The Moroccan Geek

Des bits d'information qui enrichissent votre quotidien!

Changement D’adresse!

Moroccan Geek Change d’adresse! Retrouvez le blog a l’adresse suivante : Moroccangeek.net

Moroccan Geek is now hosted on a new address : Moroccangeek.net

Advertisements

Google hack Database Tool

Google hack DB Tool is a database tool with almost 8,000 entries. It allows administrators the ability to check their site for vulnerabilities based on data stored in Google. With Google Hack Database tool you can find out if your website has indexed vulnerabilities in Google.

So be sure to scan your public facing web applications frequently and eliminate all vulnerabilities!

Features of the Google Hack DB tool:

  • Find information disclosure.
  • Find sensitive files.
  • Find sensitive directories.
  • Find vulnerable software.
  • Find personal information.

These tool is really fast and will help to eliminate most of the known vulnerabilities that web application developers tend to do easily , simply and most important fast and accurate.

Download Google Hack Database Tool v1.0 here

Source : Pentestit

The Security Auditor’s Research Assistant

The Security Auditor’s Research Assistant (SARA) is a third generation network security analysis tool that that has been available and actively updated for over 10 years, based on the SATAN model, it Checks for common old holes, backdoors, trust relationships, default cgi, common logins, open shares, and much more. It is updated twice a month to address the latest threats :

1-Operates under Unix, Linux, MAC OS/X or Windows (through coLinux) OS’.

2-Integrates the National Vulnerability Database (NVD).

3-Performs SQL injection tests.

4-Performs exhaustive XSS tests.

5-Can adapt to many firewalled environments.

6-Support remote self scan and API facilities.

7-Used for CIS benchmark initiatives.

8-Plug-in facility for third party apps.

9-CVE standards support.

10-Enterprise search module.

11-Standalone or daemon mode.

12Free-use open SATAN oriented license.

To Download it : SARA

Source : packetstormsecurity.org

Débloquez les modems HUAWEI pour utiliser toute carte 3G.

Il est possible de débloquer les différents modèles du modem huawei cités ci-dessous pour utiliser n’importe quelle carte 3G facilement et gratuitement.
les modems concernés :
Huawei E1152
Huawei E1550
Huawei E1550 Kyivstar
Huawei E1552
Huawei E1553
Huawei E156 / E156B / E156C / E156G
Huawei E160 / E160G / E160X
Huawei E161
Huawei E1612
Huawei E1630
Huawei E166 / E166G
Huawei E169 / E169G
Huawei E170
Huawei E172
Huawei E1750
Huawei E1752
Huawei E1756
Huawei E176
Huawei E1762
Huawei E180
Huawei E1820

A vos clicks:
1- Télécharger HUAWEI CODE WRITER qui va vous permettre de débloquer le modem et d’écrire le code de déblockage sur le modem.

L’extension du ficheir est .jpg, car wordpress ne permet pas d’uploader des fichiers de type .rar ou .exe, telecharger le et changer l’extension en .rar.

Si vous avez des problemes pour le telecherger, penser a clicker dessus avec la touche droite de votre sours, et “enregister la cible du lien sous”.

2- branchez votre Modem et exécutez HUAWEI CODE WRITER.

3- Cliquer sur “Please select Com Port” puis sur la fenêtre qui s’affiche cliquez sur “Detect”, selectionnez votre modem puis “Accept”.

4-Votre modem doit être détecte, a cet instant cliquer sur “Unlock Modem”.

5- une fenêtre apparaitra vous demandant le ” Unlock CODE”  et en meme temps certaines informations apparaiteront dans le fenetre centrale de l’application.

6- Recuperer le Phone IMEI et qui va nous servir pour calculer le “Unlock Code”.

7- rendez vous sur ce lien http://www.bb5.at/huawei.php?imei=**************** en remplacant les étoiles par le numero IMEI qui vous avez récupéré .

Vous devez avoir une page du genre :

8- récuperez le code Unlock et renseignez le dans la fenêtre de l’application.

Et finalement Ok, attendez un instant et vous allez avoir un message vous indiquant que votre modem est bien débloqué.

 

 

Apple Spy on You!

Few weeks ago before the launch of visitors series on MBC, An ad was broadcasted thought the MBC’s Group channels, with a woman that show up on a white background after losing signal on TV, and said “We Came in Peace!”.; nothing special about that, it’s just an ad!( especially for the V lovers and people whom were waiting for it), but the strange about that is that Aljazeera Tv replies by a report, that said  that the MBC channels were hacked by the MOSSAD  ( the national intelligence agency of Israel)  to show that message and to communicate with Arabian people and to try to change their minds!

Recently another information was broadcasted by the same channel, this time is about Apple and The Iphone.

http://www.facebook.com/video/video.php?v=112100622187271

The Tv report in the video (Arabic only ) aims to prove that the Iphone is used by Apple to spy on the customers and to collect informations about them, their locations and even to use the front and back cameras, the microphone and the sensors to retrieve instant pictures and conversations.

The report is based on apple patent application that describes methods that may enable the iPhone and iPad to “sense” the user, detecting voice prints, faces, activity patterns and even heartbeats. If unauthorised use is detected, then many security measures could be activated.

But what aljazzera missed up is that the informations and data collected aren’t sent to apple but to the owner’s email, to allow him to track his phone, save data remotely or wipe out the device.

Maybe Aljazeera is going to release another rumor with the lunch of HTC Sense 3 which allow the same thing (not totally!), who could know?!?

NMAP on Android

I’ll show you in this topic how to run NMAP on your Smartphone, and exactly on Android Phone!!!

Nmap is one of the most wanted software used by pentesters, it help to gather informations about ports and services running on a machine, services fingerprinting, detecting Os version… it can run on android too by followind these steps.

First of all you need to download the cross compiled arm nmap from here.

Then connect your phone to your pc and on adb:

adb remount
adb push nmap.zip /sdcard/nmap.zip
adb shell (following on shell)
su
cd /data/local
mkdir bin
cd bin
cp /sdcard/nmap.zip .
unzip nmap.zip
chmod 755 *

After that you can run nmap (nmap -v -iR 5 -PN -p 80 –n) using the terminal emulator like on a normal pc!

The downloaded version is 4.0 if you want to test the 5.30beta1 have a look at this!

Pentest using Android: The Iphone & N900 beat again!

After getting my new phone, an android one (The Samsung Spica i5700), I’ve started looking around on how could I use it as to pentest , the first step was to know the possibilities of the beast, so I started gathering some information about the specifications & the possibilities of The spica.

The spica comes with a 800 Mhz processor with a BCM4329 wifi chipset, which not allow the injection mode for the moment, comparing to the Apple iphone or The N900.

I forgot about the The injection mode to focus on metasploit!,

Metasploit needs to be fully ported to jRuby before it will run on the Android platform.actually We can use it and it can run on android devices offring some Basic operations (Reverse connect shells, meterpreter, etc still don’t work.) but it crashes a lot! HD Moore and his stuff are making serious progress above and maybe we will have a fully ported MSF with the release of the 3.5 metasploit Framework.

Browsing the android market, i found some interesting apps like the Netscan and the Network Discovery wich allows to discover host connected trought the network and get some basic informations like ips,mac addresses, masks… Wifiscanner can help too, to get information about Wifi network and their encryption, and Port scandroid can scan ports but it’s nothing comparing to the Nmap which is avaible and compatible with android (Fully Ported!)

Other tools like ConnectBot(SSh Client) or RemoteVnc are avaible for free on the market.

Python, Perl, JRuby, Lua, BeanShell, JavaScript, Rhino are Fully/partially ported to android and runs quite well (thanks to the devs grous !)

Pentesting with Android still in his first stages comparing to the iphone and N900, that offers a complete set of fully working pentesting tools that run smoothly; but the high speed growing of the google mobile Os and the next release of android for x86 architecture will offer some interesting stuffs in the near future, and maybe , we gonna witness the birth of a fully compatible pentesting framework on Android.

But for those who don’t want to wait, they can use their android devices without android OS to pentest, by emulating a linux operating system!

How could you do this?!? Stay tuned on moroccangeek and you’ll get the full article Soon!

The Good Pentester.

I was looking around for some stuffs about pentesting and I found an excellent article talking about how to get hired as a pentester.

Being a good (Perfect!) pentester doesn’t mean to just be able to run some tools, exploit some systems, and charge the client, but a good Pentester should have certain criteria and methodology of work and some fluency in communication and listening skills, to explain the problems and recommendations and be understood by the clients.
Master the tools and principles of testing is important, but understanding their approaches and methodologies is paramount, by having perfect knowledge of the OSSTMM (Open Source Security Testing Methodology Manual), the OWASP (Open Web Application Security Project), ISSAF (Information Systems Security Assessment Framework) and the guidelines on Network Security Testing by NIST.
Regarding certifications (CEH, CISM, CISA, MCSE, CCNA, CWNP …), they are not mandatory but favorable and desirable.
In addition to the technical side, the tester will have to meet clients and interact with them, with all confidence and with a professional strength of marketing and business, and should especially understand the value of the service he provide to the customer and respect the Non-Disclosure Agreements.

As there are many tools that perform the exact same function, the pentester must have its own customized list of tools that he had gathered and tested.

Android RootKit

Two security researchers From “Spider Labs”, have made the demo of a rootkit for Android At the Defcon, which once installed on a phone (either directly or via an application available on android market) allows the attacker to have a full root remote access to the phone. The connection is established by initiating an outgoing TCP connection via 3G or WiFi. The attacker could steal data, or control the phone.

This rootkit was developed in 2 weeks, and has been distributed on DVD to those who attended the conference, and possibly gonna be avaible on internet in the upcoming weeks, pushing the manufacturers to patch their phones and to focus more on their security.