Home Security Hacking
Category:

Hacking

The word “hacking” has two definitions. The first definition refers to the hobby/profession of working with computers. The second definition refers to breaking into computer systems. While the first definition is older and is still used by many computer enthusiasts (who refer to cyber-criminals as “crackers”), the second definition is much more commonly used.

Bypass Web Application Firewall using WAFNinja - blackMORE Ops
Denial-of-Service Attack (DoS)HackingHow toSecurity

Bypass Web Application Firewall using WAFNinja

by blackMOREOps
written by blackMOREOps

WAFNinja is a CLI python tool that helps penetration testers to bypass Web Application Firewall by automating steps necessary for bypassing input validation. WAFNinja supports HTTP connections, GET and POST requests and the use of Cookies in order to access pages restricted to authenticated users. It also supports intercepting proxy, so yes MITM for you.

Bypass Web Application Firewall using WAFNinja - blackMORE Ops

The tool was created with the objective to be easily extendible, simple to use and usable in a team environment.

Supported web methods:

  • HTTP connections
  • GET requests
  • POST requests
  • Using Cookies (for pages behind auth)
  • Intercepting proxy

Using WAFNinja for WAF Bypass

wafninja.py [-h] [-v] {fuzz, bypass, insert-fuzz, insert-bypass, set-db} ...

More examples

fuzzing

python wafninja.py fuzz -u "https://www.target.com/index.php?id=FUZZ" 
-c "phpsessid=value" -t xss -o output.html

Bypass WAG

python wafninja.py bypass -u "https://www.target.com/index.php"  -p "Name=PAYLOAD&Submit=Submit"         
-c "phpsessid=value" -t xss -o output.html

Insert fuzz

python wafninja.py insert-fuzz -i select -e select -t sql

Video demo

Here a complete video of a workshop that will teach you how to attack an application secured by a WAF. The moderator  describes WAF bypassing techniques and offers a systematic and practical approach on how to bypass web application firewalls based on these techniques. This video introduces WAFNinja, a tool that helps to find multiple vulnerabilities in firewalls.

Complete slides can be found here.

Reference

1 comment
0 FacebookTwitterPinterestThreadsBlueskyEmail
Hacking remote desktop protocol using rdpy - blackMORE Ops
HackingHow toSecurity

Hacking remote desktop protocol using rdpy

by blackMOREOps
written by blackMOREOps

RDPY is a Microsoft RDP Security Tool developed in pure Python with RDP Man in the Middle proxy support. This allows a user to record sessions and develop honeypot functionality. It supports both Microsoft RDP (Remote Desktop Protocol) protocol client and server side. RDPY supports standard RDP security layer, RDP over SSL and NLA authentication (through ntlmv2 authentication protocol). This article will briefly go over on hacking remote desktop protocol using rdpy and different usage of it.

Hacking remote desktop protocol using rdpy - blackMORE Ops

RDPY Features

RDPY provides the following RDP and VNC binaries :

  • RDP Man In The Middle proxy which record session
  • RDP Honeypot
  • RDP screenshoter
  • RDP client
  • VNC client
  • VNC screenshoter
  • RSS Player

Included binaries and usage

Dependencies are only needed for pyqt4 binaries :

  • rdpy-rdpclient
  • rdpy-rdpscreenshot
  • rdpy-vncclient
  • rdpy-vncscreenshot
  • rdpy-rssplayer

dpy-rdpclient

rdpy-rdpclient is a simple RDP Qt4 client.

$ rdpy-rdpclient.py [-u username] [-p password] [-d domain] [-r rss_ouput_file] [...] XXX.XXX.XXX.XXX[:3389]

You can use rdpy-rdpclient in a Recorder Session Scenario, used in rdpy-rdphoneypot.

rdpy-vncclient

rdpy-vncclient is a simple VNC Qt4 client .

$ rdpy-vncclient.py [-p password] XXX.XXX.XXX.XXX[:5900]

rdpy-rdpscreenshot

rdpy-rdpscreenshot saves login screen in file.

$ rdpy-rdpscreenshot.py [-w width] [-l height] [-o output_file_path] XXX.XXX.XXX.XXX[:3389]

rdpy-vncscreenshot

rdpy-vncscreenshot saves the first screen update in file.

$ rdpy-vncscreenshot.py [-p password] [-o output_file_path] XXX.XXX.XXX.XXX[:5900]

rdpy-rdpmitm

rdpy-rdpmitm is a RDP proxy allows you to do a Man In The Middle attack on RDP protocol. Record Session Scenario into rss file which can be replayed by rdpy-rssplayer.

$ rdpy-rdpmitm.py -o output_dir [-l listen_port] [-k private_key_file_path] [-c certificate_file_path] [-r (for XP or server 2003 client)] target_host[:target_port]

Output directory is used to save the rss file with following format (YYYYMMDDHHMMSS_ip_index.rss) The private key file and the certificate file are classic cryptographic files for SSL connections. The RDP protocol can negotiate its own security layer If one of both parameters are omitted, the server use standard RDP as security layer.

rdpy-rdphoneypot

rdpy-rdphoneypot is an RDP honey Pot. Use Recorded Session Scenario to replay scenario through RDP Protocol.

$ rdpy-rdphoneypot.py [-l listen_port] [-k private_key_file_path] [-c certificate_file_path] rss_file_path_1 ... rss_file_path_N

The private key file and the certificate file are classic cryptographic files for SSL connections. The RDP protocol can negotiate its own security layer. If one of both parameters are omitted, the server use standard RDP as security layer. You can specify more than one files to match more common screen size.

rdpy-rssplayer

rdpy-rssplayer is use to replay Record Session Scenario (rss) files generates by either rdpy-rdpmitm or rdpy-rdpclient binaries.

$ rdpy-rssplayer.py rss_file_path

References

1 comment
0 FacebookTwitterPinterestThreadsBlueskyEmail
Create MITM Test Environment using Snifflab
HackingHow toKali LinuxLinuxSecurity

Create MITM Test Environment using Snifflab

by blackMOREOps
written by blackMOREOps

Snifflab is a technical test environment for capturing and decrypting WiFi data transmissions. Snifflab creates a WiFi hotspot that is continually collecting all the packets sent over it. All connected clients’ HTTPS communications are subjected to a “Man-in-the-middle” attack, whereby they can later be decrypted for analysis. This article presents a brief overview on Snifflab and how to create MITM Test Environment using Snifflab.

Create MITM Test Environment using Snifflab

Motivation

Researchers and end-users alike often seek to understand what data their mobile device is sending to third parties. Unfortunately, monitoring one’s phone to see what, and to whom, data is sent is not exactly simple. Using packet capture software on Android is impossible without first rooting the device, and even then, difficult to use and export saved data. There are no applications to capture packets on iOS.

How it works

A researcher simply connects to the Snifflab WiFi network, is prompted to install a custom certificate authority on the device, and then can use their device as needed for the test.

All traffic on the network is logged by a Raspberry Pi dedicated to that task (“PCAP Collecting Machine”, in the Figure). The traffic is cloned by a Great Scott Gadgets Throwing Star LAN Tap, which routes it both to its destination, and to our Raspberry Pi. The Pi continually collects packet data, creating new packet capture (pcap) files at a regular interval, or once the active file reaches a configurable size. Saved files are regularly transferred to another machine (“Backup Machine”) for persistent storage. Users with SSH access to the Pi can also manually restart the pcap service, to get instant access to the captured packets, instead of waiting for the interval.

The custom certificate that each client must install enables the proxy server (“MITM Proxy Machine”) through which Snifflab routes its traffic to intercept HTTPS requests to the outside world, and re-encrypt them using certificates generated on-the-fly. This allows for the researcher to later decrypt most captured network traffic sent over HTTPS.

On the backup machine, the researcher has access to all previously-collected PCAPs, organized into folders by date, with each file named by the unix time at which the capture began.

The researcher may then open up the collected PCAP(s) in Wireshark or their utility of choice to analyze and decrypt the traffic.

Using SNIFFLab MITM Enivronment

SNIFFlab.py -h
    -i (specify the network interface)
    -s (specify the file size limit)
    -t (specify the time interval, in seconds, between new PCAP files)
    -f (specify a filename suffix to append to each PCAP.
    -u (specify a ssh username for a remote backup)
    -h (specify a ssh host for remote backup)
    -p (specify the path on the remote host for backup)

Reference:

0 comments
0 FacebookTwitterPinterestThreadsBlueskyEmail
WPSeku - Wordpress Security Scanner - blackMORE Ops
HackingLinuxSecurityWordPress

WPSeku – Wordpress Security Scanner

by blackMOREOps
written by blackMOREOps

WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.
WPSeku - Wordpress Security Scanner - blackMORE Ops

Features of WPSeku WordPress Security Scanner

WPSeku supports various types of scanning including:

  • Testing for XSS Vulnerabilities
  • Testing for SQL Injection Vulnerabilities
  • Testing for LFI Vulnerabilities
  • Bruteforce login via xmlrpc
  • Username Enumeration
  • Proxy Support
  • Method (GET/POST)
  • Custom Wordlists
  • Custom user-agent

It also uses the WPVulnDB Vulnerability Database API at https://wpvulndb.com/api.

Installation

$ git clone https://github.com/m4ll0k/WPSeku.git wpseku
$ cd wpseku
$ pip install -r requirements.txt
$ python wpseku.py

Usage

python wpseku.py –target https://site.com –ragent

\ \      / /  _ \/ ___|  ___| | ___   _ 
 \ \ /\ / /| |_) \___ \ / _ \ |/ / | | |
  \ V  V / |  __/ ___) |  __/   <| |_| |
   \_/\_/  |_|   |____/ \___|_|\_\\__,_|
                                         
|| WPSeku - Wordpress Security Scanner   
|| Version 0.2.1                         
|| Momo Outaadi (M4ll0k)                 
|| https://github.com/m4ll0k/WPSeku


Usage: ./wpseku.py [--target|-t] https://localhost
		-t --target		Target URL (eg: https://localhost)
		-x --xss		Testing XSS vulns
		-s --sql		Testing SQL vulns
		-l --lfi		Testing LFI vulns
		-q --query		Testable parameters (eg: "id=1&test=1")
		-b --brute		Bruteforce login via xmlrpc
		-u --user		Set username, default=admin
		-p --proxy		Set proxy, (host:port)
		-m --method		Set method (GET/POST)
		-c --cookie		Set cookies
		-w --wordlist	Set wordlist
		-a --agent		Set user-agent
		-r --redirect	Redirect target url, default=True
		-h --help		Show this help and exit

Examples:
		wpseku.py --target https://localhost
		wpseku.py -t https://localhost/wp-admin/post.php -m GET -q "post=49&action=edit" [-x,-s,-l]
		wpseku.py --target https://localhost --brute --wordlist dict.txt
		wpseku.py --target https://localhost --brute --user test --wordlist dict.txt

Credits and Contributors

Original idea and script from WPScan Team (https://wpscan.org/)

WPScan Vulnerability Database (https://wpvulndb.com/api)

0 comments
0 FacebookTwitterPinterestThreadsBlueskyEmail
Gain root access in macOS High Sierra #iamroot - blackMORE Ops - 1
HackingHow toSecurity

Gain root access in macOS High Sierra #iamroot

by blackMOREOps
written by blackMOREOps

It’s a rather embarrassing a bug that was discovered by developer Lemi Ergin that allows anyone to gain root access in macOS High Sierra with a blank password. Gain root access in macOS High Sierra #iamroot - blackMORE Ops - 1Yes, all you need to do is just press enter enough times and you’re root. In fact everyone now using #iamroot just to poke fun at @Apple for this mess. This bug works when attempting to access an administrator’s account on an unlocked Mac, and it also provides access at the login screen of a locked Mac. This bug is present in the current version of macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta that is in testing at the moment. It’s not clear how such a significant bug got past Apple, but it’s likely this is something that the company will immediately address. Until the issue is fixed, you can enable a root account with a password to prevent the bug from working.

How to do #iamroot

Follow below steps from any kind of Mac account, admin or guest:

  1. Open System Preferences
  2. Choose Users & Groups
  3. Click the lock to make changes
  4. Type “root” in the username field
  5. Move the mouse to the Password field and click there, but leave it blank
  6. Click unlock, and it should allow you full access to add a new administrator account.

At the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. At the login screen, click “Other,” and then enter “root” again with no password. This allows for admin-level access directly from the locked login screen, with the account able to see everything on the computer.

In case you think this is funny, well experts are also poking fun at Apple and there’s major tweetstorm going on.


So, if you were able to do it, leave a comment with nothing but “it worked #iamroot”. Enjoy

1 comment
0 FacebookTwitterPinterestThreadsBlueskyEmail
Newer Posts
Older Posts
@2021 - All Right Reserved. Designed and Developed by PenciDesign