Category: Hacking Tools

Jan 06 2015

Wifiphisher – Fast Automated Phishing Attack Tool for WiFi Networks

wifiphisherWifiphisher is a security tool that mounts fast automated phishing attacks against WPA networks in order to obtain the secret passphrase. It is a social engineering attack that unlike other methods it does not include any brute forcing. It is an easy way for obtaining WPA credentials.

From the victim’s perspective, the attack makes use in three phases:

1] Victim is being deauthenticated from her access point: Wifiphisher continuously jams all of the target access point’s wifi devices within range by sending deauth packets to the client from the access point, to the access point from the client, and to the broadcast address as well.

2] Victim joins a rogue access point: Wifiphisher sniffs the area and copies the target access point’s settings. It then creates a rogue wireless access point that is modeled on the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will start connecting to the rogue access point. After this phase, the victim is MiTMed.

MiTM Attack

3] Victim is being served a realistic router config-looking page: Wifiphisher employs a minimal web server that responds to HTTP & HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher will respond with a realistic fake page that asks for WPA password confirmation due to a router firmware upgrade.

― Kali Linux
― Two wireless network interfaces, one capable of injection.

Wifiphisher works on Kali Linux and is licensed under the MIT license.

More Info: sophron/wifiphisher – GitHub

Oct 21 2013

Facebook Data Mining Tool Uncovers Your Life

You know you shouldn’t post potentially damaging data on Facebook, but more often that not, your friends don’t think twice about it, and this can impact you even more than you think. At the Hack In The Box conference in Kuala Lumpur, security consultants Keith Lee and Jonathan Werrett from SpiderLabs revealed how a simple tool can enable anyone to find a comprehensive amount of data on any user.

Facebook Data Mining
Keith Lee and Jonathan Werrett during their presentation

To get the information, they created the aptly named FBStalker. This tool reverse-engineers the Facebook Graph and can find information on almost anyone. You don’t have to be a friend with someone on the network – the only thing that FBStalker needs to work is for parts of your posts to be marked as public. The tool will find things based on photos you’ve been tagged in, the comments you’ve put on other people’s posts, the things that you like, etc.

If you are tagged in a photo, we can assume you know the people you’re in the photo with. If you comment on a post, FBStalker knows there’s an association. Most people have an open friends list and this gives the tool a variety of people to target for more information. By looking at their posts and your interactions with them, it’s possible to understand how some of those people are important in your life.

Even though many users don’t use the Check-In function, it’s still possible to determine their favorite places to hang-out based on the tagged photos and posts from their friends. Just imagine the level of detail you can achieve and how that can help you if you want to mount a targeted social engineering attack against the user.

The first thing that came to mind when I learned about this tool was to ask if it’s a violation of Facebook’s terms of service. Werrett was expecting the question, he says with a smile: “The tool is basically automating what the user can do in the browser. We’re not using any APIs or unofficial ways of interacting with the interface. We’re using Graph Search to build-up this profile.”

FBStalker goes also a step further and provides private information about the targeted user that might not be obvious to others. It allows you to analyze the time when the person is online and, with time you are able to guess their sleep patterns and active hours.

This type of tool works well if you haven’t locked down your profile, but it can still work even if you have, provided that your friends haven’t locked down their profiles. You know the old saying – the chain is only as strong as its weakest link. With Facebook’s recent announcement that they are removing a privacy feature and that every user is going to be discoverable by name, things are getting increasingly harder to hide.

Even if your account is locked down, you can’t mark your profile picture as private. Once you change it and people like the picture, the attacker can start building a view of your friends list.

What can you do to protect yourself? The authors have a few suggestions: turn off location tracking and tighten your Facebook privacy settings. However, with the social networking giant increasingly removing privacy options, you may have trouble staying hidden.

Feb 27 2013

ARPwner – ARP & DNS Poisoning Attack Tool

ARPwner is a tool to do ARP poisoning and DNS poisoning attacks, with a simple GUI and a plugin system to do filtering of the information gathered, also has a implementation of sslstrip and is coded 100% in python and on Github, so you can modify according to your needs.


This tool was released by Nicolas Trippar at BlackHat USA 2012.

For the tool to work you need pypcap, so assuming are using a Debian derivative OS (like all sane people do) – you’ll need to do this first:

“apt-get install python-pypcap”


Read More: ARPwner @ GitHub

Jan 19 2013

Shylock Banking Trojan Spreads via Skype

Skype TrojanThe home Trojan-banker known as Shylock has just been updated with new functions. According to the CSIS Security Group, during an investigation, researchers found that Shylock is now capable of spreading using the popular Voice over IP service and software application, Skype.

The program was discovered in 2011 that steals online banking credentials and other financial information from infected computers. Shylock, named after a character from Shakespeare’s “The Merchant of Venice”.

Shylock is active in only a few parts of the world. The epicenter of infections is primarily located in the UK.

The Skype replication is implemented with a plugin called “msg.gsm”. This plugin allows the code to spread through Skype and adds the following functionality:

– Sending messages and transferring files
– Clean messages and transfers from Skype history (using sql-lite access to Skype%smain.db )
– Bypass Skype warning/restriction for connecting to Skype (using “findwindow” and “postmessage”)
– Sends request to server: https://a[removed]…

Besides from utilizing Skype it will also spread through local shares and removable drives. Basically, the C&C functions allow the attacker to:

– Execute files
– Get cookies
– Inject HTTP into a website
– Setup VNC
– Spread through removable drives
– Uninstall
– Update C&C server list
– Upload files

Shylock is one of the most advanced Trojan-banker currently being used in attacks against home banking systems. The code is constantly being updated and new features are added regularly.

As always for this type of Trojans antivirus detection is low.

Nov 28 2012

Yahoo Account Exploit Selling on Black Market

Yahoo ExploitYahoo is investigating the claims of a hacker who is selling an exploit that apparently hijacks Yahoo mail accounts.

The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in that lets attackers steal cookies from Yahoo! Webmail users.

Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Demonstrating an apparent flair for marketing, the hacker, under the alias “TheHell” also posted a video on YouTube, providing a demo for potential customers. He claims it works with all browsers and does not require a bypass of XSS filters in either Chrome or Internet Explorer. He also says the exploit will be sold only to trusted individuals who are not likely to turn it over to Yahoo, which would undoubtedly develop a patch that will foil the attack.

“TheHell” claims that his exploit attacks a “stored” XSS flaw. This type of attack injects a code that is permanently stored on targeted servers until it is found and deleted. The malicious code is then passed to the victim’s machine when that particular server is accessed for legitimate download.

A standard phishing attempt is used to access the user’s cookies, from which the attacker can access the person’s email, or take full control of the account.

As of Tuesday morning, Yahoo was in the process of trying to identify the infected URL. Once the identification is successful, the malicious portion of code will be deleted.