ladetaille

  1. I am looking for a serious spammer who wants to work for the long term. I provide scampage, letter and mailing list to the spammer. It's up to the spammer to find SMTP and the rest. I am looking for someone who wants to work and who wants to earn money. Message me on Telegram for more: @solar_sip_spoofer. We cash credit cards and register banks in bitcoin and more.
  5. It's good. Contact me on Telegram @solar_sip_spoofer
  6. Anti Forensics Tools

     AudioStego - Audio file steganography. Hides files or text inside audio files and retrieves them automatically
     Installation:
       sudo apt-get install libboost-all-dev
       git clone https://github.com/danielcardeenas/AudioStego.git
       cd AudioStego
       mkdir build
       cd build
       cmake ..
       make

     dban - Hard Drive Eraser & Data Clearing Utility
     Installation: https://sourceforge.net/projects/dban/

     OpenStego - The free steganography solution
     Download: https://sourceforge.net/projects/openstego/

     srm - srm (secure rm) is a command-line program to delete files securely
     Download: https://sourceforge.net/projects/srm/

     Steghide - Steganography program that is able to hide data in various kinds of image and audio files
     Download: steghide.sourceforge.net

     Exploitation Tools

     Auto-Root-Exploit - Find exploits on the Linux kernel
     Installation:
       git clone https://github.com/nilotpalbiswas/Auto-Root-Exploit/
       cd Auto-Root-Exploit
     Usage: bash auto-root.sh

     AutoSploit - Automated Mass Exploiter
     Installation:
       git clone https://github.com/NullArray/AutoSploit
       cd AutoSploit
       chmod +x install.sh
       ./install.sh
     Usage: python autosploit.py

     beef - The Browser Exploitation Framework Project
     Website: https://beefproject.com/
     Installation: sudo apt install beef-xss
     Usage: beef
     Web Panel: 127.0.0.1:3000/ui/panel

     BeRoot - Find a way to escalate our privilege (Linux)
     Installation:
       git clone https://github.com/AlessandroZ/BeRoot/
       cd BeRoot/Linux
     Usage: python beroot.py

     CrackMapExec - A Swiss army knife for pentesting networks
     Installation:
       apt-get install -y libssl-dev libffi-dev python-dev build-essential
       git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
       cd CrackMapExec
       pip3 install -r requirements.txt
       python3 setup.py install
     Usage: crackmapexec

     DccwBypassUAC - Windows 8.1 and 10 UAC bypass abusing WinSxS in "dccw.exe"
     Download: https://github.com/L3cr0f/DccwBypassUAC/blob/release/DccwBypassUAC/Release/DccwBypassUAC.exe
     Usage: C:\Users\L3cr0f> DccwBypassUAC.exe

     Invoke-PSImage - Embeds a PowerShell script in the pixels of a PNG file and generates a one-liner to execute it
     Download: github.com/peewpw/Invoke-PSImage

     KeeFarce - Extracts passwords from a KeePass 2.x database, directly from memory
     Installation (Windows):
       C:> curl -LO https://github.com/denandz/KeeFarce/blob/master/prebuilt/x64.zip

     koadic - C3 COM Command & Control
     Installation:
       git clone https://github.com/zerosum0x0/koadic.git
       cd koadic
       pip3 install -r requirements.txt
       ./koadic

     meterssh - Inject shellcode into memory and tunnel port over SSH (Windows)
     Installation:
       git clone https://github.com/trustedsec/meterssh
       cd meterssh
       nano meterssh.py
     Edit:
       user = "sshuser"
       # password for SSH
       password = "sshpw"
       # this is where your SSH server is running
       rhost = "192.168.1.1"
       # remote SSH port - this is the attacker's SSH server
       port = "22"

     PowerShell-Suite - Collection of PowerShell utilities (Windows)
     Download: https://github.com/FuzzySecurity/PowerShell-Suite

     UACME - Defeating Windows User Account Control, 60+ methods (Windows)
     Download: https://github.com/hfiref0x/UACME
     Usage:
       akagi32.exe 1
       akagi64.exe 3
       akagi32 1 c:\windows\system32\calc.exe
       akagi64 3 c:\windows\system32\charmap.exe

     WinPwnage - Elevate, UAC bypass, privilege escalation, DLL hijack techniques
     Installation:
       git clone https://github.com/rootm0s/WinPwnage
       cd WinPwnage
       pip install -r requirements.txt
       pip install pyinstaller
       pyinstaller --onefile main.py
     Usage: main.py --scan uac

     Forensics Tools

     Autopsy - Digital forensics platform
     Installation: apt-get install autopsy -y

     bulk_extractor - Scans a disk image, a file, or a directory of files
     Installation: apt-get install bulk-extractor bulk-extractor-dbgsym -y

     Scalpel - Open source data carving tool
     Installation: apt-get install scalpel -y

     volatility - Volatile memory extraction utility framework
     Installation: apt-get install volatility volatility-tools -y

     binwalk - A fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images
     Installation: apt-get install binwalk -y

     Catfish - Versatile file searching tool
     Installation: apt-get install catfish -y

     dc3dd - A patched version of GNU dd with added features for computer forensics
     Installation: apt-get install dc3dd -y

     DumpsterDiver - Analyze big volumes of various file types in search of hardcoded secrets
     Installation:
       git clone https://github.com/securing/DumpsterDiver
       cd DumpsterDiver
       pip install -r requirements.txt
     Usage: python3 DumpsterDiver.py

     frida-extract - Frida-based RunPE extraction tool
     Installation:
       git clone https://github.com/OALabs/frida-extract
       cd frida-extract
     OR
       pip install frida
     Usage: python FridaExtract.py bad.exe

     Image-ExifTool - Read, write and edit Exif metadata
     Installation: apt-get install libimage-exif-perl libimage-exiftool-perl -y

     whatsapp-viewer - Small tool to display chats from the Android msgstore.db database (Windows)
     Installation:
       C:> curl -LO https://github.com/andreas-mausch/whatsapp-viewer/releases/download/v1.12/WhatsApp.Viewer.zip
       Unzip and run WhatsAppViewer.exe

     Information Gathering

     bing-ip2hosts - Enumerate hostnames from Bing
     Installation: apt-get install bing-ip2hosts
     Github: https://github.com/urbanadventurer/bing-ip2hosts
     Usage: bing-ip2hosts -o results.txt -u github.io
     (replace github.io with the website)

     datasploit - OSINT framework to perform various recon techniques
     Installation:
       pip install --upgrade --force-reinstall -r requirements.txt
       git clone https://github.com/DataSploit/datasploit
       cd datasploit
       pip --upgrade -r requirements.txt && while read line; do pip install $line; done < requirements.txt
       sed -i 's/dep_check.check_dependency()/#/g' datasploit.py
       sed -i 's/import dep_check/#/g' datasploit.py
     Usage: python2 datasploit.py -i target.com

     dnsenum - Perl script that enumerates DNS information
     Installation: apt-get install dnsenum

     dnsmap - Subdomain brute-forcing
     Installation: apt-get install dnsmap

     dnsrecon - DNS enumeration script
     Installation: apt-get install dnsrecon

     dork-cli - Command-line Google dork tool
     Installation:
       git clone https://github.com/jgor/dork-cli
       cd dork-cli
       chmod +x dork-cli.py
     Usage: ./dork-cli.py inurl:login

     dorks - Google hack database automation tool
     Installation:
       git clone https://github.com/USSCltd/dorks
       cd dorks
       apt-get install phantomjs
     Usage: phantomjs ghdb -q linux -o linux_dorks.txt
     Usage: phantomjs google -d inurl:upload.php -t 5 -T 3

     pagodo - Automate Google Hacking Database scraping
     Installation:
       git clone https://github.com/opsdisk/pagodo.git
       cd pagodo
       pip install -r requirements.txt
       apt install proxychains4 -y
     Usage: proxychains4 python3 pagodo.py -g ALL_dorks.txt -s -e 17.0 -l 700 -j 1.1
     Usage: python3 ghdb_scraper.py -j -s
     Note: edit proxychains by yourself

     faraday - Collaborative penetration test and vulnerability management platform
     Installation: apt-get install faraday -y

     fierce - DNS analysis Perl script
     Installation: apt-get install fierce -y

     hping - Network tool able to send custom TCP/IP packets
     Installation: apt-get install hping3

     knock - Subdomain scan
     Installation:
       sudo apt-get install python-dnspython
       git clone https://github.com/guelfoweb/knock.git
       cd knock
       nano knockpy/config.json (set up your virustotal.com API key here)
       sudo python setup.py install
     Usage: knockpy website.com

     masscan - Fast TCP port scanner
     Installation: apt-get install masscan

     metagoofil - Document and metadata reconnaissance (updated version)
     Installation: apt-get install metagoofil

     onioff - An onion URL inspector for inspecting deep web links
     Installation:
       git clone https://github.com/k4m4/onioff.git
       cd onioff
       pip3 install -r requirements.txt
     Usage: python3 onioff.py http://xmh57jrzrnw6insl.onion/
     Usage: python3 onioff.py -f urllist.txt -o report.txt

     OSINT-SPY - Performs OSINT scan on email/domain/ip_address/organization
     Installation:
       git clone https://github.com/SharadKumar97/OSINT-SPY.git
       cd OSINT-SPY
       pip install -r requirements.txt
     Setup (API websites):
       https://account.shodan.io/register | config: shodan_api_key
       https://dashboard.fullcontact.com/register | config: fullcontact_api_key
       https://www.virustotal.com/gui/join-us | config: virus_total_api_key
       https://hunter.io/users/sign_up | config: email_hunter_api_key
     Usage:
       Info BTC Owner: python osint-spy.py --btc_address 1DST3gm6JthxhuoNKFqXrdpzPFfz1WgHpW --json
       Info Website: python osint-spy.py --domain google.com --json
       Vuln Webcam: python osint-spy.py --device webcam --json
       Email Info: python osint-spy.py --email test@viperzcrew.com --json

     SimplyEmail - Email recon made fast and easy
     Installation:
       git clone --branch dev https://github.com/killswitch-GUI/SimplyEmail.git
       cd SimplyEmail
       ./setup/setup.sh
       cd ..
       cd SimplyEmail
     Usage:
       ./SimplyEmail.py -all -e viperzcrew.com
       ./SimplyEmail.py -all -v -verify -e viperzcrew.com

     spiderfoot - OSINT collection and reconnaissance tool
     Installation:
       git clone https://github.com/smicallef/spiderfoot.git
       cd spiderfoot
       pip3 install -r requirements.txt
     Usage: python3 sf.py
     Web: python3 sf.py -l 127.0.0.1:5001

     surfraw - A fast UNIX command line interface to a variety of popular WWW search engines
     Installation: apt-get install surfraw -y

     TekDefense-Automater - IP, URL and MD5 OSINT analysis
     Installation:
       git clone https://github.com/1aN0rmus/TekDefense-Automater.git
       cd TekDefense-Automater
     Usage:
       Auto: python Automater.py <ip address>
       Normal: python Automater.py -o result.txt -d 5 <ip address>

     theHarvester - E-mails, subdomains and names harvester (OSINT)
     Installation:
       git clone https://github.com/laramies/theHarvester
       cd theHarvester
       apt-get install python3-dev python3-pip -y
       pip3 install -r requirements/base.txt
       pip3 install -r requirements/dev.txt
       python3 setup.py || python3 setup.py install
     If the above pip3 commands are not working, try this:
       while read line; do pip3 install $line; done < requirements/base.txt
       while read line; do pip3 install $line; done < requirements/dev.txt
     Usage: python3 theHarvester.py -d viperzcrew.com -l 500 -S 0 -g --dns-server -n -c -f result.txt -b all

     trape - People tracker on the Internet: OSINT analysis and research tool by Jose Pino
     Installation:
       git clone https://github.com/jofpin/trape.git
       cd trape
       pip2 install -r requirements.txt
     If you have an ngrok token:
       python2 trape.py --ngrok <token>
       python2 --port 6666 --url viperzcrew.com

     WhatWeb - Web scanner
     Installation: apt-get install whatweb -y

     xray - A tool for recon, mapping and OSINT gathering from public networks
     Installation:
       git clone https://github.com/evilsocket/xray.git
       cd xray
       make
     Usage: xray -shodan-key yourshodanapi -domain domain

     zmap - Fast single packet network scanner
     Installation: apt-get install zmap -y
     Usage: zmap -p 21 -o result.txt -i <interface> --vpn --ignore-invalid-hosts
     (--vpn if you are using a VPN!)

     Keyloggers

     BeeLogger - Generate Gmail emailing keyloggers for Windows
     Installation:
       git clone https://github.com/4w4k3/BeeLogger.git
       cd BeeLogger
       sudo chmod +x install.sh
       ./install.sh
       python2 bee.py

     Keylogger - A simple keylogger for Windows, Linux and Mac
     Installation: pip install keylogger
     Usage: keylogger

     Radium-Keylogger - Python keylogger with multiple features
     Installation:
       git clone https://github.com/mehulj94/Radium
       cd Radium
       pip2 install -r requirements.txt
       python2 Radiumkeylogger.py

     Maintaining Access

     EggShell - iOS/macOS/Linux Remote Administration Tool
     Installation:
       git clone https://github.com/neoneggplant/eggshell
       cd eggshell
     Usage: python eggshell.py

     EvilOSX - An evil RAT (Remote Administration Tool) for macOS / OS X
     Installation:
       git clone https://github.com/Marten4n6/EvilOSX
       cd EvilOSX
       sudo pip install -r requirements.txt
     Usage: python start.py

     Metasploit - The world's most used penetration testing framework
     Installation: sudo apt-get install metasploit -y

     Parat - Python based Remote Administration Tool (RAT)
     Installation:
       git clone https://github.com/micle-fm/Parat && cd Parat
     Usage: python main.py

     pupy - An open-source, cross-platform, multi-function RAT
     Installation:
       git clone --recursive https://github.com/n1nj4sec/pupy
       cd pupy
       sudo chmod +x *
       ./create-workspace.py pupyws

     QuasarRAT - Remote Administration Tool for Windows
     Download: https://github.com/quasar/Quasar/releases/download/v1.4.0/Quasar.v1.4.0.zip
     Setup: https://github.com/quasar/Quasar/wiki

     tgcd - TCP/IP Gender Changer Daemon
     Download: https://sourceforge.net/projects/tgcd/

     TheFatRat - An easy tool to generate backdoors for bypassing AV
     Installation:
       git clone https://github.com/Screetsec/TheFatRat.git
       cd TheFatRat
       chmod +x setup.sh && ./setup.sh

     Veil - Tool designed to generate Metasploit payloads that bypass common anti-virus solutions
     Installation:
       sudo apt-get -y install git
       git clone https://github.com/Veil-Framework/Veil.git
       cd Veil/
       ./config/setup.sh --force --silent

     WMImplant - PowerShell based tool that is designed to act like a RAT
     Download: https://github.com/FortyNorthSecurity/WMImplant

     AhMyth - Android RAT
     Download: https://github.com/AhMyth/AhMyth-Android-RAT/releases

     Password Attacks

     BEWGor - Bull's Eye Wordlist Generator
     Installation:
       git clone https://github.com/berzerk0/BEWGor
       cd BEWGor
     Usage: python BEWGor.py -input

     bruteforce-wallet - Try to find the password of an encrypted Peercoin (or Bitcoin, Litecoin, etc.) wallet file
     Installation:
       git clone https://github.com/glv2/bruteforce-wallet
       cd bruteforce-wallet
       apt install libdb-dev libssl-dev -y
       ./autogen.sh
       ./configure && make; make install
     Usage: bruteforce-wallet -t 6 -f dictionary.txt wallet.dat

     chntpw - Utility to reset the password on Windows
     Installation: apt-get install chntpw

     chromepass - View passwords stored by the Google Chrome web browser
     Download: https://www.nirsoft.net/utils/chromepass.html

     crowbar - Brute forcing tool
     Installation: sudo apt install -y crowbar nmap openvpn freerdp2-x11 tigervnc-viewer python3 python3-pip

     cupp - Common User Passwords Profiler
     Installation:
       git clone https://github.com/Mebus/cupp
       cd cupp
       python3 setup.py || python3 setup.py install
     Usage: python3 cupp.py -i

     hashcat - Advanced password recovery
     Installation: apt-get install hashcat -y

     John the Ripper - A fast password cracker
     Installation: sudo apt-get install john -y

     LaZagne - Credentials recovery project
     Installation:
       git clone https://github.com/AlessandroZ/LaZagne
       cd LaZagne
       pip install -r requirements.txt
       cd Linux
     Usage: python laZagne.py all

     mimikatz - A little tool to play with Windows security
     Download: https://github.com/gentilkiwi/mimikatz/releases

     passwordfox - Extract the user names/passwords stored in Firefox
     Download: https://www.nirsoft.net/utils/passwordfox.html

     fcrackzip - A braindead program for cracking encrypted ZIP archives
     Installation:
       git clone https://github.com/hyc/fcrackzip
       cd fcrackzip
       ./configure || configure
       make; make install
     Usage: fcrackzip -b -c a -p aaaaaa ./noradi.zip

     SSH-Brute-Forcer - A simple multi-threaded SSH brute forcer
     Installation:
       git clone https://github.com/R4stl1n/SSH-Brute-Forcer
       cd SSH-Brute-Forcer
       pip install -r requirements.txt
       cd src
     Usage: python SSHBruteForce.py -i 127.0.0.1 -d True -p 2222 -U ./usernames.txt -P ./passwords.txt

     WCE - Windows Credentials Editor
     Download: https://github.com/returnvar/wce/releases

     Reverse Engineering

     IDA - Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger
     Download: https://ida.winsite.com/

     OllyDBG - A 32-bit assembler level analysing debugger for Microsoft Windows
     Download: https://sourceforge.net/projects/x64dbg/

     Resource Hacker - A freeware resource compiler & decompiler for Windows applications
     Download: http://angusj.com/resourcehacker/

     apktool - A tool for reverse engineering Android apk files
     Installation: apt-get install apktool -y

     smali - smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation
     Download: https://bitbucket.org/JesusFreke/smali/downloads/

     Sniffing / Spoofing

     Ettercap - A comprehensive suite for man-in-the-middle attacks
     Installation: apt-get install ettercap

     bettercap - The Swiss Army knife for 802.11, BLE and Ethernet network reconnaissance and MITM attacks
     Installation: apt-get install bettercap -y

     macchanger - Utility that makes the manipulation of MAC addresses of network interfaces easier
     Installation: apt-get install macchanger -y

     mitmproxy - Free and open source interactive HTTPS proxy
     Installation: apt-get install mitmproxy -y

     mkcert - Make locally trusted development certificates with any names you'd like
     Installation:
       git clone https://github.com/FiloSottile/mkcert
       cd mkcert
       apt install libnss3-tools
       go build -ldflags "-X main.Version=$(git describe --tags)"
     Usage: mkcert -key-file key.pem -cert-file cert.pem example.com *.example.com

     sslstrip - SSL/TLS man-in-the-middle attack tool
     Installation: apt-get install sslstrip -y

     Wireshark - The world's foremost and widely-used network protocol analyzer
     Installation: apt-get install wireshark -y

     moloch - An open source, large scale, full packet capturing, indexing, and database system
     Installation:
       git clone https://github.com/aol/moloch
       ./easybutton-build.sh --install
       make config

     Social Engineering

     evilginx2 - Standalone man-in-the-middle attack framework
     Installation:
       sudo apt-get install git make
       go get -u github.com/kgretzky/evilginx2
       cd $GOPATH/src/github.com/kgretzky/evilginx2
       make
     Usage: sudo ./evilginx -d

     Gophish - Open-source phishing framework
     Download: https://github.com/gophish/gophish/releases/

     HiddenEye - Modern phishing tool with advanced functionality
     Installation:
       git clone https://github.com/DarkSecDevelopers/HiddenEye.git
       chmod +x HiddenEye
       cd HiddenEye
       sudo apt install python3-pip
       sudo pip3 install -r requirements.txt
       sudo pip3 install requests
       sudo pip3 install pyngrok
     Usage: python3 HiddenEye.py

     king-phisher - Phishing campaign toolkit
     Installation: apt-get install king-phisher -y

     ReelPhish - A real-time two-factor phishing tool
     Installation:
       git clone https://github.com/fireeye/ReelPhish
       cd ReelPhish
       pip install -r requirements.txt
     Usage: python2 ReelPhish.py --browser FF --logging debug --submit
     Browser: 127.0.0.1:2135

     social-engineer-toolkit - Open-source penetration testing framework designed for social engineering
     Installation:
       git clone https://github.com/trustedsec/social-engineer-toolkit/ setoolkit/
       cd setoolkit
       pip3 install -r requirements.txt
       python setup.py
     Usage: setoolkit

     Vulnerability Analysis

     Am-I-affected-by-Meltdown - Meltdown exploit proof-of-concept
     Installation:
       git clone https://github.com/raphaelsc/Am-I-affected-by-Meltdown.git
       cd ./Am-I-affected-by-Meltdown
       make
       taskset 0x1 ./meltdown-checker

     CMSmap - Python open source CMS scanner that automates the process of detecting security flaws in the most popular CMSs
     Installation:
       git clone https://github.com/Dionach/CMSmap
       cd CMSmap
       pip3 install .
     Usage: cmsmap

     linux-exploit-suggester - Linux privilege escalation auditing tool
     Installation:
       wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh
     Usage: ./linux-exploit-suggester.sh

     Lynis - Auditing tool for Unix-based systems
     Installation:
       git clone https://github.com/CISOfy/lynis
       cd lynis; ./lynis audit system

     Nmap - The Network Mapper
     Installation: apt-get install nmap -y

     sqlmap - Automatic SQL injection and database takeover tool
     Installation: apt-get install sqlmap -y

     unix-privesc-check - Shell script to check for simple privilege escalation vectors on Unix systems
     Installation: apt-get install unix-privesc-check -y

     Wapiti - The web-application vulnerability scanner
     Installation: apt-get install wapiti -y

     wesng - Windows Exploit Suggester - Next Generation
     Installation:
       git clone https://github.com/bitsadmin/wesng
       cd wesng
       python setup.py || python setup.py install
     Usage: python wes.py --update

     Mobile Security Framework (MobSF) - An automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework
     Installation:
       sudo apt-get install python3.7 openjdk-8-jdk
       sudo apt install python3-dev python3-venv python3-pip build-essential libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev wkhtmltopdf
       git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF
       cd Mobile-Security-Framework-MobSF
       ./setup.sh

     Web Applications

     Burp Suite - Web vulnerability scanner
     Installation: apt-get install burpsuite -y

     CLOUDKiLL3R - Bypasses Cloudflare protection service via TOR Browser using crimeflare!
     Installation:
       git clone https://github.com/inurlx/CLOUDKiLL3R
       cd CLOUDKiLL3R
       pip install argparse
       pip install socks
       pip install socket
       pip install requests
       pip install sys
     Usage: python CK.py

     Nikto - Web server scanner
     Installation: apt-get install nikto -y

     owtf - Offensive Web Testing Framework (OWTF)
     Installation:
       git clone https://github.com/owtf/owtf
       cd owtf
       python setup.py develop
     Usage: owtf
     Browser: localhost:8080

     wafw00f - Fingerprint Web Application Firewalls (WAF)
     Installation: apt-get install wafw00f

     w3af - Web Application Attack and Audit Framework
     Installation: apt-get install w3af -y

     Wfuzz - Web application fuzzer
     Installation: apt-get install wfuzz

     WhatWaf - Detect and bypass web application firewalls and protection systems

     WPscan - WordPress vulnerability scanner
     Installation: apt-get install wpscan -y

     Web Shells

     weevely3 - Weaponized web shell
     Installation:
       git clone https://github.com/epinna/weevely3
       cd weevely3
       pip3 install -r requirements.txt
     Usage: python3 weevely3

     b374k - PHP webshell with handy features
     Installation:
       git clone https://github.com/b374k/b374k
       cd b374k
     Usage: php -f index.php
     Ex: php -f index.php -- -o myShell.php -p myPassword -s -b -z gzcompress -c 9

     Miyachung - PHP BackConnect Shell
     Download: https://packetstormsecurity.com/files/download/122612/miyabc.php.txt
     (rename from php.txt to php)

     wso-2.8-web-shell - Automatically exported from code.google.com/p/wso-web-shell-2-8
     Download: https://github.com/rzkyh007/wso-web-shell-2-8/blob/master/WSO2.8_undetectable.php

     Wireless Attacks

     Aircrack-ng - A complete suite of tools to assess WiFi network security
     Installation: apt-get install aircrack-ng

     airgeddon - Multi-use bash script for Linux systems to audit wireless networks
     Installation:
       git clone --depth 1 https://github.com/v1s1t0r1sh3r3/airgeddon.git
       cd airgeddon
       sudo bash airgeddon.sh

     Bluelog - A highly configurable Linux Bluetooth scanner
     Installation: apt-get install bluelog -y

     fluxion - Fluxion is a remake of linset by vk496 with fewer bugs and enhanced functionality
     Installation:
       wget https://raw.githubusercontent.com/FluxionNetwork/fluxion/master/install/install.sh && bash install.sh

     infernal-twin - This is an automated wireless hacking tool
     Installation:
       git clone https://github.com/entropy1337/infernal-twin
       cd infernal-twin
       chmod +x *
       ./InfernalWireless.py

     kismet - An 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system
     Installation: apt-get install kismet -y

     krackattacks-scripts - WPA2 KRACK attack scripts
     Installation:
       apt-get update
       apt-get install libnl-3-dev libnl-genl-3-dev pkg-config libssl-dev net-tools git sysfsutils python-scapy python-pycryptodome virtualenv
       git clone https://github.com/vanhoefm/krackattacks-scripts
       cd krackattacks-scripts/hostapd
       cp defconfig .config
       make -j 2
       cd ..; cd krackattack
       pip install -r requirements.txt
     Usage: ./krack-test-client.py --replay-broadcast

     KRACK Detector - Detect and prevent KRACK attacks in your network
     Installation:
       git clone https://github.com/securingsam/krackdetector
       cd krackdetector
     Usage: python krack_detect.py <interface>
     Usage: python krack_detect.py wlan0

     Pixiewps - An offline Wi-Fi Protected Setup brute-force utility
     Installation: apt-get install pixiewps -y

     RouterSploit - Exploitation framework for embedded devices
     Installation: apt-get install routersploit -y

     wifi-arsenal - Resources for WiFi pentesting
     Link: https://github.com/0x90/wifi-arsenal
     (Do not clone it, it will overfill your space xD)

     Wifiphisher - The Rogue Access Point Framework
     Installation: apt-get install wifiphisher -y

     WiFi-Pumpkin - Framework for rogue Wi-Fi access point attacks
     Installation:
       sudo apt install libssl-dev libffi-dev build-essential
       git clone https://github.com/P0cL4bs/wifipumpkin3.git
       cd wifipumpkin3
       sudo apt install python3-pyqt5
       sudo python3 setup.py install
     Usage: wifipumpkin3

     THIS WAS COLLECTED BY LINKS, INSTALLATION PROGRESS ETC...!
  7. The story of one patient

     About a year ago, one of my acquaintances did not mind getting sick with coronavirus. His naive delusions about the absence of danger to the lives of young people were well seasoned with the cheerful stories of friends who had recovered from the illness and got off with a slight cold. How wrong he was. Most likely, it was just frivolity and not frequent enough hand washing that ultimately led to his natural infection. So, a couple of months ago, my friend was diagnosed with coronavirus. I do not know what this is connected with, the specifics of his organism or a mutated strain of the virus itself, but his experience of the disease was very painful and no less prolonged.

     It all started in the classic way: mild fever, sore throat. At first glance an easy form, and he felt great. But on the 3rd day of illness, terrible things began to happen to him. Trying to sleep at night, my comrade noticed that something was wrong with him. He got out of bed and realized that he was losing consciousness. Buzzing in the ears, darkening in the eyes, legs that would not hold him. Of course, he immediately thought he was going to die. But still he stayed on his feet, raised his low blood pressure with sugary tea and somehow managed to fall asleep.

     In the morning, my acquaintance was literally wiped out: the most severe phase of the disease began. In a nutshell, you cannot do anything and just lie there dumbly. You don't even want to look at the smartphone screen, and the temperature goes off the scale. It feels like your brain is melting. Thoughts are intertwined and you cannot formulate anything; delusional, unrelated ideas appear. Then everything calmed down and the real mind games began. His health became much better, but an incomprehensible chest discomfort appeared: the obvious onset of pneumonia, which is probably the most unpleasant sensation from covid. You seem to be breathing, but at the same time you understand that you are only half full of strength. This is aggravated by anxiety and panicked measurements of blood oxygen levels every 15 minutes. The most unpleasant thing is that from all this discomfort you fall into a state of permanent anxiety, an obsessive fear of death appears, and you cannot sleep normally.

     Pneumonia has passed; we meet a new misfortune! Sharp chest pains. After such a call on another sleepless night, he rushed into the cardiologist's office. Total: a heart like a bull's, no violations were found. As it turned out, my friend had developed intercostal neuralgia. It hurts in exactly the same place where the heart should be and terribly interferes with sleep. The worst thing is that it accompanies him to this day.

     Postcovid Syndrome

     My acquaintance once again pulled out a "lucky" ticket and was among those 20% of people to whom the disease became attached an order of magnitude longer than the promised two weeks. So, what exactly is this postcovid syndrome? Roughly speaking, this is when the symptoms of the disease last more than 12 weeks. At the same time, the disease, as it were, is no longer in you, and antibodies have long been developed. These are muscle spasms, that very heavy breathing, digestive problems and a bunch of other things; you can read the full list yourself on the Internet, and I will tell you which of these symptoms have remained with him to this day.

     First of all, the coronavirus hit his psyche in the most serious way. He seems to be breathing normally, but the psychosomatics do not leave. My comrade still, every night, watches his breathing and is paranoid about the fact that he is breathing badly. Let's go further. As for the neuralgia, everything seems to be clear: it is not going to disappear. According to my friend, the chest pains have weakened, but very successfully manifest themselves before bedtime. As for taste and smell, they disappeared, but after a week they successfully returned. But literally this month, his perception of smells went to hell. Now he constantly tastes something strange after eating. My comrade perfectly feels the tastes, salty, sweet, but the strange smell is annoying. It does not happen with all food, but for example with meat, coffee and a whole bunch of other things. It is like a rotten chicken roll and is terribly off-putting. I can't quite imagine such a smell, but it feels disgusting. He is not sure if the covid is related to this, but for six months he did not have any other health problems.

     What is all this shit about?

     Basically, all the consequences of postcovid are due to a disruption of the nervous system. The virus is so powerful that it disrupted the functioning of the olfactory nerve, which is responsible for smell, and a bunch of other nerves. There is an imbalance of the two nerve systems, the parasympathetic and the sympathetic, which is why sleep problems, anxiety, tachycardia and fear of death arise. The worst thing is that there is no way to cure postcovid syndrome. It can only be endured, and it is not clear how long it will take to suffer.

     Outcome

     I am very afraid of this disease and do not want to go through what my good friend recently suffered. I will not urge you to wear masks and wash your hands; decide for yourself. I just wanted to share an interesting and alternative experience. Although the crown does not kill young people, it leaves a huge imprint on the nervous system. His case is proof of that. Now I am trying to heal my comrade with meditation. Let me know if it works. That's all from me; write about your experience of fighting the crown, and especially those who have become victims of postcovid syndrome.
  8. I sell it no longer; message @krrrbaw on Telegram to have it.
  9. In previous articles, we have already talked about how to test a site for vulnerabilities using the simplest tools.Today we will work with professional software. Namely with Netsprker and SQLmap. It's time to get rid of the pacifier, which is played by programs such as Webcruiser and Albaloo. To begin with, I suggest downloading everything that we will use throughout the article.It is impossible not to mention that this particular "bundle" was used in 2016 by the American hacker Ray Buttler right from prison and achieved impressive results by opening several clandestine "shops" and bitcoin exchanges. Gone are the days, but do not forget that 19% of web applications have vulnerabilities that allow them to gain control over both the application itself and the server OS. Netsparker will find them.We will consider working with the software under Windows, since NetSparker works only on this platform. However, the author recommends using Kali Linux and NetSparker on a virtual machine.Netsparker 5.0.0.19747 - The version I'm using.Netsparker 5.3.0.24388 - Newer than mine, but generally no different except for possible additional functionality), so this article should be relevant for this version ofSQLmap git or Sqlmap Git rarPython 2.7 (for working with SQLmap)Burp SuiteWhy exactly Netsprker and SQLmap?NetSparker is a powerful scanner, SqlMap is a console tool for exploiting found vulnerabilities.Netsparker is a powerful scanner of online resources, sites and web applications for errors, vulnerabilities and minor bugs. In the course of work, he generates a report, describing in as much detail as possible each part of the scanned resource, drawing up its “map”. Flexible settings, an intuitive interface, prompts and a huge base of vulnerabilities, plus a unique tool for detecting false positives, make this tool the de facto leader in the industry. 
It also has disadvantages: NetSparker is a heavyweight, scanning a resource can take hours, but at the same time the "sparker" will run the site and all its applications through all possible and impossible variants of vulnerabilities. NetSparker is far from the only tool of this kind, there are other good scanners like ZAP, which I will talk about next time.

Since, before proceeding directly to exploitation, vulnerabilities must be discovered, first we will talk about Netsparker. Next, we will look at the basic principles of attacking these vulnerabilities using SQLmap.

In order to open the program, you need to double-click on the Netsparker.exe file. After starting the program, we see the following:

The start window of the program has six sections, which we should consider:

1 - Field for entering the crawled site. The button built into the input field (the rightmost one, with a green arrow) opens the site that we entered earlier. Also Netsparker remembers the sites that we have already scanned and by clicking on the down arrow, which is located slightly to the left of the button, we can see them. It is very convenient if you suddenly need to go back to rescanning previous sites.

2 - For each crawled site, the program remembers the settings (which we will consider below), and this item allows you to save and select the crawl settings for the selected site. As follows:
Save Profile - Save settings
Save As New Profile - Save settings for this scan separately
Default - Standard scan
Previous Settings - Previous scan settings

3 - Site scan settings

4 - Authentication settings on the crawled site. An optional menu, but very useful if you need to scan a resource through your personal account

5 - Field of settings for each item of the third and fourth menus

6 - Start button and cancel button. It is worth mentioning that this item also has its own "settings" window:
Start Scan - Getting started.
No problems.
Crawl and Wait - Crawl without attacks.
Manual Crawl (Proxy Mode) - The same quiet mode, but through a proxy. I must warn you that you will need to install the certificate:
Scan Imported Links Only - Scans only specific links.
Schedule Scan - scheduled scanning.

After we have taken the interface apart, it's time to start a detailed study of the menu items. First, let's look at the third section - Scan Settings. We see five items in total. Let's consider them in order.

General

Basic settings. Let's start by looking at Scan Policy. These are the rules by which the resource will be scanned. Using this item, you can optimize our scan if we already have any information about the target. To do this, you need to click on the button that resembles a magic wand: The following menu opens: This is the welcome window. You can skip it. We look further.

Here we select the operating system installed on the scanned server.

In this window, we have to select the server installed on the scanned machine.

The fourth window is the choice of the language in which the applications of the scanned resource are written. You can select several at once if you are not sure.

In this window, select the database that the scanned resource uses. You can choose several if you are not sure.

At this stage, we indicate the amount of dynamic content on the site:
Little or no dynamic content - there is little dynamic content, or it is decorative, that is, it does not interact in any way with the back-end of the
Moderately sized dynamic web site - there is a lot of dynamic content and pages with it. Most sites fall into this category.
Complex Single-Page-Application - Complex applications that update the content of one page.

The seventh window is the search for hidden content. Netsparker enumerates the possible names of the contents of the remote server. Here it is possible to set a search limit.
The latter is a report of the parameters we selected earlier.
Scan Policy Name - the name of the policy created / optimized by us.
Click Finish, and in the main menu of the scan settings, we can select our policy. It usually becomes active by default.

The next thing we will look at in the main menu is the Report Policy. These are the items on which the program will report. If it is important for you to know only one detail, for example, whether the target has a vulnerability to the same SQL injection, click on the three dots and from the entire list, leave only SQL injection checked: Conveniently, the list is sorted from minimum to maximum. It is better not to disable anything here - let the report be as complete as possible.

Custom Cookies is a menu item where you can insert your own cookies, for example, intercepted ones:

The last point - setting up the Crawling, AKA making a sitemap
Find & Follow New Links - Follow the found links.
Enable Crawl & Attack at Same Time - Attack simultaneously with scanning
Pause Scan After Crawling - Stop the software after drawing up a complete sitemap.
Incremental Scan - Augmented scan based on the previous scan. Cannot be used without a finished resource map or on a new scan

Scope

Scan area settings. Includes only three fields:
Scope - Select the scan scale:
Entered Path and Below - Scanning a page and deeper
Only Entered URL - Scanning only the entered page
Whole Domain - Scanning an entire domain
Next - Exclude URLs with RegEx - Exceptions.
Regular expressions; pages matching them the program will skip. To invert this function, just mark Include instead of Exclude in the lower right corner of this item:
Include URLs with RegEx - Regular expressions; pages matching them the program will crawl first
Disallowed HTTP methods - Disallowed request types. In total, the program supports 13 types of requests: We select the methods of requests to the server, turn on everything and we will not change anything here. I will not describe each of them in detail, since this information is not necessary in our case and can easily be found on the Internet.

Additional Websites

Additional sites and links to crawl. The fact is that Netsparker does not scan pages that have a different domain from the main one. As an example, I can cite my previous article, where there was a site ixi.store. When switching to the affiliate program, we were transferred to the partner.ixi.store domain. So the program will scan only ixi.store, but will not compile a sitemap of partner.ixi.store. Therefore, to achieve a full scan, you need to add this domain to the additional scan lists: To do this, just insert the link we need into the text field and click on the square on the right in the Canonical column to make a check mark appear. It is also worth warning that the program accepts links only in the correct form. That is, in the form of "Shop affiliate program, CPA, affiliate network, dropshipping ' IXI.STORE online store affiliate program". Links like partner.ixi.store will be considered incorrect:

Imported Links

Links that Netsparker will crawl in addition to the main domain. Also, when the Scan Imported Links Only button is selected, the program will scan only what we have thrown in here. Let's explore the main functions of this menu.
Add - adding links. After clicking on this button, a new configuration window opens: This is a form for creating a request for scanning and adding a link to the list of scanned ones.
It's very simple, because the program will do everything automatically for you. Let's say we have a link rybolov.org ("Rybolov.ORG - fishing store with delivery across Russia, fishing goods by mail") that we want to add. To do this, just insert this link into the Host line. The domain that we will scan is usually entered there. But if we are going to "conduct an investigation" on individual links and sites, we can safely paste the copied link into this field. The program will automatically edit everything: If we have a completely different site in the scan profile, Netsparker will warn us about this and suggest changing the header.
Yes - Change
No - Do not change
Edit - edit the entered link. The same can be done with two clicks on the desired line.
Delete - delete the selected line. Another option is to press the Delete button on your keyboard
Clear - complete clearing of the list, deletes all lines
Search - search through the list. This function can be called by the key combination Ctrl + F
Import From File - import data from files. It also accepts reports from other programs: After choosing the type of imported file - select this file on your computer.
Enter Links - manual entry of links. In addition, you can choose the format of the links you enter. In my case, it's Relative or Absolute Links. After entering the links, we see the following picture: Everything was imported successfully.

URL Rewrite

Link conversions. This makes it much easier for search engines to index all pages on the site.
Use Heuristic URL Rewrite Support - The program will automatically detect other URL rewriting rules. Both custom and heuristic rules will also apply.
Root Path Maximum Dynamic Signatures - maximum dynamic signatures in the root path.
By default, their value is 60.
Sub Path Maximum Dynamic Signatures - maximum dynamic signatures of the sub path. Usually the value is 30.
Block Separators - separators. Classic separators are / $ . , ; | :
Analyzable Extensions - extensions that will be analyzed. In our case htm and html.
Use Custom Rewrite Rules - Netsparker will use custom link rewriting rules. To create / test a rule - click on the New button. A window opens where we will edit the link for the example. We will use rybolov.org. Here we need to choose where we will rewrite and what: Select the parameter to be overwritten, select its type and enter the name of the parameter. There are a lot of parameter types, but if you don't want to mess around, choose Any. After these actions, we can observe how the program itself creates regular expressions and executes new rewriting rules. To delete a rule, select the required line and click on Delete:
No URL Rewrite - do not convert links

We're done with this menu. It remains to consider the Authentication menu. This menu is responsible for configuring authentication on the scanned resource. Sometimes a resource can be closed, and for a full report you will need to log in to it. We will consider this function through authorization at php.testsparker.com. It is intended for testing Netsparker, and it seems to me that it is great for an illustrative example. Let's start!

Form

Select a form for authorization on the resource. To "enable" automatic authorization, you must check the Enabled box: Now we need a link to the data entry form to enter the personal account. In our case, this is the link http://php.testsparker.com/auth/login.php.
We enter it in the Login Form URL: After that, enter your login information. It is entered in the Personas field.
Active - selection of the combination of login and password that will be used
Username - Username
Password - User password
We will fill in the data as follows:
Login - admin
Password - admin123456
These data are written on the site itself: After entering, everything should look like this:

There are also settings for authorization by login and password. We'll look at them in turn:
Interactive Login - The program enters data and then transfers control to the user. It is mainly used to bypass captcha: the user of the program enters it here manually, and then completes the authorization and transfers control back to the program.
Override Target URL with authenticated page - Use the final page of the authentication process instead of the entered url. If this option is selected, then Netsparker will not make a request to the specified target url.
Detect Bearer Authorization Token - if an AJAX request is received after authorization on the site, the intercepted tokens will be used for scanning.

Now let's verify the login and logout functions. This is done using the Verify Login & Logout button. It looks like this: Immediately (or almost immediately) a window opens: This window can be roughly divided into two sections:
1 - Login check section
2 - Logout check section

Immediately after opening this window, Netsparker will begin initializing the login. The circles in the lower right corners of the sections will indicate the work done. They are yellow by default. They look like this: Immediately after the initialization of the login, work on the logout begins. The completed work will look like this: If the program has coped with the task, the circle in each corner will be green: You can check if the login page is verified in the settings menu of the authentication form, which we reviewed earlier.
The following message should have appeared next to the Enabled item: If the login has not been verified, we will write login scripts. It's not as complicated as you might think. I'll help you. To create a "plot" according to which Netsparker will initialize the login, click on the Custom Script item: After clicking, the program itself tries to explain to us how we will write scripts: I created this script earlier, so let's look at the left menu first. I will explain how scripts work.

netsparker.auth.login(username, password); - the command should be there by default. This is the initialization of the variables with the login and password, which we entered into the form at the very beginning. As I understand it, the program fills in the form using a CSS selector, which is copied automatically.

In order to create your own script, right-click on the login field. We are looking for it in the window on the right: Right-clicking on any item will always bring up the same menu. It consists of four points, of which we will use only two at most. But we will analyze everything at once:

Log element to console - logging of the selected element to the console. A very convenient thing to avoid looking for an element in the page code. After clicking on this item, find our element in the console below: This function is very convenient if we need to work with an element separately. For example, copy Selector, or just change it.

Generate Element code - automatic generation of code using the selected element. After clicking on this item, a line of code appears in the left menu. Of course, we will not understand anything right away, so I will specially analyze the line of this code for you:

netsparker.auth.setValueByQuery('#content > div.post > form > input[type="text"]:nth-child(1)', username);

It consists of four elements:

1 - netsparker.auth.setValueByQuery - defines the action to be performed on the element, of which the first part, netsparker.auth., is always static.
The second part of the first element is of two kinds: setValueByQuery and clickByQuery. In the case of setValueByQuery, the program will write the data. clickByQuery, on the other hand, initiates a click on an element; it is usually used for buttons and other elements, such as links, etc.

2 - '#content > div.post > form > input[type="text"]:nth-child(1)' - this is the path to the element to which the actions described in the first element will be applied (respectively, this is either a click, or data entry). The path to the element is described in the form of a CSS Selector. To get such a path ourselves, we turn to Log element to console, where in the console we copy Selector. Thus, we get an identical path that can be entered manually. For example, the path to the password field would be #content > div.post > form > input[type="password"]:nth-child(3). Copied this from the console like this:

3 - username or password. These two variables were initialized with the first line netsparker.auth.login(username, password); ... Works only on text fields. As you understand, we are not going to enter anything into buttons, so these variables are applied only for text fields.

4 - Pause element. Together with it, we will consider the last point - Generate element code (delay 2000ms): This item adds a pause. By default, this is two thousand milliseconds (which is equal to two seconds). This value is appended in the case of a text field after the entered variable, for example, username: If we talk about buttons, then clicking on the authorization button will look like this:

netsparker.auth.clickByQuery('#content > div.post > form > input[type="submit"]:nth-child(7)'); ...

In the case of a pause, the value is appended immediately after the path, since the variables, as I said, do not take any part.
The pause option looks like this:

netsparker.auth.clickByQuery('#content > div.post > form > input[type="submit"]:nth-child(7)', 2000);

Now let's formulate the mask by which the code is built:

WhatToDo('path', variable, pause);

Now with this knowledge, we can write our own script (or generate it via Generate element code). The finished version will look like this: To test it, click on the Test Script button: And we observe the work of the script: If everything works, click on OK, after which we are thrown into the main start menu, and the Custom Scripts item is replenished: We are done with this point.

Basic, NTLM / Kerberos

Authentication via the Basic, NTLM and Kerberos protocols. We will linger on this topic a little longer to figure out what kind of protocols they are.

The Basic protocol can be found, for example, when trying to connect to the FTP of any site through a browser. NTLM is a network authentication protocol that was developed by Microsoft specifically for its operating systems. Kerberos is also a network authentication protocol, the mechanism of which is mutual authentication between a client and a server. It is also supported by operating systems of the Windows family. A more secure protocol based on the Single Sign-On principle.

In addition to these three, the program supports two more types: Digest and Negotiate. Consider them as well: Digest (commonly known as a digest) - This is commonly used by web servers to process user credentials entered into a web browser. A similar method is used by VoIP. Negotiate is a scheme inherent in the Windows family that offers a choice between NTLM and Kerberos.

Now we can start studying the form itself. It consists of five elements - the type of authentication (there are only five types that the program supports: Basic, NTLM, Kerberos, Digest and Negotiate)
1 (Type) - Authentication type.
2 (URL Prefix) - URL to be logged in to.
3 (Username) - Username
4 (Password) - User password
5 (Domain) - Domain, optional item.
To test the entered credentials or just look at the work of the program - use the Test Credentials button. There is also one more setting, the last one in this window.
Do not expect challenge (Basic Authentication) - means that after authentication no challenges or additional requirements should arise, just like with basic authentication.
In addition to all this, there are tips for each item in Netsparker. They are located at the bottom of the menu: Therefore, if you did not understand anything from what I told you, you can read the tips. And we go to the next point.

Header

Header customization. In some cases, resources use headers for authorization. This menu is necessary to indicate these very headers. It is worth paying attention to the hint, which says that the header should contain only ASCII characters. Now about its functionality. There are only two settings here:
Name - the name of the header
Value - the value for the header.
Example: name is auth, value is true. It will look like this: You can use a kind of built-in constructor, which is called with the Add Authorization Header button. After clicking on this button, the following window opens: In Type we select the type, and in Credentials the same value. In order not to get stuck at this point, I will enter a random value in order to show what is written at the output. To save the data, click Save. To delete a line - click on any value (Name or Value), and press Delete:

Client Certification

Client certificate for authorization on the resource. By default, this is DO_NOT_TRUST_NetsparkerRoot, but you can add your own by clicking on the Add New button. The program accepts PFX and P12 files. PFX and P12 are extensions of the PKCS #12 standard. It did not become clearer, as I see it. This standard is used in cryptography. The very name PKCS is an abbreviation for "Public Key Cryptography Standards", which translates as "standards of public key cryptography". In our language, PKCS would sound like SKOK.
In our case, this is PKCS #12, which is a file format for storing keys that is recognized and used by many browsers and email agents. PFX and P12 are the same extensions.

Smart card

Authentication on the resource through a readable card. If you have a similar card - activate the item. To add data - click on Import Smart Card Certificate. Then Netsparker will start looking for a driver for reading cards, and then save the certificate it read. After reading the card, enter the pincode in the PIN field, and click on Get Certificates. After this procedure, click Import and in the main menu select the certificate we need, which the program read earlier.

We have taken the scan settings apart. Now we can proceed to the main window of the Netsparker program! Let's start a test scan.

1 - Main pages of the program. During the scan, two more are added: Link and Vulnerability.
2 - Menu with items and functions. For each page, everything is different and in different quantities. Lord, I still have to consider each of them ...
3 - Sitemap generated by the program during scanning.
4 - Controlled scanning. You can check the items from the third menu (which will appear in the upper Choose Parameters to Scan window) separately for the parameters selected in the Choose Security Tests window. By the way, this is a very useful item if in the scan parameters you have chosen only to draw up a map without attacks. Thus, you can hit the right nodes precisely, and not hammer the entire site, as happens with a normal scan.
5 - Window with the most detailed scan report (and not only).
6 - List of found items, grouped by the Netsparker database. Easier to show in practice.
7 - Brief information about the scan. Scanning speed (current and average), number of requests, failed requests, time spent.
8 - Found vulnerabilities, potential vulnerabilities, flaws and general information about "problem" areas.
9 - Program log, report on work.

So. Let's do a full scan of php.testsparker.com.
Just a scan, no settings. Unless we'll add authorization via login and password. How to do it - see above. Just in case, let me remind you: Now let's wait a bit to see the full picture. This site was created specifically to test the program, so it contains all possible holes, flaws and vulnerabilities. We are better off, because we can see what the program is capable of.

First, let's examine the functions of menu number one (1):

File

Work with program files. Import, export, etc. Let's examine this function: All autosaves and saves of previous scans are located here. To load - we find the save we need and load it by double clicking on it. You can upload someone else's (or your own, if saved separately) report using the Browse button. To export a report, use the Export button in the left menu. Then we create a file with the nss extension. In fact, two files are created: Everything is in order, one part is the report, the other part is the base of the report. After that, the data download icon appears in the center of the screen: When the download is over, the Home page will open. And to return to it without loading the report, there is a button in the upper left corner: You can also look at the beautiful and minimalistic design of the About window: Well, and Exit, if you are suddenly tired of everything and want to do something else: All clear? It's strange if not. If it's still not clear, read it again.

It's time to deal with the Home tab.
New - new scan
Schedule Scan - scheduled scanning.
Incremental Scan - Augmented scan based on our previous scan.
Schedule Incremental - a postponed additional scan that requires entering a report on which the work will be carried out.
New Instance - opens a new Netsparker.
Retest all - retest all found vulnerabilities to find out if they were fixed or not. Useful if you are checking your resource.
Hawk Check - check for Out-of-band vulnerabilities.
These are vulnerabilities such as Blind SQL Injection, Blind Cross-site Scripting, etc. It also applies to post-scan.
Import - import report / session
Export - export our session / report
Scan Policy Editor - editing the resource scan policy: Consider this point. Here you can change the policy right during the scan. For example, if during the scan it turned out that this is a Linux system, all tests for Windows can be disabled to speed up the work. If we look at the interesting things, then there are a couple of quite tasty parameters. For example, a list of ignored mail accounts. If you have similar ones, write them down. The item is called Ignored Email Addresses. To configure, copy the Extensive Security Checks item. To copy an item, first select the item we need, and then click on the Clone button: The copied item will appear at the very bottom.

Security Checks - Vulnerabilities for which the resource will be scanned. Moreover, each vulnerability has its own scan settings. For example, take our favorite SQL injection:

Crawling - search for links, drawing up a sitemap, studying a resource.
Crawling Page Limit - Page limit.
Maximum Signature - the maximum number of site signatures
Maximum Page Visits - The maximum number of visits to the site pages
Wait for Resource Finder Checks to Finish - waiting for the resource search check to complete
Text Parser - parses text from the crawled resource
Parse SOAP Web Services - A type of parsing of WSDL files (WSDL is a language for describing web services and accessing them)
Parse REST Web Services - Parses WADL files and Swagger (framework and specification for defining REST APIs).
Fallback to GET - can we get to work already? no? okay... The program sends special HEAD requests to reveal hidden files and directories. If all else fails, Netsparker reverts to the GET option. Usually off
Add Related Links - Specifies whether to crawl all related links when a new one is found.
Adds all related links to the sitemap. Usually on
Enable Parameter-Based Navigation - if the target website uses parameters to work with content other than pages. For example, instead of the page tovar.php, it uses a parameter like page=tovar. Usually off
Navigational Parameter RegEx - navigation regular expressions for the program to work through the resource.
Maximum Page Visits - the maximum number of visits to a page that contains navigation parameters; we talked about them above.
Load Preset Values - Load presets of all items for different types of sites.
DOM Load Timeout - Timeout in milliseconds to wait for the site page to load before starting the JS DOM simulation. DOM stands for Document Object Model. A programming interface that allows programs and scripts to access the content of HTML and XML files.
DOM Simulation Timeout - Timeout in milliseconds (all timeouts are in milliseconds, I won't write this anymore, that's all) before the end of the JS DOM simulation.
Intervent Timeout - timeout after a JS event trigger before new events start. Just like in life.
Max Simulated Elements - the maximum number of elements in the simulation.
Skip Threshold - Skip threshold. The number of elements that will be simulated before starting the total skip of all other elements.
Elements to skip - the number of skipped elements after passing the skip threshold (referring to the point above).
Max Modified Element Depth - The simulation begins to skip examining each of the cascading elements after passing through the depth threshold.
Pre-simulation Wait - timeout before starting the simulation and after loading the page
Exclude by CSS Selector - Exclude HTML elements from event modeling using a CSS Selector. All matching elements will be excluded, including their descendants.
We will have to select the elements manually: After completing the work, click on Select, and enjoy the recorded data.
Max Option Elements - the maximum number of optional elements per selected element to simulate.
Persistent JavaScript Cookies - Semicolon-separated cookie names.
Open Redirect Conf. Timeout - timeout before the end of the JS DOM simulation to confirm an open redirect. How? Where? - do not ask. Where the redirection goes, there the confirmation will be.
XSS Confirmation Timeout - timeout before the end of the JS DOM simulation for XSS confirmation. Yes, there is such a thing too.
Filter document events - Filter the events attached to the document by name to reduce the number of events triggered during simulation.
Ignore document events - ignore events attached to a document
Filter 'colon' events - filter for events containing a colon. Commonly used by frameworks.
Extract static resources - Extract static resources from DOM elements.
Allow out-of-scope XML HTTP requests during simulation - A useful feature if the target is not loaded due to a crooked scan profile setting

Now we are gradually moving on to other settings.

Attacking
Maximum Number of Parameters to Attack on Single Page - the maximum number of attacked parameters on one page.
Enable Proof Generation - generate an exploit report after confirming a vulnerability.
Attack Parameter Names - Generate additional attacks using the name of the request parameter.
Attack User-Agent Header - Generate additional attacks using the user agent header
Optimize Header Attack - I didn't understand how this function works. I only understood that the header attack will target all links
Optimize Attack to Recurring Parameters - search for duplicate parameters in different URLs.
Attacks everything that is included in the limit on the attacked elements on the page (Maximum Number of Parameters to Attack on Single Page)
Recurring Parameters Attack Limit - page limit for attack by repeated parameters
Anti-CSRF Token Names (Comma Separated) - comma separated names of tokens for protection against CSRF attacks (Cross Site Request Forgery, translated as "cross-site request forgery")
Enable Random Parameter Attacks in Cross-site Scripting Engine - using additional parameters on pages to detect vulnerabilities such as Cross-site Scripting

We continue to suffer, learning all the functions of the program.

Custom 404
Setting up 404 pages, as I understand it. Some sites use their own beautiful ones. And now they are very different from the standard 404. So that the program is not stupid and does not scan empty answers, we choose what values the 404 pages have to detect them.
Auto Custom 404 - Automatic recognition. You need to enter the maximum number of 404 signatures.
Manual Custom 404 - You will have to enter the regular expressions for 404 manually.
Disabled - standard 404.
Maximum 404 pages to Attack - the number of 404 pages to bypass and attack.

Go to the Scope item
Case Sensitive - Increased SQL Injection Report. Although the scan will be more sensitive, the result was never affected, no matter how much I used Netsparker. And by default it is usually always off.
Bypass Scope for Static Checks - detection of vulnerabilities even if a scan is specified from a specific page and further, without going down to the domain.
Enable Content-type Checks - the program will ignore and not analyze pages whose content type header matches the values given in the list.
Block Ad Networks - Always on. If there is a link to an advertising resource from the list, the program will ignore the scan of this resource.
Next on the list is Ignored Parameters - Parameters are simply ignored.
Closer to the end - Form Values - Form data. You can add your data via URL or by uploading past scans.
We will consider this as regular expressions.

Brute Force
Netsparker has about sixty brute force combinations. You can use this function to check for standard login form passwords.

Autocomplete
Data for searching forms with autocomplete.

Netsparker Hawk
It's simple, setting up one of the post-scans. The URL is inserted by default.

Ignored Email Addresses
Regular expressions for ignored mailboxes.

CSRF
Configuring a CSRF attack.

Web Storage
Web storage.

Auto Send To
Configuring automatic submission.

Extensions
Scanned extensions and some settings for them: attacked parameter or not, investigate or not, and so on. To change this or that parameter, click on it and select the option you need from the list.

Go to the HTTP tab
Let's examine the Request item:
User Agent - data of user agents: name and value.
Request Timeout (seconds) - the program will retry the request if the previous request took more than the specified time. The timeout is set in seconds.
Accept - setting the headers that Netsparker will use in all requests.
Accept Charset - setting the encoding for all subsequent requests.
Accept Language - setting the language that will be used in all requests.
Then there are just three checkboxes: Gzip support, server load reduction, cookie support.
Concurrent Connections - the number of connections to the target. If you set too many, there may be connection problems and/or server failure (DoS). Haha, dudos.

The second point is Proxy
Setting the proxies used for the scan. You can chop up your proxies, just like in my last article about brute force, where you can connect your account with proxies to the program.

Penultimate item - Headers
This is the setting for the headers.

The last one is SSL / TLS
Configuring supported protocols.

Now the third menu item is Knowledge Base.
And immediately the first page of the menu - General
Connecting this very base to the scan.
The thing is useful, we leave it on.

The last item in this window is Comments
Regular expressions for finding information in comments. You can add your own search terms if you know what to look for.

Everything! We can go back to the program itself. I hope there will be no more such large-scale menus.

We continue to explore our top menu: there are a couple of unstudied items left for each. For example, Report Policy Editor. In fact, this is a configuration of the vulnerabilities whose presence will be reported by the program.

Another important point is Options. These are the program settings. Everything is very simple and straightforward, let's figure it out. Believe me, you will come here sometimes. Not as often as to the scan settings (which I will dream about after this article), but you will come.

This is what the window looks like. Now everything in turn.

General
Language - the language of the program. Usually only two languages are supported: English and Korean.
Sounds - setting the sounds of the program. The type of sound notification when a vulnerability is "caught". To add your own sounds or customize existing ones, there is a Configure Sounds button.

Storage
Setting up storage locations.
Data Directory - a storage location for scanned data and the like.
Password Encryption Scope - sorting passwords for setting up authentication.

Internal Proxy
Internal proxies.
Listening Port - proxy port.
Register as the System Proxy - connecting the system proxy settings from IE.
Allow Remote Connections - the program will listen on all connected interfaces "from outside".
Use Custom Root Certificate - use your own root certificate. The program will read files with the .cer and .pfx extensions (we talked about them earlier, by the way).

Logging
Logging level and customization.
Enable Logging - enables the logging function.
Performance Analysis - performance analysis.
Show Attack Possibilities Knowledge Base Node - show potential vulnerabilities of a node in the Knowledge Base function tree.
Default Log Level - select what will be reported and what will be logged by the program. The further we move the slider, the more will be logged. You can see the number of logged elements just below the slider.
Categories - categories of logging.

Auto Update
Automatic updates. Why is this enabled for me? Turn it off.

Scan Policy
Suggest Optimization - a warning about the optimization of the scan policy.

Proxy
Setting up external proxies.
Use System Proxy - using the proxies from IE.
Use Custom Proxy - use your own proxies. Data entry will be required, as in brute force. I talked about this earlier, by the way. And in the last article about databases, you can find a similar function. Nothing complicated. Enter the username, password, domain on which authentication will take place, etc.

Cloud
Netsparker's cloud storage settings. Disable the function and skip this item.

Well, the last menu is Extensions, with a single Send To Actions item. Setting up automatic sending of data. If you will use it, the easiest way is to set up a submission to GitHub. I've experimented with this function, and somehow it didn't work out very well. This function is optional, so we skip it.

If you realized that you overdid it with the settings, then you can reset them to the standard ones. Understood? Excellent! There is not much.

Go to the new menu: View
Well, I won't say much here. It's just setting up windows - which ones to show, which ones not. The main six are always active, the rest are opened either automatically or manually, if you like. I'll just look at a couple of interesting features.

Encoder and Request Builder can be used outside the scan as separate functions.
Lucky they are next to each other.

Let's look at the Encoder utility first. A useful utility for decoding encoded/ciphered text. The only thing it doesn't decode is hashes. It has two fields: the text input and the text output. There is a settings menu in between: encode text, or decode.

And now my favorite. Request Builder. A very handy thing for working with requests. True, the utility supports only seven request types: GET, POST, HEAD, PUT, PATCH, DELETE, and OPTIONS. I spoke about them, and I will not repeat myself. To send a request, use the Send Request button in the upper right corner. The program will configure everything automatically - just paste the link into the Host line. Only the choice of the request type depends on you. Actually, that's all with that. I showed the main functions; the rest depends on what you want.

To return windows to default, use the Reset Layout button.

The next tab to learn is Reporting
This is the export of a scan report, but more advanced; it is possible to generate a report for import into other programs.
OWASP Top Ten 2010 Report - a report for the OWASP project; in my case unreadable.
Detailed Scan Report - same story as with OWASP.
HIPAA Compliance Report - a human-readable report compiled in accordance with the HIPAA standard (Health Insurance Portability and Accountability Act), a la the health insurance accountability act, but on the Internet.
OWASP Top Ten 2013 Report - the report for the OWASP 2013 project; in my case, it remains unreadable.
OWASP Top Ten 2017 Report - report for the OWASP 2017 project. Unlike the previous OWASPs, readable and convenient.
PCI Compliance Report - PCI compliance report.
Comparison Report - a short report. My key is broken like a border in Letov's song.
Executive Summary Report - the shortest and most beautiful report on found issues with an explanation. Beautiful pie chart.
Knowledge Base Report - a "knowledge base" only report. For me it is broken.
Who still does not understand what a "knowledge base" is - please read: these are the collected features of the site and found details such as postal addresses or code comments. A very useful thing. We will get acquainted with it a little later, when we finish with the main menu.
ModSecurity WAF Rules - report of vulnerable parameters and rules for the ModSec firewall. I don't use it, but the report works.

Wow, there are still 10 points left. Let me simplify the task.
1 - Export the list of found links
2 - Export the list of crawled links
3 - Export the list of found vulnerabilities
There are only three options for the exported list: CSV, JSON and XML files.
The last, tenth function is a detailed report on the vulnerabilities found in XML format: Vulnerabilities List - Detailed (XML).

Before we finish parsing the reports, I will take apart the window for saving the report:
Path - the path where the report will be saved.
Policy - reporting policy. By default, this is the Default Report Policy.
Export as HTML - save the report as an HTML document.
Export as PDF - save the report as a PDF document.
Open Generated Report - open the saved report. If you make two reports, PDF and HTML, then both will open upon creation.
Save - save.

The next tab is Help. This menu has nothing to do with the functionality of the program, so we will not consider it.

The active items in the Vulnerability tab depend on what kind of vulnerability Netsparker found. For example, let's take one of the previously found vulnerabilities. In addition, pages are added in the main block. Usually there are two new pages - Vulnerability and Browser View. We'll look at them later when we work with the main interface.
Retest - double-check the found vulnerability.
Copy as cURL - copy the cURL request for this link.
Generate Exploit - creates XSS and CSRF vulnerabilities; works only for Cross-site Scripting vulnerabilities.
Accordingly, in order to be able to generate such a vulnerability, you need to select a link that has a confirmed Cross-site Scripting.
Execute SQL Commands - execution of SQL commands. Only works with SQL injection vulnerabilities.
Get Shell - using a shell for remote execution. Can only be exploited if there is a Code Evaluation vulnerability.
LFI Exploitation - download system and other important files from the site's server if there is a Local File Inclusion vulnerability.
Short Names - short names. I have never used it.
Ignore from this Scan - ignore the vulnerability or item for this scan.
Configure Send To Action - see the Extensions menu, Send To Actions.
ModSecurity - as I understand it, this is a report of the vulnerable settings and rules of the ModSec firewall specifically for this link.
So, that's everything with this menu item. It remains to consider the last one.

Link
Controlled Scan - a controlled scan of this particular page.
Send Request Builder - we have already analyzed this.
Copy URL - copy the URL. You can also copy the URL from the Vulnerability tab.
Next, there is a whole bunch of useless functions that I have never used - open this page in the selected browser. Not in the program, but in your browser. By the way, I've always wondered why the icons of all browsers are always round. Amigo doesn't count - it's a virus.

The last push. Let's examine the main window in more detail. This should have been done at the very beginning, but I decided to leave the sweet and simple for later.

Sitemap - sitemap. To get a report on a particular phenomenon, page or vulnerability found, you need to click on the item of interest to us.
If you right-click the mouse, you can call up a quick menu with basic functions. We've covered everything before. It is worth considering only a couple of individual ones that will help us a lot in the future.
Copy SQLmap Command - the program generates a command for SQLmap and copies it to the clipboard.
Perhaps one of the most useful features.
Exclude This Branch from Attack - exclude all pages of this node from the list of attacked ones.
Expand - expand a node.
Collapse - collapse a node.
Controlled Scan - controlled scan. To get started, you need to select the desired parameter in the sitemap, select it in the upper list, select what we will scan for in the lower list and click on the Scan button. I have already talked about it several times. Once again, I will say that it is very useful when you do not attack with a scan, but simply draw up a sitemap, and then hit specific nodes, and do not force the entire system.

One large window. Several tabs. Let's start with the first one - Scan
A detailed report on the current scan: the attacked page, its parameters, the attack method, what is happening, passive analysis, etc. There is even a timer showing how long the page has already been scanned.
HTTP Request / Response - a log of HTTP requests and responses; there is a search function by response.
Attack Radar - visualization of problematic sides and their criticality. Nice, huh? You can also disable the grid with the Logarithmic item.
The other two we have already considered earlier.
Browser View - viewing this page "in the browser". A purely visual function, nothing more. The page itself does not work.
That's all with that. These are the main pages that we will have by default.

Let's proceed to the Knowledge Base window. This window is linked to the previous one, and when we click on the element of interest, a new page opens in the previous window. I don't think I need to explain what is what here. You can poke at random and see what has opened. Everything is intuitively clear from the icons.
But since I promised to consider it in more detail, it is worthwhile to deal with each item separately:
Comments - comments found by the program.
Crawling Performance - crawling performance report for each function.
CSS Files - found CSS files.
Email Addresses - email addresses found on the site.
External Frames - external frames.
External Scripts - external scripts.
File Extensions - all file extensions on the site.
Interesting Headers - headers that the program paid attention to.
MIME Types - found MIME types.
Out of Scope Links - links and pages that were excluded from scanning.
Proofs - basic data pulled from the server through exploits (for example, data from C:\windows\win.ini or a list of server processes).
Scan Performance - report on the performance of the entire scan.
Site Profile - site profile.
Slowest Pages - pages that took the most time to load.
Web Pages With Inputs - pages that have an input function.
Issues - a short report on found problems, vulnerabilities and just information. Can be grouped by severity, by type of vulnerability, by "proof" and by page.

Everything. We've completely taken Netsparker apart. I must say right away: do not forget to configure the program when checking serious resources! The admins will not have any questions if suddenly someone searches through the entire site, drawing up a map. But if you rape the site, then it will certainly be noticed. Therefore, use the settings and work correctly!

Let's get down to the next tool. This can be considered the last part of this article - in it I will teach you how to use SQLmap. But first, I'll tell you what it is and what we need to work.

SQLmap automates the process of finding and exploiting SQL injection, and not only finds a security hole, but exploits it to the fullest. It supports all types of injections.
The sqlmap functionality allows you to: dump databases, automatically search in the database, extract and decrypt logins and passwords, launch a cmd shell, launch an interactive SQL shell, in which you only need to write SQL queries to the database, and sqlmap itself will compose the payload for the injection. There is an excellent Cheat Sheet that shows all the features of this tool in two pages.

To work with this utility, we need Python version 2.7. All links are given at the very beginning and I see no point in telling what to download and what to install.

In this article, I use an operating system of the Windows family, therefore the analysis will be for this OS. In fact, working with SQLmap on Windows is no different from working with it on Linux. The Internet is full of manuals for this program, so we will consider only the main functionality.

There are five main classes of SQL injection, and all of them are supported by sqlmap:

UNION query SQL injection. The classic version of SQL injection, when an expression starting with "UNION ALL SELECT" is passed to the vulnerable parameter. This technique works when web applications directly return the output of the SELECT command to the page: using a for loop or similar, so that each record of the retrieved database selection is sequentially output to the page. Sqlmap can also exploit the situation when only the first record from the selection is returned (Partial UNION query SQL injection).

Error-based SQL injection. In the case of this attack, the scanner replaces or adds a syntactically incorrect expression to the vulnerable parameter, after which it parses the HTTP response (headers and body) in search of DBMS errors, which would contain a previously known injected sequence of characters and, somewhere "nearby", the output of the subquery we want. This technique only works when the web application for some reason (most often for debugging purposes) exposes DBMS errors.

Stacked queries SQL injection.
The scanner checks if the web application supports sequential requests and, if it does, adds a semicolon (;) to the vulnerable HTTP request parameter, followed by an injected SQL request. This technique is mainly used to inject non-SELECT SQL commands, such as data manipulation (using INSERT or DELETE). It is noteworthy that the technique can potentially lead to the ability to read/write from the file system, as well as the execution of commands in the OS. However, this depends on the database management system used as the back-end, as well as on user privileges.

Boolean-based blind SQL injection. Implementation of the so-called blind injection: data from the database in a "pure" form are not returned anywhere by the vulnerable web application. The technique is also called deductive. Sqlmap adds a syntactically well-formed expression containing a SELECT subquery (or any other command to retrieve a selection from the database) to the vulnerable HTTP request parameter. For each HTTP response received, the headers/body of the page are compared with the response to the original request, so the utility can determine the output of the embedded SQL statement character by character. Alternatively, the user can supply a string or regular expression to define "true" pages (hence the name of the attack). The binary search algorithm implemented in sqlmap to perform this technique is capable of retrieving each character in the output with a maximum of seven HTTP requests.

Time-based blind SQL injection. Completely blind injection. Just like in the previous case, the scanner plays with the vulnerable parameter. But in this case, it adds a subquery that causes the DBMS to pause for a specified number of seconds (for example, using the SLEEP() or BENCHMARK() functions). Using this feature, the scanner can retrieve data from the database character by character, comparing the response time to the original request and to the request with the embedded code.
It also uses a binary search algorithm. In addition, a special method for data verification is applied to reduce the likelihood of incorrect character extraction due to an unstable connection.

Despite the fact that the scanner is able to automatically exploit the found vulnerabilities, you need to understand in detail each of the techniques used. If the topic of SQL injection is still familiar to you only superficially, I recommend flipping through the ][ archive or reading Dmitry Evteev's manual "SQL Injection: From A to Z". It is also important to understand that attack implementations are often very different for different DBMSs. Sqlmap is able to handle all these cases and currently supports MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB.

Remember that before this we learned how to use Netsparker? If Netsparker finds at least one SQL injection, then SQLmap will allow it to be exploited.

I got bored with conventional injections, so I suggest considering blind injection to make it more interesting. We will not search for a long time - we will take the link from the site that we crawled earlier: Netsparker Test Web Site - PHP.

By the way, when installing Python, there is an option that adds the Python executable file to PATH, so as not to write the path to it every time. I am still a fruit and for my fruity reasons I will not do this. Just because I'm not looking for easy ways. But in fact, I just realized that I fucked up, and I am writing this paragraph at the end of the article.

Now we open the command line. I installed Python on the C drive. Next to Python I also installed sqlmap. Now we need to check if everything works. To do this, use the CD command to go to the root:
CD C:\
To run the utility, you first need to write the path to the Python executable file, Python27\Python.exe, and then, separated by a space, the path to the utility itself, SQLmap\sqlmap.py, and press Enter.
Don't copy SQLmap to the Python folder!
Don't worry, this error is caused by a "blank" startup. Let's check one of the proposed options. Use -h to get a list of commands. Press Enter again (this time to continue), and enter:
Python27\Python.exe SQLmap\sqlmap.py -h
Everything is working.

To get started, you need to use the -u option. It is used to indicate the attacked link. The correct command would look like this:
Python27\Python.exe SQLmap\sqlmap.py -u Netsparker Test Web Site - PHP
It is necessary to follow the whole process, since the program may ask us how to proceed next. Usually we are asked a simple yes or no. To answer yes, enter Y or y, otherwise N or n. The capital letter in the question means the default choice, and if you are too lazy to press two buttons, you can press one - Enter - and the program will continue working with the default choice. What? Are you too lazy? Okay. To make the program act at its own discretion, we use --batch. Please note, two hyphens. We add this option to the end of the command:
Python27\Python.exe SQLmap\sqlmap.py -u http://php.testsparker.com/artist.php?id=test --batch
It remains to wait for the program to finish. It will itself inform you about the completion of the work and provide the found material.

To get a list of databases, use the --dbs option. You can find out what exactly the program does and what methods it uses by reading the log of its work. And since this is a blind injection, the utility will gradually, letter by letter, recognize the names of all databases. A great and illustrative example of working with blind injection. To do it manually, you would have quit in the second minute of work.

When working with other resources, the utility can stop its work, reporting an expired timeout: "connection timed out to the target URL". Meanwhile, your target will work and open quietly in the browser. The problem is that some resources recognize SQLmap and disconnect from it.
To avoid this problem, I advise you to use the --random-agent option. Thus, we disguise ourselves and continue working:
Python27\Python.exe SQLmap\sqlmap.py -u http://php.testsparker.com/artist.php?id=test --random-agent --dbs

OK, we've got a list of all databases, and now we need to get their contents. Our proud --dbs turns into a simple -D, after which we enter the name of the database we are interested in. In my case, this is mysql. To get the tables, add --tables to the very end.
Python27\Python.exe SQLmap\sqlmap.py -u http://php.testsparker.com/artist.php?id=test --random-agent -D mysql --tables --batch
Since this is a blind injection, we again have to wait for all the data to be received. Yes, for a long time, but how else? The utility found a lot of tables. To get the columns, we use the same system as with obtaining tables, only change --tables to -T, enter the required tables and then add --columns:
Python27\Python.exe SQLmap\sqlmap.py -u http://php.testsparker.com/artist.php?id=test --random-agent -D mysql -T proc --columns --batch
Yes, we have to wait again. It was necessary to study the insides of the target in advance for the article. It takes only a couple of seconds for you, while I'm sitting here with tea, having waited for an hour.

I've been waiting for the fifth hour, so I just gave up and left to work with another database, logs. Everything is the same, only the names of the databases and tables are different:
Python27\Python.exe SQLmap\sqlmap.py -u http://php.testsparker.com/artist.php?id=test --random-agent -D logs -T logs --columns --batch
Finally! We got a list of columns. Now, to get their contents, we do the following: --columns evolves (or degrades, whichever is more convenient for anyone) into -C, enter the column/columns we are interested in separated by commas and add the --dump key to the end.
Python27\Python.exe SQLmap\sqlmap.py -u http://php.testsparker.com/artist.php?id=test --random-agent -D logs -T logs -C IP,useragent --dump --batch
After that, the program starts pulling the data. I would have to wait a very long time to show the finished result, so I'll show you how the dump looks in someone else's example. The problem is the time it takes for the blind injection.

In principle, that's all. But specifically, as an addition, I will show a couple of tricks. For example, how about the server executing our commands? For this we need to create a shell. For this we will use the --sql-shell command:
Python27\Python.exe SQLmap\sqlmap.py -u http://php.testsparker.com/artist.php?id=test --sql-shell
It does not always work, but if we are successful, we get full access, and we can even add our own users. For example, let's try to get the user with the SELECT user() command. To execute this command, we just need to write it directly into the command line. SQLmap has already created a shell and is ready to send our commands for execution. Let's try. Voilà. I will not explain the usefulness of this function, it seems obvious to me. And to get out of this mode, enter x or q. If you want to use CMD, it is easier to do it in Netsparker if there is a similar vulnerability.

In addition, I am obliged to tell you how to attack the vulnerability if the data is transmitted by a POST parameter. If in Netsparker you see a message that this is a POST SQL Injection, then by clicking on it in the Sparker, in the working window find the name of the variable being passed (TYPE) and its value (VALUE), then simply substitute these values into sqlmap:
Python27\Python.exe SQLmap\sqlmap.py -u Netsparker Test Web Site - PHP --data "username=admin,password=admin123456"
then everything is the same.

You can also use Burp Suite to parse POST injections.
You can do without this program, but more on that later; this tool is very interesting and we must put in at least a word for it. After installation and launch, we will be asked to select a project. We will not create anything, and therefore we will select a temporary one and click Next. We will use the default settings for this project, the standard ones. Click on Start and wait for the program to open.

Immediately after opening the program, we go to the proxy settings menu. Now I will show you how to add your own, but we will add a slightly specific one. Click on the Add button. After that, set up everything like mine and click OK. We will use our new proxy. To do this, go to the browser settings. Since I use Firefox (and I advise you to), the proxy setting is in my "Network Settings". We manually configure the proxy that we entered in Burp Suite.

Before accepting the settings, open the login data entry form separately: http://php.testsparker.com/auth/internal.php. After that, we accept the settings, enter the data and click on the login button. The page will load, but we do not need this process, but the data that is in Burp Suite. We only need one line. Input line:
username=admin+&password=admin123456&token=11940
To work with this data in SQLmap, we will use the --data option:
Python27\Python.exe SQLmap\sqlmap.py -u http://php.testsparker.com/auth/internal.php --random-agent --data "username=admin+&password=admin123456&token=11940" --dbs --batch
In our case, the injection failed. However, I explained how to use POST in SQLmap to attack.

As I promised, I will tell you how to catch POST immediately in the browser. For this we need to open the page where we will enter the login and password, and open the console with the F12 key. Next, we need to open the Network tab and check the Continuous logs item. After that, we enter the data on the site and start looking for our POST request in the logs.
To get the data we need, click on the request we need and in the menu on the right, select the "Parameters" tab. In the parameters there is a "payload" item, which contains the string we need.

My task is to consider the main functions; the SQLmap utility needs to be taken apart separately and completely in a new, separate article. This article is already painfully long and loaded. I think I'll analyze it in a future article the way I analyzed Netsparker in this one.

The article has come to an end. I will not hide that most of the effort went to Netsparker. The reason for this is the lack of such material in Russian. There are short descriptions, but no full analysis. I decided to change the situation by writing a full analysis of the functions of this product. The fact is that on the same SQLmap you will find hundreds, if not thousands, of articles and full analyses of all functions, commands, and even examples of successful attacks. But you will hardly find a complete analysis of Netsparker.

On my own behalf, I want to add that professionals reading this material should not throw rotten tomatoes at me. I really tried.

Good luck. Take care of yourself, do not break the law and remember that you can scan other people's resources only with the permission of their owners. Nevertheless, the utilities described by us will allow you to conduct an excellent pen test of even the most complex application.

(c) cybersec.org
  10. Vulnerabilities we discovered
In our analysis of PayPal's mobile apps and website UI, we were able to uncover a series of significant issues. We'll explain these vulnerabilities from the most severe to least severe, as well as how each vulnerability can lead to serious issues for the end user.

#1 Bypassing PayPal's two-factor authentication (2FA)
Using the current version of PayPal for Android (v. 7.16.1), the CyberNews research team was able to bypass PayPal's phone or email verification, which for ease of terminology we can call two-factor authentication (2FA). Their 2FA, which is called "Authflow" on PayPal, is normally triggered when a user logs into their account from a new device, location or IP address.

How we did it
In order to bypass PayPal's 2FA, our researcher used the PayPal mobile app and a MITM proxy, like Charles proxy. Then, through a series of steps, the researcher was able to get an elevated token to enter the account. (Since the vulnerability hasn't been patched yet, we can't go into detail of how it was done.) The process is very simple, and only takes seconds or minutes. This means that attackers can gain easy access to accounts, rendering PayPal's lauded security system useless.

What's the worst case scenario here?
Stolen PayPal credentials can go for just $xx.xx on the black market. Essentially, it's exactly because it's so difficult to get into people's PayPal accounts with stolen credentials that these stolen credentials are so cheap. PayPal's authflow is set up to detect and block suspicious login attempts, usually related to a new device or IP, besides other suspicious actions.
But with our 2FA bypass, that security measure is null and void. Hackers can buy stolen credentials in bulk, log in with those credentials, bypass 2FA in minutes, and have complete access to those accounts. With many known and unknown stolen credentials on the market, this is potentially a huge loss for many PayPal customers.

PayPal's response
We'll assume that HackerOne's response is representative of PayPal's response. For this issue, PayPal decided that, since the user's account must already be compromised for this attack to work, "there does not appear to be any security implications as a direct result of this behavior." Based on that, they closed the issue as Not Applicable, costing us 5 reputation points in the process.

#2 Phone verification without OTP
Our analysts discovered that it's pretty easy to confirm a new phone without an OTP (One-Time Pin). PayPal recently introduced a new system where it checks whether a phone number is registered under the same name as the account holder. If not, it rejects the phone number.

How we did it
When a user registers a new phone number, an onboard call is made to api-m.paypal.com, which sends the status of the phone confirmation. We can easily change this call, and PayPal will then register the phone as confirmed. The call can be repeated on already registered accounts to verify the phone.

What's the worst case scenario here?
Scammers can find lots of uses for this vulnerability, but the major implication is unmissable. By bypassing this phone verification, it will make it much easier for scammers to create fraudulent accounts, especially since there's no need to receive an SMS verification code.

PayPal's response
Initially, the PayPal team via HackerOne took this issue more seriously. However, after a few exchanges, they stopped responding to our queries, and recently PayPal itself (not the HackerOne staff) locked this report, meaning that we aren't able to comment any longer.

#3 Sending money security bypass
PayPal has set up certain security measures in order to help avoid fraud and other malicious actions on the tool. One of these is a security measure that's triggered when one of the following conditions, or a combination of these, is met:
- You're using a new device
- You're trying to send payments from a different location or IP address
- There's a change in your usual sending pattern
- The owning account is not "aged" well (meaning that it's pretty new)
When these conditions are met, PayPal may throw up a few types of errors to the users, including:
- "You'll need to link a new payment method to send the money"
- "Your payment was denied, please try again later"

How we did it
Our analysts found that PayPal's sending money security block is vulnerable to brute force attacks.

What's the worst case scenario here?
This is similar in impact to Vulnerability #1 mentioned above. An attacker with access to stolen PayPal credentials can access these accounts after easily bypassing PayPal's security measure.

PayPal's response
When we submitted this to HackerOne, they responded that this is an "out-of-scope" issue since it requires stolen PayPal accounts. As such, they closed the issue as Not Applicable, costing us 5 reputation points in the process.

#4 Full name change
By default, PayPal allows users to only change 1-2 letters of their name once (usually because of typos). After that, the option to update your name disappears.
However, using the current version of PayPal.com, the CyberNews research team was able to change a test account's name from "Tester IAmTester" to "christin christina".

How we did it
We discovered that if we capture the requests and repeat it every time by changing 1-2 letters at a time, we are able to fully change account names to something completely different, without any verification.
We also discovered that we can use any unicode symbols, including emojis, in the name field.

What's the worst case scenario here?
An attacker, armed with stolen PayPal credentials, can change the account holder's name. Once they've completely taken over an account, the real account holder wouldn't be able to claim that account, since the name has been changed and their official documents would be of no assistance.

PayPal's response
This issue was deemed a Duplicate by PayPal, since it had apparently been discovered by another researcher.

#5 The self-help SmartChat stored XSS vulnerability
PayPal's self-help chat, which it calls SmartChat, lets users find answers to the most common questions. Our research discovered that this SmartChat integration is missing crucial form validation that checks the text that a person writes.

How we did it
Because the validation is done at the front end, we were able to use a man in the middle (MITM) proxy to capture the traffic that was going to PayPal servers and attach our malicious payload.

What's the worst case scenario here?
Anyone can write malicious code into the chatbox and PayPal's system would execute it. Using the right payload, a scammer can capture customer support agent session cookies and access their account.
With that, the scammer can log into their account, pretend to be a customer support agent, and get sensitive information from PayPal users.

PayPal's response
The same day that we informed PayPal of this issue, they replied that since it isn't "exploitable externally," it is a non-issue. However, while we planned to send them a full POC (proof of concept), PayPal seems to have removed the file on which the exploit was based. This indicates that they were not honest with us and patched the problem quietly themselves, providing us with no credit, thanks, or bounty.
Instead, they closed this as Not Applicable, costing us another 5 points in the process.#6 Security questions persistent XSSThis vulnerability is similar to the one above (#5), since PayPal does not sanitize its Security Questions input.How we did itBecause PayPal’s Security Questions input box is not validated properly, we were able to use the MITM method described above.Here is a screenshot that shows our test code being injected to the account after refresh, resulting in a massive clickable link: What’s the worst case scenario here?Attackers can inject scripts to other people’s accounts to grab sensitive data. By using Vulnerability #1 and logging in to a user’s account, a scammer can inject code that can later run on any computer once a victim logs into their account.This includes: Showing a fake pop up that could say “Download the new PayPal app” which could actually be malware. Changing the text user is adding. For example, the scammer can alter the email where the money is being sent. Keylogging credit card information when the user inputs it. There are many more ways to use this vulnerability and, like all of these exploits, it’s only limited by the scammer’s imagination.PayPal’s responseThe same day we reported this issue, PayPal responded that it had already been reported. Also on the same day, the vulnerability seems to have been patched on PayPal’s side. They deemed this issue a Duplicate, and we lost another 5 points.PayPal’s reputation for dishonestyPayPal has been on the receiving end of criticism for not honoring its own bug bounty program.Most ethical hackers will remember the 2013 case of Robert Kugler, the 17-year old German student who was shafted out of a huge bounty after he discovered a critical bug on PayPal’s site. 
Kugler notified PayPal of the vulnerability on May 19, but apparently PayPal told him that because he was under 18, he was ineligible for the Bug Bounty Program.But according to PayPal, the bug had already been discovered by someone else, but they also admitted that the young hacker was just too young.Another researcher earlier discovered that attempting to communicate serious vulnerabilities in PayPal’s software led to long delays. At the end, and frustrated, the researcher promises to never waste his time with PayPal again.There’s also the case of another teenager, Joshua Rogers, also 17 at the time, who said that he was able to easily bypass PayPal’s 2FA. He went on to state, however, that PayPal didn’t respond after multiple attempts at communicating the issue with them.PayPal acknowledged and downplayed the vulnerability, later patching it, without offering any thanks to Rogers.The big problem with HackerOneHackerOne is often hailed as a godsend for ethical hackers, allowing companies to get novel ways to patch up their tools, and allowing hackers to get paid for finding those vulnerabilities.It’s certainly the most popular, especially since big names like PayPal work exclusively with the platform. There have been issues with HackerOne’s response, including the huge scandal involving Valve, when a researcher was banned from HackerOne after trying to report a Steam zero-day.However, its Triage system, which is often seen as an innovation, actually has a serious problem. The way that HackerOne’s triage system works is simple: instead of bothering the vendor (HackerOne’s customer) with each reported vulnerability, they’ve set up a system where HackerOne Security Analysts will quickly check and categorize each reported issue and escalate or close the issues as needed. This is similar to the triage system in hospitals.These Security Analysts are able to identify the problem, try to replicate it, and communicate with the vendor to work on a fix. 
However, there’s one big flaw here: these Security Analysts are also active Bug Bounty Hackers.Essentially, these Security Analysts get first dibs on reported vulnerabilities. They have full discretion on the type of severity of the issue, and they have the power to escalate, delay or close the issue.That presents a huge opportunity for them, if they act in bad faith. Other criticisms have pointed out that Security Analysts can first delay the reported vulnerability, report it themselves on a different bug bounty platform, collect the bounty (without disclosing it of course), and then closing the reported issue as Not Applicable, or perhaps Duplicate.As such, the system is ripe for abuse, especially since Security Analysts on HackerOne use generic usernames, meaning that there’s no real way of knowing what they are doing on other bug bounty platforms.What it all meansAll in all, the exact “Who is to blame” question is left unanswered at this point, because it is overshadowed by another bigger question: why are these services so irresponsible?Let’s point out a simple combination of vulnerabilities that any malicious actor can use: Buy PayPal accounts on the black market for pennies on the dollar. (On this .onion website, you can buy a $5,000 PayPal account for just $150, giving you a 3,333% ROI.) Use Vulnerability #1 to bypass the two-factor authentication easily. Use Vulnerability #3 to bypass the sending money security and easily send money from the linked bank accounts and cards. Alternatively, the scammer can use Vulnerability #1 to bypass 2FA and then use Vulnerability #4 to change the account holder’s name. 
That way, the scammer can lock the original owner out of their own account.While these are just two simple ways to use our discovered vulnerabilities, scammers – who have much more motivation and creativity for maliciousness (as well as a penchant for scalable attacks) – will most likely have many more ways to use these exploits.And yet, to PayPal and HackerOne, these are non-issues. Even worse, it seems that you’ll just get punished for reporting it.
11. Hello, this is a very interesting and relevant topic for successful work.

To get data from your POS terminal, you can use the following methods:
1. Download a free topical virus from a virus storage site and infect your POS terminal. Configure and study the transfer of customer data from your device to a computer or mobile phone. Sites where you can download Trojan viruses are listed in the next topic.
2. Buy a working vSkimmer and install it in your POS terminal. Set up data transfer to your device.

Some additional information:

POS terminal infection

Infection of POS terminals (Point Of Sale), hardware and software systems for trading or automated workstations of a cashier, is a cybercriminal activity aimed at stealing bank card data and further withdrawing funds.

Classification of methods of infecting POS terminals

Malicious programs for POS terminals can be distinguished by the volume of tasks being solved and the nature of the information stolen.

RAM scrapers

Reading the contents of RAM is a mandatory part of almost all programs for infecting POS terminals, since during a transaction all data from a bank card is processed in RAM. Basic RAM scrapers record information from memory and send it to the attacker's server for further offline analysis, while more advanced versions are able to independently extract data from the magnetic stripes of bank cards from the general stream.

RAM scraper and keylogger

Such programs, in addition to analyzing the RAM, also record all keystrokes, capturing PIN codes and other entered information. Since all transactions are carried out via a computer or mobile device, the development of malicious code often does not take place from scratch: cybercriminals modify already created Trojans and viruses by adding RAM scrapers to them to steal data from bank cards. Accordingly, such instances may contain rootkits to hide traces of activity or backdoors for remote access, and steal other information. In particular, the well-known malicious agent vSkimmer collects information about the operating system used, users, and GUID.

Object of influence

When it comes to infecting POS terminals, malware is not injected into the card reader, but into the computer or mobile device that controls it. Although all transmitted transaction data is encrypted, the information from the magnetic stripe of the card arrives in unencrypted form and is only encrypted on the computer.

Evolution of POS malware

This vulnerability is used by criminals. The programs for scanning the RAM, embedded in the system, constantly analyze the contents of the latter and read the card data. The number, expiration date, owner's name, PIN code, CVV and CVC recorded on the magnetic stripe are sufficient to make a clone with which you can withdraw money and pay for purchases. In addition, this data allows you to pay for online orders where the presentation of physical cards is not required. Chip cards are better protected: they encrypt payment information with a chip before it is sent to the POS terminal, and intercepting it is useless. However, the magnetic stripe is also there, and its data can still be copied. In this case, the criminal will not be able to withdraw money from the ATM (there is no chip), but he will be able to use the clone as a means of payment if the reader in the store works only with a stripe. However, in this case, traces remain for law enforcement agencies, and therefore criminals prefer to copy cards without chips.

Sources of threat

A POS terminal can be infected with malware in several ways: via the Internet using exploits, via a USB interface to which an infected medium is connected, by replacing a secure POS terminal with an infected one, or via spam with a Trojan downloader. A program that steals passwords can be introduced into the system on purpose. Bank data is of great value, and an unscrupulous or offended employee, having agreed with a cybercriminal, will easily introduce a malicious agent into the system. The third major source of threat is companies that install and remotely service POS terminals. In theory, in such firms, the security system should be organized at the highest level, but in practice this is not always true. There are known cases when, having cracked the password of the remote administrator of POS terminals, attackers at once gained access to the banking data of millions of users.

Threat analysis

For a simple bank card holder, the main danger of POS terminals being infected is that he is not able to prevent it. A person uses the card, assuming normal operation of the system, but if it performs unauthorized operations, then the user will not be able to find out about it. To reduce the risk, you can abandon the card that contains only a magnetic stripe in favor of a more secure chip one, regularly monitor the status of your accounts, and track all transactions in order to immediately take action if any suspicions arise. If we talk about the owners of POS terminals, then from their point of view there are no direct losses: after all, the data is stolen not from the company, but from the cardholders. However, reputational losses and customer outflow can result in millions of damage, and therefore any company must take the necessary measures to protect the banking data of its customers.

All POS computers must be equipped with effective antivirus software, and the system software must be up to date. The list of installed programs itself should be limited, and the computer should not be used for other tasks not related to transactions. The same applies to the owners of mobile POS terminals. For such purposes, it is better to purchase a second smartphone, using it only to transfer money, and communicate, take selfies and other photos, and launch media files on another device. Access to POS terminals, and authorization on them, should be allowed only to those employees who directly work with them. Within the system, a clear delineation of rights is required, with unprivileged accounts prohibited from installing or modifying computer software. Each user must have their own complex password. Finally, in addition to working with the terminal, cashiers and other tellers should be trained in information security rules. As already mentioned, the methods of distributing malicious programs for trading devices do not differ from the methods of infecting other computers, and in many cases the penetration of Trojan horses and viruses is due to the carelessness and frivolity of users; compliance with cyber hygiene greatly complicates the activities of intruders.

Trojan.MWZLesson - a Trojan for POS terminals

For many years, POS terminals have remained a tasty morsel for virus writers, since they are used by numerous merchants around the world to make payments using bank plastic cards. Doctor Web's specialists examined another Trojan capable of infecting payment terminals, which turned out to be a modification of another malicious program well known to our virus analysts.

A POS Trojan added to the Dr.Web virus databases under the name Trojan.MWZLesson, after its launch, registers itself in the branch of the system registry responsible for starting applications. Its architecture includes a module that scans the RAM of the infected device for the presence of bank card tracks in it. The cybercriminals borrowed this code from another malicious program designed to infect POS terminals, known as Trojan.PWS.Dexter. The Trojan transfers the detected tracks and other intercepted data to the command and control server.

Trojan.MWZLesson can intercept GET and POST requests sent from an infected machine by Mozilla Firefox, Google Chrome or Microsoft Internet Explorer - the Trojan duplicates these requests to the command and control server belonging to the attackers. In addition, this malware can execute the following commands:
- CMD - transfers the received directive to the CMD command interpreter;
- LOADER - downloads and runs the file (dll - using the regsrv utility, vbs - using the wscript utility, exe - the direct launch is performed);
- UPDATE - update command;
- rate - sets the time interval of communication sessions with the management server;
- FIND - search for documents by mask;
- DDOS - start a DDoS attack using the http flood method.

Trojan.MWZLesson exchanges data with the control center via the HTTP protocol; the packets that the Trojan sends to the remote server are not encrypted, but the malware uses a special cookie parameter in them, in the absence of which the C&C server ignores requests from the Trojan.

While studying the internal architecture of Trojan.MWZLesson, virus analysts from Doctor Web came to the conclusion that they were familiar with this Trojan, since they had encountered part of its code earlier in another malicious program. It turned out to be BackDoor.Neutrino.50, of which Trojan.MWZLesson is, in fact, a truncated and shortened version.

BackDoor.Neutrino.50 is a multifunctional backdoor that uses exploits for the CVE-2012-0158 vulnerability during its distribution. Cases of downloading this malicious program from various sites hacked by cybercriminals have been recorded. When BackDoor.Neutrino.50 is launched, it checks for the presence of virtual machines in its environment; if any, the Trojan displays an error message "An unknown error occurred. Error - (0x [random number])", after which BackDoor.Neutrino.50 deletes itself from the system. In addition to the functions of a Trojan for POS terminals, this backdoor has the ability to steal information from Microsoft's mail client, as well as credentials for accessing resources via FTP from a number of popular FTP clients. In addition to directives typical for Trojan.MWZLesson, the BackDoor.Neutrino.50 Trojan can execute other commands; in particular, it is capable of carrying out several types of DDoS attacks, deleting some other malicious programs running on the infected machine, and can also try to infect computers available on the local network.

The signatures of these Trojans have been added to the Dr.Web virus databases, so they pose no threat to users of our anti-virus products.

Experts have identified several new malware samples for POS terminals

The pre-holiday season has come, the number of purchases has increased, and with it the risk of running into an unsafe PoS terminal has grown. Experts report the detection of several samples of malware that infects payment device systems. Experts generally called the ModPOS virus one of the most complex in its class.

The specialists of iSight Partners, who discovered ModPOS, called the malware "PoS malware on steroids" and one of the most difficult representatives of the "genre". And this is the opinion of a company that has been analyzing this kind of malware for over eight years! According to iSight Partners, in a massive campaign aimed at undisclosed major US retailers, ModPOS stole several million dollars from credit and debit cards. The malware has remained out of sight of virus analysts since 2013. It is almost impossible to find references to this malware even on hacker forums.

It took the iSight Partners team more than three weeks to reverse engineer the program, and only after that they were able to get to the three ModPOS kernel modules. For comparison, recently it took their colleagues about half an hour to "open" the Cherry Picker PoS malware. iSight Partners writes that "an incredibly talented author did a great job" creating ModPOS. The company believes that the author of the virus is a resident of Eastern Europe. The experts also report that it took "a lot of time and money" to develop each of the ModPOS kernel modules. Each of the modules behaves like a rootkit, which further complicates their analysis and reverse engineering. To communicate with C&C servers, the malware uses 128- and 256-bit encryption and requests a unique key for each client. Because of this, it is almost impossible to understand what data was stolen. Other PoS malware typically transmits information in clear text without resorting to encryption.

A less complex, but very insidious representative of the PoS malware family was discovered by specialists from InfoArmor. The virus, dubbed Pro PoS, weighs only 76 KB. Oddly enough, this volume was enough to accommodate the functions of a rootkit and outwit virus analysts. The virus is also supposedly created by East European hackers (see screenshot below). Pro PoS uses a polymorphic engine, that is, each malware build has a new signature. This avoids detection and overcomes security systems. InfoArmor experts warn that at the moment Pro PoS is actively used to attack major Canadian and American retail chains. Pro PoS received its last update on November 27, 2015, and its price increased at the same time. Today, a six-month malware license costs $2,600.

New threats for old PoS terminals

It would seem that not so long ago the world learned about threats specially designed for unusual computers filled with real money - ATMs. Several years have passed, and the ranks of "unusual computers" have been replenished with new devices for trading and accepting payment cards - PoS terminals (point of sale).

2013 was marked by an incident that affected US residents: the data of more than 40 million bank cards and information on more than 70 million customers of the large retail chain Target fell into the hands of cybercriminals. During the investigation, it turned out that the cause of the incident was not the compromise of the payment processing system or the company's servers, but the infected cash registers and PoS terminals. Malicious software installed on them by cybercriminals intercepted payment data in the device's RAM in plain text. In 2014, the situation with terminals was repeated in another retail chain, Home Depot, and led to data leaks from 56 million cards. These incidents have shown that cybercriminals are not only closely monitoring the trends in technology and devices for receiving and processing payments, but also continuously developing specialized malicious software to steal valuable financial data.

Before large-scale retail hacks, the problem of malware for PoS terminals was not so much ignored as it simply did not attract public and media attention, despite the fact that PoS malware has attacked various enterprises since at least 2010. For example, back in 2010, the world learned about Trojan-Spy.Win32.POS (also known as CardStealer), which looked for payment card details on an infected workstation and transmitted the found information to the cybercriminals' server. Since then, antivirus experts have discovered more and more instances of malware designed to steal payment data from PoS terminals every year.

Timeline of threat detection for PoS terminals (source: Kaspersky Lab)

Currently, the infection of PoS terminals has already gone beyond pinpoint attacks, and cybercriminals have received a new foothold for the implementation of threats, which allows them to get closest to other people's money.

General purpose OS against specific malware

The life of attackers is somewhat simplified by the fact that PoS devices are actually ordinary computers that can also be used (and are sometimes used, especially in small businesses) for "general purposes", including surfing the Net and checking email. This means that in some cases criminals can gain remote access to such devices.

The Dexter malware, discovered in 2012, stole bank card details by attacking POS terminals running Windows. It infiltrated the iexplore.exe system process, read the RAM and looked for payment data sufficient to make a fake plastic card (owner's name, account number, expiration date and card number, including the issuer code, class and type of card, and so on), then sent the collected information to a remote server controlled by the attackers.

Examples of commands that Dexter received from the command and control server

During its existence, Dexter has managed to hit hundreds of PoS systems in well-known retail chains, hotels, restaurants, as well as in private parking lots. And as you might guess, most of the victims' workstations were running the Windows XP operating system.

Another notorious example is the threat dubbed Backoff. This PoS Trojan is designed to steal card information from payment terminals. Like Dexter, this malware reads the RAM of a PoS terminal to obtain payment card details. In addition, some versions of Backoff contained a component for intercepting keyboard input (keylogger), presumably in case it ends up not on a PoS terminal, but on a regular workstation, which can also be used for payments (which means that the user will enter valuable information from the keyboard).

Points of sale in "non-trade" places

Currently, PoS devices can wait for their users not only in retail chains, supermarkets or hotels. Parks and streets are full of parking payment terminals for all kinds of vehicles and cozy "booths" for fast recharging of a mobile device. Airports and train stations offer help information and payment for tickets through various devices. In cinemas, there are terminals for buying and booking tickets for film shows. In clinics and government agencies, visitors are greeted with electronic queues and receipt printing devices. In some places, even toilets are equipped with payment terminals!

At the same time, not all of these devices are sufficiently well protected. For example, in the summer of 2014, experts from an antivirus company discovered configuration flaws in parking terminals that allowed them to compromise devices and, as a result, user data (including payment data). The application for parking meters operating on the basis of a Windows family operating system allows the user to register and get help information about the location of the parking meter and other bicycle parking lots. The display of all this, as well as bars, cafes and other objects, is implemented using the Google widget. The user does not have the ability to minimize the full-screen application and go beyond it; however, it is precisely in it that the configuration flaw that allows you to compromise the device lies: in the lower right corner of the widget there are links "Report a bug", "Privacy" and "Terms of use", after clicking on which the Internet Explorer browser will launch.

An example of exploiting vulnerabilities in a parking meter application

The use cases for such configuration flaws depend only on the imagination of the attacker. For example, an attacker can extract an administrator password stored in clear text in memory. You can also get a snapshot of the bike parking app's memory. It may then be possible to extract the personal information of its users from it: name, e-mail address and phone number - such a database of verified addresses and phone numbers will be of particular value on the black market of cybercriminals. An attacker can also install a keylogger that intercepts all the entered data and sends it to a remote server, or, by adding fields for entering additional data, implement an attack scenario that will result in the receipt of even more personal data.

Default deny

Financial institutions and organizations operating PoS terminals should pay more attention to protecting their devices, and not only the security of their hardware, but also the security of their operating systems, as well as the entire network information infrastructure. This will be helped by means of protection that have long been used in corporate networks, and by specialized solutions for ensuring the security of embedded systems. Point of sale equipment is no less valuable to the owner than a lone ATM in a shopping center is for the owner bank. And if the owners of ATMs with each new incident understand better that it is necessary to protect devices, then many owners of PoS terminals still pay for their carelessness. Deny by default and full disk encryption are not innovative methods, but they are still effective at protecting the iron bag of money.

Analyzing malware created for POS terminals

The malware authors do not stand still, but constantly invent new schemes to replenish their wallets. In this article, we will look at a new trend in the field of virus writing - malware for POS terminals.

What is a POS terminal?

POS is translated as point of sale, that is, the place where the client pays for goods or services. POS terminals represent a wide class of devices, and their implementation depends only on the imagination of manufacturers. For example, there are POS terminals based on the iPad. So far, virus writers for POS terminals have mastered only one platform - Windows, so this article will focus on malware specifically for that platform.

Why are POS terminals interesting to cybercriminals? The answer is simple - acquiring, that is, payment by credit card. Despite the fact that the data security standards of the payment card industry prohibit the storage of complete card data after a successful transaction, virus writers have still found a way to get their hands on it. The fact is that in order to authorize the purchase, the POS terminal must somehow contact the processing center, and all this time the card data is in the memory of the POS terminal. This is what the attackers decided to take advantage of. Once again, I repeat that there are a lot of POS terminal implementations and this attack will not be successful on all devices.

Attackers are interested in track1 and track2 - data recorded on the magnetic stripe. This data contains the owner's name, card code, expiration date and other intimate information. Having track1 / track2 is enough to make a clone of a plastic card.

Dexter

In December 2012, the Israeli company Seculert announced a new malware it had detected on hundreds of POS systems around the world. One of the interesting details is that over 30% of the infected systems were running server versions of Windows. The company provides a cloud service that helps identify malicious activity on an enterprise's network by analyzing log files generated by various software or hardware proxies (Blue Coat, Squid, and others). Unsurprisingly, it was the first to spot this threat.

Consider the files whose hashes were published by Seculert. The files are packed with a fairly popular cryptor, which uses the XPXAXCXK signature during the decompression process. This cryptor is widely used to hide from signature detection. And therefore, it is also well studied; a static unpacker has even been written for it. However, to unpack it manually, it is enough to set a breakpoint on the VirtualAlloc WinAPI function and trace the code until the unpacked PE file is found in one of the allocated memory regions. After removing the cryptor, we find that three of the four files are completely identical. The size of the first variant is only 24 KB; the file was compiled using Visual Studio, and the compilation date is August 30, 2012, according to the data from the PE header. The second, more recent version was compiled on October 16, 2012, and its size is 44 KB.

Now closer to the functionality itself. The first thing Dexter does is try to inject its body and create a thread in the Internet Explorer process. Next, the malware copies itself to %APPDATA% using a random name, and also registers itself in the registry key for startup. Dexter launches its own threads, which are responsible for keeping the autorun key in the registry, searching for data and injecting it into the IE process. Finally, control is passed to the code that establishes the connection and sends the collected data to the server.

To communicate with the server, Dexter uses the HTTP protocol; data is transmitted using a POST request. Before sending data to the server, Dexter encrypts it using the XOR operation and the base64 algorithm. The following information is sent to the server:
- page - bot identifier;
- ump - collected track data;
- unm - username;
- cnm - computer name;
- query - operating system version;
- spec - "bitness" of the operating system (32 vs 64);
- opt - the time elapsed since the previous user input. Retrieved using the GetLastInputInfo WinAPI function;
- view - a list of all processes running on the infected system;
- var - a unique string for each build;
- val - a random string, used as a decryption key.

The server sends a response to this POST request, the header of which contains a cookie with a command to execute for the client. The command is encrypted with the same algorithm as the request. An early version of Dexter only supports two commands:
- checkin - sets the delay period between requests to the server;
- scanin - sets the delay period between attempts to find track data in memory.

In a later version, three more commands were added to these two:
- update - update from the specified URL;
- uninstall - remove itself from the infected computer;
- download - download and launch a file from the URL specified in the command.

In general, Dexter has a classic set of functionality for a Trojan. The only thing that makes it unique among many similar malware is its focus on stealing plastic card data. The search for track2 goes in the following sequence:
1. A list of processes is compiled. System and 64-bit processes are excluded from the list.
2. The WinAPI function VirtualQueryEx checks the availability of memory regions.
3. An attempt is made to read memory from available regions using the ReadProcessMemory WinAPI function.
4. The read buffer is searched for the = symbol, and it is also checked that there is a string of a certain length, consisting of digits, to the right and left of the symbol. The ability to store a string in both ANSI and Unicode is taken into account.
5. The numbers to the left of the = symbol are checked using the Luhn algorithm.
6. If the check is passed, the data is copied into a special buffer, from where it will later be sent to the server.
7. After a certain period, all steps are repeated; this period can be set by a command from the server.

A later version of Dexter searches for track1 using a similar algorithm.

vSkimmer

This malware is considered to be a follower of Dexter. vSkimmer added a simple anti-debug, implemented using standard WinAPI functions, and adds its own process to the trusted processes of the Windows firewall. vSkimmer searches for processes using approximately the same algorithm as Dexter, but the author did not reinvent the wheel and used regular expressions to search. However, among other things, vSkimmer also has interesting functionality. Obviously, the main difficulty for cybercriminals is to infect the computer that is used in the POS terminal.
From such a computer, they usually do not go to sites, and sometimes there is no Internet at all on it. In this case, you can infect your computer with the help of an insider in your organization. This is the mode of operation that was added to vSkimmer. If the infected computer does not have an Internet connection, the malware writes all the accumulated data to a special file. When a USB drive with a volume label KARTOXA007 is connected to the computer, vSkimmer copies all the collected information to the drive into the dmpz.log file.The author of this malware has a good sense of humor - apparently, this can explain that the PCICompliant / 3.33 value is used as the User-Agent when connecting to the server. PCI Compliant is the name given to a terminal that fully complies with the data security standards of the payment card industry.Are the ideas of these viruses so new?Despite all the noise raised in the media and the Internet in early 2013, a similar attack pattern was demonstrated in 2010 by Trustwave employees at DEF CON 18. In their report "Malware Freakshow 2", Trustwave employees demonstrated malware that can extract applications from memory track1 / track2. Presentation slides are available here.ConclusionDespite their primitiveness, the considered malicious programs successfully cope with the tasks assigned to them. However, in the future we may witness the use of more sophisticated software aimed at stealing data from POS terminals.History of successIn May 2011, an official charge was brought against four Romanian citizens of stealing data on plastic cards of US residents using POS terminals. According to the indictment, from 2008 to May 2011, Romanian attackers infiltrated more than 150 POS terminals of one of the fast food restaurant chains, as well as POS terminals of other companies. In total, hackers managed to steal more than 80 thousand data on plastic cards. 
In order to install their malware on POS terminals, hackers brute-force passwords for pcAnywhere, a program used to remotely control a computer.
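The post describes Dexter's memory search (digit run, "=" separator, digit run, in ANSI or Unicode, left-hand run validated by Luhn) and notes that vSkimmer does the same job with regular expressions. The following is an added example, not Dexter's or vSkimmer's code and not part of the original post: it runs that heuristic over a memory image so a responder can check whether a POS process exposes track2 data in memory. The length bounds (PAN 13 to 19 digits, trailing field 4 to 17 digits), the TrackHit/scan_track2 names and the sample buffer are assumptions made for the example; the PANs in the sample are public test numbers, not real cards.

```python
"""
Scan a raw memory image for track2-shaped card data, using the heuristic the
post attributes to Dexter: a run of digits, an '=' separator, another run of
digits, stored as ANSI or UTF-16LE, with the left-hand run validated by Luhn.
Added example for checking whether a POS process exposes card data in memory;
it is not Dexter's code, and the length bounds below are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed bounds (the post only says "a string of a certain length"):
# PAN 13-19 digits, trailing field (expiry, service code, discretionary) 4-17 digits.
# The lookbehind stops a longer digit run from being cut down to a fake 19-digit PAN.
ANSI_TRACK2 = re.compile(rb"(?<![0-9])([0-9]{13,19})=([0-9]{4,17})")
UTF16_TRACK2 = re.compile(
    rb"(?<![0-9]\x00)((?:[0-9]\x00){13,19})=\x00((?:[0-9]\x00){4,17})"
)


@dataclass(frozen=True)
class TrackHit:
    offset: int     # byte offset of the PAN inside the scanned buffer
    encoding: str   # "ansi" or "utf-16-le"
    pan: str        # digits left of '='
    tail: str       # digits right of '=' (expiry, service code, discretionary data)


def luhn_ok(pan: str) -> bool:
    """Luhn check over a digit string; this is the filter Dexter applies to the left run."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:      # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_candidates(buf: bytes) -> list[TrackHit]:
    """Every '=' separated pair of digit runs, ANSI and UTF-16LE, before Luhn filtering."""
    hits = []
    for m in ANSI_TRACK2.finditer(buf):
        hits.append(TrackHit(m.start(1), "ansi",
                             m.group(1).decode("ascii"), m.group(2).decode("ascii")))
    for m in UTF16_TRACK2.finditer(buf):
        hits.append(TrackHit(m.start(1), "utf-16-le",
                             m.group(1).decode("utf-16-le"), m.group(2).decode("utf-16-le")))
    return sorted(hits, key=lambda h: h.offset)


def scan_track2(buf: bytes) -> list[TrackHit]:
    """Candidates whose PAN passes Luhn: what a memory scraper would keep and exfiltrate."""
    return [h for h in find_candidates(buf) if luhn_ok(h.pan)]


def redact(pan: str) -> str:
    """First six and last four digits only, so a finding can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample memory image (assumption, not a real dump); test PANs only.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"ORDER 4481 TOTAL 12.50\x00"                # ordinary digits, no separator
    + b";4111111111111111=2512101123456789?\x00"   # ANSI track2, Luhn-valid PAN
    + b"\x00" * 8
    + ";5500000000000004=2401201000000000?".encode("utf-16-le")  # UTF-16LE track2
    + b"\x00" * 8
    + b"1234567890123456=24011234\x00"             # right shape, fails Luhn
    + b"12345=6789\x00"                             # too short to be a PAN
)

if __name__ == "__main__":
    for hit in scan_track2(SAMPLE_MEMORY):
        print(f"offset {hit.offset:#06x} {hit.encoding:9s} {redact(hit.pan)} ={hit.tail}")
```

Run against a process dump (for example, the output of a Sysinternals procdump of the payment application), the scanner reports only PANs that pass Luhn, which is exactly why the "1234567890123456=..." decoy is dropped while the UTF-16LE copy is found. A hit means card data sits in readable process memory during authorization, which is the window Dexter relies on; an empty result on a terminal under load is the condition a PCI-scoped deployment should be able to demonstrate.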