Atucom
A blog about coding, Infosec, penetration testing, and random topics

AWS EC2 & Quick FTP Server (2020-11-20)
Sometimes you just need to transfer some files back and forth over FTP and want something quick and easy. There are a couple of caveats to getting a one-liner-ish FTP server running in AWS EC2 or Lightsail:
Additional ports must be opened. Lightsail by default opens 80 & 22. You'll have to also open 21 & 8000-9000 for the following to work. Or you know, open it all because yolo.
File

Python Debugging: Output Function Name and Args (2020-07-15)
Sprinkling print statements everywhere gets annoying, so here is a decorator that does 99% of what I need when it comes to debugging function input.
Simple DLL To Pop A CMD Shell (2020-02-26)
Below is some sample code to pop a cmd shell upon execution of the DLL. Pretty great for testing various code injection techniques. Compile it as a DLL project in Visual Studio to generate the .dll file.
A Better, More Modern, HTML Link Grabber (2020-02-12)
Lots of examples of HTML <a> link grabbers simply parse the source code of the page for <a> links and output that. I'm sure I don't need to say that technique is antiquated and doesn't really work that well with modern web applications and front-end frameworks. Everybody and their mother just loves modifying HTML using JavaScript. The old method would miss that stuff badly.
Take the

Pillage Thycotic Secret Server (2019-12-12)
If you want to grab all the secrets from Thycotic's Secret Server, use the SOAP API to pull them out. Assuming you have valid domain creds, run the following script.
#!/usr/bin/env python3
from zeep import Client
#Connect to the soap api endpoint
client = Client("https://secretserver.example.com/SecretServer/webservices/SSWebservice.asmx?wsdl")
#grab

Round Robin SMB Auth (2019-12-10)
Password sprays are very noisy internally. If the target has any sort of alerting in place, they'll see the spray light up their dashboard like a Christmas tree. However, often the alerts are only set up to count failed logins from a single IP. Spread out the auth and you may skirt around their detections:
Instead of throwing your auth attempts at one IP, throw them at many:
Blacklist IPs Without Caring (2019-12-04)
Clients often give out a blacklist of IPs to not touch in an environment. Manually handling that in all the for loops and parsing can be a complete nightmare. It's way easier to make your box simply never speak to those blacklisted IPs at all, regardless of what commands you run. You can do this by implementing the blacklist within iptables.
Place the blacklist IPs or CIDRs in a file called "

Crack JWTs with JohnTheRipper (2019-11-20)
Very simple, just paste your entire JWT into a text file like this one from WebGoat:
cat > webgoat-jwt.txt
eyJhbGciOiJIUzI1NiJ9.

Send text message via AWS (2019-08-20)
Assuming you've already done "aws configure":
aws sns publish --phone-number 11231234 --message "a thing happened"

Windows Override Command Execution (Image File Execution Options) (2019-07-25)
When you run a command at the Windows cmd prompt, such as schtasks.exe, klist.exe, driverquery.exe, etc., Windows searches a registry setting for default options to execute the file.
The location is:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<nameOfEXE>
Oddly, Windows checks the same registry key regardless of where it actually found the

Calculate proper length of antenna for better signal (2019-07-10)
To increase signal quality, make sure the antenna length matches the frequency you are receiving at. I've had a 20-40 dB increase in signal just by extending or retracting my antenna a couple of inches. A simple process is this:
Have on hand a ruler with centimeter markings (I use a retractable tailor tape measure)
Open your calculator and do 300 / your_frequency (in MHz) = wavelength (in meters)
How to loopback audio from one app to another for SDR (2019-07-10)
Piping the decoded audio from one application to another can be super annoying in Linux. Fortunately there is a utility in apt that makes it dead easy (at least on Ubuntu). Simple steps:
apt install pavucontrol
start your applications (gqrx/fldigi/direwolf/whatever)
execute pavucontrol
In the "Playback" tab, make sure your "output" app is showing up and bouncing the sound meter
In the "

Decoding APRS via SDR (2019-07-10)
APRS uses packet radio and FLDIGI doesn't support it for some ungodly reason. You can chain a few tools together to get the decoded output.
Plug in and attach your RTLSDR, or whatever, to your VM
start up GQRX, start receiving
Tune to 144.390 to get an APRS signal (North American calling freq for APRS)
Set the following:
Filter Width: Wide
Filter Shape: Sharp
Mode: Narrow FM
AGC: Fast
Google/AWS/Azure IP Ranges (2019-04-02)
Google Cloud, Amazon AWS, and Microsoft Azure publish their IP ranges for their cloud platforms.
Amazon:
https://ip-ranges.amazonaws.com/ip-ranges.json
one-liner:
curl https://ip-ranges.amazonaws.com/ip-ranges.json | grep 'ip_prefix' | cut -d '"' -f 4
Microsoft Azure:
https://www.microsoft.com/en-gb/download/details.aspx?id=41653
one-liner:
cat

Productivity Tactic: Fear Masked as Procrastination (2019-01-18)
I pride myself on noticing patterns in life. A particular pattern I've noticed in myself as well as many others is this: procrastination is pain avoidance. Now that may seem obvious in certain regards, but what definitely wasn't obvious is that procrastination is really a manifestation of fear.
Think about it - you have an idea, a great idea, an exciting idea, you start fleshing out a couple details

Python - Choose a Function at Random (2018-12-21)
If you need to randomly select from a number of defined functions, this is a simple way to achieve that:
import random

def function_A(some_var):
    return "{} - A".format(some_var)

def function_B(some_var):
    return "{} - B".format(some_var)

def function_C(some_var):
    return "{} - C".format(some_var)

#Run a random
# pick one of the defined functions and call it (the feed cuts the original off above; this call is the assumed continuation)
random.choice([function_A, function_B, function_C])("test")

SSH Port Forwards In Simpler Terms (2018-12-14)
I love SSH, I love port forwards, I love all they allow you to do. I hate my memory and all it forgets to do. I decided to write the following so I can easily recall the syntax and meaning for SSH port forwards (-L & -R).
Firstly, both use the same syntax (order of parameters doesn't matter):
ssh root@someVPS -i ~/.ssh/whateverKey -L localhost:2323:localhost:2424
ssh root@someVPS -i ~/.ssh/

Keep Track Of Your Source IP (2018-11-28)
Pentesters/Red Teamers often need to track their outgoing IPs so Blue Teams can correlate activity and know whether an attack is scheduled activity or something else.
Below is a script that will reach out, grab your public IP, and if it's different from the last entry, enter it into a log file. I use crontab to execute it at the top of every minute.
Ways to Enumerate Users (2018-11-26)
A couple of methods to identify usernames that can then be used in other areas of a pentest are below. I added as many as I could think of. I limited it to ones mostly seen from the public Internet.
WebApp login error username enumeration (custom per webapp, use python/burp)
WebApp URL/Cookie differences (custom per webapp, use python/burp)
Document Metadata from google dork (https://

Saner Bash Commands Inside Python (2018-09-18)
As great as Python is, sometimes the devs make really weird decisions regarding defaults. A perfect example is running shell commands inside Python 3+. For some reason the devs thought it was a good idea to make the subprocess "run" method _not_ capture the output from stdout or stderr by default. I find this incredibly annoying and it constantly results in me having to look up the syntax since I

Download All Corporate Git Repos (2018-08-30)
Depending on the client you are testing, they may have an internal development team that checks code into a git repo. The vast majority of the clients I've seen implement the Atlassian suite of tools, typically containing an internally hosted Bitbucket.
The Bitbucket web interface has a search feature for looking for code snippets. It's absolutely awful. It's like an off-brand Tonka Toys reject

Brute Force LDAP Names (or how I kinda downloaded LDAP) (2018-08-29)
Running queries over a network using the ldapsearch tool can be a bit annoying. It's especially annoying when you constantly run into the "size limit exceeded" result when you get large responses.
I decided to write a little tool to recursively and conditionally search LDAP for CN entries (basically AD account names) and download them locally. If it detects the size limit error, it

Apache Struts 2 Vulnerability & Exploit (CVE-2018-11776) (2018-08-23)
Yesterday a new vulnerability in certain versions of Apache Struts (2.3 - 2.3.34, 2.5 - 2.5.16) was discovered that leads to RCE. It requires both vulnerable versions as well as vulnerable configurations.
The gist of the issue is that if you have a vulnerable configuration that doesn't lend a namespace to Struts, Struts will take the user-specified namespace instead. Fortunately, it takes the

Twitter Controlled Anything - Micropython on ESP32 (2018-08-15)
I recently purchased an ESP32 from Amazon for testing purposes and a colleague mentioned you could install a minimalist Python environment on them for control. To say the least, I was intrigued.
I wanted to be able to control a light (or anything really) using tweets. Below are the instructions/scripts I wrote to get it working. First comes the prerequisites:
ESP32 (duh)
A VPS, Pi, or

Top 100 Ingredients From HomeChef Recipes (2018-08-02)
I love cooking; I consider it my primary hobby outside of infosec/coding. I had HomeChef for several months and absolutely loved it. I looked forward to each selection every week and always got to try some new techniques/flavors/combinations I probably would never have tried on my own.
Every meal they sent us had a double-sided recipe page to guide you through the process. I noticed something at