20 January

7:00 AM

By Autor

In: android, pcap, tcpdump, Termux

Creating a PCAP file on an Android devices (root/non-root)

Capturing network traffic and saving it as a PCAP file is a common practice for log analysis, debugging, and security auditing. Below is a comprehensive guide for both rooted and non-rooted Android devices, including the use of Termux and VPN-based solutions.

For Rooted Devices

Rooted devices provide more flexibility as you can directly access low-level network interfaces. The following methods are recommended:

Method 1: Using tcpdump

2. Install tcpdump:

Download the tcpdump binary:

wget https://www.tcpdump.org/release/tcpdump-4.99.4.tar.gz

Extract and install:

tar -xvf tcpdump-4.99.4.tar.gz
cd tcpdump-4.99.4
./configure
make
make install

Alternatively, you can copy a precompiled tcpdump binary to your phone using ADB:
```
adb push tcpdump /data/local/tmp/
adb shell chmod +x /data/local/tmp/tcpdump
```

2. Run tcpdump:

Open a terminal app (like Termux or a terminal emulator).

Run tcpdump to capture packets:

/data/local/tmp/tcpdump -i any -w /sdcard/capture.pcap

Stop the capture with Ctrl+C.

3. Transfer the PCAP File:

Use ADB or file transfer to copy the file to your computer for analysis:
```
adb pull /sdcard/capture.pcap
```

Method 2: Using Shark for Root

Shark for Root is a graphical frontend for tcpdump.

Steps:

Install Shark for Root from a trusted APK source.
Open the app and start capturing packets.
Save the capture when done.
Transfer the PCAP file to your computer for analysis.

For Non-Rooted Devices

Non-rooted devices can still capture traffic using apps that leverage a local VPN interface. However, these methods may have limitations (e.g., inability to capture traffic outside the app scope).

Method 1: Using Packet Capture

Packet Capture is an Android app available on the Play Store.

Steps:

Install Packet Capture from the Play Store.
Launch the app and start capturing traffic.
If capturing HTTPS traffic, follow the instructions to install the app’s SSL certificate.
Stop the capture and save the file as a PCAP.
Transfer the PCAP file to your computer for further analysis.

Method 2: Using tPacketCapture

tPacketCapture is another non-root option available on the Play Store.

Steps:

Install tPacketCapture.
Launch the app and start capturing.
Save the log in PCAP format.
Transfer the file for analysis.

Using Termux for PCAP Capture

Termux allows for terminal-based operations on non-rooted or rooted devices.

For Rooted Devices in Termux

Install tcpdump in Termux:
```
pkg install tcpdump
```
Run tcpdump:
```
tcpdump -i any -w /sdcard/capture.pcap
```
- Replace /sdcard/capture.pcap with your desired file path.
Stop the Capture:
- Use Ctrl+C to end the process.
Transfer the File:
```
adb pull /sdcard/capture.pcap
```

For Non-Rooted Devices in Termux

Non-rooted Termux users can use VPN-based apps to capture traffic while managing the PCAP files in Termux.

Analyzing HTTPS Traffic

Decrypt HTTPS Traffic

Install the capturing app’s SSL certificate.
Configure your network or browser to trust the certificate.
Use tools like Wireshark to decode HTTPS streams.

Transfer and Analysis

Transfer PCAP File:

Use ADB:
```
adb pull /sdcard/capture.pcap
```
Or upload to cloud storage (Google Drive, Dropbox).

Analyze with Wireshark:

Open Wireshark on your computer.
Load the PCAP file:
```
File -> Open -> Select capture.pcap
```
Analyze the captured traffic using filters and protocols.

This guide provides detailed instructions for both rooted and non-rooted devices, covering a range of tools and methods.

17 January

9:30 AM

By Autor

In: Nmap

No comments

Nmap – Comprehensive Guide

Note:
The guides provided in this article are comprehensive overviews designed to give a solid understanding of the topics covered. While they include detailed instructions and best practices, they are not intended to serve as complete tutorials for every aspect of the subject. Readers are encouraged to explore additional resources and documentation for in-depth knowledge and specific implementations. Always exercise caution and ensure compliance with applicable laws and ethical guidelines when applying the information shared in these guides.

What is Nmap?

Nmap (Network Mapper) is a powerful open-source network scanning tool used for network discovery, security auditing, and vulnerability assessment. It is widely used by red teamers, penetration testers, and network administrators to identify active hosts, services, operating systems, and potential security flaws.

Installation & Setup

System Requirements

✅ Recommended OS: Linux (Kali, Parrot, Ubuntu, Debian, Arch, NixOS), Windows, macOS
✅ Dependencies: Root/admin privileges for advanced scanning

Install Nmap

Using APT (Debian-based systems)

sudo apt update && sudo apt install nmap

Using Pacman (Arch-based systems)

sudo pacman -S nmap

Using Homebrew (macOS)

brew install nmap

Verify Installation

nmap --version

3️⃣ Basic Nmap Usage

Scan a Single Target

nmap 192.168.1.1

Scan a Subnet

nmap 192.168.1.0/24

Detect OS and Services

nmap -A 192.168.1.1

Scan Specific Ports

nmap -p 22,80,443 192.168.1.1

Aggressive Scan for More Information

nmap -T4 -A -v 192.168.1.1

Scan with Stealth (SYN Scan)

sudo nmap -sS 192.168.1.1

Detect Vulnerabilities with NSE Scripts

nmap --script vuln 192.168.1.1

Alternatives to Nmap

- Masscan – Ultra-fast port scanner
- Zmap – High-speed internet-wide scanner
- RustScan – Faster scanning with Nmap integration
- Angry IP Scanner – Simple GUI-based scanner

Advanced Nmap Techniques

Evasion Tactics – Using fragmented packets, decoys, and spoofing
Firewall Bypass – Scanning with randomized source ports
DNS Brute-Force – Enumerating subdomains
Banner Grabbing – Extracting service information

Red Teaming Best Practices with Nmap

✔ Avoid noisy scans that trigger alerts.
✔ Use decoy scans (-D RND:10) to mask source identity.
✔ Leverage NSE scripts for targeted attacks.
✔ Combine with Metasploit for post-exploitation.

Blue Team’s Advanced Hunting Techniques

Monitor unusual network scanning activity.
Implement rate limiting on sensitive assets.
Use IDS/IPS to detect aggressive scans.
Analyze NetFlow logs for reconnaissance attempts.

Detection & Countermeasures (Blue Team Perspective)

Block excessive ICMP and SYN requests.
Enable network segmentation to restrict scanning.
Use honeypots to detect unauthorized probing.
Deploy EDR solutions to flag abnormal network activity.

Best Practices for Ethical Use

✔ Always obtain permission before scanning networks.
✔ Follow ethical hacking guidelines and responsible disclosure policies.
✔ Test in a controlled lab before scanning real environments.
✔ Stay updated with new scanning techniques and Nmap scripts.

6:00 AM

By Autor

In: SET, Social-Engineer Toolkit

No comments

Social-Engineer Toolkit (SET) – Comprehensive Guide

What is the Social-Engineer Toolkit (SET)?

The Social-Engineer Toolkit (SET) is an open-source framework for social engineering penetration testing. It allows red teamers to perform attacks such as credential harvesting, phishing, and payload delivery to test an organization’s security posture against social engineering threats.

Installation & Setup

System Requirements

✅ Recommended OS: Kali Linux, Parrot OS, Ubuntu, Debian, Arch, NixOS
✅ Dependencies: Python

Install SET

Using APT (Debian-based systems)

sudo apt update && sudo apt install set

Using GitHub (Latest Version for Any Linux OS)

git clone https://github.com/trustedsec/social-engineer-toolkit.git
cd social-engineer-toolkit
sudo python3 setup.py install

Verify Installation

setoolkit

Basic Usage of SET

Launch SET

sudo setoolkit

Main Attack Vectors

1) Spear-Phishing Attack Vector – Send fake emails with malicious payloads
2) Website Attack Vectors – Clone websites for credential harvesting
3) Infectious Media Generator – Create malicious USB drops
4) Create a Payload and Listener – Generate and deploy backdoors
5) Wireless Access Point Attack – Fake Wi-Fi for credential theft

Example: Cloning a Website for Credential Harvesting

sudo setoolkit
# Select "2) Website Attack Vectors"
# Select "3) Credential Harvester Attack Method"
# Enter the website URL to clone

Alternatives to SET

- Evilginx – Advanced phishing with two-factor bypass
- GoPhish – Open-source phishing framework
- BeEF – Browser exploitation framework
- HiddenEye – Phishing and social engineering toolkit

Advanced SET Techniques

Malicious Macro Attacks – Embedding payloads in Office documents
BYPASS AV Payloads – Obfuscating payloads for better success rates
Multi-Stage Attacks – Combining phishing with payload delivery
Integration with Metasploit – Enhancing exploitation capabilities

Red Teaming Best Practices with SET

✔ Use personalized phishing campaigns for realistic simulations.
✔ Leverage OSINT to craft convincing social engineering scenarios.
✔ Deploy payloads with obfuscation techniques for stealth.
✔ Test campaigns on isolated networks before live use.

Blue Team’s Advanced Hunting Techniques

Monitor email traffic for phishing patterns.
Detect fake login pages with domain analysis tools.
Educate employees on recognizing phishing attempts.
Use endpoint security solutions to block malicious payloads.

Detection & Countermeasures (Blue Team Perspective)

Enable Multi-Factor Authentication (MFA) to prevent credential theft.
Use email filtering to block phishing attempts.
Monitor unusual access requests in SIEM solutions.
Conduct regular phishing awareness training.

Best Practices for Ethical Use

✔ Always obtain permission before launching phishing campaigns.
✔ Follow ethical hacking guidelines and responsible disclosure policies.
✔ Educate organizations on improving security against social engineering.
✔ Stay updated with the latest SET modules and attack techniques.

16 January

11:30 PM

By Autor

In: C2, Responder

No comments

Responder – Comprehensive Guide

What is Responder?

Responder is a powerful tool used in network penetration testing to capture and relay NTLM hashes via LLMNR, NBT-NS, and MDNS poisoning. It is widely used by red teamers to perform man-in-the-middle attacks within internal networks to obtain credentials and escalate privileges.

Installation & Setup

System Requirements

✅ Recommended OS: Linux-based systems (Kali Linux, Parrot OS, Ubuntu, Debian, Arch, NixOS)
✅ Dependencies: Python

Install Responder

Using APT (Debian-based systems)

sudo apt update && sudo apt install responder

Using GitHub (Latest Version for Any Linux OS)

git clone https://github.com/lgandx/Responder.git
cd Responder
sudo python3 Responder.py -h

Basic Usage of Responder

Start Responder on a Specific Interface

sudo python3 Responder.py -I eth0

Analyze Captured Hashes

cat Responder-Session.log

Enable SMB & HTTP Authentication Relaying

sudo python3 Responder.py -I eth0 -wF

Alternatives to Responder

- Inveigh – A .NET equivalent for Windows environments
- MITMf – Man-in-the-Middle attack framework
- Bettercap – Versatile network attack tool
- Ettercap – Traditional MITM attack tool

Advanced Responder Techniques

WPAD Attack – Exploiting proxy auto-discovery settings
NTLM Relay Attack – Relaying captured hashes for privilege escalation
Custom Poisoning Rules – Fine-tuning responses for better stealth

Red Teaming Best Practices with Responder

✔ Run on isolated VLANs for stealth.
✔ Combine with NTLM relay tools like ntlmrelayx.
✔ Modify Responder.conf to avoid unnecessary noise.
✔ Leverage WPAD exploitation for proxy authentication attacks.

Blue Team’s Advanced Hunting Techniques

- Monitor unusual LLMNR/NBT-NS requests on the network.
- Disable LLMNR and NBT-NS if not required.
- Use network segmentation to reduce exposure.
- Deploy host-based firewall rules to restrict SMB communication.

Detection & Countermeasures (Blue Team Perspective)

- Enable SMB signing to prevent NTLM relay attacks.
- Monitor endpoint logs for repeated authentication failures.
- Use Sysmon and Splunk for in-depth analysis of poisoning attempts.
- Implement conditional access policies for privileged accounts.

Best Practices for Ethical Use

✔ Always obtain permission before using Responder in an environment.
✔ Follow ethical hacking guidelines and responsible disclosure policies.
✔ Test in a controlled lab to understand tool behavior before deploying.
✔ Stay updated with the latest versions to ensure reliability and effectiveness.

3:30 PM

By Autor

In: android, pcap, Termux

No comments

Guide to Capturing PCAP Files on Android Devices

This guide provides detailed instructions for capturing network traffic on both rooted and non-rooted Android devices, including options for using Termux with relevant tools. Capturing traffic is essential for log analysis and debugging purposes. Let's break it down.

1. Rooted Devices

Rooted devices provide full access to system files and network interfaces, enabling robust packet capture capabilities.

1.1 Using tcpdump

tcpdump is a command-line tool for capturing network packets. Here’s how to use it on a rooted Android device.

Step-by-Step Instructions:

Install tcpdump:

Download the tcpdump binary compatible with Android from a trusted source (e.g., https://www.tcpdump.org).
Transfer the binary to your device:
```
adb push tcpdump /data/local/tmp
```

Change permissions to make it executable:

adb shell
su
chmod 755 /data/local/tmp/tcpdump

Another way to install tcpdump:

Download the tcpdump binary:

wget https://www.tcpdump.org/release/tcpdump-(version).tar.gz

Extract and install:

tar -xvf tcpdump-(version).tar.gz
cd tcpdump-(version)
./configure
make
make install

Alternatively, you can copy a precompiled tcpdump binary to your phone using ADB:
```
adb push tcpdump /data/local/tmp/
adb shell chmod +x /data/local/tmp/tcpdump
```

Capture Network Traffic:
- Run tcpdump to start capturing traffic:
```
/data/local/tmp/tcpdump -i any -w /sdcard/capture.pcap
```
  - -i any: Captures traffic from all interfaces.
  - -w: Specifies the output file in PCAP format.
Stop the Capture:
- Use Ctrl+C in the terminal to stop the capture.
Transfer PCAP File:
- Transfer the file to your computer for analysis:
```
adb pull /sdcard/capture.pcap
```

1.2 Using Shark for Root

Shark for Root is a GUI-based frontend for tcpdump.

Steps:

Download and install Shark for Root from a trusted source.
Grant root permissions when prompted.
Start capturing traffic using the app’s interface.
Save the PCAP file and transfer it for analysis.

2. Non-Rooted Devices

For non-rooted devices, you can use apps that leverage VPN-based traffic capturing.

2.1 Using Packet Capture App

The Packet Capture app uses a local VPN to intercept traffic.

Steps:

Install Packet Capture:
- Download the app from the Play Store.
Configure SSL Decryption (Optional):
- Install the app’s SSL certificate to capture HTTPS traffic.
- Follow the app’s instructions to add the certificate to your device.
Start Capturing Traffic:
- Open the app and start the VPN service.
- Perform network activities you want to analyze.
Export PCAP File:
- Stop the capture and export the file in PCAP format.
- Transfer the file for analysis.

2.2 Using tPacketCapture

tPacketCapture is another app that operates similarly to Packet Capture.

Steps:

Install the app from the Play Store.
Launch the app and start the capture.
Perform network activities and stop the capture.
Export the PCAP file.

3. Using Termux (Rooted or Non-Rooted)

Termux is a terminal emulator for Android that can work with various tools, including tcpdump.

3.1 Installing tcpdump in Termux

Steps:

Install Termux:
- Download Termux from the Play Store or F-Droid.
Install Required Packages:
- Update and install packages:
```
pkg update && pkg upgrade
pkg install tsu tcpdump
```
Capture Traffic:
- For rooted devices:
```
tsu
tcpdump -i any -w /sdcard/capture.pcap
```
- For non-rooted devices (limited to Termux session traffic):
```
tcpdump -i any -w capture.pcap
```
Stop the Capture:
- Use Ctrl+C to stop capturing traffic.
Transfer File:
- Use ADB or cloud storage to move the PCAP file to your computer.

3.2 Combining with Other Tools

You can use additional tools with Termux for enhanced capabilities:

OpenVPN: To route traffic through a VPN and capture it.
SSLsplit: To decrypt HTTPS traffic (requires root).

4. Analyzing the PCAP File

Once you’ve captured the traffic, transfer the PCAP file to a computer for analysis using tools like Wireshark or tshark.

Steps for Wireshark:

Open Wireshark on your computer.
Load the PCAP file:
- File > Open > Select the PCAP file.
Analyze the captured traffic using Wireshark’s filters and visualization tools.

5. Troubleshooting

No Traffic Captured:

Ensure permissions are granted for storage and internet access.
For non-rooted devices, verify the VPN is active.

Incomplete Traffic (HTTPS):

Install and configure an SSL certificate for the capture tool.

PCAP File Not Found:

Check the output path specified in the capture tool.
Ensure the tool has write permissions.

This guide provides a detailed approach for both rooted and non-rooted Android devices.

3:30 PM

By Autor

In: C2, CME, CrackMapExce

No comments

CrackMapExec - Comprehensive Guide

What is CrackMapExec?

CrackMapExec (CME) is a powerful post-exploitation and lateral movement tool designed to audit large Active Directory (AD) networks. It simplifies password spraying, credential validation, privilege escalation, and enumeration across Windows environments. CME is widely used by red teams and penetration testers for gaining and maintaining access within AD networks.

Installation & Setup

System Requirements

✅ Recommended OS: Kali Linux, Parrot OS, Ubuntu
✅ Dependencies: Python3, Impacket, SMB Protocol Libraries

Install CrackMapExec

For Debian/Ubuntu-based Systems

sudo apt update && sudo apt install crackmapexec -y

For Arch Linux

sudo pacman -S crackmapexec

From Source (Latest Version)

git clone https://github.com/Porchetta-Industries/CrackMapExec.git
cd CrackMapExec
pip3 install -r requirements.txt
python3 setup.py install

Basic Usage of CrackMapExec

Enumerate Hosts in a Network

crackmapexec smb 192.168.1.0/24

Check Credentials Against SMB Shares

crackmapexec smb 192.168.1.10 -u Administrator -p Password123

Password Spraying Attack

crackmapexec smb 192.168.1.0/24 -u userlist.txt -p passwordlist.txt

Execute Commands on Remote Hosts

crackmapexec smb 192.168.1.10 -u admin -p password --exec "whoami"

Alternatives to CrackMapExec

- Impacket – Collection of Python scripts for AD exploitation
- Metasploit SMB modules – SMB-based enumeration and exploitation
- SMBExec – Similar tool for executing commands on remote machines
- Pupy RAT – Post-exploitation and lateral movement framework

Advanced CrackMapExec Techniques

Stealthy Credential Dumping – Using CME with Mimikatz for retrieving NTLM hashes
Kerberos Attacks – Leveraging CME for Pass-the-Ticket (PtT) and Golden Ticket Attacks
Privilege Escalation – Identifying misconfigured SMB shares for exploitation

Red Teaming Best Practices with CrackMapExec

✔ Use valid credentials to avoid triggering detection alerts.
✔ Rotate usernames and passwords in password spraying attacks.
✔ Limit execution to reduce noise in logs.
✔ Use encrypted C2 channels for executing commands.

Blue Team’s Advanced Hunting Techniques

Monitor SMB authentication logs for unusual login attempts.
Analyze failed login patterns to detect password spraying.
Use endpoint detection tools to track suspicious command execution.
Detect unusual NTLM authentication requests in logs.

Detection & Countermeasures (Blue Team Perspective)

Enable SMB signing to mitigate credential relay attacks.
Limit excessive AD permissions to prevent lateral movement.
Implement strong password policies to resist brute force attacks.
Use honeypots to detect unauthorized network enumeration attempts.

Best Practices for Ethical Use

✔ Always obtain permission before using CME in an environment.
✔ Follow ethical hacking guidelines and responsible disclosure policies.
✔ Test in a controlled lab to understand tool behavior before deploying.
✔ Stay updated with the latest versions to ensure reliability and effectiveness.

📢 Found this guide useful? Share it with your team!

12:00 PM

By Autor

In: ActiveDirectory, AD, BloodHound

No comments

BloodHound – Comprehensive Guide

What is BloodHound?

BloodHound is a powerful Active Directory (AD) attack analysis and visualization tool used by red teams and penetration testers to map out attack paths in an AD environment. By collecting and analyzing user and group permissions, trust relationships, and AD misconfigurations, attackers can identify privilege escalation routes and lateral movement opportunities.

BloodHound is an essential tool for red teaming, adversary simulation, and security auditing to uncover vulnerabilities within an AD infrastructure.

Installation & Setup

System Requirements

✅ Recommended OS: Kali Linux, Parrot OS, Ubuntu, Windows
✅ Dependencies: Neo4j (graph database) & BloodHound GUI
✅ PowerShell or C# collectors to gather AD data

Install BloodHound

For Debian/Ubuntu-based Systems

sudo apt update && sudo apt install bloodhound -y

For Arch Linux

sudo pacman -S bloodhound

For Windows

Download the latest release from GitHub and install manually.

Setting Up Neo4j Database

sudo apt install neo4j -y
neo4j console

Launching BloodHound

To start the BloodHound GUI:

bloodhound

Collecting Data & Mapping AD Networks

Using SharpHound to Gather AD Data

Invoke-BloodHound -CollectionMethod All -Domain YOURDOMAIN.local -OutputDirectory C:\Users\Public

Uploading Data to BloodHound

After collecting AD data, upload the JSON files into the BloodHound GUI for visualization.

Common Queries to Identify Attack Paths

Find Shortest Path to Domain Admins
Identify Kerberoastable Accounts
Analyze ACL Misconfigurations

Alternatives to BloodHound

- PingCastle – Lightweight AD security scanner
- Aclpwn – Automated privilege escalation path analysis
- Purple Knight – AD security assessment tool
- AD Explorer – Microsoft tool for AD enumeration

Advanced BloodHound Techniques

Stealth Data Collection – Using encrypted C2 channels to exfiltrate data
GPO Exploitation – Identifying misconfigured Group Policy Objects for privilege escalation
Abusing AD Trusts – Mapping inter-forest attack paths
Custom Cypher Queries – Writing custom database queries for specific attack analysis

Red Teaming Best Practices with BloodHound

✔ Limit data collection scope to avoid detection.
✔ Encrypt and obfuscate data transfers to evade network monitoring.
✔ Use compromised accounts with legitimate access to avoid triggering alerts.
✔ Delete collected data after exploitation to reduce footprint.

Blue Team’s Advanced Hunting Techniques

Monitor PowerShell & SharpHound execution logs.
Track anomalous AD queries & database connections.
Detect and block unauthorized SMB & LDAP requests.
Use YARA rules to detect SharpHound activity.

Detection & Countermeasures (Blue Team Perspective)

Enable advanced logging & SIEM integration to track BloodHound use.
Restrict excessive AD permissions to minimize exposure.
Monitor Neo4j & BloodHound processes for unauthorized access.
Harden AD security policies to prevent privilege escalation.

Best Practices for Ethical Use

✔ Always obtain permission before running BloodHound in a live environment.
✔ Follow ethical hacking guidelines and responsible disclosure practices.
✔ Test in a lab environment to simulate real-world scenarios safely.
✔ Regularly update BloodHound to leverage the latest security features.