Category Archives: (D) Advanced Hacking

5 Ways to Protect Your Computer Against NetCut’s ARP Spoofing Attack

NetCut is a denial-of-service type of tool that runs on Windows and is capable of cutting off a person’s Internet connectivity when both machines are connected to the same local area network. The ARP protocol is used to translate IP addresses to MAC addresses, and NetCut exploits the weakness of the stateless ARP protocol, which has no authentication.

NetCut is very easy to use and can be used by anyone. Simply run the tool and it will detect all the devices connected to the same local area network. You can then select any target from the list, click the “Cut off” button, and within seconds the target will lose its Internet connection. The affected target will have no idea what has happened, even if he/she has a firewall program installed.


Because of the way NetCut works, no firewall is able to prevent or even detect the attack. In fact, setting up static ARP entries, as most other websites suggest, will not protect you against NetCut attacks, because NetCut directly attacks the gateway and not the user. Here is an investigation of how NetCut works and of the methods to protect against the DoS attack. As mentioned earlier, none of the firewall software such as ZoneAlarm, Comodo, Outpost, GlassWire, SpyShelter, Privatefirewall, etc. is able to detect a NetCut attack. However, you can use XArp, a freeware tool that can detect ARP spoofing. Once XArp is installed and running, you will be notified instantly when it detects an ARP spoofing attack, including an attack from NetCut. The screenshot below shows XArp running without any attacks. Take note of the MAC address 00-21-5d-41-16-5a circled in red, which is associated with the IP

xarp no arp attacks

When NetCut starts attacking the IP in an attempt to cut off the Internet connection, XArp immediately detects it and shows an alert popup with a few different messages. The most important message would be the one that reports that the MAC address for the IP has been changed from 00-21-5d-41-16-5a to 03-27-75-49-18-73.

xarp alert

If you launch the XArp program from the notification tray icon, you will see that the MAC address for the IP has been changed to 03-27-75-49-18-73 which is obviously wrong.

xarp arp attacks detected

This means that NetCut sends a spoofed packet to inform the gateway that the IP is associated with an incorrect MAC address. Since the IP is no longer mapped to the correct MAC address, the Internet connection breaks. A packet sniffer such as Wireshark also confirms that spoofed packets are sent to the gateway with a wrong MAC address mapped to the IP

wireshark netcut attack

When NetCut is actively attacking a target on the network, it continuously sends spoofed packets to the gateway so that the gateway never gets a chance to rebuild a correct dynamic ARP table. Here are 5 possible ways of protecting against NetCut attacks.
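As an added illustration of what XArp is reacting to (example code written for this page, not XArp’s or NetCut’s own), the following Python builds and parses the 28-byte ARP body and keeps a watch table that alerts whenever an IP starts claiming a different MAC. The MAC addresses are the two from the screenshots above; the IP addresses and the gateway MAC are constructed placeholders.

```python
import struct

# Constructed sample values: the two MAC addresses are the ones shown in the
# XArp screenshots (colon notation instead of Windows dashes); the IP addresses
# are TEST-NET-1 placeholders and the gateway MAC is a made-up locally
# administered address.
GATEWAY_IP = "192.0.2.1"
GATEWAY_MAC = "02:00:00:00:00:01"
VICTIM_IP = "192.0.2.10"
REAL_MAC = "00:21:5d:41:16:5a"
SPOOFED_MAC = "03:27:75:49:18:73"

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_to_bytes(ip):
    return bytes(int(part) for part in ip.split("."))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build the 28-byte Ethernet/IPv4 ARP body (RFC 826): hardware type,
    protocol type, address lengths, opcode, then sender and target addresses."""
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return (header + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
            + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))


def parse_arp(body):
    """Decode an ARP body into its fields; rejects anything that is not Ethernet/IPv4."""
    if len(body) < 28:
        raise ValueError("ARP body too short")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {
        "opcode": opcode,
        "sender_mac": fmt_mac(body[8:14]), "sender_ip": fmt_ip(body[14:18]),
        "target_mac": fmt_mac(body[18:24]), "target_ip": fmt_ip(body[24:28]),
    }


class ArpWatch:
    """Learn IP-to-MAC bindings from the sender fields of ARP traffic and raise
    an alert when a known IP suddenly claims a different MAC (what XArp reports)."""

    def __init__(self):
        self.table = {}    # ip -> MAC currently claimed for it
        self.changes = {}  # ip -> how many times the claimed MAC has flipped
        self.alerts = []

    def observe(self, body):
        arp = parse_arp(body)
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        previous = self.table.get(ip)
        self.table[ip] = mac
        if previous is None or previous == mac:
            return None  # first sighting, or consistent with what we knew
        self.changes[ip] = self.changes.get(ip, 0) + 1
        alert = (f"ALERT: MAC for {ip} changed from {previous} to {mac} "
                 f"(change #{self.changes[ip]}, opcode {arp['opcode']})")
        self.alerts.append(alert)
        return alert


def demo():
    """Replay the sequence from the screenshots: a genuine reply from the victim,
    the NetCut spoof aimed at the gateway, then the victim's re-announcement
    (what the 'Protect My Computer' option does), which flips the binding back."""
    watch = ArpWatch()
    frames = [
        build_arp(ARP_REPLY, REAL_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
        build_arp(ARP_REPLY, SPOOFED_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
        build_arp(ARP_REPLY, REAL_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    ]
    for frame in frames:
        watch.observe(frame)
    return watch


if __name__ == "__main__":
    for line in demo().alerts:
        print(line)
```

A rising change count for one IP is the signature of the attack-and-protect flood described under option 2 below, where the binding flips back and forth continuously.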

1. Static ARP Table in Router

Since NetCut sends spoofed packets to the router to corrupt its dynamic ARP table, you can solve this problem by setting up a static ARP table in the router. Static ARP entries protect everyone connected to the network. However, this is not really a solution for everyone: many basic home routers don’t support a static ARP table, and it doesn’t make sense to implement this on public WiFi. Doing this on a large corporate network also requires a lot of manpower to maintain the IP-to-MAC address mappings.

2. NetCut

Ironically, the NetCut program that is used to cut off a person’s Internet connection has an option to protect against the attack. Simply make sure that the “Protect My Computer” checkbox is ticked and this will ensure that your IP address is mapped to the correct MAC address.

netcut protect my computer

Basically, NetCut protects against its own attack by constantly sending packets to the gateway informing the router of the correct IP-to-MAC mapping. The router can easily be flooded with packets when NetCut is used both to attack and to protect.

Download NetCut

3. NetCut Defender

If you’re not comfortable in having an attack program such as NetCut installed and running on your computer due to legal concerns, the author of NetCut also created a protection program called NetCut Defender. Basically it does the same thing as the “Protect My Computer” option found in NetCut except without the ability to cut off a person’s connection.

netcut defender

Nowhere on the official NetCut Defender website does it mention that it costs $9.99; you will start getting nagging popups to purchase the program after a couple of hours of usage. We cannot confirm the details of the NetCut Defender trial, as we have not tested it extensively, but what we can confirm is that it does keep you safe against NetCut attacks.

Download NetCut Defender

4. Outpost Firewall Pro

When NetCut is launched, it automatically runs an ARP broadcast sweep to detect all connected devices on the network. For example, if the computer running NetCut is connected to a network gateway, it will perform an ARP sweep from to. Unlike ICMP ping, which can be easily blocked, ARP requests are normally answered and not blocked. When a device responds to the ARP request made by NetCut, the device is added to the list of targets that can be attacked. Outpost Firewall Pro has an option to block ARP scans.

outpost attack detection report

Go to Settings > Advanced settings > Attack Detection > click the Customize button > select “Block host when it enumerates other computers on LAN” and click OK to close the Attack Detection window followed by clicking OK to save the Settings.

block host when it enumerates other computers on lan

Enabling this option prevents your computer from being listed in NetCut, so the attacker will most likely attack another computer instead of yours. Outpost Firewall Pro is shareware that costs $29.95 for a 1-year subscription on a single license.

Download Outpost Firewall Pro

5. ESET Smart Security

ESET Smart Security is one of the few Internet security applications that can be configured to disallow responses to ARP requests. By doing this, NetCut won’t be able to find your computer during the ARP sweep it runs when the program is launched or when the “Refresh Net” button is clicked. To configure ESET Smart Security to block an ARP scan, open the program, go to Setup and click on Network. Click Advanced Personal firewall setup, located at the bottom.

eset advanced personal firewall setup

Expand Network > Personal firewall and select IDS and advanced options. Uncheck “Allow response to ARP requests from outside the Trusted zone” and click OK.

eset allow response to arp request from outside the trusted zone

For this setting to take effect, you need to select “Public network” as the protection mode of your computer in the network. Normally this option appears when you connect to a new network. To check the setting, at the Network protection setup, click on “Change the protection mode of your computer in the network”.

Select Public network option and click OK.

eset computer protection mode

The NetCut program won’t be able to find your computer on the network, thus keeping you safe from being attacked.

Hack Wi-Fi Network- Two Simple Working Methods and Their Fix


Before cracking a Wi-Fi network, you must be aware of the basic encryption techniques that protect it. These three methods of encryption are the major sources of vulnerability associated with wireless networks. The different types of wireless encryption security techniques are the following:

WEP: WEP (Wired Equivalent Privacy) can be cracked easily when configured appropriately. This method of encryption can be cracked within a few minutes.

WPA: WPA (Wi-Fi Protected Access) provides strong security. Even then, it is possible to crack it if the Wi-Fi password is short. However, wireless networks can be hacked easily using various tools.

WPA2: WPA2 (Wi-Fi Protected Access 2) also provides high security. You can hack this method of Wi-Fi encryption at the time of packet generation from Wi-Fi access points.


If you are interested in hacking Wi-Fi networks with high-security encryption, you need to arrange a few things that are required during the hacking process. After arranging all the essentials, you can hack a Wi-Fi network using the tools and techniques described below:


  1. Kali Linux OS (includes aircrack-ng suite and wifite tool)
  2. External Wi-Fi Adapter or Inbuilt Wi-Fi Device


  • You need an external Wi-Fi adapter to hack a Wi-Fi network. If you want to crack a password with less security, you can use the plug-and-play wireless USB adapter TP-LINK TL-WN722N, which is available at online e-commerce websites such as Flipkart and Amazon.
  • If you need better range with a good-quality wireless adapter, it is recommended to use the Alfa AWUSO36NH along with a better antenna.
  • If you want ultimate range, you can use the TP-LINK TL-ANT2424B 2.4GHz 24dBi Wi-Fi antenna.

METHOD 1: HACK Wi-Fi Network using Wifite

Wifite is a Linux-based tool available on various operating systems like Kali, BackTrack 5, BlackBuntu, BackBox and Pentoo. Wifite is used to attack multiple encrypted networks (WEP, WPA/2 and WPS) in a row and is designed to be automated with only a few arguments. Wifite is a wireless auditing tool that aims to be the “set it and forget it” method of hacking.

How to View Available Access Points?

  • As you are using a Linux operating system, first go to Applications.
  • Now go to Kali Linux > Wireless Attacks > 802.11 wireless tools > Wifite.

Hack Wifi network-kali Linux

  • If you are unable to find Wifite there, simply type ‘wifite’ in a terminal.
  • Here you can see the list of available Wi-Fi access points (you must be root).
  • Wait a few seconds for nearby Wi-Fi access points (WEP, WPA/WPA2) to appear.

Steps to Hack WEP Encryption based Wi-Fi Network

Hacking a Wi-Fi network that uses WEP encryption is relatively easy compared to other encryption methods. When using Wifite, follow the simple steps below:

  • Choose the appropriate target NUM (1, 2, 3, ..., n) to crack it.
  • Cracking a WEP key has a 100% chance of success; Wifite currently uses 5 attacks for WEP.
  • Make sure the attack completes within 10 minutes.
  • You need not worry if one WEP attack fails; the next one starts automatically for the following 10 minutes.
  • You can choose any attack. For instance, choose attack NUM 2.
  • Within a few minutes the WEP Wi-Fi network is cracked.

Hack WEP Wi-Fi password - Techniques to hack Wi-Fi Network

  • The WEP key is shown in the image above; it is the hexadecimal representation of the WEP password.
  • That WEP key can be used as the Wi-Fi password.
  • You can also convert the key into a human-readable password using an online hex-to-ASCII converter.

Steps to Hack WPA Encryption based Wi-Fi Network

Hacking a Wi-Fi network that uses WPA encryption is a little tougher than WEP, as it is a highly protected encryption method. It can still be hacked when the password has few characters; a short password takes less time to crack. To hack this type of Wi-Fi network you need to capture the handshake.

Handshake Capture:

A handshake is captured as a file when the router (Wi-Fi access point) and client(s) (laptop, mobile or other Wi-Fi enabled devices) communicate to authenticate each other. You may wonder what the purpose of this handshake file is. The main target is to hack the Wi-Fi network, i.e., the password. The handshake file contains the Wi-Fi password, but in encrypted form.


As the password is in encrypted form, other password combinations are tried against the encrypted password to recover the original. This process is known as brute forcing and is done offline. By brute forcing, the password in the handshake file can be recovered within a few minutes.

Dictionary File:

In the image below you can see a dictionary, which is a file containing known words from various sources that are commonly used as Wi-Fi passwords.

Hack Wi-Fi network- WPA Security Encryption

  • As soon as you start the WPA handshake capture, it displays the message “Client Found”.
  • It generates a command using the captured handshake (which contains the password), saved as TEST_C0-A0-BB-04-5C-A9.cap.
  • That command cracks the password against the dictionary file, which must be saved at /root/DICTIONARY/.
  • So far, two WPA attacks have been used and completed successfully.

Hack Wi-Fi Network-Password key found

  • Key Found [Password 1] in the image above displays the master key and transient key.

A password file usually contains words created from combinations of characters, numbers and special symbols. Cracking a password requires a lot of computational power if it is a strong password including numbers and other special characters. The WPA encryption above got cracked easily because of an easy password. If you are dealing with a strong password, it might take many more hours to crack.


METHOD 2: HACK Wi-Fi Network using Wifiphisher

Wifiphisher is a security tool that mounts fast, automated phishing attacks against WPA networks in order to obtain the secret passphrase of a particular Wi-Fi network. Unlike other hacking methods, Wifiphisher is a social engineering attack that does not involve brute forcing. It is a very easy way to obtain the WPA credentials of the users you wish to hack. Wifiphisher runs on Kali Linux and is licensed under the MIT license.

How does it work?

Wifiphisher is a tool used to hack a Wi-Fi network, and its attack proceeds in three phases:


  • The victim is deauthenticated from their access point.

Method two to hack wifi network using wifiphisher1

  • Wifiphisher continuously jams all of the target access point’s Wi-Fi clients within range by sending deauth packets to the clients from the access point.
  • It discovers all the networks available within range of the access point.

Method two to hack wifi network using wifiphisher2

  • The tool alters the access point of all the devices through the main server and broadcasts the address along with the deauth packets.
  • It starts generating fake access points by copying an access point from the set of access points shown below:

Method two to hack wifi network using wifiphisher3


  • In the second phase, the victim joins a rogue access point.
  • It asks for password authentication and, in the background, the tool tries to copy the credentials of the possible Wi-Fi networks.
  • Wifiphisher sniffs the area and copies the target access point’s settings.
  • The tool then creates a rogue wireless access point modelled on the target, sets up a NAT/DHCP server and forwards the right ports.
  • Consequently, because of the jamming, clients start connecting to the rogue access point. After this phase, the victim is MITMed (man-in-the-middled).

Method two to hack wifi network using wifiphisher4


  • The victim is served a realistic-looking router configuration page; Wifiphisher employs a minimal web server that responds to HTTP and HTTPS requests.
  • As soon as the victim requests a page from the Internet, Wifiphisher responds with a realistic fake page that asks for WPA password confirmation because of a supposed router firmware upgrade.

Method two to hack wifi network using wifiphisher5

Method two to hack wifi network using wifiphisher6

So far you have seen two techniques to hack Wi-Fi WEP and WPA/WPA2 security using Wifite and Wifiphisher. Using these two attacks, you can easily crack a Wi-Fi network.

How to Protect your Wi-Fi Network from getting Hacked?

From the techniques above, you can clearly see that hacking a Wi-Fi network is an easy process. Now it’s time to focus on tightening your Wi-Fi security; this article should have given you full awareness of Wi-Fi security and Wi-Fi network hacking. Follow these tips to enhance the security of your Wi-Fi network.

  1. As WEP is an easily hacked Wi-Fi security encryption method, it is recommended to change your Wi-Fi security from WEP to WPA/WPA2. WEP is now a deprecated security protection.
  2. Change the password of your Wi-Fi network periodically, so that if someone gets a chance to hack your Wi-Fi password, they will not be able to use your Internet for long.
  3. Disable WPS, as it has lots of vulnerabilities.

Dynamic Malware Analysis Tools

Dynamic Malware Analysis Risks

Please be aware that dynamic malware analysis can put your system and network at risk: you will be executing real malware to analyse its behaviour. We advise you to only execute malware on virtual machines or dedicated systems in isolated networks that are not connected to the Internet. We do not need an Internet connection on our malware analysis machine, since there are several tools available for simulating an Internet connection; we will be covering a few of these tools in this article. Even though we execute the malware in virtual machines, it is not guaranteed that the host or your network is perfectly safe, because malware developers always find surprising new ways to infect systems and to make malware analysis harder to perform.

Dynamic Malware Analysis Tools

As already mentioned, we’ll be looking at the following tools for dynamic malware analysis: Procmon, Process Explorer, Regshot, ApateDNS, Netcat, Wireshark and INetSim. For your convenience we will supply a download link for each tool. We will be updating this list along the way, so be sure to subscribe to our newsletter.


Dynamic Malware Analysis Tools procmon

Procmon, or Process Monitor, is a free tool developed by Windows Sysinternals and is used to monitor Windows filesystem, registry and process activity in real time. The tool is a combination of two legacy tools, FileMon and RegMon. Procmon adds some great features on top of FileMon and RegMon, like non-destructive filtering of data and boot-time logging. Non-destructive filtering means that all data is captured but only the filtered data is displayed to the user.

The latest version of Process Monitor is version 3.2 which can be downloaded here.

Process Explorer

Dynamic Malware Analysis Tools Process explorer

Process Explorer is also a free tool from Microsoft that should be running when performing dynamic malware analysis. Process Explorer is used to monitor the running processes and shows you which handles are open and which DLLs are loaded for each process.

The latest version of Process Explorer can be downloaded here.


Dynamic Malware Analysis Tools Regshot

Regshot is a great open-source utility for monitoring your registry for changes: it takes a snapshot that can be compared to the current state of your registry. This lets you see the changes made to the registry after the malware has been executed on your system.

The latest version of Regshot is available for download here.


Dynamic Malware Analysis Tools Apatedns

Another great tool for performing dynamic malware analysis is ApateDNS. ApateDNS is a tool for controlling DNS responses and acts as a DNS server on your local system, listening on UDP port 53. ApateDNS answers the DNS requests generated by the malware with spoofed responses pointing to an IP address you specify. The domains the malware resolves are often found by static malware analysis, for example by examining the resources section, or by using sandboxes. ApateDNS is also capable of revealing multiple domains using its NXDOMAIN parameter, since malware often tries several hosts until one resolves.

ApateDNS is available from FireEye and can be downloaded using the following link: ApateDNS.


Dynamic Malware Analysis Tools Netcat

Netcat, ncat or simply nc is a tool used to read from and write to network connections using TCP and UDP. Netcat is also called the Swiss Army Knife because of the many features it offers, like port scanning, port forwarding, tunnelling, proxying and a lot more. Netcat is a great tool for dynamic malware analysis because it can make almost any network connection a malware analyst might need. Netcat can make inbound and outbound connections on any port, in client mode for connecting and in server mode for listening.

A lot of malware communicates over port 80 (HTTP) and 443 (HTTPS), because on most systems these ports are not blocked by a firewall. When performing dynamic malware analysis we can use ApateDNS to redirect a DNS request made by the malware to a host running Netcat in server mode, listening on the specified IP address and port. This way we can monitor the requests made by the malware, using ApateDNS to redirect them and Netcat to observe them. In the dynamic malware analysis tutorials we will be covering the use of ApateDNS and Netcat in more detail.
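To make the ApateDNS plus Netcat workflow concrete, here is an added Python stand-in for the DNS side (example code written for this article, not ApateDNS’s own): it parses a query, answers every A-record request with a sink IP, and can reply NXDOMAIN to the first few queries so a sample walks through its fallback domains. The sink IP and the query names are constructed placeholders.

```python
import socket
import struct

# Constructed values for this example: the sink is where a Netcat listener
# (nc -l -p 80) would sit on the isolated analysis network; the query names
# used in demo() are made-up stand-ins for whatever a sample looks up.
SINK_IP = "192.0.2.50"


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def build_query(name, tx_id=0x1234):
    """Build a standard recursive A query (used only to create sample input offline)."""
    header = struct.pack("!HHHHHH", tx_id, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_question(msg):
    """Return (tx_id, name, qtype, qclass, raw_question) for a single-question query."""
    tx_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    off, labels = 12, []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return tx_id, ".".join(labels), qtype, qclass, msg[12:off + 4]


class FakeResolver:
    """Answer every IN A query with the sink address; optionally return NXDOMAIN
    for the first `nxdomain_first` queries so the sample reveals its next domains."""

    def __init__(self, sink_ip=SINK_IP, nxdomain_first=0, ttl=60):
        self.sink = ip_to_bytes(sink_ip)
        self.nx_left = nxdomain_first
        self.ttl = ttl
        self.seen = []  # every name the sample asked for, in order

    def respond(self, query):
        tx_id, name, qtype, qclass, question = parse_question(query)
        self.seen.append(name)
        if self.nx_left > 0:
            self.nx_left -= 1
            # QR=1 RD=1 RA=1 RCODE=3 (NXDOMAIN): no answer, sample moves on
            return struct.pack("!HHHHHH", tx_id, 0x8183, 1, 0, 0, 0) + question
        if qtype != 1 or qclass != 1:
            # Not an IN A query: NOERROR with no records
            return struct.pack("!HHHHHH", tx_id, 0x8180, 1, 0, 0, 0) + question
        # One answer RR: pointer to the question name at offset 12, A/IN, TTL, 4-byte rdata
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, self.ttl, 4) + self.sink
        return struct.pack("!HHHHHH", tx_id, 0x8180, 1, 1, 0, 0) + question + answer


def response_id(msg):
    return struct.unpack("!H", msg[:2])[0]


def response_rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def response_ip(msg):
    """Dotted IP from the single A answer this resolver emits, or None if no answer."""
    ancount = struct.unpack("!H", msg[6:8])[0]
    return ".".join(str(b) for b in msg[-4:]) if ancount else None


def serve(resolver, bind_ip="0.0.0.0", port=53):
    """Run the resolver on UDP/53 of the analysis VM (needs privileges; not called on import)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, peer = sock.recvfrom(512)
            try:
                sock.sendto(resolver.respond(data), peer)
            except ValueError:
                continue  # malformed or multi-question query: ignore


def demo():
    """Walk a sample through two fallback names: first NXDOMAIN, then sinkholed."""
    r = FakeResolver(nxdomain_first=1)
    first = r.respond(build_query("c2-primary.invalid", 0x1111))
    second = r.respond(build_query("c2-backup.invalid", 0x2222))
    return (r.seen, response_rcode(first), response_ip(first),
            response_rcode(second), response_ip(second))
```

Everything the sample asked for ends up in `seen`, which is the list of indicators you would otherwise have to dig out of the binary statically.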

Netcat can be downloaded from the Nmap website here and is also included in Kali Linux.


Dynamic Malware Analysis Tools Wireshark

Wireshark is one of the best network protocol analysers available, if not the best. If you didn’t know Wireshark, you probably wouldn’t be reading this article about dynamic malware analysis. Wireshark is used to analyse a network in the greatest detail, to see what is currently happening and to capture packets to files. Wireshark supports live packet capture, deep inspection of hundreds of protocols, browsing and filtering of packets, and is multiplatform. When performing dynamic malware analysis, Wireshark can be used to inspect packets and log network traffic to files.

Wireshark is included with Kali Linux but also available for Windows and Mac. Wireshark can be downloaded here.


Dynamic Malware Analysis Tools InetSim

INetSim is a Linux-based tool built for malware analysis to simulate the most common Internet services like HTTP, HTTPS, DNS, FTP and many more. When performing dynamic malware analysis on a Windows machine, you can run INetSim on a virtual machine in the same network as your malware analysis machine. INetSim fakes the common Internet services which malware might use and answers the requests accordingly. For example, when malware requests a file, INetSim will return a file. When malware scans a web server, INetSim will return a Microsoft IIS web server banner in order to keep the malware running. INetSim also logs all incoming connections, so you can analyse which services the malware uses and what requests it makes. INetSim is highly configurable: when a piece of malware uses a non-standard port for a service, you can change the listener port of that service in INetSim. We will be covering INetSim in more detail in the malware analysis tutorials in a little while.

Websploit Wifi Jammer

Now we will be exploring the Websploit Wifi Jammer module, which we’ve edited to work with the latest version of Kali Linux. The Websploit Wifi Jammer module automatically disconnects every client connected to the targeted wireless network and access point, and also prevents new and disconnected clients from connecting to the WiFi network. The module has been edited to work with Kali 2.0 and the new monitoring interface names (wlan0mon, wlan1mon etc.). For your convenience we’ve also set wlan0mon as the default interface. The edited Websploit Wifi Jammer module script can be downloaded using the following link:

Wifi Jammer Python File



Replace the script in the following directory in Kali Linux:


Websploit Directory Scanner

Let’s open a terminal and start Websploit with the following command:


Websploit start

Use the following command to view the list of available Websploit modules:

show modules

Websploit Modules

Module web/dir_scanner scans the target for common web directories. Use the following command to set web/dir_scanner:

use web/dir_scanner

Use the following command to show available options for the used module:

show options

Websploit show options

Use the following command to set the target:

set target [url]

And the following command to set the verbosity level:

set verbosity 1

Verbosity 0 = Show found directories (302 found and 200) only
Verbosity 1 = Show all

Now type run to run the module against the selected target:


Websploit run directory scanner

Adding custom directories to Websploit Directory Scanner

Open the following file:


Add your directories to the following lines:

websploit directory Scanner custom dirs

Make sure you use this format: ‘/wp-admin/’,


How to Make Your Internet Faster with Privacy-Focused DNS Service

Cloudflare, a leading Internet security and performance company, announced the launch of the fastest and most privacy-focused secure DNS service, which not only speeds up your Internet connection but also makes it harder for ISPs to track your web history.

The domain name system (DNS), or the recursive DNS server, is an essential part of the Internet that maps human-readable web addresses to their actual “location on the Internet”, called IP addresses.

For example, when you try to open a website, your DNS resolver looks for the IP address linked to that domain name and then loads the site.

Since the default DNS services provided by ISPs are often slow and insecure, many people rely on alternative DNS providers, such as OpenDNS, Google and Comodo DNS, to accelerate their Internet.

But if you use Cloudflare’s new DNS service, your tablet, smartphone or computer will begin to resolve domain names at an incredibly fast rate of 14.8 milliseconds, more than 28 percent faster than others like Google (34.7 ms) and OpenDNS (20.6 ms).

Even if you visit websites over HTTPS, DNS operators log every site you visit, which makes your ISP or third-party DNS service aware of everything you do on the Internet.

“That means by default, your ISP, every Wi-Fi network you’ve connected to, and your mobile network provider has a list of each site you’ve visited while using them,” the company says.

However, Cloudflare has changed this game with its new free DNS service, which it claims will be “the fastest and most private Internet service for consumers on the Internet” and promises to prevent ISPs from easily following your web browsing history.

Cloudflare’s public DNS resolvers (a primary address and an alternative DNS server for redundancy) support DNS over TLS and DNS over HTTPS to guarantee maximum privacy.

The company has also promised not to sell user data and to erase all DNS query records within 24 hours. It is also working with KPMG auditors to examine its systems and ensure that it does not actually collect user data.

How to change DNS settings to increase Internet speed

For Mac:
  • Open System Preferences.
  • Search for DNS Servers and select it.
  • Click the (+) button to add a DNS server and enter the Cloudflare DNS address and its alternative (for redundancy).
  • Click OK and then Apply.
For Windows computers:
  • Click Start and then click Control Panel.
  • Click Network and Internet, and then click Change adapter settings.
  • Right-click the Wi-Fi network to which you are connected, then click Properties.
  • Select Internet Protocol Version 4 and click Properties, then note any existing DNS server entries for future reference.
  • Now select “Use the following DNS server addresses” and replace those addresses with the Cloudflare DNS addresses: the IPv4 pair, and for IPv6 2606:4700:4700::1111 and 2606:4700:4700::1001.
  • Click OK, then Close, and restart your browser.
For Android devices:
  • Connect to your preferred Wi-Fi network.
  • Enter the IP address of your router in your browser. Fill in your username and password, if requested.
  • On the configuration page of your router, locate the DNS server configuration and note the existing DNS server entries for future reference.
  • Replace these addresses with the Cloudflare DNS addresses: the IPv4 pair, and for IPv6 2606:4700:4700::1111 and 2606:4700:4700::1001.
  • Save your configuration, then restart your browser.

Note: Android requires a static IP to use custom DNS servers. This requires additional configuration in your router, which affects how your network adds new devices. Cloudflare recommends configuring the DNS of your router instead, which gives all the devices in your network the speed and privacy advantages of its DNS.

For iOS devices (iPad/iPhone):
  • From the home screen of your iPhone, open Settings.
  • Open Wi-Fi and then your preferred network in the list.
  • Tap Configure DNS and then tap Manual.
  • If there are existing entries, tap the – and Delete button next to each one.
  • Now add the Cloudflare DNS address and its alternative (for redundancy) to the DNS addresses.
  • Now tap the Save button in the upper right corner.

Everything is ready! Your device now uses faster and more private DNS servers.

Well, I have already switched to the Cloudflare DNS service. If you have too, please tell me about your experience in the comments below.

Pros and cons of using a VPN

The benefit of using a secure VPN is it ensures the appropriate level of security to the connected systems when the underlying network infrastructure alone cannot provide it. The justification for using VPN access instead of a private network usually boils down to cost and feasibility: It is either not feasible to have a private network — e.g., for a traveling sales rep — or it is too costly to do so.

VPN performance can be affected by a variety of factors, among them the speed of users’ internet connections, the types of protocols an internet service provider may use and the type of encryption the VPN uses. Performance can also be affected by poor quality of service and conditions that are outside the control of IT.


VPN protocols

There are several different protocols used to secure and encrypt user and corporate data:

IP security (IPsec)
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Point-To-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)


The most common types of VPNs are remote-access VPNs and site-to-site VPNs.

Remote-access VPN

A remote-access VPN uses a public telecommunication infrastructure like the internet to provide remote users secure access to their organization’s network. This is especially important when employees are using a public Wi-Fi hotspot or other avenues to use the internet and connect into their corporate network. A VPN client on the remote user’s computer or mobile device connects to a VPN gateway on the organization’s network. The gateway typically requires the device to authenticate its identity. Then, it creates a network link back to the device that allows it to reach internal network resources — e.g., file servers, printers and intranets — as though it was on that network locally.

A remote-access VPN usually relies on either IPsec or Secure Sockets Layer (SSL) to secure the connection, although SSL VPNs are often focused on supplying secure access to a single application, rather than to the entire internal network. Some VPNs provide Layer 2 access to the target network; these require a tunneling protocol like PPTP or L2TP running across the base IPsec connection.

VPN design, What is VPN

Site-to-site VPN

A site-to-site VPN uses a gateway device to connect the entire network in one location to the network in another — usually a small branch connecting to a data center. End-node devices in the remote location do not need VPN clients because the gateway handles the connection. Most site-to-site VPNs connecting over the internet use IPsec. It is also common to use carrier MPLS clouds, rather than the public internet, as the transport for site-to-site VPNs. Here, too, it is possible to have either Layer 3 connectivity (MPLS IP VPN) or Layer 2 (Virtual Private LAN Service, or VPLS) running across the base transport.



WAFNinja – Web Application Firewall Attack Tool – WAF Bypass

WAFNinja is a Python-based Web Application Firewall Attack Tool designed to help penetration testers execute WAF bypass by automating the steps necessary to bypass input validation.



The tool was created with the objective to be easily extendible, simple to use and usable in a team environment.

What can WAFNinja Web Application Firewall Attack Tool Do?

Many payloads and fuzzing strings, stored in a local database file, come shipped with the tool.

WAFNinja supports:

  • HTTP connections
  • GET requests
  • POST requests
  • Using Cookies (for pages behind auth)
  • Intercepting proxy

Using WAFNinja for WAF Bypass

Examples of Web Application Firewall Attacks
You can download WAFNinja here:

Or read more here.

How to Identify Network Vulnerabilities with NetworkRecon.ps1

Initially, I attempted to build a tool that would collect and analyze traffic, presenting output similar to that produced by PowerUp.ps1’s Invoke-AllChecks, as seen below. PowerUp is used to provide very concise feedback indicating where an operating system’s configuration might allow privilege escalation. The intent for this script was to do the same for network protocol abuse.

In investigating the available options, I found that the facilities for packet capture and analysis available from PowerShell (particularly on Windows 7 and older operating systems) were not optimal for creating this output in all cases.

Fortunately, I was already familiar with Invoke-Inveigh written by Kevin Robertson and included in several other exploitation frameworks. After running into issues with the collect and analyze workflow, I adopted the packet sniffing capabilities observed in this and other tools as an alternative.

The script includes three functions: Invoke-NeighborAnalysis, Invoke-TraceCollect and Invoke-LiveAnalysis. These functions provide different detective capabilities to identify the CDP, DTP, VTP, LLDP, mDNS, NBNS, LLMNR, HSRP, OSPF and VRRP protocols, which may be used for information gathering or may indicate vulnerability to attack. In addition, the script analyzes DHCP responses looking for options that indicate network boot is supported.


Invoke-NeighborAnalysis attempts to detect the presence of the protocols listed above at layer 2 of the OSI model. This function uses the output from either “arp -a” or Get-NetNeighbor, depending on the PowerShell version available. The output is analyzed looking for the corresponding multicast layer 2 and layer 3 addresses, whose presence indicates that a protocol is likely in use and visible from the end host. The packet sniffer uses a raw socket and doesn’t collect Ethernet frames. As a result, this is the only way that CDP, DTP, VTP, and LLDP can be detected at present. I did some research on collecting Ethernet frames using PowerShell but came up empty-handed. Output from Invoke-NeighborCacheAnalysis can be seen below.
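As an added illustration of the neighbor-cache check described above (this is not NetworkRecon.ps1’s own code, and it is written in Python rather than PowerShell so it runs on any platform), the script below parses constructed Windows-style “arp -a” output, derives the RFC 1112 multicast MAC address for each IPv4 group address it recognises, and reports which protocols the cache suggests are present. The group-to-protocol tables and the sample output are assumptions constructed for the example; the cross-check between the group address and the MAC recorded for it is an addition the text does not describe.

```python
"""Flag link-local protocols of interest from an ARP / neighbor-cache dump.

Constructed example, not NetworkRecon.ps1 itself: parses Windows-style
"arp -a" rows, derives the expected IPv4 multicast MAC for each well-known
group address and reports the protocols the cache suggests are in use.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Well-known IPv4 multicast groups -> protocol (layer 3 indicators).
IPV4_GROUPS = {
    "224.0.0.2": "HSRPv1",
    "224.0.0.102": "HSRPv2",
    "224.0.0.5": "OSPF (AllSPFRouters)",
    "224.0.0.6": "OSPF (AllDRouters)",
    "224.0.0.18": "VRRP",
    "224.0.0.251": "mDNS",
    "224.0.0.252": "LLMNR",
}

# Well-known layer 2 multicast destinations that carry no IP address at all.
L2_GROUPS = {
    "01:00:0c:cc:cc:cc": "CDP/VTP/DTP (Cisco)",
    "01:80:c2:00:00:0e": "LLDP",
}

# One "arp -a" row: "  224.0.0.251           01-00-5e-00-00-fb     static"
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)

# Constructed sample output; the 224.0.0.2 row deliberately carries the wrong MAC.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  224.0.0.5             01-00-5e-00-00-05     static
  224.0.0.18            01-00-5e-00-00-12     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  224.0.0.2             01-00-5e-00-00-03     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""


@dataclass
class Finding:
    protocol: str
    address: str
    mac: str
    note: str


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so Windows and Unix spellings compare equal."""
    return mac.lower().replace("-", ":")


def ipv4_multicast_mac(group: str) -> str:
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group address.

    Only 23 of the 28 significant group bits survive, so 32 groups share one MAC.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def classify_l2_destination(mac: str) -> Optional[str]:
    """Name the protocol behind a pure layer 2 multicast destination, if known."""
    return L2_GROUPS.get(normalize_mac(mac))


def analyze_neighbor_cache(text: str) -> List[Finding]:
    """Walk the cache rows and report recognised groups, checking the MAC mapping."""
    findings: List[Finding] = []
    for line in text.splitlines():
        match = ARP_ROW.match(line)
        if not match:
            continue  # interface banners and column headers
        ip, mac, _entry_type = match.groups()
        protocol = IPV4_GROUPS.get(ip)
        if protocol is None:
            continue  # e.g. 224.0.0.22 (IGMP) or 239.255.255.250 (SSDP)
        mac = normalize_mac(mac)
        expected = ipv4_multicast_mac(ip)
        note = "ok" if mac == expected else f"MAC does not match RFC 1112 mapping (expected {expected})"
        findings.append(Finding(protocol, ip, mac, note))
    return findings


if __name__ == "__main__":
    for f in analyze_neighbor_cache(SAMPLE_ARP_OUTPUT):
        print(f"{f.protocol:22} {f.address:16} {f.mac}  {f.note}")
```

One caveat when reading the results: Windows adds static neighbor entries for multicast groups the local host has itself joined, so 224.0.0.251 and 224.0.0.252 appearing in the cache is evidence that mDNS and LLMNR are enabled on the host doing the check, not proof that another device on the segment is answering them.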


Invoke-TraceCollect does exactly what it sounds like. It simply records network traffic in a trace file for a user-specified period (default is 5 minutes) so the user can move the traffic off and analyze it with another tool. This function will output either a “.cap” file or a “.etl” file depending on the operating system features. Windows 8.1 and newer support the Protocol Engineering Framework (PEF) PowerShell cmdlets by default. This framework allows one to directly save a network trace in packet capture format. Older versions of Windows support the Event Trace Log (ETL) format, which records packets in an XML and binary format. ETL format can be converted to packet capture as well; however, Microsoft Message Analyzer (an additional Microsoft software package) is used to do so. The output from this function simply indicates which format is being used and where the trace file is being written. To run this function, you must have administrator permissions on the target computer.


Invoke-LiveAnalysis uses a raw IP socket to pick traffic up off the wire and perform analysis. This method uses the layer 3 multicast addresses and well-known ports to identify the presence of protocols of interest. The user is notified when mDNS, NBNS, LLMNR, HSRP, OSPF, or VRRP packets are observed. Notifications include details parsed from observed traffic such as the authentication method, passwords or hashes used, and hostnames for which queries are observed. Output from several of the protocols above can be seen in the screen captures below.
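The classification step Invoke-LiveAnalysis is described as performing, reconstructed as an added Python example (not the script’s own code): a raw IP socket delivers IPv4 packets without an Ethernet header, so the classifier has only the IP destination, the IP protocol number and, for UDP, the destination port to work with. The port table, the expected multicast groups and the sample packets are constructed for the example; the HSRPv1 field layout follows RFC 2281, and the IP checksum in the constructed packets is left at zero because the classifier never validates it.

```python
"""Classify IPv4 packets read from a raw socket by destination and port.

Added example, not NetworkRecon.ps1's own code. Mirrors the text: with no
Ethernet header available, protocols of interest are recognised from the IP
destination, the IP protocol number and the UDP destination port.
"""
import struct
from typing import Dict, List, Optional, Tuple

PROTO_UDP, PROTO_OSPF, PROTO_VRRP = 17, 89, 112

# UDP destination port -> (protocol, multicast groups it is expected to use).
# NBNS uses broadcast rather than a fixed group, hence None.
UDP_PROTOCOLS = {
    137: ("NBNS", None),
    1985: ("HSRP", {"224.0.0.2", "224.0.0.102"}),
    5353: ("mDNS", {"224.0.0.251"}),
    5355: ("LLMNR", {"224.0.0.252"}),
}


def parse_ipv4(packet: bytes) -> Optional[Tuple[int, str, str, bytes]]:
    """Return (protocol, src, dst, payload), or None for a malformed IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return packet[9], src, dst, packet[ihl:]


def describe_hsrp_v1(data: bytes) -> Dict[str, object]:
    """Extract the review-relevant fields of an HSRPv1 packet (RFC 2281 layout)."""
    if len(data) < 20 or data[0] != 0:  # version byte must be 0 for HSRPv1
        return {"detail": "not HSRPv1"}
    auth = data[8:16].rstrip(b"\x00")  # 8-byte plaintext authentication field
    return {
        "group": data[6],
        "priority": data[5],
        "state": data[2],  # 16 = Active, 8 = Standby
        "auth": "default plaintext ('cisco')" if auth == b"cisco" else "plaintext",
        "virtual_ip": ".".join(str(b) for b in data[16:20]),
    }


def classify(packet: bytes) -> Optional[Dict[str, object]]:
    """Return a finding for a packet of interest, or None for everything else."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return None
    proto, src, dst, payload = parsed
    if proto == PROTO_OSPF and dst in ("224.0.0.5", "224.0.0.6"):
        return {"protocol": "OSPF", "src": src, "dst": dst}
    if proto == PROTO_VRRP and dst == "224.0.0.18":
        return {"protocol": "VRRP", "src": src, "dst": dst}
    if proto == PROTO_UDP and len(payload) >= 8:
        dport = struct.unpack("!HH", payload[:4])[1]
        entry = UDP_PROTOCOLS.get(dport)
        if entry is None:
            return None
        name, groups = entry
        finding: Dict[str, object] = {
            "protocol": name, "src": src, "dst": dst,
            # A known port sent to an unexpected destination is worth a second look.
            "expected_group": groups is None or dst in groups,
        }
        if name == "HSRP":
            finding.update(describe_hsrp_v1(payload[8:]))
        return finding
    return None


def analyze(packets: List[bytes]) -> List[Dict[str, object]]:
    return [f for f in (classify(p) for p in packets) if f is not None]


# --- constructed sample traffic (not captured data) -------------------------
def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header: IHL 5, TTL 1, checksum left zero, then the payload."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 1,
                         proto, 0, to_bytes(src), to_bytes(dst))
    return header + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# HSRPv1 hello: version 0, opcode 0 (Hello), state 16 (Active), hello 3s,
# hold 10s, priority 100, group 1, default auth, virtual IP 192.168.1.254.
HSRP_HELLO = bytes([0, 0, 16, 3, 10, 100, 1, 0]) + b"cisco\x00\x00\x00" + bytes([192, 168, 1, 254])
SAMPLE_PACKETS = [
    build_ipv4(PROTO_UDP, "192.168.1.1", "224.0.0.2", build_udp(1985, 1985, HSRP_HELLO)),
    build_ipv4(PROTO_OSPF, "192.168.1.2", "224.0.0.5", b"\x02\x01" + b"\x00" * 22),
    build_ipv4(PROTO_UDP, "192.168.1.23", "224.0.0.252", build_udp(50000, 5355, b"\x00" * 12)),
    build_ipv4(PROTO_UDP, "192.168.1.23", "8.8.8.8", build_udp(50001, 53, b"\x00" * 12)),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_PACKETS):
        print(finding)
```

The HSRP branch is where the “authentication method” detail in the text comes from: HSRPv1 carries an eight-byte plaintext authentication field, so a hello using the well-known default is reported as a weak-configuration finding rather than echoed back verbatim.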

The protocols listed above were selected due to the presence of attacks and tools available for each. Protocols and their related vulnerabilities are identified below.

  • CDP and LLDP may expose information valuable to an attacker such as Layer 2 device names and firmware revisions.
  • DTP and VTP may allow an attacker to access protected areas of the network through VLAN hopping attacks.
  • mDNS, NBNS, and LLMNR may allow an attacker to send poisoned responses to multicast name resolution requests. These attacks, executed by tools like Invoke-Inveigh and Responder, can result in credential compromise or direct exploitation by directing requesting hosts to an attacker-controlled computer.
  • HSRP and VRRP may allow an attacker to become a Man-in-the-Middle (MitM) by electing an attacking computer as the active router in a redundant configuration.
  • OSPF may allow an attacker to become a MitM by manipulating the OSPF routing table.
  • Discovery of DHCP boot options may allow an attacker to boot an authorized operating system or download and analyze the boot image for valid credentials.

The end goal for this tool is to include intelligence gathering and attack capabilities for all of the Layer 3 protocols identified above. Further investigation into Layer 2 protocols will continue to determine whether Layer 2 attacks will be possible using the native PowerShell interface.

You can find the full script at and an expanded explanation of each of the functions at .

jSQL – Automatic SQL Injection Tool In Java

jSQL is an automatic SQL Injection tool written in Java; it’s lightweight and supports 23 kinds of database.

It is free, open source and cross-platform (Windows, Linux, Mac OS X) and is easily available in Kali, Pentest Box, Parrot Security OS, ArchStrike or BlackArch Linux.


  • Automatic injection of 23 kinds of databases:
    • Access
    • CockroachDB
    • CUBRID
    • DB2
    • Derby
    • Firebird
    • H2
    • Hana
    • HSQLDB
    • Informix
    • Ingres
    • MaxDB
    • Mckoi
    • MySQL{MariaDb}
    • Neo4j
    • NuoDB
    • Oracle
    • PostgreSQL
    • SQLite
    • MS SQL Server
    • Sybase
    • Teradata
    • Vertica
  • Multiple injection strategies: Normal, Error, Blind and Time
  • SQL Engine to study and optimize SQL expressions
  • Injection of multiple targets
  • Search for administration pages
  • Creation and visualisation of web shell and SQL shell
  • Read and write files on the host using injection
  • Brute-forcing of password hashes
  • Encoding and decoding of strings


Install Java 8, then download the latest release of jSQL Injection and double-click on the file jsql-injection-v0.79.jar to launch the software. You can also type java -jar jsql-injection-v0.79.jar in your terminal to start the program. If you are using Kali Linux then get the latest release using commands apt update then apt full-upgrade.

Future Roadmap

  • Netezza Support
  • Test coverage with Jacoco
  • Integration test with Docker and JPA Hibernate Jooq
  • Maven
  • Core swing CLI
  • Full Path Disclosure
  • DIOS RoutedQuery OOB UpdateInsertDelete
  • Bruteforce HTTP Auth using NTLM
  • Arabic translation
  • Command-line interface
  • Dictionary attack
  • WAF Detection
  • Program self-updater

You can download jSQL here:


Or read more here.

EvilAbigail – Automated Evil Maid Attack For Linux

EvilAbigail is a Python-based tool that allows you to run an automated Evil Maid attack on Linux systems; this is the initrd attack against an encrypted root filesystem. An Evil Maid attack is a type of attack that targets a computer device that has been shut down and left unattended.


An Evil Maid attack is characterized by the attacker’s ability to physically access the target multiple times without the owner’s knowledge.
  • Laptop left turned off with FDE turned on
  • Attacker boots from USB/CD/Network
  • Script executes and backdoors initrd
  • User returns to laptop, boots as normal
  • Backdoored initrd loads:
    • (Debian/Ubuntu/Kali) .so file into /sbin/init on boot, dropping a shell
    • (Fedora/CentOS) LD_PRELOAD .so into DefaultEnvironment, loaded globally, dropping a shell.

Supported Distros

  • Ubuntu 14.04.3
  • Debian 8.2.0
  • Kali 2.0
  • Fedora 23
  • CentOS 7

You can download EvilAbigail here: