|
|
Wednesday, May 6, 2020
November 2019 Connector
TYPES OF HACKER
1-Script Kiddies-They are just download overused software & watch youtube video on how to use it. Script kiddies don't care about hacking.
2-White Hat-They are the good guys of the hacker world. They also known as Ethical Hacker.
3-Black Hat-They finds bank or other companies with weak security and steal money or credit card information. They also known as cracker. They are dangerous because they are illegal to gain unauthorized access.
4-Gray Hat-They don't steal money or information sometimes they deface a website or they don't help people for good.
5-Green Hat-These are the hacker "noobz" but unlike Script Kiddies.They care about Hacking and strive to become full-blown hacker.
6-Red Hat-These are the vigilantes of the hacker world. They are like White Hats in that they halt Black Hats but these folks are downright SCARY to those who have ever tried so much as penetrest.
7-Blue Hat-If a Script Kiddy took revenge he/she might become a Blue Hat.Most Blue Hats are noobz.They have no desire to learn.
Related word
- Hacking Social
- Viral Hacking
- Hacking Games
- Mindset Hacking Español
- Hacking Web Technologies Pdf
- Hacking Wifi
- Hacking Y Forensic Desarrolle Sus Propias Herramientas En Python Pdf
- Growth Hacking Madrid
- Ethical Hacking
- Seguridad Y Hacking
- Foro Hacking
- Hacking To The Gate
- Software Hacking
- Master Hacking Etico
- Growth Hacking Instagram
Tuesday, May 5, 2020
Vulcan DoS Vs Akamai
In the past I had to do several DoS security audits, with múltiples types of tests and intensities. Sometimes several DDoS protections were present like Akamai for static content, and Arbor for absorb part of the bandwith.
One consideration for the DoS/DDoS tools is that probably it will loss the control of the attacker host, and the tool at least has to be able to stop automatically with a timeout, but can also implement remote response checks.
In order to size the minimum mbps needed to flood a service or to retard the response in a significant amount of time, the attacker hosts need a bandwith limiter, that increments in a logarithmic way up to a limit agreed with the customer/isp/cpd.
There are DoS tools that doesn't have this timeouts, and bandwith limit based on mbps, for that reason I have to implement a LD_PRELOAD based solution: bwcontrol
Although there are several good tools for stressing web servers and web aplications like apache ab, or other common tools used for pen-testing, but I also wrote a fast web flooder in c++ named wflood.
As expected the most effective for taking down the web server are the slow-loris, slow-read and derivatives, few host were needed to DoS an online banking.
Remote attacks to database and highly dynamic web content were discarded, that could be impacted for sure.
I did another tool in c++ for crafting massive tcp/udp/ip malformed packets, that impacted sometimes on load balancers and firewalls, it was vulcan, it freezed even the firewall client software.
The funny thing was that the common attacks against Akamai hosts, where ineffective, and so does the slow-loris family of attacks, because are common, and the Akamai nginx webservers are well tunned. But when tried vulcan, few intensity was enough to crash Akamai hosts.
Another attack vector for static sites was trying to locate the IP of the customer instead of Akamai, if the customer doesn't use the Akamai Shadow service, it's possible to perform a HTTP Host header scan, and direct the attack to that host bypassing Akamai.
And what about Arbor protection? is good for reducing the flood but there are other kind of attacks, and this protection use to be disabled by default and in local holidays can be a mess.
Related word
How Do I Get Started With Bug Bounty ?
How do I get started with bug bounty hunting? How do I improve my skills?
These are some simple steps that every bug bounty hunter can use to get started and improve their skills:
Learn to make it; then break it!
A major chunk of the hacker's mindset consists of wanting to learn more. In order to really exploit issues and discover further potential vulnerabilities, hackers are encouraged to learn to build what they are targeting. By doing this, there is a greater likelihood that hacker will understand the component being targeted and where most issues appear. For example, when people ask me how to take over a sub-domain, I make sure they understand the Domain Name System (DNS) first and let them set up their own website to play around attempting to "claim" that domain.
Read books. Lots of books.
One way to get better is by reading fellow hunters' and hackers' write-ups. Follow /r/netsec and Twitter for fantastic write-ups ranging from a variety of security-related topics that will not only motivate you but help you improve. For a list of good books to read, please refer to "What books should I read?".
Join discussions and ask questions.
As you may be aware, the information security community is full of interesting discussions ranging from breaches to surveillance, and further. The bug bounty community consists of hunters, security analysts, and platform staff helping one and another get better at what they do. There are two very popular bug bounty forums: Bug Bounty Forum and Bug Bounty World.
Participate in open source projects; learn to code.
Go to https://github.com/explore or https://gitlab.com/explore/projects and pick a project to contribute to. By doing so you will improve your general coding and communication skills. On top of that, read https://learnpythonthehardway.org/ and https://linuxjourney.com/.
Help others. If you can teach it, you have mastered it.
Once you discover something new and believe others would benefit from learning about your discovery, publish a write-up about it. Not only will you help others, you will learn to really master the topic because you can actually explain it properly.
Smile when you get feedback and use it to your advantage.
The bug bounty community is full of people wanting to help others so do not be surprised if someone gives you some constructive feedback about your work. Learn from your mistakes and in doing so use it to your advantage. I have a little physical notebook where I keep track of the little things that I learnt during the day and the feedback that people gave me.
Learn to approach a target.
The first step when approaching a target is always going to be reconnaissance — preliminary gathering of information about the target. If the target is a web application, start by browsing around like a normal user and get to know the website's purpose. Then you can start enumerating endpoints such as sub-domains, ports and web paths.
A woodsman was once asked, "What would you do if you had just five minutes to chop down a tree?" He answered, "I would spend the first two and a half minutes sharpening my axe."
As you progress, you will start to notice patterns and find yourself refining your hunting methodology. You will probably also start automating a lot of the repetitive tasks.
Continue readingThese are some simple steps that every bug bounty hunter can use to get started and improve their skills:
Learn to make it; then break it!
A major chunk of the hacker's mindset consists of wanting to learn more. In order to really exploit issues and discover further potential vulnerabilities, hackers are encouraged to learn to build what they are targeting. By doing this, there is a greater likelihood that hacker will understand the component being targeted and where most issues appear. For example, when people ask me how to take over a sub-domain, I make sure they understand the Domain Name System (DNS) first and let them set up their own website to play around attempting to "claim" that domain.
Read books. Lots of books.
One way to get better is by reading fellow hunters' and hackers' write-ups. Follow /r/netsec and Twitter for fantastic write-ups ranging from a variety of security-related topics that will not only motivate you but help you improve. For a list of good books to read, please refer to "What books should I read?".
Join discussions and ask questions.
As you may be aware, the information security community is full of interesting discussions ranging from breaches to surveillance, and further. The bug bounty community consists of hunters, security analysts, and platform staff helping one and another get better at what they do. There are two very popular bug bounty forums: Bug Bounty Forum and Bug Bounty World.
Participate in open source projects; learn to code.
Go to https://github.com/explore or https://gitlab.com/explore/projects and pick a project to contribute to. By doing so you will improve your general coding and communication skills. On top of that, read https://learnpythonthehardway.org/ and https://linuxjourney.com/.
Help others. If you can teach it, you have mastered it.
Once you discover something new and believe others would benefit from learning about your discovery, publish a write-up about it. Not only will you help others, you will learn to really master the topic because you can actually explain it properly.
Smile when you get feedback and use it to your advantage.
The bug bounty community is full of people wanting to help others so do not be surprised if someone gives you some constructive feedback about your work. Learn from your mistakes and in doing so use it to your advantage. I have a little physical notebook where I keep track of the little things that I learnt during the day and the feedback that people gave me.
Learn to approach a target.
The first step when approaching a target is always going to be reconnaissance — preliminary gathering of information about the target. If the target is a web application, start by browsing around like a normal user and get to know the website's purpose. Then you can start enumerating endpoints such as sub-domains, ports and web paths.
A woodsman was once asked, "What would you do if you had just five minutes to chop down a tree?" He answered, "I would spend the first two and a half minutes sharpening my axe."
As you progress, you will start to notice patterns and find yourself refining your hunting methodology. You will probably also start automating a lot of the repetitive tasks.
Reversing Pascal String Object
There are many goodware and malware developed in pascal, and we will see that the binary generated by the pascal compilers is fascinating, not only because the small and clean generated binaries, or the clarity of the pascal code, but also the good performance. In Linux we have Lazarus which is a good free IDE like Delphi and Kylix the free pascal IDE for windows.
The program:
program strtest;
var
cstr: array[0..10] of char;
s, s2: ShortString;
begin
cstr := 'hello world';
s := cstr;
s2 := 'test';
WriteLn(cstr + ' ' + s + ' ' + s2);
end.
We are going to compile it with freepascal and lazarus, and just the binary size differs a lot:
lazarus 242,176 btytes 845 functions
freepascal 32,256 bytes 233 functions
turbopascal 2,928 bytes 80 functions (wow)
And surprisingly turbopascal binaries are extremely light.
Lets start with lazarus:
And our starting point is a function called entry that calls the console initialization and retrieve some console configurations, and then start a labyrinth of function calls.
On functions 10000e8e0 there is the function that calls the main function.
I named execute_param2 because the second param is a function pointer that is gonna be executed without parameters, it sounds like main calling typical strategy.
And here we are, it's clearly the user code pascal main function.
What it seems is that function 100001800 returns an string object, then is called its constructor to initialize the string, then the string is passed to other functions that prints it to the screen.
This function executes the method 0x1c0 of the object until the byte 0x89 is a null byte.
What the hell is doing here?
First of all let's create the function main:
Simply right button create function:
After a bit of work on Ghidra here we have the main:
Note that the struct member so high like 0x1b0 are not created by default, we should import a .h file with an struct or class definition, and locate the constructor just on that position.
The mysterious function was printing byte a byte until null byte, the algorithm the compiler implemented in asm is not as optimized as turbopascal's.
In Windbg we can see the string object in eax after being created but before being initialized:
Just before executing the print function, the RCX parameter is the string object and it still identical:
Let's see the constructor code.
The constructor address can be guessed on static walking the reverse-cross-references to main, but I located it in debugging it in dynamic analysis.
The constructor reads only a pointer stored on the string object on the position 0x98.
And we have that the pointer at 0x98 is compared with the address of the literal, so now we know that this pointer points to the string.
The sentence *string_x98 = literal confirms it, and there is not memory copy, it only points reusing the literal.
There are two ways to follow the references in Ghidra, one is [ctrl] + [shift] + F but there is other trick which is simply clicking the green references texts on the disassembly.
At the beginning I doubted and put the name possible_main, but it's clearly the pascal user code main function.
The char array initialization Is converted by freepascal compiler to an runtime initialization using mov instructions.
Reducing the coverage on dynamic we arrive to the writeln function:
EAX helds a pointer to a struct, and the member 0x24 performs the printing. In this cases the function can be tracked easily in dynamic executing the sample.
And lands at 0x004059b0 where we see the WriteFile, the stdout descriptor, the text and the size supplied by parameter.
there is an interesting logic of what happens if WriteFile() couldn't write all the bytes, but this is other scope.
Lets see how this functions is called and how text and size are supplied to figure out the string object.
EBX helds the string object and there are two pointers, a pointer to the string on 0x18 and the length in 0x18, lets verify it on windbg.
And here we have the string object, 0x0000001e is the length, and 0x001de8a68 is the pointer.
Thanks @capi_x for the pascal samples.
The program:
program strtest;
var
cstr: array[0..10] of char;
s, s2: ShortString;
begin
cstr := 'hello world';
s := cstr;
s2 := 'test';
WriteLn(cstr + ' ' + s + ' ' + s2);
end.
We are going to compile it with freepascal and lazarus, and just the binary size differs a lot:
lazarus 242,176 btytes 845 functions
freepascal 32,256 bytes 233 functions
turbopascal 2,928 bytes 80 functions (wow)
And surprisingly turbopascal binaries are extremely light.
Lets start with lazarus:
Logically it imports from user32.dll some display functions, it also import the kernel32.dll functions and suspiciously the string operations of oleaut32.dll
On functions 10000e8e0 there is the function that calls the main function.
And here we are, it's clearly the user code pascal main function.
What it seems is that function 100001800 returns an string object, then is called its constructor to initialize the string, then the string is passed to other functions that prints it to the screen.
What the hell is doing here?
First of all let's create the function main:
After a bit of work on Ghidra here we have the main:
Note that the struct member so high like 0x1b0 are not created by default, we should import a .h file with an struct or class definition, and locate the constructor just on that position.
The mysterious function was printing byte a byte until null byte, the algorithm the compiler implemented in asm is not as optimized as turbopascal's.
In Windbg we can see the string object in eax after being created but before being initialized:
Just before executing the print function, the RCX parameter is the string object and it still identical:
Let's see the constructor code.
The constructor address can be guessed on static walking the reverse-cross-references to main, but I located it in debugging it in dynamic analysis.
The constructor reads only a pointer stored on the string object on the position 0x98.
The sentence *string_x98 = literal confirms it, and there is not memory copy, it only points reusing the literal.
Freepascal
The starting labyrinth is bigger than Lazarus so I had to begin the maze from the end, searching the string "hello world" and then finding the string references:
There are two ways to follow the references in Ghidra, one is [ctrl] + [shift] + F but there is other trick which is simply clicking the green references texts on the disassembly.
At the beginning I doubted and put the name possible_main, but it's clearly the pascal user code main function.
The char array initialization Is converted by freepascal compiler to an runtime initialization using mov instructions.
Reducing the coverage on dynamic we arrive to the writeln function:
EAX helds a pointer to a struct, and the member 0x24 performs the printing. In this cases the function can be tracked easily in dynamic executing the sample.
And lands at 0x004059b0 where we see the WriteFile, the stdout descriptor, the text and the size supplied by parameter.
there is an interesting logic of what happens if WriteFile() couldn't write all the bytes, but this is other scope.
Lets see how this functions is called and how text and size are supplied to figure out the string object.
EBX helds the string object and there are two pointers, a pointer to the string on 0x18 and the length in 0x18, lets verify it on windbg.
And here we have the string object, 0x0000001e is the length, and 0x001de8a68 is the pointer.
Thanks @capi_x for the pascal samples.
Continue reading
Monday, May 4, 2020
How To Start | How To Become An Ethical Hacker
Are you tired of reading endless news stories about ethical hacking and not really knowing what that means? Let's change that!
This Post is for the people that:
- Have No Experience With Cybersecurity (Ethical Hacking)
- Have Limited Experience.
- Those That Just Can't Get A Break
OK, let's dive into the post and suggest some ways that you can get ahead in Cybersecurity.
I receive many messages on how to become a hacker. "I'm a beginner in hacking, how should I start?" or "I want to be able to hack my friend's Facebook account" are some of the more frequent queries. Hacking is a skill. And you must remember that if you want to learn hacking solely for the fun of hacking into your friend's Facebook account or email, things will not work out for you. You should decide to learn hacking because of your fascination for technology and your desire to be an expert in computer systems. Its time to change the color of your hat 😀
I've had my good share of Hats. Black, white or sometimes a blackish shade of grey. The darker it gets, the more fun you have.
If you have no experience don't worry. We ALL had to start somewhere, and we ALL needed help to get where we are today. No one is an island and no one is born with all the necessary skills. Period.OK, so you have zero experience and limited skills…my advice in this instance is that you teach yourself some absolute fundamentals.
Let's get this party started.
- What is hacking?
Hacking is identifying weakness and vulnerabilities of some system and gaining access with it.
Hacker gets unauthorized access by targeting system while ethical hacker have an official permission in a lawful and legitimate manner to assess the security posture of a target system(s)There's some types of hackers, a bit of "terminology".
White hat — ethical hacker.
Black hat — classical hacker, get unauthorized access.
Grey hat — person who gets unauthorized access but reveals the weaknesses to the company.
Script kiddie — person with no technical skills just used pre-made tools.
Hacktivist — person who hacks for some idea and leaves some messages. For example strike against copyright.
- Skills required to become ethical hacker.
- Curosity anf exploration
- Operating System
- Fundamentals of Networking
Friday, May 1, 2020
Toy Soldiers, Part 1: Ronin
 |
| Seven samurai, painted and ready to fight! |
Having taken the plunge into miniatures gaming with games like 7TV, Doctor Who: Exterminate!, and Mythic Battles: Pantheon, I wanted to find a samurai themed game to indulge my love of Kurosawa movies, and Ronin: Skirmish Wargames in the age of the Samurai looked like just the thing, although it was another year after buying the rulebook before I got around to buying and painting enough samurai miniatures to play the game with.
After assembling some suitable terrain (mostly of the print-and-play, cut-and-assemble variety) we finally set up to play a game, a simple "defend the bridge" scenario with bloodthirsty bandits on one side and noble Koryu (sword fighting teachers and students) on the other.
At the start of a hand-to-hand battle, each player secretly chooses a number of tokens based on the experience level of his characters. There are two different tokens to choose from: attack or defense. Once the die rolling starts, these tokens can be spent to improve a character's chance of attacking or defending successfully. What this amounts to is that players are forced to choose whether they want to focus on defense, attack, or try to balance out the two.
As with most games of this type, ranged attackers have the huge advantage of being able to attack from a distance (and in this game they get to attack first), but the game balances that by giving them fewer opportunities to increase their chance of hitting, and it also takes into account the slow reload times of ranged weapons from this time period.
Games are scenario based, usually with a specific goal for one side or the other rather than just "run to the middle and fight," and the game does a good job of allowing for narrative actions like looting bodies and picking up objects. It also has a whole system covering morale and the idea that if the fight is going badly, the troops might start running away.
We really enjoyed the game, and my only complaint isn't really a flaw in the game but an element that could be seen by many as a plus. The game doesn't come with pre-made character cards like its more commercial cousins tend to. Players are given example character types, with options for different weapons and abilities. Character stats are then copied onto a simple roster form for use during play. It works fine and is well suited to this style of game, but at the same time (and this is a very superficial criticism) it's an element of the game that is dry and uninteresting. Additionally, the hand writing and pre-game decision making makes it more difficult to just jump in and start playing, which means we won't get this game to the table very often.
Rating: 3 (out of 5) A great game system that works fine as-is, but could benefit from some more lavish support materials and a shorter prep time.
- Ronin: Skirmish Wargames in the Age of the Samurai official website
- Ronin: Skirmish Wargames in the Age of the Samurai on BoardGameGeek
Shoot Your Goo, Fun Puzzle Platformer Made With FTEQW In 48H!
Shoot Your Goo is (despite its name) a family friendly puzzle platformer made in just 48h for the GMTK Game Jam 2019. It could be described as a mix of Angry Birds and mini-golf, but see for yourself:
The source-code can be found here, and you can head over to InsideQC to discuss with the creators.
The team who made this has become quite proficient in turning out interesting game prototypes (Bloodletter, Escape from Space etc.) with the very cool FTEQW engine... a much advanced Quake1 derived engine (unofficial developer's documentation on the QuakeWiki & source code).
There are also a few other interesting projects with FTEQW, such as CubiQuake, FreeCS, and it has even gotten to the point of being nearly ready as a functional drop in replacement engine for Xonotic.
Semi-OT: Trenchbroom, the modern take on Quake engine mapping is continuing with great improvements and should be on your list to check out for sure
Discuss on our forums here.
The source-code can be found here, and you can head over to InsideQC to discuss with the creators.
The team who made this has become quite proficient in turning out interesting game prototypes (Bloodletter, Escape from Space etc.) with the very cool FTEQW engine... a much advanced Quake1 derived engine (unofficial developer's documentation on the QuakeWiki & source code).
There are also a few other interesting projects with FTEQW, such as CubiQuake, FreeCS, and it has even gotten to the point of being nearly ready as a functional drop in replacement engine for Xonotic.
Semi-OT: Trenchbroom, the modern take on Quake engine mapping is continuing with great improvements and should be on your list to check out for sure
Discuss on our forums here.
Subscribe to:
Posts (Atom)