P4wnP1 the Pi Zero W USB attack Platform

The P4wnP1 is an exciting and feature rich USB attack platform that runs on a Raspberry Pi Zero.

featured item

The P4wnP1 turns your Pi Zero/Zero W into a physical security Ethical Hacking pentest tool. In this article, we will cover installing P4wnP1 on a Pi Zero W and using several of its payloads against a target system running Windows 10.

For this article, you will need:

  • Rasberry Pi Zero W (I purchased mine from adafruit.com with a case)
  • Raspberry Pi Power Adapter
  • MicroSD Memory card
  • MicroSD card writer
  • P4wnP1 software

You will also need a target computer to plug the P4wnP1 into (I used a Windows 10 PC) and a secondary computer to SSH into the Pi to control and modify the P4wnP1.

Continue reading article on dantheiotman.com

 

Advertisements

New Version of Kali Linux (1.1.0) Released!

Kali Linux 110

After two years of development, a new version of Kali Linux is available! Version 1.1.0 of Kali Linux, arguably the greatest penetration testing platform available, is now ready for download.

The update contains a slew of system updates and fixes, plus some new wallpapers and it seemed even some new Metasploit splash screens.

If you already have Kali Installed, just:

  • apt-get update
  • apt-get dist-upgrade

VMWare images of 1.1.0 are available at Offensive Security.

Check it out!

If you are new to Kali Linux, or a veteran that wants to learn more, check out my step by step, How-To book, “Basic Security Testing with Kali Linux” on Amazon.com.

Hacking the Holidays! Computer Security Book Gift Ideas

Santa Hacker 2

Got a computer security guru on your shopping list and don’t know what to get them? Or tired of getting socks and sweaters for Christmas and want something you can really use? We have put together a list of some of the best selling security books for 2014!

Check out these excellent computer security books:

 

Basic Security Testing Kali LinuxBasic Security Testing with Kali Linux

Great book for those new to the security field or seasoned expert looking for a reference guide. Learn computer security testing with easy to follow, step-by-step tutorials using Kali Linux. In-depth sections on Metasploit,  Exploiting Windows and Linux Systems, Wi-Fi security testing, Social Engineering attacks and much more. If you are looking for a security book to get you started in the field, this is it!

 

Red Team Field Manual 1RTFM: Red Team Field Manual

A no fluff, but thorough reference guide for serious Red Team members who routinely find themselves on a mission without Google or the time to scan through a man page. The RTFM contains the basic syntax for commonly used Linux and Windows command line tools, but it also encapsulates unique use cases for powerful tools such as Python and Windows PowerShell.

 

 

Black Hat PythonBlack Hat Python: Python Programming for Hackers and Pentesters

A follow-up to the perennial best-seller Gray Hat Python, Justin Seitz’s Black Hat Python explores the darker side of Python’s capabilities—writing network sniffers, manipulating packets, infecting virtual machines, creating stealthy trojans, extending the popular web hacking tool Burp Suite, and more.

 

 

Art of Memory ForensicsThe Art of Memory Forensics

Memory forensics provides cutting edge technology to help investigate digital attacks Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. Experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics-now the most sought after skill in the digital forensics and incident response fields.

 

Hacker PlaybookThe Hacker Playbook: Practical Guide To Penetration Testing

Just as a professional athlete doesn’t show up without a solid game plan, ethical hackers, IT professionals, and security researchers should not be unprepared, either. The Hacker Playbook provides them their own game plans. Written by a longtime security professional and CEO of Secure Planet, LLC, this step-by-step guide to the “game” of penetration hacking features hands-on examples and helpful advice.

 

Looking for more ideas?

We hope you enjoyed the list, have a great Holiday season!

 

Thousands of Vulnerabilities in NOAA Satellite System

jpss1_3_450

A Memorandum released last week by the Office of Inspector General revealed that numerous “High-Risk” security vulnerabilities were found in the Joint Polar Satellite System’s (JPSS) Ground System.

According to the report, a security audit of NOAA’s Information Technology security program found serious security issues with the JPSS Ground System which gathers information from  weather satellites and provides it to worldwide users. It also provides command and control for current and future weather satellites.

The system is considered a “High Impact” IT system, or a system “for which the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic effect on organizational operations, organizational assets or individuals.”

The report showed that the number of High-Risk vulnerabilities rose from 14,486 in the first quarter of 2012 to 23,868 in the second quarter of 2014:

JPSS Ground System Vulnerabilities

As you can see from the chart, the vulnerabilities have gone up and down over the last couple years as vulnerabilities have been found and patched. But overall the current vulnerabilities are about 2/3 higher than in the beginning of 2012.

High-Risk vulnerabilities are defined in the report as ones that are “relatively easy for attackers to exploit and gain control over system components.” The vulnerabilities found seem the same as would be found in any corporate security audit and including the following issues:

  • Out of date software or missing security patches
  • Insecurely configured software
  • Unnecessary user privileges
  • Passwords and auditing settings do not meet policy standards
  • Unnecessary software applications that need to be removed or disabled

The issues found even included the “Heartbleed” vulnerability, which has since been remediated.

The numerous other vulnerabilities are of major concern and the software tools to exploit some of the vulnerabilities are publicly available. For the full report, check out the “Correspondance” PDF link on the Inspector General page.