Friday, September 8, 2017

When there is nobody Talking To You (TTY)- POST EXPLOITATION

Now this is also a very critical place where we see a lot of challenges. One of them is getting an interactive shell on the compromised box but unable to run su or login.

Recently i was in the same place and thanks to the Pentesting-Monkey who has an awesome blog for this one here 
(http://pentestmonkey.net/blog/post-exploitation-without-a-tty)

If you have python installed, we all know about the famous pty.spwan TTY 

python -c ‘import pty; pty.spawn(“/bin/sh”)’

but there are situations where PYTHON is not installed. 

In such situations when nobody TTY, one should try and start EXPECT in the first place ;)

(http://en.wikipedia.org/wiki/Expect)

sh-3.2$ expect sh.exp
spawn sh
sh-3.2$ su -
Password:********
localhost ~ #

Special Thanks to Mr Pen Test Monkey as always :)

XML-RPC- NOTHING FANCY

XML-RPC- Nothing fancy about this post but can be a good read..

This has been in discussion for long on how important is this in the context of worpress security and is the inherent risk is okay to be digested..

XML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism.[1] "XML-RPC" also refers generically to the use of XML for remote procedure call, independently of the specific protocol. This article is about the protocol named "XML-RPC". 

https://en.wikipedia.org/wiki/XML-RPC

There are multiple functionalities that is being used as a part of this XML-RPC.

XML Remote Procedure Call as it is called as is used for providing powers to many of these features in WordPress:

Like if you want to connect to the website using your smartphone

It is used in the context when other sites refer to your site in the form of Trackbacks or pingbacks.

But with respect to this there are also some security issues that popped up. One of them was Brute Force attacks which was because of one of functionality with respect to the system.multicall as this one allows the user(or attacker) to send multiple request on a single command.

One very awesome example was showed by Mr Daniel Cid at Sucuri in 2015: He showcased on how to bypass the blocking mechanism and bruteforce the password with some 3 or 4 HTTP request attempts.

You can read about it here (https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html)

I know this is typical solution but is also the best way which is to turn the XML-RPC off. One of the ways can be adding a deny tag in your .htaccess file or you can also use the DISABLE XML-RPC plugin by wordpress which can be found here (https://wordpress.org/plugins/disable-xml-rpc/)

Monday, August 21, 2017

DATASPLOITING

I recently decided to get my hands on the famous OSINT tool called as datasploit(https://datasploit.readthedocs.io/en/latest/#overview)

I will be posting this as and when i explore a new feature in it. 

The installation is pretty straight Forward and is mentioned in the docs as well.

here are some of the challenges that you might face. Just install the dependencies and you will be good to go.


Here are the steps

root@dragon:/home# git clone
https://github.com/datasploit/datasploit

root@dragon:/home/# sudo apt-get install python-dev

root@dragon:/home/# sudo apt-get install libxml2-dev libxslt1-dev

IF these dependencies doesnt help you get started use the below one as well along with the others you installed earlier.

root@dragon:/home/# sudo apt-get install build-essential autoconf libtool pkg-config python-opengl python-imaging python-pyrex python-pyside.qtopengl idle-python2.7 qt4-dev-tools qt4-designer libqtgui4 libqtcore4 libqt4-xml libqt4-test libqt4-script libqt4-network libqt4-dbus python-qt4 python-qt4-gl libgle3 python-dev libssl-dev

root@dragon:/home/datasploit# pip install -r requirements.txt

root@dragon:/home/datasploit# mv config_sample.py config.py


root@dragon:/home/datasploit# nano config.py

And here you have to give the API's that you have created. 

I will come back with some other awesome features of this very soon.





Wednesday, March 22, 2017

hiberfil.sys

OMG, I found a file in the root drive in my HDD which is so huge and i don't know what it does..

The files are hiberfil.sys and pagefile.sys. Though there were other files but these were the giant ones and i was really curious to free up my HDD from it.



When in Doubt.. Google it:)

After some googling i found out that the culprit is my habit of hibernating my machine very often.

The file hiberfil.sys was something which actually stores the current state of my machine and by state i mean memory.

Now to delete this file you need to disable the hibernate mode and then probably try deleting it.

Okay so where to disable it. Of course there is a GUI version of the option available. Its a good exercise to find it :):)

Lets do some command line scoring.

So open a command prompt and mind you that you have to be the obvious guy "The Administrator"

powercfg -h off


This is the command which will help you disable the hibernation mode. yes you guessed it right. the 'on' switch will help you bring back the same.

Voila the file is gone as soon as you turn this option off.




Enjoy


Tuesday, February 21, 2017

Offensive Security Certified Professional (OSCP) : A JOURNEY WHICH CANNOT BE FORGOTTEN..



When there is a doubt.. GOOGLE :)

Offensive Security Certified Professional (OSCP)

You cannot know on how much excited i am right now writing this review for one of the most prestigious examination of Security Industry. OSCP (Offensive Security Certified Professional)

Whenever I used to read a review I used to ask myself on I am ever going to write one and YES I TRIED HARDER..

This has been itching me back from the BACKTRACK days which finally ended in KALI.

Here are some thoughts of mine for this awesome TRANCE JOURNEY :)

I have been hearing about the Methodologies of PenTesting since the start of my career but came to know about its real importance through the lab environment that was provided as a part of OSCP examination. You will get complete exposure towards various steps like Reconnaissance, Enumeration, Vulnerability Assessment, Exploitation and Reporting.

And believe me by the end of 1st machine in the labs you will come to know the importance of Information Gathering and why people say that the more you know your target the easier is to attack it.

You can check out the details about the exam and things HERE

HERE is a Link to the Syllabus of the course

The course has some awesome data with respect to Kali Environment and basic LINUX scripting and administration along with some cool tools introduction as well. It also mentions about various techniques and methodologies for various phases of a pen test and gives you an awesome feeling on how an attacker actually attacks.

I was like. Seriously.... Kewwwwwwwwwwwwwlllllll....

Here are some pointers from my side:

You should concentrate on the following stuff:

  • Linux Basic Commands Administration
  • Windows Command Line(LINK)
  • Linux Command Line (LINK)

These guys are just amazing.. :)

  • OWASP Top 10 (LINK)
  • Basics of Scripting- Choose your language. Bash or python will be a good choice
  • VulnHub (LINK)

This is pretty amazing and a good place to start. There are a lot of things to learn on this link for sure :)

I would say no other certification was able to make me learn and i mean it, it made me learn stuff. And the credit goes to the Awesome LAB ENVIRONMENT. Ofcourse the exam teaches you a lot of stuff as well, one of them being able to perform under pressure.  

Some more links for your access and reference are as below:

And i totally was addicted to this website throughout my whole OSCP journey. Sometimes scared, sometimes demotivated and sometimes very motivated.. This link has it all
I will keep on adding whenever i have time :)

P.S: Don't forget to jazz up your playlist of your favorite music. It is very important :):)


Monday, February 20, 2017

HTTP HEADER Analysis via getheader utility..

I love this one in my arsenal. You can get more details HERE

The tool is given to us by Mr Nathan (@httphacker) .

WHAT IS IT ??

It is a cool python script. Oh did i say PYTHON. Ah man i love this snakey language.
  • It is a HTTP header analysis vulnerability tool. 
  • It is automated in nature
  • It identifies security Vulnerabilities
  • It identifies lack of protection in HTTP headers
Okay so lets do some command exercise...

To download just clone it from git repository as below:

git clone https://github.com/httphacker/gethead.git

Make sure you have Python installed.

You will see a file called as gethead.py. Now it is as easy to run any python program which is 

python gethead.py http://<URL>

Lets see how the results look like. I have done a couple of them here as shown in screen shots:


This is such a cool tool. The source code is at your use and you can play around with it as per your requirements. You can add or edit or delete and make appropriate use of the same as per your need. :):)

Unfortunately there has no more work done after the 0.1 version. I am waiting eagerly for its upgraded features for sure. Are you  ?

Let me know via comments if you guys made any changes to find any new issues or vulnerabilities.

Happy HUNTING:)

Sunday, February 19, 2017

WAF ByPASS Trick-- SIMPLE and SWEET

This post originates from the BLOG of Mr Haddix (Link HERE) which is one of the most interesting hacks i have seen. Simple and Sweet

WAF- Web Application Firewall(OWASP Definition)or (Wiki Definition)

It is a very awesome strategy for the DID (Defense in Depth) Model as they offer a great means of keeping the malicious data outside the boundary's of the Web Application but are of course not a substitute for the flaw in the application.

The industry has adopted WAF in a significant manner and Pen Testers encounter them very often in their tests.

Usually the WAF is placed before the WebServer so that the malicious traffic is sorted out before it can reach the application asset.

There are a couple of ways in which we can identify the existence of a WAF. One of the ways can be checking out a cookie as some WAF's add their own cookie in the communication.


Another method can be examining the HTTP headers as WAFs may make the header to be changed or re-written.

There may also be a possibility of a WAF if the sessions are expiring very quickly.

Sometimes we end up getting the bad characters as well which might be an indication of a WAF.

Also there are a couple of automated tools which gives us some indication for WAF.

One such tool is called as WAFWOOF. Nmap our favorite also has a script which can be called via the NSE engine to check the presence of a WAF.

You can also look into the following blog for more details on detection

(http://foxtrot7security.blogspot.in/2012/01/real-world-waf-detection-and-bypass.html)

Now lets look into on how can we evade this evil boy.

Usually we use the payloads in encoded format to evade the rules of WAF but gone were those days (still it works for a couple of them).

One of the other ways is described below but before that lets look on why this thing actually works.

Ideally the WAF should look for a proper lookup into the originating or incoming request the WAF sometimes if not configured properly keeps on looking on to the request HTTP Headers. 

If it does so we have a lot of headers in control that we can take advantage of like:
  • X-forwarded-for
  • X-remote-IP
  • X-originating-IP
  • x-remote-addr
So here we are going to fool the WAF to believe that the request was from itself by adding the following request header and pointing it to localhost.

GET /?login.aspx HTTP/1.1
Host: 192.168.56.104
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
X-originating-IP: 127.0.0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

There are various things that we can play around with the use of these headers. I love this image from @Jhaddix



Now lets see on how can this be automated via BURP(mostly everybodys fav proxy)

Open up BURP proxy and navigate to the PROXY tab.Click on the OPTIONS tab and scroll down to the MATCH and REPLACE section.

Here we are going to add some rules for our mission.

Click on Add and you will get a window asking some options. Give the details as:

In the TYPE section choose REQUEST HEADER
In the REPLACE section write the header you want to use
In the comment section write some comments significant to the rule
Click OK and you are good to go.

Refer the screenshot below.



Once added just enable the same by checking the check box next to your rule as shown below and VOILAA you are good to go :)



HAPPY HUNTING :)