Port Full Scan

Effective Service Enumeration. In this post we will address one of the tasks that haunts every pentester or red team operator: service enumeration. It is a challenging task for every red team operator / pentester, especially when confronted with a Class A network address range for the first time. A typical service enumeration technique is comprised of: Host discovery: create a list of live hosts (as close to 100% as possible). Port scanning: find the exposed services…

ROP Adventures

In this post we will dive into an old MSRPC vulnerability, specifically NetPathCanonicalize. Understanding the bug. The vulnerability is a stack corruption bug; in short, the main objective is to remove '..' from a path, and to do so it uses a recursive call. The problem happens when the '..' forces the recursion to go beyond the last element of the path. You can find the full bug analysis in decompiling-ms08-067. It's an old bug… Yes, there's lots…

Strong Password change

Hey, what's up, yeah I know it's been a long time since I posted something. Strong password change. Over the last years a lot of things have been said about strong passwords and the meaning of a strong password; as CPU power increases, the number and range of characters also increase. This makes things hard at many levels: from the user's perspective, think about a string that meets all the requisites and remember it, it's…

Wordlist Processor

Happy new year. (Yeah, I know, I have been busy.) The last year ended up being a cool year with a great end; I was a speaker at two events with something I have been working on for a while now: password cracking. Everything started some time ago after googling around about password cracking, which I first shared with my colleagues after a small PoC, and since to me everything less than 100% isn't worth spending time…

Install OpenVAS 8 with Postgres on Kali Linux Rolling

This one is something that took quite some time to pull off; while searching, most of the information I found was either wrong or incomplete, so here we go. Objectives: build OpenVAS with PostgreSQL support. Make the required configuration changes to the Kali Linux source, such as service scripts. Create a .deb package with the Kali Linux source. Requirements: to pull this off I will be using Kali Linux Rolling v4.6.4; other than the usual build tools we…

WordPress Admin Login Protection Myths

Some time last week, I found some posts on the web suggesting that one could protect the "broken" WordPress authentication with the weirdest ideas, from IP blocking plugins to HTTP Basic Authentication in front of wp-login.php. Yeah, I think they are funny too. In this post I will try to explain why this is a horrible idea. There are many ways to make the attacker's life difficult; one of the most effective is to make the…

Infosecinstitute CTF 2 - LEVEL 9

This will be the solution for Level 9 of the Practical Web Hacking CTF #2. In this level we are told that we have broken session management; as I explained in level 5, this usually means we have a broken session id, and the usual flaws are: deprecated hashing algorithms like md5, md4, sha1, etc.; unsafe session ids based on time or user input. After looking at the session id I noticed what might be a familiar encoding style, to…

Infosecinstitute CTF 2 - LEVEL 8

This will be the solution for Level 8 of the Practical Web Hacking CTF #2. In this level we have an unrestricted file upload form; the objective is to bypass the protection in place and find a way to upload and execute our JavaScript payload. The vulnerabilities are usually about the detection of the file type; the usual implementations are: file type based on extension (the worst kind there is!). This is usually a bad idea because from…

Infosecinstitute CTF 2 - LEVEL 7

This will be the solution for Level 7 of the Practical Web Hacking CTF #2. In this level we have a simple login screen; the objective is to exploit an A3 Cross-Site Scripting vulnerability. This type of vulnerability exploits the interpreter in the browser to achieve client-side code execution (JavaScript): session hijacking, Cross-Site Request Forgery. The objective is to insert an HTML tag with our name in it; for that we need to see some details about the implementation. After…

Infosecinstitute CTF 2 - LEVEL 6

In this level we have a simple comment application: Cross-Site Request Forgery. In this level the objective is to create a payload to be added as a comment in a way that, when other users visit the page, a request is executed when the page loads. In this scenario we have to exploit the vulnerabilities: cross-site scripting, Cross-Site Request Forgery. The second vulnerability is not actually on the level itself; the objective is…

Infosecinstitute CTF 2 - LEVEL 5

This will be the solution for Level 5 of the Practical Web Hacking CTF #2. This level is about access controls. This vulnerability happens when an application has a bad access control implementation; the most common case is related to session management, with issues like the use of md5 or any other deprecated weak hashing algorithm, or unsafe random. In both cases the application follows the execution without proper validation (access control). In this case the objective is to make…

Infosecinstitute CTF 2 - LEVEL 13

This will be the solution for Level 13 of the Practical Web Hacking CTF #2. In this level we are told that we have to find a way to redirect ourselves to another domain; this means that we need to exploit an Unvalidated Redirect or Forward. The information we need is given to us after the last level, as seen in the picture. We can try to execute a direct redirect with the same parameter and the…

Infosecinstitute CTF 2 - LEVEL 12

This will be the solution for Level 12 of the Practical Web Hacking CTF #2. In this level, unfortunately, we have a very realistic example of how easy it is to bruteforce web applications; our objective is to try to bruteforce a login and password. The procedure is very simple: we need to collect the information that would allow us to execute the request as if it were made by the browser. Tasks: collect input names. Find the…