Today's live tool demonstration is going to feature cracking SSH services using two of my favorite CLI hacking tools: Hydra and Patator.
Hydra is a commonly used tool for brute forcing web application servers, and it is also commonly used to crack SSH, FTP, and RDP protocol services.
Patator is a more advanced tool that is able to work with more services than Hydra, so it comes in handy when you need to crack something that is out of the typical scope of Hydra. It also has many more fine-tuning options that let you control the overall quality of the attack itself.
Disclaimer
As always, personal disclaimer, any and all information for this is strictly for educational purposes and I do not condone any form of illegal activity, nor am I responsible for anything you should use this information for. DO NOT pen-test on anyone's network unless it is your own, or you have permission to do so. Now, let's begin!
- The Hacker Who Laughs
Danger! Windows Recall
Today, we are going to address a popular topic going around in the latest Cyber Security news outlets, the new Windows Recall feature that was just released for Windows 11.
It's no shocker that there are some ahem... "major" security related concerns that have been circulating about it for the past few weeks since its official announcement and release.
I'm going to talk a bit about how it works, and of course, like always, I'll explain the dangers of it. In the more advanced version of the articles, I'm going to go over how some of the core API functions work, and how we can exploit them. Much like in the DLL injection article, where I mention there will be a follow-up article later on with live footage to show the exploit, the same will be the case with this article as well. This is to ensure you have the proper knowledge and that it marinates before we dive into the real thing.
Security is something that is HIGHLY neglected during many software development projects. I've talked a bit about this before, but if security is not kept in mind, it can lead to some pretty crazy stuff, like for example, OpenAuth and SSO. If you would like to see what I'm talking about in regards to that, you can check out this article.
This article is a part of the Danger! Series, which is where I raise more Cyber Security awareness about critical flaws and vulnerabilities that exist within various system infrastructures, including any protocols and data communication methods, and the Dangers of what could happen should they be exploited to the fullest extent. I also go over various mitigation strategies that can be used to prevent them as well. If by chance there is an exploit video for me showing the full potential risk, it will be included in the advanced version of this article for PAID Patreon members only!
HTTP Requests
Today, I'm going to cover an IMPORTANT topic, HTTP request methods. I'm going to keep it real simple and go over all the basics for all of them in full detail so you understand how each one functions, as it's important in order for you to properly understand how HTTP/HTTPS data communications function on a lower level.
We've talked about how the internet works, and things like port forwarding, the TCP/IP handshake, etc., but we've yet to discuss the actual HTTP methods you constantly see in stuff like Burp Suite, for example.
For this article, there will be a video demonstrating how to use HTTP methods via Burp Suite. As always, this will be for paid Patreon members only.
For this article, we are ONLY going to talk about some of the basic ones you should know first: GET, POST, PUT, DELETE. Any other ones mentioned later on will be for paid Patreon members only.
Advanced MITB
This week we will be going over how to write a more advanced version of the Man-In-The-Browser exploit. It features some new techniques that could be of use to you.
I'll also be covering a few modules in Python to stack with the exploit so you can further extend and do a lot more with it.
This demonstration will cover how to keylog end user credentials with the exploit, and then post them to a remote server, specifically the one that we wrote in last bi-weekly's issue regarding how to write a "HTTP Server" in Python3.
Pay close attention to this video as we are combining past things we've learned to make the exploit 10 times better.
SQLMap RCE
For this week's tool tutorial, I'll be covering how to use SQLMap to perform RCE on a remote system, featuring HackTheBox's "Vaccine" machine.
SQLMap can be used for a lot more than just performing SQL injections and dumping databases that are vulnerable to the technique. It can also be used to perform RCE and pop you a reverse shell.
I'll also be demonstrating something that has been highly requested, which is creating more advanced interactive shell upgrades once you land RCE against a system.
One of the biggest things you'll often notice after you land RCE is that you require a "pty" shell, which is a more interactive, legit /bin/bash shell that can execute more advanced, if not all, commands on the remote target system. IT'S CRUCIAL YOU KNOW HOW TO DO THIS AS IT'S PRACTICAL AND YOU'LL OFTEN HAVE TO DO SO.
Programming a JoyStick
This week I'll be teaching you how to program a Joystick module for Arduino. This is part of the lead-up to a more advanced lab that is coming up, which WILL require you to know how to do this.
I'll also be covering some smart techniques and tricks on how to program the module correctly, since it can be tricky for beginners to get it right on their first try.
We'll be putting what we've learned so far about how to program switches, LED pins, and analog all into one go, as well as the overall basics of how to physically set it up.
There of course will be photos on how to set up the module properly so you can see everything I'm doing.
Danger! E2E & CSAM
Today, I'm going to dive into a super sensitive topic, one that I don't recommend if it's not your cup of tea. I'm going to be talking about CSAM, which is short for "Child Sexual Abuse Material". I'm going to talk about what it is, as well as recent activities by various social media platforms that encourage the spawn of it, and how our very own Cyber Security practices can be used to help aid Cyber criminals and other illegal activity on the internet.
The main goal for today is to talk about how data encryption and secure communications aid CSAM on various social media and communications platforms: Facebook (Meta), WhatsApp, Telegram, etc.
Although data encryption and secure communication methods such as SSL and TLS can be used to protect end users and prevent interception via man-in-the-middle attacks, as well as render data infeasible to read, they can also aid threat actors and CSAM criminals, enabling them to go undetected and remain anonymous (depending on how smart they are on the internet).
I'm also going to talk a bit about how our privacy laws and policies can aid threat actors as well.
We often forget that laws not only protect the innocent, but also criminals at the same time. It's one of the biggest reasons why, in the event of a real situation where there is a threat to the safety of others concerning certain forms of data, business infrastructures refuse to disclose it unless there is a certain process they undergo to safely do so.
This article is a part of the Danger! Series, which is where I raise more Cyber Security awareness about critical flaws and vulnerabilities that exist within various system infrastructures, including any protocols and data communication methods, and the Dangers of what could happen should they be exploited to the fullest extent. I also go over various mitigation strategies that can be used to prevent them as well. If by chance there is an exploit video for me showing the full potential risk, it will be included in the advanced version of this article for PAID Patreon members only!
Metasploit
Today I'm going to talk about the Metasploit framework, what it is, and why it's a STAPLE tool in EVERY hacker's arsenal, whether it be for beginners or experienced hackers.
I've gone over how to use it for certain exploits, but I've never fully shown: how to set it up, what all the options mean, advanced options, how to chain and combine stuff, etc. I'm going to show you the most practical way to use the framework so that you can effortlessly hack it like a pro in no time.
I'm also going to show you one CRITICAL thing that commonly gets overlooked when using the framework. It's an abundance of FREE knowledge, one that if you know how to use it, you'll become one of the most skilled and dangerous hackers of all time. Think of Metasploit as all your "past lives". You have access to all of that information. You just need to learn how to use it properly.
This article will of course be video oriented, and will be available to PAID Patreon members only.
It's no shocker that it's a staple tool in every hacker's tool belt, but shockingly enough, due to how times have changed, I don't quite see it picked up by newcomers or talked about enough anymore. I know it still sees light and people use it, but nowadays I rarely hear anyone post or even talk about it, and it's one of the standard tools much like aircrack-ng. People forget that a lot of newer tools are based on the original ones that are known and loved by the hacker community.
Recently one of my favorite authors (Tags her name) ran into an issue where someone thought recommending Aircrack-NG was a horrible idea due to how old it is, when it is in fact one of THE best pentesting tools hands down to seamlessly crack various wireless encryption: WEP, WPA, WPA2, etc. Even most pentesting methodologies or tools mimic it in some shape or format, just like with Metasploit.
Web Cam Hacking
For today's tool demonstration, we are going to be diving more into the Metasploit framework, as well as previous techniques involving IoT hacking, to dive into web cam hacking.
One of the many features of the meterpreter shell from the Metasploit framework is that it allows you to tap into the camera feed of the IoT device you breached, meaning you can grab live video footage of the end user, as well as any metadata that will give away their coordinates and location if you would like to strip that using tools we've covered like exiftool.
Form Requests
For today's software engineering content, we are going to dive into how to write out form requests to implement various HTTP methods from scratch, as well as how to set up a basic HTML file from scratch.
I will be showing you how to set up form requests, as well as: text inputs, password inputs, submit modules, and lastly, file uploads for an HTML page.
The goal of this is to get you into the habit of knowing how HTML code works and how to tamper with it.
Pay close attention to how I'm writing the code, as you'll need to know this for the upcoming lab that is set to launch soon.
Source code, like always, will be in the attachments section below.