In 2016 Your Wireless Keyboard Security Still SUCKS – KeySniffer


So you’d probably imagine that wireless keyboard security is a 1998 problem and you shouldn’t even have to worry about it any more. And you’d be wrong – two-thirds of wireless keyboards from MAJOR manufacturers are not even vaguely secure.

It turns out, in 2016 when cryptography is mainstream, open-source and fairly easy to implement with proven libraries for every language – wireless keyboards still communicate in plain text.

Millions of low-cost wireless keyboards are susceptible to a vulnerability that reveals private data to hackers in clear text.

The vulnerability – dubbed KeySniffer – creates a means for hackers to remotely “sniff” all the keystrokes of wireless keyboards from eight manufacturers from distances up to 100 metres away.

“When we purchase a wireless keyboard we reasonably expect that the manufacturer has designed and built security into the core of the product,” said Bastille Research Team member Marc Newlin, responsible for the KeySniffer discovery. “Unfortunately, we tested keyboards from 12 manufacturers and were disappointed to find that eight manufacturers (two thirds) were susceptible to the KeySniffer hack.”

The keyboard manufacturers affected by KeySniffer include: Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec. Vulnerable keyboards are always transmitting, whether or not the user is typing. Consequently, a hacker can scan for vulnerable devices at any time.


And yah, this vulnerability has a name, it’s called KeySniffer and it even has a fancy website too:

http://www.keysniffer.net/

This is not the first time similar flaws have been exposed, and fortunately (because all the wireless stuff I use is Logitech) Logitech is not vulnerable to KeySniffer.

Wireless keyboards have been the focus of security concerns before. In 2010, the KeyKeriki team exposed weak XOR encryption in certain Microsoft wireless keyboards. Last year Samy Kamkar’s KeySweeper exploited Microsoft’s vulnerabilities. Both of those took advantage of shortcomings in Microsoft’s encryption.

The KeySniffer discovery is different in that it reveals that manufacturers are actually producing and selling wireless keyboards with no encryption at all. Bluetooth keyboards and higher-end wireless keyboards from manufacturers including Logitech, Dell, and Lenovo are not susceptible to KeySniffer.

Bastille notified affected vendors to provide them the opportunity to address the KeySniffer vulnerability prior to going public on Tuesday. Most, if not all, existing keyboards impacted by KeySniffer cannot be upgraded and will need to be replaced, it warns.

Do remember, these are lower-end keyboards, so most of us here probably wouldn’t be using them. Unless, that is, you have an HTPC or home-media center, in which case you probably have an el-cheapo wireless keyboard on that.

But you’re also not typing sensitive information on it (apart from your Netflix login) so it doesn’t really matter.

Source: The Register


Posted in: Exploits/Vulnerabilities, Hardware Hacking

WOL-E – Wake On LAN Security Testing Suite


WOL-E is a suite of tools for Wake on LAN (WOL) security testing, aimed at the WOL features of network-attached computers; WOL is now enabled by default on many Apple computers.

This allows you to easily scan for Apple devices on a network (based on their MAC addresses).

Features

These tools include:

  • Bruteforcing the MAC address to wake up clients
  • Sniffing WOL attempts on the network and saving them to disk
  • Sniffing WOL passwords on the network and saving them to disk
  • Waking up single clients (post sniffing attack)
  • Scanning for Apple devices on the network for WOL enabling
  • Sending bulk WOL requests to all detected Apple clients

Usage

You can download WOL-E here:

wol-e_2.0.orig.tar.gz

Or read more here.


Posted in: Hacking Tools, Network Hacking

dnmap – Distributed Nmap Framework


dnmap is a distributed Nmap framework that hands off Nmap scans to several clients. It reads a pre-built file of Nmap commands and sends those commands to each client connected to it.

The framework uses a client/server architecture: the server knows what to do and the clients do it. All the logic and statistics are managed on the server. Nmap output is stored on both server and client.

Usually you would want this if you have to scan a large group of hosts and you have several different internet connections (or friends that want to help you).

Features of the framework

Clients can be run on any computer on the Internet; they do not have to be in a local cluster or anything like that.
It uses TLS for encryption of the server/client connection.

dnmap_server features

  • If the server goes down, clients continue trying to connect until the server gets back online.
  • If the server goes down, when you put it up again it will send commands starting from the last command given before the shutdown. You do not need to remember where it was.
  • You can add new commands to the original file without having to stop the server. The server will read them automatically.
  • If some client goes down, the server will remember which command it was executing and it will re-schedule it for later.
  • It will store every detail of the operations in a log file.
  • It shows real time statistics about the operation of each client, including:
    • Number of commands executed
    • Last time seen
    • Uptime
    • Version of the client
    • If the client is being run as root or not.
  • It calculates the amount of commands executed per minute
  • The historic average of the amount of commands executed per minute
  • The status of the client (Online, Offline, Executing or Storing)
  • You can choose which port to use. Defaults to 46001

dnmap_client features

  • If the server goes down, it keeps trying to connect until the server is up again.
  • Strips strange characters from the command sent by the server, to avoid command-injection vulnerabilities.
  • It only executes the Nmap command: it discards the binary named in the command sent by the server and substitutes a known Nmap binary on the system.
  • You can pick an alias for your user.
  • You can change which port to connect to.
  • If the command sent by the server does not have a -oA option, the client adds it anyway, so it always has a local copy of the output.

Security

This framework is NOT intended to be secure or to be used by people you do not trust. As the client will execute any Nmap command you send, the client is trusting you. This was created so your friends can help you in the scan, or to use all your computers at the same time.

The client does not need to be run as root, but be aware that most Nmap scan types need the client to be run as root. If some of your clients are not root, you can still send them TCP connect type of scans for example. But this should be done by you in the Nmap commands file.
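The client-side guards listed under dnmap_client features, together with the trust caveat just above, as an added example that is not dnmap’s own code (the function and constant names are this example’s assumptions, as is the path of the known nmap binary):

```python
import shlex
import string
import subprocess

# Added example, not dnmap's own code: a client-side guard that mirrors the
# dnmap_client features described above (strip odd characters, swap in a
# known nmap binary, keep a local -oA copy of the output). The function and
# constant names are this example's own assumptions.

# Conservative allow-list: enough for hosts, CIDRs, port lists and options,
# but none of the shell metacharacters (; | & ` $ < > ( ) quotes, newlines).
ALLOWED_CHARS = set(string.ascii_letters + string.digits + " -_./,:=")


def sanitize_server_command(raw, nmap_path="/usr/bin/nmap", out_prefix="dnmap-out"):
    """Turn one command line received from the server into an argv list."""
    cleaned = "".join(ch for ch in raw if ch in ALLOWED_CHARS)
    argv = shlex.split(cleaned)
    if not argv:
        raise ValueError("empty command from server")
    # Whatever program the server named, only the known local nmap is run.
    argv[0] = nmap_path
    # Keep a local copy of the results if the server left out -oA
    # (nmap accepts both "-oA name" and "-oAname").
    if not any(arg.startswith("-oA") for arg in argv[1:]):
        argv += ["-oA", out_prefix]
    return argv


def run_server_command(raw, **kwargs):
    """Run the sanitized command without a shell, so nothing is ever
    re-parsed for metacharacters. This is still full trust in the server:
    an nmap option such as --script can execute arbitrary NSE code, which is
    exactly why the Security section says dnmap is not for untrusted parties.
    Returns nmap's exit status."""
    argv = sanitize_server_command(raw, **kwargs)
    return subprocess.run(argv, check=False).returncode
```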

You can download dnmap here:

dnmap_v0.6.tgz

Or read more here.


Posted in: Hacking Tools, Network Hacking

Everything You Need To Know About Web Shells


So let’s talk about Web Shells, something many of us are already familiar with, but to level the field – what is a web shell?

A web shell is a script that can be uploaded to a web server to enable remote administration of the machine. Infected web servers can be either Internet-facing or internal to the network, where the web shell is used to pivot further to internal hosts.

We have written about various web shell implementations and tools such as:

Weevely 3 – Weaponized PHP Web Shell
A Collection of Web Backdoors & Shells – cmdasp cmdjsp jsp-reverse php-backdoor
InsomniaShell – ASP.NET Reverse Shell Or Bind Shell

And various other mentions here and there.

Now, Acunetix has come out with a great, really comprehensive 5-part article about web shells. It covers pretty much everything apart from the really advanced stuff: an introduction, then PHP (as it’s still the most widespread language for commonly installed CMS packages such as WordPress, Joomla and Drupal), then hiding your web shells, what you can do with web shells, and finally detecting and preventing the installation of web shells.

A web-shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application. A web-shell itself cannot attack or exploit a remote vulnerability, so it is always the second step of an attack (this stage is also referred to as post-exploitation).

An attacker can take advantage of common vulnerabilities such as SQL injection, remote file inclusion (RFI), FTP, or even use cross-site scripting (XSS) as part of a social engineering attack in order to upload the malicious script. The common functionality includes but is not limited to shell command execution, code execution, database enumeration and file management.

From – Part 1

And the series to conclude:

As we have seen, coding and using a web-shell is not difficult. Unfortunately, many web servers are set up in such a way that even a simple script is enough to cause significant damage. This is the main reason why there are thousands of publicly available web-shells. The fact that so many variations exist makes it difficult for intrusion detection and intrusion prevention systems (IDS/IPS) to detect them, especially if they are using signatures to detect such web shells. Some web-shells are very sophisticated and almost impossible to detect, even with behavioral analysis.

Having said this, early on in this article series we had established that web-shells are post-exploitation tools. This means that the best way to prevent exploitation is to prevent them from being uploaded in the first place.

From – Part 1

My best tip, if you’re a WordPress user, to prevent the use of PHP-based exploits and/or web shells is to add this to your nginx config file:
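The author’s own snippet did not survive on this page. As an added example (not the author’s config), one widely used nginx rule that stops uploaded PHP from executing under wp-content/uploads; it assumes a standard WordPress layout and that PHP is handed to php-fpm by a separate `location ~ \.php$` block elsewhere in the same server block:

```nginx
# Added example (not the page's snippet). Deny any PHP-like file under the
# WordPress uploads tree, the usual landing spot for file-upload web shells.
# Place this BEFORE the general "location ~ \.php$" block: nginx tries regex
# locations in the order they appear and uses the first one that matches.
# "(/|$)" also catches path-info tricks such as /shell.php/image.jpg.
location ~* ^/wp-content/uploads/.*\.(php|phtml|phar)(/|$) {
    deny all;
}
```

Legitimate uploads (images, documents) are unaffected because the rule only matches PHP-style extensions; the 403 it produces is also a useful log signal for detecting upload attempts.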

So yah, read all 5 parts and you’ll have been to Web Shell starter school.

Then go and explore this repo to find all kinds of web shells in different languages – https://github.com/tennc/webshell

Enjoy!


Posted in: Advertorial, Web Hacking

DMitry – Deepmagic Information Gathering Tool

DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU) Linux command-line program coded purely in C with the ability to gather as much information as possible about a host. DMitry has a base functionality with the ability to add new functions; the basic functionality of DMitry allows for information to be gathered about a target […]

Posted in: Hacking Tools, Network Hacking, Web Hacking

Automater – IP & URL OSINT Tool For Analysis

Automater is a URL/domain, IP address, and MD5 hash OSINT tool aimed at making the analysis process easier for intrusion analysts. Given a target (URL, IP, or hash) or a file full of targets, Automater will return relevant results from sources like the following: IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com, Labs.alienvault.com, ThreatExpert, VxVault, and VirusTotal. By […]

Posted in: Hacking Tools, Network Hacking

Android Malware Giving Phones a Hummer

So Android malware has always been quite a problem, especially with it being so easy to install random .apk files and the proliferation of 3rd-party app stores. There are also so many people with rooted phones, and the fact that installed software can root your phone and take complete control. The current worry is the Hummer […]

Posted in: Malware

ERTS – Exploit Reliability Testing System

ERTS, or Exploit Reliability Testing System, is a Python-based tool to calculate the reliability of an exploit based on the number of times the exploit is able to control the EIP register with the desired address/value. It’s created to help you code reliable exploits and take the manual parts out of running and re-running exploits […]

Posted in: Exploits/Vulnerabilities, Programming

OpenIOC – Sharing Threat Intelligence

OpenIOC is an open framework for sharing threat intelligence; sophisticated threats require sophisticated indicators. In the current threat environment, rapid communication of pertinent threat information is the key to quickly detecting, responding to and containing targeted attacks. OpenIOC is designed to fill a void that currently exists for organizations that want to share threat information both […]

Posted in: Countermeasures, Security Software

Up1 – Client Side Encrypted Image Host

Up1 is a client-side encrypted image host that can also encrypt text and other data and then store them, with the server knowing nothing about the contents. It has the ability to view images, text with syntax highlighting, short videos, and arbitrary binaries as downloadables. How it Works Before an image is uploaded, […]

Posted in: Cryptography, Privacy