Friday, November 5, 2021

[TryHackMe] Linux Privilege Escalation

 

1) Through sudo find out executable applications:

$ sudo -l

After that, look up the matching escalation technique for each binary at https://gtfobins.github.io/


2) Search for SUID and SGID files:

$ find / -perm -4000 -o -perm -2000 -type f 2>/dev/null

The techniques for each SUID binary are listed at https://gtfobins.github.io/#+suid


Saturday, October 30, 2021

[TryHackMe] Firefox Add-ons

HackBar (Hacking tools)

https://addons.mozilla.org/en-US/firefox/addon/hackbar-free/


Cookie Quick Manager (Manipulate Cookies)

https://addons.mozilla.org/en-US/firefox/addon/cookie-quick-manager/


FoxyProxy (Easily switch Proxy settings)

https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/


User Agent String Switcher (Change Browser's User Agent property)

https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher/


Wappalyzer (Identify the technologies a target site runs on)

https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/

[TryHackMe] DNS Inspection and Reconnaissance Takeaway

1) Manual Discovery

whois (whois tryhackme.com)

nslookup (nslookup -type=MX tryhackme.com 8.8.4.4)

dig (dig @8.8.4.4 tryhackme.com MX)


2) Automated Discovery

gobuster (gobuster dns -d DOMAIN -w /usr/share/seclists/Discovery/DNS/namelist.txt)


3) OSINT

DNS Dumpster (https://dnsdumpster.com/)

Shodan (https://www.shodan.io/)

[TryHackMe] Web Security Inspection and Reconnaissance Takeaway

1) Manual Discovery

Robots.txt

Sitemap.xml

Favicon (https://wiki.owasp.org/index.php/OWASP_favicon_database)

HTTP Header (curl $URL -v)


2) OSINT

Google Hacking

Wappalyzer (https://www.wappalyzer.com/)

WayBackMachine (https://archive.org/web/)

GitHub

S3 Bucket


3) Automated Discovery

Seclists

ffuf (ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u http://URL/FUZZ)

dirb (dirb http://URL/ /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt)

gobuster (gobuster dir -u http://URL/ -w /usr/share/seclists/Discovery/Web-Content/common.txt)

Sunday, October 24, 2021

[wifi][wireless][802.11] Conversion between Monitor Mode and Managed Mode in Kali

Check the status of wireless adapters:

# iw dev


Switch from Managed Mode to Monitor Mode (assuming the wireless adapter is named wlan1):

# ip link set wlan1 down

# iw wlan1 set monitor control

# ip link set wlan1 up


Turn back to Managed Mode:

# ip link set wlan1 down

# iw wlan1 set type managed

# ip link set wlan1 up

Sunday, October 10, 2021

[Threat Intelligence] Checklist updated on 20211010

1) Check News related to the company (Use labels)

2) Check Security Advisories sent by US-CERT etc. (Use libraries)

3) Check changes of regulations (such as FFIEC, DFS 500, GLBA, OCC, SWIFT, CHIPS FEDLINE, ISO27001/27002, NIST SP800, FIPS 140-2, PCI-DSS)

4) New vulnerabilities (Use libraries and CVE/Bugtraq)

5) New threats (Use libraries)

6) Data Leakage Investigation (Use a spider and keywords against Dark Web sites and dark markets)

7) Reputation Investigation (Use a spider and keywords to check forums)

8) Phishing website Investigation

9) Crawl Hacker forums for the company's confidential data

10) Google Hacking to check if there is any web-based backdoor sitting in the company's website

11) Third-party passive vulnerability scan results (Use Shodan, ZoomEye)

12) Third-party web security scan (Use www.immuniweb.com/websec, SSL Labs)

13) Blacklist/SPAM List checking (Use IP ranges and domains)

14) Check if the company's IP addresses are in Botnet lists

15) Check if the company's emails have been compromised (Use https://haveibeenpwned.com/ and https://hacked-emails.com/)

16) Check DNS records (Use domains and IP ranges)

17) Honeypot/Sandbox Analysis

18) Suspicious Traffic Analysis

19) APT groups research (Use ATT&CK, FireEye APT Group, CyberMonitor@GitHub): specify those APTs' targets (e.g. industries and geographies), and see if your organization hits their target scopes

20) IOC search, analysis, and apply (to SIEM, NIDPS, Firewall, Anti-Virus, Anti-SPAM, etc.)

21) Action Plan

Monday, October 4, 2021

[John the Ripper][Password Cracker] John the Ripper


List all supported hash formats:

root@kali:~# john --list=formats


Crack Windows passwords:

root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT ./windows.txt


Crack ZIP passwords:

root@kali:~# zip2john ./nmap.zip > ./nmap_zip_hash.txt ; john --wordlist=/usr/share/wordlists/rockyou.txt --format=PKZIP ./nmap_zip_hash.txt


Sunday, October 3, 2021

[eCPPT] Examples of DNS Zone Transfer

# dig @10.50.96.5 foocampus.com -t AXFR +nocookie


# host -t axfr foocampus.com 10.50.96.5

Friday, October 1, 2021

[Hash|MD5|SHA256] Hash Identifier and Cracker

Hash Identifier:

https://hashes.com/en/decrypt/hash


Hash Online Cracker:

https://crackstation.net/


Offline Cracker:

https://www.openwall.com/john/

Thursday, September 30, 2021

Verify malware through VirusTotal by hash lookup (without uploading the sample), besides using YARA.

1) Open a CMD, go to the suspicious sample's folder, and type:

> certutil -hashfile suspicious_file.exe MD5

> certutil -hashfile suspicious_file.exe SHA256


2) Record the hashes shown in the output of those two commands above.


3) Open a web browser, go to https://www.virustotal.com/gui/home/search, and search the above-mentioned hashes.

Wednesday, September 29, 2021

[YARA] Yara Rulesets

https://github.com/Yara-Rules/rules

https://github.com/advanced-threat-research/Yara-Rules

https://github.com/reversinglabs/reversinglabs-yara-rules

https://github.com/bartblaze/Yara-rules/tree/master/rules



More rulesets can be found at https://github.com/InQuest/awesome-yara#rules

Friday, August 6, 2021

[bug bounty] Tool List #1

Browser Add-on:

FoxyProxy

Cookie Editor

BuiltWith


Proxy:

Burp Suite

ZAP


Fuzzer:

wfuzz


Directory Buster:

dirbuster


Domain Enumeration:

knockpy

sublist3r


Directory:

SecLists


Spider:

Scrapy


Encoder/Decoder:

CyberChef


CMS Detection:

WhatCMS (https://whatcms.org/)


SQL Injection:

sqlmap


Web Vulnerability Scan:

Striker

Monday, May 31, 2021

[metasploit][msfconsole]Metasploit Framework AutoPwn

P.S.: There is a backup of AutoPwn at https://github.com/d3m0n4l3x/tools/blob/master/db_autopwn.rb


1) Install/Upgrade Metasploit Framework:

# cd ~

# curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall


2) Download and install db_autopwn plugin:

# git clone https://github.com/hahwul/metasploit-autopwn

# cd metasploit-autopwn

# cp ./db_autopwn.rb /opt/metasploit-framework/embedded/framework/plugins/


3) Start Metasploit's database, namely PostgreSQL:

# systemctl start postgresql


4) Create a user, test1, in the database:

# su postgres

$ cd ~

$ createuser test1 -P


5) Create a database object named msf_db, owned by the user, test1:

$ createdb --owner=test1 msf_db


6) Connect to the database from msfconsole as root:

$ exit

# /opt/metasploit-framework/bin/msfconsole

msfconsole> db_connect test1:test1@127.0.0.1/msf_db


7) Check the status of the database's connection:

msfconsole> db_status


8) Scan the target first (assume the target is 192.168.0.1):

msfconsole> db_nmap 192.168.0.1


9) Load db_autopwn:

msfconsole> load db_autopwn


10) Automatically attack the target:

msfconsole> db_autopwn -t -p -e 192.168.1.1

[metasploit][msfconsole]Metasploit Framework Resource Script

[Generate a Resource script]

# msfconsole

msfconsole> ...

msfconsole> makerc demonalex.rc


[Resource Script Location]

# cd /opt/metasploit-framework/embedded/framework/scripts/resource/

# ll


[Read and Launch a script in Shell]

# cat /opt/metasploit-framework/embedded/framework/scripts/resource/demonalex.rc

# msfconsole -r /opt/metasploit-framework/embedded/framework/scripts/resource/demonalex.rc


[Read and Launch a script in Msfconsole]

msfconsole> more demonalex.rc

msfconsole> resource demonalex.rc

Sunday, May 30, 2021

[metasploit][msfconsole] Upgrade Metasploit Framework in Kali Linux (20210530)

# cd ~

# curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

# /opt/metasploit-framework/bin/msfconsole

Saturday, March 20, 2021

Use NMAP to identify Microsoft Exchange Vulnerabilities.

Reference:

https://github.com/microsoft/CSS-Exchange/tree/main/Security

https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

https://www.exploit-db.com/exploits/49663


PS: The NMAP script, http-vuln-exchange.nse, has been created by Microsoft Senior Threat Intelligence Analyst Kevin Beaumont to identify those Microsoft Exchange servers vulnerable to the recent Exchange vulnerabilities including CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.


# cd /usr/share/nmap/scripts

# wget https://raw.githubusercontent.com/GossiTheDog/scanning/main/http-vuln-exchange.nse

# nmap TARGET_IP -p 443 --script http-vuln-exchange

Sunday, February 21, 2021

[DLP]DLP Test Websites

https://dlptest.com/

http://dataleaktest.com/

https://www.dlp-test.com/

https://www.dlptest.net/

[DLP][Snort]Snort Rules for DLP

#Credit Card Number Identification:

alert tcp any any <> any any (pcre:"/4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/";msg:"VISA card number detected in cleartext";content:"visa";nocase;sid:9000000;rev:1;)

alert tcp any any <> any any (pcre:"/5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/";msg:"MasterCard number detected text";content:"mastercard";nocase;sid:9000001;rev:1;)

alert tcp any any <> any any (pcre:"/6011(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/";msg:"Discover card number detected text";content:"discover";nocase;sid:9000002;rev:1;)

alert tcp any any <> any any (pcre:"/3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}/";msg:"American Express card number text";content:"amex";nocase;sid:9000003;rev:1;)


#Identify Social Security Number:

alert tcp any any <> any any (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/";msg:"Social Security Number is found";content:"ssn";nocase;sid:9000004;rev:1;)
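As an added example (not part of the post), the five rules above replayed in Python over constructed sample payloads: each rule fires only when both the content keyword and the PCRE match, as in Snort, and a Luhn checksum is added as the false-positive filter a pcre alone cannot express. The card numbers are the well-known public test numbers, and the SAMPLES list is constructed for the demo.

```python
import re

# The page's five Snort rules as (sid, content keyword, PCRE, msg); backslashes restored.
RULES = [
    (9000000, "visa", r"4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}", "VISA card number detected in cleartext"),
    (9000001, "mastercard", r"5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}", "MasterCard number detected text"),
    (9000002, "discover", r"6011(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}", "Discover card number detected text"),
    (9000003, "amex", r"3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}", "American Express card number text"),
    (9000004, "ssn", r"\d{3}(\s|-)?\d{2}(\s|-)?\d{4}", "Social Security Number is found"),
]
COMPILED = [(sid, kw, re.compile(pcre), msg) for sid, kw, pcre, msg in RULES]

def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a matched card number: the usual DLP
    false-positive filter, which a Snort pcre on its own cannot express."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:  # every second digit from the right is doubled, 10..18 -> 1..9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def evaluate(payload: str) -> list[dict]:
    """Apply each rule the way Snort does: the content keyword (nocase) AND the
    PCRE must both match the same payload before the rule fires."""
    alerts, lowered = [], payload.lower()
    for sid, keyword, pattern, msg in COMPILED:
        if keyword not in lowered:
            continue
        for m in pattern.finditer(payload):
            alerts.append({"sid": sid, "msg": msg, "match": m.group(0),
                           # SSNs carry no checksum, so only the card rules get a Luhn verdict
                           "luhn_ok": luhn_ok(m.group(0)) if sid != 9000004 else None})
    return alerts

# Constructed sample payloads; the card numbers are the well-known public test numbers.
SAMPLES = [
    "Customer paid by VISA 4111 1111 1111 1111 on 2021-02-21",
    "visa refund to 4111-1111-1111-1112",  # fails Luhn: the pcre alone would still alert
    "MasterCard on file: 5555 5555 5555 4444",
    "Amex 3782 822463 10005 charged",
    "Invoice total 4111 1111 1111 1111 (no brand keyword, so the content check blocks the alert)",
    "Applicant SSN 123-45-6789",
]

if __name__ == "__main__":
    for line in SAMPLES:
        for a in evaluate(line):
            print(f"[sid {a['sid']}] {a['msg']}: {a['match']!r} luhn_ok={a['luhn_ok']}")
```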


Saturday, February 20, 2021

[SSL][PKI][OpenSSL]OpenSSL Cheatsheet

Reference: https://cheatography.com/albertx/cheat-sheets/openssl/


Installation:

# apt-get update

# apt-get install openssl


Generating Key-ring:

The following example generates a 4096-bit private key and writes it to a key file:

# openssl genrsa -out ./private-key.key 4096

Or generate a password-protected private key as such:

# openssl genrsa -aes256 -out ./private-key.key 4096

The public key can be derived from the private key as shown below:

# openssl rsa -in ./private-key.key -RSAPublicKey_out -out ./public-key.key


Add/remove password protection on a private key:

Adding password protection (encrypting the key with AES-256) is done as follows:

# openssl rsa -aes256 -in ./private-key.key -out ./private-key.encrypted.key

And removing password protection is done as shown below:

# openssl rsa -in ./private-key.encrypted.key -out ./private-key.key


Creating Certificate Signing Request (CSR):

Creating a Certificate Signing Request (CSR) by using an existing private key:

# openssl req -new -key ./private-key.key -out ./request.csr

Read the CSR file:

# openssl req -text -noout -in ./request.csr

Read the public key from the CSR file:

# openssl req -pubkey -noout -in ./request.csr


Sign a certificate through Certificate Signing Request (CSR):

# openssl ca -in ./request.csr -out ./certificate.crt -config ./CA/config/openssl.cnf

Read the information in the certificate:

# openssl x509 -text -noout -in ./certificate.crt

Extract the public key from the certificate:

# openssl x509 -pubkey -noout -in ./cert.crt


Generating a key pair and a self-signed certificate in one step:

# openssl req -newkey rsa:2048 -nodes -keyout /etc/ssl/certs/key.pem -x509 -days 365 -out /etc/ssl/certs/certificate.pem

Or:

# openssl req -newkey rsa:2048 -nodes -keyout ./private-key.key -x509 -days 365 -out ./cert.crt


Identifying Key-ring and Certificate:

Use the MD5 hash function to fingerprint all files:

# openssl dgst -md5 ./* 2>/dev/null


Combine the private key and certificate into a PKCS #12 file:

# openssl pkcs12 -export -out ./cert_key.p12 -inkey ./private-key.key -in ./certificate.crt
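An MD5 of each file only fingerprints the files; to confirm that a private key, a CSR and a certificate actually belong together, compare their RSA moduli. The script below is an added example (not from the cheatsheet or its reference): it drives the openssl binary (assumed on PATH with its default config) through the key -> CSR -> certificate flow above in a temporary directory, self-signing so no CA config is needed, and checks both a matching and a non-matching key. The subject /CN=example.test and the file names are constructed.

```python
import subprocess
import tempfile
from pathlib import Path

SUBJECT = "/CN=example.test"  # constructed subject for the demo CSR

def openssl(*args: str) -> str:
    """Run one openssl sub-command (assumed on PATH) and return its stdout."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout

def modulus(kind: str, path: Path) -> str:
    """'openssl rsa|req|x509 -noout -modulus -in FILE' prints 'Modulus=<hex>'; the hex is
    identical for a private key, the CSR made from it and any certificate issued on that CSR."""
    return openssl(kind, "-noout", "-modulus", "-in", str(path)).strip().split("=", 1)[1]

def same_keypair(key: Path, csr: Path, crt: Path) -> bool:
    """True only if key, CSR and certificate all carry the same RSA modulus."""
    return modulus("rsa", key) == modulus("req", csr) == modulus("x509", crt)

def build_demo(workdir: Path) -> dict:
    """Reproduce the cheatsheet's flow (key -> CSR -> certificate, self-signed here so no
    CA config is needed) plus an unrelated second key for the negative case."""
    key, csr, crt, other = (workdir / n for n in
                            ("private-key.key", "request.csr", "certificate.crt", "other-key.key"))
    openssl("genrsa", "-out", str(key), "2048")
    openssl("req", "-new", "-key", str(key), "-subj", SUBJECT, "-out", str(csr))
    openssl("x509", "-req", "-in", str(csr), "-signkey", str(key), "-days", "365", "-out", str(crt))
    openssl("genrsa", "-out", str(other), "2048")
    return {"key": key, "csr": csr, "crt": crt, "other": other}

def demo() -> dict:
    """Run the whole check in a throw-away directory and report both verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        f = build_demo(Path(tmp))
        return {"own_key": same_keypair(f["key"], f["csr"], f["crt"]),
                "other_key": same_keypair(f["other"], f["csr"], f["crt"])}

if __name__ == "__main__":
    print(demo())  # expected: {'own_key': True, 'other_key': False}
```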