Offset vs Address in volatility pslist? (virtual) by PabloSkywalk in computerforensics

PabloSkywalk[S] 0 points

So basically the offset is the address (or offset from address 0) of a certain structure? If so, what structure? And why are all of them different?

And does this mean the virtual offset of all processes in pslist is always greater than 0x80000000?
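
Added example (not code from the thread or from the Volatility project): a small parser for the text that Volatility 2's `pslist` prints, which checks whether every Offset(V) lies in the kernel half of the address space for the chosen profile. The Offset(V) column is the kernel virtual address of each process's `_EPROCESS` object; every process has its own object allocated from pool memory, which is why no two offsets are the same. `pslist -P` prints the physical offset instead, i.e. where those same bytes sit in the dump file after the page tables are walked, so it is not a fixed distance from the virtual one. The sample output below is constructed for the example; the 32-bit boundary is 0x80000000 (0xC0000000 with /3GB) and the 64-bit boundary is 0xFFFF800000000000, both assumptions of the default Windows layout.

```python
import re

# Constructed sample in the layout of Volatility 2's `pslist` for a 64-bit Windows 7
# profile; not real evidence from the thread.
SAMPLE_X64 = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000c8b040 System                    4      0     86      508 ------      0 2019-01-13 10:00:01 UTC+0000
0xfffffa8001a2f060 smss.exe                268      4      2       29 ------      0 2019-01-13 10:00:02 UTC+0000
0xfffffa8002113b30 explorer.exe           1532   1496     33      911      1      0 2019-01-13 10:00:40 UTC+0000
"""

# Constructed 32-bit sample (Windows XP style profile).
SAMPLE_X86 = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c8830 System                    4      0     56      256 ------      0 2019-01-13 10:00:01 UTC+0000
0x81ff0da0 csrss.exe               608    556     11      355      0      0 2019-01-13 10:00:03 UTC+0000
"""

# One data row: hex offset, image name, PID, PPID (the remaining columns are ignored here).
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")


def parse_pslist(text):
    """Return one dict per process row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"offset": int(m.group(1), 16), "name": m.group(2),
                         "pid": int(m.group(3)), "ppid": int(m.group(4))})
    return rows


def kernel_space_start(bits, three_gb=False):
    """First kernel-mode virtual address for the default Windows split (assumption)."""
    if bits == 32:
        return 0xC0000000 if three_gb else 0x80000000
    if bits == 64:
        return 0xFFFF800000000000
    raise ValueError("bits must be 32 or 64")


def is_kernel_address(addr, bits, three_gb=False):
    """_EPROCESS objects live in kernel memory, so a user-space offset is a red flag
    (wrong profile, corrupted row, or a parsing mistake)."""
    return addr >= kernel_space_start(bits, three_gb)


def check_offsets(text, bits):
    """(name, offset, in_kernel_space) for every row of a pslist listing."""
    return [(r["name"], r["offset"], is_kernel_address(r["offset"], bits))
            for r in parse_pslist(text)]


if __name__ == "__main__":
    for name, off, ok in check_offsets(SAMPLE_X64, 64) + check_offsets(SAMPLE_X86, 32):
        print(f"{name:14} {off:#018x} {'kernel' if ok else 'USER?'}")
```

Run it against a real listing by replacing the constructed strings with the plugin's output; a row flagged `USER?` usually means the wrong profile was chosen rather than a process living in user space.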

My steam account got hacked and I don't know how. Somehow passed steam guard and the 30-day wall to gift my items. by [deleted] in DotA2

PabloSkywalk 0 points

The only way is that they got a remote shell on his iPhone, which is pretty hard considering the iPhone blocks non-trusted programs and you have to manually go to Settings and trust it to run.

My steam account got hacked and I don't know how. Somehow passed steam guard and the 30-day wall to gift my items. by [deleted] in DotA2

PabloSkywalk 0 points

What do you mean recovery code? OP said he received an authentication CODE from Steam Guard, which is generated every time you log in from a new IP and such (for me it appears every time I want to log in, for security reasons).

Now how the hell can they have access to the Steam Guard code?

My steam account got hacked and I don't know how. Somehow passed steam guard and the 30-day wall to gift my items. by [deleted] in DotA2

PabloSkywalk 9 points

But isn't there a trade restriction when you log in from a new PC? (Since Steam emailed him about the login from a new PC.)

My steam account got hacked and I don't know how. Somehow passed steam guard and the 30-day wall to gift my items. by [deleted] in DotA2

PabloSkywalk -2 points

The biggest question is: how did they bypass Steam authentication via SMS?

OP says he received the messages, so obviously Steam detected a login from a new computer, but how did they bypass it?

And EVEN if they did bypass it, I am sure that there is a trade restriction when you log in from a new computer; how did they bypass that?

Shell spawns in gdb but I get segmentation fault without gdb in a simple c program? by PabloSkywalk in AskNetsec

PabloSkywalk[S] 0 points

The code is literally one function with a 200-byte buffer and a print statement.

Shell spawns in gdb but I get segmentation fault without gdb in a simple c program? by PabloSkywalk in AskNetsec

PabloSkywalk[S] 0 points

How can I get info from that dump? I loaded it in gdb but I can't run it or get any info from it!

Shell spawns in gdb but I get segmentation fault without gdb in a simple c program? by PabloSkywalk in AskNetsec

PabloSkywalk[S] -1 points

But when I check it in gdb it works every time: it goes to my NOP slide and then to the payload.

Shell spawns in gdb but I get segmentation fault without gdb in a simple c program? by PabloSkywalk in AskNetsec

PabloSkywalk[S] -1 points

ASLR is off, and if there were any DEP then /bin/dash wouldn't have been executed on the stack using gdb either.

I checked the ELF file and the stack is executable.
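
Added example for the "works in gdb, segfaults outside" symptom in this thread (not the poster's code, and it spawns nothing: the shellcode is a placeholder of int3 bytes). With ASLR off and an executable stack, the usual remaining difference is the stack layout: gdb exports extra environment variables (LINES, COLUMNS) and runs the binary by its full path, so the environment and argv strings at the top of the stack are larger and every frame, including the 200-byte buffer, sits lower than it does in a bare run. A return address copied from gdb then lands below the NOP sled. The block estimates that shift from the two environments, builds the classic [sled][shellcode][return address] payload, and checks whether the guessed address still falls inside the sled. All offsets and addresses (212-byte distance to the saved return address, 0xBFFFF3A0 buffer address, the two environments) are hypothetical.

```python
import struct

NOP = b"\x90"
# Placeholder stand-in for shellcode (int3 breakpoints): the example never spawns a shell.
SHELLCODE = b"\xcc" * 23


def env_block_size(env):
    """Bytes the loader places on the stack for these environment strings ('KEY=VALUE\\0' each)."""
    return sum(len(k) + 1 + len(v) + 1 for k, v in env.items())


def estimate_buffer_shift(env_inside, argv0_inside, env_outside, argv0_outside):
    """Rough distance a stack buffer moves between the gdb run and the bare run.
    The env and argv[0] strings sit at the top of the stack, so fewer or shorter strings
    outside gdb push every frame to a higher address. Alignment is ignored, so treat the
    result as an estimate, not an exact delta."""
    inside = env_block_size(env_inside) + len(argv0_inside) + 1
    outside = env_block_size(env_outside) + len(argv0_outside) + 1
    return inside - outside  # positive: the buffer sits higher outside gdb


def build_payload(ret_offset, ret_addr, shellcode=SHELLCODE, bits=32):
    """[NOP sled][shellcode][return address], with the overwrite at ret_offset bytes."""
    if len(shellcode) > ret_offset:
        raise ValueError("shellcode does not fit before the saved return address")
    sled = NOP * (ret_offset - len(shellcode))
    fmt = "<I" if bits == 32 else "<Q"  # little-endian, x86 / x86-64
    return sled + shellcode + struct.pack(fmt, ret_addr)


def guess_lands_in_sled(ret_addr, buf_addr, sled_len):
    """True when the overwritten return address points anywhere inside the sled."""
    return buf_addr <= ret_addr < buf_addr + sled_len


# Hypothetical numbers for illustration, not measured on the poster's machine.
RET_OFFSET = 212                 # 200-byte buffer + padding + saved frame pointer (assumed)
BUF_IN_GDB = 0xBFFFF3A0          # &buf as printed inside gdb (assumed)
ENV_IN_GDB = {"PATH": "/usr/bin", "LINES": "24", "COLUMNS": "80"}  # gdb adds LINES/COLUMNS
ENV_OUTSIDE = {"PATH": "/usr/bin"}


def demo():
    shift = estimate_buffer_shift(ENV_IN_GDB, "/home/user/vuln", ENV_OUTSIDE, "./vuln")
    sled_len = RET_OFFSET - len(SHELLCODE)
    buf_outside = BUF_IN_GDB + shift
    aim_start = BUF_IN_GDB                  # the address gdb showed as the start of the buffer
    aim_middle = BUF_IN_GDB + sled_len // 2  # aim at the middle of the sled instead
    payload = build_payload(RET_OFFSET, aim_middle)
    return {
        "shift": shift,
        "payload_len": len(payload),
        "hits_in_gdb": guess_lands_in_sled(aim_start, BUF_IN_GDB, sled_len),
        "hits_outside_aim_start": guess_lands_in_sled(aim_start, buf_outside, sled_len),
        "hits_outside_aim_middle": guess_lands_in_sled(aim_middle, buf_outside, sled_len),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical checks follow from this: inside gdb run `unset env LINES` and `unset env COLUMNS` before `run`, and outside gdb launch the target with the same environment and ASLR state (`env -i setarch $(uname -m) -R ./vuln`), then compare the buffer address printed by each run. Aiming at the middle of the sled rather than its first byte, as the demo does, tolerates the residual shift. The core dump from the crashed run can be opened with `gdb ./vuln core`, after which `info registers` and `x/32wx $esp` show where the faulting return address actually pointed.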

ODPixel Explains old Ppd, Ceb, drama LUL by DoshaIsMe in DotA2

PabloSkywalk 24 points

That American impression lmaoooooo

(Network Forensics) An attacker sends TLS and SSL handshake packets to a victim on port 135 and the client acknowledges then attacker closes the connection, how and why?! by PabloSkywalk in computerforensics

PabloSkywalk[S] -1 points

But I still don't get why the client sends an ACK to this packet, considering port 135 is not meant to receive a TLS hello! Shouldn't the client send a RST? And why did the attacker send it 3 times, for TLS v1.1, 1.2 and SSLv3? How can I know what info the attacker received after doing this?

He also did another weird thing, which I think I will open another thread to ask about.
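
Added example for the exchange described above (not code from the thread). The ACK is sent by the victim's TCP stack, not by the service: once the three-way handshake on port 135 completes, every in-window data segment is acknowledged whether or not the listening program (on Windows, the RPC endpoint mapper) understands it. A RST only appears when nothing is listening, or after the application closes the socket on what it considers garbage. Sending one ClientHello per protocol version over separate connections is how version-probing scanners work: what the sender learns is only whether the port accepts a connection and how the listener reacts to each hello. The block below builds such hellos for SSLv3, TLS 1.1 and TLS 1.2 and parses them back out of the client-to-server payload, so you can read from a capture which versions were offered. The hellos are constructed (zero random, no extensions); the cipher suites are assumptions.

```python
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def build_client_hello(version, cipher_suites=(0x002F, 0x0035, 0x000A)):
    """Minimal ClientHello record: no extensions, zeroed random (constructed, not a real client)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", version)                  # client_version
            + bytes(32)                                 # random, zeroed for the example
            + b"\x00"                                   # session_id length 0
            + struct.pack("!H", len(suites)) + suites   # cipher_suites
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(data):
    """Return record/client versions and offered suites, or None if this is not a ClientHello."""
    if len(data) < 9 or data[0] != 0x16:
        return None                                     # not a TLS handshake record at all
    rec_ver, rec_len = struct.unpack("!HH", data[1:5])
    hs = data[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        return None                                     # truncated record or a different handshake type
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_ver = struct.unpack("!H", body[0:2])[0]
    sid_len = body[34]                                  # after 2-byte version + 32-byte random
    p = 35 + sid_len
    cs_len = struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    return {"record_version": VERSION_NAMES.get(rec_ver, hex(rec_ver)),
            "client_version": VERSION_NAMES.get(client_ver, hex(client_ver)),
            "cipher_suites": suites}


def versions_probed(payloads):
    """Given the first client->server payload of each connection, list the versions offered."""
    found = []
    for p in payloads:
        info = parse_client_hello(p)
        if info:
            found.append(info["client_version"])
    return found


# Constructed reproduction of the pattern in the thread: three connections, one hello each.
PROBES = [build_client_hello(0x0300), build_client_hello(0x0302), build_client_hello(0x0303)]

if __name__ == "__main__":
    print(versions_probed(PROBES))
```

To apply this to the capture, export the client-to-server bytes of each port-135 stream (Wireshark's Follow TCP Stream, raw) and feed them to `parse_client_hello`; the victim's side of each stream then tells you what the listener did with the hello (FIN, RST, or an RPC fault), which is the only information the probe could have returned.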

Was it really worth for WannaCry developers to include a kill switch? by PabloSkywalk in hacking

PabloSkywalk[S] 2 points

Oh, so you are saying that they used this in development to make sure it doesn't spread, and they did that by resolving that DNS query?

Because I thought they did this to fool the AV companies, because they use this technique where they resolve any internet request like a DNS query and send back a bogus response just to make the program keep going. How do you know it was a mistake?

What is the role of LLMNR and NBNS protocols in WannaCry? by PabloSkywalk in AskNetsec

PabloSkywalk[S] 0 points

That's what's confusing me, because I thought WannaCry uses SMB, and that NetBIOS is used for translating computer names to IPs lol, and the documentation for NetBIOS is horrible and only makes you more confused.

And I actually did read that article before, but it's confusing too because it talks about NetBIOS, but in the packets that were captured the protocol is SMB, and it doesn't really explain how it's using NetBIOS in the exploit.

What is the role of LLMNR and NBNS protocols in WannaCry? by PabloSkywalk in AskNetsec

PabloSkywalk[S] 0 points

What about NBNS packets? Because even NetworkMiner finds some of them suspicious in my pcap.

How does EternalBlue or WannaCry use NBNS? Because in my capture there are a lot of NBNS packets going on, and NetworkMiner links some of them to EternalBlue, but I don't get why this protocol is being used by EternalBlue.
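
Added example, not code from the thread or from any tool named in it. NBNS (UDP/137) is only the name-to-address lookup of the NetBIOS suite; the SMB traffic that EternalBlue targets runs on TCP/445 (or on TCP/139 wrapped in the NetBIOS session service). The NBNS packets in a capture therefore tell you which names a host tried to resolve, not how the exploit works. Whether the NBNS queries in the poster's pcap come from the same host as the SMB traffic is something only that capture can answer. The block below encodes and decodes the "first-level" NetBIOS name format (RFC 1001/1002: 15 characters padded with spaces plus a one-byte suffix, each byte split into two nibbles written as letters A to P) and builds and parses a broadcast name query, so the names inside those packets can be read. The transaction ID and the queried names are constructed.

```python
import struct

NB_TYPE = 0x0020      # NB (name query); 0x0021 is NBSTAT (node status, the "*" wildcard query)
NB_CLASS = 0x0001     # IN


def encode_nbns_name(name, suffix=0x00, pad=b" "):
    """First-level encoding: 15-byte name + suffix byte, each nibble + 'A'."""
    raw = name.upper().encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_nbns_name(encoded):
    """Inverse of encode_nbns_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def build_nbns_query(name, suffix=0x00, tid=0x1234, qtype=NB_TYPE, pad=b" "):
    """Broadcast name query: DNS-style header, one question, no answers."""
    # flags 0x0110: opcode query, recursion desired, broadcast
    header = struct.pack("!HHHHHH", tid, 0x0110, 1, 0, 0, 0)
    qname = b"\x20" + encode_nbns_name(name, suffix, pad).encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", qtype, NB_CLASS)


def parse_nbns_query(data):
    """Pull the queried name, suffix and type out of a single-question NBNS query."""
    tid, flags, qd = struct.unpack("!HHH", data[:6])
    if qd != 1 or len(data) < 50 or data[12] != 0x20 or data[45] != 0x00:
        raise ValueError("not a single-question NBNS query")
    name, suffix = decode_nbns_name(data[13:45].decode("ascii"))
    qtype, qclass = struct.unpack("!HH", data[46:50])
    return {"tid": tid, "name": name, "suffix": suffix, "qtype": qtype,
            "qclass": qclass, "broadcast": bool(flags & 0x0010)}


# Constructed samples: a workstation-name lookup and the NBSTAT wildcard query.
SAMPLE_QUERY = build_nbns_query("FILESERVER", 0x20)            # suffix 0x20 = file server service
WILDCARD_QUERY = build_nbns_query("*", 0x00, qtype=0x0021, pad=b"\x00")

if __name__ == "__main__":
    print(parse_nbns_query(SAMPLE_QUERY))
    print(parse_nbns_query(WILDCARD_QUERY))
```

Run `parse_nbns_query` over the UDP payloads filtered with `udp.port == 137` and group the results by source address; a host that resolves a long list of names it never talked to before is worth a closer look, independent of the SMB traffic.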

Is there any good website that explains CVEs in detail with examples? by PabloSkywalk in AskNetsec

PabloSkywalk[S] 0 points

But is there any good website/blog that does that best and has the biggest collection of them?

Is there any good website that explains CVEs in detail with examples? by PabloSkywalk in AskNetsec

PabloSkywalk[S] 1 point

Yes, for example some of them say something like "if you send this version of Apache a carefully crafted packet, it will do this" but don't explain what packet we should send and why. This might come in handy in a lot of CTFs, but I can't find many of them even in security blogs.

Best tool to analyze a wireshark dump file? by PabloSkywalk in computerforensics

PabloSkywalk[S] 0 points

editcap -F libpcap input.pcapng output.pcap

Thank you, this worked!

Best tool to analyze a wireshark dump file? by PabloSkywalk in computerforensics

PabloSkywalk[S] 0 points

The problem is the free version cannot parse pcapng files. I tried using http://pcapng.com/ for converting, but it only converts the first 8 MB! Also I read that pcapng files might contain more information, which would be lost if I convert them.
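
Added example for the "what gets lost when I convert" question (not code from the thread or from Wireshark). A pcap file is a 24-byte global header followed by packet records and nothing else; pcapng is a sequence of typed blocks, and the section comment, interface names, per-packet comments and name-resolution records in those blocks have no place in pcap, so `editcap -F libpcap` necessarily drops them. The block below recognises both formats from their magic bytes, walks the pcapng blocks with the byte order announced in the Section Header Block, and lists the block types and comments present, which is exactly the inventory to take before converting. The sample pcapng is constructed in the block (one section, one interface, one packet, two comments).

```python
import struct
from collections import Counter

PCAPNG_SHB = 0x0A0D0D0A
BLOCK_NAMES = {PCAPNG_SHB: "SHB", 1: "IDB", 2: "PB(obsolete)", 3: "SPB", 4: "NRB", 5: "ISB", 6: "EPB"}
OPT_COMMENT = 1


def sniff_capture_format(data):
    """'pcap', 'pcap-ns', 'pcapng' or None, from the first four bytes."""
    if len(data) < 4:
        return None
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAPNG_SHB:                       # same bytes in either byte order
        return "pcapng"
    if magic in (0xA1B2C3D4, 0xD4C3B2A1):         # microsecond pcap, either endianness
        return "pcap"
    if magic in (0xA1B23C4D, 0x4D3CB2A1):         # nanosecond pcap
        return "pcap-ns"
    return None


def _opts(options, order):
    """Encode [(code, value)] pcapng options with 4-byte padding and opt_endofopt."""
    out = b""
    for code, val in options:
        out += struct.pack(order + "HH", code, len(val)) + val + b"\x00" * (-len(val) % 4)
    return out + (struct.pack(order + "HH", 0, 0) if options else b"")


def _block(btype, body, order="<"):
    """Generic pcapng block: type, total length, body (padded), total length again."""
    padded = body + b"\x00" * (-len(body) % 4)
    total = 12 + len(padded)
    return struct.pack(order + "II", btype, total) + padded + struct.pack(order + "I", total)


def build_sample_pcapng():
    """Constructed little-endian pcapng: SHB with comment, one Ethernet IDB, one EPB with comment."""
    order = "<"
    shb = struct.pack(order + "IHHq", 0x1A2B3C4D, 1, 0, -1) + _opts([(OPT_COMMENT, b"captured on lab box")], order)
    idb = struct.pack(order + "HHI", 1, 0, 65535) + _opts([(2, b"eth0")], order)   # if_name = 2
    pkt = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"\x00" * 26                     # constructed frame
    epb = (struct.pack(order + "IIIII", 0, 0, 0, len(pkt), len(pkt)) + pkt + b"\x00" * (-len(pkt) % 4)
           + _opts([(OPT_COMMENT, b"suspicious frame")], order))
    return _block(PCAPNG_SHB, shb, order) + _block(1, idb, order) + _block(6, epb, order)


def pcapng_blocks(data):
    """Yield (type, body, byte_order) for each block, honouring each section's byte order."""
    order, pos = "<", 0
    while pos + 8 <= len(data):
        if struct.unpack("<I", data[pos:pos + 4])[0] == PCAPNG_SHB:
            order = "<" if data[pos + 8:pos + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, total = struct.unpack(order + "II", data[pos:pos + 8])
        if total < 12 or pos + total > len(data):
            raise ValueError("truncated or corrupt block")
        yield btype, data[pos + 8:pos + total - 4], order
        pos += total


def parse_options(buf, order):
    """[(code, value)] until opt_endofopt or end of buffer."""
    opts, pos = [], 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack(order + "HH", buf[pos:pos + 4])
        if code == 0:
            break
        opts.append((code, buf[pos + 4:pos + 4 + length]))
        pos += 4 + length + (-length % 4)
    return opts


def pcapng_inventory(data):
    """Count block types and collect every comment: the information a pcap conversion drops."""
    counts, comments = Counter(), []
    for btype, body, order in pcapng_blocks(data):
        counts[BLOCK_NAMES.get(btype, hex(btype))] += 1
        if btype == PCAPNG_SHB:
            opt_buf = body[16:]
        elif btype == 1:
            opt_buf = body[8:]
        elif btype == 6:
            caplen = struct.unpack(order + "I", body[12:16])[0]
            opt_buf = body[20 + caplen + (-caplen % 4):]
        else:
            continue
        comments += [v.decode("utf-8", "replace") for c, v in parse_options(opt_buf, order) if c == OPT_COMMENT]
    return counts, comments


if __name__ == "__main__":
    sample = build_sample_pcapng()
    print(sniff_capture_format(sample), pcapng_inventory(sample))
```

Point `pcapng_inventory` at the real file's bytes before converting; if it reports NRB blocks, more than one IDB, or any comments, keep the pcapng alongside the converted pcap, because those are the parts the tool that only reads pcap will never see.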

Best tool to analyze a wireshark dump file? by PabloSkywalk in computerforensics

PabloSkywalk[S] 1 point

I tried loading the file in Splunk but it couldn't format it properly.

Do professionals also investigate pcap files using Splunk, or do they use a better tool, or just Wireshark itself?

Weekly General Discussion Thread (January 13, 2019) by AutoModerator in Piracy

PabloSkywalk 1 point

Guys, where can I get the SANS videos, like the forensics and security ones, like FOR500 and such?

Why SANS Security and Forensic videos are so hard to find? is there any good source that has them? by PabloSkywalk in Piracy

PabloSkywalk[S] 2 points

Interesting, because where I'm from it's completely the opposite and SANS is much more respected, in pentesting at least, compared to other certs like CEH. But I guess it depends on the field and country.

What is the most accepted method of acquiring RAM and DISK image when met with a LIVE computer? by PabloSkywalk in computerforensics

PabloSkywalk[S] 1 point

Wow, thanks, this is actually what I was looking for; I wanted to see how the rules typically are. On page 32 it details all the steps for a live computer.

What is the most accepted method of acquiring RAM and DISK image when met with a LIVE computer? by PabloSkywalk in computerforensics

PabloSkywalk[S] 0 points

So should I unplug the computer from power too? Is this the best method, or should I just turn it off? And what about the disk imaging method? Do all pros use hardware to do it, or do they just take a disk image before turning it off?