Subdomain Hijcking – Notes links & tools

I had previously read about Subdomain hijacking, but in all honesty I didn’t really “get it”. All that changed starting with this Security Fest talk by Frans Rosén entitled: DNS hijacking using cloud providers: Or more accurately I really started to get this going through Frans’s slides of the talk: I don’t want to explain the premise of this to you as it’s one of those you have to investigate yourself to really get to grips with it. But what I will do to (hopefully) bring your learning time down is detail below all of the links Frans mentions plus those from my Read More

Climbing Mount WebAppSec – Chrome Extensions

As we move “client-side” browsers are evermore important as they effectively become our operating system – Chromebook for example. Many of the tasks we undertake were traditionally hosted inside the operating system but are now accessed via the browser – email and document processing being the prime examples. As a consequence browser security has become critical. In order to extend our browser functionality we are dependent on 3rd party extensions. It is vital we check the privileges granted these extensions as they often demand unnecessary invasive access. To give an example, I recently needed an simple PDF viewer Chrome extension and noted the Read More

Climbing Mount WebAppSec – Discovering Directories & Files with ZAP

This is the second part of my mini-series on “Domain Discovery”. The first part is here. Following Jason Haddix’s Bug Hunters Methodology I’m at phase three: Mapping Discovering the domain falls into two parts. The first to the left of the domain (subdomains) and the second to the right of the domain (Directories/Files). In this post I will cover directories/files. As with subdomains the premise in discovering directories/files is to firstly enlarge the attack surface and in the process find some easier wins. Directories and files may be forgotten in the mists of time, or may be part of the website admin/functionality the Read More

OWASP Juice Shop Vulnerable Webapp

A couple of weeks ago Björn Kimminich released the Juice Shop Vulnerable Web Application at the OWASP AppSec Europe conference in Belfast. Why another vulnerable webapp for target practice? This from Github: Main Selling Points: Easy-to-install: Choose between node.js, Docker and Vagrant to run on Windows/Mac/Linux Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically Self-healing: The simple SQLite database is wiped and regenerated from scratch on every server startup Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board CTF-support: Challenge notifications optionally show a flag code for your Read More

Climbing Mount WebAppSec – Discovering Directories & Files with Wfuzz

This is the second part of my mini-series on “Domain Discovery”. The first part is here. Following Jason Haddix’s Bug Hunters Methodology I’m at phase three: Mapping Discovering the domain falls into two parts. The first to the left of the domain (subdomains) and the second to the right of the domain (Directories/Files). In this post I will cover directories/files. As with subdomains the premise in discovering directories/files is to firstly enlarge the attack surface and in the process find some easier wins. Directories and files may be forgotten in the mists of time, or may be part of the website admin/functionality the Read More

Climbing Mount WebAppSec – Discovering Subdomains

Following Jason Haddix’s Bug Hunters Methodology I’m at phase two: Discovery. Discovering the domain falls into two parts. The first to the left of the domain (subdomains) and the second to the right of the domain (Directories/Files). In this post I will cover subdomains. The premise in discovering subdomains is to firstly enlarge the attack surface and in the process find some easier wins. Subdomains may be forgotten in the mists of time; for example, originally set up for testing purposes, or a myriad other reasons that make them of interest to us. There’s a lot of solid tools out there Read More

Service Principal Name Scanning Active Directory

Dropping these notes here as a reminder for myself and might be useful for you: Scanning for services within Active Directory is best done utilising existing functionality to avoid detection. This is best achieved through Service Principal Names. Sean created a resource page of useful SPNs: His Active Directory recon code is here. And this is a talk given by Sean earlier this year entitled: Red vs. Blue: Modern Active Directory Attacks & Defense

Command and Control Using Powershell and Twitter

Initially I wanted to update and extend @obscuresec‘s Powershell Twitter Bot, the problem is this was written in early 2013 and relied on Twitter’s API 1 which required no authentication. The current Twitter API 1.1 does require authentication and encryption and although doable from the perspective of Powershell, the code is far too verbose for my purposes. With these hurdles I took a closer look at the modus operandi of the Russian criminal group using Hammertos and they avoided using the API and had the code simply reach out to the URL of the Twitter handle and look for a hashtag. I though this Read More

Raphael Mudge’s Advanced Threat Tactics Course

Going through Raphael Mudge’s Advanced Threat Tactics Course videos and blog post is akin to rummaging through treasure. Although this is a showcase for Cobalt Strike which is a *must have* tool for IT security Red Team operations and Adversary Simulation, it is so much more. For me, this course catapulted and solidified my thinking and is the pre-eminent single source of information for not only the tools of advanced threat simulation, but the underlying methodology and tradecraft. I’ll make no bones about it, I consider Cobalt Strike a masterpiece put together by a craftsman, and In case you think I’m going overboard, harmj0y described Read More

Powershell Remote Access Trojan – PoshRat

I’ve been going through @nikhil_mitt‘s 5-part blog series on Powershell Shells. It’s beautifully and meticulously laid out and covers: Day 1 – Interactive PowerShell shells over TCP (Click here) Day 2 – Interactive PowerShell shells over UDP (Click Here) Day 3 – Interactive PowerShell shells over HTTP/HTTPS (Click Here) Day 4 – Interactive PowerShell shells with WMI (Click Here) Day 5 – Interactive PowerShell shells over ICMP and DNS (Click Here) Nikhil is the author of offensive security Powershell tools Nishang and Kautilya and his blog post series is ideal if you want to roll up your sleeves and play with these tools manually, Read More