Author: DN

Tesla announces $900,000 bounty contest for hackers

Tesla has opened up its vehicle software and hardware to Pwn2Own, the high-profile hacking contest run by Trend Micro's Zero Day Initiative (ZDI) in Vancouver. The winner drives away in a Tesla Model 3, and the remaining prizes are worth more than $900,000 in total.

The biggest single prize, $250,000, goes to whoever achieves code execution on the car's gateway, Autopilot, or Vehicle Controller Secondary (VCSEC). The gateway is the hub that interconnects the powertrain, chassis, and other vehicle components; Autopilot is the driver-assistance system that handles lane changes, parking, and other driving functions; and VCSEC is responsible for the car's security functions.

“Tesla essentially pioneered the concept of the connected car with their Model 3 sedan, and in partnership with Tesla, we hope to encourage even more security research into connected vehicles as the category continues to expand,” the Zero Day Initiative said in its blog post on the contest.

The attacks will be carried out against a Model 3 mid-range rear-wheel-drive vehicle. The target areas and their top prizes are:
  • Modem or tuner: $100,000
  • Wi-Fi or Bluetooth: $60,000
  • Three infotainment system targets: $205,000 in total
  • Gateway, Autopilot or VCSEC: $250,000
  • Autopilot denial of service: $50,000
  • Key fob or phone-as-key: $100,000

A security researcher at Trend Micro said: “Since 2007, Pwn2Own has become an industry-leading contest that encourages new areas of vulnerability research on today’s most critical platforms.”

“Over the years we have added new targets and categories to direct research efforts toward areas of growing concern for businesses and consumers.”

Tesla is so far the only car manufacturer to have openly participated in a hacking contest.

iPhone users receive unsolicited nude photos while travelling on public transport

Increasingly, people are being sent nude photos by strangers without their consent, a practice known as cyber-flashing.

The images are pushed to nearby phones over short-range sharing features such as Bluetooth and, on iPhones, AirDrop.

Police in London say it is a growing problem.

Anyone in a public space, children included, can have such an image pop up on their phone if a feature like AirDrop is switched on and set to accept transfers from anyone nearby. People around the world have reported it happening on public transport, including planes and trains.

Receiving a graphic image from an unknown sender, knowing only that they are somewhere nearby and nothing about their motives, can cause serious distress.

Some people say Apple should remove the photo preview that AirDrop displays in the accept/decline prompt, since the image is shown before the recipient has agreed to anything.

Apple, however, told the BBC that affected users can simply change their privacy settings.

Meanwhile, campaigners want a new law to tackle cyber-flashing. Until then, Apple's advice stands: change the AirDrop receiving setting (Settings > General > AirDrop, or via Control Center) from "Everyone" to "Contacts Only" or "Receiving Off", so that strangers cannot push photos to your phone at all.

Police have also asked people to report this form of harassment.

Domained – Multi Tool Subdomain Enumeration

Domained is a multi-tool subdomain enumeration wrapper: it runs several subdomain enumeration tools and wordlists, merges their results into a single deduplicated list of subdomains, and passes that list to EyeWitness for reporting.

EyeWitness then produces categorized screenshots, records server response headers, and performs signature-based default-credential checks. Domained is written in Python and leverages Recon-ng heavily.
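The merge step is where such wrappers tend to go wrong: each tool emits hostnames in its own format, some results fall outside the target's scope, and the list handed to EyeWitness should contain only valid, in-scope names. The following is an added example, not code from Domained or the original page, showing one way to normalize and union several tools' output into a single deduplicated list. The tool names and sample output lines are constructed for illustration; the function and variable names are this example's own.

```python
"""
Added example (not part of Domained): merge the raw subdomain lists that
several enumeration tools emit into one deduplicated, in-scope list, the
way a Domained-style wrapper must before handing results to EyeWitness.
Tool names and sample outputs are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; <= 63 chars.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(candidate: str) -> Optional[str]:
    """Return a canonical hostname for one raw tool-output line, or None if
    the line is not a usable hostname.

    Handles the usual noise in tool output: surrounding whitespace, scheme
    prefixes, ports, paths, trailing dots, mixed case, and wildcard records
    ("*.dev.example.com"), which are reduced to their base name.
    """
    host = candidate.strip().lower()
    if not host:
        return None
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)  # strip "https://" etc.
    host = host.split("/", 1)[0].split(":", 1)[0]      # drop path, then port
    host = host.rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    labels = host.split(".")
    if len(labels) < 2 or len(host) > 253:
        return None
    if not all(_LABEL_RE.match(label) for label in labels):
        return None
    return host


def in_scope(host: str, root: str) -> bool:
    """True if host is root itself or a subdomain of root. The check is
    label-boundary aware, so 'notexample.com' is not in scope for
    'example.com'."""
    return host == root or host.endswith("." + root)


def merge_subdomains(tool_outputs: Dict[str, List[str]], root: str) -> List[str]:
    """Union the outputs of several tools into a sorted, deduplicated list of
    hostnames under `root`. The root itself is excluded: the goal is to find
    subdomains, not to restate the target."""
    root = root.lower().rstrip(".")
    seen = set()
    for lines in tool_outputs.values():
        for raw in lines:
            host = normalize(raw)
            if host and host != root and in_scope(host, root):
                seen.add(host)
    return sorted(seen)


# Constructed sample output, mimicking the differing formats tools emit.
SAMPLE_OUTPUTS = {
    "sublist3r": ["www.example.com", "Mail.Example.com", "dev.example.com"],
    "amass": ["dev.example.com", "api.example.com.", "*.staging.example.com"],
    "subfinder": ["https://www.example.com/login", "vpn.example.com:443"],
    "massdns": ["notexample.com", "example.com", "bad_host.example.com", ""],
}

if __name__ == "__main__":
    for host in merge_subdomains(SAMPLE_OUTPUTS, "example.com"):
        print(host)
```

Run stand-alone, the script prints six hostnames: the duplicates, case variants, scheme/port/path decorations and the wildcard prefix collapse into one entry each, while the out-of-scope look-alike domain, the bare root, the malformed label and the empty line are dropped. The same scope check is worth applying before EyeWitness runs, since screenshotting hosts you are not authorized to test is a real risk with aggregated tool output.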

Domained Subdomain Enumeration Tools Leveraged

Subdomain Enumeration Tools:

  • Sublist3r
  • enumall
  • Knock
  • Subbrute
  • massdns
  • Recon-ng
  • Amass
  • SubFinder

Reporting + Wordlists:

  • EyeWitness
  • SecLists (DNS Recon List)
  • LevelUp All.txt Subdomain List

Domained Subdomain Enumeration Tool Usage

--install/--upgrade  Both do the same thing: install all prerequisite tools
--vpn                Check whether you are on a VPN (update the check for your provider)
--quick              Use ONLY Amass and SubFinder
--bruteall           Bruteforce with the JHaddix All.txt list instead of SecLists
--fresh              Delete old data from the output folder
--notify             Send Pushover or Gmail notifications
--active             EyeWitness active scan
--noeyewitness       Skip EyeWitness
-d                   The domain you want to perform recon on
-b                   Bruteforce with subbrute/massdns and the SecLists wordlist
-s n                 Only HTTPS domains
-p                   Add port 8080 for HTTP and 8443 for HTTPS

Subdomain Enumeration Examples

First, install the required Python modules and tools:

sudo pip install -r ./ext/requirements.txt
sudo python domained.py --install

Both commands run as root and install packages and tools system-wide, so review ext/requirements.txt and the installer before running them on a shared host.

Example 1: run against example.com with the default tool set (Sublist3r with subbrute, enumall, Knock, Amass, and SubFinder)

python domained.py -d example.com

Example 2: run against example.com with SecLists subdomain bruteforcing (massdns, subbrute, Sublist3r, Amass, enumall, and SubFinder), add ports 8443/8080, and check whether you are on a VPN

python domained.py -d example.com -b -p --vpn

Example 3: run against example.com with all.txt bruteforcing (massdns, subbrute, Sublist3r, Amass, enumall, and SubFinder)

python domained.py -d example.com -b --bruteall

Example 4: run against example.com using only Amass and SubFinder

python domained.py -d example.com --quick

Example 5: run against example.com using only Amass and SubFinder, with notifications

python domained.py -d example.com --quick --notify

Example 6: run against example.com without EyeWitness

python domained.py -d example.com --noeyewitness

Note: --bruteall must be used together with the -b flag

You can download Domained here:

domained-master.zip
