NetRipper: Smart traffic sniffing for penetration testers

NetRipper is a fairly recent post-exploitation tool for Windows that uses a number of non-standard approaches to extract sensitive data. It uses API hooking to intercept network traffic and encryption-related functions from a low-privileged user, capturing both plain-text traffic and encrypted traffic before encryption or after decryption. The tool was first presented at DEF CON 23 in Las Vegas.

How does NetRipper work:

It has two main components:

  1. NetRipper.dll – a DLL that is injected into various processes (the main component)
  2. The DLL configurator and injector

The DLL configurator and injector comes in three flavours:

  1. NetRipper.exe – command-line version
  2. netripper.rb – Metasploit post-exploitation module
  3. Invoke-NetRipper.ps1 – PowerShell version created by @HarmJ0y

So, after you have access to a system, you use your preferred DLL configurator and injector to inject the DLL into processes such as Chrome, Firefox, PuTTY or WinSCP. You can go and grab a coffee, read the news or scroll Facebook, then come back to the system: you will find text files with the plain-text traffic of those processes. This may include usernames and passwords for other servers or applications, which you can then use to access them.

There are two ways to capture network traffic:

  • Basic network sniffing
  • DLL injection and API hooking

While basic network sniffing may work, it only captures unencrypted traffic. It is also possible to install our own root CA (certificate authority) in order to intercept TLS traffic, but that requires administrator privileges, and it does nothing for protocols such as SSH that do not use X.509 certificates at all.

Because applications encrypt and decrypt data at the application level, the easiest way to reach the goal is a DLL that hooks the network and encryption API functions and writes out the plain-text data.

NetRipper main goals:

As network and system administrators use multiple tools to access different systems, NetRipper had to work with multiple applications from the beginning.

It should capture plain-text traffic from any application, from Chrome or Firefox to FileZilla or SQL Server Management Studio. By hooking the Windows API functions responsible for plain-text network traffic (send/recv and WSASend/WSARecv), it should just work.

But network and system administrators are professionals who do not use unencrypted channels to do their job, so NetRipper must handle as many encrypted applications as possible. Some applications use the Windows API functions and are easy to intercept, but others such as WinSCP or PuTTY use their own, statically linked SSH and cryptographic code and require special work.

A partial list of the supported applications is the following: Google Chrome, Mozilla Firefox, Internet Explorer, FileZilla, Skype for Business, SQL Server Management Studio, Microsoft Outlook, PuTTY, WinSCP, Yahoo! Messenger.

Most Popular Training Courses at Indian Cyber Security Solutions:

 

Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Tester Training

Ethical Hacking  training

Python Programming training

 RHCE  training

CEH V9  training

Diploma in Network Security Training

Secure Coding in Java

Diploma in Web Application Security 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advanced Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 

Digital marketing

CCNA training

Android Training

 

Cybersecurity services that can protect your company:

 

Web Security | Web Penetration Testing

Network Penetration Tester – NPT

Android App Penetration Testing

Source Web Development

Source Code Review

Android App Development

Digital Marketing Consultancy

Data Recovery

TrickBot ships a new module, “screenlocker” (Webroot)

A recent version of the TrickBot banking trojan includes a screenlocker component, suggesting the malware’s operators might soon start holding victims to ransom when infected targets do not appear to be e-banking users.

The good news is that the screenlocker mechanism is not fully functional just yet, and appears to still be under development.

Nonetheless, security researchers have spotted the new module dropped on victims’ computers, suggesting development is advanced enough to have reached field trials.

TrickBot component:

Although the lock-screen function is not yet fully functional, the component has been found installed on victims’ computers, so the attackers are at least able to deploy it to infected hosts.

Webroot says that since it was first seen in 2016 TrickBot has been updated and changed constantly in an effort to stay ahead of defenders. TrickBot first appeared as a banking trojan, but it has since evolved into a malware downloader as well.

The module drops three files, of which “ScreenLocker_x86.dll” is the screenlocker itself. Details as follows:

  • A DLL – using the leaked NSA “EternalRomance” exploit and other SMB attacks patched by the MS17-010 security update, it attempts to propagate to other computers on the same network over the SMB protocol;
  • An executable – enumerates the user profiles in the registry and adds a link to the copied binary to each profile’s startup path, establishing persistence on the infected computer;
  • ScreenLocker_x86.dll – the component meant to lock the infected computer’s screen; it is not yet functional.

Screenlocker module developed for enterprise networks:

The thing that stands out is the fact that TrickBot already had an SMB self-spreading worm component since the summer of 2017, dropped as a file named wormDll32.dll.

All three files dropped by this newly discovered module appear to be designed to work together, one after the other, independently of the original worm component, with the screenlocker triggered after spreading laterally through a network.

This has led security researchers to believe that this module was developed as a one-click method to monetize infections in corporate networks where users are less likely to use e-banking services, independently from the original SMB worm.

“If the TrickBot developers are attempting to complete this locking functionality, this generates interesting speculation around the group’s business model,” says Jason Davison, Advanced Threat Research Analyst for security firm Webroot.


SafeSQL: Static analysis tool for Go that protects against SQL injections

SafeSQL is a static analysis tool for Go that protects against SQL injections.

SQL injection is one of the vulnerability classes in the OWASP Top Ten for web applications. It affects dynamic web applications that build database queries from user input.

How does SafeSQL work:

SafeSQL uses the static analysis utilities in go/tools to search for all call sites of each of the query functions in the packages database/sql, github.com/jinzhu/gorm and github.com/jmoiron/sqlx (i.e., functions which accept a parameter named query or sql). It then makes sure that every such call site uses a query that is a compile-time constant.

The principle behind SafeSQL’s safety guarantee is that a query that is a compile-time constant cannot be subverted by user-supplied data: it must either incorporate no user-controlled values, or incorporate them through the package’s placeholder mechanism, which passes them as parameters rather than as SQL text. In particular, call sites which build up SQL statements via fmt.Sprintf, string concatenation or other mechanisms are not allowed.

False positives:

If SafeSQL passes, your application is free from SQL injection (modulo bugs in the tool); however, there are a great many safe programs which SafeSQL will declare potentially unsafe. These false positives fall roughly into two buckets:

First, SafeSQL does not currently recursively trace functions in the call graph.

Suppose MyQuery is a helper that forwards its query parameter to (*database/sql.DB).Query. If you only call MyQuery with compile-time constants, your program is safe; however, SafeSQL will report that (*database/sql.DB).Query is called with a non-constant parameter (namely the parameter of MyQuery). This is by no means a fundamental limitation: SafeSQL could recursively trace the query argument through every intervening helper function to ensure that its argument is always constant, but this code has yet to be written.

The second sort of false positive is based on a limitation of the kind of analysis SafeSQL performs: there are many safe SQL statements which are not feasible (or not possible) to represent as compile-time constants, for example a query whose column list or ORDER BY clause is chosen at runtime from a fixed set of values. More advanced static analysis techniques (such as taint analysis) or user-provided safety annotations could reduce the number of false positives, but this is expected to be a significant undertaking.
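As an added illustration of the call-site check described under “How does SafeSQL work” and of the MyQuery false positive above (example code written for this page, not SafeSQL’s own source), the following Go program uses the standard go/ast package to find calls whose method is named Query, QueryRow, Exec or Prepare and reports any whose first argument is not a compile-time constant. It simplifies the real tool in two ways: it matches on method name rather than on the resolved database/sql, gorm or sqlx types, and it does not follow the argument through helper functions, which is exactly why the MyQuery helper in the constructed sample is flagged. It goes slightly beyond the text in one respect: concatenation of constants (which Go itself treats as a constant expression) is accepted. The sample source, the Finding type and the function names are all constructed for this example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// sample is a constructed Go source file (not real application code) with two
// accepted call sites, two rejected ones, and the MyQuery helper that a
// name-based, non-recursive checker reports as a false positive.
const sample = `package app

import (
	"database/sql"
	"fmt"
)

const listUsers = "SELECT id FROM users WHERE org = $1"

func Safe(db *sql.DB, org string) {
	db.Query(listUsers, org) // constant identifier plus placeholder: accepted
	db.Query("SELECT 1")     // string literal: accepted
}

func Unsafe(db *sql.DB, name string) {
	q := fmt.Sprintf("SELECT id FROM users WHERE name = '%s'", name)
	db.Query(q)                                               // built at runtime: rejected
	db.Exec("DELETE FROM users WHERE name = '" + name + "'") // concatenation: rejected
}

func MyQuery(db *sql.DB, query string, args ...interface{}) {
	db.Query(query, args...) // parameter: rejected even if every caller passes a constant
}
`

// Finding is one call site whose query argument is not a compile-time constant.
type Finding struct {
	Line int    // line in the analysed source
	Func string // method name at the call site
	Expr string // the offending argument, printed back as source
}

// queryFuncs are the method names treated as SQL entry points (a simplification
// of SafeSQL, which resolves the receiver type instead of matching names).
var queryFuncs = map[string]bool{"Query": true, "QueryRow": true, "Exec": true, "Prepare": true}

// constNames collects every identifier declared in a `const` block in the file.
func constNames(f *ast.File) map[string]bool {
	names := map[string]bool{}
	ast.Inspect(f, func(n ast.Node) bool {
		decl, ok := n.(*ast.GenDecl)
		if !ok || decl.Tok != token.CONST {
			return true
		}
		for _, spec := range decl.Specs {
			for _, name := range spec.(*ast.ValueSpec).Names {
				names[name.Name] = true
			}
		}
		return true
	})
	return names
}

// isConstQuery reports whether e is a compile-time constant string: a string
// literal, a declared constant, or a concatenation of such values.
func isConstQuery(e ast.Expr, consts map[string]bool) bool {
	switch x := e.(type) {
	case *ast.BasicLit:
		return x.Kind == token.STRING
	case *ast.Ident:
		return consts[x.Name]
	case *ast.ParenExpr:
		return isConstQuery(x.X, consts)
	case *ast.BinaryExpr:
		return x.Op == token.ADD && isConstQuery(x.X, consts) && isConstQuery(x.Y, consts)
	}
	return false
}

// check parses src and returns every query call site whose first argument is
// not a compile-time constant, in source order.
func check(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	consts := constNames(f)
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok || len(call.Args) == 0 {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok || !queryFuncs[sel.Sel.Name] {
			return true
		}
		if !isConstQuery(call.Args[0], consts) {
			findings = append(findings, Finding{
				Line: fset.Position(call.Pos()).Line,
				Func: sel.Sel.Name,
				Expr: types.ExprString(call.Args[0]),
			})
		}
		return true
	})
	return findings, nil
}

func main() {
	findings, err := check(sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("input.go:%d: %s called with non-constant query %s\n", f.Line, f.Func, f.Expr)
	}
}
```

Run against the embedded sample, the checker reports the fmt.Sprintf result, the concatenated DELETE statement and the forwarded parameter inside MyQuery, and stays silent on the two accepted calls. Making the MyQuery case disappear would require following the parameter back to every caller, the recursive tracing the text above describes as not yet written.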

 


Trape: People tracker on the Internet

Trape is a reconnaissance tool that allows you to track people; the information it obtains is very detailed. The authors’ aim is to show how large Internet companies could monitor you, obtaining information that goes well beyond your IP address.

The tool has been published for educational purposes, to teach people how attackers could track or monitor them or obtain information from their credentials; the authors are not responsible for the uses people may make of this project.

Trape – Some benefits:

  • One of its most enticing functions is the remote recognition of sessions: you can find out, remotely, which services a person is logged into. This is done through a bypass of the Same Origin Policy (SOP).
  • Currently, you can try everything from a web interface (the console becomes a preview of the logs and actions).
  • Registration of victims, their requests and other data are obtained in real time.
  • The more information you have about the person behind a computer, the more direct and sophisticated an attack you can build. Trape was at some point used to track down criminals and learn their behaviour.
  • Real-time phishing attacks
  • Simple hooking attacks
  • Mapping
  • Important details of the target
  • Capturing credentials
  • Open Source Intelligence (OSINT)

Recognizes the sessions of the following services:

  • Facebook
  • Twitter
  • VK
  • Reddit
  • Gmail
  • tumblr
  • Instagram
  • Github
  • Bitbucket
  • Dropbox
  • Spotify
  • PayPal
  • Amazon
  • Foursquare (new)
  • Airbnb (new)
  • Hackernews (new)
  • Slack (new)

 


Example of execution:

  • With the --url option you specify the lure: a news page, an article, anything that serves as a presentation page.
  • With the --port option you specify the port the tool should listen on.
  • Do you want to monitor your people? Everything is possible with Trape.
  • Do you want to perform phishing attacks? Everything is possible with Trape.
  • In the files directory, at the path /static/files, you add the files (for example .exe files or other downloads) to be sent to the victim.


Chrome Zero: Chrome extension

Chrome Zero is a Google Chrome extension to protect users from microarchitectural and side-channel attacks.

Chrome Zero implements JavaScript Zero, a fine-grained policy-based system that allows the behaviour of standard JavaScript interfaces and functions to be changed. Using so-called policies, Chrome Zero enforces restrictions on a website to protect users from malicious JavaScript. Policies make it possible to quickly adapt the permission system to any newly discovered attack.

Chrome Zero is a proof-of-concept implementation that defends against these attacks. It installs as a Chrome extension and protects functions, properties and objects that can be exploited to construct attacks. The basic idea is very simple: functions are wrapped with replacement versions that allow a policy to be injected (properties are wrapped with accessor properties, and certain objects with proxy objects). This idea of wrapping goes by the fancy name of virtual machine layering.

Chrome Zero: Extension blocks 11 JavaScript-based side-channel attacks:

Experts say that currently there are eleven state-of-the-art side-channel attacks that can be performed via JavaScript code running in a browser.

Each attack needs access to various local details, for which it uses JavaScript code to leak, recover, and gather the needed information before mounting the actual side-channel attack.

After looking at each of the eleven attacks, the researchers identified five main categories of data or features that JavaScript side-channel attacks rely on: memory addresses recoverable from JavaScript, accurate timing (time-difference) information, the browser’s multithreading (web workers) support, data shared between JavaScript threads, and data from device sensors.

Chrome Zero has a minimum performance impact:

Despite the extension’s intrusive behaviour, tests showed a minimal performance impact of only 1.54% on resource usage and an indiscernible page-loading latency of between 0.01064 s and 0.08908 s, depending on the number of protection policies active at runtime.

The extension may well be able to thwart future, not yet known JavaScript side-channel attacks as well, mainly because it rewrites dangerous functions to safer versions rather than matching known attack code.


List of 29 Different Types of USB Attacks

One family of USB attacks is driver-related: an attacker plugs in a malicious USB device that causes the host to download a specifically crafted malicious driver, which then executes code on the host. That is, however, only one of many ways a USB device can be turned against its host.

Researchers from the Ben-Gurion University of the Negev in Israel have identified 29 ways in which attackers could use USB devices to compromise users’ computers.

These 29 exploitation methods fall into four different categories, depending on how the attack is carried out:

A) By reprogramming the USB device’s internal microcontroller. The device looks like a particular USB device (e.g.: charger), but carries out the operations of another (e.g.: keyboard —injects keystrokes).

B) By reprogramming the USB device’s firmware to execute malicious actions (such as malware downloading, data exfiltration, etc.).

C) By not reprogramming USB device firmware, but leveraging flaws in how operating systems normally interact with USB protocols/standards.

D) USB-based electrical attacks.


Reprogrammable microcontroller USB attacks:

  1. Rubber Ducky – a commercial keystroke injection attack platform released in 2010. Once connected to a host computer, the Rubber Ducky poses as a keyboard and injects a preloaded keystroke sequence.
  2. PHUKD/URFUKED attack platforms – similar to Rubber Ducky, but allows an attacker to select the time when it injects the malicious keystrokes.
  3. USB driveby – provides quick covert installation of backdoors and overriding DNS settings on an unlocked OS X host via USB in a matter of seconds by emulating an USB keyboard and mouse.
  4. Evilduino – similar to PHUKD/URFUKED, but uses Arduino microcontrollers instead of Teensy. Also works by emulating a keyboard/mouse and can send keystrokes/mouse cursor movements to the host according to a preloaded script.
  5. Unintended USB channel – a proof of concept (POC) USB hardware trojan that exfiltrates data based on unintended USB channels (such as using USB speakers to exfiltrate data).
  6. TURNIPSCHOOL – an open-source recreation (from the NSA Playset project) of COTTONMOUTH-1, the NSA hardware implant concealed within a USB cable.
  7. RIT attack via USB mass storage – attack described in a research paper. It relies on changing the content of files while the USB mass storage device is connected to a victim’s computer.
  8. Attacks on wireless USB dongles – a category of attacks first explored with the release of the KeySweeper attack platform by Samy Kamkar, a tool that covertly logs and decrypts keystrokes from many Microsoft RF wireless keyboards.
  9. Default Gateway Override – an attack that uses a microcontroller to spoof a USB Ethernet adapter to override DHCP settings and hijack local traffic.


Maliciously reprogrammed USB peripheral firmware attacks:

  1. Smartphone-based HID attacks – first described in a research paper for which the researchers created custom Android gadget drivers to override how Android interacted with USB devices. The malicious driver used the Android USB gadget API to make the phone appear as a USB keyboard and mouse to the host it was plugged into.
  2. DNS Override by Modified USB Firmware – researchers modified the firmware of a USB flash drive and used it to emulate a USB-ethernet adapter, which then allowed them to hijack local traffic.
  3. Keyboard Emulation by Modified USB Firmware – several researchers showed how poisoning the firmware of USB flash drives, an attacker could inject keyboard strokes.
  4. Hidden Partition Patch – researchers demonstrated how a USB flash drive could be reprogrammed to act like a normal drive, creating a hidden partition that cannot be formatted, allowing for covert data exfiltration.
  5. Password Protection Bypass Patch – a small modification of a USB flash drive’s firmware allows attackers to bypass password-protected USB flash drives.
  6. Virtual Machine Break-Out – researchers used USB firmware to break out of virtual machine environments.
  7. Boot Sector Virus – researchers used a USB flash drive to infect the computer before it boots.
  8. iSeeYou – POC program that reprograms the firmware of a class of Apple internal iSight webcams so that an attacker can covertly capture video without the LED indicator warning.


Attacks based on unprogrammed USB devices:

  1. CVE-2010-2568 .LNK exploit used by Stuxnet and Fanny malware.
  2. USB Backdoor into Air-Gapped Hosts – attack used by the Fanny malware, developed by the Equation Group (a threat actor widely linked to the NSA). The attack uses hidden storage on the USB drive to carry preset commands that map computers in air-gapped networks; information about those networks is saved back to the USB flash drive’s hidden storage.
  3. Data Hiding on USB Mass Storage Devices – a large collection of tricks of hiding malware or stolen data inside a USB flash drive (eg.: storing data outside of the normal partitions, hiding the file inside an invisible folder by making that folder’s icon and name transparent, etc.).
  4. AutoRun Exploits – depending on how host computers were configured, some PCs would auto-execute predetermined files located on a USB device’s storage. There’s an entire malware category dedicated to this called autorun malware.
  5. Cold Boot Attacks – aka the RAM dump attack. Attackers can store a memory dumper on a USB flash drive and extract left-over data from RAM by booting from a USB device.
  6. Buffer Overflow based Attacks – Several attacks that rely on exploiting OS buffer overflows when a USB device is inserted into a computer. This happens because operating systems will enumerate the devices and functions (run certain predetermined operations) when a USB device is inserted.
  7. Driver Update – a very complex attack that relies on obtaining a VeriSign Class 3 Organizational Certificate and submitting drivers to Microsoft that are automatically delivered and installed on user PCs when a certain USB device is inserted. This attack is possible, but very hard to pull off in the real world.
  8. Device Firmware Upgrade (DFU) – attackers can use the Device Firmware Upgrade (DFU), a legitimate process supported by the USB standard, to update local legitimate firmware to a malicious version.
  9. USB Thief – a USB flash drive based data-stealing malware that was recently discovered by ESET.
  10. Attacks on Smartphones via the USB Port – attackers can hide and deliver malware (malicious) via USB phone chargers.
  11. USBee attack – make a USB connector’s data bus give out electromagnetic emissions that can be used to exfiltrate data.


Electrical attacks:

  1. USB Killer – permanently destroys devices by inserting a USB device that delivers an electrical surge.


Algo VPN: Set up a personal IPSEC VPN in the cloud

Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC VPN. It uses the most secure defaults available, works with common cloud providers, and does not require client software on most devices.

Algo, the ‘VP of all Networks’, is strong, secure and tidy. It uses the least amount of software necessary to get the job done.

Don’t bother with commercial VPNs

Really, the paid-for services are just commercial honeypots. If an attacker can compromise a VPN provider, they can monitor a whole lot of sensitive data.

Paid-for VPNs tend to be insecure: they share keys, their weak cryptography gives a false sense of security, and they require you to trust their operators.

OpenVPN: Requires client software

OpenVPN’s lack of out-of-the-box client support on any major desktop or mobile operating system introduces unnecessary complexity. The user experience suffers.

Speaking of users, they’re required to update and maintain this software too. That is a recipe for disaster.

Algo VPN Features:

  • Supports only IKEv2 with strong crypto: AES-GCM, SHA2, and P-256
  • Generates Apple profiles to auto-configure iOS and macOS devices
  • Includes a helper script to add and remove users
  • Blocks ads with a local DNS resolver (optional)
  • Sets up limited SSH users for tunneling traffic (optional)
  • Based on current versions of Ubuntu and strongSwan
  • Installs to DigitalOcean, Amazon EC2, Microsoft Azure, Google Compute Engine, or your own server.

Anti-features:

  • Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA
  • Does not install Tor, OpenVPN, or other risky servers
  • Does not depend on the security of TLS
  • Does not require client software on most platforms
  • Does not claim to provide anonymity or censorship avoidance
  • Does not claim to protect you from the FSB, MSS, DGSE, or FSM.

Designed to be disposable:

Algo is designed to be easy to set up, so you can start it when you need it and tear it down before anyone can figure out which service you are routing your traffic through.

Setup is automated. Just answer a few questions, and Algo will build your VPN.

The setup process for Apple devices is automated too: Algo produces a profile file that you can AirDrop to a device. Press ‘Install’ and you have a VPN. Or several VPNs.

You do not have to choose just one VPN gateway: you could set up 20 on different services, for example DigitalOcean in Bangalore, EC2 in Virginia, or any other combination.


ezXSS: Test Blind Cross Site Scripting

Blind Cross Site Scripting

Blind cross site scripting (BXSS) is a variation of stored XSS, where the injection point and the execution point are different. It’s harder to find and certainly requires a different methodology than testing for stored (non-blind), reflected, or even DOM-based XSS.

Typically, with ordinary stored XSS, the payload executes on the same page it was injected into; with blind XSS it fires somewhere the tester cannot see, such as an administrative panel, a support ticket system or a log viewer, so the tester needs a payload that reports back on its own.

ezXSS: Test Blind Cross Site Scripting

ezXSS is an easy way to test blind Cross Site Scripting.

Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web application. XSS is amongst the most rampant of web application vulnerabilities and occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

Features of ezXSS:

  • Easy-to-use dashboard with statistics, payloads, view/share/search reports and more
  • Payload generator
  • Instant email alert when a payload fires
  • Custom JavaScript for extra testing
  • Prevents duplicate payload hits from being saved or alerted on
  • Share reports with other ezXSS users
  • Easily manage and view reports in the system
  • Search for reports in no time
  • Secure your system account with extra protection (2FA)
  • The following information is collected from a vulnerable page:
      • The URL of the page
      • IP address
      • Any page referer (or share referer)
      • The User-Agent
      • All non-HttpOnly cookies
      • Full HTML DOM source of the page
      • Page origin
      • Time of execution
  • It’s just ez

Requirements:

  • PHP 5.5 or later
  • A domain name (consider a short one)
  • A TLS (SSL) certificate if you want to test on HTTPS websites (consider Cloudflare or Let’s Encrypt for a free one)

Blind Cross Site Scripting (XSS) vulnerability detection:

The approach is the same one XSS Hunter popularised: a blind XSS vulnerability is one where the payload fires in another user’s browser (an administrative panel, support system or logging application) which you cannot “see”, because it never fires in your own browser. XSS Hunter, like ezXSS, addresses this by recording extensive information about each payload fire in its database.


Critical bugs in CredSSP allow remote code execution on Servers

The newly discovered vulnerability in the Credential Security Support Provider protocol (CredSSP) on Windows allows attackers to abuse Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) sessions to remotely steal data or run malicious code. CredSSP was designed to securely forward a user’s credentials from the client to the target server when Windows hosts connect over RDP or WinRM.

This vulnerability (CVE-2018-0886) was discovered by a researcher at a company named Preempt Security. It is a logic flaw in the cryptography of the CredSSP protocol. An attacker with a wireless or physical connection to the network can mount a man-in-the-middle attack and then issue a Remote Procedure Call to steal the authentication information from the intercepted session.


How Does CredSSP Attack Work?

An attacker can exploit this vulnerability in conjunction with a man-in-the-middle attack. The attacker sets up the man-in-the-middle position, waits for a CredSSP session to occur and, once it does, steals the session authentication and performs a Remote Procedure Call (DCE/RPC) attack on the server that the user originally connected to (e.g., the server the user connected to with RDP). An attacker who has stolen a session from a user with sufficient privileges could run arbitrary commands with local admin privileges. This is especially critical in the case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default.


Scenarios in which a CredSSP attack could be mounted:

An attacker with WiFi/physical access – If an attacker has some physical access to your network, then he could easily launch a man-in-the-middle attack. If you also have WiFi deployed in areas of your network, you might be vulnerable to key reinstallation attacks (KRACK), thus exposing all machines that do RDP via WiFi to this new attack.


Address Resolution Protocol (ARP) poisoning – Despite being an old attack technique, many networks are still not 100% protected from ARP poisoning. If this is the case in your network, this new vulnerability means an attacker with control of one machine could easily move laterally and infect all machines in the same network segment.


Attacking sensitive servers (including domain controllers) – Sometimes, an attacker has control of several workstations in an organization and needs to find a way to infect sensitive business-critical servers (which might require higher privileges).


Most corporate internal networks use the Windows RDP protocol for remote login. Preempt’s researchers reported this vulnerability to Microsoft last August, and Microsoft has now released a patch for it.


Agrigento: Identify privacy leaks in Android apps


Agrigento is a tool to identify privacy leaks in Android apps by performing black-box differential analysis on the network traffic. It performs root cause analysis of non-determinism in the network behavior of Android apps.

Agrigento works in two steps: first, it establishes a baseline of the network behavior of an app; then it modifies sources of private information, such as the device ID and location, and detects privacy leaks by observing deviations in the resulting network traffic. The main contribution of this work is to make black-box differential analysis practical when applied to modern Android apps.


Sources of non-determinism handled by Agrigento:

Agrigento is able to eliminate the different sources of non-determinism by intercepting calls from the app to certain Android API calls and recording their return values, and in some cases replacing them (either by replaying previously seen values or by returning constant values).

  • It records the timestamps generated during the first run of each app and replays the same values in the further runs.
  • It records the random identifiers (UUID) generated by the app.
  • It records the plaintext and ciphertext values whenever the app performs encryption.
  • The instrumented environment sets a fixed seed for all random number generation functions.
  • It replaces the values of system-related performance measures (e.g., free memory, available storage space) with a set of constants.


Agrigento requires other modules to be installed on the Android device:

  • [Xposed].
  • [CryptoHooker] – Collect contextual information.
  • [Changer] – Modify the values of private information sources.
  • [JustTrustMe] – Handle certificate pinning.
  • [Android Mock-location] – Allows setting a mock location through ADB.


Agrigento Network Behavior:

Agrigento looks for privacy leaks at all levels of the tree, i.e., in all parts of the HTTP request: the domain, path, query keys and values, as well as the headers and the payload. In the current implementation Agrigento includes parsers for application/x-www-form-urlencoded, application/json, and any content that matches an HTTP query format. However, it can easily be extended with parsers for further content types.
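The two-step differential analysis and the request tree described above, as an added example that is not Agrigento's own code: each request is flattened into (location, value) leaves using the content-type parsers the article names, two runs that differ only in the device ID are compared, and leaves that changed and embed the device ID (plain or hashed) are reported. The app, domain and device IDs are constructed for the demo.

```python
# Added example, not Agrigento's own code: black-box differential analysis over
# the leaves of an HTTP request (domain, path, query, headers, parsed body).
# Sample traffic and device IDs below are constructed for this demo.
import hashlib
import json
from urllib.parse import parse_qsl, urlsplit


def body_leaves(content_type, body):
    # Parser chosen by content type, as the article describes; raw fallback otherwise.
    if content_type.startswith("application/x-www-form-urlencoded"):
        return [("body/" + k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    if content_type.startswith("application/json"):
        return [("body/" + k, str(v)) for k, v in json.loads(body).items()]
    return [("body", body)] if body else []


def request_leaves(req):
    # Flatten one request (dict with url/headers/body) into a location -> value map.
    u = urlsplit(req["url"])
    headers = req.get("headers", {})
    leaves = [("domain", u.netloc), ("path", u.path)]
    leaves += [("query/" + k, v) for k, v in parse_qsl(u.query, keep_blank_values=True)]
    leaves += [("header/" + k.lower(), v) for k, v in headers.items()]
    leaves += body_leaves(headers.get("Content-Type", ""), req.get("body", ""))
    return dict(leaves)


def encodings(value):
    # Forms in which a private value commonly travels: plain text and common digests.
    raw = value.encode()
    return {value} | {h(raw).hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256)}


def find_leaks(baseline, changed, secret_before, secret_after):
    # A leaf leaks if it differs between runs and each run's value embeds that run's
    # secret; leaves with identical values are deterministic and ignored.
    base, chg = request_leaves(baseline), request_leaves(changed)
    before, after = encodings(secret_before), encodings(secret_after)
    return sorted(loc for loc, val in chg.items()
                  if base.get(loc) != val
                  and any(e in val for e in after)
                  and any(e in base.get(loc, "") for e in before))


def sample_request(device_id):
    # Constructed traffic from a hypothetical app: hashed ID in the query, plain ID in the body.
    did = hashlib.md5(device_id.encode()).hexdigest()
    return {"url": "https://tracker.example/collect?did=%s&v=2" % did,
            "headers": {"Content-Type": "application/json", "User-Agent": "demoapp/1.0"},
            "body": json.dumps({"locale": "en_US", "device": device_id, "event": "open"})}
```

Running `find_leaks(sample_request("3f1c2d9e8a7b6c5d"), sample_request("00000000deadbeef"), "3f1c2d9e8a7b6c5d", "00000000deadbeef")` reports `['body/device', 'query/did']`: the hashed query parameter is caught because the comparison is made on the encodings of the secret, not on the raw string alone.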
