Summer Madness 2010 updates: May 2020

How To Run Online Kali Linux Free And Any Devices

$$$ Bug Bounty $$$

What is Bug Bounty ?

A bug bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards individuals for discovering and reporting software bugs. Bug bounty programs are often initiated to supplement internal code audits and penetration tests as part of an organization's vulnerability management strategy.

Many software vendors and websites run bug bounty programs, paying out cash rewards to software security researchers and white hat hackers who report software vulnerabilities that have the potential to be exploited. Bug reports must document enough information for for the organization offering the bounty to be able to reproduce the vulnerability. Typically, payment amounts are commensurate with the size of the organization, the difficulty in hacking the system and how much impact on users a bug might have.

Mozilla paid out a $3,000 flat rate bounty for bugs that fit its criteria, while Facebook has given out as much as $20,000 for a single bug report. Google paid Chrome operating system bug reporters a combined $700,000 in 2012 and Microsoft paid UK researcher James Forshaw $100,000 for an attack vulnerability in Windows 8.1. In 2016, Apple announced rewards that max out at $200,000 for a flaw in the iOS secure boot firmware components and up to $50,000 for execution of arbitrary code with kernel privileges or unauthorized iCloud access.

While the use of ethical hackers to find bugs can be very effective, such programs can also be controversial. To limit potential risk, some organizations are offering closed bug bounty programs that require an invitation. Apple, for example, has limited bug bounty participation to few dozen researchers.

More information

Mythbusters: Is An Open (Unencrypted) WiFi More Dangerous Than A WPA2-PSK? Actually, It Is Not.

Introduction

Whenever security professionals recommend the 5 most important IT security practices to average users, one of the items is usually something like: "Avoid using open Wifi" or "Always use VPN while using open WiFi" or "Avoid sensitive websites (e.g. online banking) while using open WiFI", etc.

What I think about this? It is bullshit. But let's not jump to the conclusions. Let's analyze all risks and factors here.

During the following analysis, I made two assumptions. The first one is that we are comparing public WiFi hotspots with no encryption at all (referred to as Open), and we compare this to public WiFi hotspots with WPA2-PSK (and just hope WEP died years before). The other assumption is there are people who are security-aware, and those who just don't care. They just want to browse the web, access Facebook, write e-mails, etc.

The risks

Let's discuss the different threats people face using public hotspots, compared to home/work internet usage:

1. Where the website session data is not protected with SSL/TLS (and the cookie is not protected with secure flag), attackers on the same hotspot can obtain the session data and use it in session/login credentials stealing. Typical protocols affected:

HTTP sites
HTTPS sites but unsecured cookie
FTP without encryption
IMAP/SMTP/POP3 without SSL/TLS or STARTTLS

2. Attackers can inject extra data into the HTTP traffic, which can be used for exploits, or social engineer attacks (e.g. update Flash player with our malware) – see the Dark Hotel campaign

3. Attackers can use tools like SSLStrip to keep the user's traffic on clear text HTTP and steal password/session data/personal information

4. Attackers can monitor and track user activity

5. Attackers can directly attack the user's machine (e.g. SMB service)

WPA2-PSK security

So, why is a public WPA2-PSK WiFi safer than an open WiFi? Spoiler alert: it is not!

In a generic public WPA2-PSK scenario, all users share the same password. And guess what, the whole traffic can be decrypted with the following information: SSID + shared password + information from the 4-way handshake. https://wiki.wireshark.org/HowToDecrypt802.11

If you want to see it in action, here is a nice tutorial for you

http://www.lovemytool.com/blog/2010/05/wireshark-and-tshark-decrypt-sample-capture-file-by-joke-snelders.html

Decrypted WPA2-PSK traffic

Any user having access to the same WPA2-PSK network knows this information. So they can instantly decrypt your traffic. Or the attackers can just set up an access point with the same SSID, same password, and stronger signal. And now, the attacker can instantly launch active man-in-the-middle attacks. It is a common belief (even among ITSEC experts) that WPA2-PSK is not vulnerable to this attack. I am not sure why this vulnerability was left in the protocol, if you have the answer, let me know. Edit (2015-08-03): I think the key message here is that without server authentication (e.g. via PKI), it is not possible to solve this.

Let me link here one of my previous posts here with a great skiddie tool:

http://jumpespjump.blogspot.nl/2014/04/dsploit.html

To sum up, attackers on a WPA2-PSK network can:

Decrypt all HTTP/FTP/IMAP/SMTP/POP3 passwords or other sensitive information
Can launch active attacks like SSLStrip, or modify HTTP traffic to include exploit/social engineer attacks
Can monitor/track user activity

The only difference between open and WPA2-PSK networks is that an open network can be hacked with an attacker of the skill level of 1 from 10, while the WPA2-PSK network needs and an attacker with a skill level of 1.5. That is the difference.

The real solutions

1. Website owners, service providers should deploy proper (trusted) SSL/TLS infrastructure, protect session cookies, etc. Whenever a user (or security professional) notices a problem with the quality of the service (e.g. missing SSL/TLS), the service provider has to be notified. If no change is made, it is recommended to drop the service provider and choose a more secure one. Users have to use HTTPS Everywhere plugin.

2. Protect the device against exploits by patching the software on it, use a secure browser (Chrome, IE11 + enhanced protection), disable unnecessary plugins (Java, Flash, Silverlight), or at least use it via click-to-play. Also, the use of exploit mitigations tools (EMET, HitmanPro Alert, Malwarebytes AntiExploit) and a good internet security suite is a good idea.

3. Website owners have to deploy HSTS, and optionally include their site in an HSTS preload list

4. Don't click blindly on fake downloads (like fake Flash Player updates)

5. The benefits of a VPN is usually overestimated. A VPN provider is just another provider, like the hotspot provider, or the ISP. They can do the same malicious stuff (traffic injecting, traffic monitoring, user tracking). Especially when people use free VPNs. And "Average Joe" will choose a free VPN. Also, VPN connections tend to be disconnected, and almost none of the VPN providers provide fail secure VPNs. Also, for the price of a good VPN service you can buy a good data plan and use 4G/3G instead of low-quality public hotspots. But besides this, on mobile OSes (Android, iOS, etc.) I strongly recommend the use of VPN, because it is not practically feasible to know for users which app is using SSL/TLS and which is not.

6. Use a location-aware firewall, and whenever the network is not trusted, set it to a Public.

7. In a small-business/home environment, buy a WiFi router with guest WiFi access possibility, where the different passwords can be set to guest networks than used for the other.

Asking the question "Are you using open WiFi?", or "Do you do online banking on open WiFi?" are the wrong questions. The good questions are:

Do you trust the operator(s) of the network you are using?
Are the clients separated?
If clients are not separated, is it possible that there are people with malicious intent on the network?
Are you security-aware, and are you following the rules previously mentioned? If you do follow these rules, those will protect you on whatever network you are.

And call me an idiot, but I do online banking, e-shopping, and all the other sensitive stuff while I'm using open WiFi. And whenever I order pizza from an HTTP website, attackers can learn my address. Which is already in the phone book, on Facebook, and in every photo metadata I took with my smartphone about my cat and uploaded to the Internet (http://iknowwhereyourcatlives.com/).

Most articles and research publications are full of FUD about what people can learn from others. Maybe they are just outdated, maybe they are not. But it is totally safe to use Gmail on an open WiFi, no one will be able to read my e-mails.

PS: I know "Average Joe" won't find my blog post, won't start to read it, won't understand half I wrote. But even if they do, they won't patch their browser plugins, pay for a VPN, or check the session cookie. So they are doomed to fail. That's life. Deal with it.

Related word

ISPY: Exploiting EternalBlue And BlueKeep Vulnerabilities With Metasploit Easier

About ISPY:
   ISPY is a Eternalblue (MS17-010) and BlueKeep (CVE-2019-0708) scanner and exploiter with Metasploit Framework.

   ISPY was tested on: Kali Linux and Parrot Security OS 4.7.

ISPY's Installation:
   For Arch Linux users, you must install Metasploit Framework and curl first:
pacman -S metasploit curl

   For other Linux distros not Kali Linux or Parrot Security OS. Open your Terminal and enter these commands to install Metasploit Framework:

   Then, enter these commands to install ISPY:

How to use ISPY?

ISPY's screenshots:

About the author:

On Github: @Cyb0r9
On Youtube: Cyborg
On Ask Fm: Cyborg
Email: TunisianEagles@protonmail.com

Disclaimer: Usage of ispy for attacking targets without prior mutual consent is illegal.
ispy is for security testing purposes only

Download ISPY

How Do I Get Started With Bug Bounty ?

How do I get started with bug bounty hunting? How do I improve my skills?

These are some simple steps that every bug bounty hunter can use to get started and improve their skills:

Learn to make it; then break it!
A major chunk of the hacker's mindset consists of wanting to learn more. In order to really exploit issues and discover further potential vulnerabilities, hackers are encouraged to learn to build what they are targeting. By doing this, there is a greater likelihood that hacker will understand the component being targeted and where most issues appear. For example, when people ask me how to take over a sub-domain, I make sure they understand the Domain Name System (DNS) first and let them set up their own website to play around attempting to "claim" that domain.

Read books. Lots of books.
One way to get better is by reading fellow hunters' and hackers' write-ups. Follow /r/netsec and Twitter for fantastic write-ups ranging from a variety of security-related topics that will not only motivate you but help you improve. For a list of good books to read, please refer to "What books should I read?".

Join discussions and ask questions.
As you may be aware, the information security community is full of interesting discussions ranging from breaches to surveillance, and further. The bug bounty community consists of hunters, security analysts, and platform staff helping one and another get better at what they do. There are two very popular bug bounty forums: Bug Bounty Forum and Bug Bounty World.

Participate in open source projects; learn to code.
Go to https://github.com/explore or https://gitlab.com/explore/projects and pick a project to contribute to. By doing so you will improve your general coding and communication skills. On top of that, read https://learnpythonthehardway.org/ and https://linuxjourney.com/.

Help others. If you can teach it, you have mastered it.
Once you discover something new and believe others would benefit from learning about your discovery, publish a write-up about it. Not only will you help others, you will learn to really master the topic because you can actually explain it properly.

Smile when you get feedback and use it to your advantage.
The bug bounty community is full of people wanting to help others so do not be surprised if someone gives you some constructive feedback about your work. Learn from your mistakes and in doing so use it to your advantage. I have a little physical notebook where I keep track of the little things that I learnt during the day and the feedback that people gave me.

Learn to approach a target.
The first step when approaching a target is always going to be reconnaissance — preliminary gathering of information about the target. If the target is a web application, start by browsing around like a normal user and get to know the website's purpose. Then you can start enumerating endpoints such as sub-domains, ports and web paths.

A woodsman was once asked, "What would you do if you had just five minutes to chop down a tree?" He answered, "I would spend the first two and a half minutes sharpening my axe."
As you progress, you will start to notice patterns and find yourself refining your hunting methodology. You will probably also start automating a lot of the repetitive tasks.

Related links

BurpSuite Introduction & Installation

What is BurpSuite?
Burp Suite is a Java based Web Penetration Testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting web applications. Because of its popularity and breadth as well as depth of features, we have created this useful page as a collection of Burp Suite knowledge and information.

In its simplest form, Burp Suite can be classified as an Interception Proxy. While browsing their target application, a penetration tester can configure their internet browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as a (sort of) Man In The Middle by capturing and analyzing each request to and from the target web application so that they can be analyzed.

Everyone has their favorite security tools, but when it comes to mobile and web applications I've always found myself looking BurpSuite . It always seems to have everything I need and for folks just getting started with web application testing it can be a challenge putting all of the pieces together. I'm just going to go through the installation to paint a good picture of how to get it up quickly.

BurpSuite is freely available with everything you need to get started and when you're ready to cut the leash, the professional version has some handy tools that can make the whole process a little bit easier. I'll also go through how to install FoxyProxy which makes it much easier to change your proxy setup, but we'll get into that a little later.

Requirements and assumptions:

Mozilla Firefox 3.1 or Later Knowledge of Firefox Add-ons and installation The Java Runtime Environment installed

Download BurpSuite from http://portswigger.net/burp/download.htmland make a note of where you save it.

on for Firefox from https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

If this is your first time running the JAR file, it may take a minute or two to load, so be patient and wait.

Video for setup and installation.

You need to install compatible version of java , So that you can run BurpSuite.

More info

PortWitness - Tool For Checking Whether A Domain Or Its Multiple Sub-Domains Are Up And Running

PortWitness is a bash tool designed to find out active domain and subdomains of websites using port scanning. It helps penetration testers and bug hunters collect and gather information about active subdomains for the domain they are targeting.PortWitness enumerates subdomains using Sublist3r and uses Nmap alongwith nslookup to check for active sites.Active domain or sub-domains are finally stored in an output file.Using that Output file a user can directly start testing those sites.

Sublist3r has also been integrated with this module.It's very effective and accurate when it comes to find out which sub-domains are active using Nmap and nslookup.

This tool also helps a user in getting the ip addresses of all sub-domains and stores then in a text file , these ip's can be used for further scanning of the target.

Installation

git clone https://github.com/viperbluff/PortWitness.git

BASH
This tool has been created using bash scripting so all you require is a linux machine.

Usage

bash portwitness.sh url

Download PortWitness

More info

Ophcrack

" Ophcrack is an open source (GPL license) program that cracks Windows LM hashes using rainbow tables. The program includes the ability to import the hashes from a variety of formats, including dumping directly from the SAM files of Windows. There is also a Live CD version which automates the retrieval, decryption, and cracking of passwords from a Windows system. Rainbow tables for LM hashes of alphanumeric passwords are provided for free by the developers. These tables can crack 99.9% of alphanumeric passwords of up to 14 characters in usually a few seconds, and at most a few minutes. Larger rainbow tables (for LM hashes of passwords with all printable characters, including symbols and space) are available for purchase from Objectif Securité. Starting with version 2.3, Ophcrack also cracks NT hashes. This is necessary if generation of the LM hash is disabled (this is default on Windows Vista), or if the password is longer than 14 characters (in which case the LM hash is not stored)." read more...

Website: http://ophcrack.sourceforge.net

More info

Linux Stack Protection By Default

Modern gcc compiler (v9.2.0) protects the stack by default and you will notice it because instead of SIGSEGV on stack overflow you will get a SIGABRT, but it also generates coredumps.

In this case the compiler adds the variable local_10. This variable helds a canary value that is checked at the end of the function.
The memset overflows the four bytes stack variable and modifies the canary value.

The 64bits canary 0x5429851ebaf95800 can't be predicted, but in specific situations is not re-generated and can be bruteforced or in other situations can be leaked from memory for example using a format string vulnerability or an arbitrary read wihout overflowing the stack.

If the canary doesn't match, the libc function __stack_chck_fail is called and terminates the prorgam with a SIGABORT which generates a coredump, in the case of archlinux managed by systemd and are stored on "/var/lib/systemd/coredump/"

❯❯❯ ./test
*** stack smashing detected ***: terminated
fish: './test' terminated by signal SIGABRT (Abort)

❯❯❯ sudo lz4 -d core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000.lz4
[sudo] password for xxxx:
Decoding file core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000
core.test.1000.c611b : decoded 249856 bytes

❯❯❯ sudo gdb /home/xxxx/test core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000 -q

We specify the binary and the core file as a gdb parameters. We can see only one LWP (light weight process) or linux thread, so in this case is quicker to check. First of all lets see the back trace, because in this case the execution don't terminate in the segfaulted return.

We can see on frame 5 the address were it would had returned to main if it wouldn't aborted.

Happy Idea: we can use this stack canary aborts to detect stack overflows. In Debian with prevous versions it will be exploitable depending on the compilation flags used.
And note that the canary is located as the last variable in the stack so the previous variables can be overwritten without problems.

More info

How Do I Get Started With Bug Bounty ?

Continue reading

Theharvester: Email Harvesting Throughout Year

You might have harvested many things upto now but what we are going to harvest today is something bad :)

Requirements:

A Linux box (I'm using Kali Linux)
theharvester program (already available in Kali Linux)

So what does theharvester harvest? Well it harvests email addresses. theharvester is an Information gathering tool. If you want a list of emails to spam you can get that easily from theharvester tool and go on Spamming (I'm joking its illegal). It's a security tool that helps you in pentesting an organization (as always it can be used for evil as well). You can gather emails from an organization and look for potential victims to attack or use brute-force techniques to get their passwords or Social Engineer them into doing something that will let you compromise some or all systems in the organization. Uhh there are so many things that you can do when you have access to someone's email address.

OK stop talking and start doing.

Fire up a terminal in your kali box and type this command:

theharvester -d hotmail.com -l 50 -b google

In a small amount of time you'll see your terminal flooded with 200 hotmail.com email address. What does this command mean?

theharvester is the tool name that we are using
-d <domain_name> specifies the domain (or website) who's email addresses we're looking for, in our case it was hotmail.com
-l <number> specifies the number of results that we want in the output, I limited it to 50
-b <source> specifies the source on which to look for email addresses, I specified google as the source

Besides google we can specify any of the follow as source:
google, googleCSE, bing, bingapi, pgp, linkedin, google-profiles, people123, jigsaw, twitter, googleplus, all
Here the last entry all means look in every available source.

Let's say you wanted to look in every available source they you should specify the following command:

theharvester -d hotmail.com -b all

-f is another great flag which can be utilized to save the output in case we want to SPAM them later (just kidding) or for other reasons (I'm thinking positive). -f flag saves the result in html or xml format. Let's do just that:

theharvester -d gmail.com -l 50 -b google -f emailaddresses.html

here -f flag is followed by the location where we want to store the file and the name of file, in our case we stored it in our pwd (present working directory) with the name emailaddresses.html.

Above picture shows an html output generated by harvester.

That's it for this tutorial hope to see you next time!

Related word

CEH: Gathering Host And Network Information | Scanning

Scanning

It is important that the information-gathering stage be as complete as possible to identify the best location and targets to scan. After the completion of footprinting and information gathering methodologies, scanning is performed.
During scanning, the hacker has vision to get information about network an hosts which are connected to that network that can help hackers to determine which type of exploit to use in hacking a system precisely. Information such as an IP addresses, operating system, services, and installed applications.

Scanning is the methodology used to detect the system that are alive and respond on the network or not. Ethical hackers use these type of scanning to identify the IP address of target system. Scanning is also used to determine the availability of the system whether it is connected to the network or not.

Types Of Scanning

Network Scanning	Identifies IP addresses on a given network or subnet
Port Scanning	Determines open, close, filtered and unfiltered ports and services
Vulnerability Scanner	Detect the vulnerability on the target system

Port Scanning

Port scanning is the process of identifying open and available TCP/IP ports on a system. Port-scanning tools enable a hacker to learn about the services available on a given system. Each service or application on a machine is associated with a well-known port number. Port Numbers are divided into three ranges:

Well-Known Ports: 0-1023
Registered Ports: 1024-49151
Dynamic Ports: 49152-6553

Network Scanning

Network scanning is performed for the detection of active hosts on a network either you wanna attack them or as a network administrator. Network-scanning tools attempt to identify all the live or responding hosts on the network and their corresponding IP addresses. Hosts are identified by their individual IP addresses.

Vulnerability Scanning

This methodology is used to detect vulnerabilities of computer systems on a network. A vulnerability scanner typically identifies the operating system and version number, including applications that are installed. After that the scanner will try to detect vulnerabilities and weakness in the operating system. During the later attack phase, a hacker can exploit those weaknesses in order to gain access to the system. Moreover, the vulnerability scanner can be detected as well, because the scanner must interact over the network with target machine.

The CEH Scanning Methodology

As a CEH, you should understand the methodology about scanning presented in the figure below. Because this is the actual need of hackers to perform further attacks after the information about network and hosts which are connected to the network. It detects the vulnerabilities in the system bu which hackers can be accessible to that system by exploitation of that vulnerabilities.

El Cuento De "La Princesita De Ocho Piernas"

Hoy, cuando me he sentado a escribir el post diario de El lado del mal no quería ponerme a escribir de algo profesional. Tengo tres artículos rondando mi cabeza sobre temas técnicos y profesionales, pero hoy no me apetecía depurarlos y plasmarlos. Hoy hace sol, y quería dejar que el calor me bañara un poco. Quería dejar que el calorcito sacar algo más humano para el texto del día.

Figura 1: El cuento de "La princesita de ocho piernas"

Así que, os he traído uno de los cuentos que narro a Mi Hacker y Mi Survivor cuando el tiempo me lo permite. Como todo buen papaéte estoy sufriendo la pre-adolescencia de una niña, y si no la controlas, sus peticiones son infinitas. Me piden de todo y me compran - y hackean - con dibujos, manualidades, etcétera. Pero no las puedo dar todo lo que quieren.

View this post on Instagram
... y así me hackean mis salvajes }:)
A post shared by Chema Alonso (@chemaalonso) on May 17, 2020 at 2:51am PDT

No les puedo dar todo lo que quieren para que aprendan a priorizar y discernir entre lo que es necesario y lo que es accesorio. Entre la necesidad y el capricho, así que aprovechando a los personajes del Dragón Matías, el Rey Papá, Princesita, Chiquitina, Rapidín, Serpentina, etcétera, les creé este cuento "de mi boca" que os dejo hoy por aquí.

La Princesita de Ocho Piernas

Érase una vez que se era, una princesita muy presumida a la que su padre, el Rey Papá, cuidaba con mucho esmero y detalle. La Princesita era una niña estudiosa y trabajadora, aunque con algún arrebato de rabieta propio de su efervescencia debido a su edad. Con casi doce años estaba a punto de convertirse en una preciosa adolescente, y de vez en cuando – y solo de vez en cuando –, la energía que atesoraba le jugaba una mala pasada en su comportamiento.

No era nada grave, pero os voy a narrar la aventura que sucedió cuando el Dragón Matías, amigo personal del Rey Papá, se enfadó con Princesita y le impuso un curioso castigo.

Todo comenzó cuando la dulce princesita se acercó con sus grandes ojos color miel y le dijo a su papaete:

- "Rey Papá, Rey Papá, ¿me comprarías unos zapatos nuevos para el vestido nuevo que me compré la semana pasada".

El Rey Papá la miró, y sorprendido la contestó:

- "Princesita mía, compramos el vestido para los zapatos nuevos que tenías, ¿cómo es que ahora quieres unos zapatos nuevos para ese mismo vestido?"

La Princesita comenzó un principio de rabieta y dijo:

- "Rey Papá, Rey Papá, es que ya no me gustan esos zapatos y quiero otros nuevos. No seas malo con tu princesita y cómprame unos nuevos".

El Rey Papá refunfuñó e intentó hacer entrar en razón a la joven Princesita, pero lo único que obtuvo como respuesta a sus razonamientos fuero llantos, rabieta y más quejas de la joven que parecía la niña más desdichada del mundo. Tras media hora de llantos y quejas de la princesita, al final el Rey Papá claudicó y prometió llevar a su hija al día siguiente a comprar unos nuevos zapatos.

Llegado ese día, apareció en la puerta del castillo del Rey Papá su amigo el Dragón Matías para irse a volar por las montañas. Hacía tiempo que no salían juntos y habían quedado para ir al lago de la montaña del norte a darse unos baños en agua cristalina. Cuando llegó feliz, el Rey Papá le dijo:

- "Perdona Dragón Matías, se me olvidó que hoy teníamos la excursión y le he prometido a la princesita que la llevaría a comprar unos zapatos nuevos. Vamos a tener que cancelar la excursión".

El Dragón Matías se quedó consternado, pero no por la cancelación repentina de la excursión, sino por la evolución que estaba siguiendo la pequeña princesita. El Dragón Matías había cuidado de ella y de su hermana "Chiquitinia" desde que nacieron y estos ataques compra compulsiva y caprichosa no le parecían nada bien.

- "Rey Papá", dijo el Dragón Matías, "Tú eres consciente de que Princesita no necesita para nada esos zapatos, y que esta siendo caprichosa, ¿Verdad? ¿No crees que deberías hablar con ella y explicarla que no debería comprarse cosas que no necesite?

El Rey Papá le dio la razón al Dragón Matías y se excusó diciendo que se había puesto muy pesada y no sabía cómo conseguir que se tranquilizara. En ese momento el Rey Papá se sintió un poco avergonzado, pero el Dragón Matías lo consoló.

- "¿Me dejas hablar con ella, Rey Papá?", dijo el Dragón Matías.

El Rey Papá accedió a la petición, y permitió que el Dragón Matías hablara con Princesita. Esta se puso muy contenta cuando vio a su amigo "Matiítas" y le dio un fuerte abrazo. Después, el Dragón Matías habló con ella:

- "Princesita, obligar al Rey Papá a que te compre cosas que no necesitas por medio de llantos, rabietas y enfados, no está bien. Tú sabes que él te quiere muchísimo y no puede verte sufrir, pero es malo para tu educación tener todo lo que quieras aunque no lo necesites"

Princesita se enfadó mucho al oír eso. No quería quedarse sin sus zapatos nuevos, así que empezó a regañar al Dragón Matías por decirle eso.

- "Además", dijo la Princesita, "Los necesitó."

El Dragón Matías la miró pensativo y dijo:

- "No, no los necesitas, pero te voy a dar una pequeña lección. A partir de ahora, tantos zapatos nuevos tendrás, tantos zapatos nuevos necesitarás".

La Princesita se enfado mucho con el Dragón Matías pero siguió con sus planes y obligó al Rey Papá, poniendo sobre la mesa la promesa que le había sacado el día anterior, que la llevara de compras a por los nuevos zapatos. Y se compró unos nuevo y muy caros.

A la mañana siguiente llegó la sorpresa. Cuando Princesita se levantó por la mañana se encontró que tenía cuatro piernas en lugar de tener dos como todas las niñas. Al principio se asustó, pero luego recordó las palabras del Dragón Matías y, en lugar de reflexionar sobre la situación, decidió retar al viejo dragón.

Se vistió con un vestido precioso y se puso cuatro zapatos. Dos en sus dos pies izquierdos y dos en sus dos pies derechos, y se fue a por el Rey Papá sonriendo y decidida a continuar demostrando al Rey Papá y al Dragón Matías quién es la que mandaba en esa situación.

- "Rey Papá, mira que bien me quedan los zapatos nuevos con mis nuevas piernas que tengo gracias al Dragón Matías. Lo que pasa es que ahora necesito quita-y-pon así que tenemos que ir a comprar ahora mismo dos pares de zapatos nuevos".

El Rey Papá no daba crédito a lo que veía, pero Princesita iba feliz con sus cuatro piernas y sus dos pares de zapatos puestos a la vez. Así que, después de superar el susto y de aguantar unos lloros, gritos y pataletas de Princesita, accedió a llevar la de compras a por dos nuevos pares de zapatos.

A la vuelta, el Dragón Matías esperaba al Rey Papá y Princesita. Cuando llegaron, la joven Princesita traía en las manos bolsas con las nuevas compras. Dos nuevos pares de zapatos recién comprados. Cuando llegó a la altura del Dragón Matías le enseñó presumidamente sus cuatro piernas con sus dos pares de zapatos puestos y las bolsas con los nuevos. El Dragón Matías sonrió y dijo:

- "Recuerda Princesita, tantos zapatos tendrás, tantos zapatos necesitarás".

Princesita puso sus zapatos nuevos en el guardarropa de su habitación, en el armario destinado para ellos, y se fue feliz a dormir con sus nuevas compras. Ir de compras le hacía muy feliz y ganar al Dragón Matías y salir con la suya más todavía.

Pero al día siguiente…

Princesita se despertó y se alarmó. Su cama estaba llena de piernas. Le habían crecido cuatro nuevas piernas por la noche y eso ya no le gustaba nada. Tenía ocho piernas y parecía una araña, y eso no le gustaba nada, así que, en pijama, se fue corriendo y llorando a ver al Rey Papá:

- "Papaete, papaete, tengo ocho piernas y parezco una araña.. . Buahhhh, Buahhh".

El Rey Papá esperaba en el salón junto a su amigo el Dragón Matías, que la miró con detenimiento y dijo:

- "Bueno, Princesita, ahora ya has visto lo malo que es hacer de un capricho una necesidad, ¿verdad? Dime una cosa, ¿prefieres tener dos piernas y necesitar solo un par de zapatos o tener cuatro pares de zapatos y necesitarlos todos?"

Princesita, llorando, dijo:

- "Buahh, Buahhh, prefiero tener dos piernas y necesitar solo un par de zapatos. Pero por favor, vuelve a hacer que sea una niña normal".

El Dragón Matías, sopló un humo desde dentro y bañó a Princesita en el calor de su aliento. Cuando el humo se fue, la niña volvió a ser una persona de solo dos piernas.

- "Vete a tu habitación, Princesita, y vístete para desayunar. Yo quiero hablar con el Rey Papá", dijo el Dragón Matías.

Princesita se fue feliz, y el Dragón Matías se quedó mirando seriamente al Rey Papá, para decirle:

- "¿Has visto Rey Papá lo que sucede si le das a una Princesita más de lo que necesita? Harás que su capricho se convierta en una necesidad y dejará de ser una niña normal. Y eso nunca la hará feliz, como has visto".

El Rey Papá se sintió fatal y se disculpó ante el Dragón Matías, por haber dejado que los caprichos de su hija dictaran sus acciones y por haber faltado a su cita del lago. Se abrazaron, y al día siguiente disfrutaron de una preciosa excursión.

Por otro lado, a partir de ese día, Princesita siempre pensó muy mucho que es lo que necesitaba realmente, no fuera a ser que le salieran cuatro brazos, dos bocas, os dos cabezas. ¿Quién se puede fiar de los caprichos?

Y colorín colorado… FIN.

Otros cuentos de mi boca:

- Pequeñas historias de mi boca para hackers & survivors

- El Gigante de los juguetes

- La Hormiguita Valiente

- Serpentina y los quesos olorosos

- El batería suplente de los Goo Goo Dolls

- Papá Noel y el niño de la torre del reloj de Telefónica

Saludos Malignos!

Autor: Chema Alonso (Contactar con Chema Alonso)