Tuesday, 16 June 2020

Social Mapper.

Open Source Intelligence.

The world today abounds in open information to an extent once unimaginable to intelligence work.

Social Mapper is an Open Source Intelligence Tool that uses facial recognition to correlate social media profiles across different sites on a large scale.

What Social Mapper actually does is log in to different social networks, search them for your target, and generate a report (a picture linked to the various social network sites) in CSV and HTML format. This helps us build attack strategies, phishing campaigns and social engineering campaigns, and also helps to find fake accounts, duplicate accounts, etc. The good part is that you don't need any API access or deep database access: all you need is a standard user account. The tool logs in with the accounts you provide and looks for the specific people you are searching for on that social network.

What's interesting about it is that it actually takes a photograph of a person and uses facial recognition to pinpoint that exact person.

So if you are a pentester looking for a particular employee X and want to dig through LinkedIn for them, there may be thousands of people with that name; but if we have a photograph of employee X, we can apply facial recognition to that photograph and find the exact employee X we are looking for in an automated fashion. It allows us to dig through social networks, find very specific people using facial recognition techniques, and then pull back that information for a complete social map. In the past we've seen that in over 55% of the compromises we investigated, the initial foothold was gained through a social engineering attack of some sort, so we want to make sure we're emulating the exact same techniques that criminals use to attack organizations, in order to develop security awareness and better secure those customers.

Supported platforms

Follow these commands to install and run the Social Mapper tool.
wget https://github.com/mozilla/geckodriver/releases/download/v0.26.0/geckodriver-v0.26.0-linux32.tar.gz
tar -xvzf geckodriver-v0.26.0-linux32.tar.gz
sudo cp geckodriver /usr/bin
sudo apt-get install build-essential cmake
sudo apt-get install libgtk-3-dev
sudo apt-get install libboost-all-dev
git clone https://github.com/Greenwolf/social_mapper.git
cd social_mapper
python3 -m pip install --no-cache-dir -r requirements.txt
leafpad social_mapper.py
# Example 1: run this command to begin our search.
python3 social_mapper.py -f imagefolder -i ./mytargets -m fast -fb -tw

Our search results are stored in CSV and HTML format.

There are different switches to try and play with.

Thank you for reading the post. Stay safe and visit again for new posts. :)

Monday, 1 June 2020

Installing Docker in Kali Linux

What is Docker?

Docker is a set of platform as a service products that use OS-level virtualization to deliver software in packages called containers. Containers are isolated from one another and bundle their own software, libraries and configuration files; they can communicate with each other through well-defined channels.
  • Docker allows you to build and deploy applications and services in the form of containers.
  • It is a platform as a service offering that utilizes the host OS kernel, as opposed to a traditional VM, where an OS has to be installed for every virtual machine.
  • The containers contain the dependencies and libraries that an application or service needs to run, therefore eliminating the need to install dependencies manually.
  • Docker containers are much more efficient than VMs as they utilize the host OS.

Why Docker?

Docker, as a platform as a service, uses the host operating system kernel, compared to traditional VMs where you have to install a guest operating system on top of the host operating system for each virtual machine. Another advantage is that containers contain the dependencies and libraries that an application or service needs to run, eliminating the need to install the dependencies manually. What this means is that if you're a developer of a tool, an environment, an operating system or a web application, you can use Docker to create Docker images that can then be turned into Docker containers: you set up the service or application in the form of an image that can then be run as a container on a platform.

Install Docker

Step 1: Import Docker GPG key:

curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -

Step 2: Add the Docker repository to Kali Linux

echo "deb [arch=amd64] https://download.docker.com/linux/debian buster stable" | sudo tee /etc/apt/sources.list.d/docker.list

Step 3: Install Docker on Kali Linux
$ sudo apt update
Ign:1 http://dl.google.com/linux/chrome/deb stable InRelease
Get:3 https://download.docker.com/linux/debian buster InRelease [44.4 kB]
Hit:2 http://kali.download/kali kali-rolling InRelease
Hit:4 http://dl.google.com/linux/chrome/deb stable Release
Get:5 https://download.docker.com/linux/debian buster/stable amd64 Packages [10.9 kB]
Fetched 55.3 kB in 1s (45.2 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
$ sudo apt install docker-ce

After installation, the Docker service will be started but not enabled (i.e. it will not start automatically after a reboot). To start it:

systemctl start docker

To start Docker automatically upon reboot:
systemctl enable docker

Thursday, 23 April 2020

Finding Attacker Geolocation [ There was never a good war, or a bad peace ]

Geolocating an IP address

Finding the location of an IP address helps in tracking the origin of an attack. Thanks to Gorjan Petrovski, one of the active members of the Nmap community, who submitted three Nmap NSE scripts that help us find the geolocation of a remote IP address.
The script names are
  1. ip-geolocation-maxmind
  2. ip-geolocation-ipinfodb
  3. ip-geolocation-geobytes
For the script ip-geolocation-maxmind there is no built-in database, so we need to download the external database from http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz.
  After downloading, unzip it into the Nmap data folder
  File path: $NMAP_DATA/nselib/data/
For ip-geolocation-ipinfodb we need an API key to send the requests and get the desired results; we can get the key from http://ipinfodb.com/register.php. I will be using ip-geolocation-ipinfodb because we can make any number of query requests to the service provider. If you have a little bit of experience in writing scripts, you can add your own service provider.

Let's run the command and find the target.

nmap --script ip-geolocation-ipinfodb --script-args ip-geolocation-ipinfodb.apikey=xxxxxxxxxxxxx 50.116.1.xxx

22/tcp  closed ssh
80/tcp  open   http
113/tcp closed ident

Host script results:
| 50.116.1.xxx (Attacker)
|   coordinates (lat,lon): 39.489898681xxx,-74.47730255xxx
|_  state: Targetaddress, Galloway, NJ, USA

Nmap done: 1 IP address (1 host up) scanned in 8.71 seconds
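When this output is fed into an incident ticket or a SIEM, the "Host script results" block is what needs to be picked apart. The following is an added example (not part of the post or of Nmap) that parses that block in the layout shown above into one record per host and sanity-checks the coordinates; the sample output is constructed, with made-up IP and coordinates.

```python
import re

# Constructed sample of nmap normal output with the "Host script results"
# block that ip-geolocation-ipinfodb prints (same layout as in the post;
# the IP and coordinates are made-up values, not the post's).
SAMPLE_NMAP_OUTPUT = """\
22/tcp  closed ssh
80/tcp  open   http
113/tcp closed ident

Host script results:
| 192.0.2.10 (Attacker)
|   coordinates (lat,lon): 40.7128,-74.0060
|_  state: Anytown, NJ, USA

Nmap done: 1 IP address (1 host up) scanned in 8.71 seconds
"""

HOST_RE = re.compile(r"^\|\s+(\d{1,3}(?:\.\d{1,3}){3})\b")
COORD_RE = re.compile(r"coordinates \(lat,lon\):\s*(-?\d+(?:\.\d+)?),\s*(-?\d+(?:\.\d+)?)")
STATE_RE = re.compile(r"state:\s*(.+?)\s*$")


def parse_geolocation(output):
    """Return one dict per geolocated host: {ip, lat, lon, state}."""
    results, current = [], None
    for line in output.splitlines():
        if not line.startswith("|"):           # left the script result block
            if current is not None:
                results.append(current)
                current = None
            continue
        host = HOST_RE.match(line)
        if host:                               # "| <ip> (...)" opens a host record
            if current is not None:
                results.append(current)
            current = {"ip": host.group(1), "lat": None, "lon": None, "state": None}
            continue
        if current is None:
            continue
        coord = COORD_RE.search(line)
        if coord:
            current["lat"], current["lon"] = float(coord.group(1)), float(coord.group(2))
            continue
        state = STATE_RE.search(line)
        if state:
            current["state"] = state.group(1)
    if current is not None:
        results.append(current)
    return results


def plausible(rec):
    """Reject records whose coordinates fall outside valid lat/lon ranges."""
    return (rec["lat"] is not None and rec["lon"] is not None
            and -90 <= rec["lat"] <= 90 and -180 <= rec["lon"] <= 180)
```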

Thanks for reading out. Don't forget to check my previous posts.

Sunday, 19 April 2020

Exploiting 3D Printers. [ Internet Of Things ]

"The IoT is next Big thing because 'Reach out and touch somebody' is becoming 'reach out and touch everything'."

Nowadays everything is getting connected to the internet; we call it IoT. Even a toothbrush is connected to the internet: it shows me when I brushed, how long I brushed, and how much dirt is on my teeth, calculated by measuring the friction between my teeth and the brush. With merits come demerits. Being connected to the internet means you are opening a bridge; if proper controls are not there, anyone can come in. Hackers can compromise the brush to make it do unintended things, or even take over the entire home network. Nowadays this is no longer fiction. Presently hackers are targeting 3D printers by changing the max temperature to a higher value, which leads to the printer overheating and catching fire.

I tested my friend's 3D printer remotely with his permission. What I did was change the max value from 240 degrees to 245 to play on the safer side, because I didn't want to burn my friend's printer. So basically there are two strategies we can follow: locally or remotely.

Exploit Locally

1. Get access to the Wi-Fi network the 3D printer is connected to.
2. ARP spoof the 3D printer using Bettercap so that its firmware update request to the server passes through us.
3. DNS spoof the address of the public firmware repository so that we act as the real server; when the printer requests a firmware update, we pass the malicious firmware to the 3D printer.
4. Host the malicious firmware at the spoofed address.
5. Wait for the owner to update their firmware, or get them to do it by social engineering.
6. Move the head to the plastic side of the printer, because plastic is easily susceptible to catching fire.

The 3D printer we are targeting listens on port 8899 with no authentication; this is very common with 3D printers. The port takes G-code commands for performing actions such as increasing the temperature.

Exploit Remotely

 1. Search for a 3D printer via the Shodan search engine.
 2. Connect to port 8899 (no authentication needed) via netcat.
 3. Echo the G-code command, and also move the head to the plastic side of the printer, because plastic is easily susceptible to catching fire.
 The command looks like
   echo -e "~M109 S260\r\n" > /dev/ttyS11

 snippet of firmware code

As we can see, the IPFINDERPlusISP files take the hex value as an argument; this makes room for us to pass our desired value to burn the printer. In a future post I will try to cover in much more detail how to exploit a 3D printer; till then, stay safe.
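The defensive counterpart to the M109 command above is to refuse it before it reaches the printer. The following is an added example (not code from the post or from any printer's firmware) of a guard that a gateway in front of the printer's port 8899 could apply to each incoming G-code line, rejecting hotend commands above the 240 degree limit the post mentions. M104/M109/M140/M190 are standard G-code temperature commands; the bed limit is an assumption, and the sample command stream is constructed.

```python
import re

# Limit taken from the post: the printer's hotend maximum was 240 C.
MAX_HOTEND_C = 240
# Bed ceiling is an assumption for illustration; adjust per printer.
MAX_BED_C = 110
# Standard G-code temperature commands: M104/M109 set the hotend
# (M109 waits), M140/M190 set the bed (M190 waits).
HOTEND_CMDS = {"M104", "M109"}
BED_CMDS = {"M140", "M190"}

# Optional "~" prefix as seen on the post's printer, then the command word.
CMD_RE = re.compile(r"^~?\s*([GM]\d+)\b(.*)$", re.IGNORECASE)
TEMP_RE = re.compile(r"\bS(-?\d+(?:\.\d+)?)", re.IGNORECASE)


def check_gcode(line):
    """Return (allowed, reason) for one raw line received on port 8899."""
    text = line.split(";", 1)[0].strip()     # drop G-code comments and CRLF
    m = CMD_RE.match(text)
    if not m:                                 # unparseable input fails closed
        return False, "not a G-code command"
    cmd, rest = m.group(1).upper(), m.group(2)
    if cmd in HOTEND_CMDS or cmd in BED_CMDS:
        limit = MAX_HOTEND_C if cmd in HOTEND_CMDS else MAX_BED_C
        t = TEMP_RE.search(rest)
        if not t:
            return False, f"{cmd} without S parameter"
        temp = float(t.group(1))
        if temp > limit:
            return False, f"{cmd} S{temp:g} exceeds limit {limit} C"
    return True, "ok"


def filter_stream(lines):
    """Split a sequence of commands into those to forward and those to drop."""
    accepted, rejected = [], []
    for line in lines:
        ok, reason = check_gcode(line)
        (accepted if ok else rejected).append((line.strip(), reason))
    return accepted, rejected


# Constructed sample: a normal move, a sane hotend command, then the
# overheating command from the post.
SAMPLE_STREAM = ["G1 X10 Y10 F3000\r\n", "~M104 S200\r\n", "~M109 S260\r\n"]
```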

Friday, 17 April 2020

Forensics with Kali Linux [It's a capital mistake to theorize before one has data.]

The crime was committed and we found the culprit. Now we need to collect the evidence from his machine. So before starting the evidence collection, consider the following facts.
  • Never touch anything; understand exactly what you are getting into.
  • Are you qualified to handle this investigation?
  • Do you have all the tools and resources needed?

Technical order of volatility.


  • Understand the order of volatility.
  • CPU, cache and register contents
  • Routing table, ARP cache, process table, kernel statistics
  • Memory
  • Temporary file systems / swap space
  • Data on hard disk
  • Remotely logged data
  • Data contained on archival media

Collecting evidence

  • Photograph the computer and the scene
  • If the computer is off, don't turn it on
  • If the computer is on, photograph the screen
  • Collect live data: start with a RAM image and then collect other live data as required, such as network connection state, logged-on users, currently executing processes, etc.
  • If hard disk encryption is detected (using a tool like Zero View), such as full disk encryption, i.e. PGP Disk, collect a "logical image" of the hard disk using dd.exe or Helix locally, or remotely via F-Response
  • Unplug the power cord from the back of the tower; if the machine is a laptop and does not shut down when the cord is removed, remove the battery
  • Diagram and label the cords
  • Document all device model numbers and serial numbers

  • Disconnect all cords and devices
  • Check for an HPA, then image the hard drive using a write blocker, Helix or a hardware imager
  • Package all components (anti-static evidence bags)
  • Seize all additional storage media (create the respective image and place the original device in anti-static evidence bags)
  • Keep all media away from magnets, radio transmitters and other potentially damaging elements
  • Collect instruction manuals, documentation and notes
  • Document all steps used in the seizure.

Mount the drives for data extraction.

Now get your hands dirty on Kali Forensic tools. 

Mounting an external hard drive on Kali

fdisk -l
What this command does is let me examine all disk drives connected to Kali Linux.

Kali sees every mounted device as an sd device. The first device is "a", the second device is going to be "b", and so on.
Kali Linux will view sda as the first device.

As you can see in the screenshot above, there are sda1, sda2 and sda5; all are partitions.
What Kali does is number the partitions sda1, sda2 and sda5. sda5 is a Linux swap partition, which is nothing but paging in a computer system.

When I hit more you can see it also shows my plugged-in external drive sdb1.

Let's use a command line tool to copy the disk bit by bit.
dcfldd if=/dev/sda hash=md5 of=/media/diskimage.dd bs=512 conv=noerror,sync

Let's break the command down and understand it.

if=/dev/sda is the input device, in this case /dev/sda.
hash=md5 tells the command to calculate the MD5 hash of the image, which we can use to verify the image's integrity.
of=/media/diskimage.dd is the file where the disk image will go, in this case on the external device mounted at /media.
bs=512 tells the command we want to transfer the image 512 bytes at a time.
conv=noerror,sync tells the command to continue the transfer when a read error occurs instead of aborting, and to write zeros where the error occurred so that the rest of the image keeps its correct offsets.

Thank you for reading.

Thursday, 16 April 2020

Exploiting Java RMI Server

A long time back, while I was doing a pentest, I came across the Java RMI server insecure default configuration Java code execution vulnerability. I still find this vulnerability on many machines while doing enumeration; the same bug is hidden inside them waiting for someone to exploit it. Let's first discuss the vulnerability, and later we can exploit it.

RMI stands for Remote Method Invocation. RMI allows an object in one system to access objects running in another system; it helps establish a remote connection between Java programs.

The Java Remote Invocation service allows running and executing Java classes from a remote URL using RMI.

Java RMI is a remote method invocation service that allows a remote user to run arbitrary Java classes through the class loader, which gives the attacker an advantage. Attackers can use Java classes to write and run various commands and can also get stored passwords from memory. By default, RMI services run with high privileges under the user context.

What is the solution for it?
At least you need to upgrade to Java 7 Update 21 (7u21), because in this version the RMI property java.rmi.server.useCodebaseOnly defaults to true. Setting this property to true prevents the client VM from dynamically loading byte code from a remote codebase.

Now I think this information is enough to go and exploit the target machine.

Let's run our all-time favorite Nmap tool
nmap -sV


Yes, we found java-rmi running on port 1099.

The good thing is we don't need to write exploitation code for it because it already exists in Metasploit. Let's use it
use exploit/multi/misc/java_rmi_server

All parameters are set.
Ammo is loaded; it's time to fire it up.

We are in the machine as root, isn't that great? :)
I have shared a good cheat sheet about Java deserialization; it will come in handy for pentesters and researchers. Thank you for reading.

Wednesday, 15 April 2020

Hacking CCTV Camera [ Physical Security ]

"Be careful with a surveillance camera; if it is not secured properly, it could turn into something else."

Security cameras are all wall-mounted and are set up with default parameters. These cameras can be hacked because of improper mounting, no physical security and insecure connections to the camera devices.

Stuff required
LAN Tap:
A LAN Tap is a device with two different Ethernet ports that allows you to see any traffic flowing between them.

Wireshark is a free open-source packet analyzer.

LAN Tap connected to the camera footage cable and the router cable.

We just take the cable that goes to the router and plug it in, and the other cable goes to the device that is looking at the camera footage; this will power up our device. It will not only allow us to access the network we want to but also intercept the traffic to extract the images from the security camera.
Plug and Play
It's time to plug the device into our laptop and check the LAN Tap connectivity status in the terminal.
ifconfig | grep eth

Yep, it's showing up.
Now we need to run Wireshark to capture the packets from the camera monitor traffic.
We will be selecting Ethernet 1.

There will be a lot of traffic passing through; we are looking for HTTP packets.

If you are seeing a JPG image, that means somebody is accessing an insecure web portal, because that is the default parameter set in most web camera control panels. Since we have been intercepting for a long time now, we can go ahead and save the captured packets we are interested in.

As you can see, we intercepted a lot of images.

I will save them on the Desktop.

Let us see what we have captured.

The main cause of this type of attack is the lack of physical security. To protect against such attacks, a formal or informal physical inspection needs to be carried out.