Archive for the ‘Hacking’ Category

We have all used sites such as bugcrowd.com but did you know there are some companies that offer bug bounties through their own website.

This list will help bug bounty hunters and security researchers to explore different bug bounty programs and responsible disclosure policies.

Company URL
The Atlantic https://www.theatlantic.com/responsible-disclosure-policy/
Rollbar Docs https://docs.rollbar.com/docs/responsible-disclosure-policy
Vulnerability Analysis https://vuls.cert.org/confluence/display/Wiki/Vulnerability+Disclosure+Policy
Ambassador Referral Software https://www.getambassador.com/responsible-disclosure-policy
NN Group https://www.nn-group.com/Footer-Pages/Ethical-hacking-NN-Groups-Responsible-Disclosure-Policy.htm
Octopus Deploy https://octopus.com/security/disclosure
Mimecast https://www.mimecast.com/responsible-disclosure/
Royal IHC https://www.royalihc.com/en/responsible-disclosure-policy
SignUp.com https://signup.com/responsible-disclosure-policy
MailTag https://www.mailtag.io/disclosure-policy
Fox-IT (ENG) https://www.fox-it.com/en/responsible-disclosure-policy/
Kaseya https://www.kaseya.com/legal/vulnerability-disclosure-policy
Vend https://www.vendhq.com/responsible-disclosure-policy
Gallagher Security https://security.gallagher.com/gallagher-responsible-disclosure-policy
Surevine https://www.surevine.com/responsible-disclosure-policy/
IKEA https://www.ikea.com/ms/en_US/responsible-disclosure/index.html
Bunq https://www.bunq.com/en/terms-disclosure
GitLab https://about.gitlab.com/disclosure/
Rocket.Chat https://rocket.chat/docs/contributing/security/responsible-disclosure-policy/
Quantstamp https://quantstamp.com/responsible-disclosure
WeTransfer https://wetransfer.com/legal/disclosure
18F https://18f.gsa.gov/vulnerability-disclosure-policy/
Veracode https://www.veracode.com/responsible-disclosure/responsible-disclosure-policy
Oracle https://www.oracle.com/support/assurance/vulnerability-remediation/disclosure.html
Mattermost https://about.mattermost.com/report-security-issue/
Freshworks Inc. https://www.freshworks.com/security/responsible-disclosure-policy
OV-chipkaart https://www.ov-chipkaart.nl/service-and-contact/responsible-disclosure-policy.htm
ICS-CERT https://ics-cert.us-cert.gov/ICS-CERT-Vulnerability-Disclosure-Policy
Netflix https://help.netflix.com/en/node/6657
RIPE Network https://www.ripe.net/support/contact/responsible-disclosure-policy
Pocketbook https://getpocketbook.com/responsible-disclosure-policy/
Salesforce Trust https://trust.salesforce.com/en/security/responsible-disclosure-policy/
Duo Security https://duo.com/labs/disclosure
EURid https://eurid.eu/nl/other-infomation/eurid-responsible-disclosure-policy/
Oslo Børs https://www.oslobors.no/ob_eng/Oslo-Boers/About-Oslo-Boers/Responsible-Disclosure
Marketo https://documents.marketo.com/legal/notices/responsible-disclosure-policy.pdf
FreshBooks https://www.freshbooks.com/policies/responsible-disclosure
BizMerlinHR https://www.bizmerlin.com/responsible-disclosure-policy
MWR InfoSecurity https://labs.mwrinfosecurity.com/mwr-vulnerability-disclosure-policy
KAYAK https://www.kayak.co.in/security
98point6 https://www.98point6.com/responsible-disclosure-policy/
AlienVault https://www.alienvault.com/documentation/usm-appliance/system-overview/how-to-submit-a-security-issue-to-alienvault.htm
Seafile https://www.seafile.com/en/responsible_disclosure_policy/
LevelUp https://www.thelevelup.com/security-response
BankID https://www.bankid.com/en/disclosure
Orion Health https://orionhealth.com/global/support/responsible-disclosure/
Aptible https://www.aptible.com/legal/responsible-disclosure/
NowSecure https://www.nowsecure.com/company/responsible-disclosure-policy/
Takealot.com https://www.takealot.com/help/responsible-disclosure-policy
Smokescreen https://www.smokescreen.io/responsible-disclosure-policy/
Royal Bank of Scotland https://personal.rbs.co.uk/personal/security-centre/responsible-disclosure.html
Flood IO https://flood.io/security
CERT.LV https://www.cert.lv/en/about-us/responsible-disclosure-policy
 Zero Day Initiative https://www.zerodayinitiative.com/advisories/disclosure_policy/
Geckoboard https://support.geckoboard.com/hc/en-us/articles/115007061468-Responsible-Disclosure-Policy
Internedservices https://www.internedservices.nl/en/responsible-disclosure-policy/
FloydHub https://www.floydhub.com/about/security
Practo https://www.practo.com/company/responsible-disclosure-policy
Zimbra https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
Cyber Safety https://www.utwente.nl/en/cyber-safety/responsible/
Port of Rotterdam https://www.portofrotterdam.com/en/responsible-disclosure
Georgia Institute of … http://www.policylibrary.gatech.edu/information-technology/responsible-disclosure-policy
NautaDutilh https://www.nautadutilh.com/nl/responsible-disclosure/
BitSight Technologies https://www.bitsighttech.com/responsible-disclosure
BOSCH https://psirt.bosch.com/en/responsibleDisclosurePolicy.html
CARD.com https://www.card.com/responsible-disclosure-policy
SySS GmbH https://www.syss.de/en/responsible-disclosure-policy/
Mailtrack https://mailtrack.io/en/responsible-vulnerability
Pinterest https://policy.pinterest.com/en/responsible-disclosure-statement
PostNL https://www.postnl.nl/en/responsible-disclosure/
Pellustro https://pellustro.com/responsible-disclosure-policy/
iWelcome https://www.iwelcome.com/responsible-disclosure/
Hacking as a Service https://hackingasaservice.deloitte.nl/Home/ResponsibleDisclosure
N.V. Nederlandse Gasunie https://www.gasunie.nl/en/responsible-disclosure
Hostinger https://www.hostinger.co.uk/responsible-disclosure-policy
SiteGround https://www.siteground.com/blog/responsible-disclosure/
Odoo https://www.odoo.com/security-report
Thumbtack https://help.thumbtack.com/article/responsible-disclosure-policy
ChatShipper http://chatshipper.com/responsible-disclosure-policy/
ServerBiz https://server.biz/en/legal/responsible-disclosure
Palo Alto Networks https://www.paloaltonetworks.com/security-disclosure
Advertisements

  1. wifite
    Link Project: https://github.com/derv82/wifite
    Wifite is for Linux only.Wifite is an automated wireless attack tool.Wifite was designed for use with pentesting distributions of Linux, such as Kali LinuxPentooBackBox; any Linux distributions with wireless drivers patched for injection. The script appears to also operate with Ubuntu 11/10, Debian 6, and Fedora 16.Wifite must be run as root. This is required by the suite of programs it uses. Running downloaded scripts as root is a bad idea. I recommend using the Kali Linux bootable Live CD, a bootable USB stick (for persistent), or a virtual machine. Note that Virtual Machines cannot directly access hardware so a wireless USB dongle would be required.Wifite assumes that you have a wireless card and the appropriate drivers that are patched for injection and promiscuous/monitor mode.
  2. wifiphisher
    Link Project: https://github.com/sophron/wifiphisher
    Wifiphisher is a security tool that performs Wi-Fi automatic association attacks to force wireless clients to unknowingly connect to an attacker-controlled Access Point. It is a rogue Access Point framework that can be used to mount automated victim-customized phishing attacks against WiFi clients in order to obtain credentials or infect the victims with malwares. It can work a social engineering attack tool that unlike other methods it does not include any brute forcing. It is an easy way for obtaining credentials from captive portals and third party login pages (e.g. in social networks) or WPA/WPA2 pre-shared keys.Wifiphisher works on Kali Linux and is licensed under the GPL license.
  3. wifi-pumpkin
    Link Project: https://github.com/P0cL4bs/WiFi-Pumpkin
    Very friendly graphic user interface, good handling, my favorite one is the establishment of phishing wifi attack tools, rich functional interface, ease of use is excellent. Compatibility is also very good. Researcher  is actively update them, we can continue to focus on this fun project
  4. fruitywifi
    Link Project: https://github.com/xtr4nge/FruityWifi
    FruityWifi is an open source tool to audit wireless networks. It allows the user to deploy advanced attacks by directly using the web interface or by sending messages to it.
    Initially the application was created to be used with the Raspberry-Pi, but it can be installed on any Debian based system
  5. mama toolkit
    Link Project: https://github.com/sensepost/mana
    A toolkit for rogue access point (evilAP) attacks first presented at Defcon 22.
    More specifically, it contains the improvements to KARMA attacks we implemented into hostapd, as well as some useful configs for conducting MitM once you’ve managed to get a victim to connect.
  6. 3vilTwinAttacker
    Link Project:https://github.com/wi-fi-analyzer/3vilTwinAttacker
    Much like wifi-pumpkin interface. Has a good graphical interface, the overall experience is very good, good ease of use. Good compatibility. Researcher has hardly been updated.
  7. ghost-phisher
    Link Project: http://tools.kali.org/information-gathering/ghost-phisher
    It has a good graphical interface, but almost no fault tolerance, many options easily confusing, but the overall feeling is still very good use. It can be a key to establish rogue ap, and protect dhcp, dns services interface, easy to launch a variety of middle attack, ease of use is good. Compatible good. Kali has been made official team updated original repo.
  8. fluxion
    Link Project: https://github.com/wi-fi-analyzer/fluxion
    Fluxion is a remake of linset by vk496 with (hopefully) less bugs and more functionality. It’s compatible with the latest release of Kali (rolling). The attack is mostly manual, but experimental versions will automatically handle most functionality from the stable releases.

Happy Hunting

he windows passwords can be accessed in a number of different ways. The most common way would be via accessing the Security Accounts Manager (SAM) file and obtaining the system passwords in their hashed form with a number of different tools. Alternatively passwords can be read from memory which has the added benefit of recovering the passwords in plain text and avoiding the cracking requirement. In order to understand the formats you’ll see when dumping Windows system hashes a brief overview of the different storage formats is required.

Lan Manager (LM) Hashes
Originally windows passwords shorter than 15 characters were stored in the Lan Manager (LM) hash format. Some OSes such as Windows 2000, XP and Server 2003 continue to use these hashes unless disabled. Occasionally an OS like Vista may store the LM hash for backwards compatibility with other systems. Due to numerous reasons this hash is simply terrible. It includes several poor design decisions from Microsoft such as splitting the password into two blocks and allowing each to be cracked independently. Through the use of rainbow tables which will be explained later it’s trivial to crack a password stored in a LM hash regardless of complexity. This hash is then stored with the same password calculated in the NT hash format in the following format: ::::::

An example of a dumped NTLM hash with the LM ant NT component. Administrator:500:611D6F6E763B902934544489FCC9192B:B71ED1E7F2B60ED5A2EDD28379D45C91:::

NT Hashes
Newer Windows operating systems use the NT hash. In simple terms there is no significant weakness in this hash that sets it apart from any other cryptographic hash function. Cracking methods such as brute force, rainbow tables or word lists are required to recover the password if it’s only stored in the NT format.

An example of a dumped NTLM hash with only the NT component (as seen on newer systems.
Administrator:500:NO PASSWORD*********************:EC054D40119570A46634350291AF0F72:::

It’s worth noting the “no password” string is variable based on the tool. Others may present this information as padded zeros, or commonly you may see the string “AAD3B435B51404EEAAD3B435B51404EE” in place of no password. This signifies that the LM hash is empty and not stored.

Location
The hashes are located in the Windows\System32\config directory using both the SAM and SYSTEM files. In addition it’s also located in the registry file HKEY_LOCAL_MACHINE\SAM which cannot be accessed during run time. Finally backup copies can be often found in Windows\Repair.

Tool – PwDump7 – http://www.tarasco.org/security/pwdump_7/
This tool can be executed on the system machine to recover the system hashes. Simply download the run the binary with at least administrator account privileges.

Tool – Windows Credential Editor – http://www.ampliasecurity.com/
Windows Credentials Editor (WCE) is great for dumping passwords that are in memory. Personally I typically use it with the -w flag to dump passwords in clear text. This can often net you passwords that are infeasible to get any other way.

Tool – Meterpreter
If you have a meterpreter shell on the system, often you can get the hashes by calling the hashdump command.

Method – Recovery Directory
Occasionally you may not have direct access to the file required, or perhaps even command line interaction with the victim. An example of this would be a local file inclusion attack on a web service. In those cases it’s recommended you try and recover the SYSTEM and SAM directories located in the Windows\Repair directory.

Method – Live CD
Sometimes you may have physical access to the computer but wish to dump the passwords for cracking later. Using a Live CD is a common method of being able to mount the Windows drive and recover the SYSTEM and SAM files from the System32/config directory since the OS isn’t preventing you access.

 

tv crime2ChaosVPN is a system to connect Hackers.

Design principals include that it should be without Single Point of Failure, make usage of full encryption, use RFC1918 ip ranges, scales well on >100 connected networks and is being able to run on an embedded hardware you will find in our today’s router. It should be designed that no one sees other peoples traffic. It should be mainly autoconfig as in that besides the joining node no administrator of the network should be in the need to actually do something when a node joins or leaves. If you want to find a solution for a Network without Single Point of failure, has – due to Voice over IP – low latency and that no one will see other peoples traffic you end up pretty quick with a full mesh based network.

Therefore we came up with the tinc solution. tinc does a fully meshed peer to peer network and it defines endpoints and not tunnels.

ChaosVPN connects hacker wherever they are. We connect road warriors with their notebook. Servers, even virtual ones in Datacenters, Hacker houses, and hackerspaces. To sum it up we connect networks – may be down to a small /32.

So there we are. It is working and it seems the usage increases, more nodes join in and more services pop up.

Installation

  • Installation dependency package

    If you get an “E: The package bison is not available for the candidate” error, please add them to your sources.list file
    deb http://debian.sdinet.de/ stable chaosvpn
    deb-src http://debian.sdinet.de/ stable chaosvpn
    apt-get update

  • Install
    apt-get install chaosvpn
    If the error cannot be installed
    vi /etc/apt/sources.list
    deb http://security.debian.org/debian-security wheezy/updates main
    apt-get update
    apt-get install libssl1.0.0
    apt-get install chaosvpn

Configuration

  • For tinc and chaosvpn docking operation
    mkdir -p /etc/tinc/chaos
    tincd –ne=chaosvpn –generate-keys=2048
    if you get “Error opening file `/etc/tinc/=chaosvpn/rsa_key.priv’: No such file or directory” error, then run a command:
    mkdir /etc/tinc/chaos/ecdsa_key.priv
  •  executed
    tincd –ne=chaosvpn –generate-keys=2048
  • run command
    vi /etc/tinc/chaosvpn.conf
    Change parameters
    $ my_vpn_ip = 172.31。。[1-255]
    Only use a-z, 0-9 and underline
    Ip address to be changed to 172.31.x.x
    Save the exit.
  • you have to join chaosVPN also must write a letter of introduction to indicate your motive, send mail to chaosvpn-join@hamburg.ccc.de
  • If you join, in the terminal input chaosvpn, you can see some information.

    The contents of the letter of introduction are:

  • Start
    /etc/init.d/chaosvpn start
  • View the chaosvpn network port
    route -n

 

HP has an awful history of ‘accidentally’ leaving keyloggers onto its customers’ laptops. At least two times this year, HP laptops were caught with pre-installed keylogger or spyware applications.
tweet made by a security researcher claiming to have found a built-in keylogger in several HP laptops, and now he went public with his findings.

A security researcher who goes by the name of ZwClose discovered a keylogger in several Hewlett-Packard (HP) laptops that could allow hackers to record your every keystroke and steal sensitive data, including passwords, account information, and credit card details.

The Keylogger was found embedded in the SynTP.sys file, a part of Synaptics touchpad driver that ships with HP notebook computers, leaving more than 460 HP Notebook models vulnerable to hackers.

Although the keylogger component is disabled by default, hackers can make use of available open source tools for bypassing User Account Control (UAC) to enable built-in keylogger “by setting a registry value.”

Here’s the location of the registry key:

  • HKLM\Software\Synaptics\%ProductName%
  • HKLM\Software\Synaptics\%ProductName%\Default

The researcher reported the keylogger component to HP last month, and the company acknowledges the presence of keylogger, saying it was actually “a debug trace” which was left accidentally, but has now been removed.

A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impact all Synaptics OEM partners,” HP says in its advisory, calling the keylogger as a potential, local loss of confidentiality.

A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue.

The company has released a Driver update for all the affected HP Notebook Models. If you own an HP laptop, you can look for updates for your model. The list of affected HP notebooks can be found at the HP Support website.

This is not the first time a keylogger has been detected in HP laptops. In May 2017, a built-in keylogger was found in an HP audio driver that was silently recording all of its users’ keystrokes and storing them in a human-readable file.

Caintech.co.uk

vsaudit

This is an opensource tool to perform attacks to general voip services It allows to scans the whole network or single host to do the gathering phase, then it is able to search for most known vulnerabilities on the founds alive hosts and try to exploit them.

Install dependencies

To start using vsaudit you must install the ‘bundler’ package that will be used to install the requireds gem dependencies through the Gemfile.

Download directly from website:

http://bundler.io/

Or install with ‘gem’ (ruby package manager) with:

deftcode ~ $ gem install bundler

After that the installation has been completed, run (in the directory where is located vsaudit):

deftcode vsaudit $ bundle

Now you can start vsaudit with:

deftcode vsaudit $ ruby vsaudit.rb

NOTE: If you get an error with gem, you need to install the libssl-dev package (kali-linux: apt install libssl-dev).

Environment commands

  • Display the available options that can be set
  • List the environment variables
  • Get the value of environment variable
  • Set or change the environment variables

Audit commands

  • Check mistakes in the local configuration files
  • Scan a local o remote network
  • Enumerate the extensions
  • Bruteforce extensions
  • Get the live network traffic
  • Intercept the network traffic by custom bpf

Informations commands

  • Get informations about modules or address
  • Show the report list
  • Show the extensions list

Global commands

  • Display the help message
  • Quit from the framework

Screenshot

Reference

Source: https://github.com/eurialo/vsaudit

So why do we restrict Powershell to users in an organisation, well the answer is Mimikittenz.

Mimikittenz is a post-exploitation powershell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes.
mimikittenz can also easily extract other kinds of juicy info from target processes using regex patterns including but not limited to:

  • TRACK2 (CreditCard) data from merchant/POS processes
  • PII data
  • Encryption Keys & All the other goodstuff

NOTE: This tool is targeting running process memory address space, once a process is killed it’s memory ‘should’ be cleaned up and inaccessible however there are some edge cases in which this does not happen.

The aim of mimikittenz is to provide user-level (non-admin privileged) sensitive data extraction in order to maximise post exploitation efforts and increase value of information gathered per target.
Currently mimikittenz is able to extract the following credentials from memory:

NOTE: This tool is targeting running process memory address space, once a process is killed it’s memory ‘should’ be cleaned up and inaccessible however there are some edge cases in which this does not happen.

The aim of mimikittenz is to provide user-level (non-admin privileged) sensitive data extraction in order to maximise post exploitation efforts and increase value of information gathered per target.

Currently mimikittenz is able to extract the following credentials from memory:

#####Webmail#####

Gmail
Office365
Outlook Web
#####Accounting#####

Xero
MYOB
#####Remote Access#####

Juniper SSL-VPN
Citrix NetScaler
Remote Desktop Web Access 2012
#####Developement#####

Jira
Github
Bugzilla
Zendesk
Cpanel
#####IHateReverseEngineers#####

Malwr
VirusTotal
AnubisLabs
#####Misc#####

Dropbox
Microsoft Onedrive
AWS Web Services
Slack
Twitter
Facebook

Download
git clone https://github.com/putterpanda/mimikittenz.git
https://github.com/putterpanda/mimikittenz.git

Also read: Unofficial Guide to Mimikatz & Command Reference