
Posts

Showing posts from 2015

Mobile Forensics with NowSecure

NowSecure has a nifty Community edition tool VM that can be used to extract lots of data from Android devices and iPhones too. All that is required is to register for the Community edition, after which you receive an activation key that you use to activate the NowSecure forensics tool. You will also get the download link for the VM, which contains the said tool among other forensic tools. The tool returns browser history, accounts on the device, wifi history, contacts and a host of other information that you may or may not have been aware of. It also has an option to download media files such as videos, images and audio files, though including them will definitely take more time. You should also ensure that the phone has USB debugging enabled. However, for some Android flavors, the lock screen can also be unlocked from within the tool itself. This is strictly for educational purposes only. Video Demo

MSFVenom Generation of a RAT for Android

This is very similar to the previous post on generation of RATs for Windows, with the main difference being the platform and what you can do. This demo basically highlights the risks of downloading third party apps from untrusted websites. The apps you download may actually contain malicious payloads that can potentially download your contacts, messages, call logs, take videos with your phone camera as well as photos without your knowledge. In addition to that, you must be vigilant when checking the permissions apps require from you upon installation (though this mainly applies to pre-Marshmallow flavors of Android). The knowledge imparted here is strictly for educational purposes only.

Part 4 - Static and Dynamic analysis of a Remote Access Trojan

Now we delve into the world of malware analysis. This can be either basic static, basic dynamic, advanced static or advanced dynamic malware analysis. By static we mean we do not execute the malicious program but simply analyse it by looking at the headers, the linked libraries it calls, its resources, etc. Advanced static analysis would mean breaking it down and analysing it with tools such as IDA Pro. Dynamic means we run it in a safe environment and see what it does. Basic tools include Regshot, which simply takes a snapshot of the registry before and after the malware is executed and then returns only the changes made between those two points in time. Advanced dynamic analysis would involve the use of a sandbox that monitors all the calls the malware makes as well as the connection attempts it makes to outside hosts or C&C servers. The video below illustrates basic static and dynamic malware analysis.

Part 3 - Memory Forensics and Malware Extraction with Volatility and DumpIt

Considering the threats highlighted in the previous posts, there definitely have to be ways for users to keep themselves safe besides keeping their antivirus software updated, first checking whether a program is malicious via Virustotal before installing it, or submitting it to malwr.com, which uses the Cuckoo sandbox. The operation of the Cuckoo sandbox was demonstrated in one of the earlier posts on this blog as part of a tool that extracts malware embedded within pictures and scans it. The video below shows how to use the Volatility framework, which is actually a memory forensics tool. It is used in partnership with a "RAM dumping" tool, or basically a tool that takes a snapshot of the RAM in a targeted computer. For our case, we used DumpIt in the video below. A forensic investigator could have this on a USB drive, connect it to the evidence workstation and then download the RAM dump onto the USB. DumpIt saves the...

Part 2 - Packing a RAT with UPX/Packers

Typically after a malware developer has created a malicious payload (for example using the steps mentioned in the post about generating a RAT with MSFVenom) they test whether that malicious program can be detected by antivirus software. Enter Virustotal. This is a website that can be used for both positive and negative means (as is the case with all forms of education). Bad actors can use Virustotal to test their payloads to see if they can be detected by the most popular antivirus software on the market. Regular users can use it to check whether a tool or software they want to run on their computer is malicious or not. How to do this is also illustrated in the video below. In most cases malware analysts use it for static analysis of potentially malicious programs. There are a number of ways that antivirus software works, but the one method that bad actors try to combat in this scenario is signature-based analysis. By this, a hash...

Part 1 - Remote Access Trojan Generation with MSFVenom

In the past there were msfpayload and msfencode, which served the purpose of creating a malicious payload under the Metasploit framework. However, like all good things, they needed an upgrade and ended up being combined into msfvenom (feisty sounding name). So basically msfvenom allows pentesters to create a payload and then encode it with their selected encoder without having to pass the generated msfpayload output to msfencode. This makes for a more compact framework with the integration of these modules. The video below shows a demonstration of how to create a remote access trojan (RAT) that is attached to a functional calculator.exe program. In most cases, when we do not have our own executable to attach the malicious code to, we end up using the Metasploit templates, which are known to most antiviruses. It's quite simple to download the calculator.exe program from the internet (or any specific executable file the pentester wishes to use). Please note that this tutorial a...

Sniffing images with ettercap and Driftnet

This video tutorial is on how to sniff images from a target's logged-in session using Ettercap in coordination with Driftnet. This is for educational purposes only.

Installing and Configuring IP Addresses and SSH on Vyatta Routers

This is a tutorial on how to install a Vyatta router and configure it in VMware running on the Windows 8 platform. We will add 2 interfaces to the router as well as set the network configuration for each one respectively.

Creating your own user account on a Target machine

This is a tutorial on how to create a new user account on an XP machine using Metasploit in Kali Linux. The attacker decides on the username and password he wants, and uses the ms08-067 netapi exploit along with the adduser payload for Windows. This video is not to be used for nefarious purposes or any related activities.

Pivoting with Metasploit

This is a tutorial on how to pivot from the attacking Kali Linux machine to a Windows XP machine (victim) through another Windows XP machine. Basically, this makes it seem as though the attack is being orchestrated by the XP host in between the attacker and the target. This can be checked using the netstat command in the Windows shell. The XP host in between will have 2 network interfaces, each on the same network as the attacker and the victim respectively. This video tutorial is not to be used for nefarious purposes or any related activities.

DoS Attack with Ettercap in GUI mode

This attack ensures that when a victim tries to communicate with any other machine, the requests are not completed. This is done through the use of ARP poisoning and port stealing.

Sniffing passwords with Ettercap

This video tutorial is on how to sniff passwords from an unsecured login attempt. The scenario is as follows: you are on the same network as victim A. Victim A wishes to access a website that he has a login account with, e.g. a library site like the one in the video. The main condition for this scenario to work as expected is that victim A should try and log in to the site using unsecured HTTP and not HTTP over SSL (HTTPS). This is for educational purposes only.

Sniffing and Grabbing attachments with Wireshark

This kind of attack only works if the victim/target is using HTTP to connect to their mail server and not HTTPS. In this case, the connection is unsecured! This means we can do packet sniffing without having to do much donkey work. For that, we use Wireshark (which has a great deal of capabilities beyond this alone). It may seem strange that we're attacking our own machine in this scenario, but a little more reading on Wireshark will let you know how this will work. To add to that, for this attack you will also need to have a table of magic numbers at hand, because they will be very useful to you.

Adding Hosts in GNS3 using VPCS

When working with virtualization software, you may come across a piece of software called GNS3. It is quite similar to Packet Tracer, but the biggest difference is the trouble you go through when making the initial configurations. In this video I'm assuming you have already found the Cisco IOS images to mount as routers and you are now faced with the task of adding hosts. Adding hosts in GNS3 is different from the way it is done in Packet Tracer. Very different! :) There are actually 3 ways you can add hosts: (1) using a router as a host and disabling its routing capabilities, (2) using an already available virtual machine in virtualization software such as VMware, or (3) using VPCS. The method shown in the video involves using VPCS. It is an extremely watered-down simulation of a PC (very few tasks) but it gets the job done. For more complex scenarios, it would be better to use the second option.

JoomlaVS video demo

I came across this other tool on kitploit.com as usual, which had the sole purpose of scanning for wordpress vulnerabilities, and I found this utterly fascinating. So I decided to test it out and then also create a video of my excursion. Point to note: one of the Google Dorks to return Joomla sites is: inurl:"com_admin". However, you'll notice that I tried my best to steer clear of targeting any specific site or actually proceeding to do the vulnerability scanning on a live site (lack of permission and what not). As always this knowledge is meant to be used for educational purposes only and not nefarious ones. Developer site. Tool location on github. VIDEO DEMO:

JPEG metadata viewing tool (incl GPS location)

Okay, so the other day I bumped into this tweet, which introduced me to this nifty tool called JPEG snoop by Calvin Hass. [Virustotal Scan Link] It basically allows you to upload an image and check its structure, including the EXIF headers where the image metadata is stored. This also includes GPS location data with the syntax {degrees, minutes, seconds} for the latitude and the longitude reference. You can take this data and plug it into this GPS coordinates site to get the actual location mapped onto Google Maps. A cool project idea would be to integrate the tool and the module on this site to allow users to get the location where a picture was taken at the click of a button, thereby making it much easier for investigators in DFIR to get their job done. *The above shared data/information is only to be used for educational purposes. Demo Video

Tool to view/recover stored wifi passwords and source code analysis

So I was just walking around my space in the cybers (on Twitter to be exact) when I came across this tweet by +KitPloit, one of my more reliable sources of new tools on the penetration testing and vulnerability assessment scene (I am not a hacker of any sort...lol). It mentioned how it was possible to "recover your stored wifi passwords", which my brain translated as "steal someone's wifi passwords", and I decided to check out what sorcery this was by analysing the source code. The code on github by LionSec had just 120 lines in Python and, since it was supposed to work for both Windows and Linux platforms (according to the code, Mac wasn't supported yet), I assumed the section with respect to Windows would be even shorter if you factor in error handling as well. After checking the imports (sys, subprocess) I immediately realised that some system commands would be called from within the script and executed. That also meant that I could easily re...

Completed Demo of the tool

IMP Scanner

The project is comprised of 3 modules:
1. The embedding module, which is written in Ruby
2. The execution/exploiting stage
3. The IMP Scanner, to scan for Images with Malicious Programs (IMP)

For the embedding, the stages are as follows:
1. Generate the malicious program (malp.exe) using msfpayload from Metasploit.
2. Encode the generated program (malp.exe) using msfencode from Metasploit.
3. Obfuscate malp.exe using UPX or any other suitable packer like Themida to make sure it is not detected by antivirus.
4. Embed malp.exe into the selected stego image (stegoimg.jpg) using the F5 algorithm (for transform domain steganography) or Jsteg (for spatial domain steganography). The size of the image should be more than double the size of malp.exe to be safe and to ensure no distortion occurs.
5. Deploy the image to the target machine. There are many possible ways of doing this, including keydrops with a manipulated autorun.inf file to extract malp from the stego image, or passive propagation via an FTP shared folder and then later...