How To Hack Your Bank Account “$1 Million” using Kali Linux

Disclaimer. Okay, we are not actually going to “hack” your bank account. But we are going to quickly use the developer tools to manipulate text on our browser.

  1. Log into your bank account.
  2. Find your bank and the current amount.
  3. Open up the Developer Tools ( Menu Option > More tools > Web Developer Tools
  4. In the top left of the developer window, select the mouse. This should let you go to the web page, click on your “account balance”.
  5. Double click and change your “account balance” to $1 Million.

Congratulations! You are a millionaire. At least on paper.

*If you honestly were looking for a way to hack your bank account for 1 million dollars… Stop…

Operation Triangulation – iOS Zero-click APT Exploit Info

Quick Summary: Operation Triangulation is an iOS zero-click exploit that will self destruct, looks to have been used since at least 2019, works on iOS 15.7, unsure if it works on iOS 16. Can collect location, mic recordings, photos, and manipulate iMessages. First point of entry is from an iMessage message, that compromises the device, after compromise, the message gets deleted.

https://securelist.com/operation-triangulation/109842/

https://www.kaspersky.com/about/press-releases/2023_kaspersky-reports-on-new-mobile-apt-campaign-targeting-ios-devices

https://arstechnica.com/information-technology/2023/06/clickless-ios-exploits-infect-kaspersky-iphones-with-never-before-seen-malware/

Links for checking for infection.

https://securelist.com/find-the-triangulation-utility/109867/

https://github.com/KasperskyLab/triangle_check

The following is a list of C&C domains from the securelist.com article. Did a quick DNS lookup for each domain and they currently have the following records & IP addresses. Note that these can change at any time and some of the IP addresses are/can be shared with other legitimate websites if it is on a shared hosting provider.

addatamarket.net - sandy.ns.cloudflare.com, doug.ns.cloudflare.com - No A records, or TXT
backuprabbit.com - nelci.ns.cloudflare.com, morgan.ns.cloudflare.com - No A records, or TXT
businessvideonews.com - ns2.dnsowl.com, ns3.dnsowl.com, ns1.dnsowl.com - 198.251.81.30, 209.141.38.71, 107.161.23.204
cloudsponcer.com - Cloudflare, kipp.ns.cloudflare.com, joyce.ns.cloudflare.com
datamarketplace.net - ns78.domaincontrol.com, ns77.domaincontrol.com, 34.98.99.30
mobilegamerstats.com - ns1.bitdomain.biz, No A records, TXT=v=spf1 redirect=_spf.mailhostbox.com
snoweeanalytics.com - cody.ns.cloudflare.com, arlee.ns.cloudflare.com - 104.21.76.6, 172.67.184.201
tagclick-cdn.com - ns4.bitdomain.biz, ns3.bitdomain.biz, ns2.bitdomain.biz, ns1.bitdomain.biz - No A records, TXT=v=spf1 redirect=_spf.mailhostbox.com"
topographyupdates.com - nero.ns.cloudflare.com, dalary.ns.cloudflare.com - 104.21.27.67, 172.67.141.199
unlimitedteacup.com - nelci.ns.cloudflare.com, javon.ns.cloudflare.com - 104.21.55.58, 172.67.145.72
virtuallaughing.com - elaine.ns.cloudflare.com, braden.ns.cloudflare.com - 104.21.60.240, 172.67.202.140
web-trackers.com - dns1.registrar-servers.com, dns2.registrar-servers.com - 15.164.228.250
growthtransport.com - ns3.dnsowl.com, ns2.dnsowl.com, ns1.dnsowl.com - 198.251.81.30, 107.161.23.204, 209.141.38.71
anstv.net - ns64.domaincontrol.com, ns63.domaincontrol.com. - 93.90.223.185
ans7tv.net - ns37.domaincontrol.com,ns37.domaincontrol.com - 93.90.223.185

List of domains

addatamarket.net
backuprabbit.com
businessvideonews.com
cloudsponcer.com
datamarketplace.net
mobilegamerstats.com
snoweeanalytics.com
tagclick-cdn.com
topographyupdates.com
unlimitedteacup.com
virtuallaughing.com
web-trackers.com
growthtransport.com
anstv.net
ans7tv.net

List of IPv4 addresses used

107.161.23.204
198.251.81.30
209.141.38.71
34.98.99.30
172.67.184.201
104.21.76.6
172.67.141.199
104.21.27.67
172.67.145.72
104.21.55.58
104.21.60.240
172.67.202.140
15.164.228.250
209.141.38.71
198.251.81.30
93.90.223.185

Bash command to get an updated IP address list. bad.txt contains all the above domain names.

for i in `cat bad.txt` ; do dig $i a +short >> badips.lst; done

Check DNS logs

If you have a DNS server, you can check to see if there has been any name resolution by using the following. Change named.log to your dns log

# list=""addatamarket.net"
"backuprabbit.com"
"businessvideonews.com"
"cloudsponcer.com"
"datamarketplace.net"
"mobilegamerstats.com"
"snoweeanalytics.com"
"tagclick-cdn.com"
"topographyupdates.com"
"unlimitedteacup.com"
"virtuallaughing.com"
"web-trackers.com"
"growthtransport.com"
"anstv.net"
"ans7tv.net""

# for domain in $list; do echo $domain && sudo grep -i $domain /var/log/named.log; done

Setup Mikrotik capture traffic

Mikrotik packet sniffer settings to capture traffic coming or going to the above IP addresses.

/tool sniffer
set file-limit=32000KiB file-name=Triangulation filter-ip-address="107.161.23.20\
    4/32,198.251.81.30/32,209.141.38.71/32,34.98.99.30/32,172.67.184.201/32,104.\
    21.76.6/32,172.67.141.199/32,104.21.27.67/32,172.67.145.72/32,104.21.55.58/3\
    2,104.21.60.240/32,172.67.202.140/32,15.164.228.250/32,209.141.38.71/32,198.\
    251.81.30/32,93.90.223.185/32" 

You can then start the sniffer by running Tools -> Packet Sniffer Settings -> Start

or run

/tool/sniffer/start

Resolution

Apple issued an update that fixes the kernel part of the vulnerability.

https://securelist.com/triangledb-triangulation-implant/110050/

How to Bypass NVIDIA NVENC Limits on RTX Cards on Linux

It appears that NVIDIA has limited the number of NVEncoding streams on consumer GPUs. Guess it is so people have to buy the more expensive professional cards.

Fortunately, the limit is only applied to the driver, and there is a patch available that let’s us bypass the limiter.

https://github.com/keylase/nvidia-patch

Install Patch

This assumes you already have the driver installed. If you do not, or run into issues with the commands below, refer to the above link.

Download the tool

https://github.com/keylase/nvidia-patch/archive/refs/heads/master.zip

wget https://github.com/keylase/nvidia-patch/archive/refs/heads/master.zip

Unzip the file

unzip nvidia-patch-master.zip

Run the patch script

cd nvidia-patch-master
sudo bash ./patch.sh

And we are finished!

Further reading

NVIDIA has a matrix of which cards support how many streams etc.

https://developer.nvidia.com/video-encode-and-decode-gpu-support-matrix-new

And while we are on the topic of artificial limits, check out the vGPU license bypass

https://github.com/KrutavShah/vGPU_LicenseBypass

Reversing Obfuscated Phishing Email

Ran across an email that had an attachment named Payment.htm. This kind of phishing attack isn’t anything new, but the htm file had some interesting obfuscation inside of it.

https://news.trendmicro.com/2022/10/31/html-email-attachments-phishing-scam/

Doing some online searching brought up the following analysis on Joe Sandbox

https://www.joesandbox.com/analysis/831537/0/html

Opening up the file in a virtual a Kali virtual machine, starts to load what appears to look like a Microsoft Sharepoint site. Notice the URL is the local file. It’s setup to pull the photos from the web. Since the VM had no internet available, the images never loaded.

After spinning around for a second, it loads the “log on page”, already populated with our email address. Note I changed the email address before taking the screenshot.

Typing in a random password and hitting Sign in triggers the sign in page.

Notice the ipinfo.io network connection

Going to https://ipinfo.io/json gives us a good bit of info about our IP address, location etc. It looks like this information is requested and then sent to the hackers.

Since there was not an internet connection, the malicious htm web page never received the IP information and so didn’t continue on to the next stage, it just sat there loading. Should be able to setup a fake local server and feed it the information to continue on to the next stage. Or we can just do some static code analysis

Base64, Base64 and more Base64

Opening up the file in a text editor shows tons of Base64 encoded data. The file is only about 20 lines long, but the individual lines are super long.

This first section of Base64 encoded data is by far the shortest. atob is a javascript function that decodes Base64 data. There are multiple atob functions, meaning that to actually get the data, we’ll need to decode the data multiple times. Or we can just copy out the atob functions, and run them directly in Node.js to get the output.

This is fairly easy to do, run nodejs from the command line, set the variable, and print it to console

# nodejs
> let b64 = atob(atob(etc...etc...etc...))
> console.log(b64)

Unfortunately, the next few lines are too large to do what we just did. What we can do is duplicate the file, then delete all non javascript text. Next we can replace the beginning lines where it says “document.head……atob” to

console.log(atob(atob(atob(.....))));

After we have cleaned up the file and made those changes, we save it, and now run it as a javascript file.

nodejs ./Payment.htm

If we want to, we can pipe the output into another file with the > operator

nodejs ./Payment.htm > Decoded_Payment.js

Deobfuscating the important stuff

Looking at the decoded code shows that there is still some obfuscated stuff in that last line.

The var _0x8378= array contains a lot of human unreadable text.

Fortunately, this is not hard to decode at all. In a terminal, launch nodejs again, copy the whole array as a variable, and then just print the whole array.

nodejs
> var _0x8378 [.....]
> > console.log(_0x8378);
[
  '.loaderxBlock',
  'querySelector',
  '.overlay',
  '.loginForm',
  '.lds-roller',
  '#logoPage2',
  '.backArrow',
  '.emailBlock',
  '.passwordBlock',
  '#next',
  '#signin',
  '.emailInvalid',
  '.passwordError',
  '.passwordNull',
  '#boilerText',
  '.passwordImput',
  '.emailInput',
  'ssvv',
  'getAttribute',
  'rrt',
  'getElementById',
  '#bbdy',
  '.canvas',
  '.imgclass',
  '.loader',
  '.logerMe',
  '.tittleText',
  'aHR0cHM6Ly9zdXBwb3J0Lm1pY3Jvc29mdC5jb20vZW4tdXMvb2ZmaWNlL2ZpeC1vbmVkcml2ZS1zeW5jLXByb2JsZW1zLTA4OTliMTE1LTA1ZjctNDVlYy05NWIyLWU0Y2M4YzQ2NzBiMg==',                                                                                                                                 
  'test',
  'Email =',
  'log',
  'load html',
  'href',
  'location',
  '#',
  'backgroundImage',
  'style',
  'body',
  'dXJsKCdodHRwczovL2FhZGNkbi5tc2F1dGgubmV0L3NoYXJlZC8xLjAvY29udGVudC9pbWFnZXMvYmFja2dyb3VuZHMvMl9iYzNkMzJhNjk2ODk1Zjc4YzE5ZGY2YzcxNzU4NmE1ZC5zdmcnKQ==',                                                                                                                             
  'display',
  'none',
  'block',
  'value',
  '5823592882:AB1830h83D83DjWmnaEao398JHEXhueXE83',
  '-839602468',
  'aHR0cHM6Ly9hcGkudGVsZWdyYW0ub3Jn',
  'aHR0cHM6Ly9pcGluZm8uaW8vanNvbg==',
  'userAgent',
  'navigator',
  '0',
  'padStart',
  'getDate',
  'getMonth',
  'getFullYear',
  '/',
  'json',
  'ip',
  'city',
  'country',
  'org',
  'postal',
  '/bot',
  '/sendMessage?chat_id=',
  '&text=<b>OFFICE365-HTML-LOGS@ZERO</b>%0A[',
  '] ',
  '%0A<b>USER-AGENT: </b>',
  '%0A<a>see me: @mrcew</a>%0A<b>EMAIL: </b><pre>',
  '</pre>%0A<b>PASSWORD: </b><a>',
  '</a>%0A<b>Location: </b>IP: ',
  ' | CITY: ',
  ' | COUNTRY: ',
  ' | ORG: ',
  ' | POSTAL: ',
  '&parse_mode=html',
  'obago!',
  'borderColor',
  '#0067b8',
  'onLine',
  'reload',
  '.emailLabel',
  'innerHTML',
  'grid',
  'red',
  'click',
  'addEventListener',
  'length',
  'Done 2 times',
  'replace',
  '',
  ' ',
  'src',
  'keyup',
  'keyCode',
  'preventDefault'
]

Notice we have some more Base64 encoded URLs.

These are easy to decode.

> console.log(atob("aHR0cHM6Ly9zdXBwb3J0Lm1pY3Jvc29mdC5jb20vZW4tdXMvb2ZmaWNlL2ZpeC1vbmVkcml2ZS1zeW5jLXByb2JsZW1zLTA4OTliMTE1LTA1ZjctNDVlYy05NWIyLWU0Y2M4YzQ2NzBiMg=="));
https://support.microsoft.com/en-us/office/fix-onedrive-sync-problems-0899b115-05f7-45ec-95b2-e4cc8c4670b2
> console.log(atob("dXJsKCdodHRwczovL2FhZGNkbi5tc2F1dGgubmV0L3NoYXJlZC8xLjAvY29udGVudC9pbWFnZXMvYmFja2dyb3VuZHMvMl9iYzNkMzJhNjk2ODk1Zjc4YzE5ZGY2YzcxNzU4NmE1ZC5zdmcnKQ=="));
url('https://aadcdn.msauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.svg')
> console.log(atob("aHR0cHM6Ly9hcGkudGVsZWdyYW0ub3Jn"));
https://api.telegram.org
> console.log(atob("aHR0cHM6Ly9pcGluZm8uaW8vanNvbg=="));
https://ipinfo.io/json

The last URL is the ipinfo.io one we saw in the browser developer tools. Some of the variables from the above variable also seem to map to the return info from ipinfo.

Decoding base64 “atob” in Javascript NodeJS

atob() is a javascript function that decodes base64 encoded text. btoa() is the encoding function. We can use NodeJS to dedcode atob() functions. For instance, we can lanch nodejs woth

nodejs

and decode the sting SGVsbG8gV29ybGQgIQ==

console.log(atob("SGVsbG8gV29ybGQgIQ=="));

If we wanted to break that down into a couple variables we can do something like the following.

> var b64 = atob("SGVsbG8gV29ybGQgIQ==")
> console.log(b64");

You can also create a javascript file and then run the file with nodejs.

var b64 = atob(atob("U0dWc2JHOGdWMjl5YkdRZ0lRPT0="))

console.log(b64);

We can then run the file with

nodejs ./file.js

In the file the string “Hello World !” is double encoded so we process it twice with the “atob(atob(base64);”

There is more info available at the following links

https://www.npmjs.com/package/atob
https://developer.mozilla.org/en-US/docs/Web/API/atob

Check out the following article if you want to use Python to decode base64.

Send/Receive a File with Netcat

For clarity of instructions, we will use the following terminology.

Server = Remote system, typically like a web server
Client = Local system, the computer/vm you are using

Download file from Server

Server

Run the following command on the server.

cat file.txt | nc -l -p 1234

Client

Now on the client we can download the file with the following. Change the IP to the Server IP address

nc 192.168.1.20 1234 > file.txt

Upload from Client to Server

If we want to reverse this, aka. send a file from the client to the server, we can do the following

Server

This will write the file to file.txt

nc -l -p1234 -q 1 > file.txt < /dev/null

Client

Send file.txt to 192.168.1.20. Change the file and IP address as needed.

cat file.txt | nc 192.168.1.20 1234

https://superuser.com/questions/98089/sending-file-via-netcat

Directory Traversal – Burp Suite

Here are a couple different ways to do directory traversal.

More detailed information is available at the following site.
https://portswigger.net/web-security/file-path-traversal

  1. Normal directory traversal
  2. URL Encoding
  3. Getting around applications that strip directory traversal sequences
  4. Using a null byte

Directory Traversal

What exactly is directory traversal anyway? Well, it is pretty much exactly what it sounds like. We traverse directories by manipulate the file path, for something like an image, to get something more valuable like the passwd file.

In it’s most basic form, we can add ../../../../../etc/passwd to a file path and instead of pulling an image, we get the passwd file.

For instance, if we load an image on a website, it’s file path on the server may be something like /var/www/html/image.png. If we right click on an image and open in a new tab and inspect the URL, we can see this path. “Note: Web servers have a root directory for all the website files. Generally web files’ root starts there not / root of the machine.”

Now if we remove image.png and replace it with ../ (../ on Linux/macOS or ..\ on Windows) we’ll go backwards one directory. String them together and we can go back to the root of the drive. Then we can add /etc/passwd (Or replace with whatever file we want) and load the contents of that file.

Most web applications should have some sort of protections in place to guard against directory traversal. Let’s go over a few ways to get around it.

URL Encoding

URL encoding sometimes can work and is simple to do. In Burp, select the file path, right click, Convert selection -> URL -> URL-encode all characters.

You can also try double encoding. Encode once, select the encoded text and encode again.

In the above screenshots, ../../etc/passwd becomes “%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%36%35%25%37%34%25%36%33%25%32%66%25%37%30%25%36%31%25%37%33%25%37%33%25%37%37%25%36%34”

Getting around applications that strip directory traversal sequences

Sometimes the web app can strip out text that it knows is directory traversal characters/sequences. For instance, it sees ../ in the requested url and just strips it out.

We can do something like the following sequence to get around it.

....//....//etc/passwd

That is 4 periods, followed by 2 slashes. What happens is the web app reads the URL, goes hey ../ is not allowed, bye bye! Removes the two instances of ../ and forwards the URL on. Which ends up being

../../etc/passwd

Which is just perfect for our use case.

Using a Null Byte

If the application is using the file extension to validate that an image or other file is loaded, instead of say passwd, we can try using a null byte. A null byte is used to terminate a string.

../../etc/passwd%00.png

What can end up happening is the web application sees the .png or .jpg at the end and goes “oh that is a valid extension, carry on” and then the system reads the line and sees the null byte and says “Oh null byte! end of file path, here is your file.”

Hydra – Socket error: Connection reset by peer

[VERBOSE] Disabled child 2 because of too many errors
[VERBOSE] Disabled child 6 because of too many errors
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error

Looks like the issue can happen if you have too many threads going at once. Lower the amount of threads your using with -t. Recommended amount for ssh is 4.

hydra -L usernames.txt  -P "passwords.txt" 192.168.1.20 ssh -t4

Hashcat examples

Rule based attack

Use a wordlist and best64 rules to try and crack a wordpress hash. Using rockyou.txt as an example.

-m Specifies the hash type

hashcat -m 400 wordpress.hash -r rules/best64.rule wordlist/rockyou.txt

wordpress.hash is a text file that contains the password hash. You can list multiple hashes in the file

Example contents of file

bob@localhost:~$ cat wordpress.hash 
$P$BeJ2ZWVgSx/rR8ifcTFyjq1ouCCWwu0
bob@localhost:~$

Brute force

Attempt every 8 numeric combination for a WPA2 key.

hashcat -m 2500 -a3 capture.hccapx ?d?d?d?d?d?d?d?d

Hashcat built in Charsets

You can swap out the ?d from the above command with any of the built in character sets below.

  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
  d | 0123456789
  h | 0123456789abcdef
  H | 0123456789ABCDEF
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff

More information
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
Rule based attacks are recommended
https://hashcat.net/wiki/doku.php?id=rule_based_attack

Generate Password list using Crunch

Install crunch and then generate a word list with the following command. The 8 8 tells crunch to generate combinations that have a minimum and maximum length of 8. All the numbers from 1-0 tells crunch to use these characters, -o writes to output file.

Change options if desired.

crunch 8 8 1234567890 -o 8numberchars.lst

Further reading. https://tools.kali.org/password-attacks/crunch