #1) against ABTS-KK-Static-009.xx.xxx.xxx.ISP.in (xxx.xxx.xx)

    Retrying OS detection (try #2) against ABTS-KK-Static-009.15.166.122.ISP.in )xx.xxx.xxx

    Initiating Traceroute at 09:26

    Completed Traceroute at 09:26, 9.09s elapsed

    NSE: Script scanning xxx.xxx.xx.x.

    Initiating NSE at 09:26

    Completed NSE at 09:26, 12.96s elapsed

    Nmap scan report for ABTS-KK-Static-009.xx.xxx.xxx.isp.in (xxx.xxx.xx.x)

    Host is up (0.0078s latency).

    Not shown: 999 filtered ports

    PORT STATE SERVICE VERSION

    80/tcp open http?

    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

    OS fingerprint not ideal because: Missing a closed TCP port so results incomplete

    No OS matches for host

    TRACEROUTE (using port 80/tcp)

    HOP RTT ADDRESS

    1 ... 30

    NSE: Script Post-scanning.

    Read data files from: /usr/local/bin/../share/nmap

    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

    Nmap done: 1 IP address (1 host up) scanned in 38.44 seconds

    Raw packets sent: 2244 (102.196KB) | Rcvd: 535 (21.420KB)

    BTW you should update your nmap version!
