β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦list 3 ransomware real decrytors :
https://www.nomoreransom.org/en/decryption-tools.html
https://www.softpedia.com/get/Antivirus/Removal-Tools/Trend-Micro-Ransomware-File-Decryptor.shtml
https://noransom.kaspersky.com/
https://www.avast.com/en-us/ransomware-decryption-tools
https://www.emsisoft.com/ransomware-decryption-tools/free-download
https://www.mcafee.com/enterprise/en-us/downloads/free-tools/ransomware-decryption.html
https://www.quickheal.com/free-ransomware-decryption-tool/
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦list 3 ransomware real decrytors :
https://www.nomoreransom.org/en/decryption-tools.html
https://www.softpedia.com/get/Antivirus/Removal-Tools/Trend-Micro-Ransomware-File-Decryptor.shtml
https://noransom.kaspersky.com/
https://www.avast.com/en-us/ransomware-decryption-tools
https://www.emsisoft.com/ransomware-decryption-tools/free-download
https://www.mcafee.com/enterprise/en-us/downloads/free-tools/ransomware-decryption.html
https://www.quickheal.com/free-ransomware-decryption-tool/
β β β Uππ»βΊπ«Δπ¬πβ β β β
softpedia
Trend Micro Ransomware File Decryptor Download Free (Windows) - 1.0.0.1668 | Softpedia
Download Trend Micro Ransomware File Decryptor 1.0.0.1668 - An anti-ransomware application that tries to unlock infected files on your computer, providing support for various ransomware families
Forwarded from UNDERCODE NEWS
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Network hacking exercice:
This is a short introduction on methods that use neural networks in an offensive manner (bug hunting, shellcode obfuscation, etc.) and how to exploit neural networks found in the wild (information extraction, malware injection, backdooring, etc.).
0 - Last Layer Attack
1 - Backdooring
2 - Extracting Information
3 - Brute Forcing
4 - Neural Overflow
5 - Malware Injection
6 - Neural Obfuscation
7 - Bug Hunting
8 - GPU Attack
Download:
https://github.com/Kayzaks/HackingNeuralNetworks
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Network hacking exercice:
This is a short introduction on methods that use neural networks in an offensive manner (bug hunting, shellcode obfuscation, etc.) and how to exploit neural networks found in the wild (information extraction, malware injection, backdooring, etc.).
0 - Last Layer Attack
1 - Backdooring
2 - Extracting Information
3 - Brute Forcing
4 - Neural Overflow
5 - Malware Injection
6 - Neural Obfuscation
7 - Bug Hunting
8 - GPU Attack
Download:
https://github.com/Kayzaks/HackingNeuralNetworks
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - Kayzaks/HackingNeuralNetworks: A small course on exploiting and defending neural networks
A small course on exploiting and defending neural networks - Kayzaks/HackingNeuralNetworks
Forwarded from UNDERCODE NEWS
This is what causes the most issues with radiation and 2020 and oldest smartphones.
#Bugs #Analytiques
#Bugs #Analytiques
Forwarded from UNDERCODE NEWS
Exposure that 2020 Apple TV will be launched on December 8, equipped with A12Z chip.
#Leaks #Technologies
#Leaks #Technologies
β β β Uππ»βΊπ«Δπ¬πβ β β β
A POC Windows crypto-ransomware (Academic)
Run in Background (or not)
Encrypt files using AES-256-CTR(Counter Mode) with random IV for each file.
Multithreaded.
RSA-4096 to secure the client/server communication.
Includes an Unlocker.
Optional TOR Proxy support.
Use an AES CTR Cypher with stream encryption to avoid load an entire file into memory.
Walk all drives by default.
Docker image for compilation.
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1) git clone github.com/mauri870/ransomware
2) cd ransomware
If you have Docker skip to the next section.
3) You need Go at least 1.11.2 with the $GOPATH/bin in your $PATH and $GOROOT pointing to your Go installation folder. For me:
export GOPATH=~/gopath
export PATH=$PATH:$GOPATH/bin
export GOROOT=/usr/local/go
4) Build the project require a lot of steps, like the RSA key generation, build three binaries, embed manifest files, so, let's leave make do your job:
make deps
make
5) You can build the server for windows with make -e GOOS=windows.
Docker
6) ./build-docker.sh make
β β β Uππ»βΊπ«Δπ¬πβ β β β
A POC Windows crypto-ransomware (Academic)
Run in Background (or not)
Encrypt files using AES-256-CTR(Counter Mode) with random IV for each file.
Multithreaded.
RSA-4096 to secure the client/server communication.
Includes an Unlocker.
Optional TOR Proxy support.
Use an AES CTR Cypher with stream encryption to avoid load an entire file into memory.
Walk all drives by default.
Docker image for compilation.
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1) git clone github.com/mauri870/ransomware
2) cd ransomware
If you have Docker skip to the next section.
3) You need Go at least 1.11.2 with the $GOPATH/bin in your $PATH and $GOROOT pointing to your Go installation folder. For me:
export GOPATH=~/gopath
export PATH=$PATH:$GOPATH/bin
export GOROOT=/usr/local/go
4) Build the project require a lot of steps, like the RSA key generation, build three binaries, embed manifest files, so, let's leave make do your job:
make deps
make
5) You can build the server for windows with make -e GOOS=windows.
Docker
6) ./build-docker.sh make
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - mauri870/ransomware: A POC Windows crypto-ransomware (Academic). Now Ransom:Win32/MauriCrypt.MK!MTB
A POC Windows crypto-ransomware (Academic). Now Ransom:Win32/MauriCrypt.MK!MTB - mauri870/ransomware
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Catch bad SQL queries :
#Hacking
1) download https://github.com/burrito-brothers/shiba
2) Install in a Rails / ActiveRecord project using bundler. Note: this gem is not designed to be run on production. It should be required after minitest/rspec.
# Gemfile
3) gem 'shiba', :group => :test, :require => 'shiba/setup'
If your application lazy loads gems, you will to manually require it.
# config/environments/test.rb or test/test_helper.rb
require 'shiba/setup
4) To get started, try out shiba locally. To verify shiba is actually running, you can run your tests with SHIBA_DEBUG=true.
# Install
bundle
# Run some tests using to generate a SQL report
5) rake test:functional
rails test test/controllers/users_controller_test.rb
SHIBA_DEBUG=true ruby test/controllers/users_controller_test.rb
# 1 problematic query detected
# Report available at /tmp/shiba-explain.log-1550099512
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Catch bad SQL queries :
#Hacking
1) download https://github.com/burrito-brothers/shiba
2) Install in a Rails / ActiveRecord project using bundler. Note: this gem is not designed to be run on production. It should be required after minitest/rspec.
# Gemfile
3) gem 'shiba', :group => :test, :require => 'shiba/setup'
If your application lazy loads gems, you will to manually require it.
# config/environments/test.rb or test/test_helper.rb
require 'shiba/setup
4) To get started, try out shiba locally. To verify shiba is actually running, you can run your tests with SHIBA_DEBUG=true.
# Install
bundle
# Run some tests using to generate a SQL report
5) rake test:functional
rails test test/controllers/users_controller_test.rb
SHIBA_DEBUG=true ruby test/controllers/users_controller_test.rb
# 1 problematic query detected
# Report available at /tmp/shiba-explain.log-1550099512
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - burrito-brothers/shiba: Catch bad SQL queries before they cause problems in production
Catch bad SQL queries before they cause problems in production - GitHub - burrito-brothers/shiba: Catch bad SQL queries before they cause problems in production
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦HOW TO FIX A HACKED DRUPAL WEBSITE ??
Step 1: Make a forensic copy of the site
Once you are sure that you've been hacked you should stop everything and make a forensic copy of it. Some people prefer to literally yank the network cable and power cable from the server, though that obviously isn't always appropriate and doesn't work for all environments (cloud, anyone?). If you can, this forensic copy could be an operating system level snapshot of the server(s) involved. Otherwise, go for a copy of the database and files. Store one copy to media that can't be modified like a CD or DVD.
Step 2: Decide to keep, rollback, rebuild, or throw the site away.
"Keeping" a site requires you to spend a lot of time and effort reviewing it. You may decide, depending on the nature of the site, that it is perfectly acceptable to throw it away or rebuild it. Perhaps the needs of the site have shifted and you were planning to rebuild it already. Perhaps it was for an event that has come and gone and you can make a static copy or just delete it all. Even if you've decided to rebuild or delete a site you aren't done with this process, but at least you've cut out a lot of the work in remediation. You may not be able to make this decision or may change your mind based on investigation you do as part of remediation. Start the process by considering this question and it may help ease your life. If you know the specific date that your site was hacked, you may be able to rebuild the site easily simply by using an older database and file backup (you make those and keep them around, right?).
Sidebar: Documentation and learning
One of the first things you should do is open two scratch pads. One for documenting everything you've discovered and that you're doing NOW. If you notice an important detail proving how the attackers got in, add the source of the information and as much of that information as you can. The second document is for things you want to do to harden your site that you think of as you go through the process. You may realize a lot of things you can do to make it harder for attackers, but their not easy or critical enough to do right now. Save those valuable ideas for later.
Step 3: Who should you notify?
You should start deciding who you need to notify about the issue. If your site had users and you believe your site was completely taken over then private content like their email address, IP address and anything else private on the site is compromised. In some locations you are legally bound to inform people of this exposure (e.g. in the case of sites requiring HIPAA or PCI Compliance), if not also morally bound.
If you are not the owner of the site, you should consider which stakeholders to inform. Visitors of the site might have been exposed to malware. The owner should be involved in decision making.
Depending on the nature of the site and who you suspect attacked it, you may wish to notify one or more law enforcement groups. Many local law enforcement groups are poorly equipped for dealing with these kinds of issues. But perhaps they will be able to help or refer your case to another law enforcement group.
Step 4: Should you take the site offline?
Again, depending on the nature of the site you may wish to take it offline. If you suspect that it is actively being used to distribute malware, send spam, or as a pivot point for further attacks then taking it offline and installing a placeholder will at least prevent further damage.
Note that taking the site offline likely does tip the attackers that you are aware of their presence.
If you don't take the site offline at the webserver level:
Make sure you've got your forensic copy and then delete out all sessions.
If you suspect passwords have been changed, you can update them to new values using a query like this:
update users set pass = concat('ZZZ', sha(concat(pass, md5(rand()))));
Users will be able to use the password reset tool to change their password.
π¦HOW TO FIX A HACKED DRUPAL WEBSITE ??
Step 1: Make a forensic copy of the site
Once you are sure that you've been hacked you should stop everything and make a forensic copy of it. Some people prefer to literally yank the network cable and power cable from the server, though that obviously isn't always appropriate and doesn't work for all environments (cloud, anyone?). If you can, this forensic copy could be an operating system level snapshot of the server(s) involved. Otherwise, go for a copy of the database and files. Store one copy to media that can't be modified like a CD or DVD.
Step 2: Decide to keep, rollback, rebuild, or throw the site away.
"Keeping" a site requires you to spend a lot of time and effort reviewing it. You may decide, depending on the nature of the site, that it is perfectly acceptable to throw it away or rebuild it. Perhaps the needs of the site have shifted and you were planning to rebuild it already. Perhaps it was for an event that has come and gone and you can make a static copy or just delete it all. Even if you've decided to rebuild or delete a site you aren't done with this process, but at least you've cut out a lot of the work in remediation. You may not be able to make this decision or may change your mind based on investigation you do as part of remediation. Start the process by considering this question and it may help ease your life. If you know the specific date that your site was hacked, you may be able to rebuild the site easily simply by using an older database and file backup (you make those and keep them around, right?).
Sidebar: Documentation and learning
One of the first things you should do is open two scratch pads. One for documenting everything you've discovered and that you're doing NOW. If you notice an important detail proving how the attackers got in, add the source of the information and as much of that information as you can. The second document is for things you want to do to harden your site that you think of as you go through the process. You may realize a lot of things you can do to make it harder for attackers, but their not easy or critical enough to do right now. Save those valuable ideas for later.
Step 3: Who should you notify?
You should start deciding who you need to notify about the issue. If your site had users and you believe your site was completely taken over then private content like their email address, IP address and anything else private on the site is compromised. In some locations you are legally bound to inform people of this exposure (e.g. in the case of sites requiring HIPAA or PCI Compliance), if not also morally bound.
If you are not the owner of the site, you should consider which stakeholders to inform. Visitors of the site might have been exposed to malware. The owner should be involved in decision making.
Depending on the nature of the site and who you suspect attacked it, you may wish to notify one or more law enforcement groups. Many local law enforcement groups are poorly equipped for dealing with these kinds of issues. But perhaps they will be able to help or refer your case to another law enforcement group.
Step 4: Should you take the site offline?
Again, depending on the nature of the site you may wish to take it offline. If you suspect that it is actively being used to distribute malware, send spam, or as a pivot point for further attacks then taking it offline and installing a placeholder will at least prevent further damage.
Note that taking the site offline likely does tip the attackers that you are aware of their presence.
If you don't take the site offline at the webserver level:
Make sure you've got your forensic copy and then delete out all sessions.
If you suspect passwords have been changed, you can update them to new values using a query like this:
update users set pass = concat('ZZZ', sha(concat(pass, md5(rand()))));
Users will be able to use the password reset tool to change their password.
HOW TO FIX A HACKED DRUPAL WEBSITE 2
Step 5: Begin investigating the attack
Whatever tipped you off to the fact that you were compromised is the first step in investigating the attack. If your page content was changed, spam emails were sent, information stolen and used for some purpose, malware uploaded to the site, whatever the compromise is - consider how the attacker could have achieved that. List out every way you can think of that someone could make that change. There are two goals to this exercise: first, you'll help pin down how you got attacked so you can close that hole. Second, you'll identify other things the attacker could have done based on the means they used to attack your site. Try to be creative and don't throw out any possibilities as "too hard" or "technically impossible" - your attacker was probably creative and your site may not work exactly as you think it does.
Once you have a list of ways, start trying to pin down which is most likely. Which requires the least effort? What evidence would there be for each one? Do you see examples of that evidence? For each method, is the attack a reasonable thing for someone to do if they had that kind of access? Does one require so much effort that it's not worth it?
When in doubt, ask for help from a colleague that may have more experience with IT and web application security. Sometimes the simple excercise of talking it through with another person will surface additional ideas. Additionally, you should review the OWASP Top 10 list to make sure you're aware of all the various types of attacks. Finally, you find it helpful to search the internet to see if there are others experiencing a similar breach. Often times these attacks are performed by bots that scan a large quantity of websites, so there may be some known signatures to look for as well as solutions to correct and/or mitigate the vulnerability.
If you're lucky, one or two of the potential ways to break in will be the obvious choice. So, block that weakness!
Sidebar: Attackers Have Workflows Too
Just like you have a workflow for building a site, attackers have workflows for attacking a site. Loosely speaking, the first step that matters to you is when they have broken into the site. There is often a software bot and/or group of people who are working on this piece and they are not necessarily the people who will exploit the site. Once they have established a foothold, the next step may not come for days or months.
Next is learning about the site and deciding what to do with it. If the site houses a large number of accounts or sensitive data then that is a resource. If it's on a big private network then that becomes something new to explore and exploit. Maybe it's just a clean IP to use to send spam. Maybe it gets a lot of traffic and is a good point to use to distribute malware. If it's got a high search engine rank it can be a place from which to link to other sites and earn search-engine reputation.
Once the potential value of your site is understood it's time to start exploiting it. Attackers may do multiple things at the same time: start by exfiltrating the email/password list and then leave some malware and search-engine links. If your content is particularly sensitive they may copy it and then clean up their tracks so you don't suspect any data was stolen.
If you see signs of a break-in but not of any damage, perhaps you stopped the process early, or perhaps they abused the site in ways that don't leave traces and then haven't done anything else.
Reference-git2020
β β β Uππ»βΊπ«Δπ¬πβ β β β
Step 5: Begin investigating the attack
Whatever tipped you off to the fact that you were compromised is the first step in investigating the attack. If your page content was changed, spam emails were sent, information stolen and used for some purpose, malware uploaded to the site, whatever the compromise is - consider how the attacker could have achieved that. List out every way you can think of that someone could make that change. There are two goals to this exercise: first, you'll help pin down how you got attacked so you can close that hole. Second, you'll identify other things the attacker could have done based on the means they used to attack your site. Try to be creative and don't throw out any possibilities as "too hard" or "technically impossible" - your attacker was probably creative and your site may not work exactly as you think it does.
Once you have a list of ways, start trying to pin down which is most likely. Which requires the least effort? What evidence would there be for each one? Do you see examples of that evidence? For each method, is the attack a reasonable thing for someone to do if they had that kind of access? Does one require so much effort that it's not worth it?
When in doubt, ask for help from a colleague that may have more experience with IT and web application security. Sometimes the simple excercise of talking it through with another person will surface additional ideas. Additionally, you should review the OWASP Top 10 list to make sure you're aware of all the various types of attacks. Finally, you find it helpful to search the internet to see if there are others experiencing a similar breach. Often times these attacks are performed by bots that scan a large quantity of websites, so there may be some known signatures to look for as well as solutions to correct and/or mitigate the vulnerability.
If you're lucky, one or two of the potential ways to break in will be the obvious choice. So, block that weakness!
Sidebar: Attackers Have Workflows Too
Just like you have a workflow for building a site, attackers have workflows for attacking a site. Loosely speaking, the first step that matters to you is when they have broken into the site. There is often a software bot and/or group of people who are working on this piece and they are not necessarily the people who will exploit the site. Once they have established a foothold, the next step may not come for days or months.
Next is learning about the site and deciding what to do with it. If the site houses a large number of accounts or sensitive data then that is a resource. If it's on a big private network then that becomes something new to explore and exploit. Maybe it's just a clean IP to use to send spam. Maybe it gets a lot of traffic and is a good point to use to distribute malware. If it's got a high search engine rank it can be a place from which to link to other sites and earn search-engine reputation.
Once the potential value of your site is understood it's time to start exploiting it. Attackers may do multiple things at the same time: start by exfiltrating the email/password list and then leave some malware and search-engine links. If your content is particularly sensitive they may copy it and then clean up their tracks so you don't suspect any data was stolen.
If you see signs of a break-in but not of any damage, perhaps you stopped the process early, or perhaps they abused the site in ways that don't leave traces and then haven't done anything else.
Reference-git2020
β β β Uππ»βΊπ«Δπ¬πβ β β β
Forwarded from UNDERCODE NEWS
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦SCRIPTING UTILITIES :
* [IDC Functions Doc](https://www.hex-rays.com/products/ida/support/idadoc/162.shtml)
* [Using IDAPython to Make your Life Easier](http://researchcenter.paloaltonetworks.com/tag/idapython/)
* [Introduction to IDA Python](https://tuts4you.com/download.php?view.3229)
* [The Beginner's Guide to IDA Python](https://leanpub.com/IDAPython-Book)
* [IDA Plugin Contest](https://www.hex-rays.com/contests/)
* [onehawt IDA Plugin List](https://github.com/onethawt/idaplugins-list)
* [pefile Python Library](https://github.com/erocarrera/pefile)
git resources
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦SCRIPTING UTILITIES :
* [IDC Functions Doc](https://www.hex-rays.com/products/ida/support/idadoc/162.shtml)
* [Using IDAPython to Make your Life Easier](http://researchcenter.paloaltonetworks.com/tag/idapython/)
* [Introduction to IDA Python](https://tuts4you.com/download.php?view.3229)
* [The Beginner's Guide to IDA Python](https://leanpub.com/IDAPython-Book)
* [IDA Plugin Contest](https://www.hex-rays.com/contests/)
* [onehawt IDA Plugin List](https://github.com/onethawt/idaplugins-list)
* [pefile Python Library](https://github.com/erocarrera/pefile)
git resources
β β β Uππ»βΊπ«Δπ¬πβ β β β
Leanpub
The Beginner's Guide to IDAPython
Forwarded from UNDERCODE NEWS
