Hacking has never been easier. No longer do you need to learn your skills from the ground up. Now, there are several ways into this occupation that require little, if any, effort. For a fee, you can join a hacking group and take money from their successful exploits. This angle is especially popular in the ransomware world, where ransomware-as-a-service (RaaS) is booming. A member can decide for themselves their degree of participation. The more you participate, the more you make. You, as a member, can be supported in developing your own ransomware and helped in finding victims. Yes, you will have to give the administrators a percentage of your take, but they are good businesspeople and will not take unfair advantage of you.
Now, there’s another angle available. You can pick up, for free, a complete hacking package. Of course, you might wonder how someone would be allowed to put together a complete hacking package without getting themselves into a lot of trouble. That’s easy. You market the package as a pentesting tool: a tool that allows anyone to test the integrity of their own network. The Social-Engineer Toolkit has been around for years and it is advertised as “an open-source penetration testing framework designed for social engineering.” The developers are well aware of the fact that this comprehensive toolkit is a must for hackers. They, therefore, issue this disclaimer.
DISCLAIMER: This is only for testing purposes and can only be used where strict consent has been given. Do not use this for illegal purposes, period.
Well, that may legally get them off the hook, but it’s unlikely to dissuade dedicated hackers.
This toolkit comes with a complete manual, but it may not be so easy for everyone to tweak the exploits to do what they want them to. It is surprisingly comprehensive and “it has incorporated attacks never before seen in an exploitation toolset.” Here are some of the main topics, any of which can be exploited by the would-be hacker.
And if you go to the spearphishing section, you will find some templates available for your emails. Of course the hacker, er, I mean, pentester, would have to tweak these for their particular needs.
In short, in the wrong hands, there is plenty of material here for a hacker to do damage or make a fortune. But, hackers aren’t supposed to use it, remember?
But recently, a new exploit kit has arrived which comes with no disclaimers. In fact, The Python SE Dopp Kit only speaks of tools that can be used to attack a target. The drawback here would be that the hacker would have to be familiar with the Python programming language. However, tutorials are available.
Since this kit is shameless in what its purposes are, I’d like to look more closely at what it can do. First of all, it is divided into 5 main sections, each of which contains tools or modules for specific purposes. Those sections are Annoyance Modules, Phishing Tools, Recon Tools, Misc Tools, and Exploitation Tools.
The Annoyance Modules are what they appear to be. Why anyone would want to use them is difficult to say. They include email, SMS, and call bombing. In other words, their purpose is to overwhelm the target with nonstop messages amounting to something similar to a Distributed Denial of Service (DDoS) attack. One reason for this could be to distract the target and then launch a more serious attack.
The Phishing Tools include the following.
Dead code scraper – Puts useless code into malware to make it difficult to analyze.
Dead comment scraper – Scrape data from foreign websites to insert into malware as comments to hinder attribution. In other words, make it look like the malware came from another country.
Critical news search – Search foreign/local news in order to create phishing lures. This enables hackers to take advantage of a timely topic to make more legitimate looking phishing emails.
SMS sender – Send phishing SMS messages.
Email sender – Send phishing emails.
Template injector – Inject a macro-enabled template into a .docx to enable macros in a .docx file. This avoids email filters that may block some attachments.
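For defenders, the template injector is the item in this list that mail filtering can catch by inspecting the attachment itself. The following is an added example, not code from the kit or from this post: it assumes the injected template is referenced through the standard `attachedTemplate` relationship in `word/_rels/settings.xml.rels`, and the sample documents and URL are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_PATH = "word/_rels/settings.xml.rels"
REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")

def find_attached_templates(docx_bytes):
    """List every attached-template relationship in a .docx package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return []                      # document has no attached template
        # For untrusted mail at scale, parse with a hardened XML library.
        root = ET.fromstring(zf.read(RELS_PATH))
    findings = []
    for rel in root.iter(REL_TAG):
        if rel.get("Type") != TEMPLATE_TYPE:
            continue
        target = rel.get("Target", "")
        low = target.lower()
        findings.append({
            "target": target,
            # Template fetched over the network when the document opens.
            "remote": rel.get("TargetMode") == "External"
                      and low.startswith(("http://", "https://", "\\\\")),
            # Template type that is allowed to carry macros.
            "macro_enabled": low.split("?")[0].endswith((".dotm", ".docm")),
        })
    return findings

def is_suspicious(docx_bytes):
    """Flag documents whose template is pulled from a remote location."""
    return any(f["remote"] for f in find_attached_templates(docx_bytes))

def build_sample(target=None, mode=None):
    """Constructed minimal package for testing; not a complete Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<doc/>")
        if target is not None:
            mode_attr = f' TargetMode="{mode}"' if mode else ""
            zf.writestr(RELS_PATH, (
                '<Relationships xmlns="http://schemas.openxmlformats.org/'
                'package/2006/relationships">'
                f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" '
                f'Target="{target}"{mode_attr}/></Relationships>'))
    return buf.getvalue()
```

Documents created from an ordinary local template also carry this relationship with a `file:///` target, which is why only network targets are flagged here.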
The Recon Tools help gather information about a target before the hacker launches an attack. They can also be used to uncover vulnerable software.
Critical news search – Search foreign/local news in order to create phishing lures.
License plate – Ever wonder why the news blocks out license plate numbers? This tool gathers data about a target’s vehicle based on a license plate.
Username search – Search multiple platforms for the same username. This helps in gathering more information and making better phishing lures.
Business keyword search – Search for potential targets. Hackers may want to find people in particular industries. Ransomware hackers, for example, like to target medical care facilities because they are most likely to pay.
IP address info – Gather information based on an IP address.
County email finder – Find emails of county employees.
Government employee salary records – Search salary records of government employees. Most people don’t realize that all federal employee salaries are publicly available here. For example, here is someone you may know.
Federal workers could be targeted and they may not know how public their information is. They may be surprised by a phishing email that mentions their salary and makes it look like the hacker has extensive information on them. This approach is often employed in extortion scams.
Phone number validator – Gather information based on a target’s phone number.
Find SSID location – If you have an SSID for a WIFI access point, this tool will find the location of it. This refers to a target’s router.
Search for SSIDs – Search for any SSID.
Misc and Exploit Tools
Email validator – Check whether or not an email is valid. Why waste your time on a fake email?
Exploit search – Search for available exploits for a certain software & version. Extremely important if you know what software the target uses.
Password generator – Generate a password.
Temporary SMS – Receive SMS messages to a temporary phone number. Helps in receiving a validation code.
CSRF exploit generator – Generate a cross-site request forgery (CSRF) exploit. Send someone a link to a malicious website.
Reverse shell generator – Generate a reverse shell payload. Attack across a firewall, for example.
XSS payload list – A list of payloads for cross-site scripting (XSS) attacks, which use the target’s browser to launch an attack.
And all of this, and more, is available for free! The only difference between this and the pentester kit is that this one shamelessly admits to being a collection of hacking tools. It also does not, as far as I know, contain such a comprehensive manual. But if you’ve ever wondered why so much hacking seems to be going on these days, I think you have some answers.