Pentest With Rohit

Moderator

  • Posts: 31
  • Joined
  • Last visited
  • Days Won: 3

Pentest With Rohit last won the day on October 22 2021

Pentest With Rohit had the most liked content!

7 Followers

About Pentest With Rohit

Recent Profile Visitors

809 profile views

Pentest With Rohit's Achievements

Contributor

Contributor (5/14)

  • Dedicated
  • One Month Later
  • Week One Done
  • Collaborator Rare
  • Reacting Well

Recent Badges

Reputation: 14

  1. In the Windows environment, hackers must be able to program against low-level APIs. These widely used APIs have been grouped into seven categories to help readers gain a better understanding of the Windows APIs commonly used by hackers and to make looking up API methods easier. We hope this will be beneficial to everyone's learning.

     1) Process

     • Create a process: CreateProcess("C:\\windows\\notepad.exe",0,0,0,0,0,0,0,&si,&pi); WinExec("notepad",SW_SHOW); ShellExecute(0,"open","notepad","c:\\a.txt","",SW_SHOW); ShellExecuteEx(&sei);
     • Traverse processes: CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); Process32First(hsnap,&pe32); Process32Next(hsnap,&pe32);
     • Terminate a process: ExitProcess(0); TerminateProcess(hProc,0);
     • Open a process: OpenProcess(PROCESS_ALL_ACCESS,0,pid);
     • Get the process ID: GetCurrentProcessId();
     • Get the path of the process executable: GetModuleFileName(NULL,buf,len); GetProcessImageFileName(hproc,buf,len);
     • Traverse process module information: CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,pid); Module32First(hsnap,&me32); Module32Next(hsnap,&me32);
     • Get the handle of a specified module: GetModuleHandle("kernel32.dll");
     • Get a function address in a module: GetProcAddress(hmdl,"MessageBoxA");
     • Load a DLL dynamically: LoadLibrary("user32.dll");
     • Unload a DLL: FreeLibrary(hDll);
     • Get the process command line: GetCommandLine(); In any process, the 4-byte address found one byte past the start of the GetCommandLine function is the address of the command line.
     • Read and write remote process memory: ReadProcessMemory(hproc,baseAddr,buf,len,&size); WriteProcessMemory(hproc,baseAddr,buf,len,&size);
     • Request memory: VirtualAlloc(0,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE); VirtualAllocEx(hproc,0,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
     • Modify memory protection: VirtualProtect(addr,size,PAGE_EXECUTE_READWRITE,&oldProtect); VirtualProtectEx(hproc,addr,size,PAGE_EXECUTE_READWRITE,&oldProtect);
     • Free memory: VirtualFree(addr,0,MEM_RELEASE); VirtualFreeEx(hproc,addr,0,MEM_RELEASE);
     • Obtain the system version (Win NT/2K/XP < 0x80000000): GetVersion();
     • Read and write process priority: SetPriorityClass(hproc,NORMAL_PRIORITY_CLASS); GetPriorityClass(hproc); SetProcessPriorityBoost(hproc,true); GetProcessPriorityBoost(hproc,pBool);

     2) Thread

     • Create a thread (a thread function started with CreateThread that calls strtok, rand, etc. needs _endthread() to release memory): CreateThread(0,0,startAddr,&para,0,&tid); _beginthread(startAddr,0,0); _beginthreadex(0,0,startAddr,0,0,&tid); CreateRemoteThread(hproc,0,0,func,&para,0,&tid);
     • Get the thread ID: GetCurrentThreadId();
     • Close the thread handle (decrements the kernel object's usage count to prevent leaks): CloseHandle(hthread);
     • Suspend and resume threads (a suspend count is maintained): SuspendThread(hthread); ResumeThread(hthread);
     • Get the thread exit code: GetExitCodeThread(hthread,&code);
     • Wait for the thread to exit (signaled state or timeout): WaitForSingleObject(hthread,1000); WaitForMultipleObjects(num,handles,true,INFINITE);
     • Traverse threads: CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,0); Thread32First(hsnap,&te32); Thread32Next(hsnap,&te32);
     • Get the thread function entry point: ZwQueryInformationThread(hthread,ThreadQuerySetWin32StartAddress,&buf,4,NULL);
     • Open a thread: OpenThread(THREAD_ALL_ACCESS,false,tid);
     • Get the module that a thread function address belongs to: GetMappedFileName(hproc,addr,buf,256);
     • Read and write thread priority: SetThreadPriority(hthread,THREAD_PRIORITY_NORMAL); GetThreadPriority(hthread); SetThreadPriorityBoost(hthread,true); GetThreadPriorityBoost(hthread,pBool);
     • Terminate a thread: ExitThread(5); TerminateThread(hthread,5);
     • Thread synchronization, critical section object: InitializeCriticalSection(&cs); EnterCriticalSection(&cs); LeaveCriticalSection(&cs); DeleteCriticalSection(&cs);
     • Thread synchronization, event kernel object: OpenEvent(EVENT_ALL_ACCESS,false,name); CreateEvent(NULL,false,true,NULL); WaitForSingleObject(hevnt,INFINITE); SetEvent(hevnt); ResetEvent(hevnt);
     • Thread synchronization, mutex kernel object: CreateMutex(NULL,false,NULL); WaitForSingleObject(hmutex,INFINITE); ReleaseMutex(hmutex); OpenMutex(MUTEX_ALL_ACCESS,false,name);

     3) Registry

     • Create a key: RegCreateKeyEx(HKEY_CURRENT_USER,"TestNewKey",0,0,REG_OPTION_VOLATILE,KEY_ALL_ACCESS,0,&subkey,&state);
     • Open a key: RegOpenKeyEx(HKEY_CURRENT_USER,"Control Panel",0,KEY_ALL_ACCESS,&subkey);
     • Close a key: RegCloseKey(hkey);
     • Traverse keys: RegEnumKeyEx(hsubkey,index,keyname,&nameSize,0,0,0,&time); FileTimeToSystemTime(&time,&systime); RegQueryInfoKey(hsubkey,0,0,0,&count,0,0,0,0,0,0,0);
     • Delete a key: RegDeleteKey(hmainkey,subkeyName);
     • Create a value: RegSetValueEx(hsubkey,"test",0,REG_DWORD,(BYTE*)&value,4);
     • Traverse values: RegEnumValue(hsubkey,index,name,&nameSize,0,&type,valuebuf,&valueLen); RegQueryValueEx(hsubkey,name,0,&type,buf,&size);
     • Delete a value: RegDeleteValue(hsubkey,valuename);

     4) File

     • Create / open a file: CreateFile("a.txt",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
     • Set the file pointer: SetFilePointer(hFile,0,NULL,FILE_END);
     • Read and write files: ReadFile(hFile,buf,len,&size,0); WriteFile(hFile,buf,len,&size,0);
     • Force the file to be written to disk and clear the file cache: FlushFileBuffers(hFile);
     • Lock a file region: LockFile(hFile,0,0,100,0); UnlockFile(hFile,0,0,100,0);
     • Copy files: CopyFile(src,des,true); CopyFileEx(src,des,func,&para,false,COPY_FILE_FAIL_IF_EXISTS);
     • Move files: MoveFile(src,des); MoveFileEx(src,des,0); MoveFileWithProgress(src,des,func,&para,MOVEFILE_COPY_ALLOWED);
     • Delete files: DeleteFile(filename);
     • Get the file type (e.g. FILE_TYPE_PIPE): GetFileType(hFile);
     • Get the file size: GetFileSize(hFile,&high);
     • Get file attributes (for example, test FILE_ATTRIBUTE_DIRECTORY with the & operator): GetFileAttributes(filename);
     • Traverse files: FindFirstFile(nameMode,&wfd); FindNextFile(hFind,&wfd);
     • Create a pipe: CreatePipe(&hRead,&hWrite,&sa,0);
     • Create a memory-mapped file: CreateFileMapping(hFile,NULL,PAGE_READWRITE,0,0,"myMap");
     • Map the memory-mapped file: MapViewOfFile(hmap,FILE_MAP_ALL_ACCESS,0,0,0);
     • Open a memory-mapped file: OpenFileMapping(FILE_MAP_ALL_ACCESS,false,"myMap");
     • Unmap the memory-mapped file: UnmapViewOfFile(baseAddr);
     • Force the memory-mapped file to disk: FlushViewOfFile(baseAddr,len);
     • Create a folder (only one level can be created): CreateDirectory("D:\\a",NULL); CreateDirectoryEx("C:\\a","D:\\b",NULL);
     • Delete a folder (only an empty folder can be deleted): RemoveDirectory("C:\\a");
     • Logical drive detection: GetLogicalDrives(); GetLogicalDriveStrings(len,buf);
     • Get the drive type (e.g. DRIVE_CDROM): GetDriveType("D:\\");

     5) Network

     • Open a network resource enumeration (winnetwk.h, Mpr.lib): WNetOpenEnum(RESOURCE_GLOBALNET,RESOURCETYPE_ANY,0,NULL,&hnet);
     • Enumerate network resources: WNetEnumResource(hnet,&count,pNetRsc,&size);
     • Close the network resource enumeration: WNetCloseEnum(hnet);
     • Open and close the WinSock library: WSAStartup(version,&wsa); WSACleanup();
     • Create a socket: socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
     • Bind the socket to an IP and port: bind(sock,&addr,len);
     • Listen for TCP connections: listen(sock,10);
     • Accept a TCP connection request: accept(sock,&addr,&len);
     • Client connection: connect(sock,&addr,len);
     • Send TCP data: send(sock,buf,len,0);
     • Receive TCP data: recv(sock,buf,len,0);
     • Send UDP data: sendto(sock,buf,len,0,&addr,len);
     • Receive UDP data: recvfrom(sock,buf,len,0,&addr,&len);

     6) Service

     • Open the SCM (Service Control Manager): OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
     • Create a service: CreateService(mgr,"MyService","MyService",SERVICE_ALL_ACCESS,SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START,SERVICE_ERROR_IGNORE,path,NULL,NULL,NULL,NULL,NULL);
     • Open a service object: OpenService(mgr,"MyService",SERVICE_START);
     • Start the service: StartService(serv,0,NULL);
     • Query service status: QueryServiceStatus(serv,&state);
     • Close the service handle: CloseServiceHandle(hdl);
     • Connect to the SCM: StartServiceCtrlDispatcher(DispatchTable);
     • Register the service control function: RegisterServiceCtrlHandler("MyService",ServiceCtrl);
     • Set service status: SetServiceStatus(hss,&ServiceStatus);
     • Control a service: ControlService(serv,SERVICE_CONTROL_STOP,&state);
     • Delete a service: DeleteService(serv);
     • Traverse services: EnumServicesStatus(hscm,SERVICE_WIN32|SERVICE_DRIVER,SERVICE_STATE_ALL,&srvSts,len,&size,&count,NULL);
     • Query service configuration: QueryServiceConfig(hserv,&srvcfg,size,&size);

     7) Message

     • Send a message: SendMessage(HWND_BROADCAST,WM_LBUTTONDOWN,0,0);
     • Receive messages: GetMessage(&msg,NULL,0,0);
     • Post a message: PostMessage(HWND_BROADCAST,WM_LBUTTONDOWN,0,0);
     • Peek at messages: PeekMessage(&msg,NULL,0,0,PM_NOREMOVE);
     • Translate a message: TranslateMessage(&msg);
     • Dispatch a message: DispatchMessage(&msg);
     • Wait for a message: WaitMessage();
     • Send the exit message: PostQuitMessage(0);
     • Install a message hook: SetWindowsHookEx(WH_KEYBOARD,keyBoardProc,0,tid);
     • Uninstall a message hook: UnhookWindowsHookEx(hhk);
  2. *In this video you will get answers to all these questions and a lot more than this* :- 1.) *What is Python?* 2.) *How does Python work?* 3.) *How to execute the first Python program?* 4.) *What are VARIABLES AND DATA TYPES?* 5.) *What are STRINGS?* 6.) *How do string functions work?* 7.) *Understanding how string functions like count, strip, lstrip, rstrip, replace and a lot more work?* 8.) *What is STRING FORMATTING?* *and a lot more is covered in this guide, so don't miss the chance*
  3. Interview questions that were asked to me last week; hope this helps people here with interview preparation. It started with an introduction and a few things from my resume. Then they asked:

     1) Why cybersecurity? Why are you interested in this domain?
     2) What part of cybersecurity are you more interested in, and what are you currently learning?
     3) What is web application security? Give an example. Why is it necessary? Can you give another example? How do you fix those vulnerabilities?
     4) What is risk?
     5) What is a vulnerability?
     6) What are the 4 mitigations of risk?
     7) As you have opted for a specialization in computer networks, can I ask a few questions from this? What is a network?
     8) What is load balancing?
     9) Name the OSI layers.
     10) What is the data link layer?
     11) What is the session layer, with an example?
     12) What is ARP? What is its purpose?
     13) What's ARP poisoning?
     14) What is a firewall? What is its purpose? What's a honeypot? Where is it placed, in front of or behind the firewall?
     15) What are IDS and IPS? How are they different?

     Interested ones, do reply with your answers to these questions and I will rate your answers. 🤙🤙
  4. I, Rohit aka Pentest With Rohit, am currently working as an Accountant and Manager in a private firm, Goyal Impex. I have nearly 4+ years of experience in the information security field. I am a CyberSecurity Consultant, Programmer, Automation Lover, NCC Cadet, Accountant and also Manager. I started my career as a CyberSec Teacher and moved to the Cyber Security field after a year, and I also contribute to the open source community as a developer. Literally to nobody: Girls after seeing my intro (Reaction)
  5. Like Django debug mode, the Laravel framework too leaks sensitive info via its traceback. Shodan query: html:"Whoops! There was an error" In the Laravel framework credentials are not hidden by default, so you can look for more credentials plus sensitive configurations. You can automate this process just by changing the code in the Django debug mode automation: 1. Change the Shodan query 2. Add more regexes, like AWS access key/secret key. That's all.
  6. Let's install the shodan module by executing the following command.

         pip install shodan

     Then the search script:

         import shodan

         SHODAN_API_KEY = "YOUR_SHODAN_API"
         api = shodan.Shodan(SHODAN_API_KEY)

         # one domain per line; each domain becomes an ssl: filter
         words = open("bug-bounty-wordlist.txt", "r")
         django_debug_list = open("django-debug-list.txt", "w")

         for word in words.readlines():
             query = "html:'URLconf defined' ssl:" + word.strip('\n')
             try:
                 results = api.search(query)
                 print('Results found: {}'.format(results['total']))
                 for result in results['matches']:
                     print(word)
                     print('IP: {}'.format(result['ip_str']))
                     port = result['port']
                     # build a base URL: 443 -> https, 80 -> http, other ports explicit
                     if port in [80, 443]:
                         if port == 443:
                             ip = "https://" + result['ip_str']
                         else:
                             ip = "http://" + result['ip_str']
                     else:
                         ip = "http://" + result['ip_str'] + ":" + str(port)
                     django_debug_list.write(ip + '\n')
                 print('')
             except Exception as e:
                 print(e)

         words.close()
         django_debug_list.close()

     This shodan Python module is an official wrapper around the Shodan API. We can use all the filters specified in the Shodan docs via this module. You need to get an API key on shodan.io by creating an account. Every year in November, as a Black Friday offer, Shodan provides a member account for $5. You can afford it. In the above program, we open a domain wordlist file, iterate over it in a loop, then construct the Shodan query, which is passed to the Shodan search API function that returns a list of dictionaries. You can check the IP addresses manually, or you can automate that process as well. Okay, let's automate:

         import requests, re

         # the list written by the previous script; opened for reading this time
         django_debug_list = open("django-debug-list.txt", "r")
         regex = r"(?:mongodb|redis):\/\/"

         for ip in django_debug_list.readlines():
             try:
                 response = requests.post(url=ip.rstrip("\n") + "/admin", data={}, verify=False)
                 # response.text is str, so it can be matched against a str pattern
                 if re.search(regex, response.text):
                     print("Mongodb/Redis URI Found")
             except Exception as e:
                 print(e)

         django_debug_list.close()

     Here you can see the regex to match mongodb:// or redis:// or both. You can see the function rstrip, which strips characters from the right end of a string; here I removed the newline (\n) character. I passed the parameter verify=False, which tells the program not to verify the SSL certificate of the server. You can use your own regex to match something else other than mongodb/redis URIs.
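     Added example (not the author's code, and not part of posts 5 or 6 above): an offline checker that applies the ideas from both posts to an HTTP response body you already have, for instance the error page of your own staging server, to confirm that debug mode is off and that no datastore URIs or AWS keys leak through a traceback. It reuses the post's URL-building rule and its mongodb/redis regex, and adds the AWS access key ID pattern the Laravel post suggests (the AKIA/ASIA prefix is AWS's documented key-ID format; AKIAIOSFODNN7EXAMPLE is the sample key from the AWS documentation). Sample pages below are constructed, not captured; no network access is needed.

     ```python
     import re
     from typing import Dict, List

     # Debug-page markers quoted in the posts; substring match is an assumption of this example.
     DEBUG_SIGNATURES = {
         "django": "URLconf defined",
         "laravel": "Whoops! There was an error",
     }

     # Secret patterns: the post's datastore URI regex (extended to capture the whole URI)
     # plus an AWS access key ID pattern, as the Laravel post suggests adding.
     SECRET_PATTERNS = {
         "datastore_uri": re.compile(r"(?:mongodb|redis)://[^\s\"'<]+"),
         "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
     }


     def base_url(ip: str, port: int) -> str:
         """Same rule as the post's script: 443 -> https, 80 -> http, other ports explicit."""
         if port == 443:
             return f"https://{ip}"
         if port == 80:
             return f"http://{ip}"
         return f"http://{ip}:{port}"


     def detect_framework(body: str) -> List[str]:
         """Names of frameworks whose debug-page marker appears in the body."""
         return [name for name, marker in DEBUG_SIGNATURES.items() if marker in body]


     def redact(uri: str) -> str:
         """Mask the password in scheme://user:password@host so reports can be shared safely."""
         return re.sub(r"://([^:/@]*):([^@]*)@", r"://\1:***@", uri)


     def find_secrets(body: str) -> Dict[str, List[str]]:
         """Map pattern name -> sorted, de-duplicated matches found in the body."""
         hits: Dict[str, List[str]] = {}
         for name, pattern in SECRET_PATTERNS.items():
             found = sorted(set(pattern.findall(body)))
             if found:
                 hits[name] = found
         return hits


     def scan_response(ip: str, port: int, body: str) -> dict:
         """One finding record per host, with credentials redacted for the report."""
         secrets = find_secrets(body)
         return {
             "url": base_url(ip, port),
             "frameworks": detect_framework(body),
             "secrets": {k: [redact(v) for v in vs] for k, vs in secrets.items()},
             "exposed": bool(detect_framework(body) or secrets),
         }


     # Constructed sample bodies (not real captures).
     SAMPLE_DJANGO_PAGE = """
     <h1>Page not found (404)</h1>
     <p>Using the URLconf defined in <code>app.urls</code>, Django tried these URL patterns.</p>
     <tr><td>DATABASE_URL</td><td>mongodb://app:hunter2@10.0.0.5:27017/prod</td></tr>
     <tr><td>AWS_ACCESS_KEY_ID</td><td>AKIAIOSFODNN7EXAMPLE</td></tr>
     """

     SAMPLE_LARAVEL_PAGE = """
     <title>Whoops! There was an error.</title>
     <td>REDIS_URL</td><td>redis://:s3cret@cache.internal:6379</td>
     """

     SAMPLE_CLEAN_PAGE = "<html><body><h1>Server Error (500)</h1></body></html>"


     if __name__ == "__main__":
         for host, port, body in [
             ("203.0.113.10", 443, SAMPLE_DJANGO_PAGE),
             ("203.0.113.11", 8000, SAMPLE_LARAVEL_PAGE),
             ("203.0.113.12", 80, SAMPLE_CLEAN_PAGE),
         ]:
             print(scan_response(host, port, body))
     ```

     The checker keeps raw matches inside find_secrets for the person doing the review but writes only redacted values into the finding record, so the output can go into a ticket without re-leaking the credential. A clean 500 page with no marker and no match yields exposed=False, which is the state you want production error pages to be in.
     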
  7. ABOUT THE SERIES This is the first video and series by Pentest With Rohit on Bug Bounty. This series demonstrates hands-on automation using Python for each topic mentioned in the video. It gives you a basic idea of how to automate something to reduce repetitive tasks and perform OSINT and reconnaissance in automated ways. It also gives you an overview of Python programming in the Python crash course section, because basic Python programming knowledge will be needed. WHY DO WE NEED AUTOMATION? Repetitive manual work wastes our time and energy. It may exhaust you from what you are doing, so we need to automate these repetitive tasks to save our time and energy to focus on other areas. WHY PYTHON? Python is very easy to learn for newcomers and beginners. It has simplified syntax, so anybody can easily read and understand the code. There are lots of tools and modules available for Python to do our tasks by writing a few lines of code; that is why I have chosen Python for this series. Watch To Know More About This Series Then Just Click Here
  8. Covered:-

     1. From Where to Learn OWASP TOP 10 Fastly _ Unknown Components with Known Vulnerabilities
     2. SQL injection Theory and Practical Both _ Owasp Top 10
     3. XML External Entity XXE Processing Vulnerability With Theory and Practical Both _ Owasp Top 10
     4. HTTP Host header attacks With Theory and Practical Both _ Owasp Top 10
     5. Session Token in URL _ Owasp Top 10
     6. Session Fixation Vulnerability Theory and Practical Both _ Owasp Top 10
     7. Left Over Debug Code Vulnerability Theory and Practical Both _ Owasp Top 10
     8. Cross site scripting XSS Reflected_Stored and Dom With Theory and Practical Both _ Owasp Top 10
     9. Privilege Escalation Theory and Practical Both _ Owasp Top 10
     10. SSRF Vulnerability With Theory and Practical Both _ Owasp Top 10

     Do not forget to follow, so that you can get a pop-up message for updates on future posts. I hope you like and love this course the same as you liked the previous one. I have given a hint of the upcoming course in one video; watch that too.
  9. Waiting Eagerly