WhatsApp is the most widely used messenger in the world. It has more than two billion active user base which is great. We have adopted WhatsApp in our life and we use this for our very personal works, like personal media shearing and chats. But there is a catch.

Why we can’t trust Whatsapp?

While WhatsApp is a popular messaging platform known for its end-to-end encryption, which theoretically provides a high level of security for private chats, there are still some reasons why individuals might have concerns about trusting the platform completely. Here are a few factors to consider:

Ownership by Facebook: WhatsApp is owned by Facebook, and there have been concerns about how user data is shared between the two platforms. While WhatsApp messages are end-to-end encrypted and Facebook claims not to have access to them, there have been changes to the privacy policy that allow for some data sharing between WhatsApp and Facebook.

Privacy Policy Changes: WhatsApp has updated its privacy policy in the past, leading to controversy and concerns about how user data is handled. While the end-to-end encryption remains intact, other data such as metadata, contacts, and account information may be collected and shared for various purposes.

Government Access: In some cases, governments may request access to user data for legal or security reasons. While WhatsApp claims not to have a backdoor for such access, the legal landscape can vary, and there have been instances of government requests for data.

So that’s pretty much clear that we need another platform from for our private message. Telegram and Signal is good alternative of Whatsapp. In this detailed article we are going to discuss how we can install Signal and Telegram on our Linux System, we are using Kali Linux here. But we can use the same method on any Debian based Linux distribution (Ubuntu, Mint, Elementary etc).

Signal

Signal is an open-source privacy focused software for private/group messaging and calls. It can be the perfect alternative to WhatsApp. Signal has almost the same interface like WhatsApp. It has encryption and a lot of more privacy than WhatsApp. Even Edward Snowden and Elon Musk recommended using Signal.

Use Signal

— Elon Musk (@elonmusk) January 7, 2021

Signal is available on various platforms. It is available for mobile devices Android and iOS. It also has desktop applications for Windows, Mac and Linux. We don’t give any link for Linux Download. We will show the process here.

How to install Signal on Linux

To install Signal on Linux we can use the following method.

First of all we need to Install Signal’s official public software signing key by using following commands one by one:

wget -O- https://updates.signal.org/desktop/apt/keys.asc |

sudo apt-key add -

The screenshot of the command is following:

This might take some time and ask for the root password.

After this we need to add Signal’s repository to our list of repositories by using following command:

echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" |
  sudo tee -a /etc/apt/sources.list.d/signal-xenial.list

We can copy and paste this command to our terminal to add the repository.

Then we just need to update our system by using following command:

sudo apt-get update

After the updating process complete we can install Signal desktop app by using following command:

sudo apt install signal-desktop

This will take some time to download (111 MB) and install.

After finishing the process we can find Signal desktop applications on our application list.

Now we just need to link our phone’s Signal app with our PC by scanning the QR code. It’s not like the WhatsApp Web, because in WhatsApp Web our both devices need to connect to the internet. Here after scanning we can use our PC as a primary device.

Our chats are saved on our device not in their server (like WhatsApp) so we can’t see the mobile chats on the PC.

Telegram

Telegram is already a very popular messaging and media sharing platform. We don’t think it needs any special introduction. It also supports cross platform. It also has mobile and desktop versions.

It is also available for mobiles on Play store and app store. Also it is available for Windows, Mac and Linux (64bit and 32bit).

It is also open-source and the source code is available on their GitHub repository.

How to install Telegram on Linux

To download it on our Linux system we just need to download it from the official website. Then we can download it’s Linux version (we are in 64 bit).

It will download a tar.xz compressed file. After downloading it we can find it on our Downloads folder. We need to extract the compressed file and we got two binary files as we can see in the following screenshot:

Here, we just need to double click on the “Telegram” file and it will be started. We can use it as a separate Telegram account or we can link our mobile devices via QR code. It will show us desktop notification of new chats.

Note: This installation of Telegram does not “install” the app on our system, but it will add a ‘Telegram’ app shortcut to our system app launcher/app menu. Just remember to not delete the binary file it links to!

There are some more privacy messengers on the market (Wikr, Utopia), but these are the most wanted. So we discussed these and their installation on Linux. We usually prefer Signal more than Telegram. Tell us about personal choice in the comment section.

Love our articles? Make sure to follow us to get all our articles directly on notification. We are also available on Twitter and GitHub, we post article updates there. To join our KaliLinuxIn family, join our Whatsapp Channel & Telegram Group. We are trying to build a community for Linux and Cybersecurity. For anything we always happy to help everyone on the comment section. As we know our comment section is always open to everyone. We read each and every comment and we always reply.

In our some previous articles (Scalpel, Foremost etc) we have discussed how to can run digital forensics on hard disk drives. But data is not only stores there this included RAM and the swap partition, or paging, file, which is an area of the hard disk drive.

Now the issue is RAM’s data is very volatile, means the data in the RAM easily lost, when there are no electrical charge or current in the RAM chip. With the data on RAM being the most volatile, it ranks high in the order of volatility and must be forensically acquired and preserved as a matter of high priority.

Many types of data & forensics artifacts reside in Random Access Memory (RAM) and the paging file. They are might be login passwords, user information, running and hidden processes or even encrypted passwords are just some of the many types of interesting data that can be found when we run digital forensics test of RAM.

In our this article we use Volatility Framework to perform memory forensics on our Kali Linux system.

Volatility Framework is an open-source, cross-platform framework that comes with many useful plugins that provide us very good information from the snapshot of memory. This also known as memory dump.

The concept of Volatility is very old but it’s works like magic. Not only analyzing running and hidden processes, is also a very popular choice for malware analysis.

As we said Volatility Framework is a cross platform framework. It can be run on any OS (32 and 64 bit) that supports Python including:

• Windows XP, 7, 8,8.1, and Windows 10.
• Windows Server 2003, 2008, 2012/R2, and 2016.
• Linux 2.6.11 – 4.2.3 (including Kali, Debian, Ubuntu, CentOS, and more).
• macOS Leopard (10.5.x) and Snow Leopard (10.12.x) and newer.

Volatility supports several memory dump formats (both 32- and 64-bit), including:

• Windows crash and hibernation dumps (even Windows 7 and earlier).
• VirtualBox.
• VMWare .vmem dump.
• VMware saved state and suspended dumps—.vmss/.vmsn.
• Raw physical memory—.dd.
• Direct physical memory dump over IEEE 1394 FireWire.
• Expert Witness Format (EWF)—.E01.
• QEMU (Quick Emulator).

Even we can convert between these formats and boosts of being able use Volatility with other tools.

Before use Volatility Framework we need to create a memory dump for testing. We can use several tools such as FTK imager, Helix, LiME can be used to acquire the memory image or memory dump. Then it can be investigated and analyzed by the Volatility Framework.

For this tutorial we are going to use a Windows XP image (named cridex.vmem) which is downloaded from here. Volatility have uploaded lots of memory samples publicly available for testing there. We can use them for our practice with the Volatility Framework and enhance our skills. We can download as many as we like and we can use various plugins available in Volatility. In the following screenshot we can see that our dump image is saved on our Desktop for easy access.

Using Volatility in Kali Linux

Volatility Framework comes pre-installed with full Kali Linux image. We can see the help menu of this by running following command:

volatility -h

Then we got the help of Volatility Framework as we can see in the following screenshot:

If we scroll down a little bit on the help menu we can find the list of all plugins within Volatility Framework.

This list comes in handy when performing analysis as each plugin comes with it’s own short description. In the following screenshot we can see a plugin with it’s description.

Gaining Information using Volatility

This imageinfo plugin will tell us about the image. The format for using plugins in Volatility is:

volatility -f [filename] [plugin] [options_if_required]

Now we have stored our image file on Desktop so first we change our working directory by using cd Desktop command. Then we run imageinfo plugin to check information of the image by applying following command:

volatility -f cridex.vmem imageinfo

In the following screenshot we can see the information about our image file.

In the above screenshot we can see some information about the image used, including the suggested operating system and Image Type (Service Pack), the Numbers of Processor used and the date and time of the image. Some valuable information we got from this image is listed:

• WinXP: Windows XP.
• SP3: Service Pack 3.
• x86: 32 bit architecture.

We also can see the suggested profiles WinXPSP2x86 (Windows XP Service Pack 2×86), WinXPSP3x86 (Windows XP Service Pack 3×86) but in the image type section we can see that service pack is 3 so we can use “WinXPSP3x86” profile for our analysis.

Process Analysis using Volatility on Kali

To identify & link connected processes, their ID’s, running time and offset locations within the RAM image, we need these four plugins to get started:

1. pslist
2. pstree
3. psscan
4. psxview

1. Pslist Plugin on Volatility

This plugin or tool shows a list of all running processes, also it gives very crucial information like, Process ID (PID) and the Parent PID (PPID). Not only that it also shows the time when the processes started.

Let we run the pslist first then we explain the things. We use following command:

volatility --profile=WinXPSP3x86 -f cridex.vmem pslist

The following screenshot shows the output of the preceding command:

The Finding are discussed following

In the above screenshot we can see the System, winlogon.exe, services.exe, svchost.exe, and explorer.exe services are all started first and then followed by reader_sl.exe, alg.exe, and finally wuauclt.exe.

The PID identifies the process and the PPID identifies the parent of the process. Looking at the pslist output, we can see that the winlogon.exe process has a PID of 608 and a PPID of 368. The PPID’s of the services.exe and the lsass.exe processes (directly after the winlogon.exe process) are both 608, indicating that winlogon.exe is in fact the PPID for both services.exe and lsass.exe.

For those new to process IDs and processes themselves, a quick Google search can assist with identification and description information. It is also useful to become familiar with many of the startup processes in order to readily point out processes that may be unusual or suspect.

The timing and order of the processes should also be noted as these may assist us in investigations. In the above screenshot, we can see that several processes, including explorer.exe, spoolsv.exe, and reader_sl.exe, all started at the same time of 02:42:36 UTC+0000. We can also tell that explorer.exe is the PPID of reader_sl.exe.

In this analysis, we can see that there are two instance of wuauclt.exe with svchost.exe as the PPID.

2. Pstree Plugin on Voltility

pstree is another process identification command that can be used to list processes. pstree shows output the same list of processes as the pslist command did in previous, but identification is also used to know which one child process and which one is parent process.

To run pstree we use following command:

volatility --profile=WinXPSP3x86 -f cridex.vmem pstree

Following screenshot shows the output of the preceding command:

In the above screenshot, the last two processor listed are explorer.exe and reader_sl.exe. The explorer.exe is not indented, while reader_sl is indented, indicating that sl_reader is the child process and explorer.exe is the parent process. This is how we can identify the parent process and child process.

3. Psscan Plugin on Volatility

With the help of pslist and pstree we have checked the running processes, now it’s time look for inactive and even hidden processes using psscan. Now this hidden processes may be caused by malwares (like rootkits), and they are well known for doing just that to evade discovery by users & antivirus programs.

To check the inactive process using psscan we can use following command:

volatility --profile=WinXPSP3x86 -f cridex.vmem psscan

The output of the command shows in the following screenshot:

Now we can compare the outputs of both paslist and psscan to find any anomalies.

3. Psxview Plugin on Volatility

As with psscan, the psxview plugin is used to find and list hidden processes. With psxview however, a variety of scans are run, including pslist and psscan.

To run the psxview we apply following command:

volatility --profile=WinXPSP3x86 -f cridex.vmem psxview

The output of the command shows in the following screenshot:

Analyzing Network Services & Connections using Volatility

Volatility can be used to find and analyze active, terminated, and hidden connections along with ports and processes. All the protocols are supported and Volatility also reveals details of ports used by the processes including the times the processes were started.

To do this we are going to use the following three commands:

1. connections
2. connscan
3. sockets

1. Connection Plugin on Volatility

The connections command lists active connections at that time. It also displays local and remote IP with the ports and PID. The connection command can be used only for Windows XP and Microsoft 2003 server (both 32 bit and 64 bit).

To use the connections command in Volatility we can use following command:

volatility --profile=WinXPSP3x86 -f cridex.vmem connections

The following screenshot shows the output of the connections command and we can see the IP address (both local and remote) along with the port numbers and PID.

2. Connscan Plugin on Volatility

The connections command displayed only on connection as active at that time. To see a list of connections that have been terminated, we can use the connscan command. This connscan command is also only for Windows XP and 2003 Server (both 32 bit and 64 bit) systems.

To use connscan we run the following command:

volatility --profile=WinXPSP3x86 -f cridex.vmem connscan

The screenshot of this command is following:

In the above screenshot we can see that same local address was previously connected to another Remote Address with the IP address 125.19.103.198 on port 8080. The PID of 1484 is proof that connection was made by the explorer.exe (tested on pslist earlier).

Here we got the Remote IP address. Now for more information we can search the IP address on some IP Look up web services like https://whatismyipaddress.com/ip-lookup or https://www.ip2location.com/demo. We got some additional information from there as we can see in the following screenshot.

We can get IP details like, ISP (Internet Service Provider) name, Continent, Country and City. We also got a map co-ordinate of the city.

3. Sockets Plugin on Volatility

We use the sockets plugin to give additional connectivity information listening sockets.

To use sockets plugin we can use following command:

volatility --profile=WinXPSP3x86 -f cridex.vmem sockets

We can see the output of the command in the following screenshot:

We can see in the above that only UDP and TCP protocols are showing in this case. But sockets plugin supports all types of protocols.

Dynamic Link Libraries Analysis using Volatility

DDL a.k.a. Dynamic Link Libraries are only for Microfost (Windows & Servers). It contains code that can be used by multiple programs simultaneously.

Inspection of a process’s running DDLs and the version information of files and products may assist in correlating processes. Processes and DLL information should also be analyzed as they relate to the user accounts. For these tests we can use the following plugins:

1. verinfo
2. dlllist
3. getsids

1. Verinfo plugin on Volatility

This plugin lists version information as we can see in the plugin name (verinfo) about PE (portable executable) files. The output of this file is usually quite lengthy and so can be run in a separate terminal, if we not wish to continuously scrool through the current terminal to review past plugin command lists and output.

We can use verinfo plugin by running following command:

volatility --profile=WinXPSP3x86 -f cridex.vmem verinfo

The screenshot of the command is following:

2. Dlllist plugin on Volatility

This dlllist plugin lists all running DLLs at that time in memory. DLLs are composed of code that can be used by multiple programs concurrently.

We can use the dlllist plugin by running the following command:

volatility --profile=WinXPSP3x86 -f cridex.vmem dlllist

The following screenshot shows the output of the command:

3. Getsids plugin on Volatility

To identify all users we can use Security Identifier (SID). The getsids command has four very useful items in the order in which the processes were started (refer to pslist and pstree command screenshots).

To run the getsids we can use following command:

volatility --profile=WinXPSP3x86 -f cridex.vmem getsids

The screenshot of the command is following:

The format for the getsids plugin output is like following:

[Process] (PID) [SID] (User)

On the first line of the output we can see follwoing:

System (4): S-1-5-18 (Local System)

Here we explained in following bullets:

• Process : System
• PID : 4
• SID : S-1-5-18
• User : Local System

If the last number if SID is in a range of 500, that indicates the user with adminstratative privileges. For an example:

S-1-5-32-544 (Administrators)

Here we got something when we are scrolling down the getsids output, we can see that a user called Robert with an SID of S-1-5-21-789336058 (non-admin) has used started or accessed explorer.exe PID 1484.

Resgistry Analysis

Information about every users, settings, programs and the Windows operating system itself can be found within the registry. Even encrypted passwords can be found in the registry.

In the Windows registry analysis, we will be using the following two plugins.

1. hivescan
2. hivelist

1. Hivescan plugin on Volatility

This hivesan plugin display the physical locations of available registry hives.

To use this plugin we need to run following command:

volatility --profile=WinXPSP3x86 -f cridex.vmem hivescan

We can see the physical locations of available registry hives in the following screenshot:

2. Hivelist plugin on Volatility

Hivelist plugin is used for more details (and helpful) information on registry hives and locations with RAM. This plugin shows the details of Virtual and Physical address along with the easier readable plaintext names and locations.

We use following command to run hivelist plugin on Volatility

volatility --profile=WinXPSP3x86 -f cridex.vmem hivelist

The output shows in the following screenshot:

In the above screenshot we can see information about vitual and physical address.

Password Dumping using Volatility

We know that Windows password stored on the SAM (Security Accounts Manager) file on Windows. This SAM file stores hashd passwords for usernames in Windows system. This file can’t be accessed by any user when the Windows system is on.

When we have used the hivelist command (previous screenshot) we have seen the SAM file if we carefully checked the output.

We can see the SAM file during using hivelist plugin

Timeline Investigation using Volatility

We can check timeline of all the events that took place when the image was acquired by using timeliner plugin on Volatility.

Although we have an idea of what took place within this scenario, many other dumps may be quite large and far more detailed and complex. The timeliner plugin will groups details by time and includes process, PID, process offser, DDLs used, registry details and other useful information.

To run timeliner command, we type the following command:

volatility --profile=WinXPSP3x86 -f cridex.vmem timeliner

The output shows in the following screenshot:

This may produce long ouput and we need to scrool to see the full output.

Malware analysis

One of most important feature of Voatility is malfind plugin. This plugin is used to find, or at least direct us toward hints of malware that may have been injected into various processes.

The output of malfind plugin may be very lenghty so we should be run it in a separate terminal to avoid constant scrolling when reviewing the other plugin’s output.

The command used to run malfind pluin will be following:

volatility --profile=WinXPSP3x86 -f cridex.vmem malfind

We can see the output on the following screenshot:

We can see a very long output here. To be more specific we can use -p flag to analyse a specific PID. As we have discovered previously (pslist plugin), winlogon.exe is assigned to PID 608. To analyze this specific PID in malfind we use following command:

volatility --profile=WinXPSP3x86 -f cridex.vmem malfind -p 608

The output of the command shown in the following screenshot:

Final Thoughts

In this article, we looked at memory forensics and analysis using some of the many plugins available within the Volatility Framework on our Kali Linux system.

One of the first, and most important, steps in working with Volatility is choosing the profile that Volatility will use throughout the analysis. This profile tells Volatility Framework what type of operating system is being used. Once the profile was chosen, we were able to successfully perform process, network, registry, DLL, and even malware analysis using this versatile framework.

As we’ve seen, Volatility can perform several important functions in digital forensics and should be used together with other tools we’ve used previously to perform in-depth and detailed forensic analysis and investigations.

Be sure to download more publicly available memory images and samples to test our skills in this area. Experiment with as many plugins as we can and of course, be sure to document our findings and consider sharing them online.

This is how we can perform Digital forensics on RAM and the swap partition etc using our Kali Linux system with the help of Volatility Framework.

Love our articles? Make sure to follow us on Twitter and GitHub, we post article updates there. To join our KaliLinuxInfamily, join our Telegram Group & Whatsapp Channel. We are trying to build a community for Linux and Cybersecurity. For anything we always happy to help everyone on the comment section. As we know our comment section is always open to everyone. We read each and every comment and we always reply.

Our in this platform we usually talk about various applications and their uses to check loopholes on systems. But penetration testers not only uses software applications, they also need some hardware to perform the tasks. In this detailed article we are going to cover hardware devices & gadgets used by an ethical hacker. Let’s start with a warning.

Warning:- This article is written for educational purpose only. To make it more ethical, we just only talk about the hardware devices publicly available in Amazon. Using these devices on our own for educational purpose isn’t crime, but using these devices against others without proper permission is illegal. So use these devices responsibly, we and Amazon will not be responsible for talking and selling these kind of product.

Lets start with a computer, most of cybersecurity experts prefer laptops, not desktops because laptops are portable. We had wrote an entire article about best laptops for Kali Linux, Moving forward ethical hackers uses some other hardware devices that is our main topic for today.

1. Raspberry Pi 4

Raspberry Pi dominating the market of single board computers (SBC). This device used by almost every security personals.

This is very useful we can install entire Kali Linux on this credit card sized computer. Raspberry Pi also can be used in many other projects. Cybersecurity experts use it on various way. We can see in Mr. Robot Season 1 Episode 5, how Elliot hacked the climate control network to destroy magnetic tapes.

There are unlimited uses of raspberry pi for an ethical hacker. This device is a must have for everyone on infosec and programming field.

2. Raspberry Pi Zero W

This is a small handheld computer, ideal for carrying the best penetration testing software tools, and to handle all the external hardware hacking tools. The most known Cybersecurity distro for it is P0wnP1 A.L.O.A. and Kali Linux. P4wnP1 is a highly customizable USB attack platform, based on a low cost Raspberry Pi Zero or Raspberry Pi Zero W. The successor of P4wnP1 is called P4wnP1 A.L.O.A. We recommend the USB type-A pongo-pin adapter shown in the above picture.

We also can use it a headless system (without monitor). This device connected with a power bank in our bag and we can control it from our mobile device on our hand(using VNC).

3. USB Rubber Ducky

USB Rubber ducky is created and developed by Hak5. Nearly every computing devices accepts human input from keyboards, hence the ubiquitous HID specification – or Human Interface Device. Keyboards announce themselves to computers as HID devices and are in turn automatically recognized and accepted.

The USB Rubber Ducky delivers powerful payloads in seconds by taking advantage of the target computers inherent trust all while deceiving humans by posing as an ordinary USB drive.

In simple words, if we plug it on a computer, the computer think it is a keyboard and it will inject (type, save and execute) our preset payload on the computer. There are lots of payload available for this device. Also we can easily write our own code.

This is one of the bast way to compromise a system having physical access.

4. WiFi Pineapple

The Wi-Fi pineapple is the original Wi-Fi attack tool developed by Hak5. There are three different models available from Hak5. They all are good, here we choose Mark VII model for it’s value for money.

This will automate the auditing of WiFi networks and saves the results. We can control it with awesome web based interface. This is really a very good product for security testing o wireless networks.

5. HackRF One

HackRF One from Great Scott Gadgets is a Software Defined Radio peripheral capable of transmission or reception of radio signals from 1 MHz to 6 GHz. Designed to enable test and development of modern and next generation radio technologies. We can read and manipulate radio frequencies using this device.

HackRF One is an open-source hardware platform that can be used as a USB peripheral or programmed for stand- alone operation. This SDR offers one important improvement compared to other cheap alternatives. But the Radio Frequency (RF) quality isn’t good as expected.

6. Ubertooth One

Ubertooth One is the most famous Bluetooth hacking tool we can find on the market. It is an open source 2.4 GHz wireless development platform suitable for Bluetooth hacking. Commercial Bluetooth monitoring equipment can easily be priced at over $10,000 , so the Ubertooth was designed to be an affordable alternative platform for monitoring and development of new BT, BLE and similar wireless technologies.

Ubertooth One is designed primarily as an advanced Bluetooth receiver, offering capabilities beyond that of traditional adapters, which allow for it to be used as a BT signal sniffing and monitoring platform. Although the device hardware will accommodate signal broadcasting, the firmware currently only supports receiving and minimal advertising channel transmission features.

7. WiFi Deauther Watch

As the name said it’s a deauther, it de-authenticate the WiFi users and they got disconnected. It’s not a jammer. It uses ESP8266 WiFi development board to do so. Here it’s watch version is looks super cool gadget for every hacker.

While a jammer just creates noise on a specific frequency range (i.e. 2.4 GHz), a deauthentication attack is only possible due to a vulnerability in the Wi-Fi (802.11) standard. The deauther does not interfere with any frequencies, it is just sending a few Wi-Fi packets that let certain devices disconnect. That enables us to specifically select every target. A jammer just blocks everything within a radius and is therefore highly illegal to use.

8. USB Killer

Computers doesn’t check the current flowing through USB, because it uses computers own power and can’t transmit more voltage. But what if we took an advantage of this to burn our (using on others is totally illegal) entire system.

When plugged into a device, the USB Killer rapidly charges its capacitors from the USB power lines. When the device is charged, -200VDC is discharged over the data lines of the host device. This charge/discharge cycle is repeated many times per second, until the USB Killer is removed. As the result target device becomes burned and unrepairable.

Its compact size and flash-drive style housing makes it an important device in every pen-tester’s toolkit. It can be used multiple times as we want.

9. Bad USB

This is a super alternative of USB Rubber Ducky. This device contains customized HW based on Atmega32u4 and ESP-12S. This device allows keystrokes to be sent via Wi-Fi to a target machine. The target recognizes the Ducky as both a standard HID keyboard and a serial port, allows interactive commands and scripts to be executed on the target remotely.

Attacker can easily carry it as a thumb drive and plug into any PC to inject payload, running own command on it, it also can be controlled over WiFi. It looks like innocent USB thumb drive, which is a great advantage. But this is doesn’t have faster speed like USB Rubber Ducky.

10. Hardware Keylogger

A hardware keylogger can be inserted between USB keyboard and computer. It captures all the keystrokes made from the keyboard, must have thing for every cybersecurity expert.

This is a basic hardware keylogger. It has 16 MB storage. Which is sufficient to capture keystrokes for a year generally. Later we can remove it and plug on our computer to read the keystrokes. Some keyloggers comes with WiFi controlling and SMS controlling functionality. No software can detect it’s there.

11. Adafruit Bluefruit LE Sniffer

Adafruit
luefruit LE Friend is programmed with a special firmware image
thatturns it into an easy to use Bluetooth Low Energy sniffer. We can
passively capture data exchanges between two Bluetooth Low Energy (BLE)
devices, pushing the data into Wireshark,
the open source network analysis tool, where you can visualize things
on a packet level, with useful descriptors to help us make sense of the
values without having to crack open the 2000 page Bluetooth 4.0 Core
Specification every time.

Note:
We can only use this device to listen on Bluetooth Low Energy devices!
It will not work on Bluetooth (classic) devices. Firmware V2 is an
improved firmware from Nordic now has better Wireshark-streaming sniffer
software that works with all OS for live-streamed BLE sniffing. The
sniffer firmware cannot be used with the Nordic DFU bootloader firmware,
which means that if we want to reprogram this device you must use a J-Link (and a SWD programmer board). We cannot over-the-air (OTA) reprogram it.

12. Micro-controllers

There are lots of micro-controllers used by ethical hackers. Some of them are must have in a ethical hackers backpack.

NodeMCU ESP8266

ESP8266 is a $6 WiFi development board and it can be used in various way, we can make WiFi deauther by our own. It also can be used to create phishing pages over WiFi.

Arduino Pro Micro

This tiny micro-controller is one of the best choice for ethical hackers. We can make our own DIY USB Rubber Ducky.

Arduino Pro Micro is really good thing at a very low price. But if we want to change the script then we need to reset and upload new script on it from our computer.

13. RTL-SDR

RTL-SDR is a very cheap software defined radio that uses a DVB-T TV tuner dongle based on the RTL2832U chip-set.

It can be used to intercept radio frequencies. We can use it for listening others conversations. It is also able to intercept GSM mobile calls and SMS. It is very useful for cybersecurity experts.

14. Proxmark3 NFC RFID Card Reader

Owning
a Promark3 means owing the most powerful and most complete device
RFID/NFC (LF & HF) testing in the frequencies of 125KHz / 134KHz /
13.56MHz.

This
devices can make read the data of RFID and NFC cards and then make a
copy of it. We can write the new copies on blank cards provided with
this package. We we need more we can buy more blank cards on Amazon.

Therefore,
investing some more bucks in upgrading it, it’s not a bad idea. To
improve its range we need the extended range antennas for LF and HF.

Another
new and nice upgrade for it, is the Blue Shark Bluetooth 2.0 upgrade,
that permits controlling the proxmark3 wirelessly plus adding an
external battery to create an autonomous proxmark3 that can be connected
and controlled from your computer or smartphone. The Walrus NFC
application has been updated to permit control by Bluetooth. It also
fixes the high temperature concerns adding a metal cooler.

WiFi Adapters (Monitor Mode & Packet Injection)

WiFi adapter specially which supports monitor mode and packet injection is essential for WiFi penetration testing. So most of the hackers uses it. We had noticed that Alfa makes awesome adapters for cyber-security personals. We already discussed it on our Best WiFi adapter for Kali Linux article. Please check out that article before buying an WiFi adapter.

Something Extra

This is the gadgets for hackers we can directly buy from Amazon and help us on our ethical hacking journey. There are some more gadgets used by hackers but talking about them will be not ethical here. Most of them manufactured from china and available on some online stores. There are some cool stores like Hak5, but in this article we discussed about some gadgets which are openly available on Amazon.

Warning:- Using the above devices is not illegal. They are selling publicly on Amazon. But using these devices to harm anyone is totally illegal. We listed them for educational purpose and to learn how to safe ourselves from these kind of devices. If anyone uses this devices to harm anyone then we are not responsible for that, Amazon also not responsible. So use this devices responsibly, always remember:

That’s for today. Love our articles? Make sure to follow us on Twitter and GitHub, we post article updates there. To join our KaliLinuxIn family, join our Telegram Group. We are trying to build a community for Linux and Cybersecurity. For anything we always happy to help everyone on the comment section. As we know our comment section is always open to everyone. We read each and every comment and we always reply.

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack comes pre-installed with Kali Linux.

During penetration testing sometimes we got sometimes we got some port opened on some web application. Ports are open for using services. Services like SSH, FTP, HTTP, SMTP etc. We usually use nmap to scan a network.

We can see in the above nmap scan result, this network’s SSH and FTP ports are opened (port 21 and 22). If we can login through SSH then we got the terminal of the system and if we login through FTP then we got the file manager of the system.

We can try various tools to crack them like Hydra. But in this article we are going to learn about Ncrack.

Firstly we run following command to check the helps of Ncrack. Ncrack uses brute force attacks to crack network credentials. We have found lots of network admins using default or easy password, we can crack them using Ncrack in minutes.

ncrack --help

We can see a very big list of options in the help section as we can see in the following screenshot:

Without going much deeper let’s check an basic example of Ncrack brute force attack.

To use Ncrack against a service we can use following command:

ncrack -U path/of/usernamelist -P path/of/passwordlist <ip address or domain name>:port -v

So, if we want to attack on our localhost target using real username and password list, then our command will be following:

ncrack -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt 192.168.43.205:21 -v

Here we have used infamous SecLists, which comes preinstalled with Kali Linux. The output we can see in the following screenshot:

In the above screenshot we can see that Ncrack successfully cracked the credentials. The credentials are username:admin, password:password. Not only our target, there are lots of users around the world still using default or easy passwords.

Ncrack also comes with a default (small) username and password list to attack. To use it we can use following command:

ncrack 192.168.225.51:21 -v

This command will use the default password list comes with Ncrack. It has some default username and password lists. The screenshot is following:

If we need to run Ncrack’s brute force attack against ssh (port 22) then we can use following command:

ncrack whatsapp5.com:22 -v

We can find other Ncrack commands using ncrack –help command.

This is the way we can find low security usernames and passwords of FTP, SSH,  web server or web application. 

In this article we learn how we can use Ncrack on Kali Linux.

Disclaimer:- Use of Ncrack against a network without proper permission is illegal & serious crime. We can test our own system for low security password. If anyone do any illegal activity then we are not responsible for that.

Liked our article? Then make sure to follow our Twitter and GitHub we post new article updates there. To connect directly with us please join our Telegram group.

For any problem or question please comment down in the comment section.