OpenSTF Dock Ready to Farm Clicks

Deep in the heart of a Chinese click farm — and probably used by the company your company hired to build an ‘app’ — is a magical device. Call it a Beowulf Cluster of Phones. Call it the farm. By any name, it’s a whole bunch of smartphones, smart watches, tablets, and other Smart Things all controlled remotely. This is OpenSTF, or a Smartphone Test Farm. You can build your own, but as with anything requiring a whole lot of cables and devices, if you don’t plan it well, it’s going to look like crap.

[Paul] needed an OpenSTF device lab, and found the perfect product to repurpose into a great looking enclosure. This device was the Griffin MultiDock 2, a charging station for smartphones and tablets ostensibly designed for classrooms. There really isn't a lot going on inside this $500 phone charger, and with a few modifications the enclosure becomes an awesome phone farm.

This charging station is not meant to be used this way. On the outside, there are ten USB ports for ten different devices. Inside, there are three four-port USB hubs providing ten ports. ADB simply doesn’t work with this setup, so [Paul] had to completely replace the USB brains of this device. With new USB hubs, an Intel Compute Stick, and Sugru, [Paul] got OpenSTF up and running. While this would have been a fantastic waste of money had [Paul] bought this phone charging dock at full retail price, he didn’t. He apparently picked this up at a reasonable price, giving him a great looking phone farm that works just like he wanted.

Filed under: Android Hacks http://ift.tt/2r814VW http://ift.tt/2aM8QhC


eaphammer | evil twin attacks against WPA2-Enterprise networks

EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full scope wireless assessments and red team engagements. As such, focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate how fast this tool is, here’s an example of how to setup and execute a credential stealing evil twin attack against a WPA2-TTLS network in just two commands:

# generate certificates
./eaphammer --cert-wizard

# launch attack
./eaphammer -i wlan0 --channel 4 --auth ttls --wpa 2 --essid CorpWifi --creds

Features

Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.

Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots

Perform captive portal attacks

Built-in Responder integration

Support for Open networks and WPA-EAP/WPA2-EAP

No manual configuration necessary for most attacks.

No manual configuration necessary for installation and setup process

Installation

On Kali Linux

git clone http://ift.tt/2odfk1n
python setup.py

Usage

x.509 Certificate Generation

Eaphammer provides an easy-to-use wizard for generating x.509 certificates. To launch eaphammer’s certificate wizard, just use the command shown below.

./eaphammer --cert-wizard

Stealing RADIUS Credentials From EAP Networks

To steal RADIUS credentials by executing an evil twin attack against an EAP network, use the --creds flag as shown below.

./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid Example --channel 2 --interface wlan0 --auth ttls --creds

The flags shown above are self explanatory. For more granular control over the attack, use the --wpa flag to specify WPA vs WPA2 and the --auth flag to specify the EAP type. Note that for cred reaping attacks you should always specify an auth type manually, since the --auth flag defaults to "open" when omitted. Keep in mind that the attack only yields credentials from clients that accept the evil twin's server certificate; a supplicant configured to validate the real RADIUS CA and server name will refuse the TLS tunnel and send nothing.

./eaphammer --bssid 00:11:22:33:44:00 --essid h4x0r --channel 4 --wpa 2 --auth ttls --interface wlan0 --creds
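The --creds attack above succeeds only against supplicants that do not validate the RADIUS server certificate, or that use a plaintext inner method. The following script is an added example, not part of eaphammer, that audits wpa_supplicant EAP profiles for exactly those settings: it parses network={...} blocks and flags profiles with no ca_cert, with a ca_cert but no domain_suffix_match/subject_match, and with a phase2 of PAP or GTC. The sample configuration, the ESSID, the identity and the CA path are constructed for illustration.

```python
"""Audit wpa_supplicant EAP profiles for the settings an evil twin relies on."""

# Constructed sample wpa_supplicant.conf (not from the original post): two profiles
# for the same ESSID, the first as commonly deployed, the second hardened.
SAMPLE_CONF = """
ctrl_interface=/run/wpa_supplicant

network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="jdoe"
    password="hunter2"
    phase2="auth=PAP"
}

network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

TUNNELED_EAP = {"TTLS", "PEAP", "FAST"}          # outer methods that wrap an inner method in TLS
SERVER_NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")
CLEAR_INNER = ("AUTH=PAP", "AUTH=GTC", "AUTHEAP=GTC")   # inner methods that send the password as-is


def parse_networks(conf_text):
    """Return one dict per network={...} block, with surrounding quotes stripped from values."""
    networks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)      # split once: phase2="auth=PAP" keeps its inner '='
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net):
    """Findings for one profile; an empty list means the profile resists a rogue RADIUS server."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return findings                           # PSK/open profiles are outside this check
    if net.get("eap", "").upper() not in TUNNELED_EAP:
        return findings
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert: any server certificate is accepted, so a rogue AP's cert is trusted")
    elif not any(k in net for k in SERVER_NAME_CHECKS):
        findings.append("ca_cert without domain_suffix_match: any certificate from that CA is accepted")
    inner = net.get("phase2", "").upper()
    if any(marker in inner for marker in CLEAR_INNER):
        findings.append("phase2 %s: inner password is sent as-is inside the tunnel, so a trusted "
                        "rogue server reads it directly instead of a challenge/response" % net["phase2"])
    return findings


def audit_conf(conf_text):
    """List of (ssid, eap, findings) for every profile in the configuration text."""
    return [(n.get("ssid", "?"), n.get("eap", "?"), audit_network(n)) for n in parse_networks(conf_text)]


if __name__ == "__main__":
    for ssid, eap, findings in audit_conf(SAMPLE_CONF):
        print("%s (%s): %s" % (ssid, eap, "ok" if not findings else "; ".join(findings)))
```

Against the sample, the first profile would hand a --creds evil twin the plaintext password, while the second rejects any certificate that is not issued by the pinned CA for a radius.corp.example host. Point the script at a real /etc/wpa_supplicant/wpa_supplicant.conf (read the file into audit_conf) to review a fleet image before an assessment.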

Stealing AD Credentials Using Hostile Portal Attacks

Eaphammer can perform hostile portal attacks that force LLMNR/NBT-NS-enabled Windows clients into surrendering password hashes. The attack works by forcing associations with an evil twin, then forcing the associated clients to attempt NetBIOS name resolution using a Redirect To SMB attack. While this occurs, eaphammer runs Responder in the background to perform a nearly instantaneous LLMNR/NBT-NS poisoning attack against the affected wireless clients. The result is that affected devices not only connect to the rogue access point, but also send their NetNTLM challenge/response hashes to it.

The --hostile-portal flag can be used to execute a hostile portal attack, as shown in the examples below.

./eaphammer --interface wlan0 --bssid 1C:7E:E5:97:79:B1 --essid EvilC0rp --channel 6 --auth peap --wpa 2 --hostile-portal

./eaphammer --interface wlan0 --essid TotallyLegit --channel 1 --auth open --hostile-portal

Performing Indirect Wireless Pivots Using Hostile Portal Attacks

The hostile portal attack described in Stealing AD Credentials Using Hostile Portal Attacks can also be used to perform an SMB relay attack against the affected devices. The attacker relays the captured authentication to place a timed reverse shell on an authorized wireless device, then disengages the attack so the authorized device reconnects to the targeted network. When the reverse shell calls back, the attacker has the same level of access to that network as the compromised authorized device.

Performing Captive Portal Attacks

To perform a captive portal attack using eaphammer, use the --captive-portal flag as shown below.

./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid HappyMealz --channel 6 --interface wlan0 --captive-portal

This causes eaphammer to execute an evil twin attack in which the HTTP(S) traffic of all affected wireless clients is redirected to a website you control. Eaphammer uses Apache2 to serve web content out of /var/www/html when used with the default Apache2 configuration. Future iterations of eaphammer will provide an integrated HTTP server and website cloner for attacks against captive portal login pages.

Source

http://ift.tt/2prVMGx

The post eaphammer | evil twin attacks against WPA2-Enterprise networks appeared first on Penetration Testing in Linux. http://ift.tt/2r8pyhy http://ift.tt/2aM8QhC

Introduction to the target="_blank" attribute and phishing attacks

Many website administrators add the target="_blank" attribute to links on their pages, which is an insecure practice. Beyond that, target="_blank" exposes the vast majority of Internet users to phishing attacks of the kind known as reverse tabnabbing.

As early as 2014, many security researchers pointed out that target="_blank" is an insecure attribute, and some of the reports on it were given deliberately eye-catching titles to draw attention to the problem.

Vulnerability mechanism

When the user clicks a hyperlink with the target="_blank" attribute, the browser opens the linked content in a separate tab. Note, however, that at this point the browser lets the newly created tab communicate with the previous page through a browser API called window.opener.

An attacker can embed malicious code in the newly opened site, detect which site the user came from (the Referer header is enough), and then use the window.opener interface to force the original page to navigate to a new URL of the attacker's choosing.

For example, if a user clicks a link carrying target="_blank" on Facebook, the attacker can replace the original Facebook tab with a forged Facebook page and ask the user to re-enter their username and password. As a result, the attacker obtains the target user's credentials.

Scope of impact

Large social networks such as Instagram, Facebook and Twitter were all affected by this attack.

Of the three major social networks, only Instagram fixed the problem completely. Twitter fixed it only for users who access the site with the Safari browser. And Google has long been open about the fact that it does not regard this as an issue it intends to fix ...

How to fix this problem?

This means that the burden of fixing the problem falls on webmasters. The easiest fix is to add the rel="noopener" attribute to every such link on the site. Because Firefox did not fully support that attribute at the time, developers should use rel="noopener noreferrer" instead, which severs the opener reference in both cases.

Keep in mind that every time you open a new window with the window.open() interface, the same API exposes you to this risk, so do not forget to reset the opener property:

var newWnd = window.open();
newWnd.opener = null;
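Adding rel="noopener noreferrer" by hand to every link on an existing site is error-prone, so as an added example (not code from the original post) here is a small Python audit-and-fix tool for server-side templates and static HTML: it uses the standard-library HTML parser to find every <a target="_blank"> that lacks noopener or noreferrer, and rewrites exactly those start tags, appending the tokens to an existing rel attribute when there is one. The sample markup and its URLs are constructed for the example; the tool is meant for your own source files, not for sanitizing untrusted HTML.

```python
"""Find and fix <a target="_blank"> links that leave window.opener reachable."""
import re
from html.parser import HTMLParser

# Constructed sample page (not from the original post): one unsafe link, one already safe,
# one same-tab link that needs no change.
SAMPLE_HTML = """<p>
<a href="https://example.com/partner" target="_blank">Partner</a>
<a href="https://example.com/docs" target="_blank" rel="noopener noreferrer">Docs</a>
<a href="/about">About</a>
</p>"""

SAFE_TOKENS = {"noopener", "noreferrer"}     # either one severs the opener reference


class BlankTargetAuditor(HTMLParser):
    """Collect the raw start tag of every anchor that opens a new tab without rel=noopener."""

    def __init__(self):
        super().__init__()
        self.unsafe_tags = []                # raw tag text, e.g. '<a href="..." target="_blank">'

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)                  # html.parser lower-cases attribute names for us
        if (attrs.get("target") or "").strip().lower() != "_blank":
            return
        rel = set((attrs.get("rel") or "").lower().split())
        if rel & SAFE_TOKENS:
            return
        self.unsafe_tags.append(self.get_starttag_text())


def find_unsafe_blank_links(html):
    """Return the raw start tags of target="_blank" anchors lacking noopener/noreferrer."""
    auditor = BlankTargetAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.unsafe_tags


def _harden_tag(tag_text):
    """Return the same start tag with rel="noopener noreferrer" present."""
    rel_attr = re.compile(r'(rel\s*=\s*)(["\'])(.*?)\2', re.IGNORECASE)
    if rel_attr.search(tag_text):
        # Keep existing tokens such as nofollow and append ours.
        return rel_attr.sub(lambda m: m.group(1) + m.group(2)
                            + (m.group(3) + " noopener noreferrer").strip() + m.group(2),
                            tag_text, count=1)
    if tag_text.endswith("/>"):
        return tag_text[:-2].rstrip() + ' rel="noopener noreferrer"/>'
    return tag_text[:-1] + ' rel="noopener noreferrer">'


def harden_blank_links(html):
    """Rewrite every unsafe target="_blank" anchor in the document; everything else is untouched."""
    for tag_text in dict.fromkeys(find_unsafe_blank_links(html)):   # dedupe, keep order
        html = html.replace(tag_text, _harden_tag(tag_text))
    return html


if __name__ == "__main__":
    for tag in find_unsafe_blank_links(SAMPLE_HTML):
        print("unsafe:", tag)
    print(harden_blank_links(SAMPLE_HTML))
```

The same rule applies to links created from script: if you cannot set rel on the element, pass "noopener" as the third argument to window.open() or null out newWnd.opener as the post shows above.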

The post Introduction to target = “_ blank” attribute for the phishing attack appeared first on Penetration Testing in Linux. http://ift.tt/2qnOcxO http://ift.tt/2aM8QhC

chkrootkit: detection of rootkits & malware on Linux

Although Linux systems resist the spread of most malware, they are not absolutely safe. If your data center runs Linux servers, web servers in particular, you should guard against rootkit trojans and other malicious software: some data-destroying rootkits are very dangerous, and once an attacker has broken in, the server may be used to distribute malware. One way to reduce this risk is to use the right security checking tool.

chkrootkit

chkrootkit is a tool to locally check for signs of a rootkit, Worms and LKMs. It contains:

* chkrootkit: a shell script that checks system binaries for rootkit modification.

* ifpromisc.c: checks if the network interface is in promiscuous mode.

* chklastlog.c: checks for lastlog deletions.

* chkwtmp.c: checks for wtmp deletions.

* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)

* chkproc.c: checks for signs of LKM trojans.

* chkdirs.c: checks for signs of LKM trojans.

* strings.c: quick and dirty strings replacement.

* chkutmp.c: checks for utmp deletions.

chkwtmp and chklastlog *try* to check for deleted entries in the wtmp and lastlog files, but it is *not* guaranteed that any modification will be detected.

Aliens tries to find sniffer logs and rootkit config files. It looks for some default file locations — so it is also not guaranteed it will succeed in all cases.

chkproc checks if /proc entries are hidden from ps and the readdir system call. This could be the indication of a LKM trojan. You can also run this command with the -v option (verbose).
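The readdir check is worth seeing in code. What follows is an added example, not chkrootkit's own source: it reproduces chkproc's core idea by comparing the PIDs that readdir() on /proc lists with the PIDs the kernel still acknowledges to kill(pid, 0), and then removes the two benign explanations for a mismatch that produce most false positives, a thread (kill() accepts thread IDs, while readdir lists only thread-group leaders) and a process that exited during the scan. It assumes Linux with procfs mounted and is best run as root; the fake /proc/<pid>/status bodies used for the offline check are constructed.

```python
"""chkproc-style check: processes the kernel admits to but /proc readdir() no longer lists."""
import os

PROC = "/proc"


def pids_from_readdir(proc=PROC):
    """PIDs as readdir() on /proc reports them; this is the view ps and ls /proc get."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_from_kill_probe(max_pid):
    """PIDs the kernel admits to kill(pid, 0): 0 or EPERM means a task exists, ESRCH means none."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:           # ESRCH: nothing there
            continue
        except PermissionError:              # EPERM: exists, owned by someone else
            pass
        alive.add(pid)
    return alive


def hidden_pids(readdir_pids, probe_pids):
    """Candidates: answered the probe but absent from readdir (chkproc's core comparison)."""
    return sorted(probe_pids - readdir_pids)


def parse_tgid(status_text):
    """Thread-group id from a /proc/<pid>/status body; equals the pid for a process leader."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    raise ValueError("no Tgid line in status")


def _read_status(pid, proc=PROC):
    with open(os.path.join(proc, str(pid), "status")) as f:
        return f.read()


def confirm_hidden(candidates, visible, read_status=_read_status):
    """Keep only candidates that are neither a thread of a listed process nor already gone."""
    hidden = []
    for pid in candidates:
        try:
            status = read_status(pid)
        except FileNotFoundError:
            # Not even openable by name: either it exited mid-scan or the rootkit hides the
            # directory outright. Re-probe to rule out the race.
            try:
                os.kill(pid, 0)
            except ProcessLookupError:
                continue
            except PermissionError:
                pass
            hidden.append(pid)
            continue
        tgid = parse_tgid(status)
        if tgid != pid and tgid in visible:
            continue                         # a thread of a visible process, listed under /proc/<tgid>/task
        # Openable by name but missing from readdir: the signature of an LKM filtering readdir only.
        hidden.append(pid)
    return hidden


def detect_hidden(proc=PROC, max_pid=None):
    """Full pass over the PID space; probing pid_max entries takes a few seconds in Python."""
    if max_pid is None:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as f:
            max_pid = int(f.read())
    before = pids_from_readdir(proc)
    probed = pids_from_kill_probe(max_pid)
    after = pids_from_readdir(proc)          # second snapshot absorbs processes born during the probe
    visible = before | after
    return confirm_hidden(hidden_pids(visible, probed), visible)


if __name__ == "__main__":
    found = detect_hidden()
    print("hidden pids:", found if found else "none")
```

A non-empty result means a task answers the kernel but is filtered out of the /proc listing, which is exactly what chkrootkit's chkproc reports as an LKM trojan sign; as with chkrootkit, treat it as a lead to investigate (read /proc/<pid>/status and /proc/<pid>/exe by name) rather than as proof on its own.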

Installation

On Debian/Ubuntu, simply type the command

sudo apt-get install chkrootkit

Usage

Open a terminal and type the command

sudo chkrootkit

If the scan reports rootkit signs, analyze them before acting, because some may be false positives. If other suspected rootkit reports appear, pay close attention: go through the chkrootkit report carefully and work out the remedy yourself, because chkrootkit only provides detection, not a fix or a removal method.

The post chkrootkit: detection rootkits & malware on Linux appeared first on Penetration Testing in Linux. http://ift.tt/2r8lmyq http://ift.tt/2aM8QhC

Medical safety research: pacemaker ecosystem network security risks, difficult to solve in the short term – Penetration Testing in Linux

According to a report released this week, security researchers point out that a series of cybersecurity problems plague the leading pacemaker manufacturers, including a lack of authentication and encryption and thousands of known vulnerabilities in third-party software libraries, putting pacemakers once again at the center of the medical device security debate.

A pacemaker is an implantable cardiac device used to correct abnormal heart rhythms; most can be adjusted by a physician or technician either near the device or remotely. WhiteScope IO researchers Billy Rios and Jonathan Butts tested the RF communications of pacemaker programmers (the devices used in clinical settings to monitor implanted devices and set treatment parameters) from four manufacturers.

The results show serious security weaknesses in the infrastructure that supports the implants, and a standoff between patient care and cybersecurity. In addition, all of the pacemaker systems kept unencrypted file systems on removable media. On the software side, Rios and Butts found more than 8,000 known vulnerabilities in the third-party libraries of the existing programmers. Because medical institutions store unencrypted data (Social Security numbers, medical records and so on) on the programmers, some of the equipment not only risks the theft of personal information but also raises patient privacy concerns.

Security experts say that, given the state of medical equipment, comprehensive patching remains a major challenge. Although the US Food and Drug Administration (FDA) has tried to streamline the routine process for cybersecurity updates, the test results still show that every programmer tested runs obsolete software with known vulnerabilities.

For more information, see ” Pacemaker Ecosystem Evaluation.pdf “

The post Medical safety research: pacemaker ecosystem network security risks, difficult to solve in the short term appeared first on Penetration Testing in Linux. http://ift.tt/2qnPx7D http://ift.tt/2aM8QhC