Tuesday 4 December 2018

How I hacked GTU's Website - Admin Panel hack - Exams site - SQL Injection

Once again, a flaw was found in GTU's website. But this time it's different, as I found it :). BTW, if you don't know about the last hack on GTU's research website, you can find it here. Now, let's talk about this hack.

I was just frustrated with exams and so spent some time surfing and reading things other than the paper I had the next day. I had some work to do with the GTU Research Dept. and so was searching for a link to some form. But then on Google, I found a website
whose description read GTU Admin Panel. I hadn't seen that website before and so gave it a thought to see what the purpose of that site was. As soon as I opened the site, it brought me to an administrator login page.

Before telling you more about what I did and how I hacked the site, let me tell you what the purpose of that site was and what might have happened if someone else (other than me) had hacked that site (because I am ethical - I follow rules meant for peace and freedom). This website is exactly what the description said. There are many courses going on at GTU like UG courses, PG courses, PhD courses and many more. For each course, it provides a login page where the colleges registered for that course can log in. Each college has been assigned an administrator account. Colleges are meant to upload details about students, professors and assistants who are a part of that college. This is all about human resources, but this site is specifically for things related to exams.

That means, which student has paid the fees and is eligible for the exam and who is suspended. Also, you can suspend a student using this admin portal. Other exam-related updates like question paper dates, marks, etc. are also a part of this website. In short, each and every piece of information related to exams was available on this site and the admin could modify this information. Now, just think of the consequences of what might have happened if the wrong person got into this site. I don't need to list the consequences as you are capable of thinking of that yourself.

Moreover, this has been my second vulnerability report. The first one was when I found the rsync server password in plain text on Stanford University's server. I mailed them but got no response. But GTU is better in this case (not talking about the education system XD). I just sent a mail to 2 different email ids of GTU, but one of them was deactivated. I got a response from a person at GTU within 24 hours. At first, he didn't believe me and asked if I could tell him the username and password of any single registered account. I just explained to him that no one can get plain text passwords unless the owner leaks them intentionally or unintentionally. And there are other ways you can get into an account even when you don't have the username and password. That's what SQLi is meant for.. It doesn't get into OWASP's top 10 attacks list without a purpose, and that too with a high rank (3).



After sending a proof photo, he believed me and asked for the solution, and here it is now.. The website is patched against this vulnerability.


Now, let's focus on how to hack rather than discussing what I did. But before that, let me share the proof image with you to make you believe that this works.


SQL Injection

Structured Query Language (SQL) is used to query, operate, and administer database systems such as Microsoft SQL Server, Oracle, or MySQL. The general use of SQL is consistent across all database systems that support it; however, there are intricacies that are particular to each system.

Database systems are commonly used to provide backend functionality to many types of web applications. In support of web applications, user-supplied data is often used to dynamically build SQL statements that interact directly with a database. A SQL injection attack is an attack that is aimed at misusing the original intent of the application by submitting attacker-supplied SQL statements directly to the backend database. Depending on the web application, and how it processes the attacker-supplied data prior to building a SQL statement, a successful SQL injection attack can have far-reaching implications. The possible security ramifications range from authentication bypass to information disclosure to enabling the distribution of malicious code to application users.

Note what I mentioned above: submitting the user input directly, i.e. without any preprocessing, may lead to SQLi. Hence, the short and simple answer to avoid SQLi is to preprocess the input taken from the user, identify threats in it and only then submit the input to the database query. Let us see the same with an example.

One of the many possible uses for SQL injection involves bypassing an application login process. The following example illustrates the general operation of a SQL injection attack. An application with a vulnerable login process may accept the submitted information and use it as part of the following SQL statement, which locates a user profile that contains the submitted username and password:

select * from Users where (username = 'submittedUser' and password = 'submittedPassword');

For example, if an application accepts and processes user-supplied data without any validation, an attacker could submit a maliciously crafted username and password. Consider the following string sent by an attacker:

username=admin%27%29+--+&password=+

Once this string is received and URL-decoded, the application will attempt to build a SQL statement using a username of admin') -- and a password that consists of a single space. Placing these items into the previous SQL statement yields:

select * from Users where (username = 'admin') -- and password = ' ');

The string of two dash characters (--) that appears in the crafted input is very important; it indicates to the database server that the remaining characters in the SQL statement are a comment and should be ignored. So, the web application's backend will only check for a matching username without performing a password check and hence, one can easily log in to a website if they know a username.

But there's a twist. I didn't know the username of any user account before I hacked the site. Still, I was able to log in to the account. That's because of a single reason - not all web applications have the same backend code like 'select * from ...'. And according to the backend logic, we need to try different user input formats to get into a website. Suppose that the SQL syntax was different from the one shown above. Suppose it was like:

select * from Users where username = 'submittedUser';
select * from Users where password = 'submittedPassword';

And then it matched the username and password separately to log in. Then the user input described above wouldn't work, as it won't find a variable named submittedPassword when trying to execute the 2nd line of code. Here, commenting using '--' wouldn't work, as the semicolon at the end of the 1st line defines the end of the comment as well as the 1st statement. So, the application would throw an error saying 'Please provide a password.' This was the case with the GTU exams website, and so I tried a new modified input:


username=abc' or 1=1--
password=pqr' or 1=1--


Here, we provide separate values for username and password and add comments to both statements. Here, the OR operator does the task. It just performs a check for '1=1', which is always true, and hence I logged in successfully.

That's all about this.. But an extra note - the user input for performing SQLi varies with the backend code. So, there are various forms of user input and, without knowing the backend script (which you won't), you need to try all of them.
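To make the three cases above concrete, here is an added example of my own (not GTU's code and not from the original post) using an in-memory SQLite table with a made-up admin row: the single-statement login, the split two-statement login, and a parameterized version that treats the same two payloads as plain text.

```python
import sqlite3


def make_db():
    """Constructed demo table; the row is invented and has nothing to do with GTU."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    db.execute("INSERT INTO Users VALUES ('admin', 'correct-horse-battery')")
    return db


def login_vulnerable(db, user, pwd):
    """Single-statement login from the article: user text is pasted into the SQL."""
    sql = (f"select * from Users where (username = '{user}' "
           f"and password = '{pwd}')")
    return db.execute(sql).fetchone() is not None


def login_vulnerable_split(db, user, pwd):
    """Two-statement variant the article describes: each field is checked on its own."""
    sql_user = f"select * from Users where username = '{user}'"
    sql_pwd = f"select * from Users where password = '{pwd}'"
    user_found = db.execute(sql_user).fetchone() is not None
    pwd_found = db.execute(sql_pwd).fetchone() is not None
    return user_found and pwd_found


def login_parameterized(db, user, pwd):
    """Fix: bind the values through placeholders, so the driver never parses them
    as SQL. (A real application compares a password hash here, not plain text.)"""
    sql = "select * from Users where username = ? and password = ?"
    return db.execute(sql, (user, pwd)).fetchone() is not None


def attempt(login, db, user, pwd):
    """Run one login and report 'granted', 'denied' or 'error' (malformed SQL)."""
    try:
        return "granted" if login(db, user, pwd) else "denied"
    except (sqlite3.Error, sqlite3.Warning):
        return "error"


def run_demo():
    """Try the article's two payloads (plus a real and a wrong login) against all
    three backends. Returns {backend_name: {case_name: outcome}}."""
    db = make_db()
    cases = {
        "legit":  ("admin", "correct-horse-battery"),
        "wrong":  ("admin", "guess"),
        "single": ("admin') --", " "),                   # payload from the first example
        "split":  ("abc' or 1=1--", "pqr' or 1=1--"),    # payload from the second example
    }
    results = {}
    for login in (login_vulnerable, login_vulnerable_split, login_parameterized):
        results[login.__name__] = {
            name: attempt(login, db, user, pwd) for name, (user, pwd) in cases.items()
        }
    return results


if __name__ == "__main__":
    for backend, outcomes in run_demo().items():
        print(backend, outcomes)
```

Each payload works against exactly the backend it was shaped for and breaks the other with a syntax error, which is the "try different input formats" point made above; the parameterized login denies both.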

The good news is here.. The site is patched! Ending this article with a last picture.


For any query, just post a comment here.. Thank you!

Sunday 9 September 2018

Wi-Fi Protocol update - WPA3 - More Security - Everything one needs to know


A new post after a long time.. Right! But do you know that this wait is much shorter than the wait for this new security release? WPA2 was introduced in 2004 and WPA3 was released two days ago. And this article will guide you through everything you should know about this new update. Don't worry if you don't know anything about the past, this will still be interesting.. Let's start.

In short: The Wi-Fi Alliance just announced WPA3 - a Wi-Fi security standard that will replace WPA2. Qualcomm has already started making new chips for phones and tablets which will support WPA3, and Cisco announced upcoming support that might even include updating existing devices to support it. And by now, every other company has announced their support for WPA3.

What is WPA2 and WPA3? 

“WPA” stands for Wi-Fi Protected Access. It is the method used to connect to and communicate with a wireless access point. Now that it is implemented by everyone, the most important service it should provide is "security". And that is the main reason why WPA3 was released.

If you have a password on your home Wi-Fi, it probably protects your network using WPA2—that’s version two of the Wi-Fi Protected Access standard. Does it mean that you are vulnerable using the old version? You might be if you haven't updated to the latest software implementing a patch for the vulnerability known as KRACK, which lies in WPA2. But this attack is not going to work on WPA3.

Technically, WPA2 and WPA3 are hardware certifications that device manufacturers must apply for. A device manufacturer must fully implement the required security features before being able to market their device as “Wi-Fi CERTIFIED™ WPA2™” or “Wi-Fi CERTIFIED™ WPA3™”.

What is new in WPA3?

The WPA3 standard adds 4 new features to WPA2. Manufacturers must fully implement these four features to market their devices as “Wi-Fi CERTIFIED™ WPA3™”. The Wi-Fi Alliance still hasn't revealed all the information about this standard, but we already know what it will be.. (How? Reading past articles and their official blog - then combining things together).

Privacy and Security on Public networks: Currently, open Wi-Fi networks, the kind you find in airports, hotels, coffee shops, and other public locations, are a security mess. Because they’re open and allow anyone to connect, traffic sent over them isn’t encrypted at all. It doesn’t matter whether you have to sign in on a web page after you join the network - everything sent over the connection is sent in plain text that people can intercept. The rise of encrypted HTTPS connections on the web has improved things, but people could still see which websites you were connecting to and view the content of HTTP pages.

WPA3 fixes things by using “individualized data encryption”. When you connect to an open Wi-Fi network, the traffic between your device and the Wi-Fi access point will be encrypted, even though you didn’t enter a passphrase at the time of connection. This will make public, open Wi-Fi networks much more private. This is going to affect hackers greatly. Recently, I was thinking of programming my own Network Hacking Toolkit (which will be available on GitHub) and am stuck at programming a MAC address changer. It may seem very easy but it isn't! The next phase was implementing a network spoofer where I can see all the communications happening on the network to which I am connected. This was very easy till now and will stay easy for some more time, until devices implement WPA3. Yes, this makes it harder for hackers to spy on networks..

Protection against attacks (brute force and KRACK): The KRACK attack hacked the key at the time of the handshake between the router and the victim. Simultaneous Authentication of Equals (SAE) is WPA3's new method of authenticating a device trying to connect to a network. A variation of the so-called dragonfly handshake that uses cryptography to prevent an eavesdropper from guessing a password, SAE dictates exactly how a new device, or user, should “greet” a network router when they exchange cryptographic keys.

Here's the past. WPA2 used the PSK method - a 4-way handshake when connecting devices. It seemed secure until the attack known as KRACK came into existence. A KRACK attack interrupts the series of handshakes by pretending to temporarily lose the connection to the router. In actuality, it is using the repeated connection opportunities to analyze the handshakes until it pieces together what the password must be.

SAE blocks this kind of attack, as well as more common offline dictionary attacks, where a computer churns through hundreds, thousands, or millions of passwords to determine which password matches the verification information provided by the PSK handshakes.

Easier connection for IoT devices: The world has changed a lot in fourteen years. Today, it’s common to see Wi-Fi enabled devices without displays. Everything from the Amazon Echo and Google Home to smart outlets and light bulbs can connect to a Wi-Fi network. Every time you want to connect such a device, you need to open up your Android device (the controller), disconnect from the home network and connect to the IoT device's network.

WPA3 contains a feature called "Easy Connect". Now, rather than enter passwords every time you want to add something to your network, devices will have unique QR codes—each device’s code will function as a sort of public key. To add a device, you scan the code using a smartphone already connected to the network.

Higher Security for Defense Applications: The final feature isn’t something that home users will care about, but the Wi-Fi Alliance also announced WPA3 will include a “192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems”. It’s intended for government, defense, and industrial applications.

The Committee on National Security Systems (CNSS) is part of the US National Security Agency, so this change adds a feature requested by the US government to allow stronger encryption on critical Wi-Fi networks.

When will you get the Update? 

According to the Wi-Fi Alliance, devices supporting WPA3 will be released later in 2018. Qualcomm is already making chips for phones and tablets that support WPA3, but it’ll take a while for them to be integrated into new devices.

The Wi-Fi Alliance hasn’t announced anything about existing devices receiving WPA3 support yet, but we don’t expect that many devices will receive software or firmware updates to support WPA3. Device manufacturers could theoretically create software updates that add these features to existing routers and other Wi-Fi devices, but they’d have to go through the trouble of applying for and receiving WPA3 certification for their existing hardware before rolling out the update. Most manufacturers will likely spend their resources on developing new hardware devices instead.

Even when you get a WPA3-enabled router, you’ll need WPA3-compatible client devices—your laptop, phone, and anything else that connects to Wi-Fi—to fully take advantage of these new features. This seems like bad news, as you have to upgrade your hardware and software or buy new ones to get WPA3 working. But the good news is that the same router can accept both WPA2 and WPA3 connections at the same time. Hence, you can still use WPA2 after the release of WPA3.

Saturday 28 April 2018

PowerHammer - Steal data via power lines - Computer not connected to any network can be hacked!


Till now, we have seen various hacks performed through networks (mostly the internet). But today, I will show you how to hack a computer which isn't connected to any network. Here, you will learn how a computer can be hacked via power lines. Power line means the electrical line through which computers get their power - the electricity lines.

Seems like magic! But it's reality. Yes, I am late introducing you all to this masterpiece of hacking as I am busy with many other tasks. But I won't let you down. Articles of The Hacker's Library will always be the best quality articles with complete understanding. So, now let's start with understanding this hack.

You need to know the term air-gapped computer to understand a point in this article. Air-gapping is a security measure that involves isolating a computer or network and preventing it from establishing an external connection. For example, an air-gapped computer is one that is physically segregated and incapable of connecting wirelessly or physically to other computers or network devices. In short, air-gapping prevents the computer from being hacked by not connecting it to any network. And here's the trap... Here, you will learn how an air-gapped computer can be hacked.

What happened?

A team of academics has successfully developed and tested malware that can exfiltrate data from air-gapped computers via power lines. The team —from the Ben-Gurion University of the Negev in Israel— named their data exfiltration technique PowerHammer.

PowerHammer works by infecting an air-gapped computer with malware that intentionally alters CPU utilization levels to make the victim's computer consume more or less electrical power.

Sounds like something from a James Bond movie? Well, the same group of researchers has previously demonstrated various out-of-band communication methods to steal data from a compromised air-gapped computer via light, sound, heat, electromagnetic, magnetic and ultrasonic waves. All this information is available on the net.

How it works?

By default, computers draw power from the local electrical network in a uniform manner. A PowerHammer attack produces a variation in the amount of power a victim's PC draws from the local electrical network. This phenomenon is known as a "conducted emission."

By altering the high and low power consumption levels, PowerHammer malware can encode binary data from a victim's computer into the power consumption pattern. That is, once PowerHammer gets installed on your computer, it takes control of the processor. To do this, it needs administrator privileges (on Windows) or root-level access (on Linux). Once it gets control, it follows these steps:

Step 1 - Read data from disk or memory.
Step 2 - Encode the data in binary form and then into digital signals containing 0s and 1s.
Step 3 - Send the data in the form of current onto the power lines. (Conversion from digital signals to analog signals is done automatically by the hardware - the malware just needs to force the digital data onto the processor output lines.)

There are two types of PowerHammer attacks

Well, we have seen how the malware sends data onto the power line. But how does the attacker receive this data? To retrieve it, an attacker must tap the victim's electrical network so the tap can read the power consumption variation and decode the binary data hidden inside. Based on where the attacker places the tapping rig, two types of PowerHammer attacks exist, with two different exfiltration speeds.

The first is "line level power-hammering," and this occurs when the attacker manages to tap the power cable between the air-gapped computer and the electrical socket. The exfiltration speed for line level hammering is around 1,000 bits/second.

The second is "phase level power-hammering"; this version of the attack occurs when the intruder taps the power lines at the phase level, in a building's electrical panel. This version of the PowerHammer attack is more stealthy but can recover data at only 10 bits/second, mainly due to the greater amount of "noise" at the power line phase level.


The tapping device isn't anything super-advanced, being a mundane split-core current transformer that can be attached to any electrical line.
This is a non-invasive probe which is clamped around the power line and measures the amount of current passing through it (Fig. 10). The non-invasive probe behaves like an inductor which responds to the magnetic field around a current-carrying cable (Fig. 10 b). The amount of current in the coil is correlated with the amount of current flowing in the conductor. For our experiments we used SparkFun’s split core current transformer ECS1030-L72.
The tapping device (probe) is also capable of sending the recorded data to a nearby computer via WiFi, making data collection easier from afar, without the attacker having to physically connect to the tapping probe.
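To make the encode/decode chain above concrete, here is an added simulation of my own (not the researchers' code): a simplified on-off-keying channel model that turns bits into a synthetic current trace at the 10 bits/s phase-level rate quoted above, the receiver's demodulator, and a defender-side heuristic that flags sustained two-level switching in a current trace. All sample rates, current levels and noise figures are constructed, and nothing here drives a real CPU.

```python
import random

# Constructed channel parameters (mine, not the paper's): clamp-probe samples per
# second, the 10 bits/s phase-level rate quoted above, made-up idle/busy current draw.
SAMPLE_RATE = 1000
BIT_RATE = 10
SAMPLES_PER_BIT = SAMPLE_RATE // BIT_RATE
IDLE_AMPS, BUSY_AMPS = 0.40, 0.55


def text_to_bits(text):
    """Step 2 of the article: turn the bytes to exfiltrate into a 0/1 sequence."""
    return [int(b) for byte in text.encode() for b in f"{byte:08b}"]


def bits_to_text(bits):
    """Inverse of text_to_bits; a trailing partial byte is ignored."""
    usable = len(bits) - len(bits) % 8
    chunks = [bits[i:i + 8] for i in range(0, usable, 8)]
    return bytes(int("".join(map(str, c)), 2) for c in chunks).decode(errors="replace")


def modulate(bits, noise=0.02, seed=1):
    """Channel model for step 3 (on-off keying, my simplification): a 1 bit is a
    window of 'CPU busy' current, a 0 bit a window of idle current, plus Gaussian
    line noise. This only builds a list of floats; it does not touch a real CPU."""
    rng = random.Random(seed)
    samples = []
    for b in bits:
        level = BUSY_AMPS if b else IDLE_AMPS
        samples.extend(level + rng.gauss(0, noise) for _ in range(SAMPLES_PER_BIT))
    return samples


def window_means(samples, width):
    """Average the trace over consecutive non-overlapping windows of `width` samples."""
    return [sum(samples[i:i + width]) / width
            for i in range(0, len(samples) - width + 1, width)]


def demodulate(samples):
    """Receiver side (the tapping probe): average each bit window and slice at the
    midpoint of the observed range to recover the bits."""
    means = window_means(samples, SAMPLES_PER_BIT)
    cut = (min(means) + max(means)) / 2
    return [1 if m > cut else 0 for m in means]


def detect_keying(samples, width=SAMPLES_PER_BIT, min_separation=4.0, min_toggles=8):
    """Defender-side heuristic over a current trace: ordinary workloads drift, but a
    covert channel switches back and forth between two tight levels. Splits the
    window means at the midpoint, compares the gap between the two groups with the
    spread inside them, and counts level changes. Returns (flagged, ratio, toggles)."""
    means = window_means(samples, width)
    cut = (min(means) + max(means)) / 2
    low = [m for m in means if m <= cut]
    high = [m for m in means if m > cut]
    if len(low) < 2 or len(high) < 2:
        return False, 0.0, 0
    between = sum(high) / len(high) - sum(low) / len(low)
    within = max(max(low) - min(low), max(high) - min(high)) or 1e-9
    ratio = between / within
    levels = [m > cut for m in means]
    toggles = sum(1 for a, b in zip(levels, levels[1:]) if a != b)
    return (ratio >= min_separation and toggles >= min_toggles), ratio, toggles


def benign_trace(seed=2, noise=0.02):
    """Constructed ordinary workload: current ramps up gradually with the same noise,
    so a single level change alone must not trigger the detector."""
    rng = random.Random(seed)
    n = 40 * SAMPLES_PER_BIT
    return [IDLE_AMPS + (BUSY_AMPS - IDLE_AMPS) * i / n + rng.gauss(0, noise)
            for i in range(n)]


if __name__ == "__main__":
    trace = modulate(text_to_bits("key=42"))
    print("recovered:", bits_to_text(demodulate(trace)))
    print("covert trace flagged:", detect_keying(trace))
    print("benign trace flagged:", detect_keying(benign_trace()))
```

Raising `noise` in `modulate` shows why the phase-level tap, with more line noise, has to run at a lower bit rate than the line-level tap.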

Scope of this attack

Experiments revealed the attack is successful for stealing data from air-gapped desktops, laptops, servers, and even IoT devices, but the exfiltration speed is slower for the latter. Another observation is that exfiltration speed gets better the more cores a CPU possesses.

Mitigations and more details for technically inclined users are available in the research team's paper, entitled "PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines." It also must be said that this malware is only an experiment and if ever deployed in the wild, such a tool would only be found in the arsenal of intelligence agencies and not something that normal users would see every day.

How to prevent yourself from this attack? 

To be honest, I didn't know much about this attack as it includes electrical components and all. Therefore, 50% of the above data is just taken from other articles. But, of all the articles I referred to, none had a part on how to prevent this attack. But I know a way to detect this attack and it's very simple.

The attack works by sending data through power lines and hence it has a side effect of increasing the voltage. So, just connect a voltage regulator between your computer and the circuit board. Hence, the current flows in the following manner: Computer <-----> Voltage Regulator <-----> Source Power.

If voltage stays high for a long time, you have probably been attacked!!

Where to find more information on this?

As I said above, I don't have much knowledge about it. I haven't implemented it yet and this was just an abstract of it. But what if you want to dive deep into this? You can, as the authors of PowerHammer have published a research paper online. Thanks to them..

Here's the link of research paper: https://arxiv.org/abs/1804.04014

Thank you for reading this article.. If you learned something new, if you liked it, share it with your friends too.

Monday 26 March 2018

Delete Facebook - theft of private data and data leakage - Downloading your own facebook data - Everything a facebook user should know


You might have heard in the last few days about everyone's Facebook data getting leaked to a private company. How and why are matters we will discuss later, but the most important concern is which data is getting leaked. The answer is: your private information. Facebook spies on you in one way or another and gets all the information from your device. Also, you can't argue about this - because it is clearly mentioned in the terms and conditions when you sign up for a new Facebook account. And without reading, you click "Agree and Continue". But let us leave that point and focus on what is happening now and how you can get proof of it.

Let me share my own experience when I once doubted this but didn't have any proof. A few months ago, I visited a family function (yep... you got it right - I didn't want to go). There I met a man who was a distant relation of our family. It was definitely the first time I had seen that person. And I was surprised the next day to see that person in my "Facebook friend suggestions list". That day, I searched all over Google to get the answer to: how did this happen! I surely suspected Facebook of spying on us - through our locations, phone calls, and more... But I didn't get a single answer on Google. What everyone said was - Facebook uses master algorithms to get this data. And I was like - algorithms are meant to work on data and not to steal data. But as time passed, I forgot about it.

Here are some proofs to make this article interesting:


Explore more by yourselves... Steps are mentioned below in this article.

But now, it's time for everyone to know. You probably know by now that there is a #DeleteFacebook movement sweeping the internet. After the Cambridge Analytica scandal, users across the world are terrified that Facebook has been using their accounts against them. The Cambridge Analytica scandal has been all over the internet for the past few days. The story is short but not sweet. Once, Facebook signed a deal with Cambridge Analytica to provide them users' information for analysis. But afterwards, they had a change of mind and asked Cambridge Analytica to stop retrieving users' data from Facebook servers. Cambridge Analytica, on receiving this message, sent a message to Facebook that they agreed to stop getting data for analysis from Facebook servers. And you know what - Facebook was happy with that message. They didn't take this seriously; they didn't cross-check whether the message they received was just a message or whether the task was actually carried out. And now, after 3 years, they came to know that Cambridge Analytica didn't stop spying on users' data.

It all started when the scandal was brought to light after a whistleblower at Cambridge Analytica, a consulting firm for Trump's campaign, admitted that they had access to millions of users' Facebook data. After this, it didn't take long for users to realize that they were able to download their own "Facebook Data" in order to find out exactly what information companies like Cambridge Analytica have on users like us.

And then, users started doing the job to see which data was actually leaked. And the result was completely terrifying. First, let us learn how to download your Facebook data in 5 simple steps:
  1. Open your facebook home page. Go to settings.
  2. Click your facebook "General Account" settings.
  3. Click "download a copy of your facebook data".
  4. Verify that you would like the data file downloaded and sent to your email. (Wait for some minutes so that the compressed file is ready)
  5. Open your email and download the file.
After downloading the file and investigating exactly what information Facebook has stored on you, you may contemplate deleting your account or at least limiting your information. Users that have downloaded their own data files have found extensive information on their previous contacts, call history, private telephone numbers from their phones, dozens of companies targeting them for ads, and complete conversations from Messenger.

See the real examples below if you don't trust The Hacker's Library:


Well, that's it. Are you going to delete your account? Or just post less information on Facebook?

Friday 9 March 2018

Source code for massive memcached server attack leaked - Memcrashed code made public


It's the time when everyone can attack. You, me and everyone else with the code can now perform a DDoS attack using memcached servers. In this article you will find the source code of the massive DDoS attack performed using memcached.

First, make a note of this - 
I am not liable for any kind of misuse of this code. You are on your own. This article is only for sharing information and its misuse is not promoted by me.

This article is linked to the previous article I wrote, so kindly read the previous article if you haven't. The whole thing is what people call Memcrashed. If you don't know what it is - it's just a simple way of performing the world's largest DDoS attack. For more info, I would recommend you read the articles below -
After reading the following articles, everything here will make sense to you. You, too, can now attempt a record-setting denial-of-service attack, as the tools used to launch the attacks were publicly posted this week.

This code was released as proof-of-concept code to make programmers aware of how this thing works. In total, two codes were released. One was released by the Twitter user @037, and the author of the other is still unknown. The code released by @037 is written in Python while the other is written in C.

The Python code scans for memcached servers using the Shodan search engine API. Then it starts the attack depending on the input provided by the user. It’s been just over a week since the first massive memcache-fueled denial of service attack. The code’s author says it’s being released “to bring more attention to the flaw and force others into updating their devices.”

Akamai and Cloudflare predicted more attacks following the record-setting efforts. Cloudflare CEO Matthew Prince said he was seeing separate attacks of a similar size last week.

“Looking at shodan.io indicates there are many more than just 17,000 Memcached servers that can be used for DDoS attacks,” said Ashley Stephenson, CEO of Corero. “If the vulnerable servers on the list are utilized for attacks they can be neutralized with the kill switch by sending just 17,000 packets, one to each attacking server, neutralizing their DDoS potential until they are reloaded by the attacker which take 10,000 times longer. Corero has announced today that the ‘flush-all’ command can be used as a benign active defense ‘kill switch’ by those being attacked to suppress attacks from the compromised Memcached server.”

This vulnerability has existed for a decade and now more and more attacks of this type are possible because of the source code leak. Wasting no more time, I am providing the links to download the code.
  1. C language code 
  2. Python code 
 Enjoy.. but remember - No Misuse...

Saturday 3 March 2018

The Biggest DDoS attack on Github using Memcached Servers - Survived


Brief News:- On Wednesday, at about 12:15 pm ET, 1.35 terabits per second of traffic hit the developer platform GitHub all at once. However, the attack could not take the server down. GitHub managed to tackle the attack and it lasted for less than 10 minutes.

Seems great, right! 1.35 terabits of traffic using botnets. How many botnets do you think might have been required? And it would be surprising to tell you that this is a new method which doesn't use a botnet. Rather, it uses only a single kind of server - memcached servers. It was the most powerful distributed denial of service attack recorded to date—and it used an increasingly popular DDoS method, no botnet required.

Before going in depth about what happened, let us understand how this attack can be done. This is something you will find in all my articles because I believe that having the knowledge of what happened doesn't help. One should also have the knowledge of how it happened. And that's the reason why I always specify the method of attack. Let us start by learning what a memcached server is and how they are exploited to perform this kind of attack.

What is a Memcached Server?

Memcached servers are used to cache small chunks of data in a server's memory. Think of the time required to retrieve data from the database by making queries to it and then converting that data into a readable format. What if a server finds out that a piece of information stored in the database is accessed frequently? The server can access that data once and then store it in the cache, i.e. memory. Now, only a memory read needs to be performed to access the data.

Memcached is a distributed caching system used for this purpose. It stores the data in dictionary form using key-value pairs, and hence the data can be accessed quickly. Hence, it works to speed up servers and websites.

How can a Memcached Server be exploited to DDoS?

Memcached servers generally return a large amount of data in response to a small request. Also, they work over UDP on port 11211. These are the two things which are taken advantage of to exploit the server.

Crooks send small byte-sized requests to Memcached servers on port 11211. Because the UDP protocol wasn't implemented correctly, instead of responding with a similar or smaller packet, Memcached servers respond with packets that are sometimes thousands of times bigger than the initial request. The next trick is called an amplification attack, and it exploits UDP. UDP (as opposed to TCP) is like the early post office; you send mail and hope it gets there, and if it doesn't then you have no control over it. There’s no handshaking between communicating computers. When a device sends a UDP packet to a server, it includes the return address so that the server can send the response back. If the device sends a carefully crafted fake request with a different return address, then the server will send the response to that spoofed return address. Hence, the return address field in the request packet is spoofed to the target's (victim's) address.

In the DDoS community this is called a reflection (or reflective) DDoS attack, and the ratio between the size of the response and the size of the request is the attack's "amplification factor". Research by Cloudflare found that the amplification factor of a memcached server can reach a massive 51,200.
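The two ingredients above, the tiny request and the oversized reply, are easy to see in code. The following Python is an added example and not part of the original article: it builds the 8-byte memcached UDP frame header in front of a text-protocol command, parses such a datagram, and runs a simple amplification-ratio check over constructed flow records (the FlowRecord field names and the sample byte counts are assumptions made for the example, not real measurements).

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

MEMCACHED_UDP_PORT = 11211

# memcached's 8-byte UDP frame header (big-endian 16-bit fields):
# request id, sequence number, total datagrams in this message, reserved (0).
UDP_HEADER = struct.Struct("!HHHH")


def memcached_udp_frame(command: bytes, request_id: int = 0) -> bytes:
    """Wrap a text-protocol command in a single-datagram memcached UDP frame."""
    return UDP_HEADER.pack(request_id, 0, 1, 0) + command


def parse_memcached_udp_frame(datagram: bytes) -> Dict[str, object]:
    """Split a memcached UDP datagram into its header fields and body."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than the memcached UDP header")
    request_id, seq, total, _reserved = UDP_HEADER.unpack_from(datagram)
    return {"request_id": request_id, "seq": seq, "total": total,
            "body": datagram[UDP_HEADER.size:]}


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


@dataclass
class FlowRecord:
    """One UDP/11211 flow as a flow collector would summarise it.
    Hypothetical field names; map your NetFlow/sFlow export onto them."""
    server: str     # memcached host that answered
    client: str     # source address of the request (spoofed in an attack)
    bytes_in: int   # bytes the server received on 11211/udp
    bytes_out: int  # bytes the server sent back to 'client'


def flag_amplifiers(records: List[FlowRecord], threshold: float = 10.0) -> Dict[str, float]:
    """Return {server: worst factor} for servers whose UDP replies outsize the
    requests by at least 'threshold'. Ordinary cache traffic is not that lopsided;
    a one-line 'stats' or a 'get' of a huge value answered in full is."""
    flagged: Dict[str, float] = {}
    for r in records:
        factor = amplification_factor(r.bytes_in, r.bytes_out)
        if factor >= threshold:
            flagged[r.server] = max(factor, flagged.get(r.server, 0.0))
    return flagged


# Constructed sample data. STATS_PROBE is the 15-byte datagram (8-byte header +
# "stats\r\n") an attacker would send with a spoofed source. The flows model one
# normal lookup and one 15-byte probe answered with 750 kB (a get of a large value).
STATS_PROBE = memcached_udp_frame(b"stats\r\n")

SAMPLE_FLOWS = [
    FlowRecord("cache-1.example.internal", "10.0.0.5", bytes_in=60, bytes_out=140),
    FlowRecord("cache-2.example.internal", "198.51.100.7",
               bytes_in=len(STATS_PROBE), bytes_out=750_000),
]

if __name__ == "__main__":
    print(parse_memcached_udp_frame(STATS_PROBE))
    for host, factor in flag_amplifiers(SAMPLE_FLOWS).items():
        print(f"{host}: amplification x{factor:,.0f}")
```

Hardening is simpler than detection: start memcached with -U 0 (UDP off, which has been the default since 1.5.6), bind it to a private address with -l, and block 11211/udp at the network edge so that no one outside can reach the service at all.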

Now that you know how the attack is performed, let's take a look at the news...

What Happened?

GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off.
“We modeled our capacity based on five times the biggest attack that the internet has ever seen,” Josh Shaul, vice president of web security at Akamai said hours after the GitHub attack ended. “So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once. It’s one thing to have the confidence. It’s another thing to see it actually play out how you’d hope."
GitHub continued routing its traffic through Prolexic for a few hours to ensure that the situation was resolved. Akamai's Shaul says he suspects that attackers targeted GitHub simply because it is a high-profile service that would be impressive to take down. The attackers also may have been hoping to extract a ransom. "The duration of this attack was fairly short," he says. "I think it didn’t have any impact so they just said that’s not worth our time anymore."

The lesson everyone drew is that the memcached service should never be reachable from the public internet; it should stay private to the servers that use it. The infrastructure community has also started addressing the underlying problem by asking the owners of exposed memcached servers to take them off the internet and keep them behind firewalls on internal networks. Groups like Prolexic that defend against active DDoS attacks have added, or are scrambling to add, filters that start blocking memcached traffic as soon as they detect a suspicious amount of it. And if internet backbone companies can identify the attack command used in a memcached DDoS, they can get ahead of the malicious traffic by blocking memcached packets of that length.

This was everything you need to know about the news... Thanks.

Friday 2 March 2018

Learn Machine Learning with Google AI - Google offers free online machine learning course for everyone


Short News:- Google is now offering everyone to learn Machine Learning for free! Yep.. at zero cost.

First of all, let me explain myself. You might be thinking: why such a post in The Hackers' Library? There's no hacking in here! Yep.. you are absolutely right. But this post is here for a single reason. I have always thought of creating a Master Hacking Bot. We all know the power of AI. Just think of what a bot could do if it were taught to HACK!!! With ML capabilities, the power of such a bot could be infinite. I don't know whether it is possible or not. But the truth is - no one charges you for dreaming big...

So, now let's start the discussion. There is really not much good material on the net for learning AI, and what exists is rarely free. But no worries now: Google brings you a way to learn AI and ML for free. Not only does it give you tutorials, it also gives you practice through examples and exercises, and introduces you to the world of AI.

"AI can solve complex problems and has the potential to transform entire industries, which means it's crucial that AI reflect a diverse range of human perspectives and needs. That's why part of Google AI's mission is to help anyone interested in machine learning succeed – from researchers, to developers and companies, to students," said Google Technical Program Manager Zuri Kemp on the company's official blog.

She also introduced the new Learn with Google AI website which provides ways for users to learn about core machine learning concepts, develop and hone their skills in the subject, as well as apply the technology to real-world problems.

This website is created for a wide range of users, from deep learning experts needing advanced tutorials and materials on TensorFlow to newbies who just want to take their first steps with AI. That means everyone from students to experts can use the site, learn from the courses provided and build their knowledge up to the top level.

Learn with Google AI also offers a free online course (actually its first course) called Machine Learning Crash Course (MLCC) which provides exercises, interactive visualisation, and instructional videos for anyone to learn and practise machine learning concepts.

So far, more than 18,000 Googlers have enrolled in MLCC, applying lessons from the course to enhance camera calibration for Daydream devices, build virtual reality for Google Earth, and improve streaming quality at YouTube. And this great achievement inspired Google to make it available for everyone. (Yep.. Google too needs inspiration - everyone does...)

This course is estimated to take about 15 hours and is designed for newcomers with zero knowledge of Machine Learning. Its prerequisites are stated below:
  1. Knowledge of algebra - Yep... mathematics, including algebra and statistics, is a must and the most important foundation for ML.
  2. Programming in Python - the examples provided in the course are written in Python. It is not strictly necessary, but compared with other languages Python is the best fit for AI work.
"There’s more to come from Learn with Google AI, including additional courses and documentation. We're excited to help everyone learn more about AI," said Kemp.

Thursday 15 February 2018

Zero-day vulnerability in Telegram exploited by Cyber Criminals to mine Cryptocurrency - Everything you need to know along with source code of miners

Below is an account of how this vulnerability was exploited in Telegram:
  • The cybercriminal prepares the malware to be sent in a message. For example, a JS file is renamed as follows:

    evil.js -> photo_high_re*U+202E*gnp.js


    Where *U+202E* is the RLO character to make Telegram display the remaining string gnp.js in reverse. Note that this operation does not change the actual file – it still has the extension *.js.
  • The attacker sends the message, and – surprise! – the recipient sees an incoming PNG image file instead of a JS file:

Hence, this kind of vulnerability tricks a user into downloading a malicious program onto his or her desktop; when the user opens what looks like an image, the script is executed, and everyone here knows what happens next. The installed malware can download further payloads from some attacker-controlled website, turn Windows security features off, take over the startup of the machine and much more. In short, once malware runs on a system, the attacker can do anything the logged-in user can.
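To see why the trick works, here is an added Python example (not code from the article, and not the malware's code) that takes a filename, shows roughly what a bidi-naive renderer displays, recovers the extension the operating system will actually use, and flags names that combine a bidi override with an executable extension. The rendering function is a deliberate simplification of the Unicode bidirectional algorithm, enough for Latin-script names like the one above; the list of executable extensions is an assumption for the example.

```python
# Unicode bidirectional control characters. They change how a string is *displayed*
# without changing the bytes the operating system uses to pick a file handler.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
RLO, PDF = "\u202e", "\u202c"

# Assumed list of extensions worth treating as executable in an attachment check.
EXECUTABLE_EXTS = (".js", ".jse", ".exe", ".scr", ".vbs", ".bat", ".cmd", ".ps1", ".hta")


def find_bidi_controls(name: str):
    """Positions and names of every bidi control character in the string."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def true_extension(name: str) -> str:
    """Extension the OS sees: taken from the raw string with controls removed."""
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    dot = stripped.rfind(".")
    return stripped[dot:].lower() if dot != -1 else ""


def displayed_name(name: str) -> str:
    """Approximate what a renderer shows: the text after an RLO is drawn
    right-to-left (reversed) until a PDF or the end of the string.
    Simplified model: no nesting, no mixed scripts, other controls just vanish."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif c in BIDI_CONTROLS:
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def classify_attachment(name: str) -> dict:
    """Summarise a filename: how it looks, what it really is, and whether the
    combination of a bidi override and an executable extension is suspicious."""
    ext = true_extension(name)
    controls = find_bidi_controls(name)
    return {
        "displayed_as": displayed_name(name),
        "true_extension": ext,
        "bidi_controls": [label for _, label in controls],
        "suspicious": bool(controls) and ext in EXECUTABLE_EXTS,
    }


# Constructed sample: the renaming from the post (the RLO itself is invisible when printed).
SAMPLE = "photo_high_re\u202egnp.js"

if __name__ == "__main__":
    for n in (SAMPLE, "report.pdf"):
        print(classify_attachment(n))
```

A mail gateway or chat client that wants to close this hole does not need the rendering function at all: rejecting or visibly marking any filename that contains a character from BIDI_CONTROLS is enough, because there is no legitimate reason for a file name to carry a directional override.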

Update:- The source code of the malware and cryptocurrency miners has been removed from this site because it leaked harmful data, and I will not take responsibility for its misuse, so it was better to remove it from here. I am, though, dropping a link at the end of this article to a website where you can find it. Visit it at your own risk if you want.

How is it used to mine cryptocurrency?

The task is done in several small steps. In the first step, the malware is installed on the system and takes remote control of it, so from then on it can do whatever it wants. It uses the Telegram Bot API to reach a bot through which the attacker controls the whole system remotely.

Now, how is this bot able to control the whole system? Not because Telegram runs commands on your machine: the malware already running on the system polls the bot through the Telegram API, reads the commands the attacker posts there and executes them locally, so Telegram is only the command-and-control channel. On analysing it, security researchers found that these commands are written in Russian. The list of supported commands shows that the operator can silently deploy arbitrary malicious tools such as backdoors, loggers and other malware on the target system.

The next step the malware takes is to add itself to the Windows startup registry keys, which makes it run every time the computer boots. At this stage the malware has a way back into memory every time you start your desktop.

In the last stage, it downloads a cryptocurrency miner from untrusted websites and installs it on your PC. It also adds the miner to startup so that mining begins as soon as the OS starts. Much more was discovered about its use, and one thing I would like to mention here is that the malware also installed spyware on the system: an FTP server was found holding dumps of Telegram users' data. Mentioning everything here is out of my capacity - just google it.


Sunday 3 December 2017

Whois Lookup - Gather Information through Whois Footprinting


Hello friends... This is our 100th article today, and we are excited to hear from all of you. Before we start on this topic, I would like to tell you that the articles from now on will be the most important ones in hacking, because this is the point at which real hacking starts. The previous articles might not have seemed very interesting to everyone, but they were important for the "n00bs". This is why this site will be the best in the future - we post everything, all in one place; sooner or later this will become the number one site for studying hacking.

Now, about this article. Basically, everything from now on relates to hacking and, mainly, to IP addresses and the concepts of networks and domains. So I suggest you read the articles on IP addresses, domains and networking first. This matters because, as you know, a server is attacked through its IP address, and an attacker is also tracked down through an unsecured network and an IP address.

What is Whois?

Whois, as the name implies, is a protocol that gives users access to the massive databases of registered owners of internet resources such as autonomous systems, IP blocks and domain names, among others. In other words, it is a query and response protocol that lets users find out 'who is' the registered owner of a domain simply by typing the exact domain name.

The protocol returns the response in a human-readable format. The full specification is RFC 3912: the client opens a TCP connection to port 43 of the whois server, sends the query terminated by CRLF, and the server replies with free-form text and closes the connection. Here are a few reasons why people run a Whois search:
  • Domain buying and trading
  • Check domain expiration
  • Find out domain owner identity
  • Find out location and address of the owner
  • Marketing purposes
Based on the above uses, the importance of a Whois search is clear. But why is Whois important to hackers, and how? These two questions are answered here...

How to perform a Whois Lookup?

To understand the importance of Whois in hacking, we will study an example of a Whois lookup, and to follow the example you need to know how to perform one.

Doing a Whois lookup is very simple and quick. There are only a few easy steps, and the results are shown within seconds. The procedure is as follows:
  1. Visit https://whois.net
  2. Enter the domain name you want to look up in the search box
  3. Hit the ‘GO’ button
The results show up within a few seconds, depending on your internet speed. Other websites can also be used for Whois lookups; my personal favourite is https://www.whois.com/whois/

Below is the information obtained by whois lookup of the domain "gtu.ac.in".
Domain Information
Domain: gtu.ac.in
Registrar: ERNET India (R9-AFIN)
Registration Date: 2008-07-15
Expiration Date: 2026-07-15
Updated Date: 2017-01-27
Status: ok

Name Servers:
ns-602.awsdns-11.net
ns-355.awsdns-44.com
ns-1775.awsdns-29.co.uk
ns-1501.awsdns-59.org

Registrant Contact
Name: gujarat technological university
Organization: gujarat technological university
Street: JACPC building l d college of engineering campus
City: ahmedabad
Postal Code: 380015
Country: IN
Phone: +91.9909980005
Email: registrar@gtu.ac.in

Administrative Contact
Name: n n bhuptani
Organization: gujarat technological university
Street: JACPC building l d college of engineering campus
City: ahmedabad
Postal Code: 380015
Country: IN
Phone: +91.9909980005
Email: registrar@gtu.ac.in

Technical Contact
Name: Harshad Borisa
Organization: gujarat technological university
Street: Gujarat Technological University JACPC building L. D. college of engineering campus
City: ahmedabad
State: Gujrat
Postal Code: 380015
Country: IN
Phone: +91.7926301500
Email: rupendra@gtu.edu.in

As you can clearly see, a Whois lookup provides us with details such as:
  • Domain expiry date
  • Email addresses of the owner and contacts
  • Phone numbers of the owner and contacts
  • Postal address of the owner
  • The IP block and its owner, when the lookup is run on an IP address instead of a domain
  • And much more...
This information is what makes Whois valuable. Note that the registrant details shown vary by top-level domain (TLD): some TLDs do not show all of the registrant's information, and some show none at all. The owner's information may also be hidden if they subscribe to domain privacy, in which case the contact details of the registrar or privacy service are shown instead. (Since the EU's GDPR took effect in May 2018, most registrars redact personal contact data by default, so for many domains expect far less than the listing above.)
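The lookup sites above just front the protocol in RFC 3912. As an added example (not part of the original article), the Python below talks to a whois server directly over TCP port 43, parses the 'Key: value' lines a registry returns, and pulls out the items listed above. The live functions need network access and are only invoked from the __main__ block; the parser is exercised on a constructed response that restates the gtu.ac.in record from the post in registry layout, so the field names are approximate rather than a real server's output.

```python
import socket
from typing import Dict, List, Optional

WHOIS_PORT = 43  # RFC 3912: plain TCP, query line ends in CRLF, reply until close


def whois_query(query: str, server: str, timeout: float = 10.0) -> str:
    """Raw RFC 3912 exchange with a whois server (needs network access)."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Collect 'Key: value' lines into a dict of lists (keys lower-cased).
    Repeated keys such as 'Name Server' accumulate; comment lines starting
    with '%' or '#', blank lines and lines without a colon are skipped."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if value:
            fields.setdefault(key, []).append(value)
    return fields


def footprint(fields: Dict[str, List[str]]) -> Dict[str, object]:
    """Pull out the items the post lists as useful: name servers, every
    contact e-mail and phone number (deduplicated) and the expiry date."""
    emails = sorted({v.lower() for k, vals in fields.items() if k.endswith("email") for v in vals})
    phones = sorted({v for k, vals in fields.items() if k.endswith("phone") for v in vals})
    expiry = fields.get("registry expiry date") or fields.get("expiration date") or [None]
    return {"name_servers": fields.get("name server", []),
            "emails": emails, "phones": phones, "expires": expiry[0]}


def registry_server_for(tld: str) -> Optional[str]:
    """Ask IANA which whois server is authoritative for a TLD (needs network).
    IANA's reply carries a 'whois:' line naming the registry's server."""
    answer = parse_whois(whois_query(tld, "whois.iana.org"))
    return (answer.get("whois") or [None])[0]


# Constructed sample: the gtu.ac.in record from the post rewritten in the
# 'Key: value' layout a registry server returns (field names approximate).
SAMPLE_RESPONSE = """\
Domain Name: gtu.ac.in
Registrar: ERNET India (R9-AFIN)
Creation Date: 2008-07-15
Registry Expiry Date: 2026-07-15
Updated Date: 2017-01-27
Domain Status: ok
Name Server: ns-602.awsdns-11.net
Name Server: ns-355.awsdns-44.com
Name Server: ns-1775.awsdns-29.co.uk
Name Server: ns-1501.awsdns-59.org
Registrant Organization: gujarat technological university
Registrant Phone: +91.9909980005
Registrant Email: registrar@gtu.ac.in
Admin Email: registrar@gtu.ac.in
Tech Phone: +91.7926301500
Tech Email: rupendra@gtu.edu.in
% Comment line of the kind registries append to their output
"""

if __name__ == "__main__":
    print(footprint(parse_whois(SAMPLE_RESPONSE)))
    # Live lookup, uncomment with network access: find the .in registry's
    # server via IANA, then query it directly.
    # server = registry_server_for("in")
    # print(footprint(parse_whois(whois_query("gtu.ac.in", server))))
```

Two practical notes: many registries rate-limit port 43 and will block an address that hammers them, and for gTLDs the registry's answer is a thin record that points at the registrar's own whois server, which you then query the same way.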

Importance of Whois Lookup

A Whois lookup is useful in many ways depending on the motive of the person performing it. Of the many ways it can be applied, the two most common are listed below...
  • If you are a defender, it can help you track down an attacker - perform a Whois lookup on the attacker's IP address to find the ISP that issued it and where that ISP is located, then contact the ISP (with the relevant timestamps) to obtain further details.
  • If you are on the attacking side, it helps you find targets - based on the information available, you can contact the owner and try some social engineering tricks on him or her.
Being able to identify the owner of a domain is an advantage that benefits many users. However, there is also a major disadvantage that comes with it, which is the lack of privacy for the domain owner, whose identity is made public. At registration time, users are required to provide their full name, address and contact details such as email address and phone number. This complies with the rules of the Internet Corporation for Assigned Names and Numbers (ICANN), which mandate that registrants' details be made publicly available through the Whois directories. This gives spammers and marketers an entry point to harvest email addresses and phone numbers for their marketing and spamming activities.

Due to the massive criticism of this lack of privacy, most domain registrars, such as GoDaddy and HostGator, now offer domain privacy, which conceals some of the owner's personal details. In that case, the contact information of the registrar or privacy service is displayed instead of the domain owner's. This feature usually costs extra.

The above article provides complete information about Whois lookups. If you still don't understand how to use it, comment your queries below. If you still don't understand where to use it, then wait for it.

Remember - Hacking is not performed using a single trick or tool. One needs to combine the power of everything he/she has to perform hacking. And you are learning a small part of it to develop your powers. Learn everything separately and combine them at a time.

Tuesday 17 October 2017

KRACK - WiFi devices all over the world are Hackable..! - Everyone's data is at risk - Everything you need to know


Hello friends.. Here you are about to find out the most important and unbelievable thing about the WiFi networks we use daily. What if someone told you that your WiFi is hackable? Or what if I told you that all of your private data in this world is hackable, and everyone is at risk? Some of you won't believe me, but this has become a reality and you can't ignore it.

Till now, all we knew about WiFi hacking was password cracking and sniffing attacks, and those did not work on every WiFi device. But now there is something bigger: every WiFi device is affected, and an attacker can get at your private data through it. This is serious and should be taken care of. I expect you to read this whole article, take the corrective steps and share this post on Facebook, WhatsApp and all other social media to make people aware of the big risk they are in.

Introduction

Most vulnerabilities go unnoticed by the majority of the world’s population even if they affect several million people. But this news, published yesterday, is probably even bigger than all other security breaches and affects several billion people all over the world: Researchers have found a bunch of vulnerabilities that make all Wi-Fi networks insecure.

The researchers (Mathy Vanhoef and Frank Piessens of KU Leuven) found that devices based on Android, iOS, Linux, macOS, Windows and other operating systems are vulnerable to some variant of this attack, which means almost any device can be compromised. They called this type of attack a key reinstallation attack, or KRACK for short.

What is KRACK?

The attack targets the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and the access point possess the correct credentials (e.g. the pre-shared password of the network). At the same time, the 4-way handshake negotiates a fresh encryption key that will be used to encrypt all subsequent traffic. Currently, all modern protected Wi-Fi networks use the 4-way handshake, which implies that all these networks are affected by (some variant of) the attack. For instance, the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES. All the attacks against WPA2 use a novel technique called a key reinstallation attack (KRACK).

Now to understand how KRACK works, we need to know how the WiFi devices work.

The process of connecting to a Wi-Fi network

When a client joins a network, it executes the 4-way handshake to negotiate a fresh encryption key. It installs this key after receiving message 3 of the 4-way handshake. Once the key is installed, it is used to encrypt normal data frames with an encryption protocol (CCMP in most networks). However, because messages may be lost or dropped, the access point (AP) retransmits message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it reinstalls the same encryption key and thereby resets the incremental transmit packet number (the nonce) and the receive replay counter used by the encryption protocol. Vanhoef and Piessens found that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked: packets can be replayed, decrypted and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS and fast BSS transition handshakes.

I am damn sure that some of our readers will not understand what is written above (as it requires clear networking concepts), but the next part will make everything clear.

How does the KRACK attack work?

To perform this attack, the attacker sets up a rogue access point with the same name (SSID) as an existing network, on a different channel, and targets a specific user. When the attacker detects that the user is about to connect to the real network, they send special packets (channel switch announcements) that make the device move to the other channel and talk to the rogue access point, which forwards frames to and from the real one. This gives the attacker a man-in-the-middle position between the client and the network.

After that, by capturing and replaying the retransmission of message 3 described above, they exploit the way the client's software handles it: the client reinstalls the key it is already using and resets its packet number, so the same keystream is used twice, and the attacker can decrypt, replay or forge frames and thus read information the user uploads or downloads. (In one notable case, wpa_supplicant 2.4 to 2.6 as shipped on Android 6.0 and many Linux systems, the reinstalled key was an all-zero key, which made decryption trivial.)
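The following Python is an added example, not code from the original post or from the KRACK researchers, that models the reinstallation bug and its consequence. It uses a toy SHA-256 counter-mode keystream in place of the AES-CTR inside CCMP (the property that matters, that the same key and nonce give the same keystream, is shared), a constructed PTK and two constructed plaintexts; the channel-based man-in-the-middle position needed to capture and replay message 3 in a real attack is not modelled, only the client's handling of the replay.

```python
import hashlib
from typing import Optional, Tuple

Frame = Tuple[int, bytes]  # (packet number used as nonce, ciphertext)


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || block counter).
    Stands in for AES-CTR inside CCMP; only nonce reuse matters for the demo."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big")
                              + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Minimal model of a Wi-Fi client's key handling around message 3."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk: Optional[bytes] = None
        self.pn = 0  # transmit packet number, the CCMP nonce

    def receive_msg3(self, ptk: bytes) -> None:
        if self.patched and self.ptk == ptk:
            return  # fix: a key that is already in use is never reinstalled
        self.ptk = ptk
        self.pn = 0  # (re)installing the key resets the packet number

    def send(self, plaintext: bytes) -> Frame:
        if self.ptk is None:
            raise RuntimeError("no key installed")
        frame = (self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext))))
        self.pn += 1
        return frame


# Constructed plaintexts: a predictable first request and a secret second one.
KNOWN_PLAINTEXT = b"GET / HTTP/1.1\r\nHost: example.test\r\n"
SECRET_PLAINTEXT = b"POST /login user=alice&pass=hunter2\r\n"


def run_handshake(patched: bool) -> Tuple[Frame, Frame]:
    """AP delivers message 3; the client sends a frame; the attacker replays the
    captured retransmission of message 3; the client sends another frame."""
    client = Supplicant(patched)
    ptk = hashlib.sha256(b"constructed PTK for the demo").digest()
    client.receive_msg3(ptk)
    first = client.send(KNOWN_PLAINTEXT)
    client.receive_msg3(ptk)  # replayed retransmission
    second = client.send(SECRET_PLAINTEXT)
    return first, second


def recover_second_frame(first: Frame, second: Frame,
                         known_plaintext: bytes) -> Optional[bytes]:
    """Attacker's view: with the same key and nonce, ct1 ^ ct2 = pt1 ^ pt2, so a
    known pt1 reveals pt2. Returns None when the nonces differ."""
    (pn1, ct1), (pn2, ct2) = first, second
    if pn1 != pn2:
        return None
    n = min(len(ct1), len(ct2), len(known_plaintext))
    return xor(xor(ct1[:n], ct2[:n]), known_plaintext[:n])


if __name__ == "__main__":
    for patched in (False, True):
        f1, f2 = run_handshake(patched)
        print("patched" if patched else "vulnerable", "->",
              recover_second_frame(f1, f2, KNOWN_PLAINTEXT))
```

The patched branch is the whole fix the vendors shipped: remember that a key is installed and ignore a message 3 that would reinstall it, so the packet number keeps counting and no keystream is ever reused.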

One may argue that there is another layer of security: the encrypted connection to a site, i.e. SSL/TLS or HTTPS. However, a simple utility called SSLstrip running on the fake access point is enough to force the browser to talk to unencrypted HTTP versions of websites instead of encrypted HTTPS versions, on sites that do not enforce HTTPS with HSTS (and quite a lot of websites did not, including some very big ones). A site on the browser's HSTS preload list, or one the browser has already received an HSTS header from, cannot be downgraded this way.

So, by using this utility in their fake network, the attacker can access the users’ logins and passwords in plain text, which basically means stealing them. And not only the plain login passwords but all the data which goes into plain text form is accessible by the attacker. Even OTPs are accessible. So, now you know - What the heck.!

Let me give you some short information about SSLstrip. SSLstrip is a man-in-the-middle technique that forces a victim's browser into communicating with the attacker in plain text over HTTP, while the attacker proxies the (possibly modified) content from the real HTTPS server. To do this, SSLstrip "strips" https:// URLs from the pages and links it relays and turns them into http:// URLs. Hence the data between the victim and the attacker travels in plain text rather than encrypted. So, finally, you know that everyone, including you, is at risk.

How to stay secure?

The fact that almost every device in almost every Wi-Fi network is vulnerable to KRACK sounds quite scary, but like pretty much any other type of attack, this one is not the end of the world. Here are a few tips on how to stay safe. First of all, understand that the vulnerability lies in the protocol design, but it can be fixed in a backwards-compatible way in the software of the client (and, for 802.11r fast roaming, of the access point). So beyond installing updates, you depend on the vendor of your device.
  • Always check that there is a lock icon in the address bar of your browser. That lock indicates that an HTTPS (encrypted and therefore secure) connection to this particular website is being used. If someone uses SSLstrip against you, the browser is forced onto the HTTP version of the website and the lock disappears. If the lock is in place, your connection is still secure.
  • Most device manufacturers are in the process of issuing updates that fix the key reinstallation issue. Check for fresh firmware and OS updates for your devices and install them as soon as possible. Note that patching only the router does not protect the clients: phones, laptops and IoT devices need their own updates.
  • You can secure your connection with a VPN, which adds another layer of encryption to the data transferred from your device.
So, now you know what to do - share this and spread awareness. Thank you..
