Archive for July, 2016

Original Article appeared here:
http://thehackernews.com/2015/12/internet-of-things-search-engine.html
Meet an all-new Hacker’s Search Engine similar to Shodan – Censys.
At the end of last month, security researchers from SEC Consult found that the lazy manufacturers of home routers and Internet of Things (IoT) devices have been re-using the same set of hard-coded cryptographic keys, leaving around 3 millions of IoT devices open to mass hijacking.
But how did the researchers get this number?
Researchers uncovered these devices with the help of Censys – a new search engine that daily scans the whole Internet for all the vulnerable devices.

Censys Maintains Complete Database of Everything on The Internet

Censys is similar to hacker’s search engine Shodan, which is designed specifically to locate any devices that have been carelessly plugged into the Internet without much attempt at preventing unauthorized access.
However, Censys employs a more advanced method to find vulnerabilities in the devices and make the Internet a safer place.
Censys is a free search engine that was originally released in October by researchers from the University of Michigan and is powered by the world’s biggest search engine Google.
Censys is part of an open source project that aims at maintaining a “complete database of everything on the Internet,” helping researchers and companies unearth Online security mishaps and vulnerabilities in products and services.

How Does Censys Work?

Censys collects information on hosts and websites via daily scans of the IPv4 address space – the internet protocol version 4 that routes the majority of the Internet traffic today.
In order to do so, the new search engine uses two companion tools:
  • ZMap – an open-source network scanner
  • ZGrab – an application layer scanner
Censys then maintains a database of how hosts and websites are configured, allowing researchers to query the data through a search interface, report builder, and SQL engine.
ZMap scans over 4 Billion IP addresses on the Internet and collects new data every day. It also helps determine whether the machines on the internet have security vulnerabilities that should be fixed before being exploited by the hackers.

“We have found everything from ATMs and bank safes to industrial control systems for power plants. It’s kind of scary,” said Zakir Durumeric, the researcher leading the Censys project at the University of Michigan.

Obvious flaws in addition to issues caused by IT administrator failures can also be found.
Here’s the MIT Technology Review on Censys, titled “A Search Engine for the Internet’s Dirty Secrets.”
More details on the Censys architecture and functionalities are available in the team’s research paper.
If you would like to give Censys a try, you can follow the step-by-step tutorial offered by the developers.

 

With iPhone 7 not having a 3.5mm port. Here a brilliant way to convert your old earphones to bluetooth earphones!

 

Picture of Convert Any Headphones to Bluetooth Wireless
IMG_2230.JPG
IMG_2229.JPG

The purpose of this instructable is to eliminate the headphone wire between my iPhone and headphones. The wire would constantly snag on things while at work and be ripped out from the headphones(3.5mm jack on the headphones). The “under the shirt” method worked however it was annoying at times and could still be caught on things.

Materials Used:
1.  A pair of your favorite headphones* – I used my Studio Beats by Dr. Dre
*if your headphones do not have a 3.5mm jack on them, the headphone cord can be shortened permanently or just wrapped around the headband!

2. Stereo Bluetooth Headset
http://www.aliexpress.com/item/1PCS-3-5mm-Jack-Wireless-Bluetooth-4-0-Car-Audio-Adapter-Stereo-AUX-Phone-Music-Receiver/32648159752.html

3. Short 3.5mm Stereo patch cable
I had one lying around the house that i purchased from Radio Shack ages ago.

4. A few Velcro cable ties

Now comes the fun part!
       ASSEMBLY!

Step 1: Attach Bluetooth with Velcro straps

Picture of Attach Bluetooth with Velcro straps
IMG_2233.JPG
IMG_2235.JPG
IMG_2238.JPG
Velcro straps were cut to fit around the band.
I put them on tight with fuzzy velcro side down – or – the side that contacts the headphone bandA shorter patch cable would be ideal but this works just fine.I called my brother to test sound quality and he said that he could hear me fine, even with the location of the mic

Original instructions here!

http://www.instructables.com/id/Convert-Any-Headphones-to-Bluetooth-Wireless/

I updated with working links!

Found this interesting article on http://www.dotnet-tricks.com/Tutorial/webapi/Y95G050413-Difference-between-ASP.NET-MVC-and-ASP.NET-Web-API.html

Most people tend to think MVC and web api are the same thing. Well not really!

 

While developing your web application using MVC, many developers got confused when to use Web API, since MVC framework can also return JSON data by using JsonResult and can also handle simple AJAX requests. In previous article, I have explained the Difference between WCF and Web API and WCF REST and Web Service and when to use Web API over others services. In this article, you will learn when to use Web API with MVC.

Asp.Net Web API VS Asp.Net MVC

  1. Asp.Net MVC is used to create web applications that returns both views and data but Asp.Net Web API is used to create full blown HTTP services with easy and simple way that returns only data not view.
  2. Web API helps to build REST-ful services over the .NET Framework and it also support content-negotiation(it’s about deciding the best response format data that could be acceptable by the client. it could be JSON,XML,ATOM or other formatted data), self hosting which are not in MVC.
  3. Web API also takes care of returning data in particular format like JSON,XML or any other based upon the Accept header in the request and you don’t worry about that. MVC only return data in JSON format using JsonResult.
  4. In Web API the request are mapped to the actions based on HTTP verbs but in MVC it is mapped to actions name.
  5. Asp.Net Web API is new framework and part of the core ASP.NET framework. The model binding, filters, routing and others MVC features exist in Web API are different from MVC and exists in the new System.Web.Httpassembly. In MVC, these featues exist with in System.Web.Mvc. Hence Web API can also be used with Asp.Net and as a stand alone service layer.
  6. You can mix Web API and MVC controller in a single project to handle advanced AJAX requests which may return data in JSON, XML or any others format and building a full blown HTTP service. Typically, this will be called Web API self hosting.
  7. When you have mixed MVC and Web API controller and you want to implement the authorization then you have to create two filters one for MVC and another for Web API since boths are different.
  8. Moreover, Web API is light weight architecture and except the web application it can also be used with smart phone apps.
What do you think?

A question that regularly pops up in the Framer community is how to use Framer if you’re using a PC. Currently, Framer Studio is only available on a Mac but the Framer.js framework, that powers Framer Studio, is free and open source. That means if you’re using Windows, Linux or on a Mac but still on the fence about purchasing Framer Studio, you can still create Framer prototypes.

framerjs-github

For most of us, we want to do as little configuration as possible — that’s where Atom comes in.Atom is a free, text editor from GitHub that’s modern and customizable to do almost anything without ever touching a config file.

atom-logo

Keep in mind is that Framer.js is written in JavaScript. Because Framer Studio uses theCoffeeScript programming language, which has a slightly different syntax that eventually gets compiled down to JavaScript, the majority of the Framer prototypes and examples you’ll see will be written in CoffeeScript. If you wanted to learn from any of these examples, you would need to first convert the code to JavaScript to run with Framer.js.

With a few simple steps, Atom takes care of that for us so we’ll be able to create Framer prototypes using CoffeeScript and preview them on our PC, Linux, or Mac machine. Let’s get started:

1. Download and install Atom

Go to the Atom website and look for the button to download. The button should be specific for your platform.

atom-download

  • If you’re on a Mac, you’ll download a zip file. Simply unzip it, move it to your Applications folder and run Atom
  • If you’re on a PC, run the installer and then open Atom
  • If you’re on Linux, download and install the Debian package or RPM package

2. Install Packages

When you launch Atom for the first time, you should see a welcome guide.

atom-welcome

Click on the “Install a Package” button on the right pane and then Open Installer.
atom-welcome-open-installer

The Install Packages screen should appear. If the future, you can also access this Settings screen through Preferences and then the install tab.

atom-settings-install

Search for the “coffee-compile” package and install it. This allows you to save your CoffeeScript file in the editor and it will convert it to Javascript. You may notice there are a few different packages that come up in the search results that do the same thing – these should work as well but I haven’t tested all of them.

atom-coffee-compile

Search for the “atom-html-preview” package and install it. This allows you to get a live preview when you make changes to the code.

atom-html-preview

If you click the Packages tab, you should now see your 2 new installed packages under the Community Packages section.

community-packages

3. Update Package Settings

If you installed the coffee-compile package, click the Settings button and check the “Compile on Save without Preview” option. This will automatically compile the file when you save and not show you the JavaScript.

compile-on-save-no-preview

4. Download the Framer.js Starter Template

You can download the template here or by going to the Get Started section of the Framer.js GitHub page and clicking the download link.

framerjs-template

Once downloaded, unzip the file and open up the Framer folder.

framer-js-template

Framer Generator is an application for Mac that comes bundled with Framer.js. It allows you to import layers directly out of Photoshop and Sketch files into your Framer projects . This feature is built into Framer Studio.

Let’s look at the files in the project folder in more detail:

  • /framer/framer.js — This is the JavaScript file that powers the interactions and animations you are able to create for your prototypes. You shouldn’t be touching this file unless you want to replace it with a newer version.
  • /framer/framer.js.map — This is a SourceMap file. It maps the code within a compressed file back to it’s original position in a source file to allow you to debug code for compressed file. You don’t need to worry about it and like the framer.js file, you don’t want to touch this file either.
  • /images/background.png & /images/icon.png — The icon image is used in the default prototype and the background image is just a black background that is specified in the CSS.
  • app.js — Here’s where you would write your JavaScript code for your prototypes. We’ll be writing CoffeeScript code that will generate this app.js file for us.
  • index.html — Open this file in a WebKit browser — such as Google Chrome or Safari to view your prototype. If you look at it, it includes the framer.js and app.js file that we looked at earlier.

5. Open up the Project folder in Atom

Go to File – Add Project Folder and open up the Framer Project folder template.

atom-project-js

6. Rename app.js to app.coffee

Right-click on the app.js file and then select rename.

atom-rename

Change the file extension from .js (JavaScript) to .coffee (CoffeeScript).

atom-rename-coffee

7. Write your CoffeeScript code

Delete the code that is in app.coffee since it’s in JavaScript. You can now write your CoffeeScript code in the file. If you’re not sure where to start, copy and paste the following example code.

Save your file when you’re done writing your code and you should see an app.js file appear in your project folder.

atom-compile-js

8. Preview your Prototype

Click the index.html file in the sidebar and then go to Packages – Preview HTML – Enable Preview

atom-enable-preview

You should now see your Framer prototype that you can interact with on your Windows machine.

framer-atom

Note that although there is a live preview, updating the app.coffee file doesn’t trigger a refresh. You’ll need to make your updates to app.coffee, save it to generate a new app.js, and then in your index.html file, make a change – such as adding a return to one line or deleting a blank line. The prototype will then refresh with your newest code.


Now that you’re able to use Framer on Windows, I can’t wait to see what prototypes you come up with. If Atom isn’t your style, you can also check out a Framer video I did as part of my Rapid Prototyping with Framer course for O’Reilly where I also show you how you can use Framer with another text editor, Brackets, as well as with online code editors like CodePen.

In my personal opinion, if you’re on a Mac and plan on using Framer past the trial period,Framer Studio is well worth the price for the amount of time you’ll save with features like easily creating new projects, instant visual feedback, inline error checking, code completion and much more.

Do you have any tips or additional questions for using Framer on Windows? Let me know with a comment below or share your thoughts with me on Twitter (@kennycheny).

InfoSec skills are in such high demand right now. As the world continues to turn everything into an app and connect even the most basic devices to the internet, the demand is only going to grow, so it’s no surprise everyone wants to learn hacking these days.

However, almost every day I come across a forum post where someone is asking where they should begin to learn hacking or how to practice hacking. I’ve compiled this list of some of the best hacking sites to hopefully be a valuable resource for those wondering how they can build and practice their hacking skill set. I hope you find this list helpful, and if you know of any other quality hacking sites, please let me know in the comments, so I can add them to the list.

1. CTF365

On CTF365 users build and defend their own servers while launching attacks on other users’ servers. The CTF365 training environment is designed for security professionals who are interested in training their offensive skills or sysadmins interested in improving their defensive skills. If you are a beginner to infosec, you can sign up for a free beginner account and get your feet wet with some pre-configured vulnerable servers.

2. OVERTHEWIRE

OverTheWire is designed for people of all experience levels to learn and practice security concepts. Absolute beginners are going to want to start on the Bandit challenges because they are the building blocks you’ll use to complete the other challenges.

3. HACKING-LAB

Hacking-Lab provides the CTF challenges for the European Cyber Security Challenge, but they also host ongoing challenges on their platform that anyone can participate in. Just register a free account, setup vpn and start exploring the challenges they offer.

4. PWNABLE.KR

pwnable.kr focuses on ‘pwn’ challenges, similar to CTF, which require you find, read and submit ‘flag’ files corresponding to each challenge. You must use some sort of programming, reverse-engineering or exploitation skill to access the content of the files before you are able to submit the solution.

They divide up the challenge into 4 skill levels: Toddler’s Bottle, Rookiss, Grotesque and Hacker’s Secret. Toddler’s Bottle are very easy challenges for beginners, Rookiss is rookie level exploitation challenges, Grotesque challenges become much more difficult and painful to solve and, finally, Hacker’s Secret challenges require special techniques to solve.

5. IO

IO is a wargame from the createors of netgarage.org, a community project where like-minded people share knowledge about security, AI, VR and more. They’ve created 3 versions, IO, IO64 and IOarm, with IO being the most mature. Connect to IO via SSH and you can begin hacking on their challenges.

6. SMASHTHESTACK

SmashTheStack is comprised of 7 different wargames – Amateria, Apfel (currently offline), Blackbox, Blowfish, CTF (currently offline), Logic and Tux. Every wargame has a variety of challenges ranging from standard vulnerabilities to reverse engineering challenges.

7. MICROCORRUPTION

Microcorruption is an embedded security CTF where you have to reverse engineer fictional Lockitall electronic lock devices. The Lockitall devices secure the bearer bounds housed in warehouses owned by the also fictional Cy Yombinator company. Along the way you’ll learn some assembly, how to use a debugger, how to single step the lock code, set breakpoints, and examine memory all in an attempt to steal the bearer bonds from the warehouses.

8. REVERSING.KR

reversing.kr has 26 challenges to test your cracking and reverse engineering abilities. The site hasn’t been updated since the end of 2012, but the challenges available are still valuable learning resources.

9. HACK THIS SITE

Hack This Site is a free wargames site to test and expand your hacking skills. It features numerous hacking missions across multiple categories including Basic, Realistic, Application, Programming, Phonephreaking, JavaScript, Forensic, Extbasic, Stego and IRC missions. It also boasts a large community with a large catalog of hacking articles and a forum for to have discussions on security related topics. Finally, they’ve recently announced they are going to be overhauling the dated site and codebase, so expect some big improvements in the coming months.

10. W3CHALLS

W3Challs is a pentesting training platform with numerous challenges across different categories including Hacking, Cracking, Wargames, Forensic, Cryptography, Steganography and Programming. The aim of the platform is to provide realistic challenges, not simulations and points are awarded based on the difficulty of the challenge (easy, medium, hard). There’s a forum where you can discuss and walkthrough the challenges with other members.

11. PWN0

pwn0 is the VPN where (almost) anything goes. Go up against pwn0bots or other users and score points by gaining root on other systems.

12. EXPLOIT EXERCISES

Exploit Exercises provides a variety of virtual machines, documentation and challenges that can be used to learn about a variety of computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cyber security issues.

13. RINGZER0 TEAM ONLINE CTF

RingZer0 Team Online CTF offers a ton of challenges, 234 as of this post, that will test your hacking skills across multiple categories including Cryptography, Jail Escaping, Malware Analysis, SQL Injection, Shellcoding and more. After you successfully complete a challenge, you can write up your solution and submit it to the RingZer0 Team. If your write up is accepted, you’ll earn RingZer0Gold which can be exchanged for hints during future challenges.

14. HELLBOUND HACKERS

Hellbound Hackers offers traditional exploit challenges, but they also offer some challenges that others don’t such as web and app patching and timed challenges. The web and app patching challenges have you evaluating a small snippet of code, identifying the exploitable line of code and suggesting a the code to patch it. The timed challenges have the extra constraint of solving the challenge in a set amount of time. I thought these two categories were a cool differentiator from most other CTF sites.

15. TRY2HACK

Try2Hack provides several security oriented challenges for your entertainment and is one of the oldest challenge sites still around. The challenges are diverse and get progressively harder.

16. HACK.ME

Hack.me is a large collection of vulnerable web apps for practicing your offensive hacking skills. All vulnerable web apps are contributed by the community and each one can be run on the fly in a safe, isolated sandbox.

17. HACKTHIS!!

HackThis!! is comprised of 50+ hacking levels with each worth a set number of points depending on its difficulty level. Similar to Hack This Site, HackThis!! also features a lively community, numerous hacking related articles and news, and a forum where you can discuss the levels and a security related topics that might be of interest to you.

18. ENIGMA GROUP

Enigma Group has over 300 challenges with a focus on the OWASP Top 10 exploits. They boast nearly 48,000 active members and host weekly CTF challenges as well as weekly and monthly contests.

19. GOOGLE GRUYERE

Google Gruyere shows how web application vulnerabilities can be exploited and how to defend against these attacks. You’ll get a chance to do some real penetration testing and actually exploit a real application with attacks like XSS and XSRF.

20. GAME OF HACKS

Game of Hacks presents you with a series of code snippets, multiple choice quiz style, and you must identify the correct vulnerability in the code. While it’s not nearly as in depth as the others on this list, it’s a nice game for identifying vulnerabilities within source code.

21. ROOT ME

Root Me hosts over 200 hacking challenges and 50 virtual environments allowing you to practice your hacking skills across a variety of scenarios. It’s definitely one of the best sites on this list.

22. CTFTIME

While CTFtime is not a hacking site like the others on this list, it is great resource to stay up to date on CTF events happening around the globe. So if you’re interested in joining a CTF team or participating in an event, then this is the resource for you.

 

Source:

https://hackerlists.com/hacking-sites/