NanoCore is one of the most powerful RATs ever created. It is capable of taking complete control of a victim's machine. It allows a user to control the system with a Graphical User Interface (GUI). It has many features which allow a user to access a remote computer as an administrator. Download nanocore rat 1.2.2.0 cracked version free of cost.
NanoCore's developer was arrested by the FBI, pleaded guilty in 2017 to developing such a malicious privacy threat, and was sentenced to 33 months in prison.
FEATURES
Complete Stealth Remote Control
Recover Passwords from the Victim Device
Manage Networks
Manage Files
Surveillance
Plugins (To take it to the next level)
Many advanced features like SCRIPTING
DOWNLOAD NANOCORE RAT 1.2.2.0 CRACKED – REMOTE ADMINISTRATION TOOL
After playing with the applications installed on the Pwn Pad, I found that the most important application (at least for me) was missing from the pre-installed apps. Namely, DSploit. Although DSploit has tons of features, I really liked the multiprotocol password sniffing (same as dsniff) and the session hijacking functionality.
The DSploit APK in the Play Store was not working for me, but the latest nightly on http://dsploit.net worked like a charm.
Most features require only that you and your target use the same WiFi network; it can be open, WEP, or WPA/WPA2 Personal. On all of these networks DSploit will sniff passwords, because it performs active attacks rather than passively listening. E.g. a lot of email clients still use IMAP with clear-text passwords, as do some webmails, etc.
First, DSploit lists the AP and the known devices on the network. In this case, I chose one victim client.
In the following submenu, there are tons of options, but the best features are in the MITM section.
Stealthiness warning: in some cases, I received the following popup on the victim's Windows machine:
This is what we have under the MITM submenu:
Password sniffing
For example, let's start with the Password Sniffer. It gives the same results as the EvilAP and DSniff setup in my previous post: the popular Hungarian webmail with the default secure login checkbox turned off leaks the password. Don't forget, this is not an open WiFi network, but one with WPA2 protection!
Session hijack
Now let's assume that the victim is very security-aware and checks the secure login checkbox. Or perhaps the victim had already logged in long before we started the attack. The session hijacking function is similar to the Firesheep tool, but it works with every website where the session cookies are sent in clear text, with no site-specific support needed.
In a session hijacking attack (also called "sidejacking"), after the victim browser sends the authentication cookies in clear text, DSploit copies these cookies into its own browser, and opens the website with the same cookies, which results in successful login most of the time. Let's see session hijacking in action!
Here, we can see that the session cookies have been sniffed from the air:
Let's select that session, and be amazed that we are logged into the user's webmail session.
Redirect traffic
This feature can be used both for fun and for profit. For fun, you can redirect all the victim's traffic to http://www.kittenwar.com/. For profit, you can redirect your victim to phishing pages.
Replace images, videos
I think this is just for fun here. Endless Rick Rolling possibilities.
Script injection
This is mostly for profit: client-side injection, drive-by exploits, endless possibilities.
Custom filter
If you are familiar with ettercap, this has similar functionality (but dumber), with string or regex replacements. E.g. you can replace the news, stock prices, which pizza the victim ordered, etc. If you know more fun stuff here, please leave a comment (HTTP-only scenarios; e.g. attacking Facebook, which is served over HTTPS, won't work).
Additional fun (not in DSploit) - SSLStrip
From the MITM section of DSploit, I really miss the SSLStrip functionality. Luckily, it is built into the Pwn Pad. With the help of SSLStrip, we can remove the references to HTTPS links in the clear text HTTP traffic, and replace those with HTTP. So even if the user checks the secure login checkbox at freemail.hu, the password will be sent in clear text - thus it can be sniffed with DSniff.
HTML source on the client side without SSLStrip:
HTML source on the client side with SSLStrip:
With EvilAP, SSLStrip, and DSniff, the password can be stolen. No hacking skillz needed.
Lessons learned here
If you are a website operator that allows users to log in, always:
Use HTTPS with a trusted certificate, and redirect all unencrypted traffic to HTTPS ASAP
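As an added example (not code from the original post), the following Python script audits a captured HTTP exchange for the server-side defences against the attacks above: a redirect from plain HTTP to HTTPS, a Strict-Transport-Security header so the browser refuses the SSLStrip downgrade on later visits, and Secure/HttpOnly flags on the session cookie that sidejacking steals. The responses and the PHPSESSID cookie name are constructed sample data.

```python
from typing import List, Set, Tuple

# Constructed sample responses (not real captures). The "weak" pair mirrors the
# freemail scenario in the post: login form served over plain HTTP and a session
# cookie with no flags; the "fixed" pair applies the lessons learned.
WEAK_HTTP = ("HTTP/1.1 200 OK\r\n"
             "Content-Type: text/html\r\n\r\n"
             '<form action="http://mail.example.test/login">...</form>')
WEAK_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Content-Type: text/html\r\n"
              "Set-Cookie: PHPSESSID=abc123; Path=/\r\n\r\n"
              "<html>inbox</html>")
FIXED_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
              "Location: https://mail.example.test/\r\n\r\n")
FIXED_HTTPS = ("HTTP/1.1 200 OK\r\n"
               "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
               "Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly\r\n\r\n"
               "<html>inbox</html>")


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (status code, [(lower-cased header name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def get_all(headers: List[Tuple[str, str]], name: str) -> List[str]:
    return [v for n, v in headers if n == name]


def audit(http_response: str, https_response: str, session_cookies: Set[str]) -> List[str]:
    """Return the list of weaknesses found; an empty list means all checks passed."""
    findings = []

    # 1. A plain-HTTP request for the site must be answered with a redirect to HTTPS.
    status, hdrs = parse_response(http_response)
    location = get_all(hdrs, "location")
    redirected = (status in (301, 302, 307, 308) and location
                  and location[0].lower().startswith("https://"))
    if not redirected:
        findings.append("plain HTTP is served instead of redirected to HTTPS")

    # 2. HSTS makes the browser refuse plain HTTP on later visits, so SSLStrip has
    #    no clear-text page to rewrite once the user has visited the site once.
    status, hdrs = parse_response(https_response)
    if not get_all(hdrs, "strict-transport-security"):
        findings.append("no Strict-Transport-Security header")

    # 3. Session cookies must never be sent over HTTP (Secure) or be readable by
    #    injected script (HttpOnly); without Secure they can be sidejacked.
    for cookie in get_all(hdrs, "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if name in session_cookies:
            if "secure" not in attrs:
                findings.append(f"session cookie {name} lacks Secure")
            if "httponly" not in attrs:
                findings.append(f"session cookie {name} lacks HttpOnly")
    return findings


if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)),
                        ("fixed", (FIXED_HTTP, FIXED_HTTPS))):
        print(label, audit(*pair, {"PHPSESSID"}) or ["OK"])
```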
How do I get started with bug bounty hunting? How do I improve my skills?
These are some simple steps that every bug bounty hunter can use to get started and improve their skills:
Learn to make it; then break it! A major chunk of the hacker's mindset consists of wanting to learn more. In order to really exploit issues and discover further potential vulnerabilities, hackers are encouraged to learn to build what they are targeting. By doing this, there is a greater likelihood that the hacker will understand the component being targeted and where most issues appear. For example, when people ask me how to take over a sub-domain, I make sure they understand the Domain Name System (DNS) first and let them set up their own website to play around attempting to "claim" that domain.
Read books. Lots of books. One way to get better is by reading fellow hunters' and hackers' write-ups. Follow /r/netsec and Twitter for fantastic write-ups ranging from a variety of security-related topics that will not only motivate you but help you improve. For a list of good books to read, please refer to "What books should I read?".
Join discussions and ask questions. As you may be aware, the information security community is full of interesting discussions ranging from breaches to surveillance, and further. The bug bounty community consists of hunters, security analysts, and platform staff helping one another get better at what they do. There are two very popular bug bounty forums: Bug Bounty Forum and Bug Bounty World.
Participate in open source projects; learn to code. Go to https://github.com/explore or https://gitlab.com/explore/projects and pick a project to contribute to. By doing so you will improve your general coding and communication skills. On top of that, read https://learnpythonthehardway.org/ and https://linuxjourney.com/.
Help others. If you can teach it, you have mastered it. Once you discover something new and believe others would benefit from learning about your discovery, publish a write-up about it. Not only will you help others, you will learn to really master the topic because you can actually explain it properly.
Smile when you get feedback and use it to your advantage. The bug bounty community is full of people wanting to help others so do not be surprised if someone gives you some constructive feedback about your work. Learn from your mistakes and in doing so use it to your advantage. I have a little physical notebook where I keep track of the little things that I learnt during the day and the feedback that people gave me.
Learn to approach a target. The first step when approaching a target is always going to be reconnaissance, the preliminary gathering of information about the target. If the target is a web application, start by browsing around like a normal user and get to know the website's purpose. Then you can start enumerating endpoints such as sub-domains, ports and web paths.
A woodsman was once asked, "What would you do if you had just five minutes to chop down a tree?" He answered, "I would spend the first two and a half minutes sharpening my axe." As you progress, you will start to notice patterns and find yourself refining your hunting methodology. You will probably also start automating a lot of the repetitive tasks.
Setting up your victim application, databases and lab
Attacking a simple injection with information Schema
Automating your injections with python and beautiful soup
Dealing with various web encoding in Python and PHP
Bypassing LoadFile Size restrictions and automating it
Decrypting sensitive data via PHP and Python interactions
As always me rambling about stupid nonsense :P FTW
Part 2 of the MySQL series covers injecting a simple SQL injection example. It starts out slow, then combines techniques and moves into more advanced topics. Before attempting this lesson, make sure you have watched the videos in the previous blog post or understand both SQL and basic Python coding. I will show how to automate the injection process with Python, using the simple HTML processing abilities of Beautiful Soup. I will cover many Python libraries for encoding data and calling web-based applications. I also talk about how to deal with encrypted data, and about methods of enumerating files and folders looking for possible implementation issues and attack points to decrypt sensitive data via PHP/Python interaction with what's available on the server. This is the 2nd part of a 3-part series on MySQL for attacking web applications.
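As an added example (not code from the video series), here is the simple injection bug the lesson is built around, shown as the vulnerable login query next to its parameterised fix. It uses Python's built-in sqlite3 as a stand-in for MySQL so it runs offline; with a MySQL driver the fix is the same, only the placeholder style changes. The users table is constructed sample data.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample users table. Plain-text passwords are kept only so the
    query matches the lesson's example; real code stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """The bug: user input is pasted straight into the SQL text, so a quote in
    the input changes the structure of the query instead of being data."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """The fix: placeholders. The driver passes the values separately from the
    SQL, so a quote in the input is just a character inside the value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# The classic tautology: in the vulnerable version the WHERE clause becomes
#   username = 'alice' AND password = '' OR '1'='1'
# which is true for every row, so the query "logs in" as everyone.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "alice", TAUTOLOGY))
    print("safe:      ", login_safe(db, "alice", TAUTOLOGY))
    print("legit:     ", login_safe(db, "bob", "hunter2"))
```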
As I wrote in a previous blog post, I had an engagement last year where my task was to exfiltrate data from a workstation onto some sort of storage media. The twist in that task was Lumension Sanctuary Device Control, version 4.3.2; I am not sure how newer versions behave, but this seems to be a more general problem with device control solutions, for example with Symantec products.
But what is a device control solution? In short, they audit I/O device use and block the attempts to use unauthorized devices. This includes hardware such as USB, PS/2, FireWire, CD/DVD so basically every I/O port of a computer. In my opinion, these are pretty good things and they offer a better looking solution than de-soldering the I/O ports from the motherboards or hot-gluing them, but on the other hand, they can be bypassed.
Bypass
OK, so what is the problem? Well the way these device control solutions work is that they load a few kernel drivers to monitor the physical ports of the machine. However... when you boot up the protected computer in safe mode, depending on the device control solution software, some of these drivers are not loaded (or if you are lucky, none of those modules will be loaded...) and this opens up the possibility to exfiltrate data.
In theory, if you have admin (SYSTEM maybe?) privileges, you might as well try to unload the kernel drivers. Just do not forget that these device control solutions also have a watchdog process that checks the driver and automatically loads it back if it is unloaded, so look for that process and stop or suspend it first.
In my case with Lumension Sanctuary Device Control, I found that when I booted the workstation protected by the device control software in Safe Mode, the software's keylogger protection module was not running... so I was still unable to use a USB stick or other storage media, but I could plug in a keyboard, for example... hmmm :)
As some of you have probably already figured out, it is now possible to use a pre-programmed USB HID, for example a Teensy! : ) I know about three different projects that use this trick, like the two mentioned in a Hackaday post, or this one. Unfortunately, the site ob-security.info no longer seems to be available (well, at least it is no longer related to infosec :D ), but you can still find the blog post and the files with the Wayback Machine.
I have to note here that there are other ways to bypass these device control solutions, like Dr. Phil Polstra's USB Impersonator, which basically looks for an authorized device's VID/PID and then impersonates that device using the same VID/PID.
Mitigation
Most probably, you will not need safe mode for the users, so you can just disable it... I mean, it is not that easy, but luckily there is a great blog post on how to do that. BTW, the first page of the post is for Windows XP, but you are not using XP anymore, are you? ;)
Alternatively, as I mentioned at the beginning, you might as well use some physical countermeasure (de-soldering/hot-gluing ports). That shit is ugly, but it kinda works.
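As an added example (not from the original post), the following PowerShell audit catches the failure mode described above from the defender's side: a host that was booted into Safe Mode, or whose device-control kernel drivers are not in the Running state. The driver names are placeholders to be replaced with your product's own driver service names.

```powershell
# Added example, not from the original post: an audit that a defender can run from
# a scheduled task or an endpoint-management script. The driver names below are
# placeholders; replace them with the service names of your product's drivers
# (list candidates with: Get-CimInstance Win32_SystemDriver).
$DeviceControlDrivers = @('DeviceControlDriverPlaceholder1', 'DeviceControlDriverPlaceholder2')

$findings = @()

# Win32_ComputerSystem.BootupState is 'Normal boot', 'Fail-safe boot' or
# 'Fail-safe with network boot'; the SAFEBOOT_OPTION variable exists only inside Safe Mode.
$bootState = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
if ($bootState -ne 'Normal boot' -or $null -ne $env:SAFEBOOT_OPTION) {
    $findings += "Host is running in Safe Mode ($bootState): device-control drivers may have been skipped"
}

# Each driver must be registered and Running; a Stopped driver means the ports it
# monitors are currently unguarded, whatever the boot mode (e.g. after a manual unload).
foreach ($name in $DeviceControlDrivers) {
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
    if ($null -eq $drv) {
        $findings += "Driver '$name' is not registered on this host"
    } elseif ($drv.State -ne 'Running') {
        $findings += "Driver '$name' is $($drv.State) (StartMode=$($drv.StartMode)): its ports are unmonitored"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: normal boot and all device-control drivers running'
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
# Non-zero exit code so the scheduler or monitoring agent can raise an alert
exit 1
```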
Conclusion
Next time you face a device control solution, try out these tricks; maybe they will work, and if they do, well, that's a lot of fun. :)
But don't get me wrong, these device control solutions and similar countermeasures are a good thing and you should use something like this! I know that they make doing business a bit harder, as you are not able to plug in whatever USB stick you want, but if you buy a pile of hardware-encrypted flash drives and only allow those to be plugged in, you are doing it right ;)
Intro: I recently returned from the new Social Engineering training provided by Social-Engineer.org in the beautiful city of Seattle, WA, a state known for sparkly vampires, music and coffee shop culture. Like many of you reading this article, I have also read the author's definitive book Social Engineering: The Art of Human Hacking and routinely perform SE engagements for my clients. When I heard that the author of the aforementioned book was providing training, I immediately signed up to get an in-person glance at the content provided in the book. However, I was pleasantly surprised to find the course covered so much more than what was presented in the book.
I wasn't aware that there would be more than one instructor and was extremely happy with the content provided by both instructors. Chris and Robin both have a vast amount of knowledge and experience in the realm of social engineering. Each instructor brought a different angle and use case scenario to the course content. Robin is an FBI agent in charge of behavioral analysis and uses social engineering in his daily life and work to get the results needed to keep our country safe. Chris uses social engineering in his daily work to help keep his clients secure and provides all sorts of free learning material to the information security community through podcasts and online frameworks.
Course Material and Expectation: I originally thought that the material covered in class would be a live reiteration of the material covered in Chris's book. However, I couldn't have been more wrong!! The whole first day was about reading yourself and other people; much of the material was what Robin uses to train FBI agents in eliciting information from possible terrorist threats. Each learning module was based on live demos, nightly labs, and constant classroom interaction. Each module was in depth and the level of interaction between students was extremely useful and friendly. I would say the instructors had as much fun as the students learning and sharing social techniques and war stories. The class was heavily made up of ways to elicit personal and confidential information in a way that left the individual "happier for having met you", using language, body posture and social truisms as your weapon to gather information not intended for your ears, but happily leaving the tongue of your target. Other class activities and materials included an in-depth look at micro expressions with labs and free extended learning material going beyond the allotted classroom days, as well as break-out sessions which focused on creating phone and phishing scripts to effectively raise your rate of success. These sessions were invaluable in learning to use proper language techniques on the phone and in email to obtain your objectives.
Nightly Missions/Labs: If you think that you are going to relax at night with a beer, think again!! You must ensure that your nights are free, as you will be going on missions to gain information from live targets at venues of your choice. Each night you will have a partner and a mission to gain certain information while making that person's day better than it started. The information you are requested to obtain will change each night and, if done properly, you will notice all of the material in class starting to unfold. When you get to body language training you will notice which targets are open and when it's best to go in for the kill. You will see interactions change based on a person's change in posture and facial expressions. Each day you will take the new techniques you have learned and put them into practice. Each morning you have to report your findings to the class. During my nightly labs I obtained information such as door codes to secured research facilities and information regarding secret, yet-to-be-released projects. On the lighter side of things, I obtained much personal information from my targets along with phone numbers and invitations for further hangouts and events. I made many new friends inside and outside of class. There were also labs within the confines of the classroom, such as games used to solidify your knowledge and tests to figure out what kind of learner you are, and technical labs on the use of information gathering tools and ways to use phone and phishing techniques to your advantage, both linguistically and technologically. Essentially the class was about 60% interaction and labs.
Proof it works: After class I immediately had a phishing and phone-based contract at my current employment. I used the email and phone scripts that we created in class with a 100% click rate and 100% success in phone elicitation techniques, gaining full unfettered access to networks through phone and email elicitation and interaction. Although I do generally have a decent SE success rate, my rates of return are now much higher, and my understanding of what works and what doesn't, and why, is much more refined.
Conclusion and Certification: I paid for this class out of pocket, including all expenses, hotels, rental cars and planes etc. I would say that the class was worth every penny that I paid for it. Many extras were given, including Black Hat passes, extended training from notable sources and continued interaction with instructors after class ended. I would highly recommend this class to anyone looking for a solid foundation in social engineering or a non-technical alternative to training. You will learn a lot, push yourself in new ways and have a blast doing it. However, I did not see any sparkly vampires while in Seattle.... Twilight lied to me LOL. The certification is a 48-hour test in which you will utilize your knowledge gained technologically and socially to breach a company. I am not going to give away too much information about the certification as I haven't taken it yet and I do not want to misspeak on the subject. However, I will say that social-engineer.org has done an excellent job at figuring out a way to include real-world social engineering into a test with verifiable proof of results. I am going to take my test in a couple of weeks and it should be a blast!!!
Thanks and I hope this review is helpful to all those looking for SE training. I had a blast :) :)
OctoSniff is a network research tool that allows you to determine information about all the other players you're playing with. It is compatible with PS, Xbox 360 and Xbox One. It has many other features that make it a great sniffing tool. Some people think it might be a tool like Wireshark or Cain & Abel. No, it's not a tool like that. It simply sniffs players so you know who's really playing. Download OctoSniff 2.0.3 full version. It is for educational purposes only.
Kali 2018.3 brings the kernel up to version 4.17.0 and while 4.17.0 did not introduce many changes, 4.16.0 had a huge number of additions and improvements including more Spectre and Meltdown fixes, improved power management, and better GPU support.
New Tools and Tool Upgrades
Since our last release, we have added a number of new tools to the repositories, including:
If you would like to check out this latest and greatest Kali release, you can find download links for ISOs and Torrents on the Kali Downloads page along with links to the Offensive Security virtual machine and ARM images, which have also been updated to 2018.3. If you already have a Kali installation you're happy with, you can easily upgrade in place as follows.
root@kali:~# apt update && apt -y full-upgrade
If you come across any bugs in Kali, please open a report on our bug tracker. It's more than a little challenging to fix what we don't know about.
Making sure you are up-to-date
To double-check your version, first make sure your network repositories are enabled:
root@kali:~# cat <<EOF >/etc/apt/sources.list
deb http://http.kali.org/kali kali-rolling main non-free contrib
EOF
root@kali:~#
Then after running apt -y full-upgrade, you may require a reboot before checking:
root@kali:~# grep VERSION /etc/os-release
VERSION="2018.3"
VERSION_ID="2018.3"
root@kali:~#
Yesterday I didn't get to publish the El lado del mal post, but not because I wasn't working. I was working, and a lot, from very early in the morning, which is when I most enjoy quality computing cycles on my CPU, but by the time I could finish the work I had set myself it had gotten very late, so I decided to leave publishing the post for today.
I didn't publish the post in time, but I did do the work I had set out to do, which was nothing other than putting together a list of "The 50 best talks by Chema Alonso" on my YouTube channel, the ones that my mom and I like, and which I left published.
I've spent the day selecting the 50 talks I like most out of those I have given... Some are very old, but I'm very fond of them. In case you want to watch one, these are, for me (and for my mom), the 50 best talks by Chema Alonso https://t.co/Sb4UifVGSy so far
Not all the talks are there, and I have left some out for now because I had decided that only 40 videos had to be in it, but I may change them over time. Nor have I ordered them yet in any thematic or special order, but I may do so in the future. And I may later make a Top 10 list, and maybe this list of 50 ends up being one of 10. We'll see.
What is certain is that you now have that list with the 50 talks I have chosen - some are 3 minutes long, others 5 minutes and others over an hour - but if you want to watch "The Complete Series", you have, season by season, all the series ordered chronologically in lists. The talk videos begin in 2007 - I have not found earlier videos - with the first talk on LDAP Injection & Blind LDAP Injection and a webcast on ISA Server 2006. And so on up to 2020 with the Gremlin Botnets talk and those I will give this year.
I also have other lists for interviews, themed topics and the videos we use in the articles, and other videos with specific explanations, but as for me on stage giving talks, you have all the material I have been able to recover in those lists, so that you can find the talk you want to watch.
Remote work has proven that it can be more efficient for companies than most organizations thought until a few months ago. But it can also bring with it an increase in "leaks" of confidential information if we are not careful about how we implement it. Inspired by the post I wrote on "Google Dorks & Low Hanging Fruit: Open Redirects", this could be called a second part, since we are going to use similar dorks to find "truffles" on one of the platforms the community is talking about most lately: GitHub
Figure 1: GitHub Dorks: Searching for "Truffles" on GitHub using TruffleHog & GitRob
GitHub is a platform for developers where they can share code in different programming languages. It allows a project to be edited simultaneously, which is very useful in remote-work scenarios, but if it is not used carefully it also poses a major threat to companies' security, since in this environment it is relatively easy for someone to let a KEY, a TOKEN or a password slip into the code they upload...
And that is the beauty of it: it is a fantastic environment for applying all the Hacking with Search Engines techniques, but in this case inside the GitHub platform, so let's see what its possibilities are. The platform has a search engine with a multitude of commands, among the most useful of which I would highlight:
Figure 3: Search commands on GitHub
As you can see, fairly specific commands can be used to locate juicy things, so now is the time to see what kinds of GitHub Dorks we can create to take advantage of them when looking for targets in a pentest.
GitHub Dorks
With these commands clear, the possibilities are endless. We can try filtering by the target organization and fields such as "password", "pwd", "token", "credential"...
Figure 4: Searching for "password" on GitHub
With this technique we can come across real user and customer databases dumped onto GitHub by carelessness, as well as AWS credentials (aws_secret) and hot tokens that have been recently indexed and have not yet expired. These techniques are similar to those in Chema Alonso's talk "Dorking & Pentesting with Tacyt", where he used similar dorks to search the source code of the apps indexed by the ElevenPaths service, which is the same as what we can do on GitHub.
Figure 5: Dorking & Pentesting with Tacyt by Chema Alonso
Here a second consequence arises: even if the organization has control mechanisms against leaks on GitHub, the risk is not fully mitigated, because employees have their personal GitHub pages, where there may be leaks outside the organization's radar. Take Netflix, for example, a company that does have a leak-control mechanism in its official GitHub repository:
Figure 6: Netflix Open Source Platform
We see that it has 15 users registered in its official repository. What we could do here is go into each of those users' personal pages and look for their own repositories, where notes or snippets of code that are not in the official repository, and that are highly dangerous for the company, are often kept.
If we consider Netflix's size, it seems odd that it only has 15 employees developing code, and that is not the case; the problem is that many of those who work on the repository have not linked their profile to Netflix's, which is even more dangerous, since we could search "developer" on LinkedIn and, filtering by organization, obtain GitHub users we know work there but whose profile is not linked to Netflix's.
Using LinkedIn as an OSINT data source is common, and the book published yesterday on OSINT and social network investigation devotes a huge chapter to this topic alone, as you can see in the book's table of contents. These users who work at a company and advertise it on LinkedIn, and who are then not linked to the company's official repositories on GitHub, are the ones who, as a rule, hold the largest number of leaks. Fortunately, Netflix ("rara avis") also has these users under control, but that is not the norm.
Organizations' dirty laundry on GitHub
Another curiosity this quarantine is leaving us is a large number of discussions in repositories in which the users involved seem to forget that their conversation is public.
Figure 8: Issues & Discussions on GitHub
For that it is enough to search the "Issues" and "Discussions" sections, where developers present a problem and argue (not always in the best manner, putting the company's reputation at risk) until they manage to solve it.
Automating the search: TruffleHog & GitRob
Ideally, organizations would have alerts about possible GitHub leaks by their employees; for that there are two tools that automate this process. The first is TruffleHog, which of course is on GitHub, and which you can see running in the following image, searching for AWS keys that may still be fresh.
Figure 9: TruffleHog
And the second one I'll leave you with, also on GitHub of course, is Gitrob, which I encourage you to try for a while to see what you are able to find. Remember that the code is constantly being updated, so there are always fresh "truffles" to locate.
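As an added example (not TruffleHog's or Gitrob's own code), here is a small pre-commit scanner in Python that applies the two techniques those tools combine: pattern matching for known key formats, and Shannon entropy for opaque strings on lines that mention the dork keywords used above ("password", "pwd", "token", "credential", "secret"). The input is constructed sample text; the AWS key id and secret are the EXAMPLE placeholders from AWS documentation, not live credentials.

```python
import math
import re
from typing import Dict, List

# Constructed sample file. The AWS values are the documented AWS example
# placeholders (AKIAIOSFODNN7EXAMPLE / ...EXAMPLEKEY), not live credentials.
INPUT = """\
# config.py (constructed sample)
DB_HOST = "db.internal"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
password = "hunter2"
"""

# Format-specific patterns: the AWS access key id prefix and the documented
# GitHub token prefixes (ghp_, gho_, ghu_, ghs_, ghr_).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}
# The same words the GitHub dorks above search for ("secret" also covers aws_secret).
KEYWORDS = ("password", "pwd", "token", "credential", "secret")
# Opaque strings worth an entropy check: 20+ chars of a base64/hex-like alphabet.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 approaches 6, random hex 4, prose about 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan(text: str, entropy_threshold: float = 4.5) -> List[Dict[str, object]]:
    """Return one finding per suspected secret: line number, kind and the match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                seen.add(m.group(0))
                findings.append({"line": lineno, "kind": kind, "match": m.group(0)})
        # Entropy check only on lines that also carry a dork keyword; this keeps
        # ordinary base64 blobs (images, test vectors) from flooding the output.
        if any(k in line.lower() for k in KEYWORDS):
            for m in CANDIDATE.finditer(line):
                tok = m.group(0)
                if tok not in seen and shannon_entropy(tok) >= entropy_threshold:
                    findings.append({"line": lineno, "kind": "high_entropy", "match": tok})
    return findings


if __name__ == "__main__":
    for f in scan(INPUT):
        print(f"line {f['line']}: {f['kind']}: {f['match']}")
```

Identifier-like names such as aws_secret_access_key are long enough to be candidates but have low entropy, so only the value next to them is reported.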
It must be stressed that the possibilities are endless for both the attacking side and the attacked. It is especially important that in remote-work environments we are more careful than ever and that we work over our organization's VPN, which gives us a secure connection. These scanners can also be used by the "bad guys", and it would not be advisable for them to find out before we do that we have had a "leak".
Finally, I would like to emphasize that GitHub's security team cares a great deal about this type of leak and constantly helps the developer community with tools and awareness seminars. It has great professionals on its team, and whenever the hacker community has reported something to GitHub they have fixed and improved it. They are developers working for developers, and it shows. It was a pleasure to see that Nico Waisman is on the team as Senior VP of Security Innovation at GitHub, so you can get an idea of how seriously this company takes security.