Botnet

         

A botnet or robot network is a group of computers running a computer application controlled and manipulated only by the owner or the software source. The botnet may refer to a legitimate network of several computers that share program processing amongst them.

Usually though, when people talk about botnets, they are talking about a group of computers infected with the malicious kind of robot software, the bots, which present a security threat to the computer owner. Once the robot software (also known as malicious software or malware) has been successfully installed in a computer, this computer becomes a zombie or a drone, unable to resist the commands of the bot commander.

A botnet may be small or large depending on the complexity and sophistication of the bots used. A large botnet may be composed of ten thousand individual zombies. A small botnet, on the other hand may be composed of only a thousand drones. Usually, the owners of the zombie computers do not know that their computers and their computers’ resources are being remotely controlled and exploited by an individual or a group of malware runners through Internet Relay Chat (IRC)

There are various types of malicious bots that have already infected and are continuing to infect the internet. Some bots have their own spreaders – the script that lets them infect other computers (this is the reason why some people dub botnets as computer viruses) – while some smaller types of bots do not have such capabilities.

Different Types of Bots

Here is a list of the most used bots in the internet today, their features and command set.

XtremBot, Agobot, Forbot, Phatbot

These are currently the best known bots with more than 500 versions in the internet today. The bot is written using C++ with cross platform capabilities as a compiler and GPL as the source code. These bots can range from the fairly simple to highly abstract module-based designs. Because of its modular approach, adding commands or scanners to increase its efficiency in taking advantage of vulnerabilities is fairly easy. It can use libpcap packet sniffing library, NTFS ADS and PCRE. Agobot is quite distinct in that it is the only bot that makes use of other control protocols besides IRC.

UrXBot, SDBot, UrBot and RBot

Like the previous type of bot, these bots are published under GPL, but unlike the above mentioned bots these bots are less abstract in design and written in rudimentary C compiler language. Although its implementation is less varied and its design less sohisticated, these type of bots are well known and widely used in the internet.

GT-Bots and mIRC based bots

These bots have many versions in the internet mainly because mIRC is one of the most used IRC client for windows. GT stands for global threat and is the common name for bots scripted using mIRC. GT-bots make use of the mIRC chat client to launch a set of binaries (mainly DLLs) and scripts; their scripts often have the file extensions .mrc.
Malicious Uses of Botnets

Types Of Botnet Attacks

Denial of Service Attacks

A botnet can be used as a distributed denial of service weapon. A botnet attacks a network or a computer system for the purpose of disrupting service through the loss of connectivity or consumption of the victim network’s bandwidth and overloading of the resources of the victim’s computer system. Botnet attacks are also used to damage or take down a competitor’s website.

Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.

Any Internet service can be a target by botnets. This can be done through flooding the website with recursive HTTP or bulletin-board search queries. This mode of attack in which higher level protocols are utilised to increase the effects of an attack is also termed as spidering.

Spyware

It’s a software which sends information to its creators about a user’s activities – typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential information held within that company. There have been several targeted attacks on large corporations with the aim of stealing sensitive information, one such example is the Aurora botnet.

Adware

Its exists to advertise some commercial entity actively and without the user’s permission or awareness, for example by replacing banner ads on web pages with those of another content provider.

Spamming and Traffic Monitoring

A botnet can also be used to take advantage of an infected computer’s TCP/IP’s SOCKS proxy protocol for networking applications. After compromising a computer, the botnet commander can use the infected unit (a zombie) in conjunction with other zombies in his botnet (robot network) to harvest email addresses or to send massive amounts of spam or phishing emails.

Moreover, a bot can also function as a packet sniffer to find and intercept sensitive data passing through an infected machine. Typical data that these bots look out for are usernames and passwords which the botnet commander can use for his personal gain. Data about a competitor botnet installed in the same unit is also mined so the botnet commander can hijack this other botnet.

Access number replacements are where the botnet operator replaces the access numbers of a group of dial-up bots to that of a victim’s phone number. Given enough bots partake in this attack, the victim is consistently bombarded with phone calls attempting to connect to the internet. Having very little to defend against this attack, most are forced into changing their phone numbers (land line, cell phone, etc.).

Keylogging and Mass Identity Theft

An encryption software within the victims’ units can deter most bots from harvesting any real information. Unfortunately, some bots have adapted to this by installing a keylogger program in the infected machines. With a keylogger program, the bot owner can use a filtering program to gather only the key sequence typed before or after interesting keywords like PayPal or Yahoo mail. This is one of the reasons behind the massive PayPal accounts theft for the past several years.

Bots can also be used as agents for mass identity theft. It does this through phishing or pretending to be a legitimate company in order to convince the user to submit personal information and passwords. A link in these phishing emails can also lead to fake PayPal, eBay or other websites to trick the user into typing in the username and password.

Botnet Spread

Botnets can also be used to spread other botnets in the network. It does this by convincing the user to download after which the program is executed through FTP, HTTP or email.

Pay-Per-Click Systems Abuse

Botnets can be used for financial gain by automating clicks on a pay-per-click system. Compromised units can be used to click automatically on a site upon activation of a browser. For this reason, botnets are also used to earn money from Google’s Adsense and other affiliate programs by using zombies to artificially increase the click counter of an advertisement.

Keylogger Tutorial

Keylogger Tutorial

Keylogger monitor the keys typed in a user can easily find user passwords and other information a user may not wish others to know about.

Keyloggers, as a surveillance tool, are often used by employers to ensure employees use work computers for business purposes only. Unfortunately, keyloggers can also be embedded in spyware allowing your information to be transmitted to an unknown third party.

About keyloggers

key loggersA keylogger is a program that runs in the background, recording all the keystrokes. Once keystrokes are logged, they are hidden in the machine for later retrieval, or shipped raw to the attacker. The attacker then peruses them carefully in the hopes of either finding passwords, or possibly other useful information that could be used to compromise the system or be used in a social engineering attack. For example, a keylogger will reveal the contents of all e-mail composed by the user. Keylogger is commonly included in rootkits.

A keylogger normally consists of two files: a DLL which does all the work and an EXE which loads the DLL and sets the hook. Therefore when you deploy the hooker on a system, two such files must be present in the same directory.

There are other approaches to capturing info about what you are doing.

* Some keyloggers capture screens, rather than keystrokes.
* Other keyloggers will secretly turn on video or audio recorders, and transmit what they capture over your internet connection.

A keyloggers might be as simple as an exe and a dll that are placed on a machine and invoked at boot via an entry in the registry. Or a keyloggers could be which boasts these features:

* Stealth: invisible in process list
* Includes kernel keylogger driver that captures keystrokes even when user is logged off (Windows 2000 / XP)
* ProBot program files and registry entries are hidden (Windows 2000 / XP)
* Includes Remote Deployment wizard
* Active window titles and process names logging
* Keystroke / password logging
* Regional keyboard support
* Keylogging in NT console windows
* Launched applications list
* Text snapshots of active applications.
* Visited Internet URL logger
* Capture HTTP POST data (including logins/passwords)
* File and Folder creation/removal logging
* Mouse activities
* Workstation user and timestamp recording
* Log file archiving, separate log files for each user
* Log file secure encryption
* Password authentication
* Invisible operation
* Native GUI session log presentation
* Easy log file reports with Instant Viewer 2 Web interface
* HTML and Text log file export
* Automatic E-mail log file delivery
* Easy setup & uninstall wizards
* Support for Windows (R) 95/98/ME and Windows (R) NT/2000/XP

Tools:

Ardamax Keylogger is a keystroke recorder that captures user’s activity and saves it to an encrypted log file. The log file can be viewed with the powerful Log Viewer. Use this tool to find out what is happening on your computer while you are away, maintain a backup of your typed data automatically or use it to monitor your kids. Also you can use it as a monitoring device for detecting unauthorised access. Logs can be automatically sent to your e-mail address, access to the keylogger is password protected. Besides, Ardamax Keylogger logs information about the Internet addresses the user has visited.

This invisible spy application is designed for 2000, XP, 2003, Vista and Windows 7.

• Security – allows you to protect program settings, Hidden Mode and Log file.
• Application monitoring – keylogger will record the application that was in use that received the keystroke!
• Time/Date tracking – it allows you to pinpoint the exact time a window received a keystroke!
• Powerful Log Viewer – you can view and save the log as a HTML page or plain text with keylogger Log Viewer.
• Small size – Ardamax Keylogger is several times smaller than other programs with the same features. It has no additional modules and libraries, so its size is smaller and the performance is higher.
• Ardamax Keylogger fully supports Unicode characters which makes it possible to record keystrokes that include characters from Japanese, Chinese, Arabic and many other character sets.
• It records every keystroke. Captures passwords and all other invisible text.

Other Features:

• Windows 2000/2003/XP/Vista/Windows 7 support
• Monitors multi-user machines
• Automatic startup
• Friendly interface
• Easy to install

Download Ardamax Keylogger(1.94Mb)

Perfect Keylogger for Windows 98/2000/XP/Vista and Windows 7

The latest, improved and most stealth version of Perfect Keylogger is now available only after purchase. To protect the product from abuse and improve its quality for the registered users, we no longer offer the trial version of the latest builds. The localized versions of Perfect Keyloger and 64-bit version are also available after purchase. The last public version is still available, but keep in mind that it’s not the latest and may be flagged by security software.

Download Perfect keylogger

SweetSecurity - Network Security Monitoring on Raspberry Pi Type Devices

SweetSecurity - Network Security Monitoring on Raspberry Pi Type Devices

Scripts to setup and install Bro IDS, Elasticsearch, Logstash, Kibana, and Critical Stack on any device.

Installation:

sudo python setup.py

Follow prompts to enter appropriate information for chosen installation type

Installation Types

• Full Install: This will install Bro IDS, Critical Stack (optional), Logstash, Elasticsearch, Kibana, Apache, and Sweet Security Client/Server. Choose this option ONLY if you have 2GB of memory or more.
• Sensor Only: This will install Bro IDS, Critical Stack (optional), Logstash, and Sweet Security Client
• Web Server Only: This will install Elasticsearch, Kibana, Apache, and Sweet Security Server

New Functionality:

• Modularized Installation - Choose to deploy all the tools on one device, or split among multiple for better performance.

1. Full Install - Deploy Bro IDS, Critical Stack, Elasticsearch, Logstash, Kibana, Apache, and Sweet Security
2. Sensor Install - Deploy Bro IDS, Critical Stack, Logstash, and Sweet Security
3. Web Admin Install - Deploy Elasticsearch, Kibana, and Apache

• ARP Spoofing - Full code to monitor all network traffic out of the box without network changes.
• Complete Bro Log Support - All Bro log files are now normalized by Logstash
• Kibana Content - Searches, Visualizations, and Dashboards are now included
• Architecture Support - Now supports installing on non ARM architectures
• Custom NMAP Pre-Fix - updated NMAP pre-fixes based on the IEEE OUI list
• Web Administration - apache/flask based web administration to manage known devices and system health

Prerequisites

Most of the dependencies will be installed during installation. However you will need to make sure these are followed before trying to install the code.

Supported Operating Systems

• Raspbian Jessie
• Debian Jessie
• Ubuntu 16.04

Supported Hardware

• RaspberryPi 3
• x86
• x86_64

System Requirements

• ARM, x86, or x86_64 CPU
• 2GB RAM
• 8GB Disk Storage
• 100 MB NIC (Recommended 1GB) Note: 2GB of storage is required while the Raspberry Pi 3 only has 1GB. The code can be split to run on two devices, such as two Raspberry Pi's or a Raspberry Pi and AWS.

Fixes:

• Optimized Logstash Config
• Updated Bro IDS to 2.5.1
• Updated Logstash to version 5.5.1
• Updated Elasticsearch to version 5.5.1
• Update kibana to version 5.5.1

Download SweetSecurity

jSQL An Automatic SQL Injection Tool Written in Java

jSQL An Automatic SQL Injection Tool Written in Java

jSQL Injection is a lightweight application used to find database information from a distant server.

It is free, open source and cross-platform (Windows, Linux, Mac OS X).

jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in other distributions like Pentest Box, Parrot Security OS, ArchStrike or BlackArch Linux.

Features

• Automatic injection of 23 kinds of databases: Access, CockroachDB, CUBRID, DB2, Derby, Firebird, H2, Hana, HSQLDB, Informix, Ingres, MaxDB, Mckoi, MySQL{MariaDb}, Neo4j, NuoDB, Oracle, PostgreSQL, SQLite, SQL Server, Sybase, Teradata and Vertica
• Multiple injection strategies: Normal, Error, Blind and Time
• SQL Engine to study and optimize SQL expressions
• Injection of multiple targets
• Search for administration pages
• Creation and vizualisation of Web shell and SQL shell
• Read and write files on host using injection
• Bruteforce of password's hash
• Code and decode a string

Installation  Install Java 8, then download the latest release of jSQL Injection and double-click on the file jsql-injection-v0.79.jar to launch the software.

You can also type java -jar jsql-injection-v0.79.jar in your terminal to start the program.
If you are using Kali Linux then get the latest release using commands apt update then apt full-upgrade.

Download jSQL Tool

Disclaimer:
Attacking web-server is illegal without prior mutual consent. The end user is responsible and obeys all applicable laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

XSStrike: A Python Script Designed To Detect And Exploit XSS Vulnerabilities

XSStrike is a python script designed to detect and exploit XSS vulnerabilities.

A list of features XSStrike has to offer:

•  Fuzzes a parameter and builds a suitable payload
•  Bruteforces parameters with payloads
•  Has an inbuilt crawler like functionality
•  Can reverse engineer the rules of a WAF/Filter
•  Detects and tries to bypass WAFs
•  Both GET and POST support
•  Most of the payloads are hand crafted
•  Negligible number of false positives
•  Opens the POC in a browser window

Installing XSStrike

Use the following command to download it

git clone https://github.com/UltimateHackers/XSStrike/

After downloading, navigate to XSStrike directory with the following command

cd XSStrike

Now install the required modules with the following command


pip install -r requirements.txt

Now you are good to go! Run XSStrike with the following command

python xsstrike

Using XSStrike

You can enter your target URL now but remember, you have to mark the most crucial parameter by inserting "d3v<" in it.

For example: target.com/search.php?q=d3v&category=1

After you enter your target URL, XSStrike will check if the target is protected by a WAF or not. If its not protected by WAF you will get three options

1. Fuzzer: It checks how the input gets reflected in the webpage and then tries to build a payload according to that.

2. Striker: It brute-forces all the parameters one by one and generates the proof of concept in a browser window.

3. Spider: It extracts all the links present in homepage of the target and checks parameters in them for XSS.

4. Hulk: Hulk uses a different approach, it doesn't care about reflection of input. It has a list of polyglots and solid payloads, it just enters them one by one in the target parameter and opens the resulted URL in a browser window.

XSStrike can also bypass Website Application Firewall (WAFs)

Watch Video:

  

Download

XSStrike: A Python Script Designed To Detect And Exploit XSS Vulnerabilities

XSStrike is a python script designed to detect and exploit XSS vulnerabilities.

A list of features XSStrike has to offer:

•  Fuzzes a parameter and builds a suitable payload
•  Bruteforces parameters with payloads
•  Has an inbuilt crawler like functionality
•  Can reverse engineer the rules of a WAF/Filter
•  Detects and tries to bypass WAFs
•  Both GET and POST support
•  Most of the payloads are hand crafted
•  Negligible number of false positives
•  Opens the POC in a browser window

Installing XSStrike

Use the following command to download it

git clone https://github.com/UltimateHackers/XSStrike/

After downloading, navigate to XSStrike directory with the following command

cd XSStrike

Now install the required modules with the following command


pip install -r requirements.txt

Now you are good to go! Run XSStrike with the following command

python xsstrike

Using XSStrike

You can enter your target URL now but remember, you have to mark the most crucial parameter by inserting "d3v<" in it.

For example: target.com/search.php?q=d3v&category=1

After you enter your target URL, XSStrike will check if the target is protected by a WAF or not. If its not protected by WAF you will get three options

1. Fuzzer: It checks how the input gets reflected in the webpage and then tries to build a payload according to that.

2. Striker: It brute-forces all the parameters one by one and generates the proof of concept in a browser window.

3. Spider: It extracts all the links present in homepage of the target and checks parameters in them for XSS.

4. Hulk: Hulk uses a different approach, it doesn't care about reflection of input. It has a list of polyglots and solid payloads, it just enters them one by one in the target parameter and opens the resulted URL in a browser window.

XSStrike can also bypass Website Application Firewall (WAFs)

Watch Video:

  

Download

How To Send An HTML E-mail Using Python Code

How To Send An HTML E-mail Using Python Code

Python is a fully-functional programming language that can do anything almost any other language can do, at comparable speeds. "Modules" are pre-written Python code that you "import" in your Python program.

Simple Mail Transfer Protocol (SMTP) is a protocol, which handles sending e-mail and routing e-mail between mail servers.

Python provides smtplib module, which defines an SMTP client session object that can be used to send mail to any Internet machine with an SMTP or ESMTP listener daemon.


Here is a simple syntax to create one SMTP object, which can later be used to send an e-mail −

import smtplib
smtpObj = smtplib.SMTP( [host [, port [, local_hostname]]] )

Here is the detail of the parameters:

host: This is the host running your SMTP server. You can specifiy IP address of the host or a domain name like tutorialspoint.com. This is optional argument.

port: If you are providing host argument, then you need to specify a port, where SMTP server is listening. Usually this port would be 25.

local_hostname:  If your SMTP server is running on your local machine, then you can specify just localhost as of this option.

An SMTP object has an instance method called sendmail, which is typically used to do the work of mailing a message. It takes three parameters −

• The sender - A string with the address of the sender.
• The receivers - A list of strings, one for each recipient.
• The message - A message as a string formatted as specified in the various RFCs.

Example

Here is a simple way to send one e-mail using Python script. Try it once

#!/usr/bin/python

import smtplib

sender = 'from@anydomain.com'
receivers = ['to@toanydomain.com']

message = """From: From Person <from@anydomain.com>
To: To Person <to@toanydomain.com>
Subject: SMTP e-mail test

This is a test e-mail message.
"""

try:
   smtpObj = smtplib.SMTP('localhost')
   smtpObj.sendmail(sender, receivers, message)         
   print "Successfully sent email"
except SMTPException:
   print "Error: unable to send email"

Here, you have placed a basic e-mail in message, using a triple quote, taking care to format the headers correctly. An e-mail requires a From, To, and Subject header, separated from the body of the e-mail with a blank line.

To send the mail you use smtpObj to connect to the SMTP server on the local machine and then use the sendmail method along with the message, the from address, and the destination address as parameters (even though the from and to addresses are within the e-mail itself, these aren't always used to route mail).

If you are not running an SMTP server on your local machine, you can use smtplibclient to communicate with a remote SMTP server. Unless you are using a webmail service (such as Hotmail or Yahoo! Mail), your e-mail provider must have provided you with outgoing mail server details that you can supply them, as follows −

smtplib.SMTP('mail.your-domain.com', 25)

Sending an HTML e-mail using Python

When you send a text message using Python, then all the content are treated as simple text. Even if you include HTML tags in a text message, it is displayed as simple text and HTML tags will not be formatted according to HTML syntax. But Python provides option to send an HTML message as actual HTML message.

While sending an e-mail message, you can specify a Mime version, content type and character set to send an HTML e-mail.

Example

Following is the example to send HTML content as an e-mail. Try it 

#!/usr/bin/python

import smtplib

message = """From: From Person <from@anydomain.com>
To: To Person <to@toanydomain.com>
MIME-Version: 1.0
Content-type: text/html
Subject: SMTP HTML e-mail test

This is an e-mail message to be sent in HTML format

<b>This is HTML message.</b>
<h1>This is headline.</h1>
"""

try:
   smtpObj = smtplib.SMTP('localhost')
   smtpObj.sendmail(sender, receivers, message)         
   print "Successfully sent email"
except SMTPException:
   print "Error: unable to send email"

Sending Attachments as an E-mail

To send an e-mail with mixed content requires to set Content-type header to multipart/mixed. Then, text and attachment sections can be specified within boundaries.

A boundary is started with two hyphens followed by a unique number, which cannot appear in the message part of the e-mail. A final boundary denoting the e-mail's final section must also end with two hyphens.

Attached files should be encoded with the pack("m") function to have base64 encoding before transmission.

Example

Following is the example, which sends a file /tmp/test.txt as an attachment. Try it once −

#!/usr/bin/python

import smtplib
import base64

filename = "/tmp/test.txt"

# Read a file and encode it into base64 format
fo = open(filename, "rb")
filecontent = fo.read()
encodedcontent = base64.b64encode(filecontent)  # base64

sender = 'webmaster@anydomain.com'
reciever = 'xyz@gmail.com'

marker = "AUNIQUEMARKER"

body ="""
This is a test email to send an attachment.
"""
# Define the main headers.
part1 = """From: From Person <me@domain.com>
To: To Person <xyz@gmail.com>
Subject: Sending Attachement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=%s
--%s
""" % (marker, marker)

# Define the message action
part2 = """Content-Type: text/plain
Content-Transfer-Encoding:8bit

%s
--%s
""" % (body,marker)

# Define the attachment section
part3 = """Content-Type: multipart/mixed; name=\"%s\"
Content-Transfer-Encoding:base64
Content-Disposition: attachment; filename=%s

%s
--%s--
""" %(filename, filename, encodedcontent, marker)
message = part1 + part2 + part3

try:
   smtpObj = smtplib.SMTP('localhost')
   smtpObj.sendmail(sender, reciever, message)
   print "Successfully sent email"
except Exception:
   print "Error: unable to send email"

Enjoy the Code..

Source