Pentoo Linux For Penetration Testing | Complete Tutorial


Pentoo Linux is a live CD/USB distribution based on Gentoo Linux and built for penetration testing and security assessment.

It ships with a large collection of penetration-testing tools and can serve as an alternative to Kali Linux.

Pentoo is available for both 32-bit and 64-bit x86.

It is aimed at experienced Linux users rather than beginners: underneath the tooling it is plain Gentoo, with Gentoo's source-based package management.

Pentoo Linux For Penetration Testing | Complete Tutorial:

Pentoo Linux is Gentoo Linux plus the Pentoo overlay, theme and tool configuration.

Its highlights include GPGPU-accelerated password cracking, a broad set of security-focused tools, and the ability to customise the whole system to your needs, since everything is built from Gentoo packages.


Pentoo Linux Features:

  • Available in both 32-bit and 64-bit versions
  • Packet injection patched wifi drivers
  • Full UEFI including secure boot support
  • CUDA/OpenCL Enhanced cracking software
  • Kernel 4.17.4 and all needed patches for injection
  • XFCE 4.12
  • A large set of hacking and pen-testing tools

Pentoo System Requirements:

An ordinary x86 or x86-64 PC is enough to install Pentoo. A CUDA- or OpenCL-capable GPU is only needed for the GPU-accelerated cracking tools.

Download and Installation:

  1. Download the latest Pentoo ISO.
  2. Verify the ISO against the digest published alongside it before writing it to media.
  3. Write the ISO to a USB stick to create a live USB. (Pentoo also runs in a VM, but features that need direct hardware access, such as wireless packet injection and GPU cracking, will not work there.)
  4. Boot from the live USB.
  5. Configure networking and run the installer.

After a successful installation, use Gentoo's package manager, Portage, to add or update tools and set up your environment.
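The verification step above, as an added example that is not part of the Pentoo project: the ISO is streamed through SHA-256 and compared, in constant time, with the digest published for its file name. The digest-file format is assumed to be the "<hex digest>  <filename>" lines that sha256sum writes; the demo ISO, digest file and tampered copy are constructed in a temporary directory. A GPG signature on the digest file, where the project publishes one, is checked separately with gpg --verify.

```python
"""Verify a downloaded ISO against a published SHA-256 digest before writing it to USB.
Added example, not Pentoo project code. Assumes sha256sum-style digest lines."""

import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-gigabyte ISOs never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def expected_digest(digest_path, filename):
    """Return the published digest for `filename` from a sha256sum-style file, or None."""
    with open(digest_path, encoding="utf-8") as f:
        for line in f:
            parts = line.split()
            if len(parts) != 2:
                continue                          # comments, blank lines, other formats
            digest, name = parts
            if name.lstrip("*") == filename:      # sha256sum marks binary mode with '*'
                return digest.lower()
    return None


def verify_iso(iso_path, digest_path):
    """True only when the file hashes to the digest published for its own file name."""
    expected = expected_digest(digest_path, os.path.basename(iso_path))
    if expected is None:
        return False                              # no digest for this file: do not trust it
    actual = sha256_of_file(iso_path)
    # compare_digest does not stop at the first differing byte
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed demo: a fake ISO, a matching digest file, then a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "pentoo-demo.iso")
        digests = os.path.join(d, "pentoo-demo.iso.sha256")
        with open(iso, "wb") as f:
            f.write(b"not really an ISO image\n")
        with open(digests, "w", encoding="utf-8") as f:
            f.write(f"{sha256_of_file(iso)}  pentoo-demo.iso\n")
        good = verify_iso(iso, digests)
        with open(iso, "ab") as f:
            f.write(b"tampered\n")                # simulate a corrupted or modified download
        bad = verify_iso(iso, digests)
        return good, bad


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the (True, False) pair for the intact and tampered copies; in real use call verify_iso on the downloaded ISO and the digest file fetched from the project's own site, and refuse to write the image to USB on a False.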

Final Words:

Pentoo Linux is Gentoo Linux with the Pentoo overlay on top.

This distribution is definitely not for beginners.

If you are comfortable administering Gentoo, it is a solid choice.

Pentoo ships with a large collection of penetration-testing tools that make your work easier.

HiddenEye – Modern Phishing Tool | Installation Guide [2020]


HiddenEye is a phishing toolkit that targets victims' accounts.

It combines a phishing-page server, a keystroke logger and basic information gathering (IP address, geolocation) in one tool.

It is effectively a bundle of several social-engineering tools.

HiddenEye runs on Kali Linux, Parrot OS, Termux and other platforms.

It is commonly used to phish credentials for social media accounts such as Twitter and Facebook.

HiddenEye Highlights:

  • Can perform live attacks (IP, geolocation, country, etc.)
  • Captures victim’s keystrokes (using keylogger function)
  • Server URL type selection (selects between RANDOM URL and CUSTOM URL)
  • Numerous phishing pages (Facebook, Twitter, Instagram, Dropbox, Reddit, WordPress, Yahoo, and many more)
  • Android support (Termux/UserLand)


HiddenEye Requirements:

Check whether the following are installed:

  • Python 3.*
  • PHP
  • sudo
  • pyngrok

Installing HiddenEye:

From the BlackArch official repository:

sudo pacman -S hidden-eye

To run it, use:

sudo hiddeneye


From source, clone the repository:

git clone

Running (Debian-based Linux):

chmod 777 HiddenEye

sudo apt install python3-pip

cd HiddenEye

sudo pip3 install -r requirements.txt

sudo pip3 install requests

sudo pip3 install pyngrok

The project's README uses chmod 777; marking only the scripts you run as executable (chmod +x) is enough and avoids leaving the whole tree world-writable.




Running (Arch Linux or Manjaro):

chmod 777 HiddenEye

sudo pacman -Syu

sudo pacman -S python-pip

cd HiddenEye

sudo pip3 install -r requirements.txt

sudo pip3 install pyngrok

Then start the script with either of:

sudo python3

sudo ./


HiddenEye Installation For Android Users:


Install the UserLAnd app from the Play Store.

Set up the app and install Kali from within it. Choose an SSH username (any name) and a password.

When Kali starts it asks for the password; enter the SSH password, then run su. Kali now runs on the device without root. Run apt update, then:

sudo apt install python3 python3-pip unzip php git

git clone

chmod 777 HiddenEye
cd HiddenEye

pip3 install -r requirements.txt && pip3 install requests


HiddenEye Installation (Termux):

First, install Termux from the Play Store.

After opening it, run the following commands one by one:

pkg install git python php curl openssh grep

git clone -b Termux-Support-Branch
chmod 777 HiddenEye
pip install requests
cd HiddenEye



RouterSploit – Exploitation Framework Complete Tutorial [2020]


RouterSploit is an open-source exploitation framework dedicated to embedded devices.

Penetration testers use it to assess the security of routers, IP cameras and similar devices.

RouterSploit Highlights:

  • Coded in Python.
  • Command-line interface.
  • Docker support.
  • Modular Tools.

Supported OS:

  1. macOS.
  2. Linux.
  3. Android Phone.
  4. Windows.

Installing RouterSploit:


Requirements:

  • future
  • requests
  • paramiko
  • pysnmp
  • pycrypto

Optional:

  • bluepy – Bluetooth Low Energy support

Installing in Kali Linux:

Follow the commands below:

apt-get install python3-pip
git clone
cd routersploit
python3 -m pip install -r requirements.txt

Bluetooth Low Energy support:

apt-get install libglib2.0-dev
python3 -m pip install bluepy

Installing in Ubuntu:

Follow the commands below:

sudo add-apt-repository universe
sudo apt-get install git python3-pip
git clone
cd routersploit
python3 -m pip install setuptools
python3 -m pip install -r requirements.txt

Bluetooth Low Energy support:

sudo apt-get install libglib2.0-dev
python3 -m pip install bluepy

Installing on macOS:

Follow the commands below:

git clone
cd routersploit
sudo python3 -m pip install -r requirements.txt

Installing on Docker:

Follow the commands below:

git clone
cd routersploit
docker build -t routersploit .
docker run -it --rm routersploit

How to Update RouterSploit?

Update RouterSploit regularly: new modules are added frequently, and the update is a plain git pull inside the clone.

cd routersploit
git pull

How to use RouterSploit?


root@kalidev:~/git/routersploit# ./
 ______            _            _____       _       _ _
 | ___ \          | |          /  ___|     | |     (_) |
 | |_/ /___  _   _| |_ ___ _ __\ `--. _ __ | | ___  _| |_
 |    // _ \| | | | __/ _ \ '__|`--. \ '_ \| |/ _ \| | __|
 | |\ \ (_) | |_| | ||  __/ |  /\__/ / |_) | | (_) | | |_
 \_| \_\___/ \__,_|\__\___|_|  \____/| .__/|_|\___/|_|\__|
                                     | |
       Exploitation Framework for    |_|   by Threat9
            Embedded Devices
 Codename   : I Knew You Were Trouble
 Version    : 3.3.0
 Homepage   : - @threatnine
 Join Slack :

 Join Threat9 Beta Program -

 Exploits: 128 Scanners: 4 Creds: 165 Generic: 4 Payloads: 32 Encoders: 6

rsf >


To perform an exploitation, pick a module and set the target:

rsf > use exploits/
exploits/2wire/ exploits/asmax/ exploits/asus/ exploits/cisco/ exploits/dlink/ exploits/fortinet/ exploits/juniper/ exploits/linksys/ exploits/multi/ exploits/netgear/
rsf > use exploits/dlink/dir_300_600_rce
rsf (D-LINK DIR-300 & DIR-600 RCE) >

Use the Tab key for completion.

To display the module's options, type show options:

rsf (D-LINK DIR-300 & DIR-600 RCE) > show options

Target options:

   Name       Current settings     Description                                
   ----       ----------------     -----------                                
   target                          Target address e.g.     
   port       80                   Target Port

Use run or exploit command to exploit the target:

rsf (D-LINK DIR-300 & DIR-600 RCE) > run
[+] Target is vulnerable
[*] Invoking command loop...
cmd > whoami

To set options:

rsf (D-LINK DIR-300 & DIR-600 RCE) > set target [+] {'target': ''}

It is possible to check whether the target is vulnerable to a particular exploit without running the exploit:

rsf (D-LINK DIR-300 & DIR-600 RCE) > check
[+] Target is vulnerable

Run show info to display info about the exploit.

Scanning for Vulnerable Targets:

Scanners quickly check whether the target is vulnerable to any of the exploits for a given vendor.

Use the same commands to display and set options, and run to start the scan.

rsf (D-Link Scanner) > run
[+] exploits/dlink/dwr_932_info_disclosure is vulnerable
[-] exploits/dlink/dir_300_320_615_auth_bypass is not vulnerable
[-] exploits/dlink/dsl_2750b_info_disclosure is not vulnerable
[-] exploits/dlink/dns_320l_327l_rce is not vulnerable
[-] exploits/dlink/dir_645_password_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_615_info_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_rce is not vulnerable

[+] Device is vulnerable!
- exploits/dlink/dwr_932_info_disclosure



Final Words:

RouterSploit is a useful tool to have in your kit.

If you run into issues with RouterSploit, leave a comment below and the CSHAWK team will get back to you.

Sn1per – Automated Pentest Framework | Complete Tutorial


Sn1per is a pentest framework for automated reconnaissance and vulnerability scanning.

The tool comes in two versions.

One is the Community edition (free); the other is Sn1per Professional (paid).

Sn1per Professional is Xero Security's premium reporting add-on for professional penetration testers, bug hunters and others.

Under the hood it chains well-known tools such as sqlmap, sslscan and theHarvester to do the scanning for you.

Sn1per Highlights [Community Edition]:

  • Automatically collects basic recon (ie. whois, ping, DNS, etc.)
  • Automatically launches Google hacking queries against a target domain
  • Automatically enumerates open ports via NMap port scanning
  • Automatically exploits common vulnerabilities
  • Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
  • Automatically checks for sub-domain hijacking
  • Automatically runs targeted NMap scripts against open ports
  • Automatically runs targeted Metasploit scan and exploit modules
  • Automatically scans all web applications for common vulnerabilities
  • Automatically brute forces ALL open services
  • Automatically tests for anonymous FTP access
  • Automatically runs WPScan, Arachni and Nikto for all web services
  • Automatically enumerates NFS shares
  • Automatically tests for anonymous LDAP access
  • Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
  • Automatically enumerates SNMP community strings, services and users
  • Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
  • Automatically tests for open X11 servers
  • Performs high-level enumeration of multiple hosts and subnets
  • Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
  • Automatically gathers screenshots of all web sites
  • Creates individual workspaces to store all scan output
  • Scheduled scans
  • Slack API integration
  • API integration
  • OpenVAS API integration
  • Burpsuite Professional 2.x integration
  • Shodan API integration
  • Censys API integration
  • Metasploit integration

Installing Sn1per

Installation is straightforward.

Some basic Linux familiarity is all you need.

  1. Clone the GitHub repository:

$ git clone

  2. Change into the Sn1per directory and make the install script executable:

$ cd Sn1per
$ chmod +x

  3. Run the installer:

$ ./



Run sniper -h to list all available modes:

sniper -t|--target <TARGET>

sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce

sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon

sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>

sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>

sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike

sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>

sniper -t|--target <TARGET> -m port -p|--port <portnum>

sniper -t|--target <TARGET> -fp|--fullportonly

sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>

[*] WEB MODE - PORT 80 + 443 ONLY!
sniper -t|--target <TARGET> -m|--mode web

sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>

sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>

sniper -t|--target <TARGET> -b|--bruteforce

sniper -t|--target <TARGET>

sniper -w <WORKSPACE_ALIAS> --reimport

sniper --status

sniper -u|--update



  • NORMAL: Performs a basic scan of targets and open ports using both active and passive checks for optimal performance.
  • STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
  • FLYOVER: Fast multi-threaded high-level scans of multiple targets (useful for collecting high-level data on many hosts quickly).
  • AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
  • NUKE: Launch full audit of multiple hosts specified in the text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
  • DISCOVER: Parses all hosts on a subnet/CIDR (ie. and initiates a sniper scan against each host. Useful for internal network scans.
  • PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
  • FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
  • MASSPORTSCAN: Runs a “fullportonly” scan on multiple targets specified via the “-f” switch.
  • WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
  • MASSWEB: Runs “web” mode scans on multiple targets specified via the “-f” switch.
  • WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
  • WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
  • WEBSCAN: Launches a full HTTP & HTTPS web application scan using Burpsuite and Arachni.
  • MASSWEBSCAN: Runs “webscan” mode scans of multiple targets specified via the “-f” switch.
  • VULNSCAN: Launches an OpenVAS vulnerability scan.
  • MASSVULNSCAN: Launches a “vulnscan” mode scans on multiple targets specified via the “-f” switch.

Final Words:

Sn1per is worth a try.

It does not automate the entire penetration test, but it does make the reconnaissance and scanning phases simpler.

If you liked our Sn1per article, leave a comment below. Suggestions and questions are welcome.

XSStrike – Advanced XSS Detection | Full Tutorial!


XSStrike makes XSS detection considerably simpler.

It is a very handy tool to have.

What is XSStrike?

XSStrike is a cross-site scripting detection suite.

It comes with four handwritten parsers, an intelligent payload generator, a powerful fuzzing engine and a fast crawler.

Unlike most tools, XSStrike does not start by blindly injecting payloads and checking whether they fire.

Instead, it analyses the response with its handmade parsers to work out the context in which the input is reflected, and then crafts payloads that fit that context, with a fuzzing engine to get past filters.

It also scans for DOM XSS.

It can crawl the target, and fingerprint, detect and evade WAFs.

The tool requires Python 3.4+.

It runs on Linux, macOS and Windows.
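The context analysis described above, as an added example that is not XSStrike's code: a canary string is reflected, an HTML parser classifies where it lands (text, attribute, script, comment) and which quote surrounds it, a second probe records which metacharacters come back unencoded, and the two are combined into a per-context verdict before any real payload is sent. The two target applications are constructed in-process functions, and CANARY, META and the verdict rules are this example's own simplifications; XSStrike's parsers and payload generator are far more thorough.

```python
"""Context-aware XSS detection sketch. Added example, not XSStrike's own code.
Targets are constructed in-process functions, not real sites."""

import html
import json
import re
from html.parser import HTMLParser

CANARY = "zxq9kr"                                     # assumed never to occur naturally
META = ['<', '>', '"', "'", '/', '(', ')', ';', '-']   # characters worth probing
QUOTES = ('"', "'")


def _attr_delim(raw_tag, name):
    """Quote that opens attribute `name` in the raw start tag, or None if unquoted."""
    m = re.search(r'[\s"\']' + re.escape(name) + r'\s*=\s*(["\']?)', raw_tag, re.I)
    return (m.group(1) or None) if m else None


def _script_delim(data):
    """Quote right before the canary in script text; None if not obviously a JS string."""
    i = data.find(CANARY)
    return data[i - 1] if i > 0 and data[i - 1] in QUOTES else None


class ReflectionParser(HTMLParser):
    """Record (context, tag, attribute, delimiter) for every reflection of CANARY."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.contexts = []
        self._raw_text_tag = None                     # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        self._raw_text_tag = tag if tag in ("script", "style") else None
        for name, value in attrs:
            if value is not None and CANARY in value:
                self.contexts.append(("attribute", tag, name,
                                      _attr_delim(self.get_starttag_text(), name)))

    def handle_endtag(self, tag):
        if tag == self._raw_text_tag:
            self._raw_text_tag = None

    def handle_data(self, data):
        if CANARY in data:
            ctx = self._raw_text_tag or "html"
            self.contexts.append((ctx, None, None,
                                  _script_delim(data) if ctx == "script" else None))

    def handle_comment(self, data):
        if CANARY in data:
            self.contexts.append(("comment", None, None, None))


def find_contexts(body):
    parser = ReflectionParser()
    parser.feed(body)
    parser.close()
    return parser.contexts


def surviving_chars(app, chars=META):
    """Characters reflected raw (neither encoded nor stripped) when sent as CANARY+c+CANARY."""
    return [c for c in chars if CANARY + c + CANARY in app(CANARY + c + CANARY)]


def assess(app):
    """For each reflection: can its context be escaped with only the characters that survive?"""
    kept = set(surviving_chars(app))
    verdicts = []
    for ctx, tag, attr, delim in find_contexts(app(CANARY)):
        if ctx == "html":                             # must open a new tag
            ok = {'<', '>'} <= kept
        elif ctx == "attribute":                      # event handler, unquoted value, or closable quote
            ok = attr.startswith("on") or delim is None or delim in kept
        elif ctx == "script":                         # close the JS string, or close the element
            ok = (delim is not None and delim in kept) or {'<', '/', '>'} <= kept
        elif ctx == "comment":                        # need "-->" and then a tag
            ok = {'-', '>', '<'} <= kept
        else:
            ok = False
        verdicts.append((ctx, tag, attr, delim, ok))
    return verdicts


def unsafe_app(q):
    """Constructed target: strips angle brackets and nothing else."""
    q = q.replace('<', '').replace('>', '')
    return (f'<html><body><input name="q" value="{q}"><p>Results for {q}</p>'
            f'<script>var q="{q}";</script></body></html>')


def safe_app(q):
    """Constructed target: HTML-escapes markup, JSON-encodes the script value with '<' escaped."""
    js = json.dumps(q).replace('<', '\\u003c')
    return (f'<html><body><input name="q" value="{html.escape(q)}"><p>Results for {html.escape(q)}</p>'
            f'<script>var q={js};</script></body></html>')


if __name__ == "__main__":
    for app in (unsafe_app, safe_app):
        print(app.__name__, "survivors:", surviving_chars(app))
        for verdict in assess(app):
            print("   ", verdict)
```

The same input is reported exploitable in the attribute and script contexts of unsafe_app (the surviving double quote closes both) but not in its text context (angle brackets are stripped), while safe_app yields no exploitable context even though several metacharacters survive inside the JSON string; that distinction between "reflected" and "reflected in a breakable context" is the point of context analysis.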


XSStrike Highlights:

  • Context analysis.
  • Configurable Core.
  • Highly Researched Work-flow.
  • Reflected and DOM XSS Scanning.
  • Multi-threaded crawling.
  • WAF detection & evasion, WAF Fingerprinting.
  • Handmade HTML & JavaScript parser.
  • Powerful fuzzing engine.
  • Intelligent payload generator.
  • Complete HTTP Support.
  • Powered by Photon, Zetanize, and Arjun.
  • Well documented code and regular updates.

Installing XSStrike:

  1. Clone the git repository:

$ git clone

  2. Change into the directory and install the requirements:

$ cd XSStrike
$ pip install -r requirements.txt

  3. Run XSStrike:

$ python xsstrike

XSStrike Usage:

To list all available arguments, type --help:

usage: [-h] [-u TARGET] [--data DATA] [-t THREADS]
                   [--fuzzer] [--update] [--timeout] [--params] [--crawl]
                   [--skip-poc] [--skip-dom] [--headers] [-d DELAY]

optional arguments:
  -h, --help            show this help message and exit
  -u, --url             target url
  --data                post data
  -t, --threads         number of threads
  -l, --level           level of crawling
  --fuzzer              fuzzer
  --update              update
  --timeout             timeout
  --params              find params
  --crawl               crawl
  --skip-poc            skip poc generation
  --skip-dom            skip dom checking
  --headers             add headers
  -d, --delay           delay between requests

How to use XSStrike Tool?

Using the tool is straightforward.

You only need basic familiarity with the Linux command line.

The common options are covered step by step below.

1. Scanning Single URL:

Option: -u or --url

To test a single webpage which uses the GET method:

$ python -u ""

Supplying POST data:

$ python -u "" --data "q=query"

2. Crawling:

Option: --crawl

To start crawling from the target webpage, run:

$ python -u "" --crawl

To find hidden parameters:

Option: --params

$ python -u "" --params

3. Skipping POC and DOM:

Option: --skip-poc

$ python -u "" --skip-poc

Option: --skip-dom

$ python -u "" --skip-dom


XSStrike is an effective tool for finding XSS vulnerabilities in web applications.

Add it to your toolkit.

If you liked our content, leave a comment below. If you have trouble using the tool, post your questions below and Team CSHAWK will get back to you.

King Phisher – Phishing Campaign Toolkit | Full Tutorial


What is King Phisher?

King Phisher is a toolkit for running real-world phishing campaigns.

Its flexible architecture gives you full control over both the emails and the server content.

King Phisher – Phishing Campaign Toolkit | Full Tutorial:

If you are looking for an open-source phishing tool written in Python, King Phisher is a strong choice.

It is fully featured and flexible, and it has no web interface: the server is managed from a separate client over SSH.

That means the phishing host exposes no admin panel that could give it away.

“According to the official documentation, it also supports sending messages with embedded images and determining when emails are opened with a tracking image.”

King Phisher Highlights:

  • Fully open-source means there are no limits on the use.
  • Run multiple phishing campaigns simultaneously.
  • View detailed graphs regarding the campaign results.
  • Send an email with embedded images for a more legitimate appearance.
  • Optional Two-Factor authentication.
  • Highly flexible to accommodate different phishing goals.
  • Powerful template system using the Jinja2 engine.
  • Ability to capture credentials.
  • SMS alerts regarding campaign status.
  • Web page cloning capabilities.
  • Integrated Sender Policy Framework (SPF) checks.
  • Easy installation without setting up an additional webserver.
  • Geolocation of phishing visitors.
  • Send an email with calendar invitations.
  • Plugin support for extending both the Client and Server.
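What the SPF check in the list above decides, as an added example that is not King Phisher's own implementation (the project ships its own SPF code): a minimal RFC 7208 evaluator over constructed TXT records, supporting ip4, ip6, include and all with the four qualifiers. The sender domain's record tells you, before a campaign spoofs that domain, whether receiving mail servers will reject the message. FAKE_DNS, the domains in it and the advice strings are this example's constructions; mechanisms that need live DNS (a, mx, exists, ptr, redirect=) are reported as permerror.

```python
"""Minimal SPF (RFC 7208) evaluation over constructed DNS records.
Added example, not King Phisher code. Only ip4/ip6/include/all are modelled."""

import ipaddress

# Constructed TXT records using RFC 5737/3849 documentation addresses, not real zones.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10            # RFC 7208 caps DNS-querying terms at 10 per check


def check_spf(domain, sender_ip, lookup=FAKE_DNS.get, _depth=0):
    """Evaluate the domain's SPF record for sender_ip; returns an RFC 7208 result string."""
    if _depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                       # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = net.version == ip.version and ip in net
        elif mech == "include":
            sub = check_spf(arg, sender_ip, lookup, _depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"            # including a missing/broken record is an error
            matched = sub == "pass"           # include matches only when the included record passes
        else:
            return "permerror"                # a/mx/exists/ptr/redirect= need live DNS; not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # nothing matched and no "all" term


def spf_verdict_for_campaign(from_domain, sending_ip, lookup=FAKE_DNS.get):
    """Translate the SPF result into what a campaign operator needs to know."""
    result = check_spf(from_domain, sending_ip, lookup)
    advice = {
        "pass": "sender is listed; SPF will not flag the message",
        "fail": "hard fail; expect rejection, use a look-alike domain you control instead",
        "softfail": "soft fail; likely spam-foldered rather than rejected",
        "neutral": "no assertion; delivery depends on other checks (DKIM/DMARC)",
        "none": "no SPF record; SPF does not block spoofing of this domain",
        "permerror": "broken record; receivers usually treat this like a fail",
    }
    return result, advice[result]


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.7"), ("example.com", "2001:db8::1"),
                    ("example.com", "203.0.113.5"), ("nospf.example", "203.0.113.5")]:
        print(dom, ip, spf_verdict_for_campaign(dom, ip))
```

With a real resolver you would replace the lookup argument by a function that fetches the domain's TXT records and returns the one starting with v=spf1; the evaluation logic stays the same.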

Installing King Phisher:

Team CSHAWK recommends installing King Phisher in /opt/king-phisher. Clone the repository:

$ cd /opt/   # or your desired installation directory
$ git clone

Then run the install script (located in the tools directory), which installs all required packages and sets up a default server configuration:

$ cd king-phisher
$ cd tools
$ sudo ./

To see Install script options, use --help:

$ tools/ --help
Usage: [-h] [-n/-y]

King Phisher Install Script

optional arguments
-h, --help show this help message and exit
-n, --no answer no to all questions
-y, --yes answer yes to all questions
--skip-client skip installing client components
--skip-server skip installing server components

To install only the client, run:

$ sudo ./ --skip-server

For a quick installation, fetch and run the script in one step:

$ wget -q && \
    sudo bash ./

Windows (client only):

The project publishes a prebuilt Windows client; download the latest build from the project's release page.

Basic Usage:

To connect with the client you first need to start the King Phisher server.

Use the following command:

$ sudo ./KingPhisherServer

Many people then hit this error:

KingPhisherServer: error: the following arguments are required: config_file

The server needs a configuration file as its argument; pass the one the install script wrote:

$ sudo ./KingPhisherServer server_config.yml

* The King Phisher client talks to the server over SSH.

The SSH service must be installed, configured and started independently of the King Phisher install script.

To start the client, run:

$ python3 KingPhisher

You will be prompted for credentials (the same ones you use for SSH).

After connecting, confirm the server's host key and, if your key is protected, enter the SSH key passphrase.

Once the client has connected to the server, you will see the campaign page.

Before you continue, configure your SMTP settings.


Final Words:

King Phisher is a capable toolkit for running phishing campaigns.

If you found this article useful, leave a comment below.

Andrax – Penetration Testing on Android | Complete Guide


Andrax turns an Android phone into a Linux penetration-testing device.

It lets rooted Android and ARM devices with enough storage be used for advanced penetration testing and red team operations.

If you are comfortable with Linux, this tool may suit you.

What is Andrax?

Andrax is a penetration-testing platform developed for Android smartphones and ARM boards.

It runs natively on Android and behaves like an ordinary Linux distribution. The tool was developed by Weidsom Nascimento.

Development began in Brazil in 2016; the platform is now available internationally.

Andrax Highlights:

  • Portable: it can be installed on any Android smartphone and any ARM board.
  • Open source: the code can be audited, and anyone can contribute.
  • Optimised: requires minimal hardware resources.
  • 3000+ tools: ships more than 3000 tools for advanced penetration testing.
  • 4000+ attacks: can perform more than 4000 attacks.

Andrax Tools:

1. Information Gathering:

  • Dnsrecon
  • Whois
  • Raccoon
  • DNS-Cracker
  • Bind DNS tools
  • Firewalk

2. Password Cracking:

  • Ncrack
  • John The Ripper
  • Hydra

3. Network Hacking:

  • ARPSpoof
  • MITMProxy
  • EvilGINX2
  • Bettercap

4. Scanning:

  • Nmap – Network Mapper
  • Masscan
  • SSLScan
  • Amap

5. Wireless Hacking:

  • VMP Evil AP
  • Cowpatty
  • MDK3
  • Aircrack-NG Tool
  • Reaver

6. Website Hacking:

  • 0d1n
  • Wapiti3
  • XSSer
  • Commix
  • Recon-NG
  • PHPSploit
  • AbernathY-XSS
  • Photon
  • SQLMap
  • Payloadmask

7. Packet Crafting:

  • Hping3
  • Nping
  • Socat
  • Scapy
  • Hexinject
  • Ncat

8. Exploitation:

  • MetaSploit Framework
  • Rop-TOOL
  • RouterSploit Framework
  • Getsploit

Download Andrax:

The installer is obtained from the project's download page.

Requirement For Andrax:

  • Android 5.0 or later.
  • Rooted phone with SuperSU (superuser).
  • 4 GB of free internal storage.
  • Unlocked kernel.

Installing Andrax:

  1. Andrax has an automatic installer that downloads and configures the entire environment. It will ask for root access; grant it.
  2. Click OK to start downloading the core. Once downloaded, the core is installed automatically.
  3. Wait for the device to reboot; everything is then set up.


Andrax is a capable penetration-testing platform for Android devices.

It is not hard to use, although beginners may find it intimidating at first.

Having read this far, you should be able to get it running.

If you have questions or suggestions about this article, comment below and Team CSHAWK will get back to you.



NASA contractor DMI hit by ransomware, 2,583 servers and workstations encrypted

The operators of the DoppelPaymer ransomware announced that they had infected the network of one of NASA's IT contractors.

In a post on its leak site, the DoppelPaymer gang claimed to have breached the network of Maryland-based Digital Management Inc. (DMI).

The company provides managed IT and cybersecurity services to several Fortune 100 companies and a number of government agencies, including NASA.

It is still unclear how far into DMI's network the DoppelPaymer gang got, or whether any customer networks were reached.

The evidence published so far does show that the criminals obtained NASA-related files from DMI: to back its claims, the gang posted 20 archive files on the dark web portal it operates.

The archives contain everything from NASA HR documents to project plans, and the employee details in them match public LinkedIn records.

The operators also posted a list of 2,583 servers and workstations they claim belong to DMI's internal network.

Those systems have now been encrypted and are being held for ransom.

Publishing the archives and the server list is meant to pressure DMI into paying.

If the company refuses, the criminals will most likely leak the remaining files.

VMware Cloud Director Critical Vulnerability!

A flaw in VMware Cloud Director allows attackers to execute code remotely and take control of private clouds.

VMware Cloud Director is a cloud service-delivery platform used primarily for virtual data centre management, expansion and cloud migration; it is designed for cloud service providers and large enterprises.

The flaw was discovered in April by the penetration-testing firm Citadelo and is tracked as CVE-2020-3956.

VMware gave it a CVSSv3 score of 8.8, which puts it in the "important" severity band, and described it as improper input handling.

According to Citadelo, the flaw can lead to code execution and full takeover of the cloud, but VMware notes that the attacker needs authenticated access first.

"An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution," said VMware.

"This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface, and API access."

The company published an advisory to customers in mid-May, explaining that all VMware Cloud Director releases before version 10.1.0 were affected.

Linux-based vCloud Director 8.x to 10.x and PhotonOS appliances were also vulnerable.

Bug Hunter Rewarded $100K By Apple Inc. | Bhavuk Jain

Apple has awarded a bug bounty hunter $100,000 for finding and reporting a critical security issue that could lead to the takeover of user accounts on third-party services.

Researcher Bhavuk Jain discovered the vulnerability in "Sign in with Apple", the feature that lets users sign in to third-party services with their Apple ID.

Sign in with Apple was introduced to improve privacy: it gives third-party websites and apps a sign-in flow backed by Apple's ID and two-factor authentication while limiting tracking.

Jain found a way to bypass the authentication and take over a user's account on a third-party service knowing only the target's email address.

According to the researcher, the flaw lay in how Apple validated the token request on the client side.

Third parties can authenticate a user either with a JSON Web Token (JWT) issued by Apple or with a code generated by Apple's server that is later exchanged for a JWT.

Users can choose whether or not to share their real email address with the third party as part of the flow.

If the address is hidden, Apple generates a JWT containing a relay address, and the third party authenticates the user with that token.

The researcher found a mismatch between the identity Apple had authenticated when the user logged in and the identity it put into the JWT on request.

He could ask Apple for a JWT for any email address, and when the signature of that token was verified with Apple's public key, it checked out as valid.

An attacker could therefore obtain a genuinely signed JWT naming a victim's email address and use it to log in to the victim's account on third-party services that rely on Sign in with Apple.

The vulnerability has been patched.
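The issuance-side flaw described above, as an added example that is not Apple's code: an identity provider mints an ID token from client-supplied claims (the vulnerable pattern) versus from the authenticated session (the fix), and a relying-party verifier shows why signature, issuer, audience and expiry checks cannot catch the former, since the token really was signed by the issuer. HS256 with a constructed shared key stands in for Apple's RS256 key pair so the example runs on the standard library alone; the Session class, client_id and email addresses are constructed.

```python
"""ID-token issuance: client-trusting (vulnerable) vs session-bound (fixed).
Added example, not Apple's code. HS256 with a demo key stands in for RS256."""

import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key-do-not-use"   # stands in for the IdP's private key
ISSUER = "https://appleid.apple.com"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """Mint a compact JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, key, audience, now=None):
    """Relying-party checks: signature, issuer, audience, expiry. Raises ValueError on failure."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (now or time.time()):
        raise ValueError("expired")
    return claims


def is_valid(token, key, audience):
    try:
        verify_jwt(token, key, audience)
        return True
    except ValueError:
        return False


class Session:
    """What the identity provider knows after the user authenticated (password + 2FA)."""
    def __init__(self, user_id, email):
        self.user_id = user_id
        self.email = email


def issue_token_vulnerable(session, request):
    """Flawed pattern: identity claims are copied from the client-supplied request."""
    return sign_jwt({"iss": ISSUER, "aud": request["client_id"],
                     "sub": request["sub"], "email": request["email"],
                     "exp": int(time.time()) + 600}, SIGNING_KEY)


def issue_token_fixed(session, request):
    """Fixed pattern: identity comes from the authenticated session; the request only picks options."""
    return sign_jwt({"iss": ISSUER, "aud": request["client_id"],
                     "sub": session.user_id,
                     "email": session.email if request.get("share_email", True) else None,
                     "exp": int(time.time()) + 600}, SIGNING_KEY)


def demo():
    """Attacker, logged in as themselves, asks the IdP for a token naming the victim."""
    attacker = Session(user_id="user-attacker", email="attacker@example.com")
    forged_request = {"client_id": "com.example.app",
                      "sub": "user-victim", "email": "victim@example.com"}
    vulnerable = verify_jwt(issue_token_vulnerable(attacker, forged_request),
                            SIGNING_KEY, "com.example.app")
    fixed = verify_jwt(issue_token_fixed(attacker, forged_request),
                       SIGNING_KEY, "com.example.app")
    return vulnerable["email"], fixed["email"]


if __name__ == "__main__":
    print(demo())   # the vulnerable token names the victim yet passes every relying-party check
```

The relying party does everything right and still accepts the victim's identity from the vulnerable issuer; the only fix is on the issuer side, where the subject and email must come from the session that was actually authenticated, never from the request that asks for the token.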
