Learn Penetration Testing And Ethical Hacking Online.


  • Popular Posts

    New attack method against Wi-Fi networks using WPA/WPA2-PSK via PMKID

    Jens "atom" Steube, developer of the Hashcat password-cracking tool, has found a new vulnerability in wireless networks protected with WPA/WPA2-PSK (Pre-Shared Key) that have fast roaming enabled, which makes them susceptible to a new attack method. Unlike earlier attacks, no connected client is needed: the router is attacked directly by obtaining the PMKID value, and a full (4-way) handshake is not required either.

    Previous WPA/WPA2 attacks required the attacker to wait patiently, listening on the wireless network, until a user logged in successfully. Only then could the four-way handshake be captured and used to "crack" the key.

    New vulnerability in WPA2-PSK 

    The developers discovered this attack almost by accident while looking for possible attacks on WPA3, which will be much harder to attack thanks to its use of Simultaneous Authentication of Equals (SAE), which makes it immune to passive attacks, active attacks and dictionary attacks.

    WPA2, which stands for WiFi Protected Access 2, is regarded as the highest-security system for protecting wireless networks. Recall that WPA2 is a WiFi security protocol that is 15 years old (published in 2004), and that its replacement is WPA3.

    WPA and WPA2 differ little conceptually; the main difference is the encryption algorithm they use. WPA bases the encryption of communications on TKIP (Temporal Key Integrity Protocol), which, like WEP, is built on RC4, whereas WPA2 uses CCMP (Counter-mode/CBC-MAC Protocol), based on AES (Advanced Encryption Standard). The second notable difference lies in the algorithm used to check message integrity: WPA uses a less elaborate Message Integrity Code (MIC), known as "Michael", while WPA2 implements an improved MIC.

    WPA-PSK/WPA2-PSK, with either TKIP or AES, uses a pre-shared key (PSK) of at least 8 and at most 63 characters.

    The key to the attack they discovered is that, unlike previous ones, it does not need to capture the 4-way EAPOL (Extensible Authentication Protocol over LAN) handshake, as KRACK required. Instead, the attack extracts the RSN IE (Robust Security Network Information Element) from a single EAPOL frame. The RSN IE is an optional field that contains the Pairwise Master Key Identifier (PMKID), which the router itself generates when a user tries to authenticate. The main advantages over other known attack types are:

    • No regular users are required, because the attacker communicates directly with the AP (also known as a "clientless" attack)
    • No more waiting for a complete 4-way handshake between a regular user and the AP
    • No more eventual retransmissions of EAPOL frames (which can lead to results that are impossible to crack)
    • No more invalid passwords sent by a regular user
    • No more EAPOL frames lost because the regular user or the AP is too far from the attacker
    • No fixing of nonce and replay-counter values is required (resulting in slightly higher speeds)
    • No more special output formats (pcap, hccapx, etc.); the final data appears as a regular hex-encoded string

    Pairwise Master Key Identifier (PMKID)

    The PMKID is computed with HMAC-SHA1, where the key is the PMK and the data is the concatenation of the fixed string label "PMK Name", the MAC address of the access point and the MAC address of the station.

    PMK   = PBKDF2(HMAC-SHA1, PSK, SSID, 4096, 256)
    PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

    In addition, obtaining the "handshake" is much easier once the Pairwise Master Key Identifier (PMKID) is obtained. Hashcat has also added a new hash mode, 16801, which skips the PMK computation, the step that until now made WPA cracking so slow. So the hash is now much easier to obtain, but cracking it remains as hard (or as easy) as ever, depending on the resources available.

    Mode 16801 expects a list of precomputed PMKs, as hex-encoded strings of length 64, as its wordlist. To precompute the PMKs you can use the hcxkeys tool. The hcxkeys tools require the ESSID, so you must obtain the ESSID in advance.
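    The two formulas above and the 64-character hex PMK format that mode 16801 consumes, worked through in code. This is an added example written for this page, not Hashcat's or hcxkeys' own code: it derives the PMK with PBKDF2-HMAC-SHA1, truncates HMAC-SHA1 to 128 bits for the PMKID, and checks a candidate passphrase against an observed PMKID. The SSID, passphrase and MAC addresses in the demo are constructed, not taken from any real network; the one real value is the IEEE 802.11 PBKDF2 test vector ("password" / "IEEE"), used to confirm the PMK derivation.

```python
import hashlib
import hmac

PMK_LABEL = b"PMK Name"  # fixed label from the PMKID formula


def valid_psk(passphrase: str) -> bool:
    """WPA/WPA2-PSK passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, PSK, SSID, 4096 iterations, 256 bits).

    This is the slow step: 4096 HMAC-SHA1 rounds per candidate passphrase,
    which is why a long, random passphrase remains the practical defence."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def pmk_hex_for_hashcat(passphrase: str, ssid: str) -> str:
    """Hash mode 16801 takes precomputed PMKs as 64-character hex strings."""
    return derive_pmk(passphrase, ssid).hex()


def mac_to_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def derive_pmkid(pmk: bytes, mac_ap: str, mac_sta: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA).

    The '128' means the 160-bit HMAC-SHA1 output truncated to 16 bytes.
    Compared with the PMK, this step costs a single HMAC per candidate."""
    data = PMK_LABEL + mac_to_bytes(mac_ap) + mac_to_bytes(mac_sta)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def pmkid_matches(passphrase: str, ssid: str, mac_ap: str, mac_sta: str, pmkid_hex: str) -> bool:
    """Does a candidate passphrase reproduce an observed PMKID?"""
    if not valid_psk(passphrase):
        return False
    candidate = derive_pmkid(derive_pmk(passphrase, ssid), mac_ap, mac_sta)
    return hmac.compare_digest(candidate, bytes.fromhex(pmkid_hex))


if __name__ == "__main__":
    # Constructed sample values for this example (not from any real network).
    ssid, passphrase = "ExampleNet", "correct horse battery"
    mac_ap, mac_sta = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    pmkid = derive_pmkid(derive_pmk(passphrase, ssid), mac_ap, mac_sta).hex()
    print("PMK   (mode 16801 input):", pmk_hex_for_hashcat(passphrase, ssid))
    print("PMKID (32 hex chars)    :", pmkid)
    print("candidate matches       :", pmkid_matches(passphrase, ssid, mac_ap, mac_sta, pmkid))
```

    The cost split is the point of the example: the PBKDF2 step dominates, and mode 16801 moves it out of the cracking loop by accepting PMKs that hcxkeys has already computed for one ESSID, which is why the ESSID must be known beforehand.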

    The discoverers do not yet know the scope of the vulnerability, nor how many devices and routers it works against. What they do know is that it works on any network with roaming enabled (802.11i/p/q/r), which covers the most modern routers. Many companies with WPA2 Enterprise also use PSK, so their networks are now vulnerable to these new attacks.
    mimikatz: hacking tool for Windows

    Mimikatz (mimi katz) has become an extremely effective attack tool against Windows clients, allowing the recovery of protected passwords as well as password hashes from memory. It has been dubbed the Swiss Army knife of Windows credential tools, alongside Hernán Ochoa's Windows Credential Editor (WCE).

    Mimikatz, first written by Frenchman Benjamin Delpy (aka gentilkiwi) in 2011, has greatly simplified and automated the collection of credentials on Windows systems.

    Mimikatz: cute cat

    Mimikatz is an open-source utility that lets you view the credential information held by the Windows lsass process (Local Security Authority Subsystem Service) through its sekurlsa module, including plaintext passwords and Kerberos tickets that can then be used for attacks such as pass-the-hash and pass-the-ticket. Most antivirus tools will detect the presence of Mimikatz as a threat and remove it, but it can be useful for testing the security of systems.

    Mimikatz provides a large number of tools to collect and use Windows credentials on target systems, including recovery of plaintext passwords, LAN Manager hashes and NTLM hashes, certificates and Kerberos tickets. The tools run with varying success on all versions of Windows from XP onward, with somewhat limited functionality on Windows 8.1 and later.

    It has also come to light as a component of two ransomware worms that swept across Ukraine and spread through Europe, Russia and the US: both NotPetya and BadRabbit used Mimikatz together with leaked NSA tools to build automated attacks whose infections quickly saturated networks, with disastrous results. NotPetya alone paralysed thousands of computers at companies such as Maersk, Merck and FedEx, and is believed to have caused more than a billion dollars in damage.


    Mimikatz first became a key asset for attackers thanks to its ability to exploit an obscure Windows feature called WDigest. That feature was designed to make it more convenient for corporate and government Windows users to prove their identity to different applications on their network or on the web: it keeps their authentication credentials in memory and reuses them automatically, so the user only has to enter a username and password once. While Windows keeps its copy of the user's password encrypted, it also keeps in memory a copy of the secret key needed to decrypt it.

    In 2014, Microsoft responded to this weakness with a patch that allows system administrators to disable WDigest so that plaintext passwords are no longer stored. Microsoft's advisory explains how to update a special registry entry under:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest

    On Windows 8 and later, the default is not to store plaintext passwords in lsass.

    mimikatz comes in two flavors, x64 and Win32, depending on your version of Windows (32- or 64-bit).
    The Win32 flavor cannot access 64-bit process memory (such as lsass), but it can open a 32-bit minidump on 64-bit Windows. Some operations need administrator privileges or the SYSTEM token, so take UAC into account from Vista onward.

    privilege::debug
    inject::process lsass.exe s
    sekurlsa::logonpasswords

    Using the mimikatz modules from Metasploit

    meterpreter > mimikatz_command -f fu::
    Module: 'fu' introuvable
    Modules available: 
                    - Standard
          crypto - Cryptographie et certificats
            hash - Hash
          system - Gestion système
         process - Manipulation des processus
          thread - Manipulation of threads
         service - Manipulation des services
       privilege - Manipulation des privilèges
          handle - Manipulation des handles
     impersonate - Manipulation tokens d'accès
         winmine - Manipulation du démineur
     minesweeper - Manipulation du démineur 7
           nogpo - Anti-gpo et patchs divers
         samdump - SAM Dump
          inject - Injecteur de librairies
              ts - Terminal Server
          divers - Fonctions diverses n'ayant pas encore assez de corps pour avoir leurs propres module
        sekurlsa - Dump des sessions courants for providers LSASS
             efs - Manipulations EFS

    Modules of mimikatz

    Technical features

    • Dump credentials from LSASS (Windows Local Security Account database)
    • MSV1.0: hashes & keys (dpapi)
    • Kerberos password, ekeys, tickets, & PIN
    • TsPkg (password)
    • WDigest (clear-text password)
    • LiveSSP (clear-text password)
    • SSP (clear-text password)
    • Generate Kerberos Golden Tickets (Kerberos TGT logon token ticket attack)
    • Generate Kerberos Silver Tickets (Kerberos TGS service ticket attack)
    • Export certificates and keys (even those not normally exportable).
    • Dump cached credentials
    • Stop event monitoring.
    • Bypass Microsoft AppLocker / Software Restriction Policies
    • Patch Terminal Server
    • Basic GPO bypass
    Yara rules for tool detection

    LaZagne Project

    The LaZagne project is an open-source application used to recover the many passwords stored on a local computer. Many software products store access passwords using different techniques, from plain text to databases, APIs and proprietary algorithms.

    This tool was developed to find such passwords for the most commonly used software. It currently supports 22 Windows programs and 12 on Linux/Unix operating systems:

    The project's GitHub repository gives more details about its use and about extending it.

    An important precaution we can take on our own computers, to deny findings to programs like LaZagne, is to clean up the traces of our activity, for example with a program like CCleaner (although it does not remove everything LaZagne finds, it does remove everything related to the traces left by the use of web browsers, for example).

    Torrent sites are banning CracksNow, a popular source of torrent uploads, after discovering that the cracks and keygens uploader was distributing ransomware.
    CracksNow had been labeled "trusted"; that was before several users began to notice anomalies on their computers. Torrentfreak shows one of the most recent examples in a screenshot of the comments on a torrent that has since been removed. According to the thread, the resulting download contained version 5.1 of GandCrab, the latest version of a nasty ransomware family. Like any ransomware, GandCrab encrypts users' files and demands a ransom in exchange for the keys.
    An administrator of the 1337x.to torrent site told the publication: "I banned it myself because I found ransomware in its uploads".
    "I also checked the same uploads of his on a couple of other torrent sites and got the same results. I immediately alerted their staff about it so they could investigate and take appropriate action, which they did," he said.
    Several torrent sites banned the uploader on hearing the news. Reportedly, 1337x still has some CracksNow uploads on file, but it assures Torrentfreak that those uploads have been checked for malware and are clean.
    "I must admit that it is rare for a trusted uploader of this caliber to go rogue. Normally it's new people who have infected files," added the 1337x administrator.
    As a general rule, torrents are a risky business, especially those that ask you to disable your AV. Always download software from reliable sources and avoid cracked executables at all times. Downloading pirated software increases the risk of malware infection.


    Tallow is a small program that redirects all outgoing traffic from a Windows machine through the Tor anonymity network. Any traffic that Tor cannot handle, e.g. UDP, is blocked. Tallow also intercepts and handles DNS requests, avoiding possible leaks.
    Tallow has several uses, including:
    • Tor-ifying: applications that were never designed to use Tor
    • Filter circumvention: if you want to bypass a local filter and are not concerned about anonymity
    • Better-than-nothing Tor: some Tor can be better than no Tor.
    Keep in mind that, by itself, Tallow is not designed to be a complete and secure anonymity solution. See the warnings below.
    How to use it
    Using the Tallow GUI, simply press the large "Tor" button to start redirecting traffic through the Tor network. Press the button again to stop the Tor redirection. Note that your Internet connection may be temporarily interrupted each time you press the button.
    To check whether the Tor redirection is working, visit the following site: https://check.torproject.org .
    Tallow allows you to use the following configurations to connect to the Internet:
    Here (abcd) represents the local address, and (xyzw) represents a remote server.
    Tallow uses WinDivert to intercept all traffic to/from your PC. Tallow handles two main types of traffic: DNS traffic and TCP flows.
    DNS queries are intercepted and handled by Tallow. Instead of finding the real IP address of a domain, Tallow generates a random "fake" IP address in a dedicated range and uses that address in the query response. The fake IP is also associated with the domain and recorded in a table for later reference. The alternative would be to look up the real IP through Tor (which supports DNS). However, since Tallow uses SOCKS4a, the real IP is not needed, and handling DNS requests locally is significantly faster.
    TCP connections are also intercepted. Tallow "reflects" outbound TCP connects into inbound SOCKS4a connects to the Tor program. If the connection is to a fake IP, Tallow looks up the corresponding domain and uses it for the SOCKS4a connection. Otherwise, the connection is blocked (by default) or a direct SOCKS4 connection through Tor is used. Turning a TCP connect into a SOCKS4(a) connect is possible with a little magic.
    All other traffic is simply blocked. This includes all incoming (non-Tor) traffic and outgoing traffic that is neither TCP nor DNS. In addition, Tallow blocks all the domains listed in the hosts.deny file. This includes domains such as Windows Update, Windows Phone home and some common ad servers, to help avoid wasting Tor bandwidth. You can edit and customize your hosts.deny file as you see fit.
    Note that Tallow does not intercept TCP ports 9001 and 9030, which Tor uses. As a side effect, Tallow will not work for any other program that uses these ports.
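    The DNS and TCP handling described above, as an added example written for this page; it is not Tallow's code (Tallow is a WinDivert-based Windows program) but a small model of the same decisions: a fake-IP table filled by locally answered DNS queries, hosts.deny filtering, conversion of an outbound TCP connect into a SOCKS4a CONNECT carrying the domain name so that Tor resolves it, blocking of non-TCP traffic and of destinations that are not fake IPs, and pass-through of Tor's own ports 9001 and 9030. The fake-IP range 10.254.0.0/16 and the hosts.deny entries are assumptions for the demo, not Tallow's actual values.

```python
import ipaddress
import random
import struct

# Assumed fake-IP pool for this example; not the range Tallow itself uses.
FAKE_NET = ipaddress.ip_network("10.254.0.0/16")
TOR_PORTS = {9001, 9030}  # Tor's own ports: Tallow leaves these alone


class FakeDnsTable:
    """Two-way map between resolved domains and the fake IPs handed out for them."""

    def __init__(self, seed=None):
        self._rng = random.Random(seed)
        self.domain_to_ip = {}
        self.ip_to_domain = {}

    def fake_ip_for(self, domain: str) -> str:
        domain = domain.lower().rstrip(".")
        if domain not in self.domain_to_ip:
            while True:  # pick an unused host address from the pool
                ip = str(FAKE_NET[self._rng.randrange(1, FAKE_NET.num_addresses - 1)])
                if ip not in self.ip_to_domain:
                    break
            self.domain_to_ip[domain] = ip
            self.ip_to_domain[ip] = domain
        return self.domain_to_ip[domain]

    def domain_for(self, ip: str):
        return self.ip_to_domain.get(ip)


def is_denied(domain: str, hosts_deny) -> bool:
    """hosts.deny-style match: the domain itself or any parent domain is listed."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in hosts_deny)


def answer_dns(table: FakeDnsTable, domain: str, hosts_deny):
    """Local DNS answer: a fake IP for allowed domains, None (blocked) for denied ones.
    No query ever leaves the machine, so there is nothing to leak."""
    if is_denied(domain, hosts_deny):
        return None
    return table.fake_ip_for(domain)


def socks4a_connect(hostname: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4a CONNECT: VN=4, CD=1, DSTPORT, DSTIP=0.0.0.1, USERID NUL, HOSTNAME NUL.
    The 0.0.0.x address tells the proxy (Tor) to resolve HOSTNAME itself."""
    return (struct.pack("!BBH4s", 4, 1, port, b"\x00\x00\x00\x01")
            + userid + b"\x00" + hostname.encode("idna") + b"\x00")


def socks4_connect(ip: str, port: int, userid: bytes = b"") -> bytes:
    """Plain SOCKS4 CONNECT to a literal IPv4 address (the optional non-default path)."""
    return struct.pack("!BBH4s", 4, 1, port, ipaddress.IPv4Address(ip).packed) + userid + b"\x00"


def route_flow(table: FakeDnsTable, proto: str, dst_ip: str, dst_port: int, allow_direct=False):
    """Decide the fate of one outbound flow: returns (action, payload)."""
    if proto == "tcp" and dst_port in TOR_PORTS:
        return ("passthrough", None)  # not intercepted, Tor needs them
    if proto == "udp" and dst_port == 53:
        return ("dns", None)  # answered locally by answer_dns()
    if proto != "tcp":
        return ("block", "only TCP flows are relayed through Tor")
    domain = table.domain_for(dst_ip)
    if domain is not None:
        return ("socks4a", socks4a_connect(domain, dst_port))
    if allow_direct:
        return ("socks4", socks4_connect(dst_ip, dst_port))
    return ("block", "destination is not a fake IP issued by the DNS table")


if __name__ == "__main__":
    # Constructed demo: a tiny hosts.deny and two lookups, then the matching connects.
    hosts_deny = {"ads.example", "update.example"}
    table = FakeDnsTable(seed=7)
    ip = answer_dns(table, "www.example.com", hosts_deny)
    print("www.example.com ->", ip, "| tracker.ads.example ->", answer_dns(table, "tracker.ads.example", hosts_deny))
    print("tcp", ip, "443 ->", route_flow(table, "tcp", ip, 443))
    print("udp 1.2.3.4 123 ->", route_flow(table, "udp", "1.2.3.4", 123))
```

    The design choice worth noting is that the fake IP is the only thing the application ever sees, so the real destination exists solely as a hostname inside the SOCKS4a request to Tor; a flow that arrives with a literal non-fake IP (for example from a hard-coded address) cannot be mapped back to a name and is blocked by default.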

    Tallow was derived from the TorWall prototype ("tallow" is an anagram of "torwall" minus the 'r').
    Tallow works slightly differently and aims to redirect all traffic rather than just HTTP on port 80. Also, unlike the prototype, Tallow does not use Privoxy or alter the content of any TCP flow in any way.
    The 10 best security tools of 2019 for pentest

    As in previous years, ToolsWatch, a website that keeps the arsenal of security and hacking tools up to date, has published the top 10 tools most voted for by its readers:

    1. OWASP ZAP

    OWASP ZAP (Zed Attack Proxy Project) is one of the best-known tools for penetration testing of web applications. ZAP offers easy-to-use automatic scanners for checking whether our web applications are secure. It also has a complete set of tools that let us adjust the tests and discover vulnerabilities "manually". ToolsWatch readers voted OWASP ZAP the best security tool of 2015. You can visit the official OWASP ZAP website, where you will find usage tutorials.

    2. Lynis

    This open-source tool performs security audits, evaluating the security measures applied to Unix- and Linux-based systems. It runs on the very host whose security we want to assess, so its analysis is much broader than that of typical vulnerability scanners.

    3. Haka

    Haka is not a security tool as such; it is an open-source, security-oriented language that lets us describe protocols and apply security policies to traffic captured in real time, adapting to the circumstances.

    4. Faraday

    It is an integrated penetration-testing environment designed specifically for distributing, indexing and analysing the data generated during a security audit. This tool can create real-time graphs of captured traffic for analysis and later study.

    5. BeEF

    This well-known framework, The Browser Exploitation Framework, targets web browsers: it can control all hooked victims by running different types of payloads, and it can also capture a large amount of valuable information such as the operating system, the web browser, the IP address and the cookies.

    6. Burp Suite

    This tool is also widely known in the security world; it performs a range of security tests on web applications. It covers everything from the initial process, through the analysis of the different attacks that can be carried out, to the exploitation of the vulnerabilities found.

    7. PeStudio

    It is an application that performs an initial malware assessment of any executable file. It lets you analyse the file without running it, so there is no risk when examining a malicious file.

    8. Nmap

    The Swiss Army knife of network scanners: open source, free and widely used for host discovery, service identification, operating-system versions, open ports and even vulnerabilities in the services discovered.

    9. IDA

    It is an interactive disassembler for reverse engineering, written in C++ and available for the major operating systems: Microsoft Windows, Mac OS X and Linux.

    10. OWASP Offensive (Web) Testing Framework

    Finally, the last security tool in this top 10 is the OWASP Offensive (Web) Testing Framework, a framework whose specific purpose is to bring together the best tools and make penetration tests very efficient by automating the most repetitive tasks. This tool is written in Python.

    Results for 2014:

    • 01 - Unhide (NEW)
    • 02 - OWASP ZAP - Zed Attack Proxy Project (-1)
    • 03 - Lynis (+3)
    • 04 - BeEF - The Browser Exploitation Framework (-2)
    • 05 - OWASP Xenotix XSS Exploit Framework (0)
    • 06 - PeStudio (-2)
    • 07 - OWASP Offensive (Web) Testing Framework (NEW)
    • 08 - Brakeman (NEW)
    • 09 - WPScan (0)
    • 10 - Nmap (NEW)

    Results for 2013:

    • 01 - OWASP Zed Attack Proxy (ZAP)
    • 02 - BeEF (The Browser Exploitation Framework)
    • 03 - Burp Suite
    • 04 - PeStudio
    • 05 - OWASP Xenotix XSS Exploit Framework
    • 06 - Lynis
    • 07 - Recon-ng
    • 08 - Suricata
    • 09 - WPScan
    • 10 - O-Saft (OWASP SSL Advanced Forensic Tool)