Tuesday, October 30, 2018

PowerShell Troubleshooting commands

get-netIPConfiguration
get-netIPaddress

test-netconnection www.linkedin.com

resolve-dnsname www.linkedin.com

resolve-dnsname www.linkedin.com -type soa

route print - routing table

Get-NetRoute -Protocol Local - routes by destination prefix

Sunday, October 28, 2018

wpscan scanner

We will first enumerate the available WordPress logins using the enumerate user script. Enter the following command in the terminal:
wpscan -u https://<IP address>:12380/blogblog/ --enumerate u

Scanning SSL Kali Linux

sslscan website

heartbeat vulnerability


Another tool that performs a thorough sweep and analyzes the SSL/TLS configurations of a target service is SSLyze. To perform the majority of the basic tests in SSLyze, arguments should include the target server and the --regular argument. This includes tests for SSLv2, SSLv3, TLSv1, renegotiation, resumption, certificate information, HTTP GET response status codes, and compression support as follows:

root@KaliLinux:~# sslyze google.com --regular

Efficient technique using BurpSuite when spidering - Kali Linux

Proxy

Add the site to the scope


Spider tab - Options - application login - automatically submit these credentials

admin' or 1=1 --
password - NONE-blank

---

Target tab - activate spider

Target - site map tab
engagement tools - discover content - click the "session is not running" button to start it
the content-discovery brute force then runs


checks if a given domain uses load-balancing

lbd website


wafw00f website - web application firewall attack commands

wafw00f website

WafW00f is a very useful Python script, capable of detecting the web application firewall (WAF). This tool is particularly useful when a penetration tester wants to inspect the target application server, and might get a fallback with certain vulnerability assessment techniques, for which the web application is actively protected by a firewall. Therefore, detecting the firewall sitting in between the application server and the Internet traffic not only improves a testing strategy, but also presents exceptional challenges for the penetration tester to develop advanced evasion techniques.

API Security Cheat Sheet - OWASP


Reverse shells - joke


Building security from scratch


OWASP, podcast

https://soundcloud.com/owasp-podcast/how-to-build-chapter-engagement-at-owasp

While at 2018 AppSec EU, I spoke with Sam Stepanyan and Grigorios Fragkos, chapter leaders of one of OWASP's largest chapters. The conversation centered around what it takes to grow a community and what it takes to lead a chapter.

Saturday, October 27, 2018

The registry - where to find where I was connected - Wireless

Alex wants to determine whether the user of a company-owned laptop accessed a malicious wireless access point. Where can he find the list of wireless networks that the system knows about?
  1. The registry
  2. The user profile directory
  3. The wireless adapter cache
  4. Wireless network lists are not stored after use.


The Windows registry stores a list of wireless networks the system has connected to under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles. This is not a user-specific setting and is stored for all users in LocalMachine.

NMAP syn scan - half-open scan - just send a syn packet

nmap -T4 -v -Pn -n -sS --top-ports 100 --max-parallelism 10 -oA nmapSYN IP

-T4 - timing template (speed)
-v - verbose
-Pn - skip host discovery (no ping), treat the host as up
-n - no DNS resolution

sS - syn packet scan

--top-ports 100

--max-parallelism 10

-oA - output

--------


nmap -T4 -v -Pn -n -sA --top-ports 100 --max-parallelism 10 -oA nmapSYN IP

-sA - ACK scan; it never determines open ports

it is used to map firewall rules: ports are reported as filtered or unfiltered


----
aggressive option

nmap -T5 -PN -v -A -oA nmapcomplete IP
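The -oA option above writes three files, including a greppable .gnmap file. As an added example (not part of the original notes), this POSIX shell script parses that format to list open ports per host; the sample scan content and all function names are constructed for the example.

```bash
#!/bin/sh
# Added example: read the greppable .gnmap file that -oA writes and pull out the
# open ports. The file content below is a constructed sample in nmap's
# greppable layout (tab-separated fields), not real scan output.
SAMPLE_GNMAP=$(mktemp)
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
{
  printf '# Nmap scan initiated (constructed sample) as: nmap -sS --top-ports 100 -oA nmapSYN 10.0.0.0/29\n'
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (97)\n'
  printf 'Host: 10.0.0.7 (db01)\tPorts: 3306/open/tcp//mysql///\tIgnored State: closed (99)\n'
  printf 'Host: 10.0.0.9 ()\tStatus: Up\n'
  printf '# Nmap done (constructed sample): 8 IP addresses (3 hosts up)\n'
} > "$SAMPLE_GNMAP"

# Print "host port/proto service" for every port reported open.
open_ports_from_gnmap() {
  awk -F'\t' '
    /^Host:/ {
      split($1, h, " "); host = h[2]
      for (i = 2; i <= NF; i++) {
        if (index($i, "Ports: ") != 1) continue
        n = split(substr($i, 8), entries, ", ")
        for (j = 1; j <= n; j++) {
          # entry layout: port/state/proto/owner/service/rpc/version/
          split(entries[j], f, "/")
          if (f[2] == "open") printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
        }
      }
    }' "$1"
}

# List hosts that have a given port open, e.g. every host still exposing 22/tcp.
hosts_exposing() {
  open_ports_from_gnmap "$1" | awk -v port="$2" 'index($2, port "/") == 1 { print $1 }'
}

# Per-host count of open ports, sorted by address.
open_port_counts() {
  open_ports_from_gnmap "$1" | awk '{ n[$1]++ } END { for (h in n) print h, n[h] }' | sort
}

echo "Open ports:";            open_ports_from_gnmap "$SAMPLE_GNMAP"
echo "Hosts exposing 22/tcp:"; hosts_exposing "$SAMPLE_GNMAP" 22
echo "Open ports per host:";   open_port_counts "$SAMPLE_GNMAP"
```

Point the functions at nmapSYN.gnmap from the command above to diff exposed ports between scans.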


Who What Where When Why How



Human job replaced by robot


Emerging security challenges


Every organization has to be part of this never-ending race against cyber attackers. If you fail to stay ahead of your adversaries, you are likely to become the victim of attacks. In the coming years, defenders have to prepare for the following emerging security challenges and threats:

  • Slow security adaptation: Unlike networking and cloud transformation, cyber security solutions are not evolving at the expected rate. Traditional network segmentation has been replaced with a simplified, flat architecture, removing a lot of network complexity. However, security solutions still use the traditional zone-based approach to mitigate threats.
  • Human error: As per the IBM Security service report, more than 95% of investigated cyber incidents occurred due to human errors, such as system misconfiguration and insufficient patch management.
  • Third-party vendor security risk: In a world of interconnected businesses, organizations have to let other organizations store and use their information for better business operations. However, this also creates a bigger risk: if a third party gets compromised, the organization is at risk of losing business data. Most supply-chain attacks use sophisticated attack vectors that manage to bypass existing security systems.

Thursday, October 25, 2018

In order, which set of Linux permissions are least permissive to most permissive?

In order, which set of Linux permissions are least permissive to most permissive?
  1. 777, 444, 111
  2. 544, 444, 545
  3. 711, 717, 117
  4. 111, 734, 747


Linux permissions are read numerically as “owner, group, other.”

The numbers stand for read: 4, write: 2, and execute: 1. Thus, a 7 provides that person, group, or other with read, write, and execute. A 4 means read-only, a 5 means read and execute, without write, and so on. 777 provides the broadest set of permissions, and 000 provides the least.
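As an added example (not part of the original notes), this POSIX shell script decodes numeric modes the way the explanation above describes and checks which answer option lists its modes from least to most permissive, ranking by the number of permission bits granted; the function names are the example's own.

```bash
#!/bin/sh
# Added example: decode numeric Linux modes (owner, group, other; r=4 w=2 x=1)
# and rank them by how many permission bits they grant.

# Expand one octal digit (0-7) into its rwx triplet, e.g. 5 -> r-x.
digit_to_rwx() {
  d=$1
  out=""
  [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
  [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
  [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
  printf '%s' "$out"
}

# Convert a three-digit mode such as 734 into rwx-wxr--.
octal_to_symbolic() {
  mode=$1
  sym=""
  while [ -n "$mode" ]; do
    first=${mode%"${mode#?}"}          # first character of the remaining digits
    sym="${sym}$(digit_to_rwx "$first")"
    mode=${mode#?}                     # drop that digit
  done
  printf '%s' "$sym"
}

# Count the permission bits a mode grants: 000 -> 0, 777 -> 9.
perm_count() {
  bits=$(octal_to_symbolic "$1" | tr -d '-')
  printf '%d' "${#bits}"
}

# Succeed when the modes are listed from least to most permissive.
is_ascending() {
  prev=-1
  for m in "$@"; do
    c=$(perm_count "$m")
    [ "$c" -lt "$prev" ] && return 1
    prev=$c
  done
  return 0
}

# Walk the four answer options from the question above.
for option in "777 444 111" "544 444 545" "711 717 117" "111 734 747"; do
  # Word-splitting $option into three modes is intended here.
  if is_ascending $option; then
    printf '%-12s ascending (least to most permissive)\n' "$option"
  else
    printf '%-12s not in ascending order\n' "$option"
  fi
done
```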

chkrootkit - finding rootkits on your Kali Linux

chkrootkit

checking if Kali Linux is clean


Activate tor and proxychains on your Kali Linux

apt-get install tor

leafpad /etc/proxychains.conf


disable strict_chain by adding a pound sign (#) in front of it

Enable dynamic_chain by deleting the pound sign in front of it

Add the socks5 line at the end of the ProxyList

socks4  127.0.0.1 9050
socks5  127.0.0.1 9050



service tor start
to verify - service tor status

iceweasel www.whatismyip.com

Activating Proxychains
proxychains iceweasel www.whatismyip.com
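The proxychains.conf edits above, as an added shell example (not from the original notes) that applies them to a constructed copy of the file and verifies the result; the sample config and function names are the example's own.

```bash
#!/bin/sh
# Added example: apply the proxychains.conf edits described above to a copy of
# the file and check the outcome. The config below is a constructed sample; the
# real /etc/proxychains.conf carries many more comment lines.
PC_CONF=$(mktemp)
trap 'rm -f "$PC_CONF"' EXIT
cat > "$PC_CONF" <<'EOF'
# proxychains.conf (constructed sample)
strict_chain
#dynamic_chain
#random_chain
proxy_dns
[ProxyList]
# add proxy here ...
socks4  127.0.0.1 9050
EOF

# Comment out strict_chain, uncomment dynamic_chain, append the socks5 entry once.
configure_proxychains_for_tor() {
  conf=$1
  tmp=$(mktemp)
  sed -e 's/^strict_chain/#strict_chain/' \
      -e 's/^#dynamic_chain/dynamic_chain/' "$conf" > "$tmp"
  grep -q '^socks5[[:space:]]\{1,\}127\.0\.0\.1[[:space:]]\{1,\}9050' "$tmp" \
    || printf 'socks5  127.0.0.1 9050\n' >> "$tmp"
  mv "$tmp" "$conf"
}

# Report the active chain mode: exactly one of strict/dynamic/random should be uncommented.
active_chain_mode() {
  grep -E '^(strict|dynamic|random)_chain' "$1" | sed 's/_chain//'
}

# Count ProxyList entries that point at the local Tor SOCKS port (9050).
tor_proxy_entries() {
  grep -c '^socks[45][[:space:]]\{1,\}127\.0\.0\.1[[:space:]]\{1,\}9050' "$1"
}

configure_proxychains_for_tor "$PC_CONF"
echo "chain mode: $(active_chain_mode "$PC_CONF")"
echo "tor entries: $(tor_proxy_entries "$PC_CONF")"
```

Run it against a copy of /etc/proxychains.conf and diff the result before replacing the real file.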






Configuring SSH on Kali Linux

cd /etc/ssh

mkdir keys_backup_ssh
mv ssh_host_* keys_backup_ssh
dpkg-reconfigure openssh-server


service ssh start
service ssh stop

netstat -antp
listening on which address and port?


Essential programs on Kali Linux - Penetration test - kit

apt-get install preload
Using preload to Speed up Linux

apt-get install bleachbit
total privacy cleaner
advance - wiping free space

apt-get install bum
system performance
disable unnecessary services

apt-get install gnome-do
execute key app using keyboard

apt-get install apt-file
command search for apt - allows finding which package provides a file

apt-get install scrub
secure deletion program - standards-compliant wiping

apt-get install shutter
captures images from your desktop

apt-get install figlet
console looks professional

leafpad /root/.bashrc
write your personal message at the end






apt-get dist-upgrade -y - general commands



leafpad kali_update.sh  # .sh is a shell script; contents:

             #!/bin/bash
             apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

chmod +x kali_update.sh  # give the script execute permission


---
dpkg -l | grep zip 

apt-cache show zip


apt-get remove (package name)

leafpad /etc/

----



Install VMtools on Kali Linux - fixing an error

Install VMtools on Kali Linux

delete no auto
insert exec





Sunday, October 21, 2018

Jikto XSS

Jikto
In 2007, only a couple of years after the initial XSS propagation research, Hoffman demonstrated Jikto at ShmooCon. Jikto was a tool to demonstrate the impact of unmitigated XSS flaws, and what happens when you execute attacker-controlled code within a browser.
Advancing the methodology from earlier XSS self-propagation research and code, Jikto was designed to kick off a silent JavaScript loop that would either try to self-propagate, similar to Samy, or poll a central server for further commands. Although the code was constructed as an in-house demonstration, it was leaked and slowly found its way onto the broader Internet.
One of the more interesting enhancements found in Jikto was how it managed to bypass the SOP. It did this by loading both the Jikto code and the target origin content into the same-origin through a proxy (or cross-origin bridge). Initially Google Translate was used to proxy the separate requests, but Jikto could be modified to use other sites for proxying too.

Defense Against Session Hijacking

Session hijacking is tricky business, and IDS monitoring is only a calculated guess based on assumptions of traffic patterns. The Cisco IDS did a good job of monitoring T-Sight session hijacking, but in several cases, alarms were missed and a few attacks went completely unnoticed. For example, if the original client never communicated during the hijacking or if a client connection was reset before ACK storms occurred, the 3250 signature would never be triggered, and the attack would go through unnoticed. This is not the fault of IDS; it is just that not enough suspicious traffic is sent to provide a reliable detection. Prevention is the only true protection, and IDS or a super-human watching Ethereal packet sniffing traffic like the Matrix screen saver are too unreliable for all possibilities.


Session Hijacking, Session_Hijacking, example



The service controller (sc) command is a rich command you can use to start, stop, and manipulate services from the command line. This allows you to perform many of the same functions from the command line as you can do via the Services console.

Command: C:\>sc query

SERVICE_NAME: Netlogon
DISPLAY_NAME: Netlogon
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Description: Lists all running services and drivers. The result above shows the output for a single service (the Netlogon service), but the actual output shows details on all running services and drivers. The output can be quite extensive. Of course, you can capture the entire output with the redirect (>) symbol, as in sc query > services.txt

Tip
The SERVICE_NAME shows the name of the service that you can use in other commands.

Command: sc query state= all | inactive
C:\>sc query state= all
C:\>sc query state= inactive

Description: Lists all services, including services that are stopped, running, or paused.

Note
There is no space between state and = (state=), and there is a space between = and all (= all).

You can use state= inactive to list only services that are stopped, or state= all to list all services, including those that are running and those that are stopped.

tail -f filename




The tail command displays the bottom part of text data. By default, the last ten lines are displayed. Use the -n option to display a different number of lines:

Option   Description
-f       Display the bottom part of a file and follow changes, that is, continue to display any changes made to the file.
-n +x    Display from line number x to the end of the file.

Sunday, October 14, 2018

NIST Flow chart to Incident eradication and recovery


Use after free



Joana, a hacker, has discovered he can specifically craft a webpage that, when viewed in a browser, crashes the browser and then allows him to gain remote code execution in the context of the victim’s privilege level. The browser crashes due to an exception error when unused heap memory is accessed. Which of the following BEST describes the application issue?


A. Integer overflow
B. Click-jacking
C. Race condition
D. SQL injection
E. Use after free
F. Input validation


Pointer management vulnerabilities


In languages that encourage or require the use of raw memory pointers (chiefly C and C++), it is possible to use pointers that are either uninitialized or no longer valid (“dangling”), leading to vulnerabilities such as use after free, double free, and many more. These vulnerabilities will corrupt the internal state of the program and usually allow an attacker to execute attacker-supplied code.






Use After Free Vulnerabilities


Heap buffers are valid for a lifetime, from the time they are allocated to the time they are deallocated via free or a realloc of size zero. Any attempts to write to a heap buffer after it has been deallocated can lead to memory corruption and eventually arbitrary code execution.




Use after free vulnerabilities are most likely to occur when several pointers to a heap buffer are stored in different memory locations and one of them is freed, or where pointers to different offsets into a heap buffer are used and the original buffer is freed. This type of vulnerability can cause unexplained heap corruption and is usually rooted out in the development process. Use after free vulnerabilities that sneak into release versions of software are most likely in areas of code that are rarely exercised or that deal with uncommon error conditions. The Apache 2 psprintf vulnerability disclosed in May of 2003 was an example of a use after free vulnerability, in which the active memory node was accidentally freed and then subsequently handed out by Apache's malloc-like allocation routine.

Johari Window


SAML uses which? - Fiddler

To prevent a third party from identifying a specific user as having previously accessed a service provider through an SSO operation, SAML uses which of the following?

A.Transient identifiers
B.SOAP calls
C.Discovery profiles
D.Security bindings

In an SSO operation using SAML, what is the transient identifier designed to prevent?
A. a third party from identifying a specific user as having previously accessed a service provider
B. a third party from capturing data en route
C. the identity provider from creating multiple IDs
D. the service provider from performing multiple authentications
Answer: A

Explanation: To prevent a third party from identifying a specific user as having previously accessed a service provider through an SSO operation, SAML uses transient identifiers (only valid for a single login session) that will be different each time the user authenticates again but will stay the same as long as the user is authenticated.

SAML entities can operate in a variety of different roles. Valid SAML roles include which of the following?
A. Attribute authority and certificate authority
B. Certificate authority and attribute requestor
C. Identity provider and service provider
D. Service provider and administrator


--------
The weakness in the SAML identity chain is the integrity of users. To mitigate risk, SAML systems need to use timed sessions, HTTPS, and SSL/TLS.

----------------------
Fiddler
The most important tool for troubleshooting ADFS is a free one called Fiddler. Fiddler is an HTTP proxy that allows you to look at the HTTP traffic in a friendly GUI. If you’ve used Wireshark or Netmon before for network tracing, you can think of Fiddler as an application-layer version of those tools. Get a copy of Fiddler and install it on your workstation. Next, go to this link and install the add-ons for Fiddler that enable you to easily work with HTML, XML, and so forth.
Download the Fiddler federation inspector from this site. This add-on will enable Fiddler to decode WS-Federation and SAML markup. Extract the .zip file and browse to the bin\Debug folder. Copy Thinktecture.FederationInspector.dll to C:\Program Files (x86)\Fiddler2\Inspectors. or wherever you installed Fiddler on your machine.

In order to look at encrypted ADFS traffic, you’ll need to configure Fiddler to intercept HTTPS traffic. To do this, launch Fiddler and go to Tools→Fiddler Options. On the HTTPS tab, check “Capture HTTPS CONNECTs” and “Decrypt HTTPs traffic.” Next, you will be prompted to generate a certificate for Fiddler to intercept SSL traffic and to configure Windows to trust the certificate. You’ll receive another confirmation to import the certificate and then finally a final confirmation after a User Account Control (UAC) prompt. Answer Yes to all of these prompts.

Burp Suite's architecture


Drown vulnerability

DROWNing HTTPS

The DROWN (CVE-2016-0800) vulnerability identifies a server that is open to a non-trivial attack that relies on SSLv2 support, to which at least a third of all internet servers were vulnerable as of March 2016. Attackers take advantage of SSLv2 support by an application using the same keys as are used to salt or help randomize TLS (the more recent protocol versions). By initiating tens of thousands of SSLv2 messages, they are able to glean the keys used in more robust and current versions of TLS, and thus break the higher-grade encryption with stolen private keys. Once thought to be impractical based on the sheer number of messages believed to be needed (it is also called the million message attack), it is now known to be achievable through commercially available resources in hours using tens of thousands of messages.
Detecting DROWN vulnerabilities is as simple as seeing if SSLv2 is supported on the target server or any other servers sharing the same keys. Another tool that can be used to identify the vulnerability is located on the http://test.drownattack.com website.


POODLE – all bark, no bite - command to use

nmap -sV --version-light --script ssl-poodle -p 443 <host>

Padding Oracle On Downgraded Legacy Encryption (POODLE)

POODLE

Padding Oracle On Downgraded Legacy Encryption (POODLE), as its name indicates, is a padding oracle attack that abuses the downgrading process from TLS to SSLv3.
Padding oracle attacks require the existence of an oracle, which means a way of identifying when the padding of a packet is correct. This could be as simple as a padding error response from the server. This occurs when an attacker alters the last byte of a valid message and the server responds with an error. When the message is altered and doesn't result in an error, the padding was accepted for the value of that byte. Along with the IV, this can reveal one byte of the keystream and, with that, the encrypted text can be decrypted. Let's remember that IVs need to be sent along with the packets so that the recipient knows how to decrypt the information. This works very much like a blind SQL injection attack.
To achieve this, the attacker would need to achieve a man-in-the-middle position between the client and server and have a mechanism to make the client send the malicious probes. This last requirement can be achieved by making the client open a page that contains JavaScript code that performs that work.
Kali Linux doesn't include an out-of-the-box tool to exploit POODLE, but there is a Proof of Concept (PoC) to do this by Thomas Patzke on GitHub: https://github.com/thomaspatzke/POODLEAttack. It is left to the reader to test this PoC as an exercise.
Most of the time during web application penetration testing, it will be enough for you to see the SSLScan, SSLyze, or Nmap output to know whether SSLv3 is allowed, and therefore whether a server is vulnerable to POODLE; no further tests are required to prove this and to convince your client to disable a protocol that has been superseded for nearly 20 years and most recently declared obsolete.
Although POODLE is a serious vulnerability for an encryption protocol such as TLS, the complexity of executing it in a real-world scenario makes it much more likely that an attacker will use techniques such as SSL Stripping (https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf) to force a victim to browse over unencrypted protocols.

  • Web Penetration Testing with Kali Linux - Third Edition

  • By: Gilberto Najera-Gutierrez; Juned Ahmed Ansari
  • Publisher: Packt Publishing
  • Pub. Date: 
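The sslscan/SSLyze notes earlier and the DROWN and POODLE sections above both come down to one check: is SSLv2 or SSLv3 still offered? As an added example (not part of the quoted book text), this POSIX shell script reads nmap ssl-enum-ciphers output and turns each legacy protocol into the finding the notes describe; both scan outputs are constructed samples and the function names are the example's own.

```bash
#!/bin/sh
# Added example: flag SSLv2 (DROWN) and SSLv3 (POODLE) in nmap ssl-enum-ciphers
# output. Both files below are constructed samples in the script's layout,
# not real scan results.
LEGACY_SCAN=$(mktemp); CLEAN_SCAN=$(mktemp)
trap 'rm -f "$LEGACY_SCAN" "$CLEAN_SCAN"' EXIT
cat > "$LEGACY_SCAN" <<'EOF'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|_  least strength: C
EOF
cat > "$CLEAN_SCAN" <<'EOF'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|_  least strength: A
EOF

# Print each legacy protocol header (SSLv2, SSLv3) the server offered.
legacy_protocols() {
  awk '$1 == "|" && $2 ~ /^SSLv[23]:$/ { sub(/:$/, "", $2); print $2 }' "$1"
}

# Translate each legacy protocol into the finding the notes above describe.
legacy_findings() {
  legacy_protocols "$1" | while read -r proto; do
    case $proto in
      SSLv2) echo "SSLv2 offered: DROWN (CVE-2016-0800) candidate; check every host that shares this key" ;;
      SSLv3) echo "SSLv3 offered: POODLE candidate; recommend disabling SSLv3 instead of proving the oracle" ;;
    esac
  done
}

# Exit 0 when no legacy protocol is offered, 1 otherwise (usable as a gate).
tls_legacy_free() {
  [ -z "$(legacy_protocols "$1")" ]
}

for f in "$LEGACY_SCAN" "$CLEAN_SCAN"; do
  if tls_legacy_free "$f"; then echo "no SSLv2/SSLv3 offered"; else legacy_findings "$f"; fi
done
```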

Hack the vote cartoon



Front and Back End


Presidential Alert - Joke


cartoon, privacy settings


Kaplan - Practice Exams, Pluralsight


Nmap - techniques


jQuery attack


CSRF XSS Session Hijacking


Tuesday, October 9, 2018

Dale's Meredith quotes


VERR_VMX_MSR_VMXON_DISABLED when starting an Oracle VirtualBox image



Failed to open a session for the virtual machine

VT-x is disabled in the BIOS. (VERR_VMX_MSR_VMXON_DISABLED).

Result Code: E_FAIL (0x80004005)
Component: Console
Interface: IConsole {8ab7c520-2442-4b66-8d74-4ff1e195d2b6}
Also, I see that the acceleration tab in VirtualBox is disabled.

I believe VirtualBox is throwing this error for several reasons. Very annoying that it is one error for so many things.

Potential gotchas:

You have not enabled VT-x in VirtualBox and it is required for the VM.
To enable it: open vbox, click the VM, click Settings..., System -> Acceleration -> VT-x checkbox.

You have not enabled VT-x in the BIOS and it is required.
Check your motherboard manual, but basically you want to enter the BIOS right after the machine powers on (usually the DEL, F2, F12 key, etc.), find the "Advanced" tab, enter "CPU configuration", then enable "Intel Virtualization Technology".

Your processor does not support VT-x (for example, a Core i3).
In that case, your BIOS and VirtualBox should not let you try to enable VT-x (but if they do, you will probably get a VM failure).

You are trying to install or boot a 64-bit guest operating system.
I think a 64-bit OS requires true CPU passthrough, which requires VT-x. (A VM expert can comment on this point.)

You are trying to allocate > 3 GB of RAM to the VM.
Similar to the previous point, this requires: (a) a 64-bit host system; and (b) true hardware passthrough, that is, VT-x.
So, for my little tinkering machine that I am resurrecting, which has 8 GB of RAM but only a ye-olde Core i3, I am having success if I install a 32-bit version of Linux, allocating 2.5 GB of RAM.

Oh, and wherever I say "VT-x" above, that obviously applies equally to AMD's "AMD-V" virtualization technology.

Fierce - DNS reconnaissance


Fierce is presented by Schwager, in Fierce: A DNS reconnaissance tool for locating non-contiguous IP space (https://github.com/mschwager/fierce), GitHub © 2018, as follows:
Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains.

Fierce uses zone transfer, dictionary attacks, and reverse resolution to gather hostnames and subdomains along with the IP addresses of a domain, and it has the option to search for related names (for example, domain company.com, corpcompany.com, or webcompany.com). In the following example, we will use search to identify hostnames of google.com:

fierce -dns website

Zone transfer using dig


Famous quotes from Dale Meredith


Monday, October 8, 2018

Metadata removal/DLP tools


DLP is an important method to avoid data loss. The above example is quite generic, to give us some idea of how DLP works. Now, as per our topic, we are more interested in metadata removal. There are also different tools available to remove metadata, which we can also call metadata DLP tools. Some of those are mentioned below.

MetaShield Protector

MetaShield Protector is a solution that helps to prevent data loss through office documents published on a website. It is installed and integrated at the web server level of the website. Its only limitation is that it is only available for the IIS web server. Other than that, it supports a wide range of office documents. Some of the popular file types are ppt, doc, xls, pptx, docx, xlsx, jpeg, pdf, etc. On a request for any of these document types, it cleans the document on the fly and then delivers it. MetaShield Protector can be found at https://www.elevenpaths.com/services/html_en/metashield.html. The tool is available at https://www.elevenpaths.com/labstools/emetrules/index.html.

MAT

MAT, or metadata anonymization toolkit, is a graphical user interface tool that also helps to remove metadata from different types of files. It is developed in Python and utilizes the hachoir library for the purpose. As we discussed hachoir earlier (a Python library) and one of its projects in the hachoir-metadata portion, this is another project based on the same library. The details can be found at https://mat.boum.org/.
The best thing about MAT is that it is open source and supports a wide range of file extensions such as png, jpeg, docx, pptx, xlsx, pdf, tar, mp3, torrent, etc.

MyDLP

It is a product by Comodo, which also provides a wide range of security products and services. MyDLP is a one-stop solution for different potential data leak areas. In an organization, not only documents but also emails, USB devices, and other similar devices are potential sources of data leaks. MyDLP allows an organization to easily deploy and configure this solution to monitor, inspect, and prevent all outgoing critical data. The details of MyDLP can be found at http://www.mydlp.com.

OpenDLP

OpenDLP is an open source centrally managed data loss prevention tool released under the GPL. From a centralized web application it can identify sensitive data in different types of systems such as Windows and Unix as well as different types of databases such as MySQL and MSSQL. The project can be found here. https://code-google-com.eztncc.vccs.edu:2443/p/opendlp/.

Doc Scrubber

Freeware that scrubs hidden data from Word documents (.doc). One of its popular features is that it allows scrubbing multiple .doc files at a time. Doc Scrubber can be downloaded from http://www.javacoolsoftware.com/dsdownload.html.

Removing Geo-tags

As we discussed earlier, geotags can be dangerous for a user from an attacker's point of view, as they reveal the exact location of a user. Some settings in Picasa can help us to remove these geotags. Picasa, the image organizing and editing application by Google, can help to remove geotags from images. The link to the help and support page is http://support.google.com.eztncc.vccs.edu:2048/picasa/bin/answer.py?hl=en&answer=70822.
We can also use the Exif Tool discussed earlier to remove such data.
Though metadata is mainly used for the organization and linking of data, it can also be critical during cyber investigations as well as pentest exercises. As discussed earlier, most of it is harmless, but sometimes it can reveal sensitive data. As many individuals as well as organizations are unaware of its existence, they don’t pay much attention to it. The solutions discussed above should be tried to make it easier to mitigate any risk arising from such information.

  • Hacking Web Intelligence

  • By: Nutan Kumar Panda; Sudhanshu Chauhan
  • Publisher: Syngress
  • Pub. Date: 
  • unknown: C20140008763
  • ISBN-13: 978-0-12-801912-2

Remote Hybrid and Office work