Friday, November 21, 2014

Welcome to the google hacking database


http://www.exploit-db.com/google-dorks/

We call them 'googledorks': Inept or foolish people as revealed by Google. Whatever you call these fools, you've found the center of the Google Hacking Universe!

Latest Google Hacking Entries

Date Title Category
2014-11-19 intext:"Please Authenticate" intitle:Pea... Pages containing login portals
2014-11-18 ext:txt inurl:gov intext:"Content-Type: text/... Files containing juicy info
2014-11-17 ext:msg OR ext:eml site:gov OR site:edu Files containing juicy info
2014-11-03 inurl:CHANGELOG.txt intext:drupal intext:"SA-... Vulnerable Servers
2014-11-03 inurl:robots.txt intext:CHANGELOG.txt intext:disal... Vulnerable Servers
2014-10-21 filetype:log intext:org.apache.hadoop.hdfs Files containing juicy info
2014-10-15 inurl:cgi-bin/mailgraph.cgi Various Online Devices
2014-10-14 inurl:logon.html "CSCOE" Pages containing login portals
2014-10-09 (intext:mail AND intext:samAccountName) AND (filet... Files containing juicy info
2014-10-09 intext:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 AN... Files containing juicy info

Google Hacking Database Categories


Footholds (31)
Examples of queries that can help a hacker gain a foothold into a web server

Files containing usernames (17)
These files contain usernames, but no passwords... Still, google finding usernames on a web site..

Sensitive Directories (74)
Google's collection of web sites sharing sensitive directories. The files contained in here will vary from sensitive to uber-secret!

Web Server Detection (72)
These links demonstrate Google's awesome ability to profile web servers..

Vulnerable Files (61)
HUNDREDS of vulnerable files that Google can find on websites...

Vulnerable Servers (80)
These searches reveal servers with specific vulnerabilities. These are found in a different way than the searches found in the "Vulnerable Files" section.

Error Messages (77)
Really retarded error messages that say WAY too much!

Files containing juicy info (312)
No usernames or passwords, but interesting stuff nonetheless.

Files containing passwords (175)
PASSWORDS, for the LOVE OF GOD!!! Google found PASSWORDS!

Sensitive Online Shopping Info (10)
Examples of queries that can reveal online shopping info like customer data, suppliers, orders, credit card numbers, credit card info, etc.

Network or vulnerability data (63)
These pages contain such things as firewall logs, honeypot logs, network information, IDS logs... all sorts of fun stuff!

Pages containing login portals (289)
These are login pages for various services. Consider them the front door of a website's more sensitive functions.

Various Online Devices (244)
This category contains things like printers, video cameras, and all sorts of cool things found on the web with Google.

Advisories and Vulnerabilities (1971)
These searches locate vulnerable servers. These searches are often generated from various security advisory posts, and in many cases are product or version-specific.

Thursday, November 20, 2014

How to test SMTP operations using Telnet

How to test SMTP operations using Telnet

1. Telnet into the Exchange server hosting the IMS (Internet Mail Service) on TCP port 25.
The command is: telnet <server> 25
(where <server> is the host name or IP address of the Exchange server)

2. Turn on local echo on your telnet client so that you can see what you are typing.
On the Win 9x and NT 3.5/4.0 Telnet client this is done by selecting "Preferences" from the "Terminal" pull-down menu and checking the "Local echo" radio button. For the Windows 2000 telnet client, issue the command "set local_echo" from the telnet command prompt.

3. Issue the following SMTP command sequence:

helo <your host name>
response should be as follows:
250 OK

mail from:<sender address>
response should be as follows:
250 OK - mail from

rcpt to:<recipient address>
response should be as follows:
250 OK - Recipient

data
response should be as follows:
354 Send data.  End with CRLF.CRLF

To: <recipient address>
From: <sender address>
Subject: <subject>
.
(the final line is a single period on a line by itself, i.e. CRLF.CRLF)
response should be as follows:
250 OK

quit
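The same exchange, scripted, as an added example that is not part of the original post: a small Python client drives the HELO / MAIL FROM / RCPT TO / DATA / QUIT sequence from step 3 and stops at the first command whose reply code is not the expected one, so a relay or authentication failure is reported at the exact command that produced it. Because no Exchange server is available offline, the block also contains a minimal fake SMTP responder (constructed for this example; it answers with the reply strings listed above and is not a real MTA). Host names and mailbox addresses are constructed.

```python
import socket
import threading

# --- Fake SMTP responder (constructed for this example, not a real MTA) ---
# Replies with the same codes the walkthrough above expects, so the client
# can be exercised without a live Exchange server.
def _serve_one_session(conn):
    rf = conn.makefile("rb")
    conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
    in_data = False
    while True:
        raw = rf.readline()
        if not raw:
            break
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if in_data:
            if line == ".":                 # end-of-message marker: CRLF.CRLF
                in_data = False
                conn.sendall(b"250 OK\r\n")
            continue
        upper = line.upper()
        if upper.startswith(("HELO", "EHLO")):
            conn.sendall(b"250 OK\r\n")
        elif upper.startswith("MAIL FROM:"):
            conn.sendall(b"250 OK - mail from\r\n")
        elif upper.startswith("RCPT TO:"):
            conn.sendall(b"250 OK - Recipient\r\n")
        elif upper == "DATA":
            in_data = True
            conn.sendall(b"354 Send data.  End with CRLF.CRLF\r\n")
        elif upper == "QUIT":
            conn.sendall(b"221 Bye\r\n")
            break
        else:
            conn.sendall(b"500 Command not recognized\r\n")
    rf.close()
    conn.close()


def start_fake_smtp_server():
    """Listen on an ephemeral loopback port, serve one session in a thread, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        _serve_one_session(conn)

    threading.Thread(target=run, daemon=True).start()
    return port


# --- Client side: the manual telnet session from step 3, scripted ---
def _read_reply(rf):
    """Read one SMTP reply, following '250-' continuation lines; return (code, lines)."""
    lines = []
    while True:
        raw = rf.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # "250 " ends the reply, "250-" continues it
            return int(line[:3]), lines


def smtp_send_test(host, port, sender, recipient, subject="SMTP test"):
    """Run HELO / MAIL FROM / RCPT TO / DATA / QUIT; return [(step, reply code), ...].

    Raises RuntimeError at the first step whose reply code differs from the one
    the walkthrough expects, naming that step and quoting the server's reply.
    """
    transcript = []
    with socket.create_connection((host, port), timeout=10) as sock:
        rf = sock.makefile("rb")
        code, _ = _read_reply(rf)                # server greeting (220)
        transcript.append(("greeting", code))

        def step(label, payload, expected):
            sock.sendall((payload + "\r\n").encode("ascii"))
            code, lines = _read_reply(rf)
            transcript.append((label, code))
            if code != expected:
                raise RuntimeError(f"{label}: expected {expected}, got {lines[-1]!r}")

        step("helo", "helo tester.example.test", 250)
        step("mail from", f"mail from:<{sender}>", 250)
        step("rcpt to", f"rcpt to:<{recipient}>", 250)
        step("data", "data", 354)
        message = (f"To: {recipient}\r\nFrom: {sender}\r\nSubject: {subject}\r\n"
                   f"\r\nTest message sent to verify SMTP operation.\r\n.")
        step("message", message, 250)           # headers, blank line, body, CRLF.CRLF
        step("quit", "quit", 221)
        rf.close()
    return transcript


if __name__ == "__main__":
    port = start_fake_smtp_server()
    for label, code in smtp_send_test("127.0.0.1", port, "admin@example.test", "user@example.test"):
        print(f"{label:10s} -> {code}")
```

Pointing `smtp_send_test` at a real server instead of the fake one reproduces the manual session exactly; reading replies with `_read_reply` rather than a single `recv` matters against real MTAs, whose `EHLO` and error replies often span several `250-` continuation lines.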

Monday, November 17, 2014

Thursday, November 6, 2014

CryptoWall Virus

So I got the pleasure of meeting this wonderful virus today while at work. I would say this is one that beat me; I was only able to reformat to remove it. I can say I tried everything though, every application from www.Bleepingcomputer.com and most AV scans I could find.

So what is CryptoWall?

CryptoWall is a file-encrypting ransomware program that was released around the end of April 2014 and targets all versions of Windows, including Windows XP, Windows Vista, Windows 7, and Windows 8. The media commonly confuse CryptoWall with the CryptoLocker infection, when it is much more similar to the CryptoDefense ransomware; the most apparent similarity is that CryptoWall's Decryption Service is almost identical to the one for CryptoDefense. In October 2014, the malware developers released a new version of CryptoWall called CryptoWall 2.0.

When you are first infected with CryptoWall it will scan your computer for data files and "encrypt" them using RSA encryption so they can no longer be opened. Once the infection has encrypted the files on your computer's drives it will open a Notepad window that contains instructions on how to access the CryptoWall Decryption Service, where you can pay a ransom to purchase a decryption program. The ransom starts at $500 USD and after 7 days goes up to $1,000. This ransom must be paid in Bitcoins and sent to a Bitcoin address that changes per infected user.

CryptoWall Ransom Note

CryptoWall is distributed via emails with ZIP attachments that contain executables that are disguised as PDF files. These PDF files pretend to be invoices, purchase orders, bills, complaints, or other business communications. When you double-click on the fake PDF, it will instead infect your computer with the CryptoWall infection and install malware files either in the %AppData% or %Temp% folders. Once infected the installer will start to scan your computer's drives for data files that it will encrypt. When the infection is scanning your computer it will scan all drive letters on your computer including removable drives, network shares, or even DropBox mappings. In summary, if there is a drive letter on your computer it will be scanned for data files by CryptoWall.

When CryptoWall detects a supported data file it will encrypt it and then add the full path to the file as a value under the HKEY_CURRENT_USER\Software\\CRYPTLIST Registry key. It will also create the DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.URL (or INSTALL_TOR.URL if infected with CryptoWall 2.0), and DECRYPT_INSTRUCTION.HTML files in each folder in which files were encrypted and on the Windows desktop. The DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML files contain information about what happened to your data, and the DECRYPT_INSTRUCTION.URL is a browser shortcut to your assigned decryption page on the infection's decryption service, which is discussed later in this guide.

When the infection has finished scanning your computer it will also delete all of the Shadow Volume Copies that are on the affected computer. It does this because you can potentially use shadow volume copies to restore your encrypted files. The command that is run to clear the Shadow Volumes is:

"C:\Windows\SYsWOW64\cmd.exe" /C "C:\Windows\Sysnative\vssadmin.exe" Delete Shadows /All /Quiet
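A defender reading the two paragraphs above gets two host-side indicators: a process-creation event whose command line runs vssadmin to delete shadow copies, and the DECRYPT_INSTRUCTION / INSTALL_TOR note files being written or opened. The following added example (not from the original post or from any vendor tool) triages constructed process-creation events for both. The event format "timestamp|parent image|command line" and the sample lines are assumptions made up for the example; the command line in the first sample is the one quoted above, and the normalisation step exists so that quoting, Sysnative/SysWOW64 path variants and irregular spacing all hit the same rule.

```python
import re

# Constructed sample process-creation events, "timestamp|parent image|command line".
# These are not real log lines; the first reuses the vssadmin command quoted in the post.
SAMPLE_EVENTS = [
    r'2014-11-06T09:12:01|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\SYsWOW64\cmd.exe" /C "C:\Windows\Sysnative\vssadmin.exe" Delete Shadows /All /Quiet',
    r'2014-11-06T09:12:05|C:\Windows\explorer.exe|"C:\Windows\System32\notepad.exe" C:\Users\alice\Desktop\DECRYPT_INSTRUCTION.TXT',
    r'2014-11-06T10:00:00|C:\Windows\System32\svchost.exe|vssadmin.exe list shadows',
    r'2014-11-06T10:30:00|C:\Windows\System32\cmd.exe|vssadmin  delete   shadows /for=C: /oldest',
]

# Matches "vssadmin delete shadows" whether vssadmin is bare, has .exe, or is path-qualified.
SHADOW_DELETE = re.compile(r"(?:^|[\\/ ])vssadmin(?:\.exe)? delete shadows(?: |$)")
# The note files the post says CryptoWall drops in every affected folder and on the desktop.
RANSOM_NOTE = re.compile(r"(?:decrypt_instruction\.(?:txt|html|url)|install_tor\.url)\b")


def normalize_cmdline(cmdline):
    """Drop double quotes and collapse whitespace so path and quoting variants compare equal."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def classify_event(event):
    """Return an indicator record for a suspicious event, or None for a benign one."""
    ts, parent, cmdline = event.split("|", 2)
    norm = normalize_cmdline(cmdline)
    tokens = norm.split(" ")
    if SHADOW_DELETE.search(norm):
        return {
            "ts": ts,
            "parent": parent,
            "indicator": "shadow_copy_deletion",
            "all_shadows": "/all" in tokens,   # wipes every restore point, as in the post
            "quiet": "/quiet" in tokens,       # suppresses the confirmation prompt
            "cmdline": cmdline,
        }
    if RANSOM_NOTE.search(norm):
        return {"ts": ts, "parent": parent, "indicator": "ransom_note_opened", "cmdline": cmdline}
    return None


def triage(events):
    """Keep only the events that matched an indicator, in log order."""
    return [hit for hit in map(classify_event, events) if hit]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["ts"], hit["indicator"], hit["cmdline"])
```

`vssadmin list shadows` is deliberately not flagged: listing restore points is routine administration, while deleting all of them quietly from a cmd.exe spawned out of a user's profile is the combination worth alerting on. In a real deployment the same two rules would run over Sysmon event ID 1 or Security event 4688 command lines rather than the constructed strings here.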

Now that your computer's data has been fully encrypted, it will display the DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML files that were created on your Desktop. These files contain information about what has happened to your data and instructions on how to pay the ransom. In most cases, once CryptoWall launches this document it will remove the infection files from your computer, as they are no longer necessary.


Information about CryptoWall 2.0

In October 2014 the malware developers released CryptoWall 2.0, which resolved some problems in the original version. These changes include developer-run Web-to-TOR gateways, unique bitcoin addresses for each victim, and secure deletion of the original unencrypted files. These changes are described below:

Unique bitcoin payment addresses - The original CryptoWall used the same bitcoin payment address for many of its victims. This allowed people to steal the payment transactions from other victims' payments and use them towards their own ransom payment. By using a unique payment address for each victim it is no longer possible to steal other people's ransom payments.

Developer-run Web-to-TOR gateways - In the past, the CryptoWall developers were using other organizations' Web-to-TOR gateways so that victims could access their payment servers, which are located on TOR. When these organizations discovered that CryptoWall was using them, they blacklisted the CryptoWall payment servers so that they could not be reached. To resolve this, the CryptoWall developers appear to have created their own gateways to TOR. These gateways are currently operating under the following domains: tor4pay.com, pay2tor.com, tor2pay.com, and pay4tor.com.

Secure deletion of original data files - When CryptoWall originally encrypted a file it would simply delete the original version. This sometimes made it possible to use data recovery tools to restore the original unencrypted files. CryptoWall 2.0 now uses a secure deletion method that makes it no longer possible to recover your files with data recovery tools.


Sample of the DECRYPT_INSTRUCTION.TXT file:

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 2.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1.https://paytordmbdekmizq.torsona.com/1hoxegs
2.https://paytordmbdekmizq.poltornik.com/1hoxegs
3.https://paytordmbdekmizq.dogotor.com/1hoxegs
4.https://paytordmbdekmizq.torforlove.com/1hoxegs

If for some reasons the addresses are not available, follow these steps:
1.Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2.After a successful installation, run the browser and wait for initialization.
3.Type in the address bar: paytordmbdekmizq.onion/1hoxegs
4.Follow the instructions on the site.


IMPORTANT INFORMATION:
Your personal page: https://paytordmbdekmizq.torsona.com/1hoxegs
Your personal page (using TOR): paytordmbdekmizq.onion/1hoxegs
Your personal identification number (if you open the site (or TOR 's) directly): 1hoxegs