Amnesic Incognito Live System: Tails

Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship almost anywhere you… (via CyberPunk) http://ift.tt/1Nukf2P http://ift.tt/2aM8QhC

WebApp Penetration Testing: Local File Inclusion (LFI) – Penetration Testing in Linux

What is a local file inclusion (LFI) vulnerability?

LFI allows an attacker to make the server include a file of the attacker's choosing, typically by sending a crafted request from a browser. When a web application does not properly validate the input that selects a file, an attacker can manipulate that input, inject path traversal characters, and include other files that reside on the web server.

Vulnerability Code Example

The following figure shows PHP code that has a local file inclusion vulnerability:

Identify LFI in the WEB application

LFI vulnerabilities are easy to recognize and exploit. Any script that includes a file from the web server is a good entry point for the next step, an LFI test, for example:

As a penetration tester, you can try to manipulate the parameter that selects the file location, like the following:

The request above displays the contents of the /etc/passwd file on UNIX or Linux systems.

The following figure shows an example of successful exploitation of an LFI vulnerability in a web application:
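The figure with the vulnerable PHP is not reproduced here, so the following added example (written for this page, not code from the original article) models the same flaw in Python: a page loader that builds a file path straight from the request parameter, next to a hardened loader that decodes once, rejects null bytes and stream wrappers, consults an allow-list and then proves the resolved path is still inside the pages directory. The directory /srv/app/pages, the .php suffix and the allow-list of page names are constructed assumptions.

```python
import os
from urllib.parse import unquote

# Constructed assumptions: the directory the loader may serve from, the
# suffix it appends, and the allow-list of pages the application really has.
PAGES_DIR = os.path.realpath("/srv/app/pages")
SUFFIX = ".php"
KNOWN_PAGES = frozenset({"home", "about", "contact"})


class UnsafePageName(ValueError):
    """Raised by resolve_safe() when the request parameter is rejected."""


def resolve_unsafe(name):
    """Vulnerable loader: the request parameter goes straight into the path.

    '../' sequences walk out of PAGES_DIR, which is the LFI the article
    describes (with include() in PHP the target file would be executed).
    """
    return os.path.realpath(os.path.join(PAGES_DIR, name + SUFFIX))


def resolve_safe(name, allowlist=KNOWN_PAGES):
    """Hardened loader: decode once, reject null bytes, wrappers, absolute
    paths and separators, consult the allow-list, then check containment."""
    raw = unquote(name)
    if "\x00" in raw:
        raise UnsafePageName("null byte in page name")
    if "://" in raw or raw.startswith(("/", "\\")):
        raise UnsafePageName("absolute path or stream wrapper")
    if "/" in raw or "\\" in raw or raw in ("", ".", ".."):
        raise UnsafePageName("path separators are not allowed")
    if allowlist is not None and raw not in allowlist:
        raise UnsafePageName("unknown page")
    path = os.path.realpath(os.path.join(PAGES_DIR, raw + SUFFIX))
    # Containment check: defence in depth even if the checks above are relaxed.
    if escapes_root(path):
        raise UnsafePageName("resolved path escapes PAGES_DIR")
    return path


def escapes_root(path):
    """True if an absolute, resolved path lies outside PAGES_DIR."""
    return os.path.commonpath([PAGES_DIR, path]) != PAGES_DIR


def rejects(name, allowlist=KNOWN_PAGES):
    """True if resolve_safe() refuses the name (used by the demonstration)."""
    try:
        resolve_safe(name, allowlist)
    except UnsafePageName:
        return True
    return False


if __name__ == "__main__":
    probes = ("home", "../../../../etc/passwd",
              "php://filter/convert.base64-encode/resource=home", "home%00")
    for probe in probes:
        print(f"{probe!r:50} unsafe -> {resolve_unsafe(probe)}"
              f"  hardened rejects: {rejects(probe)}")
```

The allow-list is the check that actually closes the hole; the containment test on the resolved path is kept as a second line of defence so that a future relaxation of the string checks (or a symlink inside the pages directory) still cannot reach a file outside it.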

Techniques for bypassing a WAF

PHP expect://

The PHP “expect://” wrapper allows execution of system commands; however, the PHP expect module is not enabled by default.

PHP file://

The following figure shows a POST request with a payload:

The following figure shows an attack on DVWA using php://input; the request body contains an “ls” command:

PHP php://filter

The php://filter wrapper allows penetration testers to include local files and encode the output with Base64. The Base64-encoded output then needs to be decoded to recover the original content. Examples of attacks are as follows:

The output after Base64 decoding:

PHP ZIP

The PHP zip wrapper handles an uploaded .zip file on the server side: the attacker uploads a ZIP file through a flawed file upload function and then invokes the server-side zip wrapper via LFI. A typical attack looks like this:

1. Create a PHP reverse shell (SHELL.php).

2. Compress it into a .zip file.

3. Upload this .zip file to the remote server.

4. Use the PHP zip wrapper to extract the PHP shell: “php?page=zip://path/to/file.zip%23shell”.

5. The command above extracts the file named SHELL.php; if the server does not append a .php suffix, you can add it by renaming.

If the file upload function does not allow uploading a ZIP file, you can try to bypass the file upload limit using various methods.

Execute LFI with /proc/self/environ

Use the local file inclusion vulnerability to check whether the /proc/self/environ file can be included. That file exposes the environment of the web server process, including the User-Agent header of the current request, so PHP code placed in the User-Agent header may be executed. If the code is successfully injected into the User-Agent header, including /proc/self/environ through the LFI vulnerability causes the environment to be reloaded and executed, and finally your reverse shell runs.

Null Byte

By appending a URL-encoded null byte, “%00”, to the input, the filtering in the web application can in some cases be bypassed. Typically, once the null character is added, the back-end web application either passes the input through or stops processing it at that character, which can bypass the application's blacklist filter. Here are some examples of LFI null-byte payloads:

Truncate LFI

Truncation is another technique that bypasses blacklists. By injecting a very long parameter into a vulnerable file inclusion mechanism, the web application may be forced to truncate (“cut”) the input parameter, which can bypass the input filter. An example of LFI truncation:

Log file
Log file poisoning is done by injecting code into a log file on the target system. Often, when some open service on the target system is accessed, the system automatically writes an access record to a log file, which makes it possible to write code into the log. For example, when the target system is accessed with a URL that contains a PHP reverse shell, the target returns a 404 page and creates an Apache access-log entry containing that PHP reverse shell. Using the previously discovered file inclusion vulnerability, you can then include the Apache log file, and the PHP reverse shell stored in the log is executed.

After the source code has been written into the target system's log file, the next step is to determine the location of the log file. In the reconnaissance and discovery phase of a web server penetration test, we usually collect information about the target system by scanning. A good starting point is the default log paths of the identified operating system and web server.
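From the defender's side, the wrapper, null-byte, truncation and log-poisoning techniques described above all leave recognisable traces in the web server's access log. The following added example (written for this page, not part of the original article) scans Apache combined-format log lines for those indicators after one round of URL decoding, and also flags PHP tags arriving in the User-Agent or Referer, which is what log poisoning looks like before the log is included. The sample log lines, the indicator names and the 1024-character threshold for an oversized query string are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Indicators for the techniques in the article; the patterns run against the
# URL-decoded request line plus the User-Agent and Referer fields.
INDICATORS = {
    "traversal": re.compile(r"(?:\.\./|\.\.\\)"),
    "null_byte": re.compile(r"\x00"),
    "php_wrapper": re.compile(r"(?:php|expect|zip|data|phar)://", re.I),
    "proc_environ": re.compile(r"/proc/self/environ", re.I),
    "log_path": re.compile(r"/var/log/(?:apache2|httpd|nginx)/", re.I),
    "php_tag_in_request": re.compile(r"<\?php", re.I),
}
LONG_PARAM = 1024  # constructed threshold for the truncation technique

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def analyse_line(line):
    """Return (client ip, sorted indicator names) for one access-log line,
    or None if the line does not parse as combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Decode the request line once so %2e%2e%2f and %00 are seen in clear.
    decoded_req = unquote(fields["req"])
    haystack = " ".join((decoded_req, fields["ua"], fields["ref"]))
    hits = {name for name, pat in INDICATORS.items() if pat.search(haystack)}
    # A query string far longer than any legitimate one hints at truncation attempts.
    if "?" in decoded_req and len(decoded_req.split("?", 1)[1]) > LONG_PARAM:
        hits.add("oversized_query")
    return fields["ip"], sorted(hits)


def scan(lines):
    """Return only the suspicious lines as (line number, ip, indicators)."""
    findings = []
    for n, line in enumerate(lines, start=1):
        result = analyse_line(line)
        if result and result[1]:
            findings.append((n, result[0], result[1]))
    return findings


# Constructed sample log: one benign request followed by LFI-style probes.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2017:10:27:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2017:10:27:02 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1720 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2017:10:27:03 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2017:10:27:04 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 900 "-" "<?php echo 1; ?>"',
    '203.0.113.9 - - [10/May/2017:10:27:05 +0000] "GET /index.php?page=home%00 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, ip, hits in scan(SAMPLE_LOG):
        print(f"line {n} from {ip}: {', '.join(hits)}")
```

Decoding the request line before matching matters: the traversal in the second sample line is only visible after %2F is turned back into a slash, and a rule that looked for a literal "../" would miss it. Matching the User-Agent and Referer fields as well is what turns this into a log-poisoning detector rather than just a traversal one.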

Send a reverse shell by mail to the target machine

If the target machine accepts e-mail, directly or via another machine on the network, and stores the message in the mailbox of the system's www-data user (or another Apache user), it is entirely possible to deliver a reverse shell to the target by e-mail. If the domain has no MX record but SMTP is reachable, it may still be possible to connect to the target's mail server and send mail to the www-data/apache user. Sending the mail to the user Apache runs as ensures that this account has access to its own mail directory, into which the PHP reverse shell has been written. In this example the user account is www-data and the mail directory is /var/spool/mail/www-data. In an actual attack, first enumerate accounts on the target system using a list of known UNIX/Linux account names, as follows:

As above: the smtp-user-enum script confirms that the www-data user account exists on the system.

The following picture shows the process of sending mail to the www-data user via telnet:

The following figure shows the www-data mailbox file containing the PHP reverse shell code that was sent:

Use netcat to listen on local port 80 for the reverse shell from the target system; as shown below, the PHP shell connects back successfully:

The post WebApp Penetration Testing: Local File Inclusion (LFI) appeared first on Penetration Testing in Linux. http://ift.tt/2qepH0M http://ift.tt/2aM8QhC

Doomed Thermostat

It is amazing how the game Doom has been ported to so many things. Enter one more port, where the hardware in question is a Honeywell Prestige thermostat.

In his video, [cz7asm] shows us the game running quite nicely on the 480 x 272 LCD with an NES controller plugged into the USB port originally intended for software updates. The thermostat runs on a STM32F429 which is an ARM9 processor that has the juice to pull it off. The Doom engine being used is based on Chocolate Doom, an open source port of the game, and the binaries can be downloaded for Windows and Mac. The source code is also available as a download for your tinkering pleasure. This project by [cz7asm] is extended from code on GitHub by [floppes] that was meant for the STM32F429IDISCOVERY evaluation board.

The author shares his code for the STM32F4 on Dropbox as a zip; to compile it, the Atmel BSP for GNU GCC is used. The video below demonstrates the hack in action and, though there is no sound yet, the satisfaction that comes from such modifications is its own reward.

What else can you run Doom on? How about a calculator or maybe the Intel Edison or even an ATM machine! If there is a processor with enough muscle power, hackers will find a way to run Doom on it. So have you seen any alien computers lately that you think can be hacked?

Filed under: ARM, classic hacks http://ift.tt/2qJEeW0 http://ift.tt/2aM8QhC

Linux commands to view all the connection process specified information – Penetration Testing in Linux

When troubleshooting a network problem in a process, a frequent need is to find information about all of its connections. Information about a listening port is easy to get with ss or netstat; information about the connections the process has actively established with other machines can be obtained with the lsof command.

For example, I want to see all the current connection information for the frps process; first obtain its pid:

ps -ef|grep frps

The result is:

wcl 4721 1 0 10:27 ? 00:00:01 ./frps

You can see that the process pid is 4721; then view all of its TCP connection information with the lsof command:

lsof -p 4721 -nP | grep TCP

frps 4721 wcl 4u IPv6 117051764 0t0 TCP *:7000 (LISTEN)
frps 4721 wcl 6u IPv6 117051765 0t0 TCP *:7003 (LISTEN)
frps 4721 wcl 7u IPv6 117092563 0t0 TCP 139.129.11.120:7000->116.231.70.223:61545 (ESTABLISHED)
frps 4721 wcl 8u IPv6 117092565 0t0 TCP *:6000 (LISTEN)
frps 4721 wcl 9u IPv6 117334426 0t0 TCP 139.129.11.120:7000->116.237.93.230:64898 (ESTABLISHED)
frps 4721 wcl 10u IPv6 117053538 0t0 TCP 139.129.11.120:7000->115.231.20.123:41297 (ESTABLISHED)
frps 4721 wcl 11u IPv6 117053540 0t0 TCP *:6005 (LISTEN)
frps 4721 wcl 12u IPv6 117334428 0t0 TCP *:6004 (LISTEN)

From the lsof output you can clearly see that the frps process is listening on five ports and has three established connections on port 7000; the IP addresses at both ends of each connection can also be read off.

The -n and -P options of lsof display IP addresses and port numbers numerically; otherwise lsof may show them as host names and service names instead.
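Reading this by eye works for eight lines, but when reviewing a long-running service the same output is easier to reason about once it is parsed. The following added example (written for this page, not from the original article) parses the lsof lines shown above, a constructed copy of that output embedded inline, and summarises which ports are listening, how many established connections sit on each local port, and which remote peers are connected. The column layout it assumes is the one lsof -nP prints for TCP sockets: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, with the connection state in parentheses.

```python
import re
from collections import Counter

# Constructed copy of the output shown in the article (lsof -p 4721 -nP | grep TCP).
LSOF_OUTPUT = """\
frps 4721 wcl 4u IPv6 117051764 0t0 TCP *:7000 (LISTEN)
frps 4721 wcl 6u IPv6 117051765 0t0 TCP *:7003 (LISTEN)
frps 4721 wcl 7u IPv6 117092563 0t0 TCP 139.129.11.120:7000->116.231.70.223:61545 (ESTABLISHED)
frps 4721 wcl 8u IPv6 117092565 0t0 TCP *:6000 (LISTEN)
frps 4721 wcl 9u IPv6 117334426 0t0 TCP 139.129.11.120:7000->116.237.93.230:64898 (ESTABLISHED)
frps 4721 wcl 10u IPv6 117053538 0t0 TCP 139.129.11.120:7000->115.231.20.123:41297 (ESTABLISHED)
frps 4721 wcl 11u IPv6 117053540 0t0 TCP *:6005 (LISTEN)
frps 4721 wcl 12u IPv6 117334428 0t0 TCP *:6004 (LISTEN)
"""

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE); the header line
# lsof prints without grep does not match because PID must be numeric.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+(?P<type>\S+)\s+"
    r"\S+\s+\S+\s+(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?$"
)


def split_endpoint(endpoint):
    """Split 'host:port' into (host, int port); rpartition keeps IPv6 hosts intact."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_lsof(text):
    """Parse lsof -nP socket lines into dicts with local/remote endpoint tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        local, _, remote = row["name"].partition("->")
        row["local"] = split_endpoint(local)
        row["remote"] = split_endpoint(remote) if remote else None
        rows.append(row)
    return rows


def summarize(rows):
    """Listening ports, established connections per local port, and remote peers."""
    listening = sorted(r["local"][1] for r in rows if r["state"] == "LISTEN")
    established = [r for r in rows if r["state"] == "ESTABLISHED"]
    per_port = Counter(r["local"][1] for r in established)
    peers = sorted(r["remote"][0] for r in established)
    return {"listening": listening,
            "established_by_port": dict(per_port),
            "peers": peers}


if __name__ == "__main__":
    summary = summarize(parse_lsof(LSOF_OUTPUT))
    print("listening ports:", summary["listening"])
    print("established per local port:", summary["established_by_port"])
    print("remote peers:", summary["peers"])
```

The peer list is the part worth keeping around: comparing it against the addresses a service is expected to talk to is a quick way to spot a connection that should not be there.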

The post Linux commands to view all the connection process specified information appeared first on Penetration Testing in Linux. http://ift.tt/2qb9dr7 http://ift.tt/2aM8QhC