Archive | March, 2016

BetterCap – Modular, Portable MiTM Framework


BetterCAP is a powerful, modular, portable MiTM framework that allows you to perform various types of Man-In-The-Middle attacks against the network. It can also help to manipulate HTTP and HTTPS traffic in real-time and much more.

BetterCap - Modular, Portable MiTM Framework


BetterCap has some pretty impressive Spoofing abilities with multiple host discovery (just launch the tool and it will start discovery), ARP spoofing, DNS spoofing and ICMP doubledirect spoofing.

The other tool similar to this would be: MITMf – Man-In-The-Middle Attack Framework and specfically for SSL you have sslsniff v0.7 – SSL Man-In-The-Middle (MITM) Tool.

BetterCap MiTM Features

Some of the main features include:

  • Full and half duplex ARP spoofing.
  • The first real ICMP DoubleDirect spoofing implementation.
  • Configurable DNS spoofing.
  • Realtime and completely automatized host discovery.
  • Realtime credentials harvesting for protocols such as HTTP(S) POSTed data, Basic and Digest Authentications, FTP, IRC, POP, IMAP, SMTP, NTLM ( HTTP, SMB, LDAP, etc ) and more.
  • Fully customizable network sniffer.
  • Modular HTTP and HTTPS transparent proxies with support for user plugins + builtin plugins to inject custom HTML code, JS or CSS files and URLs.
  • SSLStripping with HSTS bypass.
  • Builtin HTTP server.

Why BetterCap not Ettercap?

Ettercap still has some plus points like you can see connections and raw pcap stuff, but it’s not all relevant to everyone. Mostly it’s showing its’ age and BetterCap doesn’t have the below cons:


  • Ettercap was a great tool, but it’s old
  • Ettercap filters do not work most of the times
  • Ettercap filters are outdated
  • Ettercap filters are hard to implement due to the implementation language.
  • Ettercap is unstable on big networks (try host discovery on a network bigger than /24)
  • Ettercap is hard to extend or add modules to unless you’re a C/C++ developer.
  • Ettercap’s and MITMf’s ICMP spoofing is completely useless in 2016.
  • Ettercap does not provide a builtin and modular HTTP(S) transparent proxy.
  • Ettercap does not provide a smart and fully customizable credentials sniffer.

You can download BetterCap via the Ruby gem system so:

Then:

Kali Linux also has bettercap packaged, install it and all dependencies on the latest version of Kali using this:

Or read more here.

Posted in: Networking Hacking Tools

Topic: Networking Hacking Tools


Latest Posts:


Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.


Mac OS X Ransomware KeRanger Is Linux Encoder Trojan


So there’s been a fair bit of noise this past week about the Mac OS X Ransomware, the first of its’ kind called KeRanger. It also happens to be the first popular Mac malware of any form for some time.

It’s also a lesson to all the Apple fanbois that their OS is not impervious and this was bundled with legit software (Transmission) and bypassed the Gatekeeper protection as it was signed with a legit cert.

Mac OS X Ransomware KeRanger

It turns out, basically it’s just the Linux Encoder Trojan (the first Linux ransomware trojan) re-purposed for Macs, as well OS X is a *nix variant based on OpenBSD with a fancy window manager.

The world’s first fully functional OS X ransomware, KeRanger, is really a Mac version of the Linux Encoder Trojan, according to new research from Romanian security software firm Bitdefender.

The infected OS X torrent update carrying KeRanger looks virtually identical to version 4 of the Linux Encoder Trojan that has already infected thousands of Linux servers this year.

KeRanger spread via an infected version of an otherwise legitimate open source BitTorrent application, Transmission. The tainted version (2.90) was available for download between March 4 and March 5, 2016 and came signed with a legitimate developer certificate.

Apple’s OS X ships with a security feature called Gatekeeper, allowing users to restrict which sources they can install applications from in order to minimize the likelihood of deploying a malicious app. The default setting allows users to install applications from the Mac App Store or applications that are digitally signed by a developer.

By using a developer certificate to sign their wares, the crooks behind KeRanger were able to circumvent Apple’s GateKeeper control. Apple has since revoked the misused certificate, which was issued to a Turkish firm, so the immediate panic is over.

However, similar attacks along the same lines might easily re-appear, so merely disallowing unsigned software from running on Macs is no defense.


It’s a pretty nasty form of cyber-bullying, and well as we wrote before, if you do get hit there’s not a lot you can do. Even the FBI Recommends Crypto Ransomware Victims Just Pay.

The developer cert used to sign the dodgy version of Tranmission has been revoked, but it just goes to show the system is not flawless and this could easily happen again.

KeRanger isn’t the first Mac malware with the capability to circumvent Gatekeeper. For example, three years ago the same trick was used in a trojan (KitM.A) found on computers belonging to Angolan civil rights activists, Bitdefender reports.

“Once the infected installer is executed, the Trojan connects to the command and control centers via TOR and retrieves an encryption key,” explained Catalin Cosoi, chief security strategist at Bitdefender.

“After encryption finishes, the KeRanger ransomware creates a file called README_FOR_DECRYPT.txt, which holds the information on how the victim should pay the ransom. The encryption functions are identical to those deployed by the Linux Encoder Trojan and have the same names.”

Six months ago, only Windows and Android smartphone users needed to worry about ransomware, but that has changed more recently so that Linux server admins and even Mac users need to be wary of potential attack. Windows remains the target of the greatest number of different ransomware strains and the main locus of the problem, as it is for other types of malware.

The developers behind the Linux Encoder malware have either expanded to OS X or have licensed their code to a cybercrime group specializing in OS X attacks, according to Bitdefender.

I’m pretty sure no one reading this site will get caught out by this kind of thing, but if you did well that mistake is gonna cost you over $400USD.

Be wary, and do inform your Apple loving friends and family members that the bad guys feel like it’s worth targeting them now, the free-love, no anti-virus party is over.

Source: The Register

Posted in: Apple, Malware

Topic: Apple, Malware


Latest Posts:


Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.


DIRB – Domain Brute-forcing Tool


DIRB is a Web Content Scanner AKA a domain brute-forcing tool. It looks for existing (and/or hidden) Web Objects, it works by launching a dictionary based attack against a web server and analysing the responses.

DIRB - Domain Brute-forcing Tool


What is DIRB?

DIRB comes with a set of preconfigured attack word-lists for easy usage but you can use your custom word-lists. Also it can sometimes can be used as a classic CGI scanner, but do remember this is a content scanner not a vulnerability scanner.

There are other tools with similar functionalities such as:

Patator – Multi-threaded Service & URL Brute Forcing Tool
dirs3arch – HTTP File & Directory Brute Forcing Tool
DirBuster – Brute Force Directories & Files Names

And tools that can accomplish the same or similar things like:

Wfuzz v1.4 Released for Download – Bruteforcing & Fuzzing Web Applications

DIRB Usage For Domain Brute-forcing

You can download DIRB the domain brute force tool here:

dirb222.tar.gz

Or read more here.

Posted in: Hacking Tools

Topic: Hacking Tools


Latest Posts:


Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.


AuthMatrix for Burp Suite – Web Authorisation Testing Tool


AuthMatrix a web authorisation testing tool built as an extension to Burp Suite that provides a simple way to test authorisation in web applications and web services. With AuthMatrix, testers focus on thoroughly defining tables of users, roles, and requests for their specific target application upfront. These tables are displayed through the UI in a similar format to that of an access control matrix commonly built in various threat modelling methodologies.

AuthMatrix - Test Web Authorisation

Once the tables have been assembled, testers can use the simple click-to-run interface to efficiently run all combinations of roles and requests. Testers can then confirm their results with an easy to read, color-coded interface indicating any authorisation vulnerabilities detected in the system. Additionally, the extension provides the ability to save and load target configurations for simple regression testing.

Usage

  • Create users that fit these various roles and check all roles that the user belongs to. If a user is part of multiple roles, check each role individually.
  • From another area of Burp Suite (i.e. Target tab, Repeater Tab, etc) right click a request and select “Send to AuthMatrix.” This will create a new item in the second table of the interface. Multiple requests can be added all at once by selecting several requests from within the Target tab.
  • In the second table of AuthMatrix, check all roles that are authorised to make each request.
  • Create a regex based on the expected response behavior of the request to determine if the action has succeeded. Common regexes include HTTP Response headers, success messages within the body, or other variations within the body of the page.
  • Generate session tokens for each user via a web browser or the repeater tab and enter them into the correct field within the first table.
  • Click Run to run all requests or right click several messages and select run. Observe that the adjacent table will show color-coded results, red indicating the request did not return expected results and may indicate a vulnerability.

You can download AuthMatrix here:

AuhtMatrix.py

Or read more here.

Posted in: Hacking Tools, Web Hacking

Topic: Hacking Tools, Web Hacking


Latest Posts:


Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.


DROWN Attack on TLS – Everything You Need To Know


So SSL in general is having a rough time lately, now with the SSLv2 DROWN attack on TLS. And this is not long after Logjam and a while since Heartbleed, POODLE and FREAK.

DROWN is a cross-protocol attack that can decrypt passively collected TLS sessions from up-to-date clients and stands for Decrypting RSA with Obsolete and Weakened eNcryption.

DROWN Attack

DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third-parties being able to read the communication.

The full technical paper is available here: drown-attack-paper.pdf [PDF]

In some ways this is just a new, improved, stronger version of the earlier Bleichenbacher attack.

A typical scenario requires the attacker to observe 1,000 TLS handshakes, then initiate 40,000 SSLv2 connections and perform 250 offline work to decrypt a 2048-bit RSA TLS cipher-text.

If any other server uses the same private key and allows SSLv2 connections, even for completely different protocol, you could be vulnerable. Many companies reuse the same certificate and key on their web and email servers, for instance. In this case, if the email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server to break TLS connections to the web server.

Ouch.


In a worst case scenario and with adequate processing power, this could mean a real time man-in-the-middle attack is possible.

Am I vulnerable?

If you have any servers, anywhere with SSLv2 enabled – then yes. If you share private keys (that includes with a CDN provider, mail server, DNS server etc) you could be in worse trouble. Even if your web server doesn’t have SSLv2 enabled, you are still vulnerable.

How do I protect myself

For most of Linux bods, OpenSSL already released a patched version of their library last Tuesday – if you haven’t already installed it please do so ASAP.

On Ubuntu it’s as simple as doing aptitude update; aptitude safe-upgrade -y; and then restarting all relevant services, or simply rebooting.

Check your OpenSSL build date – it should be February 29th for you to be safe:

For nginx, newer versions disable SSLv2 by defauly anyway, but if you want to be sure use the following:

And for Apache:

So go and patch, and if you’re not sure about the implications of this attack I suggest regenerating your private keys, regenerate new SSL certs and install those after patching and blocking SSLv2 from all your services.

The official site for the attack can be found here: https://drownattack.com/

More Reading

Reddit: The DROWN Attack
One-third of all HTTPS websites open to DROWN attack
DROWN Vulnerability Hits SSL/TLS, but It’s No Heartbleed

Posted in: Cryptography, Exploits/Vulnerabilities

Topic: Cryptography, Exploits/Vulnerabilities


Latest Posts:


Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.


Cyborg Hawk Linux – Linux Hacking Distro


Cyborg Hawk Linux is a Ubuntu based Linux Hacking Distro also know as a Pentesting Linux Distro it is developed and designed for ethical hackers and penetration testers. Cyborg Hawk Distro can be used for network security and assessment and also for digital forensics. It also has various tools suited to the testing of Mobile Security and Wireless infrastructure.

Cyborg Hawk Linux - Linux Hacking Distro


It’s clearly not as performant, advanced or polished as something like Kali – but it’s a good start and I hope the developers keep working on it and rope in some higher level security engineers to work on the OS optimization and driver stack.

Cyborg Hawk Linux Features

Cyborg Linux has quite an extensive set of modifications based on a Ubuntu subsystem with its own customised PPA repository.

The features are as follows:

  • More than 750+ penetration testing tools included.
  • Cyborg Hawk is totally Free and always will be.
  • Can be used as live OS with full capability.
  • Exploitation Toolkit, Stress Testing, Reverse Engineering, Forensics, Mobile Security & Wireless Security.
  • Full virtual machine support in version v1.1.
  • Now comes with its own repository.
  • Reliable and stable.
  • Various Wireless devices support.
  • Well sorted menu, everything organised in a logical manner.
  • The kernel is patched from injection.

Cyborg Hawk Linux Hacking Tool Categories

The 750 or so tools are grouped roughly in the menu in the following categories:

  • Information Gathering
  • Vulnerability Assessment
  • Exploitation
  • Privilege Escalation
  • Maintaining Access
  • Documentation & Reporting
  • Reverse Engineering
  • Stress Testing
  • Forensics
  • Wireless Security
  • RFID/NFC
  • Hardware Hacking
  • VoIP Analysis
  • Mobile Security
  • Malware Analysis

Cyborg Hawk Download

You can download Cyborg Hawk Linux here:

cyborg-hawk-linux-v-1.1.iso

Or read more here.

Posted in: Hacking Tools

Topic: Hacking Tools


Latest Posts:


Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.