fping is a program like ping which uses the Internet Control Message Protocol (ICMP) echo request to determine if a target host is responding.
fping differs from ping in that you can specify any number of targets on the command line, or specify a file containing the lists of targets to ping. Instead of sending to one target until it times out or replies, fping will send out a ping packet and move on to the next target in a round-robin fashion. In the default mode, if a target replies, it is noted and removed from the list of targets to check; if a target does not respond within a certain time limit and/or retry limit it is designated as unreachable.
fping also supports sending a specified number of pings to a target, or looping indefinitely (as in ping). Unlike ping, fping is meant to be used in scripts, so its output is designed to be easy to parse.
The binary named fping6 is the same as fping, except that it uses IPv6 addresses instead of IPv4.
−a Show systems that are alive.
−A Display targets by address rather than DNS name.
−b n Number of bytes of ping data to send. The minimum size (normally 12) allows room for the data that fping needs to do its work (sequence number, timestamp). The reported received data size includes the IP header (normally 20 bytes) and ICMP header (8 bytes), so the minimum total size is 40 bytes. Default is 56, as in ping. Maximum is the theoretical maximum IP datagram size (64K), though most systems limit this to a smaller, system-dependent number.
−B n In the default mode, fping sends several requests to a target before giving up, waiting longer for a reply on each successive request. This parameter is the value by which the wait time is multiplied on each successive request; it must be entered as a floating-point number (x.y). The default is 1.5.
−c n Number of request packets to send to each target. In this mode, a line is displayed for each received response (this can be suppressed with −q or −Q). Also, statistics about responses for each target are displayed when all requests have been sent (or when interrupted).
−C n Similar to −c, but the per-target statistics are displayed in a format designed for automated response-time statistics gathering.
shows the response time in milliseconds for each of the five requests, with the "−" indicating that no response was received to the fourth request.
−d Use DNS to lookup address of return ping packet. This allows you to give fping a list of IP addresses as input and print hostnames in the output.
−D Add Unix timestamps in front of output lines generated in looping or counting modes (−l, −c, or −C).
−e Show elapsed (round-trip) time of packets.
−f Read list of targets from a file. This option can only be used by the root user.
−g Generate a target list from a supplied IP netmask, or a starting and ending IP. Specify the netmask or start/end in the targets portion of the command line.
−h Print usage message.
−i n The minimum amount of time (in milliseconds) between sending a ping packet to any target (default is 25).
−l Loop sending packets to each target indefinitely. Can be interrupted with Ctrl-C; statistics about responses for each target are then displayed.
−m Send pings to each of a target host’s multiple interfaces.
−n Same as −d.
−p <n> In looping or counting modes (−l, −c, or −C), this parameter sets the time in milliseconds that fping waits between successive packets to an individual target. Default is 1000.
−q Quiet. Don’t show per-probe results, but only the final summary. Also don’t show ICMP error messages.
−Q n Like −q, but show summary results every n seconds.
−r n Retry limit (default 3). This is the number of times an attempt at pinging a target will be made, not including the first try.
−s Print cumulative statistics upon exit.
−S addr Set source address.
−I if Set the interface (requires SO_BINDTODEVICE support).
−t n Initial target timeout in milliseconds (default 500). In the default mode, this is the amount of time that fping waits for a response to its first request. Successive timeouts are multiplied by the backoff factor.
−T n Ignored (for compatibility with fping 2.4).
−u Show targets that are unreachable.
−O n Set the type of service flag (TOS). n can be given in either decimal or hexadecimal (0xh) format.
−v Print fping version information.
−H n Set the IP TTL field (time to live hops).
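Since −C exists so that scripts can collect response times, here is an added example (not part of fping or the original page) that parses the −C per-target summary lines into loss and average round-trip figures. The sample lines are constructed; the layout assumed is the one described above, one field per request and "−" (written as "-" in the output) where no reply arrived.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the "host : t1 t2 - ..." lines are the per-target summaries
# fping -C writes (to stderr, so capture with 2>&1), one field per request and
# "-" where no reply arrived; the "[0], 84 bytes" line is a per-probe result
# that a summary parser must skip.
SAMPLE_FPING_C = """\
10.0.0.1 : [0], 84 bytes, 0.42 ms (0.42 avg, 0% loss)
10.0.0.1 : 0.42 0.39 0.41 0.40 0.43
10.0.0.2 : 1.12 - 1.05 1.30 -
10.0.0.3 : - - - - -
"""
_SUMMARY = re.compile(r"^(?P<target>\S+)\s*:\s*(?P<fields>.+)$")
@dataclass
class TargetStats:
    target: str
    sent: int
    rtts: List[float]  # round-trip times (ms) of answered requests only

    def loss_pct(self) -> float:
        return 100.0 * (self.sent - len(self.rtts)) / self.sent

    def avg_ms(self) -> Optional[float]:
        return sum(self.rtts) / len(self.rtts) if self.rtts else None

def _rtt_fields(fields: List[str]) -> Optional[List[float]]:
    rtts = []
    for f in fields:
        if f == "-":
            continue
        try:
            rtts.append(float(f))
        except ValueError:
            return None  # e.g. "[0]," from a per-probe line: not a summary line
    return rtts
def parse_fping_c(text: str) -> Dict[str, TargetStats]:
    stats: Dict[str, TargetStats] = {}
    for line in text.splitlines():
        m = _SUMMARY.match(line.strip())
        fields = m.group("fields").split() if m else []
        rtts = _rtt_fields(fields) if fields else None
        if rtts is None:
            continue  # blank line, per-probe line or ICMP error text
        stats[m.group("target")] = TargetStats(m.group("target"), len(fields), rtts)
    return stats
def unreachable(stats: Dict[str, TargetStats]) -> List[str]:
    # Targets that answered none of their requests (100% loss)
    return [t for t, s in stats.items() if not s.rtts]
```

Feed it the output of `fping -C 5 -q <targets> 2>&1` and alert on whatever `unreachable()` returns or on any loss above your threshold.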
So you’d probably imagine that Wireless Keyboard Security is a 1998 problem and you shouldn’t even have to worry about that any more. And you’d be wrong – two-thirds of wireless keyboards, from MAJOR manufacturers are not even vaguely secure.
It turns out, in 2016 when cryptography is mainstream, open-source and fairly easy to implement with proven libraries for every language – wireless keyboards still communicate in plain text.
Millions of low-cost wireless keyboards are susceptible to a vulnerability that reveals private data to hackers in clear text.
The vulnerability – dubbed KeySniffer – creates a means for hackers to remotely “sniff” all the keystrokes of wireless keyboards from eight manufacturers from distances up to 100 metres away.
“When we purchase a wireless keyboard we reasonably expect that the manufacturer has designed and built security into the core of the product,” said Bastille Research Team member Marc Newlin, responsible for the KeySniffer discovery. “Unfortunately, we tested keyboards from 12 manufacturers and were disappointed to find that eight manufacturers (two thirds) were susceptible to the KeySniffer hack.”
The keyboard manufacturers affected by KeySniffer include: Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec. Vulnerable keyboards are always transmitting, whether or not the user is typing. Consequently, a hacker can scan for vulnerable devices at any time.
And yah, this vulnerability has a name, it’s called KeySniffer and it even has a fancy website too:
This is not the first time similar flaws have been exposed, and fortunately (because all the wireless stuff I use is Logitech) Logitech is not vulnerable to KeySniffer.
Wireless keyboards have been the focus of security concerns before. In 2010, the KeyKeriki team exposed weak XOR encryption in certain Microsoft wireless keyboards. Last year Samy Kamkar’s KeySweeper exploited Microsoft’s vulnerabilities. Both of those took advantage of shortcomings in Microsoft’s encryption.
The KeySniffer discovery is different in that it reveals that manufacturers are actually producing and selling wireless keyboards with no encryption at all. Bluetooth keyboards and higher-end wireless keyboards from manufacturers including Logitech, Dell, and Lenovo are not susceptible to KeySniffer.
Bastille notified affected vendors to provide them the opportunity to address the KeySniffer vulnerability prior to going public on Tuesday. Most, if not all, existing keyboards impacted by KeySniffer cannot be upgraded and will need to be replaced, it warns.
Do remember, these are lower end keyboards – so most of us here probably wouldn’t be using them. Unless you have an HTPC or home-media center, in which case you probably have an el-cheapo wireless keyboard on that.
But you’re also not typing sensitive information on it (apart from your Netflix login) so it doesn’t really matter.
Source: The Register
WOL-E is a suite of tools for Wake on LAN security testing, related to the WOL features of network-attached computers; WOL is now enabled by default on many Apple computers.
This allows you to easily scan for Apple devices on a network (based on their MAC addresses).
These tools include:
- Bruteforcing the MAC address to wake up clients
- Sniffing WOL attempts on the network and saving them to disk
- Sniffing WOL passwords on the network and saving them to disk
- Waking up single clients (post sniffing attack)
- Scanning for Apple devices on the network for WOL enabling
- Sending bulk WOL requests to all detected Apple clients
root@kali:~# wol-e -h
[*] WOL-E 1.0
[*] Wake on LAN Explorer - A collection a WOL tools.
[*] by Nathaniel Carew
Waking up single computers.
If a password is required use the -k 00:12:34:56:78:90 at the end of the above command.
wol-e -m 00:12:34:56:78:90 -b 192.168.1.255 -p <port> -k <pass>
Sniffing the network for WOL requests and passwords.
All captured WOL requests will be displayed on screen and written to /usr/share/wol-e/WOLClients.txt.
wol-e -s -i eth0
Bruteforce powering on WOL clients.
wol-e -a -p <port>
Place the address ranges that you wish to bruteforce into bfmac.lst.
They should be in the following format:
Default port: 9
Detecting Apple devices on the network for WOL enabling.
This will output to the screen and write the detected Apple MACs to /usr/share/wol-e/AppleTargets.txt.
Attempt to wake all detected Apple targets in /usr/share/wol-e/AppleTargets.txt.
This will send a single WOL packet to each client in the list and tell you how many clients were attempted.
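The sniffing modes above work because a WOL magic packet is recognisable on the wire: six 0xFF bytes followed by the target MAC repeated 16 times, optionally followed by a 4- or 6-byte SecureOn password sent in clear. As an added example (not WOL-E's code) for anyone monitoring their own network, here is a decoder for that layout plus a summary over a constructed capture; the restriction of the trailer to SecureOn sizes is an assumption of this example.

```python
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

SYNC = b"\xff" * 6   # magic packet sync stream
MAC_REPEATS = 16     # target MAC repeated 16 times after the sync

class WolPacket(NamedTuple):
    target_mac: str
    password: Optional[bytes]  # SecureOn password (4 or 6 bytes) if present

def parse_magic_packet(payload: bytes) -> Optional[WolPacket]:
    """Decode a UDP payload as a WOL magic packet; None if it is not one."""
    start = payload.find(SYNC)  # the sync stream may be preceded by other data
    if start < 0:
        return None
    body = payload[start + len(SYNC):]
    mac = body[:6]
    if len(mac) < 6 or body[:6 * MAC_REPEATS] != mac * MAC_REPEATS:
        return None
    trailer = body[6 * MAC_REPEATS:]
    if len(trailer) not in (0, 4, 6):  # assumption: only SecureOn-sized trailers
        return None
    return WolPacket(":".join(f"{b:02x}" for b in mac), trailer or None)

def make_packet(mac_hex: str, password: bytes = b"") -> bytes:
    """Build a constructed sample payload for the capture below (not a sender)."""
    return SYNC + bytes.fromhex(mac_hex) * MAC_REPEATS + password

# Constructed capture: (source IP, UDP payload) pairs as a sniffer would record them
CAPTURE: List[Tuple[str, bytes]] = [
    ("192.168.1.50", make_packet("001234567890")),
    ("192.168.1.50", make_packet("001234567890")),
    ("192.168.1.77", make_packet("a1b2c3d4e5f6", b"\x01\x02\x03\x04\x05\x06")),
    ("192.168.1.9", b"not a wake-on-lan packet"),
]

def summarise(capture: List[Tuple[str, bytes]]) -> Dict[str, object]:
    """Wake attempts per target MAC, plus (source, target) pairs that carried a password."""
    attempts: Counter = Counter()
    exposed: List[Tuple[str, str]] = []
    for src, payload in capture:
        pkt = parse_magic_packet(payload)
        if pkt is None:
            continue
        attempts[pkt.target_mac] += 1
        if pkt.password is not None:
            exposed.append((src, pkt.target_mac))  # password crossed the wire in clear
    return {"attempts": dict(attempts), "password_exposed": exposed}
```

A burst of attempts against many distinct MACs from one source is the signature of the bruteforce mode described above; a non-empty `password_exposed` list is the reason a SecureOn password should never be treated as a secret.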
dnmap is a distributed Nmap framework which can hand off Nmap scans to several clients. It reads an already created file with Nmap commands and sends those commands to each client connected to it.
The framework uses a client/server architecture. The server knows what to do and the clients do it. All the logic and statistics are managed in the server. Nmap output is stored on both server and client.
Usually you would want this if you have to scan a large group of hosts and you have several different internet connections (or friends that want to help you).
Features of the framework
Clients can be run on any computer on the Internet; they do not have to be a local cluster or anything like that.
It uses the TLS protocol for encryption.
Server:
- If the server goes down, clients continue trying to connect until the server gets back online.
- If the server goes down, when you put it up again it will send commands starting from the last command given before the shutdown. You do not need to remember where it was.
- You can add new commands to the original file without having to stop the server. The server will read them automatically.
- If some client goes down, the server will remember which command it was executing and it will re-schedule it for later.
- It will store every detail of the operations in a log file.
- It shows real time statistics about the operation of each client, including:
  - Number of commands executed
  - Last time seen
  - Version of the client
  - Whether the client is being run as root or not
  - The amount of commands executed per minute
  - The historic average of the amount of commands executed per minute
  - The status of the client (Online, Offline, Executing or Storing)
- You can choose which port to use. Defaults to 46001.
Client:
- If the server goes down, it keeps connecting to it until it’s up again.
- Strips strange characters from the command sent by the server, to avoid command injection vulnerabilities.
- It only executes the Nmap command. It discards the binary named in the command sent by the server and replaces it with a known Nmap binary on the system.
- You can pick an alias for your user.
- You can change which port to connect to.
- If the command sent by the server does not have a -oA option, the client adds it to the command anyway, so it will always have a local copy of the output.
This framework is NOT intended to be secure or to be used by people you do not trust. As the client will execute any Nmap command you send, the client is trusting you. This was created so your friends can help you in the scan, or to use all your computers at the same time.
The client does not need to be run as root, but be aware that most Nmap scan types need the client to be run as root. If some of your clients are not root, you can still send them TCP connect type of scans for example. But this should be done by you in the Nmap commands file.
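The client-side safeguards listed above (strip odd characters, swap in a known Nmap binary, force -oA) amount to a small command sanitiser. The following is an added illustration of that logic, written for this page and not taken from dnmap; the binary path, the allow-list of argument characters, and the choice to refuse a command that is not nmap are assumptions of the example.

```python
import re
import shlex
import subprocess
from typing import List, Optional

NMAP_BIN = "/usr/bin/nmap"   # assumed path of the trusted local binary
# Allow-list per argument: anything else (quotes, ; | & $ ` etc.) is stripped
_SAFE = re.compile(r"[^A-Za-z0-9._/:,=-]")

def prepare_client_command(server_cmd: str, out_prefix: str) -> Optional[List[str]]:
    """Turn a server-sent command line into an argv for the local nmap, or None."""
    try:
        tokens = shlex.split(server_cmd)
    except ValueError:          # unbalanced quotes: refuse rather than guess
        return None
    if not tokens or tokens[0].rsplit("/", 1)[-1] != "nmap":
        return None             # only nmap is ever executed, whatever the server says
    argv = [NMAP_BIN]           # the server's binary name is discarded entirely
    for tok in tokens[1:]:
        clean = _SAFE.sub("", tok)
        if clean:
            argv.append(clean)
    if not any(a.startswith("-oA") for a in argv):
        argv += ["-oA", out_prefix]   # guarantee a local copy of the output
    return argv

def run_client_command(server_cmd: str, out_prefix: str) -> Optional[int]:
    """Execute the sanitised command without a shell; returns nmap's exit code."""
    argv = prepare_client_command(server_cmd, out_prefix)
    if argv is None:
        return None
    # argv form, shell=False: any metacharacter that survived is just an nmap
    # argument and cannot start a second command
    return subprocess.run(argv, check=False).returncode
```

Note that stripping only prevents shell injection; a leftover token such as a stray word still reaches nmap as an argument, which is why the page's warning that the client trusts the server operator still stands.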
So let’s talk about Web Shells, something many of us are already familiar with, but to level the field – what is a web shell? A web shell is a script that can be uploaded to a web server to enable remote administration of the machine. Infected web servers can be either Internet-facing or internal […]
DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU) Linux Command Line program coded purely in C with the ability to gather as much information as possible about a host. DMitry has a base functionality with the ability to add new functions, the basic functionality of DMitry allows for information to be gathered about a target […]
Automater is a URL/Domain, IP Address, and MD5 hash OSINT tool aimed at making the analysis process easier for intrusion analysts. Given a target (URL, IP, or HASH) or a file full of targets Automater will return relevant results from sources like the following: IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com, Labs.alienvault.com, ThreatExpert, VxVault, and VirusTotal. By […]
So Android Malware has always been quite a problem, especially with it being so easy to install random .apk files and the proliferation of 3rd party app stores. Also so many people with rooted phones and the fact that software installed can root your phone and take complete control. The current worry is the Hummer […]
ERTS or Exploit Reliability Testing System is a Python based tool to calculate the reliability of an exploit based on the number of times the exploit is able to control EIP register with the desired address/value. It’s created to help you code reliable exploits and take the manual parts out of running and re-running exploits […]
OpenIOC is an open framework for sharing threat intelligence; sophisticated threats require sophisticated indicators. In the current threat environment, rapid communication of pertinent threat information is the key to quickly detecting, responding to and containing targeted attacks. OpenIOC is designed to fill a void that currently exists for organizations that want to share threat information both […]