Friday, April 15, 2011

HowTo - Skype banner grabbing and ways to identify the user

One way to identify a Skype user in intercepted traffic is through the client's update-check request.

Skype checks for a new version when the application starts. The HTTP request looks like this:

Connect to http://ui.skype.com/ui/0/4.2.0.169./en/getlatestversion?ver=4.2.0.169&uhash=1f225837a162ebe937bc50a5c9f82ddf5
GET /ui/0/4.2.0.169./en/getlatestversion?ver=4.2.0.169&uhash=1f225837a162ebe937bc50a5c9f82ddf5
where "f225837a162ebe937bc50a5c9f82ddf5" (without the quotes) is MD5("Skyper" + username). Ignore the leading 1. For example, if the Skype username is teste.skype007, the MD5 hash of "Skyperteste.skype007" is f225837a162ebe937bc50a5c9f82ddf5.

Although this does not give a direct way to "decrypt" the intercepted hash values, a searchable list of the hash values for all possible/likely Skype usernames is enough to precompute them in advance.
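As an added example (not part of the original post), the following Python script parses the update-check request line shown above, recomputes MD5("Skyper" + username) for a constructed list of accounts you are entitled to monitor (for instance your organisation's own), and reports which account the request belongs to; the same parsing logic can serve as a detection signature for the update-check request in proxy logs. The request line and usernames are constructed sample data.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request line, modelled on the update-check request shown above.
SAMPLE_REQUEST_LINE = (
    "GET /ui/0/4.2.0.169./en/getlatestversion?ver=4.2.0.169"
    "&uhash=1f225837a162ebe937bc50a5c9f82ddf5 HTTP/1.1"
)


def skype_md5(username: str) -> str:
    """MD5 of 'Skyper' + username, the value that follows the leading '1' in uhash."""
    return hashlib.md5(("Skyper" + username).encode("utf-8")).hexdigest()


def extract_uhash(request_line: str):
    """Return the raw uhash parameter from a getlatestversion request line, or None."""
    m = re.match(r"GET\s+(\S+)\s+HTTP/\d", request_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/getlatestversion"):
        return None
    values = parse_qs(url.query).get("uhash")
    return values[0] if values else None


def build_lookup(usernames):
    """Precompute the table the text describes: MD5 part -> username."""
    return {skype_md5(u): u for u in usernames}


def identify_user(request_line: str, lookup: dict):
    """Match the request's uhash against the table; the leading '1' is ignored, as the text says."""
    uhash = extract_uhash(request_line)
    if uhash is None or not re.fullmatch(r"1?[0-9a-f]{32}", uhash):
        return None
    return lookup.get(uhash[-32:])


if __name__ == "__main__":
    # Constructed list of accounts (hypothetical names) that you are allowed to monitor.
    known = build_lookup(["teste.skype007", "alice.example", "bob.example"])
    print(identify_user(SAMPLE_REQUEST_LINE, known))
```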

@firebitsbr

Quick information search site - www.123people.com

You can use it as follows:

Worldwide search
http://www.123people.com/s/mauro+risonho/world

A specific country
http://www.123people.com/s/mauro+risonho/brazil

Arachni - Scanner/Pentest for Web Applications

Arachni is a feature-full, modular, high-performance Ruby framework
aimed towards helping penetration testers and administrators evaluate
the security of web applications.

Arachni is smart, it trains itself by learning from the HTTP responses
it receives during the audit process.

Unlike other scanners, Arachni takes into account the dynamic nature
of web applications and can detect changes caused while travelling
through the paths of a web application's cyclomatic complexity.

This way attack/input vectors that would otherwise be undetectable
by non-humans are seamlessly handled by Arachni.

Finally, Arachni yields great performance due to its asynchronous HTTP
model (courtesy of Typhoeus).
Thus, you'll only be limited by the responsiveness of the server under
audit and your available bandwidth.

Links
------------
Homepage: http://github.com/zapotek/arachni
News: Zapotek's train of thought… » Arachni
Documentation: http://github.com/Zapotek/arachni/wiki

Code Documentation: Arachni - Web Application Security Scanner Framework
Google Group: Arachni - Web Application Security Scanner Framework | Google Groups
Author: Tasos “Zapotek” Laskos
Twitter: Tasos Laskos (Zap0tek) on Twitter
Copyright: 2010
License: GNU General Public License v2
Download link for your convenience:
http://github.com/Zapotek/arachni/downloads

I’m glad to announce the v0.2.1 release of the Arachni Web Application Security Scanner Framework.

This release brings many improvements, optimisations, new features and components; a list of which you can find in the ChangeLog.

(File: CHANGELOG)

We have new modules, plug-in support, modular path extractors for the Spider, XMLRPC Client/Server interfaces and probably more stuff I’m currently incapable of recalling.

The new plug-in functionality has been used to implement a passive proxy and an automated login plug-in allowing for scripted, form based, authentication.

Using the passive proxy you can selectively choose the pages you want to audit by browsing them, login to the web-application and enable Arachni to audit AJAX based web pages by allowing it to see what your browser sees.

The AutoLogin plug-in enables the framework to log-in to a given web application before the scanning process starts and alleviates the need to go through the hassle of creating and setting your own cookie-jar.

The new XMLRPC services allow for remote and distributed –agent-like– deployment of Arachni.

Moreover, there’s basic integration with the Metasploit framework enabling pen testers to exploit vulnerabilities discovered by Arachni in an assisted or completely automated manner — depending on user preference and/or type of vulnerability.
(File: EXPLOITATION)

With the new release, I’d like to also introduce the Arachni Google Group. If you’re hacking or using Arachni and have a related question don’t hesitate to drop us a line.
(Arachni - Web Application Security Scanner Framework | Google Groups)

Hyenae – Platform independent packet generator

Hyenae is a highly flexible platform independent network packet generator. It allows you to reproduce several MITM, DoS and DDoS attack scenarios, comes with a clusterable remote daemon and an interactive attack assistant.

Features:

ARP-Request flooding
ARP-Cache poisoning
PPPoE session initiation flooding
Blind PPPoE session termination
ICMP-Echo flooding
ICMP-Smurf attack
ICMP based TCP-Connection reset
TCP-SYN flooding
TCP-Land attack
Blind TCP-Connection reset
UDP flooding
DNS-Query flooding
DHCP-Discover flooding
DHCP starvation attack
DHCP-Release forcing
Cisco HSRP active router hijacking
Pattern based packet address configuration
Intelligent address and address protocol detection
Smart wildcard-based randomization
Daemon for setting up remote attack networks
links: Hyenae | Download Hyenae software for free at SourceForge.net

@firebitsbr

Dranzer - fuzz testing ActiveX controls

Attackers frequently take advantage of vulnerabilities in ActiveX controls to compromise systems using Microsoft Internet Explorer. A programming or design flaw in an ActiveX control can allow an attacker to execute arbitrary code by convincing a user to view a specially crafted web page. Since 2000, we have seen a significant increase in vulnerabilities in ActiveX controls.

We have developed Dranzer, a tool that enables users to examine effective techniques for fuzz testing ActiveX controls. By testing a large number of ActiveX controls, we can provide some insight into the current state of ActiveX security. When we discover new vulnerabilities, we practice responsible disclosure principles and perform the necessary remediation steps.


We have released Dranzer as an open source project on SourceForge to help developers of ActiveX test their controls in their development processes and to invite community participation in making Dranzer a more effective tool. Users must agree to the terms of a license before installing the tool.


link: Dranzer


@firebitsbr

MySqloit is a SQL Injection takeover tool focused on LAMP/WAMP

MySqloit is a SQL Injection takeover tool focused on LAMP (Linux, Apache, MySQL, PHP) and WAMP (Windows, Apache, MySQL, PHP) platforms. It has the ability to upload and execute Metasploit shellcodes through MySQL SQL injection vulnerabilities.
Attackers performing SQL injection on a MySQL-PHP platform must deal with several limitations and constraints. For example, the lack of multiple statements in one query makes MySQL an unpopular platform for remote code execution compared to other platforms. This tool was written to demonstrate how remote code execution can be performed on a database connector that does not support stacked queries.


Platform supported

1) Linux

Key Features
1) SQL Injection detection using time based injection method
2) Database fingerprint
3) Web server directory fingerprint
4) Payload creation and execution

Usage
./mysqloit -h

link: http://code.google.com/p/mysqloit/

@firebitsbr

Dff - Digital Forensics Framework

Digital Forensics Framework

Dff is a simple but powerful open source tool with a flexible module system which will help you in your digital forensics work, including recovery of files lost through error or crash, evidence research and analysis, etc. The source code is written in C++ and Python, allowing good performance and great extensibility.


Although dff is quite young, it already provides a robust architecture and some handy modules. You can download and try it via the Download page. Source code, Debian packages and even a Windows setup are available. Any contribution, suggestion or remark is welcome!

Why this project?

Nowadays computer forensic analysis tools are mainly large proprietary software developed by a few well-known companies.
Few free and open source tools offer the same kind of fully integrated software; most of them are implemented as stand-alone tools. Although some frameworks exist, they are not very user or developer friendly. That is why we decided to develop this tool as a free, open source and multi-platform framework.

This project follows three main goals:
Modularity. Contrary to the monolithic model, the modular model is based on a host and many modules. This modular design has two advantages: it allows the software to improve rapidly and tasks to be split easily among developers.
Scriptability. The ability to be scripted obviously gives a tool more flexibility, but it also enables automation and makes it possible to extend features.
Genericity. The project tries to remain OS independent. We want to help people where they are, letting them choose any operating system to use this software.
Links: DFF : Open Source software for computer forensics & eDiscovery

@firebitsbr

upgrade IDA Pro 5.0 Freeware Version

IDA Pro 5.0 Freeware Version

The IDA Pro Disassembler and Debugger is an interactive, programmable, extendible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X. IDA Pro has become the de-facto standard for the analysis of hostile code, vulnerability research and COTS validation. See this executive overview for a summary of its features and uses.

http://95.211.133.202/files/idafree50.exe

@firebitsbr

Windbg - Graphical 32-bit/64-bit debugger

WinDbg is a multipurpose debugger for Microsoft Windows, distributed on the web by Microsoft. It can be used to debug user mode applications, drivers, and the operating system itself in kernel mode. It is a GUI application, but has little in common with the more well-known, but less powerful, Visual Studio Debugger. WinDbg can be used for debugging kernel-mode memory dumps, created after what is commonly called the Blue Screen of Death which occurs when a bug check is issued. It can also be used to debug user-mode crash dumps. This is known as post-mortem debugging.

WinDbg also has the ability to automatically load debugging symbol files (e.g., PDB files) from a server by matching various criteria (e.g., timestamp, CRC, single or multiprocessor version). This is a very helpful and time saving alternative to creating a symbol tree for a debugging target environment. If a private symbol server is configured, the symbols can be correlated with the source code for the binary. This eases the burden of debugging problems that have various versions of binaries installed on the debugging target by eliminating the need for finding and installing specific symbol versions on the debug host. Microsoft has a public symbol server that has most of the public symbols for Windows 2000 and later versions of Windows (including service packs).

Recent versions of WinDbg have been distributed as part of the free Debugging Tools for Windows suite, which shares a common debugging engine between WinDbg and command line debuggers like KD, CDB, and NTSD. This means that most commands will work in all alternative versions without modification, allowing users to use the style of interface with which they are most comfortable. (WinDbg - Wikipedia, the free encyclopedia)


• Graphical 32-bit/64-bit debugger from Microsoft
• For user-mode and kernel-mode debugging
• Also local kernel debugging

link: Driver Developer Resources: Debugging Tools for Windows

docs:
http://windbg.info/
How to install Windbg and get your first memory dump - Speaking of which... - Site Home - MSDN Blogs
Driver Developer Resources: Debugging Tools for Windows


@firebitsbr

snmp-mibs-downloader

Install and manage Management Information Base (MIB) files

This package ships the IETF RFCs containing MIB files and a script which
extracts them to be used by Simple Network Management libraries. The script
can be used to update some MIBs to the latest version or to download extra
vendor MIBs.

These MIBs can be useful for programs like wireshark or snmpget, enabling
them to translate the received information into human readable text.

Passifist is a tool for passive network discovery

Passifist is a tool for passive network discovery. It could be used for a number of different things, but was mainly written to discover hosts without actively probing a network. The tool analyzes broadcast traffic and has a plugin architecture through which it dissects and reports services found.

Information like SQL servers or Terminal servers in the network can be determined simply by analyzing SMB broadcast packets. The TFTP plugin can identify broadcasting Cisco routers and the IPX plugin dissects IPX-SAP traffic.


Passifist has been tested on various Linux distributions, on FreeBSD, OpenBSD and on Sun Solaris. It may or may not run on any other libpcap-aware platform.
The initial version has support for the following protocols/plugins:

CDP – Cisco Discovery Protocol
CIM – Compaq Insight Manager
HSRP – Hot Standby Routing Protocol
IPX – The IPX protocol
NETOP – Netop Remote Control
SMB – SMB and Netbios
TFTP – Trivial File Transfer Protocol
MSOFFXMAC – Microsoft Office X for Macintosh
The results can be stored using the following storage providers:
TXT – Text file
ADVTXT – A separate logfile is created for each protocol
MYSQL – MySQL RDBMS
MSSQL – MS Sql Server RDBMS
GENSQL – Generic SQL script provider


This is yet another tool written in my spare time where focus has been on functionality rather than on security.


That said please let me know of any security related conditions or other bugs you find in the code. patrik@cqure.net


Changes

1.0.0 -> 1.0.1 fixes problem building pcap filter
1.0.1 -> 1.0.4 numerous bugfixes
1.0.4 -> 1.0.6 numerous bugfixes and improvements
1.0.6 -> 1.0.8 updated mssql code. Added Office X dissector


Download passifist_src_1.0.8.tgz

PWNtcha - captcha decoder

PWNtcha stands for "Pretend We’re Not a Turing Computer but a Human Antagonist", as well as PWN capTCHAs. This project’s goal is to demonstrate the inefficiency of many captcha implementations.

For an overview on why visual captchas are a bad idea, see Matt May’s excellent presentation, Escape from CAPTCHA, as well as the W3C’s Inaccessibility of Visually-Oriented Anti-Robot Tests working draft.

link: http://caca.zoy.org/wiki/PWNtcha

@firebitsbr

Captcha Breaker

This howto will take you through using Captcha Breaker to break a given
captcha. This howto covers only how to use the solvers once you already have
image files. This howto does NOT cover how to extract that file from a web
site, nor how to enter the text back.

At the end, you will pass your image file to the breaker and the last line of
output will be the text (with *'s for unrecognized characters):

$ ./rogers samples/HJQ1QX.gif
[...]
[Rotter] Dims
[Rotter] rows 2
[Rotter] cols 136
HJQ1QX
link: http://churchturing.org/captcha-dist/

@firebitsbr

Malware Analysis Workshop

On Saturday, April 16, 2011, Ranieri Romera, senior threat analyst at Trend Micro, will give a 4-hour workshop on Malware Analysis at Garoa Hacker Clube.
Participation is free, but participants must register in advance and bring the hardware and software resources required for the workshop. For more detailed information, keep reading this page.
Table of contents
1 Program
2 Venue
3 Participants
4 Next Session
5 Prerequisites
5.1 Knowledge
5.2 Hardware / Software
Program

An introduction to malware analysis, outlining what static, behavioral and code analysis are.
Static analysis
hashes
strings
compiler/packer identification
testing against multiple AV engines
using search sites to gather information
Behavioral analysis
Setting up an analysis environment
Monitoring system resources (file system/registry/network/etc.)
Interacting with the system
emulating services (web/ftp/irc/smtp)
firing "triggers" / forcing specific situations
Using a sandbox
Code analysis
Structure of an executable file
Registers / EP / OEP / IAT / etc.
The paradigm shift in reading low-level code
OllyDBG
IdaPro
Analyzing the code
Patching
Manual unpacking
All of the topics above include theory and practice.
Time: 1 pm to 5 pm (Note: we had to change the schedule, moving the workshop one hour earlier)
Venue

Garoa Hacker Clube: Headquarters
Participants

If you want to take part in this workshop, edit the wiki (to avoid spam, you need to create an account) and add your name below the last one on this list. The manual numbering is intentional, to better keep track of the registration order.
The workshop will be held in the common area of Casa de Cultura Digital, on the ground floor. We will try to arrange the space to fit as many people as possible, and we estimate we can seat up to 20 people on beanbags or chairs. We probably won't have power outlets for everyone, so bring your laptop already charged. Seats will be assigned in registration order.
If you decide not to attend, remove your name from the list.
Follow the discussion about preparations for the workshop on the Garoa mailing list and here on the site. Garoa has a heart as big as a mother's, but we need to guarantee a minimum of comfort and space for everyone. If necessary, we will create a second session, which would make us very happy about the reception and the interest it has raised.
1. Anchises (Note: I'll give up my seat. While everyone is in the workshop, I'll be in the kitchen drinking beer)
2. Alberto Fabiano
3. DQ
4. Luciano Ramalho (won't be able to attend)
5. Gustavo Fonseca
6. Oda
7. TechkNighT
8. Félix
9. Anderson
10. Camilo
11. Alan Jumpi
12. Anderson dos Santos Silva (mr4nd3r50n)
13. Ronaldo P. Lima
14. Cleber Souza
15. Gabriel Cavalcante
16. Rodrigo Rodrigues da Silva (aka pitanga)
17. Mauro Risonho de Paula Assumpção (aka firebits)
18. Lucas Baldini
19. Raphael Prudencio (a.k.a. raph0x88@DcLabs)
20. Sérgio Pelissari (aka primehaxor@DcLabs)
21. Kaname
22. Sergio Ferreira Jr
Next Session

23. Joe Pimentel
24. Henrique Cesar Ulbrich
25. Gustavo Lima
26. Fabrício Soares de Oliveira
27. Wagner de Paula Rodrigues
28. Moretti
29. Ricardo de Jesus
30. José Carlos
31. Marcos Tupinambá
32. Cleiton Alves (clandestine)
33. Matheus P. F. Gomes (hardvision)
34. Filipe Moura
35. Caio
Prerequisites

Knowledge

Computer architecture
Basic notions of algorithms / programming
Basic knowledge of x86 assembly instructions
Hardware / Software

Hardware and software requirements are the student's responsibility.
Laptop (any OS)
VMware Workstation (the trial version, valid for 30 days, is fine)
Virtual machines:
Windows XP (without antivirus)
GNU/Linux (any distribution)
Network traffic capture software (tcpdump, snoop, snort, etc.)
Web server (or software that emulates one)
Note: a friend asked me whether VMware Player would do; since I found the question valid, I'm posting the answer here too.
The main reason for VMware Workstation is its snapshot capability, which makes life easier, as we will see ;-)
Note 2: Bring your equipment with the software and VMs above already installed and configured, so we can save time.

Malware Analysis Workshop - Announcement

For full information about the event, see Malware Analysis Workshop.
On Saturday, April 16, 2011, Ranieri Romera (@rromera), senior threat analyst at Trend Micro, will give a 4-hour workshop on Malware Analysis at Garoa Hacker Clube.

The general topics covered in the workshop, which will involve both theory and practice, are: introduction to malware analysis, static analysis, behavioral analysis and code analysis.

Participants are expected to have some prior knowledge of computer architecture, basic notions of algorithms and programming, and basic knowledge of x86 assembly instructions. Participants must bring their own computer with the required software already installed (more information on the event page).
Participation is free, but prior registration is required through the Garoa Hacker Clube website.

About Garoa
Garoa Hacker Clube is an open, collaborative space that provides the infrastructure technology enthusiasts need to carry out projects in many areas, such as security, hardware, electronics, robotics, model rocketry, software, biology, music, visual arts or whatever else creativity allows.
In other words, Garoa is a community lab that follows the Hacker Ethic, with a welcoming, convergent and inspiring spirit. At the hackerspace, technology enthusiasts collaborate, socialize and share the physical space, tools, building materials, projects and ideas.
Created in mid-2010, Garoa took shape after more than a year of ideas maturing over the Internet, and it is currently installed in its own physical space, which everyone can enjoy.
Garoa is a non-profit organization, maintained mainly by its members' contributions, plus donations.
Learn more: http://garoa.net.br

Malware Analysis Workshop
Venue: Garoa Hacker Clube
Address: Rua Vitorino Carmilo, 459 - Santa Cecília - São Paulo, SP, Brazil - CEP 01153-000
Date: April 16, 2011
Time: 1 pm to 5 pm
Event page: http://garoa.net.br/wiki/Oficina_de_Análise_de_Malware
Free participation. Prior registration is required so we can size the space.

source: http://garoa.net.br/wiki/Oficina_de_Análise_de_Malware/Divulgação