I discovered https://hackerone.com recently. It's a platform companies can sign up for that gives them an avenue for researchers to disclose security vulnerabilities about their site along the lines of "responsible disclosure".
I was curious as to what vulnerabilities were published, and their amounts. Well, when a vulnerability is made public, hackerone puts it on their site with the amount on the same page. Having done network pentests for the last 4 years (professionally) it's hard not to lolwtfbbq at how easy/simple it is to identify some of the bugs listed, and a lot of them are paying out hundreds of dollars for what amounts to about 30 seconds of work.....i'm in the wrong business...
In any case, i've parsed through their public listing and compiled a list of links for people to read. At the time of this blog post, 240 vulnerabilities were publicly released:
https://hackerone.com/reports/38232
https://hackerone.com/reports/38170
https://hackerone.com/reports/37622
https://hackerone.com/reports/26935
https://hackerone.com/reports/32570
https://hackerone.com/reports/8846
https://hackerone.com/reports/33935
https://hackerone.com/reports/20873
https://hackerone.com/reports/36264
https://hackerone.com/reports/501
https://hackerone.com/reports/35102
https://hackerone.com/reports/33083
https://hackerone.com/reports/34112
https://hackerone.com/reports/32825
https://hackerone.com/reports/33091
https://hackerone.com/reports/31168
https://hackerone.com/reports/28832
https://hackerone.com/reports/29288
https://hackerone.com/reports/27357
https://hackerone.com/reports/31383
https://hackerone.com/reports/26527
https://hackerone.com/reports/29491
https://hackerone.com/reports/12497
https://hackerone.com/reports/27651
https://hackerone.com/reports/29360
https://hackerone.com/reports/29328
https://hackerone.com/reports/27704
https://hackerone.com/reports/29839
https://hackerone.com/reports/29480
https://hackerone.com/reports/29331
https://hackerone.com/reports/28865
https://hackerone.com/reports/18501
https://hackerone.com/reports/14552
https://hackerone.com/reports/28150
https://hackerone.com/reports/27987
https://hackerone.com/reports/27704
https://hackerone.com/reports/28450
https://hackerone.com/reports/28449
https://hackerone.com/reports/28445
https://hackerone.com/reports/15412
https://hackerone.com/reports/27404
https://hackerone.com/reports/27166
https://hackerone.com/reports/27511
https://hackerone.com/reports/27846
https://hackerone.com/reports/27389
https://hackerone.com/reports/26700
https://hackerone.com/reports/5314
https://hackerone.com/reports/26825
https://hackerone.com/reports/25332
https://hackerone.com/reports/25334
https://hackerone.com/reports/14631
https://hackerone.com/reports/17506
https://hackerone.com/reports/25281
https://hackerone.com/reports/23098
https://hackerone.com/reports/16414
https://hackerone.com/reports/15762
https://hackerone.com/reports/18507
https://hackerone.com/reports/25160
https://hackerone.com/reports/21110
https://hackerone.com/reports/12708
https://hackerone.com/reports/23386
https://hackerone.com/reports/10468
https://hackerone.com/reports/12583
https://hackerone.com/reports/23363
https://hackerone.com/reports/11414
https://hackerone.com/reports/18698
https://hackerone.com/reports/17160
https://hackerone.com/reports/21210
https://hackerone.com/reports/17474
https://hackerone.com/reports/22093
https://hackerone.com/reports/16330
https://hackerone.com/reports/6700
https://hackerone.com/reports/21069
https://hackerone.com/reports/17688
https://hackerone.com/reports/18279
https://hackerone.com/reports/21150
https://hackerone.com/reports/16568
https://hackerone.com/reports/8284
https://hackerone.com/reports/8281
https://hackerone.com/reports/7779
https://hackerone.com/reports/21248
https://hackerone.com/reports/15166
https://hackerone.com/reports/15852
https://hackerone.com/reports/14570
https://hackerone.com/reports/20861
https://hackerone.com/reports/20671
https://hackerone.com/reports/10373
https://hackerone.com/reports/7608
https://hackerone.com/reports/6665
https://hackerone.com/reports/10081
https://hackerone.com/reports/9919
https://hackerone.com/reports/9921
https://hackerone.com/reports/5442
https://hackerone.com/reports/6702
https://hackerone.com/reports/12685
https://hackerone.com/reports/2598
https://hackerone.com/reports/8082
https://hackerone.com/reports/13959
https://hackerone.com/reports/18851
https://hackerone.com/reports/18850
https://hackerone.com/reports/18849
https://hackerone.com/reports/18721
https://hackerone.com/reports/17903
https://hackerone.com/reports/18295
https://hackerone.com/reports/17909
https://hackerone.com/reports/17896
https://hackerone.com/reports/7264
https://hackerone.com/reports/18691
https://hackerone.com/reports/18389
https://hackerone.com/reports/6322
https://hackerone.com/reports/6268
https://hackerone.com/reports/6195
https://hackerone.com/reports/6194
https://hackerone.com/reports/14699
https://hackerone.com/reports/17540
https://hackerone.com/reports/17383
https://hackerone.com/reports/10563
https://hackerone.com/reports/13748
https://hackerone.com/reports/13388
https://hackerone.com/reports/15362
https://hackerone.com/reports/16718
https://hackerone.com/reports/16571
https://hackerone.com/reports/16392
https://hackerone.com/reports/16315
https://hackerone.com/reports/4461
https://hackerone.com/reports/2628
https://hackerone.com/reports/12588
https://hackerone.com/reports/11410
https://hackerone.com/reports/15785
https://hackerone.com/reports/7813
https://hackerone.com/reports/2168
https://hackerone.com/reports/1533
https://hackerone.com/reports/11927
https://hackerone.com/reports/13286
https://hackerone.com/reports/7266
https://hackerone.com/reports/11861
https://hackerone.com/reports/10554
https://hackerone.com/reports/1538
https://hackerone.com/reports/6704
https://hackerone.com/reports/10037
https://hackerone.com/reports/8724
https://hackerone.com/reports/9318
https://hackerone.com/reports/10829
https://hackerone.com/reports/6182
https://hackerone.com/reports/6674
https://hackerone.com/reports/4836
https://hackerone.com/reports/6353
https://hackerone.com/reports/10297
https://hackerone.com/reports/9774
https://hackerone.com/reports/7531
https://hackerone.com/reports/5933
https://hackerone.com/reports/7369
https://hackerone.com/reports/7357
https://hackerone.com/reports/6883
https://hackerone.com/reports/4256
https://hackerone.com/reports/9391
https://hackerone.com/reports/9375
https://hackerone.com/reports/5928
https://hackerone.com/reports/7803
https://hackerone.com/reports/2140
https://hackerone.com/reports/6877
https://hackerone.com/reports/7041
https://hackerone.com/reports/7036
https://hackerone.com/reports/6935
https://hackerone.com/reports/6350
https://hackerone.com/reports/2421
https://hackerone.com/reports/6907
https://hackerone.com/reports/6872
https://hackerone.com/reports/6871
https://hackerone.com/reports/7441
https://hackerone.com/reports/6910
https://hackerone.com/reports/7277
https://hackerone.com/reports/6884
https://hackerone.com/reports/7121
https://hackerone.com/reports/6626
https://hackerone.com/reports/6389
https://hackerone.com/reports/6380
https://hackerone.com/reports/5786
https://hackerone.com/reports/4561
https://hackerone.com/reports/3039
https://hackerone.com/reports/4409
https://hackerone.com/reports/2127
https://hackerone.com/reports/4690
https://hackerone.com/reports/4689
https://hackerone.com/reports/4638
https://hackerone.com/reports/3441
https://hackerone.com/reports/2427
https://hackerone.com/reports/3986
https://hackerone.com/reports/4114
https://hackerone.com/reports/3930
https://hackerone.com/reports/3921
https://hackerone.com/reports/2575
https://hackerone.com/reports/2559
https://hackerone.com/reports/3596
https://hackerone.com/reports/3227
https://hackerone.com/reports/1675
https://hackerone.com/reports/3455
https://hackerone.com/reports/2439
https://hackerone.com/reports/2735
https://hackerone.com/reports/3356
https://hackerone.com/reports/2777
https://hackerone.com/reports/2622
https://hackerone.com/reports/2617
https://hackerone.com/reports/2625
https://hackerone.com/reports/2652
https://hackerone.com/reports/2584
https://hackerone.com/reports/2221
https://hackerone.com/reports/914
https://hackerone.com/reports/2170
https://hackerone.com/reports/2245
https://hackerone.com/reports/2228
https://hackerone.com/reports/2233
https://hackerone.com/reports/2224
https://hackerone.com/reports/916
https://hackerone.com/reports/2107
https://hackerone.com/reports/2106
https://hackerone.com/reports/1509
https://hackerone.com/reports/1356
https://hackerone.com/reports/960
https://hackerone.com/reports/809
https://hackerone.com/reports/774
https://hackerone.com/reports/742
https://hackerone.com/reports/727
https://hackerone.com/reports/737
https://hackerone.com/reports/738
https://hackerone.com/reports/713
https://hackerone.com/reports/547
https://hackerone.com/reports/523
https://hackerone.com/reports/500
https://hackerone.com/reports/499
https://hackerone.com/reports/487
https://hackerone.com/reports/477
https://hackerone.com/reports/400
https://hackerone.com/reports/390
https://hackerone.com/reports/353
https://hackerone.com/reports/321
https://hackerone.com/reports/288
https://hackerone.com/reports/284
https://hackerone.com/reports/280
https://hackerone.com/reports/120
Wednesday, December 10, 2014
Wednesday, September 17, 2014
Super Simple Shell Spawner in C
I needed this code for a project i was working on. Keeping it here for posterity:
#include "stdlib.h" int main(){ system("/bin/sh"); }
Labels:
Programming,
Shells
Monday, September 15, 2014
"Hacking" Wireless Mics
This isn't really a hack. Wireless Mics are glorified walkie-talkies with a little extra speech smoothing fanciness.
I was playing around with some Sony wireless mics and i noticed a label on the back stating the frequency they operate in. The label said "638.125-661.875". I grabbed my hackrf one and plugged it in. It should be noted that in that frequency range, an RTL-SDR dongle would work as well.
Once I plugged in my HackRF One, I ran hackrf_info to make sure it was recognized and then started gqrx.
I tuned gqrx to the start of the range, 638.125. I was pleased to find that this was the frequency used by "Channel 1" setting on the wireless mic. I flipped the switch on the mic, and bam. A very strong signal appeared on my screen. I centered the cursor over that, adjusted the squelch to tune out the background noise and turned up the volume so i could hear. Lo, and behold thats all that was needed.
Turns out that the wireless mics simply are FM transmitters broadcasting the audio so the receiver unit can pick it up. Well, in this set up my hackrf is the receiver.
Now, once i learned this i kind of facepalmed a little.
Someone asked me what the big deal is with this. I told them that lots of times the communications being held over these wireless mics can be confidential. Broadcasting confidential info usually is what people try to avoid.
A great real word example of utilizing this info would be if a reporter is doing an interview with a high profile individual and wants everything to be kept secret until the airing. Well, if someone knew the building the recording was happening, they could record the audio of the wireless mic and break the story first.
Or worse, use the story info to determine if they should carry out hits to keep people quiet.
Thursday, July 17, 2014
Physical Pentest Tactic: Be Modest With The Car
This may seem like it's obvious to some people but i've heard some stupid stories.
I'm going to make this simple. When renting a car for your physical pentest, don't get the mustang. Don't get any car that is going to attract attention. Get a bland car in a bland color. Something like a gray Toyota Camry or boring SUV.
Why get an SUV if you are only one person? Dumpster diving. I cant tell you how much more crap an SUV can hold than a midsize car.
I once had to go back to the client site 3 times to get as much stuff as the SUV could hold on another site. You never want to do that. You want to get in, get what you need, and get out. The longer you stay in a particular location, the higher your chances of getting caught.
Therefore, get a bland, boring looking SUV if you can. Otherwise get a midsize car. Avoid compacts if you are planning on doing any dumpster diving.
EDIT:
Another aspect of choosing a car that is actually very important for night operations - Make sure all the lights can be turned off quickly and manually.
Few things are more annoying than pulling up to a spot and turning off the car only to have the lights linger on for a minute or so while you awkwardly stare off waiting for them to switch off.
The best option would be the ability to have all the lights off (interior and exterior) while the car is still on. But for most cases, its better to leave the car engine off.
I'm going to make this simple. When renting a car for your physical pentest, don't get the mustang. Don't get any car that is going to attract attention. Get a bland car in a bland color. Something like a gray Toyota Camry or boring SUV.
Why get an SUV if you are only one person? Dumpster diving. I cant tell you how much more crap an SUV can hold than a midsize car.
I once had to go back to the client site 3 times to get as much stuff as the SUV could hold on another site. You never want to do that. You want to get in, get what you need, and get out. The longer you stay in a particular location, the higher your chances of getting caught.
Therefore, get a bland, boring looking SUV if you can. Otherwise get a midsize car. Avoid compacts if you are planning on doing any dumpster diving.
EDIT:
Another aspect of choosing a car that is actually very important for night operations - Make sure all the lights can be turned off quickly and manually.
Few things are more annoying than pulling up to a spot and turning off the car only to have the lights linger on for a minute or so while you awkwardly stare off waiting for them to switch off.
The best option would be the ability to have all the lights off (interior and exterior) while the car is still on. But for most cases, its better to leave the car engine off.
Labels:
Redteam
Physical Pentest App - Scanner Radio
Police scanners can get expensive. Especially since today most police stations are moving over to digital (trunked) communications. I had bought a Yaesu VX8DR so i wouldnt have to worry about missing a frequency. Well it turns out it doesnt do trunking comms so i was fucked... Well, not so much.
A free alternative, although time delayed is using an android app called "Scanner Radio". Most locations in America have a entry for their county or city or whatever for dispatch.
I love having it in my ear while a case a place or do car recon. It's pretty simple, if you hear about a report for a suspicious vehicle in your area, move to another location.
I use the app whenever there is trunked comms for the area my target is in. There is however a delay, and that delay is dependent on what location you are in. I know in Chicago its about a 60 second delay between what happens on the radio and what comes through the app. You have to remember that the audio has to be received by the equipment, transmitted to the servers, relay over the cell network to your phone. That can take a bit.
The best solution is a realtime radio. The second best is the app. It's better than nothing.
A free alternative, although time delayed is using an android app called "Scanner Radio". Most locations in America have a entry for their county or city or whatever for dispatch.
I love having it in my ear while a case a place or do car recon. It's pretty simple, if you hear about a report for a suspicious vehicle in your area, move to another location.
I use the app whenever there is trunked comms for the area my target is in. There is however a delay, and that delay is dependent on what location you are in. I know in Chicago its about a 60 second delay between what happens on the radio and what comes through the app. You have to remember that the audio has to be received by the equipment, transmitted to the servers, relay over the cell network to your phone. That can take a bit.
The best solution is a realtime radio. The second best is the app. It's better than nothing.
Physical Pentest Tactic: Try Everything
It takes a certain kind of person to do a physical pentest well. They have to have balls. They have to be willing to take risks normal people wouldn't take. And most importantly, that risk taking should be accompanied by a level of curiosity. The thought of "I wonder whats behind this door" or "I wonder where these stairs go" are a huge portion of discovering potential vulnerabilities.
We all like to think that a "properly done" pentest includes a holywood-esque layout of the building with every exit and entry points with real time updates of the guard patrols and all that fancy movie crap. The reality is that is extremely rare. The recon you do beforehand can only give you a certain picture of whats happening.
1. Do they have guards?
2. Do they have guards all night long?
3. Do they guards patrol? outside? regular intervals?
4. Are there guard changes? what time?
5. IS THERE A CLEANING CREW? do they exit the building often to throw out trash?
6. etc, etc.
One of the physical tests I was on we were lucky enough to have multiple people (usually they are all solo). After doing internal recon and figuring out the security system and how it works, and where it was placed and all that stuff we decided to check out the place more up close and personal.
We determine that the security system in place supposed to work based off of sounds. If it detected the sound of someone walking around or breaking the window or something like that, the audio was supposed to be pumped back to the monitoring station to determine if it was an intruder or something accidentally hit the window. The whole system was created to reduce false positives and having the police called out when it was actually nothing.
Well we wanted to test how sensitive the system was just be fore we hightailed it out. So as we were done checking out the rest of the building, we were all in the SUV and drove up to the last door to see if the alarm would trip if we rattled the door. My friend got out of the car and firmly pushed on the door. Me with my binoculars was watching the LEDs on the alarm system for a change from green to blinking red, meaning it went off. Well, after the push the lights didnt go off. We dont him to really go at it, shake the door hard. He pushed really hard, and then pulled really hard to do the motion over and over again and holy shit. THE DOOR OPENED. That door, the door we saved for last was the one door in the whole place that was unlocked completely. The hilariousness and elation faded quickly as I saw the LED go from green to blinking red. From reading the alarm system documentation we had about 30 seconds to GTFO before the cops were called.
After a bout of screaming because my friend thought we told him to go inside when in fact we told him to get inside the car (lmfao, that was funny beyond belief). We got in the car and got out of the area. Found a dark parking lot to park that allowed us to see the target from across the street. We waiting, scrunched down in our seats. It's amazing how many cars are out driving around at 3am. After about 6 minutes i hear on the police radio that there was a burglar alarm set off at the location. Less than a minute later the cop shows up checking out the place. Then another cops shows up.
The moral of the story: never assume a door is locked. CHECK EVERYTHING.
We all like to think that a "properly done" pentest includes a holywood-esque layout of the building with every exit and entry points with real time updates of the guard patrols and all that fancy movie crap. The reality is that is extremely rare. The recon you do beforehand can only give you a certain picture of whats happening.
1. Do they have guards?
2. Do they have guards all night long?
3. Do they guards patrol? outside? regular intervals?
4. Are there guard changes? what time?
5. IS THERE A CLEANING CREW? do they exit the building often to throw out trash?
6. etc, etc.
One of the physical tests I was on we were lucky enough to have multiple people (usually they are all solo). After doing internal recon and figuring out the security system and how it works, and where it was placed and all that stuff we decided to check out the place more up close and personal.
We determine that the security system in place supposed to work based off of sounds. If it detected the sound of someone walking around or breaking the window or something like that, the audio was supposed to be pumped back to the monitoring station to determine if it was an intruder or something accidentally hit the window. The whole system was created to reduce false positives and having the police called out when it was actually nothing.
Well we wanted to test how sensitive the system was just be fore we hightailed it out. So as we were done checking out the rest of the building, we were all in the SUV and drove up to the last door to see if the alarm would trip if we rattled the door. My friend got out of the car and firmly pushed on the door. Me with my binoculars was watching the LEDs on the alarm system for a change from green to blinking red, meaning it went off. Well, after the push the lights didnt go off. We dont him to really go at it, shake the door hard. He pushed really hard, and then pulled really hard to do the motion over and over again and holy shit. THE DOOR OPENED. That door, the door we saved for last was the one door in the whole place that was unlocked completely. The hilariousness and elation faded quickly as I saw the LED go from green to blinking red. From reading the alarm system documentation we had about 30 seconds to GTFO before the cops were called.
After a bout of screaming because my friend thought we told him to go inside when in fact we told him to get inside the car (lmfao, that was funny beyond belief). We got in the car and got out of the area. Found a dark parking lot to park that allowed us to see the target from across the street. We waiting, scrunched down in our seats. It's amazing how many cars are out driving around at 3am. After about 6 minutes i hear on the police radio that there was a burglar alarm set off at the location. Less than a minute later the cop shows up checking out the place. Then another cops shows up.
The moral of the story: never assume a door is locked. CHECK EVERYTHING.
Labels:
Redteam
Physical Pentest Gear: The Clipboard
I've done several physical pentests in the past (and current) and one piece of gear that never ceases to amaze me on how useful it is is the clipboard. I'm not talking about your grandfather's clipboard. I'm talking about today's modern clipboard. It has wifi for auto note taking and a camera to transmit pictures. Ok i'm just messing with you it doesn't have all that. But it still is incredibly useful.
I was doing a physical one day and was on the social engineering portion of the test, AKA: me walking around the office trying to get sensitive documents. I came across an empty cubicle that was being used to store a bunch of bankers boxes (think stereotypical cardboard boxes with the handle holes and tops). Well, I peeked inside one of the boxes and giggled at what I found. Thousands of documents with handwritten credit card info dating back several years. That was in one box. One box of about 2 dozen.
I took a couple snapshots with my camera but couldn't get a good photo because of the lighting/not enough time. So I grabbed a couple documents (they were old, just as a PoC) and took a picture of the pile of boxes. The clipboard I was carrying was perfect to quickly stash these papers:
http://www.amazon.com/Saunders-SlimMate-Plastic-Clipboard-00558/dp/B00290OG6I/ref=sr_1_3
Any clipboard with a similar compartment will do. You can stash a surprising amount of documents in those things. Waaaay more than you need to prove your point.
Once I was back at the hotel I took much better shots, included it in the report and when everything was done and over, I securely mailed the documents back to my point of contact. That "Sensitive Documents Not Stores Securely" finding was a small finding in an otherwise juicy report and that clipboard made my life way easier during the entire SE portion of the test.
There is also the added benefit of having a clipboard in your hand subconsciously insinuates to other people that you are a person of authority, a decision maker, someone that should probably be treated a little better than any old average joe. That thought tends to arise from two different personalities.
1. The person wants to suck up to you (the teachers pet syndrome)
2. I don't want to get in trouble (the teachers ruler syndrome)
There is a third personality type who is tends to hate authority figures but you can usually defuse those types of people by being very confident and most importantly - very polite/kind. Kindness in authority figures tends to be fairly disarming to the vehemently authority-opposed.
So there you go, just like an EDC (every day carry), every object in your blackbag should have multiple uses. I'd suggest adding a compartment clipboard to yours asap.
It may seem like a small and insignificant addition at first, but I guarantee that you will be happy you bought it.
I was doing a physical one day and was on the social engineering portion of the test, AKA: me walking around the office trying to get sensitive documents. I came across an empty cubicle that was being used to store a bunch of bankers boxes (think stereotypical cardboard boxes with the handle holes and tops). Well, I peeked inside one of the boxes and giggled at what I found. Thousands of documents with handwritten credit card info dating back several years. That was in one box. One box of about 2 dozen.
I took a couple snapshots with my camera but couldn't get a good photo because of the lighting/not enough time. So I grabbed a couple documents (they were old, just as a PoC) and took a picture of the pile of boxes. The clipboard I was carrying was perfect to quickly stash these papers:
http://www.amazon.com/Saunders-SlimMate-Plastic-Clipboard-00558/dp/B00290OG6I/ref=sr_1_3
Any clipboard with a similar compartment will do. You can stash a surprising amount of documents in those things. Waaaay more than you need to prove your point.
Once I was back at the hotel I took much better shots, included it in the report and when everything was done and over, I securely mailed the documents back to my point of contact. That "Sensitive Documents Not Stores Securely" finding was a small finding in an otherwise juicy report and that clipboard made my life way easier during the entire SE portion of the test.
There is also the added benefit of having a clipboard in your hand subconsciously insinuates to other people that you are a person of authority, a decision maker, someone that should probably be treated a little better than any old average joe. That thought tends to arise from two different personalities.
1. The person wants to suck up to you (the teachers pet syndrome)
2. I don't want to get in trouble (the teachers ruler syndrome)
There is a third personality type who is tends to hate authority figures but you can usually defuse those types of people by being very confident and most importantly - very polite/kind. Kindness in authority figures tends to be fairly disarming to the vehemently authority-opposed.
So there you go, just like an EDC (every day carry), every object in your blackbag should have multiple uses. I'd suggest adding a compartment clipboard to yours asap.
It may seem like a small and insignificant addition at first, but I guarantee that you will be happy you bought it.
Labels:
Redteam
Wednesday, July 16, 2014
Ruby - What quarter a date is in
I have a report i have to generate every week and it requests all items of a particular status since the begining of the current quarter. Everyone like to say "Just use activerecord!". Fuck you.
Here is the simple ruby code that will do it:
require 'Date'
def whatQuarter(date)
thisYear = Time.new.year #just a filler year
if (Date.parse("#{thisYear}-01-01")..Date.parse("#{thisYear}-03-31")).cover?(date) #date range for quarter1
return 'Q1'
elsif (Date.parse("#{thisYear}-04-01")..Date.parse("#{thisYear}-06-30")).cover?(date)
return 'Q2'
elsif (Date.parse("#{thisYear}-07-01")..Date.parse("#{thisYear}-09-30")).cover?(date)
return 'Q3'
elsif (Date.parse("#{thisYear}-10-01")..Date.parse("#{thisYear}-12-31")).cover?(date)
return 'Q4'
end
end
def sameQuarter?(date1, date2)
if whatQuarter(date1) == whatQuarter(date2)
return true
else
return false
end
end
I'm sure there is something retarded about that code but it seems to work for me :/
EDIT:
I shortened everything and made it easier on the eyes:
Here is the simple ruby code that will do it:
def whatQuarter(date)
thisYear = Time.new.year #just a filler year
if (Date.parse("#{thisYear}-01-01")..Date.parse("#{thisYear}-03-31")).cover?(date) #date range for quarter1
return 'Q1'
elsif (Date.parse("#{thisYear}-04-01")..Date.parse("#{thisYear}-06-30")).cover?(date)
return 'Q2'
elsif (Date.parse("#{thisYear}-07-01")..Date.parse("#{thisYear}-09-30")).cover?(date)
return 'Q3'
elsif (Date.parse("#{thisYear}-10-01")..Date.parse("#{thisYear}-12-31")).cover?(date)
return 'Q4'
end
end
def sameQuarter?(date1, date2)
if whatQuarter(date1) == whatQuarter(date2)
return true
else
return false
end
end
I'm sure there is something retarded about that code but it seems to work for me :/
EDIT:
I shortened everything and made it easier on the eyes:
require 'Date' def whatQuarter(date) thisYear = Time.new.year #just a filler year case when (Date.parse("#{thisYear}-01-01")..Date.parse("#{thisYear}-03-31")).cover?(date) then return 'Q1' when (Date.parse("#{thisYear}-04-01")..Date.parse("#{thisYear}-06-30")).cover?(date) then return 'Q2' when (Date.parse("#{thisYear}-07-01")..Date.parse("#{thisYear}-09-30")).cover?(date) then return 'Q3' when (Date.parse("#{thisYear}-10-01")..Date.parse("#{thisYear}-12-31")).cover?(date) then return 'Q4' end end def sameQuarter?(date1, date2) whatQuarter(date1) == whatQuarter(date2) ? true : false end
Labels:
Programming,
Ruby
Tuesday, July 15, 2014
LM Hashing Policy - Changes to the same password
No password set for account:
blah1(current):1019:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Password of 'Password1' when LM is allowed
blah2(current):1021:e52cac67419a9a2238f10713b629b565:64f12cddaa88057e06a81b54e73b949b:::
Password of 'Password1' when LM is disabled
blah3(current):1020:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Basically if LM is disabled then the machine will substitute a "blank" value for the LM field (aad3b435b51404eeaad3b435b51404ee) and then continue on normally with the NTLM portion.
If the password is larger than 14 characters, the LM portion will have the blank value (aad3b435b51404eeaad3b435b51404ee). This is regardless of whether or not LM is disabled.
LM hashing is enabled/disabled by the existence of a DWORD reg key 'NoLMHash' in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa that is set to '1'
Labels:
Password Cracking,
Windows
Monday, July 14, 2014
Transferring Files Using Netcat
It's probably one of the most well known and simplest ways of transferring files in an emergency. You simply pipe a file to a listening netcat service and have the client output the connection to a file.
Start/Share the file:
nc -l 5678 < file.blah
That line will start listening for connections on port 5678. Once a connection is made, it will spit out the contents of file.blah to the client. If you have the following netcat line listening on the "client" side then it will spit the contents it gets to a file:
nc example.com 5678 > file.blah
i like to md5 check the file afterward to make sure network gnomes didn't mess up the data somehow.
Pretty simple and straightforward.
Start/Share the file:
nc -l 5678 < file.blah
That line will start listening for connections on port 5678. Once a connection is made, it will spit out the contents of file.blah to the client. If you have the following netcat line listening on the "client" side then it will spit the contents it gets to a file:
nc example.com 5678 > file.blah
i like to md5 check the file afterward to make sure network gnomes didn't mess up the data somehow.
Pretty simple and straightforward.
Labels:
Network
Friday, July 11, 2014
Netcat with SSL
Recently i needed to troubleshoot some requests to an HTTPS server. Instead of going through the hassle of setting up mitmproxy to middle the SSL connection, I just decided to point to to an empty listening port. After all, all I really needed was to see what GET requests it was making.
You can set up a netcat like server that supports SSL using ncat (the tool that comes with nmap).
ncat --ssl --listen 4443
If you want it to stay open after the first connection, append '--keep-open' to the end. And if you want some verbosity to whats going on, add '-vv' to get more info.
There are supposedly a bunch of different ways to get a netcat like interface for SSL but ncat gave me the least trouble.
You can set up a netcat like server that supports SSL using ncat (the tool that comes with nmap).
ncat --ssl --listen 4443
If you want it to stay open after the first connection, append '--keep-open' to the end. And if you want some verbosity to whats going on, add '-vv' to get more info.
There are supposedly a bunch of different ways to get a netcat like interface for SSL but ncat gave me the least trouble.
Labels:
Network
Wednesday, July 9, 2014
Encodings (personal notes)
This is not supposed to be pretty, just for me:
ENCODINGS N' SHIT
From hex to string
print("\x41") #will print "A" since 41 is the hex of capital A
A
From string to hex
"A".encode("hex")
41
From hex to string (again)
"41".decode("hex")
A
encoder/decode supports hex, base64, utf-8, rot13, and a bunch others (https://docs.python.org/2/library/codecs.html#standard-encodings)
URL encode:
import urllib
urllib.quote_plus("HOLA\":!@$")
HOLA%22%3A%21%40%24
ENCODINGS N' SHIT
From hex to string
print("\x41") #will print "A" since 41 is the hex of capital A
A
From string to hex
"A".encode("hex")
41
From hex to string (again)
"41".decode("hex")
A
encoder/decode supports hex, base64, utf-8, rot13, and a bunch others (https://docs.python.org/2/library/codecs.html#standard-encodings)
URL encode:
import urllib
urllib.quote_plus("HOLA\":!@$")
HOLA%22%3A%21%40%24
Labels:
Programming
Wednesday, July 2, 2014
Python script to grab the title of a page
#!/usr/bin/env python import urllib2 import sys from BeautifulSoup import BeautifulSoup #expects "http://example.com" as argument try: urllib2.urlopen(sys.argv[1]) except urllib2.HTTPError, e: print sys.argv[1], '--- HTTPERROR' quit() soup = BeautifulSoup(urllib2.urlopen(sys.argv[1])) if soup.title: print sys.argv[1], "--- ", soup.title.string else: print sys.argv[1], '--- NULL'
Labels:
Programming,
Python
Thursday, June 19, 2014
Getting Internal IP from WebDAV via PROPFIND method using curl
I wanted a curl line that would grab the disclosed internal IP from a webserver.
It turns out that you need to specify an empty host header, and the content length of 0 for it to work.
If you dont specify the empty host header, it will just spit back the XML with whatever host header you specify. And you need a content length of 0 because the server expects a content length header :/
Below is the curl line to get the IP in the body of the message:
curl -v -k -H "Host:" -H "Host;" -H "Content-Length: 0" -X PROPFIND http://example.com:1234
It turns out that you need to specify an empty host header, and the content length of 0 for it to work.
If you dont specify the empty host header, it will just spit back the XML with whatever host header you specify. And you need a content length of 0 because the server expects a content length header :/
Below is the curl line to get the IP in the body of the message:
curl -v -k -H "Host:" -H "Host;" -H "Content-Length: 0" -X PROPFIND http://example.com:1234
Labels:
Web
Friday, February 14, 2014
Cool Bash Trick: Constantly updating a "status" line in bash script
Lots of times i'm dealing with repetitius data and i dont like that it can take up so much of my screen when i'm really only outputting something like "Portion 3 is done" and the only thing that updates is the number.
It's annoying to have a screen full of:
Portion 1 is done
Portion 2 is done
Portion 3 is done
Portion 4 is done
...
I'd like it if only one line is used to tell me the current done portion. Well, it turns out there is a way to do this with bash scripts.
It turns out there is "\r" which means carriage return. So if you output a carriage return WITHOUT a newline then you essentially clear that line of text.
A simple double for loop to visually see what i'm talking about:
It's annoying to have a screen full of:
Portion 1 is done
Portion 2 is done
Portion 3 is done
Portion 4 is done
...
I'd like it if only one line is used to tell me the current done portion. Well, it turns out there is a way to do this with bash scripts.
It turns out there is "\r" which means carriage return. So if you output a carriage return WITHOUT a newline then you essentially clear that line of text.
A simple double for loop to visually see what i'm talking about:
for j in $(seq 1 10); do for i in $(seq 1 20); do printf "$i is part of $j \r" sleep .1 done done
Labels:
Bash,
Programming
Subscribe to:
Posts (Atom)