Monday, June 05, 2023

How To Start | How To Become An Ethical Hacker

Are you tired of reading endless news stories about ethical hacking and not really knowing what that means? Let's change that!
This Post is for the people that:

  • Have No Experience With Cybersecurity (Ethical Hacking)
  • Have Limited Experience.
  • Those That Just Can't Get A Break


OK, let's dive into the post and suggest some ways that you can get ahead in Cybersecurity.
I receive many messages on how to become a hacker. "I'm a beginner in hacking, how should I start?" or "I want to be able to hack my friend's Facebook account" are some of the more frequent queries. Hacking is a skill. And you must remember that if you want to learn hacking solely for the fun of hacking into your friend's Facebook account or email, things will not work out for you. You should decide to learn hacking because of your fascination for technology and your desire to be an expert in computer systems. It's time to change the color of your hat 😀

 I've had my good share of Hats. Black, white or sometimes a blackish shade of grey. The darker it gets, the more fun you have.

If you have no experience, don't worry. We ALL had to start somewhere, and we ALL needed help to get where we are today. No one is an island and no one is born with all the necessary skills. Period. OK, so you have zero experience and limited skills… my advice in this instance is that you teach yourself some absolute fundamentals.
Let's get this party started.
  •  What is hacking?
Hacking is identifying weaknesses and vulnerabilities in a system and using them to gain access.
A hacker gets unauthorized access by targeting a system, while an ethical hacker has official permission to assess the security posture of the target system(s) in a lawful and legitimate manner.

There are several types of hackers, so here is a bit of "terminology".
White hat — ethical hacker.
Black hat — classical hacker, gets unauthorized access.
Grey hat — person who gets unauthorized access but reveals the weaknesses to the company.
Script kiddie — person with no technical skills who just uses pre-made tools.
Hacktivist — person who hacks for some idea and leaves some messages. For example, a strike against copyright.
  •  Skills required to become an ethical hacker.
  1. Curiosity and exploration
  2. Operating System
  3. Fundamentals of Networking
*Note these sites






How To Install And Run Backtrack On Android

This guide walks you step by step through how to install and run BackTrack on Android. BackTrack is also available for the ARM architecture, which makes it possible to run it on ARM machines such as mobiles or tablets.
Recently, we discussed how to install and run BackTrack on Windows. Android is the best OS for penetration testing. It is designed for digital forensics and penetration testing, or as a hacking tool. It comes with many more updated tools.
How To Install and Run Backtrack On Android
Requirements
Steps to Install and Run Backtrack On Android:
First of all, extract BT5-GNOME-ARM.7z, copy the "BT5" folder, and put it in your phone's root directory. On my phone this is /sdcard. The root directory is different for different mobile devices.
  • Now install all the above apps: BusyBox, Android Terminal, and Android VNC.
  • After installing BusyBox application open it and wait until it finishes loading and then click on Smart install.
  • Now open the android terminal and type the following command:
    su
    cd /sdcard/BT5
    sh bootbt
    NOTE: When you type su in the terminal, it will show a superuser request and you have to tap on Grant.
  • After this, type the following commands in terminal.
    export USER=root
    vncpasswd
  • After entering vncpasswd the terminal will ask you to enter the password. Enter the desired password and hit enter.
  • Now type the following commands.
    tightvncserver -geometry 1280x720
  • The terminal emulator will create the localhost display that the VNC client connects to. Now note the localhost port marked red below. Now minimize the terminal emulator.
  • Open the Android VNC and type the following settings.
Nickname : BT5
Password : your password here which you entered in terminal (step no.6)
Address : localhost
Port : 5906
NOTE: Make sure that the port you enter matches the localhost display shown in the terminal. Here my New 'X' desktop is localhost:6. Yours may be different. So, in VNC type Port 590X, where "X" is the localhost display number shown in the Android terminal.
That's it. Now just tap on Connect to run BackTrack on your Android device. In this way you can successfully install and run BackTrack 5 on Android. If you face any problem, feel free to discuss it in the comments below!


Proxying Newer Versions Of Android With Genymotion

 I did a quick video last night for someone on proxying the newer version of Android SDK with Genymotion as the changes back in version 7 make it a bit more difficult to proxy https traffic and I get a lot of questions on a regular basis even years later... 

Hopefully this video helps anyone else out that may be running into the same troubles. This is proxying the latest version of Android as of this writing, which is version 10, but should work just fine on newer versions unless there is a major change in the future again that specifically restricts this method.


Mobile Hacking - Proxying Newer Versions of Android with Burp and Genymotion:




You can follow along with the video but additionally for reference below are the commands used: 



Step 1: Create a Burp Cert for Android

  1. Export the certificate from Burp in .DER format via the Proxy tab import/export

  2. Change the format from der to pem: 

       openssl x509 -inform DER -in cacert.der -out cacert.pem


  3. Pull the hash of the certificate subject name and rename the cert to the <hash>.0 format: 

       openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1

       mv cacert.pem <hash>.0


Step 2: Create a new Emulator: 

  1. Create a version 10 Galaxy x10 with bridge mode networking (or whatever newest version required)

  2. Click 3 dots under my installed devices in genymotion --> Edit --> Change to bridged mode


Step 3: Setup certificate on device

  1. Check devices and push the certificate to the SD card: 

     adb devices

     adb push <hash>.0 /sdcard/


  2. Connect to the device and install the cert with proper permissions: 

     adb remount

     adb shell

     mv /sdcard/<hash>.0 /system/etc/security/cacerts/

     chmod 644 /system/etc/security/cacerts/<hash>.0


  3. Reboot the device: 

     reboot


Step 4: Verify and setup the proxy: 

  1. Settings --> search for Trusted --> Scroll down till you see portswigger

  2. Setup your Burp proxy to the correct IP/Port combo of your external interface IP

  3. In Genymotion click Settings --> wifi  --> Gear -> Pencil Icon -> Add in Proxy info under advanced

  4. Go forth and proxy things


Sunday, June 04, 2023

Shadow Attacks: Hiding And Replacing Content In Signed PDFs

Last year we presented How to Spoof PDF Signatures. We showed three different attack classes. In cooperation with the CERT-Bund (BSI), we contacted the vendors of affected PDF applications to inform them about the vulnerabilities and to support them in developing countermeasures. Most vendors reacted promptly and closed the reported vulnerabilities.
One of those three attack classes was Incremental Saving Attacks (ISA). The proposed countermeasures aimed to classify PDF objects appended to the file via updates as dangerous or non-dangerous. In other words, black and whitelisting approaches were used.

Naturally, this countermeasure succeeds as long as the PDF update contains evil objects. So we came up with the idea to attack PDFs with only non-dangerous updates. We achieve this by adding invisible, malicious content when creating the PDF document (before it is signed) and revealing it after signing.
Today, we present Shadow Attacks! Our evaluation of 28 PDF applications reveals that 15 of them, including Adobe Acrobat and Foxit Reader, are vulnerable.
We responsibly disclosed the vulnerabilities to all affected vendors. Together with the CERT-Bund (BSI), we supported the vendors in developing suitable countermeasures. The attacks are documented in CVE-2020-9592 and CVE-2020-9596.
Full results are available in our vulnerability report and on our website.

What are PDF signatures used for and what is the legal status?

PDFs can be secured against manipulations by using digital signatures. This feature enables use-cases such as signing contracts, agreements, payments, and invoices. Regulations like the eSign Act in the USA or the eIDAS regulation in Europe facilitate the acceptance of digitally signed documents by companies and governments. Asian and South American countries also accept digitally signed documents as an equivalent to manually signed paper documents. Adobe Cloud, a leading online service for signing PDF documents, provided 8 billion electronic and digital signature transactions in 2019. The same year, DocuSign processed 15 million documents each day.

What could a Simple Signing Process look like?
The process of digitally signing a contract involves multiple entities and can look as follows: The PDF contract is prepared by the collaborators. The collaborators can be lawyers, designers, typewriters, or members of different companies. Finally, the contract is digitally signed.

PDF Structure and Signature Basics


A PDF consists of three parts: Body, Xref table, and Trailer

The PDF is a platform-independent document format. It starts with a Header, to set the version, and is followed by three main parts, as depicted in the figure.

The first part defines the PDF Body. It contains different objects, which are identified by their object numbers. The most important object is the root object, which is called the Catalog. In the figure, the Catalog has the object identifier 1 0. The Catalog defines the whole PDF structure by linking to other objects in the Body. In the example given, the Catalog links to the form object AcroForm, to some PDF MetaData, and to the actual PDF Pages. The latter can reference multiple Page objects, which in turn reference, for example, the actual Content, Font, and Images.
The second part of the PDF is the Xref table. It contains references to the byte positions of all objects used in the PDF Body.
The third part is the Trailer. It consists of two further references: one to the byte position at which the Xref table starts, and another link to the identifier of the root object (1 0).

Incremental Updates and Digitally Signing a PDF



The content of a PDF may be updated for different reasons, for example, by adding review comments or by filling out PDF forms. From a technical perspective, it is possible to add this new content directly into the existing PDF Body and add new references in the Xref table. However, this is not how the PDF specification handles it: changes to a PDF are implemented using Incremental Updates. An Incremental Update adds new objects into a new PDF Body, which is directly appended after the previous Trailer, as shown in the figure to the right. To adequately address the new objects, a new Xref table and Trailer are also appended for each Incremental Update. In summary, a PDF can have multiple Bodies, Xref tables, and Trailers if Incremental Updates are applied.
For protecting the integrity and the authenticity of a PDF, digital signatures can be applied. For this purpose, a Signature object is created and appended to the PDF by using Incremental Update. It is also possible to sign a PDF multiple times (e.g., a contract), resulting in multiple Incremental Updates. The Signature object contains all relevant information for validating the signature, such as the algorithms used and the signing certificate. Once a PDF containing a PDF Signature is opened, the viewer application automatically validates the signature and provides a warning if the content has been modified.

Shadow Attacks

The main idea of the attacks is that the attackers prepare a PDF document containing invisible content. Afterward, the document is sent to a signing entity like a person or a service which reviews the document, signs it and sends it back to the attackers. Despite the integrity protection provided by the digital signature, the attackers can make modifications to the document and change the visibility of the hidden content. Nevertheless, the manipulation is not detected. The digital signature remains valid. Finally, the attackers send the modified signed document to the victim. Although the document is altered, the signature validation is successful, but the victims see different content than the signing entity.

Do the Attacks match a Real-World Scenario?

Of course! In companies and authorities, relevant documents like contracts or agreements are often prepared by the employees who take care of most of the details and technicalities. The document is then signed by an authorized person after a careful review. Another scenario is the signing process of a document within a consortium. Usually, one participant creates the final version of the document, which is then signed by all consortium members. Considering the given examples, an employee or consortium member acting maliciously can hide invisible shadow content during the editing. Consequentially, this content will be signed later.
Additionally, multiple cloud signing services like Adobe Cloud, DocuSign, or Digital Signature Service exist. Among other functionalities, such services receive a document and sign it. This process can also be used to sign shadow documents.

Different Attack Classes of Shadow Attacks

Shadow Attacks can be divided into the three attack classes Hide, Replace, and Hide-and-Replace, as shown in the figure below. Each class offers the possibility of taking a significant influence on the content of a signed PDF document. In the following, we describe the functionality of the individual classes in more detail.


Shadow Attack: Hide

The concept of this class of shadow attacks is to hide the content relevant for the victims behind a visible layer. For example, the attackers can hide the text "You are fired!" behind a full-page picture showing "Sign me to get the reward!". Once the attackers receive the signed document, they manipulate the document in such a way that the picture is no longer rendered by the viewer application. Hide attacks have two advantages from the attackers' perspective:
  1. Many viewers show warnings if new visible content is added using an Incremental Update. However, they do not warn in most cases if content is removed.
  2. The objects are still accessible within the PDF. In the example above, the text "You are fired!" can still be detected by a search function. This might be important if an online signing service is used and it reviews the document by searching for specific keywords.
We identified two variants of this attack class.
Hiding Content via Page.
This attack variant uses an Incremental Update to create a new Page object. It contains all previously used objects except for the overlay, for example, the image. This attack variant is depicted on the left side of the figure above.
Hiding Content via Xref.
If the viewer application does not accept changes to PDF structuring objects, such as Page, Pages, or Contents, the second attack variant can be applied. This variant directly affects the overlay object. The simplest method for this is to create an Incremental Update which only updates the Xref table by setting the overlay object to free. However, this change is interpreted as dangerous by many viewers (e.g., Adobe), and an error or a warning is thrown. For this reason, we use another approach: we use the same object ID within the Incremental Update, but we define it as a different object type. For example, we change the overlay type Image to XML/Metadata.

When opening this manipulated document, the overlay is hidden because Metadata cannot be shown. Since adding Metadata to a signed PDF using Incremental Update is considered harmless, the signature remains valid.

Shadow Attack: Replace

In this attack class, specific content of the PDF document is to be exchanged. The first variant uses the visual properties of text fields for this purpose. The second variant is based on a fatal misconception that fonts cannot be used for manipulation purposes.
Replace via Overlay.

This attack targets an interactive feature in PDFs: interactive forms. Forms support different input masks (e.g., text fields, text areas, radio/selection buttons) where users dynamically enter new content and store it in the PDF document. The main idea of the attack is to create a form which shows one value before (PDF1) and after signing (PDF2), as illustrated on the left side of the figure below. After the attackers manipulate the PDF and create PDF3, different values are shown in the form (as can be seen on the right side of the figure below). The attack abuses a special property of PDF text fields. A text field can show two different values: the real field value and an overlay value which disappears as soon as the text field is selected. The real value of a form field is contained in an object key named /V. The content of the overlay element is defined within a /BBox object. The /BBox object is comparable to the hint labels known from HTML forms; for example, the hint username to indicate that the username should be entered into a specific login field. In contrast to HTML, in PDF there is no visual difference between the hint and the actual value.


In summary, we can say that this variant allows attackers to arbitrarily manipulate the contents of the text fields in the visible layer. As shown in the figure above, this can be used, for example, to maliciously redirect a payment.
Replace via Overwrite.
The main idea of this variant is to append new objects to the signed document which are considered harmless but directly influence the presentation of the signed content. As shown in the figure of the three attack classes, the attackers prepare a shadow document that defines a font and includes its description in the document. The font is used for the presentation of specific content. After the document is signed, the attackers append a new font description and overwrite the previous description. The definition of new fonts is considered harmless; because of that, the applications verifying the signature do not show any warning regarding the changes made. For instance, the (re)definition of fonts does not change the content directly. However, it influences the view of the displayed content and makes number or character swapping possible.

Shadow Attack: Hide-and-Replace

In this attack class, the attackers create a shadow PDF document that is sent to the signers. The PDF document contains a hidden description of another document with different content. Since the signers cannot detect the hidden (malicious) content, they sign the document. After signing, the attackers receive the document and only append a new Xref table and Trailer. Within the Xref table, only one change takes place: the reference to the document Catalog (or any other hidden object), which now points to the shadow document.
In fact, the document contains two independent content paths. One path to show the signer harmless content, and one path with malicious content that replaces the first content after it is signed and activated by the attackers. The figure above visually illustrates the described relationships once again.
This attack variant is the most powerful one since the content of the entire document can be exchanged, including text content, forms, fonts, and annotations. The attackers can build a complete shadow document influencing the presentation of each page and each object.
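
A defender-side check for the Hiding Content via Xref and Hide-and-Replace variants described above, as an added example that is not from the original post or the authors' tooling: it splits a file into revisions at each %%EOF and flags post-signature updates that redefine a signed object with a different /Type, mark an object free, or point an Xref entry back into the signed bytes. The function names, the constructed sample bytes, and the simplification that the signature covers its whole revision are assumptions.

```python
import re

OBJ = re.compile(rb"(\d+) \d+ obj\b(.*?)endobj", re.S)
TYPE = re.compile(rb"/Type\s*/(\w+)")
XREF = re.compile(rb"(?<!start)xref\s+(.*?)trailer", re.S)

def revisions(pdf):
    """Byte spans (start, end) of each revision; every revision ends in %%EOF."""
    spans, start = [], 0
    for m in re.finditer(rb"%%EOF[\r\n]*", pdf):
        spans.append((start, m.end()))
        start = m.end()
    return spans

def object_types(chunk):
    """Object number -> /Type name (None if absent) for objects defined in chunk."""
    types = {}
    for m in OBJ.finditer(chunk):
        t = TYPE.search(m.group(2))
        types[int(m.group(1))] = t.group(1).decode() if t else None
    return types

def xref_entries(chunk):
    """Yield (object number, offset, 'n' or 'f') from classic xref tables."""
    for table in XREF.finditer(chunk):
        num = 0
        for fields in (line.split() for line in table.group(1).splitlines()):
            if len(fields) == 2:        # subsection header: first-object, count
                num = int(fields[0])
            elif len(fields) == 3:      # entry: offset, generation, flag
                yield num, int(fields[0]), fields[2].decode()
                num += 1

def audit(pdf):
    """Flag post-signature updates matching the Hide / Hide-and-Replace patterns."""
    spans = revisions(pdf)
    signed = [i for i, (s, e) in enumerate(spans) if b"/ByteRange" in pdf[s:e]]
    if not signed:
        return ["no signature found"]
    # Assumption: the last signature covers everything up to the end of its
    # revision; a real validator takes the covered range from /ByteRange.
    signed_end = spans[signed[-1]][1]
    known = object_types(pdf[:signed_end])
    findings = []
    for s, e in spans[signed[-1] + 1:]:
        chunk = pdf[s:e]
        for num, typ in object_types(chunk).items():
            if num in known and known[num] != typ:
                findings.append(f"object {num} redefined: {known[num]} -> {typ}")
        for num, off, flag in xref_entries(chunk):
            if num and flag == "f":
                findings.append(f"object {num} marked free")
            elif num and off < signed_end:
                findings.append(f"xref points object {num} back into signed bytes")
    return findings

# Constructed, simplified PDF-like input (not a renderable PDF).
SHADOW = b"1 0 obj <</Type /Catalog /Pages 9 0 R>> endobj\n"
SIGNED = (b"%PDF-1.7\n"
          b"1 0 obj <</Type /Catalog /Pages 2 0 R>> endobj\n"
          b"4 0 obj <</Type /XObject /Subtype /Image>> endobj\n" + SHADOW +
          b"5 0 obj <</Type /Sig /ByteRange [0 0 0 0]>> endobj\n"
          b"xref\n0 1\n0000000000 65535 f \n"
          b"trailer <</Root 1 0 R>>\nstartxref\n0\n%%EOF\n")

def update(body, num, offset):
    """Constructed incremental update with a single in-use xref entry."""
    return body + (b"xref\n%d 1\n%010d 00000 n \n"
                   b"trailer <</Root 1 0 R>>\nstartxref\n0\n%%%%EOF\n") % (num, offset)

BENIGN = SIGNED + update(b"6 0 obj <</Type /Annot>> endobj\n", 6, len(SIGNED))
HIDE = SIGNED + update(b"4 0 obj <</Type /Metadata /Subtype /XML>> endobj\n", 4, len(SIGNED))
REMAP = SIGNED + update(b"", 1, SIGNED.index(SHADOW))

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("hide", HIDE), ("remap", REMAP)]:
        print(name, audit(doc))
```

The regular expressions ignore compressed object streams and cross-reference streams, so this is a triage heuristic for classic Xref tables rather than a full PDF parser.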

Evaluation

Overall, 15 out of 28 PDF viewing applications were vulnerable to at least one presented attack. Surprisingly, for 11 PDF viewers, all three attack classes were successful. The Table shows that some applications have limited vulnerabilities. These applications respond to any type of Incremental Update with a post-signature modification note, including modifications that are allowed due to the specification. We have evaluated the latest (at the time of evaluation) available versions of the applications on all supported desktop platforms: Windows, macOS, and Linux.

Evaluation results.


Authors of this Post

Simon Rohlmann 
Christian Mainka
Vladislav Mladenov
Jörg Schwenk

Acknowledgments

Many thanks to the CERT-Bund (BSI) team for the great support during the responsible disclosure. We also want to acknowledge the teams of the vendors which reacted to our report and fixed the vulnerable implementations.