835 Posts In Total


Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others' company. Arthur Schopenhauer

Propaganda is the last-ditch effort to unite morality with interests. Fascism is the abandonment or transformation of morality to serve interests.

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. Cross Site Scripting (XSS) Vulnerability Payload List

You need to stop blaming your parents for the way you turned out. Your parents probably did the best they could for you.

Hello everyone! Until I saw this blog post from _n1ghtw0lf, I did not know that YARA rules could be used for configuration extraction. He wrote a YARA rule for dotnet samples using the dotnet module and a custom module. That inspired me to do the same thing for other kinds of samples, not only those written in dotnet. However, I could not find any module that reads data at a given offset, so I decided to write my own helper. I will also give an example YARA rule that uses this module to extract the configuration of a Danabot sample. Configuration Extraction with YARA

If you open the sample in the JEB decompiler, you will find that the class names are obfuscated and the code contains nop instructions, which makes analysis harder and is an indicator that the sample is packed. So we need to get the decrypted payload. We will use this script with Frida to get the payload. Technical analysis of Alien Android malware

QR codes are 2-dimensional bar codes that encode arbitrary text strings. A common use of QR codes is to encode URLs so that people can scan a QR code (for example, on an advertising poster, building roof, volleyball bikini, belt buckle, or airplane banner) to load a web site on a cell phone instead of having to ’type’ in a URL.

QR codes are encoded using Reed-Solomon error-correcting codes, so that a QR scanner does not have to see every pixel correctly in order to decode the content. The error correction makes it possible to introduce a few errors (fewer than the maximum that the algorithm can fix) in order to make an image. QArt Codes

CVE-2021-1961 is a vulnerability I discovered in the communication protocol of Qualcomm’s TrustZone (QSEE). It allows you to corrupt memory management data in the protocol, which I exploited into instructing the TrustZone to modify the Android kernel memory, thus achieving arbitrary read/write primitives over physical memory addresses. I turned this powerful primitive into a reliable exploit that works out of the box without the need to be adapted per device/version. Attacking the Android kernel using the Qualcomm TrustZone

In order to improve the resiliency of their network at the routing level, network administrators usually rely on the FHRP family of protocols. However, in most cases the configuration of FHRP protocols is left at its defaults, which opens the way for exploitation.

FHRP (First Hop Redundancy Protocol) is a family of network protocols that allows multiple physical routers to share and maintain a single virtual IP address, in order to increase the fault tolerance of the local network. This virtual address is assigned as the default gateway address for the end hosts. The most common FHRP-class protocols are HSRP, VRRP and GLBP, whose security I will discuss in this article. FHRP Nightmare. Pentesting redundancy systems like a devil

The Mobile App Pentest cheat sheet was created to provide a concise collection of high-value information on specific mobile application penetration testing topics, together with a checklist mapped to the OWASP Mobile Risk Top 10 for conducting a pentest. MobileApp-Pentest-Cheatsheet

They wake up in the morning and look at their phone. They scroll through social media for a few hours and then get out of bed. They go to the kitchen and make themselves some breakfast, but they don’t really eat it. They just stare at it and then eventually throw it away. They sit down at their computer and start to work on some project or another, but they can’t focus. Their mind keeps wandering and they can’t seem to get anything done. They give up and start to watch TV, but they can’t concentrate on that either. They just keep scrolling through their phone or looking at pictures on the internet. They don’t really interact with other people, except for when they have to. They just go through the motions of life, but they don’t really feel alive.

This is a secure SMS encryption and tunneling app for those who would like to add end-to-end (E2E) encryption to their SMS communications. SpiderSMS

Detect It Easy, abbreviated “DIE”, is a program for determining file types.

“DIE” is a cross-platform application: besides the Windows version, versions for Linux and Mac OS are also available.

Many programs of this kind (PEiD, PE Tools) allow the use of third-party signatures. Unfortunately, those signatures only scan bytes against a pre-set mask, and it is not possible to specify additional parameters. As a result, false positives are frequent. More complicated algorithms are usually hard-coded in the program itself, so adding a new complex detection requires recompiling the entire project. No one except the authors themselves can change the algorithm of a detection. As time passes, such programs lose relevance without constant support.

Detect It Easy has a completely open signature architecture. You can easily add your own detection algorithms or modify those that already exist. This is achieved with scripts. The script language is very similar to JavaScript, and anyone who understands the basics of programming will easily understand how it works. Some may expect the scripts to run very slowly. Scripts do run slower than compiled code, but thanks to the good optimization of the script engine this causes no particular inconvenience, and the possibilities of the open architecture compensate for these limitations. Detect-It-Easy

Identify anything. pyWhat easily lets you identify emails, IP addresses, and more. Feed it a .pcap file or some text and it’ll tell you what it is!

Imagine this: You come across some mysterious text 0x52908400098527886E0F7030069857D2E4169EE7 or dQw4w9WgXcQ and you wonder what it is. What do you do?

Well, with what, all you have to do is ask what “0x52908400098527886E0F7030069857D2E4169EE7” is, and what will tell you!

what’s job is to identify what something is, whether it be a file or text! Or even the hex of a file! What about text within files? We have that too! what is recursive: it will identify everything in the text and more! pyWhat - identify anything

Passion comes and goes like a storm,
for now calm and healing.
That’s fine.
But don’t go without for too long.

One, if not the main, challenge with producing good intelligence is to have access to the right information at the right moment. The right telemetry from the right angle helps you to detect and dig out the right signal. Sometimes, in order to obtain good telemetry, you need a bit of luck.

The story we are writing here will try to explain how, starting from a simple mistake made by an operator, we managed to collect and exploit a lot of precious information from a “Fast Flux” network called BraZZZerS Fast Flux between the end of 2018 and 2022. An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure

If we unzip the sample and explore the AndroidManifest.xml, we see that the entry point com.sdktools.android.MainActivity is not found in the code of the sample. This is an indication of a packed sample. You can identify the packing technique using droidlysis or APKiD. If we use droidlysis, we can see that the sample uses DexClassLoader and that the malware uses the JsonPacker packer. So we need to get the decrypted payload of the sample. We will use Frida to get the decrypted payload: we install the sample on an Android Studio emulator and, using WSL on the host, launch Frida to start the malicious app and obtain the payload. Then we pull the payload from the emulator to our host. Technical analysis of Hydra Android malware

Last summer I bought a 2021 Hyundai Ioniq SEL. It is a nice fuel-efficient hybrid with a decent amount of features like wireless Android Auto/Apple CarPlay, wireless phone charging, heated seats, & a sunroof.

One thing I particularly liked about this vehicle was the In-Vehicle Infotainment (IVI) system. As I mentioned before it had wireless Android Auto which seemed to be uncommon in this price range, and it had pretty nice, smooth animations in its menus which told me the CPU/GPU in it wasn’t completely underpowered, or at least the software it was running wasn’t super bloated. How I Hacked my Car

The Service Host process, or svchost.exe, is one of the most notorious processes out there. It got a bad reputation for being ‘malicious’ due mostly to two factors: one is malware impersonating it, and the other is good old ‘Task Manager’.

Because of the way Task Manager was designed in the old days (and to some extent today), it never gave much detail about processes on the system, especially ‘special’ processes like svchost.exe. So by using Task Manager to see which processes are running, you get a bunch of svchost.exe processes with the description ‘Host Process for Windows Services’ and no information about the services hosted in them. So it only took malware two additional steps to make itself look legitimate. Demystifying the SVCHOST.EXE Process and Its Command Line Options

We’re all puppets, some of us just happen to see the strings.