Welcome to The Forum

Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to

existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile

and so much more. This message will be removed once you have signed in.

Active Hackers

The best community of active hackers. This community has been working in hacking for more than 10 years.

 

Hacker Forum

Hacker from all countries join this community to share their knowledge and their hacking tools

    Hacking Tools

    You can find thousands of tools shared by hackers. RAT's, Bot's, Crypters FUD, Stealers, Binders, Ransomware, Mallware, Virus, Cracked Accounts, Configs, Guides, Videos and many other things.

      PRIV8

      Become a Priv8 user and access all parts of the forum without restrictions and without limit of download. It only costs 100 dollars, and it will last you for a lifetime.

      Read Rules

      In this community we follow and respect rules, and they are the same for everyone, regardless of the user's rank. Read the rules well not to be prohibited.

      Sign in to follow this  
      Followers 0
      dEEpEst

      FakesApp: A Vulnerability in WhatsApp

      By dEEpEst, in Bugs & Exploits

      Recommended Posts

      dEEpEst    35,228

      dEEpEst
      Staff
      Posted

      As of early 2018, the Facebook-owned messaging application, WhatsApp, has over 

      Hidden Content

        Give reaction to this post to see the hidden content.
      with over 

      Hidden Content

        Give reaction to this post to see the hidden content.
       and 

      Hidden Content

        Give reaction to this post to see the hidden content.
      messages sent every day. With so much chatter, the potential for online scams, rumours and fake news is huge. It doesn’t help then, if threat actors have an additional weapon in their arsenal to leverage the platform for their malicious intentions.

      Check Point Research, however, recently unveiled new vulnerabilities in the popular messaging application that could allow threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers immense power to create and spread misinformation from what appear to be trusted sources.

      Our team observed three possible methods of attack exploiting this vulnerability – all of which involve social engineering tactics to fool end-users. A threat actor can:

      1. Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
      2. Alter the text of someone else’s reply, essentially putting words in their mouth.
      3. Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.

      Following the process of Responsible Disclosure, Check Point Research informed WhatsApp of their findings. From Check Point Research’s view, we believe these vulnerabilities to be of the utmost importance and require attention.

      Please read below for our full technical analysis.

      Demonstration Video of the Attacks in Action

      Technical Analysis

      As is well known, WhatsApp encrypts every message, picture, call, video or any other type of content you send so that only the recipient can see it. What’s more, not even WhatsApp has the ability to view those messages.

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 1: WhatsApp Encrypted Chat

      These encryption processes caught our attention and we decided to try to reverse WhatsApp’s algorithm to decrypt the data. Indeed, after decrypting the WhatsApp communication we found that WhatsApp is using the “

      Hidden Content

        Give reaction to this post to see the hidden content.
      ” to do so.

      By converting this protobuf2 data to Json we were able to see the actual parameters that are sent and manipulate them in order to check WhatsApp’s security.

      The outcome of our research is a Burp Suit Extension and 3 Manipulation methods.
      To start the manipulation, though, we first have to get the private and public key of our session and fill it in our burpsuit extension.

      If you are interested in a detailed explanation about how the encryption actually works behind the scenes, please read the encryption paragraph at the end of this blog post.

      Accessing the Keys

      The keys can be obtained from the key generation phase from WhatsApp Web before the QR code is generated:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 2: Public and Private Key of the Communication

      After we take these keys we need to take the “secret” parameter which is sent by the mobile phone to WhatsApp Web while the user scans the QR code:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 3: The Secret Key from the WebSocket

      As a result of this, our extension will look like the below:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 4: WhatsApp Decoder Burp Extension

      After clicking on “Connect”, the extension connects to the extension’s local server, which will perform all the tasks required for the extension.

      Manipulating WhatsApp

      By decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This allowed us to then be able to manipulate them and start looking for security issues.

      This resulted in us being able to carry out a variety of attack types, which are described below.

       

      Attack 1: Change the Identity of a Sender in a Group Chat, Even If They Are Not a Member of the Group

      In this attack, it is possible to spoof a reply message to impersonate another group member and even a non-existing group member, for example, ‘Mickey Mouse’.

      To impersonate someone from the group, all the attacker need do is catch the encrypted traffic:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 5: Encrypted WhatsApp Communication

      Once the traffic is captured, he can simply send it to an extension which will then decrypt the traffic:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 6: Decrypting the WhatsApp Message
      By Using Our Extension

      The interesting parameters to note here are:

      • conversation – This is the actual content which is sent.
      • participant – This is the participant that actually sent the content.
      • fromMe – This parameter indicates if I sent the data or someone else in the group.
      • remoteJid – This parameter indicates to which group/contact the data is sent.
      • id – The id of the data. The same id will appear in the phone databases.

      And this is the point where interesting things begin to happen…

      For example, we can change the conversation to something else. The message with the content “Great!” sent by a member of a group, for instance, could be changed to something else like: “I’m going to die, in a hospital right now” and the participant parameter could also be changed to someone else from the group:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 7: A Spoofed Reply Message

      Note that we have to change the id to something else because it is already sent and appears in the database.

      In order to make everyone see the new spoofed message the attacker needs to reply to the message he spoofed, quoting and changing that message (“Great”) in order for it be sent to everyone in the group.

      As you can see in the below screenshot, we created a new group where no previous messages were sent, and by using the method from above we were able to create a fake reply.

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 8: The Original Conversation

      The ‘participant’ parameter can also be a text or a phone number of someone that is not in the group, which would cause everyone in the group to believe that it actually is sent from this participant.

      For example:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 9: Changing The Content Of The Message
      By Using Our Debugging Tool

      …and the result will look like this:

      Hidden Content

        Give reaction to this post to see the hidden content.

      This would again be sent to everyone in the group as before.

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 10: Reply To a Message That Sent From
      Someone Outside of the Group

      Attack 2: Changing a Correspondent’s Reply To Put Words in Their Mouth

      In this attack, the attacker is able to manipulate the chat by sending a message back to himself on behalf of the other person, as if it had come from them. By doing so, it would be possible to incriminate a person, or close a fraudulent deal, for example.

      In order to spoof the messages, we have to manipulate the ‘fromMe parameter in the message, which indicates who sent the message in the personal chat.

      This time we will capture the outgoing message from WhatsApp Web before it is even sent to our Burp Suite. In order to do that we can put a break point on the aesCbcEncrypt function and take the data from the ‘a’ parameter:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 11: OutGoing Message Manipulation

      We will then copy this data to our Burp extension and select the outgoing direction. By pressing on “Decrypt”, our extension will decrypt the data:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 12: Decryption of Outgoing Message

      After changing it to false and encrypting it back we then get the below result:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 13: Encryption of Outgoing Message

      We have to then modify the ‘a’ parameter in our browser, and the result will be a push notification with the content. In this way it is even possible to spoof the entire chat.

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 14: Sending Messages To Myself
      on Behalf of Someone Else.

      The whole conversation will then look like this:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 15: Sending Messages To Myself
      on Behalf of Someone Else

      Attack 3: Send a Private Message in a Chat Group But When The Recipient Replies, The Whole Group Sees It.

      In this attack, it is possible to send a message in a group chat that only a specific person will see, though if he replies to this message, the entire group will see his reply.

      In this way it is possible to manipulate a certain member of the group and ‘trip them up’ in order to have them reveal information to the group that they may otherwise not want them to know.

      We found this attack vector while we reversed the Android mobile app. In this instance, we found that if the attacker manipulates a simple message in the group, such as “We are the team”, we will actually find this message in ‘/data/data/com.whatsapp/databases/msgstore.db’ database – as seen below.

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 16: Sending a Private Message in the Group Chat

      We will find this message in ‘/data/data/com.whatsapp/databases/msgstore.db’ database

      Then, if we open the conversation on a mobile phone by using the sqlite3 client and issue the following command:

      SELECT * FROM messages;

      We will see the following data:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 17: Manipulation of the Database

      In order to send a message to the group, but restrict it to only a specific group member, we have to set his number under the ‘remote_resource parameter.

      The trick here is to simply change the ‘key_from_me parameter from 0 to 1

      Having done this, we will then run the following command and update the key_from_me and the data:

      update messages set key_from_me=1,data=”We, all know what have you done!” where _id=2493;

      The attacker needs to then close and reopen his WhatsApp to force the application to send the new message. After doing so, the result will be as below:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Notice that only the victim received the message?

      If the victim writes something as a response, everybody in the group will get his response, but if he will reply to the message only he will see the replied content and all the others will see the original message…!!

      Hidden Content

        Give reaction to this post to see the hidden content.

       

      WhatsApp Encryption Explained

      Source code: 

      Hidden Content

        Give reaction to this post to see the hidden content.

      Let’s start with WhatsApp Web. Before generating the QR code, WhatsApp Web generates a Public and Private Key that is used for encryption and decryption.

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 23: Private and Public Key of the Conversation

      Let’s call our private Key ‘priv_key_list’ and our public Key ‘pub_key_list.

      These keys were created by using curve25519_donna by using random 32 bytes.

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 24: Encryption Process Curve25519

      To decrypt the data we will start to create a decryption code. This will take the private key from WhatsApp Web instead of the random bytes because we need to have the same keys in order to decrypt the data:

      self.conn_data[“private_key”] = curve25519.Private(“”.join([chr(x) for x in priv_key_list]))
      self.conn_data[“public_key”]  = self.conn_data[“private_key”].get_public()

      assert (self.conn_data[“public_key”].serialize() == “”.join([chr(x) for x in pub_key_list]))

      Then, after the QR code is created, after scanning it with a phone we can send the following information to Whatsapp Web over a websocket:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 25: The Secret Key From WebSocket

      The most important parameter here is secret which then passes to setSharedSecret. This will divide the secret into multiply parts and configure all the cryptographic functions we need in order to decrypt the WhatsApp traffic.

      First, we can see that there is a translation from String ‘e’ into Array and some slices which divide the secret into two parts: ‘n’, which is the first 32 bytes and ‘a’, which is the characters from 64th byte to the end of the ‘t’.

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 26: Getting the SharedSecret

      And if we dive into the function’ ‘E.SharedSecret’, we can see that it uses two parameters which were the first 32 bytes and the private key from the QR generation:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 27: Getting the SharedSecret

      Following this, we can then update our python code and add the following line:

      self.conn_data[“shared_secret”] = self.conn_data[“private_key”].get_shared_key(curve25519.Public(self.conn_data[“secret”][:32]), lambda key: key)

      Next we have the expended which is 80 bytes:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 28: Extending the SharedSecret

      By diving in we can see that the function uses the HKDF function. So we found function ‘pyhkdf’ and use it in our code to expend the key in the same way that WhatsApp did:

      shared_expended = self.conn_data[“shared_secret_ex”] = HKDF(self.conn_data[“shared_secret”], 80)

      We next have the hmac validation function which takes the expended data as parameter ‘e’ and divides it into 3 parameters:

      • i – the first 32 bytes of shared_expended
      • r – 32 bytes from the 32 byte
      • o – 16 bytes from the 64 byte

      There is also the parameter, ‘s’, which is a concatenation of the parameter ‘n’ and ‘a’, from the function before which forms part of our secret.

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 29: HmacSha256

      Then the function HmacSha256 will be called with the parameter ‘r’ and it will sign the data with the parameter ‘s’, after that ‘n’ we will receive the hmac verifier which will be compared to ‘r’, which is a slice of ‘t’ from 32byte to 64 bytes, and ‘t’ is our secret in the array format, as seen previously.

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 30: Checking the validity of the messages

      In python it will look like this:

      check_hmac = HmacSha256(shared_expended[32:64], self.conn_data[“secret”][:32] + self.conn_data[“secret”][64:]) if check_hmac != self.conn_data[“secret”][32:64]:
      raise ValueError(“Error hmac mismatch”)

      The last encryption related function in this block is ‘aesCbcDecrypt’ which uses the parameter ‘s’ which is a concatenation between the data from byte 64 to the end of expended shared and the data from  byte 64 of the secret, and ‘i’ which is the first 32bytes of expended shared.

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 31: Getting the AES key and the MAC key

      The result is the decrypted key which we will use later. So, if we translate the code it will look like this:

      keysDecrypted = AESDecrypt(shared_expended[:32], shared_expended[64:] + self.conn_data[“secret”][64:]) After the decryption, we will have new ‘t’ which is the  first 32 bytes, which is the encryption key, and the next 32 bytes, which is the mac key:

      self.conn_data[“key”][“aes_key”] = keysDecrypted[:32]
      self.conn_data[“key”][“mac_key”] = keysDecrypted[32:64]

       

      The whole code will then look like this:

      self.conn_data[“private_key”] = curve25519.Private(“”.join([chr(x) for x in priv_key_list]))
      self.conn_data[“public_key”]  = self.conn_data[“private_key”].get_public()

      assert (self.conn_data[“public_key”].serialize() == “”.join([chr(x) for x in pub_key_list]))

      self.conn_data[“secret”] = base64.b64decode(ref_dict[“secret”])
      self.conn_data[“shared_secret”] = self.conn_data[“private_key”].get_shared_key(curve25519.Public(self.conn_data[“secret”][:32]), lambda key: key)

      shared_expended = self.conn_data[“shared_secret_ex”] = HKDF(self.conn_data[“shared_secret”], 80)

      check_hmac = HmacSha256(shared_expended[32:64], self.conn_data[“secret”][:32] + self.conn_data[“secret”][64:])

      if check_hmac != self.conn_data[“secret”][32:64]:
      raise ValueError(“Error hmac mismatch”)

      keysDecrypted = AESDecrypt(shared_expended[:32], shared_expended[64:] + self.conn_data[“secret”][64:])

      self.conn_data[“key”][“aes_key”] = keysDecrypted[:32]
      self.conn_data[“key”][“mac_key”] = keysDecrypted[32:64]

      So, after we have the code that can regenerate all the encryption parameters needed we can continue to the decryption process.

      To do that we start with capturing a message:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 32: The Encrypted Incoming Message

      As you can see, the message is split into two parts: the tag and the data. We will use the following function to decrypt the message:

      def decrypt_incoming_message(self, message):
      message = base64.b64decode(message)
      message_parts = message.split(“,”, 1)
      self.message_tag = message_parts[0]
      content = message_parts[1]

      check_hmac = hmac_sha256(self.conn_data[“mac_key”], content[32:])
      if check_hmac != content[:32]:
      raise ValueError(“Error hmac mismatch”)

      self.decrypted_content = AESDecrypt(self.conn_data[“aes_key”], content[32:])
      self.decrypted_seralized_content = whastsapp_read(self.decrypted_content, True)

      return self.decrypted_seralized_content

      As you can see, we receive the data in base64 format in order to copy the Unicode data easily, In Burp we can encode the data to base64 by simply pressing ctrl+b and pass it to the function decrypt_incomping_message. This function splits the tag from the content and checks if our key can decrypt the data by comparing the hmac_sha256(self.conn_data[“mac_key“], content[32:]) with content[:32].

      If everything fits we can continue to the AES decryption step which uses our aes key and the content from the 32byte.

      This content contains first the IV ,which is in size of aes block size, and then the actual data:

      self.decrypted_content = AESDecrypt(self.conn_data[“aes_key”], content[32:])

      The output of this function will be a protobuf, which looks like this:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 33: The Decrypted Message with Protobuf

      In order to translate it to json we will use the ‘whatsapp_read function.

      WhatsApp Encryption Explained (Decrypt Incoming Message):

      In order to decrypt a message, we first have to understand how the WhatsApp protocol works so we started by debugging the function e.decrypt:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 34: ReadNode Function

      This function will trigger readNode which has the following code:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 35: ReadNode Function

      We translated all the code to python to represent the same function which looks like this:

      Hidden Content

        Give reaction to this post to see the hidden content.

       

      This code first reads a byte from the stream and moves it to char_data. It then tries to read the list size of the incoming stream by using the function read_list_size.

      Then we got another byte which we will call token_byte that will be passed to read_string and looks like this:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 36: ReadString Function

      This code uses getToken and passes our parameter as a position in the token array:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 37: getToken Function

      This is the first item whatsapp sends in the communication, then we translated all the functions in the function readString and continued with the debugging:

      Hidden Content

        Give reaction to this post to see the hidden content.

       

      Next you can see the function ‘readAttributes’ in the function readNode:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 38: readAttribues function

      This function just continues to read more bytes from the stream and parse them via the same token list we saw before when we parsed the “action” token, which will look like this:

      Hidden Content

        Give reaction to this post to see the hidden content.

      So the second parameter that WhatsApp sends is the actual action to the messenger where we can see that WhatsApp sent {add:”replay”} which means a new message arrived.

      Basically we will continue with the code until we get to the end of readNode which will give us the three parts of the message that was sent:

      1. some token
      2. some token attributes
      3. the encoded protobuf message

      So, until this point we got the first and the second part easily by rewriting all the functions to python, which is very straight forward.

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 39: Decrypted Array

      Next we have to deal with the third parameter which is the protobuf and decrypt it.

      To get the protobuf we can look at the protobuf scheme implemented by Whatsapp and just copy it into a clean .proto file which can be obtained from here:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 40: protobuf

      The indexes can be also copied from Whatsapp protobuf schema and compiled to python protobuf file by using:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Then we can translate the protobuf to json easily by using the python functions generated by the protobuf…

      Hidden Content

        Give reaction to this post to see the hidden content.

      …and the result will look like this:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 41: Decrypted Data

      After implementing that inside our extensions we were able to decrypt the communication:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 42: Using Our Extension to Decrypt the Data

       

      WhatsApp Encryption Explained (Encrypt Incoming Message)

      The encryption process is pretty much the same as the encryption but in the opposite order, so this time we will reverse the writeNode function:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 43: writeNode function

      Which is implemented like this:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 44: writeNode function

      As you can see this time we already have the token and the token attributes which we have to translate to its position in the token lists, and then just reimplement all the function in the same way as we did in the readNode:

      Hidden Content

        Give reaction to this post to see the hidden content.

       

      The code is very straight forward; first we check if the node we got is in length of three. Then we multiply the number of token attributes by two and pass it to writeListStart which will write the start of the list character and then the list size (the same thing that we saw in readNode):

      Hidden Content

        Give reaction to this post to see the hidden content.

       

      After we have the start list we will get into writeString which performs the same thing as readString, as you can see “action” translated to ten which is “action” position in the tokens index and so on:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 45: writeToken function

      We translated the code and all the functions, which look like the below:

      Hidden Content

        Give reaction to this post to see the hidden content.

       

      then the code go into writeAttributes which will translate the attributes and from then to writeChildren which will translate the actual data.

      Hidden Content

        Give reaction to this post to see the hidden content.

      Figure 46: writeChildren function

      We  translated this function which looks like the below:

      Hidden Content

        Give reaction to this post to see the hidden content.

      This way we build the data back, so our code that decrypts and encrypts the messages will look like this:

      Hidden Content

        Give reaction to this post to see the hidden content.

       

      To simplify the encryption process we changed the actual writeChildren function and added another instance type to make the encryption simpler:

      Hidden Content

        Give reaction to this post to see the hidden content.

       

      The result is the encryption and decryption of incoming data.
      To decrypt outgoing data please see code our github:

      Hidden Content

        Give reaction to this post to see the hidden content.

      Share this post

      Link to post
      Share on other sites
      Guest
      This topic is now closed to further replies.
      Sign in to follow this  
      Followers 0
      Go To Topic Listing

      • Similar Content

        • itsMe
          WordPress WhatsApp Support v2.0.9
          By itsMe

          Hidden Content
          Give reaction to this post to see the hidden content. More than 1 billion people in over 180 countries use WhatsApp. WordPress WhatsApp Support plugin provides better and easy way to communicate visitors and customers directly to your support person. It runs on your own WordPress site, allowing you full control over your support via WhatsApp.
          Hidden Content
          Give reaction to this post to see the hidden content.

          Hidden Content
          Give reaction to this post to see the hidden content.
        • itsMe
          WhatsApp Chat Support - jQuery Plugin
          By itsMe

          Hidden Content
          Give reaction to this post to see the hidden content. jQuery WhatsApp chat support plugin that provides a quick and easy way to interact with your clients. This plugin will allow your customers to send WhatsApp messages directly to your support team. You can just add this click-to-chat plugin in your existing HTML website template or theme.
          Hidden Content
          Give reaction to this post to see the hidden content.
          Hidden Content
          Give reaction to this post to see the hidden content.
        • itsMe
          Sendroid v3.1.3 - Ultimate Bulk SMS, WhatsApp and Voice Messaging Script with White-Label Reseller System
          By itsMe

          Hidden Content
          Give reaction to this post to see the hidden content. Sendroid Ultimate is a bulk SMS portal software and SMS reseller tool designed for bulk SMS service providers, SMS resellers and bulk SMS marketers.
          Hidden Content
          Give reaction to this post to see the hidden content.

          Hidden Content
          Give reaction to this post to see the hidden content.
        • itsMe
          Wapiti 3.0.5 - Web-application vulnerability scanner
          By itsMe

          Hidden Content
          Give reaction to this post to see the hidden content. Wapiti works as a “black-box” vulnerability scanner, that means it won’t study the source code of web applications but will work like a fuzzer, scanning the pages of the deployed web application, extracting links and forms and attacking the scripts, sending payloads and looking for error messages, special strings or abnormal behaviors.
          General features
              Generates vulnerability reports in various formats (HTML, XML, JSON, TXT…).
              Can suspend and resume a scan or an attack (session mechanism using sqlite3 databases).
              Can give you colors in the terminal to highlight vulnerabilities.
              Different levels of verbosity.
              Fast and easy way to activate/deactivate attack modules.
              Adding a payload can be as easy as adding a line to a text file.
          Browsing features
              Support HTTP, HTTPS, and SOCKS5 proxies.
              Authentication on the target via several methods: Basic, Digest, Kerberos or NTLM.
              Ability to restrain the scope of the scan (domain, folder, page, url).
              Automatic removal of one or more parameters in URLs.
              Multiple safeguards against scan endless-loops (for example, limit of values for a parameter).
              Possibility to set the first URLs to explore (even if not in scope).
              Can exclude some URLs of the scan and attacks (eg: logout URL).
              Import of cookies (get them with the wapiti-getcookie tool).
              Can activate / deactivate SSL certificates verification.
              Extract URLs from Flash SWF files.
              Try to extract URLs from javascript (very basic JS interpreter).
              HTML5 aware (understand recent HTML tags).
              Several options to control the crawler behavior and limits.
              Skipping some parameter names during attack.
              Setting a maximum time for the scan process.
              Adding some custom HTTP headers or setting a custom User-Agent.
          Supported attacks
              Database Injection (PHP/ASP/JSP SQL Injections and XPath Injections)
              Cross Site Scripting (XSS) reflected and permanent
              File disclosure detection (local and remote include, require, fopen, readfile…)
              Command Execution detection (eval(), system(), passtru()…)
              XXE (Xml eXternal Entity) injection
              CRLF Injection
              Search for potentially dangerous files on the server (thank to the Nikto db)
              Bypass of weak htaccess configurations
              Search for copies (backup) of scripts on the server
              Shellshock
              DirBuster like
          Wapiti supports both GET and POST HTTP methods for attacks.
          It also supports multipart and can inject payloads in filenames (upload).
          Display a warning when an anomaly is found (for example 500 errors and timeouts) Makes the difference between permanent and reflected XSS vulnerabilities.
          Module names
          The aforementioned attacks are tied to the following module names :
              backup (Search for copies and scripts)
              blindsql (SQL injection vulnerabilities detected with time-based methodology)
              buster (DirBuster like a module)
              crlf (CR-LF injection in HTTP headers)
              delay (Not an attack module, prints the 10 slowest to load web pages of the target)
              exec (Code execution or command injection)
              file (Path traversal, file inclusion, and XXE)
              htaccess (Misconfigured htaccess restrictions)
              nikto (Look for known vulnerabilities by testing URL existence and checking responses)
              permanent XSS (Rescan the whole target after the xss module execution looking for previously tainted payloads)
              shellshock (Test Shellshock attack, see https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 )
              sql (Error-based SQL injection detection)
              xss (XSS injection module)
          Changelog v3.0.5
              SQL: boolean based blind SQL injection support added
              Report: added CSV as output format
              Cookie: you can drop cookies from HTTP responses with –drop-set-cookie
              Cookie: you can load cookies from your browser with -c <chrome or firefox>
              Session: fixed an issue that might cause URLs being rescanned when resuming a session
              CMS: New modules to detect versions and installed modules for WordPress and Drupal
              Fingerprinting: several issues fixed on mod_wapp
              Crawler: HTTP requests are processed concurrently for faster crawling. Check the new –tasks option.

          Hidden Content
          Give reaction to this post to see the hidden content.
        • itsMe
          Ethical Hacking: Vulnerability Analysis
          By itsMe

          Hidden Content
          Give reaction to this post to see the hidden content. Description
          In order to assess—and ultimately, decrease—an organization’s risk, IT security professionals must first evaluate and reduce existing vulnerabilities. If you’re working to strengthen network security at your organization, it’s essential to have a solid grasp of the processes, methodologies, and tools needed to assess vulnerabilities. In this course, security expert Lisa Bock takes a deep dive into the topic of vulnerability scanning, covering what you need to know to find and address weaknesses that attackers might exploit. Lisa goes over the basics of managing organizational risk, discusses vulnerability analysis methodologies, and shows how to work with vulnerability assessment tools, including Nikto and OpenVAS. Plus, she shares tools and strategies for defending the LAN. Lisa also includes challenge chapters to test your knowledge of each section, along with solutions videos for each challenge.
          Note: The Ethical Hacking series maps to the 20 parts of the EC-Council Certified Ethical Hacker (CEH) exam (312-50) version 11.
          Topics include:
              Common causes of vulnerabilities
              Identifying and assessing vulnerabilities
              The Common Vulnerability Scoring System (CVSS)
              Outsourcing vulnerability analysis
              Leveraging Nikto and other vulnerability assessment tools
              Securing mobile devices
              Defending the LAN
          Hidden Content
          Give reaction to this post to see the hidden content.

          Hidden Content
          Give reaction to this post to see the hidden content.