Darknet - The Darkside

Don't Learn to HACK - Hack to LEARN. That's our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

19 September 2015 | 2,574 views

Weevely 3 – Weaponized PHP Web Shell


Weevely is a command line weaponized PHP web shell dynamically extended over the network at runtime and is designed for remote administration and pen testing. It provides a telnet-like console through a PHP script running on the target, even in restricted environments.

The low-footprint agent and over 30 modules form an extensible framework to administer, pen-test, post-exploit and audit remote web servers, in order to escalate privileges and pivot deeper into internal networks.


The remote agent is a very low-footprint PHP script that receives dynamically injected code from the client, extending the client's functionality over the network at run time. The agent code is polymorphic, so static AV and HIDS signatures rarely match it, and the traffic is hidden and obfuscated inside ordinary-looking HTTP exchanges using steganographic techniques. For defenders the practical consequence is that a signature scan of the web root is not enough on its own; a file-integrity baseline of the document root, plus a look at any PHP file that appeared outside the normal deployment process, is what actually catches an agent like this.
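A polymorphic agent defeats exact signatures, but the constructs a PHP shell has to use (an evaluator, a decoder, request input, long opaque literals) still stand out statistically. The scanner below is an added example, not code from Weevely or from the original post: it scores PHP source on a small set of indicators and on byte entropy. The indicator list, the weights and the thresholds are assumptions chosen for illustration, and the three sample files are constructed, not real agents.

```python
"""Heuristic scan for obfuscated PHP agents (added example, not Weevely's code)."""
import math
import os
import re
from collections import Counter
from typing import Dict, List, Tuple

# (name, pattern, weight) -- constructs that legitimate code rarely combines.
# Weights are an assumption for this example.
INDICATORS: List[Tuple[str, re.Pattern, int]] = [
    ("eval", re.compile(r"\beval\s*\(", re.I), 3),
    ("dynamic_call", re.compile(r"\$\w+\s*\(\s*\$\w+"), 2),  # $f($x)
    ("decoder", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\(", re.I), 2),
    ("exec", re.compile(r"\b(system|shell_exec|passthru|exec|proc_open|popen)\s*\(", re.I), 3),
    ("create_function", re.compile(r"\bcreate_function\s*\(", re.I), 3),
    ("preg_e", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I), 3),
    ("request_input", re.compile(r"\$_(GET|POST|COOKIE|REQUEST|SERVER)\s*\["), 1),
    ("hex_chars", re.compile(r"(\\x[0-9a-f]{2}){4,}", re.I), 2),
    ("long_literal", re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"), 2),
]
ENTROPY_LIMIT = 5.5  # assumption: readable PHP sits well below this; base64/gzip blobs approach 6


def shannon_entropy(data: str) -> float:
    """Bits per character of the text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def score_php(source: str) -> Dict[str, object]:
    """Return the weighted score, the indicator names that fired, and the entropy."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(source)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    entropy = shannon_entropy(source)
    if entropy > ENTROPY_LIMIT:
        hits.append("high_entropy")
        score += 2
    return {"score": score, "hits": hits, "entropy": round(entropy, 2)}


def classify(sources: Dict[str, str], threshold: int = 5) -> List[str]:
    """Names whose score reaches the (assumed) threshold, most suspicious first."""
    scored = {name: score_php(src)["score"] for name, src in sources.items()}
    return [n for n in sorted(scored, key=scored.get, reverse=True) if scored[n] >= threshold]


def scan_dir(root: str, threshold: int = 5) -> List[str]:
    """Walk a document root and classify every PHP file found."""
    sources: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".php", ".phtml", ".php5")):
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    sources[path] = fh.read()
    return classify(sources, threshold)


# Constructed samples: one ordinary page, one small shell, one packed blob.
SAMPLES: Dict[str, str] = {
    "benign.php": "<?php\n$name = htmlspecialchars($_GET['name'] ?? 'world');\necho \"Hello, $name\";\n",
    "shell.php": "<?php\n$k='cmd';\n$f=\"sy\".\"stem\";\nif(isset($_POST[$k])){eval(base64_decode($_POST[$k]));}\n",
    "blob.php": "<?php\n$p='" + "QUJD" * 40 + "';\neval(gzinflate(base64_decode($p)));\n",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, score_php(src))
    print("flagged:", classify(SAMPLES))
```

Note what the split string `"sy"."stem"` in shell.php does: the `exec` indicator never fires, which is exactly the kind of trivial polymorphism the post describes. The file is still flagged because the other constructs cannot be hidden from a regex as easily, but a determined author can push the score under any fixed threshold, which is why the scan is a triage aid and not a substitute for an integrity baseline of the web root.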

We did mention Weevely a couple of years back at v1.0: Weevely – PHP Stealth Tiny Web Shell

Module Features

  • Shell/PHP telnet-like network terminal
  • Common server misconfigurations auditing
  • SQL console pivoting on target
  • HTTP traffic proxying through target
  • Mount target file system to local mount point
  • Conduct network scans pivoting on target
  • File upload and download
  • Spawn reverse and direct TCP shells
  • Bruteforce services accounts
  • Compress and decompress zip, gzip, bzip2 and tar archives

What’s New

  • Basic Windows support
  • OS X Support
  • Python requirements.txt
  • Encoding support for sql_console
  • Output redirection and inverse grep for file_grep
  • Run actions on start depending on the session load
  • Proxy and SOCKS support
  • Unset session variables
  • Show session variables

Weevely also provides a Python API which can be used to develop your own modules: an internal audit, an account enumerator, a sensitive-data scraper, a network scanner, modules that act as an HTTP or SQL client, and a whole lot of other cool stuff.

You can download Weevely here:


Or read more here.


17 September 2015 | 1,697 views

Kid Gets Arrested For Building A Clock – World Goes NUTS

So, today we have a tale of the fabled American knee-jerk reaction, this time to a 14 year old Muslim boy who made a cool clock and brought it to school. He got arrested, cuffed and fingerprinted – over a science project. Yah, arrested for building a clock.

That seems like a slightly harsh reaction, perhaps because his name is Ahmed? Or he’s Muslim? Or 9/11 was just a few days ago? Or all of the factors combined, and the fact his clock bleeped in class.


The coolest part? He was arrested wearing a NASA t-shirt.

Texas police have decided not to charge a 14-year-old Muslim boy who was arrested for bringing a homemade clock to school.

Officials at MacArthur High School in Irving alerted police because they thought the device was a “hoax bomb”.

Ahmed Mohamed’s arrest has been sharply criticised, and the boy has received an outpouring of support including an invitation to the White House.

Ahmed’s family believes he was detained because of his name.

“We have always had an outstanding relationship with the Muslim community,” Irving Police Department chief Larry Boyd said on Wednesday. “Incidents like this present challenges. We want to learn how we can move forward and turn this into a positive.”

The boy was placed in handcuffs and fingerprinted. He was released after it was determined there was no threat.

Zuck posted his support for Ahmed too.

You’ve probably seen the story about Ahmed, the 14 year old student in Texas who built a clock and was arrested when he…

Posted by Mark Zuckerberg on Wednesday, 16 September 2015

You can see the stream of support for the kid, and the rallying behind him, under the Twitter hashtag #IStandWithAhmed

It’s turned into quite something with POTUS, Hillary Clinton, the US Secretary of Education and many many more getting involved.

Under the hashtag “#IstandwithAhmed,” thousands of Twitter users praised the boy’s initiative and questioned why he was detained including Nasa scientists and US President Barack Obama.

“Cool clock, Ahmed. Want to bring it to the White House? We should inspire more kids like you to like science. It’s what makes America great,” Mr Obama wrote on Twitter.

The Council on American-Islamic Relations says it is investigating the incident.

Ahmed said that he had made a clock at home and brought it to school to show his engineering teacher. He said his engineering teacher had congratulated him but advised him “not to show any other teachers”.

Check out the Tweet from POTUS.

There’s a good in-depth article by CNN here as well: Muslim teen Ahmed Mohamed creates clock, shows teachers, gets arrested

It’s all getting very intense.

Source: BBC

15 September 2015 | 5,310 views

BackBox Linux – Penetration Testing LiveCD

BackBox is a penetration testing LiveCD based on Ubuntu, developed to perform penetration tests and security assessments. It is designed to be fast, easy to use and to provide a minimal yet complete desktop environment; its own software repositories keep the most used and best known ethical hacking tools at their latest stable versions.


The most recent release is BackBox Linux 4.3, the latest stable build of the project’s Ubuntu-based distribution containing a collection of utilities designed to perform penetration testing and forensic analysis tasks.

The main aim of BackBox is to provide an alternative, highly customizable and well-performing system. BackBox uses the lightweight Xfce desktop.

It includes some of the most used security and analysis Linux tools, aiming for a wide spread of goals, ranging from web application analysis to network analysis, from stress tests to sniffing, also including vulnerability assessment, computer forensic analysis and exploitation.

Part of the power of this distribution comes from its Launchpad repository core, constantly updated to the latest stable version of the most known and used ethical hacking tools.

What’s New

  • Preinstalled Linux Kernel 3.16
  • New Ubuntu 14.04.2 base
  • Ruby 2.1
  • Installer with LVM and Full Disk Encryption options
  • Handy Thunar custom actions
  • RAM wipe at shutdown/reboot
  • System improvements
  • Upstream components
  • Bug corrections
  • Performance boost
  • Improved Anonymous mode
  • Groundwork for the ARM architecture (armhf Debian packages)
  • Groundwork for the BackBox Cloud platform
  • New and updated hacking tools: beef-project, btscanner, dirs3arch, metasploit-framework, ophcrack, setoolkit, tor, weevely, wpscan, etc.

System Requirements

  • 32-bit or 64-bit processor
  • 512 MB of system memory (RAM)
  • 6 GB of disk space for installation
  • Graphics card capable of 800×600 resolution
  • DVD-ROM drive or USB port (2 GB)

Upgrade Instructions

To upgrade from a previous version (BackBox 4.x) follow these instructions:

You can download Backbox 4.3 here:

x86 – backbox-4.3-i386.iso (torrent)
x86_64 – backbox-4.3-amd64.iso (torrent)

Or read more here.

12 September 2015 | 3,179 views

AIDE – Advanced Intrusion Detection Environment

AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker, it was initially developed as a free replacement for Tripwire licensed under the terms of the GNU General Public License (GPL).


How it Works

Aide takes a “snapshot” of the state of the system, registering hashes, modification times and other data for the files the administrator defines. This snapshot is used to build a database that is saved and may be stored on an external device for safekeeping.

When the administrator wants to run an integrity test, they place the previously built database in an accessible place and tell Aide to compare it against the real status of the system. Should a change have happened between the snapshot and the test, Aide detects it and reports it. Alternatively, Aide can be configured to run on a schedule and report changes daily through cron, which is the default behaviour of the Debian Aide package.

This is mainly useful for security purposes, since any malicious change inside the system is reported by Aide, provided the database (and ideally the Aide binary and configuration too) is kept somewhere an intruder cannot rewrite it, such as read-only media or a remote host; an attacker who gains root on a box holding a writable database can simply regenerate the baseline after planting a backdoor.
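The snapshot-and-compare cycle described above, as an added example that is not AIDE's own code: it records a SHA-256 plus the permission, inode, owner, size, link and timestamp attributes for everything under a root, serialises the database to JSON so it can be moved off the host, and on the next run reports what was added, removed or changed and which attributes differ. The `demo()` function builds a small constructed tree, tampers with it, and returns the report; attribute names and the JSON layout are this example's choices, not AIDE's file format.

```python
"""Minimal file-integrity baseline and check (added example, not AIDE's code)."""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Record = Dict[str, object]


def file_record(path: str) -> Record:
    """Attributes tracked for one path; symlinks are not followed."""
    st = os.lstat(path)
    rec: Record = {
        "type": stat.S_IFMT(st.st_mode),
        "perm": stat.S_IMODE(st.st_mode),
        "inode": st.st_ino,
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "nlink": st.st_nlink,
        "mtime": int(st.st_mtime),
        "ctime": int(st.st_ctime),
    }
    if stat.S_ISLNK(st.st_mode):
        rec["lname"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def snapshot(root: str) -> Dict[str, Record]:
    """Baseline of every directory, file and symlink under root, keyed by relative path."""
    db: Dict[str, Record] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_record(full)
    return db


def save_db(db: Dict[str, Record], path: str) -> None:
    with open(path, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)


def load_db(path: str) -> Dict[str, Record]:
    with open(path) as fh:
        return json.load(fh)


def compare(old: Dict[str, Record], new: Dict[str, Record],
            ignore: Tuple[str, ...] = ()) -> Dict[str, object]:
    """Report added/removed paths and, for surviving paths, which attributes changed."""
    changed: Dict[str, List[str]] = {}
    for path in sorted(set(old) & set(new)):
        keys = set(old[path]) | set(new[path])
        diffs = sorted(k for k in keys if k not in ignore and old[path].get(k) != new[path].get(k))
        if diffs:
            changed[path] = diffs
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": changed,
    }


def demo() -> Dict[str, object]:
    """Constructed run: baseline, store the database elsewhere, tamper, re-check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "etc"))
        for rel, body in (("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n"),
                          ("etc/shadow", b"root:!:16000:0:99999:7:::\n"),
                          ("notes.txt", b"nothing to see\n")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        dbpath = os.path.join(store, "baseline.json")   # kept outside the monitored tree
        save_db(snapshot(root), dbpath)

        # Simulated intrusion: extra uid-0 account, dropped script, deleted file.
        with open(os.path.join(root, "etc/passwd"), "ab") as fh:
            fh.write(b"eve:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "etc/backdoor.sh"), "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.remove(os.path.join(root, "notes.txt"))
        return compare(load_db(dbpath), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The `ignore` tuple exists because a real deployment has to decide which attributes matter per path (AIDE does this with selection rules): log files legitimately change size and mtime, whereas for anything under /etc, /bin or a web root every attribute, including the inode, is worth alerting on.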


  • Supported message digest algorithms: md5, sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool
  • Supported file attributes: File type, Permissions, Inode, Uid, Gid, Link name, Size, Block count, Number of links, Mtime, Ctime and Atime
  • Support for Posix ACL, SELinux, XAttrs and Extended file system attributes if support is compiled in
  • Plain text configuration files and database for simplicity
  • Powerful regular expression support to selectively include or exclude files and directories to be monitored
  • Gzip database compression if zlib support is compiled in
  • Stand-alone static binary for easy client/server monitoring configurations

Aide is also included in a lot of distros, so for example on Debian and Ubuntu you can just install it straight with aptitude install aide.

You can download the latest stable version of Aide (0.15.1) source code here:


Or read more here.

10 September 2015 | 1,456 views

WhatsApp Web vCard Vulnerability Exposed 200M Users

So it seems there was a lot of noise about the WhatsApp Web vCard Vulnerability with over 200 Million people using the desktop version of WhatsApp – it’s a fairly large cache of users to go after.

Disclosed by Check Point, the vulnerability is exploited by sending a vCard contact containing malicious code to a WhatsApp Web user.


The vulnerability lies in the improper filtering of contact cards using the popular vCard format, thankfully WhatsApp reacted fairly fast on this.

A vulnerability discovered in WhatsApp Web, the web-based extension of the WhatsApp mobile application, can be exploited by attackers to trick users into executing arbitrary code on their machines.

Discovered by Check Point security researcher Kasif Dekel, the vulnerability can be exploited by simply sending a vCard contact card containing malicious code to a WhatsApp user. As soon as the seemingly innocent vCard is opened in WhatsApp Web, the malicious code in it can run on the target machine.

This vulnerability allows cybercriminals to compromise the affected computer by distributing all types of malware, including ransomware, bots, and remote access tools (RATs), Check Point’s researcher explains.

The underlying issue lies in the improper filtering of contact cards that are sent using the popular ‘vCard’ format. “By manually intercepting and crafting XMPP requests to the WhatsApp servers, it was possible to control the file extension of the contact card file,” the Check Point researcher explained in a blog post.

An attacker can inject a command in the name attribute of the vCard file, separated by the ‘&’ character. Windows automatically tries to run all lines in the file, including the injection line, when the vCard is opened.
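The two missing checks the post describes, the file extension and the contents of the name fields, are straightforward to enforce server-side before a contact card is ever relayed. The validator below is an added example written for this post, not Check Point's or WhatsApp's code: it accepts only a `.vcf` extension, parses the card's structure (including RFC 6350 line folding), refuses shell metacharacters and control characters in the name fields, and derives the stored filename from the sanitised display name rather than from anything the sender supplied. The forbidden-character policy is an assumption, and both sample cards are constructed (the injected one is a placeholder, not the researcher's payload).

```python
"""Server-side vCard validation (added example, not WhatsApp's or Check Point's code)."""
import os
import re
from typing import Dict, List, Tuple

# Assumed policy: characters a command interpreter treats specially, plus controls.
FORBIDDEN = re.compile(r"[&|;<>`$\x00-\x1f\x7f]")
ALLOWED_EXT = ".vcf"
REQUIRED = ("VERSION", "FN")


def unfold(text: str) -> List[str]:
    """Join folded lines: a continuation line starts with a space or tab (RFC 6350)."""
    lines: List[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def parse_vcard(text: str) -> Dict[str, str]:
    """Return {PROPERTY: value} for one card; raise ValueError on structural problems."""
    lines = unfold(text)
    if len(lines) < 2 or lines[0].upper() != "BEGIN:VCARD" or lines[-1].upper() != "END:VCARD":
        raise ValueError("not a single BEGIN/END vCard")
    props: Dict[str, str] = {}
    for line in lines[1:-1]:
        if ":" not in line:
            raise ValueError(f"malformed property line: {line!r}")
        head, value = line.split(":", 1)
        name = head.split(";", 1)[0].upper()   # drop parameters such as ;TYPE=cell
        props[name] = value
    for req in REQUIRED:
        if req not in props:
            raise ValueError(f"missing {req}")
    return props


def validate_contact(filename: str, text: str) -> Tuple[bool, str]:
    """(accepted, reason) for an incoming contact card."""
    if os.path.splitext(filename)[1].lower() != ALLOWED_EXT:
        return False, "file extension must be .vcf"
    try:
        props = parse_vcard(text)
    except ValueError as err:
        return False, str(err)
    # N is component-separated by ';' on purpose, so inspect its components, not the raw value.
    identity = [props.get("FN", "")] + props.get("N", "").split(";")
    for value in identity:
        if FORBIDDEN.search(value):
            return False, "forbidden character in name"
    return True, "ok"


def stored_name(props: Dict[str, str]) -> str:
    """Filename used on disk: derived from the display name, extension fixed by us."""
    base = re.sub(r"[^A-Za-z0-9 _-]", "_", props["FN"]).strip()[:64] or "contact"
    return base + ALLOWED_EXT


# Constructed samples.
GOOD = ("BEGIN:VCARD\r\nVERSION:3.0\r\nN:Doe;Jane;;;\r\nFN:Jane Doe\r\n"
        "TEL;TYPE=cell:+1-555-0100\r\nEND:VCARD\r\n")
INJECTED = ("BEGIN:VCARD\r\nVERSION:3.0\r\nN:Desk;Support;;;\r\n"
            "FN:Support Desk&calc\r\nEND:VCARD\r\n")

if __name__ == "__main__":
    for fname, card in (("jane.vcf", GOOD), ("jane.bat", GOOD), ("desk.vcf", INJECTED)):
        print(fname, validate_contact(fname, card))
```

Rejecting the wrong extension is the part that matters most here: the post notes that the extension was attacker-controlled through crafted XMPP requests, so the check has to happen on the server, where the client cannot simply skip it.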

The vulnerability is fixed and has been since August 27th, which is rapid considering the vulnerability was only disclosed to them on August 21st. Public disclosure came this week on September 8th.

You can read the full report from Check Point here: WhatsApp “MaliciousCard” Vulnerabilities Allowed Attackers to Compromise Hundreds of Millions of WhatsApp Users

This attack does not require XMPP interception or crafting, because anyone can create such a contact with an injected payload directly on the phone, Check Point notes. Once the contact is ready, the attacker only needs to share it through the WhatsApp client with unsuspecting users.

Check Point also explains that WhatsApp failed to validate the vCard format or the contents of the file, and that even an exe file could have been sent this way. Even more, malware could have been attached to a displayed icon, opening a vast world of opportunity for cybercriminals and scammers.

Over the past several years, WhatsApp has grown to become one of the most popular messaging services on mobile phones, with over 900 million users as of this month, and it has extended to the desktop as well, where it has over 200 million users.

WhatsApp Web gives users access to every message they have sent or received, including images, videos, audio files, locations and contact cards, and keeps all content synchronized with the phone, so the same attachments can be viewed on the desktop as long as they are accessible through the mobile application.

It’s cute how they tried to come up with a catchy name too like HeartBleed or LogJam – they went with ‘MaliciousCard’.

It’s rather surprising more companies or bad guys aren’t going after messaging services as they have such immense user bases (Over 900 Million for WhatsApp). Or perhaps they are, and there’s a bunch of zero-days out there no one knows about yet. That is very possible.

Source: Security Week

08 September 2015 | 6,432 views

Gcat – Python Backdoor Using Gmail For Command & Control

Gcat is a stealthy Python backdoor that uses Gmail as a command and control server. It’s fairly basic right now, but it’s an interesting proof of concept and if the community got behind it and contributed some new features it could be a pretty powerful piece of kit.


Feature wise it doesn’t have that much, you can’t upload files yet, but you can execute shellcode, download files and capture screenshots.

But as a concept it’s great: e-mail traffic? How many organisations will block that, especially to Google’s servers? It is far less conspicuous than the typical IRC traffic, though not invisible: a workstation that suddenly opens authenticated IMAP and SMTP sessions to Gmail, when nothing else on that network does, stands out in flow or proxy logs if anyone is looking.


For this to work you need:

  • A Gmail account (Use a dedicated account! Do not use your personal one!)
  • Turn on “Allow less secure apps” under the security settings of the account

This repo contains two files:

  • gcat.py a script that’s used to enumerate and issue commands to available clients
  • implant.py the actual backdoor to deploy

In both files, edit the gmail_user and gmail_pwd variables with the username and password of the account you previously setup.

You’re probably going to want to compile implant.py into an executable using PyInstaller.


Using Gcat

Once you’ve deployed the backdoor on a couple of systems, you can check available clients using the list command:

The output is a UUID string that uniquely identifies the system and the OS the implant is running on

Let’s issue a command to an implant:

Here we are telling 90b2cd83-cb36-52de-84ee-99db6ff41a11 to execute ipconfig /all, the script then outputs the jobid that we can use to retrieve the output of that command

Lets get the results!

Upcoming Features

  • Multi-platform support
  • Command to upload files
  • Transport crypto & obfuscation

You can download Gcat here:


Or read more here.

04 September 2015 | 1,756 views

Microsoft Data Harvesting Backported To Windows 7 & 8

So as a follow up to our recent article about the rather lax Windows 10 default privacy settings, Microsoft has decided that even if you aren’t upgrading – they want your data anyway.


The most complete cloud indeed, made up of telemetry from your machines. Microsoft is back-porting the data harvesting portions of Windows 10 to both Windows 7 and Windows 8 – nice eh? And yah, Microsoft data harvesting? Not really surprising to be honest.

We recently mused, half seriously, whether the entire point of the Windows 10 upgrade was to harvest your personal information. With Microsoft suffering from a serious case of Google envy, perhaps it felt it had some catching up to do.

Now Microsoft is revamping the user-tracking tools in Windows 7 and 8 to harvest more data, via some new patches.

All the updates can be removed post-installation – but all ensure the OS reports data to Microsoft even when asked not to, bypassing the hosts file and (hence) third-party privacy tools. This data can include how long you use apps, and which features you use the most, snapshots of memory to investigate crashes, and so on.

The updates are KB3068708 (“Update for customer experience and diagnostic telemetry”, mandatory), KB3075249 (“Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7”) and KB3080149 (also an “Update for customer experience and diagnostic telemetry”); the latter two are optional.

In my experience backports generally only exist in the *nix World, so Microsoft is upping their game here backporting Windows 10 ‘features’ into older operating systems, all seamlessly delivered via the patching system. The only example I really remember was a bunch of stuff from Windows Vista being backported to Windows XP when SP3 was released.

If people are only installing security updates, they might not get these: two are optional and the third shows up under recommended rather than as a security update.

The notes explain that diagnostic telemetry data is sent to settings-win.data.microsoft.com over SSL. Privacy advocates note that the OS is hardwired to use that hostname, so trying to override the address it resolves to using your PC’s hosts file won’t work.

The tools relate to Microsoft’s CEIP (‘customer experience improvement program’). Disabling the monitoring tools is complicated, requiring tweaks via both the policy editor, and at application level.

If you’re not bothered by anonymised data being sent to Microsoft (or mobile data caps) then the telemetry elevations probably won’t bother you.

Microsoft’s creepy robo-buddy “contextual operating service”, Cortana – which has caused much of the privacy concerns, even though it’s fairly well explained – remains an exclusive to Windows 10 and Windows 8.1 Phone.

If you want details on how to disable the snooping, check here: Microsoft intensifies data collection on Windows 7 and 8 systems

Not super tough to stop it, but it would be nice to be asked in the first place.

Source: The Register

31 August 2015 | 4,260 views

Tiger – Unix Security Audit & Intrusion Detection Tool

Tiger is a Unix security audit tool that can be used both for auditing and as an intrusion detection system. It supports multiple Unix platforms, is free and is provided under a GPL license. Unlike other tools, Tiger needs only POSIX tools and is written entirely in shell.

Tiger has some interesting features that merit its resurrection, including a modular design that is easy to expand, and its double edge, it can be used as an audit tool and a host intrusion detection system tool.


Free Software intrusion detection is currently going many ways, from network IDS (with Snort), to the kernel (LIDS, or SNARE for Linux and Systrace for OpenBSD, for example), not mentioning file integrity checkers (many of these: aide, integrit, samhain, tripwire…) and logcheckers (even more of these, check the Log Analysis pages). But few of them focus on the host-side of intrusion detection fully.

Tiger complements these tools and also provides a framework in which all of them can work together. Tiger is not a logchecker, nor is it focused on integrity analysis. It does “the other stuff”: it checks the system configuration and status. Read the manpage for a full description of the checks implemented in Tiger. A good example of what Tiger can do is check_findeleted, a module that determines which network servers on a system are still using deleted files (because libraries were patched during an upgrade but the services were never restarted, so they keep running the old, vulnerable code).
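The check_findeleted idea is easy to reproduce on Linux, where a process's memory map lists every file-backed mapping and the kernel appends " (deleted)" to any path whose file has since been unlinked or replaced. The script below is an added example, not Tiger's module: it parses /proc/PID/maps text, keeps only on-disk files that are marked deleted, and can run live over /proc. The list of pseudo-file prefixes to ignore is an assumption, and the sample maps excerpt is constructed.

```python
"""Find processes still mapping deleted files (added example, not Tiger's check_findeleted)."""
import os
import re
from typing import Dict, List

# One /proc/PID/maps line: range perms offset dev inode [path]  (see proc(5))
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)
DELETED = " (deleted)"
# Assumption: deleted mappings under these prefixes are shm/memfd/tmp scratch, not libraries.
IGNORE_PREFIXES = ("/dev/", "/memfd:", "/SYSV", "/run/", "/tmp/", "/[")


def deleted_mappings(maps_text: str) -> List[str]:
    """Distinct on-disk paths that one maps file still references after deletion."""
    found: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        if not path.endswith(DELETED) or m.group("inode") == "0":
            continue
        path = path[: -len(DELETED)]
        if not path.startswith("/") or path.startswith(IGNORE_PREFIXES):
            continue
        if path not in found:
            found.append(path)
    return found


def scan_proc(proc_root: str = "/proc") -> Dict[int, Dict[str, object]]:
    """Live scan: {pid: {"comm": name, "files": [...]}} for every readable process."""
    report: Dict[int, Dict[str, object]] = {}
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return report
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                files = deleted_mappings(fh.read())
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:          # permission denied, or the process exited mid-scan
            continue
        if files:
            report[int(entry)] = {"comm": comm, "files": files}
    return report


# Constructed excerpt: a server whose libssl was replaced by a package upgrade.
SAMPLE_MAPS = """\
55d5c8a00000-55d5c8a1b000 r--p 00000000 fd:01 1310743                    /usr/sbin/nginx
7f2e3c000000-7f2e3c022000 r-xp 00000000 fd:01 1050361                    /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2e3c022000-7f2e3c221000 ---p 00022000 fd:01 1050361                    /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2e3c400000-7f2e3c401000 rw-s 00000000 00:05 4231                       /dev/zero (deleted)
7f2e3c500000-7f2e3c502000 rw-s 00000000 00:16 99                         /memfd:pulse (deleted)
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0                          [stack]
"""

if __name__ == "__main__":
    print("sample:", deleted_mappings(SAMPLE_MAPS))
    for pid, info in sorted(scan_proc().items()):
        print(pid, info["comm"], *info["files"])
```

Run as root the live scan covers every process; as an unprivileged user /proc/PID/maps is readable only for your own processes, which is the same limitation Tiger's shell-based checks have.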

There are other similar tools, but most of them focus on privilege escalation:

LinEnum – Linux Enumeration & Privilege Escalation Tool
Lynis v1.6.0 Released For Download – Linux Security Auditing Tool
unix-privesc-check – Unix/Linux User Privilege Escalation Scanner

You can download Tiger here:


Or read more here.

06 August 2015 | 4,026 views

Windows 10 Privacy – Just Installed? Read This

So no big surprise here, but there are some issues with the default settings in regards to Windows 10 privacy: if you run through the express install without customizing settings, the defaults are a little suspect.


A lot of Windows 7 and Windows 8 users have already opted in to the automatic (and free) upgrade to the latest operating system from Microsoft – Windows 10, so I would imagine this affects a lot of people.

Here’s a quick FYI: if you installed Windows 10, and in a rush to try out Microsoft’s new operating system, you clicked through the default settings without looking, you may want to look again.

If you value your privacy, or have a distrust of Microsoft, you probably want to make sure some or all of the settings are flipped to off. These include things like sending “typing and inking” data to Microsoft’s servers, and letting apps identify you by your unique advertising ID number.

Your physical whereabouts and your web browser history, plus your contacts and calendar records, are also phoned home to Redmond. Your PC will even let other computers download updates from it, and potentially share your Wi-Fi network with strangers.

There’s a handy guide to the settings you need to look out for during the install and afterwards. On an installed system, find the Settings app and select Privacy to see all the controls.

You probably want to turn Cortana off, unless you find it really useful, and don’t forget to opt-out of personalized ads (more info here).

Some of the features, which are on by default, have their uses: for example, SmartScreen is supposed to stop you from downloading malware or visiting websites known to be infecting PCs, assuming you’re using Internet Explorer and apps from the Windows Store. And sending odd-looking executable files to Windows Defender so they can be scanned for malware improves security for everyone using Windows 10.

So yah, no surprise it’s phoning home to Redmond – but the amount of data shared might be more than you are comfortable with, especially coming from Windows 7 (which doesn’t really share anything). I can’t say I’m familiar enough with Windows 8 to comment on its privacy settings or issues.

Here’s the guide to the settings and how to protect yourself – https://fix10.isleaked.com/

But the company tells the press: “Windows does not collect personal information without your consent. To effectively provide Windows as a service, Microsoft gathers some performance, diagnostic and usage information that helps keep Windows and apps running properly. Microsoft uses this information to identify problems and develop fixes.”

Yes, these are interesting features – perhaps even useful. It would be fantastic, though, if there was more information upfront about the services before we decide to enable them, as opposed to forcing them on us and hoping we won’t notice or care. We’re all adults, and we know what it feels like when someone is trying to pull a fast one on us.

And Windows 10 feels like it’s trying to pull a fast one on a lot of us.

Before the Microsoft apologists get too upset, there are similar defaults in OS X and some flavors of Linux. Google Android and Chrome are also pretty aggressive with your data. It always pays to check the default settings.

As mentioned, it’s also not super uncommon and we reported on the Mac OS X Yosemite Spotlight Privacy issue before, Chrome, Android and certain versions of Linux also phone a fair amount of data home.

As always, check the defaults and ensure you choose the settings that protect you to a degree you’re comfortable with.

Source: The Register

05 August 2015 | 8,335 views

FruityWifi – Wireless Network Auditing Tool

FruityWifi is an open source wireless network auditing tool, it allows the user to deploy advanced attacks by directly using the web interface or by sending messages to it. Initially the application was created to be used with the Raspberry-Pi, but it can be installed on any Debian based system.


Tested in Debian, Kali Linux, Kali Linux ARM (Raspberry Pi), Raspbian (Raspberry Pi), Pwnpi (Raspberry Pi), Bugtraq.

What’s New

With the new version, it is possible to install external modules. This gives the user more flexibility, and FruityWifi can be customized: modules can be added or removed at any time from the on-line repository.

Now it is possible to use FruityWifi combining multiple networks and setups:

  • Ethernet <--> Ethernet,
  • Ethernet <--> 3G/4G,
  • Ethernet <--> Wifi,
  • Wifi <--> Wifi,
  • Wifi <--> 3G/4G, etc.

Among the new options on the control panel, the AP mode can be switched between Hostapd and Airmon-ng, which allows more chipsets, such as Realtek, to be used.

Each network interface can be customized, so the user can keep the current setup or change it completely. It also has a new interface, new modules, Realtek chipset support, Mobile Broadband (3G/4G) support, a new control panel, and more.


  • Hostapd Karma
  • URLsnarf
  • DNSspoof
  • Kismet
  • Squid (code injection capabilities)
  • SSLstrip (code injection capabilities)
  • nmap
  • mdk3
  • ngrep
  • Captive Portal
  • Nessus
  • Ettercap
  • Tcpdump
  • AutoSSH
  • Supplicant
  • 3G/4G

You can download FruityWifi v2.2 here:


Or read more here.