Skip to main content


Showing posts from 2022

Bluetooth Sniffing

There is no promisc mode for standard bluetooth firmwares. With tools such as hci dump we can only read our own traffic. "hcidump -X -i hci0" So to implement bluetooth sniffer we will use the bluetooth modules once again Lets start digging into the code to sniff bluetooth packets. ##Required Libraries ##Method 'hci_open_dev(0)' opens a raw socket to the first HCI device. ##In socket object we will set the properity HCI_FILTER to be able to recieve all HCI events and packets type. ##now inside while loop we will read 3 bytes from socket 1. first byte represents the type of HCI packet 2. second is HCI byte 3. length of the packet i.e. packet is dumped bytewise in hexedecimal unless type is a HCI_ACLDATA_PKT and if so we print the whole packet as ASCII string you can find the whole code in the following repository Bluetooth Sniffer Checkout some more hacking scripts SECURING SYSTEM

Bluetooth Spoofing

For two different chipsets Ericsson and CSR codes exist that allows us to set new bluetooth address ,which makes spoofing possible. we can examine chipset of our bluetooth dongle by runnning command 'hcidump -a' Lets start digging into the code ##required libraries ##check if bluetooth adddress is passed as an arguement to this script or not and if not simply print usage and exit ##split the bluetooth address by colon into its bytes ##open the raw socket to the hci device with help of 'hci_open_dev()' method ##this is a cryptical vendor command ,here we are appending the new bluetooth address in the CSR-vendor comamnd ##change the command to hexadecimal else ASCII value of single chars get set ##Now finally we send the command via HCI to the firmware. and once we update the bluetooth address we must reset the chip ,as this can be simply done by unplugging dongle and plugging it again. you can check the whole code in this repository bluetooth spoofin

blue bug exploit

some bluetooth device may contain a hidden channel that is not listed by sdp and to which one connect without any password protection. once connected one can send any AT command and the mobile phone will execute without question. This can be used to completely remote control the device. The possibility of this exploit go from reading the phone book , calender to sending the messages ,making calls etc. Search for nokia AT commands and start executing them while performing this attack. Lets start writing the code ##required libraries ##check if proper arguements are passed to the script or not and if not simply exit ##set the arguement values to the variable ##create a socket object from lightblue library and pass the bluetooth address and the channel id to the connect method of the socket object. and connect to the device. ##once the connection is made start executing the nokia AT commands and once we will exit the loop we will simply close the socket connection You ca

Blue Snarf Exploit

The Blue Snarf exploit connects to an OBEX-Push profile, which is implemented on most devices without any authentication, and tries to retrieve the telephone book as well as the calendar by issuing a OBEX GET. ##Required Libraries ##Check if required arguements are passed to script or not and if not exit ##assign the arguements passed to the variables ##create an object of the obex client and pass the parameters and connect ##open both the 'phonebook.vcf' and 'calender.vcf' files to store the data and use the get() method of lightblue to download the files. get method needs two parameter first is dictionary where key consist of path to the remote file ,and second the parameter is an open writable file handle in which content of file gets written and close the file handle via .close() method ##disconnect the connection made You can check the whole code under this repository blue_snarf_exploit Checkout some more hacking scripts

OBEX (OBject EXchange)

OBEX (OBject Exchange) is a communications protocol that facilitates binary transfers between bluetooth enabled devices. ##Libraries required ##check if the required arguements passed to script or not and if not exit ##assign the values recieved over arguements to the variables ##firstly we will create a new OBEXClient object by calling the "OBEXClient() and pass the Bluetooth address and channel as parameter" Then method connect tries to connect to the specified tupel ,and if the connection is made we use the put() method to send a file The first parameter for the put() method is dictionary ,this just defines the what the name of the file will be on remote device and second parameter is a file handle to a binary opened file.and the connections and socket are closed. You can check the complete code in this repo : OBEX Checkout some more hacking scripts SECURING SYSTEM BLUETOOTH

RCOMM Channel Scanner

Each service can be listed via SDP ,but its not an actual requirement .So thats where the RCOMM comes into the picture ,it will try to access all the 30 channels to see what is running on the target address. We can consider RCOMM scanning as the port scanning for bluetooth . It is making a full connection to each channel, no packet tricks, no nothing. If it reaches a channel that needs further authorization the owner of the scanned device is asked to authorize it and for an encrypted link layer to even enter a password. If the owner chooses to not authorize the connection the socket connection is closed. The user interaction needs time. Time we can use to determine whether the port is really closed or filtered. ##Implementation details: The Idea is to call the function alarm before executing connect. If the connect call doesn’t return before timeout seconds are reached the signal SIGALRM gets triggered, which executes our handler function sig_alrm_handler(), that was previously

SDP(Service Discovery Protocol) - Browser

SDP(Service Discovery Protocol) : A bluetooth device can be queried which services it offers. It returns information about the channel the service is running on ,the used protocol ,the service name and a short description. For this we will use the python module `bluetooth` ,for bluetooth related operations. ##Required libraries ##check if the parameters required to this script are passed or not and if not exit and print usage. ##use find_service() method ,it recieves the target address as parameter and return a list of services. As the list contains the dictionaries which items are the described properties service until list returned is not empty. you can clone the whole code in the following git repo : SDP Browser Checkout some more hacking scripts SECURING SYSTEM BLUETOOTH ATTACKS STEALING AND SNIFFING ATTACKS KALI LINUX HACKING COMMANDS CHEATSHEET

Bluetooth Scanner with python

Bluetooth is a wireless voice and data transmission technology, which can be built into mobile phones, PDAs, USB sticks, keyboards, mices, headsets, printers, telephone facilities in cars, navigation systems, new modern advertisement posters, umbrellas etc. In contrast to infrared, Bluetooth doesn’t rely on direct visual contact to connect to devices. Lets start the scripting the bluetooth scanner in the python we will use existing libraries for this . ##Modules Required - lightblue - bluetooth First of all we need to start our bluetooth device / turn on the bluetooth ##Method finddevices() returns the list of tuples as (hardware address ,device name ,device class) we can set the optional param getnames=False by doing this we can skip the name resolution but it maye take some extra time as bluetooth makes an extra connection just to resolve every name. you can clone the whole script from this repository : bluetooth_scanner Checkout some more hackin

python code to Scrap images from google

Introduction Web scraping is a mechanism of using bots to extract data / content from the internet / website . The web scraping software may directly access the World Wide Web using the Hypertext Transfer Protocol or a web browser. While web scraping can be done manually by a software user, the term typically refers to automated processes implemented using a bot or web crawler. It is a form of copying in which specific data is gathered and copied from the web, typically into a central local database or spreadsheet, for later retrieval or analysis. [source wiki] How to scrap images from google? we will use python as a base language and libraries like beautifulsoap ,selenium ,os ,time etc to create a scraper from scratch. ## Required Libraries ## 'download_image' : Method to download each image with help of requests library and if the status returned is 200 then we will write the image into our machine via file handling. ## 'download_failed : it is a variable with w

Stealing wifi passwords with python

This only works in the windows machine since windows only support the command 'netsh wlan show profiles' ##required libraries ##"netsh wlan show profile" is a command to fetch the network names to which the system has connected ,execute this command with help of subprocess library ##fetch all network names from with the help of regex from the output of the netsh command executed with help of subprocess and once we filter the network names we will run another netsh commmand this time with network name as parameter along with key=clear ,this will show the password in plain text ,and then we will add the passwords to our string variable f_output. ##once the passwords are fetched we will start appending them into the text file. ##we can even send this password as mail to ourself from our own mail-id in case this is given to victim's in executable form . we need to fill in the mail-id as well password to make it work. NOTE : we can even add this as the func

backdoor in Python

##Backdoor based on TCP server and client with python Server side code : '' " is the code which will be running on the attacker's machine" ##required libraries ## create socket object ## generate_socket_and_listen method is to generate socket (i.e. bind an ip address with the port number) and listen for the incoming connections ## once the victim opens the executable in his/her machine ,and the socket recieved the incoming connection ,then shell method will be executed . since we have the shell from the victims machine we can do anything like perform any os command ,or execute manually written commands like get ,download ,start ,upload "download -> download files from victim's machine" "upload -> upload files to victim's machine" "get -> download files from the internet to victim's machine" "start-> start other applications on victim's machine" ## we will use

Sniffer for email credentials

##Library required ##Variables defined ##Callback function ,when this function is called we check to make sure it has a data payload whether the payload contains the typical USER or PASS mail commands and if we detect an authentication string ,we print out the server we are sending it to and the actual data types of the packet . ##We added a filter that only includes the traffic destined for the common mail ports like "110 (POP3) ,143 (IMAP) ,25 (SMTP)" as well as we used the parameter "store" which is when set to '0' ensures that scapy isn't keeping the packets in memory. If we want to sniff for longer time then its a good idea to keep "store=0" so that it won't be consuming vast amounts of RAM. NOTE: execute this script with admin/root permissions Code repostory : sniffer_for_email_credentials Checkout some more hacking scripts SECURING SYSTEM

Sniffer with no Filter

Below code is a simple sniffer that sniffs the packet and dumps its content. ##Library required ##Callback function ,will recieve each sniffed packet ##this will sniff the packets on all interfaces with no filtering NOTE: the script should be executed as admin/root in order to make it work code repository : sniffer_with_no_filter Checkout some more hacking scripts SECURING SYSTEM BLUETOOTH ATTACKS STEALING AND SNIFFING ATTACKS KALI LINUX HACKING COMMANDS CHEATSHEET TROJAN AND BACKDOORS DICTIONARY AND BURTEFORCING ATTACKS MAN IN THE MIDDLE ATTACKS 1. Sign & Verify message 1. Bluetooth discovery 1. Stealing saved wifi password from windows 1. Hacking commands with Kali Linux

TCP proxy

Benifits of Tcp proxy we can forward the traffic from host to host as well as useful when assessing network based software. So in this code we will continually read from local ,process and send to remote ,read from remote ,process and send to local until there is no more data detected. ## we will firstly take the command line arguements and then fire up a server loop that listens that listens for connections. once any connection request comes in ,we hand it off to 'proxy_handler' ,which does all the sending and recieving of bits to either side of the data stream. ## we will make sure that we should not be initiating a connection to the remote side and request data before going into our main loop. Then we will use the 'recieve_from' function which we reuse for both side of the communication ,it simply takes in a connected socket object and performs a recieve. Then we will dump the contents of packets so that we can inspect it for anything interesting .then we pa

Dictionary Attacks

Passwords are not generally stored in plaintext form. crypt() is a one way hash function that expects a plaintext password and a salt value for input and then outputs a hash with the salt value prepended to it. This hash is mathematically irreversible ,meaning that it is impossible to determine the original password using only the hash. So if user wants to authenticate user will enter the password and then hash corresponding to that password will be generated ,and if the hash matches with the hash stored in file ,then user entered the correct password .In this way without storing the password in plaintext form we can have authentication here. With this mechanism ,we can think of that the even encrypted password stored in the file is useful ,so we can have a dictionary attack here by hashing each word in the wordlist and compare it with the hash stored in the file ,so in this way we can crack the password. Dictionary Attack program will just needs to read word from file ,hash each