
Actually Make Money Online

Your Helpful Resource About "Actually Make Money Online"

Monday, August 24, 2020

How To Install Metasploit In Termux


Open Sesame (Dlink - CVE-2012-4046)

A couple of weeks ago a vulnerability was posted for the D-Link DCS-9xx series of cameras. The author of the disclosure found that the setup application that comes with the camera can send a specially crafted request to a camera on the same network and receive its password in plaintext. I figured this was a good chance to do some analysis, figure out exactly how the application carries out this functionality, and possibly create a script to pull the password out of a camera.

The basic functionality of the application is as follows:

  • The application sends out a UDP broadcast on port 5978.
  • The camera sees the broadcast on port 5978 and inspects the payload. If the initial part of the payload contains "FF FF FF FF FF FF", it responds (UDP broadcast, port 5978) with an encoded payload that carries its own MAC address.
  • The application retrieves the camera's response and creates another UDP broadcast, this time setting the payload to contain the target camera's MAC address. This encoded value contains the command to send over the password.
  • The camera sees the broadcast on port 5978 and checks that it is meant for it by inspecting the MAC address specified in the payload. It responds with an encoded payload that contains its password (base64 encoded).

After spending some time with the application in a debugger I found what looked like it was responsible for the decoding of the encoded values that are passed:


super exciting screen shot.
After spending some time documenting the functionality I came up with the following notes (messy wall of text):

Command; Comments
.JGE SHORT 0A729D36; stage1
./MOV EDX,DWORD PTR SS:[LOCAL.2]; set EDX to our 1st stage half decoded buffer
.|MOV ECX,DWORD PTR SS:[LOCAL.4]; set ECX to our current count/offset
.|MOV EAX,DWORD PTR SS:[LOCAL.3]; set EAX to our base64 encoded payload
.|MOVSX EAX,BYTE PTR DS:[EAX]; set EAX to the current value in our base64 payload
.|MOV AL,BYTE PTR DS:[EAX+0A841934]; set EAX/AL to the lookup table entry for that value, the table is hardcoded at 0a841934
.|MOV BYTE PTR DS:[ECX+EDX],AL; ECX = Offset, EDX = start of our half-decoded buffer, write our current byte there
.|INC DWORD PTR SS:[LOCAL.4]; increment our offset/count
.|INC DWORD PTR SS:[LOCAL.3]; increment our base64 buffer to next value
.|MOV EDX,DWORD PTR SS:[LOCAL.4]; set EDX to our counter
.|CMP EDX,DWORD PTR SS:[ARG.2]; compare EDX (counter) to our total size
.\JL SHORT 0A729D13; jump back if we have not finished half decoding our input value
.MOV ECX,DWORD PTR SS:[ARG.3]; Looks like this will point at our decoded buffer
.MOV DWORD PTR SS:[LOCAL.5],ECX; set local.5 to our decoded destination
.MOV EAX,DWORD PTR SS:[LOCAL.2]; set EAX to our half-decoded buffer
.MOV DWORD PTR SS:[LOCAL.3],EAX; set local.3 to point at our half-decoded buffer
.MOV EDX,DWORD PTR SS:[ARG.4]; ???? 1500 decimal
.XOR ECX,ECX; clear ECX
.MOV DWORD PTR DS:[EDX],ECX; clear out arg4 value
.XOR EAX,EAX; clear out EAX
.MOV DWORD PTR SS:[LOCAL.6],EAX; clear out local.6
.JMP SHORT 0A729DAE; JUMP
./MOV EDX,DWORD PTR SS:[LOCAL.3]; move our current half-decoded dword position into EDX
.|MOV CL,BYTE PTR DS:[EDX]; move our current byte into ECX (CL) (dword[0])
.|SHL ECX,2; shift left 2 dword[0]
.|MOV EAX,DWORD PTR SS:[LOCAL.3]; move our current dword position into EAX
.|MOVSX EDX,BYTE PTR DS:[EAX+1]; move our current dword position + 1 (dword[1]) into EDX
.|SAR EDX,4; shift right 4 dword[1]
.|ADD CL,DL; add (shift left 2 dword[0]) + (shift right 4 dword[1])
.|MOV EAX,DWORD PTR SS:[LOCAL.5]; set EAX to our current decoded buffer position
.|MOV BYTE PTR DS:[EAX],CL; write our decoded (dword[0]) value to our decoded buffer
.|INC DWORD PTR SS:[LOCAL.5]; increment our position in the decoded buffer
.|MOV EDX,DWORD PTR SS:[LOCAL.3]; set EDX to our current dword position
.|MOV CL,BYTE PTR DS:[EDX+1]; set ECX to dword[1]
.|SHL ECX,4; left shift 4 dword[1]
.|MOV EAX,DWORD PTR SS:[LOCAL.3]; set EAX to our current dword position
.|MOVSX EDX,BYTE PTR DS:[EAX+2]; set EDX to dword[2]
.|SAR EDX,2; shift right 2 dword[2]
.|ADD CL,DL; add (left shift 4 dword[1]) + (right shift 2 dword[2])
.|MOV EAX,DWORD PTR SS:[LOCAL.5]; set EAX to our next spot in the decoded buffer
.|MOV BYTE PTR DS:[EAX],CL; write our decoded value into our decoded buffer
.|INC DWORD PTR SS:[LOCAL.5]; move to the next spot in our decoded buffer
.|MOV EDX,DWORD PTR SS:[LOCAL.3]; set EDX to our current half-decoded dword
.|MOV CL,BYTE PTR DS:[EDX+2]; set ECX dword[2]
.|SHL ECX,6; shift left 6 dword[2]
.|MOV EAX,DWORD PTR SS:[LOCAL.3]; set EAX to our current half-decoded dword
.|ADD CL,BYTE PTR DS:[EAX+3]; add (shifted left 6 dword[2]) + dword[3]
.|MOV EDX,DWORD PTR SS:[LOCAL.5]; set EDX to point at our next spot in our decoded buffer
.|MOV BYTE PTR DS:[EDX],CL; write our decoded byte to our decoded buffer
.|INC DWORD PTR SS:[LOCAL.5]; move to the next spot in our decoded buffer
.|ADD DWORD PTR SS:[LOCAL.3],4; increment our encoded buffer to point at our next dword
.|MOV ECX,DWORD PTR SS:[ARG.4]; set ECX to our current offset?
.|ADD DWORD PTR DS:[ECX],3; add 3 to our current offset?
.|ADD DWORD PTR SS:[LOCAL.6],4; add 4 to our byte counter??
.|MOV EAX,DWORD PTR SS:[ARG.2]; move total size into EAX
.|ADD EAX,-4; subtract 4 from total size
.|CMP EAX,DWORD PTR SS:[LOCAL.6]; compare our total bytes to read bytes
.\JG SHORT 0A729D50; jump back if we are not done
.MOV EDX,DWORD PTR SS:[LOCAL.3]; set EDX to our last DWORD of encoded buffer
.MOVSX ECX,BYTE PTR DS:[EDX+3]; set ECX to dword[3] last byte of our half-decoded dword (dword + 3)
.INC ECX; increment the value of dword[3]
.JE SHORT 0A729E1E
.MOV EAX,DWORD PTR SS:[LOCAL.3]; set EAX to our current half-decoded dword
.MOV DL,BYTE PTR DS:[EAX]; set EDX (DL) to dword[0]
.SHL EDX,2; shift left 2 dword[0]
.MOV ECX,DWORD PTR SS:[LOCAL.3]; set ECX to our current encoded dword position
.MOVSX EAX,BYTE PTR DS:[ECX+1]; set EAX to dword[1]
.SAR EAX,4; shift right 4 dword[1]
.ADD DL,AL; add (shifted left 2 dword[0]) + (shifted right 4 dword[1])
.MOV ECX,DWORD PTR SS:[LOCAL.5]; set ECX to point at our next spot in our decoded buffer
.MOV BYTE PTR DS:[ECX],DL; write our decoded value (EDX/DL) to our decoded buffer
.INC DWORD PTR SS:[LOCAL.5]; move to the next spot in our decoded buffer
.MOV EDX,DWORD PTR SS:[LOCAL.3]; set EDX to point at our dword
.MOV AL,BYTE PTR DS:[EDX+1]; set EAX/AL to dword[1]
.SHL EAX,4; shift left 4 dword[1]
.MOV EDX,DWORD PTR SS:[LOCAL.3]; set EDX to our current dword
.MOVSX ECX,BYTE PTR DS:[EDX+2]; set ECX to dword[2]
.SAR ECX,2; shift right 2 dword[2]
.ADD AL,CL; add (shifted left 4 dword[1]) + (shifted right 2 dword[2])
.MOV EDX,DWORD PTR SS:[LOCAL.5]; set EDX to point at our current spot in our decoded buffer
.MOV BYTE PTR DS:[EDX],AL; write our decoded value to the decoded buffer
.INC DWORD PTR SS:[LOCAL.5]; move to the next spot in our decoded buffer
.MOV EAX,DWORD PTR SS:[LOCAL.3]; set EAX to point at our current dword
.MOV CL,BYTE PTR DS:[EAX+2]; set ECX/CL to dword[2]
.SHL ECX,6; shift left 6 dword[2]
.MOV EAX,DWORD PTR SS:[LOCAL.3]; point EAX at our current dword
.ADD CL,BYTE PTR DS:[EAX+3]; add dword[3] + (shifted left 6 dword[2])
.MOV EDX,DWORD PTR SS:[LOCAL.5]; point EDX at our current decoded buffer
.MOV BYTE PTR DS:[EDX],CL; write our decoded value to the decoded buffer
.INC DWORD PTR SS:[LOCAL.5]; increment our decoded buffer
.MOV ECX,DWORD PTR SS:[ARG.4]; set ECX to our current offset?
.ADD DWORD PTR DS:[ECX],3; add 3 to our current offset?
.JMP 0A729EA6; jump

Translated into English: the application first uses a lookup table to translate every byte in the input string, using the value of the current byte as an offset into the table. After it is done with "stage1" it traverses the translated input buffer a dword at a time and does some bit shifting and addition to fully decode the value. Here Dword[n] means byte n of the current dword. The following roughly shows the "stage2" routine:
(Dword[0] << 2) + (Dword[1] >> 4) = unencoded byte 1 
(Dword[1] << 4) + (Dword[2] >> 2) = unencoded byte 2 
(Dword[2] << 6) + Dword[3] = unencoded byte 3
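
The two stages described above, reimplemented in Python as an added example (this is not the script from the original post). The lookup table at 0A841934 is not reproduced in the post, so the standard base64 alphabet is assumed in its place; the handling of padding in the final group and the names build_table, stage1, stage2 and decode are also assumptions.

```python
import base64

# Assumption: the table at 0A841934 is not reproduced in the post, so the
# standard base64 alphabet stands in for it here.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
PAD = 0xFF  # -1 as a byte; the final "INC ECX / JE" test looks for this value


def build_table(alphabet=ALPHABET):
    """256-entry stage1 table: input byte -> 6-bit value, PAD for anything else."""
    table = [PAD] * 256
    for value, ch in enumerate(alphabet):
        table[ord(ch)] = value
    return table


def stage1(encoded, table):
    """First loop: replace every input byte with its table entry."""
    return bytes(table[b] for b in encoded)


def stage2(half):
    """Second loop: fold each group of 4 translated bytes into 3 output bytes."""
    if len(half) % 4:
        raise ValueError("input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(half), 4):
        d = half[i:i + 4]
        last = i + 4 == len(half)
        if PAD in d[:2] or (PAD in d and not last) or (d[2] == PAD != d[3]):
            raise ValueError("unexpected character in group at offset %d" % i)
        # CL/DL/AL are 8-bit registers, so every sum is truncated to one byte.
        out.append(((d[0] << 2) + (d[1] >> 4)) & 0xFF)
        if d[2] != PAD:
            out.append(((d[1] << 4) + (d[2] >> 2)) & 0xFF)
        if d[3] != PAD:
            out.append(((d[2] << 6) + d[3]) & 0xFF)
    return bytes(out)


def decode(encoded, table=None):
    return stage2(stage1(encoded, table or build_table()))


if __name__ == "__main__":
    sample = base64.b64encode(b"constructed-sample")  # constructed input
    print(decode(sample))
```

Without the & 0xFF mask the second and third formulas produce values larger than a byte, which is the detail the shorthand above leaves implicit.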

I then confirmed that this routine worked on an "encoded" value that went over the wire from the application to the camera. After confirming the encoding scheme worked, I recreated the network transaction the application does with the camera to create a standalone script that will retrieve the password from a camera that is on the same LAN as the "attacker". The script can be found here; thanks to Jason Doyle for the original finding (@jasond0yle).
