Beating 2-Factor Authentication

I can imagine how it goes.

The provider implements 2FA for its clients, using text messages only.

Clients adopt it. Then, clients claim they are not getting the text messages.

Business asks IT: “Please improve the 2FA system; text messages are not enough.”
IT thinks: “OK, we can call the client if text messages are not working. Should we submit this system change for CSO approval?”
Business answers: “No, it will delay the process and it is only a minor change.”

The rest of the story is below.


Almost 06 hours of application pentesting… by ISSA Kentucky

If you want to learn, there will always be a lot of sources. Here’s a gold one.

Hackers For Charity!!!

Kali Linux 1st impressions

Kali Linux is (or will be or is going to be) the new Backtrack, a Linux distribution dedicated to security tests, hacking, forensics, or for dummies to realize they really need more study before using a Linux system for wrong behaviors.

Here is the first Metasploit / Kali webcast, provided by Rapid7 and Offensive Security.

Kali has an advertising video, something amazing for an open source / non-commercial tool. Congrats to the Offensive Security guys.

I was able to download the 2Gb iso this week and here are my first impressions.

The first thing I noticed is the live CD options include a Forensic Boot, so one of the great Backtrack features was kept. \o/

The live mode detected my installed Windows 7 was hibernating, so it refused to mount it (at least it explained the reason to me).

I’m not sure if it was for the same reason (existing / sleeping OS on the hard drive), but the terminal icon did not work in Live Mode. It gave me a “gnome-terminal” input / output error. I was able to shut Live Mode down using the upper-right corner icon “root”.


You can’t use “disk partitioning” to shrink your currently installed O.S. and deploy Kali side by side with other systems if your current O.S. is hibernating (it was a shot in the dark; I discovered this like that guy whose head was hit by an apple and thought about gravity, Isaac Newton).

If you don’t boot your original OS, and shut it down properly (no hibernation!!!!), Kali will offer only install options that would erase the entire disk.

To be honest, I could have erased this win7, but I wanted to see how Kali was going to treat existing systems, so I took some minutes to completely shut down Win7 and got back to Kali install screens.

One great thing: I was able to shrink my Windows 7 using a percentage instead of choosing how many Gb I wanted for my original partition (I chose 60% for my fat Windows).

After shrinking it, Kali offered to install all Linux partitions in the same free space or to redivide the free space to separate /home, /usr, /var and /tmp.

I decided to go “all in one” and my 80Gb hard drive was sliced into win7 (48Gb), ext4 (30.7Gb) and swap (1.3Gb).

Configuring a network mirror to download updates: good luck filling in the proxy credentials in that format: http://user:password@proxy_IP:port. I skipped it and later edited /etc/bash.bashrc to include that info.
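
A proxy URL in the http://user:password@proxy_IP:port format, stored in a system-wide file like /etc/bash.bashrc, is readable by every local account. The check below is an added example, not part of the original post: the function name find_proxy_creds is hypothetical and the sample files are constructed. It reports world-readable files that hold such a URL without printing the password.

```shell
#!/bin/sh
# Added example (not from the original post): report proxy URLs with embedded
# credentials that sit in world-readable files such as /etc/bash.bashrc.

# find_proxy_creds FILE...
# Prints FILE:LINE:MODE for every matching line; the secret is never echoed.
find_proxy_creds() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        # ls mode string: type char + 9 permission chars; char 8 is "other read".
        mode=$(ls -ld "$f" | cut -c1-10)
        case "$mode" in
            ???????r??) ;;        # readable by every local account: inspect it
            *) continue ;;        # not world-readable: out of scope here
        esac
        # scheme://user:password@ where neither part contains '/', '@' or spaces
        grep -nE '(https?|ftp)://[^/:@[:space:]]+:[^/@[:space:]]+@' "$f" |
            cut -d: -f1 |
            while read -r n; do printf '%s:%s:%s\n' "$f" "$n" "$mode"; done
    done
}

# Demo on constructed files (192.0.2.10 is a documentation address).
demo() {
    d=$(mktemp -d) || return 1
    printf 'export http_proxy=http://user:password@192.0.2.10:3128\n' > "$d/bashrc"
    cp "$d/bashrc" "$d/root_only"
    chmod 644 "$d/bashrc"       # same permissions a system-wide bashrc normally has
    chmod 600 "$d/root_only"    # same content, owner-only
    find_proxy_creds "$d/bashrc" "$d/root_only"   # reports only .../bashrc:1:-rw-r--r--
    rm -rf "$d"
}
demo
```

A hit on /etc/bash.bashrc means the proxy password is exposed to all local users; keeping the setting in a root-only file, for example an APT Acquire::http::Proxy entry in a mode-600 file under /etc/apt/apt.conf.d/, limits that exposure.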

Testing GRUB Boot Loader with Windows 7 – first time after Kali installation.

1st, Mr Grub, it’s not a “Vista system”, it’s a Win7…

2nd. Invalid argument? What?! Ok, continue it… loading win7…

Of course, Windows 7 detected inconsistency in my NTFS partition and it asked for a check up (using the good’ol CHKDSK). I allowed it. Win7 finally loaded up and I’ve shut it down, after all, this should be a post about KALI!! LoL. Going back to it now.

Top 10 Security Tools division. For those with no real clue about where to start. Easiness is the word!

Here’s the list:

1 – Aircrack-ng (I would replace it with Gerix, since it’s a more complete and user-friendly tool)

2 – burpsuite

3 – john the ripper

4 – Maltego

5 – Metasploit framework

6 – nmap

7 – sqlmap

8 – webscarab

9 – wireshark

10 – “zaproxy” – a.k.a Owasp Zap


– No more Ubuntu. Now, it’s Debian!! 🙂

– No more red background? Should be kept. After all, this kind of distro still represents the HELL for sysAdmins;

– Arduino IDE – for electronic components programming. Inclusion may have been inspired by latest Black Hat challenges or fuzzer presentations;

– Hardware Hacking, where you can find android tools. The next target for security researchers, indeed;

– Gerix is really not found. Am I missing something? Is it obsolete already? Or was it removed because it has those disgusting graphic mouse/click screens?

Anyway, there’s a lot to test before a new post. But I’m glad that every day more & more tools are being created or reorganized.

Bottom line is: Kali Linux replaced Backtrack, which now can be considered RETIRED. Kali is improved, reorganized, with more tools and some (at least one) removed, for some reason I still intend to understand better.

Edit 2: Be careful when installing outside packages from Debian resources. It can screw your Kali tools menu.

Useful commands:

apt-get install git live-build cdebootstrap

vim config/package-lists/kali.list.chroot

service postgresql start

service metasploit start