I found an easier way to retrieve malware over Tor on Windows, using free open-source software. Tallow uses Tor and WinDivert to redirect network connections over the Tor network. After starting Tallow, press the Tor button: Then you can use wget on Windows:
Onion services can be accessed too: By default, Tallow only allows TCP connections on ports 80 and 443 (Force web-only). Disable this toggle if you need to access other ports.

Didier Stevens, ISC Handler (649 Posts), Feb 25th 2018
Quote: "DEBUG output created by Wget 1.11.4 on Windows-MSVC."

Only fools use a completely outdated and vulnerable version of wget to retrieve malware. Complete fools let their vulnerable version of wget send its version per "User-Agent:" to servers which may take advantage of its vulnerabilities.

Anonymous, Feb 26th 2018
And an ultra fool believes (because it's not thinking) that User Agent is the straw that broke the camel's back. Happy fooling.

Tony (2 Posts), Feb 26th 2018
sorry

Netmanzim (69 Posts), Feb 26th 2018
any explanation for this: https://www.virustotal.com/en/file/e89cd0892cb9375aec69c0099f3adee38183623c78ee134ec245b315397bbd87/analysis/1519661994/
https://reqrypt.org/download/TallowBundle-1.0-install.exe ??????

Netmanzim (69 Posts), Feb 26th 2018
Quoting Netmanzim: "any explanation for this: https://www.virustotal.com/en/file/e89cd0892cb9375aec69c0099f3adee38183623c78ee134ec245b315397bbd87/analysis/1519661994/"

Not "any", but "many" explanations:
1. the executable installer is vulnerable, it allows escalation of privilege;
2. the PE checksum stored in the header differs from the actual checksum;
3. no authenticode signature, so no proof of authenticity possible.
Stay far away from such crap!

Anonymous, Feb 27th 2018
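The second red flag raised in the comment above, a stored PE checksum that does not match the file, is something a defender can check before running any downloaded installer. The following Python is an added example, not part of the thread or of Tallow, that computes the checksum the way Windows' CheckSumMappedFile does and compares it with the header field; it runs over a constructed 256-byte stand-in header rather than the real installer:

```python
import struct

CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 64  # same for PE32 (0x10B) and PE32+ (0x20B)


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum, after validating MZ/PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_hdr = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt_hdr + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER


def pe_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, skipping the 4-byte CheckSum field
    itself, folded to 16 bits, plus the file length (the documented PE algorithm)."""
    skip = checksum_field_offset(data)
    padded = data + b"\0" if len(data) % 2 else data
    total = 0
    for off in range(0, len(padded), 2):
        if skip <= off < skip + 4:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def checksum_matches(data: bytes) -> bool:
    """True when the header's CheckSum equals the value computed over the file."""
    return stored_checksum(data) == pe_checksum(data)


def build_minimal_pe(stored: int = 0) -> bytes:
    """Constructed sample: only the header fields the checksum code needs, not a real executable."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)             # e_lfanew -> PE header at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x40 + 24, 0x10B)        # PE32 optional header magic
    struct.pack_into("<I", buf, 0x40 + 24 + 64, stored)  # CheckSum field
    return bytes(buf)
```

A zero CheckSum is common for unsigned builds (the linker leaves it unset), so a mismatch is a flag worth explaining, while a correct value says nothing about who built the file; only an Authenticode signature does that.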
Quoting Tony: "And an ultra fool believes (because it's not thinking) that User Agent is the straw that broke the camel's back. Happy fooling."

Except for complete idiots straw does not replace an argument; not even a full-grown strawman does, although these are routinely used to break camels' backs.

Anonymous, Feb 28th 2018
Never seen quite such a pissing match in the diaries before.

I'm pretty sure most people coding malware sites are one of several things:
A. Lazy
B. Not as smart as you give them credit for.
C. 85% cut and paste
D. Did I say lazy? Yes they are mainly just that lazy.

Hardly doubt that the sheeple they are hoarding in, or planning on, give them cause to write a header user agent directive and/or subroutine. Besides.... From https://www.gnu.org/software/wget/manual/wget.html:

‘-U agent-string’
‘--user-agent=agent-string’
Identify as agent-string to the HTTP server. The HTTP protocol allows the clients to identify themselves using a User-Agent header field. This enables distinguishing the WWW software, usually for statistical purposes or for tracing of protocol violations. Wget normally identifies as ‘Wget/version’, version being the current version number of Wget. However, some sites have been known to impose the policy of tailoring the output according to the User-Agent-supplied information. While this is not such a bad idea in theory, it has been abused by servers denying information to clients other than (historically) Netscape or, more frequently, Microsoft Internet Explorer. This option allows you to change the User-Agent line issued by Wget. Use of this option is discouraged, unless you really know what you are doing. Specifying empty user agent with ‘--user-agent=""’ instructs Wget not to send the User-Agent header in HTTP requests.

jACKtheRipper (67 Posts), Mar 1st 2018