Pages

Amazon

Saturday, 29 August 2020

Wafw00F: The Web Application Firewall Fingerprinting Tool

How does wafw00f work?
   To do its magic, WAFW00F does the following steps:
  • Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions.
  • If that is not successful, wafw00f sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is.
  • If that is also not successful, wafw00f analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to wafw00f's attacks.

   For further details, check out the source code on EnableSecurity's main repository.

What does it detect? WAFW00F can detect a number of firewalls, a list of which is as below:

wafw00f's installation
   If you're using Debian-based distro, enter this commands to install wafw00f: sudo apt update && sudo apt install wafw00f

   But if you're using another Linux distro, enter these commands to install wafw00f:

How to use wafw00f?
   The basic usage is to pass an URL as an argument. Example:

Final Words to you
   Questions? Pull up an issue on GitHub Issue Tracker or contact to EnableSecurity.
   Pull requests, ideas and issues are highly welcome. If you wish to see how WAFW00F is being developed, check out the development board.

   Some useful links:

   Presently being developed and maintained by:

More info


How I Hacked My IP Camera, And Found This Backdoor Account

The time has come. I bought my second IoT device - in the form of a cheap IP camera. As it was the most affordable among all others, my expectations regarding security was low. But this camera was still able to surprise me.

Maybe I will disclose the camera model used in my hack in this blog later, but first, I will try to contact someone regarding these issues. Unfortunately, it seems a lot of different cameras have this problem because they share being developed on the same SDK. Again, my expectations are low on this.

The obvious problems



I opened the box, and I was greeted with a password of four numeric characters. This is the password for the "admin" user, which can configure the device, watch its output video, and so on. Most people don't care to change this anyway.

It is obvious that this camera can talk via Ethernet cable or WiFi. Luckily it supports WPA2, but people can configure it for open unprotected WiFi of course. 

Sniffing the traffic between the camera and the desktop application it is easy to see that it talks via HTTP on port 81. The session management is pure genius. The username and password are sent in every GET request. Via HTTP. Via hopefully not open WiFi. It comes really handy in case you forgot it, but luckily the desktop app already saved the password for you in clear text in 
"C:\Users\<USER>\AppData\Local\VirtualStore\Program Files (x86)\<REDACTED>\list.dat"

This nice camera communicates to the cloud via UDP. The destination servers are in Hong Kong - user.ipcam.hk/user.easyn.hk - and China - op2.easyn.cn/op3.easyn.cn. In case you wonder why an IP camera needs a cloud connection, it is simple. This IP camera has a mobile app for Android and iOS, and via the cloud, the users don't have to bother to configure port forwards or dynamic DNS to access the camera. Nice.

Let's run a quick nmap on this device.
PORT     STATE SERVICE    VERSION
23/tcp   open  telnet     BusyBox telnetd
81/tcp   open  http       GoAhead-Webs httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized
|_  Digest algorithm=MD5 opaque=5ccc069c403ebaf9f0171e9517f40e41 qop=auth realm=GoAhead stale=FALSE nonce=99ff3efe612fa44cdc028c963765867b domain=:81
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: Document Error: Unauthorized
8600/tcp open  tcpwrapped
The already known HTTP server, a telnet server via BusyBox, and a port on 8600 (have not checked so far). The 27-page long online manual does not mention any Telnet port. How shall we name this port? A debug port? Or a backdoor port? We will see. I manually tried 3 passwords for the user root, but as those did not work, I moved on.

The double-blind command injection

The IP camera can upload photos to a configured FTP server on a scheduled basis. When I configured it, unfortunately, it was not working at all, I got an invalid username/password on the server. After some debugging, it turned out the problem was that I had a special $ character in the password. And this is where the real journey began. I was sure this was a command injection vulnerability, but not sure how to exploit it. There were multiple problems that made the exploitation harder. I call this vulnerability double-blind command injection. The first blind comes from the fact that we cannot see the output of the command, and the second blind comes from the fact that the command was running in a different process than the webserver, thus any time-based injection involving sleep was not a real solution.
But the third problem was the worst. It was limited to 32 characters. I was able to leak some information via DNS, like with the following commands I was able to see the current directory:
$(ping%20-c%202%20%60pwd%60)
or cleaning up after URL decode:
$(ping -c 2 `pwd`)
but whenever I tried to leak information from /etc/passwd, I failed. I tried $(reboot) which was a pretty bad idea, as it turned the camera into an infinite reboot loop, and the hard reset button on the camera failed to work as well. Fun times.

The following are some examples of my desperate trying to get shell access. And this is the time to thank EQ for his help during the hacking session night, and for his great ideas.
$(cp /etc/passwd /tmp/a)       ;copy /etc/passwd to a file which has a shorter name
$(cat /tmp/a|head -1>/tmp/b)   ;filter for the first row
$(cat</tmp/b|tr -d ' '>/tmp/c) ;filter out unwanted characters
$(ping `cat /tmp/c`)           ;leak it via DNS
After I finally hacked the camera, I saw the problem. There is no head, tr, less, more or cut on this device ... Neither netcat, bash ...

I also tried commix, as it looked promising on Youtube. Think commix like sqlmap, but for command injection. But this double-blind hack was a bit too much for this automated tool, unfortunately.



But after spending way too much time without progress, I finally found the password to Open Sesame.
$(echo 'root:passwd'|chpasswd)
Now, logging in via telnet
(none) login: root
Password:

BusyBox v1.12.1 (2012-11-16 09:58:14 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#

Woot woot :) I quickly noticed the root of the command injection problem:

# cat /tmp/ftpupdate.sh
/system/system/bin/ftp -n<<!
open ftp.site.com 21
user ftpuser $(echo 'root:passwd'|chpasswd)
binary
mkdir  PSD-111111-REDACT
cd PSD-111111-REDACT
lcd /tmp
put 12.jpg 00_XX_XX_XX_XX_CA_PSD-111111-REDACT_0_20150926150327_2.jpg
close
bye

Whenever a command is put into the FTP password field, it is copied into this script, and after the script is scheduled, it is interpreted by the shell as commands. After this I started to panic that I forgot to save the content of the /etc/passwd file, so how am I going to crack the default telnet password? "Luckily", rebooting the camera restored the original password. 

root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh

Unfortunately, there is no need to start good-old John The Ripper for this task, as Google can tell you that this is the hash for the password 123456. It is a bit more secure than a luggage password.



It is time to recap what we have. There is an undocumented telnet port on the IP camera, which can be accessed by default with root:123456, there is no GUI to change this password, and changing it via console, it only lasts until the next reboot. I think it is safe to tell this a backdoor.
With this console access we can access the password for the FTP server, for the SMTP server (for alerts), the WiFi password (although we probably already have it), access the regular admin interface for the camera, or just modify the camera as we want. In most deployments, luckily this telnet port is behind NAT or firewall, so not accessible from the Internet. But there are always exceptions. Luckily, UPNP does not configure the Telnet port to be open to the Internet, only the camera HTTP port 81. You know, the one protected with the 4 character numeric password by default.

Last but not least everything is running as root, which is not surprising. 

My hardening list

I added these lines to the end of /system/init/ipcam.sh:
sleep 15
echo 'root:CorrectHorseBatteryRedStaple'|chpasswd
Also, if you want, you can disable the telnet service by commenting out telnetd in /system/init/ipcam.sh.

If you want to disable the cloud connection (thus rendering the mobile apps unusable), put the following line into the beginning of /system/init/ipcam.sh
iptables -A OUTPUT -p udp ! --dport 53 -j DROP
You can use OpenVPN to connect into your home network and access the web interface of the camera. It works from Android, iOS, and any desktop OS.

My TODO list

  • Investigate the script /system/system/bin/gmail_thread
  • Investigate the cloud protocol * - see update 2016 10 27
  • Buy a Raspberry Pie, integrate with a good USB camera, and watch this IP camera to burn
A quick googling revealed I am not the first finding this telnet backdoor account in IP cameras, although others found it via JTAG firmware dump. 

And 99% of the people who buy these IP cameras think they will be safe with it. Now I understand the sticker which came with the IP camera.


When in the next episode of Mr. Robot, you see someone logging into an IP camera via telnet with root:123456, you will know, it is the sad reality.

If you are interested in generic ways to protect your home against IoT, read my previous blog post on this. 

Update: as you can see in the following screenshot, the bad guys already started to take advantage of this issue ... https://www.incapsula.com/blog/cctv-ddos-botnet-back-yard.html

Update 20161006: The Mirai source code was leaked last week, and these are the worst passwords you can have in an IoT device. If your IoT device has a Telnet port open (or SSH), scan for these username/password pairs.

root     xc3511
root     vizxv
root     admin
admin    admin
root     888888
root     xmhdipc
root     default
root     juantech
root     123456
root     54321
support  support
root     (none)
admin    password
root     root
root     12345
user     user
admin    (none)
root     pass
admin    admin1234
root     1111
admin    smcadmin
admin    1111
root     666666
root     password
root     1234
root     klv123
Administrator admin
service  service
supervisor supervisor
guest    guest
guest    12345
guest    12345
admin1   password
administrator 1234
666666   666666
888888   888888
ubnt     ubnt
root     klv1234
root     Zte521
root     hi3518
root     jvbzd
root     anko
root     zlxx.
root     7ujMko0vizxv
root     7ujMko0admin
root     system
root     ikwb
root     dreambox
root     user
root     realtek
root     00000000
admin    1111111
admin    1234
admin    12345
admin    54321
admin    123456
admin    7ujMko0admin
admin    1234
admin    pass
admin    meinsm
tech     tech
mother   fucker

Update 2016 10 27: As I already mentioned this at multiple conferences, the cloud protocol is a nightmare. It is clear-text, and even if you disabled port-forward/UPNP on your router, the cloud protocol still allows anyone to connect to the camera if the attacker knows the (brute-forceable) camera ID. Although this is the user-interface only, now the attacker can use the command injection to execute code with root privileges. Or just grab the camera configuration, with WiFi, FTP, SMTP passwords included.
Youtube video : https://www.youtube.com/watch?v=18_zTjsngD8
Slides (29 - ) https://www.slideshare.net/bz98/iot-security-is-a-nightmare-but-what-is-the-real-risk

Update 2017-03-08: "Because of code reusing, the vulnerabilities are present in a massive list of cameras (especially the InfoLeak and the RCE),
which allow us to execute root commands against 1250+ camera models with a pre-auth vulnerability. "https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt

Update 2017-05-11: CVE-2017-5674 (see above), and my command injection exploit was combined in the Persirai botnet. 120 000 cameras are expected to be infected soon. If you still have a camera like this at home, please consider the following recommendation by Amit Serper "The only way to guarantee that an affected camera is safe from these exploits is to throw it out. Seriously."
This issue might be worse than the Mirai worm because these effects cameras and other IoT behind NAT where UPnP was enabled.
http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/


Related links

  1. Hack Tools For Mac
  2. Pentest Tools Windows
  3. Hack App
  4. Pentest Tools Find Subdomains
  5. Pentest Automation Tools
  6. Pentest Tools Open Source
  7. Tools For Hacker
  8. Pentest Tools For Android
  9. Hacker Tools Hardware
  10. Hacker Security Tools
  11. Hack App
  12. Best Pentesting Tools 2018
  13. Pentest Tools For Mac
  14. Pentest Tools Website Vulnerability
  15. Pentest Tools Download
  16. Hacker Tools Mac
  17. Pentest Tools Tcp Port Scanner
  18. Hacker Tools Mac
  19. Hacking Tools Name
  20. Kik Hack Tools
  21. Pentest Tools Linux
  22. Android Hack Tools Github
  23. Pentest Tools For Mac
  24. Tools 4 Hack
  25. Hacker Tools For Mac
  26. Hacking Tools Windows
  27. Kik Hack Tools
  28. Pentest Tools Windows
  29. Computer Hacker
  30. Hacking Tools Github
  31. Hacking Tools For Beginners
  32. Hacking Tools For Windows
  33. Hacking Tools Hardware
  34. Bluetooth Hacking Tools Kali
  35. Growth Hacker Tools
  36. Bluetooth Hacking Tools Kali
  37. Hacking Tools Windows
  38. Physical Pentest Tools
  39. What Are Hacking Tools
  40. Hacking Tools For Windows
  41. Pentest Tools For Ubuntu
  42. Nsa Hacker Tools
  43. Pentest Tools Download
  44. Hack App
  45. Pentest Tools Bluekeep
  46. Pentest Tools Kali Linux
  47. Hacking Tools For Windows 7
  48. Github Hacking Tools
  49. Pentest Tools Online
  50. Hackrf Tools
  51. Nsa Hack Tools Download
  52. Blackhat Hacker Tools
  53. Hacker Hardware Tools
  54. How To Install Pentest Tools In Ubuntu
  55. Hack Website Online Tool
  56. Pentest Tools Url Fuzzer
  57. Hacking Tools And Software
  58. Hacks And Tools
  59. Hacker Tools 2020
  60. How To Install Pentest Tools In Ubuntu
  61. Hack Rom Tools
  62. Pentest Automation Tools
  63. Growth Hacker Tools
  64. Hacker Tools For Pc
  65. Hacking Tools For Mac
  66. Hacking Apps
  67. Hacker
  68. Hackrf Tools
  69. Hacking Tools Software
  70. Hacking Tools
  71. Best Hacking Tools 2019
  72. Hacking Tools 2020
  73. Pentest Reporting Tools
  74. Hack Tools Github
  75. Easy Hack Tools
  76. How To Make Hacking Tools
  77. Hacker Tools For Windows
  78. Hacks And Tools
  79. Pentest Tools Find Subdomains
  80. Hacking Tools 2020
  81. Growth Hacker Tools
  82. Physical Pentest Tools
  83. Pentest Tools Alternative
  84. Hacker Tools Github
  85. Pentest Tools Online
  86. Hacking Tools Mac
  87. Hacker Tools List
  88. Hacker Tools Free
  89. Pentest Tools
  90. Wifi Hacker Tools For Windows
  91. Hack Tool Apk
  92. Pentest Tools Alternative
  93. Pentest Tools Download
  94. Hack Website Online Tool
  95. Hack Tools Download
  96. Hack Website Online Tool
  97. Hacker Tools 2020
  98. Hack Apps
  99. Pentest Tools Linux
  100. Hacking Tools 2019
  101. Tools 4 Hack
  102. Hacking Tools For Windows 7
  103. Hacking Tools Pc
  104. Hacking Tools Mac
  105. Hack Tools Pc
  106. Hacking Tools For Games
  107. Hacker Tools For Windows
  108. Termux Hacking Tools 2019
  109. How To Hack
  110. Hacker Tools List
  111. Pentest Tools Framework
  112. Pentest Tools Review
  113. Hacking Tools Pc
  114. Easy Hack Tools
  115. Pentest Recon Tools
  116. Nsa Hack Tools
  117. Hack Tools For Ubuntu
  118. Pentest Tools Android
  119. Nsa Hack Tools
  120. Hack Tools
  121. Growth Hacker Tools
  122. Hacker Tools List
  123. Computer Hacker
  124. Hack Tools For Mac
  125. Hacker Techniques Tools And Incident Handling
  126. Hack Tools 2019
  127. Growth Hacker Tools
  128. Hacker Tools Apk Download
  129. Pentest Tools List
  130. What Are Hacking Tools
  131. Best Hacking Tools 2019
  132. Hacking Tools Free Download
  133. Hacker Tools Software
  134. Pentest Tools Review
  135. Hacking Tools And Software
  136. Hacker Tools 2020
  137. Wifi Hacker Tools For Windows
  138. Hacker Tools 2020
  139. Hacking App
  140. Hacker Tools Linux
  141. Hack Tool Apk No Root
  142. Hacking Tools Github
  143. Hacker Security Tools
  144. Hack Tool Apk No Root
  145. Hack And Tools

Los Mejores Programas Para Recuperar Vídeos Borrados Del PC Y Móvil

Estamos en el siglo veintiuno donde la tecnología se ha hecho notar y sigue transformando y evolucionando de manera exponencial al mundo entero. Tanto así, que ya puede llevar un super ordenador en tu bolsillo y no se diga de algunos smartphones, que sin duda son los aparatos con mejor desarrollo en la actualidad y por supuesto los que están por llegar que relativamente serán sorprendentes.
Esto significa que detrás de todos estos inventos grandiosos, también se crearon software capaz de recuperar información ya eliminada de los diferentes sistemas como: Windows, Android, iPhone y otros. Son aplicaciones muy potentes que pueden extraer información ingresando a la raíz oculta de cualquier dispositivo seleccionado por la persona. Y en este post queremos relacionar las mejores opciones para que pueda redimir de manera rápida cualquier archivo que por error hayas eliminado.
https://www.dominatupc.com.co/
Este inconveniente se presenta a menudo en dispositivos móviles, que por un simple descuido terminamos eliminando archivos importantes, ya sea vídeo, fotos o algún fichero valioso. Por suerte existen numerosas herramientas las cuales vamos a presentar a continuación.

Cómo recuperar Vídeos y más borrados del ordenador

En esta selección, nombramos los más populares y porque no decir que sin duda, los mejores para este tipo de tarea. 
Tenorshare UltData
Un poderoso asistente que te ayuda a salvar los datos borrados y en algunos casos cuando has formateado el PC. También recupera archivos eliminados de tarjetas de memoria o dispositivos extraíbles.
Recoverit Data
Permite escanear de manera rápida tu dispositivo para luego mostrar una vista previa de todos los archivos recuperados como: Fotos, Vídeos, Audios, documentos y más.
MiniTool
Un software gratuito de recuperación detallada que facilita el rescate de cualquier archivo en diferentes situaciones de perdida de datos, como ocasionada por virus, eliminación del disco duro o error del mismo.
EaseUS
Con amplia disposición para rescatar cualquier archivo, este software está diseñado para recuperar datos de dispositivos extraíbles realizando un escaneo profundo sin destruir y garantizando resultados óptimos.

Recuperar Vídeos y más, borrados en Android

Una aplicación que te ayuda a recuperar fotos, imágenes, Vídeos, archivos de todo tipo. Además, te permite liberar espacio de almacenamiento en tu dispositivo de forma automática.
Una App desarrollada para recuperar vídeos, con resultados precisos y rápidos. Es importante aclarar que solo recupera aquellos vídeos que hayas eliminado después de instalar la aplicación.
Cómo el nombre lo indica, se trata de alcanzar archivos de audio y vídeos que ya no estén en el dispositivo y recuperarlos de manera satisfactoria.
Con una interfaz amigable esta App es responsable de extraer vídeos que por error ya no estén en su teléfono. La recuperación se realiza después de haber instalado Recovery.
No dudes en probar alguna de estas aplicaciones si presenta este tipo de contratiempo. Pero sería muy indispensable tener un as bajo la manga y para ello recomendamos que el dispositivo lo sincronice con Dropbox o Drive para que tengas una copia de cualquier documento en la nube, de esta manera podría tener a la mano todos sus archivos, incluso si rompes el móvil o lo pierde. También te puede interesar: (Cómo recuperar datos de manera segura)


More information
  1. Hacking Apps
  2. Hacking Tools For Windows
  3. Hacker Tools Software
  4. Pentest Tools Download
  5. Hacker Search Tools
  6. Hacking Tools Free Download
  7. Hacking Tools For Windows Free Download
  8. Wifi Hacker Tools For Windows
  9. Tools Used For Hacking
  10. Pentest Tools Kali Linux
  11. Hacking Tools Pc
  12. How To Hack
  13. Hacking Tools Github
  14. Hack Tools
  15. Pentest Tools Online
  16. Hacking App
  17. Pentest Tools Nmap
  18. Pentest Tools List
  19. Pentest Tools Download
  20. Pentest Tools Android
  21. Hack Tool Apk
  22. Pentest Tools Alternative
  23. Hacker Tools For Windows
  24. Beginner Hacker Tools
  25. Pentest Tools Alternative
  26. Hacker Tools For Ios
  27. Pentest Tools For Mac
  28. Black Hat Hacker Tools
  29. Hacker Tools Github
  30. Pentest Tools Find Subdomains
  31. What Are Hacking Tools
  32. How To Make Hacking Tools
  33. Hacker Tools For Pc
  34. World No 1 Hacker Software
  35. Pentest Tools Bluekeep
  36. Pentest Reporting Tools
  37. Hacker Tools Software
  38. Pentest Tools Tcp Port Scanner
  39. Hacker Security Tools
  40. Best Hacking Tools 2019
  41. Pentest Tools For Windows
  42. Hacker Tools For Ios
  43. Hacking Tools
  44. Hack Tools
  45. Pentest Tools Windows
  46. Hack Rom Tools
  47. Hacker Tools Apk Download
  48. Hacker Tools For Ios
  49. Hacking Tools For Games
  50. Pentest Tools Bluekeep
  51. Hacking App
  52. What Are Hacking Tools
  53. Hack Tool Apk
  54. Hacking Tools Hardware
  55. Pentest Tools Kali Linux
  56. World No 1 Hacker Software
  57. Hacking Tools For Windows 7
  58. Hacking Tools Pc
  59. Pentest Tools Find Subdomains
  60. Hacking Tools For Windows
  61. Pentest Tools Url Fuzzer
  62. Hacker Tools For Pc
  63. Hack Tools For Pc