Group Details Private

Global Moderators

Forum wide moderators

Member List

  • When a victim gets on a computer, it is first necessary to evaluate and understand where we managed to gain a foothold.

    When a victim gets on a computer, it is first necessary to evaluate and understand where we managed to gain a foothold.

    Who cares, let's get started:

    1. systeminfo gives us information about
    • the name of the node;
    • name and OS version;
    • installation date and OS boot time (there is an opportunity to understand how often the PC reboots);
    • bit depth of the OS (many programs work only on certain bits);
    • The time zone and language of the system (to understand in what part of the world we are);
    • then the important point is whether to find out whether the PC is in the domain or not, this fact is determined by the lines the domain and the network entry server, if the network entry server and the host name match + the WORKGROUP domain, then the PC is not in the domain, if the network entry server different from the host name, then most likely the PC is in the domain (to find out more precisely you need to run the whoami command and see the full path of the username)
    • the next moment installed corrections, it allows you to understand whether the computer is being updated to be able to try certain vulnerabilities in the system;
    • network adapters, find out the number of interfaces and their IP addresses
    1. tasklist / V / FI "MODULES ne WOW64.dll" && tasklist / V / FI "MODULES eq WOW64.dll" I advise you to use this command using filters, since this makes it possible to understand what bit depth the running process needs to know for injection into processes.

    2. and of course we are interested in what kind of documents are processed on a computer, for this we use the following command dir / q / x% appdata% \ Microsoft \ Office \ Recent will show links of the last processed documents.

    3. google.com tracert will let you know which routers pass packets from the victim’s computer and which provider the victim uses

    4. whoami / priv - will allow you to find out the rights of a user working for a PC (a rather successful outcome when we have access to SeDebugPrivilege), which will allow you to run programs that require administrator rights.
      51f31464-982b-42d7-a5a6-2723efb50064-image.png

    posted in Blogs
  • The latest version is 3.14 from May 2019.

    The latest version is 3.14 from May 2019. This is an excellent framework for operation and post-operation. Beacon is used as a payload, which has the ability to obfuscate and freeze to bypass antiviruses. Supports migration to processes. Suitable as a C2 server - it is especially convenient to navigate with a large scope. Out of the box has a one-click payload generator, as well as various delivery methods, which saves a lot of time.

    Cobalt Strike's creed is stealth. Beacon most of the time is in the state of frieze or sleep, and only the “heartbeat” is sent to C2, so it is not easy to detect.

    The biggest drawback of Cobalt is that it is not available to ordinary users. Cobalt Strike is a commercial product, and developers are serious about distribution. There is a trial period of 21 days, but in this mode you will encounter significant limitations.

    Cobalt Strike generates its own executables and DLLs using the Artifact Kit. They, in turn, send a payload, which helps bypass some antiviruses. The trial version includes only the Artifact Kit template without the ability to create executable files.

    Also, the trial version of Cobalt does not download or use flexible C2 profiles. This is a feature that allows users to change network indicators in the Beacon payload. Each trial GET HTTP request includes an X-Malware header with an EICAR string as content. Similarly, modules for attacking Java include an EICAR file inside .jar packages.

    Finally, the Cobalt Strike primary payload encoder has been removed from the trial version. All these restrictions are made so that the trial version could not be used for malicious purposes.
    605f2f34-8dcb-4acb-9fe5-f9a6185a3c4c-image.png

    posted in Must-have! ( Hacking Tools
  • Open Databases and Hacking with Shodan

    Open Databases and Hacking with Shodan
    Increasingly, there are news about leaks. Researchers find confidential information in open databases (MongoDB, Elasticsearch, Kibana, CouchDB, Hadoop and others). After this, scandals begin, serious trials for companies and even ship investigations worth hundreds of millions of dollars. Some examples for visual demonstration in the media.

    Finding open databases with Shodan
    To search for databases, special search engines Shodan and Censys are used. Databases have a specific pattern in the form of a port and a so-called header. For example, for MongoDB, this is the standard port 27017 and the presence of the header "mongodb server information". Such patterns exist for other databases.

    The most popular option is MongoDB. At the time of writing, 69,100 results have been indexed. Most of them are closed (this is indicated by the Authentication partially enabled parameter).

    To find open databases create a query:
    You can use any manager to work with the database. You can also process data from the command line. Despite the fact that Studio 3T for MongoDB has more functionality (which is available for a trial period of 30 days), you saw that you can work quite well with free programs. All individually.

    Conclusion
    There are really many open databases. Loud news about a data leak comes out almost every week. It can be a database of a hotel, a store or a service center. A quick look, among the examples in the article, were two good options: a store and a bulletin board for selling cars. In the first case, it was possible to see the order, description and phone / mail of the owner, in the second case - the phone and make of the car.

    Very often confidential data is in unencrypted form. Many companies store information and do not even think about the possible consequences. I have demonstrated enough ways to find open databases with terabytes of records. What to do with the information found - the choice is yours.

    all: "mongodb server information" all: "metrics"
    In this case, we get 24943 results. About as many open databases exist that contain certain information. Of course, some part is dummies, there is nothing interesting in them. But this is the subject of analysis.
    998f36bd-ac1f-4309-9b2c-1ced99c70837-image.png
    USA is the leader in open MongoDB with a score of 7915.

    There are fewer results for Elasticsearch. 20,283 indexed entries, and the leader is China.

    port: "9200" all: "elastic indices”
    e0064024-07e9-47e5-9443-db901e586595-image.png
    To fully work with the results of issuing a database: filter records by size, date of entry into the index, number of collections, etc. need to use more functional tools. One of them is Lampyre.

    If you don’t want to deliver software to yourself, you can use the familiar Shodan Command-Line Interface. For those who want to work using the command line, I have prepared a file with commands that allow you to find and analyze data in json or xlsx formats.

    To work with more exotic databases, I recommend using LeakLooker. The script is written in Python and works with Shodan. In addition to standard databases, it supports Kibana, CouchDB.
    9be6f746-463a-4659-bc86-6987224f0205-image.png
    Finding open databases with Lampyre
    For more flexible settings, you can use the Lampyre tool for Windows. After downloading the application, you must specify the mail and confirm your account. After starting in Online Mode, you need to click New Investidation, select the folder for storing the project and start working.

    In the List of requests, select Shodan search. We enter the API key and our query in the Query field, which will allow us to find open databases.

    all: "mongodb server information" all: "metrics”
    06c9edd3-8841-46dd-bea6-9ca3e55aa488-image.png

    You can also specify additional parameters in the Shodan - 2 window. For example, country and port. We launch using the "Execute" button. Next up are the results. For graphical display, select “Schema” -> “Network”.
    0108ff99-f34f-4222-9c9a-65be4a3efad6-image.png
    Lampyre can filter found queries with the ExploreDB: MongoDB built-in query. Select the necessary IPs, then right-click on the menu and specify ExploreDB: MongoDB.
    0add6118-2d57-4909-aaae-2a8a16b8f4f1-image.png
    Then we get all the requests in a convenient format. You can filter by database size and other parameters that are not in Shodan. Confirmation that the database is open is the text parameter, which has the status open. It is worth sorting the results by the Size and Count documents parameters, since the most interesting databases will contain the maximum number of records in the tables.
    532b4f8d-badd-40b6-bd2c-fa349fb7dedd-image.png
    You can also notice from the screenshots that Lampyre supports working with ExploreDB: ElasticSearch. We do everything by analogy using the query:

    port: "9200" all: "elastic indices"
    3a2a718a-b5c5-416a-9d1a-8aeb8092ce61-image.png

    We receive in a convenient form the ElasticSearch database. You can see them by clicking on the link in the column "http query top 500".
    9f60d6c8-225e-4751-a9c4-9f6c2cb731fc-image.png
    As a result, we find an open database of some store where you can find the phone, date of creation, description, mail and some other interesting information. Remember, those who seek will always find
    69b70a9e-ce26-4776-a0ac-df4e15012c69-image.png
    You can use any manager convenient for you to work with the resulting databases. For example, for MongoDB, NoSQL Manager for MongoDB, Robo 3T, or Studio 3T for MongoDB is suitable. Consider, for example, one of the options.

    Analyzing Databases Using Robo 3T for MongoDB
    The choice fell on the free version of Robo 3T. Portable version takes about 15 mb and allows you to quickly connect to the desired database. After starting, we see a window where you need to specify the IP address. Right click and add using the Add button.
    446a2a48-7e91-444c-9e3d-2a62d6f695c8-image.png
    Specify the desired IP and click Save.
    ac2746a0-d89d-4961-8ddb-8d6fff7ebd9f-image.png

    After a successful connection, we can see the database. If the connection has occurred, a new client will appear in the left pane.
    4b8928c0-255c-4397-abfa-6ec7597a37ab-image.png
    Next we look at the collections that are used in the database:
    de58e20d-74d8-471c-8a9a-7f0dc8471e6e-image.png

    posted in Hackers Academy
  • It’s called the Hackers Academy.

    Hello everyone. I’m the Hacker Academy with you. And I created my group in Anonymus. It’s in the group section. It’s called the Hackers Academy.
    Link - https://anonymoushackers.org/groups/hackers-academy

    posted in Blogs
  • RE: Hacker tools

    Nikto is a free software command-line vulnerability scanner that scans webservers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server type specific checks. It also captures and prints any cookies received.

    posted in General Discussion
  • RE: Hacker tools posted in General Discussion
  • RE: Hacker tools

    said in Hacker tools:

    Metasploit penetration testing software Knowledge is power, especially when it’s shared. A collaboration between the open source community and Rapid7, Metasploit helps security teams do more than just verify vulnerabilities, manage security assessments, and improve security awareness; it empowers and arms defenders to always stay one step (or two) ahead of the game.Maltego is a network reconnaissance and data mining tool that gathers information from a large number of sources. Basically, it can mine data from various places on the internet, and will then gather that data and arrange it in an easy-to-read graph for you. ... In addition, Maltego may find out other connections to Mr.

    posted in General Discussion
  • RE: Hacker tools

    said in Hacker tools:

    John the Ripper is a fast password cracker, currently available for many flavors of Unix, macOS, Windows, DOS, BeOS, and OpenVMS. Historically, its primary purpose is to detect weak Unix passwords. These days, besides many Unix crypt(3) password hash types, supported in "-jumbo" versions are hundreds of additional hashes and ciphers.

    Follow us on Twitter
    John the Ripper is free and Open Source software, distributed primarily in source code form. If you would rather use a commercial product tailored for your specific operating system, please consider John the Ripper Pro, which is distributed primarily in the form of "native" packages for the target operating systems and in general is meant to be easier to install and use while delivering optimal performance.

    Proceed to John the Ripper Pro homepage for your OS:
    John the Ripper Pro for Linux
    John the Ripper Pro for Mac OS X
    On Windows, consider Hash Suite (developed by a contributor to John the Ripper)
    On Android, consider Hash Suite Droid
    Download the latest John the Ripper jumbo release (release notes) or development snapshot:

    1.9.0-jumbo-1 sources in tar.xz, 33 MB (signature) or tar.gz, 43 MB (signature)
    1.9.0-jumbo-1 64-bit Windows binaries in 7z, 22 MB (signature) or zip, 63 MB (signature)
    1.9.0-jumbo-1 32-bit Windows binaries in 7z, 21 MB (signature) or zip, 61 MB (signature)
    Development source code in GitHub repository (download as tar.gz or zip)
    Download the latest John the Ripper core release (release notes):

    1.9.0 core sources in tar.xz, 8.6 MB (signature) or tar.gz, 13 MB (signature)
    Development source code in CVS repository
    Get John the Ripper apparel at 0-Day Clothing and support the project

    To verify authenticity and integrity of your John the Ripper downloads, please use our GnuPG public key. Please refer to these pages on how to extract John the Ripper source code from the tar.gz and tar.xz archives and how to build (compile) John the Ripper core (for jumbo, please refer to instructions inside the archive). You may also consider the unofficial builds on the contributed resources list further down this page.
    These and older versions of John the Ripper, patches, unofficial builds, and many other related files are also available from the Openwall file archive.

    You may browse the documentation for John the Ripper core online, including a summary of changes between core versions. Also relevant is our presentation on the history of password security.

    There's a collection of wordlists for use with John the Ripper. It includes lists of common passwords, wordlists for 20+ human languages, and files with the common passwords and unique words for all the languages combined, also with mangling rules applied and any duplicates purged.

    yescrypt and crypt_blowfish are implementations of yescrypt, scrypt, and bcrypt - some of the strong password hashes also found in John the Ripper - released separately for defensive use in your software or on your servers.

    passwdqc is a proactive password/passphrase strength checking and policy enforcement toolset, which can prevent your users from choosing passwords that would be easily cracked with programs like John the Ripper.

    We may help you integrate modern password hashing with yescrypt or crypt_blowfish, and/or proactive password strength checking with passwdqc, into your OS installs, software, or online services. Please check out our services.

    There's a mailing list where you can share your experience with John the Ripper and ask questions. Please be sure to specify an informative message subject whenever you post to the list (that is, something better than "question" or "problem"). To subscribe, enter your e-mail address below or send an empty message to <john-users-subscribe at lists.openwall.com>. You will be required to confirm your subscription by "replying" to the automated confirmation request that will be sent to you. You will be able to unsubscribe at any time and we will not use your e-mail address for any other purpose or share it with a third party. However, if you post to the list, other subscribers and those viewing the archives may see your address(es) as specified on your message. The list archive is available locally and via MARC. Additionally, there's a list of selected most useful and currently relevant postings on the community wiki.

    Your e-mail address:

    Contributed resources for John the Ripper:

    Community wiki with custom builds, benchmarks, and more
    Custom builds for Windows (up to 1.8.0.13-jumbo)
    Custom builds for Mac OS X / macOS (up to 1.8.0.9-jumbo)
    Custom builds for Solaris (packages up to 1.7.6, non-packaged up to 1.7.8-jumbo-7)
    Custom builds for Android (up to 1.8.0)
    Ubuntu snap package (documentation, announcement)
    OpenVMS and SYSUAF.DAT support (signature) by Jean-loup Gailly
    OpenVMS executables for Alpha and VAX (signature)
    Local copies of the above files by Jean-loup Gailly and a much newer implementation by David Jones
    Local copies of these and many other related packages are also available from the Openwall file archive.

    John the Ripper is part of Owl, Debian GNU/Linux, Fedora Linux, Gentoo Linux, Mandriva Linux, SUSE Linux, and a number of other Linux distributions. It is in the ports/packages collections of FreeBSD, NetBSD, and OpenBSD.

    John the Ripper is a registered project with Open Hub and it is listed at SecTools.Aircrack-ng is a complete suite of tools to assess WiFi network security.

    It focuses on different areas of WiFi security:

    Monitoring: Packet capture and export of data to text files for further processing by third party tools
    Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
    Testing: Checking WiFi cards and driver capabilities (capture and injection)
    Cracking: WEP and WPA PSK (WPA 1 and 2)
    All tools are command line which allows for heavy scripting. A lot of GUIs have taken advantage of this feature. It works primarily Linux but also Windows, OS X, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2.

    Fresh news
    Aircrack-ng 1.6 25 Jan 20
    This release brings a ton of improvements. Along with bug fixes and improvements for a lot of tools, we have huge improvements under the hood thanks to code cleanup, deduplication, and reorganization of the source code. We also improved our buildbot, and addedd integration tests.

    The most notable changes are in Airodump-ng, it now sees WPA3 and OWE. Its rates now takes into account 802.11n/ac and aren't limited to 54Mbit anymore. It has PMKID detection, and some basic UTF-8 among other things.

    Many more details can be found in our blog post.

    Aircrack-ng 1.5.2 09 Dec 18
    Fourth and last release of the year. It is smaller than the previous one but we did want to release the fixes and improvements before the holidays so it will be available for Shmoocon next month in your favorite distro. Small issues were found in 1.5 and then in 1.5.1, which is why we ended up with 1.5.2.

    It brings fixes, a new feature and lots of improvements. More details in our blog post.

    More news...
    Under the spotlights
    Injection, -1 channel and other capture issues
    If you are having issues injecting or if you are receiving an error message talking about channel -1 or fixed channel in airodump-ng (top right of the screen) or aireplay-ng, kill the network managers using airmon-ng check kill before putting the wireless card in monitor mode.

    Airodump-ng scan visualizer
    Airodump-ng Scan Visualizer (by Pentester Academy) allows you to filter, sort and visualize Airodump-NG scan data. The tool currently uses the CSV file generated by Airodump-ng with the -w option and can work locally or as a hosted service.

    posted in General Discussion
  • RE: Hacker tools

    Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark development thrives thanks to the volunteer contributions of networking experts around the globe and is the continuation of a project started by Gerald Combs in 1998.

    posted in General Discussion
  • RE: Hacker tools

    OWASP Top 10 for Application Security
    For the first time since 2013, the Open Web Application Security Project (OWASP) has updated its top 10 list of the most critical application security risks. What does this mean for you?

    posted in General Discussion