SecTools.Org: List of 75 security tools based on a 2003 vote by hackers.
The Hacker News: The Hacker News — most trusted and widely-acknowledged online cyber security news magazine with in-depth technical coverage for cybersecurity.
DEFCON: Information about the largest annual hacker convention in the US, including past speeches, video, archives, and updates on the next upcoming show as well as links and other details.
Metasploit: Find security issues, verify vulnerability mitigations & manage security assessments with Metasploit. Get the worlds best penetration testing software now.
Hack Forums: Emphasis on white hat, with categories for hacking, coding and computer security.
Packet Storm: Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers.
Hakin9: E-magazine offering in-depth looks at both attack and defense techniques and concentrates on difficult technical issues.
Offensive Security Training: Developers of Kali Linux and Exploit DB, and the creators of the Metasploit Unleashed and Penetration Testing with Kali Linux course.
Exploit DB: An archive of exploits and vulnerable software by Offensive Security. The site collects exploits from submissions and mailing lists and concentrates them in a single database.
SecurityFocus: Provides security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.
Hacked Gadgets: A resource for DIY project documentation as well as general gadget and technology news.
HackRead: HackRead is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance, and Hacking News with full-scale reviews on Social Media Platforms.
NFOHump: Offers up-to-date .NFO files and reviews on the latest pirate software releases.
Black Hat: The Black Hat Briefings have become the biggest and the most important security conference series in the world by sticking to our core value: serving the information security community by delivering timely, actionable security information in a friendly, vendor-neutral environment.
KitPloit: Leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security.
The OWASP Foundation would like to thank the OWASP Las Vegas Chapter Volunteers for taking the time out of their busy schedule to give back and volunteer to work the booth at BlackHat 2019. It was great meeting our Las Vegas OWASP members and working with Jorge, Carmi, Dave, and Nancy. Also, take a moment to thank Global Board Members Martin Knobloch, Owen Pendlebury, and Gary Robinson for also working the booth and speaking with individuals and groups to answer questions on projects and suggestions on the use of our tools to address their work problems. OWASP can not exist without support from our members.
About A raccoon is a tool made for reconnaissance and information gathering with an emphasis on simplicity. It will do everything from fetching DNS records, retrieving WHOIS information, obtaining TLS data, detecting WAF presence and up to threaded dir busting and subdomain enumeration. Every scan outputs to a corresponding file. As most of Raccoon's scans are independent and do not rely on each other's results, it utilizes Python's asyncio to run most scans asynchronously. Raccoon supports Tor/proxy for anonymous routing. It uses default wordlists (for URL fuzzing and subdomain discovery) from the amazing SecLists repository but different lists can be passed as arguments. For more options - see "Usage".
Installation For the latest stable version:
pip install raccoon-scanner
Or clone the GitHub repository for the latest features and changes:
git clone https://github.com/evyatarmeged/Raccoon.git cd Raccoon python raccoon_src/main.py
Prerequisites Raccoon uses Nmap to scan ports as well as utilizes some other Nmap scripts and features. It is mandatory that you have it installed before running Raccoon. OpenSSL is also used for TLS/SSL scans and should be installed as well. Usage
Usage: raccoon [OPTIONS]
Options: --version Show the version and exit. -t, --target TEXT Target to scan [required] -d, --dns-records TEXT Comma separated DNS records to query. Defaults to: A,MX,NS,CNAME,SOA,TXT --tor-routing Route HTTP traffic through Tor (uses port 9050). Slows total runtime significantly --proxy-list TEXT Path to proxy list file that would be used for routing HTTP traffic. A proxy from the list will be chosen at random for each request. Slows total runtime --proxy TEXT Proxy address to route HTTP traffic through. Slows total runtime -w, --wordlist TEXT Path to wordlist that would be used for URL fuzzing -T, --threads INTEGER Number of threads to use for URL Fuzzing/Subdomain enumeration. Default: 25 --ignored-response-codes TEXT Comma separated list of HTTP status code to ignore for fuzzing. Defaults to: 302,400,401,402,403,404,503,504 --subdomain-list TEXT Path to subdomain list file that would be used for enumeration -S, --scripts Run Nmap scan with -sC flag -s, --services Run Nmap scan with -sV flag -f, --full-scan Run Nmap scan with both -sV and -sC -p, --port TEXT Use this port range for Nmap scan instead of the default --tls-port INTEGER Use this port for TLS queries. Default: 443 --skip-health-check Do not test for target host availability -fr, --follow-redirects Follow redirects when fuzzing. Default: True --no-url-fuzzing Do not fuzz URLs --no-sub-enum Do not bruteforce subdomains -q, --quiet Do not output to stdout -o, --outdir TEXT Directory destination for scan output --help Show this message and exit.
How do I get started with bug bounty hunting? How do I improve my skills?
These are some simple steps that every bug bounty hunter can use to get started and improve their skills:
Learn to make it; then break it! A major chunk of the hacker's mindset consists of wanting to learn more. In order to really exploit issues and discover further potential vulnerabilities, hackers are encouraged to learn to build what they are targeting. By doing this, there is a greater likelihood that hacker will understand the component being targeted and where most issues appear. For example, when people ask me how to take over a sub-domain, I make sure they understand the Domain Name System (DNS) first and let them set up their own website to play around attempting to "claim" that domain.
Read books. Lots of books. One way to get better is by reading fellow hunters' and hackers' write-ups. Follow /r/netsec and Twitter for fantastic write-ups ranging from a variety of security-related topics that will not only motivate you but help you improve. For a list of good books to read, please refer to "What books should I read?".
Join discussions and ask questions. As you may be aware, the information security community is full of interesting discussions ranging from breaches to surveillance, and further. The bug bounty community consists of hunters, security analysts, and platform staff helping one and another get better at what they do. There are two very popular bug bounty forums: Bug Bounty Forum and Bug Bounty World.
Participate in open source projects; learn to code. Go to https://github.com/explore or https://gitlab.com/explore/projects and pick a project to contribute to. By doing so you will improve your general coding and communication skills. On top of that, read https://learnpythonthehardway.org/ and https://linuxjourney.com/.
Help others. If you can teach it, you have mastered it. Once you discover something new and believe others would benefit from learning about your discovery, publish a write-up about it. Not only will you help others, you will learn to really master the topic because you can actually explain it properly.
Smile when you get feedback and use it to your advantage. The bug bounty community is full of people wanting to help others so do not be surprised if someone gives you some constructive feedback about your work. Learn from your mistakes and in doing so use it to your advantage. I have a little physical notebook where I keep track of the little things that I learnt during the day and the feedback that people gave me.
Learn to approach a target. The first step when approaching a target is always going to be reconnaissance — preliminary gathering of information about the target. If the target is a web application, start by browsing around like a normal user and get to know the website's purpose. Then you can start enumerating endpoints such as sub-domains, ports and web paths.
A woodsman was once asked, "What would you do if you had just five minutes to chop down a tree?" He answered, "I would spend the first two and a half minutes sharpening my axe." As you progress, you will start to notice patterns and find yourself refining your hunting methodology. You will probably also start automating a lot of the repetitive tasks.
"snmpcheck is a free open source utility to get information via SNMP protocols. It works fine against Windows, Linux, Cisco, HP-UX, SunOS systems and any devices with SNMP protocol support. It could be useful for penetration testing or systems monitoring. snmpcheck has been tested on GNU/Linux, *BSD, Windows systems and Cygwin. snmpcheck is distributed under GPL license and based on Athena-2k script by jshaw. " read more...
Why should i use KillShot? You can use this tool to Spider your website and get important information and gather information automaticaly using whatweb-host-traceroute-dig-fierce-wafw00f or to Identify the cms and to find the vulnerability in your website using Cms Exploit Scanner && WebApp Vul Scanner Also You can use killshot to Scan automaticly multiple type of scan with nmap and unicorn . And With this tool You can Generate PHP Simple Backdoors upload it manual and connect to the target using killshot This Tool Bearing A simple Ruby Fuzzer Tested on VULSERV.exe and Linux Log clear script To change the content of login paths Spider can help you to find parametre of the site and scan XSS and SQL. Use Shodan By targ option CreateAccount Here Register and get Your aip Shodan AIP And Add your shodan AIP to aip.txt < only your aip should be show in the aip.txt > Use targ To search about Vulnrable Targets in shodan databases. Use targ To scan Ip of servers fast with Shodan. KillShot's Installation For Linux users, open your Terminal and enter these commands: If you're a Windows user, follow these steps:
First, you must download and run Ruby-lang setup file from RubyInstaller.org, choose Add Ruby executables to your PATH and Use UTF-8 as default external encoding.
Then, download and install curl (32-bit or 64-bit) from Curl.haxx.se/windows. After that, go to Nmap.org/download.html to download and install the lastest Nmap version.
About RED_HAWK: RED_HAWK is a all in one tool for Information Gathering, Vulnerability Scanning and Crawling. A must have tool for all pentesters and hackers. RED_HAWK's features:
Basic ScanSite Title (NEW): IP Address Web Server Detection IMPROVED CMS Detection Cloudflare Detection robots.txt Scanner
Whois Lookup (IMPROVED)
Geo-IP Lookup
Grab Banners IMPROVED
DNS Lookup
Subnet Calculator
Nmap Port Scan
Sub-Domain Scanner IMPROVED: Sub Domain IP Address
Reverse IP Lookup and CMS Detection IMPROVED: Hostname IP Address CMS
Error Based SQLi Scanner
Bloggers View NEW HTTP Response Code Site Title Alexa Ranking Domain Authority Page Authority Social Links Extractor Link Grabber
WordPress Scan NEW Sensitive Files Crawling Version Detection Version Vulnerability Scanner
Crawler
MX Lookup NEW
Scan For Everything - The Old Lame Scanner
List of CMS Supported on RED_HAWK
RED_HAWK's CMS Detector currently is able to detect the following CMSs (Content Management Systems) in case the website is using some other CMS, Detector will return could not detect.
WordPress
Joomla
Drupal
Magento
RED_HAWK Installation How To Configure RED HAWK with moz.com for Bloggers View Scan?
Get your AccessID and SecretKey and replace the $accessID and $secretKey variable's value in the config.php file
All set, now you can enjoy the bloggers view.
How to use RED_HAWK?
Known Issues of RED_HAWK ISSUE: Scanner Stops Working After Cloudflare Detection! SOLUTION: Use the fix command (for Debian-based distros) or manually install php-curl and php-xml. Watch the video to see how to solve that isuue:
Support and Donations Found RED_HAWK cool? Well you could buy a cup of tea for the author 😉 Just send any amount of donations (in Bitcoin) to this address: 1NbiQidWWVVhWknsfPSN1MuksF8cbXWCku
Can't donate? well that's no problem just drop a "THANK YOU, AUTHOR" this will motivate me to create more exciting stuffs for you😉 TODOs for RED_HAWK:
Make a proper update option ( Installs current version automatically )
Types of hacking? We can segregate hacking into different categories, based on what being hacked. Here is a set of examples- 1-Website Hacking- Hacking a website means taking unauthorized control over a web server and its associated software such as databases and other interfaces. 2-Network Hacking-Hacking a network means gathering information about a network by using tool like Telnet, Nslookup, Ping, Tracert, Netstat etc with the intent to harm the network system and hamper its operation. 3-Email Hacking-It includes getting unauthorized access on an Email account and using it without taking the permission of the owner. 4-Ethical Hacking-It involves finding weakness in a computer or network system for testing purpose and finally getting them fixed.
5-Password Hacking-This is the process of recovering secret password from data that has been stored in or transmitted by a computer system. 6-Computer Hacking-This is the process of stealing computer ID & Passwords by applying hacking methods and getting unauthorized access to a computer system.
This quick blog post will document getting started with developing Burp extensions using java. Burp provides interfaces for developers to hook into the Burp application and extend the application or integrate with other tools, this interface is documented on the following site - http://portswigger.net/burp/extender/
After downloading and opening up Eclipse you will need to create a new java project. This can be done by clicking "File->New Java Project". Fill in a project name and click finish.
Once the project has been created you will need to create a new package called "burp". This can be done by right clicking the "src" folder under your new project and selecting "New->Package". When the dialog comes up set the "Name" as "burp":
You should now have a package named "burp" under the source folder in the right pane. Now you will need to import the Burp extender classes into your project. Download all of the extender classes to a local folder, once this is done right click on the "burp" package in your project and select "Import". On the dialog window that comes up select "General->File System" and hit "next":
On the next dialog you will need to navigate to where you downloaded the Burp extender classes to. Once you have done this you should see the classes, click on the folder to select all items and click "Finish":
Next we can add the Burp application into the project. To do this click on "Project->Properties" on the top toolbar. When the dialog opens select "Java Build Path" and then the "Libraries" tab. On this dialog click "Add External JARs..."
Navigate to where ever you have Burp downloaded to and select it. After you have done this click "OK" to dismiss the dialog. You are now ready to build your own Burp extensions. You can test your environment by creating a new class in the burp package named "BurpExtender". Right click the "burp" package and click "New->Class". On the dialog that comes up enter "BurpExtender" and click "Finish":
In the "BurpExtender" class you can enter the following:
package burp;
public class BurpExtender { public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) { callbacks.registerMenuItem("Hello World.", new CustomMenuItem()); } }
class CustomMenuItem implements IMenuItemHandler { public void menuItemClicked(String menuItemCaption, IHttpRequestResponse[] messageInfo) { try { System.out.println("Hello From Burp!"); System.out.println("Request Item Details"); System.out.println("Host: " + messageInfo[0].getHost()); System.out.println("URL: " + messageInfo[0].getUrl());
After adding the content to your "BurpExtender" class you are ready to run the project for the first time. Click on "Run->Run" from the menu. You should see the following dialog asking how it should run your project:
Select "Java Application" and click "Ok". Next you should receive a dialog asking which application you want to run. Select "StartBurp - burp" and click "Ok":
You should now see the burp application running. Intercept a request in the application and right click on the request, you should now see an item in the menu named "Hello World."
When you click the "Hello World." menu button you should see some information about the request in your eclipse console window:
That's it, you now have setup your working development environment for building your own Burp extensions. The javadocs for the Burp Extender interfaces are available on the Extender web page:
Bob was tasked to break into XYZcorporation, so he pulled up the facility on google maps to see what the layout was. He was looking for any possible entry paths into the company headquarters. Online maps showed that the whole facility was surrounded by a security access gate. Not much else could be determined remotely so bob decided to take a drive to the facility and get a closer look.
Bob parked down the street in view of the entry gate. Upon arrival he noted the gate was un-manned and cars were rolling up to the gate typing in an access code or simply driving up to the gate as it opening automatically.Interestingly there was some kind of wireless technology in use.
How do we go from watching a car go through a gate, to having a physical device that opens the gate?
We will take a look at reversing a signal from an actual gate to program a remote with the proper RF signal.Learning how to perform these steps manually to get a better understanding of how RF remotes work in conjunction with automating processes with RFCrack.
In the the previous blogs, we sniffed signals and replayed them to perform actions. In this blog we are going to take a look at a signal and reverse it to create a physical device that will act as a replacement for the original device. Depending on the scenario this may be a better approach if you plan to enter the facility off hours when there is no signal to capture or you don't want to look suspicious.
Recon:
Lets first use the scanning functionality in RFCrack to find known frequencies. Weneed to understand the frequencies that gates usually use. This way we can set our scanner to a limited number of frequencies to rotate through. The smaller rage of frequencies used will provide a better chance of capturing a signal when a car opens the target gate. This would be beneficial if the scanning device is left unattended within a dropbox created with something like a Kali on a Raspberry Pi. One could access it from a good distance away by setting up a wifi hotspot or cellular connection.
Based on research remotes tend to use 315Mhz, 390Mhz, 433Mhz and a few other frequencies. So in our case we will start up RFCrack on those likely used frequencies and just let it run. We can also look up the FCID of our clicker to see what Frequencies manufactures are using. Although not standardized, similar technologies tend to use similar configurations. Below is from the data sheet located at https://fccid.io/HBW7922/Test-Report/test-report-1755584 which indicates that if this gate is compatible with a universal remote it should be using the 300,310, 315, 372, 390 Frequencies. Most notably the 310, 315 and 390 as the others are only on a couple configurations.
RFCrack Scanning:
Since the most used ranges are 310, 315, 390 within our universal clicker, lets set RFCrack scanner to rotate through those and scan for signals.If a number of cars go through the gate and there are no captures we can adjust the scanner later over our wifi connection from a distance.
Currently Scanning: 433000000 To cancel hit enter and wait a few seconds
Example of logging output:
From the above output you will see that a frequency was found on 390. However, if you had left this running for a few hours you could easily see all of the output in the log file located in your RFCrack/scanning_logs directory.For example the following captures were found in the log file in an easily parseable format:
Analyzing the signal to determine toggle switches:
Ok sweet, now we have a valid signal which will open the gate. Of course we could just replay this and open the gate, but we are going to create a physical device we can pass along to whoever needs entry regardless if they understand RF. No need to fumble around with a computer and look suspicious.Also replaying a signal with RFCrack is just to easy, nothing new to learn taking the easy route.
The first thing we are going to do is graph the capture and take a look at the wave pattern it creates. This can give us a lot of clues that might prove beneficial in figuring out the toggle switch pattern found in remotes. There are a few ways we can do this. If you don't have a yardstick at home you can capture the initial signal with your cheap RTL-SDR dongle as we did in the first RF blog. We could then open it in audacity. This signal is shown below.
Let RFCrack Plot the Signal For you:
The other option is let RFCrack help you out by taking a signal from the log output above and let RFCrack plot it for you.This saves time and allows you to use only one piece of hardware for all of the work.This can easily be done with the following command:
From the graph output we see 2 distinct crest lengths and some junk at either end we can throw away. These 2 unique crests correspond to our toggle switch positions of up/down giving us the following 2 possible scenarios using a 9 toggle switch remote based on the 9 crests above:
Possible toggle switch scenarios:
down down up up up down down down down
up up down down down up up up up
Configuring a remote:
Proper toggle switch configuration allows us to program a universal remote that sends a signal to the gate. However even with the proper toggle switch configuration the remote has many different signals it sends based on the manufacturer or type of signal.In order to figure out which configuration the gate is using without physically watching the gate open, we will rely on local signal analysis/comparison.
Programming a remote is done by clicking the device with the proper toggle switch configuration until the gate opens and the correct manufacturer is configured. Since we don't have access to the gate after capturing the initial signal we will instead compare each signal from he remote to the original captured signal.
Comparing Signals:
This can be done a few ways, one way is to use an RTLSDR and capture all of the presses followed by visually comparing the output in audacity. Instead I prefer to use one tool and automate this process with RFCrack so that on each click of the device we can compare a signal with the original capture. Since there are multiple signals sent with each click it will analyze all of them and provide a percent likelihood of match of all the signals in that click followed by a comparing the highest % match graph for visual confirmation. If you are seeing a 80-90% match you should have the correct signal match.
Note:Not every click will show output as some clicks will be on different frequencies, these don't matter since our recon confirmed the gate is communicating on 390Mhz.
In order to analyze the signals in real time you will need to open up your clicker and set the proper toggle switch settings followed by setting up a sniffer and live analysis with RFCrack:
Open up 2 terminals and use the following commands:
#Setup a sniffer on 390mhz Setup sniffer:python RFCrack.py -k -c -f 390000000.
#Monitor the log file, and provide the gates original signal Setup Analysis: python RFCrack.py -c -u 1f0fffe0fffc01ff803ff007fe0fffc1fff83fff07ffe0007c -n.
Cmd switches used
-k = known frequency
-c = compare mode
-f = frequency
-n = no yardstick needed for analysis
Make sure your remote is configured for one of the possible toggle configurations determined above. In the below example I am using the first configuration, any extra toggles left in the down position: (down down up up up down down down down)
Analyze Your Clicks:
Now with the two terminals open and running click the reset switch to the bottom left and hold till it flashes. Then keep clicking the left button and viewing the output in the sniffing analysis terminal which will provide the comparisons as graphs are loaded to validate the output.If you click the device and no output is seen, all that means is that the device is communicating on a frequency which we are not listening on.We don't care about those signals since they don't pertain to our target.
At around the 11th click you will see high likelihood of a match and a graph which is near identical. A few click outputs are shown below with the graph from the last output with a 97% match.It will always graph the highest percentage within a click.Sometimes there will be blank graphs when the data is wacky and doesn't work so well. This is fine since we don't care about wacky data.
You will notice the previous clicks did not show even close to a match, so its pretty easy to determine which is the right manufacture and setup for your target gate. Now just click the right hand button on the remote and it should be configured with the gates setup even though you are in another location setting up for your test.
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
----------Start Signals In Press--------------
Percent Chance of Match for press is: 0.05
Percent Chance of Match for press is: 0.14
Percent Chance of Match for press is: 0.14
Percent Chance of Match for press is: 0.12
----------End Signals In Press------------
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
----------Start Signals In Press--------------
Percent Chance of Match for press is: 0.14
Percent Chance of Match for press is: 0.20
Percent Chance of Match for press is: 0.19
Percent Chance of Match for press is: 0.25
----------End Signals In Press------------
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
----------Start Signals In Press--------------
Percent Chance of Match for press is: 0.93
Percent Chance of Match for press is: 0.93
Percent Chance of Match for press is: 0.97
Percent Chance of Match for press is: 0.90
Percent Chance of Match for press is: 0.88
Percent Chance of Match for press is: 0.44
----------End Signals In Press------------
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
Graph Comparison Output for 97% Match:
Conclusion:
You have now walked through successfully reversing a toggle switch remote for a security gate. You took a raw signal and created a working device using only a Yardstick and RFCrack.This was just a quick tutorial on leveraging the skillsets you gained in previous blogs in order to learn how to analyzeRF signals within embedded devices. There are many scenarios these same techniques could assist in.We also covered a few new features in RF crack regarding logging, graphing and comparing signals.These are just a few of the features which have been added since the initial release. For more info and other features check the wiki.
