Best 2020 Hacking


TEAM

Editor-in-Chief: Joanna Kretowicz, [email protected]
Editors: Marta Sienicka, [email protected]; Marta Strzelec, [email protected]; Bartek Adach, [email protected]
Proofreader: Lee McKenzie
Senior Consultant/Publisher: Paweł Marciniak
CEO: Joanna Kretowicz, [email protected]
Marketing Director: Joanna Kretowicz, [email protected]
DTP: Marta Sienicka, [email protected]
Cover Design: Hiep Nguyen Duc
Publisher: Hakin9 Media Sp. z o.o., ul. Postępu 17D, 02-676 Warszawa
Phone: 1 917 338 3631
www.hakin9.org

All trademarks, trade names, or logos mentioned or used are the property of their respective owners.

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Dear Readers!
We would like to present you another special edition of Hakin9. This time we decided to gather our best 20 hacking tutorials in one place. We divided them into four sections: wireless and mobile hacking, password cracking, programming for hackers, and others. Inside you will find more than 400 pages of "how-to" and "step-by-step" tutorials that will surely contribute to your development as a professional pentester or ethical hacker.

Enjoy the issue,

Hakin9 Team
Mobile and Wireless Hacking

Android Hacking: Dissection of Android Apps (p. 10) - Samrat Das
Android Mobile App Pentesting (p. 29) - Atul Singh
IMSI Catching Over WIFI Networks: Exposing WIFI-Offloading (p. 54) - Loay Abdelrazek
New Hacking Era: Wireless Hacking By Drones (p. 62) - Carlos Manzo Trujillo
The Biggest Boogeyman Of Network Wireless (p. 83) - Fabrício Salomão and Rafael Capucho
WiFi Hacking (p. 94) - Pprasoon Nigam
Hidden APK (p. 115) - Milan Oulehla

Password Cracking

Cracking Passwords With John The Ripper (p. 149) - Brahimi Zakaria
THC-Hydra Network Logon Cracker (p. 165) - Sam Vega
Password Cracking: Pentesting With Hydra (p. 175) - Saad Faruque
Attacking Passwords With Kali Linux (p. 191) - Kevin Vaccaro
Reverse Engineering And Password Breaking (p. 200) - Jan Kopia

Programming for Hackers

Ransomware and Python: Allies or Enemies? (p. 219) - Adrian Rodriguez Garcia
Build Your Own NIDS With Scapy (p. 239) - Hadi Assalem
Python For IoT: Make Your Own Botnet And Have Fun With The MQTT Protocol (p. 279) - Adrian Rodriguez Garcia
Power Of Python (p. 305) - Omar Ahmed
Power Of Scapy (p. 321) - Omar Ahmed

Various

Analysis of Linux Malware Tsunami Using Limon (p. 341) - Monnappa K A
Metasploit With XSS (Cross Site Scripting) (p. 355) - Pprasoon Nigam
Building A Hacking Kit With Raspberry Pi And Kali Linux (p. 386) - Thauã C. Santos, Renato B. Borbolla & Deivison P. Franco
Mobile and Wireless Hacking

Android Hacking: Dissection of Android Apps
Samrat Das
ABOUT THE AUTHOR

Samrat Das is a security researcher currently working for Deloitte, India as a Cyber-Security Consultant. His interests include penetration testing, reverse engineering/malware analysis and secure coding. He can be reached at [email protected], on Twitter as @Samrat_Das93, or via his LinkedIn profile: https://in.linkedin.com/in/samrat18

Android Hacking: Dissection Of Android Apps

Android holds the largest share of the mobile market: recent statistics put over 80% of devices sold at the time of writing on Android. As sales and usage grow, so do the security risks that come with them.

Mobile penetration testing and security auditing is a vast domain in itself. Here I cover one small facet of it, for readers who want to see how reverse engineering and Android application security assessment fit together.

Some of the topics presented in this paper include:

• What is Dalvik Virtual Machine? | DVM vs JVM

• What is an apk file?

• Tools of the trade

• Android reverse engineering steps

• Anatomy of Apk

• Various components of Android

• Demo step by step

• Detecting Backdoors in Android App

• Diving into Appuse

• Creating infected version of the apps

• Useful Hacking Tools

• Anti-reverse engineering protection for Android

What is an apk file?

An APK is a ZIP archive laid out like a JAR file: the program is compiled and everything it needs is packed into a single file. An APK therefore contains the application's code (one or more classes*.dex files), its resources (res/ and resources.arsc), any native libraries (lib/), the AndroidManifest.xml in binary XML form, and the signing material under META-INF/, all of which we can unpack and reverse-engineer. Because the package is signed, changing any byte invalidates the signature, so a modified APK has to be re-signed before it will install.


What is the Dalvik Virtual Machine?

As javatpoint.com puts it, the Dalvik Virtual Machine (DVM) is the Android virtual machine optimized for mobile devices: it is tuned for low memory, battery life and performance. Dalvik was written by Dan Bornstein.

The dx compiler converts the Java class files into a .dex file that runs on the Dalvik VM; multiple class files are merged into one dex file. Dalvik was replaced by ART from Android 5.0, but ART consumes the same .dex format, so everything below about reversing dex code applies unchanged.
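The two sections above describe the APK container and the dex files inside it. As an added example (not code from the article or from any Android tool), the Python script below treats an APK as the ZIP it is, lists what a reverser looks for first, and validates each DEX header's magic, Adler-32 checksum and SHA-1 signature before the file is handed to a decompiler. The APK and DEX images it inspects are constructed inline with dummy contents (only the entry names and the header magics are real), so it runs offline; on a real APK you would pass the file's bytes to inspect_apk instead.

```python
"""Inspect an APK with the standard library only: an APK is a ZIP in JAR layout,
and every DEX inside it carries a checksummed, hashed header we can verify."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70  # fixed header size for dex version 035


def build_dex(payload: bytes = b"") -> bytes:
    """Build a minimal, internally consistent DEX image (constructed for this example).
    Layout: magic (0), adler32 checksum (8), SHA-1 signature (12), file_size (32),
    header_size (36), endian_tag (40); the rest of the header is left zeroed."""
    body = bytearray(DEX_HEADER_SIZE) + payload
    body[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", body, 32, len(body))        # file_size
    struct.pack_into("<I", body, 36, DEX_HEADER_SIZE)  # header_size
    struct.pack_into("<I", body, 40, 0x12345678)       # endian_tag: little-endian
    body[12:32] = hashlib.sha1(body[32:]).digest()     # signature covers everything after itself
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)  # checksum covers signature onwards
    return bytes(body)


def check_dex(data: bytes) -> dict:
    """Parse and verify the DEX header fields that a tampered or truncated file gets wrong."""
    if len(data) < DEX_HEADER_SIZE or data[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    version = data[4:7].decode("ascii")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "version": version,
        "checksum_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
        "size_ok": file_size == len(data) and header_size == DEX_HEADER_SIZE,
        "little_endian": endian_tag == 0x12345678,
    }


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: real entry names, dummy contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 28)  # binary XML chunk header
        z.writestr("classes.dex", build_dex(b"\x00" * 16))
        z.writestr("classes2.dex", build_dex(b"\x00" * 8))
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")                    # resource table chunk header
        z.writestr("res/layout/activity_main.xml", b"\x03\x00\x08\x00")
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")                          # start of the DER PKCS#7 blob
    return buf.getvalue()


def inspect_apk(apk_bytes: bytes) -> dict:
    """Summarise what a reverse engineer looks for first: code, manifest, natives, signature."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_names = sorted(n for n in names if n.endswith(".dex") and "/" not in n)
        return {
            "dex": {n: check_dex(z.read(n)) for n in dex_names},
            "manifest_is_binary_xml": z.read("AndroidManifest.xml")[:4] == b"\x03\x00\x08\x00",
            "native_libs": sorted(n for n in names if n.startswith("lib/") and n.endswith(".so")),
            "v1_signature_files": sorted(n for n in names if n.startswith("META-INF/")),
        }


if __name__ == "__main__":
    for name, dex in inspect_apk(build_sample_apk())["dex"].items():
        print(name, dex)
```

A real APK's manifest is binary XML, which is why the check above looks for the chunk header rather than a text `<manifest>` tag; tools such as apktool decode it back to text. The checksum and signature checks matter when you receive an APK from an untrusted source: a dex whose header does not verify has been edited or corrupted after it was built.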

Image source: http://www.javatpoint.com/dalvik-virtual-machine

Difference between DVM and JVM (Java Virtual Machine)

The subject can be discussed at length, but in short: the JVM is a stack-based machine that executes Java bytecode from .class files and was designed for desktops and servers.

The DVM is a register-based machine that executes its own, more compact bytecode (dex) designed for devices with limited memory and CPU. The register-based design needs fewer instructions per operation, and all classes of an app are packed into one dex file with shared constant pools, which is why its opcodes differ from the JVM's.

Tools we will need:

The best resource for Android reverse engineering is AppUse, a VM built for in-depth security assessments of Android applications. It bundles all the tools and automates much of the effort that would otherwise be done by hand.

Android Mobile App Pentesting
Atul Singh
ABOUT THE AUTHOR

Atul Singh has been working as a Security Analyst for the last three years and is currently at Xento Systems. He is a young, passionate hacker who likes to share everything he knows; his main interests are web and mobile penetration testing. He is a corporate trainer, speaker and bug hunter, and part of SAM Offensive Technologies, Hackers Day and the National Information Security Summit.

Android Mobile App Pentesting

Introduction: Mobile application pentesting is a security testing need that has gained attention with the arrival of the Android, iPhone and iPad platforms, among others. Android has the largest installed base of any mobile platform and is growing fast, every day, and for several reasons it is becoming the most widespread operating system in this space.

Security has not kept pace: comparatively little is published about the vulnerability classes that lead to weak code on this platform, even though its attack surface is large. After web applications, mobile applications are the next major concern for penetration testing. Let's start with some basics.

Understanding the Android Operating System: below is the basic architecture of an Android device; some of the components may already be familiar.

Let's start from the bottom:

● Linux Kernel: the kernel is the base of the mobile computing environment and provides Android with several key security features:

o A user-based permissions model (each app runs under its own UID)

o Process isolation

o An extensible mechanism for secure IPC (Binder)

o The ability to remove unnecessary and potentially insecure parts of the kernel

● Hardware Abstraction Layer: provides standard interfaces through which the framework reaches the device hardware (Bluetooth, audio, camera and radio are examples) without applications talking to drivers directly.

On top of the Hardware Abstraction Layer sits a layer of native libraries, written in C and C++; the most important are:

o Surface Manager: composes application windows onto the screen

o Media Framework: codecs for playback and recording of audio and video

o SQLite: a lightweight relational database engine used by apps for local storage (and a frequent place to find sensitive data on a pentest)

o WebKit: the browser rendering engine used by WebView

o OpenGL ES: renders 2D and 3D content on the screen

➡ Dalvik Virtual Machine: designed by the Android Open Source Project to execute applications written for Android. Each app runs in its own process with its own instance of the VM.

➡ Android Runtime (ART): the replacement for Dalvik, shipped as an experimental option in Android 4.4 and the only runtime from Android 5.0 (Lollipop). The major change is ahead-of-time (AOT) compilation together with an improved garbage collector: ART compiles an app to native code when the user installs it, whereas Dalvik used just-in-time (JIT) compilation of bytecode when the app runs. The layers above the runtime, the application framework and the applications themselves, are the same in both cases.

IMSI Catching Over WIFI Networks: Exposing WIFI-Offloading
Loay Abdelrazek
ABOUT THE AUTHOR

Loay Abdelrazek has been in the security field for more than three years. He is a security researcher and enthusiast focusing on telecom security, aiming to provide practical solutions that help the telecom sector further secure its infrastructure, whether at the user-equipment, access, core or interconnect layers. He is also interested in open source security solutions.

IMSI Catching Over WIFI Networks: Exposing WIFI-Offloading

Introduction

IMSI (International Mobile Subscriber Identity) catchers are well known in GSM/3G mobile networks as rogue base stations that intercept and eavesdrop on mobile traffic and track users, a form of man-in-the-middle attack. The same attack applies to Wi-Fi networks.

Wi-Fi access authenticated with the subscriber's 2G-4G credentials, better known as Wi-Fi offloading, has been adopted by mobile operators for several years to relieve congested mobile data networks with additional capacity from the unlicensed Wi-Fi spectrum.

The offloading architecture relies heavily on the operator's infrastructure: users are authenticated with their SIM/USIM cards through the standard 3GPP authentication mechanism.

It consists of the wireless access point the user attaches to and the operator's core, which handles authentication through an EAP-capable AAA server connected to the Home Location Register (HLR, the operator's database of every authorized subscriber), a WLAN Controller (WLC) that acts as DHCP server and leases IP addresses, and the GGSN (Gateway GPRS Support Node) that acts as the gateway to the internet. The diagram below shows how much Wi-Fi offloading depends on the same core nodes as 3G/4G.

Fig 1. WiFi offloading Architecture

Traffic Flow

The sequence for a user equipment (UE) joining an operator Wi-Fi network is:

1. The subscriber associates to the SSID.

2. 802.1X EAP-SIM/AKA request to the AP.

3. The WLC sends a RADIUS Access-Request to the AAA server.

4. The AAA server checks the SIM credentials against the HLR using MAP over the SS7 network.

5. After successful authentication, the WLC leases an IP address to the subscriber.

6. Subscriber traffic is now directed to the GGSN for internet access.

WIFI offloading Authentication Vulnerability

EAP (Extensible Authentication Protocol) is an authentication framework, carried over RADIUS between the authenticator and the AAA server, on which specific authentication methods are defined. EAP-SIM and EAP-AKA are two such methods and are commonly used in operator WLANs.

EAP-SIM/AKA are designed for use with the existing GSM/3GPP authentication systems (AuC, HLR/HSS) and SIM/USIM cards; they let WLAN users authenticate to a wireless network with their mobile SIM credentials.

Fig 2. High Level Authentication Procedure (Source: Cisco Networks)

The figure above gives an overview of the authentication procedure. The UE communicates with an EAP server located on the AAA server.

The first EAP request issued by the authenticator is EAP-Request/Identity. On full authentication, the UE's EAP-Response/Identity carries its permanent identity, which contains the IMSI. This exchange happens before any key material exists, so the identity travels in cleartext: anything that advertises the operator's SSID, including a rogue access point with no link to the operator's core, can issue the request and collect the IMSI. RFC 4186/4187 define pseudonym and fast re-authentication identities precisely to limit this exposure, but a client that holds no pseudonym, or that is asked by the server for its permanent identity, falls back to sending the IMSI.

GSM subscribers are identified by the IMSI, a string of at most 15 digits: a three-digit Mobile Country Code (MCC), a two- or three-digit Mobile Network Code (MNC), and a Mobile Subscriber Identification Number (MSIN) of at most 10 digits.
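The packet a Wi-Fi IMSI catcher is after is the EAP-Response/Identity described above. As an added example (not code from the article), the Python below builds and decodes that packet using the EAP header layout from RFC 3748, the identity prefixes from RFC 4186 (EAP-SIM) and RFC 4187 (EAP-AKA), and the 3GPP realm form wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org from TS 23.003 (MNC zero-padded to three digits in the realm). The realm is what lets the code settle whether the MNC has two or three digits. The identities it decodes are constructed test-network values (MCC 001), not real subscribers.

```python
"""Decode the EAP-Response/Identity a UE sends during EAP-SIM/EAP-AKA and pull the IMSI out of it."""
import struct
from typing import Optional

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# First character of the NAI username encodes the method and the identity kind
# (RFC 4186 section 4.2.1.2 for EAP-SIM, RFC 4187 section 4.1.1.2 for EAP-AKA).
IDENTITY_KINDS = {
    "1": ("EAP-SIM", "permanent"), "3": ("EAP-SIM", "pseudonym"), "5": ("EAP-SIM", "fast-reauth"),
    "0": ("EAP-AKA", "permanent"), "2": ("EAP-AKA", "pseudonym"), "4": ("EAP-AKA", "fast-reauth"),
}


def build_identity_response(identifier: int, nai: str) -> bytes:
    """EAP header (code, identifier, length, type) followed by the identity, as the UE sends it."""
    data = nai.encode("ascii")
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data), EAP_TYPE_IDENTITY) + data


def decode_imsi(imsi: str, realm: str) -> dict:
    """Split an IMSI into MCC/MNC/MSIN, using the realm to settle the 2- vs 3-digit MNC question."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 digits")
    labels = realm.split(".")
    realm_mnc = next((lab[3:] for lab in labels if lab.startswith("mnc")), None)
    realm_mcc = next((lab[3:] for lab in labels if lab.startswith("mcc")), None)
    mcc = imsi[:3]
    mnc: Optional[str] = None
    if realm_mnc is not None:
        if imsi[3:6] == realm_mnc:                                        # 3-digit MNC
            mnc = imsi[3:6]
        elif realm_mnc.startswith("0") and imsi[3:5] == realm_mnc[1:]:   # 2-digit MNC, zero-padded in realm
            mnc = imsi[3:5]
    return {
        "mcc": mcc,
        "mnc": mnc,                                   # None: the realm does not pin the MNC length
        "msin": imsi[3 + len(mnc):] if mnc else None,
        "realm_matches": mnc is not None and realm_mcc == mcc,
    }


def parse_identity_response(packet: bytes) -> dict:
    """Parse one EAP-Response/Identity; the IMSI is only present when the identity is permanent."""
    if len(packet) < 5:
        raise ValueError("truncated EAP packet")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY or length != len(packet):
        raise ValueError("not a well-formed EAP-Response/Identity")
    nai = packet[5:length].decode("ascii")
    username, _, realm = nai.partition("@")
    method, kind = IDENTITY_KINDS.get(username[:1], ("unknown", "unknown"))
    result = {"identifier": identifier, "nai": nai, "method": method, "identity_kind": kind, "imsi": None}
    if kind == "permanent":
        # Permanent identity = prefix digit + IMSI: this is the field a rogue AP harvests.
        result["imsi"] = decode_imsi(username[1:], realm)
    return result


if __name__ == "__main__":
    sample = build_identity_response(1, "1001010123456789@wlan.mnc001.mcc001.3gppnetwork.org")  # constructed
    print(parse_identity_response(sample))
```

A pseudonym or fast re-authentication identity parses without yielding an IMSI, which is the defensive point: a UE that always has a valid pseudonym never exposes its permanent identity to an access point, so the countermeasure to Wi-Fi IMSI catching is server-side pseudonym issuance and clients that refuse to fall back.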

New Hacking Era: Wireless Hacking By Drones
Carlos Manzo Trujillo
ABOUT THE AUTHOR

Carlos Manzo Trujillo grew up in Mexico City (welcome to the jungle, people) and attended the engineering faculty of the Universidad Nacional Autonoma de Mexico. He spent fifteen years working (slaving away) at different companies (such as SAMSUNG and MICROSOFT), where he received many top-performance awards. After moving to Sardinia, Italy (because he was in love with a gorgeous Italian girl), working briefly as a developer team leader for NAD (he had a cubicle) and as a consultant for the International Parliament for Safety and Peace, a non-profit group founded for the defense and protection of peace for all people of the world and the security of every nation (he didn't even have a cubicle), he (finally) finished his first IT article (which he had been writing in his "spare time" for the last three months). He currently lives in Sardinia (in the same town he got married in; how weird is that? nothing weird at all), where he now feels he fits in, with his lovely wife and young daughter.

New Hacking Era: Wireless Hacking By Drones

Drone Hack (Defensive)

The global market for commercial drones is projected to reach US$1.8 billion by 2020, driven by the growing use of unmanned aerial vehicles (UAVs) for high-risk tasks and the rise of drones-as-a-service (DaaS). Demand for better aerial imagery, remote sensing and air surveillance, together with advanced sensors, faster computing and better data processing, is pushing UAVs into commercial use, and maturing technology and falling prices are opening up applications such as:

• Precision agriculture

• Construction and inspection

• Public safety and FRO (First Responder Operations)

• Mapping and surveying

This is a guide written from the defender's side, using the Parrot Bebop drone: out of the box it offers no encryption or authentication on its WiFi link, which leaves it open to wireless hijacking. Remember that if the drone's firmware has been updated, some of this security behaviour may have changed.

In this guide I will disconnect the original user from the drone, which allows any other device to connect and control it. I will then connect to the drone from Kali Linux and download the video it has captured, show how to overwrite files on the drone, and finally connect over telnet and force a shutdown so that it drops from the sky.

FreeFlight Pro, the vendor's app, now flies the Parrot Bebop, Bebop 2 and Disco. On the attacking machine we need to execute these commands:

root@kali: # airmon-ng check kill

root@kali: # airmon-ng start [interface]

root@kali: # airmon-ng check

The first command stops NetworkManager and wpa_supplicant, which would otherwise pull the card out of monitor mode; the second creates the monitor interface (named [interface]mon on current Kali); the third confirms that no interfering process is left.

Start a capture file against the drone's access point:

root@kali: # airodump-ng -c [#] --bssid [AP MAC] -w [filelocation/name] [monitor interface]

Here -c is the drone's channel, --bssid is the MAC address of its access point, -w is the prefix for the capture files, and the interface is the monitor interface created above.

The Biggest Boogeyman Of Network Wireless
Fabrício Salomão and Rafael Capucho
ABOUT THE AUTHORS

Fabrício Salomão is an Information Security Consultant at CIPHER Intelligence LAB focused on penetration testing, vulnerability assessment and forensic analysis. He has worked in information security since 2012, giving training and lectures on ethical hacking. His skills span Linux/Windows, programming in Python/C, and developing algorithms to automate intrusion tests. He is the author of articles and tutorials on offensive techniques and computer forensics.

Rafael Capucho is an Information Security Consultant at CIPHER Intelligence LAB, a self-taught, independent researcher focusing on network security and systems intrusion testing, a pentester, and a CTF player in the off-season.

The Biggest Boogeyman Of Network Wireless

In the current landscape of cyber attacks, attacks on wireless networks are among the most common, simply because of the density of WiFi devices everywhere. Many attacks on WiFi networks have gained fame, but the one that really stands out is the Evil AP. It is performed mainly in public places such as malls, snack bars and coffee shops, which are perfect spots given the number of people passing through, many of whom use the internet for financial transactions or for personal information such as their social networks. Under the same attack scenario, corporations are affected as targets of attackers seeking to steal information (industrial espionage).

INTRODUCTION

An Evil AP (Evil Access Point) is a fake WiFi access point, without a password, set up to capture the traffic of anyone who connects to it. Using the KARMA technique, the attacker's access point answers the probe requests a device sends for the networks it remembers, so the victim's device, believing it has found a legitimate known network, connects automatically (whenever WiFi is switched on) and all of its traffic passes through the attacker, who can then run a variety of further attacks on the victim. Just as an Evil AP can be used by a black hat, it can be used by a white hat, for example in a black-box pentest, where the scope is not defined and creativity is needed to obtain good results.

FUNDAMENTALS

Being the victim's gateway during exploitation allows us to use a variety of techniques and tools, limited only by creativity. In this article we demonstrate a PoC (Proof of Concept) of some forms of exploitation, without going deeply into each attack. Among the techniques explored are session hijacking through JavaScript payloads with the BeEF tool, automated credential capture with the SSLstrip module, and traffic analysis with Wireshark. Bear in mind that HSTS and the general move to TLS have blunted SSLstrip considerably since these tools were written; it only works against sites the browser is still willing to load over plain HTTP.

CONCEPTS

MANA is SensePost's set of modifications to hostapd that improve on the KARMA attack, bundled with useful configurations for conducting man-in-the-middle (MiTM) once a victim connects. Modern clients no longer probe for every remembered network, so MANA adds a "loud" mode that rebroadcasts every SSID it has observed from any client, raising the chance that a device recognises one. The toolkit is essentially a set of scripts that call the various tools, automating attacks on wireless networks such as sniffing, MiTM, session hijacking and reverse connection, among many others.

TOOLS REQUIRED

To execute the attack we need a dedicated wireless interface and the following:

• Mana-toolkit.

• Network adapter (TP-LINK TL-WN722N with Atheros AR9271 chipset, which supports AP mode and injection).

• Internet link.

INSTALLATION

Mana-toolkit can be installed from the Kali Linux repositories:

# apt-get install mana-toolkit

Or from GitHub:

# git clone --depth 1 https://github.com/sensepost/mana

# cd mana

# git submodule init

# git submodule update

# make

# make install

MANA'S CONFIGURATION

Before starting the attack we need to know MANA's features and configuration. The directory /usr/share/mana-toolkit/run-mana holds the start scripts for the different modes of operation; the main ones are:

• start-nat-full.sh - MANA works in NAT mode, making the attacker the gateway of the wireless network, with all available features activated.

• start-nat-simple.sh - NAT mode only, without activating the extra features.

• start-noupstream.sh - no internet upstream; MANA starts a captive portal and redirects all connections to it.

• start-noupstream-eap.sh - MANA simulates a rogue EAP server, used to capture enterprise (802.1X) credentials.

Before first use, the settings inside each script must be adjusted. Check these variables:

upstream - the interface with the internet connection (the outbound side of the NAT).

phy - the wireless interface that will host the rogue AP.

conf - location of the hostapd configuration file that runs the rogue AP.

WiFi Hacking
Pprasoon Nigam
ABOUT THE AUTHOR

Pprasoon Nigam has worked as a Security Consultant for the past few years in several large organizations, performing VAPT of web applications, mobile applications and networks. He has been recognized as an "Ethical Hacker" and has also worked on countermeasures against hacking for the last few years, making people aware of how attacks happen.

WiFi Hacking

WiFi hacking has always been a hot topic for hackers (security testers) and technical people, so let's start by gaining a little knowledge about it.

What is Wi-Fi?

Wi-Fi is a technology for wireless local area networking between devices based on the IEEE 802.11 family of standards. 802.11 is the standard, not a radio frequency: the first version was published in 1997 by the IEEE 802.11 committee, which Vic Hayes chaired. Wi-Fi is a trademark of the Wi-Fi Alliance, which restricts the use of the term Wi-Fi Certified to products that successfully complete its interoperability certification testing.

Devices that use Wi-Fi include personal computers, video-game consoles, smartphones, digital cameras, tablets, digital audio players and modern printers. Wi-Fi compatible devices connect to the Internet through a WLAN and a wireless access point.

What is WiFi hacking?

Cracking a wireless network means defeating the security of a wireless local-area network (WLAN). Because the medium is shared radio, WLANs are exposed to passive capture, frame injection and rogue access points, attacks from which a wired network is largely exempt.

Cracking is a form of network attack akin to a direct intrusion. There are two basic classes of WLAN weakness: those caused by poor configuration and those caused by weak encryption.

Wireless Security Protocols: WEP, WPA and WPA2

Wireless security protocols were developed to protect wireless networks. They include:

• WEP

• WPA

• WPA2

each with its own strengths and weaknesses. (WPA3, announced in 2018, is not covered here.)

Wired Equivalent Privacy (WEP):

This is the original encryption protocol developed for 802.11 networks. As its name implies, WEP was meant to provide the same level of privacy as a wired link. It has well-known flaws in its use of RC4 and its 24-bit initialization vector, is awkward to configure, and can be broken in minutes with freely available tools.

Wi-Fi Protected Access (WPA):

It was introduced as an interim enhancement over WEP while the 802.11i wireless security standard was being developed. Most WPA deployments use a preshared key (PSK), commonly referred to as WPA Personal, with the Temporal Key Integrity Protocol (TKIP, pronounced tee-kip) for encryption. WPA Enterprise uses an 802.1X authentication server to authenticate each user and derive per-session keys.

Wi-Fi Protected Access version 2 (WPA2):

This protocol is based on the 802.11i standard, finalized in 2004. The most significant enhancement of WPA2 over WPA is CCMP, an encryption mode built on the Advanced Encryption Standard (AES), replacing TKIP. AES is approved by the U.S. government for classified information up to Top Secret, so the cipher is not the weak point; in WPA2 Personal the weak point is the passphrase, because a captured four-way handshake lets an attacker test guesses offline.

About 802.11i

802.11i is a standard for wireless local area networks (WLANs) that provides improved encryption for networks using the popular 802.11a, 802.11b and 802.11g standards. It defines two key protocols: TKIP, for legacy hardware, and CCMP, based on AES. The 802.11i standard was officially ratified by the IEEE in June 2004 and thereby became part of the 802.11 family of wireless network specifications.

Security Modes of Routers

Security mode                              Rank                          Key length
WEP (Wired Equivalent Privacy)             Basic                         40/64-bit: 10 hex characters; 104/128-bit: 26 hex characters
WPA Personal (Wi-Fi Protected Access)      Strong                        8-63 characters
WPA2 Personal (Wi-Fi Protected Access 2)   Strongest                     8-63 characters
WPA2/WPA Mixed Mode                        WPA2: Strongest; WPA: Strong  8-63 characters

Security Issues:

• Weak passphrase (dictionary or brute-force attack on a captured WPA/WPA2 handshake)

• WPA packet spoofing and decryption (TKIP weaknesses)

• WPS PIN recovery (the 8-digit PIN is verified in two halves, which cuts the search to about 11,000 attempts)
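The table's "8-63 characters" and the "weak passphrase" issue are two sides of the same fact: in WPA/WPA2 Personal the pairwise master key is derived from the passphrase and SSID by PBKDF2-HMAC-SHA1 with 4096 iterations (IEEE 802.11i), and a captured four-way handshake lets anyone run that derivation offline against a wordlist. As an added example (not code from the article), the Python below validates key syntax for each mode in the table, derives the PMK, and runs a dictionary attack against it; the wordlist is a constructed sample, and the passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector.

```python
"""WPA/WPA2-Personal key derivation and why passphrase strength is the whole game."""
import hashlib
import string
from typing import Iterable, Optional

HEX = set(string.hexdigits)


def validate_key(mode: str, key: str) -> bool:
    """Key syntax for the router security modes in the table above."""
    if mode == "wep":
        # 40/64-bit keys are 10 hex digits, 104/128-bit keys are 26 hex digits
        return len(key) in (10, 26) and set(key) <= HEX
    if mode in ("wpa", "wpa2"):
        if len(key) == 64 and set(key) <= HEX:
            return True  # 64 hex digits is a raw PMK, accepted by most firmware
        return 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key)
    raise ValueError(f"unknown mode {mode!r}")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK as defined in IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    if len(passphrase) == 64 or not validate_key("wpa2", passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(target_pmk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline guess of the passphrase behind a known PMK. This is exactly what a cracker does
    with a captured handshake, except it compares the handshake MIC rather than the PMK itself.
    Candidates that are not valid passphrases are skipped rather than tried."""
    for candidate in candidates:
        if len(candidate) == 64 or not validate_key("wpa2", candidate):
            continue
        if derive_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")          # 802.11i Annex test vector
    wordlist = ["letmein", "Password1", "password", "qwerty12"]  # constructed sample wordlist
    print(pmk.hex())
    print(dictionary_attack(pmk, "IEEE", wordlist))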

Hidden APK
Milan Oulehla

ABOUT THE AUTHOR

Milan Oulehla is a Ph.D. student (distance form of study, Faculty of Applied Informatics, Tomas Bata University in Zlín) and a member of the mobile security section: http://ptlab.fai.utb.cz/oulehla/

Hidden APK

Introduction

Mobile devices such as smartphones, tablets and wearables (e.g. smartwatches) have become a common part of our society. Facebook illustrates this: in Q4 2015 it had 51.7% mobile-only users, and the trend keeps growing [1]. There are three main mobile operating systems: Android, developed by Google Inc., Apple's iOS, and Windows Phone (the last version was renamed Windows 10 Mobile). Android dominates the market with an 82.8% share (Q2 2015) [2], which makes it the most widespread mobile operating system in the world. This popularity is double-edged, attracting both users and malware authors, and it results in a large number of malicious Android applications. That is why this article deals with one kind of APK infection: the hidden APK on the Android platform.

Theoretical Background

A few essential terms used in hidden APK development are explained first; they make the techniques described in this paper easier to follow. A Hidden APK is a malicious piece of software that provides the user with no useful functionality and therefore must camouflage its presence on the mobile device. Such malware typically uses a BroadcastReceiver for its harmful work. Another important term is the Activity class, defined on the official Android website as follows: "An Activity represents a single screen with a user interface. For example, an email app might have one activity that shows a list of new emails, another activity to compose an email and another activity for reading them. Although the activities work together to form a cohesive user experience in the email app, each one is independent of the others. As such, a different app can start any one of these activities (if the email app allows it). For example, a camera app can start the activity in the email app that composes new mail, in order for the user to share a picture" [3]. In other words, an activity is both the graphical user interface and the application logic of one screen. How the GUI of a particular activity looks is defined in an XML layout file stored in the …/res/layout directory.

Next, the BroadcastReceiver, defined as: "A broadcast receiver is a component that responds to system-wide broadcast announcements. Many broadcasts originate from the system; for example, a broadcast announcing that the screen has turned off, the battery is low, or a picture was captured. Apps can also initiate broadcasts, for example, to let other apps know that some data has been downloaded to the device and is available for them to use. Although broadcast receivers don't display a user interface, they may create a status bar notification to alert the user when a broadcast event occurs" [3]. A BroadcastReceiver is a class with no GUI; it runs silently in the background and, above all, it can process system broadcasts. These features make the BroadcastReceiver especially popular with malware writers.

Brief history of Hidden APK

The first hidden APKs were malicious applications with all of their logic implemented in a BroadcastReceiver. They had no Activity or any other GUI component; some programmers and security researchers called them 'Evil Applications' (http://stackoverflow.com/questions/22318161/start-application-without-activity-my-broadcast-receiver-not-work). It was the golden age of mobile malware, because the operating system did most of the work for the author: there was no need to handle automatic start-up after boot, nor to write a monitoring loop waiting for an event such as an incoming SMS or the device joining Wi-Fi; the receiver was simply invoked by the system. Users, on the other hand, had little chance of noticing that an Evil Application was on their phone. Such hidden APKs worked up to the last version of Android Gingerbread (2.3).

Because hidden-APK malware had become a serious problem, Google introduced a countermeasure in Android 3.1 (Honeycomb) that is still in force: a newly installed application is in a "stopped" state and receives no broadcasts until the user has launched one of its components, which in practice means an Activity. So an application that wants to do something in the background through a BroadcastReceiver, using permissions such as reading SMS or recording audio, must have an Activity, and that visible part gives the user a chance to realize that something is wrong.

If you build an old-style hidden APK you can still install it on newer versions of Android: it installs and runs, but it never receives system broadcasts, so the malware does nothing. The next part of the article deals with bypassing this security mechanism. Please be aware of the following:

• This tutorial was written for Android Studio 2.0, the official IDE for Android app development and the newest version at the time of writing. Android Studio 2.0 generates slightly different files and project structure from earlier versions, so if you want to build a hidden APK with an older version you may still succeed, but it takes extra effort and you will have to adapt the techniques described here. For example, some older versions require the Activity to extend Activity rather than AppCompatActivity (otherwise the hidden APK crashes). The principle, however, is the same.

• We are going to create a draft of a hidden APK, because building an actual piece of malware is a complicated process beyond the scope of this article.

• Lastly, please do not use the described techniques to commit cyber-crime. On the contrary, this paper tries to shed light on the techniques that enable hidden-APK malware and so improve security in this field.

Development of modern Hidden APK malware based on BroadcastReceiver

As noted above, an Activity is now effectively mandatory, so if we want to develop BroadcastReceiver-based malware we have to use techniques that mask the Activity. In this tutorial we do not apply the process in one go but step by step, which makes the interaction between our code and the operating system's response easier to understand and lets you follow the gradual process a malware author goes through.

First, create a new Android Studio project containing an application named 'Z' (the reason for this name is explained later). Call the Activity 'MainActivity' and the layout 'activity_main'; both are the default values. Once Android Studio has generated the project, the application structure is ready and we can try to run it.

Note: All screenshots come from a real physical device, an HTC One M8 running Android Lollipop. A white wallpaper was used so that the elements of the user interface are clearly visible.

The first run of the application is shown in the figure below:

Figure 1 The first run of the application

As you can see, the application is fully visible and has no functionality, so we will start by modifying …/res/values/

Password Cracking

Cracking Passwords With John The Ripper
Brahimi Zakaria
ABOUT THE AUTHOR

Brahimi Zakaria
IT Risk Specialist

[email protected]

Having always been passionate about computer security, I chose it as a specialty for my graduate studies.

I am currently responsible for IT risks in the subsidiary Société Générale Algérie, where I am mainly responsible for
supporting the business lines and IT in the integration of security within their projects by providing SSI expertise
(risk analysis, risk management plan, control of the implementation of security measures, etc.). My areas of expertise:

• Security audit and penetration testing;

• IT risk analysis;

• Code review;

• Digital investigation.

I. Projects

The projects carried out during my career are all about computer security:

• Securing a vulnerable web application

• Realization of an automated malware analysis framework

• Realization of a file system supervision tool

II. Publication

A Scalable Malware Classification Based on Integrated Static and Dynamic Features
(https://link.springer.com/chapter/10.1007/978-3-319-51064-4_10)

III. Conference

Awareness of OWASP TOP 10

IV. Blog

https://brahimizakaria.blogspot.com

V. Linkedin

https://www.linkedin.com/in/zakaria-brahimi/

Cracking Passwords With John The Ripper

Introduction
Often in computing you have to choose a password to secure something or to identify yourself. From that point the
headache begins: finding a password that you will remember and that is, at the same time, complicated enough to be
secure. This is where password generating tools come in. These tools are fully parameterizable and produce completely
random passwords, which makes them far more resistant to cracking attempts.

Demonstration
1. Installation and test of the password generator 'PWGEN'

PWGEN is available on most GNU / Linux distributions from official repositories. On a Debian-based Linux operating
system you can install it easily with the following command:

sudo apt-get install pwgen

The command obviously requires the rights of the superuser. We will proceed as follows:

A basic use of the pwgen utility would be to run it by typing the pwgen command without any options as follows:


The command returns 160 passwords of 8 characters each, made up of lowercase letters, uppercase letters and digits.

It is possible to completely customize the passwords to be generated by giving the desired options to the pwgen
command. To do this, refer to the manual by typing : 

man pwgen

2. Generation of customizable password with the tool 'PWGEN'

Refer to the following command output :

Referring to the manual, the last command is interpreted as follows:

• Generate a single password that is completely random and difficult to remember, contains at least one special
character and is 25 characters long. This corresponds exactly to the result shown in the figure above.

• Refer to the following Bash script 'change_pass.sh':
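The password pwgen produced above (25 characters, fully random, at least one symbol, which is what its -s and -y options enforce) can be generated the same way from Python's standard library. The following block is an added example, not part of the original article or of pwgen: the symbol set and the "one character of each class" policy are assumptions that stand in for pwgen's defaults.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
# Assumption: ASCII punctuation without quotes, backslash and backtick, which are
# the characters most likely to be mangled when a password is pasted into a shell.
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def meets_policy(password: str, require_symbol: bool = True) -> bool:
    """Policy assumed here: at least one lowercase letter, one uppercase letter,
    one digit and, if require_symbol, one symbol. This is what pwgen's -c, -n
    and -y options enforce."""
    classes = [LOWER, UPPER, DIGITS] + ([SYMBOLS] if require_symbol else [])
    return all(any(ch in cls for ch in password) for cls in classes)


def generate_password(length: int = 25, require_symbol: bool = True) -> str:
    """Draw every character independently from the OS CSPRNG (the secrets
    module, never random.choice), then reject and retry until the policy holds.
    Rejection sampling keeps the result uniform over the accepted passwords;
    patching a failed candidate by appending a symbol would create a
    predictable structure that a cracker can exploit."""
    if length < 4:
        raise ValueError("length must leave room for one character of each class")
    alphabet = LOWER + UPPER + DIGITS + (SYMBOLS if require_symbol else "")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, require_symbol):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random password: log2(alphabet_size ** length).
    The policy rejects a tiny fraction of candidates, so the true figure is a
    hair below this bound."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    full = len(LOWER + UPPER + DIGITS + SYMBOLS)
    print(generate_password(25), f"~{entropy_bits(25, full):.0f} bits")
```

An 8-character password over the 62 alphanumerics is only about 48 bits; the 25-character password from the article is well beyond what any online or offline attack in this issue can reach, which is the point of generating it instead of inventing it.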

THC-Hydra Network Logon Cracker

Sam Vega
ABOUT THE AUTHOR

Sam Vega
Sam has been fiddling with computers for over 20 years but has been officially an IT professional since 2008. Currently a
Senior Technical Systems Analyst for a nationally recognized hospital, working in the capacity of a Senior Desktop
Engineer. He holds current industry standard certifications such as ISACA, Microsoft, Apple, Oracle, CompTIA, Tenable,
Offensive Security, and eLearnSecurity. He enjoys writing & reverse engineering code, analyzing malware, performing PoCs
and figuring out complex problems. His mindset is defender by day and attacker by night. So that makes him part of the
Purple Team by design and a lover of all things infosec by nature.

THC-Hydra Network Logon Cracker

This article will be based on a 'very fast network logon cracker' as quoted on tools.kali.org, hence the title of this
article. The description of the tool from the same web page:

"Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new
modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it
would be to gain unauthorized access to a system remotely.

It supports: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST,
HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener,
Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum,
SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and
XMPP."

This tool is already installed in the Kali 2016.2 release, as well as previous Kali builds. You will find the tool under
Password Attacks > Online Attacks. Below is a screenshot of the CLI tool "hydra" when launched via the Kali
Applications menu or via terminal by typing "hydra" or "hydra -h".


There also is a GUI version of the tool. It's located in the same sub-menu as Hydra but the GUI version is called
"hydra-gtk". See screenshot below.

Other methods to access help for Hydra:

Password Cracking: Pentesting With Hydra
Saad Faruque
ABOUT THE AUTHOR

Saad Faruque
I started working as a systems administrator at an ISP back in 2000. What drew me to it was my curiosity about computer
systems and networks in my teens; my passion for solving problems and designing new systems helped me fit in. Over the
years I have worked for various industries as systems manager, solution developer and infrastructure consultant. IT
security has always been an integral part of my role and is an area I have always taken great interest in. Through the
lens of security, you come to better understand how systems work, how to integrate them better, make them resilient and
fix them as needed.

Over the years I have become proficient in various operating systems, storage systems, databases, virtualization,
Internet services and firewalls. I am skilled in various communication technologies such as data over satellite links,
wireless, LAN, WAN, server technologies, power systems and more. Presently I am working as an independent consultant,
helping organizations with security analyses and with ISMS implementation.

Vendor certifications: MCSE, RHCE, CCNA, CEH, ECSAv9, CHFI

[email protected] or http://tektab.com

Password Cracking: Pentesting With Hydra

1. What is password cracking penetration testing?

In this article we cover the weakness of single factor authentication, how to check for the vulnerability, and how to
perform an active online password attack (over the network) using a wordlist/dictionary file. We also help you
understand how to design policies, standards and controls that can withstand such an attack.

1.1. Single factor authentication (SFA) vs Multi factor authentication (MFA)

A password is the usual protection against unauthorized access to digital resources. With single factor authentication
(SFA), the party being identified gains access through one category of credential only (here, an ASCII password).
Multi factor authentication (MFA) requires at least one additional credential from a different category: besides
something you know (a username and password), something you have (e.g. a smart card) or something you are (e.g. a
fingerprint). In this article we focus on password cracking tests against a single factor authentication system.

1.2. The two main password attack techniques are:

Dictionary attack: assuming the password is based on dictionary words or is a commonly used password, a dictionary or
wordlist file containing such words is loaded into the cracking tool and each entry is tried against the target.

Brute force attack: every combination of characters is tried until the password is found; for example, you may tell the
tool to attack passwords of up to 8 characters, and it will try every permutation of 1 to 8 characters until one works.

Combinations of these techniques are used when the attacker has some additional information about the password (e.g.
hybrid attack, syllable attack, rule-based attack).

1.3. Type of password attacks:

There are two main types of attack, one over the network and one offline.

Online attack: the attacker has network access to the target's login service and attempts to log in, usually with a
software tool and over a period of time, using either the brute force or the dictionary technique. Every attempt hits
the live service, so the attack is noisy, and it is exactly what account lockout and rate limiting are meant to stop.

Offline attack: the attacker has already obtained the password hashes (from a database dump, a copied SAM or shadow
file, or a captured authentication exchange) and recovers the passwords from them with automated tools: brute force,
dictionary attacks, pre-computed hashes, rainbow tables, etc. The hashes are not decrypted; candidate passwords are
hashed and compared against them.


2. Online Password attack using Hydra

In this article, we shall be using Hydra as a password attack tool and run a dictionary based password attack over the
network (online attack). Hydra supports online password cracking against 40+ services. Type hydra on your Kali
Linux terminal to see the list of supported services on your installation.

Figure 1: Supported services in hydra

We shall demonstrate the password attack against following services:

1. Remote desktop protocol (rdp) running on the Windows 7 machine.

2. Windows file and printer sharing protocol (smb) running on the Windows 7 machine.

3. File transfer protocol (FTP) running on the Debian machine.

4. Secure shell protocol (ssh) running on the Debian machine.

In this test, we shall be using a dictionary/wordlist file found in Kali named fasttrack.txt. As we know the content of
the file, we shall be using one of those words as a password for the accounts we target. The user name is known by the
attacker.

3. Setting up your lab environment for password cracking pen testing:

A step by step guide for setting up the virtual machines for this lab environment is beyond the scope of this article. In
this section, we cover a high level lab setup guide with the topology.

We are assuming you have the skill sets to set up virtualbox or any vm environment for Kali Linux, Windows 7,
Ubuntu or you have access to a virtual lab or access to a physical machine for such an environment.

This lab environment has been set up on a Windows 10 host machine with 8GB of RAM. The virtual environment is
running on VirtualBox environment (https://www.virtualbox.org/wiki/Downloads). You may set up this environment
on a different host OS, such as a different version of Windows or OS X, Linux distributions and Solaris.

Once the virtualbox installation is completed, you are ready to set up the services that we shall be demonstrating the
password cracking penetration test against.

This lab includes the following machines with the IP address and links to download the VirtualBox image:

Attacking Passwords With Kali Linux
Kevin Vaccaro
ABOUT THE AUTHOR

Kevin Vaccaro
I am a full-time professor at a community college as well as an adjunct faculty member at several different
universities, teaching both undergraduate and graduate courses in Computer Security. Prior to teaching, I spent 20+
years in IT. Currently, I hold several industry certifications including CompTIA, SANS, ISC2 CISSP, and Linux. I enjoy
bringing new ideas and methods into the classroom for my students' career advancement.

Attacking Passwords With Kali Linux

Introduction:

Kali Linux has several tools that can be used when attempting to attack passwords. Depending on the type of attack
you wish to perform, there are different tools to fit the need. In this article, we will cover how passwords are stored, the
methodology to attack a password, and finally the tools that can be used.

Passwords:

Whether on Linux or Windows, passwords are not stored in the clear but as hashes. A hash is a one-way function: unlike
encryption, there is no key that turns the hash back into the password, so an attacker has to guess candidate
passwords, hash each one and compare. The main difference between Linux and Windows is "salting": Linux mixes random
data (the salt, stored alongside the hash) into each hash calculation, while the NT hashes that Windows keeps in the
SAM are unsalted. Salting defeats the attacks that rely on precomputation, as described below.

Attack Methods:

There are several methods that can be used when attacking passwords. The first is "password guessing": if you can
guess a person's password from what you know about them, that is the easiest method. The second is a "dictionary"
attack: each word in a wordlist is hashed and compared against the stored password hashes. Salting does not stop this
attack by itself, because the salt is stored next to the hash and the attacker simply hashes every candidate with it;
what the salt does is force that work to be repeated for every hash instead of once for the whole database. The third
is "brute force": trying every combination of characters up to some length. Brute force will eventually break any
password; it is just a matter of time. The fourth is "cryptographic", or the use of "rainbow tables": precomputed
tables of hashes that are compared against the stored password hashes. Here salting does render the attack
ineffective, because a table would have to be precomputed for every possible salt. Finally, a "hybrid" attack combines
a dictionary with brute force or with mangling rules (appending digits, swapping letter case and so on) to attempt to
break a password.

Passwords can also be captured with a network "sniffer", a tool that records network traffic, provided the traffic is
not encrypted. Depending on how the attacker wishes to proceed, attacks can be conducted online against the target's
login service, or offline against a dump of the password hashes copied from the target machine. Passwords can also be
acquired "live" from a target's memory using specific tools.
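The difference between what salting does and does not protect against is easiest to see in code. The block below is an added example, not code from the article or from any Kali tool: it stands in an unsalted store (the Windows case) and a salted store (the Linux case) with plain SHA-256, which is an assumption made only to keep the example short (real systems use a slow function such as sha512crypt or bcrypt), and runs a precomputed lookup table and a per-hash dictionary attack against both. The wordlist and the victim accounts are constructed.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Constructed wordlist; a real attack would use rockyou.txt or similar.
WORDLIST = ["password", "letmein", "Summer2016", "qwerty", "dragon"]


def unsalted_hash(password: str) -> str:
    """Stand-in for an unsalted store (the Windows NT hash case in the article):
    the same password always produces the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Stand-in for a salted store (the Linux case): the salt is random per
    account and kept next to the hash, as in a $6$salt$hash shadow entry.
    Real systems also use a slow function (sha512crypt, bcrypt); SHA-256 is used
    here only to keep the example short."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precomputation, the idea behind rainbow tables: hash every word once,
    then crack any number of unsalted hashes by lookup."""
    return {unsalted_hash(w): w for w in wordlist}


def table_lookup(table: Dict[str, str], target_hash: str) -> Optional[str]:
    return table.get(target_hash)


def dictionary_crack_salted(target_hash: str, salt: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Per-hash dictionary attack. The salt is known to the attacker (it sits in
    the same file), so each candidate is simply re-hashed with it. Salting does
    not stop this; it forces the whole wordlist to be re-hashed for every
    account and makes the precomputed table above worthless."""
    for word in wordlist:
        if salted_hash(word, salt) == target_hash:
            return word
    return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed victims: two accounts with the same password 'Summer2016',
    one stored unsalted and one salted with a fixed salt for reproducibility."""
    salt = bytes.fromhex("0badcafe12345678")
    unsalted_victim = unsalted_hash("Summer2016")
    salted_victim = salted_hash("Summer2016", salt)
    table = build_lookup_table(WORDLIST)
    return {
        "table_vs_unsalted": table_lookup(table, unsalted_victim),
        "table_vs_salted": table_lookup(table, salted_victim),
        "dictionary_vs_salted": dictionary_crack_salted(salted_victim, salt, WORDLIST),
    }


if __name__ == "__main__":
    for attack, result in demo().items():
        print(f"{attack:22s}: {result}")
```

The table cracks the unsalted hash instantly and fails against the salted one, while the per-hash dictionary attack still recovers the salted password; what the defender actually buys with a salt is that the attacker's work can no longer be shared between accounts or prepared in advance.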

Kali Tools: Creating Custom Dictionaries:

Kali has several password tools for attacking passwords. The first two tools to consider are for creating dictionaries or
wordlists. Kali has some wordlists included in the distribution but you can generate your own using either “cewl” or
“crunch”.

Cewl “custom word list generator” is a small Ruby app that web crawls a site for words to put into a wordlist based on
criteria you specify. Let’s try using the tool:


Cewl command

This command will web crawl the https://digi.ninja to a depth of two levels for words with a min length of five
characters and save them to a file called docswords.txt.

Output of the file:

Cewl Output

You were able to capture 5939 words from the site.

Next, we can use the tool “crunch” to create a customized dictionary based on character sets you choose along with
permutations.

We’ll try a simple example:

Crunch command

This command generates every string of exactly 7 characters (minimum and maximum length 7) drawn from the capital letters A and B, 2^7 = 128 words in total.

Here is the output snippet:
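The two kinds of wordlist just described, the exhaustive one crunch builds and the mangled one a hybrid attack needs, are both short to implement. The following block is an added example, not code from the article, crunch or cewl: `crunch()` reproduces `crunch 7 7 AB` as a generator, and `mangle()` applies an assumed, deliberately small set of hybrid rules (case variants, common suffixes, leetspeak) to base words such as those cewl harvested above.

```python
import itertools
from typing import Iterable, Iterator, List

LEET = str.maketrans("aeios", "43105")


def crunch(min_len: int, max_len: int, charset: str) -> Iterator[str]:
    """Exhaustive generation like `crunch MIN MAX CHARSET`: every string of each
    length from min_len to max_len over charset, in the order crunch prints them
    (shortest length first, lexicographic within a length). A generator, because
    the output is charset**length lines and must not be held in memory."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def keyspace_size(min_len: int, max_len: int, charset_size: int) -> int:
    """Number of candidates crunch would emit; check this before writing a file."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def mangle(word: str, years: Iterable[int] = (2016, 2017)) -> List[str]:
    """Hybrid rules applied to one dictionary word (the kind of transformation a
    John the Ripper rules file does): case variants, common suffixes, leetspeak.
    The rule set is an assumption; real rule files are far larger."""
    bases = {word, word.lower(), word.capitalize(), word.upper()}
    out = set(bases)
    for base in bases:
        out.add(base.translate(LEET))
        for suffix in ["1", "123", "!"] + [str(y) for y in years]:
            out.add(base + suffix)
    return sorted(out)


def hybrid_wordlist(words: Iterable[str], years: Iterable[int] = (2016, 2017)) -> List[str]:
    """Expand a base wordlist (e.g. cewl's output) with mangle(), de-duplicated,
    preserving first-seen order so the most likely base words stay near the top."""
    seen, out = set(), []
    for word in words:
        for candidate in mangle(word, years):
            if candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out


if __name__ == "__main__":
    print(keyspace_size(7, 7, 2), "words from crunch 7 7 AB, e.g.", list(crunch(7, 7, "AB"))[:3])
    print(hybrid_wordlist(["ninja"])[:8])
```

The `keyspace_size()` check is the one to run before any crunch job: the same command over all 26 capital letters at length 7 would be 26^7, more than eight billion lines, which is why crunch is normally piped straight into the cracker rather than written to disk.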

Reverse Engineering And Password Breaking
Jan Kopia
ABOUT THE AUTHOR

Jan Kopia
Jan is an independent IT-security specialist with 20 years of experience. His focus in recent years has been on
managing information security projects (e.g. implementing ISO 27001, Common Criteria certifications, designing secure
systems) on the one hand, and IT-security related tasks (security and penetration testing, investigation of security
incidents, digital forensics) on the other. He also works as an author in the field of management and information
technology.

Reverse Engineering And Password Breaking

Introduction
Software programs are developed based on source code that is written in human readable programming languages.
Many different programming languages are used today to create programs, such as mobile apps, desktop applications,
web applications, operating systems, firmware, etc. The usual process that follows on the human creation of the code is
that it is compiled (either in advance or during runtime) into a language that can be understood by a machine.
Compiled code usually is a binary file which contains all necessary code for the computer to understand the
instructions of the original source code.

To reverse engineer a program, it must be brought back into some form that humans can understand. If a program can be
reversed in that way, parts of the original source code can be reconstructed and its functions altered. This makes it
possible not only to change the program code, and therefore the behaviour of the program, but also to break security
mechanisms such as a password check.

This article gives a basic introduction to reverse engineering and demonstrates how to bypass a password protection
using common and mostly freely available tools. At the end, the reader will have an understanding of the entire reverse
engineering process, from statically inspecting a PE file to dynamically analyzing it with tools such as IDA Pro and
OllyDbg.

Example program and the Reverse engineering process

The example program used in this article calculates the factorial value of a given number. This number must be
entered in the console. The program then asks for a password before any result is shown. If the password is correct,
the factorial is calculated. Without this password, the program terminates (See figure 1).

Figure 1: The example program with the password function

The goals of the reverse engineering process in this article are:

• Understanding the environment and the program flow

• Getting an idea of the classes, functions and variables used

• Bypassing the password protection

• Regenerating the source code as well as possible

Reversing a binary file – step 1 – file information

A binary file is created during the compilation process. This is machine dependent so that a binary file only runs on a
system it was compiled for. For instance, it is not possible to run a Unix program under Windows without emulating a
Unix environment and vice versa because software programs access different libraries of the system they were
developed for. They also access common functions through the libraries, which might also include access to kernel
functions that are even more platform dependent. A program, therefore, is highly dependent on the user space and
kernel space – the platform environment.

To express such dependencies, most programs carry several pieces of information in their executable files.
Understanding this information is the first step of the reverse engineering process.

A binary file therefore contains useful information within its structure. Most executables follow a standardized
container format, which can be read by tools such as PEiD, PE Explorer, CFF Explorer, etc.

An example can be seen in figure 2. The demo program that needs to be understood through a reverse engineering process
is called Project1.exe. The file extension .exe implies that it is a Windows or DOS application. Using PEiD, more
details become visible: it is a Win32 console application, more precisely a 32-bit Portable Executable (PE32). PE files
have a standardized layout. They are divided into sections, each with a predefined virtual size and virtual address
(see figure 3); when the program is executed, the loader maps each section into memory at that address. Each section
holds a certain kind of data and carries flags that say whether it may be read, written or executed. The .text
(sometimes .code) section holds the actual program code, the part that is mainly reverse engineered. The .data section
holds initialized data that the program reads and writes at runtime, and .rdata holds read-only data such as string
constants. The uninitialized data section is called .bss. The .idata section holds the import table: the functions the
program needs from other DLLs, which the loader must resolve before the program can run.

Figure 2: The demonstration program opened in PEiD
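The headers PEiD displays (DOS header, PE signature, COFF file header, section table with virtual addresses and flags) can be walked with nothing more than struct. The parser below is an added example, not code from the article or from PEiD, and it is run on a constructed PE32 skeleton rather than on Project1.exe, which is not available here; the skeleton declares an empty optional header, which a real loader would reject but which keeps the fixture small. The section flag names and offsets come from the PE specification (winnt.h).

```python
import struct
from typing import Dict, List

# IMAGE_SECTION_HEADER.Characteristics bits, from winnt.h
SECTION_FLAGS = {
    0x00000020: "CODE",
    0x00000040: "INITIALIZED_DATA",
    0x00000080: "UNINITIALIZED_DATA",
    0x20000000: "EXECUTE",
    0x40000000: "READ",
    0x80000000: "WRITE",
}
MACHINES = {0x014C: "i386 (PE32)", 0x8664: "x86-64 (PE32+)"}
IMAGE_FILE_DLL = 0x2000


def parse_pe(data: bytes) -> Dict:
    """Walk the headers PEiD shows: DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF
    file header -> (optional header, skipped via its size field) -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    section_table = coff + 20 + opt_size        # COFF file header is 20 bytes
    sections: List[Dict] = []
    for i in range(nsections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _relocs, _lines, _nrelocs, _nlines, flags) = \
            struct.unpack_from("<8sIIIIIIHHI", data, section_table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "raw_offset": raw_ptr,
            "flags": [label for bit, label in SECTION_FLAGS.items() if flags & bit],
        })
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "sections": sections,
    }


def build_sample_image() -> bytes:
    """Constructed PE32 skeleton, not a runnable program: DOS header with
    e_lfanew, PE signature, COFF header declaring an empty optional header, and
    three section headers shaped like a typical 32-bit console .exe."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0, 0x0102)  # EXECUTABLE_IMAGE | 32BIT_MACHINE

    def section(name, vsize, vaddr, raw_size, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, flags)

    return (bytes(dos) + b"PE\0\0" + coff
            + section(b".text", 0x1234, 0x1000, 0x1400, 0x0400, 0x60000020)   # code, execute, read
            + section(b".rdata", 0x0300, 0x3000, 0x0400, 0x1800, 0x40000040)  # initialized, read
            + section(b".data", 0x0800, 0x4000, 0x0200, 0x1C00, 0xC0000040))  # initialized, read, write


if __name__ == "__main__":
    info = parse_pe(build_sample_image())
    print(info["machine"], "DLL" if info["is_dll"] else "EXE")
    for s in info["sections"]:
        print(f"{s['name']:8s} VA={s['virtual_address']:#08x} VS={s['virtual_size']:#08x} {' '.join(s['flags'])}")
```

The section flags are the part worth reading before opening a debugger: a section that is both WRITE and EXECUTE, or a .text section whose raw size is much smaller than its virtual size, is the usual sign of a packed executable, which PEiD reports by signature and this parser lets you check by hand.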

Programming for Hackers

Ransomware and Python: Allies or enemies?
Adrian Rodriguez Garcia
ABOUT THE AUTHOR

Adrian Rodriguez Garcia


I'm Adrian Rodriguez Garcia, a graduate in telecommunication engineering, specialising in telematics, and a student of
the Master in Information and Communications Security at the University of Seville. I love cybersecurity, especially the
topics directed at the fight against malware, which is why I design Open Source-based solutions to prevent and mitigate
any incident that can occur in networked systems. I have been part of the cybersecurity team of redBorder, where I
developed redBorder Malware EndPoint to fight against malware. In short, I enjoy the world of cybersecurity, where I'm
like a fish in water.

Ransomware And Python: Allies Or Enemies?

Ransomware is one of the most dangerous types of malware in existence today because of the damage it can cause.
Knowledge of its main characteristics and of its evolution is now necessary in order to act against this type of
malware. Python is a tool that is closely associated with malware at present, and it can be an enemy or an ally: you can
use Python to create ransomware or to design a tool that fights it.

What will you learn:

• In this article, we will introduce the world of cyber security and a type of malware called ransomware. The topics
addressed are as follows:

• Introduction on what ransomware is: types, characteristics and the extent of the damage it can cause in a system.

• Historical evolution: what was the first ransomware that existed and its evolution throughout history. In this way,
we will be aware of the real danger posed by ransomware and its various effects.

• Use of Python for the design of ransomware: starting from a given base, it is very simple to build ransomware with
our own tools that will damage a system.

• Python for the development of a system of defense: maintaining an Open Source philosophy, we will give a base
designed in Python to demonstrate how to make our own system of defense and fight against malware infections.

What you should know:

• No prior knowledge is required about cyber security to understand the concept of ransomware and its evolution.

• For the development of a ransomware, as is explained in the third point of this article, the only thing that is
required is a basic level of programming and a desire to learn and investigate.


Introduction
First we are going to talk about a type of malware called ransomware, which usually gets into a system through phishing
and can cause damage such as data loss or the hijacking of a computer. We will also look at the historical evolution of
ransomware, to get a complete overview of how it works and of the various kinds of damage it can cause.

Finally, using the Python language and the enormous power of its libraries, we will design both a ransomware and an
anti-malware system, to demonstrate how easily, and with basic knowledge, it is possible to build Open Source tools that
cause real damage to a computer or a system.

What’s ransomware?

Ransomware is a type of malware that has become one of the most dangerous cyber threats and one of the most complex to
combat.

Classic ransomware is not a virus in the strict sense: it does not replicate itself across the network but is carried
into the system by the user, which makes it a Trojan (later families have added worm-like spreading, but the typical
infection still starts locally).

Phishing is the main method used to get into systems and install the ransomware. The infection is camouflaged within
seemingly harmless files, or on websites of dubious reputation that are nevertheless attractive to the victims. The most
common places to find this type of malware are websites with erotic content, forums, games, downloaded films or series,
fake system updates, fake antivirus tools and e-mail attachments.

Once a system is infected, two groups of ransomware can be distinguished:

• Crypto-ransomware: so called because, using cryptographic methods, it encrypts files, folders, whole hard disks and
even user data, and withholds the key.

• Locker-ransomware: this type targets the users of a system rather than their files. It takes control of the user's
session, blocks administrative tasks, blocks access to the system's records and infects a number of files to prevent the
users from working. Some of these are even able to prevent booting into safe or administration mode.

Developing malware of this type requires infrastructure, a great deal of effort and advanced development techniques,
all with a single objective: financial gain.

When the ransomware has finished encrypting or locking the system, it demands a ransom from the user in exchange for
recovering control of the system. Sometimes this involves sending premium SMS messages, calling premium-rate numbers or
paying through online payment systems.

Once the amount demanded has been paid, the infection may persist in the system, with the loss of data that this
entails, or the ransomware will return control of the system to the user, allowing the

Build Your Own NIDS with Scapy
Hadi Assalem
ABOUT THE AUTHOR

Hadi Assalem
Hadi Assalem is a final year student of the Information Technology Software Engineering Department at AL-Baath
University.

E-mail: [email protected]

Build Your Own NIDS With Scapy

Introduction:

This article presents a lightweight Network Intrusion Detection System based on the scapy library that detects common
spoofing attacks (ARP spoofing, DNS spoofing), port scans and some web application attacks. We start by building the
attacking tools and then the detection tools.

System Demo:

The system is a lightweight NIDS (Network Intrusion Detection System) built on the Scapy library in Python.

The system has two modes:

1. Attacker Mode: in this mode we can launch ARP-Spoofing and DNS-Spoofing attacks and port scans.

2. Defender Mode: in this mode the system can detect the attacks launched in Attacker Mode, plus web application
attacks (SQLi, XSS), and can detect Tor network traffic.

About Scapy:

Scapy is a Python program that lets the user send, sniff, dissect and forge network packets. This capability allows the
construction of tools that can probe, scan or attack networks. We can use scapy in two ways:

• Import it directly in Python scripts as a library.

• Launch it interactively from a terminal (on Unix systems) or CMD (on Windows).

The functions used most in this system are:

• sniff(): captures packets and hands each one to a callback.

• send(): sends packets at layer 3; scapy builds the link layer header and routes the packet itself.

• sendp(): sends packets at layer 2; the caller supplies the link layer (e.g. Ether) header and chooses the interface.

How the system works:

1. The system runs directly from the terminal.

2. It checks its dependencies.

3. It checks for root privileges (needed to send raw packets).

4. The user can then choose the mode:

• Attacker Mode: in this mode the user is able to choose between ARP-Spoofing, DNS-Spoofing and Port Scanner.

• Defender Mode: this mode is the NIDS itself.

Figure -1- the first interface

Attacker Mode:

The attacker mode offers three options:

1. ARP-Spoofing

2. DNS-Spoofing

3. Port-Scanning
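The defender side for two of these three options fits in a few dozen lines once the packet fields are in hand. The block below is an added example, not code from the article's NIDS: it detects ARP spoofing (an IP already seen with one MAC is later claimed by another) and port scans (one source sending SYNs to many distinct ports in a short window). To keep it runnable offline it works on a small `Packet` record instead of scapy objects; with scapy, `sniff(prn=callback, store=0)` would fill that record from `pkt[ARP]` and `pkt[TCP]` and call `feed()` on each detector. The capture is constructed, and the thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Packet:
    """Minimal stand-in for the fields a scapy sniff() callback would pull from
    pkt[ARP].op / psrc / hwsrc and pkt[IP].src / pkt[TCP].dport / pkt[TCP].flags."""
    t: float                 # capture time in seconds
    kind: str                # "arp" or "tcp"
    src_ip: str
    src_mac: str = ""
    arp_op: int = 0          # 1 = who-has (request), 2 = is-at (reply)
    dst_port: int = 0
    syn: bool = False        # TCP SYN without ACK


class ArpSpoofDetector:
    """Learn IP -> MAC from is-at replies and alert when an IP we already know
    is later claimed by a different MAC, the footprint of ARP poisoning.
    In production the table should be seeded from a trusted source (static
    entries for the gateway at least), otherwise the attacker's first reply wins."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def feed(self, pkt: Packet) -> List[str]:
        if pkt.kind != "arp" or pkt.arp_op != 2:
            return []
        known = self.table.get(pkt.src_ip)
        if known is None:
            self.table[pkt.src_ip] = pkt.src_mac
            return []
        if known != pkt.src_mac:
            return [f"ARP spoofing: {pkt.src_ip} was {known}, now claimed by {pkt.src_mac}"]
        return []


class PortScanDetector:
    """Alert when one source sends SYNs to more than `threshold` distinct ports
    within a sliding window of `window` seconds; alert once per source."""

    def __init__(self, threshold: int = 10, window: float = 5.0) -> None:
        self.threshold, self.window = threshold, window
        self.events: Dict[str, List[tuple]] = defaultdict(list)   # src_ip -> [(t, port)]
        self.alerted: Set[str] = set()

    def feed(self, pkt: Packet) -> List[str]:
        if pkt.kind != "tcp" or not pkt.syn:
            return []
        events = self.events[pkt.src_ip]
        events.append((pkt.t, pkt.dst_port))
        events[:] = [(t, p) for t, p in events if pkt.t - t <= self.window]
        ports = {p for _, p in events}
        if len(ports) > self.threshold and pkt.src_ip not in self.alerted:
            self.alerted.add(pkt.src_ip)
            return [f"Port scan: {pkt.src_ip} probed {len(ports)} ports within {self.window}s"]
        return []


def run_nids(packets: List[Packet]) -> List[str]:
    """Defender mode: push every packet through every detector, collect alerts."""
    detectors = [ArpSpoofDetector(), PortScanDetector()]
    alerts: List[str] = []
    for pkt in packets:
        for detector in detectors:
            alerts.extend(detector.feed(pkt))
    return alerts


def sample_traffic() -> List[Packet]:
    """Constructed capture: the real gateway answers an ARP request, an attacker
    then claims the gateway's IP with its own MAC, and finally the attacker
    SYN-scans 15 consecutive ports on a host."""
    pkts = [
        Packet(0.0, "arp", "192.168.1.1", "aa:aa:aa:aa:aa:01", arp_op=2),
        Packet(1.0, "arp", "192.168.1.1", "de:ad:be:ef:00:01", arp_op=2),
    ]
    pkts += [Packet(2.0 + i * 0.1, "tcp", "192.168.1.66", dst_port=20 + i, syn=True)
             for i in range(15)]
    return pkts


if __name__ == "__main__":
    for alert in run_nids(sample_traffic()):
        print(alert)
```

Two limits are worth knowing before trusting the output: the ARP detector learns from whatever reply arrives first, so it must be seeded with the gateway's real MAC or an attacker who poisons early is simply "learned"; and the scan detector, being purely SYN-count based, is blind to a scan slowed down beyond the window, which is why real NIDS rules pair it with longer-lived per-host counters.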

Python For IOT: Make Your Own Botnet And Have Fun With The MQTT Protocol

Adrian Rodriguez Garcia


ABOUT THE AUTHOR

Adrian Rodriguez Garcia


Adrian Rodriguez Garcia, a graduate in telecommunication engineering, specialising in telematics, and a graduate of the
Master in Information and Communications Security at the University of Seville.

Currently, I work in Telefonica's cybersecurity unit (ElevenPaths), in the innovation and laboratory area, where I
research and develop security-related solutions.

I'm a fan of cybersecurity, especially the topics directed at the fight against malware, which is why I design all kinds
of solutions to prevent and mitigate any incident that can occur in networked systems. In addition, I'm a curious
person who likes to study and test new technologies to the extreme, to take full advantage of their features or to find
their limitations and improve them.

Contact: www.linkedin.com/in/adrian-rodriguez-garcia-64257698

Python For IOT: Make Your Own Botnet And Have Fun With The MQTT

'Control any device connected to the network' has become one of the main objectives of cybercriminals. Controlling many
devices allows them to attack large network infrastructures to achieve their goals, or simply to cause a denial of
service.

What will you learn?

• In this article, we will introduce the world of the Internet of Things using Python, specifically the control of
devices from Microsoft Windows and Android systems. Additionally, we will learn the MQTT protocol used to control
devices related to automation. The topics addressed are as follows:

• Main attacks of 2017.

• Build a botnet by indirect attack.

• Build a botnet by direct attack.

• MQTT Protocol.

What should you know?

• No prior knowledge is required about programming, systems or cybersecurity, because all necessary knowledge will be
explained in this article.

• You just need to have fun reading, learning and researching.

Introduction

First, we are going to talk about the main attacks that have occurred during this year. The objective is to show the
big security problem that exists today, due to the knowledge of cybercriminals and the lack of knowledge or awareness
of people.

Then, we will use the Python language and the enormous power of its libraries to demonstrate how to create a basic
botnet by indirect attack. That is, no attack is made on any system; it is the people themselves who install the
malicious software we have made.

Next, we will make a direct attack on Android systems with the objective of obtaining a botnet. For this, we will use a
search engine for devices, like Shodan.

Finally, we will talk about the MQTT protocol, very frequently used in the IoT world and, as we will see, very dangerous
if it is not secured correctly.

Main attacks of 2017

Throughout this year, different security incidents have occurred related to the security of Internet-connected devices.
Below we describe some of the most important ones, to understand the different methods used, how their botnets work
and what objectives they pursue.


IOT_reaper

It was seen for the first time in September. This botnet caused large Internet outages by launching massive DDoS
attacks, and its main feature is its rapid growth: the malware infected two million devices, at a rate of 10,000 new
devices per day.

IoT_reaper no longer depends on cracking weak passwords; instead, it exploits vulnerabilities in various IoT devices
and enslaves them into a botnet.

Persirai

This botnet targeted more than 1,000 models of IP cameras. Nobody knows the exact number of devices in the botnet, but
we know, thanks to Trend Micro, that more than 120,000 vulnerable cameras can be found on Shodan.

Many of the owners do not know that their IP cameras are exposed to the Internet, which makes it much easier to reach
the camera's web interface on TCP port 81.

Amnesia

Amnesia is an IoT botnet targeting digital video recorders (DVRs). The malware exploits a vulnerability, disclosed more
than a year earlier, that allows remote code execution in the DVRs' Linux-based firmware.

This Linux-based malware is considered the first of its kind, and advanced, because of its virtual machine evasion
techniques: it detects whether it is running in a VirtualBox, VMware or QEMU VM, the typical sandboxes or honeypots.

Amnesia can turn more than 200,000 vulnerable devices worldwide into a botnet. The malware communicates with its
Command and Control (C&C) servers over IRC, downloads its payload over HTTP and uses TCP and UDP flooding techniques.

BrickerBot

BrickerBot's attack vector is similar to Mirai's: for example, it uses dictionary attacks to gain unauthorized
access to the device. It differs in what it does next: it executes a chain of Linux commands that permanently
damage the device (a permanent denial of service) instead of recruiting it for a distributed denial of service.

This malware took advantage of security flaws in BSNL and MTNL devices that allowed remote code execution. Both
ISPs allowed anyone on the Internet to connect on port 7547 (the TR-069 remote management port) to the routers and
modems in their networks. Thanks to this fact, BrickerBot disrupted customers of the two Indian ISPs for a week.


BlueBorne

BlueBorne is not a botnet or malware; it is a set of vulnerabilities in Bluetooth implementations. The attack does
not require the victim to interact with, or even pair with, the attacking device, so an attacker can take control
of a device without any user interaction.

There are two ways attackers can use BlueBorne. The first is to connect to a target device and execute code
remotely on it. The second is to set up a "Bluetooth Pineapple", a man-in-the-middle that sniffs traffic, hijacks
the connection and redirects traffic.

It is estimated that around 5 billion devices are vulnerable, which makes this the most serious Bluetooth
vulnerability identified to date.

Build a botnet by indirect attack

As seen in the previous section, cybercriminals target cameras, DVRs and routers, among many other devices. Each
attack is different from the last, both in form and in objectives, but all share a common philosophy, summarised
in one word: "IoT" (Internet of Things). That is, any device connected to the Internet serves their purpose.

In this section, the same philosophy will be followed. Bear in mind that every device runs an operating system
(iOS, Android, Windows, Linux, ...). In this case, a botnet of devices running Windows (laptops, tablets or
desktops) will be created, due to my personal predilection for this kind of system.

It has been called "indirect" because we do not intend to attack any particular device directly; instead, we wait
until, through phishing or other methods, people "give us" a session on their devices.

To achieve the goal, we will use the following programming language and libraries:

• Python 2.7

• Ctypes Python library

• Sockets Python library

• Json Python library

• Subprocess Python library

• WMI Python library

WMI (Windows Management Instrumentation) is Microsoft's infrastructure for management data and operations on
Windows. The WMI Python library provides an interface for interacting with it, so we can manage Windows services,
which interests us in order to make our botnet persistent.
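TCP sockets deliver a byte stream, not messages, so before the json library is of any use the client and the server need a framing rule, and the receiving side needs a size limit so a hostile peer cannot make it allocate unbounded memory. The following is an added example, not code from this article (and written for Python 3 rather than 2.7): each JSON message is sent as a 4-byte length prefix plus body, and the client dispatches commands through an allowlist instead of passing them to subprocess. The command names, the frame limit and the in-process socketpair are assumptions made for the demo.

```python
import json
import platform
import socket
import struct

MAX_FRAME = 64 * 1024  # assumed limit: refuse anything larger from either side


def encode_frame(obj):
    """JSON-encode obj and prepend a 4-byte big-endian length."""
    payload = json.dumps(obj).encode("utf-8")
    if len(payload) > MAX_FRAME:
        raise ValueError("message too large")
    return struct.pack("!I", len(payload)) + payload


def send_msg(sock, obj):
    sock.sendall(encode_frame(obj))


def _recv_exact(sock, n):
    """recv() may return fewer bytes than asked for; loop until we have n."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-frame")
        buf += chunk
    return buf


def recv_msg(sock):
    """Read one length-prefixed JSON frame and return the decoded object."""
    (length,) = struct.unpack("!I", _recv_exact(sock, 4))
    if length > MAX_FRAME:  # check before allocating, not after
        raise ValueError("frame length %d exceeds limit" % length)
    return json.loads(_recv_exact(sock, length).decode("utf-8"))


# Client-side dispatch. The article's client runs whatever it receives through
# subprocess; this demo allowlists two harmless commands instead (assumed names).
HANDLERS = {
    "ping": lambda args: "pong",
    "sysinfo": lambda args: {"system": platform.system(), "node": platform.node()},
}


def handle_command(msg):
    handler = HANDLERS.get(msg.get("cmd"))
    if handler is None:
        return {"ok": False, "error": "unknown command %r" % msg.get("cmd")}
    try:
        return {"ok": True, "result": handler(msg.get("args", {}))}
    except Exception as exc:  # never let one bad command kill the client loop
        return {"ok": False, "error": str(exc)}


def round_trip(msg):
    """One server -> client -> server exchange over an in-process socket pair."""
    server, client = socket.socketpair()
    try:
        send_msg(server, msg)                      # server issues the command
        reply = handle_command(recv_msg(client))   # client dispatches it
        send_msg(client, reply)                    # client answers
        return recv_msg(server)                    # server reads the answer
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    for command in ({"cmd": "ping"}, {"cmd": "sysinfo"}, {"cmd": "rm -rf /"}):
        print(command, "->", round_trip(command))
```

Over a real network the same send_msg/recv_msg pair is used on both ends of a TCP connection; the only difference from the socketpair is how the socket is obtained.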

To build the botnet, clients are needed on the one hand and a server on the other. So, in the first place, the server
Power Of Python
Omar Ahmed
ABOUT THE AUTHOR

Omar Ahmed
Penetration tester with 5 years of experience in web application and network penetration testing, malware
analysis, reverse engineering, security code auditing and incident response. He has conducted vulnerability
assessments and penetration tests for many high-profile companies across the Middle East. Highly skilled in
hands-on application security assessment and the development of security tools, with a deep understanding of the
vulnerability management process and risk assessment. Takes part in security challenges by joining online CTFs.

https://www.linkedin.com/in/omar-ahmed-843b6b122

https://www.facebook.com/MistSpark

Power Of Python

In the past, there were many programming languages you could use to write your own penetration testing tools, but
usually one of them was the most popular and the first choice when you were deciding which language to use, such
as Perl. Lately, languages like Python and Ruby have been widely adopted and have proved their usefulness.

In this article, we will try to shed light on some of Python's advantages and functionality. We will divide the
article into two parts: the first part will discuss the practical use of Python to perform Wi-Fi attacks, and the
second part will use Python for exploit development.

I will try to explain everything in detail, but to be honest, you should already be familiar with a few things so
that you do not miss anything.

Introduction:

With each passing day, the wireless connectivity community has grown, but this has also ushered in many security
issues. With wired connectivity, an attacker needs physical access in order to connect and attack, but with
wireless connectivity an attacker only needs to be within range of the signal to launch an attack. Before
proceeding, you should be aware of the terminology used:

Access Point (AP): a networking hardware device that allows Wi-Fi compliant devices to connect to a wired
network.

Service Set Identifier (SSID): a sequence of 0–32 bytes used as the identifier of a wireless LAN, intended to be
unique within a particular area. Since this identifier must often be typed into devices by a human user, it is
usually a human-readable string and is therefore commonly called the "Network Name". Note that the SSID is not a
security control: an AP that hides it still reveals it in probe responses and in the clients' probe requests.

Basic Service Set Identifier (BSSID): the MAC address of the wireless AP's radio.

Channel number: identifies the radio frequency range the AP uses for transmission.

Note: the channel number may change because of the AP's automatic channel selection, so do not be confused if
you see it change.

802.11: the original standard provides bandwidth of 1–2 Mbps in the 2.4 GHz band (later amendments such as
802.11b/g/n/ac are much faster but keep the same frame format). 802.11 consists of a set of Media Access Control
(MAC) and Physical Layer (PHY) specifications. The MAC layer is a sublayer of the Data Link Layer.

Frame: the Protocol Data Unit (PDU) of the Data Link Layer.

There are three main types of 802.11 Frames:

• Data Frame


• Control Frame

• Management Frame

These frames are handled by the MAC layer. The following figure shows the format of the MAC header:

(Figure 01). MAC Format

As you can see in the previous figure, there are three address fields (a fourth exists only in frames relayed
between APs over a wireless distribution system). Their exact meaning depends on the To DS and From DS bits of the
Frame Control field; for the management frames discussed in this article, which travel between an AP and a client:

• Address 1: the receiver address. For a frame sent by the AP, this is the MAC address of the client (or the
broadcast address).

• Address 2: the transmitter address. For a frame sent by the AP, this is the MAC address of the AP.

• Address 3: the BSSID in management frames. In data frames it carries the original source or final destination
address that the first two fields do not cover.

In this article, we will focus on management frames. Now, let's look at the frames exchanged between the client
and the AP:

(Figure 02). Transmitted Frames

In the previous figure, we can see the exchange of frames. Let's take a look at the subtypes of management frame:

• Beacon: the AP (Access Point) periodically sends a beacon frame to announce its presence and relay
information such as a timestamp, the SSID, the supported rates and the channel.

• Probe Request: the wireless device (client) sends out a probe request to determine which access points are
within range, either naming a specific SSID or using an empty "wildcard" SSID.

• Probe Response: in response to a probe request, the AP replies with a probe response frame containing
capability information, supported data rates, etc.
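The header layout and the management subtypes above are easy to check against real bytes. The following is an added example, not code from this article: a small pure-Python decoder for the 24-byte 802.11 MAC header that names the frame type and management subtype, reads the three addresses and the To DS/From DS bits, and, for beacons, probe responses and probe requests, walks the tagged parameters to pull out the SSID and the channel. Two builders produce constructed frames so the code runs without a wireless card; the MAC addresses and the SSID are made up.

```python
import struct

# Frame Control byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {
    0: "association request", 1: "association response",
    4: "probe request", 5: "probe response", 8: "beacon",
    10: "disassociation", 11: "authentication", 12: "deauthentication",
}
# Bytes of fixed fields before the tagged parameters, per decoded subtype:
# beacon and probe response carry timestamp(8) + interval(2) + capability(2).
FIXED_BODY_LEN = {8: 12, 5: 12, 4: 0}
TAG_SSID, TAG_RATES, TAG_DS_PARAMS = 0, 1, 3


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_tagged_params(body):
    """Walk the ID / length / value elements; stop at a truncated element."""
    tags, i = {}, 0
    while i + 2 <= len(body):
        tag_id, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break
        tags.setdefault(tag_id, value)
        i += 2 + length
    return tags


def parse_80211(frame):
    """Decode the 24-byte MAC header and, for the subtypes above, the body."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte MAC header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "subtype": subtype,
        "to_ds": bool(fc1 & 0x1),
        "from_ds": bool(fc1 & 0x2),
        "addr1": mac_str(frame[4:10]),    # receiver address
        "addr2": mac_str(frame[10:16]),   # transmitter address
        "addr3": mac_str(frame[16:22]),   # BSSID in management frames
        "seq": struct.unpack("<H", frame[22:24])[0] >> 4,
    }
    if ftype == 0:
        info["subtype_name"] = MGMT_SUBTYPES.get(subtype, "other")
    if ftype != 0 or subtype not in FIXED_BODY_LEN:
        return info
    body, fixed = frame[24:], FIXED_BODY_LEN[subtype]
    if fixed:
        if len(body) < fixed:
            raise ValueError("management body shorter than its fixed fields")
        _timestamp, interval, capability = struct.unpack("<QHH", body[:12])
        info["beacon_interval_tu"] = interval
        info["privacy"] = bool(capability & 0x10)  # capability bit 4: encryption on
    tags = parse_tagged_params(body[fixed:])
    if TAG_SSID in tags:
        info["ssid"] = tags[TAG_SSID].decode("utf-8", "replace")
    if TAG_DS_PARAMS in tags and len(tags[TAG_DS_PARAMS]) == 1:
        info["channel"] = tags[TAG_DS_PARAMS][0]
    return info


def build_beacon(bssid, ssid, channel, privacy=True):
    """Constructed beacon for the demo; bssid is 6 raw bytes."""
    fc = bytes([0x80, 0x00])                           # type 0, subtype 8
    capability = 0x0001 | (0x0010 if privacy else 0)   # ESS (+ privacy)
    fixed = struct.pack("<QHH", 0, 100, capability)    # 100 TU beacon interval
    tags = (bytes([TAG_SSID, len(ssid)]) + ssid.encode()
            + bytes([TAG_RATES, 1, 0x82])              # 1 Mbps, basic rate
            + bytes([TAG_DS_PARAMS, 1, channel]))
    return fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x10\x00" + fixed + tags


def build_probe_request(client_mac, ssid=""):
    """Constructed probe request; an empty SSID asks every AP in range to answer."""
    fc = bytes([0x40, 0x00])                           # type 0, subtype 4
    tags = bytes([TAG_SSID, len(ssid)]) + ssid.encode() + bytes([TAG_RATES, 1, 0x82])
    return fc + b"\x00\x00" + b"\xff" * 6 + client_mac + b"\xff" * 6 + b"\x00\x00" + tags


if __name__ == "__main__":
    ap = bytes.fromhex("001122334455")        # constructed addresses
    client = bytes.fromhex("aabbccddeeff")
    for frame in (build_beacon(ap, "HomeNet", 6), build_probe_request(client)):
        print(parse_80211(frame))
```

The same parse_80211 function can be pointed at the raw bytes of a frame captured in monitor mode (after the radiotap header has been stripped), which is exactly what a Python Wi-Fi scanner does before deciding which SSIDs and channels to act on.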

Power Of Scapy
Omar Ahmed

Power Of Scapy

What you will learn:

• What is Scapy?

• Where is Scapy useful?

• Scapy basics

• Packet manipulation

What you need and should know:

• Familiarity with the Open Systems Interconnection (OSI) model

• Python basics

• Network attack basics (scanning, sniffing)

Introduction:

When I was introduced to Scapy for the first time, four years ago, I did not know much about the tool and decided
to try it to see its limits; back then there were literally just a few resources about it. Now, four years later,
I would say that this tool has no limits: when using Scapy you have infinite possibilities.

Scapy:

Scapy is a powerful interactive packet manipulation tool. It is able to forge or decode packets of a wide number of
protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most
classical tasks, like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85%
of nmap, arpspoof, arp-sk, arping, tcpdump, p0f, etc.). It also performs very well at a lot of other specific tasks that
most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, and combining
techniques.

What makes Scapy different from most other tools is that with other tools you cannot build something the author
did not imagine. With Scapy, the idea is that whatever you can imagine, you can build. There are many other
reasons that set Scapy apart, but I know that you are already excited, so I will leave them for you to discover
while actually using Scapy.

Before getting started, you need to know that the most useful thing about Scapy is that it works as a Python
module, so you can easily use it in your own Python scripts.

Some of Scapy’s Features:

• Building Packets.

• Stacking Layers.

• Reading PCAP files.

• Graphical dumps (PDF, PS).


• Fuzzing.

• Scanning.

• Traceroute.

• Sniffing.

PS: That's only some of the things you can do with Scapy.

Let's Get Started:

For the purposes of this tutorial, we will be using Scapy version 2. There is also a "Scapy version 3" that works
with Python 3, and you will find differences between the two, so please follow the directions as a whole to ensure
you have the correct version installed. (Since Scapy 2.4, the official Scapy also runs on Python 3.)

First of all, if you do not have Scapy on your machine, you can simply install it using pip. On Debian-based
systems, install pip first if it is missing:

apt-get -y install python-pip

Then upgrade pip:

pip install --upgrade pip

(Figure 1). Installing Scapy

(Figure 1). Installing Scapy

If you already have Scapy and want to upgrade it, you can use the command shown in Figure 2:

(Figure 2). Upgrading Scapy

There are two ways to work with Scapy: the interactive shell, and as a Python module. We will start with the
interactive shell, so you can understand how things work before creating any Python scripts.

To execute the interactive shell, type scapy in your Terminal:

(Figure 3). Scapy Interactive Shell

As you can see, there may be warning messages telling you that there is no default route for IPv6, but that is okay; you can
Various
Analysis Of Linux Malware Tsunami Using Limon
Monnappa K A
ABOUT THE AUTHOR

Monnappa K A
Monnappa K A works with Cisco Systems, focusing on threat intelligence, investigation of advanced cyber attacks,
and research on cyber espionage and APT attacks. He is a core member of the security research community
"SecurityXploded" and the author of Limon (a sandbox for analyzing Linux malware). His fields of interest include
malware analysis, reverse engineering, memory forensics and threat intelligence. An active speaker at security
conferences such as Black Hat Europe, FIRST-TC, 4SICS, C0c0n and SecurityXploded meetings, he has presented on
topics including memory forensics, malware analysis and rootkit analysis, and has conducted training at the FIRST
(Forum of Incident Response and Security Teams) conference and the 4SICS SCADA/ICS cyber security summit. He has
also authored various articles in Hakin9, eForensics and HackInsight magazines.

Analysis Of Linux Malware Tsunami Using Limon

A large number of devices run Linux because of its flexibility and open-source nature. This has made the Linux
platform a target for malware, so it has become important to analyze Linux malware, and today there is a need to
do so in an automated way in order to understand its capabilities.

Limon is a sandbox, developed as a research project and written in Python, that automatically collects, analyzes
and reports on the run-time indicators of Linux malware. It allows one to inspect the malware before execution,
during execution and after execution (post-mortem analysis) by performing static, dynamic and memory analysis
using open-source tools. Limon runs the malware in a controlled environment and monitors its activities and those
of its child processes to determine the nature and purpose of the malware. It records the malware's process
activity and its interaction with the file system and the network, performs memory analysis, and stores the
analyzed artifacts for later analysis. Since Limon relies on open-source tools, it is easy for any security
analyst to set up a personal sandbox for Linux malware analysis. This article touches on the details of Linux
malware analysis and on the features of the Limon sandbox.

Why Malware Analysis?

Malware is software that causes harm to a computer system without the owner's consent. Viruses, Trojans, worms,
backdoors, rootkits and spyware can all be considered malware.

With new malware attacks making the news every day and compromising company networks and critical infrastructure
around the world, malware analysis is critical for anyone who responds to such incidents.

Malware analysis is the process of understanding the behaviour and characteristics of malware, and how to detect
and eliminate it.

There are many reasons why we would want to analyze a piece of malware; to name just a few:

• To determine the nature and purpose of the malware, i.e. whether it is an information stealer, an HTTP bot, a
spam bot, a rootkit, a keylogger, a RAT, etc.

• To understand its interaction with the operating system, i.e. its file system, process and network activities.

• To detect identifiable patterns (network- and host-based indicators) in order to remediate and prevent future
infections.

Types of Malware Analysis

In order to understand the characteristics of malware, three types of analysis can be performed:

• Static Analysis

• Dynamic Analysis

• Memory Analysis


In most cases, static and dynamic analysis yield sufficient results; memory analysis, however, helps to uncover
hidden artifacts and the capabilities of rootkits and stealth malware.

Static Analysis

Static analysis involves analyzing the malware without actually executing it. The steps are:

• Determining the file type: the file type tells you which environment the malware targets. For example, if
the file is in ELF (Executable and Linkable Format), the standard binary format for Unix and Unix-like systems,
it can be concluded that the malware targets Unix or Unix-like systems. The ELF header also reveals the CPU
architecture (x86, ARM, MIPS, ...), which matters for IoT samples.

• Determining the cryptographic hash: hash values such as MD5, SHA1 and SHA256 serve as a unique identifier for
the file throughout the course of the analysis. After executing, malware can copy itself to a different location
or drop another piece of malware; the hash tells you whether the newly copied or dropped sample is the same as
the original or a different one, and therefore whether one sample or several must be analyzed. The hash can also
be submitted to online antivirus scanners like VirusTotal to determine whether it has previously been detected by
any AV vendor, and used to search for the specific sample on the Internet.

• Strings search: strings are plain-text ASCII and Unicode character sequences embedded in a file. A strings
search gives clues about the functionality and commands associated with a malicious file. Although strings do not
provide a complete picture of the function and capability of a file, they can yield information such as file
names, URLs, domain names, IP addresses, attack commands, etc.

• File obfuscation (packers, cryptors) detection: malware authors often use packers and cryptors to obfuscate
the contents of a file in order to evade anti-virus software and intrusion detection systems. This also slows
down analysts reverse engineering the code. Few or no meaningful strings and high entropy are the usual signs of
a packed file.

• Determining the fuzzy hash: comparing a sample with those collected or maintained in a private or public
repository is an important part of the file identification process. The easiest way to check for file similarity
is "fuzzy hashing" (for example, ssdeep): comparing fuzzy hashes gives the percentage similarity between files,
so it identifies similar files, not just identical ones. This helps in determining the variants of the same
malware.

• Submission to online antivirus scanning services: this tells you whether malicious-code signatures exist for
the suspect file. The signature name for the specific file provides an excellent way to gain additional
information about the file and its capabilities: visiting the respective antivirus vendor's website or searching
for the signature in search engines can yield additional details about the suspect file. Such

Metasploit With XSS (Cross Site Scripting)
Pprasoon Nigam
ABOUT THE AUTHOR

Pprasoon Nigam
Pprasoon Nigam has been working as a security consultant for the past few years in many large organizations and
is involved in VAPT for web applications, mobile applications and networks. He has been recognised as an "Ethical
Hacker" and has also been working for the last few years on countermeasures against hacking, to make people aware
of it.

Metasploit With XSS (Cross Site Scripting)

What is Metasploit? (originally developed by HD Moore)

Metasploit is not just a tool; it is an entire framework that lets us work on specialized aspects of penetration
testing.

As we all know, the Metasploit Framework was first written in Perl and was later rewritten in Ruby. It was
subsequently acquired by Rapid7.

There are three product editions based on Metasploit:

1. Metasploit Community is the free, basic edition.

2. Metasploit Express is the lighter commercial edition.

3. Metasploit Pro is the expanded edition, building on Metasploit Express.

Note: Metasploit Community is the free edition; Metasploit Express and Metasploit Pro are paid versions.


Important Terminologies
As we will be exploiting and taking over a system, some important terms will be used again and again, so we must
know what each of them means.

Vulnerability: a weakness that allows an attacker or pentester to break into or compromise a system's security;
in cyber-security terms, a flaw in a system that leaves it open to attack. A vulnerability may also be any weakness
in a computer system itself, in a set of procedures, or in anything else that leaves information security exposed
to a threat.

Exploit: the means by which an attacker takes advantage of a flaw, bug or vulnerability; a working piece of code
that is used to compromise a vulnerable system. Examples: a buffer overflow exploit, SQL injection (in a web
application).

Payload: the code delivered by an exploit that runs on the target after exploitation, to aid the attacker in the
post-exploitation phase. Example: a "reverse shell" payload, which makes the target machine open a connection back
to the attacker.

Shellcode: the set of machine instructions used as a payload when exploitation occurs, usually written in
assembly language. Examples: the stager for a Meterpreter shell or a command shell.

Module: a piece of software used by the Metasploit Framework. Examples: exploit module, auxiliary module.

Auxiliary: an auxiliary module is, roughly, an exploit without a payload; it performs scanning, fuzzing, sniffing
and much more. Although these modules will not give you a shell, they are extremely valuable when conducting a
penetration test. Examples: arp_sweep or ipv6_neighbor.

Building A Hacking Kit With Raspberry Pi And Kali Linux
Thauã C. Santos, Renato B. Borbolla & Deivison P. Franco
ABOUT THE AUTHOR

Thauã C. Santos
Systems analyst and full-stack engineer at Cume Sistemas. Founder of Fsociety Brasil.

ABOUT THE AUTHOR

Renato B. Borbolla
Born in São Paulo, Brazil. Specialist in cyber security, with a degree in information security technology. Cyber
security analyst with over 5 years in information technology. Speaker on information security. Computer forensics,
penetration testing, network administration and information security consultant. Author of the N1n3 malware; has
released an e-book about the forensic analysis of the N1n3 malware, with Dr. Paulo Henrique as advisor.

ABOUT THE AUTHOR

Deivison P. Franco
Master's degrees in Computer Science and in Business Administration. Specialist in Forensic Science (with emphasis
in Computer Forensics) and in Computer Networks Support. Degree in Data Processing. Senior Information Security
Analyst at Bank of Amazon. College professor. Judicial and extrajudicial computer forensics expert. Researcher and
consultant in computer forensics and information security. Member of the IEEE Information Forensics and Security
Technical Committee (IEEE IFS-TC) and of the Brazilian Society of Forensic Sciences (SBCF). C|EH, C|HFI, DSFE and
ISO 27002 Senior Manager. Author and technical reviewer of the book Treatise of Computer Forensics. Reviewer and
editorial board member of the Brazilian Journal of Criminalistics and of the Digital Security Magazine. Regular
author for eForensics Magazine. Columnist for the magazines CryptoID and Digital Security.

Building A Hacking Kit With Raspberry Pi And Kali Linux

The Raspberry Pi has some unique features that make it very powerful and easily accessible as a hacking kit. In
particular, its price is a joke: its components cost about the same as a LEGO kit. The Raspberry Pi is highly
discreet, small, thin and easy to hide and, most importantly, runs Kali Linux natively (without any adaptations or
VMs), so it is very flexible and able to run a range of hacking tools, from badge cloners to scripts for cracking
Wi-Fi networks. By swapping SD cards or adding custom components from marketplaces like Adafruit, the Raspberry Pi
can be adapted to almost any situation.

Additionally, the low footprint and power consumption of the Raspberry Pi mean that it can run for a solid day or
two on a USB battery pack. Using Kali Linux on a Raspberry Pi provides a unique and cost-effective option for
accomplishing testing objectives. It is also important to compartmentalize your hacking and to avoid using systems
that can identify you, such as custom hardware. Not everyone has access to a supercomputer and, fortunately, you
do not need one for a platform running Kali Linux.

With more than 10 million units sold, a Raspberry Pi can be bought for cash for just US$30. This makes it very
difficult to identify who is behind a Raspberry Pi attack.

The focus of this article is on combining the power of Kali Linux with the portability and low cost of a
Raspberry Pi. The result is an extremely flexible hacking platform for specific projects that do not require much
processing power. We have used this toolset to conduct vulnerability testing from remote locations, used the
portability of the Raspberry Pi to perform security assessments covertly at different locations, and configured
the Raspberry Pi to be managed remotely with a small footprint.

RASPBERRY PI ATTACKS

First, keep your expectations reasonable when choosing an RPi as your hacking platform: it is not a supercomputer
capable of processing large volumes of data or exceeding the limits of a normal computer. It offers little for
tasks that need a lot of processing power, such as brute-force attacks on WPA handshakes, or for network attacks
in which its low throughput would make the interception noticeable to users. Assign those tasks to computers with
more processing power and use the Raspberry Pi as an information collector or sniffer. Remember, of course, that
every hacking tool becomes more powerful when combined with other attack or defence techniques and tools.

The Raspberry Pi works exceptionally well as a platform for wireless attacks. Because of its small size and the
large number of tools shipped with a system such as Kali Linux, it is the ideal weapon for Wi-Fi reconnaissance
and attack. Our Kali build will also carry out auditing attacks on both Wi-Fi and wired networks.

NECESSARY EQUIPMENT FOR THE ATTACK

Here's the list of components for our project and why we need them.


• Raspberry Pi 3 Kit: the platform, which manages and coordinates all the other components. As described
above, it supports Linux-based operating systems with a high degree of customization, limited only by the
creativity of the user;

• Wi-Fi Command and Control (C2) card: connects the Raspberry Pi automatically to an Access Point (AP), such as
a hotspot on your phone or your home network. This lets you control the Raspberry Pi from a distance via SSH or
VNC. The Raspberry Pi 3 has a wireless card built in; with a Raspberry Pi 2 you need to add a Wi-Fi adapter;

• Wi-Fi attack card: must be compatible with Kali Linux and, more specifically, must support monitor mode (and,
for active attacks, packet injection), so it can be used to sniff networks. Long or short range, depending on
your needs;

• SD card with system image: hosts the operating system, the brain of the environment. Creating custom image
cards lets you switch the Raspberry Pi's role quickly by simply swapping SD cards or components;

• Computer: used for various tasks, from writing the builds to the SD card to remote control;

• Power supply: needed to keep the Pi powered;

• Ethernet cable (optional): depends on the type of attack you plan to make;

• Bluetooth keyboard (optional): useful for interacting with the Pi, especially when using it over HDMI on a
TV;

• Protective case (optional): a case protects the board from physical damage.
