
Sunday, August 10, 2014

DD-WRT : Linux based Alternative OpenSource Firmware

1.   After hearing and seeing over the last few years the rise of Open Source and its imminent threat to Mac and Windows!!!!, now I read about DD-WRT, a Linux-based alternative Open Source firmware suitable for a great variety of WLAN routers and embedded systems.
2.    This open-source firmware was developed for specific router models and is used as a replacement for the factory default firmware. This modification lifts restrictions built into the default firmware, providing advanced capabilities that make the Internet connection and home network more controllable and versatile. Manufacturers develop routers with non-technical users in mind, making them simple and easy to use while limiting their effectiveness as a web-access gateway. DD-WRT transforms a personal-class router with limited functionality into a powerful, multi-use, business-class router. With DD-WRT, a router's enterprise potential can be unlocked at a home user's price.


3.    The advantages offered are brought out below:

    - Stability of running a Linux-based, non-proprietary firmware.
    - VPN (Virtual Private Network) passthrough capabilities.
    - Software support for the SD-Card hardware modification.
    - Advanced QoS (Quality of Service) controls for bandwidth allocation.
    - NAT (Network Address Translation) support.
    - Cycle (reboot) the router from the Administration settings.
    - Built-in DNS caching.
    - Configure the router as a Wi-Fi hotspot using the integrated Chillispot.
    - RADIUS authentication for additional wireless security.
    - VLAN (Virtual Local Area Network) support.
    - Create unique SSIDs (service set identifiers) when using multiple routers.

4.   But it is not always a win-win situation: while flashing a router with DD-WRT is highly beneficial, the risks involved can sometimes outweigh the benefits. Flashing a router with DD-WRT can be risky and, when done improperly, it may "brick" the router. For devices used mainly for private purposes, DD-WRT is freely available. Platforms used for commercial purposes require a paid license. Compared to the freely available version, the professional version also allows configuration of the WLAN parameters, thus opening up the opportunity of creating, for example, reliable and powerful network infrastructures. Special demands can be fulfilled by specifically tailored versions of DD-WRT.


Sunday, August 03, 2014

Fierce Domain Scan by FIERCE @ Kali Linux

1.   This post gives a step-by-step screenshot walkthrough of a relatively unknown but powerful tool known as Fierce. It is a Perl script written by rsnake. Fierce tries multiple techniques to find all the IP addresses and hostnames used by a target. Fierce is meant specifically to locate likely targets both inside and outside a corporate network. A very detailed and easy-to-follow explanation is given at http://ha.ckers.org/fierce/

2.  To use Fierce, navigate to Information Gathering | DNS Analysis | Fierce.
Fierce will load into a terminal window as shown in the following screenshot.



DOMAIN INFORMATION GROPER : DIG@Kali LINUX

1.    Most high-value targets have a DNS name associated with an application. DNS names make it easier for users to access a particular service and add a layer of professionalism to their system. For example, if you want to access Google for information, you could open a browser and type in 74.125.68.138 or type www.google.com.

2.  DNS information about a particular target can be extremely useful to a Penetration Tester. DNS allows a Penetration Tester to map out systems and subdomains. To use Dig, open a command prompt and type dig hostname, where hostname represents the target domain.

3.  Dig lookups will show the DNS records for the given host or domain. This allows lookups for network address, mail exchanger, name server, host information, arbitrary string and zone of authority records. With no server specified, Dig will use your operating system's default DNS settings (a properly configured Internet DNS cache) to query the hostname. You can also configure Dig to query a custom DNS server by adding @server to the command. The example in the following screenshot illustrates using Dig on http://www.hacklabs.com/

 
4.   The -t option in Dig selects the record type to query; -t ns asks for the zone's authoritative name servers (its NS records). We type dig -t ns http://www.hacklabs.com/ in the example in the following screenshot:

5.  We see from the results that we have two authoritative DNS servers for the domain http://www.hacklabs.com/; they are ns51.domaincontrol.com and ns51.domaincontrol.com.
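As an added example (written for this page, not taken from the post or from the book it credits), the following Python uses only the standard library to show what dig -t ns does on the wire: build_query() produces the same kind of message (one question, RD bit set), parse_response() decodes the header and the resource records, including the name-compression pointers that real replies use, and query_server() sends the query to a chosen server the way dig's @server form does. The zone example.com, the name servers ns1/ns2.example.com and the server address 192.0.2.53 are constructed values, and the reply built by make_sample_response() is constructed too, so the block runs offline.

```python
import random
import socket
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT"}
TYPE_CODES = {v: k for k, v in TYPE_NAMES.items()}


def encode_name(name):
    """Encode 'ns1.example.com' as DNS labels: \\x03ns1\\x07example\\x03com\\x00."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def build_query(name, qtype="NS", txid=None):
    """Build the message `dig -t <qtype> <name>` sends: one question, RD (recursion desired) set."""
    if txid is None:
        txid = random.randrange(0, 0x10000)          # random ID, matched against the reply later
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    return header + encode_name(name) + struct.pack("!HH", TYPE_CODES[qtype], 1)  # class IN


def read_name(msg, off):
    """Decode a (possibly compressed) name at offset off; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # two-byte compression pointer
            hops += 1
            if hops > 16:                            # guard against pointer loops in hostile replies
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                        # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Parse the header, skip the question, and decode every resource record."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                     # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (2, 5):                        # NS and CNAME rdata are names
            value, _ = read_name(msg, off)
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        records.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F, "records": records}


def make_sample_response(query):
    """Constructed authoritative reply to an NS query for example.com (not a real capture)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8580, 1, 2, 0, 0)  # QR|AA|RD|RA, two answers
    rrs = b""
    for ns in (b"\x03ns1", b"\x03ns2"):
        rdata = ns + b"\xc0\x0c"                     # "ns1" + pointer to example.com at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata
    return header + query[12:] + rrs


def query_server(name, qtype="NS", server="192.0.2.53", timeout=3.0):
    """Send the query over UDP to `server` (dig's @server form); needs network access."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    return resp


if __name__ == "__main__":
    q = build_query("example.com", "NS")
    for rr in parse_response(make_sample_response(q))["records"]:
        print(rr)
```

The pointer-hop limit in read_name() is the check worth keeping: a crafted reply whose pointer refers back to itself would loop a naive parser forever, and the transaction-ID comparison in query_server() rejects replies that do not belong to the query that was sent.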

6.   Thanks to the book Web Penetration Testing with Kali Linux by Joseph Muniz & Aamir Lakhani.

HTTrack : Clone a Website@KALI LINUX

1.    This post will introduce you to a well-known tool to clone a website: HTTrack. It is built into Kali, though older versions may not have it. The purpose of HTTrack is to copy a website. It allows a Penetration Tester to look at the entire content of a website, all its pages and files, offline and in their own controlled environment. Needless to emphasize the importance and usefulness of having a copy of a website that could be used to develop fake phishing websites, which can be incorporated in other Penetration Testing toolsets. To install HTTrack if it is not already built into Kali, open a Terminal window and type in the following, as shown in the following screenshot.

apt-get install httrack 


2.  First we will create a directory to store the copied website. The following screenshot shows a directory named testwebsite created using the mkdir command.

3.   To start HTTrack, type httrack in the command window and give the project a name, as shown in the following screenshot:

4.   The next step is to select a directory to save the website. The example in the following screenshot shows the folder created in the previous step, /root/testwebsite, used for the directory:

5.   Enter the URL of the site you want to capture. The example in the following screenshot shows www.hackershandbook.org. This can be any website. Most attacks use a website accessed by clients from your target, such as popular social media websites or the target's internal websites. Next, options are presented regarding what you want to do with the captured site. Option 2 is the easiest method, which is a mirror website with a wizard, as shown in the following screenshot:

6.  Next, you can specify if you want to use a proxy to launch the attack. You can also specify what type of files you want to download (the example in the following screenshot shows * for all files). You can also define any command line options or flags you might want to set. The example in the following screenshot shows no additional options. Before httrack runs, it will display the command that it is running. You can use this command in the future if you want to run httrack without going through the wizard again. The following screenshots show httrack cloning www.hackershandbook.org:
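From the defender's side, a whole-site mirror like the one described above leaves a recognisable trace in the web server's access log. The following Python is an added example (not part of the post or of HTTrack itself) that parses combined-format log lines and flags two things: a User-Agent that names HTTrack, and, since a user agent is trivially changed, any client that fetches many distinct paths within a short window. The log lines, client addresses and the thresholds (20 requests in 60 seconds) are constructed for the example; the HTTrack User-Agent string is assumed to be the tool's default as shipped and should be checked against your own copy.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
MIRROR_UA_MARKERS = ("httrack",)   # substring match, case-insensitive
RATE_THRESHOLD = 20                # this many GETs for distinct paths ...
RATE_WINDOW = 60                   # ... inside this many seconds looks like a crawler, whatever the UA


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_mirroring(lines):
    """Return {client_ip: [reasons]} for clients whose traffic looks like whole-site mirroring."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        reasons = []
        if any(marker in r["ua"].lower() for r in recs for marker in MIRROR_UA_MARKERS):
            reasons.append("User-Agent identifies a site-mirroring tool")
        times = sorted(r["ts"] for r in recs if r["method"] == "GET")
        paths = {r["path"] for r in recs}
        # sliding window: RATE_THRESHOLD consecutive GETs within RATE_WINDOW seconds
        for i in range(len(times) - RATE_THRESHOLD + 1):
            span = (times[i + RATE_THRESHOLD - 1] - times[i]).total_seconds()
            if span <= RATE_WINDOW and len(paths) >= RATE_THRESHOLD:
                reasons.append(f"{RATE_THRESHOLD} GETs within {int(span)}s over {len(paths)} distinct paths")
                break
        if reasons:
            findings[ip] = reasons
    return findings


def _line(ip, second, path, ua):
    # Constructed combined-log line; every request is on 10/Aug/2014 at 10:15:<second>
    return (f'{ip} - - [10/Aug/2014:10:15:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512 '
            f'"-" "{ua}"')


HTTRACK_UA = "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"   # assumed tool default
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/36.0 Safari/537.36"

# Constructed sample log: a default HTTrack run, a crawler hiding behind a browser UA, and a normal visitor
SAMPLE_LOG = (
    [_line("198.51.100.7", s, f"/page{s}.html", HTTRACK_UA) for s in range(25)]
    + [_line("192.0.2.9", s, f"/doc{s}.html", BROWSER_UA) for s in range(25)]
    + [_line("203.0.113.5", s * 10, "/index.html", BROWSER_UA) for s in range(3)]
)

if __name__ == "__main__":
    for ip, why in find_mirroring(SAMPLE_LOG).items():
        print(ip, why)
```

The rate heuristic is the one that survives a renamed user agent; tune RATE_THRESHOLD and RATE_WINDOW to the site's normal per-client request pattern before alerting on it, and exclude known search-engine crawlers by address rather than by User-Agent.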

7.   After you are done cloning the website, navigate to the directory where you saved it. Inside, you will find all your files and web pages, as shown in the following screenshot:
8.   Thanks to the book Web Penetration Testing with Kali Linux by Joseph Muniz & Aamir Lakhani.

Wednesday, July 30, 2014

Setting up your Virtual Lab : Two Machines for SET

1.  This post will be useful for those looking to set up a virtual lab on their laptops/PCs that can be used to play with Backtrack/Kali Linux and similar images. Here I am sharing exact screenshots of the configuration required to set up two machines that would access the Internet independently and would at the same time ping each other on a local LAN; this can subsequently be used to work with SET (Social Engineering Toolkit) as discussed in my last post. I have two machines here: one with Kali Linux and a Windows 7 machine.

2.  Both have been set up with two NICs each and configured as shown below:

(Windows 7 Machine NIC 1 Setting)

(Windows 7 Machine NIC 2 Setting)

(Kali Machine NIC 1 Setting)

(Kali Machine NIC 2 Setting)

(IPCONFIG output at Windows machine)

(ifconfig output at Kali machine)

(Ping to Windows Machine)

(Ping to Kali Machine)

(Kali Access to Internet)

(Windows Access to Internet)


Tuesday, July 29, 2014

Computer-based Social Engineering Tools : Kali LINUX

1.   The Social-Engineering Toolkit (SET) is a product of TrustedSec. SET is a Python-driven suite of custom tools and a menu-driven attack system that mainly concentrates on attacking the human element of security. With a wide variety of attacks available, this toolkit is an absolute must-have for penetration testing. SET comes preinstalled in Kali Linux. You can simply invoke it through the command line using the command se-toolkit:

/usr/share/set# ./set
root@Kali:/usr/share/set/# python set


Or, you can choose it through the Applications menu:


Once the user clicks on the SET toolkit, it will open with the options shown in the
following screen shot:


Website cloning

In this attack, we will mirror a web page and send that mirror page link to the target. As this is the first attack that takes place, I would suggest you go through the options available in the different sections of the SET toolkit. Select Social-Engineering Attacks to receive a listing of possible attacks that can be performed.


Here I start with the Website Vectors. Enter 2 to move to the next menu. For this example, on the list, we will take a look at the third option, Credential Harvester Attack Method. The following menu provides three options. We will be using one of the provided templates for this example:

The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the same web application that you were attempting to clone. The IP address the user needs to enter is the IP address of Kali Linux, which can be found using the following command:

ifconfig -a

For instance, the IP address of my machine comes out as 10.0.2.15. Enter the URL to clone, for example, http://www.facebook.com, as shown in the following screenshot:



Now we have created a cloned Facebook login page that is listening on port 80. We can check the source code of the clone of the website that we have created for the phishing attack. It is stored at /usr/share/set/src/program_junk/Web Clone/~Index.html. This is the source of the web page the attacker has cloned through the SET toolkit. Navigate to the 127.0.0.1:80 (localhost port 80) URL in the browser. The phishing page is hosted on your machine's IP address. This IP address needs to be sent to the target; it can be sent through an e-mail or can be uploaded on any web hosting site. Once the user visits the link and enters the username and password, the login credentials are redirected to the Kali Linux server that we have set up, as shown in the preceding screenshot.

Snowden Reveals : Projects to Profile YOU

1.  Documents revealed by Edward Snowden pertaining to the National Security Agency (NSA), US surveillance programs and US Intelligence Community partners abroad were released about a year back and revealed a horde of code-named projects that were all intruding into our lives in some way or the other. This post brings out a glossary of the code-named PROJECTS along with a small brief of what the intent of each project was. These have been listed here after I read "The Snowden Files" by Luke Harding. This long list is actually a minuscule part of the thousands of hidden projects which are all after every bit of info that we share digitally: Skype, SMS, MMS, WhatsApp, fax, emails, chat, photos etc. That's all in all everything!!!!!


Blackfoot

The codename given to an NSA operation to gather data from French diplomats' offices at the United Nations in New York and this information was collected from bugged computer screens.

Accumulo

The name given to an open-source database created by the National Security Agency (NSA) but later made available to others via the Apache Foundation. It stores large amounts of structured and unstructured data across many computers and can use it to create near real-time reports.

Blackpearl

The NSA has been spying on Petrobras, Brazil's largest oil company, through the "Blackpearl" program that extracts data from private networks.

Evening Esel

The NSA conducts its surveillance of telephone conversations and text messages transmitted through Mexico's cell phone network under the internal code name "Eveningeasel."

Angry Birds

Leaked documents indicate that the NSA and GCHQ routinely try to gain access to personal data from Angry Birds and other mobile applications.

Bullrun/Edgehill

The revelations claim that "vast amounts of encrypted Internet data which have up till now been discarded are now exploitable" through Bullrun, a clandestine, highly classified decryption program run by the United States National Security Agency (NSA); the British signals intelligence agency Government Communications Headquarters (GCHQ) runs a similar program codenamed Edgehill.

Boundless Informant

A tool used by the NSA to analyse the metadata it holds. It aims to let analysts know what information is currently available about a specific country and whether any trends can be deduced.

Cheesy Name

A GCHQ program designed to identify encryption keys that could be cracked by the agency's computers.

Dishfire

The codename for a system used to process and store SMS message data. A leaked 2011 NSA presentation, published by the Guardian, indicated it was used to collect about 194 million texts a day, adding that the content was shared with GCHQ.

Dropmire

The name for a way to bug security-enhanced fax machines to provide the NSA with access to documents that have passed through encrypted fax machines based in other countries' foreign embassies.

Genie

An NSA programme, identified in a leaked memo analysed by the Washington Post, which is said to involve the remote delivery of spyware to devices on foreign-controlled networks.

Marina

The NSA's tool to gather metadata about the online activity of targets and other internet users. The Marina metadata application tracks a user's browser experience, gathers contact information/content and develops summaries of the target.

Thinthread

A proposed NSA system to chart relationships between people in real-time.

Muscular

A joint project operated by the NSA and GCHQ used to intercept data from the cable links that Google and others use to connect up their computer servers, which are located across the world.

Fallout

Identified by an alleged NSA slide, the term appears to refer to an effort to screen out metadata collected about US citizens as part of the Prism programme before it is analysed by the Marina and Mainway systems.

Nucleon

An NSA tool used to analyse voice data gathered via the Prism programme.

EgotisticalGiraffe

The alleged codename given to an NSA effort to track users of Tor (The Onion Router) - a project that aims to let people browse the web anonymously by bouncing their traffic through other people's computers.

Perdido

The codename for an NSA surveillance operation targeting the EU's offices in New York and Washington.

Prism

A surveillance system launched in 2007 by the NSA allows the organization to "receive" emails, video clips, photos, voice and video calls, social networking details, log-ins and other data held by a range of US internet firms including Apple, AOL, Facebook, Google (including YouTube), Microsoft (including Skype), Paltalk and Yahoo.

QuantumInsert

A technique used to redirect a target's computer to a fake website where it can be infected with malware.

Stellarwind

A metadata-collecting scheme from communications in which at least one party was outside the US, and none of the other parties could be known to be US citizens.
 
Tempora

The codename given to an operation to create a "buffer" to allow huge amounts of data to be temporarily stored for analysis and is run by GCHQ to hold content gathered from tapped fibre-optic cables for three days and metadata for 30 days so that both it and the NSA can search and analyse it before details are lost.

FoxAcid

A tool reportedly used by the NSA to study what vulnerabilities a target's computer has. It then uses this knowledge to infect the machine with malware via a web browser.

 

Sunday, July 27, 2014

Harden PRIVACY : PRIVACY BADGER Tool

1.    Till a few years back, PRIVACY as a word meant the state of being free from unsanctioned intrusion into your physical life by your peers/friends/strangers, but the whole meaning has taken a new dimension since Snowden released his HIDDEN FILES last year around June. Today not only the NSA but a plethora of third-party agencies are after you all, to track you, profile you, read you. Though in my earlier posts here I had given a mention of a few tools like disconnect.me, Adblock Plus, Ghostery etc., with time technology has further improved, and here in this post I discuss PRIVACY BADGER, a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web. If an advertiser seems to be tracking you across multiple websites without your permission, Privacy Badger automatically blocks that advertiser from loading any more content in your browser. To the advertiser, it's like you suddenly disappeared. Looks interesting!!!



3.   Once installed, as seen above, we get a red hexagon indicating it is installed, and this has colour indicators as follows:
  • Green means there's a third-party domain, but it hasn't yet been observed tracking you across multiple sites, so it might be unobjectionable. When you first install Privacy Badger every domain will be in this green state, but as you browse, domains will quickly be classified as trackers.
  • Yellow means that the third-party domain appears to be trying to track you, but it is on Privacy Badger's cookie-blocking "whitelist" of third-party domains that, when analyzed, seemed to be necessary for Web functionality. In that case, Privacy Badger will load content from the domain but will try to screen out third-party cookies and supercookies from it.
  • Red means that content from this third-party tracker has been completely disallowed.
4.   It is currently available for Chrome; here I have used the beta for the Mozilla browser, though the site says they will soon release the extension for other browsers including Opera and Safari too!
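As an added example (not Privacy Badger's own code), the heuristic behind the three colours described above can be written in a few dozen lines: for each third-party domain, count the distinct first-party sites on which it was seen setting a cookie, call it a tracker once that count reaches a threshold, and then pick yellow or red depending on whether it is on the cookie-blocking list. The threshold of three sites, the last-two-labels shortcut for the base domain, the contents of the cookie-block list and all hostnames are assumptions constructed for this example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption for this example: a third party seen tracking on this many distinct sites is a tracker.
TRACKING_THRESHOLD = 3
# Constructed stand-in for the cookie-blocking "whitelist" of domains needed for site function.
COOKIEBLOCK_LIST = {"widgets.example"}


def base_domain(hostname):
    """Crude eTLD+1 (last two labels); a real extension consults the Public Suffix List."""
    return ".".join(hostname.lower().split(".")[-2:])


class TrackerHeuristic:
    """Learn which third parties follow the user across sites; classify them green/yellow/red."""

    def __init__(self):
        self.sites_seen = defaultdict(set)   # third-party base domain -> first-party sites

    def observe(self, page_url, request_url, sets_cookie):
        """Record one request made while viewing page_url."""
        page = base_domain(urlsplit(page_url).hostname)
        third = base_domain(urlsplit(request_url).hostname)
        if third == page:
            return                           # first-party request, never counted
        if sets_cookie:                      # "tracking" here = an identifier (cookie) on a third-party request
            self.sites_seen[third].add(page)

    def classify(self, hostname):
        third = base_domain(hostname)
        if len(self.sites_seen.get(third, set())) < TRACKING_THRESHOLD:
            return "green"                   # third party, not yet seen tracking across enough sites
        if third in COOKIEBLOCK_LIST:
            return "yellow"                  # tracker, but needed for site function: load it, strip cookies
        return "red"                         # tracker: block all content from it

    def decide(self, page_url, request_url):
        """What the add-on does with one outgoing request: allow, strip cookies, or block."""
        host = urlsplit(request_url).hostname
        if base_domain(host) == base_domain(urlsplit(page_url).hostname):
            return "allow"
        return {"green": "allow", "yellow": "cookieblock", "red": "block"}[self.classify(host)]


def sample_session():
    """Constructed browsing session: three sites, each embedding the same third parties."""
    h = TrackerHeuristic()
    for page in ("https://news.example/", "https://shop.example/cart", "https://blog.example/post/1"):
        h.observe(page, "https://pixel.adtracker.example/p.gif", sets_cookie=True)   # ad tracker
        h.observe(page, "https://cdn.widgets.example/embed.js", sets_cookie=True)    # needed widget
        h.observe(page, "https://static.news.example/logo.png", sets_cookie=True)    # first-party on news only
    h.observe("https://news.example/", "https://maps.partner.example/tile.png", sets_cookie=True)
    return h


if __name__ == "__main__":
    h = sample_session()
    for host in ("pixel.adtracker.example", "cdn.widgets.example", "maps.partner.example", "static.news.example"):
        print(host, h.classify(host))
```

Note that static.news.example stays green even though it set cookies on three pages: on news.example it is first-party and is never counted, so only two cross-site observations remain, which is exactly the "not yet observed tracking you across multiple sites" state the post describes.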

Saturday, July 26, 2014

Kali Linux 1.0.8 - New Release Supports UEFI Boot

1.    The long-awaited Kali Linux USB UEFI boot support feature has been added to the newly released Kali Linux 1.0.8. This new feature simplifies getting Kali installed and running on more recent hardware which requires EFI, as well as various Apple MacBook Air and Retina models.

2.   If you already have Kali installed on your system, you need not download the new setup, since it can easily be upgraded to the latest version of Kali Linux using the following commands:

    root@kali:~# apt-get update
    root@kali:~# apt-get dist-upgrade



Wednesday, July 23, 2014

Determining Network Range @ Kali Linux

This post will focus on determining the IP address range of the target network. Here I will explore the tools needed to achieve it.

Let's begin the process of determining the network range by opening a terminal window:

1.     DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux command line application coded in the C language. DMitry has the ability to gather as much information as possible about a host. Base functionality is able to gather possible subdomains, email addresses, uptime information, TCP port scan, whois lookups, and more. The information is gathered with the following methods:
 
    - Perform an Internet Number whois lookup.
    - Retrieve possible uptime data, system and server data.
    - Perform a SubDomain search on a target host.
    - Perform an E-Mail address search on a target host.
    - Perform a TCP Portscan on the host target.
    - A modular program allowing user-specified modules.

2.     Open a new terminal window and issue the following command:

dmitry -wnspb targethost.com -o /root/Desktop/dmitry-result

3.     When finished, we should now have a text document on the desktop with filename dmitry-result.txt, filled with information gathered from the target:





4.    To issue an ICMP netmask request, type the following command:

netmask -s targethost.com

 
5.    Using scapy, we can issue a multiparallel traceroute. To start it, type the
following command:
scapy

6.    Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping + ARP cache poisoning, VoIP decoding on a WEP-encrypted channel, ...), etc. With scapy started, we can now enter the following function:

ans,unans=sr(IP(dst="www.targethost.com/30", ttl=(1,6))/TCP())


7.    To exit scapy, type the following function:

exit()
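The netmask -s step above relies on the ICMP address-mask request/reply pair (types 17 and 18, RFC 950), and the /30 handed to scapy is just a way of naming the four addresses around the target. The following Python is an added example (not from the book, nor from the netmask or scapy tools) that builds the mask request with a correct checksum, validates a constructed reply, and derives the network, usable host range and broadcast address from a host address plus the returned mask. The addresses 203.0.113.x and the mask 255.255.255.252 are constructed sample values; sending the request on a real network needs a raw socket and privileges, which the block deliberately does not do.

```python
import ipaddress
import struct

ICMP_MASK_REQUEST, ICMP_MASK_REPLY = 17, 18     # RFC 950 address-mask message types


def icmp_checksum(data):
    """One's-complement checksum over 16-bit words (RFC 1071), as used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_mask_request(ident=1, seq=1):
    """Bytes of the ICMP message `netmask -s` sends: type 17, code 0, id, seq, zeroed mask."""
    body = struct.pack("!BBHHH4s", ICMP_MASK_REQUEST, 0, 0, ident, seq, b"\x00" * 4)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_mask_reply(pkt):
    """Validate a type-18 reply; return (mask as dotted quad, id, seq)."""
    if len(pkt) < 12:
        raise ValueError("truncated ICMP message")
    mtype, _code, _csum, ident, seq, mask = struct.unpack("!BBHHH4s", pkt[:12])
    if mtype != ICMP_MASK_REPLY:
        raise ValueError(f"unexpected ICMP type {mtype}")
    if icmp_checksum(pkt[:12]) != 0:          # recomputing over the whole message must give zero
        raise ValueError("bad ICMP checksum")
    return str(ipaddress.IPv4Address(mask)), ident, seq


def network_range(host_ip, netmask):
    """Derive the block a host belongs to from its address and mask (what the scan is after)."""
    net = ipaddress.IPv4Network(f"{host_ip}/{netmask}", strict=False)   # strict=False masks host bits
    hosts = list(net.hosts())
    return {
        "network": str(net),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": len(hosts),
    }


def make_sample_reply(request, netmask):
    """Constructed reply a router might send to `request` (not a real capture)."""
    _t, _c, _s, ident, seq, _m = struct.unpack("!BBHHH4s", request[:12])
    body = struct.pack("!BBHHH4s", ICMP_MASK_REPLY, 0, 0, ident, seq,
                       ipaddress.IPv4Address(netmask).packed)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


if __name__ == "__main__":
    req = build_mask_request(ident=0x1234, seq=1)
    mask, _, _ = parse_mask_reply(make_sample_reply(req, "255.255.255.252"))
    print(mask, network_range("203.0.113.1", mask))
```

Most modern hosts ignore address-mask requests, so an empty result from this step is normal and not a sign of a misconfigured tool; the range computation is still useful once the mask is known from any other source, and the same host list is what scapy's "/30" destination expands to.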
