n1p

Yes, you may need to initiate a connection from the internal network/PCs. However NAT routers may also have running services that can exploited (remote administration/ftp). They may also forward ports to services on the client PC that may be exploited.

Check out the link provided. It will answer your questions  😛

Have a look at http://honeyclient.org/trac/wiki/VMHardeningGuide to further reassure you. Although, I would imagine you are ok as it is. The AV on the virtual machine may not let you run malware on it. I usually dont have one for my malware lab.

EH oriented selection of teams may be a nice idea.

Nice… That looks like it will be an interesting few days. Good to get a taste of those courses.

It should work in C:Documents and Settingsusernamedata.txt on XP. Linux would be /home/username/data.txt

Give that a try and report back. If you want to run it against some malicious sites. Just go to google and locate some of the malicious ones are there. Quite a few!

I also use Malware Domain List…. Ensure you are in VM though and hardening…[Read more]

Yes, I second that. You will roughly have the character length and possible variations. You obviously entered the pass twice to change it, so you cant be that far wrong. With this in mind you can significantly reduce the required searchable keyspace. So stick with it…

You could also try having a few more beers and trying again. Might get…[Read more]

Yeah I’d like to know that too  ::)

Or you could just patch it yourself as I did…

Audio and VM issues are a known issue and appear quite a bit in the forum. It also comes quite a bit in the IRC channel!

May be slow to fix it. I highlighted a bug with Hydra and HTTP-Post that was 1 year old and raised in Pre-Final, but still appears in final.

Hey,

That is no problem at all. I actually enjoy reversing this stuff (sadly!). If you need any assistance just shout. If I can, I will document my steps for analysing javascript and that.

I would highly suggest looking at spidermonkey/rhino. Especiallu Didier Stevens’ version of spidermonkey. The implementation is specifically for this task.

Requiring a user-agent and referrer are usually done to prevent researchers like us from simply using wget to grab pages!

So they will look to see if you are using firefox and coming from a google search etc.

Yes, I have never seen a mutating js before. Nice to come across. Thanks for that oldgrue.

That main page is now serving a photo blog of some sort. Seems to be updating as I analyse it  😮

Some further analysis leads to that page I displayed earlier. Using correct referrer, user-agent I can then get some more malicious code. Which mutates on every request. Structure is the same everytime, but functions and variables become mangled.…[Read more]

It’s not a noob question and I’ve seen many experience not ask these kind of questions and get infected 😛

First off, welcome to the forums.

From the screenshot, it seems that they do in fact provide some malware samples. I would also imagine they warn that the module includes live samples and to take appropriate care.

Certainly, move them to…[Read more]

Yeah sure, soon as I get some spare time I will run through something briefly. Can you provide any background info on this? Was it a compromised site or just something you came across?

Hey,

Close enough. The script below is the stripped down one with junk removed. It simply uses a body onload() to redirect user unawares to another page. On that further page is more malicious code. This checks to see if you have come from a search engine and delivers an exploit. I  can investigate this further if you want a tutorial/further…[Read more]

Yeah you need to see what context it is being run in. Function J is not being called yet and it doesnt do much as yet.

The variable j evaluates to “replace”. Which I’d imagine will be used to deobfuscate some hex later on using a regular expression. Possibly the B variable you can see. Look out for an eval function. Change that to a print and run…[Read more]

May be valuable to those who offer holistic security services and specifically focus on Wireless as part of an audit. Only the quality of the content of the course will prove its worth I’d imagine. The design side of things, I’m not so sure about 😛

Yeah stick with python 2.5,.6. Dont think 3 is in full circulation yet and some apps like w3af, immunity debugger do not support it as yet

I am just in the process of finalising the exploit tutorial for you. Should be up tomorrow when I get the time. Was busier than I thought.

Will post link to PDF in tutorials, so everyone on EH can benefit 🙂

Hope it helps,
n1p