hacking - BREAKDEV

hacking

A collection of 12 posts

Hacked Discord - Bookmarklet Strikes Back

Hacked Discord - Bookmarklet Strikes Back

Discord accounts are getting hacked. This is my analysis of how most recent bookmarklet attacks work, with guidelines on what Discord can do to mitigate these attacks.

Evilginx 2.4 - Gone Phishing

evilginx Featured

Evilginx 2.4 - Gone Phishing

"Gone Phishing" 2.4 update to your favorite phishing framework is here. May the phishing season begin!

Pwndrop - Self-hosting Your Red Team Payloads

pwndrop Featured

Pwndrop - Self-hosting Your Red Team Payloads

Pwndrop is a self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV.

Evilginx 2.3 - Phisherman's Dream

Evilginx 2.3 - Phisherman's Dream

Welcome to 2019! As was noted, this will be the year of phishing automation. We've already seen a release of new reverse-proxy tool Modlishka and it is only January. This release would not have happened without the inspiration I received from Michele Orru (@antisnatchor), Giuseppe Trotta (@Giutro) and Piotr Duszyński

Evilginx 2.2 - Jolly Winter Update

Evilginx 2.2 - Jolly Winter Update

Tis the season to be phishing! I've finally found some free time and managed to take a break to work on preparing a treat for all of you phishing enthusiasts out there. Just in time for the upcoming holiday season, I present you the chilly Evilginx update. [Download Evilginx 2

Evilginx 2.1 - The First Post-Release Update

Evilginx 2.1 - The First Post-Release Update

About 2 months ago, I've released Evilginx 2. Since then, a lot of you reported issues or wished for specific features. Your requests have been heard! I've finally managed to find some time during the weekend to address the most pressing matters. [>> Download Evilginx 2 from GitHub <<](https://github.com/

Evilginx 1.1 Release

Evilginx 1.1 Release

Hello! Today I am bringing you another release of Evilginx with more bug fixes and added features. The development is going very well and the feedback from you is terrific. I've managed to address most of the requests you sent me on GitHub and I hope to address even more

Evilginx 1.0 Update - Up Your Game in 2FA Phishing

Evilginx 1.0 Update - Up Your Game in 2FA Phishing

Welcome back! It's been just a couple of weeks since Evilginx release and I'm already swimming in amazing feedback. This encouraged me to spend more time on this project and make it better. The first release was more of a proof of concept, but now I want to make it

Evilginx - Advanced Phishing with Two-factor Authentication Bypass

Evilginx - Advanced Phishing with Two-factor Authentication Bypass

Welcome to my new post! Over the past several months I've been researching new phishing techniques that could be used in penetration testing assignments. Almost every assignment starts with grabbing the low-hanging fruit, which are often employees' credentials obtained via phishing. In today's post I'm going to show you how

Sniping Insecure Cookies with XSS

Sniping Insecure Cookies with XSS

In this post I want to talk about improper implementation of session tokens and how one XSS vulnerability can result in full compromise of a web application. The following analysis is based on an existing real-life web application. I cover the step-by-step process that lead to administrator's account take over

How I Hacked an Android App to Get Free Beer

How I Hacked an Android App to Get Free Beer

Just recently I stumbled upon an Android app that lets you receive free products in various pubs, restaurants or cafes in exchange for points accumulated with previous purchases. When the purchase is made, you let the vendor know that you want to receive points. In the app you select the

Defeating Antivirus Real-time Protection From The Inside

Defeating Antivirus Real-time Protection From The Inside

Hello again! In this post I'd like to talk about the research I did some time ago on antivirus real-time protection mechanism and how I found effective ways to evade it. This method may even work for evading analysis in sandbox environments, but I haven't tested that yet. The specific