Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing. It is compatible with Bash and Android Shell (tested on Kali Linux and Cyanogenmod 10.2) and uses aircrack-ng to scan for clients that are currently connected to access points (AP). Those clients are then deauthenticated in order to capture the handshake when attempting to reconnect to the AP. Verification of a captured handshake is done using aircrack-ng. If one or more handshakes are captured, they are entered into an SQLite3 database, along with the time of capture and current GPS data (if properly configured).
After capture, the database can be tested for vulnerable router models using crackdefault.sh. It will search for entries that match the implemented modules, which currently include algorithms to compute default keys for Speedport 500-700 series, Thomson/SpeedTouch and UPC 7 digits (UPC1234567) routers.
Requirements WiFi interface in monitor mode aircrack-ng SQLite3 openssl for compilation of modules (optional) wlanhc2hcx from hcxtools In order to log GPS coordinates of handshakes, configure your coordinate logging software to log to .loc/*.txt (the filename can be chosen as desired). Airbash will always use the output of cat "$path$loc"*.txt 2>/dev/null | awk 'NR==0; END{print}', which equals to reading all .txt files in .loc/ and picking the second line. The reason for this way of implementation is the functionality of GPSLogger, which was used on the development device. Calculating default keys After capturing a new handshake, the database can be queried for vulnerable router models. If a module applies, the default keys for this router series are calculated and used as input for aircrack-ng to try and recover the passphrase. Compiling Modules The modules for calculating Thomson/SpeedTouch and UPC1234567 (7 random digits) default keys are included in src/ Credits for the code go to the authors Kevin Devine and [peter@haxx.in].
If on Android, you may need to copy the binaries to /system/xbin/ or to another directory where binary execution is allowed. Usage Running install.sh will create the database, prepare the folder structure and create shortlinks to both scripts which can be moved to a directory that is on $PATH to allow execution from any location. After installation, you may need to manually adjust INTERFACE on line 46 in airba.sh. This will later be determined automatically, but for now the default is set to wlan0, to allow out of the box compatibility with bcmon on Android. ./airba.sh starts the script, automatically scanning and attacking targets that are not found in the database. ./crackdefault.sh attempts to break known default key algorithms. To view the database contents, run sqlite3 .db.sqlite3 "SELECT * FROM hs" in the main directory. Update (Linux only ... for now): Airbash can be updated by executing update.sh. This will clone the master branch into /tmp/ and overwrite the local files. Output _n: number of access points found __c/m: represents client number and maximum number of clients found, respectively -: access point is blacklisted x: access point already in database ?: access point out of range (not visible to airodump anymore) The Database The database contains a table called hs with seven columns. id: incrementing counter of table entries lat and lon: GPS coordinates of the handshake (if available) bssid: MAC address of the access point essid: Name identifier psk: WPA Passphrase, if known prcsd: Flag that gets set by crackdefault.sh to prevent duplicate calculation of default keys if a custom passphrase was used. Currently, the SQLite3 database is not password-protected.
There is the number of applications which are not having the features of translating apps to your favorite languages. This makes it difficult for the users to translate apps into their native language. Today, I am going to tell you about an application which will help you to Automatically Translate Any Android App into Any Language.
Nowadays there are around hundreds of application on play store which is having the feature of translate but some applications don't have this features. This is just because they don't have proper developers or sometimes translators.
There is an application launched by Akhil Kedia from XDA Developer which made it possible for all the users to translate the application to any language you need. This is something which everyone needs it.
Akhil Kedia built an Xposed module in which users can easily change the language of any application to whichever they like or love. Personally, we all love English language but there are peoples in many parts of the world they are suitable for other languages.
Automatically Translate Any Android App into Any Language
Automatically Translate Any Android App into Any Language
The best part about this Xposed Module is that it translates the application to any language whichever you like and there are around many languages which you can try it. The other best part about this application is that the user interface which is amazing.
In an Android application, the best thing is the user interface. This is something which helps users to download the module or application to run again and again. There are about many settings which can be changed from the application.
The setup process is a bit different from other applications but if you will look at the application you will definitely love it. Just because of too many settings and features available in the application and you can turn it to any language without any crashing issues of the application.
Requirements:
Rooted Android Phone
Xposed Framework installed on your phone.
Android 5.0 or higher.
Unknown Source enabled (You might be knowing it)
How to Automatically Translate Any Android App into Any Language
Download the module called as All Trans from here: Download
Now, after installation, it will ask you to reboot your phone to activate the module
Now, you need to get the API Key to get it you need to sign up with Yandex first so sign up: Yandex Sign up
Then after sign up you will get the API key just enter the API key in the All-Trans application.
Open All Trans Application and the swipe right to Global Settings.
Click on Enter Yandex Subscription key and then enter your key.
In Global Settings click on Translate from and select the Language the application is already in. (Eg: English)
Now, click on translate to and select your favorite language. This will change the language.
Swipe left and select the applications which you need to translate and done.
After selecting just open the application and the language is translated automatically.
Final Words:
This is the best and easy way to Automatically Translate Any Android App into Any Language. I hope you love this article.Share this article with your friends and keep visiting for more tips and tricks like this and I will meet you in the next one.
Why vlang? V is a featured, productive, safe and confortable language highly compatible with c, that generates neat binaries with c-speed, the decompilation also seems quite clear as c code. https://vlang.io/
After open the binary with radare in debug mode "-d" we proceed to do the binary recursive analysis with "aaaa" the more a's the more deep analys.
The function names are modified when the binary is crafted, if we have a function named hello in a module named main we will have the symbol main__hello, but we can locate them quicly thanks to radare's grep done with "~" token in this case applied to the "afl" command which lists all the symbols.
Being in debug mode we can use "d*" commands, for example "db" for breakpointing the function and then "dc" to start or continue execution.
Let's dissasemble the function with "pD" command, it also displays the function variables and arguments as well, note also the xref "call xref from main"
Let's take a look to the function arguments, radare detect's this three 64bits registers used on the function.
Actually the function parameter is rsi that contains a testing html to test the href extraction algorithm.
The string structure is quite simple and it's plenty of implemented methods.
With F8 we can step over the code as we were in ollydbg on linux.
Note the rip marker sliding into the code.
We can recognize the aray creations, and the s.index_after() function used to find substrings since a specific position.
If we take a look de dissasembly we sill see quite a few calls to tos3() functions. Those functions are involved in string initialization, and implements safety checks.
tos(string, len)
tos2(byteptr)
tos3(charptr)
In this case I have a crash in my V code and I want to know what is crashing, just continue the execution with "dc" and see what poits the rip register.
In visual mode "V" we can see previous instructions to figure out the arguments and state.
We've located the crash on the substring operation which is something like "s2 := s1[a..b]" probably one of the arguments of the substring is out of bounds but luckily the V language has safety checks and is a controlled termination:
Switching the basic block view "space" we can see the execution flow, in this case we know the loops and branches because we have the code but this view also we can see the tos3 parameter "href=" which is useful to locate the position on the code.
When it reach the substr, we can see the parameters with "tab" command.
Looking the implementation the radare parameter calculation is quite exact.
Let's check the param values:
so the indexes are from 0x0e to 0x24 which are inside the buffer, lets continue to next iteration, if we set a breakpoint and check every iteration, on latest iteration before the crash we have the values 0x2c to 0x70 with overflows the buffer and produces a controlled termination of the v compiled process.
As cyberattacks continue to proliferate in volume and increase in sophistication, many organizations acknowledge that some part of their breach protection must be outsourced, introducing a million-dollar question of what type of service to choose form. Today, Cynet releases the Security Outsourcing Guide (download here), providing IT Security executives with clear and actionable guidance on
The Ukrainian police have arrested a hacker who made headlines in January last year by posting a massive database containing some 773 million stolen email addresses and 21 million unique plaintext passwords for sale on various underground hacking forums. In an official statement released on Tuesday, the Security Service of Ukraine (SBU) said it identified the hacker behind the pseudonym "Sanix
Fluxion is a security auditing and social-engineering research tool. It is a remake of linset by vk496 with (hopefully) less bugs and more functionality. The script attempts to retrieve the WPA/WPA2 key from a target access point by means of a social engineering (phishing) attack. It's compatible with the latest release of Kali (rolling). Fluxion's attacks' setup is mostly manual, but experimental auto-mode handles some of the attacks' setup parameters. Read the FAQ before requesting issues. If you need quick help, fluxion is also avaible on gitter. You can talk with us on Gitter or on Discord. Installation Read here before you do the following steps. Download the latest revision
Requirements A Linux-based operating system. We recommend Kali Linux 2 or Kali rolling. Kali 2 & rolling support the latest aircrack-ng versions. An external wifi card is recommended. Related work For development I use vim and tmux. Here are my dotfiles Credits
Authors do not own the logos under the /attacks/Captive Portal/sites/ directory. Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for "fair use" for purposes such as criticism, comment, news reporting, teaching, scholarship, and research.
The usage of Fluxion for attacking infrastructures without prior mutual consent could be considered an illegal activity, and is highly discouraged by its authors/developers. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program.
Note
Beware of sites pretending to be related with the Fluxion Project. These may be delivering malware.
Fluxion DOES NOT WORK on Linux Subsystem For Windows 10, because the subsystem doesn't allow access to network interfaces. Any Issue regarding the same would be Closed Immediately
Bob was tasked to break into XYZcorporation, so he pulled up the facility on google maps to see what the layout was. He was looking for any possible entry paths into the company headquarters. Online maps showed that the whole facility was surrounded by a security access gate. Not much else could be determined remotely so bob decided to take a drive to the facility and get a closer look.
Bob parked down the street in view of the entry gate. Upon arrival he noted the gate was un-manned and cars were rolling up to the gate typing in an access code or simply driving up to the gate as it opening automatically.Interestingly there was some kind of wireless technology in use.
How do we go from watching a car go through a gate, to having a physical device that opens the gate?
We will take a look at reversing a signal from an actual gate to program a remote with the proper RF signal.Learning how to perform these steps manually to get a better understanding of how RF remotes work in conjunction with automating processes with RFCrack.
In the the previous blogs, we sniffed signals and replayed them to perform actions. In this blog we are going to take a look at a signal and reverse it to create a physical device that will act as a replacement for the original device. Depending on the scenario this may be a better approach if you plan to enter the facility off hours when there is no signal to capture or you don't want to look suspicious.
Recon:
Lets first use the scanning functionality in RFCrack to find known frequencies. Weneed to understand the frequencies that gates usually use. This way we can set our scanner to a limited number of frequencies to rotate through. The smaller rage of frequencies used will provide a better chance of capturing a signal when a car opens the target gate. This would be beneficial if the scanning device is left unattended within a dropbox created with something like a Kali on a Raspberry Pi. One could access it from a good distance away by setting up a wifi hotspot or cellular connection.
Based on research remotes tend to use 315Mhz, 390Mhz, 433Mhz and a few other frequencies. So in our case we will start up RFCrack on those likely used frequencies and just let it run. We can also look up the FCID of our clicker to see what Frequencies manufactures are using. Although not standardized, similar technologies tend to use similar configurations. Below is from the data sheet located at https://fccid.io/HBW7922/Test-Report/test-report-1755584 which indicates that if this gate is compatible with a universal remote it should be using the 300,310, 315, 372, 390 Frequencies. Most notably the 310, 315 and 390 as the others are only on a couple configurations.
RFCrack Scanning:
Since the most used ranges are 310, 315, 390 within our universal clicker, lets set RFCrack scanner to rotate through those and scan for signals.If a number of cars go through the gate and there are no captures we can adjust the scanner later over our wifi connection from a distance.
Currently Scanning: 433000000 To cancel hit enter and wait a few seconds
Example of logging output:
From the above output you will see that a frequency was found on 390. However, if you had left this running for a few hours you could easily see all of the output in the log file located in your RFCrack/scanning_logs directory.For example the following captures were found in the log file in an easily parseable format:
Analyzing the signal to determine toggle switches:
Ok sweet, now we have a valid signal which will open the gate. Of course we could just replay this and open the gate, but we are going to create a physical device we can pass along to whoever needs entry regardless if they understand RF. No need to fumble around with a computer and look suspicious.Also replaying a signal with RFCrack is just to easy, nothing new to learn taking the easy route.
The first thing we are going to do is graph the capture and take a look at the wave pattern it creates. This can give us a lot of clues that might prove beneficial in figuring out the toggle switch pattern found in remotes. There are a few ways we can do this. If you don't have a yardstick at home you can capture the initial signal with your cheap RTL-SDR dongle as we did in the first RF blog. We could then open it in audacity. This signal is shown below.
Let RFCrack Plot the Signal For you:
The other option is let RFCrack help you out by taking a signal from the log output above and let RFCrack plot it for you.This saves time and allows you to use only one piece of hardware for all of the work.This can easily be done with the following command:
From the graph output we see 2 distinct crest lengths and some junk at either end we can throw away. These 2 unique crests correspond to our toggle switch positions of up/down giving us the following 2 possible scenarios using a 9 toggle switch remote based on the 9 crests above:
Possible toggle switch scenarios:
down down up up up down down down down
up up down down down up up up up
Configuring a remote:
Proper toggle switch configuration allows us to program a universal remote that sends a signal to the gate. However even with the proper toggle switch configuration the remote has many different signals it sends based on the manufacturer or type of signal.In order to figure out which configuration the gate is using without physically watching the gate open, we will rely on local signal analysis/comparison.
Programming a remote is done by clicking the device with the proper toggle switch configuration until the gate opens and the correct manufacturer is configured. Since we don't have access to the gate after capturing the initial signal we will instead compare each signal from he remote to the original captured signal.
Comparing Signals:
This can be done a few ways, one way is to use an RTLSDR and capture all of the presses followed by visually comparing the output in audacity. Instead I prefer to use one tool and automate this process with RFCrack so that on each click of the device we can compare a signal with the original capture. Since there are multiple signals sent with each click it will analyze all of them and provide a percent likelihood of match of all the signals in that click followed by a comparing the highest % match graph for visual confirmation. If you are seeing a 80-90% match you should have the correct signal match.
Note:Not every click will show output as some clicks will be on different frequencies, these don't matter since our recon confirmed the gate is communicating on 390Mhz.
In order to analyze the signals in real time you will need to open up your clicker and set the proper toggle switch settings followed by setting up a sniffer and live analysis with RFCrack:
Open up 2 terminals and use the following commands:
#Setup a sniffer on 390mhz Setup sniffer:python RFCrack.py -k -c -f 390000000.
#Monitor the log file, and provide the gates original signal Setup Analysis: python RFCrack.py -c -u 1f0fffe0fffc01ff803ff007fe0fffc1fff83fff07ffe0007c -n.
Cmd switches used
-k = known frequency
-c = compare mode
-f = frequency
-n = no yardstick needed for analysis
Make sure your remote is configured for one of the possible toggle configurations determined above. In the below example I am using the first configuration, any extra toggles left in the down position: (down down up up up down down down down)
Analyze Your Clicks:
Now with the two terminals open and running click the reset switch to the bottom left and hold till it flashes. Then keep clicking the left button and viewing the output in the sniffing analysis terminal which will provide the comparisons as graphs are loaded to validate the output.If you click the device and no output is seen, all that means is that the device is communicating on a frequency which we are not listening on.We don't care about those signals since they don't pertain to our target.
At around the 11th click you will see high likelihood of a match and a graph which is near identical. A few click outputs are shown below with the graph from the last output with a 97% match.It will always graph the highest percentage within a click.Sometimes there will be blank graphs when the data is wacky and doesn't work so well. This is fine since we don't care about wacky data.
You will notice the previous clicks did not show even close to a match, so its pretty easy to determine which is the right manufacture and setup for your target gate. Now just click the right hand button on the remote and it should be configured with the gates setup even though you are in another location setting up for your test.
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
----------Start Signals In Press--------------
Percent Chance of Match for press is: 0.05
Percent Chance of Match for press is: 0.14
Percent Chance of Match for press is: 0.14
Percent Chance of Match for press is: 0.12
----------End Signals In Press------------
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
----------Start Signals In Press--------------
Percent Chance of Match for press is: 0.14
Percent Chance of Match for press is: 0.20
Percent Chance of Match for press is: 0.19
Percent Chance of Match for press is: 0.25
----------End Signals In Press------------
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
----------Start Signals In Press--------------
Percent Chance of Match for press is: 0.93
Percent Chance of Match for press is: 0.93
Percent Chance of Match for press is: 0.97
Percent Chance of Match for press is: 0.90
Percent Chance of Match for press is: 0.88
Percent Chance of Match for press is: 0.44
----------End Signals In Press------------
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
Graph Comparison Output for 97% Match:
Conclusion:
You have now walked through successfully reversing a toggle switch remote for a security gate. You took a raw signal and created a working device using only a Yardstick and RFCrack.This was just a quick tutorial on leveraging the skillsets you gained in previous blogs in order to learn how to analyzeRF signals within embedded devices. There are many scenarios these same techniques could assist in.We also covered a few new features in RF crack regarding logging, graphing and comparing signals.These are just a few of the features which have been added since the initial release. For more info and other features check the wiki.
Most of the people don't go with videos and read books for learning. Book reading is a really effective way to learn and understand how things work. There are plenty of books about computers, security, penetration testing and hacking. Every book shows a different angle how things work and how to make system secure and how it can be penetrated by hackers. So, here I have gathered a few of the best hacking books of 2018 available on the market.
BEST HACKING BOOKS OF 2018
There are hundreds of books about hacking, but I have streamlined few of best hacking books of 2018.
1. THE HACKER'S PLAYBOOK PRACTICAL GUIDE TO PENETRATION
This handbook is about experting yourself with the hacking techniques in the hacker's way. This is about penetration testing that how hackers play their techniques and how we can counter them.
CONTENTS
Introduction
Pregame – The Setup
Setting Up a Penetration Testing Box
Before the Snap – Scanning the Network
The Drive – Exploiting Scanner Findings
The Throw – Manual Web Application Findings
The Lateral Pass – Moving Through the Network
The Screen – Social Engineering
The Onside Kick – Attacks that Require Physical Access
The Quarterback Sneak – Evading AV
Special Teams – Cracking, Exploits, Tricks
Post Game Analysis – Reporting
Download the Hacker's Playbook Practical Guide to Penetration.
2. ANDROID HACKER'S HANDBOOK
The Android Hacker's Handbook is about how the android devices can be hacked. Authors chose to write this book because the field of mobile security research is so "sparsely charted" with disparate and conflicted information (in the form of resources and techniques).
CONTENTS
Chapter 1 Looking at the Ecosystem
Chapter 2 Android Security Design and Architecture
Chapter 3 Rooting Your Device
Chapter 4 Reviewing Application Security
Chapter 5 Understanding Android's Attack Surface
Chapter 6 Finding Vulnerabilities with Fuzz Testing
Chapter 7 Debugging and Analyzing Vulnerabilities
Chapter 8 Exploiting User Space Software
Chapter 9 Return Oriented Programming
Chapter 10 Hacking and Attacking the Kernel
Chapter 11 Attacking the Radio Interface Layer
Chapter 12 Exploit Mitigations
Chapter 13 Hardware Attacks
Download Android Hacker's Handbook.
3. PENETRATION TESTING: A HANDS-ON INTRODUCTION TO HACKING
This book is an effective practical guide to penetration testing tools and techniques. How to penetrate and hack into systems. This book covers beginner level to highly advanced penetration and hacking techniques.
CONTENTS
Chapter 1: Setting Up Your Virtual Lab
Chapter 2: Using Kali Linux
Chapter 3: Programming
Chapter 4: Using the Metasploit Framework
Chapter 5: Information Gathering
Chapter 6: Finding Vulnerabilities
Chapter 7: Capturing Traffic
Chapter 8: Exploitation
Chapter 9: Password Attacks
Chapter 10: Client-Side Exploitation
Chapter 11: Social Engineering
Chapter 12: Bypassing Antivirus Applications
Chapter 13: Post Exploitation
Chapter 14: Web Application Testing
Chapter 15: Wireless Attacks
Chapter 16: A Stack-Based Buffer Overflow in Linux
Chapter 17: A Stack-Based Buffer Overflow in Windows
Chapter 19: Fuzzing, Porting Exploits, and Metasploit Modules
Chapter 20: Using the Smartphone Pentesting Framework
Download Penetration Testing: A Hands-On Introduction To Hacking.
4. THE SHELLCODER'S HANDBOOK
This book is about learning shellcode's of the OS and how OS can be exploited. This book is all about discovering and exploiting security holes in devices to take over.
Authors: Chris Anley, John Heasman, Felix "FX" Linder, Gerardo Richarte.
CONTENTS
Stack Overflows
Shellcode
Introduction to Format String Bugs
Windows Shellcode
Windows Overflows
Overcoming Filters
Introduction to Solaris Exploitation
OS X Shellcode
Cisco IOS Exploitation
Protection Mechanisms
Establishing a Working Environment
Fault Injection
The Art of Fuzzing
Beyond Recognition: A Real Vulnerability versus a Bug
Instrumented Investigation: A Manual Approach
Tracing for Vulnerabilities
Binary Auditing: Hacking Closed Source Software
Alternative Payload Strategies
Writing Exploits that Work in the Wild
Attacking Database Software
Unix Kernel Overflows
Exploiting Unix Kernel Vulnerabilities
Hacking the Windows Kernel
Download The ShellCoder's HandBook.
5. THE HACKER'S HANDBOOK WEB APPLICATION SECURITY FLAWS
This handbook is about finding and exploiting the web applications.
Authors: Dafydd Stuttard, Marcus Pinto.
CONTENTS
Chapter 1 Web Application (In)security
Chapter 2 Core Defense Mechanisms
Chapter 3 Web Application Technologies
Chapter 4 Mapping the Application
Chapter 5 Bypassing Client-Side Controls
Chapter 6 Attacking Authentication
Chapter 7 Attacking Session Management
Chapter 8 Attacking Access Controls
Chapter 9 Attacking Data Stores
Chapter 10 Attacking Back-End Components
Chapter 11 Attacking Application Logic
Chapter 12 Attacking Users: Cross-Site Scripting
Chapter 13 Attacking Users: Other Techniques
Chapter 14 Automating Customized Attacks
Chapter 15 Exploiting Information Disclosure
Chapter 16 Attacking Native Compiled Applications
Chapter 17 Attacking Application Architecture
Chapter 18 Attacking the Application Server
Chapter 19 Finding Vulnerabilities in Source Code
Chapter 20 A Web Application Hacker's Toolkit
Chapter 21 A Web Application Hacker's Methodology
Download The Hacker's Handbook Web Application Security Flaws.
So, these are the top 5 best hacking books on the market. There may be more fascinating books in the future that make take place in the top list. But for now, these are the best hacking books. Read and share your experience with these books.
