michael_kent123
Active Members, 96 posts

Everything posted by michael_kent123

  1. Thanks! Another basic question: is PowerShell automatically invoked on Windows 7 and 8 machines? It strikes me that the ducky scripts are invariably dependent on it working.
  2. This is an incredibly basic question. How do I copy .bin files to the micro SD card? My understanding is that I copy the .bin to the SD card then insert the SD card into the rubber ducky. I cannot insert the SD card directly into my laptop as there is no port for mini SD cards. I thought that an adapter came with the ducky? Also, what does the image #4 here https://hakshop.myshopify.com/collections/usb-rubber-ducky/products/usb-rubber-ducky-delux show? It is the photo where the ducky is placed into the larger black object. Is this the adapter? If so, how is it supposed to work? If I put the SD card into the ducky then put it in the USB port, the light flashes green and the introductory text scrolls across the screen. That part clearly works. Thanks.
  3. How similar are the commands for Windows (PowerShell), Mac, Android, etc.? In other words - once you've learnt one OS, have you more or less learnt the other OSs? Title doesn't make sense as I edited the message body.
  4. Let's imagine a hypothetical scenario. Bob is sitting in a cafe arpspoofing and sslstripping. He has checked his configuration and logs and everything works properly. The cafe is using a standard home router (192.x.x.x) to provide its customers with internet access. In his logfile he sees various POST and SECURE POST entries which sometimes have username / password combinations. However, he is perplexed. This is because he knows that there are plenty of people around him logging into webmail (and thus generating POST or SECURE POST requests) yet his logfile does not show these entries. This is, presumably, because at the exact moment that the target entered the POST request, the target's ARP cache was showing the real router's IP address rather than the attacker's IP address pretending to be the router. Two questions: First, is it possible to be too near to another computer and hence somehow their ARP cache will not be updated with the attacker's IP? Or does the success or failure of arpspoofing in no way depend on the attacker's distance from the target? Second, is there a way to speed up the ARP poisoning? If success or failure is dependent on whether or not the attacker's IP is in the target's ARP cache, then I would have thought (perhaps incorrectly) that sending more frequent ARP packets would be the solution. I know, from Wireshark logs, that arpspoof sends out ARP requests every 2 seconds. Why can't it (or any other similar tool) send out packets every 0.5 seconds (for example)? Opinions? Thanks.
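The behaviour post 4 describes (the victim's ARP cache flipping between the real router and the impostor) is exactly what a defender on the same LAN can detect. This is an added example, not from the post or any tool it names: the ARP replies are constructed sample data, and the two functions flag a gateway IP answered by more than one MAC and measure how much of the capture window the cache would have pointed at the rogue MAC.

```python
"""Detect ARP-cache poisoning of a gateway from observed ARP replies.

Added example, not from the original post. Input records are constructed:
(seconds since capture start, sender IP, sender MAC)."""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"
ROUTER_MAC = "aa:bb:cc:00:00:01"   # constructed: the real router
ROGUE_MAC = "de:ad:be:ef:00:99"    # constructed: host claiming to be the router

SAMPLE_ARP_REPLIES = [
    (0.0, GATEWAY_IP, ROUTER_MAC),
    (2.0, GATEWAY_IP, ROGUE_MAC),      # unsolicited reply at a fixed ~2 s cadence
    (2.5, GATEWAY_IP, ROUTER_MAC),     # a genuine reply wins the cache back
    (3.0, "192.168.1.50", "aa:bb:cc:00:00:50"),
    (4.0, GATEWAY_IP, ROGUE_MAC),
    (6.0, GATEWAY_IP, ROGUE_MAC),
]

def mac_flaps(replies, min_flips=2):
    """IPs whose sender MAC changed at least min_flips times -> MACs seen.
    One IP (especially the gateway) answered by two MACs is the classic signature."""
    last_mac, flips, seen = {}, defaultdict(int), defaultdict(list)
    for _, ip, mac in sorted(replies):
        if ip in last_mac and last_mac[ip] != mac:
            flips[ip] += 1
        if mac not in seen[ip]:
            seen[ip].append(mac)
        last_mac[ip] = mac
    return {ip: seen[ip] for ip, n in flips.items() if n >= min_flips}

def poisoned_fraction(replies, ip, rogue_mac):
    """Share of the capture window during which the most recent reply for ip
    came from rogue_mac (a cache keeps whichever reply arrived last). The rest
    of the time traffic still reaches the real gateway, which is why an
    interceptor logs only some of a victim's requests."""
    events = sorted((t, m) for t, i, m in replies if i == ip)
    if len(events) < 2:
        return 0.0
    poisoned = 0.0
    for (t0, m0), (t1, _) in zip(events, events[1:]):
        if m0 == rogue_mac:
            poisoned += t1 - t0
    return poisoned / (events[-1][0] - events[0][0])

if __name__ == "__main__":
    print(mac_flaps(SAMPLE_ARP_REPLIES))
    print(round(poisoned_fraction(SAMPLE_ARP_REPLIES, GATEWAY_IP, ROGUE_MAC), 3))
```

Fed from a live capture (for example ARP records exported from Wireshark), the same two checks give a LAN owner an alert and a measure of how long the gateway entry was wrong.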
  5. I have a question about malicious PDFs (or, for that matter, malicious DOC or JPG files). Metasploit has a number of "fileformat" exploits. These create a PDF, DOC, or JPG file which also contains a payload. The file is opened on the target machine and then the payload is executed. This does, of course, assume that it's not detected. The payload is some kind of a shell from the Metasploit suite. However, I can see one major issue. When setting up the fileformat exploit, you need to provide your IP (the LHOST value). That could be your IP or a VPN IP which forwards to your internal IP. This is the address where the listener lives on the attacker's system. The IP needs to be static. If it changes then the payload will not connect to the attacker's listener. (The same is true of tools like Metasploit persistence - you need to set your IP for it to connect to). The issue here is that the victim is connecting to you (reverse shell) and hence it needs your static IP. IPs can change for any number of reasons. Perhaps the router dies. Or you turn off the computer. As I understand it, Remote Administration Tools (RATs) work differently because they use dynamic DNS. Therefore, it is irrelevant whether the attacker's IP has changed because the RAT on the victim will always query the dynamic DNS database to get the latest IP of the attacker. My question: Given the above, is it possible to have a RAT which is placed into a PDF or DOC or JPG (like a fileformat program)? If so, how? My impression is that the Metasploit fileformat options only allow a Metasploit payload to be placed into the file. This would a) allow the RAT to use dynamic DNS and b) mean that it could be crypted to make it more UD (my impression is that Metasploit payloads are easily detectable). As a side query - I assume that all pen-testers must use static IPs otherwise their Metasploit reverse shells would not work. Yes? Thanks!
  6. It's a pre-recorded show so it's not live. There's just no "save as" or an equivalent.
  7. Here is a radio show that one can listen to online: http://www.bbc.co.uk/programmes/p01crsln It opens in a pop-up window ("listen in pop-out player"). Can it be downloaded and, if so, how? Thanks!
  8. It seems to me from reading various pen-testing guides that there is a 'standard' approach to hacking a system which goes something like this: Identify the target IP range (from WHOIS). Scan all IPs (nmap, etc). Use a vulnerability scanner (maybe). Use Metasploit / Medusa (to target a specific port on a specific IP). This approach targets the network layer rather than the web. However, I wonder whether this approach works in practice. Let's imagine that there is an academic institution with the IP range (I am making this up) 120.120.1.0 to 120.120.255.255. I use academia as an example as universities have many outward-facing IP addresses. Let's call it University X (original, I know). What you (the pen-tester) want to achieve is to gain access to users' e-mail. You want to be able to read people's e-mail. This could occur via valid username / password credentials (and login via the web interface e.g. Outlook / Windows Live) or it could happen through some kind of access to the mail server (IMAP / POP) itself. Assume that all you have is the IP range. What would you do? Would you follow the 'standard' model? Anything technical (no social engineering) is permitted. I am wondering whether what the guides say is truly how it would be done. Thanks!
  9. I see. So, the point is, that it's assumed that if one has access to the SSH server then one is legitimately able to manage whatever the server re-directs the user to. Medusa also has modules for a variety of services. Some of these are obvious like FTP, Telnet, and VNC. But I'm not sure how you would use HTTP. The manual says: The HTTP module tests accounts against HTTP/HTTPS services using BASIC-AUTH, integrated windows authentication (NTLM) and digest (MD5 and MD5-sess). I don't really understand this. How does one 'log in' to HTTP? Thanks.
  10. I understand how SSH servers work - they provide a tunnel between the client and the final destination. All traffic between the client and the SSH server is encrypted. However, I'm not sure what the advantages would be in hacking someone else's SSH server? I ask because you have the option to target SSH in the Medusa brute force program. Thanks!
  11. I have never been able to understand what 0.0.0.0 means. How does it differ from 127.0.0.1? Please do not be too technical! Thanks!
  12. But surely my ARP packets would be competing with the 'real' router's packets. I am saying from a mile away that I am the router but the router itself is a few feet away. Wouldn't that matter?
  13. OK, but let's say that 1 mile away was an unsecured home router. Now if you were next door you could connect to it, then use ARP spoof to be the MITM, then use SSLStrip (for example). Could the equivalent occur from 1 mile away? You might be able to connect to them but would your ARP requests be successful due to your distance away? Or would this be totally irrelevant?
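The difference matters for exposure: a service bound to 127.0.0.1 answers only this machine, while one bound to 0.0.0.0 answers on every address the machine has. This added example (not from the post) shows that with two short sockets; it assumes Linux, where every address in 127.0.0.0/8 is loopback, so 127.0.0.2 stands in for "another address this host owns".

```python
"""0.0.0.0 ("every local address") versus 127.0.0.1 ("this host only").

Added example, not from the original post. Assumes Linux, where 127.0.0.2 is a
second loopback address that a 127.0.0.1-only listener will not answer."""
import socket

def reachable(bind_addr, connect_addr):
    """Listen on bind_addr (kernel-chosen port) and report whether a client
    dialling connect_addr on that port gets a completed TCP connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))          # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(1.0)
    try:
        cli.connect((connect_addr, port))
        return True
    except OSError:                   # ECONNREFUSED: nothing listens on that address
        return False
    finally:
        cli.close()
        srv.close()

def exposure_report():
    """Same port, three bindings: only 0.0.0.0 is reachable via the other address."""
    return {
        "127.0.0.1 listener, client via 127.0.0.1": reachable("127.0.0.1", "127.0.0.1"),
        "127.0.0.1 listener, client via 127.0.0.2": reachable("127.0.0.1", "127.0.0.2"),
        "0.0.0.0 listener, client via 127.0.0.2": reachable("0.0.0.0", "127.0.0.2"),
    }

if __name__ == "__main__":
    for case, ok in exposure_report().items():
        print(f"{case}: {'reachable' if ok else 'refused'}")
```

The practical rule for a home router or any admin service follows directly: bind management interfaces to the LAN address (or loopback), not to 0.0.0.0.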
  14. Just to clarify that - in this case - I am not a MITM. I am using mon0 to sniff cookies from unsecured wireless.
  15. Thanks for the in-depth response. Another thing I don't understand is that when I login to Facebook some of the cookies are not session cookies. For example the "datr" cookie expires two years hence. Yet when I sniff and inject the cookies the "datr" cookie expires at the end of session. More about "datr": http://www.rafayhackingarticles.net/2011/07/facebook-cookie-stealing-and-session.html
  16. It's pretty obvious that these pages should not show what they show: http://myview.brighton.ac.uk/ http://draco.bton.ac.uk/ They are just placeholders for webservers. But what do they mean - if anything - from a security perspective?
  17. So anyone who purchases an antenna as the OP plans to do would then have access to presumably hundreds of wifi networks which would suddenly become in range? Or is there something I am missing here? And what is "transmitting over spec"? Thanks!
  18. Is it possible to change session cookies into non-session cookies using a cookie editor which modifies the expiry date from "at end of session" to a date in the future? If, for example, someone was sniffing cookies on an unsecured wireless network, then these cookies would only work for the attacker while the genuine user was logged into his webmail or Facebook or whatever. As soon as he logs out then the cookies are voided. I experimented with this on my network. I logged into Facebook on one machine. On another machine I sniffed. I then logged out on the first machine. I used the cookies in Wireshark and imported them into Firefox. I then edited their expiry dates and tried to login. However, I just was sent to the welcome page - because the genuine user had logged out. So, I wonder, is there a way to use sniffed session cookies to login even if the genuine user has already logged out?
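Posts 15 and 18 both come down to the same two facts: a session's validity lives in the server's session store, not in the cookie's Expires attribute, and a Cookie request header never carries Expires at all. This added example (not from the posts, and not Facebook's code) shows both with a minimal server-side session store and a constructed Set-Cookie / Cookie pair; the "datr" name is reused from post 15, the values are made up.

```python
import secrets
from http.cookies import SimpleCookie

class SessionStore:
    """Server side. The cookie value is only a lookup key; validity lives here."""
    def __init__(self):
        self._sessions = {}                      # session id -> user name

    def login(self, user):
        sid = secrets.token_urlsafe(16)          # unguessable id issued at login
        self._sessions[sid] = user
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)            # invalidates every copy of the cookie

    def whoami(self, sid):
        return self._sessions.get(sid)           # None -> "welcome page"

def replay_after_logout():
    """A copy of the session cookie works only while the server still knows the id."""
    store = SessionStore()
    sid = store.login("alice")                   # constructed user
    copied = sid                                 # the value a sniffer would capture
    before = store.whoami(copied)
    store.logout(sid)
    after = store.whoami(copied)                 # client-side expiry cannot change this
    return before, after

def expiry_sent_by_server(set_cookie_header, name):
    """Expires attribute from a Set-Cookie response header ('' = session cookie)."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return jar[name]["expires"]

def expiry_seen_on_the_wire(cookie_request_header):
    """A Cookie request header carries only name=value pairs, never Expires, so a
    cookie rebuilt from a sniffed request defaults to end-of-session."""
    jar = SimpleCookie()
    jar.load(cookie_request_header)
    return {name: morsel["expires"] for name, morsel in jar.items()}

# Constructed headers: what the server sent, and what later crossed the wire.
SET_COOKIE = "datr=abc123; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/"
REQUEST_COOKIE = "datr=abc123; c_user=42"

if __name__ == "__main__":
    print(replay_after_logout())
    print(expiry_sent_by_server(SET_COOKIE, "datr"))
    print(expiry_seen_on_the_wire(REQUEST_COOKIE))
```

The defensive corollary is that invalidating the session id server-side on logout (as this store does) is what limits the damage of a sniffed cookie, together with the Secure flag so the cookie never crosses plain HTTP in the first place.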
  19. I am not sure that this is possible but this is what I want to do. I have a .sqlite file which contains cookies. This was not created by Firefox but by Cookie Cadger (https://www.cookiecadger.com/ and ). I want to import the .sqlite file into Firefox 18.0.1 so that the cookies are loaded. I have renamed the file cookies.sqlite and placed it in the ~/.mozilla/firefox/nameoffirefox/ directory (after deleting the existing cookies* files). However, it just gets overridden by the 'real' cookies.sqlite file when Firefox starts. Is there a way to load the sqlite file (or, more importantly, the cookies in it)? Thanks.
  20. OK. Did it. The solution was to use airmon-ng start wlan0 then sudo -jar CookieCadger.jar (rather than clicking the icon).
  21. I am trying to use Cookie Cadger: https://www.cookiecadger.com/ It requires an interface to be set in monitor mode. I have never had a problem with this before. I use sudo airmon-ng start wlan0 which creates mon0. I now have the wlan0 in managed mode plus:

      mon0      IEEE 802.11bgn  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm
                Retry  long limit:7   RTS thr:off   Fragment thr:off
                Power Management:off

      However, when I run the Cookie Cadger .jar file:

      tshark: there are no interfaces on which a capture can be done.
      Capture device search complete with 0 devices found.

      I found a guide to Cookie Cadger here (https://ctrlaltnarwhal.wordpress.com/2012/11/04/using-cookie-cadger-for-live-packet-capture/) which also provides some different ways of using monitor mode (https://ctrlaltnarwhal.wordpress.com/2012/11/02/cookie-cadger-is-free-but-how-do-i-use-it/). It suggests sudo iwconfig wlan0 mode monitor. However, if wlan0 is in use (connected to the network I want to sniff) I get:

      sudo iwconfig wlan0 mode monitor
      Error for wireless request "Set Mode" (8B06) :
          SET failed on device wlan0 ; Device or resource busy.

      So I sudo ifconfig wlan0 down then sudo iwconfig wlan0 mode monitor then sudo ifconfig wlan0 up. I then iwconfig and get:

      wlan0     IEEE 802.11bgn  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm
                Retry  long limit:7   RTS thr:off   Fragment thr:off
                Power Management:on

      But when I load the .jar file I get the same error as before. Does anyone have any ideas how I can successfully use this program? I can put wlan0 and mon0 in monitor mode but, for whatever reason, Cookie Cadger does not find them. Or maybe I am missing something obvious and just can't see it? Many thanks!
  22. Here is what I get when I use nmap -A to my IP when outside my network. This is with telnet, ftp, snmp, dns, and http deliberately open and with Unphp on.

      Not shown: 996 filtered ports
      PORT     STATE SERVICE    VERSION
      80/tcp   open  http-proxy Tinyproxy 1.6.2
      |_http-methods: No Allow or Public header in OPTIONS response (status code 400)
      | http-open-proxy: Potentially OPEN proxy.
      |_Methods supported: CONNECTION
      443/tcp  open  ssl/http   Boa HTTPd 0.93.15
      | ssl-cert: Subject: commonName=phc.prontonetworks.com/organizationName=Pronto Networks.Inc/stateOrProvinceName=California/countryName=US/localityName=Pleasanton
      | Issuer: commonName=Trustwave Organization Validation CA, Level 2/organizationName=Trustwave Holdings, Inc./stateOrProvinceName=Illinois/countryName=US/emailAddress=ca@trustwave.com/localityName=Chicago
      | Public Key type: rsa
      | Public Key bits: 2048
      | Not valid before: 2012-12-13 17:17:30
      | Not valid after:  2015-12-14 18:02:43
      | MD5:   b2dd 0fdb 27da a917 20a0 7118 f079 26db
      | SHA-1: 02f2 8772 79d6 1946 a4a3 757b 437b dc89 1c49 16a1
      | -----BEGIN CERTIFICATE-----
      |[cut]
      -----END CERTIFICATE-----
      |_http-methods: No Allow or Public header in OPTIONS response (status code 400)
      | http-title: 302 Moved Temporarily
      |_
      8080/tcp open  http-proxy Tinyproxy 1.6.2
      |_http-methods: No Allow or Public header in OPTIONS response (status code 400)
      | http-open-proxy: Potentially OPEN proxy.
      |_Methods supported: CONNECTION
      8443/tcp open  http-proxy Tinyproxy 1.6.2
      | http-open-proxy: Potentially OPEN proxy.
      |_Methods supported: CONNECTION

      PORT     STATE    SERVICE VERSION
      21/tcp   filtered ftp
      23/tcp   filtered telnet
      7547/tcp filtered unknown

      PORT     STATE         SERVICE VERSION
      53/udp   open          domain  ISC BIND 9.7.1-P2
      |_dns-recursion: Recursion appears to be enabled
      | dns-nsid:
      |_  bind.version: 9.7.1-P2
      161/udp  open|filtered snmp
      |_snmp-win32-shares: TIMEOUT
      7547/udp open|filtered unknown

      I've turned off all methods except for HTTP (so I can access the router on 192.168.1.1). In the past when I turned off HTTP access I then could not access the router via 192.168.1.1 to turn it on! My "server access" options are: LAN, LAN / WAN, WAN, Disable. I don't quite understand what the difference is between the first three options. The results above come from LAN. What, in your opinion, would be the most secure setup? Would you suggest I use an external DNS rather than have port 53 open (and hence use my ISP's DNS)? I would like access to the router (when connected to my home network). What would you say is the best method? Currently I have HTTP and DNS set to LAN with FTP, Telnet, and SNMP set to Disable. I am going to try again next week with everything locked down and post my results again. Thanks!
  23. I know you can login to Yahoo (https://login.yahoo.com/config/login_verify2?&.src=ym) with Gmail or Facebook OpenID. However, to the best of my knowledge it is not possible to login to Gmail, Hotmail, or Facebook with OpenID (Facebook used to do it but it never really worked and it appears to have been discontinued). I know you can login to other websites with your Gmail OpenID. What I am, however, wondering is if there is a way to login to Gmail, Hotmail or Facebook in the same way as you can login to Yahoo - that is with the OpenID of another account?
  24. Thanks for the advice. I was scanning my external IP but from inside the network. From what people have said this will not necessarily show the same information as when scanning externally. I'll scan the external IP tomorrow but from outside the network. Here is what I don't understand. Let's say that someone did break in. What could they actually do? They would telnet or netcat to my router and login. Then could they install software e.g. sslstrip? What would an attacker actually do in your opinion?
  25. Here are my updated nmap scans:

      PORT     STATE SERVICE VERSION
      21/tcp   open  ftp?
      |_ftp-bounce: no banner
      23/tcp   open  telnet?
      80/tcp   open  http    Allegro RomPager 4.07 UPnP/1.0 (ZyXEL ZyWALL 2)
      | http-methods: GET HEAD POST PUT
      | Potentially risky methods: PUT
      |_See http://nmap.org/nsedoc/scripts/http-methods.html
      |_http-generator: GoLive CyberStudio 3
      |_http-title: .:: ::.
      7547/tcp open  http    Allegro RomPager 4.07 UPnP/1.0 (ZyXEL ZyWALL 2)
      |_http-title: Object Not Found
      | http-methods: GET HEAD POST PUT
      | Potentially risky methods: PUT
      |_See http://nmap.org/nsedoc/scripts/http-methods.html
      53/udp   open  domain  ISC BIND (Fake version: Nominum Vantio 5.2.0.1)
      |_dns-recursion: Recursion appears to be enabled
      | dns-nsid:
      |_  bind.version: Nominum Vantio 5.2.0.1
      161/udp  open|filtered snmp
      |_snmp-win32-shares: TIMEOUT
      7547/udp open|filtered unknown
      Too many fingerprints match this host to give specific OS details

      As I understand it, if users (hackers) scan dynamic IP addresses with nmap then they are likely to find some home routers. They can then connect via telnet and try default passwords, brute force with hydra, etc. But what can they do even if they find the password (or if none is set)? In other words: what is the point of remotely gaining access to someone's home router?
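The "most secure setup" question in posts 22 and 25 can be answered from the scan output itself: each finding the scans show (open proxy, PUT on the admin interface, open DNS recursion, plain-text telnet/ftp on the WAN) maps to one setting to lock down. This added example (not from the posts, and not an nmap feature) parses a constructed excerpt condensed from the quoted output and turns those findings into an exposure report; the rule texts are the editor's, not nmap's.

```python
import re

# Constructed excerpt condensed from the nmap -A output quoted in posts 22 and 25.
SAMPLE_NMAP = """\
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp?
23/tcp   open  telnet?
80/tcp   open  http-proxy Tinyproxy 1.6.2
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: CONNECTION
7547/tcp open  http       Allegro RomPager 4.07 UPnP/1.0 (ZyXEL ZyWALL 2)
| http-methods: GET HEAD POST PUT
|_Potentially risky methods: PUT
53/udp   open  domain     ISC BIND 9.7.1-P2
|_dns-recursion: Recursion appears to be enabled
161/udp  open|filtered snmp
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_ports(text):
    """Group each port line with the NSE script lines ("| ...") that follow it."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m[1]), "proto": m[2], "state": m[3],
                          "service": m[4], "version": m[5], "scripts": []})
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports

def _script_text(p):
    return " ".join(p["scripts"])

# (predicate on a parsed port, why it matters when the router's WAN side answers)
RULES = [
    (lambda p: "OPEN proxy" in _script_text(p),
     "open HTTP proxy: anyone on the internet can relay traffic through the router"),
    (lambda p: "risky methods: PUT" in _script_text(p),
     "PUT accepted by the admin web interface: restrict it to the LAN"),
    (lambda p: "Recursion appears to be enabled" in _script_text(p),
     "open recursive DNS: usable for amplification; answer LAN queries only"),
    (lambda p: p["state"] == "open" and p["service"].rstrip("?") in ("telnet", "ftp"),
     "plain-text admin service on the WAN: disable it, or set it to LAN"),
]

def triage(text):
    """Return [(port/proto, reason)] for every port that trips a rule."""
    return [(f'{p["port"]}/{p["proto"]}', why)
            for p in parse_ports(text) for pred, why in RULES if pred(p)]
```

Run against a scan taken from outside the network, an empty report is the goal; with the poster's "LAN" setting for HTTP and DNS and "Disable" for the rest, none of these rules should fire.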