Category SysAdmin

How to execute a large scope nmap scan efficiently and effectively

If you follow me on Twitter @xxByte you must have seen the tweets about scanning a large scope of IPs and how I approached it.

The goal: To scan all TCP ports (0-65536) of ~800 IPs spread across Europe and detect any low-hanging fruit using automated tools or manual assessment, in the most efficient way and with the least resources needed.

The approach:

Let’s first do some math. Scanning 65536 TCP ports on 800 IPs means:
65536 x 800 = 52428800. That’s 52428800 SYN packets out, each waiting for a SYN-ACK reply packet, in total.

To meet the rest of the project requirements we need to scan each open port with a deeper script scan and a version detection scan, which means even more packets.

At such a scale we cannot afford to blindly script-scan all TCP ports...

Read More

Dual boot *Encrypted* Kali 2019 with Windows 10 in peace.

If you work in security and don’t encrypt your drives, maybe you should consider something else 😉

I was recently trying to get Windows 10 and Kali 2019 to coexist peacefully, and it was a really painful process. Each time I got one side working, the other side was complaining.

Eventually it boils down to this:

1- Install Windows 10 fully (including setting up a user, password, etc.). Failing to do so will corrupt the encrypted partition of Kali.

2- Install Kali until you reach the step to partition the disk. Choose “Manual”

3- Now create 3 partitions:
– one for /boot (~256 MB)
– one for the swap area (8-10 GB)
– the rest for the root mount /

4- Now go to “Encrypt partition” and click “Yes” to write the current partition layout to disk.

5- Now choose the partitions you created for swap and root...
</gml_replace>
<gr_replace lines="44-45" cat="reformat" orig="">


Read More

How to get Snort running under Windows


Getting Snort to work under Windows is a pain in the ass, so I wrote a quick guide on how I got it working and shared some config files which will save you hours of work.

All can be accessed under my github page: https://github.com/AddaxSoft/snort-windows/

Enjoy

Read More

Automation: Block ssh brute force attacks with iptables

1. create an iptables.rules file in /etc/

Read More

automate a safe wordpress update through a cron job

I’m a great believer in automation; as one of my interviewers once said to me: if we do it twice, we automate it.
I adopted this style throughout my work; hence I wanted to show how I would upgrade/update the WordPress core and plugins using cron, to keep all my blogs and sites secure and up to date with security patches.

1- get & install wp-cli (how/where)
2- write a script to use wp-cli to update WordPress [see attached code]

Read More

auto login to backtrack and startx in 2017

Wait, did I say BackTrack? Yes, BackTrack is still a cool (outdated) distro for hacking!
If for some odd reason you still need to use BackTrack in 2017 (hello? have you heard of Kali?), I won’t judge you.
Maybe you’re doing your OSCE and need an image that is still used in the course / labs.

This post is meant to save you some time if you haven’t used BackTrack for a while and need to get some things done with it.

1. We want to change the root password

Read More

add HSTS to Apache

We mentioned before how we switched to SSL in 2017.

I want to add here how to set HSTS to prevent a well-known SSL attack called SSL-Strip.

  • What is SSL Strip?

You can watch the full talk to understand in detail how this works here.
Basically the attacker is somehow (we don’t care how) a MITM sitting between the victim and the authentic server.
The attacker in this position can perform a downgrade attack on SSL and turn all HTTPS connections into plain-text HTTP connections.
Now the attacker can simply sniff all data being communicated between the victim and the server.
The attacker is also free to change the data and execute other attacks, such as injecting malware into the traffic.

  • What is HSTS

HSTS or HTTP Strict Transport Security allows web servers to declare that web b...

Read More

Open .SDF file without SQL Server Management

As part of the post-exploitation phase of a security auditing or testing engagement, you will want to gather as much info as you can about the victim to be able to target the next victim in the chain.

Having said that, sometimes you stumble upon strange files, encrypted data, and network traffic that you don’t know what to do with. One of these was an .sdf file related to hMailServer. The latter is an open-source mail server; you can read more about it here.

When gaining access to this server you will want to read this file:

A sample output would look something like this:

Read More

Attacking Attackers to Protect a WordPress Website

I have previously demonstrated how to protect the wp-admin and wp-login files on a WordPress website.
I wanted to do more. Something like: attacking those attackers.

What Crashes Browsers?
What crashes applications is what hackers call a buffer overflow exploit. Hackers use them to take control of applications/browsers and gain full system access later on. More about buffer overflows here.
We are not interested in taking control of the attacker’s system, although that would be very ‘cool’ – maybe the next stage? 😉
We are more interested in stopping them, i.e. crashing their browsers, fuzzers and brute-force tools.

Results.
Amazingly, I was able to reduce attacks from ~4000 to only around 70!

What is happening behind the scenes?

Read More

Redirecting domains / requests to external domain without changing URL

If you want to mask requests to an external domain behind your own domain, you can add these two lines to your Apache conf file (inside the virtual host).
Use the [P] flag to create a proxy tunnel from your main domain to the external domain.

RewriteEngine On
RewriteRule ^(.*) http://domainOrIP/$1 [P]

[P] is for Proxy – hence your proxy modules (mod_proxy and mod_proxy_http) have to be enabled. Leave ProxyRequests off (the default): [P] only needs reverse proxying, and turning forward proxying on would make the server an open proxy.
ln -s ../mods-available/proxy* /etc/apache2/mods-enabled/

Also enable slotmem
ln -s ../mods-available/slotmem_* /etc/apache2/mods-enabled/

Restart apache
service apache2 restart

Et Voila!

Read More