Saturday, August 12, 2017

Recon-ng is an open source reconnaissance framework written in Python. This SQLite-database-driven tool incorporates Python modules and API keys, which let it act as a conduit for many tools ranging from theHarvester to Metasploit. It is an excellent standalone reconnaissance tool in its own right. As a side note, we all totally have a geeky nerd crush on LaNMaSteR53.

Getting Started
While most penetration testers will be running this out of Kali Linux, the prerequisites (git and pip) may need to be installed before you start. Fortunately, this is easy on most Linux flavors and requires just a few simple commands:
sudo apt-get update
sudo apt-get install git
sudo apt-get install python-pip python-dev build-essential
sudo pip install --upgrade pip
sudo pip install --upgrade virtualenv
Next, clone Recon-ng from Bitbucket (Figure 1). In this tutorial we clone into the home directory, but feel free to use whatever directory structure works for you.
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
Figure 1: git install
Next, change directory into the newly created recon-ng directory and list the contents (Figure 2).
cd recon-ng
ls
Figure 2: recon-ng contents
We will use the REQUIREMENTS file to finish installing the dependencies for recon-ng.
pip install -r REQUIREMENTS
At this point the installation is almost ready to use. We will go over a little information now, while you're still paying attention, and then get recon-ng running and the API keys loaded.
The installation of recon-ng also created a hidden directory, .recon-ng, inside your home directory. This directory is initially empty; it is where your keys.db and your workspaces will be created. After running recon-ng for the first time, a workspace directory and keys.db are created inside the hidden .recon-ng directory (Figure 3).
Figure 3: .recon-ng directory
To run recon-ng, go to the folder where you ran the “git clone” command. This is where the magic happens.
cd recon-ng 
./recon-ng
Don't worry if you get the "_api key not set" error (Figure 4). We have not added any API keys yet.
Figure 4: Initial Start
From the start screen, we can see that there are 76 recon modules, 8 reporting modules, 2 import modules, 2 exploitation modules, and 2 discovery modules. We are also using the "default" workspace (Figure 5).
Figure 5: Recon-ng start screen
Close recon-ng and let's look at the modules and the underlying code (Figure 6).
cd modules
cd recon
ls
Figure 6: Module Directory
If we go inside the module directory and open a module, we can see the Python script that does all the magic (Figure 7).
Figure 7: Module Content
Adding API Keys
As I said in the introduction, this is a database-driven tool. Now it's time to add information to the database.
The API keys are used by the modules to gather information into the SQLite database. Some of the API keys are free, but some can be expensive. I will keep this tutorial to the free API keys that are available.
After going back into the recon-ng directory and typing "./recon-ng", you will be inside the recon-ng console. List the configured keys (Figure 8):
keys list
Figure 8: Keys List
The following command is an example of adding the shodan_api key (bottom of Figure 8; look closely, it is there):
keys add shodan_api 
API Key Signup URLs
Signing up for the API keys is the least fun and most time-consuming part of the setup. Showing each signup would be lethally boring, so here is the list of URLs. All links open in a new window because we are thoughtful like that.
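Because keys.db holds the API keys you just added in plaintext, it is worth checking that the store is private before running recon-ng on a shared host. The following is an added example, not part of this tutorial or of recon-ng itself; it assumes keys.db is a SQLite file with a table keys(name, value), builds a constructed copy in a temporary directory, audits its permissions, and reports key names with masked values.

```python
import os
import sqlite3
import stat
import tempfile


def create_sample_keystore(path):
    """Constructed keys.db with the assumed schema: table keys(name, value)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE IF NOT EXISTS keys (name TEXT PRIMARY KEY, value TEXT)")
    con.executemany("INSERT INTO keys (name, value) VALUES (?, ?)",
                    [("shodan_api", "CONSTRUCTED-SHODAN-KEY-0000"),
                     ("github_api", None)])  # registered but never set
    con.commit()
    con.close()


def mask(value):
    """Keep only the last 4 characters so a key can appear in a report safely."""
    if not value:
        return "<not set>"
    return "*" * max(len(value) - 4, 0) + value[-4:]


def audit_keystore(path):
    """Return (findings, masked_keys) for a keys.db and its directory."""
    findings = []
    group_other = stat.S_IRWXG | stat.S_IRWXO
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & group_other:
        findings.append("keys.db readable by group/others (mode %o)" % mode)
    dir_mode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
    if dir_mode & group_other:
        findings.append(".recon-ng directory not private (mode %o)" % dir_mode)
    con = sqlite3.connect(path)
    rows = con.execute("SELECT name, value FROM keys ORDER BY name").fetchall()
    con.close()
    unset = [name for name, value in rows if not value]
    if unset:
        findings.append("keys registered but not set: " + ", ".join(unset))
    return findings, {name: mask(value) for name, value in rows}


def harden_keystore(path):
    """Restrict the store and its directory to the owner, then re-audit."""
    os.chmod(os.path.dirname(path), 0o700)
    os.chmod(path, 0o600)
    return audit_keystore(path)


def demo():
    """Build the constructed store with loose permissions, audit, harden, re-audit."""
    home = os.path.join(tempfile.mkdtemp(), ".recon-ng")
    os.mkdir(home)
    os.chmod(home, 0o755)           # deliberately loose for the demonstration
    db = os.path.join(home, "keys.db")
    create_sample_keystore(db)
    os.chmod(db, 0o644)
    before, _ = audit_keystore(db)
    after, keys = harden_keystore(db)
    return before, after, keys
```

Point audit_keystore at ~/.recon-ng/keys.db on a real installation to get the same report for your own store.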

Welcome back to war, worldwide! So we are at GCHQ headquarters, with the HARUSPEX ID cyber warfare team. And we have this code:

// SetAge
// @DominusTrex
// Read the anti-CSRF token the site issued for this session and attach it
// to every jQuery request, otherwise the POST below is rejected.
var token = Roblox.XsrfToken.getToken();
$.ajaxPrefilter(function (options, originalOptions, jqXHR) {
    jqXHR.setRequestHeader('X-CSRF-Token', token);
});

// Update the logged-in account's own personal info (gender and birth date).
$.ajax({
    type: "POST",
    url: "/usercheck/updatepersonalinfo",
    data: JSON.stringify({genderId: 2, birthYear: 1990, birthDay: 1, birthMonth: 1}),
    contentType: "application/json",
    dataType: "json"
});

https://pastebin.com/raw/UCT1JwaX

Good morning, worldwide! Welcome back to war! "Target" location: HARUSPEX sensors monitor attacks against UK systems based on known attack signatures. These signatures typically reflect attack vectors, infrastructure or entity identifiers associated with attacks. While the signatures reflect our knowledge of FIS activities, UK-to-UK traffic may be collected if the attacker is using UK infrastructure. THIS IS NOT A SNOWDEN LEAK... IT'S AN ELSA ONE.

Oh well... what a nice summer night... "In August 2015, the UK played a role in the US strike against British computer hacker Junaid Hussain. US Col Patrick Ryder told the Guardian that the two countries consulted 'with each other regarding the targeting of Junaid Hussain', adding 'both governments will continue to coordinate efforts to eliminate violent extremist organisations.' The Times reported that Hussain revealed his location by opening an internet link, which was allegedly sent by an 'undercover agent after GCHQ and its US allies cracked encrypted Islamic State communications'. While the UK has admitted involvement in this successful strike against Junaid, it has kept very quiet about whether or not it was similarly involved in the first strike attempt. This failed strike missed its target, instead killing three civilians." YOU DID NOT DECRYPT THIS!


Thursday, August 10, 2017

US CALIFORNIA ATM'S

Hack 66. Power Cisco Phones with Standard Inline Power

To avoid lock-in with Cisco-only phones and switches, learn how to power Cisco phones from non-Cisco switches.
IP phones can be powered through their Ethernet connections. The standard for this inline power is called 802.3af, and many equipment manufacturers support it, except for Cisco, which uses its own proprietary inline power method. Because of this, you can match Cisco IP phones only with Cisco-powered switches (unless you use Cisco's only phone model to support 802.3af, the 7970). This is an unfortunate form of vendor lock-in, but all is not lost. You can do a couple of things to get Cisco IP phones to draw power from non-Cisco switches.
If your budget permits, the obvious (though proprietary) solution to this problem is to use Cisco PoE switches to power the phones. Some other switch makers, like Foundry Networks, also support Cisco's proprietary PoE standard. If you can't afford to forklift your switches, you might instead want to power your Cisco phones by way of a power injector, which is a patch panel that adds inline power to a CAT5/CAT6 cable connection. Consider Cisco PoE-compatible injectors like those made by PowerDsine (http://www.powerdsine.com/).
But, if you can't do that either, do the next best thing: hack.
Hacking inline power will almost certainly void your IP phone's warranty, and probably your switch's or power injector's, too. A short circuit could fry your switch and phone if you're not careful. Proceed with caution!

By changing some wires on a standard UTP Ethernet patch cable, you can make a compatibility cable that lets you plug Cisco IP phones into any 802.3af source, as shown in Figure 5-3. Essentially, you are flipping wires 4 and 7, and 5 and 8. Be advised, this technique could void the warranty of your phone and your switch.
Figure 5-3. The wiring diagram for a hacked PoE cable

Make sure your switch lets you program, port by port, which ports get power and which ones don't, because in a native Cisco PoE solution, Cisco IP phone power requirements are "auto-detected," so power can turn itself on and off as necessary on each port. There's no such provision when using a hacked cable to supply 802.3af power to a Cisco PoE-using phone. If this is a problem, and 802.3af won't work with the hacked cable, try using a device that does the two-pair flip but also works with auto-detection, such as 3Com's 48-volt IntelliJack switch converter, part number 3CNJVOIPCPOD.
The Cisco 7970 IP phone does support 802.3af power sources, unlike the more popular (and less expensive) 7960 and 7940 phones.


Hack 67. Customize Your Cisco IP Phone's Boot Logo

Change the logo on your Cisco IP phone, and reflect your inner geek's refined sense of monochrome style.
Have you ever wished you could change the boot-up logo on your cell phone? Have you ever wanted to use custom graphics on your appliances' LCD screens? Most Linux geeks love to plaster Tux the Penguin, the official mascot of Linux, all over the place, and what better place than a hackable display? If you're like me and you have a thing for the penguin, allow our underdressed friend to show himself on your Cisco VoIP phones.
First, the facts: when most IP phones boot, they look for configuration files on a nearby TFTP server and download them to configure the phone further [Hack #80]. The configuration files allow the specification of a logo, along with other tweakable goodies. By editing or adding the logo_url setting in a phone's configuration file, you can dictate which logo the phone should use. The storage or location for this logo varies depending on the version of the firmware that's loaded on your phone, but you should be able to specify a standard HTTP URL to point the phone toward its logo. (This kind of hack is also possible on other phones, so look it up.) Here's the specific setting for a Cisco configuration file:
logo_url: "http://domain/cisco/logo.bmp"

As you can see, the URL points to a bitmap picture (logo.bmp). So far, this looks to be a simple hack, and with a few notes, it will stay that way. The image that the phone downloads is on a server, so the phone needs to find that server somehow. In other words, make sure the phone's DNS server setting is right so that it can resolve the hostname you provide in place of the domain placeholder in the URL.
The image size and color are also important. If you use an image with the wrong size or aspect, it will come out looking a bit funky on your Cisco's LCD. The default size for the display on the Cisco 7960 is 133 x 65 pixels, so that would be a good place to start. The image should be monochrome, at least for the 7960. Color is supported on newer models, like the 7970G. (You can always specify a different URL in your color phone's config files that points to a color version of the same image if you need to support color and monochrome displays.) The older and current phones will alter an image to fit the screen and color if it does not match. This auto-correction might not be perfect, so you might want to run your image through Photoshop or the GNU Image Manipulation Program (GIMP) to meet the size and color requirements.
When I did this hack, I used a PNG-format picture of Tux the Penguin. Tons of great images like this are available at http://images.google.com/. I opened my image in the GIMP to have a look. Then I resized the happy fellow so that his height matched the height of the LCD, 65 pixels. Finally, I converted to grayscale and saved. Figure 5-4 shows the finished product. Cute, isn't he?
Figure 5-4. The Tux logo, as he appears on a Cisco 7960's display

I then simply uploaded the file to my web server, at the URL specified in my 7960's TFTP configuration file. The next time I booted up my 7960, there was Tux, happy as usual.
Andrew Latham

Wednesday, August 9, 2017

Diplomatic bag

DIPLOMATIC BAGS MI6 REMOTE SCANNER

Remote unlocking of the root (or other) partition

If you want to be able to reboot a fully LUKS-encrypted system remotely, or start it with a Wake-on-LAN service, you will need a way to enter a passphrase for the root partition/volume at startup. This can be achieved by running a mkinitcpio hook that configures a network interface. Some packages listed below contribute various mkinitcpio build hooks to ease with the configuration.
Note:
  • Keep in mind to use kernel device names for the network interface (e.g. eth0) and not udev's ones (e.g. enp1s0), as those will not work.
  • It could be necessary to add the module for your network card to the MODULES array.

Remote unlocking (hooks: systemd, systemd-tool)

The AUR package mkinitcpio-systemd-tool provides a systemd-centric mkinitcpio hook named systemd-tool with the following set of features for systemd in initramfs:
Core features provided by the hook:
  • unified systemd + mkinitcpio configuration
  • automatic provisioning of binary and config resources
  • on-demand invocation of mkinitcpio scripts and in-line functions
Features provided by the included service units:
  • initrd debugging
  • early network setup
  • interactive user shell
  • remote ssh access in initrd
  • cryptsetup + custom password agent
The mkinitcpio-systemd-tool package requires the systemd hook. For more information, be sure to read the project's README as well as the provided default systemd service unit files to get you started.
The recommended hooks are: base autodetect modconf block filesystems keyboard fsck systemd systemd-tool.

Remote unlocking (hooks: netconf, dropbear, tinyssh, ppp)

Another package combination providing remote logins to the initcpio is mkinitcpio-netconf (AUR) and/or mkinitcpio-ppp (AUR) (for remote unlocking using a PPP connection over the internet) along with an SSH server. You have the option of using either mkinitcpio-dropbear (AUR) or mkinitcpio-tinyssh (AUR). Those hooks do not install any shell, so you also need to install the mkinitcpio-utils (AUR) package. The instructions below can be used with any combination of the packages above. Where the paths differ, it will be noted.
  1. If you do not have an SSH key pair yet, generate one on the client system (the one which will be used to unlock the remote machine). If you choose to use mkinitcpio-tinyssh, you have the option of using Ed25519 keys.
  2. Insert your SSH public key (i.e. the one you usually put onto hosts so that you can ssh in without a password, or the one you just created and which ends with .pub) into the remote machine's /etc/dropbear/root_key or /etc/tinyssh/root_key file.
    Tip: This method can later be used to add other SSH public keys as needed; In the case of simply copying the content of the remote's ~/.ssh/authorized_keys, be sure to verify that it only contains keys you intend to be using to unlock the remote machine. When adding additional keys, regenerate your initrd as well using mkinitcpio. See also Secure Shell#Protection.
  3. Add the netconf, dropbear (or tinyssh) and encryptssh hooks before filesystems within the "HOOKS" array in /etc/mkinitcpio.conf (encryptssh replaces the encrypt hook). Then rebuild the initramfs image.
    Note: The net hook provided by mkinitcpio-nfs-utils is not needed.
  4. Configure the required cryptdevice= parameter and add the ip= kernel command-line parameter to your bootloader configuration with the appropriate arguments. For example, if the DHCP server does not assign a static IP to your remote system, making it difficult to access via SSH across reboots, you can explicitly state the IP you want to be using:
    ip=192.168.1.1:::::eth0:none
    Note: As of version 0.0.4 of mkinitcpio-netconf, you can nest multiple ip= parameters in order to configure multiple interfaces. You cannot mix this with a bare ip=dhcp; use the form ip=:::::eth0:dhcp instead, because an interface always needs to be specified.
    ip=ip=192.168.1.1:::::eth0:none:ip=172.16.1.1:::::eth1:none
    For a detailed description have a look at the according mkinitcpio section. When finished, update the configuration of your bootloader.
  5. Finally, restart the remote system and try to ssh to it, explicitly stating the "root" username (even if the root account is disabled on the machine, this root user is used only in the initrd for the purpose of unlocking the remote system). If you are using the mkinitcpio-dropbear package and you also have the openssh package installed, then you most probably will not get any warnings before logging in, because it converts and uses the same host keys openssh uses (except Ed25519 keys, which dropbear does not support). In case you are using mkinitcpio-tinyssh, you have the option of installing tinyssh-convert (AUR) or tinyssh-convert-git (AUR) so you can use the same keys as your openssh installation (currently only Ed25519 keys). In either case, you should have run the ssh daemon at least once, using the provided systemd units, so the keys can be generated first. After rebooting the machine, you should be prompted for the passphrase to unlock the root device. Afterwards, the system will complete its boot process and you can ssh to it as you normally would (with the remote user of your choice).
Tip: If you would simply like a nice solution to mount other encrypted partitions (such as /home) remotely, you may want to look at this forum thread.
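A mistyped ip= parameter only shows up as an unreachable initramfs on the next reboot, so it pays to check it before updating the bootloader. The following is an added example (not from the wiki or from mkinitcpio-netconf) that parses the ip= parameter from step 4 in both its single and nested forms and flags the pitfalls the notes above describe: no interface named, a udev-style device name instead of a kernel one, and a static configuration without an address. The field order client:server:gateway:netmask:hostname:device:autoconf and the autoconf keywords follow the kernel's ip= syntax.

```python
import ipaddress
import re

FIELDS = ("client", "server", "gateway", "netmask", "hostname", "device", "autoconf")
AUTOCONF = {"", "off", "none", "on", "any", "dhcp", "bootp", "rarp", "both"}
# Predictable udev names (enp1s0, wlp2s0, ...) do not exist in the initramfs.
UDEV_NAME = re.compile(r"^(en|wl|ww)[opsx]")


def parse_ip_param(param):
    """Turn 'ip=...' (possibly nested 'ip=ip=A:ip=B') into per-interface dicts."""
    value = param[3:] if param.startswith("ip=") else param
    entries = []
    for chunk in value.split(":ip="):
        if chunk.startswith("ip="):
            chunk = chunk[3:]
        if chunk in AUTOCONF:               # bare 'ip=dhcp' style, no device
            entries.append(dict(zip(FIELDS, [""] * 6 + [chunk])))
            continue
        parts = chunk.split(":")
        parts += [""] * (len(FIELDS) - len(parts))  # allow trailing fields to be omitted
        entries.append(dict(zip(FIELDS, parts[:len(FIELDS)])))
    return entries


def check_ip_param(param):
    """Return a list of problems; an empty list means the parameter looks usable."""
    problems = []
    entries = parse_ip_param(param)
    for e in entries:
        dev = e["device"]
        if not dev:
            problems.append("an interface must be named, e.g. ip=:::::eth0:%s"
                            % (e["autoconf"] or "dhcp"))
            continue
        if UDEV_NAME.match(dev):
            problems.append("%s looks like a udev name; use the kernel name (e.g. eth0)" % dev)
        if e["autoconf"] not in AUTOCONF:
            problems.append("%s: unknown autoconf value %r" % (dev, e["autoconf"]))
        if e["autoconf"] in ("none", "off") and not e["client"]:
            problems.append("%s: static configuration needs a client IP" % dev)
        for field in ("client", "server", "gateway", "netmask"):
            if e[field]:
                try:
                    ipaddress.ip_address(e[field])
                except ValueError:
                    problems.append("%s: %s %r is not an IP address" % (dev, field, e[field]))
    devices = [e["device"] for e in entries if e["device"]]
    if len(set(devices)) < len(devices):
        problems.append("the same interface is configured more than once")
    return problems
```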

Remote unlock via wifi (hooks: build your own)

The net hook is normally used with an ethernet connection. In case you want to setup a computer with wireless only, and unlock it via wifi, you can create a custom hook to connect to a wifi network before the net hook is run.
The example below shows a setup using a USB wifi adapter, connecting to a wifi network protected with WPA2-PSK. If you use, for example, WEP or another boot loader, you might need to change some things.
  1. Modify /etc/mkinitcpio.conf:
    • Add the needed kernel module for your specific wifi adapter.
    • Include the wpa_passphrase and wpa_supplicant binaries.
    • Add a hook wifi (or a name of your choice, this is the custom hook that will be created) before the net hook.
      MODULES="module"
      BINARIES="wpa_passphrase wpa_supplicant"
      HOOKS="base udev autodetect ... wifi net ... dropbear encryptssh ..."
  2. Create the wifi hook in /etc/initcpio/hooks/wifi:
    run_hook ()
    {
     # sleep a couple of seconds so wlan0 is setup by kernel
     sleep 5
    
     # set wlan0 to up
     ip link set wlan0 up
    
     # associate with wifi network
     # 1. save temp config file
     wpa_passphrase "network ESSID" "pass phrase" > /tmp/wifi
    
     # 2. associate
     wpa_supplicant -B -D nl80211,wext -i wlan0 -c /tmp/wifi
    
     # sleep a couple of seconds so that wpa_supplicant finishes connecting
     sleep 5
    
     # wlan0 should now be connected and ready to be assigned an ip by the net hook
    }
    
    run_cleanuphook ()
    {
     # kill wpa_supplicant running in the background
     killall wpa_supplicant
    
     # set wlan0 link down
     ip link set wlan0 down
    
     # wlan0 should now be fully disconnected from the wifi network
    }
  3. Create the hook installation file in /etc/initcpio/install/wifi:
    build ()
    {
     add_runscript
    }
    help ()
    {
     cat <<HELPEOF
    Enables wifi on boot, for dropbear ssh unlocking of disk.
    HELPEOF
    }
  4. Add ip=:::::wlan0:dhcp to the kernel parameters. Remove ip=:::::eth0:dhcp so it does not conflict.
  5. Optionally create an additional boot entry with kernel parameter ip=:::::eth0:dhcp.
  6. Regenerate the initramfs image.
  7. Update the configuration of your boot loader.
Remember to set up wifi in the booted system as well, so you are able to log in once the system is fully booted. If you are unable to connect to the wifi network, try increasing the sleep times a bit.

AS&E - MINI Z

Tuesday, August 8, 2017

I'm back... Snowden had little level of access to information. Couldn't plug in nothing, bring nothing inside... couldn't keystroke nothing... my wild guess... he sent a link through the internal chatroom... OR

How to add HTTP headers to a packet sniffed using Scapy

If I understand correctly, the problem you're having is that you want to update an existing HTTP request with a new header. What you want is to update a string in place, which Python can't do directly (strings are immutable).
So what you should do is take the HTTP header:
old_hdr = str(pkt[Raw].load)   # or: str(pkt[TCP].payload)
and manipulate it like a string:
new_hdr = 'New Header: value'
hdr = old_hdr.split('\r\n') # This is a crappy hack. Parsing HTTP headers
hdr.insert(2, new_hdr)      # is a [solved problem][1]. (list.insert takes index first)
send_hdr = '\r\n'.join(hdr)
pkt[Raw].load = send_hdr    # replace the payload in place
del pkt[IP].len             # the payload grew, so let Scapy recompute the IP length
If you find checksums are not updating, delete them before sending the packet:
del pkt[TCP].chksum
and Scapy will put them back for you, with the right values.
Edit: I just noticed that my link is broken. Here is how to parse HTTP headers.

Trump tariffs ( how this 145% @ChinaEmbPt answer back 2 @realDonaldTrump will hike the americans householders tax payments, in more than 1010%)

  https://www.realtor.com/news/trends/trump-tariffs-china-mortgage-rate-housing/