Fare well Jamshoro : June 2020

Tuesday, June 30, 2020

Top 12 Best Websites To Learn Ethical Hacking 2018

Hakin9: E-magazine offering in-depth looks at both attack and defense techniques and concentrates on difficult technical issues.
KitPloit: Leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security.
The Hacker News: The Hacker News — most trusted and widely-acknowledged online cyber security news magazine with in-depth technical coverage for cybersecurity.
Phrack Magazine: Digital hacking magazine.
Packet Storm: Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers.
HackRead: HackRead is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance, and Hacking News with full-scale reviews on Social Media Platforms.
SecurityFocus: Provides security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.
NFOHump: Offers up-to-date .NFO files and reviews on the latest pirate software releases.
SecTools.Org: List of 75 security tools based on a 2003 vote by hackers.
Metasploit: Find security issues, verify vulnerability mitigations & manage security assessments with Metasploit. Get the worlds best penetration testing software now.
Exploit DB: An archive of exploits and vulnerable software by Offensive Security. The site collects exploits from submissions and mailing lists and concentrates them in a single database.
Hacked Gadgets: A resource for DIY project documentation as well as general gadget and technology news.

Thursday, June 11, 2020

BASICS OF METASPLOIT – BASIC COMMANDS OF METASPLOIT

Metasploit is an advanced hacking tool that comes itself with a complete lack of advanced penetration testing tools. Penetration testers and hackers are taking so much advantage of this tool. It's a complete hack pack for a hacker that he can play almost any attack with it. Here I am going to discuss the basics of Metasploit. I am not covering attacks in this article, as I am just making sure to share the basics of Metasploit and basic commands of Metasploit. So, we can get back to cover attacks of Metasploit in the next articles.

BASICS OF METASPLOIT

The Metasploit framework has three types of working environments.

msfconsole
msfcli interface
msfweb interface

However, the most preferred and used is the 'msfconsole'. It's a very efficient command-line interface that has its own set of commands and system's working environment.

First of all, it's most important to know and understand all the useful commands of Metasploit that are going to be used.

BASIC COMMANDS OF METASPLOIT

Metasploit have a huge number of command that we can use in different type of attacks, but I am just going to share the most used and useful commands here that a beginner can easily understand and follow 'em.

help (It will give the basic commands you need to launch an exploit.
search (Finds out the keywords in the selected attack method).
show exploits (Shows list of an available exploit in the selected option).
show payloads (It lists all the payloads available).
show options (It helps you to know all the options if you might have forgotten one).
info (This is used to get information about any exploit or payload).
use (It tells Metasploit to use the exploit with the specified name).
set RHOST (Sets the address of specified remote host).
set RPORT (Sets up a port that connects to on the remote host).
set PAYLOAD (It sets the payload that gives you a shell when a service is exploited).
set LPORT (Sets the port number that the payload will open on the server when an exploit is exploited).
exploit (It actually exploits the service).
rexploit (Reloads your exploit code and then executes the exploit without restarting the console).

These are the most used Metasploit commands which come in handy in most of the situations during any sort of attack. You must give all the commands a try and understand 'em how it works and then move to the next part of designing an attack.

Related word

Extending Your Ganglia Install With The Remote Code Execution API

Previously I had gone over a somewhat limited local file include in the Ganglia monitoring application (http://ganglia.info). The previous article can be found here -
http://console-cowboys.blogspot.com/2012/01/ganglia-monitoring-system-lfi.html

I recently grabbed the latest version of the Ganglia web application to take a look to see if this issue has been fixed and I was pleasantly surprised... github is over here -
https://github.com/ganglia/ganglia-web
Looking at the code the following (abbreviated "graph.php") sequence can be found -

$graph = isset($_GET["g"]) ? sanitize ( $_GET["g"] ) : "metric";
....
$graph_arguments = NULL;
$pos = strpos($graph, ",");
$graph_arguments = substr($graph, $pos + 1);
....
eval('$graph_function($rrdtool_graph,' . $graph_arguments . ');');

I can only guess that this previous snippet of code was meant to be used as some sort of API put in place for remote developers, unfortunately it is slightly broken. For some reason when this API was being developed part of its interface was wrapped in the following function -

function sanitize ( $string ) {
return escapeshellcmd( clean_string( rawurldecode( $string ) ) ) ;
}

According the the PHP documentation -
Following characters are preceded by a backslash: #&;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and " are escaped only if they are not paired. In Windows, all these characters plus % are replaced by a space instead.

This limitation of the API means we cannot simply pass in a function like eval, exec, system, or use backticks to create our Ganglia extension. Our only option is to use PHP functions that do not require "(" or ")" a quick look at the available options (http://www.php.net/manual/en/reserved.keywords.php) it looks like "include" would work nicely. An example API request that would help with administrative reporting follows:
http://192.168.18.157/gang/graph.php?g=cpu_report,include+'/etc/passwd'

Very helpful, we can get a nice report with a list of current system users. Reporting like this is a nice feature but what we really would like to do is create a new extension that allows us to execute system commands on the Ganglia system. After a brief examination of the application it was found that we can leverage some other functionality of the application to finalize our Ganglia extension. The "events" page allows for a Ganglia user to configure events in the system, I am not exactly sure what type of events you would configure, but I hope that I am invited.

As you can see in the screen shot I have marked the "Event Summary" with "php here". When creating our API extension event we will fill in this event with the command we wish to run, see the following example request -
http://192.168.18.157/gang/api/events.php?action=add&summary=<%3fphp+echo+`whoami`%3b+%3f>&start_time=07/01/2012%2000:00%20&end_time=07/02/2012%2000:00%20&host_regex=

This request will set up an "event" that will let everyone know who you are, that would be the friendly thing to do when attending an event. We can now go ahead and wire up our API call to attend our newly created event. Since we know that Ganglia keeps track of all planned events in the following location "/var/lib/ganglia/conf/events.json" lets go ahead and include this file in our API call -
http://192.168.18.157/gang/graph.php?g=cpu_report,include+'/var/lib/ganglia/conf/events.json'

As you can see we have successfully made our API call and let everyone know at the "event" that our name is "www-data". From here I will leave the rest of the API development up to you. I hope this article will get you started on your Ganglia API development and you are able to implement whatever functionality your environment requires. Thanks for following along.

Update: This issue has been assigned CVE-2012-3448Related posts

10 Best Wifi Hacking Android Apps To Hack Others Wifi (Without Root)

Top 10 Best wifi hacking apps to hack wifi^s.

Today, a smartphone without internet is like a decade ago featured phone which is mainly used to dial and receive the call. No one would even want such a phone today. The Internet is now a necessity for every mobile user. They can't live without the internet and unfortunately; if the Internet is not working due to some signal issues; they get frustrated and sometimes depressed too.

Generally, we need to pay for the Internet subscription package to run mobile data on our smartphone. But what to do if I don't want to spend money on the Internet? The solution is to connect your mobile with WiFi. You can access the internet from there. Easy, right? NO, it's not easy until you know the password of WiFi. But what if you don't know.

Two ways possible in this situation

Either you ask for the password to the owner; he will provide you to use his internet through Wi-Fi
You have to hack the Wi-Fi password of other's network and use the internet as an unauthorized person.

First is not reliable when you don't know the person so, you only have a second option. Today, I am going to share a few apps that help you steal the password and allow you to use the internet from others' account.

1. WiFi WPS WPA Tester

This is the foremost tool to hack the WiFi password without knowing even the root. This is a preferred choice of numerous smartphone users to decipher the pin and get access to the Wi-Fi. As time passes, a tool is upgraded and now even hack the WiFi networks while it was used to check if an access point is highly vulnerable to the rancorous attacks or not.

If you are using Lollipop or above version on your android mobile phone; you don't even need to root your device to crack a WiFi network.

Android App

Pros

Easy to use
Free
Decrypt the password in no time.
Implementation of several algos like Zhao, Arris, Dlink and more.

Cons

Need root access if you are using the version below Lollipop.

2. WPS Connect

Routers which has enabled a WPS protocol can be hacked with this app. The important thing is that almost all routers found in public places and homes fall under this category. In short, you will have what you want. Moreover, you can focus on your router & examine that it's vulnerable to any malicious attack or not. It helps you hack the WiFi password without root and also strengthen your WiFi network.

Once you identify the vulnerable (accessible) network, you can quickly get the password and start using the internet without any hassle. It uses algorithms like easyboxPIN and Zhao. Although, this app is not compatible with various Android phones as it is tested on Android devices like the Galaxy series, Nexus and more.

Android App

Pros

It's free and easy to use
Powerful algorithms (Zhao & easyboxPin) to crack the password
Supports pinning of Wi-Fi routers

Cons

Incompatible with few android devices
Couldn't identify the network automatically.

3. WiFi WPS WPA Tester Premium

This is an excellent app to decrypt the WiFi network password on your android phone. This works fine on rooted & non-rooted android phones. If you can root the Android device; you can have a better chance to hack into. Today, security is the primary concern and so, many people use the highly secured wireless router, I think. For such networks, this app will not work as it should be. But, still it can work for numerous times with the help of WPS; not all the time. Every time, you have to try your luck to get access to other's WiFi network. This WPS WPA tester is a premium apk.

Android App

Pros

Works for both rooted and non-rooted android devices
Find the nearby network and connect your mobile with it.

Cons

It's a premium apk.
You have to try your luck to get access to the nearby network.
Not good to connect with highly secured wireless routers.

4. AndroDumpper Wifi (WPS Connect) – Discontinued

If you want to connect to a router which is WPS enabled; download this app immediately without going down to browse for other apps. Just open the app, start its interface & find the nearby wireless networks, you want to connect with. The app will provide an excellent option to regain the password of a selected network with & without root. Once you implemented the algorithm; it will display the password in app screen & connect to the network. Isn't it easy for you?

Android App

Pros

It's Free on Google Play Store
Easy to use and faster than some other tool.
Works fine for rooted & non-rooted devices
A dedicated blog is available for the tool (Get guidance anytime)
Supports for giant company routers (Vodaphone, Asus, Huawei, Dlink, etc.)

Cons

Rooting is required if you are using a version below android 5.0
Works only for WPS enabled routers.

5. Wi-fi Password Hacker Prank

Wifi Password hacker prank is a free app for the android users and can help you to connect your android phone to wifi networks available nearby. This free app simulates a process of hacking the wireless network with your smartphone. With this app, you can hack all wifi network passwords with just one key. The Prank word itself says it's a funny app used to prank with your friends. Sometimes, girls can be impressed with this prank as well. But try this at your own risk. Look excellent and professional in front of your friends and colleagues.

Steps to Hack Wifi using the Wifi Password Hacker Prank:

Catch up the wireless networks near to you and then select the secure network you wish to hack.
Wait for a while & a dialogue will be opened with the wifi password.
Bingo! Paste the password and start using others' Internet without spending single money.
Watch your favourite show and movie in High-Definition quality without worrying about your mobile data.

Android App

6. WiFi Warden

WiFi Warden is one of the finest and free android WiFi hacking apps to get access to others WiFi with ease. With WiFi Warden, a user can Analyze the WiFi networks, connect to your WiFi using the passphrase and WPS and view saved WiFi passwords without root.

By analyzing the WiFi networks, you can see all necessary information that can be discovered on the wireless networks around including BSSID, SSID, Channel bandwidth, encryption, security, router manufacturer, distance and channel number, etc.

Android App

Pros

Find the less crowded channel to get WiFi access.
You can root your device on all Android versions.
Easy to use and connect with the router quickly.
All features of this app are available for free.

Cons

This app doesn't work on all types of router, use a passphrase instead.
Access Point (AP) must have enabled WPS.
Require Android version 6 (Marshmallow) or higher version is necessary to display Wi-Fi networks around you.
Some of the features are in the testing phase. So, use it your own risk.

7. WiFi Password

'WiFi Password' is a completely free app for those who don't want to get away from the Internet even when their internet data is running out. You can connect with others' WiFi routers and use their Internet.

If you are using Android Version 5 or above; 'WiFi Password' can be the right choice for you to watch your favorite shows on YouTube in HD without even worrying about Mobile Data.

Android App

Pros:

Millions of WiFi Hotspots
Scan and detect the WiFi security
Connect WiFi Hotspot nearby without knowing the WiFi Password
You can simply add a free WiFi Hotspot by sharing the passwords with others.

Cons :

Still, there are some glitches in it but works well.

8. WiFi Kill Pro

WiFi Kill is one the best WiFi network controller application which can disable the Internet connection of others who are connected to the same network. Yes, this is true. It is a useful tool for internet users who want to improve their data speed by disabling other's internet connection and allocate all the bandwidth to your device only.

Currently, this app is only for Android users and needs root access to perform well.

Android App

Pros

- You can see all connected device on the same network you are connected.
- Display the data transfer rate of all devices
- Monitor network activity
- You can cut the network connection of any connected device.
It works well on tablets too.

Cons

- Require root access
Require Android version 4.0.3 or up to use this app.

9. Penetrate Pro

A popular Wifi hacker app for android users, Penetrate pro is free and works well on Android devices. This app is widely used to find WEP and/or WPA keys to connect the devices with network routers without knowing the wifi password. Just install the app and search for the network; this app starts automatically displaying the WEP/WPA keys on the screen. Tap on the network you want to connect; one it gets connected; you can start watching videos on YouTube. Quite interesting, doesn't it?

Android App

Pros

- Easy to search nearby free wifi networks.
- Connect the network without knowing keys
Available for Free

Cons

- Not available on Google Play Store; need to download manually.
Works well only for the rooted android devices

So, you have got the list of apps that help you use the internet from other's wireless network without getting caught. If you have any idea of any other Wi-Fi password hacking app; just let me know. We would love to discuss it here.

Disclaimer: VR Bonkers is not responsible for any consequences if you face while using any of the above apps. This is just a list and we are not taking any responsibility for the same. So, use them at your risk.

@EVERYTHING NT

Difference Between Hacker, Programmer, And Developer

There are numerous sprite debates and discussions on the differences between hackers, developers, and programmers. With most descriptions, however, there is usually a slight flaw in at least one or two serious ways. These terms are all traditionally misused and misunderstood, with many of us frequently mixing them up as an all-encompassing definition of anyone working on the Software realm.

However, if you are looking to clarify your project goals and business needs adequately, it is essential that you understand that all these terms do not all represent the same thing (although a person with the ability to program a computer can use different skills to accomplish various outcomes).

What's more, it is also quite important for you to differentiate between these three terms if you are working with software development groups and the fact that they cannot be interchanged. This excerpt seeks to break it all down for you mainly-the vital difference between hackers, developers, and programmers, their actual tasks, as well as their relationship.

The Hacker

A hacker is a computer expert who uses his knowledge of computer networking, programming, cryptography, and databases to overcome a problem in the system. Hackers are more concerned with availing the concept as opposed to minding about the long-term quality. And although a hacker can conceptualize about how will ultimately be created while frantically writing code, the role is primarily about speed.

A hacker, as well as hacking,' are most useful in dealing with emergency circumstances or when prototyping an item. Hackers and the profession of hacking, in general, is not concerned with the ultimate effect of the code.

Hackers make things. They typically alter the things programmers create and transform them to function differently as well as also writing codes. While "hacker" can refer to any skilled technical person, the term has become associated with computer security, someone who, with their technical knowledge, uses bugs or exploits to break into computer systems.

The Programmer

A programmer is an individual equipped with the expertise to write codes. Programmers usually master in a single or multiple programming languages and boast vast knowledge on related areas also. Their roles are relatively procedural and mandate for total concentration not to mention refined skills.

A programmer is solely focused both in writing codes as well as getting features appropriately performed so that these features are accessible for integration and later use. Programming is merely the process of swinging the hammer and adequately creating the software.

Usually, it is easy to identify that an individual is in programming mode since they often have a concentrated gaze and are deep in the zone.' Programmers are normally internalizing the system they are operating as well as editing and writing pieces of something that can only best be described as a long algebra problem.'

The Developer

Developers are typically creators. However, not anyone that is an expert at writing codes can be a developer. Developers are experts at identifying ways around various problems as well as plugging together components to fulfill some requirements. These professionals solve problems or create things by adhering to a specific set of principles (design and implementation).

This set of principles includes attributes such as maintainability, performance, robustness, security, and scale among others. They solve problems in a systematic manner. Ideally, this is what distinguishes programmers, developers, and hackers.

In A Nutshell:

In all simplicity, these three professionals solve various problems using code. A programmer is an encompassing term that means a problem solver, a developer is a trained programmer (formal) who besides resolving issues achieves it in an organized and methodical manner likely instilled in the course of their formal education, and a hacker is a tinkerer/creator.

Despite their differences in individual meaning and professional capacities, these terms, however, can interrelate with each other quite effectively. In fact, it is possible for you to combine the skills to your benefit. In reality, all developers and hackers are programmers. However, despite their expertise, not many developers and programmers are creative enough to warrant an identity as hackers.

Finally, although hackers and programmers are quite impressive, they are however not experienced or educated enough to warrant consideration as developers. The similarity, however, is that all work to create code, each in their specified manner.

Ideally, anyone would work to be all the above-as creative as a hacker, though, somewhat better experienced and formally trained to design software as opposed to only hacking.

Nonetheless, even if you lack the creativity, experience, or education, or either to necessarily create a broad application, it is still worth noting that you are still ideally a programmer. And in case you did not know, solving a problem through code is by itself, a superpower!

@£√£RYTHING NT

Related posts

Wednesday, June 10, 2020

April 2019 Connector

OWASP
Connector

April 2019

Communications | Projects | Events | Community | Membership

COMMUNICATIONS

Letter from the Vice Chairman:

Dear OWASP Community,

Over the past number of months the Board of Directors has been working on the feedback received from the community. This feedback aligned with our key strategic goals for the year. One of our key goals was to further strengthen the "P" in OWASP. To this end we have been working with the Open Security Summit to put more of a focus on improving project development and growth and hope to enable projects through events such as this.

Another goal is to strengthen our student outreach. One idea I had was to work with colleges all over the world to support our projects development as part of their internships. I wonder if there would be anyone in the community to assist in this effort by creating a Committee under the revised Committee 2.0 model - https://www.owasp.org/index.php/Governance/OWASP_Committees. To simplify things I have added a quick start guide at the beginning of the document.

Diversity is something that we hold dear to our hearts. There are a number of people in our community that have driven this initiative to enable OWASP to be a more diverse community, without naming any names, we would like to thank them and encourage more of those in and outside of the OWASP community to get involved and help OWASP grow.

Last but not least, planning for our global conferences is well under way with OWASP Global AppSec Tel Aviv coming up at the end of May – one small ask is that everyone share information on this conference in your communities,https://telaviv.appsecglobal.org.

Thanks for all your hard work.

Owen Pendlebury
OWASP Vice Chairman

OWASP FOUNDATION UPDATE FROM INTERIM EXECUTIVE DIRECTOR:

For these first few months I have been focused on business operations retooling. As you know, Mailman was recently retired. There is now an online static archive of historical messages. Our goal before Q3 is to have most of our tools on managed, trusted hosted services.

We have increased our use of JIRA to manage inbound requests and last month the team closed 98.6% of service tickets within their prescribed SLA. In January it was 20.4%. This is a very big accomplishment and demonstrates our progress on this work effort. There have also been a number of back office changes that most members won't notice, but we're focused on stronger business continuity for the long term.

In addition to all our upcoming events, the staff along with some members of the community are actively prototyping how we will completely update the website this summer. This effort will not be simply cosmetic, it will be a foundational change in how we manage and publish content that we believe will better connect with our community - and more importantly help us grow. Expect more updates on this in the coming months.

Be safe out there,

Mike McCamon
OWASP, Interim Executive Director

Have you Registered yet?

Sponsorship for Global AppSec Tel Aviv is still available.

Global AppSec DC September 9-13, 2019
submit to the Call for Papers and Call for Training

Save the Date for: Global AppSec Amsterdam Sept 23-27, 2019

EVENTS

You may also be interested in one of our other affiliated events:

REGIONAL AND LOCAL EVENTS

Event	Date	Location
Latam Tour 2019	Starting April 4, 2019	Latin America
OWASP Portland Training Day	September 25, 2019	Portland, OR
LASCON X	October 24-25,2019	Austin, TX
OWASP AppSec Day 2019	Oct 30 - Nov 1, 2019	Melbourne, Australia

PARTNER AND PROMOTIONAL EVENTS

Event	Date	Location
Cyber Security and Cloud Expo Global	April 25-26, 2019	London
IoT Tech Expo Global	April 25-26, 2019	London
Internet of Things World	May 13-16, 2019	Santa Clara Conventional Center, CA
Hack in Paris 2019	June 16-20, 2019	Paris
Cyber Security and Cloud Expo Europe	June 19-20, 2019	Amsterdam
IoT Tech Expo Europe	June 19-20, 2019	Amsterdam
it-sa-IT Security Expo and Congress	October 8-10, 2019	Germany

PROJECTS

The Project Showcase at Global AppSec Tel Aviv has received a great deal of interest. Anyone attending will be in for a steady stream of information on OWASP Projects. The following projects are proposed for the showcase (the actual schedule has not been developed so the order is not indicative of time slots):

Project	Presenter(s)
Glue Tool	Omer Levi Hevroni
Internet of Things	Aaron Guzman
Embedded AppSec	Aaron Guzman
Software Assurance Maturity Model (SAMM)	John DiLeo
API Security	Erez Yalon, Inon Shkedy
Mod Security Core Rule Set	Christian Folini, Tin Zaw
Automated Threats	Tin Zaw
Application Security Curriculum Project	John DiLeo
Defect Dojo	Aaron Weaver
Web Honeypot Project	Adrian Winckles
Damned Vulnerable Serverless Application	Tal Melamed

The scheduled for project reviews at Global AppSec Tel Aviv are the following:

Project	Review Level	Leaders
Snakes and Ladders	Lab	Colin Watson, Katy Anton
Amass	Lab	Jeff Foley
Attack Surface Detector	Lab	Ken Prole
SecureTea Tool	Lab	Ade Yoseman Putra, Bambang Rahmadi KP, Rejah Rehim.AA
Serverless-Goat	Lab	Ory Segal
Cheat Sheet Series	Flagship	Dominique Righetto, Jim Manico
Mobile Security Testing Guide	Flagship	Sven Schleier, Jeroen Willemsen

If you are attending Global AppSec Tel Aviv 2019 and can participate in the project reviews (to be held on Monday and Tuesday prior to the conference, schedule pending), then please send an email to project-reviews@owasp.org

COMMUNITY

New OWASP Chapters
Amaravathi, India
Belo Horizonte, Brazil
Bhopal, India
Cusco, Peru
Dindigul, India
Kharkiv, Ukraine
Meerut, India
Rio de Janeiro, Brazil
San Jacinto College, Texas
San Pedro Sula, Honduras
Seoul, Korea
West Delhi, Delhi

MEMBERSHIP

We welcome the following Contributor Corporate Members

Premier Corporate Members

Contributor Corporate Members

Join us

Donate

Our mailing address is:
OWASP Foundation
1200-C Agora Drive, # 232
Bel Air, MD 21014

Unsubscribe

This email was sent to *|EMAIL|*
why did I get this? unsubscribe from this list update subscription preferences
*|LIST:ADDRESSLINE|*