
Dark web listings for malware aimed at companies on rise

There's been a significant rise in the number of dark web listings for malware and other hacking tools which target the enterprise, and an increasing number of underground vendors are touting tools that are designed to target particular industries.

A study by cybersecurity company Bromium and criminologists at the University of Surrey involved researchers studying underground forums and interacting with cyber-criminal vendors. The study found that the dark web is fast becoming a significant source of bespoke malware.

In many cases, the dark web sellers demonstrated intimate knowledge of email systems, networks and even cybersecurity protocols in a way that suggests they themselves have spent a lot of time inside enterprise networks, raising questions about security for some companies.

"What surprised me is the extent you could obtain malware targeting enterprise, you could obtain operational data relating to enterprise," Mike McGuire, senior lecturer in Criminology at the University of Surrey and author of the study, told ZDNet.

"There seems to be an awareness and sophistication among these cyber criminals, to go for the big fry, to go where the money is, as a criminal, and the enterprise is providing that," he said, adding: "What surprised me is just how easy it is to get hold of it if you want to."

McGuire and his team interacted with around 30 sellers on dark web marketplaces – sometimes on forums, sometimes via encrypted channels, sometimes by email – and the findings have been detailed in the Behind the Dark Net Black Mirror report.

The study calculated that since 2016, there's been a 20 percent rise in the number of dark web listings that have the potential to harm the enterprise.

Malware and distributed denial of service (DDoS) form almost half of the attacks on offer – a quarter of the listings examined advertised malware and one in five offered DDoS and botnet services. Other common services targeting enterprises that were for sale include espionage tools, such as remote-access Trojans and keyloggers.

Ransomware tool causing chaos in Baltimore was developed by NSA

A recent spate of ransomware attacks in Baltimore and other U.S. cities has been executed using a tool developed by the National Security Agency (NSA). Thousands of people in Baltimore have been locked out of their computers in the past three weeks, causing disruption across the city. And this has been enabled by a piece of software created by the NSA, according to a report in the New York Times.
The EternalBlue exploit takes advantage of a vulnerability in Microsoft Windows machines to infiltrate target computers. The software was stolen from the NSA and leaked by hackers in 2017, and since then has been used in a wide variety of cybercriminal schemes. 2017’s WannaCry attack used the software, as did Russia’s NotPetya attack on Ukraine last year.
Now the same software is being used against U.S. citizens, causing particular problems for local governments whose machines have been disrupted. Many local governments do not regularly update their computers, leaving them vulnerable to exploits. In Baltimore, hospitals, airports, ATMs, shipping operators, and vaccine-producing factories have all been affected in the last few weeks.
The software locks the target computer’s screen, then shows a message demanding a payment of around $100,000 in Bitcoin for the target to regain access to their files. “We’ve watching you for days,” the message says, according to The Baltimore Sun. “We won’t talk more, all we know is MONEY! Hurry up!”
The NSA has never acknowledged the theft of the software or its responsibility for the cyberattacks conducted using it.
“The government has refused to take responsibility, or even to answer the most basic questions,” Thomas Rid, a cybersecurity expert at Johns Hopkins University, said to the Times. “Congressional oversight appears to be failing. The American people deserve an answer.”
EternalBlue may have been developed with good intentions to protect national security, but this event shows the problems with law enforcement or intelligence agencies having tools which allow them access to computers and phones. When such a tool is leaked, it can no longer be controlled.

Buckeye APT hackers stole the NSA hacking tools before Shadow Brokers leaked these tools

The Buckeye APT group, a Chinese state-sponsored actor, was using Equation Group tools a year before the Shadow Brokers leaked them in 2017.

Shadow Brokers is a mysterious group of hackers who stole malware, hacking tools and zero-day exploits from the Equation Group, a branch under the NSA and one of the most advanced cyber attack groups in the world.

Active since 2009, the Buckeye group, also known as APT3, used these tools in multiple attacks to gain unauthorized access to organizations on its target list, most of them based in the United States.

Besides being responsible for exploiting zero-day vulnerabilities in 2014, the Buckeye group, a couple of years later, used 'Trojan.Bemstour', a custom exploit tool, to reach its targets.

To attain remote kernel code execution on victims' computer systems, Bemstour exploited the following zero-day vulnerabilities on Windows: CVE-2019-0703 and CVE-2017-0143. These were later employed by EternalRomance and EternalSynergy, two NSA-owned exploit tools.

According to the Symantec report, “Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor. DoublePulsar is then used to inject a secondary payload, which runs in memory only. The secondary payload enables the attackers to access the affected computer even after DoublePulsar is removed.”

“The variant of DoublePulsar used in the first attacks performed by Buckeye was different to that leaked by the Shadow Brokers. It appears to contain code to target newer versions of Windows (Windows 8.1 and Windows Server 2012 R2), indicating that it is a newer version of the malware.”

iPhone hacking tool for sale on eBay

iPhones are renowned for their security, to the point that even law enforcement agencies have trouble accessing their contents. An Israeli firm, Cellebrite, became well known when it transpired that hacking tools it made were used by the US government to crack locked iPhones, and now its hacking tools are available to buy on eBay.

Cellebrite phone-cracking devices, beloved by law enforcement, are available at bargain-basement prices so you can get a gander at all the devices that the police have presumably been able to squeeze for data.

The Cellebrite Universal Forensic Extraction Device (UFED) is a smartphone hacking tool commonly used by the FBI, Department of Homeland Security and other law enforcement agencies in the US and elsewhere. It’s the most powerful tool yet created by the Israeli company, able to extract a huge amount of data – even data which has been deleted from phones.

Security researcher Matthew Hickey, co-founder of the training academy Hacker House, recently told Forbes that he’d picked up a dozen Cellebrite UFED devices for dirt cheap and probed them for data, which he found in spades.

For as little as $100-$1000, you can get your hands on a second-hand piece of Cellebrite equipment (a fraction of its usual selling price). For just a few Benjamins, you could get a Cellebrite UFED (Universal Forensic Extraction Device) and use it for whatever you might fancy.

A brand new one normally costs $5,000 to $15,000 depending on the model.

What surprised Hickey was that nobody bothered to wipe these things before dumping them onto eBay, he told Forbes:

“You’d think a forensics device used by law enforcement would be wiped before resale. The sheer volume of these units appearing online is indicative that some may not be renewing Cellebrite and disposing of the units elsewhere.”

Facebook rewards Researchers for Vulnerability Discovery Tool

Facebook has awarded a prize of $100,000 to a team of security researchers in Georgia for finding a new class of vulnerabilities in browser-based C++ programs.

The award, the “Internet Defense Prize”, was given at the 24th USENIX Security Symposium in Washington D.C. for projects that encourage internet safety. The payout of $100,000 was double what was awarded to German researchers Johannes Dahse and Thorsten Holz last year, who won the prize for their paper, “Static Detection of Second-Order Vulnerabilities in Web Applications.”

This year’s prize winners, PhD students Byoungyoung Lee and Chengyu Song, along with Professors Taesoo Kim and Wenke Lee, revealed a new class of C++ vulnerabilities and introduced CaVeR, a runtime bad-casting detection tool.

CaVeR performs instrumentation at compile time and uses a new runtime type tracing mechanism—the type hierarchy table—to overcome the limitation of existing approaches and efficiently verify type casting dynamically. The researchers claim to have applied CaVeR to the code of the Chromium and Firefox browsers and discovered 11 previously unknown security vulnerabilities: nine in GNU libstdc++ and two in Firefox.

Facebook Security Engineering Manager Ioannis Papagiannis explains, “C++ supports two major different types of casting operators to convert one type of data into another: static and dynamic casts. Dynamic casts are checked at runtime for correctness, but they also incur a performance overhead. People typically prefer to use static casts because they avoid that overhead, but if you cast to the wrong type using a static cast, the program may end up creating a pointer that can point past the memory allocated to a particular object. That pointer can then be used to corrupt the memory of the process.”

Papagiannis said that CaVeR makes it possible to have the best of both worlds: using static type casting to improve performance, but identifying type casting vulnerabilities that can then be addressed.

He added, “We all benefit from this kind of work. A large part of why Facebook has been successful in serving nearly 1.5 billion people is because we have been quick to introduce and adopt categories of systems and frameworks that prevent whole classes of vulnerabilities at once. As an industry, we need to invest in those kinds of solutions that scale.”
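The bad-cast problem and the runtime check described above, as an added C++ example (not CaVeR's code and not from the original post): a hand-written type hierarchy table and an object-to-type map stand in for what CaVeR generates through compile-time instrumentation. The class names and the helpers `track`, `verify_cast`, `checked_static_cast` and `overreach_bytes` are hypothetical.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <set>

// Constructed hierarchy: two unrelated siblings share one base.
// None of the classes is polymorphic, so dynamic_cast cannot check a downcast here.
struct Element      { int id = 0; };
struct SmallElement : Element { char tag = 's'; };
struct LargeElement : Element { char payload[64] = {}; };

enum class TypeId { Element, SmallElement, LargeElement };

template <class T> TypeId type_id_of();
template <> TypeId type_id_of<Element>()      { return TypeId::Element; }
template <> TypeId type_id_of<SmallElement>() { return TypeId::SmallElement; }
template <> TypeId type_id_of<LargeElement>() { return TypeId::LargeElement; }

// Type hierarchy table (simplified model): for each allocated type, the set of
// types a pointer to that object may legitimately be cast to (itself and its bases).
static const std::map<TypeId, std::set<TypeId>> kHierarchy = {
    {TypeId::Element,      {TypeId::Element}},
    {TypeId::SmallElement, {TypeId::SmallElement, TypeId::Element}},
    {TypeId::LargeElement, {TypeId::LargeElement, TypeId::Element}},
};

// Runtime type tracing (simplified model): object address -> type it was created as.
// An instrumenting compiler would insert these calls; here they are made by hand.
static std::map<const void*, TypeId> g_live_objects;

template <class T> void track(const T& obj) {
    g_live_objects[static_cast<const Element*>(&obj)] = type_id_of<T>();
}
template <class T> void untrack(const T& obj) {
    g_live_objects.erase(static_cast<const Element*>(&obj));
}

enum class CastCheck { Ok, BadCast, Untracked };

// Decide whether casting the object behind p to Target is legitimate.
template <class Target> CastCheck verify_cast(const Element* p) {
    auto it = g_live_objects.find(p);
    if (it == g_live_objects.end()) return CastCheck::Untracked;
    const std::set<TypeId>& allowed = kHierarchy.at(it->second);
    return allowed.count(type_id_of<Target>()) ? CastCheck::Ok : CastCheck::BadCast;
}

// static_cast that is only performed after the table lookup succeeds.
template <class Target> Target* checked_static_cast(Element* p) {
    return verify_cast<Target>(p) == CastCheck::Ok ? static_cast<Target*>(p) : nullptr;
}

// Bytes a Target* would cover beyond the storage of an Actual object:
// the region an unchecked bad cast lets later code read or write.
template <class Target, class Actual> std::size_t overreach_bytes() {
    return sizeof(Target) > sizeof(Actual) ? sizeof(Target) - sizeof(Actual) : 0;
}

int main() {
    SmallElement small;
    track(small);
    Element* base = &small;  // the static type no longer says which sibling this is

    // An unchecked static_cast<LargeElement*>(base) compiles without complaint,
    // but payload[] would then alias memory that was never part of `small`.
    std::cout << "bytes past the object after a bad cast: "
              << overreach_bytes<LargeElement, SmallElement>() << "\n";

    std::cout << "cast to SmallElement ok: "
              << (verify_cast<SmallElement>(base) == CastCheck::Ok) << "\n";
    std::cout << "cast to LargeElement flagged: "
              << (verify_cast<LargeElement>(base) == CastCheck::BadCast) << "\n";

    untrack(small);
    return 0;
}
```
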

Will Cyber Security Companies shift their Headquarters out of US?

Until now, nuclear, radiological, chemical and biological weapons have been considered weapons of mass destruction (WMD).

The Bureau of Industry and Security (BIS), an agency of the United States Department of Commerce that deals with issues involving national security and high technology, is proposing to classify cyber security tools as weapons of war in an attempt to control their distribution.

Tools used to extract data or information from a computer or network-capable device, or to modify system or user data, will come under this law and are being classified as intrusion software. Tools designed to avoid detection by 'monitoring tools' (antivirus, IDS/IPS, endpoint security products) will also be considered weapons.

Any penetration testing products designed to identify security vulnerabilities of computers and network-capable devices fall under this category.

"The proposal is not beneficial. Most vulnerability scanners and penetration testing products come under it. The proposal means tools from US companies which have been used to do assessments and audits in corporate will need to go through the clearance. It could also lead to corporate getting tracked," says J. Prasanna, founder of the Cyber Security and Privacy Foundation (CSPF).

Most of these cyber security firms should either convince their worldwide clients to go through the process or shift their headquarters out of the USA.

Prasanna pointed out that the US government tried to stop the export of cryptography in the past, but Russian, European and Israeli companies gained an advantage from the cryptography restriction.

He said that the new proposal is bad news for cyber security researchers. If it becomes law, it will force them to find a new way to beat cyber criminals.

"Hackers are already many steps ahead of us. Some tools like Canvas and Metasploit Pro are important tools for penetration testing," said Prasanna.

Thomas Dullien, Google Researcher, said "addition of exploits to the Wassenaar arrangement is an egregious mistake for anyone that cares about a more secure and less surveilled Internet" in his personal blog.

Rapid7, a Boston-based cybersecurity firm, well known for its Metasploit Pentesting framework, said that they are investigating implications of Wassenaar for Metasploit and security research, and working on comments for the consultation.

According to the proposal, the governments of Australia, Canada, New Zealand or the UK will get favorable treatment for license applications, as they have partnered with the US on Cyber Security Policy and issues.

The BIS is seeking comments before 20th July 2015 on the proposed rule. You can submit the comments here.

TNS released WPA attack tool "Reaver" that Cracks WPA within 10 Hours

Just a day after security researcher Stefan Viehbock released details of vulnerabilities in the WiFi Protected Setup (WPS) protocol that allow attackers to recover WPA/WPA2 passphrases in a matter of hours, the security firm Tactical Network Solutions published an open-source tool capable of exploiting the vulnerability.

Reaver is a WPS attack tool capable of breaking WPS PINs and recovering the plain text WPA/WPA2 passphrase of the target access point in approximately 4-10 hours (attack time varies based on the access point).

There are two offerings of the Reaver tool: the free open source version, which has limited functionality, and a commercial version, which is user friendly and feature-rich.


The Social-Engineer Toolkit (SET) v2.3 “Eclipse” released by SecManiac

SecManiac released The Social-Engineer Toolkit (SET) v2.3, code-named "Eclipse". It is an open source tool, written in Python, that focuses solely on attacking the human element of penetration testing. Its main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed.

The SET is designed to make complex social engineering tasks relatively simple for you by allowing you to utilize a robust framework for penetration tests.

The official Changelog below:

version 2.3
  •  fixed a bug that would not load the menus properly when loading SET (bad return placement)
  •  fixed an annoying bug that has been around for a number of versions, finally tracked down..some occasions where it would show “Moving payload to website”, you couldn’t control-c out to exit and would have to close the console window. This has been resolved.
  •  rewrote shellcodeexec again to evade AV
  •  added the shellcodeexec.c modified source code
  •  removed improper way to mask error messages through 1> /dev/null and 2> /dev/null, pipe information through subprocess.PIPE instead
  •  fixed a bug in fast-track with the mssql bruter where if using the SET interactive shell, it wouldn’t spawn the HTTP server properly due to site.template and attack.vector files not being found. Added better granularity on detecting files and setting defaults if they are not found
  •  adjusted the repeater time to 2 seconds versus 3
  •  added additional passwords found in pentests to the wordlist
  •  removed excess code from setcore
  •  moved Signed_Update.jar that is generated through Java Applet attack it now goes through src/program_junk versus src/html
  •  rewrote large portions of SET to place cloned websites and files under src/program_junk/web_clone versus src/webattack/web_clone/site/template
  • added new config option for OSX/LINUX payload ports and removed the automatic prompt after generating metasploit payload if you want to target OSX/Linux. It will automatically target Linux/OSX and removes another prompt in setting everything up
  • added additional stability to powershell injection, it is now enabled by default. If powershell is injected, it will send a payload straight through memory versus touching disk. Note that you may get two shells back. This is intentional as its a failsafe if the one method fails through powershell. So regardless, if the powershell injection fails to compromise, the backup dropper will still execute
  • bug fix in where it would throw an error about not finding the proper payload in the fasttrack mssql bruter

sqlsus 0.7 released with Time-based Blind SQL injection support

Sqlsus is an open source MySQL injection and takeover tool, written in Perl. It is used to test the vulnerability of web applications. It uses stacked subqueries and a powerful blind injection algorithm to maximise the data gathered per web server hit. Using multithreading on top of that, sqlsus is an extremely fast database dumper, be it for inband or blind injection.

Sqlsus now supports time-based blind injection and automatically detects web server / suhosin / etc. length restrictions.

The official Change Log:
  • Added time-based blind injection support (added option "blind_sleep", and renamed "string_to_match" to "blind_string").
  • It is now possible to force sqlsus to exit when it's hanging (i.e.: retrieving data), by hitting Ctrl-C more than twice.
  • Rewrite of "autoconf max_sendable", so that sqlsus will properly detect which length restriction applies (WEB server / layer above). (removed option "max_sendable", added options "max_url_length" and "max_inj_length")
  • Uploading a file now sends it into chunks under the length restriction.
  • sqlsus now saves variables after each command, so that forcing it to quit (or killing it) will not discard the changes that were made.
  • Added a progress bar to inband mode, sqlsus now determines the number of rows to be returned prior to fetching them.
  • get db (tables/columns) in inband mode now uses multithreading (like everything else).
  • clone now uses count(*) if available (set by "get count" / "get db"), instead of using fetch-ahead.
  • In blind mode, "start" will now test if things work the way they should, by injecting 2 queries : one true and one false.
  • sqlsus now prints what configuration options are overridden (when a saved value differs from the configuration file).
Bug Fixes:
  • Fixed some misuse of the object returned by LWP UserAgent that could trigger a perl error.
  • Fixed a useless memory consumption in the IPC that could trigger an "out of memory" error (since 0.5RC1).
  • Removed a false error display in backdoor sql mode when using INSERT, UPDATE, DELETE, DROP, etc..

THC(The Hacker's Choice) SSL DOS tool released

Today the German hacker group “The Hacker’s Choice” officially released a new DDoS tool. The tool exploits a weakness in SSL to kick a server off the Internet.


“We decided to make the official release after realizing that this tool leaked to the public a couple of months ago” said a member of THC who wants to remain anonymous.

The tool departs from traditional DDoS tools: It does not require any bandwidth and just a single attack computer (“bot”).

The THC-SSL-DOS attack is on par with other resource exhausting DDoS attacks. Some of those methods played a vital role in demonstrations against oppressive governments (like the DDoS attack against Iran’s leader) and against companies that violate free speech (like the DDoS attack against Mastercard for closing WikiLeaks’ non-profit donation account because of an alleged typo/misspelling in the application form).

“Here at THC the rights of the citizen and the freedom of speech are at the core of our research”, says a member of THC in a private interview this morning.

“We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century,” says a THC member, referring to 3 major vulnerabilities disclosed in SSL over the past 3 years.

To list the 3 major vulnerabilities here THC explains: “In 2009 a vulnerability was disclosed that broke the encryption of SSL. De-facto making all SSL traffic unsafe. In 2011 various Certification Authorities got hacked. De-facto making all SSL traffic unsafe _again_.”

“We warned in 2002 about giving hundreds of commercial companies (so called Certification Authorities) a master key to ALL SSL traffic.”, says Fred Mauer, a senior cryptographer at THC. “Only a real genius can come up with such an idea!”.

“And last but not least the immense complexity of SSL Renegotiation strikes again in 2011 with the release of THC-SSL-DOS.”.

“It’s time for a new security model that adequately protects the citizens.”.

The THC-SSL-DOS tool is a Proof Of Concept tool to disclose fishy security in SSL. It works great if the server supports SSL Renegotiation. It still works if SSL Renegotiation is not supported but requires some modifications and more bots before an effect can be seen.

Our tests reveal that the average server can be taken down from a single IBM laptop through a standard DSL connection.

Taking on larger server farms who make use of SSL Load balancer required 20 average size laptops and about 120kbit/sec of traffic.

All in all superb results.

Interesting here is that a security feature that was supposed to make SSL more secure makes it indeed more vulnerable to this attack:

SSL Renegotiation was invented to renegotiate the key material of an SSL connection. This feature is rarely used. In fact we could not find any software that uses SSL Renegotiation. Yet it’s enabled by default by most servers.

An old saying comes true all over again: Complexity is the enemy of security.

“Renegotiating Key material is a stupid idea from a cryptography standpoint. If you are not happy with the key material negotiated at the start of the session then the session should be re-established and not re-negotiated”, says THC.

Optima DDOS 10a botnet leaked on Hacker Forums(r00tW0rm)

"Optima DDOS 10a Botnet" full version is available to download in Hacker forums.

According to the author, the new version 10a improves the bot's stealth and optimizes the password grabber. It costs about $600.

Bot features:
  • DDoS attacks of three types: HTTP flood, ICMP flood, SYN flood.
  • Theft of stored passwords from some applications installed on the victim's system, details below.
  • Opening a SOCKS5 proxy on the infected system.
  • Inflating various visit counters on websites (by making HTTP requests to the sites).
  • Hidden download and execution of a specified file on the affected systems.
  • Installs itself in the system as a service.
  • Bot size: 95.5 kb, written in Delphi.

PuttyHijack~session hijack POC

PuttyHijack is a POC tool that injects a dll into the Putty process to hijack an existing, or soon to be created, connection. This can be useful during penetration tests when a windows box that has been compromised is used to SSH/Telnet into other servers.

The injected DLL installs hooks and creates a socket in guest operating system for a callback connection that is then used for input/output redirection.

PuttyHijack does not kill the current connection, and will cleanly uninject if the socket or process is stopped. It leaves no trace for further analysis.

How to run/install PuttyHijack
  • Start a nc listener on some fully controlled machine.
  • Run PuttyHijack on the victim machine, specifying the listener IP and port (some social engineering skill may be helpful)
  • Watch the echoing of everything including passwords (grab it for further analysis)

Help commands of PuttyHijack

!disco – disconnect the real putty from the display
!reco – reconnect it
!exit – just another way to exit the injected shell

Nmap 5.61 Changelog ~Added IPv6 OS detection system

# Nmap Changelog[2011-10-01]
  • [NSE] Made http-wordpress-enum.nse able to get names of users who have no posts. [Duarte Silva]
  • Increased hop distance estimates from OS detection by one. The distance now counts the number of hops including the final one to the target, not just the number of intermediate nodes. The IPv6 distance calculation already worked this way. [David]

Nmap 5.61TEST2:[2011-09-30]

o Added IPv6 OS detection system! The new system utilizes many tests
similar to IPv4, and also some IPv6-specific ones that we found to
be particularly effective. And it uses a machine learning approach
rather than the static classifier we use for IPv4. We hope to move
some of the IPv6 innovations back to our IPv4 system if they work
out well. The database is still very small, so please submit any
fingerprints that Nmap gives you to the specified URL (as long as
you are certain that you know what the target system is
running). Usage and results output are basically the same as with
IPv4, but we will soon document the internal mechanisms at, just as we have for IPv4. For an
example, try "nmap -6 -O". [David, Luis]

o [NSE] Added 3 scripts, bringing the total to 246! You can learn
more about them at Here they are (authors
listed in brackets):

+ lltd-discovery uses the Microsoft LLTD protocol to discover hosts
on a local network. [Gorjan Petrovski]

+ ssl-google-cert-catalog queries Google's Certificate Catalog for
the SSL certificates retrieved from target hosts. [Vasiliy Kulikov]

+ quake3-info extracts information from a Quake3-like game
server. [Toni Ruottu]

o Improved AIX support for raw scans. This includes some patches
originally written by Peter O'Gorman and Florian Schmid. It also
involved various build fixes found necessary on AIX 6.1 and 7.1. See [David]

o Fixed Nmap so that it again compiles and runs on Solaris 10,
including IPv6 support. [David]

o [NSE] Moved our brute force authentication cracking scripts
(*-brute) from the "auth" category into a new "brute"
category. Nmap's brute force capabilities have grown tremendously!
You can see all 32 of them at It isn't clear
whether dns-brute should be in the brute category, so for now it
isn't. [Fyodor]

o Made the interface gathering loop work on Linux when an interface
index is more than two digits in /proc/sys/if_inet6. Joe McEachern
tracked down the problem and provided the fix.

o [NSE] Fixed a bug in dns.lua: ensure that dns.query() always return two values
(status, response) and replaced the workaround in asn-query.nse by the proper
use. [Henri]

o [NSE] Made irc-info.nse handle the case where the MOTD is missing.
Patch by Sebastian Dragomir.

o Updated nmap-mac-prefixes to include the latest IEEE assignments
as of 2011-09-29.

    Firebug 1.9a3 Update

    Firebug 1.9a3 is now available, compatible with Firefox 5 to Firefox 9 (nightly). If you want to know which issues were fixed, follow this link.

    Some highlights from this release.
    • Autocompletion in Firebug Command line has been improved (issue 3622 and issue 4803)
    • Vertical position (line number) is preserved across page reloads (issue 1413)
    Also, Firebug Working Group has a new member: Stampolidis Anastasios (aka Tasos). Tasos has been long time Firebug contributor helping with issues in various areas and FWG is pleased to have him on board!

    Visual DuxDebugger 3.0 ~ Reverse Engineering Tools

    Visual DuxDebugger is a debugger disassembler for Windows 64-bit.

    Main features
    Fully support 64-bit native processes
    Fully support 64-bit .NET processes
    Full code analysis
    Full memory analysis
    Code edition
    Memory edition
    Module export formats (EXE/DLL/CSV)
    Debug multiple processes
    Debug multiple child processes

    Minimum Requirements
    O.S: Windows 7 64-bit / Windows Server 2008 R2
    Processor: Pentium 4 3.0 GHz

    Recommended Requirements
    O.S: Windows 7 64-bit / Windows Server 2008 R2
    Processor: Dual Core 2.5 GHz
    Display: 1920 x 1080


    Run 'setup.exe' to install prerequisites

    John the Ripper 1.7.8-jumbo-7 Released ~ Password Cracking Tools

    John the Ripper 1.7.8-jumbo-7 was released earlier today.

    Change log:
    * Support for encrypted pkzip archives has been added, testing millions
    of candidate passwords per second. (JimF)
    (This is in addition to WinZip/AES archives, support for which was added
    in prior -jumbo updates.)
    * Support for Mac OS X 10.7 Lion salted SHA-512 hashes has been added
    (enabled when building against OpenSSL 0.9.8+ only), with optional OpenMP
    parallelization. (Solar)
    * Optional OpenMP parallelization has been added for salted SHA-1 hashes
    used by Mac OS X 10.4 to 10.6. (Solar)
    * PoC support for DES-based 10-character tripcodes has been added (does
    not use the bitslice DES implementation yet, hence is slow). (Solar)
    * The DIGEST-MD5 authentication cracker has been revised to be usable
    without requiring source code customizations. (magnum)
    * Highly experimental support for dynamically loaded plugins (adding new
    formats) has been added (currently only enabled on Linux). (David Jones)
    * Added the ability for the john.conf file to ".include" other .conf
    files and/or individual sections (e.g., a wordlist rules section may
    include more rules from elsewhere). (JimF)
    * John now makes an attempt to suppress duplicate rules (handy along
    with the ".include" feature). (JimF)
    * More character encodings are now supported. The full list is: raw,
    utf-8, iso-8859-1, iso-8859-7, iso-8859-15, koi8-r, cp437, cp737, cp850,
    cp858, cp866, cp1251, cp1252, cp1253.
    * Full encoding support for "single crack" mode, rules, and character
    classes has been implemented. (JimF/magnum)
    * Full encoding support for all formats, including md5_gen. (JimF/magnum)
    * Some new character classes have been added. (JimF/magnum)
    * Support for user-defined character classes has been added, along with
    some samples in the default john.conf. (magnum)
    * New rule reject flag "->N" (reject unless length N is supported by the
    current hash/cipher type). (magnum)
    * New Boolean options in john.conf: LogCrackedPasswords, AlwaysReportUTF8,
    UnicodeStoreUTF8, CPstoreUTF8. (magnum)
    * raw-md5-unicode has been replaced with faster 'thin' raw-md5u. (magnum)
    * The generic crypt(3) module now recognizes some "subformats"
    (md5/sha256/sha512), solely for benchmarking. (magnum)
    * Wordlist mode is now much faster when using memory buffer and running
    against a fast hash/cipher type. (JimF/magnum)
    * Unicode DumbForce-like external mode samples have been added (Dumb16
    and Dumb32). (magnum)
    * Numerous bug, performance, and portability fixes (JimF/magnum/Solar)


    SSHtrix - Fastest Multithreaded SSHv1 and SSHv2 login cracker

    sshtrix is a very fast multithreaded SSH login cracker. It supports SSHv1 and SSHv2. sshtrix was designed to automate rapid bruteforce attacks against SSH authentication screens. Unlike other public tools, the aim is to keep it simple, stable, fast and modular. With its clean code design, it is easy to extend the code to a framework or to fork it against protocols of your choice. In fact, sshtrix is a fork of my own generic login cracker framework.


    DroidSheep ~ one-click session hijacking using your android smartphone

    What is this about?
    If you know Firesheep or Faceniff, you probably know what this is about – one-click session hijacking using your android smartphone or tablet computer.

    If you do not know one of these tools, I’ll try to explain what DroidSheep is.

    Maybe you know Bob. Bob is a well-known person and Bob loves coffee. Every morning, he takes his laptop and visits one of the famous green coffee bars, has a “grande vanilla latte” and writes messages to his Facebook friends. For doing that, Bob uses the coffee bar's WiFi – because it's free and fast.

    One morning, while Bob is writing a message to his girlfriend, Eve enters the coffee bar. Eve has an Android phone and Eve uses DroidSheep. After ordering a “venti caramel macchiato”, Eve sits down, takes her phone and starts browsing Facebook. Using Bob's identity. She can look at his friends. Read his messages. Write messages. Write wall posts. Remove friends. Delete Bob's account. Without ever getting in touch with Bob.

    What happened?

    When Bob is using the WiFi, his laptop sends all the data intended for Facebook over the air to the coffee bar's wireless router. As “over the air” means “capturable by everybody”, Eve (or her phone) can read all the data sent by Bob. As some data is encrypted before being sent, she cannot read Bob's Facebook password. But so that Bob does not have to enter his password after each click, Facebook sends Bob a so-called “session id” after he logs in, which Bob sends with each interaction, making it possible for Facebook to identify Bob. Usually only Bob knows this id, as he receives it encrypted. But when Bob uses the coffee bar's WiFi, he spreads his session id over the air to everybody. So Eve takes this session id and uses it as hers – and Facebook cannot determine whether Bob or Eve is using this id.

    DroidSheep makes this easy for everybody. Just start DroidSheep, click the START button and wait until someone uses one of the supported websites. Jumping on his session simply needs one more click. That's it.

    What do you need to run DroidSheep?
    - You need an android-powered device, running at least version 2.1 of Android
    - You need Root-Access on your phone
    - You need DroidSheep :-) (You can get it in the “GET IT” section)

    DroidSheep now supports nearly all Websites using Cookies!
    With Version 5, DroidSheep got the new “generic”-Mode! Simply enable it, and DroidSheep will capture all Accounts in the network!!
    Successfully tested with ALL already supported Accounts and a lot of other ones (even all WordPress and Joomla-Pages should work!!)

    Which pages does DroidSheep support?
    – fl
    – (only the non-encrypted services like “maps”)

    DroidSheep now supports OPEN, WEP, WPA and WPA2 secured networks.
    For WPA/WPA2 it uses a DNS-Spoofing attack.
    DNS-Spoofing means it makes all devices within the network think the DroidSheep device is the router, so that they send their data to the device. This might have an impact on the network and cause connection problems or bandwidth limitations – and it can be spotted. DroidSheep's attack cannot, as it only reads the packets sent over the WiFi, but instead of dismissing them, it uses the data :-)

    How does this work?
    When you use web applications, they usually require you to enter your credentials in order to verify your identity. To avoid entering the credentials at every action you do, most web applications use sessions where you need to log in once. A session is identified by a session token, which is in the possession of the user and is sent together with every subsequent request within the HTTP packets.
    DroidSheep reads all the packets sent via the wireless network and captures this session token, which allows you to use this session token as yours and make the web application think you are the person identified by this token. There is no possibility for the server to determine if you’re the correct person or not.

    It is intended to show the weak security properties of big websites such as Facebook. Please always be aware of what you’re doing.

    HowTo use.
    Using DroidSheep is really simple
    Before you start — Make sure your phone is ***ROOTED***
    DroidSheep will not work without Root-Privileges! If it is not, try THIS
    There are two possible ways to install DroidSheep:
    • One of the Android Markets (Google, AppBrain, …) — Simply search for DroidSheep and install the application
    • Download it from the “GET-IT” section using your phone's browser and open the file — your phone should ask to install the app.


    FBPwn ~ A cross-platform Java based Facebook profile dumper

    Friends, if you get an invitation from a stranger on Facebook, don't accept it. Even if you know the person, please verify whether the profile is real or not. A new hacking tool is available that will send a friend request to you. If you accept, it can steal all your info, photos and friend list. Think twice before accepting an invitation.

    FbPwn: A cross-platform Java based Facebook profile dumper, sends friend requests to a list of Facebook profiles, and polls for the acceptance notification. Once the victim accepts the invitation, it dumps all their information, photos and friend list to a local folder.


    A typical scenario is to gather the information from a user profile. The plugins are just a series of normal operations on FB, automated to increase the chance of you getting the info.

    Typically, first you create a new blank account for the purpose of the test. Then, the friending plugin works first, by adding all the friends of the victim (to have some common friends). Then the cloning plugin asks you to choose one of the victim's friends. The cloning plugin clones only the display picture and the display name of the chosen friend of the victim and sets them on the authenticated account. Afterwards, a friend request is sent to the victim's account. The dumper polls, waiting for the friend to accept. As soon as the victim accepts the friend request, the dumper starts to save all accessible HTML pages (info, images, tags, ...etc) for offline examining.

    After a few minutes, the victim will probably unfriend the fake account after he/she figures out it's a fake, but it's probably too late!

    All modules work on a selected profile URL (we'll call him bob), using a valid authenticated account (we'll call him mallory).

    FBPwn modules are:

    - AddVictimFriends: Request to add some or all friends of bob to increase the chance of bob accepting any future requests, after he finds that you have common friends.

    - ProfileCloner: A list of all bob's friends is displayed, you choose one of them (we'll call him andy). FBPwn will change mallory's display picture, and basic info to match andy's. This will generate more chance that bob accepts requests from mallory as he thinks he is accepting from andy. Eventually bob will realize this is not andy's account, but probably it would be too late as all his info are already saved for offline checking by mallory.

    - CheckFriendRequest: Check if mallory is already a friend of bob, then just end execution. If not, the module tries to add bob as a friend and polls, waiting for him to accept. The module will not stop executing until the friend request is accepted.

    - DumpFriends: Accessible friends of bob are saved for offline viewing. The output of the module depends on other modules; if mallory is not a friend of bob yet, the data might not be accessible and nothing will be dumped.

    - DumpImages: Accessible images (tagged and albums) are saved for offline viewing. The same limitations as DumpFriends apply.

    - DumpInfo: Accessible basic info is saved for offline viewing. The same limitations as DumpFriends apply.

    Hackers Extend Firesheep to exploit Google Search data leak

    Security professionals have extended Firesheep (used to hack FB accounts over Wi-Fi) to capture the Google History cache as well.

    Firesheep steals data from the Google Web History feature. Although it is necessary to log in to use the web history, this is not required for unencrypted pages (http://, not https://).

    So hackers are able to find out what you are searching for. Based on your searches, they may also find other information about you. Once they know what your interests are, they can trick you and launch malicious attacks or adware.

    Thank God, it won't allow hackers to steal Google accounts. However, it does expose private data.

    The researchers have already alerted the Google Security Team who are working on a fix. In the meantime they recommend making sure you’re not logged in to your Google account when you’re using an unsecured network.

    For more information on this research you can download Toubiana and Verdot's paper "Show Me Your Cookie And I Will Tell You Who You Are" from

    You might also like to watch our video showing you how to counter Firesheep and its friends, even on unencrypted WiFi.

    Security Tips:
    Use Encrypted google search to protect your web history.
    If you don't use Web Search History or you've never heard of it you may want to visit your search history page and disable it.
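
    Both the DroidSheep and the Firesheep posts above come down to a session cookie travelling over unencrypted HTTP. A site operator can check for that exposure by auditing the response headers that set the cookie. The sketch below is an added example, not code from either tool or from the original posts; the sample headers are constructed and the cookie-name heuristic is an assumption.

```python
# Constructed response headers for illustration; not captured from any real site.
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=3f9a1c; Path=/"),
    ("Set-Cookie", "auth_token=9b2e77; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Assumption: cookies whose names contain these fragments carry a session token.
SESSION_HINTS = ("sess", "auth", "token", "sid")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(headers, scheme="https"):
    """Return (cookie_name, finding) pairs for session cookies that a passive
    listener on shared WiFi could read; "*" marks a site-wide finding."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue                      # preference cookies are out of scope
        if scheme != "https":
            findings.append((name, "issued-over-plaintext-http"))
        if "secure" not in attrs:
            findings.append((name, "missing-secure"))    # browser also sends it on http://
        if "httponly" not in attrs:
            findings.append((name, "missing-httponly"))  # page scripts can read it
    names = {key.lower() for key, _ in headers}
    if scheme == "https" and "strict-transport-security" not in names:
        findings.append(("*", "no-hsts"))  # first request may still go out as http://
    return findings


if __name__ == "__main__":
    for name, finding in audit_response(SAMPLE_RESPONSE):
        print(f"{name}: {finding}")
```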