I have a Raspberry Pi implant that I can drop on a network.  When connected, it will grab an address from DHCP but I won't know its address.  I could have it open up an SSH connection but I don't want a persistent outbound connection.  What I would like is for it to get its internal address, ping something, and relay its IP back to me.  Something as simple as a single GET request hitting the logs on a server from which I can parse it out.  

The seemingly logical method is to use:  socket.gethostbyname(socket.gethostname())

The problem with that method on most modern *nix installs is the response:  '127.0.0.1'
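As an added example (mine, not code from the original post), the two lookups side by side: the hostname-based one the post describes, which on most Linux boxes hits a loopback entry in /etc/hosts, and a route-based alternative that asks the kernel which local address it would use for outbound traffic. The probe address 192.0.2.1 is an RFC 5737 documentation address chosen as a placeholder; connect() on a UDP socket only selects a route and binds a source address, so nothing is transmitted to it.

```python
import ipaddress
import socket


def hostname_lookup_ip():
    """The 'obvious' approach: resolve our own hostname.

    On most Linux installs /etc/hosts maps the hostname to a loopback
    address, so this returns 127.0.0.1 (or 127.0.1.1) rather than the
    address of any real interface. Returns None if the name cannot be
    resolved at all.
    """
    try:
        return socket.gethostbyname(socket.gethostname())
    except socket.gaierror:
        return None


def outbound_ip(probe="192.0.2.1"):
    """Return the local address the kernel would use to reach `probe`.

    A datagram socket's connect() performs the route lookup and binds the
    matching source address without sending a packet. `probe` defaults to
    an RFC 5737 documentation address (placeholder; never actually contacted).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.connect((probe, 9))
        return sock.getsockname()[0]
    except OSError:
        # No route at all (host is offline): loopback is the only honest answer.
        return "127.0.0.1"
    finally:
        sock.close()


def is_loopback(ip):
    """True for 127.0.0.0/8 addresses, i.e. answers that are not useful."""
    return ipaddress.ip_address(ip).is_loopback


if __name__ == "__main__":
    print("gethostbyname(gethostname()):", hostname_lookup_ip())
    print("route-based lookup:          ", outbound_ip())
```

On a host with a default route the second function returns the interface address; on an isolated host both degrade to loopback, which is the case `is_loopback` lets a caller detect before reporting the value anywhere.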


I often get asked why people should care about their web server getting hacked.  The argument for their lack of concern is the fact that their web server isn't on their corporate network, so they are isolated from any potential harm.

If I were to replace all of the photos on your website with cat memes, would you care?  Take this a step further with something offensive.  So now I have your attention -- or at least I think I do.  It gets worse.

If your site is vulnerable to cross-site scripting, we can do the Internet's version of graffiti.  Pretty simple stuff if you don't sanitize inputs.  Also about as dangerous as cat memes in that we're introducing different content but causing no real harm unless you don't like cats.


In order to defend against attacks, you have to understand the attack vectors and weigh the risks.  A meterpreter shell generated into an .exe file with msfvenom won't make it through email, and if it somehow did manage to make its way to a desktop, it would immediately get gobbled up by the antivirus software.  I know this for a fact because I've generated said payload and dropped it onto a desktop.  I'm not worried about .exe files.  On the other hand, I consider Microsoft Office documents a potential risk.

I can block .exe files but I cannot block Microsoft Office documents without angering the masses.  With that in mind, what's the exposure?  Depends on the users, no?  The sender is also a factor.


Every so often, I come across a challenge that has a password-encrypted zip file.  And every so often I realize I've switched my working laptop and I no longer have Jumbo John installed.  Recently I encountered that exact scenario, and when I attempted to install Jumbo John, something went sideways.  Rather than digging through it, and knowing that I'm about to switch my working laptop in the very near future, I decided to use a script instead.

Honestly, after going this route, I'm not exactly sure why this isn't a better approach.  Perhaps if I weren't using a wordlist?  Multithreading?  Dunno.  Anyway, I think I can count exactly one time I've come across a zip file with a password in my work.  Given that this situation only arises during CTF situations, the script works and I don't have to install anything.


I attended CactusCon this past weekend and there was a talk on cracking Active Directory hashes.  When I entered the room (late), it was standing room only.  For a few minutes, I listened in but eventually ended up leaving because the gist of the talk is something I already practice.  Essentially, build a cracking machine, dump the Active Directory hashes, and check for weak passwords.

My cracking machine is a Dell Precision 3600 Series workstation with an NVIDIA 8GB GPU.  Without the GPU, using my 400MB wordlist, it takes approximately 2.5 hours to exhaust the list.  With the GPU, it takes 7 minutes.  It's a modest cracking machine and its purpose isn't to win any contests.  I just want to get through a reasonable wordlist in a reasonable amount of time.  This meets that goal.


I wrote up a small script using bWAPP as my DB target to give an example of how to connect to a remote MySQL DB and query a table for a partial expression.  The bWAPP "secret" column does not have a lot of data to query, but if you throw in "a", you'll return two rows (the email column is hidden by the site's anti-spam cloaking):

(1, u'A.I.M.', u'6885858486f31043e5839c735d99457f045affd0', u'[email hidden]', u'A.I.M. or Authentication Is Missing', None, 1, None, 1)
(2, u'bee', u'6885858486f31043e5839c735d99457f045affd0', u'[email hidden]', u'Any bugs?', None, 1, None, 1)

------

import mysql.connector

# Connection details for the bWAPP lab VM (bWAPP's default credentials).
mydb = mysql.connector.connect(
    host="192.168.0.49",
    user="root",
    passwd="bug",
    database="bWAPP"
)

table = 'users'
mycursor = mydb.cursor()

while True:
    print()
    string = input("[*] Enter search query: ")

    # Bind the pattern as a parameter instead of splicing it into the SQL,
    # so quotes in the input are treated as data rather than as SQL syntax.
    mycursor.execute("SELECT * FROM " + table + " WHERE secret REGEXP %s", (string,))
    myresult = mycursor.fetchall()

    for x in myresult:
        print(x)
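The original version of this script built the WHERE clause by concatenating the search text into the statement.  The following added example (mine, not the script from the post) reproduces that pattern against an in-memory SQLite table with constructed rows shaped like the bWAPP users table, registers a Python regexp so SQLite's REGEXP behaves roughly like MySQL's case-insensitive one, and puts the bound-parameter version next to it so the difference in results on a crafted input can be seen offline with no MySQL server.

```python
import re
import sqlite3

# Constructed rows (id, login, secret) standing in for bWAPP's users table.
SAMPLE_USERS = [
    (1, "A.I.M.", "A.I.M. or Authentication Is Missing"),
    (2, "bee", "Any bugs?"),
    (3, "wolf", "Honey only"),
]


def _regexp(pattern, value):
    """SQLite has no built-in REGEXP; `x REGEXP y` calls regexp(y, x).

    IGNORECASE approximates MySQL's default case-insensitive matching on
    non-binary columns.
    """
    if value is None:
        return False
    return re.search(pattern, value, re.IGNORECASE) is not None


def make_db():
    """Build the in-memory table and attach the REGEXP function."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, _regexp)
    conn.execute("CREATE TABLE users (id INTEGER, login TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_concat(conn, needle):
    """The concatenation pattern: user text becomes part of the SQL."""
    sql = "SELECT id, login, secret FROM users WHERE secret REGEXP '" + needle + "'"
    return conn.execute(sql).fetchall()


def search_param(conn, needle):
    """Hardened form: the driver binds the value; quotes in it stay data."""
    sql = "SELECT id, login, secret FROM users WHERE secret REGEXP ?"
    return conn.execute(sql, (needle,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for needle in ("a", "x' OR 1=1 OR 'y"):
        print("input:", repr(needle))
        print("  concatenated:", [r[1] for r in search_concat(conn, needle)])
        print("  parameterized:", [r[1] for r in search_param(conn, needle)])
```

For an ordinary pattern such as "a" both functions return the same two rows.  For an input containing a quote the concatenated statement becomes `... REGEXP 'x' OR 1=1 OR 'y'` and returns every row, while the parameterized query searches for the literal text and returns nothing, which is the behaviour you want from a lookup tool pointed at a database you care about.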


© 2020 sevenlayers.com