Todo se Comparte

Exploiting phpMyadmin

2009-11-29T19:45:00.001-04:00

articulo http://www.informit.com/articles/printerfriendly.aspx?p=1407358

FireFuzzer - Fuzzing Tool has been Released A Penetration Testing tool intended to find vulnerabilities in Web Pages especially Buffer Overflow and XS

2009-11-29T19:38:00.000-04:00

A Penetration Testing tool intended to find vulnerabilities in Web Pages especially Buffer Overflow and XSS

Firefuzzer is expected to perform black-box scans over the web pages. It will target the web page URL which is passed as an argument via command line and will mark the textboxes within the HTML forms to inject unacceptable data. Then, FireFuzzer will inject random textual data and submit the forms to see whether Exceptions are generated.

Intended vulnerabilities expected to be targeted include:
Buffer Overflow
Database Injection (SQL Injections)
File Handling Errors (fopen, readfile…)
XSS (Cross Site Scripting) Injection

Download: http://code.google.com/p/firefuzzer/downloads/list

Video demonstration: http://www.youtube.com

Busqueda Y destruccion de prioridad en envio de email

2009-11-29T19:11:00.001-04:00

PDF Metasploit Social Engineering Exploit
Malicious PDF Email Attack

Check this out as well: Using Metasploit Payloads the "Awesome"-way

10 Web Application Fuzzing Tools

2009-11-26T13:59:00.000-04:00

External Tool Links:
1. http://www.immunitysec.com/resources-freesoftware.shtml
2. http://www.owasp.org/index.php/OWASP...rab_NG_Project
3. http://www.portswigger.net/intruder/
4. http://wapiti.sourceforge.net/
5. http://rfuzz.rubyforge.org/
6. http://www.owasp.org/index.php/Categ...Fuzzer_Project
7. http://www.spidynamics.com/products/...ect/index.html
8. http://www.sensepost.com/research/suru/
9. http://www.watchfire.com/products/appscan/appscan.aspx
10. http://michaeldaw.org/projects/asp-auditor-v2/

busqueda google

2009-11-26T13:44:00.001-04:00

inurl:"id=" & intext:"Warning: mysql_fetch_assoc()

inurl:"id=" & intext:"Warning: mysql_fetch_array()

inurl:"id=" & intext:"Warning: mysql_num_rows()

inurl:"id=" & intext:"Warning: session_start()

inurl:"id=" & intext:"Warning: getimagesize()

inurl:"id=" & intext:"Warning: is_writable()

inurl:"id=" & intext:"Warning: getimagesize()

inurl:"id=" & intext:"Warning: Unknown()

inurl:"id=" & intext:"Warning: session_start()

inurl:"id=" & intext:"Warning: mysql_result()

inurl:"id=" & intext:"Warning: pg_exec()

inurl:"id=" & intext:"Warning: mysql_result()

inurl:"id=" & intext:"Warning: mysql_num_rows()

inurl:"id=" & intext:"Warning: mysql_query()

inurl:"id=" & intext:"Warning: array_merge()

inurl:"id=" & intext:"Warning: preg_match()

inurl:"id=" & intext:"Warning: ilesize()

inurl:"id=" & intext:"Warning: filesize()

inurl:"id=" & intext:"Warning: require()

busqueda de web vulnerable en rep.dom

2009-11-26T13:32:00.002-04:00

Good dork:

site:.do inurl:.asp?id=

site:.org inurl:.asp?id=
site:.com inrul:.aspx?=
site:.do inurl:.asp?cid=

Aspx Shells

2009-11-26T13:29:00.001-04:00

http://snapstar.t35.com/k2/web2.rar

pass = $$snapstar22

Mpack, PHP Malware Kit

2009-11-26T13:24:00.001-04:00

Mpack, PHP Malware Kit

el paquete comerciar cuesta 500 dolar pero para ustedes sera gratis

I Have had this in my Rapidshare account for a while, i thought i would post it here.
http://rapidshare.com/files/127876811/MPack_Toolkit_v0.94.rar

Password is "Infected"

Immunity Canvas 6.23

2009-11-26T13:22:00.000-04:00

just got it fully working, here is a pic.

Quote:

Immunity CANVAS Professional Immunity's CANVAS makes available hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development framework to penetration testers and security professionals worldwide. To see CANVAS in action please see our movies.
Cost License:
Current Price: $1450
- one license allows up to 10 users/installations
- includes one quarter of updates and support
- unrestricted (no target IP address limitations)
- full source code
- Your use of CANVAS Professional does not expire when your support period is over.

Monthly Updates and Support: $730.00 per quarter
Early Updates and Support: $8995.00 per quarter

Supported Platforms and Installations
- Windows (requires Python & PyGTK)
- Linux
- MacOSX (requires PyGTK)
- All other Python environments such as mobile phones and commercial Unixes (command line version only supported, GUI may also be available)

Architecture
- CANVAS Professional's completely open design allows a team to adapt CANVAS Professional to their environment and needs.
Documentation
- all documentation is delivered in the form of demonstration movies
- exploit modules have additional information windows

Exploits
- currently over 400 exploits, an average of 4 exploits added every monthly release
- Immunity carefully selects vulnerabilities for inclusion as CANVAS exploits. Top priorities are high-value vulnerabilities such as remote, pre-authentication, and new vulnerabilities in mainstream software.
- Exploits span all common platforms and applications

Payload Options
- to provide maximum reliability, exploits always attempt to reuse socket
- if socket reuse is not suitable, connect-back is used
- subsequent MOSDEF session allows arbitrary code execution, and provides a listener shell for common actions (file management, screenshots, etc)
- bouncing and split-bouncing automatically available via MOSDEF
- adjustable covertness level

Exploit Delivery
- regular monthly updates made available via web
- exploit modules and CANVAS engine are updated simultaneously
- customers reminded of monthly updates via email

Exploit Creation Time
- exploits included in next release as soon as they are stable

Effectiveness of Exploits
- all exploits fully QA'd prior to release
- exploits demonstrated via flash movies
- exploit development team available via direct email for support

Ability to make Custom Exploits
- unique MOSDEF development environment allows rapid exploit development

Development
- CANVAS is a platform that is designed to allow easy development of other security products. Examples include Gleg, Ltd's VulnDisco and the Argeniss Ultimate 0day Exploits Pack.

Here is download Link

Code:

http://rapidshare.com/files/127888061/Imcan6.23.zip

Mars Bank Database 1.1 (Last) Features Banks database with search, filter and sorting possibilities. Contains 11 databases in one: - US banks ABA

2009-11-26T13:20:00.001-04:00

Mars Bank Database 1.1 (Last)

Features

Banks database with search, filter and sorting possibilities. Contains 11 databases in one:
- US banks ABA numbers (25,871 records)
- US banks routing numbers (26,197 records)
- MasterCard bank identification numbers (17,297 records)
- VISA bank identification numbers (35,154 records)
- American Express bank identification numbers (1,215 records)
- US ZIP codes (70,884 records)
- US busy phones (11,784 records)
- Social Security Numbers regions (678 records)
- US Dial Area Codes (249 records)
- US states (65 records)
- UK states (114 records)
Bank Identification Number, BIN - first 6 digits from card number. You can identify any credit/debit card.

For ABA numbers, database has these kind of data:
ABA number, bank name, bank address, bank city, bank state, bank zip, bank phone.
For routing numbers:
routing number, bank name, bank city, bank state, bank phone.
For MasterCard BINs:
BIN, bank name, bank country, bank phone.
For VISA BINs:
BIN, bank name, bank country, card type 1, card type 2, bank phone.
For American Express BINs:
BIN, bank country (always USA), card type (gold, optima, platinum...), bank phone.
For US ZIP codes:
city, state, ZIP code, county.
For US busy phones:
state, city, phone.
For SSN regions:
first 3-digits of SSN, state.
For US Dial Area Codes:
3-digit code, states where this code used
For US states:
state (2 letters), state full name.
For UK states:
state name, country (England, Ireland, Scotland...).

It's possible to make search, filter or sort base by any of this field or some fields together.
Also you can add any notes with some text formatting and colors. This text will be auto saved.
Program supports skins and includes 24 themes. Also it's possible to use .msstyles themes.

Download
Code:
http://www.mars-soft.net/files/MarsBanksBase11.exe

[CC'V] Credit Cards Generators (AIO)

2009-11-26T13:16:00.000-04:00

[CC'V] Credit Cards Generators (AIO)

++In This AIO are 21 Generators: ++
++12 Generators with American Credit Cards and 9 Generators with German Credit Cards . ++
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++
++American Credit Card Generators are: ++
++ American Express card generator v1 beta1 ++
++ Card Tool 1.4 ++
++ CC 2 Bank 1.2 ++
++ CC Generator PROBE ++
++ CC Generator 1.1 ++
++ CC Maker ++
++ Credit Wizard v1.1 ++
++ Credit Master v4.0 ++
++ CC 2 Retriever ++
++ Fraud3r v1.0 Credit Card and ID Generator ++
++ Verify all 4 types of the major credit cards (MC,Visa,Amex and Discover) ++
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++
++German Credit Cards Generators are: ++
++ Citi Bank 1.0 ++
++ CN-Security CCGetV1.1 (Albanian Author) ++
++ Hypo Konto Creator 1.0 ++
++ Konto Master 1.1 ++
++ Perso Generator 0.3 ++
++ Perso Generator 1.0 ++
++ Call Ya Generator ++
++ Credit Card Generator V2 by TheCracker (Albanian Author) ++
++ Generator Final (Albanian Author) ++
++ CC Generator by mix2mix (Albanian Author) ++

Descargar: CC-GeN_SBy-aSt.exe - File Shared from Box.net - Free Online File Storage

Core Impact Pro.+full

2009-11-26T09:35:00.000-04:00

this is V4, and its laim, but it works...

http://rapidshare.com/files/86961467/core_impact_4.rar

Canvas : A Comprehensive Exploitation Framework

2009-11-26T09:29:00.000-04:00

descargalo gratis

http://rapidshare.com/files/111449535/Immunity.Canvas.v5.0.RETAIL-UNiQUE.rar

Curso básico de tecnología RFiD

2009-11-21T20:11:00.001-04:00

Este curso (disponible en idioma inglés unicamente) nos permitirá comprender qué es la tecnología de identificación por radiofrecuencia (RFiD) y como es utilizada en la actualidad.

Entre los temas más importantes que veremos podemos citar:

Introducción a la tecnología RFiD
Historia
Códigos de barra
Qué son los tags RFiD
Sistemas RFiD
Tipos de tags
Frecuencias de operación
Estándares
Seguridad y privacidad

Además incluye una serie de cuestionarios para ejercitar lo aprendido.

http://www.4shared.com/file/78332445/10e29ca9/Free_RFID_Course.html

RFiD: Identificación por radiofrecuencia

2009-11-21T20:09:00.001-04:00

RFID (siglas de Radio Frequency IDentification, en español Identificación por radiofrecuencia) es un sistema de almacenamiento y recuperación de datos remoto que usa dispositivos denominados etiquetas, transpondedores o tags RFID. El propósito fundamental de la tecnología RFID es transmitir la identidad de un objeto (similar a un número de serie único) mediante ondas de radio. Las tecnologías RFID se agrupan dentro de las denominadas Auto ID (Automatic Identification, o Identificación Automática).

Las etiquetas RFID son unos dispositivos pequeños, similares a una pegatina, que pueden ser adheridas o incorporadas a un producto, animal o persona. Contienen antenas para permitirles recibir y responder a peticiones por radiofrecuencia desde un emisor-receptor RFID. Las etiquetas pasivas no necesitan alimentación eléctrica interna, mientras que las activas sí lo requieren. Una de las ventajas del uso de radiofrecuencia (en lugar, por ejemplo, de infrarrojos) es que no se requiere visión directa entre emisor y receptor. Seguir leyendo en Wikipedia…

En internet encontramos muchas notas de aplicación de estos sistemas de identificación. El siguiente paquete contiene:

La identificación por radiofrecuencia
La tecnología de identificación por radiofrecuencia
Sistema de control de acceso con RFID
Tecnología y aplicaciones de RFiD
Presentación RFiD
Control de un lector RFiD mediante microcontrolador

http://www.4shared.com/file/77163477/1e1d97b1/RFiD.html

Building a RFID reader

2009-11-21T20:06:00.000-04:00

Building a RFID reader

I put together this web page to document my quest in building my own RFID reader. It was a fun journey for me, so stay tight and enjoy the ride.

RFID cards are commonly used for access control and bus/train tickets. They are convenient because no direct contact is required to transfer information to and from the card. The card itself is powered by the RFID reader, so there is no battery to change.

For my experiments, I'm using a HID ISOProx card. These cards are the simplest of all RFID cards as they only stores a single serial number and uses no encryption. The carrier frequency is 125KHz.

The first step is to see if I can make a very simple reader. I know the RFID cards is powered by the magnetic field emitted by the RFID reader. The RFID tags transfers information back to the reader by loading the magnetic field, which cause the RFID reader to sense the change in load.

The most common design for RFID reader is to use a series resonate circuit. This consists of a single inductor and a capacitor excited by a low impedance voltage source. If the Q of the circuit is high enough, the voltage at the sampling point will exceed that of the supplied voltage. When the RFID sends a one by loading the magnetic field, this causes the Q of the circuit to drop. The result is a in small change in voltage at the sampling point.

I created a simple reader by finding a coil in my junk pile and a pile of capacitors. Using a function generator as the signal source and oscilloscope attached at the sampling point, I can turn the frequency on the function generator until I find the resonant point of the circuit. I continue to swap the capacitor in this circuit to find the resonant frequency I'm looking for. This frequency is equal to:

For some reason, I confused my self and started the design with 150kHz in mind instead of 125kHz. The RFID tags responds just fine at this higher frequency, so I kept the design as is since I'm too lazy to go back and redesign the entire circuit.

With this simple setup, I manage to see that the RFID tag changes the loading either 4 or 5 carrier frequency cycle. Since the signal should be AC with no DC signal, I assume the transmitted data is at a frequency of 150kHz / 8 = 18.75kHz or 150kHz / 10 = 15kHz. This is the point I found some really useful website that contain some nice information on RFIDs.
http://instruct1.cit.cornell.edu/courses/ee476/FinalProjects/s2006/cjr37/Website/index.htm
The tag seems to encode the data using FSK. The two frequencies are used to represent a 1 and a 0.

With these information in hand, I go ahead and start designing my own antenna inductor. Since I'm still stuck with the idea of using 150kHz carrier frequency, I did the calculation and figured out that I need 160uH of inductance with 10nF of capacitor. I use the following equation to estimate the number of turns I need for the coil:

Where x, y is the length and width of the coil, h is the height and b is the thickness of the conducting part of the coil. I use x=y=6cm, h=1cm and b=0.3cm. The number turns out to be 34. I wrap the coil on a paper box I found, which is how I extracted the x and y. The finished coil is extracted and secured with tape.

To fine tune the resonant frequency of the entire system, I decided to just play with the capacitance. Using the function generator to sweep for the peak output observed with the scope, I played with the size of the capacitor until the peak response of the resonant circuit is at 150kHz. The capacitor that did the trick is 0.056uF. Unless my capacitor has a larger capacitance than it's marking, the coil I made must have a inductance higher than 160uH.

The next stage is to design the analog circuit. I use the trusty TL062 as my OPAMP of choice (Since I got a pile of these little OPAMP). The frequency involved in this project is quite low, so the low frequency performance of this OPAMP should not be an issue. Since I'm always lazy to put a complex circuit together, I elected to use the simplest design I can come up with. So the idea is to use a simple diode detector. The detected voltage goes through the first OP amp configured as a inverting amplifier with low pass frequency response. This will remove bulk of the carrier frequency. The next stage of the analog circuit is to extract the FSK signal. The simplest circuit I come up with is a resonant band pass circuit with a center frequency around 17kHz. This costs me one OPAMP only. The circuit is designed with SPICE, which the plot of the frequency response is shown at the end of the page.

The output of the bandpass signal is than feed directly into the PIC microprocessor. The processor I choose for this project is the good old trusty PIC16F628A. With an onchip comparator, I can feed the output from the OPAMP directly into the PIC and extract the digital signal.

The decoding of the FSK signal is done in software, which is really nice since there is no increase to BOM.

To decode the FSK signal, I implemented a subroutine that uses TMR0 to track the time past between the changes detected on the output of the onchip comparator. No interrupt is used, instead, the routine keeps looping until a change in state is detected. The loop that does the detection takes about three CPU cycle to run through, thus, depending on when the change occurred, there is an maximum error of 3 cycles.

Anyone who knows about the PIC hardware might ask why don't I use the onchip compare capture module. Unfortunately, I used the PWM module to generate the 150KHz carrier signal. The capture hardware shares resource with the PWM module, so only one function can be activated at a time.

To get a picture of how the FSK signal looks like after being digitized, I add a debug mode where it will capture the number of CPU cycle taken between each change in incoming signal. Due to the limitation of the onchip memory, only 80+64 data points is captured. This is not long enough to decode the data, but is sufficient to paint a picture of how the signal looks like. Putting the signal though the Open Office Calc to generate the following plot:
Debug mode output, right after the Duty cycle counter:

In this plot, the number on the Y axes is the time taken(in CPU cycles) between each change of state on the incoming signal. I decided 85 is a fairly good number to decide if the incoming data is a zero or a one. Later on, I decided to change the decoding routine to count the time taken between each rising edge in the signal (Since the signal has zero DC component, and this will save me more memory by recoding 1 bit of data instead of 2). Thus, the constant used in the PIC firmware end up using 170 (2 x 85).

The decoded sequence of data looks like:

 0000000000000000000000001111111111111111000001111110000001111100000011111000000111111 ... ...  111111000001111110000001111100000011111111110000000000001111111111100000011111000000000000 ...  0000001111110000001111111111000000111111000000000000000000000000111111111111111100000

You can see the data starts with a lot of zeros, following a quite a number of ones than the actual data. The entire sequence continue to repeat.

I know the signal is encoded with Manchester coding, so from the signal, I can make the following conclusion:

 1. The signal starts with a sequence of zero larger than 20 zeros  2. The second sequence is always a string of ones lasting for at least 15 bits  3. Each bit lasts 10 to 12 zeros or ones  3. The bit is a zero if there is no change in signal state during the bit time

A quick picture can be drawn:

 111111000001111110000001111100000011111111110000000000001111111111100000011111000000000000  -----------|-----------|----------|_________|___________|__________|----------|___________       1           1           1         0          0          0           1           0

With these rules in mind, I added the function to decode the data.

As a summary of how the entire system looks like, I put together this summary diagram:
Overall block diagram:

Schematic:

Currently, I set the Vcc to 10V, +5V is extracted from Vcc using a simple 78L05 voltage regulator. The Vref is set to half of logic voltage supply at 2.5V, this is accomplished using a simple resistor divider consists of two 4.7k resistor. Source Code:
Revision 1 May 1st, 2007 - Initial release
Revision 2 May 5st, 2007 - Revision 2
Feature added:
Auto start, triggered with pin PB7 set to high
Beeper support, output on pin 4
Full automatic card detect, use command 6

MIren Lector-Magnetico

2009-11-21T19:47:00.002-04:00

Este proyecto es un lector de tarjetas magnéticas experimental y está formado a partir de un mecánismo lector magnético. Esta unidad provee el cabezal magnético de lectura en un soporte mecánico junto a un amplificador de señal de bajo nivel. Además posee tres líneas de señal: presencia de tarjeta, reloj, y datos. Cuando se activa la lectura de una tarjeta se genera un consumo de 50mA sobre 5V.

Los datos provenientes desde la unidad lectora tienen un formato parecido a “track-2″. Esto es 4 bits más un dato de paridad impar. Los datos obtenidos se convierten fácilmente a código ASCII añadiendo una cabecera HEX-30 a cada palabra.

El microcontrolador PIC12F675 es otra de las piezas fundamentales de este proyecto. El par de resistores de 10k sobre los pines GP0 y GP1 están para permitir la programación “in-circuit” via un protoclip.

Como dato relevante, las tarjetas de credito y muchas otras del tipo comercial utilizan el sistema de datos “track-2″ para transmitir la información.

http://www.4shared.com/file/138424216/e3313bec/Lector-Magnetico.html

http://www.allelectronics.com/make-a-store/item/MCR-12/MAGNETIC-CARD-READER/-/1.html

manual hack .cfm? and .asp Shops.

2009-11-21T18:58:00.000-04:00

This is a Tutorial to hack .cfm? and .asp Shops.

You should look up some sql commands if u encounter an error it really helps!
SQL for server Error:
Error Diagnostic Information
ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ".

Thanks For Repling

CODE
http://rapidshare.com/files/93306375/042187203199.rar.html

Use the tool(s):
CODE
http://icswc.yurx.com/good/
http://toolhackvn.net/tool/
http://www.darktoolz.org/hacktool/

etc..
etc...

Enjoy hacking those cvv2's!!

Vulnerability Exploitation Tools

2009-10-29T09:21:00.003-04:00

estoy son algunos programas para explotar vulneravilidades

Metasploit Framework : Hack the Planet

Core Impact : An automated, comprehensive penetration testing product

Canvas : A Comprehensive Exploitation Framework

Web Application Attack and Audit Framework

http://www.computec.ch/projekte/atk/?s=download
http://www.securityforest.com/wiki/index.php/Exploitation_Framework_Download

alguna idea

2009-10-25T14:11:00.000-04:00

alguna persona tiene alguna idea de como crackear esto?

aguilas.com.do

karino:8f90b9ce7af2d738767f6a0d071d3aa9:V4nJfMmrVzDncqSZdhBYA4qUniPjJ7Lm

Contact Information:

Name: 5

Phone: 6

Mobile: 7

Email: 8

http://ligadom.com

Luis Tejada:1becff7e8fd676b054805b23404504c6:uoCuhCHDdFneCi1i81meD3o4bWYFPMuD

Algunos Scam y Letter .

2009-10-25T09:02:00.002-04:00

Bueno aqui les dejo varios scam y alguna letter tambien para que saquen sus login.

Letter, ehmm me olvidaba que uno amigo no sabia que era letter wn, bueno letter es la carta de engaño que se envia al usuario, creo que lo defini en otro post, readddddddd.

Scam Rapidshare.com

http://rapidshare.com/files/277971327/Scam.rapidshare.ByZatanaZ.rar

Scam Megaupload.com

http://rapidshare.com/files/277971549/Scam.Megaupload.ByZatanaZ.rar

Scam Hotmail.com

http://rapidshare.com/files/277971679/Scam.Hotmail.ByZatanaZ.rar

Scam Gmail.com

http://rapidshare.com/files/277971786/Scam.gmail.byZatanaZ.rar

Scam Fotolog.com

http://rapidshare.com/files/277972131/Scam.Fotolog.byZatanaZ.rar

Letter Windows Messenger 10

http://rapidshare.com/files/277972592/letter.Messenger10bY.ZatanaZ.html.rar">

Letter Hotmail

http://rapidshare.com/files/277973280/hotmailletterByZatanaZ.html.rar

Es todo. Salu2

Password : La de siempre.

mailer de Zatanez

2009-10-25T09:00:00.001-04:00

Que es un Mailer ?

Por si estas metiéndote recién en estos temas un Mailer es básicamente para mandar E-Mails masivamente, con datos falsos del remitente, esta codeado general mente en .php y también sirve para enviar las famosas letter, estas son las cartas o E-Mailsanzuelos que te llevan al Scam.