ID: DEBIAN:DLA-1624-1:BB176
Type: debian
Reporter: Debian
Modified: 2019-01-02T17:18:29
Description
Package : thunderbird
Version : 1:60.4.0-1~deb8u1
CVE ID : not yet available
Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code or denial of service.
For Debian 8 "Jessie", this problem has been fixed in version
1:60.4.0-1~deb8u1.
We recommend that you upgrade your thunderbird packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
{"kitploit": [{"lastseen": "2021-04-18T16:37:57", "bulletinFamily": "tools", "cvelist": [], "description": "[  ](<https://1.bp.blogspot.com/-NSEBkezV598/YHpKijF1FMI/AAAAAAAAV5I/kNv7MFSlTnw5qT0UYfETAxXtIo7ffJr7ACNcBGAsYHQ/s512/httpdoom_1_logo.png>)\n\n \n\n\nValidate large HTTP-based attack surfaces in a very fast way. Heavily inspired by [ Aquatone ](<https://github.com/michenriksen/aquatone> \"Aquatone\" ) . \n\n\n \n** Why? ** \n\n\nWhen I utilize Aquatone to flyover some hosts, I have some [ performance ](<https://www.kitploit.com/search/label/Performance> \"performance\" ) issues by the [ screenshot ](<https://www.kitploit.com/search/label/Screenshot> \"screenshot\" ) feature, and the lack of extension capabilities - like validating front-end technologies with a plugin-like system -, also, my codebase is mainly C# and Rust, and make the maintenance of a tool wrote in another language can lead to a lot of issues. \n\nWith these ideas in mind, HttpDoom is born. \n\n \n\n\n** Installing ** \n\n\nIn order to install HttpDoom, in the current release cycle, due to not have a runtime-independent build at this time ( ** only _ devel _ builds are available ** ), you ** must have .NET5 runtime (or SDK) - AKA ` dotnet ` \\- installed in your host ** , with the .NET toolchain available in your Linux or macOS (automatic installation for Windows is not supported at this time, your PR to installation script is welcome. WSL works fine): \n \n \n $ ./installer.sh\n\nThe installer script also updates (removing the current instalation) new releases of HttpDoom. \n\n \n** How this works? ** \n\n\nThe description ( ` --help ` ) of the CLI is all you need to know: \n \n \n HttpDoom: \n HttpDoom is a tool for response-based inspection of websites across a large \n surface. 
\n amount of hosts for quickly gaining an overview of HTTP-based attack \n \n Usage: \n HttpDoom [options] \n \n Options: \n -d, --debug Print [debugging](<https://www.kitploit.com/search/label/Debugging> \"debugging\" ) information \n -f, --follow-redirect HTTP client follow any automatic \n redirects (default is false) \n -m, --max-redirects Max automatic redirect depth when is \n enable (default is 3) \n -s, --screenshot Take screenshots from the alive host \n with ChromeDriver (default is false) \n -r, --screenshot-resolution Set screenshot resolution (default \n is 1366x768) \n -F, --capture-favicon Download the application favicon \n -h, --headers <headers> Set default headers to every request \n User-Agent) \n (default is just a random \n -t, --http-timeout <http-timeout> Timeout in milliseconds for HTTP \n requests (default is 5000) \n -T, --threads <threads> Number of concurrent threads \n (default is 20) \n -o, --output-directory Path to save the output directory \n <output-directory> \n -p, --ports <ports> Set of ports to check (default is \n 80, 443, 8080 and 8433) \n -P, --proxy <proxy> Proxy to use for HTTP requests \n -w, --w ord-list <word-list> List of hosts to flyover against \n (REQUIRED) \n --version Show version information \n -?, -h, --help Show help and usage information \n \n\n \n** But it is fast? ** \n\n\nLet's take a look on the result of a flyover agains 5000 hosts on default HttpDoom ports (80, 443, 8080 and 8433), running in the very first working release, with 2 threads (provided by a generic Amazon EC2 instance) agains the same settings on Aquatone 1.7.0: \n\nHttpDoom: \n \n \n ... \n [+] Flyover is done! Enumerated #31128 responses in 2.49 minute(s) \n [+] Got a total of #176 alive hosts! \n ... \n \n\nAquatone: \n \n \n ... \n Writing session file...Time: \n - Started at : 2020-12-20T08:27:43Z \n - Finished at : 2020-12-20T08:34:35Z \n - Duration : 6m52s \n ... 
\n \n\n> ** Note ** : The results of these tests can vary a lot based on a series of specific conditions of your host. Make the test locally and check which tool offers the best performance. \n\n \n** Output ** \n\n\nBy default, we create all the necessary directories, and we also randomly choose their names (you can set this up with ` -o ` , in doubt see ` --help ` ). \n\nWithin the main directory, a ` general.json ` file is created containing all the results in a single file (to facilitate the search or ingestion in some visual tool), which looks like this: \n \n \n [ \n { \n \"Domain\": \"google.com\", \n \"Addresses\": [ \n \"2800:3f0:4001:81a::200e\", \n \"172.217.28.14\" \n ], \n \"Requested\": \"https://google.com/\", \n \"Port\": 443, \n \"Content\": \"\\u003CHTML\\u003E\\u003CHEAD\\u003E\\u003Cmeta http-equiv=\\u0022content-type\\u0022 content=\\u0022text/html;charset=utf-8\\u0022\\u003E\\n\\u003CTITLE\\u003E301 Moved\\u003C/TITLE\\u003E\\u003C/HEAD\\u003E\\u003CBODY\\u003E\\n\\u003CH1\\u003E301 Moved\\u003C/H1\\u003E\\nThe document has moved\\n\\u003CA HREF=\\u0022https://www.google.com/\\u0022\\u003Ehere\\u003C/A\\u003E.\\r\\n\\u003C/BODY\\u003E\\u003C/HTML\\u003E\\r\\n\", \n \"ScreenshotPath\": \"C:\\\\Users\\\\REDACTED\\\\AppData\\\\Local\\\\Temp\\\\c14obxml.kfy\\\\Screenshots\\\\0086aea9-c4d4-4bbf-89d8-728e5d2ff184.png\", \n \"FaviconPath\": \"C:\\\\Users\\\\REDACTED\\\\AppData\\\\Local\\\\Temp\\\\c14obxml.kfy\\\\Favicons\\\\172d671c-636d-443b-b5b4-30ed6e10b8aa.ico\", \n \"Headers\": [ \n { \n \"Key\": \"Location\", \n \"Value\": [ \n \"https://www.google.com/\" \n ] \n }, \n { \n \"Key\": \"Date\", \n \"Value\": [ \n \"Tue, 02 Feb 2021 15:59:46 GMT\" \n ] \n }, \n { \n \"Key\": \"Cache-Control\", \n \"Value\": [ \n \"public, max-age=2592000\" \n ] \n }, \n { \n \"Key\": \"Server\", \n \"Value\": [ \n \"gws\" \n ] \n }, \n { \n \"Key\": \"X-XSS-Protection\", \n \"Value\": [ \n \"0\" \n ] \n }, \n { \n \"Key\": \"X-Frame-Options\", \n \"Value\": [ \n 
\"SAMEORIGIN\" \n ] \n }, \n { \n \"Key\": \"Alt-Svc\", \n \"Value\": [ \n \"h3-29=\\u0022:443\\u0022; ma=2592000\", \n \"h3-T051=\\u0022:443\\u0022; ma=2592000\", \n \"h3-Q050=\\u0022:443\\u0022; ma=2592000\", \n \"h3-Q046=\\u0022:443\\u0022; ma=2592000\", \n \"h3-Q043=\\u0022:443\\u0022; ma=2592000\", \n \"quic=\\u0022:443\\u0022; ma=2592000\" \n ] \n } \n ], \n \"Cookies\": [], \n \"StatusCode\": 301 \n }, \n // ... \n ]\n\nA directory called _ Individual Results _ is also created, indexing the results individually, categorically based on the name of the URI used for the request, as well the screenshots, if you use HttpDoom with option ` -s ` and favicons, if the site has one, and if you use HttpDoom with option ` -F ` : \n \n \n . \n \u251c\u2500\u2500 Favicons \n \u2502\u00a0\u00a0 \u251c\u2500\u2500 31be8e61-d90b-4b40-bcef-640fb31588e7.ico \n \u2502\u00a0\u00a0 \u2514\u2500\u2500 4e097b93-12f2-4f20-9582-547cc6d20312.ico \n \u251c\u2500\u2500 Individual Results \n \u2502\u00a0\u00a0 \u251c\u2500\u2500 http:google.com:80.json \n \u2502\u00a0\u00a0 \u2514\u2500\u2500 https:google.com:443.json \n \u251c\u2500\u2500 Screenshots \n \u2502\u00a0\u00a0 \u251c\u2500\u2500 1d395ce1-b329-4379-8d9e-2868ed41e67d.png \n \u2502\u00a0\u00a0 \u2514\u2500\u2500 a9f90f23-4d5c-4f13-ba3e-5d8f88aa3926.png \n \u2514\u2500\u2500 general.json \n \n\n> ** Note ** : The pattern of Individual Results files is ` scheme:address:port ` .But ` : ` can be an invalid character depending on what operational system you use HttpDoom. For deeper ACK, check the documentation of ` Path.GetInvalidFileNameChars() ` in MSDN. \n\n \n** Roadmap ** \n\n\nThe project are focused to be a really useful tool. 
\n\n * ** 0x00 ** : Make the satuday project work; \n * ** 0x01 ** : Baking the CLI options very similar to Aquatone; \n * ** 0x02 ** : Fix issues with large (5K+) hosts wordlists; \n * ** 0x03 ** : Well, this is not \"threads\" but work like, maybe need a better polishing; \n * ** 0x04 ** Screenshots because why not; \n * ** 0x05 ** : Create the community-driven [ fingerprint ](<https://www.kitploit.com/search/label/Fingerprint> \"fingerprint\" ) engine to enumerate [ vulnerabilities ](<https://www.kitploit.com/search/label/vulnerabilities> \"vulnerabilities\" ) on headers and bodies of the HTTP responses; \n \n\n\n** [ Download Httpdoom ](<https://github.com/filipi86/httpdoom> \"Download Httpdoom\" ) **\n", "edition": 1, "modified": "2021-04-18T12:30:00", "published": "2021-04-18T12:30:00", "id": "KITPLOIT:3237933707875599534", "href": "http://www.kitploit.com/2021/04/httpdoom-tool-for-response-based.html", "title": "HttpDoom - A Tool For Response-Based Inspection Of Websites Across A Large Amount Of Hosts For Quickly Gaining An Overview Of HTTP-based Attack Surface", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-17T23:14:47", "bulletinFamily": "tools", "cvelist": [], "description": "[  ](<https://1.bp.blogspot.com/-Yrc1qWcKW94/YHYxtJBL3CI/AAAAAAAAV44/gVb6wKxjjA8fhFfTr9v29aYHHquSoHzqwCNcBGAsYHQ/s640/tunnel.jpg>)\n\n \n\n\nAn open source serveo/ngrok alternative. \n\n \n\n\n** Deploy ** \n\n\nBuilds are made automatically for each commit to the repo and are pushed to Dockerhub. Builds are tagged using a commit sha, branch name, tag, latest if released on main. You can find a list [ here ](<https://hub.docker.com/r/antoniomika/sish/tags> \"here\" ) . Each release builds separate ` sish ` binaries that can be downloaded from [ here ](<https://github.com/antoniomika/sish/releases> \"here\" ) for various OS/archs. Feel free to either use the automated binaries or to build your own. 
If you submit a PR, images are not built by default and will require a retag from a maintainer to be built. \n\n 1. Pull the Docker image \n\n * ` docker pull antoniomika/sish:latest `\n 2. Run the image \n\n * docker run -itd --name sish \\ \n -v ~/sish/ssl:/ssl \\ \n -v ~/sish/keys:/keys \\ \n -v ~/sish/pubkeys:/pubkeys \\ \n --net=host antoniomika/sish:latest \\ \n --ssh-address=:22 \\ \n --http-address=:80 \\ \n --https-address=:443 \\ \n --https=true \\ \n --https-certificate-directory=/ssl \\ \n --authentication-keys-directory=/pubkeys \\ \n --private-key-location=/keys/ssh_key \\ \n --bind-random-ports=false\n\n 3. SSH to your host to communicate with sish \n\n * ` ssh -p 2222 -R 80:localhost:8080 ssi.sh `\n \n** Docker Compose ** \n\n\nYou can also use Docker Compose to setup your sish instance. This includes taking care of SSL via Let's Encrypt for you. This uses the [ adferrand/dnsrobocert ](<https://github.com/adferrand/dnsrobocert> \"adferrand/dnsrobocert\" ) container to handle issuing wildcard certifications over DNS. For more information on how to use this, head to that link above. Generally, you can deploy your service like so: \n \n \n docker-compose -f deploy/docker-compose.yml up -d\n\nThe domain and DNS auth info in ` deploy/docker-compose.yml ` and ` deploy/le-config.yml ` should be updated to reflect your needs. You will also need to create a symlink that points to your domain's Let's Encrypt [ certificates ](<https://www.kitploit.com/search/label/Certificates> \"certificates\" ) like: \n \n \n ln -s /etc/letsencrypt/live/<your domain>/fullchain.pem deploy/ssl/<your domain>.crt \n ln -s /etc/letsencrypt/live/<your domain>/privkey.pem deploy/ssl/<your domain>.key\n\nCareful: the symlinks need to point to ` /etc/letsencrypt ` , not a relative path. The symlinks will not resolve on the host filesystem, but they will resolve inside of the sish container because it mounts the letsencrypt files in /etc/letsencrypt, _ not _ ./letsencrypt. 
\n\nI use these files in my deployment of ` ssi.sh ` and have included them here for consistency. \n\n \n** Google Cloud Platform ** \n\n\nThere is a tutorial for creating an instance in Google Cloud Platform with sish fully setup that can be found [ here ](<https://github.com/antoniomika/sish/blob/main/deploy/gcloud.md> \"here\" ) . It can be accessed through [ Google Cloud Shell ](<https://cloud.google.com/shell> \"Google Cloud Shell\" ) . \n\n \n\n\n[ ** Open in Google Cloud Shell ** ](<https://ssh.cloud.google.com/cloudshell/editor?shellonly=true&cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fantoniomika%2Fsish&cloudshell_git_branch=main&cloudshell_tutorial=deploy%2Fgcloud.md>)\n\n \n** How it works ** \n\n\nSSH can normally forward local and remote ports. This service implements an SSH server that only handles forwarding and nothing else. The service supports multiplexing connections over HTTP/HTTPS with WebSocket support. Just assign a remote port as port ` 80 ` to proxy HTTP traffic and ` 443 ` to proxy HTTPS traffic. If you use any other remote port, the server will listen to the port for TCP connections, but only if that port is available. \n\nYou can choose your own subdomain instead of relying on a randomly assigned one by setting the ` --bind-random-subdomains ` option to ` false ` and then selecting a subdomain by prepending it to the remote port specifier: \n\n` ssh -p 2222 -R foo:80:localhost:8080 ssi.sh `\n\nIf the selected subdomain is not taken, it will be assigned to your connection. \n\n \n** Supported forwarding types ** \n \n** HTTP forwarding ** \n\n\nsish can forward any number of HTTP connections through SSH. It also provides logging the connections to the connected client that has forwarded the connection and a web interface to see full request and responses made to each forwarded connection. Each webinterface can be unique to the forwarded connection or use a unified access token. 
To make use of HTTP forwarding, ports ` [80, 443] ` are used to tell sish that a HTTP connection is being forwarded and that HTTP virtualhosting should be defined for the service. For example, let's say I'm developing a HTTP webservice on my laptop at port ` 8080 ` that uses websockets and I want to show one of my coworkers who is not near me. I can forward the connection like so: \n \n \n ssh -R hereiam:80:localhost:8080 ssi.sh\n\nAnd then share the link ` https://hereiam.ssi.sh ` with my coworker. They should be able to access the service seamlessly over HTTPS, with full websocket support working fine. Let's say ` hereiam.ssi.sh ` isn't available, then sish will generate a random subdomain and give that to me. \n\n \n** TCP forwarding ** \n\n\nAny TCP based service can be used with sish for TCP and alias forwarding. TCP forwarding will establish a remote port on the server that you deploy sish to and will forward all connections to that port through the SSH connection and to your local device. For example, if I was to run a SSH server on my laptop with port ` 22 ` and want to be able to access it from anywhere at ` ssi.sh:2222 ` , I can use an SSH command on my laptop like so to forward the connection: \n \n \n ssh -R 2222:localhost:22 ssi.sh\n\nI can use the forwarded connection to then access my laptop from anywhere: \n \n \n ssh -p 2222 ssi.sh\n\n \n** TCP alias forwarding ** \n\n\nLet's say instead I don't want the service to be accessible by the rest of the world, you can then use a TCP alias. A TCP alias is a type of forwarded TCP connection that only exists inside of sish. You can gain access to the alias by using SSH with the ` -W ` flag, which will forwarding the SSH process' stdin/stdout to the fowarded TCP connection. In combination with authentication, this will guarantee your remote service is safe from the rest of the world because you need to login to sish before you can access it. 
Changing the example above for this would mean running the following command on my laptop: \n \n \n ssh -R mylaptop:22:localhost:22 ssi.sh\n\nsish won't publish port 22 or 2222 to the rest of the world anymore, instead it'll retain a pointer saying that TCP connections made from within SSH after a user has authenticated to ` mylaptop:22 ` should be forwarded to the forwarded TCP tunnel. Then I can use the forwarded connection access my laptop from anywhere using: \n \n \n ssh -o ProxyCommand=\"ssh -W %h:%p ssi.sh\" mylaptop\n\nShorthand for which is this with newer SSH versions: \n \n \n ssh -J ssi.sh mylaptop\n\n \n** Authentication ** \n\n\nIf you want to use this service privately, it supports both public key and password authentication. To enable authentication, set ` --authentication=true ` as one of your CLI options and be sure to configure ` --authentication-password ` or ` --authentication-keys-directory ` to your liking. The directory provided by ` --authentication-keys-directory ` is watched for changes and will reload the authorized keys automatically. The authorized cert index is regenerated on directory modification, so removed public keys will also automatically be removed. Files in this directory can either be single key per file, or multiple keys per file separated by newlines, similar to ` authorized_keys ` . Password auth can be disabled by setting ` --authentication-password=\"\" ` as a CLI option. \n\nOne of my favorite ways of using this for authentication is like so: \n \n \n [email\u00a0protected]:~/sish/pubkeys# curl https://github.com/antoniomika.keys > antoniomika\n\nThis will load my public keys from GitHub, place them in the directory that sish is watching, and then load the pubkey. As soon as this command is run, I can SSH normally and it will authorize me. \n\n \n** Custom domains ** \n\n\nsish supports allowing users to bring custom domains to the service, but SSH key auth is required to be enabled. 
To use this feature, you must setup TXT and CNAME/A records for the domain/subdomain you would like to use for your forwarded connection. The CNAME/A record must point to the domain or IP that is hosting sish. The TXT record must be be a ` key=val ` string that looks like: \n \n \n sish=SSHKEYFINGERPRINT \n\nWhere ` SSHKEYFINGERPRINT ` is the fingerprint of the key used for logging into the server. You can set multiple TXT records and sish will check all of them to ensure at least one is a match. You can retrieve your key fingerprint by running: \n \n \n sish=SSHKEYFINGERPRINT \n \n\nIf you trust the users connecting to sish and would like to allow any domain to be used with sish (bypassing verification), there are a few added flags to aid in this. This is especially useful when adding multiple wildcard certificates to sish in order to not need to automatically provision Let's Encrypt certs. To disable verfication, set ` --bind-any-host=true ` , which will allow and subdomain/domain combination to be used. To only allow subdomains of a certain subset of domains, you can set ` --bind-hosts ` to a comma separated list of domains that are allowed to be bound. \n\nTo add certficates for sish to use, configure the ` --https-certificate-directory ` flag to point to a dir that is accessible by sish. In the directory, sish will look for a combination of files that look like ` name.crt ` and ` name.key ` . ` name ` can be arbitrary in either case, it just needs to be unique to the cert and key pair to allow them to be loaded into sish. \n\n \n** Load balancing ** \n\n\nsish can [ load balance ](<https://www.kitploit.com/search/label/Load%20Balance> \"load balance\" ) any type of forwarded connection, but this needs to be enabled when starting sish using the ` --http-load-balancer ` , ` --tcp-load-balancer ` , and ` --alias-load-balancer ` flags. 
Let's say you have a few edge nodes (raspberry pis) that are running a service internally but you want to be able to balance load across these devices from the outside world. By enabling [ load balancing ](<https://www.kitploit.com/search/label/Load%20Balancing> \"load balancing\" ) in sish, this happens automatically when a device with the same forwarded TCP port, alias, or HTTP subdomain connects to sish. Connections will then be evenly distributed to whatever nodes are connected to sish that match the forwarded connection. \n\n \n** Whitelisting IPs ** \n\n\nWhitelisting IP ranges or countries is also possible. Whole CIDR ranges can be specified with the ` --whitelisted-ips ` option that accepts a comma-separated string like \"192.30.252.0/22,185.199.108.0/22\". If you want to whitelist a single IP, use the ` /32 ` range. \n\nTo whitelist countries, use ` --whitelisted-countries ` with a comma-separated string of countries in ISO format (for example, \"pt\" for Portugal). You'll also need to set ` --geodb ` to ` true ` . \n\n \n** DNS Setup ** \n\n\nTo use sish, you need to add a wildcard DNS record that is used for multiplexed subdomains. Adding an ` A ` record with ` * ` as the subdomain to the IP address of your server is the simplest way to achieve this configuration. \n\n \n** Demo - At this time, the demo instance has been set to require auth due to abuse ** \n\n\nThere is a demo service (and my private instance) currently running on ` ssi.sh ` that doesn't require any authentication. This service provides default logging (errors, connection IP/username, and pubkey fingerprint). I do not log any of the password authentication data or the data sent within the service/tunnels. My deploy uses the exact deploy steps that are listed above. This instance is for testing and educational purposes only. You can deploy this extremely easily on any host (Google Cloud Platform provides an always-free instance that this should run perfectly on). 
If the service begins to accrue a lot of traffic, I will enable authentication and then you can reach out to me to get your SSH key whitelisted (make sure it's on GitHub and you provide me with your GitHub username). \n\n \n** Notes ** \n\n\n 1. This is by no means production ready in any way. This was hacked together and solves a fairly specific use case. \n * You can help it get production ready by submitting PRs/reviewing code/writing tests/etc \n 2. This is a fairly simple implementation, I've intentionally cut corners in some places to make it easier to write. \n 3. If you have any questions or comments, feel free to reach out via email [email protected] or on [ freenode IRC #sish ](<https://kiwiirc.com/client/chat.freenode.net:6697/#sish> \"freenode IRC #sish\" )\n \n** Upgrading to v1.0 ** \n\n\nThere are numerous breaking changes in sish between pre-1.0 and post-1.0 versions. The largest changes are found in the mapping of command flags and configuration params. Those have changed drastically, but it should be easy to find the new counterpart. The other change is SSH keys that are supported for host key auth. sish continues to support most modern keys, but by default if a host key is not found, it will create an OpenSSH ED25519 key to use. Previous versions of sish would aes encrypt the pem block of this private key, but we have since moved to using the native [ OpenSSH private key format ](<https://github.com/openssh/openssh-portable/blob/master/sshkey.c> \"OpenSSH private key format\" ) to allow for easy interop between OpenSSH tools. For this reason, you will either have to manually convert an AES encrypted key or generate a new one. \n\n \n** CLI Flags ** \n\n \n \n sish is a [command line](<https://www.kitploit.com/search/label/Command%20Line> \"command line\" ) utility that implements an SSH server that can handle HTTP(S)/WS(S)/TCP multiplexing, forwarding and load balancing. 
It can handle multiple vhosting and reverse tunneling endpoints for a large number of clients. Usage: sish [flags] Flags: --admin-console Enable the admin console accessible at http(s)://domain/_sish/console?x-authorization=admin-console-token -j, --admin-console-token string The token to use for admin console access if it's enabled (default \"S3Cr3tP4$$W0rD\") --alias-load-balancer Enable the alias [load balancer](<https://www.kitploit.com/search/label/Load%20Balancer> \"load balancer\" ) (multiple clients can bind the same alias) --append-user-to-subdomain Append the SSH user to the subdomain. This is useful in multitenant environments --append-user-to-subdomain-separator string The token to use for separating username and subdomain selection in a virtualhost (default \"-\") --authentication Require authentication for the SSH service -k, --authentication-keys-directory string Directory where public keys for public key authentication are stored. sish will watch this directory and automatically load new keys and remove keys from the authentication list (default \"deploy/pubkeys/\") -u, --authentication-password string Password to use for ssh server password authentication (default \"S3Cr3tP4$$W0rD\") --banned-aliases string A comma separated list of banned aliases that users are unable to bind -o, --banned-countries string A comma separated list of banned countries. Applies to HTTP, TCP, and SSH connections -x, --banned-ips string A comma separated list of banned ips that are unable to access the service. Applies to HTTP, TCP, and SSH connections -b, --banned-subdomains string A comma separated list of banned subdomains that users are unable to bind (default \"localhost\") --bind-any-host Bind any host when accepting an HTTP listener --bind-hosts string A comma separated list of other hosts a user can bind. 
Requested hosts should be subdomains of a host in this list --bind-random-aliases Force bound alias tunnels to use random aliases instead of user provided ones (default true) --bind-random-aliases-length int The length of the random alias to generate if a alias is unavailable or if random aliases are enforced (default 3) --bind-random-ports Force TCP tunnels to bind a random port, where the kernel will randomly assign it (default true) --bind-random-subdomains Force bound HTTP tunnels to use random subdomains instead of user provided ones (default true) --bind-random-subdomains-length int The length of the random subdomain to generate if a subdomain is unavailable or if random subdomains are enforced (default 3) --cleanup-unbound Cleanup unbound (unforwarded) SSH connections after a set timeout (default true) --cleanup-unbound-timeout duration Duration to wait before cleaning up an unbound (unforwarded) connection (default 5s) -c, --config string Config file (default \"config.yml\") --debug Enable debugging information -d, --domain string The root domain for HTTP(S) multiplexing that will be appended to subdomains (default \"ssi.sh\") --force-requested-aliases Force the aliases used to be the one that is requested. Will fail the bind if it exists already --force-requested-ports Force the ports used to be the one that is requested. Will fail the bind if it exists already --force-requested-subdomains Force the subdomains used to be the one that is requested. Will fail the bind if it exists already --geodb Use a geodb to verify country IP address association for IP filtering -h, --help help for sish -i, --http-address string The address to listen for HTTP connections (default \"localhost:80\") --http-load-balancer Enable the HTTP load balancer (multiple clients can bind the same domain) --http-port-override int The port to use for http command output. This does not effect ports used for connecting, it's for cosmetic use only --https Listen for HTTPS connections. 
Requires a correct --https-certificate-directory -t, --https-address string The address to listen for HTTPS connections (default \"localhost:443\") -s, --https-certificate-directory string The directory containing HTTPS certificate files (name.crt and name.key). There can be many crt/key pairs (default \"deploy/ssl/\") --https-ondemand-certificate Enable retrieving certificates on demand via Let's Encrypt --https-ondemand-certificate-accept-terms Accept the Let's Encrypt terms --https-ondemand-certificate-email string The email to use with Let's Encrypt for cert notifications. Can be left blank --https-port-override int The port to use for https command output. This does not effect ports used for connecting, it's for cosmetic use only --idle-connection Enable connection idle timeouts for reads and writes (default true) --idle-connection-timeout duration Duration to wait for activity before closing a connection for all reads and writes (default 5s) --load-templates Load HTML templates. This is required for admin/service consoles (default true) --load-templates-directory string The directory and glob parameter for templates that should be loaded (default \"templates/*\") --localhost-as-all Enable forcing localhost to mean all interfaces for tcp listeners (default true) --log-to-client Enable logging HTTP and TCP requests to the client --log-to-file Enable writing log output to file, specified by log-to-file-path --log-to-file-compress Enable compressing log output files --log-to-file-max-age int The maxium number of days to store log output in a file (default 28) --log-to-file-max-backups int The maxium number of rotated logs files to keep (default 3) --log-to-file-max-size int The maximum size of outputed log files in megabytes (default 500) --log-to-file-path string The file to write log output to (default \"/tmp/sish.log\") --log-to-stdout Enable writing log output to stdout (default true) --ping-client Send ping requests to the underlying SSH client. 
This is useful to ensure that SSH connections are kept open or close cleanly (default true) --ping-client-interval duration Duration representing an interval to ping a client to ensure it is up (default 5s) --ping-client-timeout duration Duration to wait for activity before closing a connection after sending a ping to a client (default 5s) -n, --port-bind-range string Ports or port ranges that sish will allow to be bound when a user attempts to use TCP forwarding (default \"0,1024-65535\") -l, --private-key-location string The location of the SSH server private key. sish will create a private key here if it doesn't exist using the --private-key-passphrase to encrypt it if supplied (default \"deploy/keys/ssh_key\") -p, --private-key-passphrase string Passphrase to use to encrypt the server private key (default \"S3Cr3tP4$$phrAsE\") --proxy-protocol Use the proxy-protocol while proxying connections in order to pass-on IP address and port information --proxy-protocol-listener Use the proxy-protocol to resolve ip addresses from user connections --proxy-protocol-policy string What to do with the proxy protocol header. Can be use, ignore, reject, or require (default \"use\") --proxy-protocol-timeout duration The duration to wait for the proxy proto header (default 200ms) --proxy-protocol-use-timeout Use a timeout for the proxy-protocol read -q, --proxy-protocol-version string What version of the proxy protocol to use. Can either be 1, 2, or userdefined. 
If userdefined, the user needs to add a command to SSH called proxyproto:version (ie proxyproto:1) (default \"1\") --redirect-root Redirect the root domain to the location defined in --redirect-root-location (default true) -r, --redirect-root-location string The location to redirect requests to the root domain to instead of responding with a 404 (default \"https://github.com/antoniomika/sish\") --service-console Enable the service console for each service and send the info to connected clients -m, --service-console-token string The token to use for service console access. Auto generated if empty for each connected tunnel -a, --ssh-address string The address to listen for SSH connections (default \"localhost:2222\") --tcp-aliases Enable the use of TCP aliasing --tcp-load-balancer Enable the TCP load balancer (multiple clients can bind the same port) --time-format string The time format to use for both HTTP and general log messages (default \"2006/01/02 - 15:04:05\") --verify-dns Verify DNS information for hosts and ensure it matches a connecting users sha256 key fingerprint (default true) --verify-ssl Verify SSL certificates made on proxied HTTP connections (default true) -v, --version version for sish -y, --whitelisted-countries string A comma separated list of whitelisted countries. Applies to HTTP, TCP, and SSH connections -w, --whitelisted-ips string A comma separated list of whitelisted ips. 
Applies to HTTP, TCP, and SSH connections \n\n \n \n\n\n** [ Download Sish ](<https://github.com/antoniomika/sish> \"Download Sish\" ) **\n", "edition": 1, "modified": "2021-04-17T21:30:00", "published": "2021-04-17T21:30:00", "id": "KITPLOIT:5858725565585323203", "href": "http://www.kitploit.com/2021/04/sish-httpswsstcp-tunnels-to-localhost.html", "title": "Sish - HTTP(S)/WS(S)/TCP Tunnels To Localhost Using Only SSH", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-17T14:45:09", "bulletinFamily": "tools", "cvelist": [], "description": "[  ](<https://1.bp.blogspot.com/-vC53ouNt_VU/YHYwLilxXMI/AAAAAAAAV4w/NatBA4yVXqgNYgLW5FmQyx2mpKX8XLMrQCNcBGAsYHQ/s989/Android-PIN-Bruteforce_1.png>)\n\n \n\n\nUnlock an Android phone (or device) by [ bruteforcing ](<https://www.kitploit.com/search/label/Bruteforcing> \"bruteforcing\" ) the lockscreen PIN. \n\nTurn your Kali Nethunter phone into a bruteforce PIN cracker for Android devices! \n\n** How it works ** \n\n\nIt uses a USB OTG cable to connect the locked phone to the Nethunter device. It emulates a keyboard, automatically tries PINs, and waits after trying too many wrong guesses. \n\n[Nethunter phone] <--> [USB cable] <--> [USB OTG adaptor] <--> [Locked Android phone] \n\nThe USB HID Gadget driver provides emulation of USB Human Interface Devices (HID). This enables an Android Nethunter device to emulate keyboard input to the locked phone. It's just like plugging a keyboard into the locked phone and pressing keys. \n\nThis takes just over 16.6 hours with a Samsung S5 to try all possible 4 digit PINs, but with the optimised PIN list it should take you much less time. \n\n \n\n\n** You will need ** \n\n\n * A locked Android phone \n * A Nethunter phone (or any rooted Android with HID kernel support) \n * USB OTG (On The Go) cable/adapter (USB male Micro-B to female USB A), and a standard charging cable (USB male Micro-B to male A). \n * That's all! 
\n\n \n\n\n** Benefits ** \n\n\n * Turn your NetHunter phone into an Android PIN cracking machine \n * Unlike other methods, you do not need ADB or USB debugging enabled on the locked phone \n * The locked Android phone does not need to be rooted \n * You don't need to buy special hardware, e.g. Rubber Ducky, Teensy, Cellebrite, XPIN Clip, etc. \n * You can easily modify the backoff time to crack other types of devices \n * It works! \n\n \n\n\n** Features ** \n\n\n * Crack PINs of any length from 1 to 10 digits \n * Use config files to support different phones \n * Optimised PIN lists for 3,4,5, and 6 digit PINs \n * Bypasses phone pop-ups including the Low Power warning \n * Detects when the phone is unplugged or powered off, and waits while retrying every 5 seconds \n * Configurable delays of N seconds after every X PIN attempts \n * Log file \n \n** Installation ** \n\n\nTBC \n\n \n** Executing the script ** \n\n\nIf you installed the script to /sdcard/, you can execute it with the following command. \n\n` bash ./android-pin-bruteforce `\n\nNote that Android mounts /sdcard with the noexec flag. You can verify this with ` mount ` . \n\n \n** Usage ** \n\n \n \n \n Android-PIN-Bruteforce (0.1) is used to unlock an Android phone (or device) by bruteforcing the lockscreen PIN. 
\n Find more information at: https://github.com/urbanadventurer/Android-PIN-Bruteforce \n \n Commands: \n crack Begin cracking PINs \n resume Resume from a chosen PIN \n rewind Crack PINs in reverse from a chosen PIN \n diag Display diagnostic information \n version Display version information and exit \n \n Options: \n -f, --from PIN Resume from this PIN \n -a, --attempts Starting from NUM incorrect attempts \n -m, --mask REGEX Use a mask for known digits in the PIN \n -t, --type TYPE Select PIN or PATTERN cracking \n -l, --length NUM Crack PINs of NUM length \n -c, --config FILE Specify configuration file to load \n -p, --pinlist FILE Specify a custom PIN list \n -d, --dry-run Dry run for testing. Does n't send any keys. \n -v, --verbose Output verbose logs \n \n Usage: \n android-pin-bruteforce <command> [options] \n \n\n \n** Supported Android Phones/Devices ** \n\n\nThis has been successfully tested with various phones including the Samsung S5, S7, Motorola G4 Plus and G5 Plus. \n\nIt can unlock Android versions 6.0.1 through to 10.0. The ability to perform a bruteforce attack doesn't depend on the Android version in use. It depends on how the device vendor developed their own lockscreen. \n\nCheck the Phone Database for more details [ https://github.com/urbanadventurer/Android-PIN-Bruteforce/wiki/Phone-Database ](<https://github.com/urbanadventurer/Android-PIN-Bruteforce/wiki/Phone-Database> \"https://github.com/urbanadventurer/Android-PIN-Bruteforce/wiki/Phone-Database\" )\n\n \n\n\n** PIN Lists ** \n\n\nOptimised PIN lists are used by default unless the user selects a custom PIN list. \n\n \n** Cracking PINs of different lengths ** \n\n\nUse the ` --length ` commandline option. \n\nUse this command to crack a 3 digit PIN, ` ./android-pin-bruteforce crack --length 3 `\n\nUse this command to crack a 6 digit PIN ` ./android-pin-bruteforce crack --length 6 `\n\n \n** Where did the optimised PIN lists come from? 
** \n\n\nThe optimised PIN lists were generated by extracting numeric passwords from database leaks then sorting by frequency. All PINs that did not appear in the password leaks were appended to the list. \n\nThe optimised PIN lists were generated from _ Ga$$Pacc DB Leak _ (21GB decompressed, 688M Accounts, 243 Databases, 138920 numeric passwords). \n\n \n** The 4 digit PIN list ** \n\n\nThe reason that the 4 digit PIN list is used from a different source is because it gives better results than the generated list from _ Ga$$Pacc DB Leak _ . \n\n` optimised-pin-length-4.txt ` is an optimised list of all possible 4 digit PINs, sorted by order of likelihood. It can be found with the filename ` pinlist.txt ` at [ https://github.com/mandatoryprogrammer/droidbrute ](<https://github.com/mandatoryprogrammer/droidbrute> \"https://github.com/mandatoryprogrammer/droidbrute\" )\n\nThis list is used with permission from Justin Engler & Paul Vines from Senior Security Engineer, iSEC Partners, and was used in their Defcon talk, [ Electromechanical PIN Cracking with Robotic Reconfigurable Button Basher (and C3BO) ](<https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Engler> \"Electromechanical PIN Cracking with Robotic Reconfigurable Button Basher \\(and C3BO\\)\" )\n\n \n** Cracking with Masks ** \n\n\nMasks use [ regular expressions ](<https://www.kitploit.com/search/label/Regular%20Expressions> \"regular expressions\" ) with the standard grep extended format. \n\n` ./android-pin-bruteforce crack --mask \"...[45]\" --dry-run `\n\n * To try all years from 1900 to 1999, use a mask of ` 19.. `\n * To try PINs that have a 1 in the first digit, and a 1 in the last digit, use a mask of ` 1..1 `\n * To try PINs that end in 4 or 5, use ` ...[45] `\n\n \n\n\n** Configuration for different phones ** \n\n\nDevice manufacturers create their own lock screens that are different to the default or stock Android. 
To find out what keys your phone needs, plug a keyboard into the phone and try out different combinations. \n\nLoad a different configuration file, with the ` --config FILE ` commandline parameter. \n\nExample: ` ./android-pin-bruteforce --config ./config.samsung.s5 crack `\n\nYou can also edit the ` config ` file by customising the timing and keys sent. \n\nThe following configuration variables can be used to support a different phone's lockscreen. \n \n \n # Timing \n ## DELAY_BETWEEN_KEYS is the period of time in seconds to wait after each key is sent \n DELAY_BETWEEN_KEYS=0.25 \n \n ## The PROGRESSIVE_COOLDOWN_ARRAY variables act as multi-dimensional array to customise the progressive cooldown \n ## PROGRESSIVE_ARRAY_ATTEMPT_COUNT__________ is the attempt number \n ## PROGRESSIVE_ARRAY_ATTEMPTS_UNTIL_COOLDOWN is how many attempts to try before cooling down \n ## PROGRESSIVE_ARRAY_COOLDOWN_IN_SECONDS____ is the cooldown in seconds \n \n PROGRESSIVE_ARRAY_ATTEMPT_COUNT__________=(1 11 41) \n PROGRESSIVE_ARRAY_ATTEMPTS_UNTIL_COOLDOWN=(5 1 1) \n PROGRESSIVE_ARRAY_COOLDOWN_IN_SECONDS____=(30 30 60) \n \n ## SEND_KEYS_DISMISS_POPUPS_N_SECONDS_BEFORE_COOLDOWN_END defines how many seconds before the end of the cooldown period, keys will be sent \n # set to 0 to disable \n SEND_KEYS_DISMISS_POPUPS_N_SECONDS_BEFORE_COOLDOWN_END=5 \n ## SEND_KEYS_DISMISS_POPUPS_AT_COOLDOWN_END configures the keys that are sent to dismiss messages and popups before the end of the cooldown period \n SEND_KEYS_DISMISS_POPUPS_AT_COOLDOWN_END=\"enter enter enter\" \n \n ## KEYS_BEFORE_EACH_PIN configures the keys that are sent to prompt the lock screen to appear. This is sent before each PIN. \n ## By default it sends \"escape enter\", but some phones will respond to other keys. 
\n \n # Examples: \n # KEYS_BEFORE_EACH_PIN=\"ctrl_escape enter\" \n # KEYS_BEFORE_EACH_PIN=\"escape space\" \n KEYS_BEFORE_EACH_PIN=\"escape enter\" \n \n ## KEYS_STAY_AWAKE_DURING_COOLDOWN the keys that are sent during the cooldown period to keep the phone awake \n KEYS_STAY_AWAKE_DURING_COOLDOWN=\"enter\" \n \n ## SEND_KEYS_STAY_AWAKE_DURING_COOLDOWN_EVERY_N_SECONDS how often the keys are sent, in seconds \n SEND_KEYS_STAY_AWAKE_DURING_COOLDOWN_EVERY_N_SECONDS=5 \n \n ## DELAY_BEFORE_STARTING is the period of time in seconds to wait before the bruteforce begins \n DELAY_BEFORE_STARTING=2 \n ## KEYS_BEFORE_STARTING configures the keys that are sent before the bruteforce begins \n KEYS_BEFORE_STARTING=\"enter\" \n \n\n \n** Popups ** \n\n\nWe send keys before the end of the cooldown period, or optionally during the cooldown period. This is to keep the lockscreen app active and to dismiss any popups about the number of incorrect PIN attempts or a low battery warning. \n\n \n** Test sending keys from the NetHunter phone ** \n \n** Test sending keys from the terminal ** \n\n\nUse ssh from your laptop to the NetHunter phone, and use this command to test sending keys: \n\nIn this example, the enter key is sent. \n\n` echo \"enter\" | /system/xbin/hid-keyboard /dev/hidg0 keyboard `\n\nIn this example, ctrl-escape is sent. \n\n` echo \"left-ctrl escape\" | /system/xbin/hid-keyboard /dev/hidg0 keyboard `\n\nNote: Sending combinations of keys in ` config ` file variables is different. Currently only ` ctrl_escape ` is supported. \n\nIn this example, keys a, b, c are sent. \n\n` echo a b c | /system/xbin/hid-keyboard /dev/hidg0 keyboard `\n\n \n** Test sending keys from an app ** \n\n\nThis Android app is a virtual USB Keyboard that you can use to test sending keys. 
\n\n[ https://store.nethunter.com/en/packages/remote.hid.keyboard.client/ ](<https://store.nethunter.com/en/packages/remote.hid.keyboard.client/> \"https://store.nethunter.com/en/packages/remote.hid.keyboard.client/\" )\n\n \n** How to send special keys ** \n\n\nUse this list for the following variables: \n\n * KEYS_BEFORE_EACH_PIN \n * KEYS_STAY_AWAKE_DURING_COOLDOWN \n * KEYS_BEFORE_STARTING \n\nTo send special keys use the following labels. This list can be found in the hid_gadget_test source code. \n\nKey label | Key label \n---|--- \nleft-ctrl | f6 \nright-ctrl | f7 \nleft-shift | f8 \nright-shift | f9 \nleft-alt | f10 \nright-alt | f11 \nleft-meta | f12 \nright-meta | insert \nreturn | home \nesc | pageup \nbckspc | del \ntab | end \nspacebar | pagedown \ncaps-lock | right \nf1 | left \nf2 | down \nf3 | kp-enter \nf4 | up \nf5 | num-lock \n \nTo send more than one key at the same time, use the following list: \n\n * ctrl_escape (This sends left-ctrl and escape) \n\nIf you need more key combinations please open a new issue in the GitHub issues list. \n\n \n** Customising the Progressive Cooldown ** \n\n\nThe following section of the ` config ` file controls the progressive cooldown. \n \n \n ## The PROGRESSIVE_COOLDOWN_ARRAY variables act as multi-dimensional array to customise the progressive cooldown \n ## PROGRESSIVE_ARRAY_ATTEMPT_COUNT__________ is the attempt number \n ## PROGRESSIVE_ARRAY_ATTEMPTS_UNTIL_COOLDOWN is how many attempts to try before cooling down \n ## PROGRESSIVE_ARRAY_COOLDOWN_IN_SECONDS____ is the cooldown in seconds \n \n PROGRESSIVE_ARRAY_ATTEMPT_COUNT__________=(1 11 41) \n PROGRESSIVE_ARRAY_ATTEMPTS_UNTIL_COOLDOWN=(5 1 1) \n PROGRESSIVE_ARRAY_COOLDOWN_IN_SECONDS____=(30 30 60) \n \n \n\nThe array is the same as this table. \n\nattempt number | attempts until cooldown | cooldown \n---|---|--- \n1 | 5 | 30 \n11 | 1 | 30 \n41 | 1 | 60 \n \n** Why can't you use a laptop? 
** \n\n\nThis works from an Android phone because the USB ports are not bidirectional, unlike the ports on a laptop. \n\n \n** How Android emulates a keyboard ** \n\n\nKeys are sent using ` /system/xbin/hid-keyboard ` . To test this and send the key 1 you can use ` echo 1 | /system/xbin/hid-keyboard /dev/hidg0 keyboard `\n\nIn Kali Nethunter, ` /system/xbin/hid-keyboard ` is a compiled copy of ` hid_gadget_test.c ` . This is a small program for testing the HID gadget driver that is included in the Linux Kernel. The source code for this file can be found at [ https://www.kernel.org/doc/html/latest/usb/gadget_hid.html ](<https://www.kernel.org/doc/html/latest/usb/gadget_hid.html> \"https://www.kernel.org/doc/html/latest/usb/gadget_hid.html\" ) and [ https://github.com/aagallag/hid_gadget_test ](<https://github.com/aagallag/hid_gadget_test> \"https://github.com/aagallag/hid_gadget_test\" ) . \n\n \n** Troubleshooting ** \n \n** If it is not bruteforcing PINs ** \n \n** Check the orientation of the cables ** \n\n\nThe Nethunter phone should have a regular USB cable attached, while the locked phone should have an OTG adaptor attached. \n\nThe OTG cable should be connected to the locked Android phone. The regular USB cable should be connected to the Nethunter phone. \n\nRefer to the graphic on how to connect the phones. \n\n \n** Check it is emulating a keyboard ** \n\n\nYou can verify that the NetHunter phone is successfully emulating a keyboard by connecting it to a computer using a regular charging/data USB cable. Open a text editor like Notepad while it is cracking and you should see it entering PIN numbers into the text editor. \n\nNote that you will not need an OTG cable for this. \n\n \n** Try restarting the phones ** \n\n\nTry powering off the phones and even taking out the batteries if that is possible. \n\n \n** Try new cables ** \n\n\nTry using new cables/adaptors as you may have a faulty cable/adaptor. 
\n\n \n** If it doesn't unlock the phone with a correct PIN ** \n\n\nYou might be sending keys too fast for the phone to process. Increase the DELAY_BETWEEN_KEYS variable in the config file. \n\nIf you don't see 4 dots come up on the phone's screen then maybe it is not receiving 4 keys. \n \n** Managing Power Consumption ** \n\n\nIf your phone runs out of power too soon, follow these steps: \n\n * Make sure both phones are fully charged to 100% before you begin \n * Reduce the screen brightness on both the victim phone and NetHunter phone if possible \n * Place both phones into Airplane mode, however you may want to enable WiFi to access the NetHunter phone via SSH. \n * The locked phone will power the NetHunter phone, because it appears as a keyboard accessory \n * Use a USB OTG cable with a Y splitter for an external power supply, to allow charging of the NetHunter phone while cracking \n * Take breaks to charge your devices. Pause the script with CTRL-Z and resume with the ` fg ` shell command. \n * Avoid the SEND_KEYS_STAY_AWAKE_DURING_COOLDOWN_EVERY_N_SECONDS configuration option. This will cause the locked phone to use more battery to keep the screen powered. Instead use the SEND_KEYS_DISMISS_POPUPS_N_SECONDS_BEFORE_COOLDOWN_END option (Default). \n \n** Check the Diagnostics Report ** \n\n\nUse the command ` diag ` to display diagnostic information. \n\n` bash ./android-pin-bruteforce diag `\n\nIf you receive this message when the USB cable is plugged in then try taking the battery out of the locked Android phone and power cycling it. \n\n` [FAIL] HID USB device not ready. Return code from /system/xbin/hid-keyboard was 5. `\n\n \n** How the usb-devices command works ** \n\n\nThe diagnostics command uses the ` usb-devices ` script but it is only necessary as part of determining whether the USB cables are incorrectly connected. 
This can be downloaded from [ https://github.com/gregkh/usbutils/blob/master/usb-devices ](<https://github.com/gregkh/usbutils/blob/master/usb-devices> \"https://github.com/gregkh/usbutils/blob/master/usb-devices\" )\n\n \n** Use verbose output ** \n\n\nUse the ` --verbose ` option to check the configuration is as expected. This is especially useful when you are modifying the configuration. \n\n \n** Use the dry-run ** \n\n\nUse the ` --dry-run ` option to check how it operates without sending any keys to a device. This is especially useful when you are modifying the configuration or during development. \n\nDry run will: \n\n * Not send any keys \n * Will continue instead of aborting if the ` KEYBOARD_DEVICE ` or ` HID_KEYBOARD ` is missing. \n \n** HID USB Mode ** \n\n\nTry this command in a shell on the NetHunter phone: ` /system/bin/setprop sys.usb.config hid `\n\n \n** Known Issues ** \n\n\n * This cannot detect when the correct PIN is guessed and the phone unlocks. \n * Your phones may run out of battery before the correct PIN is found. \n * Don't trust phone configuration files from unknown sources without reviewing them first. The configuration files are shell scripts and could include malicious commands. \n \n** Roadmap ** \n\n\n * [DONE] Works \n * [DONE] Detects USB HID failures \n * [DONE] Improve Usage and commandline options/config files \n * [DONE] Add bruteforce for n digit PINs \n * [DONE] Mask for known digits \n * [DONE] Crack PIN list in reverse (to find which recent PIN unlocked the device) \n * [DONE] Implement configurable lockscreen prompt \n * [DONE] Implement cooldown change after 10 attempts \n * [WORKING] Find/test more devices to bruteforce \n * Add progress bar \n * Add ETA \n * ASCII art \n * Nicer GUI for NetHunter \n * Implement for iPhone \n * Detect when a phone is unlocked (Use Nethunter camera as a sensor?) 
\n * Crack Android Patterns (try common patterns first) \n \n** Contributing ** \n\n\nPull requests are welcome. For major changes, please open an issue first to discuss what you would like to change. \n\nPlease make sure to update tests as appropriate. \n\n \n** Authors and acknowledgment ** \n\n\nDeveloped by Andrew Horton (@urbanadventurer). \n\nThe following people have been very helpful: \n\n * Vlad Filatov (@v1adf): Testing many phones for the Wiki Phone Database \n \n** Motivation ** \n\n\nMy original motivation to develop this was to unlock a Samsung S5 Android phone. It had belonged to someone who had passed away, and their family needed access to the data on it. As I didn't have a USB [ Rubber Ducky ](<https://www.kitploit.com/search/label/Rubber%20Ducky> \"Rubber Ducky\" ) or any other hardware handy, I tried using a variety of methods, and eventually realised I had to develop something new. \n\n \n** Credit ** \n\n\nThe optimised PIN list is from Justin Engler (@justinengler) & Paul Vines from Senior Security Engineer, iSEC Partners and was used in their Defcon talk, [ Electromechanical PIN Cracking with Robotic Reconfigurable Button Basher (and C3BO). ](<https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Engler> \"Electromechanical PIN Cracking with Robotic Reconfigurable Button Basher \\(and C3BO\\).\" ) . 
\n\n \n** Graphics ** \n\n\nDesigned by Andrew Horton and gratefully using these free vector packs: \n\n * [ USB Ports Isometric Free Vector by VisionHeldup ](<https://www.vecteezy.com/vector-art/159576-usb-ports-isometric-free-vector> \"USB Ports Isometric Free Vector by VisionHeldup\" )\n * [ HDMI and USB Vector Set by Mary Winkler ](<https://www.vecteezy.com/vector-art/107006-hdmi-and-usb-vector-set> \"HDMI and USB Vector Set by Mary Winkler\" )\n * [ Isometric Data Security Illustration by Rizal.Medanguide ](<https://www.vecteezy.com/vector-art/661831-isometric-data-security-illustration> \"Isometric Data Security Illustration by Rizal.Medanguide\" )\n * Kali NetHunter Logo \n \n** Comparison with other projects and methods to unlock a locked Android phone ** \n \n** What makes this project unique? ** \n\n\nI've been asked what makes this project unique when there are other open-source Android PIN cracking projects. \n\nAndroid-PIN-Bruteforce is unique because it cracks the PIN on Android phones from a NetHunter phone and it doesn't need the locked phone to be pre-hacked. \n\nIt works: \n\n * Without having to buy special hardware, such as a Rubber Ducky, Cellebrite, or XPIN Clip. \n * Without ADB or root access (the phone doesn't have to be pre-hacked). 
\nProject | ADB/USB Debugging | Requires root | Requires $ hardware | Commercial \n---|---|---|---|--- \n\u2b50 Android-PIN-Bruteforce | No | No | Nethunter phone | No \ngithub.com/PentesterES/AndroidPINCrack | Yes | Yes | No | No \ngithub.com/ByteRockstar1996/Cracking-Android-Pin-Lock | Yes | Yes | No | No \ngithub.com/sch3m4/androidpatternlock | Yes | Yes | No | No \ngithub.com/georgenicolaou/androidlockcracker | Yes | Yes | No | No \ngithub.com/MGF15/P-Decode | Yes | Yes | No | No \ngithub.com/BitesFor/ABL | Yes | Yes | No | No \ngithub.com/wuseman/WBRUTER | Yes | No | No | No \ngithub.com/Gh005t/Android-BruteForce | Yes | No | No | No \ngithub.com/mandatoryprogrammer/droidbrute | No | No | Rubber Ducky $ | No \ngithub.com/hak5darren/USB-Rubber-Ducky | No | No | Rubber Ducky $ | Yes \ngithub.com/bbrother/stm32f4androidbruteforce | No | No | STM32F4 dev board $ | No \nhdb-team.com/product/hdbox/ | No | No | HDBOX $$ | Yes \nxpinclip.com | No | No | XPINClip $$ | Yes \ncellebrite.com/en/ufed/ | No | No | Cellebrite UFED $$$ | Yes \n \nSome of these projects/products are really awesome but they achieve a different goal to Android-PIN-Bruteforce. \n\nIf a project requires a gestures.key or password.key, I've listed it as requiring root. If a project requires a custom bootloader, I've listed that as requiring both ADB and root. If you would like your project listed in this table then please open a new issue. There are links to each of these projects in the Related Projects & Further Reading section. \n \n** Regular phone users ** \n\n\n * Try the top 20 PINs from the [ DataGenetics PIN analysis ](<https://datagenetics.com/blog/september32012/index.html> \"DataGenetics PIN analysis\" ) that apparently unlocks 26.83% of phones. 
\n * Use an SMS lock-screen bypass app (requires app install before phone is locked) \n * Use Samsung Find My Mobile (requires you set it up before phone is locked) \n * Crash the Lock Screen UI (Android 5.0 and 5.1) \n * Use the Google Forgot pattern, Forgot PIN, or Forgot password (Android 4.4 KitKat and earlier) \n * Factory Reset (you lose all your data) \n \n** Users who have already replaced their Android ROM ** \n\n\nIf the phone has already been rooted, has USB debugging enabled, or has adb enabled. \n\n * Flash the ` Pattern Password Disable ` ZIP using a custom recovery (Requires TWRP, CMW, Xrec, etc.) \n * Delete ` /data/system/gesture.key ` or ` password.key ` (requires root and adb on locked device) \n * Crack ` /data/system/gesture.key ` and ` password.key ` (requires root and adb on locked device) \n * Update sqlite3 database ` settings.db ` (requires root and adb on locked device) \n \n** Forensic Investigators ** \n\n\nThese methods can be expensive and are usually only used by specialised phone forensic investigators. \n\nIn order of difficulty and expense: \n\n * Taking advantage of USB debugging being enabled (Oxygen Forensic Suite) \n * Bruteforce with keyboard emulation (\u2b50 Android-PIN-Bruteforce, RubberDucky attack, XPIN Clip, HDBox) \n * JTAG (Interface with TAPs (Test Access Ports) on the device board) \n * In-System Programming (ISP) (Involves directly connecting to pins on flash memory chips on the device board) \n * Chip Off (Desolder and remove flash memory chips from the device) \n * Clock Glitching / Voltage [ Fault Injection ](<https://www.kitploit.com/search/label/Fault%20Injection> \"Fault Injection\" ) (Hardware CPU timing attacks to bypass PIN restrictions) \n * Bootloader exploits (Zero-day exploits that attack the bootloader. GrayKey from Grayshift and Cellebrite) \n\nJTAG, ISP, and Chip Off techniques are less useful now because most devices are encrypted. 
I don't know of any practical attacks on phone PINs that use clock glitching, if you know of a product that uses this technique please let me know so I can include it. \n\n** Security Professionals and Technical Phone Users ** \n\n\nUse the USB HID Keyboard Bruteforce with some dedicated hardware. \n\n * A RubberDucky and Darren Kitchen's Hak5 brute-force script \n * Write a script for a USB Teensy \n * Buy expensive forensic hardware \n * Or you can use Android-PIN-Bruteforce with your NetHunter phone! \n\nAttempts to use Duck Hunter, an otherwise awesome project, to emulate a RubberDucky payload for Android PIN cracking did not work. It crashed the phone, probably because of the payload length. \n\n \n\n\n** Related Projects & Further Reading ** \n \n** USB HID Hardware without NetHunter ** \n\n\nhak5 12x17: Hack Any 4-digit Android PIN in 16 hours with a USB Rubber Ducky [ https://archive.org/details/hak5_12x17 ](<https://archive.org/details/hak5_12x17> \"https://archive.org/details/hak5_12x17\" )\n\nHak5: USB Rubber Ducky [ https://shop.hak5.org/products/usb-rubber-ducky-deluxe ](<https://shop.hak5.org/products/usb-rubber-ducky-deluxe> \"https://shop.hak5.org/products/usb-rubber-ducky-deluxe\" )\n\nUSB-Rubber-Ducky Payloads [ https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads ](<https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads> \"https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads\" )\n\nTeensy [ https://www.pjrc.com/teensy/ ](<https://www.pjrc.com/teensy/> \"https://www.pjrc.com/teensy/\" )\n\nBrute Forcing An Android Phone with a STM32F4Discovery Development Board [ https://github.com/bbrother/stm32f4androidbruteforce ](<https://github.com/bbrother/stm32f4androidbruteforce> \"https://github.com/bbrother/stm32f4androidbruteforce\" ) [ https://hackaday.com/2013/11/10/brute-forcing-an-android-phone/ ](<https://hackaday.com/2013/11/10/brute-forcing-an-android-phone/> 
\"https://hackaday.com/2013/11/10/brute-forcing-an-android-phone/\" )\n\nAutomated brute force attack against the Mac EFI PIN (Using a Teensy) [ https://orvtech.com/atacar-efi-pin-macbook-pro-en.html ](<https://orvtech.com/atacar-efi-pin-macbook-pro-en.html> \"https://orvtech.com/atacar-efi-pin-macbook-pro-en.html\" ) [ https://hackaday.io/project/2196-efi-bruteforcer ](<https://hackaday.io/project/2196-efi-bruteforcer> \"https://hackaday.io/project/2196-efi-bruteforcer\" )\n\nDroidbrute: An Android PIN cracking USB rubber ducky payload made efficient with a statistically generated wordlist. [ https://github.com/mandatoryprogrammer/droidbrute ](<https://github.com/mandatoryprogrammer/droidbrute> \"https://github.com/mandatoryprogrammer/droidbrute\" )\n\nDiscussion forum about the hak5 episode, and Android Brute Force 4-digit pin [ https://forums.hak5.org/topic/28165-payload-android-brute-force-4-digit-pin/ ](<https://forums.hak5.org/topic/28165-payload-android-brute-force-4-digit-pin/> \"https://forums.hak5.org/topic/28165-payload-android-brute-force-4-digit-pin/\" )\n\n \n** NetHunter HID keyboard attacks ** \n\n\nNetHunter HID Keyboard Attacks [ https://www.kali.org/docs/nethunter/nethunter-hid-attacks/ ](<https://www.kali.org/docs/nethunter/nethunter-hid-attacks/> \"https://www.kali.org/docs/nethunter/nethunter-hid-attacks/\" )\n\n \n** Linux Kernel HID support ** \n\n\nHuman Interface Devices (HID) [ https://www.kernel.org/doc/html/latest/hid/index.html# ](<https://www.kernel.org/doc/html/latest/hid/index.html#> \"https://www.kernel.org/doc/html/latest/hid/index.html#\" )\n\nLinux USB HID gadget driver and hid-keyboard program [ https://www.kernel.org/doc/html/latest/usb/gadget_hid.html ](<https://www.kernel.org/doc/html/latest/usb/gadget_hid.html> \"https://www.kernel.org/doc/html/latest/usb/gadget_hid.html\" ) [ https://github.com/aagallag/hid_gadget_test ](<https://github.com/aagallag/hid_gadget_test> \"https://github.com/aagallag/hid_gadget_test\" )\n\nThe 
usb-devices script [ https://github.com/gregkh/usbutils/blob/master/usb-devices ](<https://github.com/gregkh/usbutils/blob/master/usb-devices> \"https://github.com/gregkh/usbutils/blob/master/usb-devices\" )\n\n \n** Cracking Android PIN and Pattern files ** \n\n\nAndroidPINCrack - bruteforce the Android Passcode given the hash and salt (requires root on the phone) [ https://github.com/PentesterES/AndroidPINCrack ](<https://github.com/PentesterES/AndroidPINCrack> \"https://github.com/PentesterES/AndroidPINCrack\" )\n\nAndroid Pattern Lock Cracker - bruteforce the Android Pattern given an SHA1 hash (requires root on the phone) [ https://github.com/sch3m4/androidpatternlock ](<https://github.com/sch3m4/androidpatternlock> \"https://github.com/sch3m4/androidpatternlock\" )\n\n \n** General Recovery Methods ** \n\n\n[Android][Guide]Hacking And Bypassing Android Password/Pattern/Face/PI [ https://forum.xda-developers.com/showthread.php?t=2620456 ](<https://forum.xda-developers.com/showthread.php?t=2620456> \"https://forum.xda-developers.com/showthread.php?t=2620456\" )\n\nAndroid BruteForce using ADB & Shell Scripting [ https://github.com/Gh005t/Android-BruteForce ](<https://github.com/Gh005t/Android-BruteForce> \"https://github.com/Gh005t/Android-BruteForce\" )\n\n \n** Forensic Methods and Hardware ** \n\n\nPATCtech Digital Forensics: Getting Past the Android Passcode [ http://patc.com/online/a/Portals/965/Android%20Passcode.pdf ](<http://patc.com/online/a/Portals/965/Android%20Passcode.pdf> \"http://patc.com/online/a/Portals/965/Android%20Passcode.pdf\" )\n\nXPIN Clip [ https://xpinclip.com/ ](<https://xpinclip.com/> \"https://xpinclip.com/\" )\n\nHDBox from HDB Team [ https://hdb-team.com/product/hdbox/ ](<https://hdb-team.com/product/hdbox/> \"https://hdb-team.com/product/hdbox/\" )\n\nCellebrite UFED [ https://www.cellebrite.com/en/ufed/ ](<https://www.cellebrite.com/en/ufed/> \"https://www.cellebrite.com/en/ufed/\" )\n\nGrayKey from Grayshift [ 
https://www.grayshift.com/graykey/ ](<https://www.grayshift.com/graykey/> \"https://www.grayshift.com/graykey/\" )\n\n \n** PIN Analysis ** \n\n\nElectromechanical PIN Cracking with Robotic Reconfigurable Button Basher (and C3BO) [ https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Engler ](<https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Engler> \"https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Engler\" )\n\nDataGenetics PIN analysis [ https://datagenetics.com/blog/september32012/index.html ](<https://datagenetics.com/blog/september32012/index.html> \"https://datagenetics.com/blog/september32012/index.html\" )\n\n \n \n\n\n** [ Download Android-PIN-Bruteforce ](<https://github.com/urbanadventurer/Android-PIN-Bruteforce> \"Download Android-PIN-Bruteforce\" ) **\n", "edition": 1, "modified": "2021-04-17T12:30:00", "published": "2021-04-17T12:30:00", "id": "KITPLOIT:9135040515430489718", "href": "http://www.kitploit.com/2021/04/android-pin-bruteforce-unlock-android.html", "title": "Android-PIN-Bruteforce - Unlock An Android Phone (Or Device) By Bruteforcing The Lockscreen PIN", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}], "debian": [{"lastseen": "2021-04-17T22:21:04", "bulletinFamily": "unix", "cvelist": ["CVE-2019-16935", "CVE-2021-23336"], "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2628-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Anton Gladky\nApril 17, 2021 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : python2.7\nVersion : 2.7.13-2+deb9u5\nCVE ID : CVE-2019-16935 CVE-2021-23336\n\nTwo security issues have been discovered in python2.7:\n\nCVE-2019-16935\n\n The documentation XML-RPC server in Python 2.7 has XSS via the server_title\n field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in\n Lib/xmlrpc/server.py in Python 3.x. 
If set_server_title is called with\n untrusted input, arbitrary JavaScript can be delivered to clients that\n visit the http URL for this server.\n\nCVE-2021-23336\n\n Python 2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl\n and urllib.parse.parse_qs by using a vector called parameter cloaking. When\n the attacker can separate query parameters using a semicolon (;), they can\n cause a difference in the interpretation of the request between the proxy\n (running with default configuration) and the server. This can result in malicious\n requests being cached as completely safe ones, as the proxy would usually not\n see the semicolon as a separator, and therefore would not include it in a cache\n key of an unkeyed parameter.\n\n **Attention, API change!**\n Please be sure your software is working properly if it uses `urllib.parse.parse_qs`\n or `urllib.parse.parse_qsl`, `cgi.parse` or `cgi.parse_multipart`.\n\n Earlier Python versions allowed using both ``;`` and ``&`` as query parameter\n separators in `urllib.parse.parse_qs` and `urllib.parse.parse_qsl`.\n Due to security concerns, and to conform with\n newer W3C recommendations, this has been changed to allow only a single\n separator key, with ``&`` as the default. This change also affects\n `cgi.parse` and `cgi.parse_multipart` as they use the affected\n functions internally. 
For more details, please see their respective\n documentation.\n\n\nFor Debian 9 stretch, these problems have been fixed in version\n2.7.13-2+deb9u5.\n\nWe recommend that you upgrade your python2.7 packages.\n\nFor the detailed security status of python2.7 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/python2.7\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 1, "modified": "2021-04-17T19:51:59", "published": "2021-04-17T19:51:59", "id": "DEBIAN:DLA-2628-1:6F808", "href": "https://lists.debian.org/debian-lts-announce/2021/debian-lts-announce-202104/msg00015.html", "title": "[SECURITY] [DLA 2628-1] python2.7 security update", "type": "debian", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "thn": [{"lastseen": "2021-04-17T10:35:40", "bulletinFamily": "info", "cvelist": [], "description": "[](<https://thehackernews.com/images/-17TK1-n1rhQ/YHqt-8SQ9VI/AAAAAAAACSw/QdSD5lzza9gMoouhfDSmmLjCHVUCk-rpwCLcBGAsYHQ/s0/fin7-hacker.jpg>)\n\nA high-level manager and systems administrator associated with the [FIN7 threat actor](<https://thehackernews.com/2018/08/fin7-carbanak-cobalt-hackers.html>) has been sentenced to 10 years in prison, the U.S. Department of Justice announced Friday.\n\n**Fedir Hladyr**, a 35-year-old Ukrainian national, is said to have played a crucial role in a criminal scheme that compromised tens of millions of debit and credit cards, in addition to aggregating the stolen information, supervising other members of the group, and maintaining the server infrastructure that FIN7 used to attack and control victims' machines.\n\nThe development comes after Hladyr pleaded guilty to conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking in September 2019. He was arrested in Dresden, Germany, in 2018 and extradited to the U.S. 
city of Seattle. Hladyr has also been ordered to pay $2.5 million in restitution.\n\n[](<https://go.thn.li/1-728-5> \"password auditor\" )\n\n\"This criminal organization had more than 70 people organized into business units and teams. Some were hackers, others developed the malware installed on computers, and still others crafted the malicious emails that duped victims into infecting their company systems,\" [said](<https://www.justice.gov/usao-wdwa/pr/high-level-organizer-notorious-hacking-group-fin7-sentenced-ten-years-prison-scheme>) Acting U.S. Attorney Tessa A. Gorman. \n\n\"This defendant worked at the intersection of all these activities and thus bears heavy responsibility for billions in damage caused to companies and individual consumers.\"\n\nAlso called Anunak, [Carbanak Group](<https://thehackernews.com/2019/04/carbanak-malware-source-code.html>), and the Navigator Group, the malware campaign unleashed by [FIN7](<https://malpedia.caad.fkie.fraunhofer.de/actor/anunak>) is estimated to have caused overall damage of more than $3 billion to banks, merchants, card companies, and consumers.\n\nThe attacks involved targeting the restaurant, gaming, and hospitality industries by sending spear-phishing emails containing decoy documents with the goal of plundering customer payment card data, which were then used or sold for profit in online underground marketplaces at least since 2015.\n\n[](<https://go.thn.li/2-300-5> \"password auditor\" )\n\nIn the U.S. alone, FIN7 has been responsible for the theft of more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations. Besides the U.S., FIN7 attackers left their fingerprints in a string of orchestrated intrusions against retailers in the U.K., Australia, and France. 
Some of its high-profile victims included Chipotle Mexican Grill, Chili's, Arby's, Red Robin, and Jason's Deli.\n\nAt the sentencing hearing, Hladyr said he had \"ruined years of my life and put [his] family through great risk and struggle.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-04-17T09:44:52", "published": "2021-04-17T09:44:00", "id": "THN:447465AE69751A666B33EBC4370C6171", "href": "https://thehackernews.com/2021/04/sysadmin-of-billion-dollar-hacking.html", "type": "thn", "title": "SysAdmin of Billion-Dollar Hacking Group Gets 10-Year Sentence", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-17T10:35:40", "bulletinFamily": "info", "cvelist": [], "description": "[](<https://thehackernews.com/images/-BeN3SCrdvzE/YHql-w24ujI/AAAAAAAAA90/wFRAe_o7kPkEdBkqfXnzs3uIRv6hV6KEgCLcBGAsYHQ/s0/cyber.jpg>)\n\nPeople talk about the cybersecurity job market like it's a monolith, but there are a number of different roles within cybersecurity, depending not only on your skill level and experience but on what you like to do.\n\nIn fact, Cybercrime Magazine came up with a list of [50 cybersecurity job titles](<https://cybersecurityventures.com/50-cybersecurity-titles-that-every-job-seeker-should-know-about/>), while CyberSN, a recruiting organization, came up with its own list of [45 cybersecurity job categories](<https://www.cybersn.com/cybersecurity-job-categories>).\n\nSimilarly, OnGig.com, a company that helps firms write their job ads, analyzed 150 cybersecurity job titles and came up with its [own top 30 list](<https://blog.ongig.com/job-titles/cyber-security-job-titles/>). 
This article is based on research I did with Springboard, one of the [first cybersecurity bootcamps with a job guarantee](<https://www.springboard.com/courses/cyber-security-career-track/>) and 1:1 mentorship.\n\nIn particular, CyberSeek.org, a joint industry initiative looking at the cybersecurity job market, offers an [interactive list](<https://www.cyberseek.org/pathway.html>) of not only the various positions within cybersecurity but offers you a career path showing how you can get promoted.\n\nThe complicated part is that these titles and roles generally aren't standardized, plus they constantly change as the industry itself evolves. The National Institute for Science and Technology, in its [National Initiative for Cybersecurity Education workforce framework](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181r1.pdf>), does try to standardize positions using the notions of:\n\n * Tasks (the action the person performs)\n * Knowledge (the concepts the person has to know)\n * Skills (the capability of performing an action) \n\nOrganizations can use these concepts to create roles and teams to perform the tasks they need.\n\nSomething else to keep in mind[: Human resources departments may not understand the cybersecurity job market](<https://storage.googleapis.com/stateless-www-cyberbit-com-liv/2021/01/2020-Cyberbit-SOC-Skills-Survey-1-1.pdf>) or how to hire people in that field, according to the 2020 SOC Skills Survey from Cyberbit.\n\nThere are a few distinctions we have to draw here. Cybersecurity job roles are differentiated by the level of experience required, but also whether or not you're red-team (offensive) or blue-team (defensive). 
Offensive roles (like penetration testers) will typically require more experience as you build your understanding of the defensive practice.\n\nSo what are some of the most common cybersecurity job roles, and how are they different from each other?\n\nSome more entry-level positions, typically requiring a certification such as a CompTIA Security+, include:\n\n * **Cybersecurity Analyst: **The cybersecurity analyst is responsible for protecting both company networks and data. In addition to managing all ongoing security measures, the analyst is also responsible for responding to security breaches and protecting company hardware, such as employee computers.\n * **Security Engineer: **Security engineers are tasked with planning and executing a company's information security strategy and maintaining all security solutions. They can also be responsible for documenting the security posture of their company and any issues or measures taken under their watch. Security engineers [tend to be more defensive than their analyst peers](<https://security.stackexchange.com/questions/140959/difference-between-a-security-analyst-and-a-security-engineer#140966>). \n * **Security Consultant: **The security consultant is responsible for evaluating a company's security posture on a contract basis, while also serving as an advisor to other IT employees. The goal of the consultant is threat management, and they will often plan, test, and manage the initial iterations of a company's security protocols. Consultants tend to be outside of an organization, while cybersecurity analysts will be internal. \n\nMore mid-level roles and more offensive roles, typically requiring a certification such as a [Certified Ethical Hacker](<https://www.springboard.com/blog/cybersecurity-certifications/>), include\n\n * **Advanced Threat Analyst: **The advanced threat analyst will monitor computer networks with the goal of preventing unauthorized access to files and systems. 
They also provide reports to senior leadership involving the technical defense capabilities of the company.\n * **Information Security Assessor: **The information security assessor reviews and makes recommendations about the security posture of a company. They do this by interviewing IT employees, reviewing the security of the network, and testing for vulnerabilities. The assessor also reviews the security policies and procedures of the company.\n * **Penetration Tester: **The penetration tester is hired to hack the company's computer networks legally. Testers may also use social engineering tactics and attempt to gain information by pretending to be someone of trust verbally. If vulnerabilities are found, the penetration tester will make recommendations to heighten security.\n\nHigher-level positions, typically requiring a certification such as Certified Information Systems Security Professional (CISSP) and at least five years of experience, include:\n\n * **Information Security Analyst: **The [information security analyst](<https://www.springboard.com/blog/security-analyst-requirements-salaries/>) is responsible for protecting the company network and maintaining all defenses against an attack. The analyst may also implement the company's disaster recovery plan in the event of network outages. Incidentally, according to OnGig, this is the most-requested cybersecurity job description by employers.\n * **Information Security Manager: **The information security manager develops policies and procedures aimed at securing the company network. They oversee information security analysts while ensuring that the company complies with information security standards and norms. As a manager, they are responsible for hiring and training new information security analysts.\n\nFinally, there's the **Chief Information Security Officer**. 
This is a mid-level executive position, often reporting to the Chief Technical Officer, Chief Information Officer, Chief Financial Officer, or even the Chief Executive Officer, and oftentimes represents the end-goal of cybersecurity career paths.\n\nThe CISO is responsible for overseeing the company's overall security plan. They are ultimately responsible for network security breaches and work with other executives to ensure departments comply with security standards.\n\nAs you can see, there are many possible titles for cybersecurity jobs, and it's important to know the most common ones. At the same time, it's also important to pay attention to how a particular company defines the role, so you end up in the right job for you.\n\nIf you're looking to build your skill set towards building a career in cybersecurity and a way to get started, [Springboard's cybersecurity bootcamp](<https://www.springboard.com/courses/cyber-security-career-track/>) is one of the first to offer a job guarantee in cybersecurity along with 1:1 mentorship with an industry expert -- get a job or your money back. \n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-04-17T09:13:23", "published": "2021-04-17T09:13:00", "id": "THN:180EAC48874C2DFA9F3B6459B071A133", "href": "https://thehackernews.com/2021/04/what-are-different-roles-within.html", "type": "thn", "title": "What are the different roles within cybersecurity?", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2021-04-17T09:58:45", "description": "Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. 
These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (kernel memory exhaustion) or gain privileges via executing arbitrary code. AKA ZDI-CAN-13562.", "edition": 1, "cvss3": {}, "published": "2021-04-17T05:15:00", "title": "CVE-2021-3492", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-3492"], "modified": "2021-04-17T05:15:00", "cpe": [], "id": "CVE-2021-3492", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3492", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-04-17T09:58:45", "description": "The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.", "edition": 1, "cvss3": {}, "published": "2021-04-17T05:15:00", "title": "CVE-2021-3493", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-3493"], "modified": "2021-04-17T05:15:00", "cpe": [], "id": "CVE-2021-3493", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3493", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}], "nessus": [{"lastseen": "2021-04-18T06:48:26", "description": "The remote CentOS Linux 7 host has packages installed that are affected by a vulnerability as referenced in the\nCESA-2021:1145 advisory.\n\n - nettle: Out of bounds memory access in signature verification (CVE-2021-20305)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 1, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-04-17T00:00:00", "title": "CentOS 7 : 
nettle (CESA-2021:1145)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-20305"], "modified": "2021-04-17T00:00:00", "cpe": ["cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:nettle-devel", "p-cpe:/a:centos:centos:nettle"], "id": "CENTOS_RHSA-2021-1145.NASL", "href": "https://www.tenable.com/plugins/nessus/148745", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:1145 and\n# CentOS Errata and Security Advisory 2021:1145 respectively.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148745);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/04/17\");\n\n script_cve_id(\"CVE-2021-20305\");\n script_xref(name:\"RHSA\", value:\"2021:1145\");\n\n script_name(english:\"CentOS 7 : nettle (CESA-2021:1145)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 7 host has packages installed that are affected by a vulnerability as referenced in the\nCESA-2021:1145 advisory.\n\n - nettle: Out of bounds memory access in signature verification (CVE-2021-20305)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://lists.centos.org/pipermail/centos-announce/2021-April/048301.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ef6c4f35\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/327.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected nettle and / or nettle-devel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20305\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(327);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nettle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nettle-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? 
release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'CentOS 7.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\npkgs = [\n {'reference':'nettle-2.7.1-9.el7_9', 'sp':'9', 'cpu':'i686', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nettle-2.7.1-9.el7_9', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nettle-devel-2.7.1-9.el7_9', 'sp':'9', 'cpu':'i686', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nettle-devel-2.7.1-9.el7_9', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, 
reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nettle / nettle-devel');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "rst": [{"lastseen": "2021-04-16T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **3tsu[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **2**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-04-16T03:00:00.\n IOC tags: **spam**.\nDomain has DNS A records: 3[.]223.115.185 and CNAME records: HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com.\nWhois:\n Created: 2016-08-31 18:30:26, \n Registrar: TurnCommerce Inc DBA NameBrightcom, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:FBB7D586-02F5-3904-81A0-7F6F4ABE4B61", "href": "", "published": "2021-04-17T00:00:00", "title": "RST Threat feed. 
IOC: 3tsu.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-16T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **9dvn[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **2**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-04-16T03:00:00.\n IOC tags: **spam**.\nDomain has DNS A records: 3[.]223.115.185 and CNAME records: HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com.\nWhois:\n Created: 2017-06-29 18:53:26, \n Registrar: TurnCommerce Inc DBA NameBrightcom, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:07CD23F3-1DB3-36D8-AB42-C539C6EB3E6A", "href": "", "published": "2021-04-17T00:00:00", "title": "RST Threat feed. IOC: 9dvn.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-13T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **absorbent-spokes[.]000webhostapp.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **3**.\n First seen: 2020-02-17T03:00:00, Last seen: 2021-04-13T03:00:00.\n IOC tags: **malware**.\nDomain has DNS A records: 145[.]14.145.241 and CNAME records: us-east-1.route-1.000webhost.awex.io.\nWhois:\n Created: 2016-05-11 13:34:12, \n Registrar: Hostinger UAB, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-02-17T00:00:00", "id": "RST:1FF270C8-35A0-3E36-BA46-58D8C46148F7", "href": "", "published": "2021-04-17T00:00:00", "title": "RST Threat feed. 
IOC: absorbent-spokes.000webhostapp.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-16T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **abundantfinancial[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **2**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-04-16T03:00:00.\n IOC tags: **spam**.\nDomain has DNS A records: 3[.]223.115.185 and CNAME records: HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com.\nWhois:\n Created: 2013-10-09 18:22:23, \n Registrar: TurnCommerce Inc DBA NameBrightcom, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:6D92CACF-B9AB-3731-9B43-0DC7AE964825", "href": "", "published": "2021-04-17T00:00:00", "title": "RST Threat feed. IOC: abundantfinancial.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-16T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **accounts-dept-uk[.]nut.cc** in [RST Threat Feed](https://rstcloud.net/profeed) with score **2**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-04-16T03:00:00.\n IOC tags: **spam**.\nDomain has DNS A records: 18[.]233.211.15,34.233.0.77 and CNAME records: comingsoon.namebright.com,cdl-load-balancer-d355c01257186ce3.elb.us-east-1.amazonaws.com.\nWhois:\n Created: 2019-04-17 08:01:02, \n Registrar: unknown, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:C875B58D-5CC7-3261-983A-08E9E820B6F6", "href": "", "published": "2021-04-17T00:00:00", "title": "RST Threat feed. 
IOC: accounts-dept-uk.nut.cc", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-16T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **advertisedata[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **2**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-04-16T03:00:00.\n IOC tags: **spam**.\nDomain has DNS A records: 3[.]223.115.185 and CNAME records: HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com.\nWhois:\n Created: 2018-09-04 18:03:59, \n Registrar: TurnCommerce Inc DBA NameBrightcom, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:3F2EBA50-8653-3311-9194-A9E3FF227BFD", "href": "", "published": "2021-04-17T00:00:00", "title": "RST Threat feed. IOC: advertisedata.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-16T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **0nlinestore[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **2**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-04-16T03:00:00.\n IOC tags: **spam**.\nDomain has DNS A records: 3[.]223.115.185 and CNAME records: HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com.\nWhois:\n Created: 2018-09-07 18:47:11, \n Registrar: TurnCommerce Inc DBA NameBrightcom, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:43A18D3D-BEC1-35D3-BB1A-62727883E426", "href": "", "published": "2021-04-17T00:00:00", "title": "RST Threat feed. IOC: 0nlinestore.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-16T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **1-sec[.]tk** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2021-03-30T03:00:00, Last seen: 2021-04-16T03:00:00.\n IOC tags: **generic**.\nIOC could be a **False Positive** (Domain not resolved. 
Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-03-30T00:00:00", "id": "RST:1E49CE89-0BBC-3925-98D6-54B7136E15E4", "href": "", "published": "2021-04-17T00:00:00", "title": "RST Threat feed. IOC: 1-sec.tk", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-16T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **1[.]magnoec.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-10-04T03:00:00, Last seen: 2021-04-16T03:00:00.\n IOC tags: **malware**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-10-04T00:00:00", "id": "RST:164C598C-7936-3003-886C-CEF446073CFB", "href": "", "published": "2021-04-17T00:00:00", "title": "RST Threat feed. IOC: 1.magnoec.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-16T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **1-jp[.]jp** in [RST Threat Feed](https://rstcloud.net/profeed) with score **4**.\n First seen: 2020-07-17T03:00:00, Last seen: 2021-04-16T03:00:00.\n IOC tags: **spam**.\nDomain has DNS A records: 66[.]51.119.82\nWhois:\n Created: 2020-06-07 21:00:00, \n Registrar: unknown, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-07-17T00:00:00", "id": "RST:7A6ADB18-D387-3E9A-997C-F6E0F8E9E56A", "href": "", "published": "2021-04-17T00:00:00", "title": "RST Threat feed. IOC: 1-jp.jp", "type": "rst", "cvss": {}}]}