Building sniffer on the basis of ESP32. Listening on Wi-Fi, aiming at Bluetooth!

One day, GS Labs research and development center launched a project to identify possible bugs and vulnerabilities in its systems. However, the tested device chosen to run the application was pretty tricky: no way to install the root and no Ethernet connection. The only available communication methods were Wi-Fi and a remote control with a few buttons – so, who knows what’s going to be transferred via Wi-Fi? Hackers do not like uncertainty. Hackers like certainty. I had a couple of ESP32-based debug boards at home (the ESP32-PICO-KIT), and decided to build a Wi-Fi sniffer with the potential to be upgraded to a Bluetooth sniffer.

Read full article →


Linux post-exploitation. Advancing from user to super-user in a few clicks

This article is dedicated to some of the most popular and, more importantly, working post-exploitation utilities for Linux servers. You are about to learn how to manipulate the system, gain root access, or steal valuable data right away. Learn what to do after penetrating protected corporate perimeters, bypassing dozens of detection systems and honeypots, or even getting physical access to the target system. Expand your possibilities and become a super-user!

Read full article →


Counter-Forensics. Protecting your smartphone against the Five Eyes

The Editorial Board decided to publish this material after reviewing a large number of articles in various periodicals, including technical ones. All these publications, with no exceptions, repeat the same trivial recommendations: “use a complex screen lock code”, “enable the fingerprint scanner”, “disable Smart Lock”, “make use of two-factor authentication”, and the most sarcastic recommendation for many Android users: “update your OS”. No doubt, all these steps make sense, but are they sufficient to make your phone secure? We believe not.

Read full article →


FUCK 2FA! Bypassing two-factor authentication with Modlishka

Underground forums are full of offers to hack an account or two (or sell you the login credentials of some ten million accounts if you like). In most cases, such attacks involve phishing (sorry, social engineering) and use fake authentication pages. However, this method is ineffective if the user gets pushed a prompt or receives a text message with a six-digit verification code. I am going to demonstrate how to breach the two-factor authentication system by hacking a Google account belonging to one of this magazine’s humble editors.

Read full article →