BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
A vulnerable web application designed to help assessing the features, quality and accuracy of web application vulnerability scanners. This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners.
Vulnerabilities: ºPath Traversal/LFI: 816 test cases, implemented in 816 jsp pages (GET & POST) ºRemote File Inclusion (XSS via RFI): 108 test cases, implemented in 108 jsp pages (GET & POST) ºReflected XSS: 66 test cases, implemented in 64 jsp pages (GET & POST) ºError Based SQL Injection: 80 test cases, implemented in 76 jsp pages (GET & POST) ºBlind SQL Injection: 46 test cases, implemented in 44 jsp pages (GET & POST) ºTime Based SQL Injection: 10 test cases, implemented in 10 jsp pages (GET & POST) ºPassive Information Disclosure/Session Vulnerabilities (inspired/imported from ZAP-WAVE): 3 test cases of erroneous information leakage, and 2 cases of improper authentication / information disclosure – implemented in 5 jsp pages ºExperimental Tase Cases (inspired/imported from ZAP-WAVE): 9 additional RXSS test cases (anticsrf tokens, secret input vectors, tag signatures, etc), and 2 additional SQLi test cases (INSERT) – implemented in 11 jsp pages (GET & POST) False Positives: º7 different categories of false positive Reflected XSS vulnerabilities (GET & POST ) º10 different categories of false positive SQL Injection vulnerabilities (GET & POST) º8 different categories of false positive path traversal/LFI vulnerabilities (GET & POST) º6 different categories of false positive remote file inclusion vulnerabilities (GET & POST) Additional Features: ºA simple web interface for accessing the vulnerable pages ºAn auto-installer for the mysql database schema (/wavsep-install/install.jsp) ºSample detection & exploitation payloads for each and every test case ºDatabase connection pool support, ensuring the consistency of scanning results
MagSpoof is a device that can spoof/emulate any magnetic stripe or credit card. It can work “wirelessly”, even on standard magstripe/credit card readers, by generating a strong electromagnetic field that emulates a traditional magnetic stripe card. MagSpoof does not enable you to use credit cards that you are not legally authorized to use. The Chip-and-PIN and Amex information is not implemented and using MagSpoof requires you to have/own the magstripes that you wish to emulate. Simply having a credit card number and expiration is not enough to perform transactions. MagSpoof does allow you to perform research in other areas of magstripes, microcontrollers, and electromagnetism, as well as learn about and create your own devices similar to other existing, commercial technologies such as Samsung MST and Coin.
º Allows you to store all of your credit cards and magstripes in one device º Works on traditional magstripe readers wirelessly (no NFC/RFID required) º Can disable Chip-and-PIN (code not included) º Correctly predicts Amex credit card numbers + expirations from previous card number (code not included) º Supports all three magnetic stripe tracks, and even supports Track 1+2 simultaneously º Easy to build using Arduino or other common parts
How MagSpoof Works MagSpoof emulates a magnetic stripe by quickly changing the polarization of an electromagnet, producing a magnetic field similar to that of a normal magnetic stripe as if it’s being swiped. What’s incredible is that the magstripe reader requires no form of wireless receiver, NFC, or RFID — MagSpoof works wirelessly, even with standard magstripe readers. The stronger the electromagnet, the further away you can use it (a few inches in its current iteration). MagSpoof also uses inexpensive, off the shelf parts, and can be built with almost nothing more than an Arduino, wire and a battery! I use a motor driver to provide a reasonable amount of power. Normally electromagnets have an iron core, however we lose the core for the sake of space and portability. Also, while the iron core does make the electromagnet more efficient, we still produce more than enough power to work. MagSpoof improves on new cards such as Coin. I’m a customer of Coin, and while I love their app and the card, the card actually works a very small percentage of the time. After looking over Coin’s FCC docs, I noticed they use two coils to produce a (very small) electromagnetic field, however it’s severely deficient and the card works less than 50% of the time for me, sadly. I found that by emulating a card with MagSpoof, if I send Track 1 one way, and then send Track 2 reversed, every card reader will assume I simply swiped a card back and forth, use the data from both tracks and my strong electromagnet, and properly read all of the data. This is extremely effective, uses only a single coil, and works for both tracks simultaneously. This also allows MagSpoof to work on Track 3. Additionally, if you’re using a Chip card with Coin, you still need to bring your actual credit card to dip, however because MagSpoof can disable Chip-and-PIN (see below), it does not require you to bring your card with you. Hardware
ºAtmel ATtiny85(microcontroller) An Atmel ATtiny85 is the microcontroller to drive the entire system. It stores all of the magnetic stripe / credit card data. In a thinner, credit-card sized (0.8mm thick!) version, I use an [ATtiny10]. ºL293D H-Bridge(motor driver)
I use an L293D H-bridge to drive the electromagnet. The L293D is a motor driver, but motors are actually driven by the electromagnet(s) and magnets inside of them. Any standard driver should work here. Technically the L293D doesn’t work down at 3.7V (voltage of the LiPo battery), but it works surprisingly well. In the credit-card size version, I suggest using a the TI DRV8835 or TI DRV8833. º24AWG Magnet Wire(coil) I use somewhere around ~24AWG magnet wire to act as the coil to produce the electromagnetic field. This piece of wire incredibly produces an electromagnetic field that makes the card reader believe a card is being swiped. Incredible. By rapidly controlling the polarization of this field, the magstripe reader believes the flipped bits of a real card are being swiped through the reader. º100mAh 3.7V LiPo battery(the powah)
A small 100mAh 3.7V lipo battery powers our contraption. For the credit card size version (not shown here), I use a battery from PowerStream.
º100µF Capacitor Keep enough energy in this capacitor to provide the electromagnet with power when we need it, otherwise it will pull too much current and reset the microcontroller. This is the capacitor kit I use as it has all the standard values I’d need.
0Day to Buy
Anti-Spy
Exposed Leak
#Op
Cyber War
Home
Hacking Tools
Hacking Online Tools
Pr1v8
Google Hacking DB
All
