Rootstealer – X11 Trick To Inject Commands On Root Terminal

This is a simple example of a new attack using X11: a program that detects when a Linux user opens a terminal as root and injects intrusive commands into that terminal with the X11 library.

Video of Proof of concept

The purpose of this video is to use the tool rootstealer to spy on all GUI window interactions and inject commands only into a root terminal. This approach is useful when an attacker needs to send a malicious program to prove that a user is vulnerable to social engineering. Forcing root commands into a terminal with lib X11 is an exotic way to show the diversity of weak points.

Install

    # apt-get install libX11-dev libxtst-dev
    # cd rootstealer/sendkeys;

Edit the file rootstealer/cmd.cfg and write the command to inject.

Now you can take that following:

    # make; cd ..   # to go back to path rootstealer/
    # pip install gi
    or
    # pip install gir

Run the python script to spy on all GUI windows and search for a window with the string "root@" in its title:

    $ python rootstealer.py &

Note: If you prefer to use the full C code, for simple binary purposes, you can use rootstealer.c:

    $ sudo apt-get install libwnck-dev
    $ gcc -o rootstealer rootstealer.c `pkg-config --cflags --libs libwnck-1.0` -DWNCK_I_KNOW_THIS_IS_UNSTABLE -DWNCK_COMPILATION
    $ ./rootstealer &

Done. Look at the video demo: rootstealer forces commands only on the root terminal.

Mitigation

Don't trust anyone. https://www.esecurityplanet.com/views/article.php/3908881/9-Best-Defenses-Against-Social-Engineering-Attacks.htm

Whenever you enter as the root user, change the window title:

    # gnome-terminal --title="SOME TITLE HERE"

This simple action can prevent this attack.

Tests

Tested on Xubuntu 16.04

Download Rootstealer

Link: http://feedproxy.google.com/~r/PentestTools/~3/-M-T8gOTCIc/rootstealer-x11-trick-to-inject.html

PXE Boot Attacks – Tradecraft Security Weekly #27

Network administrators often utilize Pre-boot Execution Environment (PXE) to rapidly deploy new systems on a network easily. Golden system images can be created with all the software and settings already in place for new systems. In this episode of Tradecraft Security Weekly Beau Bullock (@dafthack) discusses some of the potential attack vectors surrounding PXE boot […]
The post PXE Boot Attacks – Tradecraft Security Weekly #27 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/OpK71gbmKRk/

OSINT & External Recon Pt. 2: Contact Discovery – Tradecraft Security Weekly #26

During the reconnaissance phase of a penetration test being able to discover employee names and email addresses of an organization is extremely important. It is also important to do so as stealthily as possible. Using open-source techniques and tools it is possible to enumerate employee names and email addresses at an organization. In this episode […]
The post OSINT & External Recon Pt. 2: Contact Discovery – Tradecraft Security Weekly #26 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/7sBjsWQHGms/

Trackerjacker – Like Nmap For Mapping Wifi Networks You're Not Connected To, Plus Device Tracking

Like nmap for mapping wifi networks you're not connected to. Maps and tracks wifi networks and devices through raw 802.11 monitoring.

PyPI page: https://pypi.python.org/pypi/trackerjacker

Install

    pip3 install trackerjacker

Supported platforms: Linux (tested on Ubuntu, Kali, and RPi) and macOS (pre-alpha)

trackerjacker can help with the following:

- I want to know all the nearby wifi networks and know all the devices connected to each network.
- I want to know who's hogging all the bandwidth.
- I want to run a command when this MAC address sends more than 100000 bytes in a 30 second window (maybe to determine when an IP camera is uploading a video, which is indicative that it just saw motion).
- I want to deauth anyone who uses more than 100000 bytes in a 10 second window.
- I want to deauth every Dropcam in the area so my Airbnb hosts don't spy on me.
- I want to be alerted when any MAC address is seen at a power level greater than -40dBm that I've never seen before.
- I want to see when this particular person is nearby (based on the MAC of their mobile phone) and run a command to alert me.
- I want to write my own plugin to run some script to do something fun every time a new Apple device shows up nearby.

Usage

Find detailed usage like this:

    trackerjacker -h

There are 2 major usage modes for trackerjacker: map mode and track mode.

Map mode example

Map command:

    trackerjacker -i wlan1337 --map

By default, this outputs the wifi_map.yaml YAML file, which is a map of all the nearby WiFi networks and all of their users. Here's an example wifi_map.yaml file:

    TEST_SSID:
      00:10:18:6b:7a:ea:
        bssid: 00:10:18:6b:7a:ea
        bytes: 5430
        channels:
        - 11
        devices:
          3c:07:71:15:f1:48:
            bytes: 798
            signal: 1
            vendor: Sony Corporation
          78:31:c1:7f:25:43:
            bytes: 4632
            signal: -52
            vendor: Apple, Inc.
        signal: -86
        ssid: TEST_SSID
        vendor: Broadcom
    BRANSONS_WIFI:
      90:48:9a:e3:58:25:
        bssid: 90:48:9a:e3:58:25
        bytes: 5073
        channels:
        - 1
        devices:
          01:00:5e:96:e1:89:
            bytes: 476
            signal: -62
            vendor: ''
          30:8c:fb:66:23:91:
            bytes: 278
            signal: -46
            vendor: Dropcam
          34:23:ba:1c:ba:e7:
            bytes: 548
            signal: 4
            vendor: SAMSUNG ELECTRO-MECHANICS(THAILAND)
        signal: -80
        ssid: BRANSONS_WIFI
        vendor: Hon Hai Precision Ind. Co.,Ltd.
    hacker_network:
      80:2a:a8:e5:de:92:
        bssid: 80:2a:a8:e5:de:92
        bytes: 5895
        channels:
        - 11
        devices:
          80:1f:02:e6:44:96:
            bytes: 960
            signal: -46
            vendor: Edimax Technology Co. Ltd.
          80:2a:a8:8a:ec:c8:
            bytes: 472
            signal: 4
            vendor: Ubiquiti Networks Inc.
          80:2a:a8:be:09:a9:
            bytes: 5199
            signal: 4
            vendor: Ubiquiti Networks Inc.
          d8:49:2f:7a:f0:8f:
            bytes: 548
            signal: 4
            vendor: CANON INC.
        signal: -46
        ssid: hacker
        vendor: Ubiquiti Networks Inc.
      80:2a:a8:61:aa:2f:
        bssid: 80:2a:a8:61:aa:2f
        bytes: 5629
        channels:
        - 44
        - 48
        devices:
          78:88:6d:4e:e2:c9:
            bytes: 948
            signal: -52
            vendor: ''
          e4:8b:7f:d4:cb:25:
            bytes: 986
            signal: -48
            vendor: Apple, Inc.
        signal: -48
        ssid: null
        vendor: Ubiquiti Networks Inc.
      82:2a:a8:51:32:25:
        bssid: 82:2a:a8:51:32:25
        bytes: 3902
        channels:
        - 48
        devices:
          b8:e8:56:f5:a0:70:
            bytes: 1188
            signal: -34
            vendor: Apple, Inc.
        signal: -14
        ssid: hacker
        vendor: ''
      82:2a:a8:fc:33:b6:
        bssid: 82:2a:a8:fc:33:b6
        bytes: 7805
        channels:
        - 10
        - 11
        - 12
        devices:
          78:31:c1:7f:25:43:
            bytes: 4632
            signal: -52
            vendor: Apple, Inc.
          7c:dd:90:fe:b4:87:
            bytes: 423223
            signal: 4
            vendor: Shenzhen Ogemray Technology Co., Ltd.
          80:2a:a8:be:09:a9:
            bytes: 5199
            signal: 4
            vendor: Ubiquiti Networks Inc.
        signal: -62
        ssid: null
        vendor: ''

Note that, since this is YAML, you can easily use it as an input for other scripts of your own devising.

Example: Track mode with trigger command

Track mode allows you to specify some number of MAC addresses to watch, and if any specific device exceeds the threshold (in bytes), specified here with -t 4000 (an alert threshold of 4000 bytes), an alert will be triggered.

    trackerjacker --track -m 3c:2e:ff:31:32:59 -t 4000 --trigger-command "./alert.sh" --channels-to-monitor 10,11,12,44
    Using monitor mode interface: wlan1337
    Monitoring channels: {10, 11, 12, 44}
    [@] Device (3c:2e:ff:31:32:59) threshold hit: 4734
    [@] Device (3c:2e:ff:31:32:59) threshold hit: 7717
    [@] Device (3c:2e:ff:31:32:59) threshold hit: 7124
    [@] Device (3c:2e:ff:31:32:59) threshold hit: 8258
    [@] Device (3c:2e:ff:31:32:59) threshold hit: 8922

In this particular example, I was watching a security camera to determine when it was uploading a video (indicating motion was detected) so that I could turn on my security system sirens (which was the original genesis of this project).

Example: Track mode with foxhunt plugin

    trackerjacker -i wlan1337 --track --trigger-plugin foxhunt

Displays a curses screen like this:

      POWER   DEVICE ID          VENDOR
    ======= ================= ================================
     -82dBm 1c:1b:68:35:c6:5d ARRIS Group, Inc.
     -84dBm fc:3f:db:ed:e9:8e Hewlett Packard
     -84dBm dc:0b:34:7a:11:63 LG Electronics (Mobile Communications)
     -84dBm 94:62:69:af:c3:64 ARRIS Group, Inc.
     -84dBm 90:48:9a:34:15:65 Hon Hai Precision Ind. Co.,Ltd.
     -84dBm 64:00:6a:07:48:13 Dell Inc.
     -84dBm 00:30:44:38:76:c8 CradlePoint, Inc
     -86dBm 44:1c:a8:fc:c0:53 Hon Hai Precision Ind. Co.,Ltd.
     -86dBm 18:16:c9:c0:3b:75 Samsung Electronics Co.,Ltd
     -86dBm 01:80:c2:62:9e:36
     -86dBm 01:00:5e:11:90:47
     -86dBm 00:24:a1:97:68:83 ARRIS Group, Inc.
     -88dBm f8:2c:18:f8:f3:aa 2Wire Inc
     -88dBm 84:a1:d1:a6:34:08

Note that foxhunt is a builtin plugin, but you can define your own plugins using the same Plugin API.

Example: Track mode with trigger plugin

    $ trackerjacker --track -m 3c:2e:ff:31:32:59 --threshold 10 --trigger-plugin examples/plugin_example1.py --channels-to-monitor 10,11,12,44 --trigger-cooldown 1
    Using monitor mode interface: wlan1337
    Monitoring channels: {10, 11, 12, 44}
    [@] Device (device 3c:2e:ff:31:32:59) threshold hit: 34 bytes
    3c:2e:ff:31:32:59 seen at: [1521926768.756529]
    [@] Device (device 3c:2e:ff:31:32:59) threshold hit: 11880 bytes
    3c:2e:ff:31:32:59 seen at: [1521926768.756529, 1521926769.758929]
    [@] Device (device 3c:2e:ff:31:32:59) threshold hit: 18564 bytes
    3c:2e:ff:31:32:59 seen at: [1521926768.756529, 1521926769.758929, 1521926770.7622838]

This runs examples/plugin_example1.py every time 3c:2e:ff:31:32:59 is seen sending/receiving 10 bytes or more.

trackerjacker plugins are simply python files that contain either:

- a Trigger class which defines a __call__(**kwargs) method (example: examples/plugin_example1.py), or
- a trigger(**kwargs) function (example: examples/plugin_example2.py)

and optionally a __apiversion__ = 1 line (for future backward compatibility).

Example: Configuring with config file

    trackerjacker.py -c my_config.json

And here's the example config file called my_config.json:

    {
        "iface": "wlan1337",
        "devices_to_watch": {"5f:cb:53:1c:8a:2c": 1000, "32:44:1b:d7:a1:5b": 2000},
        "aps_to_watch": {"c6:23:ef:33:cc:a2": 500},
        "threshold_window": 10,
        "channels_to_monitor": [1, 6, 11, 52],
        "channel_switch_scheme": "round_robin"
    }

A few notes about this:

- threshold_bytes is the default threshold of bytes which, if seen, causes the alert function to be called.
- threshold_window is the time window in which the threshold_bytes is analyzed.
- devices_to_watch is a list which can contain either strings (representing MACs) or dicts (which allow the specification of a name and threshold).
- name is simply the label you want printed when this device is seen.
- threshold in the "Security camera" is how many bytes must be seen.
- channels_to_monitor – list of 802.11 wifi channels to monitor. The list of channels your wifi card supports is printed when trackerjacker starts up. By default, all supported channels are monitored.
- channel_switch_scheme – either default, round_robin, or traffic_based. traffic_based determines the channels of most traffic, and probabilistically monitors them more.

Example: Enable/Disable monitor mode on interface

Trackerjacker comes with a few other utility functions relevant to WiFi hacking. One of these is the ability to turn on monitor mode on a specific interface.

Enable monitor mode:

    trackerjacker --monitor-mode-on -i wlan0

Disable monitor mode:

    trackerjacker --monitor-mode-off -i wlan0mon

Note that trackerjacker will automatically enable/disable monitor mode if necessary. This functionality is just useful if you want to enable monitor mode on an interface for use with other applications (or for quicker startup of trackerjacker, if you plan to be starting/exiting to test stuff).

Example: Set adapter channel

    trackerjacker --set-channel 11 -i wlan0

Note that trackerjacker will automatically switch channels as necessary during normal map/track actions. This option is just useful if you want to set the channel on an interface for use with other applications.

Recommended hardware

- Panda PAU07 N600 Dual Band (nice, small, 2.4GHz and 5GHz)
- Panda PAU09 N600 Dual Band (higher power, 2.4GHz and 5GHz)
- Alfa AWUS052NH Dual-Band 2x 5dBi (high power, 2.4GHz and 5GHz, large, ugly)
- TP-Link N150 (works well, but not dual band)

Download Trackerjacker

Link: http://feedproxy.google.com/~r/PentestTools/~3/Xo8qc5Gk9jM/trackerjacker-like-nmap-for-mapping.html

One-Lin3r v1.1 – Gives You One-Liners That Aids In Penetration Testing Operations

One-Lin3r is a simple and lightweight framework inspired by the web-delivery module in Metasploit.

It consists of various one-liners that aid in penetration testing operations:

- Reverser: Give it IP & port and it returns a reverse shell liner ready for copy & paste.
- Dropper: Give it an uploaded-backdoor URL and it returns a download-&-execute liner ready for copy & paste.
- Other: Holds liners with the general purpose to help in penetration testing (ex: Mimikatz, Powerup, etc.) on the trending OSes (Windows, Linux, and macOS). "More OSes can be added too".

Features

- Search for any one-liner in the database by its full name or partially.
- You can add your own liners by following these steps to create a ".liner" file. Also, you can send it to me directly and it will be added to the framework and credited with your name.
- Autocomplete any framework command and recommendations in case of typos (in case you love hacking like movies).
- Command line arguments can be used to give the framework a resource file to load and execute for automation.
- The ability to reload the database if you added any liner without restarting the framework.
- You can add any platform to the payloads database just by making a folder in the payloads folder and creating a ".liner" file there.
- More...

The payloads database is not big now because this is the first edition, but it will get bigger with updates and contributions.

Screenshots

Usage

Command line arguments

    usage: one-lin3r [-h] [-r R] [-x X] [-q]

    optional arguments:
      -h, --help  show this help message and exit
      -r          Execute a resource file (history file).
      -x          Execute a specific command (use ; for multiples).
      -q          Quit mode (no banner).

Framework commands

    Command          Description
    --------         -------------
    help/?           Show this help menu
    list/show        List payloads you can use in the attack.
    search           Search payloads for a specific one
    use <payload>    Use an available payload
    info <payload>   Get information about an available payload
    banner           Display banner
    reload/refresh   Reload the payloads database
    check            Prints the core version and database version then checks for them online.
    history          Display command line most important history from the beginning
    save_history     Save command line history to a file
    exit/quit        Exit the framework

Installing and requirements

To make the tool work at its best you must have:

- Python 3.x or 2.x (preferred 3).
- Linux (tested on Kali rolling), Windows system, Mac OS X (tested on 10.11)
- The requirements mentioned in the next few lines.

Installing

For Windows (after downloading the ZIP and unzipping it):

    python -m pip install ./One-Lin3r-master
    one-lin3r -h

For Linux:

    git clone https://github.com/D4Vinci/One-Lin3r.git
    apt-get install libncurses5-dev
    pip install ./One-Lin3r
    one-lin3r -h

Updating the framework or the database

On Linux, while outside the directory:

    cd One-Lin3r && git pull && cd ..
    pip install ./One-Lin3r --upgrade

On Windows, if you don't have git installed, redownload the framework zipped!

Download One-Lin3r

Link: http://feedproxy.google.com/~r/PentestTools/~3/elxDfxPSrg8/one-lin3r-v11-gives-you-one-liners-that.html

Check whether you were hacked in the past

There have been a lot of data breaches over the past few years. We often use the same password on many websites or reuse it after some time. This compromises not only our main social media accounts but also other email accounts.

The following website helps us identify from an email address whether it was part of some data breach or not, and helps us patch things up. Mention other websites you know in the comments for other people to benefit from.

Happy surfing

1. Pwned

Link: http://hackingplayground.blogspot.com/2018/06/check-whether-you-were-hacked-in-past.html

Windows Privilege Escalation – Unquoted Services

So, you’ve popped a user shell on a windows box and now you’re looking to escalate those privileges. Great! In this article we’ll look at one method of elevating your privileges by exploiting unquoted system services. A Windows service is a program that runs in the background similar to a *nix daemon. Often they are automatically started when Windows loads […]
The post Windows Privilege Escalation – Unquoted Services appeared first on The Ethical Hacker Network.

Link: https://www.ethicalhacker.net/community/windows-privilege-escalation-unquoted-services/

The Modern Day Hacker – A Cautionary Tale

J0hn_D0ugh$ – So there I was once again enjoying my victory. I wasn’t technically done yet, however all of the hard stuff had already been done. I’m not a hacker just for the money. I’ve made enough of that already. Such is the life for a modern day hacker. It’s really more about the challenge. Sadly however, many of these […]
The post The Modern Day Hacker – A Cautionary Tale appeared first on The Ethical Hacker Network.

Link: https://www.ethicalhacker.net/columns/kron/the-modern-day-hacker-a-cautionary-tale/