Website



Visit our website :- www.techtrick.in

Sunday, May 12, 2019

Website Information Gathering On Kali Linux - Whatweb

Information can be gathered manually too, but in this tutorial we will use a Kali Linux tool called "WhatWeb" for information gathering. With WhatWeb we can collect a good deal of information about the targeted server and web application. The tool dumps all the important information needed to launch our attack.
WhatWeb offers both passive scanning and aggressive testing. Passive scanning just extracts data from HTTP headers, simulating a normal visit. Aggressive options go deeper, using recursion and various types of queries to identify all technologies, much like a vulnerability scanner.
So a pentester can use this tool as both a recon tool and a vulnerability scanner. Other features include proxy support, scan tuning, scanning a range of IPs, spidering, etc.

WhatWeb can identify all sorts of information about a live website, like:

  • Platform
  • CMS platform
  • Type of Script
  • Google Analytics
  • Webserver Platform
  • IP address, Country
  • Plugins & their libraries used
  • Server Headers, Cookies and a lot more.
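
The signals passive scanning reads are the ones a site owner can audit in their own responses. The following is an added example (not part of the original post and not WhatWeb's code): it parses a response head and lists the headers and default cookie names that disclose the stack. The header list, the cookie table and the sample response are constructed for illustration.

```python
import re

# Response headers that commonly reveal the stack; a value carrying a
# version number is the most useful to a fingerprinting tool.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator", "via")
# Default session-cookie names that identify the platform behind them.
COOKIE_HINTS = {"phpsessid": "PHP", "jsessionid": "Java servlet container",
                "asp.net_sessionid": "ASP.NET", "laravel_session": "Laravel"}
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_headers(raw):
    """Split a raw HTTP response head into (status_line, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    pairs = []
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return lines[0], pairs


def audit(raw):
    """Return a list of (severity, header, detail) findings."""
    _, pairs = parse_headers(raw)
    findings = []
    for name, value in pairs:
        if name in DISCLOSING_HEADERS:
            severity = "high" if VERSION_RE.search(value) else "low"
            findings.append((severity, name, value))
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip().lower()
            if cookie_name in COOKIE_HINTS:
                findings.append(("low", name, COOKIE_HINTS[cookie_name]))
    return findings


# Constructed sample response head (not captured from a real site).
SAMPLE = """HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.10
Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
"""

if __name__ == "__main__":
    for severity, header, detail in audit(SAMPLE):
        print(f"[{severity}] {header}: {detail}")
```

Each "high" finding is a version string worth removing or masking in the server configuration; "low" findings name the product without a version.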

Let's Start With Website Information Gathering - Whatweb

Step 1. Open the terminal in Kali Linux and type whatweb




Read More :- http://www.techtrick.in/description/3547-website-information-gathering-on-kali-linux-whatweb

How To Scan a Website For Vulnerabilities (XSS & Sqlinjection)

D-TECT is an all-in-one tool for penetration testing. It is programmed specifically for penetration testers and security researchers to make their job easier, instead of launching different tools to perform different tasks. D-TECT provides multiple information-gathering and detection features that collect target information and find different flaws in it.

Compatibility:

  • Any platform using Python 2.7

Requirements:

  • Python 2.7
  • Modules (included): Colorama, BeautifulSoup

Features :-

  • Sub-domain Scanning
  • Port Scanning
  • WordPress Scanning
  • WordPress Username Enumeration
  • WordPress Backup Grabbing
  • Sensitive File Detection
  • Same-Site Scripting Scanning
  • Click Jacking Detection
  • Powerful XSS vulnerability scanning
  • SQL Injection vulnerability scanning


Let's Start With Scan a Website For Vulnerabilities

Step 1 :- Download and clone from github
git clone https://github.com/shawarkhanethicalhacker/D-TECT.git


Step 2 :- Now Run It.
python ./d-tect.py


AngryFuzzer - Tool for Information Gathering on Kali Linux

AngryFuzz3r is a collection of pentesting tools for gathering information and discovering vulnerabilities in targets, based on the FuzzDB project.

FEATURES :-

  • Fuzz url set from an input file
  • Concurrent relative path search
  • Configurable number of fuzzing workers
  • Fuzz CMS ==> WordPress, Drupal, Joomla
  • Generate reports of the valid paths

Let's Start With AngryFuzzer - Tool for Information Gathering

Step 1. Download and clone from github
git clone https://github.com/ihebski/angryFuzzer.git


Step 2. Install the required dependencies with:
sudo pip install -r requirements.txt



Read More :-  http://www.techtrick.in/description/3542-angryfuzzer-tool-for-information-gathering-on-kali-linux

Sunday, May 5, 2019

Spear Phishing Attack Using Stack Buffer Overflow Payload

Spear-phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim, often for malicious reasons. This is achieved by acquiring personal details on the victim such as their friends, hometown, employer, locations they frequent, and what they have recently bought online.
The attackers then disguise themselves as a trustworthy friend or entity to acquire sensitive information, typically through email or other online messaging. This is the most successful form of acquiring confidential information on the internet, accounting for 91% of attacks.

How to Defend Against Spear Phishing Attacks

No matter where you are in the organizational structure, attackers might choose you as their next spear phishing target to snoop inside the organization.

Here are some best practices to defend against spear phishing attacks:
  • Be wary of spam and unexpected emails, especially those that call for urgency. Always verify with the person concerned through a different means of communication, like a phone call or face-to-face conversation.
  • Block threats that arrive via email using hosted email security and antispam protection.
  • Regularly scan the web for exposed email addresses and/or credentials; you would not be the first to find one of your users' usernames and passwords on a crime or porn website.
  • Enlighten your users about the risks of oversharing their personal data on social media sites. The more the bad guys know, the more convincing they can be when crafting spear phishing emails.
  • Learn to recognize the basic tactics used in spear phishing emails, like tax-related fraud, CEO fraud, business email compromise scams, and other social engineering tactics.
  • Refrain from clicking on links or downloading attachments in emails, especially from unknown sources.
  • Never send sensitive personal data via email. Be wary if you get an email asking you for this information and, when in doubt, go directly to the source.

How to Protect Yourself

Traditional security often does not stop these attacks because they are so cleverly customized. As a result, they are becoming harder to detect. One employee mistake can have serious consequences for businesses, governments and even nonprofit organizations. With stolen information, fraudsters can reveal commercially sensitive data, manipulate stock prices or commit various acts of espionage. Additionally, spear phishing attacks can deploy malware to hijack computers, organizing them into huge networks called botnets that can be used for denial of service attacks.
To fight spear phishing scams, employees need to be aware of the threats, such as the possibility of bogus emails landing in their inbox. Besides education, technology that focuses on email security is necessary.

How Does Spear Phishing Work ?

The act of spear phishing may sound simple, but spear-phishing emails have improved over the past few years and are now extremely tough to detect without prior knowledge of spear-phishing protection. Spear-phishing attackers target victims who put personal information on the web. They may view individual profiles while scanning a social networking site.
From a profile, they can find a person's email address, friends list, geographic location, and any posts about new gadgets that were recently purchased. With all of this information, the attacker is able to act as a friend or a familiar entity and send a convincing but fraudulent message to the target.
To increase success rates, these messages often contain urgent explanations of why they need sensitive information. Victims are asked to open a malicious attachment or click on a link that takes them to a spoofed website where they are asked to provide passwords, account numbers, PINs, and access codes. An attacker posing as a friend might ask for usernames and passwords for various websites, like Facebook, so that they would be able to access posted photos.
In reality, the attackers will use that password, or variations of it, to access different websites that hold confidential information such as credit card details or Social Security numbers. Once criminals have gathered enough sensitive information, they can access bank accounts or even create a new identity using their victim's information. Spear phishing can also trick people into downloading malware or malicious code when they click on links or open attachments provided in messages.

Spear phishing example

The following example illustrates a spear phishing attack’s progression and potential consequences:
A spoofed email is sent to an enterprise’s sysadmin from someone claiming to represent www.example.com, a database management SaaS provider. The email uses the example.com customer mailing template.
The email claims that example.com is offering a free new service for a limited time and invites the user to sign up for the service using the enclosed link.



After clicking on the link, the sysadmin is redirected to a login page on example.com, a fake website identical to the example.com registration page.
At the same time, a command and control agent is installed on the sysadmin’s machine, which can then be used as a backdoor into the enterprise’s network to execute the first stage of an APT.
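
Detection logic for the kind of message described above, as an added example that is not part of the original post: it flags a Reply-To mismatch, SPF/DKIM/DMARC results that did not pass, and links whose host is a near-miss of a trusted domain. The sample message, the lookalike domain examp1e.com and the trusted-domain list are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

HREF_RE = re.compile(r'href=["\'](https?://[^"\']+)["\']', re.I)

def domain_of(address):
    """Domain part of an address header value ('' if absent)."""
    return parseaddr(str(address))[1].rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw, trusted):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"] or "")
    reply_dom = domain_of(msg["Reply-To"] or "")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender {from_dom}")
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none)\b", auth):
            findings.append(f"{mech} did not pass")
    body = msg.get_body(preferencelist=("html", "plain"))
    for url in HREF_RE.findall(body.get_content() if body else ""):
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in trusted):
            continue  # link stays on a domain we trust
        bare = host[4:] if host.startswith("www.") else host
        near = [d for d in trusted if edit_distance(bare, d) <= 2]
        findings.append(f"link host {host} " +
                        (f"is a lookalike of {near[0]}" if near else "is not trusted"))
    return findings

# Constructed sample message (not a real email); examp1e.com is a made-up lookalike.
SAMPLE = """\
From: "Example.com Support" <support@example.com>
Reply-To: support@examp1e.com
Subject: Free new service for a limited time
Authentication-Results: mx.corp.test; spf=fail; dkim=none; dmarc=fail
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Sign up here: <a href="http://www.examp1e.com/signup">example.com</a></p>
"""

if __name__ == "__main__":
    print("\n".join(check_message(SAMPLE, ["example.com"])))
```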

Spear phishing mitigation

The targeted nature of spear phishing attacks makes them tough to detect. However, several risk prevention measures can help, including two-factor authentication (2FA), password management policies and educational campaigns.

Two factor authentication

2FA helps secure login to sensitive applications by requiring users to have two things: something they know, like a password and user name, and something they have, like a smartphone or cryptographic token. When 2FA is used, even if a password is compromised using a technique like spear phishing, it is of no use to an attacker without the physical device held by the real user.

Password management policies

A prudent password management policy should take steps to prevent employees from using corporate access passwords on fake external websites. One example of such a policy is to instruct employees to always enter a false password when accessing a link provided by email. A legitimate website won't accept a false password, but a phishing site will.

Educational campaigns

At the organizational level, enterprises can raise awareness and actively train employees, highlighting spear phishing attacks as an important threat. Training materials can feature real-life examples of spear phishing, with questions designed to test employee knowledge. Employees who are aware of spear phishing are less likely to fall victim to an attack.

Spear Phishing Attack Using Stack Buffer Overflow Payload

Step 1 : Open Terminal and Type setoolkit



Step 2 : Once SET is loaded it will show a few options, as shown in the image below. Select "Social-Engineering Attacks" by entering "1" and hit Enter.


Step 3 : Now it will show you another set of options; select "Spear-Phishing Attack Vectors" by entering "1" and hit Enter.



Step 4 : Type 2 for File Format Payload





Thursday, May 2, 2019

Using the Social Engineering Toolkit (SET) to Create a Backdoor Executable

Metasploit has the ability to create an executable payload. This can be extremely useful if you can get a target machine to run the executable. Attackers often use social engineering, phishing, and other attacks to get a victim to run a payload. If attackers can get a victim to run a payload, there is no reason for them to find and exploit vulnerable software.

Social Engineer Toolkit (SET)

The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around social engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over 2 million downloads, SET is the standard for social-engineering penetration tests and is supported heavily within the security community.
It is an application used by pen testers, hackers etc. It can be found in Kali Linux, parrot-sec, backbox and other pentesting OSes; otherwise you can install it by downloading it from GitHub, or simply type apt search set toolkit in a terminal, or search for it in Synaptic. To open Synaptic, type synaptic in a terminal; if it is not installed, type apt-get install synaptic first. Then open Synaptic, look for set toolkit, right-click on set and mark it for installation, then click Apply and it will install SET for you automatically.

What are Social Engineering Attacks ?

Social engineering attacks are the various cons used by hackers to trick people into providing sensitive data to the attackers. There are various types of social engineering attacks; some of the popular attacks are :-

What you will need:

  • Kali Linux
  • A little background on Networking and its terms (Private vs Public IPs esp.) would be good.
  • You should be online.

In the last decade, there were major hacks and leaks on social media platforms like Twitter, Facebook, LinkedIn and several others. Social media platforms now take security very seriously and it has become very tough to hack directly into them, so hackers have moved their focus towards social engineering attacks.

Let's start with the SetoolKit to create a backdoor executable

Step 1 : Open Terminal and Type setoolkit



Step 2 : Once SET is loaded it will show a few options, as shown in the image below. Select "Social-Engineering Attacks" by entering "1" and hit Enter.



Step 3 : Now it will show you another set of options; select "Create a Payload and Listener" by entering "4" and hit Enter.




Step 4 : Type 1 for Windows shell Reverse_Tcp Payload



Step 5 : The payload.exe has been exported to the SET directory under the root folder.





Read More :- http://www.techtrick.in/description/3539-using-the-social-engineering-toolkit-set-to-create-a-backdoor-executable

How to Hack Facebook using SEToolKit (Phishing attack)

Hack Facebook with social engineering; you can apply this method to hack Instagram accounts as well. This tutorial, however, is focused exclusively on how to hack Facebook accounts on Kali Linux with the Social Engineering Toolkit. With just a little imagination you can apply the same steps you will learn in this tutorial and duplicate the process to hack another account on another website as well. It is pretty much the same, with just a few small variations.

Social Engineer Toolkit (SET)

The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around social engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over 2 million downloads, SET is the standard for social-engineering penetration tests and is supported heavily within the security community.
It is an application used by pen testers, hackers etc. It can be found in Kali Linux, parrot-sec, backbox and other pentesting OSes; otherwise you can install it by downloading it from GitHub, or simply type apt search set toolkit in a terminal, or search for it in Synaptic. To open Synaptic, type synaptic in a terminal; if it is not installed, type apt-get install synaptic first. Then open Synaptic, look for set toolkit, right-click on set and mark it for installation, then click Apply and it will install SET for you automatically.

What are Social Engineering Attacks ?

Social engineering attacks are the various cons used by hackers to trick people into providing sensitive data to the attackers. There are various types of social engineering attacks; some of the popular attacks are :-

What you will need:

  • Kali Linux
  • A little background on Networking and its terms (Private vs Public IPs esp.) would be good.
  • You should be online.

In the last decade, there were major hacks and leaks on social media platforms like Twitter, Facebook, LinkedIn and several others. Social media platforms now take security very seriously and it has become very tough to hack directly into them, so hackers have moved their focus towards social engineering attacks.

Let's start with Hack Facebook using SEToolKit (Phishing attack)

Step 1 : Once you have installed SEToolkit, open up bash and type setoolkit.



Step 2 : Once SET is loaded it will show a few options, as shown in the image below. Select "Social-Engineering Attacks" by entering "1" and hit Enter.


Step 3 : We will be greeted with a screen similar to this that has many different attacks.
I will be guiding you through one of the most effective options: Website Attack Vectors. Pretty much everyone who has used a computer has used the Internet, and pretty much everyone on the Internet will click on a link. Social Engineering is a society like Facebook or Twitter, but can also be as simple as, well, a link. SEToolkit helps you abuse that trust people have on the Internet, so not only do you have over 5 billion targets, but you can also recognize attacks like these.
Type 2 and press [Enter] to continue.




Step 4 : We now have a list of 7 different attack vectors, all very effective. The 3 most effective vectors are the Credential Harvester, Metasploit Browser, and Java Applet Attack. Let's say that you want to get your friend's Facebook login. By choosing the Credential Harvester Attack Method, SEToolkit will copy any website you want and add credential-stealing code to the HTML.
Type 3 and press [Enter] to continue.



Step 5 : Type 2 for Site Cloner.




Read More :- http://www.techtrick.in/description/3538-how-to-hack-facebook-using-setoolkit-phishing-attack

Hack Tools | Finding Admin Panels, Sniffing, Backdoors - Katana Framework

Katana is a framework written in Python for penetration testing, based on a simple and comprehensive structure that anyone can use, modify and share. The goal is to unify tools that serve professionals when carrying out a penetration test, or simply to act as a routine tool. The current version is not completely stable and not complete.

Let's start with Hack Tools | Finding Admin Panels, Sniffing, Backdoors

Step 1 : Just download or clone from GitHub.
git clone https://github.com/PowerScript/KatanaFramework.git
cd KatanaFramework
sudo sh dependencies


Step 2 : Let's install it.
sudo python install


Step 3 : Let's start Katana Framework by typing a simple command.
ktf.console


Step 4 : Let's list the modules with the command
show modules



Best Way To Archive Outlook And Gmail Emails

Gmail And Outlook is one of  the most important tools in their daily lives. The problem is that most get so many emails that it is hard to...