As with many exploits, remote and local file inclusions are only a problem on the coding end; of course it takes a second party to exploit them. This article will hopefully give you an idea of how to protect your website, and most importantly your code, from a file inclusion exploit. I'll give code examples in PHP. Let's look at some of the code that makes RFI / LFI exploits possible.

<a href=index.php?page=file1.php> Files </a>
<?php $page = $_GET['page']; include($page); ?>

Now obviously this should not be used. The $page input is not sanitized at all: it goes straight from the query string into include(), which is a big "NO". Always sanitize any input that arrives from the browser. When the user clicks on "Files" to visit files.php, a URL like this will appear: http://localhost/index.php?page=files.php Now, if nobody has sanitized the input in the $page variable, we can point it at whatever we want. If the site is hosted on a Unix/Linux server, we can display password or configuration files such as /etc/passwd or /etc/shadow through the unsanitized variable. Viewing files on the server this way is a "Local File Inclusion" or LFI exploit. This is less severe than an RFI exploit, but still serious. http://localhost/index.php?page=../../../../../../etc/passwd The code will most likely return /etc/passwd. Now let's look at the RFI aspect of this exploit. Let's take some of the code we looked at before. <a href=index.php?page=file1.php> Files </a> <?…
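The article's fix is stated in PHP terms ("sanitize the input"), but the check itself is language-neutral. The following is an added example, not code from the article: the same include-path validation written in Python, with a fixed allowlist as the preferred fix and a confined-path resolver as the fallback. PAGES_DIR, ALLOWED_PAGES and the page names are assumed.

```python
from pathlib import Path
from urllib.parse import urlsplit

# Assumed layout: the only files that may ever be included live here.
PAGES_DIR = Path("/var/www/pages")

# Strongest fix: the page parameter is a token looked up in a fixed map,
# never a path. (Constructed entries.)
ALLOWED_PAGES = {
    "files": "files.php",
    "about": "about.php",
}


def page_from_allowlist(token: str):
    """Return the file for a known token, None for anything else."""
    return ALLOWED_PAGES.get(token)


def resolve_page(requested: str, base_dir: Path = PAGES_DIR, allowed_ext=(".php",)):
    """Fallback when a path really must be accepted: refuse remote targets
    and stream wrappers, refuse null bytes, canonicalise, then confine the
    result to base_dir. Returns the absolute Path or None (reject)."""
    # RFI (http://, ftp://) and wrappers like php://filter or data: all carry a scheme.
    if urlsplit(requested).scheme:
        return None
    # Old PHP truncated paths at NUL, so page=../../etc/passwd%00 defeated a suffix append.
    if "\0" in requested:
        return None
    base = base_dir.resolve()
    candidate = (base / requested).resolve()   # collapses ../ and absolute paths
    if base not in candidate.parents:          # escaped the pages directory
        return None
    if candidate.suffix not in allowed_ext:    # only real page files
        return None
    return candidate


if __name__ == "__main__":
    for p in ("files.php", "../../../../../../etc/passwd",
              "http://evil.example/shell.txt", "php://filter/resource=index.php"):
        print(repr(p), "->", resolve_page(p))
```

Prefer page_from_allowlist: a token lookup has no path semantics to get wrong. resolve_page is there for code bases that already pass file names around; note that it checks the canonical path, not the string, so encoded and doubled traversal sequences are handled by the OS path normalisation rather than by a blocklist.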

This shell is the ultimate WinRM shell for hacking/pentesting. WinRM (Windows Remote Management) is the Microsoft implementation of the WS-Management Protocol, a standard SOAP-based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in their operating systems to make life easier for system administrators. This program can be used against any Microsoft Windows server with this feature enabled (usually on port 5985), of course only if you have credentials and permissions to use it. So we can say that it is used in the post-exploitation phase of hacking/pentesting. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used for legitimate purposes by system administrators as well, but most of its features are focused on hacking/pentesting.
Features:
Load PowerShell scripts in memory
Load DLL files in memory, bypassing some AVs
Load C# (C Sharp) assemblies in memory, bypassing some AVs
Load x64 payloads generated with the awesome donut technique
AMSI bypass
Pass-the-hash support
Kerberos auth support
SSL and certificate support
Upload and download files
List remote machine services without privileges
Command history
WinRM command completion
Local file completion
Colorization of output messages (can be disabled optionally)
Help
Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S]…

This project produces open-source code to generate rainbow tables as well as to use them to look up password hashes. While the current release only supports NTLM, future releases aim to support MD5, SHA-1, SHA-256, and possibly more. Both Linux and Windows are supported! For more information, see the project website: https://www.rainbowcrackalack.com/ Volunteering The project for generating NTLM 9-character tables is now underway! If you create 5 tables for us, your name will be listed on the project website as a project supporter. If you create 200 tables, we will mail you a free magnetic hard drive containing NTLM 9-character tables with 50% efficiency. Ships world-wide! If you have modern GPU equipment and you'd like to contribute, please reach out using this form to coordinate efforts. NTLM Tables Currently, NTLM 8-character tables are available for free download via BitTorrent. For convenience, they may also be purchased on an SSD with a USB 3.0 external enclosure. Examples Generating NTLM 9-character tables The following command shows how to generate a standard 9-character NTLM table:
# ./crackalack_gen ntlm ascii-32-95 9 9 0 803000 67108864 0
The arguments are designed to be comparable to those of the original (and now closed-source) rainbow crack tools. In order, they mean:

Argument | Meaning
---|---
ntlm | The hash algorithm to use. Currently only "ntlm" is supported.
ascii-32-95 | The character set to use. This…
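The crackalack_gen arguments above (character set, plaintext length, chain length 803000, 67108864 chains) only make sense once you see what a chain is. Below is an added toy rainbow table, not the project's code: it builds chains with a column-dependent reduction function, stores only endpoints, looks a hash up by finishing the chain from each possible column, and reports the fraction of the keyspace the chains cover (the "efficiency" figure the project quotes). The charset, lengths and chain counts are shrunk so it runs instantly, and SHA-1 over UTF-16LE stands in for NTLM's MD4 because MD4 is missing from many hashlib builds.

```python
import hashlib

# Toy parameters: crackalack_gen above uses ascii-32-95, length 9,
# chain length 803000 and 67108864 chains; everything is shrunk here.
CHARSET = "abc"
PLAINTEXT_LEN = 4
SPACE = len(CHARSET) ** PLAINTEXT_LEN   # 81 possible plaintexts
CHAIN_LEN = 8                           # reductions (columns) per chain
NUM_CHAINS = 30


def toy_hash(pw: str) -> bytes:
    """Stand-in for NTLM (MD4 over the UTF-16LE password). Use
    hashlib.new("md4", pw.encode("utf-16-le")) where MD4 is available."""
    return hashlib.sha1(pw.encode("utf-16-le")).digest()


def index_to_plain(idx: int) -> str:
    """Map an integer in [0, SPACE) to a plaintext over CHARSET."""
    chars = []
    for _ in range(PLAINTEXT_LEN):
        chars.append(CHARSET[idx % len(CHARSET)])
        idx //= len(CHARSET)
    return "".join(chars)


def reduce_hash(digest: bytes, column: int) -> str:
    """Reduction function R_column: digest -> plaintext. Mixing in the column
    index is what makes this a rainbow table rather than a Hellman table;
    it keeps chains that collide in different columns from merging."""
    idx = (int.from_bytes(digest[:8], "little") + column) % SPACE
    return index_to_plain(idx)


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Walk each chain and keep only endpoint -> [start points]. Chains that
    merge share an endpoint, so a list is kept instead of a single start."""
    table = {}
    for i in range(num_chains):
        start = index_to_plain(i % SPACE)
        p = start
        for col in range(chain_len):
            p = reduce_hash(toy_hash(p), col)
        table.setdefault(p, []).append(start)
    return table


def crack(table: dict, target: bytes, chain_len: int = CHAIN_LEN):
    """Assume the target hash sits at column j, finish the chain from there,
    and if the endpoint is stored, replay that chain from its start to find
    the preimage. Returns None when no stored chain covers the password."""
    for j in range(chain_len - 1, -1, -1):
        p = reduce_hash(target, j)
        for col in range(j + 1, chain_len):
            p = reduce_hash(toy_hash(p), col)
        for start in table.get(p, []):
            q = start
            for col in range(chain_len):
                h = toy_hash(q)
                if h == target:
                    return q
                q = reduce_hash(h, col)
            # Endpoint matched but the chain never hit target: a false alarm
            # caused by a merge; keep trying other columns and starts.
    return None


def coverage(table: dict, chain_len: int = CHAIN_LEN) -> float:
    """Fraction of the plaintext space that some chain passes through."""
    seen = set()
    for starts in table.values():
        for start in starts:
            p = start
            for col in range(chain_len):
                seen.add(p)
                p = reduce_hash(toy_hash(p), col)
    return len(seen) / SPACE


if __name__ == "__main__":
    table = build_table()
    print(f"{len(table)} distinct endpoints, coverage {coverage(table):.0%}")
    print("abca ->", crack(table, toy_hash("abca")))
```

The trade-off the real arguments encode is visible here: a longer chain stores more plaintexts per endpoint (less disk) at the cost of more hash work per lookup, since each of the chain_len columns must be walked to the end, and more chains raise coverage with diminishing returns as merges grow.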

The Brave Privacy Browser is your fast, safe private web browser with ad blocker, private tabs and pop-up blocker. Browse without being tracked by advertisers, malware and pop-ups. ** Fast & Secure Web Browser ** No external plugins or settings! Brave privacy browser simply provides the most secure, lightning fast web browser for Android. Enjoy browsing without popups (pop up blocker), ads, malware and other annoyances. ** AdBlock Web Browser ** The Brave Privacy Browser App is designed with a built-in AdBlocker (pop up blocker). Brave's free adBlocker protects you from ads which track you as you browse the web, securing your privacy. ** Automatic Privacy – AdBlock Browser Protection ** The Brave Privacy Browser App also protects you with leading privacy and security features such as HTTPS Everywhere (encrypted data traffic), script blocking, 3rd party cookie blocking and incognito private tabs. ** App Features ** Private browser Free built-in AdBlocker Pop up blocker (blocks ads) Safe private browsing Invasive Ad free web browser Sync Bookmarks securely Free tracking protection web browser Https Everywhere (for security) Script Blocker 3rd party cookie blocker Private bookmarks Browsing history Recent and private tabs Fast, free, private search engine ** Brave Rewards ** With your old browser, you paid to browse the web by viewing ads. Now, Brave welcomes you to the new Internet. One where your time is valued, your personal data is kept…

Burp Suite extension to discover assets from HTTP responses using passive scanning. Refer to our blog post Asset Discovery using Burp Suite for more details. The extension is now part of the BApp store and can be installed directly from Burp Suite: https://portswigger.net/bappstore/d927f0065171485981d6eb49a860fc3e Description Passively parses the HTTP responses of in-scope URLs, identifies different types of assets such as domains, subdomains, IPs, S3 buckets etc., and lists them as informational issues. Setup Set up the Python environment by providing the jython.jar file in the 'Options' tab under 'Extender' in Burp Suite. Download the extension. In the 'Extensions' tab under 'Extender', select 'Add'. Change the extension type to 'Python'. Provide the path of the file 'Asset_Discover.py' and click 'Next'. Usage Add a URL to the 'Scope' under the 'Target' tab. The extension will start identifying assets through passive scanning. Requirements Jython 2.7.0, Burp Suite Pro v2.1 Code Credits A large portion of the base code has been taken from the following sources: OpenSecurityResearch CustomPassiveScanner, PortSwigger example-scanner-checks Download…
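What a passive scanner check of this kind actually does is run a handful of patterns over each response body and bucket the matches by asset type. The following is an added illustration, not the extension's own code: a plain-Python extractor for hostnames, in-scope subdomains, IPv4 addresses and S3 bucket names, run over a constructed sample response. Inside Burp the same function would be called from IScannerCheck.doPassiveScan with the response bytes and the matches reported as informational issues; the scope domain and sample content are assumptions.

```python
import ipaddress
import re

# Constructed sample HTTP response (not captured traffic).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html

<script src="https://cdn.example.com/app.js"></script>
<script src="https://www.googletagmanager.com/gtm.js"></script>
<img src="https://assets-prod.s3.amazonaws.com/logo.png">
<a href="//api.internal.example.com/v1/">API</a>
<link href="https://example-static.s3-us-west-2.amazonaws.com/style.css">
<!-- TODO: move backend off 10.0.4.12 -->
"""

HOSTNAME_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# bucket.s3.amazonaws.com and bucket.s3-<region>.amazonaws.com virtual-host forms
S3_RE = re.compile(r"\b([a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\b", re.I)

# Hostname-shaped tokens that are really file names (app.js, logo.png ...).
FILE_SUFFIXES = {"js", "css", "png", "jpg", "jpeg", "gif", "svg", "ico",
                 "html", "htm", "json", "map", "woff", "woff2"}


def discover_assets(body: str, scope_domain: str) -> dict:
    """Return {'subdomain', 'domain', 'ip', 's3_bucket'} -> set of findings."""
    scope_domain = scope_domain.lower()
    found = {"subdomain": set(), "domain": set(), "ip": set(), "s3_bucket": set()}

    for m in IPV4_RE.finditer(body):
        try:
            found["ip"].add(str(ipaddress.IPv4Address(m.group(0))))  # drops 999.1.1.1
        except ValueError:
            continue

    for m in S3_RE.finditer(body):
        found["s3_bucket"].add(m.group(1).lower())

    for m in HOSTNAME_RE.finditer(body):
        name = m.group(1).lower()
        if name.rsplit(".", 1)[-1] in FILE_SUFFIXES:
            continue
        if name.endswith(".amazonaws.com"):
            continue                      # already reported as an S3 bucket
        if name == scope_domain:
            continue                      # the target itself is not a new asset
        if name.endswith("." + scope_domain):
            found["subdomain"].add(name)
        else:
            found["domain"].add(name)
    return found


if __name__ == "__main__":
    for kind, names in discover_assets(SAMPLE_RESPONSE, "example.com").items():
        print(f"{kind}: {sorted(names)}")
```

The file-suffix filter is the kind of noise control a real passive check needs: without it every "app.js" in a response shows up as a domain. Anything reported as an S3 bucket still has to be checked for existence and ACLs separately; the response only proves the name was referenced.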

Easier network scanning with NetAss2 (Network Assessment Assistance Framework). It makes it easy for pentesters to carry out network penetration testing. Dependencies nmap (tool), zmap (tool) Installation git clone https://github.com/zerobyte-id/NetAss2.git cd NetAss2 sudo chmod +x install.bash sudo ./install.bash Run netass2 Existing Menu – HOST DISCOVERY – PORT SCAN ON SINGLE HOST – MASSIVE PORT SCAN VIA DISCOVERED HOSTS – MASSIVE PORT SCAN VIA LIST ON FILE – SINGLE PORT QUICK SCAN VIA NETWORK BLOCK – MULTIPLE PORT QUICK SCAN VIA NETWORK BLOCK – SHOW REPORTS Screenshot (Documentation) Download…

Subdomain scan with the ping method.

Flag | Value | Description
---|---|---
--hostname | example.com | Domain to scan.
--output | | Records the output in a file named after the domain.
--list | /tmp/lists/example.txt | Wordlist file of subdomain candidates.

Installation go get github.com/tismayil/rsdl or clone the repo and build (go build rsdl.go). Used repos: GO Spinner: github.com/briandowns/spinner [go get github.com/briandowns/spinner]; GO Ping: github.com/sparrc/go-ping [go get github.com/sparrc/go-ping] Download…

IMPORTANT When using the source or downloading the code directly from the repository, it is important to run the database upgrade script if you experience any errors referring to missing tables or columns in the database. Changes to the database are committed to the cacti.sql file, which is used for new installations, and to the installer's database upgrade for existing installations. Because the version number does not change until release in the develop branch, the database upgrade will not run on its own, so it is important either to use the database upgrade script to force the current version or to update the version in the database. Running the Database Upgrade Script
sudo -u cacti php -q cli/upgrade_database.php --forcever=`cat include/cacti_version`
Updating the Cacti Version in the Database
update version set cacti = '1.1.38';
Note: Change the above version to the correct version or risk the installer upgrading from a previous version. About Cacti is a complete network graphing solution designed to harness the power of RRDtool's data storage and graphing functionality, providing the following features: Remote and local data collectors Device discovery Automation of device and graph creation Graph and device templating Custom data collection methods User, group and domain access controls All of this is wrapped in an intuitive, easy-to-use interface that makes sense for both LAN-sized installations and…

HAL [/hel/] is a comprehensive reverse engineering and manipulation framework for gate-level netlists focusing on efficiency, extendability and portability. HAL comes with a fully-fledged plugin system that allows arbitrary functionality to be added to the core. Apart from multiple research projects, HAL is also used in our university lecture Introduction to Hardware Reverse Engineering. Features Natural directed-graph representation of netlist elements and their connections Support for custom gate libraries High performance thanks to an optimized C++ core Modularity: write your own C++ plugins for efficient netlist analysis and manipulation (e.g. via graph algorithms) A feature-rich GUI allowing visual netlist inspection and interactive analysis An integrated Python shell to interact exploratively with netlist elements and to drive plugins from the GUI Update v1.1.0 Support for the Xilinx Unisim, Xilinx Simprim, Synopsys 90nm, GSCLIB 3.0 and UMC 0.18µm libraries has been added API Documentation The C++ documentation is available here. The Python documentation can be found here. Quick Start Install or build HAL and start the GUI via hal -g. You can list all available options via hal [--help|-h]. We included some example netlists in examples together with the implementation of the respective example gate library in plugins/example_gate_library. For instructions to create your own gate library and other useful tutorials,…

A script to enumerate Google Storage buckets, determine what access you have to them, and determine whether that access can be escalated. This script (optionally) accepts GCP user/service account credentials and a keyword. A list of permutations is then generated from that keyword and used to scan for the existence of Google Storage buckets with those names. If credentials are supplied, the majority of enumeration is still performed unauthenticated, but for any bucket discovered that way the script attempts to enumerate the bucket permissions using the TestIamPermissions API with the supplied credentials. This helps find buckets that are accessible while authenticated but not while unauthenticated. Regardless of whether credentials are supplied, the script then tries to enumerate the bucket permissions using the TestIamPermissions API while unauthenticated. This means that if you don't enter credentials, you will only be shown the privileges an unauthenticated user has, but if you do enter credentials, you will see what access authenticated users have compared to unauthenticated users. WARNING: If credentials are supplied, your username can be disclosed in the access logs of any buckets you discover. TL;DR Summary Given a keyword, this script enumerates Google Storage buckets based on a number of permutations generated from the keyword. Then, any discovered bucket will be output. …
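The two steps described above, keyword permutation and interpreting a TestIamPermissions result, are shown in the added example below. It is not the script's own code: the affix list, the separators and the fake IAM responses are constructed, the classification rules are this example's own (setIamPolicy is treated as the privilege-escalation case because it lets the caller grant themselves any other role on the bucket), and the permission names are real GCS IAM permissions. The probe is injected so the example runs offline; a real probe would GET https://storage.googleapis.com/storage/v1/b/{bucket}/iam/testPermissions with one permissions= parameter per entry, once anonymously and once with credentials.

```python
import ipaddress
import re

# Constructed affixes and separators; the real tool ships its own permutation list.
AFFIXES = ["dev", "prod", "staging", "test", "backup", "backups",
           "logs", "assets", "data", "public", "private"]
SEPARATORS = ["", "-", "_", "."]

# Real GCS permission names worth asking TestIamPermissions about.
PROBE_PERMISSIONS = [
    "storage.buckets.delete", "storage.buckets.get", "storage.buckets.getIamPolicy",
    "storage.buckets.setIamPolicy", "storage.buckets.update",
    "storage.objects.create", "storage.objects.delete", "storage.objects.get",
    "storage.objects.list", "storage.objects.update",
]

BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$")


def valid_bucket_name(name: str) -> bool:
    """Subset of the GCS naming rules: 3-63 chars, lowercase letters, digits,
    '.', '_' and '-', alphanumeric at both ends, not a dotted-decimal IP."""
    if not BUCKET_NAME_RE.match(name):
        return False
    try:
        ipaddress.IPv4Address(name)
        return False
    except ValueError:
        return True


def bucket_permutations(keyword: str) -> list:
    """keyword, keyword<sep>affix and affix<sep>keyword, filtered to valid names."""
    keyword = keyword.lower()
    names = {keyword}
    for affix in AFFIXES:
        for sep in SEPARATORS:
            names.add(f"{keyword}{sep}{affix}")
            names.add(f"{affix}{sep}{keyword}")
    return sorted(n for n in names if valid_bucket_name(n))


def classify(granted) -> dict:
    """Turn the permission subset TestIamPermissions returned into findings."""
    granted = set(granted)
    return {
        "read": bool(granted & {"storage.objects.get", "storage.objects.list"}),
        "write": bool(granted & {"storage.objects.create", "storage.objects.delete",
                                 "storage.objects.update"}),
        # With setIamPolicy the caller can grant their own principal every role.
        "privesc": "storage.buckets.setIamPolicy" in granted,
        "can_delete_bucket": "storage.buckets.delete" in granted,
    }


def assess_bucket(bucket: str, probe, credentials=None) -> dict:
    """probe(bucket, permissions, credentials) -> list of granted permissions.
    Always probes anonymously; with credentials, probes again and reports
    what authenticating gained. Remember the authenticated call can expose
    your identity in the bucket owner's access logs."""
    unauth = set(probe(bucket, PROBE_PERMISSIONS, None))
    result = {"bucket": bucket, "unauthenticated": classify(unauth), "gained_by_auth": []}
    if credentials is not None:
        auth = set(probe(bucket, PROBE_PERMISSIONS, credentials))
        result["authenticated"] = classify(auth)
        result["gained_by_auth"] = sorted(auth - unauth)
    return result


# Constructed fake API responses (no real buckets): bucket -> credentials -> granted.
FAKE_IAM = {
    "acme-backups": {
        None: {"storage.objects.list"},
        "sa@acme.iam": {"storage.objects.list", "storage.objects.get",
                        "storage.buckets.setIamPolicy"},
    },
}


def fake_probe(bucket, permissions, credentials):
    granted = FAKE_IAM.get(bucket, {}).get(credentials, set())
    return [p for p in permissions if p in granted]


if __name__ == "__main__":
    for name in bucket_permutations("acme"):
        r = assess_bucket(name, fake_probe, credentials="sa@acme.iam")
        if r["unauthenticated"]["read"] or r["gained_by_auth"]:
            print(r)
```

Buckets the fake probe does not know about come back with no permissions, which is also what a real run shows for names that do not exist; an existence check (a 404 versus a 403 on the bucket metadata endpoint) is the missing step between permutation and permission probing.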