Had a little bit of trouble figuring it out, so adding the format that I found here:
# wfuzz -c -z file,/usr/files/userfile -z file,/usr/files/passfile –ntlm FUZZ:FUZ2Z https:///
In a nutshell, the -z coincides with the “FUZZ”. Each subsequent payload/FUZZ combination points to the FUZ2Z or FUZ3Z and so on.
289 total views, no views today
defaults write com.apple.screencapture location ~/Pictures/
325 total views, 1 views today
Since this is a reference for when I forget:
export PATH=$PATH:<whatever else to add to the path>
293 total views, no views today
- Save as foo.c
- Compile gcc foo.c -o foo
- sudo chmod u+s foo
240 total views, no views today
Once sshdroid (https://play.google.com/store/apps/details?id=berserker.android.apps.sshdroid&hl=en) is installed on a rooted device, start zipping around, like in /data/user/0/<packagename>/shared_prefs
But to log on, first might need to turn off “Enable root” in sshdroid. But after logging in to: ssh root@<ip> -p 2222 then simply su.
310 total views, no views today
ADB, the Android Debugging Bridge. If you want it to connect to Android > 4.2.2, or in other words, anything from this century, you can’t use anything less than ADB 1.0.31. By default, mobisec comes with 1.0.29, so even if the device is rooted, the device appears to be offline.
To upgrade adb: First download android-sdk-linux, from here: https://developer.android.com/studio/index.html near the bottom where is says “Just the tools” Once you download, unzip and all that, cd into android-sdk-linux and run: tools/android update sdk –no-ui
To get 32-bit adb: http://askubuntu.com/questions/710426/android-sdk-on-ubuntu-32bit, as of this writing, it resulted in version 1.0.32 of adb.
Installing Drozer: (Drozer site) Need the .apk for the device, and the platform. Both are available at the Drozer page. Start up the agent on the device, and it should be running on tcp:31415, then do the port forwarding in the platform. If the device and the platform connect, all good, and fire away!
Extra Drozer Modules: https://github.com/mwrlabs/drozer-modules
Drozer User’s Guide:
If we get:
mobisec@mobisec:~$ adb devices
List of devices attached
8753afe5 no permissions
Then stop and start the server with sudo.
Another good resource: https://securitycafe.ro/2015/07/08/mobile-penetration-testing-using-drozer/
Video overview by the developer: https://www.concise-courses.com/infosec/drozer/
283 total views, 1 views today
As others have done with their blog, I plan to use this as a repository of things I learn, not a “I’m a ninja on this topic, read this to learn everything!”, quite the opposite actually.
Testing android app, get the .apk file, simply download it onto the device and double click the file to install it. Once the file installs, it will be runnable.
To open an .apk file, change the extension to .zip and unzip it. That will include manifests, xml files of information and dex file(s), which is the actual java code that can be decompiled with something like dex2jar (included in Mobisec). Then simply use JD-GUI to read the class files!
195 total views, no views today
This is kinda cool. One way of enumerating usernames is to try a username against a login screen and have the error message tell you “That username doesn’t exist.” Or try to create a new account and have the system tell you “That username already exists.” But if a site is coded properly, it won’t give you that kind of info, making username enumeration (ie. figuring out valid and existing usernames) harder. So how about figuring them out with a timing attack?
When a username and password are submitted to a site for checking, they’re sent to a database and the dbms needs to find the username, and when it finds the row with the username, it checks the password hash against what exists in the database. However if the username doesn’t exist, the dbms doesn’t need to bother checking the password hash. It can just return the generic fail message. This small difference can be seen in the response time. In a recent test, I created a list of 50 usernames and 5 were known good. I interspersed the valid usernames in with all the invalid ones. I used the same password for every attempt, and ran them through Burp Intruder. The result was that the five good returned the slowest response times. There was one invalid password mixed in, but out of the six slowest responses, my five valid usernames were right there. Knowing this, I could do some open source searches for potential usernames and test them against a login screen. I did also test usernames of varying length and it didn’t change the results. Just in case of having a list with mostly valid usernames, I could also pad it with likely garbage usernames, things like “aaaaaaaaa” or “nekdhspfacshabdfks”. This one will be fun to try again in future assessments.
242 total views, 1 views today
In my first test, I worked with my manager. It was a web test and one that was pretty solid. However one fun thing was something I saw in a presentation at BSides Baltimore last week. A bad password policy may be a low finding. A lack of bad auth attempt lockout feature may be a low finding. A username enumeration may be a low finding. However, if a site has all three? That is a critical finding. If you can enumerate a list of valid usernames (just check LinkedIn for names and figure out the username format) and then throw the top 1000 passwords against a list of usernames, you’ll get in.
Some other stuff too, but also wrote the report and sent it in. Looking forward to the next one!
173 total views, no views today
Welp, I get to start in an area that I probably know least about, Windows. I’m sure someday I’ll look back and think this was silly easy, because of the fact that I have access through one set of credentials. However, the goal is to get administrator, or even better, system access. So I’m learning about how Windows keeps track of that sort of thing.
Starting with Security Accounts Manager (SAM), the database of where password hashes are stored. At this point, I’m guessing it’s akin to the /etc/shadow file. Now to figure out where it is and how to access it, because it appears that only the system level user actually has access.
265 total views, no views today