Download cheat extreme hack for cs go. Cheat for CS:GO ExtrimHack. What are cheats for?

Updated

extreme hack for cs go

• AimBot

  - automatic aiming at the body, head, legs, depends on how you set it up

• WallHack

  - you can see the enemy through the walls

• triggerbot

  - fires automatically when the scope is aimed at the enemy

Starting the cheat:

• Turn on cs go
• We launch an extreme hack for cs go
• Activate the cheat in the game by pressing "Insert" or "SHIFT + F5"

extreme hack for cs go

Perform a DoS attack using hash collisions

Solution

As far as I remember, the topic of DoS attacks in Easy Hack was quite covered in many tasks - in any case, the main typical attacks. But no, I remember something else. Therefore, get acquainted - Hash Collision DoS. I must say right away that this topic itself is quite extensive and exciting in many different aspects, so we will start with a general theory on our fingers.

So, hash is the result of a hash function (aka a convolution function), which is nothing more than “converting an input data array of arbitrary length to an output bit string of a fixed length using a deterministic algorithm” (according to Wiki). That is, we give as input, for example, a string of any length, and we get a certain length at the output (in accordance with the bit depth). At the same time, for the same input line, we get the same result. This thing is quite familiar to all of us: it is MD5, SHA-1, and various checksums (CRC).

Collisions are when different inputs have the same hash value after the function has run. Moreover, it is important to understand that collisions are inherent in all hash functions, since the number of final values, by definition, is less (it is “limited” by the bit depth) of the “infinite” number of input values.

Another question is how to get such input values ​​that would lead to collisions. For strong hash functions (such as MD5, SHA-1), in theory, only direct enumeration of possible input values ​​will help us. But such functions are very slow. Non-crypto-hard hash functions often allow you to calculate input values ​​that generate collisions (more on that in a few paragraphs).

Theoretically, it is the possibility of deliberate generation of collisions that is the basis for performing a denial of service (DoS) attack. The actual methods will differ, and we will take web technologies as a basis.

Most modern programming languages ​​(PHP, Python, ASP.NET, JAVA), oddly enough, quite often use “inside themselves” precisely non-crypto-resistant hash functions. The reason for this, of course, is high speed the latter. One of the typical places of application is associative arrays, they are also hash tables. Yes, yes, the same ones - storing data in the "key - value" format. And as far as I know, it is from the key that the hash is calculated, which will subsequently be an index.

But the most important thing is that when adding a new one, searching for and removing an element from a hash table without collisions, each of the actions is quite fast (counts as O (1)). But in the presence of collisions, a number of additional operations take place: line-by-line comparisons of all key values ​​in a collision, rebuilding tables. Performance drops significantly, significantly (O(n)).

And if we now remember that we can calculate an arbitrary number of keys (n), each of which will lead to a collision, then theoretically adding n elements (key - value) will cost O(n^2), which can lead us to the long-awaited DoS.

In practice, to organize an increased load on the system, we need the ability to create an associative array, in which the number of keys with the same hashes will be measured in hundreds of thousands (or even more). Imagine the load on the percent when it needs to insert one more value into such a giant list and each time carry out a line-by-line comparison of the keys ... Tin-tin. But two questions arise: how to get such a large number of colliding keys? And how can we force the system under attack to create associative arrays of this size?

As already mentioned, for the first question we can calculate them. Most languages ​​use one of the variations of the same hash function. For PHP5, this is DJBX33A (from Daniel J. Bernstein, X33 - multiply by 33, A - addition).

Static inline ulong zend_inline_hash_func(const char *arKey, uint nKeyLength) ( register ulong hash = 5381; for (uint i = 0; i< nKeyLength; ++i) { hash = hash * 33 + arKey[i]; } return hash; }

As you can see, it is very simple. We take the hash value, multiply it by 33 and add the value of the key symbol. And this is repeated for each character of the key.

Java uses almost the same thing. The only difference is that the initial hash value is 0, and that the multiplication occurs by 31 instead of 33. Or another option - in ASP.NET and PHP4 - DJBX33X. This is still the same function, only instead of adding with the value of the key character, the XOR function is used (hence the X at the end).

At the same time, the DJBX33A hash function has one property that comes from its algorithm and helps us a lot. If, after the hash function, string1 and string2 have the same hash (collision), then the result of the hash function, where these strings are substrings but are at the same positions, will collide. That is:

Hash(String1)=hash(String2) hash(xxxString1zzz)=hash(xxxString2zzz)

For example, from the strings Ez and FY, which have the same hash, we can get EzEz, EzFY, FYEz, FYFY, whose hashes are also colliding.

Thus, as you can see, we can quickly and easily calculate any number of values ​​with a single DJBX33A hash value. You can read more about generation.

It is worth noting that this principle does not work for the DJBX33X (that is, with XOR), which is logical, but a different approach works for it, which also allows you to generate a lot of collisions, although it requires a lot of money due to brute in a small amount. By the way, I did not find practical implementations of the DoS tools for this algorithm.

With that, I hope everything is clear. Now the second question is about how to make applications create such large associative arrays.

In fact, everything is simple: we need to find a place in the application where it would automatically generate such arrays for our input data. Most universal way is sending a POST request to a web server. Most "languages" automatically add all the input parameters from the request into an associative array. Yes, yes, just the $_POST variable in PHP gives access to it. By the way, I would like to emphasize that in the general case, we don’t care if this variable itself is used (to access POST parameters) in a script / application (the exception seems to be ASP.NET), since it is important that the web server passed the parameters to the handler of a particular language and there they were automatically added to the associative array.

Now some numbers to confirm to you that the attack is very severe. They are from 2011, but the essence has not changed much. On an Intel i7 processor in PHP5 500 KB collisions will take 60 sec, on Tomcat 2 MB - 40 min, for Python 1 MB - 7 min.

Of course, it is important to note here that almost all web technologies have restrictions on the execution of a script or request, on the size of the request, which makes the attack somewhat more difficult. But we can roughly say that the flow of requests to the server with a channel filling up to 1 Mbps will allow almost any server to be suspended. Agree - very powerful and at the same time simple!

In general, vulnerabilities associated with collisions in hash functions and their exploitation have surfaced since the early 2000s for various languages, but it hit the web hard just in 2011, after the publication of a practical research from the n.runs company. Vendors have already released various patches, although it must be said that the “penetration” of the attack is still high.

I would just like to draw attention to how vendors tried to protect themselves and why this is sometimes not enough. In fact, there are two main approaches. The first is to implement protection at the language level. "Protection" consists in changing the hashing function, more precisely, a random component is added to it, without knowing which we simply cannot create such keys that generate collisions. But not all vendors went for it. So, as far as I know, Oracle abandoned the fix in Java 1.6 and introduced randomization only from the middle of the 7th branch. Microsoft has implemented a fix in ASP.NET since version 4.5. The second approach (which was also used as a workaround) was to limit the number of parameters in the request. In ASP.NET it is 1000, in Tomcat it is 10,000. Yes, you can’t cook porridge with such values, but is such protection sufficient? Of course, it seems to me that not - we still have the opportunity to push our data with collisions to some other place, which will also be automatically processed by the system. One of the clearest examples of such a place is various XML parsers. In the Xerces parser for Java, associative arrays (HashMap) are used to the fullest when parsing. And at the same time, the parser must first process everything (that is, push the structure into memory), and then produce various business logic. Thus, we can generate a normal XML request containing collisions and send it to the server. Since the parameter will actually be one, then the protection for counting the number of parameters will be passed.

But back to the simple POST version. If you want to test your site or someone else's, then there is a minimalistic tool for this or the Metasploit module - auxiliary/dos/http/hashcollision_dos. Well, in case, after my explanation, there are questions or you just love cats, then here is the version in pictures.

A task

Organize reverse shell

Solution

We haven't touched on this topic for a long time. It is, in general, understandable: there is nothing conceptually new in my recent times did not meet. But still, this task is typical for pentests. After all, finding a bug, exploiting it is not the whole point, in any case, you will need the ability to remotely control the server - that is, a shell.

One of the important points of this method is invisibility from any IDS, as well as “permeability”, or something. The second point is related to the fact that usually broken hosts do not stick out directly, but are located inside the corporate network or in the DMZ, that is, behind a firewall, NAT or something else. Therefore, if we simply open a port with a shell on our victim, then we will not be able to connect there. Almost always, reverse shells are better, since they connect to us themselves and there is no need to open ports. But there are also difficult situations. One of the most “breakable” shells is the DNS shell, since our communication with the shell does not take place directly, but through the corporate DNS server (through queries to our domain). But even this method does not always work, so you have to get out. In the same Metasploit there is an interesting reverse shell. At startup, it tries to connect over the entire range of TCP ports to our server, trying to find a hole in the firewall rules. May work in certain configurations.

Also, an interesting PoC was introduced relatively recently. As a basis for data transfer, not TCP or UDP is used, but the transport protocol - SCTP. This protocol itself is quite young and came from telephony from telecoms. It is a somewhat optimized version of TCP. As protocol chips, one can single out: reducing delays, multithreading, support for data transfer over several interfaces, more secure connection establishment, and something else.

What is most interesting for us is that it is supported in many operating systems. Mostly *nix, but newer Windows seem to support it out of the box too (although I couldn't find actual confirmation). Of course, not super high-tech, but such a shell is probably not so easily detected by IDSs, which is a plus for us. In general, we wind on a mustache, and we take the shell itself.

A task

Stop DoS with amplification attacks

Solution

We have already touched upon such a topic as amplification of DDoS attacks more than once in Easy Hack. Their essence is that an attacker can send a request to a certain service on behalf of the victim, and the response will be sent much (many times) larger in size. These attacks are possible primarily due to the fact that the UDP protocol itself does not involve establishing a connection (there is no handshake, as in TCP), that is, we can replace the sender's IP, and due to the fact that many services are very "chatty" (answer significantly larger than the request) and work "without" authentication (more precisely, there is no connection establishment at a higher level).

In general, there was a lot of hype on the topic of DNS amplification attacks on the Web not so long ago. In my memory, the last such attack used NTP services. The numbers were outrageous - hundreds of gigabits ... But I wanted to return to this topic in order to emphasize an important thing: that this is a deep problem that is unlikely to be fixed in the coming years. The problem is primarily with UDP, and there is no point in "fixing" specific protocols - DNS, NTP, and so on (although more secure default configurations would be helpful). After all, similar amplification attacks can be carried out using the SNMP protocol (with the standard community string - public) or NetBIOS, or less well-known protocols, such as Citrix. You can also add various network games. Yes, many of them (for example, Half-Life, Counter-Strike, Quake) also use UDP as a transport, and through them we can also DDoS someone. You can also add video streaming services here.

Prolexic has released a number of small studies on both typical and "new" attack methods. The interest of the research lies in the selection of specific commands for various protocols that can be used for an attack, in the calculation of attack amplification factors (the ratio of the response size to the size of the request), as well as in the PoC tool that can be used to carry them out.

A task

Intercept DNS with Bitsquating

Solution

Do not pay attention to the strange statement of the problem. Some time ago we already briefly touched on this topic, now we will stop in more detail. But let's go in order, from the classics.

You, like any other Internet user, sometimes, probably, drive the name of the desired site into the address bar. And sometimes it happens that you make a mistake in the name and end up instead of the youtube.com you are interested in on yuotube.com. Or eternal misunderstandings with first-level domains - vk.com or vk.ru? So, the technique, when a certain set of domain names is registered, which are somewhat different from the attacked one, is called typosquatting. By registering them, a hacker can make an exact copy of the attacked site, and then sit and wait for the wrong visitors to arrive. And in many cases, he can even get a legal certificate signed by a trusted certificate authority. That is, it is very easy to organize excellent phishing that the average user cannot expose.

But all this is not very interesting, not “beautiful”. A much more interesting "find" was presented at Black Hat Las Vegas 2011 by a researcher named Artem Dinaburg. Very, very unexpectedly, but it turns out that computers are also wrong. It may happen that for some reason one or two bits change from 0 to 1 somewhere or vice versa, and that's it - we already have a new request ... But I'm getting ahead of myself.

The study says that computers make mistakes and this happens very often. And most importantly, this applies, in fact, to all computers (servers, smartphones, network devices, laptops) and has nothing to do with their brokenness. The main source of errors is RAM. And in a more general sense. In addition to those chips that are in your device, there is also a processor cache, a hard drive cache and a network card, and so on.

Why do errors appear? There are many reasons - from minor malfunctions to elevated temperatures (even for a while) or exposure to various kinds radiation. Thus, the chance of changing the value of some bit in some string stored in memory becomes high. Yes, of course, there is ECC memory (with error correction), but its use is not so common, especially in embedded devices, smartphones and device caches.

But back to the chances of error. Oddly enough, there are some “statistics” about this (see screenshot). The main characteristic is FIT (Failures in time), where 1 FIT is equal to one error per one billion hours of operation. The worst result is 81,000 FIT per 1 Mb of memory (1 error in 1.4 years), and the best is 120 FIT per 1 Mb of memory (1 error in 950 years). Yes, these results, it would seem, are not impressive, but if we take into account that we have more than 1 Mbit of memory, and take the average value of 4 GB as a basis, then even best memory(120 FIT) we get three bugs per month. (I didn’t personally count, and the reason for the calculations in bits, not bytes, is incomprehensible to me, so let’s hope for the correctness of the calculations.)

But what if we expand these calculations to all devices on the Internet? The author takes as a basis the number of devices in the amount of 5 billion and the average amount of memory is 128 MB. Now the averages are probably even higher. It turns out:

• 5x10^9 x 128 Mb = 5.12 x 10^12 Mb - the total amount of memory;

• 5.12 x 10^12 Mbps x 120 FIT= 614,400 errors/hour.

The figures, of course, are “on average for the ward”, but they tell us something! Okay, we realized that there are a lot of mistakes, but a reasonable question is what is all this for?

The researcher came up with a way to take advantage of this - the bitsquating technique. It is similar to typosquating, but names that differ by one or two bits from the correct name are taken as the basis for choosing a domain. For example, Microsoft.com and mic2soft.com. Instead of r, there is 2. Because r is 01110010, and 2 (as a symbol) is 00110010, that is, the second unit is replaced by zero.

Thus, when some device makes a mistake and tries to resolve the domain name mic2soft.com instead of microsoft.com, it will already get to us. Well, subdomains, respectively, will also come to us.

On the other hand, let's remember that errors appear and can change something in memory at different times and in different parts of memory. This is not always related to domain names. In addition, a number of errors can be cut off by checking the integrity in various protocols.

There are also problems with registering domains with a bit shift. Firstly, when changing some bits, we get into the area of ​​special characters, and such domain names cannot be registered. Secondly, memory errors can result in more than a single bit change, and therefore it is hardly possible to register all domains for all combinations.

But-but-but ... there are many reservations, but the main fact remains - the technique works. Artem registered several dozen domains and for six months followed the requests that came to him. In total, about 50 thousand requests were collected. On average, there were 60 connections per day from unique IPs (but there were also jumps up to 1000). At the same time, he claims that these are logs without random visits of spiders, scanners and other things.

The statistics turned out to be the most interesting - that most of the HTTP requests (90%) came with an incorrect Host header (equivalent to a DNS request). And this means that the errors did not occur as a result of an incorrect DNS resolution, but as a result of errors on the pages. That is, a page was saved in some cache, an error in memory affected some link in it, and therefore the browser began to try to load data from an incorrect resource ...

Mdaa. Agree, the technique smacks of madness :), but it works. I highly recommend that you familiarize yourself with other statistics presented in this work.

Thank you for your attention and successful knowledge of the new!

A very interesting cheat called ExtrimHack for CS:GO from a Russian developer. At the time of publication, it is not detected by VAC anti-cheat. Includes the following popular features: AimBot, WallHack, TriggerBot, RadarHack and more…

Description of functions.
AimBot (Aim bot) - Automatic aiming at the enemy exactly in the head. (The cheat has an auto-aim setting for the head, neck or body)
WallHack (ESP, WallHack or BH) - Helps to detect enemies through any walls at a distance, in addition, displays the number of lives and armor of the enemy.
TriggerBot (Trigger bot) - Automatically starts shooting as soon as you aim at the enemy.

Instructions for installing / launching the cheat.

1. Turn on cheat. To do this, run the .exe file ExtrimHack.exe
2. Run Counter-Strike Global Offensive.
3. Wait for the game to load completely and click "Start Cheat | Start Cheat»

The cheat itself will be injected and the Anti-cheat bypass will be activated. After that, you only need to select the functions you need. You can collapse the cheat menu by pressing the Insert, Home, End keys.

KFG cheat is stored here:
C:\Users\username\AppData\Roaming\ExtrimTeam\Settings.cfg

Rate it!

Click on a star to rate the article.