Change Passwords Regularly - A Myth And A Lie, Don'T Be Fooled, Part 1

TL;DR: different passwords have different protection requirements, and different attackers using various attacks can only be prevented through different prevention methods. Password security is not simple. For real advise, checking the second post (in progress).

Are you sick of password advices like "change your password regularly" or "if your password is password change it to pa$$w0rd"? This post is for you!

The news sites are full of password advises nowadays due to recent breaches. When I read/watch these advise (especially on CNN), I am usually pissed off for a lot of reasons. Some advises are terrible (a good collection is here), some are good but without solutions, and others are better, but they don't explain the reasons. Following is my analysis of the problem. It works for me. It might not work for you. Comments are welcome!

Password history

Passwords have been used since ancient times.

Because it is simple. When I started using the Internet, I believe I had three passwords. Windows login, webmail, and IRC. Now I have ~250 accounts/passwords to different things, like to my smartphone, to my cable company (this password can be used to change the channels on the TV), to my online secure cloud storage, to full disk encryption to start my computer, to my nude pictures, to my WiFi router, to my cloud server hosting provider, etc etc etc. My money is protected with passwords, my communication is protected with passwords/encryption, my work is protected with passwords. It is pretty damn important. But yet people tend to choose lame passwords. Pretty lame ones. Because they don't think it can be significant. But what is not essential today will be relevant tomorrow. The service you used to download music (iTunes) with the lame password will one day protect all your Apple devices, where attackers can download your backup files, erase all your devices, etc. The seven-character and one capital rule is not enough anymore. This advice is like PDF is safe to open, Java is secure. Old, outdated, untrue.

Now, after this lengthy prologue, we will deep dive into the analysis of the problem, by checking what we want to protect, against whom (who is the attacker), and only after that, we can analyze the solutions. Travel with me, I promise it will be fun! ;)

What to protect?

There are different services online, and various services need different ways to protect. You don't use the same lock on your Trabant as you do on your BMW.

Internet banking, online money

For me, this is the most vital service to protect. Luckily, most of the internet banking services use two-factor authentication (2FA), but unfortunately, not all of them offer transaction authorization/verification with complete transactions. 2FA is not effective against malware, it just complicates the attack. Transaction authorization/verification is better, but not perfect (see Zitmo). If the access is not protected with 2FA, better choose the best password you have (long, real random, sophisticated, but we will get to this later). If it is protected with 2FA, it is still no reason not to use the best password ;) This is what I call the "very high-level password" class.

Credit card data

This system is pretty fucked up bad. Something has to be secret (your credit card number), but in the meantime that is the only thing to identify your credit card. It is like your username is your password. Pretty bad idea, huh? The problem is even worse with a lot of different transaction types, especially when the hotel asks you to fax both sides of your CC to them. Unfortunately, you can't change the password on your credit card, as there is no such thing, but Verified by VISA or 3-D Secure with 2FA might increase the chances your credit card won't get hacked. And on a side note, I have removed the CVV numbers from my credit/debit cards. I only read it once from the card when I received it, I don't need it anymore to be printed there.
And sometimes, you are your own worst enemy. Don't do stupid things like this:

Work related passwords (e.g. Windows domain)

This is very important, but because the attack methods are a bit different, I created this as a different category. Details later.

Email, social sites (Gmail/Facebook/Twitter), cloud storage, online shopping

This is what I call the "high level password" class.

Still, pretty important passwords. Some people don't understand "why would attackers put any energy to get his Facebook account?" It is simple. For money. They can use your account to spread spam all over your Facebook wall. They can write messages to all of your connections and tell them you are in trouble and send money via Western Union or Bitcoin.

They can use your account in Facebook votes. Your e-mail, cloud storage is again very important. 20 years ago you also had letters you didn't want to print and put in front of the nearest store, neither want you to do that with your private photo album. On a side note, it is best to use a cloud storage where even the cloud provider admin can't access your data. But in this case, with no password recovery option, better think about "alternative" password recovery mechanisms.

Other important stuff with personal data (e.g. your name, home address)

The "medium level password" class. This is a personal preference to have this class or not, but in the long run, I believe it is not a waste of energy to protect these accounts. These sites include your favorite pizza delivery service, your local PC store, etc.

Not important stuff

This is the category other. I usually use one-time disposable e-mail to these services. Used for the registration, get what I want, drop the email account. Because I don't want to spread my e-mail address all over the internet, whenever one of these sites get hacked. But still, I prefer to use different, random passwords on these sites, although this is the "low level password" class.

Attackers and attack methods

After categorizing the different passwords to be protected, let's look at the different attackers and attack methods. They can/will/or actively doing it now:

Attacking the clear text password 

This is the most effective way of getting the password. Bad news is that if there is no other factor of protection, the victim is definitely not on the winning side. The different attack methods are:

• phishing sites/applications,

• social engineering,
• malware running on the computer (or in the browser), 
• shoulder surfing (check out for smartphones, hidden cameras), 
• sniffing clear-text passwords when the website is not protected with SSL,
• SSL MiTM,
• rogue website administrator/hacker logging clear text passwords,
• password reuse - if the attacker can get your password in any way, and you reuse it somewhere else, that is a problem,
• you told your password to someone and he/she will misuse it later,
• hardware keyloggers,
• etc.

The key thing here is that no matter how long your passwords are, no matter how complex it is, no matter how often do you change it (except when you do this every minute ... ), if it is stolen, you are screwed. 2FA might save you, or might not.

Attacking the encrypted password 

This is the usual "hack the webserver (via SQL injection), dump the passwords (with SQLMap), post hashes on pastebin, everybody starts the GPU farm to crack the hashes" scenario. This is basically the only scenario where the password policies makes sense. In this case the different level of passwords need different protection levels. In some cases, this attack turns out to be the same as the previous attack, when the passwords are not hashed, or are just encoded.

The current hash cracking speeds for hashes without any iterations (this is unfortunately very common) renders passwords like Q@tCB3nx (8 character, upper-lowercase, digit, special characters) useless, as those can be cracked in hours. Don't believe me? Let's do the math.

Let's say your password is truly random, and randomly choosen from the 26 upper, 26 lower, 10 digit, 33 special characters. (Once I tried special passwords with high ANSI characters inside. It is a terrible idea. Believe me.). There are 6 634 204 312 890 620 different, 8 character passwords from these characters. Assuming a 2 years-old password cracking rig, and MD5 hash cracking with 180 G/s speed, it takes a worst case 10 hours (average 5) to crack the password, including upgrading your bash to the latest, but still vulnerable bash version. Had the password been 10 characters long, it would take 10 years to crack with today hardware. But if the password is not truly random, it can be cracked a lot sooner.

A lot of common hashing algorithms don't use protections against offline brute-force attacks. This includes LM (old Windows hashes), NTLM (modern Windows hashes), MD-5, SHA1-2-512. These hashing algorithms were not developed for password hashing. They don't have salting, iterations, etc. out of the box. In the case of LM, the problem is even worse, as it converts the lowercase characters to uppercase ones, thus radically decreasing the key space. Out of the box, these hashes are made for fast calculation, thus support fast brute-force.

Another attack is when the protected thing is not an online service, but rather an encrypted file or crypto-currency wallet.

Attacking the authentication system online

This is what happened in the recent iCloud hack (besides phishing). Attackers were attacking the authentication system, by either brute-forcing the password, or bypassing the password security by answering the security question. Good passwords can not be brute-forced, as it takes ages. Good security answers have nothing to do with the question in first place. A good security answer is as hard to guess as the password itself. If password recovery requires manual phone calls, I know, it is a bit awkward to say that your first dog name was Xjg.2m`4cJw:V2= , but on the other hand, no one will guess that!

Attacking single sign on

This type of attack is a bit different, as I was not able to put the "pass the hash" attacks anywhere. Pass the hash attack is usually found in Windows domain environments, but others might be affected as well. The key thing is single sign on. If you can login to one system (e.g. your workstation), and access many different network resources (file share, printer, web proxy, e-mail, etc.) without providing any password, then something (a secret) has to be in the memory which can be used to to authenticate to the services. If an attacker can access this secret, he will be able to access all these services. The key thing is (again) it does not matter, how complex your passwords are, how long it is, how often do you change, as someone can easily misuse that secret.

 

Attacking 2FA

As already stated, 2 factor authentication raises the efforts from an attacker point of view, but does not provide 100% protection. 

• one time tokens (SecurID, Yubikey) can be relayed in a man-in-the-middle attack, 
• smartcard authentication can be relayed with the help of a malware to the attacker machine - or simply circumvented in the browser malware, 
• text based (SMS) messages can be stolen by malware on the smartphone or rerouted via SS7, 
• bio-metric protection is constantly bypassed,
• SSH keys are constantly stolen,
• but U2F keys are pretty good actually, even though BGP/DNS hijack or similar MiTM can still circumvent that protection,
• etc. 

Others

Beware that there are tons of other attack methods to access your online account (like XSS/CSRF), but all of these have to be handled on the webserver side. The best you can do is to choose a website where the Bug Bounty program is running 24/7. Otherwise, the website may be full of low hanging, easy-to-hack bugs.

Now that we have covered what we want to protect against what, in the next blog post, you will see how to do that. Stay tuned. I will also explain the title of this blog post.Related links

1. Hacking Linux Distro
2. Hacking Programs
3. Hacking Attacks
4. Como Aprender A Hackear
5. Hacking Gif
6. Definicion De Hacker
7. Como Aprender A Hackear Desde Cero
8. Hacking Wifi

HOW TO BECOME A CERTIFIED ETHICAL HACKER

7 Tips to become a hacker?
It is very important for a hacker to learn different types of programming language such as C,C++,Python,Java,PHP etc and it is also necessary to learn hardware and networking for a good hacker because these skill are very useful to become a successful hacker.

1-Programming Language are essential to becoming a good hacker 

2-Networking skills is important to becoming an effective hacker.

3-SQL language are essential to becoming an effective hacker 

4-Internet surfing is also essential for becoming a hacker for gathering information.

5-Cryptography is essential to becoming a certified hacker from which a hacker can share his/her readable data to other person in a nonreadable form with the help of Cryptography.

6-Penetration testing  is also important for a hacker.

7-experiment a lot is also very useful to becoming a ethical hacker.

Follow me on insta_anoymous_adi

Read more

1. Tools Hacking
2. Hacking Academy
3. Growth Hacking Madrid
4. Tutoriales Hacking
5. Car Hacking
6. Experto En Seguridad Informática
7. Hacker En Español
8. Phishing Hacking
9. Hacking Wifi Windows
10. Herramientas Hacking Etico
11. Hacking Y Forensic Desarrolle Sus Propias Herramientas En Python Pdf
12. Programa Hacker

CEH: Identifying Services & Scanning Ports | Gathering Network And Host Information | NMAP

CEH scanning methodology is the important step i.e. scanning for open ports over a network. Port is the technique used to scan for open ports. This methodology performed for the observation of the open and close ports running on the targeted machine. Port scanning gathered a valuable information about  the host and the weakness of the system more than ping sweep.

Network Mapping (NMAP)

Basically NMAP stands for Network Mapping. A free open source tool used for scanning ports, service detection, operating system detection and IP address detection of the targeted machine. Moreover, it performs a quick and efficient scanning a large number of machines in a single session to gathered information about ports and system connected to the network. It can be used over UNIX, LINUX and Windows.

There are some terminologies which we should understand directly whenever we heard like Open ports, Filtered ports and Unfiltered ports.

Open Ports means the target machine accepts incoming request on that port cause these ports are used to accept packets due to the configuration of TCP and UDP.

Filtered ports means the ports are usually opened but due to firewall or network filtering the nmap doesn't detect the open ports.

Unfiltered means the nmap is unable to determine whether the port is open or filtered  while the port is accessible.

Types Of NMAP Scan

Scan Type	Description
Null Scan	This scan is performed by both an ethical hackers and black hat hackers. This scan is used to identify the TCP port whether it is open or closed. Moreover, it only works over UNIX  based systems.
TCP connect	The attacker makes a full TCP connection to the target system. There's an opportunity to connect the specifically port which you want to connect with. SYN/ACK signal observed for open ports while RST/ACK signal observed for closed ports.
ACK scan	Discovering the state of firewall with the help ACK scan whether it is stateful or stateless. This scan is typically used for the detection of filtered ports if ports are filtered. Moreover, it only works over the UNIX based systems.
Windows scan	This type of scan is similar to the ACK scan but there is ability to detect an open ports as well filtered ports.
SYN stealth scan	This malicious attack is mostly performed by attacker to detect the communication ports without making full connection to the network. This is also known as half-open scanning.

 

All NMAP Commands 

Commands	Scan Performed
-sT	TCP connect scan
-sS	SYN scan
-sF	FIN scan
-sX	XMAS tree scan
-sN	Null scan
-sP	Ping scan
-sU	UDP scan
-sO	Protocol scan
-sA	ACK scan
-sW	Window scan
-sR	RPC scan
-sL	List/DNS scan
-sI	Idle scan
-Po	Don't ping
-PT	TCP ping
-PS	SYN ping
-PI	ICMP ping
-PB	ICMP and TCP ping
-PB	ICMP timestamp
-PM	ICMP netmask
-oN	Normal output
-oX	XML output
-oG	Greppable output
-oA	All output
-T Paranoid	Serial scan; 300 sec between scans
-T Sneaky	Serial scan; 15 sec between scans
-T Polite	Serial scan; .4 sec between scans
-T Normal	Parallel scan
-T Aggressive	Parallel scan, 300 sec timeout, and 1.25 sec/probe
-T Insane	Parallel scan, 75 sec timeout, and .3 sec/probe

 

How to Scan

You can perform nmap scanning over the windows command prompt followed by the syntax below. For example, If you wanna scan the host with the IP address 192.168.2.1 using a TCP connect scan type, enter this command:

nmap 192.168.2.1 –sT

nmap -sT 192.168.2.1

Read more

1. Hacking With Python
2. Hacking Libro
3. Hacking Games Online
4. Curso De Ciberseguridad Y Hacking Ético
5. Password Hacking
6. Programa De Hacking
7. Pagina Hacker
8. Hacking Ético Curso
9. Hacking To The Gate
10. Hacking Traduccion
11. Wifi Hacking App

Web Hacking Video Series #4 MySQL Part 2 (Injection And Coding)

Video Lesson Topics:

1. Setting up your victim application, databases and lab
2. Attacking a simple injection with information Schema
3. Automating your injections with python and beautiful soup
4. Dealing with various web encoding in Python and PHP
5. Bypassing LoadFile Size restrictions and automating it
6. Decrypting sensitive data via PHP and Python interactions
7. As always me rambling about stupid nonsense :P FTW

Part 2 of Mysql covers the topic of injecting a simple SQL injection example. Starts out slow then combines techniques and moves into more advanced topics. Prior to attempting this lesson make sure you have watched the videos in the previous blog or understand both SQL and basic python coding. I will show how to automate the injection process via python utilizing simple HTML processing abilities of beautiful soup.  I will cover many python libraries for encoding data and calling web based applications. I also talk about how to deal with encrypted data and methods of enumerating files and folders looking for possible implementation issues and attack points to decrypt sensitive data via PHP/Python interaction with whats available on the server. This is the 2nd part of a 3 part series on MySQL for attacking web applications.

Files Needed:

Lab Files
BT5

Video Lesson:

Whats Next:

PHP source code analysis
Recoding PHP applications to fix SQLi

Read more

• Hacking 2019
• Wordpress Hacking
• Hacking With Swift
• Hacking Traduccion
• Software Hacking
• Hacking Aves
• Elhacker Ip
• Hacking Traduccion
• Curso Hacking Gratis
• Google Hacking
• Curso Seguridad Informatica
• Hacking Aves
• Herramientas Hacking
• Hacking Tutorials
• Chema Alonso Wikipedia
• Libro Hacker

CEH Practical: Gathering Target Information: Reconnaissance And Competitive Intelligence

CEH Exam Objectives:

Describe Reconnaissance. 

Describe aggressive/competitive intelligence.

Reconnaissance

 Reconnaissance is the process of gathering informative data about a particular target of a malicious hack by exploring the targeted system. Basically two types of Reconnaissance exist i.e. Active and Passive. Active reconnaissance typically related to port scanning and observing the vulnerabilities about the targeted system (i.e., which ports are left vulnerable and/or if there are ways around the firewall and routers). Passive reconnaissance typically you will not be directly connected to a computer system. This process is used to gather essential information without ever interacting with the target systems.

Understand Aggressive Intelligence 

Competitive intelligence means information gathering about competitors' products, marketing, and technologies. Most competitive intelligence is non intrusive to the company being investigated and is benign in nature. It's used for product comparison or as a sales and marketing tactic to better understand how competitors are positioning their products or services.

Online tools to gather competitive intelligence

Exercise 1.1

Using KeywordSpy 

To use the KeywordSpy online tool to gather competitive intelligence information:  

• Go to the www.keywordspy.com website and enter the website address of the target in the search field 

• Review the report and determine valuable keywords, links, or other information.

 

Exercise 1.2

Using spyfu

• Go to your browser and type www.spyfu.com and enter the website address of the target in the search field.
  

Exercise 1.3

Using the EDGAR Database to Gather Information

1. Determine the company's stock symbol using Google.

2. Open a web browser to www.sec.gov.

3. On the right side of the page, click the link EDGAR Filers. 

4. Click the Search For Filings menu and enter the company name or stock  symbol to search the filings for information. You can learn, for example, where the company is registered and who reported the filing.

5. Use the Yahoo! yellow pages ( http://yp.yahoo.com ) to see if an address or phone number is listed for any of the employee names you have located.

More info

• Libro Hacking Etico
• Hacking School
• Master Growth Hacking
• Seguridad Y Hacking
• Fake Hacking
• Hacking Con Python
• Curso De Hacking Etico
• Hacking Software
• Ethical Hacking Curso
• Hacking Ético Con Herramientas Python Pdf

CEH: System Hacking, Cracking A Password, Understanding The LAN Manager Hash, NetBIOS DoS Attacks

Passwords are the key element of information require to access the system. Similarly, the first step is to access the system is that you should know how to crack the password of the target system. There is a fact that users selects passwords that are easy to guess. Once a password is guessed or cracked, it can be the launching point for escalating privileges, executing applications, hiding files, and covering tracks. If guessing a password fails, then passwords may be cracked manually or with automated tools such as a dictionary or brute-force method.

Cracking a Password

Passwords are stored in the Security Accounts Manager (SAM) file on a Windows system and in a password shadow file on a Linux system.

Manual password cracking involves attempting to log on with different passwords. The hacker follows these steps:

1. Find a valid user account (such as Administrator or Guest).
2. Create a list of possible passwords.
3. Rank the passwords from high to low probability.
4. Key in each password.
5. Try again until a successful password is found.

A hacker can also create a script file that tries each password in a list. This is still considered manual cracking, but it's time consuming and not usually effective.

A more efficient way of cracking a password is to gain access to the password file on a system. Most systems hash (one-way encrypt) a password for storage on a system. During the logon process, the password entered by the user is hashed using the same algorithm and then compared to the hashed passwords stored in the file. A hacker can attempt to gain access to the hashing algorithm stored on the server instead of trying to guess or otherwise identify the password. If the hacker is successful, they can decrypt the passwords stored on the server.

Understanding the LAN Manager Hash

Windows 2000 uses NT LAN Manager (NTLM) hashing to secure passwords in transit on the network. Depending on the password, NTLM hashing can be weak and easy to break. For example, let's say that the password is 123456abcdef . When this password is encrypted with the NTLM algorithm, it's first converted to all uppercase: 123456ABCDEF . The password is padded with null (blank) characters to make it 14 characters long: 123456ABCDEF__ . Before the password is encrypted, the 14-character string is split in half: 123456A and
BCDEF__ . Each string is individually encrypted, and the results are concatenated:

123456A = 6BF11E04AFAB197F
BCDEF__ = F1E9FFDCC75575B15

The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15 .

Cracking Windows 2000 Passwords

The SAM file in Windows contains the usernames and hashed passwords. It's located in the Windows\system32\config directory. The file is locked when the operating system is running so that a hacker can't attempt to copy the file while the machine is booted to Windows.

One option for copying the SAM file is to boot to an alternate operating system such as DOS or Linux with a boot CD. Alternately, the file can be copied from the repair directory. If a system administrator uses the RDISK feature of Windows to back up the system, then a compressed copy of the SAM file called SAM._ is created in C:\windows\repair . To expand this file, use the following command at the command prompt:

C:\>expand sam._ sam

After the file is uncompressed, a dictionary, hybrid, or brute-force attack can be run against the SAM file using a tool like L0phtCrack. A similar tool to L0phtcrack is Ophcrack.

Download and install ophcrack from http://ophcrack.sourceforge.net/

Redirecting the SMB Logon to the Attacker

Another way to discover passwords on a network is to redirect the Server Message Block (SMB) logon to an attacker's computer so that the passwords are sent to the hacker. In order to do this, the hacker must sniff the NTLM responses from the authentication server and trick the victim into attempting Windows authentication with the attacker's computer.

A common technique is to send the victim an email message with an embedded link to a fraudulent SMB server. When the link is clicked, the user unwittingly sends their credentials over the network.

SMBRelay

An SMB server that captures usernames and password hashes from incoming
SMB traffic. SMBRelay can also perform man-in-the-middle (MITM) attacks.

SMBRelay2

Similar to SMBRelay but uses NetBIOS names instead of IP addresses to capture usernames and passwords.

pwdump2

A program that extracts the password hashes from a SAM file on a Windows system. The extracted password hashes can then be run through L0phtCrack to break the passwords.

Samdump

Another program that extracts NTLM hashed passwords from a SAM file.

C2MYAZZ

A spyware program that makes Windows clients send their passwords as clear text. It displays usernames and their passwords as users attach to server resources.

NetBIOS DoS Attacks

A NetBIOS denial-of-service (DoS) attack sends a NetBIOS Name Release message to the NetBIOS Name Service on a target Windows systems and forces the system to place its name in conflict so that the name can no longer be used. This essentially blocks the client from participating in the NetBIOS network and creates a network DoS for that system.

1. Start with a memorable phrase, such as "Maryhadalittlelamb"
2. Change every other character to uppercase, resulting in "MaRyHaDaLiTtLeLaMb"
3. Change a to @ and i to 1 to yield "M@RyH@D@L1TtLeL@Mb"
4. Drop every other pair to result in a secure repeatable password or "M@H@L1LeMb"

Now you have a password that meets all the requirements, yet can be "remade" if necessary. Related news

1. Hacking Web
2. Curso De Hacking Gratis
3. Hacking Con Python
4. Mindset Hacking Español
5. Body Hacking
6. Hacking Books

Leo's Noob

I would like to send a salve to my friend noob at Rivendel in Brazilian company hahaha

Related word

• Como Ser Hacker
• Sean Ellis Growth Hacking
• Hacker Definicion
• Growth Hacking Pdf
• Hacking In Spanish
• Libros Hacking Pdf
• Definicion De Hacker
• Social Hacking
• Hacking Python
• Growth Hacking

WiFi Hacking On Tablets

Disclaimer: Don't hack anything where you don't have the authorization to do so. Stay legal.

Ever since I bought my first Android device, I wanted to use the device for WEP cracking. Not because I need it, but I want it :) After some googling, I read that you can't use your WiFi chipset for packet injection, and I forgot the whole topic.

After a while, I read about hacking on tablets (this was around a year ago), and my first opinion was: 

"This is stupid, lame, and the usage of that can be very limited".

After playing one day with it, my opinion just changed: 

"This is stupid, lame, the usage is limited, but when it works, it is really funny :-)"

At the beginning I looked at the Pwn Pad as a device that can replace a pentest workstation, working at the attacker side. Boy was I wrong. Pwn Pad should be used as a pentest device deployed at the victim's side!

You have the following options:

1. You have 1095 USD + VAT + shipping to buy this Pwn Pad
2. You have around 200 USD to buy an old Nexus 7 tablet, a USB OTG cable, a USB WiFi dongle (e.g. TP-Link Wireless TL-WN722N USB adapter works).

In my example, I bought a used, old 2012 Nexus WiFi. Originally I bought this to play with different custom Android ROMs, and play with rooted applications. After a while, I found this Pwn Pad hype again and gave it a shot.

The Pwn Pad community edition has an easy-to-use installer, with a proper installation description. Don't forget to backup everything from your tablet before installing Pwn Pad on it!

I don't want to repeat the install guide, it is as easy as ABC. I booted a Ubuntu Live CD, installed adb and fastboot, and it was ready-to-roll. I have not measured the time, but the whole process was around 20 minutes.

The internal WiFi chipset can be used to sniff traffic or even ARP poisoning for active MiTM. But in my case, I was not able to use the internal chipset for packet injection, which means you can't use it for WEP cracking, WPA disauth, etc. This is where the external USB WiFi comes handy. And this is why we need the Pwn Pad Android ROM, and can't use an average ROM.

There are two things where Pwn Pad really rocks. The first one is the integrated drivers for the external WiFi with monitor mode and packet injection capabilities. The second cool thing is the chroot wrapper around the Linux hacking tools. Every hacking tool has a start icon, so it feels like it is a native Android application, although it is running in a chroot Kali environment.

Wifite

The first recommended app is Wifite. Think of it as a wrapper around the aircrack - airmon - airodump suite. My biggest problem with WEP cracking was that I had to remember a bunch of commands, or have the WEP cracking manual with me every time I have to crack it. It was overcomplicated. But thanks to Wifite, that is past.

In order to crack a WEP key, you have to:

1. Start the Wifite app
2. Choose your adapter (the USB WiFi)
   
   
   
3. Choose the target network (wep_lan in the next example)
4. Wait for a minute 
5. PROFIT!

SSH reverse shell

This is one of the key functionalities of the Pwn Pad. You deploy the tablet at the Victim side, and let the tablet connect to your server via (tunneled) SSH.

The basic concept of the reverse shells are that an SSH tunnel is established between the Pwn Pad tablet (client) and your external SSH server (either directly or encapsulated in other tunneling protocol), and remote port forward is set up, which means on your SSH server you connect to a localport which is forwarded to the Pwn Pad and handled by the Pwn Pad SSH server.

I believe the best option would be to use the reverse shell over 3G, and let the tablet connect to the victim network through Ethernet or WiFi. But your preference might vary. The steps for reverse shells are again well documented in the documentation, except that by default you also have to start the SSH server on the Pwn Pad. It is not hard, there is an app for that ;-) On your external SSH server you might need to install stunnel and ptunnel if you are not using Kali. The following output shows what you can see on your external SSH server after successful reverse shell.

root@myserver:/home/ubuntu# ssh -p 3333 pwnie@localhost
The authenticity of host '[localhost]:3333 ([127.0.0.1]:3333)' can't be established.
ECDSA key fingerprint is 14:d4:67:04:90:30:18:a4:7a:f6:82:04:e0:3c:c6:dc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:3333' (ECDSA) to the list of known hosts.
pwnie@localhost's password:
  _____      ___  _ ___ ___   _____  _____ ___ ___ ___ ___
 | _ \ \    / / \| |_ _| __| | __\ \/ / _ \ _ \ __/ __/ __|
 |  _/\ \/\/ /| .` || || _|  | _| >  <|  _/   / _|\__ \__ \
 |_|   \_/\_/ |_|\_|___|___| |___/_/\_\_| |_|_\___|___/___/

 Release Version: 1.5.5
 Release Date: 2014-01-30
 Copyright 2014 Pwnie Express. All rights reserved.

 By using this product you agree to the terms of the Rapid Focus
 Security EULA: http://pwnieexpress.com/pdfs/RFSEULA.pdf

 This product contains both open source and proprietary software.
 Proprietary software is distributed under the terms of the EULA.
 Open source software is distributed under the GNU GPL:
 http://www.gnu.org/licenses/gpl.html

pwnie@localhost:~$

Now you have a shell on a machine that is connected to the victim network. Sweet :) Now Metasploit really makes sense on the tablet, and all other command-line tools.

EvilAP and DSniff

Start EvilAP (it is again a wrapper around airobase), choose interface (for me the Internal Nexus Wifi worked), enter an SSID (e.g freewifi), enter channel, choose whether force all clients to connect to you or just those who really want to connect to you, and start.

The next step is to start DSniff, choose interface at0, and wait :) In this example, I used a popular Hungarian webmail, which has a checkbox option for "secure" login (with default off). There are sooo many problems with this approach, e.g. you can't check the certificate before connecting, and the login page is delivered over HTTP, so one can disable the secure login checkbox seamlessly in the background, etc. In this case, I left the "secure" option on default off.

In the next tutorial, I'm going to show my next favorite app, DSploit ;)

Lessons learned

Hacking has been never so easy before
In a home environment, only use WPA2 PSK
Choose a long, nondictionary passphrase as the password for WPA2
Don't share your WiFi passwords with people you don't trust, or change it when they don't need it anymore
Don't let your client device auto-connect to WiFi stations, even if the SSID looks familiar

I believe during an engagement a Pwn Plug has better "physical cloaking" possibilities, but playing with the Pwn Pad Community Edition really gave me fun moments.

And last but not least I would like to thank to the Pwn Pad developers for releasing the Community Edition!

Read more

• Growth Hacking Tools
• Hacking Etico Pdf
• Como Hacker
• Hacking Day
• Tipos De Hacker
• Hacking Smart Tv
• Hacking Cracking
• Computer Hacking
• Hacking Background

Skeleton Key: Cómo Poner Una Clave Maestra En El Domain Controller En Windows Server 2016 Y Controlarlo Una Vez Hackeado

La técnica que hoy se muestra en el artículo no es nueva, pero podemos decir que para muchos será desconocida. Este técnica tiene grandes frases cómo: "Todas las puertas de tu Active Directory quedan abiertas con la técnica Skeleton Key". Al principio el tema puede parecer complejo, pero viendo en qué se basa, la idea es sencilla. Podemos hablar de que Skeleton Key te da persistencia, pero realmente es parcial, ya que en el momento que se reinicie el DC o Domain Controller se acabó la persistencia. El tema es que un DC no se reinicia todos los días, por lo que podemos hablar de cierto grado de persistencia.

Figura 1: Skeleton Key: Cómo poner una clave maestra en el Domain
Controller en Windows Server 2016 y controlarlo una vez hackeado

Antes de hablar en qué consiste esta técnica y ponerla a prueba vamos a hablar de que hay varios métodos para comprometes cuentas de Active Directory con el objetivo de escalar privilegios y crear persistencia. ¿De dónde viene esta técnica? Fue vista en malware orientado a dominios de Active Directory, el cual permitía el secuestro de cualquier cuenta. ¿Cómo? Esta pieza de código se inyectaba en el proceso lsass.exe y creaba lo que llamaremos una contraseña maestra, la cual funcionaría para cualquier cuenta del dominio. La idea mola. 

 

Figura 2: Libro Windows Server 2016: Administración, Seguridad y Operaciones

Lo curioso de la técnica es que las contraseñas existentes también siguen funcionando, por lo que es complejo saber si el ataque se ha llevado a cabo. Más adelante hablaremos de la mitigación o el cómo darse cuenta o tener indicios de que Skeleton Key ha sido ejecutada en nuestro DC. Para entender bien esta técnica, cuantos más conocimientos tengas de Windows Server 2016:Administración, Seguridad y Operaciones, mejor que mejor, así que te recomiendo la lectura de este libro de 0xWord que explica muchos de los conceptos que vamos a utilizar hoy. Y si tienes tiempo, puedes hacerte el VBook de Windows Server 2016.

Requisitos antes de comenzar  

Los requisitos del ataque Skeleton Key son los siguientes:

- Solo es aplicable a los Domain Controller. 

 

- El pentester tiene que ser admin del dominio. 

 

- Cuando la máquina reinicia, el DC eliminará el Skeleton Key y deberá ser desplegado de nuevo si se quiere optar a tener los privilegios que se consiguen con Skeleton Key.

¿En qué consiste? Este ataque se aplica sobre dos métodos de autenticación: NTLM y Kerberos. Cuando se realiza la autenticación NTLM se inyectará el hash NTLM de la contraseña maestra, si lo hacemos con Mimikatz, ésta será "mimikatz". El hash se inyecta en el proceso lsass.exe y no se comprobará contra la SAM. De esta forma, cuando hagamos login con el usuario X y la contraseña correspondiente al hash que hemos inyectado, se logrará autenticar en el controlador de dominio.

Figura 3: Máxima Seguridad en Windows Gold Edition

El cifrado de Kerberos sufrirá un "downgrade" a un algoritmo que no soporte "salt": RCA_HMAC_MD5 y el hash que se recupera del AD es reemplazado por el hash generado con la técnica Skeleton Key. El hash que corresponde con la contraseña maestra es validado en el lado del servidor, por lo que se consigue una autenticación exitosa, tanto en NTLM como en Kerberos.

Skeleton Key 'on fire'

Antes de empezar a jugar vamos a proponer un escenario sencillo, pero real. A continuación se muestra:

- Metasploit (en cualquier máquina o contenedor de Docker que tengáis a mano). Intentaremos que sean últimas versiones. Yo he realizado un msfupdate antes de ejecutarlo. 

 

- Máquina Windows Server 2016 con dominio de pruebas HC (de mi querido hackersClub). 

 

- Máquina con un Windows cliente para conectarse con la clave maestra, una vez hecho el proceso.

Para entrar en el Domain Controller vamos a simular el acceso con el módulo web_delivery de Metasploit. Tras comprometer el Domain Controller habría que lograr escalar privilegios en el sistema, ya que sin ello no se podría hacer uso de Skeleton Key. En la siguiente imagen se puede visualizar la configuración del módulo web_delivery de Metasploit con el uso de un Meterpreter inverso. Ese código Powershell es el que utilizaremos para simular la intrusión.

Figura 4: Ataque con módulo web_delivery

Una de las cosas que me ha sorprendido de las últimas versiones y las modificaciones que ha ido sufriendo el código Powershell que se genera con Metasploit es que primero envía un código de bypass de AMSI y, posteriormente, se ejecuta el resto del payload.

Figura 5: Pentesting con Powershell 2ª Edición

Es decir, primero se deshabilita AMSI en el proceso de Powershell y luego se ejecuta el resto del script que proporcionará un Meterpreter en memoria. Ya hemos comentado en el blog que esto, hoy en día es fundamental, ya que AMSI puede detectaros un gran número de herramientas, entre las que se encuentra nuestra querida iBombshell: La estrategia es, primero quito AMSI, luego ejecuto herramienta.

Figura 6: Bypass de AMSI y ejecución de payload

Tras obtener la sesión de Meterpreter en Windows Server 2016, vamos a mostrar algunos detalles importantes.

Figura 7: Información del sistema contrtolado

Como se puede la máquina se llama HC-SERVER, la arquitectura es de 64 bits, tanto en máquina como el Meterpreter, y vemos que tenemos privilegios para impersonar a SYSTEM, por lo que entonces lo hacemos. Aquí ya hemos simulado esa escalada de privilegios, tendríamos el control del Domain Controller. Y desde aquí podríamos planear todos los ataques del Hacking Windows que quisiéramos.

Figura 8: Libro de Hacking Windows

Ahora, se puede hacer de varias formas. Podemos generar un Mimikatz y subirlo, pero debemos tener en cuenta que no nos lo "caze" el AV. Podemos cargar el módulo Kiwi que tiene Meterpreter y ejecutar la sentencia de Mimikatz sobre Skeleton Key.  Para ello, haremos uso de "load kiwi" y cargamos la extensión. Es importante que el payload sea de 64 bits, ya que aquí podemos encontrarnos un punto de fallo. Por otro lado, la sentencia a ejecutar para cargar Skeleton Key es: "kiwi_cmd misc::skeleton".

Figura 9: Cargando kiwi

Como se puede ver, todo ha ido bien y tenemos el "patch" listo. Ahora, vamos a ir a la máquina cliente, la cual puede ser nuestra u otra máquina que se haya comprometido en el pentesting.  Antes de nada, hay que indicar que con la herramienta Mimikatz, desde su propia consola, hay que ejecutar lo siguiente:

- Privilege::debug 

 

- Misc::skeleton

Con estas dos instrucciones tendríamos la Master Key ya en memoria y todo preparado para que desde el equipo cliente que sea, se pueda acceder a los recursos del DC.

 

Figura 10: mimikatz

Hay que fijarse en la contraseña utilizada "mimikatz". El usuario va con el dominio explícito y, como se puede ver, funciona. Para ver un poco más en detalle, deshacemos la instrucción anterior y comenzamos de nuevo. 

Figura 11: Autenticación remota con password "mmikatz"

Ejecutando "dir \\hc-server\c$" vemos que no se puede acceder, pero en cuanto hacemos uso de net use para autenticarnos por SMB y poder utilizar un recurso remoto con la contraseña "mimikatz" se logra el acceso, tal y como se puede ver en la imagen. 

Mitigación

En muchas ocasiones nos importa saber cómo se protege uno o cómo puede mitigarse el ataque. El uso de la técnica genera algunos eventos en el sistema que pueden ser buscados:

- ID 7045 

 

- ID 4673 (En este "Audit Privilege Use" debe estar habilitado) 

 

- ID 4611 ("Audit Privilege Use" debe estar habilitado)

En Powershell se puede ejecutar:

Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "Kernel Mode Driver"}

Ó si queremos buscar solo mimidrv:

Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$.message -like "Kernel Mode Driver" -and $.message -like "mimidrv"}

Si lsass.exe se ha ejecutado en modo proceso protegido o "protected process", fozará a un atacante o pentester a cargar "kernel mode drive". Se puede verificar lsass:

New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name RunAsPPL -Value 1 -Verbose

 

Verificar después del reinicio:

Get-WinEvent -FilterHashtable @{Logname='System';ID=12} | ?{$_.message -like "protected process"}

Tenéis más información sobre lo que se puede comprobar en este genial artículo sobre Skeleton Key y su mitigación.

Saludos,

Autor: Pablo González Pérez (@pablogonzalezpe), escritor de los libros "Metasploit para Pentesters", "Hacking con Metasploit: Advanced Pentesting" "Hacking Windows", "Ethical Hacking", "Got Root",  "Pentesting con Powershell" y de "Empire: Hacking Avanzado en el Red Team", Microsoft MVP en Seguridad y Security Researcher en el equipo de "Ideas Locas" de la unidad CDCO de Telefónica.  Para consultas puedes usar el Buzón Público para contactar con Pablo González

Figura 12: Contactar con Pablo González

Sigue Un informático en el lado del mal RSS 0xWord

This article is the property of Tenochtitlan Offensive Security. Verlo Completo --> https://tenochtitlan-sec.blogspot.com

More information

• Libro Hacker
• Best Hacking Books
• Growth Hacking Marketing
• Curso Hacking Etico Gratis
• Que Es El Hacking Etico
• Hacker Seguridad Informática
• Programas Para Hackear
• Funnel Hacking Live
• Que Estudiar Para Ser Hacker
• Wordpress Hacking
• El Libro Del Hacker
• Cracker Informatico
• Ethical Hacking Certification
• Ingeniería Social El Arte Del Hacking Personal
• Social Hacking
• Growth Hacking Instagram