Recent Posts

Log Tampering! Cover your tracks like a pro

Getting caught is exactly what every hacker does not want. They want to gain entry to a system and then withdraw quickly, back to the safety of wherever they are operating from. Logs are designed to record nearly everything that happens on a system, including intrusion attempts, and they are often the deciding factor in catching an intruder after the fact. Ethical hackers need to understand how attackers tamper with logs, because it is common practice. This article covers the basics of log tampering for ethical hackers: disabling auditing, clearing logs, modifying logs and erasing command history. The focus is on Windows and Linux logs, as they are the ones organizations use most. This article is intended as an introduction to log tampering for ethical hacking purposes only.

What are logs?

A log is a detailed record of application events, system performance or user activity. Logs are useful for keeping track of computer use, for recovering from failures and for improving applications. Each program that can write a log has its own way of starting and stopping it. A familiar example is the Event Viewer in Microsoft Windows 2000 and Windows XP, which records events, errors and other information occurring in Windows.

Many web sites, including Computer Hope, keep logs of which pages users access, any errors that occur, how visitors view the page, and more. These logs help the site owners track usage statistics and tell them when something needs to be fixed or updated. Google Analytics is a well-known free service that collects this kind of information.

As an analogy, hacking is like stealing cookies from the cookie jar. Every cookie thief, or hacker, wants to get in, do their dirty deeds and get out before being caught.
Now imagine that the cookie jar is surrounded by fresh snow that covers everything around it. It would be impossible to reach the jar without leaving tracks, just as it is practically impossible to gain entry to a system without leaving traces. Tampering with logs is the equivalent of covering the obvious tracks that administrators use to catch hackers.

The process

There is a four-step process to covering your tracks by tampering with logs that hackers know like the back of their hand:

1. Disable auditing
2. Clear logs
3. Modify logs
4. Erase command history

1. Disable auditing

Disabling auditing is a smart first step for an attacker, because if logging is turned off there will be no trail of evidence. On Windows, the command-line favorite is auditpol, which not only lets the attacker disable auditing but also shows the audit policy the organization's administrator has configured (auditpol /get /category:* lists every category). Knowing what is logged matters, because when possible attackers prefer to turn off or alter only the logging that captured their activity, which makes them harder to track. Be aware that changing the audit policy is itself recorded: the Security log receives a "System audit policy was changed" event (event ID 4719), and Windows writes it regardless of the audit policy change subcategory setting, so this step leaves a trace of its own.

2. Clear logs

Since logs preserve the evidence trail of hacking activity, clearing them is the logical next step for ethical hackers to know about.

How to clear logs in Windows

There are a few ways to clear logs on Windows. The most common methods for this track-clearing tactic are presented below.

clearlogs.exe

One option is the clearlogs.exe utility (a separate download, not part of Windows). Once access to the target Windows system is obtained, copy the file onto it and run it from a command prompt to clear the Security log:

clearlogs.exe -sec

To verify that it worked, open Event Viewer and check the Security log.
Please note: if the attacker leaves clearlogs.exe behind, it is hard evidence of log tampering. Clearing the Security log is also recorded: on Windows 10 and Windows Server 2016 (and every version back to Vista) the first entry in the freshly cleared Security log is event ID 1102, "The audit log was cleared", which names the account that cleared it. Overlooking this is a common beginner mistake.

Meterpreter

Originally written by Matt "Skape" Miller in 2004 for Metasploit, this advanced payload is a type of shell that, in newer versions, can clear all of the Windows logs. After compromising the system with Metasploit, open a Meterpreter prompt and enter:

meterpreter > clearev

Meterpreter reports how many records it wiped from each of the Application, System and Security logs. The same caveat applies: the emptied Security log will still contain event 1102.

Windows Event Viewer

Even if auditing has been disabled, it is still smart to clear the logs in Event Viewer, because actions such as disabling auditing show up as events. Open Event Viewer, expand Windows Logs in the folder tree on the left, right-click the log you want to clear and select Clear Log... (older versions call it Clear All Events). Done.

Linux systems

Linux has its own process for clearing logs. Use the shred tool, which overwrites a file before removing it. To shred and delete the authentication log on the target, run:

shred -vfzu /var/log/auth.log

The flags are -v (verbose), -f (force permissions), -z (finish with a pass of zeros to hide the shredding) and -u (remove the file afterwards). Two caveats: shred's overwriting is only effective on filesystems that write data in place, and its own manual warns that it is unreliable on journaled, copy-on-write and log-structured filesystems; and a missing auth.log is itself conspicuous. On systemd hosts the same events also live in the binary journal (journalctl) and may be forwarded to a remote syslog server, neither of which shredding a local file touches.

3. Modify logs

Knowing is half the battle, and knowing where the logs are on the target system is crucial for any hacker. As an ethical hacker working on behalf of your own organization, you already know their location; an inexperienced attacker may not, wasting time and increasing the chance of detection. In some cases a text editor is all that is needed to modify a plain-text log; it is as easy as editing a Word file, provided you have write permission and the log is not shipped elsewhere.
On Windows 8 and Windows 7 (these instructions assume the Control Panel is in Large or Small Icon view):

1. Log in as an administrator.
2. On Windows 8, press Win-Q and select Control Panel; alternatively, from the Desktop, move the mouse to the bottom-right corner of the screen, select Settings and then Control Panel. On Windows 7 and Vista, open Control Panel from the Start menu.
3. Open Administrative Tools, then Computer Management.
4. In the left frame, double-click Event Viewer, then Windows Logs.
5. Right-click Security and choose Clear Log.... You will be offered the option to save the log's contents first. After you respond to this prompt, the log is cleared.

4. Erase command history

The thing about bash is that it retains a history of the commands you entered, so unless you clear it, the administrator will be able to see that the shred command above was typed. The retained history is written to ~/.bash_history when the shell exits. history -c clears the current session's in-memory history, and unset HISTFILE (or set +o history) stops the session from writing it to disk at all.

How to clear the contents of a log file from the command line

Say you want to empty the log file /var/log/messages. Run:

# > /var/log/messages

The following form works in various Linux and Unix shells:

: > /var/log/messages

Verify the file size:

# ls -l /var/log/messages

If you really want to delete the file rather than empty it, use rm:

# rm /var/log/messages

Empty a log file on Linux or Unix using truncate

The truncate command shrinks or extends each FILE to the specified size.
So a proper way to empty the log file named www.tech2secure.biz_access.log is to run:

# cd /var/log/nginx/
# ls -lh www.tech2secure.biz_access.log
# truncate -s 0 www.tech2secure.biz_access.log
# ls -lh www.tech2secure.biz_access.log

Other commands to empty a large file on Linux

With cat:

# cat /dev/null > www.tech2secure.biz_access.log

With cp:

# cp /dev/null /var/log/nginx/php_error.log

How do I empty a log file using dd on Linux or Unix?

# dd if=/dev/null of=/path/to/log/file
# dd if=/dev/null of=/var/log/lighttpd/error_log

How to empty a file on Linux using echo/printf

One more method is echo with -n:

# echo -n "" > /path/to/java/appserver.log

One caveat applies to all of these: emptying a file that a daemon still holds open does not always do what you expect. A process that opened the log with O_APPEND keeps writing at the new end, but one that did not continues writing at its old offset, which leaves a run of null bytes at the start of the file, another telltale sign for anyone who looks.
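Every method above leaves something for a defender to find: a gap in a text log, a file that got smaller, or the events Windows writes when a log is cleared or the audit policy changes. As an added example that is not part of the original article, the Python script below runs those checks over constructed sample data (the auth.log lines, file sizes and Windows event records are made up for the example, not taken from a real host):

```python
"""Spotting the traces that the clearing methods above leave behind.

Added example, not from the original article. All log lines and event
records here are constructed samples, not taken from a real host.
"""
import re
from datetime import datetime, timedelta

# Constructed /var/log/auth.log excerpt: a root login from an external
# address at 09:06, then nothing for four hours on an otherwise busy host.
# A log that was truncated or had lines removed often looks like this.
AUTH_LOG = """\
Mar  3 09:00:01 web1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Mar  3 09:05:12 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/usr/bin/apt update
Mar  3 09:06:40 web1 sshd[1301]: Accepted password for root from 203.0.113.9 port 41000 ssh2
Mar  3 13:15:03 web1 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 50210 ssh2
Mar  3 13:15:30 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/usr/bin/systemctl restart nginx
"""

# Constructed Windows event records, in the shape you would get from
# Get-WinEvent after converting each record to a dict.
WIN_EVENTS = [
    {"EventID": 4624, "Channel": "Security", "TimeCreated": "2024-03-03T09:06:40"},
    {"EventID": 4719, "Channel": "Security", "TimeCreated": "2024-03-03T09:07:02"},  # audit policy changed
    {"EventID": 1102, "Channel": "Security", "TimeCreated": "2024-03-03T09:07:10"},  # Security log cleared
    {"EventID": 104,  "Channel": "System",   "TimeCreated": "2024-03-03T09:07:15"},  # System/Application log cleared
    {"EventID": 4624, "Channel": "Security", "TimeCreated": "2024-03-03T13:15:03"},
]

# Event IDs that the clearing steps above generate on Windows Vista and later.
TAMPER_EVENT_IDS = {
    1102: "Security log cleared (first entry in the freshly cleared log)",
    4719: "System audit policy changed (auditpol / Group Policy)",
    104:  "System or Application log cleared",
}

SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_syslog(text: str, year: int):
    """Parse classic syslog lines into (timestamp, message) tuples.
    Traditional syslog lines carry no year, so the caller supplies it."""
    entries = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # skip anything that is not a syslog line
        stamp = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        entries.append((stamp, m["msg"]))
    return entries


def find_gaps(entries, max_gap=timedelta(hours=2)):
    """Return (start, end) pairs where consecutive entries are further apart
    than max_gap. Gaps are leads, not proof: a quiet host produces them too."""
    gaps = []
    for (t0, _), (t1, _) in zip(entries, entries[1:]):
        if t1 - t0 > max_gap:
            gaps.append((t0, t1))
    return gaps


def file_shrank(previous_size: int, current_size: int) -> bool:
    """Logs only grow between rotations; a smaller file means truncation."""
    return current_size < previous_size


def flag_windows_events(events):
    """Return [(EventID, description)] for every record that indicates log tampering."""
    return [(e["EventID"], TAMPER_EVENT_IDS[e["EventID"]])
            for e in events if e["EventID"] in TAMPER_EVENT_IDS]


if __name__ == "__main__":
    for start, end in find_gaps(parse_syslog(AUTH_LOG, 2024)):
        print(f"auth.log silent from {start} to {end}")
    if file_shrank(previous_size=48_213, current_size=0):
        print("auth.log is smaller than at the last check: truncated")
    for event_id, why in flag_windows_events(WIN_EVENTS):
        print(f"event {event_id}: {why}")
```

The gap and size checks are cheap to run from cron against a recorded baseline; the Windows check is the query a SIEM rule would make. None of them is conclusive on its own, which is why forwarding logs off the host (remote syslog, Windows Event Forwarding) remains the control that actually defeats the techniques in this article.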


Let's hack IoT with all the powerful tools for IoT hacking

Ethical Hacking: IoT Hacking Tools

Introduction

IoT (Internet of Things) and embedded devices present a new challenge to ethical hackers hoping to understand the security vulnerabilities these devices contain. Hacking IoT interfaces and the applications built around them calls for knowledge of languages such as Python, Swift and PHP. That knowledge, combined with a handful of IoT hacking tools, gives you the ability to test many kinds of IoT devices.

Useful IoT hacking tools

Hacking tools make ethical hacking convenient because they automate the steps involved. Certified hackers use them to perform specific tasks that help find weaknesses in a device. Knowledge of existing flaws can then be shared with the manufacturers so they can strengthen their defenses.

With that in mind, here is a look at some popular IoT hacking tools that make every ethical hacker's job easier.

Wireshark

Because IoT devices rely on networks to communicate with one another and with external routers, it is crucial to be able to capture packets and inspect network traffic in order to find vulnerabilities. That is where Wireshark comes in. Using the Export Objects feature, you can extract the files carried in the captured pcap data and see whether the traffic the IoT device generates could be sniffed by an attacker.

Wireshark also lets you follow the TCP handshake, which helps in spotting TCP reflection and DDoS amplification: a device being abused as a reflector shows up as a host transmitting large quantities of SYN/ACK packets for which no corresponding response ever arrives.

Fiddler

Fiddler is a free web debugging proxy that lets users trace, manipulate and replay HTTP requests.
Many use it for debugging, to see the HTTP requests their system sends to a site or service. What a lot of ethical hackers do not realize is that it can act as an HTTP proxy for other devices.

In Fiddler's options there is a Connections tab with an "Allow remote computers to connect" option. Once that is enabled, go to an IoT device that lets you configure a proxy and point it at your computer's IP address (and Fiddler's listening port, 8888 by default) as its HTTP proxy. All HTTP traffic from the device is then routed through Fiddler.

As a result, you can inspect the traffic between the device and its server and look for issues such as cleartext transmission (which was found on the Nest thermostat).

Binwalk

Binwalk is a firmware extraction tool developed by Craig Heffner. It helps ethical hackers understand and analyze an IoT device's firmware. Running binwalk on the firmware image of an embedded device identifies the file system and other data stored inside it by their signatures, and binwalk -e extracts what it finds.

Once extracted, the contents can be examined to see which versions of common binaries the device ships and whether a known exploit exists for them. Binwalk uses the libmagic library, so it is also compatible with magic signatures written for the Unix file utility.

Firmwalker

Firmwalker is a bash script that scans the files extracted from IoT firmware for things worth a closer look. Point it at the root of the extracted file system (./firmwalker.sh /path/to/extracted/fs). The report it writes, firmwalker.txt, highlights a list of potential issues, including:

etc/ssl directory
etc/passwd and etc/shadow
Configuration, script and other .bin files
Keywords like remote, admin, password, etc.
Common binaries like dropbear, tftp and ssh
Common web servers present on IoT devices
IP addresses, email addresses and URLs
Experimental ability to use the Shodan CLI to query the Shodan API

Each item in the report is a lead, not a confirmed vulnerability: a device that shows one of these findings needs further investigation before you can say it is attackable.

SAINT

It is crucial to make sure that the cloud-facing interface of an IoT device is not vulnerable to XSS, CSRF and SQLi. This is where SAINT, a static taint analysis tool, shines.

Essentially, SAINT tracks the flow of data from sensitive sources (such as device state, location and user inputs) to sinks (such as internet connections and messaging) to find sensitive data flows in IoT applications. It does this by extracting an intermediate representation (IR) from the source code of the IoT app. Run the SAINT analyzer and wait for the IR to be built; from it SAINT derives the event handlers, call graphs and entry points it analyzes.

SAINT does not say whether a data flow or potential leak is harmful or malicious. An ethical hacker can, however, analyze SAINT's output further to determine whether an IoT app behaves as it claims and alert users so they can make an informed decision about app-related privacy risks, for example when the user's location is transmitted.

OWASP ZAP (Zed Attack Proxy)

The web interfaces on some IoT devices do not lock users out after multiple failed login attempts, and offer inadequate protection against SQL injection and XSS. Fortunately, tools like Zed Attack Proxy let ethical hackers proxy, spider and fuzz the web interface to find such vulnerabilities.

When you launch ZAP, the right-hand pane provides a URL field for specifying the target to scan. The tool can also launch your preferred browser for manual testing.
Detected issues appear in the bottom pane, where the Alerts tab gives more information about each vulnerability found.

ZAP can be used to check whether OS commands can be injected to read files on the server hosting the web app, and whether proper input sanitization is applied to a field, by submitting payloads such as /etc/passwd& and others.

Metasploit

This is a framework of tools that can be used to perform attacks on IoT apps. Metasploit comes with a large number of modules (software components that perform a particular attack against a particular target) that can test an app for the common vulnerabilities black-hat hackers exploit. Once it is launched, you run a module containing the exploit you want to try against the app to see whether it breaks.

For example, many REST APIs depend on SSL/TLS. With Metasploit's modules you can test how a system responds to SSL vulnerabilities such as the well-known Heartbleed flaw (the auxiliary/scanner/ssl/openssl_heartbleed module). Overall, the framework has many exploits you can test apps against.

Conclusion

After learning what these IoT hacking tools have to offer, you will see that you can ethically hack and test many aspects of an IoT device. With these handy programs you can check for insecure firmware, analyze web interfaces and more.
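Binwalk and Firmwalker, described above, are the two halves of the same job: find and carve what is inside the image, then comb the carved file system for credentials, keys and addresses. The Python script below is an added example, not part of the original article and not the code of either tool; it builds a small firmware image in memory (the uImage header, ELF stub, gzip member, SquashFS marker and every file in the fake root file system are constructed for the example), scans it for magic bytes the way binwalk does, carves the gzip member, and then applies Firmwalker-style checks to the result:

```python
"""Added example, not from the original article, binwalk or firmwalker.
Part 1 mimics a binwalk signature scan and carve; part 2 mimics a
firmwalker pass over the carved file system. The image is constructed here."""
import gzip
import re
import zlib

# Magic signatures (a tiny subset of what binwalk knows) and their meaning.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header",
    b"\x7fELF": "ELF executable",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"hsqs": "SquashFS filesystem (little-endian)",
}

# Constructed root file system, as it would look after extraction.
# The shadow hash, key and addresses are fake.
ROOTFS_FILES = {
    "etc/passwd": "root:x:0:0:root:/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\n",
    "etc/shadow": "root:$1$abcdefgh$ZZZZZZZZZZZZZZZZZZZZZ/:18000:0:99999:7:::\n",
    "etc/config/cloud.conf": "server=https://update.example-iot.test/api\nadmin_password=letmein123\n",
    "usr/bin/dropbear": "not a real binary\n",
    "etc/ssl/device.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEfake\n-----END RSA PRIVATE KEY-----\n",
    "www/cgi-bin/status.sh": "#!/bin/sh\nwget -q http://203.0.113.40/ping\n",
}


def build_rootfs_blob() -> bytes:
    """Serialize the fake root file system as path\\0content\\0 pairs."""
    return b"".join(p.encode() + b"\0" + c.encode() + b"\0" for p, c in ROOTFS_FILES.items())


def build_firmware_image() -> bytes:
    """uImage header, padding, an ELF stub, a gzip member holding the rootfs, a SquashFS marker."""
    kernel_stub = b"\x7fELF\x01\x01\x01" + b"\0" * 64
    return (b"\x27\x05\x19\x56" + b"\xaa" * 60 + kernel_stub + b"\xff" * 32
            + gzip.compress(build_rootfs_blob()) + b"hsqs" + b"\0" * 16)


def scan_signatures(image: bytes):
    """Return [(offset, description)] for every signature hit, lowest offset first."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (pos := image.find(magic, start)) != -1:
            hits.append((pos, desc))
            start = pos + 1
    return sorted(hits)


def carve_gzip(image: bytes, offset: int) -> bytes:
    """Decompress the one gzip member starting at offset; trailing bytes are ignored."""
    return zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(image[offset:])  # 16+ = gzip header


def parse_rootfs_blob(blob: bytes) -> dict:
    """Inverse of build_rootfs_blob()."""
    parts = blob.split(b"\0")
    return {parts[i].decode(): parts[i + 1].decode() for i in range(0, len(parts) - 1, 2)}


# firmwalker-style checks: on the path, then on the content.
PATH_CHECKS = [
    ("etc/shadow present", re.compile(r"(^|/)etc/shadow$")),
    ("etc/passwd present", re.compile(r"(^|/)etc/passwd$")),
    ("ssl material", re.compile(r"(^|/)etc/ssl/")),
    ("dropbear/ssh/tftp binary", re.compile(r"/(dropbear|sshd?|tftpd?)$")),
]
CONTENT_CHECKS = [
    ("hard-coded credential", re.compile(r"(?i)\b\w*(admin|root|pass(word)?)\w*\s*=\s*\S+")),
    ("private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("password hash in shadow", re.compile(r"^\w+:\$[0-9a-z]+\$", re.M)),
    ("URL", re.compile(r"https?://[^\s\"']+")),
    ("IPv4 address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def firmwalk(files: dict):
    """Return sorted (path, finding) leads for a human to verify, as firmwalker.txt would list them."""
    findings = set()
    for path, content in files.items():
        findings.update((path, label) for label, rx in PATH_CHECKS if rx.search(path))
        for label, rx in CONTENT_CHECKS:
            findings.update((path, f"{label}: {m.group(0)}") for m in rx.finditer(content))
    return sorted(findings)


def analyze(image: bytes):
    """binwalk-then-firmwalker in one go: returns (signature hits, findings)."""
    hits = scan_signatures(image)
    gz_offset = next(off for off, desc in hits if desc.startswith("gzip"))
    return hits, firmwalk(parse_rootfs_blob(carve_gzip(image, gz_offset)))


if __name__ == "__main__":
    hits, findings = analyze(build_firmware_image())
    for off, desc in hits:
        print(f"0x{off:08x}  {desc}")
    for path, finding in findings:
        print(f"{path}: {finding}")
```

Real images differ in scale, not in kind: binwalk carries hundreds of signatures and hands each carved region to the right extractor (unsquashfs, tar, and so on), and Firmwalker's grep list is much longer. The important property survives here: every signature hit and every finding is a lead that still has to be confirmed by hand.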


Top 5 techniques for defeating two-factor authentication

Two-factor authentication (2FA) has long been valued for the security it brings to organizations. Combining something you know, something you have and something you are is the heart and soul of multi-factor authentication, and explains its relative strength.

Despite this, attackers have several known ways of getting past 2FA, and as an ethical hacker it is your job to understand them. This article details the top five techniques for attacking 2FA and gives you an all-round picture of the kinds of 2FA attacks you can expect to encounter.

What is two-factor authentication?

Two-factor authentication (also called two-step verification) confirms a user's claimed identity by combining something they know (a password) with a second factor of a different kind: something they have or something they are. A typical second step is the user repeating back a code sent through an out-of-band channel (such as SMS), or a number produced by an app that shares a secret with the authentication system.

There are two directions of authentication:

One-way: the most common. Only one side authenticates the other (server-only or client-only), with server-only authentication being the most used.
Two-way (mutual authentication): both client and server authenticate each other. It is less common than one-way authentication but more secure.

Advantages

No additional tokens are needed when the second factor runs on a mobile device that is (usually) carried all the time. Because they change constantly, dynamically generated passcodes are safer than fixed (static) login information. Depending on the solution, used passcodes are automatically replaced so that a valid code is always available, and transmission or reception problems therefore do not prevent logins.
Advances in mobile two-factor authentication

Research into two-factor authentication for mobile devices considers ways in which a second factor can be implemented without becoming a hindrance to the user. As mobile hardware such as GPS, microphones and gyroscopes/accelerometers becomes more accurate, using it as a second factor becomes more trustworthy. For example, recording the ambient noise at the user's location from a mobile device and comparing it with a recording of the ambient noise from the computer in the same room where the user is trying to authenticate gives an effective second factor, and it also reduces the time and effort needed to complete the process.

In India, the Reserve Bank of India mandated two-factor authentication for all online transactions made with a debit or credit card, using either a password or a one-time password sent over SMS. This was temporarily withdrawn in 2016 for transactions up to ₹2,000 in the wake of the November 2016 banknote demonetisation. Vendors such as Uber have been pulled up by the central bank for allowing transactions to take place without two-factor authentication.

Top 5 techniques for defeating two-factor authentication

Duplicate code generator

Depending on how your organization has implemented 2FA, a code generator app such as Google Authenticator may supply the "something you have" factor. These generators are deterministic: a seed (the shared secret, handed over at enrollment as a QR code or base32 string) is fed together with the current time into a published algorithm (TOTP, RFC 6238) to produce the current code, and the same inputs always produce the same code. If an attacker learns the seed, they can build a duplicate generator that is identical to the compromised user's, because the algorithm itself is public. This is why the enrollment QR code and any exported backup of authenticator secrets must be protected as carefully as a password.
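To make the "duplicate generator" concrete, here is an added example (not from the original article) implementing HOTP (RFC 4226) and TOTP (RFC 6238), the algorithms Google Authenticator and similar apps use, with only the Python standard library. The base32 seed in the usage section is a made-up value, not from any real account; the point is that anyone holding the seed can pre-compute every future code:

```python
"""Added example, not from the original article: HOTP/TOTP as used by
authenticator apps, showing why a leaked seed is a duplicate generator."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter = number of `step`-second periods since the Unix epoch."""
    return hotp(secret, int(at) // step, digits, digestmod)


def seed_from_base32(b32: str) -> bytes:
    """Authenticator apps hand the seed over as base32 inside the otpauth:// QR code.
    Accepts the usual lower-case, spaced and unpadded forms."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def clone_generator(seed: bytes, start: float, periods: int, step: int = 30):
    """What an attacker holding the seed can do: list (window start, code) for the next windows."""
    base = int(start) // step * step
    return [(base + i * step, totp(seed, base + i * step, step)) for i in range(periods)]


if __name__ == "__main__":
    # Constructed seed for the example; not tied to any real account.
    seed = seed_from_base32("JBSW Y3DP EHPK 3PXP")
    for window_start, code in clone_generator(seed, time.time(), 3):
        print(time.strftime("%H:%M:%S", time.localtime(window_start)), code)
```

Two design points follow from the code. First, nothing in the generator is secret except the seed, so the only defensive levers are protecting the seed at enrollment and in backups, and revoking and re-enrolling if a leak is suspected. Second, the server must accept at most a small window of adjacent counters for clock drift; a wide window multiplies the number of codes a guesser can hit.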
SS7

Using SS7 exploits, an attacker can intercept SMS messages and so bypass SMS-based 2FA: any service that authenticates with a text message is exposed, from webmail and messaging apps to card payments protected by Verified by Visa or MasterCard SecureCode. Banks in particular tend to send one-time passwords as SMS text messages. Unfortunately, SMS is one of the weakest ways to implement 2FA, because text messages can be intercepted. SS7 is the telephony signalling protocol suite designed in 1975 and still widely used in fixed and mobile networks around the world; every day billions of calls and SMS messages are handled by it. Despite an update in 2000 that added IP transport, it has not changed much since, and its security model, which assumes that every operator with access to the signalling network is trustworthy, is badly outdated. That is why it is so easy to abuse.

Brute force

What would authentication attacks be without the quintessential brute-force attack? Even though 2FA offers better security than a single factor, brute force can help attackers get around it. A brute-force attack is possible when the 2FA screen does not enforce an account lockout (or at least a rate limit) after a set number of bad attempts. In the scenario described here the attacker already controls the victim's email inbox: they trigger a password reset, follow the link in the reset email to set a new password, and then simply brute-force the user's 2FA code, which for a six-digit code means at most a million guesses.

Buggy two-factor authentication

Bugs are still a fact of life, and that extends to 2FA. Within the last year or so there have been several examples affecting widely used websites and services, including Uber. The dangerous thing about buggy 2FA is the sheer number of machines a single bug can impact.
For example, in 2017 the Return of Coppersmith's Attack (ROCA) vulnerability was found to affect products, including smart cards and TPM chips, whose RSA keys had been generated by Infineon Technologies' key generation library; keys of 2048 bits or shorter (which most are) could be factored in practical time. To this day there are hundreds of millions of affected devices.

Social engineering

Without a doubt, the top technique for attacking 2FA is social engineering. 2FA relies on a secret or device that only the user should have, and when a 2FA-protected website or service appears not to be working, users naturally reach out to tech support. Attackers have been observed socially engineering tech support to get a user's password reset, or to obtain sensitive information about the user's 2FA setup. Tech support is a natural point of weakness for 2FA: almost any support interaction risks disclosing sensitive user information, often after just a few questions, or none at all if the user volunteers it.
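The brute-force technique above hinges on one server-side decision: whether failed code attempts are counted. The following added example (not from the original article) simulates the two cases in-process, with a constructed six-digit code and no real service involved: an OtpVerifier with no lockout is exhausted by plain enumeration, a lockout stops the attack after a handful of guesses, and success_probability() shows what a rate limit alone buys when there is no lockout:

```python
"""Added example, not from the original article: what a lockout or rate limit
buys against guessing a 6-digit second factor. Everything is simulated here."""
import hmac


class OtpVerifier:
    """Server-side check of a one-time code.

    lockout_after=None models the buggy screen the text describes (unlimited
    attempts); an integer models an account lockout after that many failures.
    """

    def __init__(self, code: str, lockout_after=None):
        self._code = code            # constructed code for the simulation
        self.lockout_after = lockout_after
        self.failures = 0
        self.locked = False

    def verify(self, attempt: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(attempt, self._code):   # constant-time compare
            return True
        self.failures += 1
        if self.lockout_after is not None and self.failures >= self.lockout_after:
            self.locked = True
        return False


def brute_force(verifier: OtpVerifier, digits: int = 6):
    """Enumerate the code space in order. Returns attempts used, or None if locked out."""
    for n in range(10 ** digits):
        if verifier.verify(f"{n:0{digits}d}"):
            return n + 1
        if verifier.locked:
            return None
    return None


def success_probability(attempts_per_second: float, validity_seconds: float,
                        digits: int = 6, windows: int = 1) -> float:
    """Rate limit but no lockout: the attacker gets attempts_per_second * validity_seconds
    guesses at each code, each with a 1 in 10**digits chance. Returns the probability of
    at least one hit across `windows` successive codes."""
    per_window = min(1.0, attempts_per_second * validity_seconds / 10 ** digits)
    return 1 - (1 - per_window) ** windows


if __name__ == "__main__":
    print("no lockout, attempts needed:", brute_force(OtpVerifier("483920")))
    print("lockout after 5, attempts needed:", brute_force(OtpVerifier("483920", lockout_after=5)))
    # 10 requests/s against a code the server accepts for 90 s (±1 TOTP step), kept up for a day
    print(f"rate-limited only, one day of trying: {success_probability(10, 90, windows=960):.1%}")
```

The last line is the one to remember when reviewing a 2FA screen: a rate limit without a lockout still lets a patient attacker reach better-than-even odds within a day, so both a per-account failure counter and a limit on how many codes are valid at once are needed.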
