14 Best Hacking Websites to Learn Ethical Hacking From Basic

• SecTools.Org: List of 75 security tools based on a 2003 vote by hackers.
• SecurityFocus: Provides security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.
• KitPloit: Leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security.
• Hacked Gadgets: A resource for DIY project documentation as well as general gadget and technology news.
• Phrack Magazine: Digital hacking magazine.
• NFOHump: Offers up-to-date .NFO files and reviews on the latest pirate software releases.
• DEFCON: Information about the largest annual hacker convention in the US, including past speeches, video, archives, and updates on the next upcoming show as well as links and other details.
• The Hacker News: The Hacker News — most trusted and widely-acknowledged online cyber security news magazine with in-depth technical coverage for cybersecurity.
• HackRead: HackRead is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance, and Hacking News with full-scale reviews on Social Media Platforms.
• Exploit DB: An archive of exploits and vulnerable software by Offensive Security. The site collects exploits from submissions and mailing lists and concentrates them in a single database.
• Metasploit: Find security issues, verify vulnerability mitigations & manage security assessments with Metasploit. Get the worlds best penetration testing software now.
• Hakin9: E-magazine offering in-depth looks at both attack and defense techniques and concentrates on difficult technical issues.
• Packet Storm: Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers.
• Black Hat: The Black Hat Briefings have become the biggest and the most important security conference series in the world by sticking to our core value: serving the information security community by delivering timely, actionable security information in a friendly, vendor-neutral environment.

How To Crack A Password

What is Password Cracking?

Password cracking is the process of attempting to gain Unauthorized access to restricted systems using common passwords or algorithms that guess passwords. In other words, it's an art of obtaining the correct password that gives access to a system protected by an authentication method.

Password cracking employs a number of techniques to achieve its goals. The cracking process can involve either comparing stored passwords against word list or use algorithms to generate passwords that match

In this Tutorial, we will introduce you to the common password cracking techniques and the countermeasures you can implement to protect systems against such attacks.

Topics covered in this tutorial

• What is password strength?
• Password cracking techniques
• Password Cracking Tools
• Password Cracking Counter Measures
• Hacking Assignment: Hack Now!

What is password strength?

Password strength is the measure of a password's efficiency to resist password cracking attacks. The strength of a password is determined by;

• Length: the number of characters the password contains.
• Complexity: does it use a combination of letters, numbers, and symbol?
• Unpredictability: is it something that can be guessed easily by an attacker?

Let's now look at a practical example. We will use three passwords namely

1.  password

2.  password1

3.  #password1$

 For this example, we will use the password strength indicator of Cpanel when creating passwords. The images below show the password strengths of each of the above-listed passwords.

Note: the password used is password the strength is 1, and it's very weak.

Note: the password used is password1 the strength is 28, and it's still weak.

Note: The password used is #password1$ the strength is 60 and it's strong.

The higher the strength number, better the password.

Let's suppose that we have to store our above passwords using md5 encryption. We will use an online md5 hash generator to convert our passwords into md5 hashes.

 The table below shows the password hashes

Password	MD5 Hash	Cpanel Strength Indicator
password	5f4dcc3b5aa765d61d8327deb882cf99	1
password1	7c6a180b36896a0a8c02787eeafb0e4c	28
#password1$	29e08fb7103c327d68327f23d8d9256c	60

 We will now use http://www.md5this.com/ to crack the above hashes. The images below show the password cracking results for the above passwords.

As you can see from the above results, we managed to crack the first and second passwords that had lower strength numbers. We didn't manage to crack the third password which was longer, complex and unpredictable. It had a higher strength number.

Password cracking techniques

There are a number of techniques that can be used to crack passwords. We will describe the most commonly used ones below;

• Dictionary attack– This method involves the use of a wordlist to compare against user passwords.
• Brute force attack– This method is similar to the dictionary attack. Brute force attacks use algorithms that combine alpha-numeric characters and symbols to come up with passwords for the attack. For example, a password of the value "password" can also be tried as p@$$word using the brute force attack.
• Rainbow table attack– This method uses pre-computed hashes. Let's assume that we have a database which stores passwords as md5 hashes. We can create another database that has md5 hashes of commonly used passwords. We can then compare the password hash we have against the stored hashes in the database. If a match is found, then we have the password.
• Guess– As the name suggests, this method involves guessing. Passwords such as qwerty, password, admin, etc. are commonly used or set as default passwords. If they have not been changed or if the user is careless when selecting passwords, then they can be easily compromised.
• Spidering– Most organizations use passwords that contain company information. This information can be found on company websites, social media such as facebook, twitter, etc. Spidering gathers information from these sources to come up with word lists. The word list is then used to perform dictionary and brute force attacks.

Spidering sample dictionary attack wordlist

1976 <founder birth year>

smith jones <founder name>

acme <company name/initials>

built|to|last <words in company vision/mission>

golfing|chess|soccer <founders hobbies

Password cracking tool

These are software programs that are used to crack user passwords. We already looked at a similar tool in the above example on password strengths. The website www.md5this.com uses a rainbow table to crack passwords. We will now look at some of the commonly used tools

John the Ripper

John the Ripper uses the command prompt to crack passwords. This makes it suitable for advanced users who are comfortable working with commands. It uses to wordlist to crack passwords. The program is free, but the word list has to be bought. It has free alternative word lists that you can use. Visit the product website http://www.openwall.com/john/ for more information and how to use it.

Cain & Abel

Cain & Abel runs on windows. It is used to recover passwords for user accounts, recovery of Microsoft Access passwords; networking sniffing, etc. Unlike John the Ripper, Cain & Abel uses a graphic user interface. It is very common among newbies and script kiddies because of its simplicity of use. Visit the product website http://www.softpedia.com/get/Security/Decrypting-Decoding/Cain-and-Abel.shtml for more information and how to use it.

Ophcrack

Ophcrack is a cross-platform Windows password cracker that uses rainbow tables to crack passwords. It runs on Windows, Linux and Mac OS. It also has a module for brute force attacks among other features. Visit the product website http://ophcrack.sourceforge.net/  for more information and how to use it.

Password Cracking Counter Measures

• An organization can use the following methods to reduce the chances of the passwords been cracked
• Avoid short and easily predicable passwords
• Avoid using passwords with predictable patterns such as 11552266.
• Passwords stored in the database must always be encrypted. For md5 encryptions, its better to salt the password hashes before storing them. Salting involves adding some word to the provided password before creating the hash.
• Most registration systems have password strength indicators, organizations must adopt policies that favor high password strength numbers.

Hacking Activity: Hack Now!

In this practical scenario, we are going to crack Windows account with a simple password. Windows uses NTLM hashes to encrypt passwords. We will use the NTLM cracker tool in Cain and Abel to do that.

Cain and Abel cracker can be used to crack passwords using;

• Dictionary attack
• Brute force
• Cryptanalysis

We will use the dictionary attack in this example. You will need to download the dictionary attack wordlist here 10k-Most-Common.zip

For this demonstration, we have created an account called Accounts with the password qwerty on Windows 7.

Password cracking steps

• Open Cain and Abel, you will get the following main screen

• Make sure the cracker tab is selected as shown above
• Click on the Add button on the toolbar.

• The following dialog window will appear

• The local user accounts will be displayed as follows. Note the results shown will be of the user accounts on your local machine.

• Right click on the account you want to crack. For this tutorial, we will use Accounts as the user account.

• The following screen will appear

• Right click on the dictionary section and select Add to list menu as shown above
• Browse to the 10k most common.txt file that you just downloaded

• Click on start button
• If the user used a simple password like qwerty, then you should be able to get the following results.

• Note: the time taken to crack the password depends on the password strength, complexity and processing power of your machine.
• If the password is not cracked using a dictionary attack, you can try brute force or cryptanalysis attacks.

Summary

• Password cracking is the art of recovering stored or transmitted passwords.
• Password strength is determined by the length, complexity, and unpredictability of a password value.
• Common password techniques include dictionary attacks, brute force, rainbow tables, spidering and cracking.
• Password cracking tools simplify the process of cracking passwords.

@EVERYTHING NT

More information

• Hacker Software
• Pentest Tools Free
• Hacking Meaning
• Hacking Growth
• Hacking Programs
• Pentest Ftp
• Hacking Browser
• Pentesterlab
• Basic Pentest 1 Walkthrough
• Pentest Red Team
• Pentesterlab

Webkiller Tool | Information Gathering | Github

More information

1. Pentesterlab
2. Pentest With Metasploit
3. Hacker0Ne
4. Hacking Wifi
5. Hacking The Art Of Exploitation
6. Hacking Apps
7. Pentest Guide
8. What Hacking Is
9. Pentest Report

CEH: System Hacking, Cracking A Password, Understanding The LAN Manager Hash, NetBIOS DoS Attacks

Passwords are the key element of information require to access the system. Similarly, the first step is to access the system is that you should know how to crack the password of the target system. There is a fact that users selects passwords that are easy to guess. Once a password is guessed or cracked, it can be the launching point for escalating privileges, executing applications, hiding files, and covering tracks. If guessing a password fails, then passwords may be cracked manually or with automated tools such as a dictionary or brute-force method.

Cracking a Password

Passwords are stored in the Security Accounts Manager (SAM) file on a Windows system and in a password shadow file on a Linux system.

Manual password cracking involves attempting to log on with different passwords. The hacker follows these steps:

1. Find a valid user account (such as Administrator or Guest).
2. Create a list of possible passwords.
3. Rank the passwords from high to low probability.
4. Key in each password.
5. Try again until a successful password is found.

A hacker can also create a script file that tries each password in a list. This is still considered manual cracking, but it's time consuming and not usually effective.

A more efficient way of cracking a password is to gain access to the password file on a system. Most systems hash (one-way encrypt) a password for storage on a system. During the logon process, the password entered by the user is hashed using the same algorithm and then compared to the hashed passwords stored in the file. A hacker can attempt to gain access to the hashing algorithm stored on the server instead of trying to guess or otherwise identify the password. If the hacker is successful, they can decrypt the passwords stored on the server.

Understanding the LAN Manager Hash

Windows 2000 uses NT LAN Manager (NTLM) hashing to secure passwords in transit on the network. Depending on the password, NTLM hashing can be weak and easy to break. For example, let's say that the password is 123456abcdef . When this password is encrypted with the NTLM algorithm, it's first converted to all uppercase: 123456ABCDEF . The password is padded with null (blank) characters to make it 14 characters long: 123456ABCDEF__ . Before the password is encrypted, the 14-character string is split in half: 123456A and
BCDEF__ . Each string is individually encrypted, and the results are concatenated:

123456A = 6BF11E04AFAB197F
BCDEF__ = F1E9FFDCC75575B15

The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15 .

Cracking Windows 2000 Passwords

The SAM file in Windows contains the usernames and hashed passwords. It's located in the Windows\system32\config directory. The file is locked when the operating system is running so that a hacker can't attempt to copy the file while the machine is booted to Windows.

One option for copying the SAM file is to boot to an alternate operating system such as DOS or Linux with a boot CD. Alternately, the file can be copied from the repair directory. If a system administrator uses the RDISK feature of Windows to back up the system, then a compressed copy of the SAM file called SAM._ is created in C:\windows\repair . To expand this file, use the following command at the command prompt:

C:\>expand sam._ sam

After the file is uncompressed, a dictionary, hybrid, or brute-force attack can be run against the SAM file using a tool like L0phtCrack. A similar tool to L0phtcrack is Ophcrack.

Download and install ophcrack from http://ophcrack.sourceforge.net/

Redirecting the SMB Logon to the Attacker

Another way to discover passwords on a network is to redirect the Server Message Block (SMB) logon to an attacker's computer so that the passwords are sent to the hacker. In order to do this, the hacker must sniff the NTLM responses from the authentication server and trick the victim into attempting Windows authentication with the attacker's computer.

A common technique is to send the victim an email message with an embedded link to a fraudulent SMB server. When the link is clicked, the user unwittingly sends their credentials over the network.

SMBRelay

An SMB server that captures usernames and password hashes from incoming
SMB traffic. SMBRelay can also perform man-in-the-middle (MITM) attacks.

SMBRelay2

Similar to SMBRelay but uses NetBIOS names instead of IP addresses to capture usernames and passwords.

pwdump2

A program that extracts the password hashes from a SAM file on a Windows system. The extracted password hashes can then be run through L0phtCrack to break the passwords.

Samdump

Another program that extracts NTLM hashed passwords from a SAM file.

C2MYAZZ

A spyware program that makes Windows clients send their passwords as clear text. It displays usernames and their passwords as users attach to server resources.

NetBIOS DoS Attacks

A NetBIOS denial-of-service (DoS) attack sends a NetBIOS Name Release message to the NetBIOS Name Service on a target Windows systems and forces the system to place its name in conflict so that the name can no longer be used. This essentially blocks the client from participating in the NetBIOS network and creates a network DoS for that system.

1. Start with a memorable phrase, such as "Maryhadalittlelamb"
2. Change every other character to uppercase, resulting in "MaRyHaDaLiTtLeLaMb"
3. Change a to @ and i to 1 to yield "M@RyH@D@L1TtLeL@Mb"
4. Drop every other pair to result in a secure repeatable password or "M@H@L1LeMb"

Now you have a password that meets all the requirements, yet can be "remade" if necessary.

More info

1. Hacker Anonymous
2. Pentest Windows
3. Hacker Wifi Password
4. Pentest Framework
5. Pentest Firewall
6. Pentest Reporting Tool
7. Hacking Images
8. Pentest Book

How To Hack Any Whatsapp Account In 2020

The article will also be broken down into different subtopics and subcategories. This to make it easy for those who are just interested in skimming through the article to pick the part of WhatsApp hack they are most interested in. Just incase you don't have enough time to go through the entire article.

Search queries like these are a common place; Can WhatsApp be hacked? Can you read WhatsApp messages? How safe is the most popular trade fair in the world? This article gives you all the solution you need to hack any WhatsApp account, as well as how to protect yourself from a WhatsApp hack attack.

Although the messenger is now on an end-to-end encryption, WhatsApp is still not totally safe from espionage. WhatsApp chats and messages can still be accessed and read remotely, and old &deleted WhatsApp chats and messages retrieved.

WhatsApp Spy: Hack WhatsApp Chats and Messages

A very simple solution is to use a software that can hack WhatsApp remotely. All manufacturers offer to read the WhatsApp messages an extra web portal. In addition to the Whatsapp messages but can also spy on other messengers. So you can also have access to social media accounts.

The software may only be installed on a smartphone. If the user of the smartphone has been informed about the installation and effects.

WhatsApp Hacker: 3 Steps to Hack WhatsApp in 2020

You can hack Whatsapp using a second cell phone. No extra SIM card is necessary for this. The guide also works with a tablet. With this method, the other phone only needs to clone WhatsApp messages is internet connection.

The trick to hack Whatsapp successfully is not a software bug. It's the way WhatsApp has developed the setup wizard. Since there are no user accounts with passwords and you log in via the mobile number, here lies the vulnerability. But you can also protect yourself from the Whatsapp hack.

Hack WhatsApp Chat with the Best WhatsApp Hacking Tool

To read Whatsapp messages, the mobile phone number of the target must be known. The cell phone can remain locked. There is no need to install software to hack and read Whatsapp messages. Even with the PIN or fingerprint, the Whatsapp account can be hacked.

STEP 1: Create a New WhatsApp Account

To hack an account from Whatsapp, the app from the App Store must be installed on the second cell phone. After the installation of Whatsapp, target's phone number is entered. A confirmation request must be waited until access to the smartphone of the victim exists.

STEP 2: WhatsApp Account Confirmation

The confirmation of the Whatsapp account is the actual security risk of the messenger. Whatsapp usually confirms the registration via SMS. Occasionally the confirmation will also be sent by automated phone call via a phone call.

Calls and text messages can be read and taken by anyone even when the screen is locked. So that the WhatsApp hack does not stand out, the SMS must be removed from the start screen by swiping.

STEP 3: Enter Confirmation

The stolen verification PIN is now entered on the second smartphone. As a result, the WhatsApp account has been taken over by you. You can read the WhatsApp messages, which respond to this mobile phone number.

The downside to this trick is that the victim immediately notices the Whatsapp hack as soon as Whatsapp is opened. If the victim goes through the sign-in process again. The attacker loses access to the messages and no Whatsapp messages can be read.

How to Hack Someone's WhatsApp in 2020

A good way to hack a WhatsApp account is to hack whatsapp online. Here you can read WhatsApp messages via a browser and also write. The target user can continue to use his cell phone (works for iOS, Android phone etc) and does not notice the WhatsApp hack.

STEP 1: Access the Cell Phone

In order to be able to read WhatsApp messages by installing software. Access to the unlocked smartphone is required for a short time. In addition, cell phone, a computer or laptop is necessary. On this the Whatsapp messages will be read later.

STEP 2: Access WhatsApp Web

If you have access to the unlocked smartphone, Whatsapp must be started there. The Whatsapp settings include Whatsapp Web . If this is selected, Whatsapp opens a QR code scanner with the hint to open WhatsApp Web in the browser.

If the QR code is scanned in the browser with the smartphone. There is a permanent connection and Whatsapp messages can be read. If you want to hack Whatsapp in this way. You have full access to all incoming messages and you can even write messages yourself.

STEP 3: Read WhatsApp Messages

The target usually sees this Whatsapp hack only when the settings are invoked to Whatsapp Web in the app. Whatsapp messages can be read via the browser. Regardless of whether the smartphone is on home Wi-Fi or on the move. You can also hack group chats admin by just having any of the contact details.

WhatsApp Hack: How to Hack any WhatsApp account

Which is the most popular messaging app globally? Of course, you can use different apps from Android or iOS to send and receive messages. But Whatsapp remains everyone's favorite globally!

Whatsapp is one of the popular apps in the world. There are more than 2 billion active users on Whatsapp, messaging daily with the app. Why do people love WhatsApp? Whatsapp is very convenient and easy to use.

Other messaging apps like Facebook Messenger, still needs a special account to sign up for this app. If you change a new app, you'll need to add another account. This can be stressful, as you have to remember a lot of new passwords and usernames.

HACKER NT

Read more

• Hacker Typer
• How To Pentest A Network
• Hacking Hardware
• Hacker Tools
• How To Pentest A Network
• Pentest Gear
• Pentest Security
• Hacker Tools
• Pentest Os
• Hacker Videos
• Pentest As A Service

Attacking Financial Malware Botnet Panels - SpyEye

This is the second blog post in the "Attacking financial malware botnet panels" series. After playing with Zeus, my attention turned to another old (and dead) botnet, SpyEye. From an ITSEC perspective, SpyEye shares a lot of vulnerabilities with Zeus. 

The following report is based on SpyEye 1.3.45, which is old, and if we are lucky, the whole SpyEye branch will be dead soon. 

Google dorks to find SpyEye C&C server panel related stuff:

• if the img directory gets indexed, it is rather easy, search for e.g. inurl:b-ftpbackconnect.png
• if the install directory gets indexed, again, easy, search for e.g. inurl:spylogo.png
• also, if you find a login screen, check the css file (style.css), and you see #frm_viewlogs, #frm_stat, #frm_botsmon_country, #frm_botstat, #frm_gtaskloader and stuff like that, you can be sure you found it
• otherwise, it is the best not to Google for it, but get a SpyEye sample and analyze it

And this is how the control panel login looks like, nothing sophisticated:

The best part is that you don't have to guess the admin's username ;)

This is how an average control panel looks like:

Hack the Planet! :)

Boring vulns found (warning, an almost exact copy from the Zeus blog post)

• Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
• No password policy - admins can set up really weak passwords
• No anti brute-force - you can try to guess the admin's password. There is no default username, as there is no username handling!
• Password autocomplete enabled - boring
• Missing HttpOnly flag on session cookie - interesting when combining with XSS
• No CSRF protection - e.g. you can upload new exe, bin files, turn plugins on/off :-( boring. Also the file extension check can be bypassed, but the files are stored in the database, so no PHP shell this time. If you check the following code, you can see that even the file extension and type is checked, and an error is shown, but the upload process continues. And even if the error would stop the upload process, the check can be fooled by setting an invalid $uptype. Well done ...

        if ($_FILES['file']['tmp_name'] && ($_FILES['file']['size'] > 0))
        {
                $outstr = "<br>";
                set_time_limit(0);
                $filename = str_replace(" ","_",$_FILES['file']['name']);
                $ext = substr($filename, strrpos($filename, '.')+1);
                if( $ext==='bin' && $uptype!=='config' ) $outstr .= "<font class='error'>Bad CONFIG extension!</font><br>";
                if( $ext==='exe' && $uptype!=='body' && $uptype!=='exe' ) $outstr .= "<font class='error'>Bad extension!</font><br>";

                switch( $uptype )
                {
                case 'body': $ext = 'b'; break;
                case 'config': $ext = 'c'; break;
                case 'exe': $ext = 'e'; break;
                default: $ext = 'e';
                }
                $_SESSION['file_ext'] = $ext;
                if( isset($_POST['bots']) && trim($_POST['bots']) !== '')
                {
                        $bots = explode(' ', trim($_POST['bots']));
                        //writelog("debug.log", trim($_POST['bots']));
                        $filename .= "_".(LastFileId()+1);
                }
                if( FileExist($filename) ) $filename .= LastFileId();
                $tmpName  = $_FILES['file']['tmp_name'];
                $fileSize = $_FILES['file']['size'];
                $fileType = $_FILES['file']['type'];
                ## reading all file for calculating hash
                $fp = fopen($tmpName, 'r');

• Clear text password storage - the MySQL passwords are stored in php files, in clear text. Also, the login password to the form panel is stored in clear text.
• MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5. Just look at the pure simplicity of the login check, great work!

$query = "SELECT * FROM users_t WHERE uPswd='".md5($pswd)."'";

• ClickJacking - really boring stuff

SQL injection

SpyEye has a fancy history of SQL injections. See details here, here, here, video here and video here.

It is important to highlight the fact that most of the vulnerable functions are reachable without any authentication, because these PHP files lack user authentication at the beginning of the files.

But if a C&C server owner gets pwned through this vuln, it is not a good idea to complain to the developer, because after careful reading of the install guide, one can see:

"For searching info in the collector database there is a PHP interface as formgrabber admin panel. The admin panel is not intended to be found on the server. This is a client application."

And there are plenty of reasons not to install the formgrabber admin panel on any internet reachable server. But this fact leads to another possible vulnerability. The user for this control panel is allowed to remotely login to the MySQL database, and the install guide has pretty good passwords to be reused. I mean it looks pretty secure, there is no reason not to use that.

CREATE USER 'frmcpviewer' IDENTIFIED BY 'SgFGSADGFJSDGKFy2763272qffffHDSJ';

Next time you find a SpyEye panel, and you can connect to the MySQL database, it is worth a shot to try this password.

Unfortunately the default permissions for this user is not enough to write files (select into outfile):

Access denied for user 'frmcpviewer' (using password: YES)

I also made a little experiment with this SQL injection vulnerability. I did set up a live SpyEye botnet panel, created the malware install binaries (droppers), and sent the droppers to the AV companies. And after more and more sandboxes connected to my box, someone started to exploit the SQL injection vulnerability on my server!

63.217.168.90 - - [16/Jun/2014:04:43:00 -0500] "GET /form/frm_boa-grabber_sub.php?bot_guid=&lm=3&dt=%20where%201=2%20union%20select%20@a:=1%20from%20rep1%20where%20@a%20is%20null%20union%20select%20@a:=%20@a%20%2b1%20union%20select%20concat(id,char(1,3,3,7),bot_guid,char(1,3,3,7),process_name,char(1,3,3,7),hooked_func,char(1,3,3,7),url,char(1,3,3,7),func_data)%20from%20rep2_20140610%20where%20@a=3%23 HTTP/1.1" 200 508 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"

Although the query did not return any meaningful data to the attacker (only data collected from sandboxes), it raises some legal questions.

Which company/organization has the right to attack my server? 

• police (having a warrant)
• military (if we are at war)
• spy agencies (always/never, choose your favorite answer)
• CERT organisations?

But, does an AV company or security research company has the legal right to attack my server? I don't think so... The most problematic part is when they hack a server (without authorization), and sell the stolen information in the name of "intelligence service". What is it, the wild wild west?

The SQLi clearly targets the content of the stolen login credentials. If this is not an AV company, but an attacker, how did they got the SpyEye dropper? If this is an AV company, why are they stealing the stolen credentials? Will they notify the internet banking owners about the stolen credentials for free? Or will they do this for money?

And don't get me wrong, I don't want to protect the criminals, but this is clearly a grey area in the law. From an ethical point of view, I agree with hacking the criminal's servers. As you can see, the whole post is about disclosing vulns in these botnet panels. But from a legal point of view, this is something tricky ... I'm really interested in the opinion of others, so comments are warmly welcome.

On a side note, I was interested how did the "attackers" found the SpyEye form directory? Easy, they brute-forced it, with a wordlist having ~43.000 entries.

(Useless) Cross site scripting

Although parts of the SpyEye panel are vulnerable to XSS, it is unlikely that you will to find these components on the server, as these codes are part of the install process, and the installer fails to run if a valid install is found. And in this case, you also need the DB password to trigger the vuln...

Session handling

This is a fun part. The logout button invalidates the session only on the server side, but not on the client side. But if you take into consideration that the login process never regenerates the session cookies (a.k.a session fixation), you can see that no matter how many times the admin logs into the application, the session cookie remains the same (until the admin does not close the browser). So if you find a session cookie which was valid in the past, but is not working at the moment, it is possible that this cookie will be valid in the future ...

Binary server

Some parts of the SpyEye server involve running a binary server component on the server, to collect the form data. It would be interesting to fuzz this component (called sec) for vulns.

Log files revealed

If the form panel mentioned in the SQLi part is installed on the server, it is worth visiting the <form_dir>/logs/error.log file, you might see the path of the webroot folder, IP addresses of the admins, etc.

Reading the code

Sometimes reading the code you can find code snippets, which is hard to understand with a clear mind:

$content = fread($fp, filesize($tmpName));
if ( $uptype === 'config' )
    $md5 = GetCRC32($content);
else $md5 = md5($content);
....
<script>
if (navigator.userAgent.indexOf("Mozilla/4.0") != -1) {
        alert("Your browser is not support yet. Please, use another (FireFox, Opera, Safari)");
        document.getElementById("div_main").innerHTML = "<font class=\'error\'>ChAnGE YOuR BRoWsEr! Dont use BUGGED Microsoft products!</font>";
}
</script>

Decrypting SpyEye communication

It turned out that the communication between the malware and C&C server is not very sophisticated (Zeus does a better job at it, because the RC4 key stream is generated from the botnet password).

function DeCode($content)
{
        $res = '';
        for($i = 0; $i < strlen($content); $i++)
        {
                $num = ord($content[$i]);
                if( $num != 219) $res .= chr($num^219);
        }
        return $res;
}

Fixed XOR key, again, well done ...

This means that it is easy to create a script, which can communicate with the SpyEye server. For example this can be used to fill in the SpyEye database with crap data.

import binascii
import requests
import httplib, urllib

def xor_str(a, b):
    i = 0
    xorred = ''
    for i in range(len(a)):
        xorred += chr(ord(a[i])^b)
    return xorred
            
b64_data= "vK6yv+bt9er17O3r6vqPnoiPjZb2i5j6muvo6+rjmJ/9rb6p5urr6O/j/bK+5uP16/Xs7evq9ers7urv/bSo5u316vXs7evq/a6v5pq/trK1/bi4qbjm453j6uPv7Or9tr/u5um+uuvpve3p7eq/4+vsveLi7Lnqvrjr6ujs7rjt7rns/au3vOa5sre3srW8s7q2tr6p4Lm3tLiw4LmuvKm+q7Spr+C4uPu8qbq5ub6p4Li4vKm6ubm+qeC4qb6/sq+8qbq54LiuqK+0tri0tbW+uK+0qeC/v7So4L+1qLqrsuC+trqyt7ypurm5vqngvb24vqmvvKm6ubm+qeC9/aivuq/mtLW3srW+"
payload =xor_str (binascii.a2b_base64(b64_data), 219) 
print ("the decrypted payload is: " + payload)
params = (binascii.b2a_base64(xor_str(payload,219)))
payload = {'data': params}
r = requests.post("http://spyeye.localhost/spyeye/_cg/gate.php", data=payload)

Morale of the story?

Criminals produce the same shitty code as the rest of the world, and thanks to this, some of the malware operators get caught and are behind bars now. And the law is behind the reality, as always.

Continue reading

• Hacking Box
• Hacking Process
• Hacker News
• Pentest Hardware
• Pentesterlab
• Pentest Free
• Pentest Basics

DOWNLOAD SENTRY MBA V1.4.1 – AUTOMATED ACCOUNT CRACKING TOOL

Sentry MBA is an automated account cracking tool that makes it one of the most popular cracking tools. It is used by cybercriminals to take over user accounts on major websites. With Sentry MBA, criminals can rapidly test millions of usernames and passwords to see which ones are valid on a targeted website. The tool has become incredibly popular — the Shape Security research team sees Sentry MBA attack attempts on nearly every website we protect.  Download Sentry MBA v1.4.1 latest version.

FEATURES

Sentry MBA has a point-and-click graphical user interface, online help forums, and vibrant underground marketplaces to enable large numbers of individuals to become cybercriminals. These individuals no longer need advanced technical skills, specialized equipment, or insider knowledge to successfully attack major websites.

Sentry MBA attack has three phases,

• Targeting and attack refinement
• Automated account check
• Monetization

Related news

1. How To Pentest A Network
2. Hacker0Ne
3. Pentest Xss
4. Hackerrank
5. Hacker Tools
6. Pentest Tools
7. Pentest Open Source
8. Pentest Website
9. Pentest +

Rootkit Umbreon / Umreon - X86, ARM Samples

Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems
Research: Trend Micro


There are two packages
one is 'found in the wild' full and a set of hashes from Trend Micro (all but one file are already in the full package)

Download

Download Email me if you need the password  

File information

Part one (full package)

#	File Name	Hash Value	File Size (on Disk)	Duplicate?
1	.umbreon-ascii	0B880E0F447CD5B6A8D295EFE40AFA37	6085 bytes (5.94 KiB)
2	autoroot	1C5FAEEC3D8C50FAC589CD0ADD0765C7	281 bytes (281 bytes)
3	CHANGELOG	A1502129706BA19667F128B44D19DC3C	11 bytes (11 bytes)
4	cli.sh	C846143BDA087783B3DC6C244C2707DC	5682 bytes (5.55 KiB)
5	hideports	D41D8CD98F00B204E9800998ECF8427E	0 bytes ( bytes)	Yes, of file promptlog
6	install.sh	9DE30162E7A8F0279E19C2C30280FFF8	5634 bytes (5.5 KiB)
7	Makefile	0F5B1E70ADC867DD3A22CA62644007E5	797 bytes (797 bytes)
8	portchecker	006D162A0D0AA294C85214963A3D3145	113 bytes (113 bytes)
9	promptlog	D41D8CD98F00B204E9800998ECF8427E	0 bytes ( bytes)
10	readlink.c	42FC7D7E2F9147AB3C18B0C4316AD3D8	1357 bytes (1.33 KiB)
11	ReadMe.txt	B7172B364BF5FB8B5C30FF528F6C5125	2244 bytes (2.19 KiB)
12	setup	694FFF4D2623CA7BB8270F5124493F37	332 bytes (332 bytes)
13	spytty.sh	0AB776FA8A0FBED2EF26C9933C32E97C	1011 bytes (1011 bytes)	Yes, of file spytty.sh
14	umbreon.c	91706EF9717176DBB59A0F77FE95241C	1007 bytes (1007 bytes)
15	access.c	7C0A86A27B322E63C3C29121788998B8	713 bytes (713 bytes)
16	audit.c	A2B2812C80C93C9375BFB0D7BFCEFD5B	1434 bytes (1.4 KiB)
17	chown.c	FF9B679C7AB3F57CFBBB852A13A350B2	2870 bytes (2.8 KiB)
18	config.h	980DEE60956A916AFC9D2997043D4887	967 bytes (967 bytes)
19	config.h.dist	980DEE60956A916AFC9D2997043D4887	967 bytes (967 bytes)	Yes, of file config.h
20	dirs.c	46B20CC7DA2BDB9ECE65E36A4F987ABC	3639 bytes (3.55 KiB)
21	dlsym.c	796DA079CC7E4BD7F6293136604DC07B	4088 bytes (3.99 KiB)
22	exec.c	1935ED453FB83A0A538224AFAAC71B21	4033 bytes (3.94 KiB)
23	getpath.h	588603EF387EB617668B00EAFDAEA393	183 bytes (183 bytes)
24	getprocname.h	F5781A9E267ED849FD4D2F5F3DFB8077	805 bytes (805 bytes)
25	includes.h	F4797AE4B2D5B3B252E0456020F58E59	629 bytes (629 bytes)
26	kill.c	C4BD132FC2FFBC84EA5103ABE6DC023D	555 bytes (555 bytes)
27	links.c	898D73E1AC14DE657316F084AADA58A0	2274 bytes (2.22 KiB)
28	local-door.c	76FC3E9E2758BAF48E1E9B442DB98BF8	501 bytes (501 bytes)
29	lpcap.h	EA6822B23FE02041BE506ED1A182E5CB	1690 bytes (1.65 KiB)
30	maps.c	9BCD90BEA8D9F9F6270CF2017F9974E2	1100 bytes (1.07 KiB)
31	misc.h	1F9FCC5D84633931CDD77B32DB1D50D0	2728 bytes (2.66 KiB)
32	netstat.c	00CF3F7E7EA92E7A954282021DD72DC4	1113 bytes (1.09 KiB)
33	open.c	F7EE88A523AD2477FF8EC17C9DCD7C02	8594 bytes (8.39 KiB)
34	pam.c	7A947FDC0264947B2D293E1F4D69684A	2010 bytes (1.96 KiB)
35	pam_private.h	2C60F925842CEB42FFD639E7C763C7B0	12480 bytes (12.19 KiB)
36	pam_vprompt.c	017FB0F736A0BC65431A25E1A9D393FE	3826 bytes (3.74 KiB)
37	passwd.c	A0D183BBE86D05E3782B5B24E2C96413	2364 bytes (2.31 KiB)
38	pcap.c	FF911CA192B111BD0D9368AFACA03C46	1295 bytes (1.26 KiB)
39	procstat.c	7B14E97649CD767C256D4CD6E4F8D452	398 bytes (398 bytes)
40	procstatus.c	72ED74C03F4FAB0C1B801687BE200F06	3303 bytes (3.23 KiB)
41	readwrite.c	C068ED372DEAF8E87D0133EAC0A274A8	2710 bytes (2.65 KiB)
42	rename.c	C36BE9C01FEADE2EF4D5EA03BD2B3C05	535 bytes (535 bytes)
43	setgid.c	5C023259F2C244193BDA394E2C0B8313	667 bytes (667 bytes)
44	sha256.h	003D805D919B4EC621B800C6C239BAE0	545 bytes (545 bytes)
45	socket.c	348AEF06AFA259BFC4E943715DB5A00B	579 bytes (579 bytes)
46	stat.c	E510EE1F78BD349E02F47A7EB001B0E3	7627 bytes (7.45 KiB)
47	syslog.c	7CD3273E09A6C08451DD598A0F18B570	1497 bytes (1.46 KiB)
48	umbreon.h	F76CAC6D564DEACFC6319FA167375BA5	4316 bytes (4.21 KiB)
49	unhide-funcs.c	1A9F62B04319DA84EF71A1B091434C64	4729 bytes (4.62 KiB)
50	cryptpass.py	2EA92D6EC59D85474ED7A91C8518E7EC	192 bytes (192 bytes)
51	environment.sh	70F467FE218E128258D7356B7CE328F1	1086 bytes (1.06 KiB)
52	espeon-connect.sh	A574C885C450FCA048E79AD6937FED2E	247 bytes (247 bytes)
53	espeon-shell	9EEF7E7E3C1BEE2F8591A088244BE0CB	2167 bytes (2.12 KiB)
54	espeon.c	499FF5CF81C2624B0C3B0B7E9C6D980D	14899 bytes (14.55 KiB)
55	listen.sh	69DA525AEA227BE9E4B8D59ACFF4D717	209 bytes (209 bytes)
56	spytty.sh	0AB776FA8A0FBED2EF26C9933C32E97C	1011 bytes (1011 bytes)
57	ssh-hidden.sh	AE54F343FE974302F0D31776B72D0987	127 bytes (127 bytes)
58	unfuck.c	457B6E90C7FA42A7C46D464FBF1D68E2	384 bytes (384 bytes)
59	unhide-self.py	B982597CEB7274617F286CA80864F499	986 bytes (986 bytes)
60	listen.sh	F5BD197F34E3D0BD8EA28B182CCE7270	233 bytes (233 bytes)

part 2 (those listed in the Trend Micro article)

#	File Name	Hash Value	File Size (on Disk)
1	015a84eb1d18beb310e7aeeceab8b84776078935c45924b3a10aa884a93e28ac	A47E38464754289C0F4A55ED7BB55648	9375 bytes (9.16 KiB)
2	0751cf716ea9bc18e78eb2a82cc9ea0cac73d70a7a74c91740c95312c8a9d53a	F9BA2429EAE5471ACDE820102C5B8159	7512 bytes (7.34 KiB)
3	0a4d5ffb1407d409a55f1aed5c5286d4f31fe17bc99eabff64aa1498c5482a5f	0AB776FA8A0FBED2EF26C9933C32E97C	1011 bytes (1011 bytes)
4	0ce8c09bb6ce433fb8b388c369d7491953cf9bb5426a7bee752150118616d8ff	B982597CEB7274617F286CA80864F499	986 bytes (986 bytes)
5	122417853c1eb1868e429cacc499ef75cfc018b87da87b1f61bff53e9b8e8670	9EEF7E7E3C1BEE2F8591A088244BE0CB	2167 bytes (2.12 KiB)
6	409c90ecd56e9abcb9f290063ec7783ecbe125c321af3f8ba5dcbde6e15ac64a	B4746BB5E697F23A5842ABCAED36C914	6149 bytes (6 KiB)
7	4fc4b5dab105e03f03ba3ec301bab9e2d37f17a431dee7f2e5a8dfadcca4c234	D0D97899131C29B3EC9AE89A6D49A23E	65160 bytes (63.63 KiB)
8	8752d16e32a611763eee97da6528734751153ac1699c4693c84b6e9e4fb08784	E7E82D29DFB1FC484ED277C702187818	55564 bytes (54.26 KiB)
9	991179b6ba7d4aeabdf463118e4a2984276401368f4ab842ad8a5b8b73088522	2B1863ACDC0068ED5D50590CF792DF05	7664 bytes (7.48 KiB)
10	a378b85f8f41de164832d27ebf7006370c1fb8eda23bb09a3586ed29b5dbdddf	A977F68C59040E40A822C384D1CEDEB6	176 bytes (176 bytes)
11	aa24deb830a2b1aa694e580c5efb24f979d6c5d861b56354a6acb1ad0cf9809b	DF320ED7EE6CCF9F979AEFE451877FFC	26 bytes (26 bytes)
12	acfb014304b6f2cff00c668a9a2a3a9cbb6f24db6d074a8914dd69b43afa4525	84D552B5D22E40BDA23E6587B1BC532D	6852 bytes (6.69 KiB)
13	c80d19f6f3372f4cc6e75ae1af54e8727b54b51aaf2794fedd3a1aa463140480	087DD79515D37F7ADA78FF5793A42B7B	11184 bytes (10.92 KiB)
14	e9bce46584acbf59a779d1565687964991d7033d63c06bddabcfc4375c5f1853	BBEB18C0C3E038747C78FCAB3E0444E3	71940 bytes (70.25 KiB)

Continue reading

1. Hacking Websites
2. Pentest Cyber Security
3. Pentest Azure
4. Pentest +
5. Basic Pentest 1 Walkthrough
6. Hacking Quotes
7. Pentest Iso
8. Pentesterlab
9. Hacking Apps