Hackercool - August 2021

To advertise with us, contact: admin@hackercoolmagazine.com
Copyright © 2016 Hackercool CyberSecurity (OPC) Pvt Ltd
All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law. For permission requests, write to the publisher, addressed "Attention: Permissions Coordinator," at the address below.
Any references to historical events, real people, or real places are used fictitiously. Names, characters, and places are products of the author's imagination.

Hackercool Cybersecurity (OPC) Pvt Ltd.


Banjara Hills, Hyderabad 500034
Telangana, India.
Website :
www.hackercoolmagazine.com
Email Address :
admin@hackercoolmagazine.com
Information provided in this Magazine is strictly for educational purpose only. Please don't misuse this knowledge to hack into devices or networks without taking permission. The Magazine will not take any responsibility for misuse of this information.
Then you will know the truth and the truth will set you free.
John 8:32

Edition 4 Issue 8
Hello Hackercoolians. Hope you are all fine and healthy. Welcome to our eighth issue of this year. We have been hearing a lot about PrintNightmare for two months now. So we at Hackercool Magazine thought it good to include a Real World Hacking Scenario about exploiting PrintNightmare in the real world. This is all the more meaningful since the vulnerability that affects the print spooler service of Microsoft is still refusing to die.
Although Microsoft released a patch (KB5005652) to address this vulnerability, another vulnerability in the print spooler service, CVE-2021-36958, came to light. An attacker successfully exploiting this vulnerability could execute malicious code with SYSTEM privileges on the target system. This vulnerability is still unpatched, and the only protection is disabling the print spooler service.
The earlier patch (KB5005652) has caused its own share of problems in enterprises. This patch is causing some enterprise users to reinstall print drivers or install new drivers, which can be done only with admin privileges. So users needed to be given admin privileges to do that, further increasing the security risk.
Our RWHS in this issue shows you one of the most common hacking scenarios used in the real world. In our next issue, readers will see another scenario of exploiting PrintNightmare. In the WiFi Security feature, we will go deep into Wireless Fidelity and see how to crack WPA / WPA2 using three tools.
The Metasploit This Month feature has another exploit relating to ExifTool, and that's interesting. Apart from this, all our regular features are present.

“the printnightmare vulnerability is fresh, but already sensational"


See what our Hackercool Magazine August 2021 Issue has in store for you.

1. Real World Hacking Scenario :
Exploiting PrintNightmare in Real World.

2. Wireless Security :
Let's get deep into Wi-Fi and then crack WPA using three tools.

3. Bypassing Antivirus :
AV | ATOR

4. Hacking Q & A :
Answers to some of the questions our readers ask

5. Metasploit This Month :
Windows TokenMagic PE & Exif Tool Perl ANT Injection Modules

6. Online Security :
Spyware : Why the booming surveillance tech industry is vulnerable to corruption and abuse.

7. Our Story :
The day I was most disappointed.

Downloads
Other Resources
Exploiting PrintNightmare in Real World

Real World Hacking Scenario

Hi Hackercoolians. PrintNightmare is a vulnerability affecting the print spooler service in Windows systems which was discovered and widely exploited recently. Our readers have already learnt about it in our previous issue. This Real World Hacking Scenario explains one scenario of how this vulnerability can be exploited in the real world.

Hi, I am Hackercool. People call me a Black Hat but I consider myself a script kiddie. As I returned to my hacking adventures, PrintNightmare had been reverberating in hacker circles. So I decided to try hacking a system by exploiting this vulnerability.
After a bit of pondering, I decided to take the exploitation route which is very common in real world attacks: get initial access to a target system using a RAT (Remote Administration Tool) and then use the PrintNightmare vulnerability to elevate privileges.
It's only 9 days since the PrintNightmare vulnerability became public. So normally all Windows systems from Windows 7 upwards are ripe targets. What more can a hacker ask for?
APTs, ransomware gangs and hacking syndicates use many advanced RATs for their hacking operations, which are paid products. Many hacking groups sell these RATs in underworld hacking forums. Although buying one is a good idea, many of these RATs allegedly have backdoors. It's like a hacker getting hacked by the Black Hat hacker.
For this scenario, I will show you a RAT which is open source and free of any backdoors. Its name is Quasar RAT. The download information of this RAT is given in our Downloads section.
Quasar is a fast and light-weight Remote Administration Tool coded in C#. The features of this RAT include:
1. TCP network stream (IPv4 & IPv6 support)
2. Fast network serialization (Protocol Buffers)
3. Compressed (QuickLZ) & Encrypted (TLS) communication
4. UPnP Support
5. Task Manager
6. File Manager
7. Startup Manager
8. Remote Desktop
9. Remote Shell
10. Remote Execution
11. System Information
12. Registry Editor
13. System Power Commands (Restart, Shutdown, Standby)
14. Keylogger (Unicode Support)
15. Reverse Proxy (SOCKS5)
16. Password Recovery (Common Browsers and FTP Clients) etc.

The RAT is supported on Windows 10, Windows Server 2019, Windows Server 2016, Windows 8/8.1, Windows Server 2012, Windows 7, Windows Server 2008 and Windows Vista. If you need to run this RAT on earlier Windows operating systems, you need to run Quasar RAT version 1.3.
I downloaded the latest version of the RAT. It is downloaded as a zip archive. As this RAT is written in C#, it needs to be compiled with Visual Studio 2019 or newer with .NET Framework 4.5.2 or higher (if you don't have .NET Framework, don't worry, the system will prompt you to install it while compiling). The download information of Visual Studio too is given in our Downloads section.
Once Visual Studio has finished downloading, install it. Then, extract the contents of the Quasar zip archive (you could do it before installing Visual Studio too, no problem). After the contents are extracted, you will see a .sln file.

Start Visual Studio 2019 and open this .sln file as shown below.
The Quasar project opens as shown below.

Go to the Tools > Options menu to make sure that the NuGet Package Manager is enabled. It is needed for compiling the Quasar RAT.

"PrintNightmare is a hot new target for ransomware groups. It will allow these groups to quickly go from a single compromised workstation, to access to the whole network."
- Lucas Gates, Senior Vice President, Kroll.
Select Release and then build it. To do this, go to the Build tab and select the Build Quasar Server option as shown below.
"Thus far, Microsoft's patches have failed to fully address the problem. As such, the consensus is that organisations should disable print services on all systems where it isn't needed."
- Lucas Gates, Senior Vice President, Kroll.
Once the compilation of the Quasar server is finished, it's time to compile the client. This can be done as follows. Click on Build and select the "Build Solution" option, or use the shortcut "Ctrl + Shift + B".
"PrintNightmare is one of the most significant and potentially damaging vulnerabilities to have been identified for some time. It is vital that organisations act now in order to protect themselves. We are assessing the situation closely and will continue to provide updates as and when we can."
- George Glass, Head Of Threat Intelligence
"CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors. We encourage organizations to always apply the latest patches and security updates to mitigate known vulnerabilities and adhere to security best practices to strengthen their security posture against threats and sophisticated adversaries."
- Liviu Arsene, CrowdStrike
In the folder in which the zip archive is extracted, you should see a new folder named "bin".

At the deepest level of this folder, you will find our compiled executables: Quasar (server) and Quasar Client (client).
The compilation is finished. Now let's create the client for this RAT. The client of any RAT
should run on the target system while the Server should run on the attacker system. To create the
client to be run on the target system (don’t confuse it with the earlier client we compiled) run the
Quasar Server. When you execute it for the first time, it will prompt you to create a certificate.
This certificate is needed to have information of all the clients connected and if it is deleted you
will lose all the connected clients. So save it at a safe location.
After the certificate is successfully created, the Quasar server opens as shown below.

Click on the "Builder" option to open the Client builder as shown below. Let's start configuring
the options. The client tag is used to identify the client and can be anything you want.
The vulnerability is dubbed PrintNightmare because the Spooler print
service fails to restrict access to the functionality that allows users to add
printers and related drivers.
Once you specify the tag, click to configure the "connection settings". Here, set the IP address of
the Attacker Machine (the machine you have compiled this Quasar RAT and on which Quasar
server is running). You can change the listening port if you like or you can keep the default one.
Click on "Add host" after setting these.

Keep the installation settings, assembly settings and monitoring settings at their defaults and build the client. To do this, click on "Build Client".
By default, the client we create will be named "client-built". However, you can give it any name you want, as shown below.
(In this scenario, I changed the name of the client to PrintNightmare_shield.exe.)
Now, I need to send this file to the target machine. What better way to send this than social engineering. So I create a spear phishing email as shown below. Note that this scenario happened before the patches for PrintNightmare were released. Here is the content of my spear phishing email.

I have attached the client I just created as an attachment.


The plan is simple. I am suggesting a simple solution to PrintNightmare vulnerability by asking
them to download the attached client executable and run it. I am also trying to lure them to
disable their AntiVirus before executing it. Now, I go back to my Quasar Server.

The Quasar server is not listening by default. To start listening, I click on settings and then select
“start listening” option.
The Quasar server starts listening.

As soon as our victim falls for the trap and clicks on the malicious client, I will have a connection
as shown below.

Here, I have a connection from Windows 10 target. Now, let me show you what this RAT can do.
I right click on the connector session and I get to see all the options this RAT provides me.

Let's have a look at the target system information.


Our target PC's name is "Reception" and the user who fell for me is user1. Let's see other features of this RAT.
There is an option for a keylogger and remote desktop which can be very handy. I can also send the victims to a specific website I like. You remember the scenario where I hacked a website, hosted my malware on that website and lured the victims to the website? Here, I can think about a similar scenario.

These are the client management options I have.

Let's get to the administration options again. The Startup Manager shows all the processes that start running on system startup.
A hacker group named Vice Society has been leveraging the PrintNightmare vulnerability of late. Vice Society is a new hacker group that emerged in mid 2021. This group has also notably targeted public school districts and other educational institutions.
Similarly, the Task Manager shows all the running tasks on the target system.

The "Connections" option in the administration menu shows all the connections on the target system. What I want you to see is the established connection of the PrintNightmare shield executable which has connected to our attacker system.
"Like any major subcomponent of Windows, it's large and it's complicated."
Using RATs, I can even execute remote commands on the target system.

Last but not least, I can shut down or restart the target system whenever I like.
What about the File Manager and Remote Shell features? Let me show you practically.
It's time for privilege escalation. Since the patches for PrintNightmare are not yet released and all versions of Windows from Windows 7 upwards are vulnerable to the PrintNightmare vulnerability, I can boldly assume that this system is vulnerable to PrintNightmare.
So the only thing left for me is to upload one PrintNightmare exploit to the target system and run it. After some profound searching, I found a PrintNightmare privilege escalation script written in C#. The download information of this exploit is given in our Downloads section. As it is written in C#, it can be compiled using the same Visual Studio, just like I compiled the Quasar RAT.

The exploit is compiled successfully. It's time to upload this exploit on to the target system. This can be done using the File Manager of the Quasar RAT.
The exploit is successfully uploaded.

Now, I just open the Remote Shell and move to the folder where we have uploaded the PrintNightmare exploit.
"My own advice is install the patch, because it does protect against some already known circulating, prewritten exploits, so you might as well do it. But my recommendation would still be, your best bet, if you can possibly afford it..is leave the print spooler turned off".
- Paul Ducklin, Principal Research Scientist, Sophos.
Once I am in the same folder as the exploit, I execute the exploit as shown below.

The exploit doesn't seem to work. No problem. There are many other PrintNightmare exploits we can use. The download information for this particular PrintNightmare LPE exploit is given in our Downloads section.
I upload the exploit on to the target system using the same method I used earlier. Then I open Remote Shell and navigate into the directory where the PrintNightmareLPE exploit is uploaded, and right away execute it.

I got an error saying that the exploit could not find a file xconsole.exe. The file "xconsole.exe" is provided with the exploit itself. The problem is that the exploit is looking for it at the wrong location. It is looking for xconsole.exe in C:\temp\testcase\xconsole.exe whereas that file is located in the same directory where PrintNightmareLPE.exe is located.
The path C:\temp\testcase\ is not even present on the target system. So I create it using the remote shell and then upload the file xconsole.exe into that directory.
Now let's try executing PrintNightmareLPE.exe again.

I don't see anything on my side even now. So, using Quasar RAT, I open a Remote Desktop session on the target and see a CMD window open. The good news is that this CMD window is running with SYSTEM privileges. Can you see the system32 directory?

The exploit is indeed successful. So without delay, I create a new user named "hackercool" on the target system.
Technology doesn't always age gracefully.
Then, I add this user "hackercool" to the local Administrators group.

Target has been compromised, elevated privileges gained. Exploitation complete. Mission achieved.
This privilege escalation can also be performed using the PowerShell script our readers have seen in our previous issue. How can it be done? After uploading the PowerShell script on the target using the File Manager option of the Quasar RAT, I open a Remote Desktop session on the target and open PowerShell on the target system.
"There is still a risk on any compromised computer that has the print spooler running." - Paul Ducklin, Sophos.

I navigate to the directory where the PowerShell script is uploaded and execute it in the same way as shown in the previous issue.
There is another hacking group trying to exploit PrintNightmare vulnerabilities. Named Magniber, the group normally uses malvertising to spread attacks, then exploits any unpatched vulnerabilities in the system. This group usually targets South Korean victims.
By default, this action will create a new user named "adm1n" with administrator privileges on the target system unless we specify a specific username. This user can be seen using the net user command.
With this, the scenario is complete.
Let's Get Deep and Then Crack WPA Using 3 Tools

WIRELESS SECURITY
History of Wi-Fi
Wi-Fi is the name given to a family of wireless network protocols, based on the IEEE 802.11 family of standards. These are commonly used for local area networking of devices and also for Internet access. Simply put, this allows nearby digital devices to exchange data using radio waves. No need to mention what these devices are.
The beginning of Wi-Fi happened in the form of ALOHAnet, which successfully connected the Great Hawaiian Islands with a UHF wireless packet network in 1971. ALOHAnet and the ALOHA protocol in fact were precursors of the Ethernet and 802.11 protocols.
After another 14 years, in 1985, a ruling by the U.S. Federal Communications Commission released the band for unlicensed use. These frequency bands are the 2.4 gigahertz (120 mm) UHF and 5 gigahertz (60 mm) SHF radio bands. These frequency bands are the same ones used by equipment such as microwave ovens, wireless devices etc.
The first version of the 802.11 protocol was released in the year 1997 and provided speeds up to 2 Mbit/s. 802.11a came as an improvement over the original standard. It operates in the 5 GHz band, uses 52-subcarrier orthogonal frequency-division multiplexing (OFDM) and has speeds in the mid 20 Mbit/s range. This was replaced with the 802.11b protocol in 1999, which had a speed of 11 Mbit/s. It is this protocol that would eventually make Wi-Fi popular.
In the same year, a non-profit association named the Wi-Fi Alliance was formed, which restricted the use of the term Wi-Fi Certified to products that successfully complete interoperability certification testing. By 2017, the Wi-Fi Alliance had more than 800 companies from around the world, and over 3.05 billion Wi-Fi enabled devices had been shipped by the year 2019.
The first devices to use Wi-Fi connectivity were made by Apple, which adopted this option in their laptops. 802.11g was added to the 802.11 specification in the year 2003. It operated in the 2.4 GHz microwave band and provided speeds up to 11 Mbit/s. Another standard was adopted in the year 2008, named 802.11n, which operated in both 2.4 and 5 GHz and had link rates of 72 to 600 Mbit/s. This standard was also known as Wi-Fi 4.
Similarly, 802.11ac, 802.11ax and later standards were also adopted, which further improved the speed and performance of Wi-Fi. Now, let us learn about some terms that frequently occur regarding wireless.

Terminology Of Wi-Fi
Wireless Access Point (WAP) : A Wireless Access Point (WAP), commonly known as an Access Point (AP), is a networking hardware device that allows other Wi-Fi devices to connect to it. This Access Point allows wireless devices to connect to wired devices and generally provides internet. Mostly the Access Point is a Wi-Fi router.

Wireless Client : A wireless device that connects to the Wireless Access Point to access the internet is known as a Wireless Client. Ex : all the devices that connect to a Wi-Fi router.

Wireless Local Area Network (WLAN) : The computer network comprising the Wireless Access Point and two or more Wireless Clients is known as a Wireless Local Area Network. This is a LAN but without wires.

Service Set Identifier (SSID) : A Service Set Identifier (SSID) is the name of the wireless network. Normally, it is broadcast in the clear by Wireless Access Points in beacon packets to announce the presence of a Wi-Fi network. SSIDs can be up to 32 octets (32 bytes) long. For example, the SSID in our first wireless hacking article is Hack_Me_If_You_Can.

Extended Service Set Identifier (ESSID) : An Extended Service Set Identifier (ESSID) is a wireless network created by multiple access points. This is useful in providing wireless coverage in a large building or area in which a single Access Point (AP) is not enough. However, this appears as a single seamless network to users. The name is the same as the SSID.

Basic Service Set Identifier (BSSID) : Previously our readers learnt that every hardware device in computing is hardcoded with a MAC address. A BSSID is the MAC address of the Access Point.

Channels : Readers have learnt that Wi-Fi operates in the frequency ranges of 2.5GHz and 5GHz. These frequency bands are divided into smaller frequency bands which are known as channels. Usually, these channels are of width 20MHz. The 2.5 GHz range is divided into 14 channels each spaced 5MHz apart to avoid interference and disturbance. Similarly, the 5GHz band is divided into 24 channels.

(Image Source : Wikipedia)
In our first wireless hacking attack, the channel of our Access Point is 1.

Beacons : Beacons are one of the management frames in IEEE 802.11 based WLANs. A Beacon Frame contains all the information about the network and is transmitted periodically to announce the presence of a wireless LAN and to synchronize the members of the WLAN.

Signal Strength : Wi-Fi signal strength refers to the strength of the Wi-Fi network connection. The correct way to express Wi-Fi signal strength is in mW, but that is also very complex. So for simplicity, the signal strength is expressed in dBm, which stands for decibels relative to a milliwatt. dBm values are negative. For example, -34 is a stronger signal than -64 or -94, because a lower (more negative) number means a weaker signal.

Data : Data needs no explanation.

Encryption : Encryption refers to the Wi-Fi encryption protocol used for security. There are three types of wireless encryption protocols at present: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access Version 2 (WPA2). More about them soon.

Authentication : The authentication method used by wireless clients to authenticate with the wireless access point. More about it soon too.

Cipher : Ciphers are standard security ciphers that are part of Wi-Fi security to enhance the security of wireless networks. For example, WPA can use either the CCMP or TKIP cipher.

Wardriving : Wardriving is the act of searching for wireless networks while moving in a vehicle using a Wi-Fi enabled device like a laptop or a smartphone. The term wardriving originated from the term wardialing, the method which was popularized by a character played by Matthew Broderick in the film WarGames. There are other variants of wardriving like warbiking, warcycling and warwalking, which are similar to wardriving but use other modes of transportation.

Wi-Fi Security
Wired Equivalent Privacy : Wired Equivalent Privacy (WEP) is the first security algorithm for IEEE 802.11 wireless networks that was introduced as part of the original 802.11 standard ratified in 1997. As its name implies, the intention was to provide data confidentiality equivalent to that of a traditional wired network.
WEP was the only encryption protocol available to 802.11a and 802.11b devices as these were built before the WPA standard was released.
WEP was ratified as a Wi-Fi security standard in 1999. The first versions of WEP used only 64-bit encryption as the U.S.A. restricted the export of cryptographic technology.
WEP uses the Rivest Cipher 4 (RC4) for confidentiality and the Cyclic Redundancy Check (CRC) 32 checksum for integrity. RC4 is a stream cipher known for simplicity and speed.
Standard 64-bit WEP uses a 40-bit key which is concatenated with a 24-bit initialization vector (IV, remember something?) to form the RC4 key. A 64-bit WEP key usually has a string of 10 hexadecimal (base 16) characters (0–9 and A–F). See the image below.
In 2005, a group from the US's FBI cracked a WEP protected network in three minutes using publicly available tools.
Each character in the key represents 4 bits. 10 digits of 4 bits each give 40 bits. When we add the 24-bit Initialization Vector to these 40 bits, the complete 64-bit WEP key is produced.
Some devices also allow the user to enter the key as 5 ASCII characters (0–9, a–z, A–Z), each of which is turned into 8 bits using the character's byte value in ASCII. However, this restricts each byte to be a printable ASCII character, which is only a small fraction of possible byte values, greatly reducing the possible keys.
After the USA lifted restrictions on the export of cryptographic technology, the 128-bit WEP key came into
Each digit is of 4 bits. 26 digits of 4 bits each give 104 bits. When we add a 24-bit IV to these 104 bits, the complete 128-bit WEP key is produced. Most devices allowed the user to enter 13 ASCII characters as the WEP key.

Although some vendors made 152-bit and 256-bit WEP systems also available, 128-bit WEP was widely used.

Authentication System of WEP

WEP uses two methods of authentication.

1. Open System authentication
2. Shared Key authentication.

1. Open System Authentication

In Open System authentication, the WLAN client that wants to connect to an Access Point doesn't need any credentials during authentication. Simply put, no authentication occurs. Subsequently, WEP keys are used for encrypting data frames. At this point, the client needs to have the correct WEP key.

2. Shared Key Authentication

In Shared Key authentication, authentication takes place in a four-step challenge-response handshake:

Step 1: The client sends an authentication request to the Access Point.

Step 2: The Access Point replies with a clear-text challenge.

Step 3: The client encrypts the challenge text using the configured WEP key and sends it back in another authentication request.

Step 4: The Access Point decrypts the response. If this matches the challenge text, the Access Point sends back a positive reply.

After the authentication and association is successful, the pre-shared WEP key is also used for encrypting the data frames using RC4. Although Shared Key Authentication appears more secure than Open System Authentication, it is actually the other way round.

Weak Security Of WEP

WEP uses RC4, which is a stream cipher. Hence the same traffic key cannot be used twice. It is for this purpose that WEP uses Initialization Vectors (IVs). But the problem is that WEP uses 24-bit IVs for both 64-bit and 128-bit keys. This 24-bit IV is not long enough to ensure non-repetition on a busy network. For a 24-bit IV, there is a 50% probability that the same IV will repeat after 5,000 packets. So the WEP key of a busy network can be easily cracked since it has a lot of traffic.
Attackers can even create fake connections (just as we did using aireplay in the previous issue) to generate more traffic and then crack the WEP key. As we have seen in our previous issue, the more IVs we capture the faster it is to crack WEP, and it usually takes only minutes to crack the WEP key with the besside-ng tool.
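The WEP mechanics described in this section, as an added example that is not part of the original article: key expansion from a hex or ASCII WEP key plus the 24-bit IV, a textbook RC4, the four-step Shared Key handshake simulated with both sides in one process, and the birthday-bound estimate of how soon a 24-bit IV repeats. The challenge and IV are constructed inside the code, and the frame body is simplified to IV || RC4(data || CRC-32 ICV) as an illustrative assumption, not a complete 802.11 frame.

```python
import math
import os
import zlib

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_wep_key(key: str) -> bytes:
    """Turn a user-entered WEP key into the secret key bytes.

    10 or 26 hex digits  -> 40- or 104-bit key (64-/128-bit WEP).
    5 or 13 ASCII chars  -> same lengths, one byte per character.
    """
    if len(key) in (10, 26) and set(key) <= HEX_DIGITS:
        return bytes.fromhex(key)
    if len(key) in (5, 13):
        return key.encode("ascii")
    raise ValueError("WEP key must be 10/26 hex digits or 5/13 ASCII chars")


def per_packet_key(secret: bytes, iv: bytes) -> bytes:
    """WEP seeds RC4 with the 24-bit IV followed by the secret key."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits (3 bytes)")
    return iv + secret


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified frame body: IV || RC4(IV||key, plaintext || CRC-32 ICV)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(per_packet_key(secret, iv), plaintext + icv)


def wep_decrypt(secret: bytes, body: bytes):
    """Return the plaintext, or None if the ICV does not verify."""
    iv, ciphertext = body[:3], body[3:]
    plain = rc4(per_packet_key(secret, iv), ciphertext)
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        return None
    return data


def shared_key_auth(client_key: bytes, ap_key: bytes,
                    challenge: bytes = None, iv: bytes = None):
    """Simulate the four-step Shared Key handshake; returns (success, transcript).

    The random challenge and IV are constructed here for the simulation;
    a real AP picks its own 128-byte challenge.
    """
    challenge = challenge or os.urandom(128)
    iv = iv or os.urandom(3)
    transcript = []
    transcript.append(("client->ap", "auth request, algorithm=shared key"))  # step 1
    transcript.append(("ap->client", challenge))                              # step 2 (clear text)
    response = wep_encrypt(client_key, iv, challenge)                         # step 3
    transcript.append(("client->ap", response))
    decrypted = wep_decrypt(ap_key, response)                                 # step 4
    ok = decrypted == challenge
    transcript.append(("ap->client", "success" if ok else "failure"))
    return ok, transcript


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday-bound estimate that some IV value repeats within `frames` frames."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


if __name__ == "__main__":
    key = parse_wep_key("snow5")  # 5 ASCII characters -> 40-bit key
    ok, _ = shared_key_auth(key, key)
    print("shared key auth with matching keys:", ok)
    print("P(IV reuse after 5000 frames) = %.2f" % iv_collision_probability(5000))
```

With the article's 5,000-packet figure, iv_collision_probability(5000) comes out at roughly 0.53, which is the "50% after 5,000 packets" statement made precise.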

Cracking WPA / WPA2

Now, let's go directly to see how to crack WPA / WPA2. We will crack this WPA using three tools. First, we will see how to do this with aircrack. The attacker system is always Kali Linux. After connecting the Alfa wireless Wi-Fi adapter to the system, I open a terminal and use the iwconfig command to see if the wireless adapter is connected or not. It is connected.
The Payment Card Industry (PCI) Security Standards Council updated the Data Security Standard (DSS) to prohibit use of WEP as part of any credit-card processing after 30 June 2010 and prohibit any new system from being installed that uses WEP after 31 March 2009.
I start monitor mode on the wireless interface.

I once again use the iwconfig command to see if monitor mode is started on the wireless interface. It has started. To see all the traffic being observed by the wireless interface, I run the airodump-ng command on the wireless interface.

As you can see, this shows all the wireless traffic. There are many wireless networks available, but my target is the Wi-Fi Access Point I named "Hack_Me_If_You_Can". I use the same airodump-ng to target the MAC address of the target's Access Point and write all the traffic it has to a file named hc_wpa_crack.

After some time, we can see a client connecting to our Access Point.
For cracking WPA/WPA2, we don't need a lot of traffic. What we need is a WPA handshake. The WPA handshake is the process through which a wireless client connects to a Wireless Access Point. Since a client is already connected to our target Access Point, to get a WPA handshake we need to deauthenticate that client. This can be done using the aireplay-ng command as shown below.

As the client is deauthenticated, it tries to connect again. Then, we successfully get a handshake as shown below.

Now, all we have to do is run aircrack on the capture file as shown below.
The Wi-Fi password is successfully cracked and the key is "snowwhite".
Just like cracking WEP, even cracking WPA can be automated using the tool besside-ng. To do this, we run besside-ng on the target Wi-Fi network.
Besside-ng automatically captures the WPA handshake. Then all we have to do is run aircrack on the wpa.cap file.
There is another tool to crack WEP / WPA / WPA2 that is totally GUI based: Fern Wifi Cracker. Fern Wifi Cracker is inbuilt in Kali Linux. It can be started by running the command fern-wifi-cracker in a terminal.
Select the wireless interface.
The tool will automatically scan for wireless networks (both WEP and WPA) and show their numbers.

Click on the WPA networks to see all the WPA networks.

Select the Wi-Fi Access Point you want to target. Here our target is Hack_Me_If_You_Can.

The tool displays a message about the requirement needed to crack WPA/WPA2. It says that at least one client needs to be connected to the wireless access point to crack WPA. Click on "OK".
Select the wordlist file.

The deauthentication attack automatically starts.

Then the tool captures the handshake and automatically starts cracking it.

Send all your questions to editor@hackercoolmagazine.com

The WPA key is successfully cracked. As you can see, the password is "snowwhite". Let's clear all the doubts you have, and you will get them soon in our next issue.
AV | ATOR

BYPASSING ANTIVIRUS
AV | Ator is a backdoor generator utility that uses cryptographic and injection techniques to
bypass AV detection. The AV in AV | Ator stands for Anti Virus. Ator is a character from the Italian
film series “Ator”: a swordsman, alchemist, scientist, magician, scholar and engineer with
the ability to sometimes produce objects out of thin air.
Ator takes C# shellcode as input, encrypts it with AES encryption and generates an executable
file. Ator uses various methods to bypass antivirus. Some of them are:

Portable executable injection : In portable executable injection, malicious code is written
directly into a process (without a file on disk). Then, this code is executed by either invoking
additional code or by creating a remote thread. The displacement of the injected code introduces
the additional requirement for functionality to remap memory references.

Reflective DLL Injection : DLL injection is a technique used for running code within the
address space of another process by forcing it to load a dynamic-link library. This will overcome
the address relocation issue.

Thread Execution Hijacking : Thread execution hijacking is a process in which malicious
code is injected into a thread of a process.
Ator also has an RTLO option that makes an executable file appear to have an "innocent"
extension like 'pdf', 'txt' etc. E.g. the file "testcod.exe" will be interpreted as "tesexe.doc", and of
course we can set a custom icon. Ator can be run on both Windows and Linux. We need Mono to run
Ator on Linux.
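The RTLO trick works because the Unicode right-to-left override (U+202E) makes a file manager draw everything after it reversed, so the extension the user sees is not the one the OS uses. The following Python is an added example, not code from the magazine or from the AVIator project: it finds bidirectional control characters in a filename, computes the name as it would be displayed, and flags a mismatch between the displayed and the real extension. The sample names are constructed; applied to the page's "testcod.exe" example with the RTLO placed after "test", it reports the displayed form "testexe.doc" with the real extension .exe.

```python
"""Flag filenames that hide their real extension with Unicode bidi controls (added example)."""
import os

# Explicit bidi formatting characters that can reorder or silently alter how a name is displayed.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
RLO, PDF = "\u202e", "\u202c"


def find_bidi_controls(name: str):
    """Positions and names of every bidi control in the filename."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def displayed_name(name: str) -> str:
    """Approximate how a file manager shows the name: characters after an RLO are drawn
    right-to-left until a PDF or the end of the string. Exact for ASCII tails, which is how
    the extension trick is used; the full Unicode bidi algorithm is not implemented here."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif c in BIDI_CONTROLS:
            i += 1                      # other controls are invisible; skip them
        else:
            out.append(c)
            i += 1
    return "".join(out)


def extension_of(name: str) -> str:
    """Lower-cased text after the last dot of the base name, or '' if there is none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_filename(name: str) -> dict:
    """Compare the extension a user sees with the one the OS will actually use."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    actual = extension_of("".join(c for c in name if c not in BIDI_CONTROLS))
    return {
        "raw": name.encode("unicode_escape").decode("ascii"),   # makes the control visible in logs
        "displayed": shown,
        "displayed_ext": extension_of(shown),
        "actual_ext": actual,
        "bidi_controls": controls,
        "suspicious": bool(controls) and extension_of(shown) != actual,
    }


def scan_directory(path: str):
    """Yield inspection results for every suspicious name under path (no files are opened)."""
    for root, _dirs, files in os.walk(path):
        for f in files:
            r = inspect_filename(f)
            if r["suspicious"]:
                r["path"] = os.path.join(root, f)
                yield r


if __name__ == "__main__":
    # Constructed sample names: one benign, two using the override trick.
    for sample in ("report.pdf", "test\u202ecod.exe", "photo\u202egnp.scr"):
        r = inspect_filename(sample)
        print(f"{r['raw']:>28}  shown as {r['displayed']!r:>18}  real ext .{r['actual_ext']}  "
              f"suspicious={r['suspicious']}")
```

A custom icon does not change the result, because the check never looks at the file content: only the name decides which program the OS will run, and a name whose displayed extension differs from its real one is worth quarantining in a mail gateway or download folder scan.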
Let's see how to install ATOR in Kali. Clone the ATOR repository as shown below.

Then unzip the zip archive.

Install Mono as shown below.

After moving into the extracted directory, there will be an AVIATOR executable. We just need
to run it with Mono.

If you want to run ATOR on Windows, you can just download the compiled binaries from Github.
When you run the executable, the ATOR GUI opens.
Let's see all the options in detail.

1. It contains the encryption key that is used to encrypt the shellcode. Keep the default if you want.
2. It contains the IV used for AES encryption. Keep the default too.
3. Shellcode in C# format.
4. It will show the encrypted payload.
5. The location to which the generated executable is to be saved.
6. Various injection techniques.
7. Set a custom icon for the executable.

Let's create the shellcode using msfvenom.


Copy the shellcode and paste it in the payload column (3). Click on "Encrypt" to see the encrypted
payload in (4). Click on (7) to set a custom icon (we are using a PDF icon). Select the path of the
executable (5), select the injection technique (6) and click on the "Generate EXE" button.
Here's the payload.

Before executing it on the target, start a listener on the attacker machine.

As soon as the payload is executed on the target, we will have a shell as shown below.

The backdoor generated by AV | Ator was no longer undetectable by 2019. This is the price it paid
for its popularity. One temporary solution to this is to use a C# obfuscator on the produced
executable to remain FUD.

Answers to some questions related to hacking our readers ask

Hacking Q & A
Q : Why is my connection not secure when I connect to a hotspot with no password as opposed
to one with a password?

A : You know what is the one question that users most ask me? How to hack a system that is on
a different LAN network. You know what that means? Hacking a system on the same network
is easy. All Wi-Fi networks without a password are called OPEN networks. So just like you,
anybody can connect to this OPEN network without the need of any password. All the systems and
devices getting connected to this OPEN network form a WLAN (same network). So a hacker
can easily scan for vulnerabilities and exploit your device in an OPEN network. There's no
restriction, right? That is the reason you should never connect to an OPEN wireless network.
Windows TokenMagic & Exif Tool perl ANT Injection Modules

METASPLOIT THIS MONTH


Welcome to Metasploit This Month. Let us learn about the latest exploit modules of Metasploit
and how they fare in our tests.

Windows TokenMagic PE Module

TARGET: Windows 7 - 10 v1803    TYPE: Local    MODULE: PE    ANTI-MALWARE: OFF

How long has it been since we last saw a Windows privilege escalation vulnerability? Ok, we
saw one in just our previous Issue (wink, PrintNightmare). The Windows TokenMagic PE
module duplicates the token of an elevated process and spawns a new process or conducts a DLL
hijacking attack to gain SYSTEM level privileges. Since this is a privilege escalation module, we
first need a meterpreter session with low privileges on the target. Let's see how this module works.
We have tested this module on a Windows 7 Service Pack 1 target.

Background the initial meterpreter session and load the tokenmagic exploit module as shown
below.
After setting all the required options, use the check command to see if the target is indeed vulnerable.

Then execute the module.

As we can see, we successfully gained a meterpreter session with SYSTEM privileges on the
target.
"Is hacking ever acceptable? It depends on the motive."
- Charlie Brooker
ExifTool ANT perl Injection Module

TARGET: ExifTool v7.44 to 12.23    TYPE: Local    MODULE: Exploit    ANTI-MALWARE: NA

ExifTool is a platform-independent Perl library plus a command-line application for reading,
writing and editing meta information in a wide variety of files. The above mentioned versions of
ExifTool are vulnerable to a Perl injection vulnerability that can be exploited to gain a shell using
Perl backticks. The vulnerability is present in the DjVu parsing code of ExifTool.
What this module does is create a malicious file which, when opened by a vulnerable version of
ExifTool, gives a shell. We have tested this module on Ubuntu. The download information for
ExifTool is given in our Downloads section. It needs no installing. Just extract the zip archive.

Let's see how this module works. Load the ExifTool_djvu_injection exploit module as shown below.

Set all the required options and execute the module.

Let's copy this malicious file to the target system.

Before opening this file with exiftool, let's start a listener on the attacker system.
As soon as this malicious file is opened with exiftool, a shell is obtained on the attacker system
as shown below.

"One of my favourite books about hackers is 'Masters of Deception' about this hacking group in
the 1990s. Many of them didn't come from wealthy families. These are kids that are very
intelligent; they just happen to be misdirected."
- Harper Reed
Spyware : Why the booming surveillance tech industry is vulnerable to corruption and abuse

Online Security

Christian Kemp
Lecturer, Criminology, Anglia Ruskin University

The world’s most sophisticated commercially available spyware may be being abused, according to an investigation by 17 media organisations in ten countries. Intelligence leaks and forensic phone analysis suggests the surveillance software, called Pegasus, has been used to target and spy on the phones of human rights activists, investigative journalists, politicians, researchers and academics.

NSO Group, the Israeli cyber intelligence firm behind Pegasus, insists that it only licenses its spyware to vetted government clients in the name of combating transnational crime and terrorism. It has labelled reports from investigative journalists a “vicious and slanderous campaign” upon which it will no longer comment.

Yet the founder and chief executive of NSO Group previously admitted that “in some circumstances our customers might misuse the system.” Given that the group has sold its spyware to a reported 40 countries, including some with poor records of corruption and human rights violations, it’s alleged that Pegasus has been significantly misused, undermining the freedom of the press, freedom of thought and free and open democracies.

These revelations are the latest indication that the spyware industry is out of control, with licensed customers free to spy on political and civilian targets as well as suspected criminals. We may be heading to a world in which no phone is safe from such attacks.

Pegasus is regarded as the most advanced spyware on the market. It can infiltrate victims’ devices without their even having to click a malicious link – a so-called “zero-click attack”. Once inside, the power Pegasus possesses to transform a phone into a surveillance beacon is astounding.

It immediately sets to work copying messages, pictures, videos and downloaded content to send to the attacker. As if that’s not insidious enough, Pegasus can record calls and track a target’s location while independently and secretly activating a phone’s camera and microphone. With this capability, an infected phone acts like a fly on the wall, seeing, hearing and reporting back the intimate and sensitive conversations that it watches continuously.

There’s previous evidence of Pegasus misuse. It was implicated in the alleged hacking of Jeff Bezos’ phone by the crown prince of Saudi Arabia in 2018. The following year, it was revealed that several Indian lawyers and activists had been targeted by a Pegasus attack via WhatsApp.

The new revelations suggest that Pegasus was used to watch Mexico’s president Andres Manuel Lopez and 50 members of his inner circle – including friends, family, doctors, and aides – when he was an opposition politician. Pegasus has also been linked to the surveillance of Rahul Gandhi, the current political rival to Indian prime minister Narendra Modi.

A Pegasus infiltration has also now been found among phones belonging to the family and friends of murdered journalist Jamal Khashoggi, and there are indications that Pegasus may also have been used by a Mexican NSO client to target the Mexican journalist Cecilio Pineda Birto, who was murdered in 2017.

Although the power of Pegasus is shocking, spyware in its various forms is far from a new phenomenon. Basic spyware can be traced back to the early 1990s. Now it’s a booming industry with thousands of eager buyers.

At the base of the spyware industry are the lesser snooping tools, sold for as little as $70 (£51) on the dark web, which can remotely access webcams, log computer keystrokes and harvest location data. The use of such spyware by stalkers and abusive partners is a growing, concerning issue.

Then of course there’s the global surveillance estate that Edward Snowden lifted the curtain on in 2013. His leaks revealed how surveillance tools were being used to amass a volume of citizens’ personal data that seemed to go well beyond the brief of the intelligence agencies using them.

In 2017, we also learned how a secret team of elite programmers at the US National Security Agency had developed an advanced cyber-espionage weapon called Eternal Blue, only for it to be stolen by the hacker collective Shadow Brokers and sold on the dark web. It was this spyware that would later be used as the backbone of the infamous 2017 Wannacry ransomware attack, which targeted the NHS and hundreds of other organisations.

When the Snowden leaks were published, many were shocked to learn of the scale of surveillance that digital technologies had enabled. But this mass spying was at least developed and conducted within state intelligence agencies, who had some legitimacy as agents of espionage.

We’re no longer debating the right of the state to violate our own rights to privacy. The Pegasus revelations show we’ve arrived in a new, uncomfortable reality where highly sophisticated spyware tools are sold on an open market. To be under no illusion, we’re referring here to an industry of for-profit malware developers creating and selling the same types of tools – and sometimes the very same tools – used by “bad hackers” to bring businesses and government organisations to their knees.

In the wake of the Pegasus revelations, Edward Snowden has called for an international spyware ban, stating that we’re moving towards a world where no device is safe. That will certainly be the case if Pegasus meets the same fate as Eternal Blue, with its source code finding its way onto the dark web for use by criminal hackers.

"We need to work together to end unlawful targeted surveillance. As Snowden said, we need to change the game."
- Amnesty International

The Article first appeared in The Conversation.



The Day I was most disappointed.

OUR STORY
I have waited for this day for a long time. Just like many of you, I was also interested in learning hacking about a decade ago.
After a lot of brainstorming and research, I saw it good to take a course of Ethical Hacking to achieve my goal. I had one apprehension though. The courses were expensive but of short duration. Will I be able to learn hacking so fast?
Having no other way to achieve my goal, I took the jump. After teaching about some basics like OSI model, Data link layer, TCP handshake etc., my favorite topic (almost every aspiring hacker's favorite topic) came: System Hacking. The target was Windows XP and the attacker system Backtrack. The selection of target itself disappointed me. Windows 8 was released by then and Windows 7 was still the most popular Windows operating system.
To further increase the burden on my disappointment, Firewall was turned off and Antivirus disabled on the target system. I made my objection clear to my Trainer.
The Trainer had logical explanations for my objections. The first demo will be on XP and then we will move to attacks on other OS like 7 and 8. He gave similar logic for disabling Antivirus and Firewall and said the ms08_067 exploit doesn't run in presence of AV.
Although I was silenced outside, many questions were racing through my mind. The most important of them was how to ask my victim to disable AV and Firewall while attacking. Every basic user used Antivirus back then.
The course time finished before the time for moving to attacking the latest Windows OSes came. Not willing to give up the passion of hacking, I started my own research. For the first year, I felt Ethical hacking was just a farce and bypassing AV was a myth and none of the exploits would work in presence of AV.
Thankfully, I still continued my research and very soon I delved into a different dimension of hacking where there were malware undetectable by almost all antiviruses, where attackers convinced their victims to become victims by their own choice etc.
Our Hackercool Magazine is the product of my research of many years. Our Magazine teaches Real World Ethical Hacking i.e. how hacking works in the Real World.

DOWNLOADS
1. Quasar RAT :
https://github.com/quasar/Quasar

2. EXIF Tool :
https://exiftool.org/

3. Visual Studio :
https://visualstudio.microsoft.com/

4. AV | ATOR :
https://github.com/Ch0pin/AVIator
