sábado, 16 de mayo de 2020

Takeover - SubDomain TakeOver Vulnerability Scanner


Sub-domain takeover vulnerability occur when a sub-domain (subdomain.example.com) is pointing to a service (e.g: GitHub, AWS/S3,..) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that sub-domain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com. For more information: here



Installation:
# git clone https://github.com/m4ll0k/takeover.git
# cd takeover
# python takeover.py
or:
wget -q https://raw.githubusercontent.com/m4ll0k/takeover/master/takeover.py && python takeover.py


Related links


  1. Hacking News
  2. Libros Para Aprender A Hackear
  3. Hacking Hardware
  4. Hacking Etico Libro
  5. Hardware Hacking
Publicadas por a la/s No hay comentarios.:

Networking | Switching And Routing | Tutorial 1 | 2018


Welcome to my new series of tutorials about networking. Moreover in this series I'll discuss briefly each and every thing related to routing and switching. After that you will able to pass an exam of HCNA, CCNA etc. First of all you have to know which software is used by which company such as Huawei used its own software named eNSP while Cisco used its own software named Cisco Packet Tracer. After that you have to know that how to download and install both of the software in your computer systems. So the purpose of this blog is to give you people an overview about how to download and install both of them.

What is a Network? 

First of all we must have to know about what is a network. So the network is the interconnection of two or more than two devices in such a way that they can communicate each other. In computer networks we can say that the interconnection of two or more than two end devices (computer, laptops, printers etc) for the sake of sending and receiving some amount of data is known as computer network.

What is Internet?  

The very simple and easily understandable definition of a internet is "The network of networks". Now what is meant by that? When different networks from the different areas or at the same areas wanna communicate with each other then internet formed. So we can say that "Internet is the interconnection of different networks in such a way that networks can communicate with each other".



Appeared:
  • Cyber Space (Computer Security).
  • Terror Security (Computer Security).
  • National Cyber Security Services.

Brief Introduction
  • Tishna is useful in Banks, Private Organisations and Ethical hacker personnel for legal auditing.
  • It serves as a defense method to find as much as information possible for gaining unauthorised access and intrusion.
  • With the emergence of more advanced technology, cybercriminals have also found more ways to get into the system of many organizations.
  • Tishna software can audit, servers and web behaviour.
  • Tishna can perform Scanning & Enumeration as much as possible of target.
  • It's first step to stop cyber criminals by securing your Servers and Web Application Security.
  • Tishna is false positive free, when there is something it will show no matter what, if it is not, it will give blank results rather error.

Developer

Support to the coder
   You can sponsor and support via BTC.
   The bitcoin address: 3BuUYgEgsRuEra4GwqNVLKnDCTjLEDfptu
qr code

Related links


Publicadas por a la/s No hay comentarios.:

Evil Limiter: Taking Control Of Your Network Bandwidth







Ever wanted to block someone from the network or limit their bandwidth without having the network admin privileges? Well Evil Limiter has got you covered then.

An amazing tool to help you control your network without having access to the admin panel.
Today I'm gonna show you how to use this interesting tool to take control of your network.


Requirements:

1. A PC or Laptop with Linux OS.
2. A Network Adapter.
3. Access to the Network you want to control.
4. sudo or root access on your Linux OS.

First of all we will download the tool from its github repository:
https://github.com/bitbrute/evillimiter

You can download and extract the zip file from the link above or you can clone evillimiter repository using git like this:

git clone https://github.com/bitbrute/evillimiter 

Now lets install the downloaded tool on our machine
Step 1: Move inside the downloaded github repository

cd evillimiter

Step 2: To install type

sudo python3 setup.py install

wait for the installation to finish (May take some time)

Step 3: To run type

sudo evilimiter

Voila! That's it, you got it up and running on your machine

Now how do you control your network with it, its very easy.
It should detect your network automatically but yeah you can set it up manually as well using the command line argument -i.

After you have selected the right interface to control, you need to scan your network for live hosts. To perform the scan type

scan

you can pass an optional flag to the scan command which is range which will help you to specify the range of ip addresses you want to scan like this

scan --range 192.168.1.1-192.168.1.100




The above command will scan a total of 100 hosts from 192.168.1.1 to 192.168.1.100

Now after you have scanned your network next thing is to list the hosts that have been discovered during the scan for that you type the hosts command like this

hosts




Now you know the hosts on your network and now you should know which host you wanna block or limit based on the mac address of the host. Remember the host id of the host that you want to block or limit bandwidth of and lets do the magic.
to block a host from using the internet we simply specify the block command followed by the host id of the host that we want to block like this

block 1




if instead of blocking the host we just want to limit his internet bandwidth we can do just that by using the limit command followed by the host id and then the bandwidth that we want to allocate to that particular host like this

limit 1 100kbits




Wohooo! yeah its that easy and yes you can do all this without having the network admin role.
Now if you want to show mercy on that poor guy (blocked host), you can set him free by using the free command followed by the host id like this:

free 1




Well isn't administrating your network bandwidth so easy now.
Hope you enjoyed this tutorial.:)

Related links
Publicadas por a la/s No hay comentarios.:

New Printers Vulnerable To Old Languages

When we published our research on network printer security at the beginning of the year, one major point of criticism was that the tested printers models had been quite old. This is a legitimate argument. Most of the evaluated devices had been in use at our university for years and one may raise the question if new printers share the same weaknesses.

35 year old bugs features

The key point here is that we exploited PostScript and PJL interpreters. Both printer languages are ancient, de-facto standards and still supported by almost any laser printer out there. And as it seems, they are not going to disappear anytime soon. Recently, we got the chance to test a $2,799 HP PageWide Color Flow MFP 586 brand-new high-end printer. Like its various predecessors, the device was vulnerable to the following attacks:
  • Capture print jobs of other users if they used PostScript as a printer driver; This is done by first infecting the device with PostScript code
  • Manipulate printouts of other users (overlay graphics, introduce misspellings, etc.) by infecting the device with PostScript malware
  • List, read from and write to files on the printers file system with PostScript as well as PJL functions; limited to certain directories
  • Recover passwords for PostScript and PJL credentials; This is not an attack per se but the implementation makes brute-force rather easy
  • Launch denial of Service attacks of various kinds:

Now exploitable from the web

All attacks can be carried out by anyone who can print, which includes:
Note that the product was tested in the default configuration. To be fair, one has to say that the HP PageWide Color Flow MFP 586 allows strong, Kerberos based user authentication. The permission to print, and therefore to attack the device, can be be limited to certain employees, if configured correctly. The attacks can be easily reproduced using our PRET software. We informed HP's Software Security Response Team (SSRT) in February.

Conclusion: Christian Slater is right

PostScript and PJL based security weaknesses have been present in laser printers for decades. Both languages make no clear distinction between page description and printer control functionality. Using the very same channel for data (to be printed) and code (to control the device) makes printers insecure by design. Manufacturers however are hard to blame. When the languages were invented, printers used to be connected to a computer's parallel or serial port. No one probably thought about taking over a printer from the web (actually the WWW did not even exist, when PostScript was invented back in 1982). So, what to do? Cutting support for established and reliable languages like PostScript from one day to the next would break compatibility with existing printer drivers. As long as we have legacy languages, we need workarounds to mitigate the risks. Otherwise, "The Wolf" like scenarios can get very real in your office…

More articles
  1. Linux Hacking Distro
  2. Etica Hacker
  3. Hacking News
  4. Hacking Aves
  5. Hacking Wifi Kali Linux
  6. Tecnicas De Hacking
  7. Como Hackear
  8. Ethical Hacking Certification
  9. Hacking Background
  10. Black Hacker
  11. Hacking 101
  12. Curso Completo De Hacking Ético
  13. Windows Hacking
Publicadas por a la/s No hay comentarios.:

Osueta: A Simple Python Script To Exploit The OpenSSH User Enumeration Timing Attack


About Osueta?
   Osueta it's a simple Python 2 script to exploit the OpenSSH User Enumeration Timing Attack, present in OpenSSH versions <= 7.2 and >= 5.*. The script has the ability to make variations of the username employed in the bruteforce attack, and the possibility to establish a DoS condition in the OpenSSH server.

    Read more: OpenSSH User Enumeration Time-Based Attack

   The bug was corrected in OpenSSH version 7.3.

   Authors of Osueta:

Osueta's Installation
   For Linux users, open your Terminal and enter these commands:
   If you're Windows users, follow these steps:
  • Install Python 2.7.x from Python.org first. On Install Python 2.7.x Setup, choose Add python.exe to Path.
  • Download Osueta-master zip file.
  • Then unzip it.
  • Open CMD or PowerShell window at the Osueta folder you have just unzipped and enter these commands:
    pip install python-nmap paramiko IPy
    python osueta.py -h

Advice: Like others offensive tools, the authors disclaims all responsibility in the use of this script.

Osueta help menu:

Osueta's examples:
   A single user enumeration attempt with username variations:
python2 osueta.py -H 192.168.1.6 -p 22 -U root -d 30 -v yes

   A single user enumeration attempt with no user variations a DoS attack:
python2 osueta.py -H 192.168.1.6 -p 22 -U root -d 30 -v no --dos yes

   Scanning a C class network with only one user:
python2 osueta.py -H 192.168.1.0/24 -p 22 -U root -v no 

   Scanning a C class network with usernames from a file, delay time 15 seconds and a password of 50000 characters:
python2 osueta.py -H 192.168.1.0/24 -p 22 -L usernames.txt -v yes -d 15 -l 50

Related links
  1. Seguridad Y Hacking
  2. Blog Hacking
  3. Hacking Tools
  4. Curso Completo De Hacking Ético
  5. Phone Hacking
  6. Aprender Hacking Desde Cero
  7. Hacking Mifare
  8. Experto En Seguridad Informática
Publicadas por a la/s No hay comentarios.:

APPLE IPHONE X FACE ID CAN BE HACKED WITH SILICON MASK

Just a week after Apple released its brand new iPhone X on November 3, a team of researchers has claimed to successfully hack Apple's Face ID facial recognition technology with a mask that costs less than $150. They said Apple iPhone x face id can be hacked with silicon mask easily.

apple iPhone x face id hacked
Yes, Apple's "ultra-secure" Face ID security for the iPhone X is not as secure as the company claimed during its launch event in September this year.

"Apple engineering teams have even gone and worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID," Apple's senior VP of worldwide marketing Phil Schiller said about Face ID system during the event.

"These are actual masks used by the engineering team to train the neural network to protect against them in Face ID."

However, the bad news is that researchers from Vietnamese cybersecurity firm Bkav were able to unlock the iPhone X using a mask.

Yes, Bkav researchers have a better option than holding it up to your face while you sleep. Bkav researchers re-created the owner's face through a combination of 3D printed mask, makeup, and 2D images with some "special processing done on the cheeks and around the face, where there are large skin areas" and the nose is created from silicone.

The researchers have also published a proof-of-concept video, showing the brand-new iPhone X first being unlocked using the specially constructed mask, and then using the Bkav researcher's face, in just one go.

"Many people in the world have tried different kinds of masks but all failed. It is because we understand how AI of Face ID works and how to bypass it," an FAQ on the Bkav website said.

"You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID's AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought."

Researchers explain that their "proof-of-concept" demo took about five days after they got iPhone X on November 5th. They also said the demo was performed against one of their team member's face without training iPhone X to recognize any components of the mask.

"We used a popular 3D printer. The nose was made by a handmade artist. We use 2D printing for other parts (similar to how we tricked Face Recognition 9 years ago). The skin was also hand-made to trick Apple's AI," the firm said.

The security firm said it cost the company around $150 for parts (which did not include a 3D printer), though it did not specify how many attempts its researchers took them to bypass the security of Apple's Face ID.

It should be noted that creating such a mask to unlock someone's iPhone is a time-consuming process and it is not possible to hack into a random person's iPhone.

However, if you prefer privacy and security over convenience, we highly recommend you to use a passcode instead of fingerprint or Face ID to unlock your phone.

More info


  1. Hacking Madrid
  2. Curso De Hacker Gratis Desde Cero
  3. Hacking Iphone
  4. Arduino Hacking
  5. Paginas Para Hackear
  6. Hacking 101
Publicadas por a la/s No hay comentarios.:

jueves, 14 de mayo de 2020

AirPodSpy: Cómo Te Pueden Vigilar Por Tus Apple AirPods

El otro día, en la segunda parte del artículo que estoy escribiendo sobre AirPods Pro: Safety & Security os hablé de un descubrimiento que había hecho sobre el funcionamiento de Find My iPhone para los AirPods de Apple que me aterraba. Se trata de la posibilidad de parear los Apple AirPods a dos cuentas
de Apple ID, lo que permite que una persona sepa en todo momento donde está la otra persona.

Figura 1: AirPodSpy: Cómo te pueden vigilar por tus Apple AirPods

Hoy os hemos hecho un vídeo haciendo una demostración explicando este riesgo de privacidad y seguridad, al que hemos llamado AirPodSpy, donde se puede ver que en cuestión de apenas tres segundos una persona puede parearse tus AirPods y a partir  de ese momento puede vigilar tu posición - o mejor dicho, la de tus AirPods - desde su cuenta de Apple usando el servicio de Find My iPhone.


Figura 2: Explicación y demo de AirPodSpy

Ten mucho cuidado con esto, ya que si alguien tiene acceso a tus Apple AirPods en el trabajo, en tu casa o en un espacio público, podrá saber dónde estás en cada momento. Y lo peor, es que puede pasar por un simple "descuido" o error, pero puede afectar a tu vida personal.

Figura 3: Libro de MacOS Hacking


Como sabéis, durante años hemos investigado las opciones de las tecnologías Apple, y tienes en 0xWord un libro sobre MacOS Hacking, y otro, llamado Hacking iOS: iPhone & iPad (2ª Edición) donde participé y hablamos de todo el modelo de seguridad de iOS, para entender mejor su funcionamiento y cómo puede ser atacado.

Figura 4: Libro de Hacking iOS: iPhone & iPad (2ª Edición)


En este caso concreto, Apple debería añadir en los AirPods un número que indicara cuántas cuentas están trackeando la posición de los AirPods y que se pudiera eliminar el seguimiento de esa cuenta. O que para que el servicio de Find My iPhone en AirPods funcione deban ser registrados manualmente la primera vez en la cuenta de Apple ID y no se active el seguimiento de GPS en otra cuenta.


Figura 5: Haría falta un aviso del número de usuarios que
vigilan la posición de este dispositivo.

Ahora mismo solo se puede eliminar el tacking de unos AirPods  si la cuenta elimina ese dispositivo de los dispositivos BlueTooth, así que si conectas tus AirPods a cualquier iPhone, no te olvides de eliminarlo de la lista de dispositivos BlueTooth pareados.

Figura 6: Solo si se elimina de la lista de BlueTooth desaparece de Find my iPhone


En este blog, ya sabes que tienes técnicas sencillas como el truco para robar cuentas de Gmail o Hotmail usando Siri en iPhone, o el famoso DirtyTooth que obligó a Apple a modificar el pareado de dispositivos BlueTooth por el riesgo que suponía para la seguridad de tu cuenta, ya que te podían robar toda tu agenda.


Figura 7: DirityTooth en RootedCON por Chema Alonso

Os dejo la conferencia de DirtiyTooth para iPhone que di en la RootedCON y donde se puede ver cómo toda la agenda de contactos de un iPhone es robada con una altavoz de música. It´s Only Rock'n Roll, but I  like it.

Saludos Malignos!

Autor: Chema Alonso (Contactar con Chema Alonso)



Sigue Un informático en el lado del mal RSS 0xWord

This article is the property of Tenochtitlan Offensive Security. Verlo Completo --> https://tenochtitlan-sec.blogspot.com
More articles

  1. Hacking Etico Libro
  2. Definicion De Cracker
  3. Ingeniería Social El Arte Del Hacking Personal
  4. Como Aprender A Hackear
  5. Portatil Para Hacking
  6. Hacking Bluetooth Speaker
  7. Black Hacker
  8. Seguridad Y Hacking
  9. Manual Del Hacker
  10. El Hacker Pelicula
  11. Chema Alonso Libros
  12. Hacker En Español
  13. Herramientas De Seguridad Informatica
  14. Hacking Google Home Mini
  15. Hacking Food
  16. Certificacion Hacking Etico
Publicadas por a la/s No hay comentarios.:

Save Your Cloud: DoS On VMs In OpenNebula 4.6.1

This is a post about an old vulnerability that I finally found the time to blog about. It dates back to 2014, but from a technical point of view it is nevertheless interesting: An XML parser that tries to fix structural errors in a document caused a DoS problem.

All previous posts of this series focused on XSS. This time, we present a vulnerability which is connected another Cloud Management Platform: OpenNebula. This Infrastructure-as-a-Service platform started as a research project in 2005. It is used by information technology companies like IBM, Dell and Akamai as well as academic institutions and the European Space Administrations (ESA). By relying on standard Linux tools as far as possible, OpenNebula reaches a high level of customizability and flexibility in hypervisors, storage systems, and network infrastructures. OpenNebula is distributed using the Apache-2 license.


OpenNebula offers a broad variety of interfaces to control a cloud. This post focuses on Sunstone, OpenNebula's web interface (see Figure 1).

Figure 1: OpenNebula's Sunstone Interface displaying a VM's control interface

Before OpenNebula 4.6.2, Sunstone had no Cross-Site Request Forgery (CSRF) protection. This is a severe problem. Consider an attacker who lures a victim into clicking on a malicious link while being logged in at a private cloud. This enables the attacker to send arbitrary requests to the private cloud through the victims browser. However, we could find other bugs in OpenNebula that allowed us to perform much more sophisticated attacks.

Denial-of-Service on OpenNebula-VM

At its backend, OpenNebula manages VMs with XML documents. A sample for such an XML document looks like this:
<VM>
   <ID>0</ID>
   <NAME>My VM</NAME>
   <PERMISSIONS>...</PERMISSIONS>
   <MEMORY>512</MEMORY>
   <CPU>1</CPU>
   ...
</VM>
OpenNebula 4.6.1 contains a bug in the sanitization of input for these XML documents: Whenever a VM's name contains an opening XML tag (but no corresponding closing one), an XML generator at the backend automatically inserts the corresponding closing tag to ensure well-formedness of the resulting document. However, the generator outputs an XML document that does not comply with the XML schema OpenNebula expects. The listing below shows the structure that is created after renaming the VM to 'My <x> VM':
<VM>
   <ID>0</ID>
   <NAME>My <x> VM</x>
      <PERMISSIONS>...</PERMISSIONS>
      <MEMORY>512</MEMORY>
      <CPU>1</CPU>
      ...
   </NAME>
</VM>
The generator closes the <x> tag, but not the <NAME> tag. At the end of the document, the generator closes all opened tags including <NAME>.

OpenNebula saves the incorrectly generated XML document in a database. The next time the OpenNebula core retrieves information about that particular VM from the database the XML parser is mixed up and runs into an error because it only expects a string as name, not an XML tree. As a result, Sunstone cannot be used to control the VM anymore. The Denial-of-Service attack can only be reverted from the command line interface of OpenNebula.

This bug can be triggered by a CSRF-attack, which means that it is a valid attack against a private cloud: By luring a victim onto a maliciously crafted website while logged in into Sunstone, an attacker can make all the victim's VMs uncontrollable via Sunstone. A video of the attack can be seen here: