Tuesday, 1 November 2016
Turns out, something has to happen to kick the USB host into action. I'm still experimenting, but if you are having similar issues, try running the nethunter custom scripts for "WLAN1 monitor mode", Y-Cable Charging, or wifite... you don't have to have an external wifi connected, just run the script.
It will of course fail. But, try drivedroid after doing this and you might find it works, as it did for me.
Monday, 24 October 2016
http:// www dot dolcifirme dot com dot au/scripts/redir dot asp?link=http:// dkmhab dot xyz
Nice one, spammer scum, and thanks for giving me something to write about, not to mention a great example to talk about next time someone asks why open redirects are such a big deal.
I owe you one!
Saturday, 22 October 2016
From thought and emotion
Even the tiger finds no room
To insert his fierce claws
Interpretation: The tiger in this case is the cyber criminal. Your personality is your vulnerability. Your likes, dislikes, interests, pet hates, your emotional response to events, emails, phone calls, physical interactions, incidents, and conversations. Even the people you know and care about, work with, or love, expose you to a potential for social engineering, either directly or by association.
Unless you are a recluse, hermit, self-loathing, bipolar, split-personality schizophrenic, or psychotic, drug addicted social reject, you will not be able to free yourself from this vulnerability. Even then no one is immune.
Taoism might be able to help, but true dedication to the path to enlightenment is incompatible and irreconcilable with modern day life. So how do you go about protecting yourself from social engineering while still having a "life", in the 21st century sense? For me, this is not always straightforward.
From my experience, there are likely several stages of a career in Cyber. These stages can be visualised as a diminishing sine wave, with an Y axis of "paranoia".
To begin with, you will no doubt see things in your line of work that open your eyes to the techniques that cyber criminals use. This will make you paranoid for a while.
Later, you will see how careless and dismissive the general population are in their online habits, without any negative repercussions. This will make you relax somewhat, perhaps too much. Perhaps you will rationalise the reduced security as operating appropriately within the current threat landscape, or level of risk.
Inevitably, you will see some bad shit go down, affecting real people, maybe some people that you know, maybe even you. This will send your sine wave back up to a heightened level of security again.
Over time, you might realise that actually, the repercussions of that last incident didn't really affect people too badly. Within a few months, everyone stopped talking about it. And no one died. This will help you to relax again.
Eventually, you will find a baseline of secure practices that are not so difficult to live with, that you can get used to and make part of your daily operations. This might include the use of multi-factor wherever possible, a password manager with unique passwords on all sites, using pseudonyms on facebook, sticking camera lens covers on your devices, using Tor for sensitive browsing or security research, regularly checking your credit report, signing up to haveibeenpwned, etc.
You will still be wondering if you are doing enough... should you also be using a VPN with Tor? Should you configure a VPN gateway at home for streaming video sources? Should you encrypt your disks at the expense of performance? Do you establish and regularly test an emergency secure data destruction procedure?
If you're not buying or selling drugs, viewing or distributing illegal porn, offering DDoS or hitman services, then the extra effort of such measures is probably unnecessary.
But you must still be aware of these procedures, because you might find that you do need them one day and, of course, they are also the methods that your adversaries will be using.
To conclude with a real life rationalisation of the opening poem excerpt: we are only human. Very few of us go to the extremes necessary in the pursuit of enlightenment, thus sacrificing what makes us human. You must do what you feel is right to protect yourself in your world. Not everyone becomes celibate, carries a gun, or studies martial arts to extreme levels in order to defend themselves against a gang of drug dealers, or a state-sponsored hitman. Likewise, not everyone implements secure online practices to a level that would protect them from a determined cyber attacker or opportunistic cyber thief.
You only need to be secure to the extent that makes you feel comfortable, and that is the end of the matter. When you, or someone you know suffers a cyber attack, you might decide to up your game a little bit. And so your sine wave of paranoia propagates.
Of course, working and researching in cyber leads to an increased risk profile, and increased baseline level of paranoia. You really should practice what you preach, because it doesn't look great for a security professional to suffer a security breach.
Sunday, 15 May 2016
This is the first in a (probably) ongoing series of thought experiments to rationalise some of these threats and what they mean for me, and maybe also for you.
To understand the techniques that malicious entities might try to use against me, my employer, or people that I know, I inevitably like to try these things out for myself sometimes. This includes playing with tools such as nmap, zmap, nping, recon-ng, the social engineering toolkit, metasploit, Mana, Karma, BDFProxy, WiFite, Tor, SQLMap, etc. etc. etc. the list is simply too long. Most recently, thanks to my MSc final year project, I have been increasingly experimenting with Tor, scapy, and MITMProxy.
All of this toying and experimenting has never resulted in a complaint, although it has always occurred to me that my ISP might find some of the traffic emanating from my location increasingly questionable. I have read stories online of people's internet being disconnected due to using nmap too aggressively, for example, and so the possibility that this could happen to me has always been at the back of my mind. I do make use of Tor and various VPN's when testing out certain tools, but I have never made an all-encompassing effort to go completely "dark".
Two weeks ago, my internet connection slowed right down. It's never been that amazing, typically achieving between 8-14Mbps down and 2Mbps up. Around 2 weeks ago it slowed down to around 3Mbps down. I didn't have the time or energy to take this up with my ISP. Around a week ago, my download speed dropped again to around 1Mbps. Today I thought enough was enough so I called them. They were incredibly helpful and ran a number of line tests, and stated that they had found a fault on the line, which would require an engineer to visit somewhere (not my house) later in the week to correct the problem.
Immediately, my line speed increased to 3Mbps.
So, with my tin-foil hat lying somewhere else in the house, my paranoia metre begins to register some activity.
I suppose it is possible that my IP address has been flagged as sending suspicious packets for a long enough time now that I have ended up on some kind of "high risk" list. And perhaps the ISP process is to, rather than just disconnect their users, throttle their connection until the customer gets in touch to report a problem, thus getting confirmation that they have the correct customer. Maybe they occasionally take the step of sending an engineer to physically separate the high risk users from the main customer base to make their monitoring easier and reduce noise from lower risk customers. Perhaps, nah, surely not... perhaps they alert suspicious activity to higher authorities so that they can have their agents patch high risk users through to other monitoring systems for closer inspection, with minimal noise.
Perhaps it was just a fault on the line.
This certainly isn't the only thing that I wonder about. Trying to guess what other people's intentions are (mostly at work) takes up an increasing amount of my thought time these days, which can be exhausting. I wonder, do all Information Security professionals have this same level of paranoia?
In any case, I have spent enough time pondering this now. Any excuse for a distraction from wrestling with shadow-tor, python, graphml generation, and pcap inspection! I'm sure I have enough evidence that I'm a researcher and not a criminal in case I ever get a knock on the door.
Back to work!
Friday, 6 May 2016
Friday, 22 April 2016
Tuesday, 19 April 2016
Wednesday, 13 April 2016
Tuesday, 12 April 2016
Caution: nethunter can swallow up large amounts of valuable time. Only use it if you have time to spare and don't mind hacking (as in close to the true sense of the word) in order to fix issues that arise. Having reached a stable state now, I will think twice about changing anything anytime soon!
I've used nethunter for fun stuff on my oneplus One for around a year now. There were a very small number of minor niggles that annoyed me a little, but that I chose to just live with, and everything was fine. The user interface wasn't amazing, but the tools mostly worked as intended. It was awesome, running on CM 11 and nethunter 2.x. BDFProxy did what it said on the tin, BEeF worked nicely with MITMProxy injecting hooks, I could run vulnerability scans with openVAS, and it generally rocked my world. The Swiss army knife for ethical hackers and script kiddies alike.
Around January this year I spotted that a new version of nethunter had been released, and I was pretty excited. As soon as I was able to, I followed the upgrade instructions on the nethunter site through CM 12 and installed nethunter 3.0. Things have been far less awesome since then. I'll describe some of the issues and then the resolution at the end of this post.
Issue number 1: drivedroid just stopped working. Drivedroid is great because it allows you to host an ISO or other disk image from your phone, over a USB cable and make it appear as though it is a CD drive, writeable USB stick, or read only USB. It's amazing knowing that you can boot into tails, kali, DEFT, or any other favourite live CD distro or tool of your choosing, even konboot. With CM12, none of this worked. In CM 13 it does.
Issue number 2: The phone crashed randomly and frequently. It could happen overnight while I was asleep, meaning that my alarm wouldn't go off. It could happen when I disabled WiFi tethering. Rebooting the phone would sometimes fix, but sometimes required 3 or 4 reboots. Clearing the cache would increase the chance of success but was still not full-proof. CM 13 fixed this.
Issue number 3: Sound and video playback would just stop. Again, rebooting didn't always help. CM 13 fixed this.
Issue number 4: If you are running the TWRP recovery manager, you cannot apply over the air updates for your OS. There is no fix for this that I have found.
Resolution: Most of the issues above have been fixed by upgrading to CM 13, and now things are much more awesome again. It was a painful upgrade process, but worth it. Some advice if you are about to embark upon this endeavour:
Make sure you have backed up your precious data. You don't want to lose those pictures of your cat or mum or whatever.
Clear the cache, and preferably factory-reset the device before every step. Failing to do so can lead to crashing applications, failed startups and other such delights.
Download the latest stable CM 13 and store it in the root of your device. This may appear as /sdcard in TWRP. Do the same with the latest nethunter build, openGapps, and SuperSU.
With TWRP, first install CM 13, then openGapps. Boot up and make sure everything seems OK. If things don't seem good, then go back into recovery and factory reset.
Next, install SuperSU, and then boot up and download and install busybox from the play store.
Finally, go back into recovery and install nethunter.
If all has gone well then you should have a stable installation.
Happy scripting, kiddie!
Monday, 11 April 2016
Thursday, 7 April 2016
Monday, 4 April 2016
A rainbow table, on the other hand, consists of precomputed "chains" of hashes, where a reduction function is repeatedly performed on each output hash along the chain to create a new password candidate according to the desired length and complexity. Once a chain is complete, which is typically thousands of hashes long, only the start and end hash are stored in the rainbow table.
There are instructions online for generating your own rainbow tables or for downloading or purchasing precomputed rainbow tables. This effectively allows any password within a given character set and length to be cracked in a very short space of time, as long as it has not been salted, and as long as you have the storage available for your rainbow table.
When you have a hash for which you wish to find the password, you begin by running the same reduction function on it repeatedly until you match the end hash for one of your chains. You then start the repeated reductions again from the start of that same chain until you find the hash that matches the one you wish to crack. At this point you have successfully guessed the password, if all has gone according to plan. Software such as rtgen will do all of this for you and it is much quicker than a standard brute force, and will take far less storage space than a complete hash table for a character set.
- Acquire your AD backup NTDS.dit, and SYSTEM file.
- Remember to tidy up files as you go, leave no trail.
- Extract the hashes using 2014 version of libesedb and latest esedbextract.py.
- Filter the accounts and hashes to only show active user accounts that have not expired.
- For the worst offenders, just use the worst password lists freely downloadable from the net, in NT format, and no rules.
- For slightly less bad offenders, use more wordlists such as rockyou from previous breaches.
- For more offenders, use a dictionary containing company names and usernames, etc. and start adding rules.
- For users who do at least make some effort to choose their own password, use a dictionary containing months, days, seasons, town names, countries, etc. with rules.
- Crack in LM mode and use the output passwords to create a new dictionary for NT mode
- Larger dictionaries with harder rules
- Incremental mode
- Another tool such as rainbow tables.
Sunday, 3 April 2016
Simple tip for Kali Nethunter:
You don't have to run any mana or karma, hostapd or use an external WiFi adapter for credential harvesting. Just openly share your normal WiFi access point and run the net-creds.py tool that comes with mana. Any unencrypted creds will be caught and stored.
Important: don't do this in public unless you are willing to risk being arrested. Also be aware that when you share your WiFi for open tethering, you may be incriminated for the actions of anyone who connects.
The discussion is informed by a review of recent literature focusing on attacks against anonymous systems such as Tor, i2p, and Freenet and can be found here http://www.sciencedirect.com/science/article/pii/S1353485816300289
Quite a change in direction from my previous publication on performance enhancing substances in Freediving but then my career took a sharp change in direction circa 15 years ago.
This blog is going to be a place for me to share my personal experiences and adventures into the world of cyber. If that sounds like your bag then welcome on board, friend!