diff --git a/src/_components/footer.vto b/src/_components/footer.vto index c1011eb..e343574 100644 --- a/src/_components/footer.vto +++ b/src/_components/footer.vto @@ -21,14 +21,6 @@

OTHER TOOLS

- - {{ site.malware_notes.name }} - - {{ site.malware_notes.name }} -

OTHER TOOLS

- - {{ site.malware_notes.name }} - :8000/scp -o socat
+## SSH Login + +We might be able to login SSH on the target host if we know the credentials. + +```bash +ssh user@127.0.0.1 +``` + +
+ ## Mounting Check disks or mounted folders and we might be able to see the directories of the host system. diff --git a/src/exploit/cryptography/algorithm/aes-cbc-padding-oracle-attack.md b/src/exploit/cryptography/algorithm/aes-cbc-padding-oracle-attack.md index 273a9be..b1d97c4 100644 --- a/src/exploit/cryptography/algorithm/aes-cbc-padding-oracle-attack.md +++ b/src/exploit/cryptography/algorithm/aes-cbc-padding-oracle-attack.md @@ -4,19 +4,15 @@ description: tags: - Cryptography refs: -date: 2022-12-10 +date: 2024-07-28 draft: false --- -## PadBuster +## Automation -**[PadBuster](https://github.com/AonCyberLabs/PadBuster)** is automated script for performing Padding Oracle attacks. It’s useful to decrypt AES. +### PadBuster -```sh -padbuster [options] -``` - -Belows are some examples. +[PadBuster](https://github.com/AonCyberLabs/PadBuster) is an automated script for performing Padding Oracle attacks. It’s useful to decrypt AES. ```sh # Encrypted Sample -> 2hN2bBPw== 
@@ -24,9 +20,30 @@ Belows are some examples. # -encoding: 0->Base64, 1->Lower Hex, 2->Upper Hex, 3->NET UrlToken, 4->WebSafe Base64 padbuster https://vulnerable.com/?data=2hN2bBPw== 2hN2bBPw== 16 -encoding 0 +# -bruteforce: Brute force against the first block +padbuster https://vulnerable.com/?data=2hN2bBPw== 2hN2bBPw== 16 -encoding 0 -bruteforce + # -cookies: specify cookie value padbuster https://vulnerable.com/ 2hN2bBPw== 8 -encoding 0 -cookies "secret=2hN2bBPw==" # -plaintext: specify plain text padbuster https://vulnerable.com/ 2hN2bBPw== 8 -encoding 0 -cookies "secret=2hN2bBPw==" -plaintext "user=admin" ``` + +### Padre + +[Padre](https://github.com/glebarez/padre) is an advanced exploiter for Padding Oracle attacks against CBC mode encryption. + +```sh +# Cookie +padre -u 'https://example.com/profile.php' -cookie 'SESS=$' 'ABCD==' + +# Path +padre -u 'https://example.com/profile/$' 'ABCD==' + +# -e: Specify encode type ('b64' or 'lhex') +padre -u 'https://example.com/profile/$' -e lhex '1234abcd...' + +# -err: Error response contents pattern (regex) +padre -u 'https://example.com/profile/$' -err 'Error' 'ABCD==' +``` \ No newline at end of file diff --git a/src/exploit/memory/memory-forensics.md b/src/exploit/memory/memory-forensics.md index a5a1240..e7186f1 100644 --- a/src/exploit/memory/memory-forensics.md +++ b/src/exploit/memory/memory-forensics.md @@ -4,7 +4,7 @@ description: Memory Forensics is the analysis of the volatile memory, mainly Ran tags: - Forensics refs: -date: 2024-05-29 +date: 2024-07-28 draft: false --- @@ -22,6 +22,8 @@ vol -h However, it’s recommended to download it from the GitHub repository if you want the latest stable version. +
+ ## Target: Common ```bash @@ -29,6 +31,8 @@ However, it’s recommended to download it from the GitHub repository if you wan val -f example.vmem banner ``` +
+ ## Target: Linux ```bash 
@@ -43,52 +47,55 @@ vol -f example.vmem linux.malfind.Malfind ```sh # Determine the operating system -python3 vol.py -f example.vmem windows.info +vol -f example.vmem windows.info # Dump password hashes -python3 vol.py -f example.vmem windows.hashdump +vol -f example.vmem windows.hashdump # Print command line history -python3 vol.py -f example.vmem windows.cmdline.CmdLine +vol -f example.vmem windows.cmdline.CmdLine # List all of the processes -python3 vol.py -f example.vmem windows.pslist +vol -f example.vmem windows.pslist # Scan processes. -python3 vol.py -f example.vmem windows.psscan.PsScan +vol -f example.vmem windows.psscan.PsScan # List processes in a tree based on their parent process ID. -python3 vol.py -f example.vmem windows.pstree.PsTree +vol -f example.vmem windows.pstree.PsTree # Lists hidden processes -python vol.py -f example.vmem windows.ldrmodules +vol -f example.vmem windows.ldrmodules # Scans for network objects present in a particular windows memory image. -python3 vol.py -f example.vmem windows.netscan.NetScan +vol -f example.vmem windows.netscan.NetScan + +# Scan for file objects present in a Windows memory image. +vol -f example.vmem windows.filescan.FileScan +vol -f example.vmem windows.filescan.FileScan | grep -# Scan for file objects present in a windows memory image. -python3 vol.py -f example.vmem windows.filescan.FileScan -python3 vol.py -f example.vmem windows.filescan.FileScan | grep +# Scan for MFT file objects present in a Windows memory image. +vol -f example.vmem windows.mftscan.MFTScan # Lists process memory ranges that potentially contain injected code. -python3 vol.py -f example.vmem windows.malfind.Malfind +vol -f example.vmem windows.malfind.Malfind # Dumps -python3 vol.py -f example.vmem -o dumps windows.malfind.Malfind --dump +vol -f example.vmem -o dumps windows.malfind.Malfind --dump # Lists the loaded modules in a particular windows memory image. 
-python3 vol.py -f example.vmem windows.dlllist.DllList +vol -f example.vmem windows.dlllist.DllList # Specifies PID -python3 vol.py -f example.vmem windows.dlllist.DllList --pid +vol -f example.vmem windows.dlllist.DllList --pid # Dumps -python3 vol.py -f example.vmem -o dumps windows.dlllist.DllList --dump +vol -f example.vmem -o dumps windows.dlllist.DllList --dump # Dump files mkdir dumps # --pid: PID of the targets is found by pslist -python3 vol.py -f example.vmem -o dumps windows.dumpfiles.DumpFiles --pid -python3 vol.py -f example.vmem -o dumps windows.dumpfiles.DumpFiles --physaddr +vol -f example.vmem -o dumps windows.dumpfiles.DumpFiles --pid +vol -f example.vmem -o dumps windows.dumpfiles.DumpFiles --physaddr ```
## Redline -[Redline](https://fireeye.market/apps/211364) is an endpoint security tool which provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile. \ No newline at end of file +[Redline](https://fireeye.market/apps/211364) is an endpoint security tool which provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile. diff --git a/src/exploit/reconnaissance/subdomain/subdomain-discovery.md b/src/exploit/reconnaissance/subdomain/subdomain-discovery.md index e3aa327..c7250c1 100644 --- a/src/exploit/reconnaissance/subdomain/subdomain-discovery.md +++ b/src/exploit/reconnaissance/subdomain/subdomain-discovery.md @@ -5,17 +5,24 @@ tags: - DNS - Reconnaissance refs: -date: 2024-07-17 +date: 2024-07-28 draft: false --- +## Online Tools + +- [Subdomain Finder](https://subdomainfinder.c99.nl/) +- [nmmapper](https://www.nmmapper.com/) + +
+ ## Automation -Reference: [https://medium.com/@DrakenKun/how-to-find-subdomain-takeover-using-httpx-dig-5c2351d380b4](https://medium.com/@DrakenKun/how-to-find-subdomain-takeover-using-httpx-dig-5c2351d380b4) +Reference: [How to find subdomain takeover using httpx + dig](https://medium.com/@DrakenKun/how-to-find-subdomain-takeover-using-httpx-dig-5c2351d380b4) ### Subfinder -To set API keys, add them to `$HOME/.config/subfinder/provider-config.yaml`. See [https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration](https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration) for details. +To set API keys, add them to `$HOME/.config/subfinder/provider-config.yaml`. See [the ProjectDiscovery's Documentation](https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration) for details. ```sh # -all: Use all sources for enumeration @@ -50,13 +57,7 @@ site:*.example.com -site:www.example.com
-## Online Tools - -- **[nmmapper](https://www.nmmapper.com/)** - -
- ## Subdomain Takeover -After enumerating, it’s worth to check the [Subdomain Takever](/exploit/reconnaissance/subdomain-takeover). +After enumerating, it’s worth to check the [Subdomain Takever](/exploit/reconnaissance/subdomain/subdomain-takeover/). diff --git a/src/exploit/reconnaissance/subdomain/subdomain-takeover.md b/src/exploit/reconnaissance/subdomain/subdomain-takeover.md index e5d63eb..f744309 100644 --- a/src/exploit/reconnaissance/subdomain/subdomain-takeover.md +++ b/src/exploit/reconnaissance/subdomain/subdomain-takeover.md @@ -12,7 +12,7 @@ draft: false ## Automation -First we need to enumerate subdomains. See [Subdomain Discovery](/exploit/reconnaissance/subdomain-discovery) for doing that. Then we can httpx for checking HTTP response status for each subdomain. +First we need to enumerate subdomains. See [Subdomain Discovery](/exploit/reconnaissance/subdomain/subdomain-discovery/) for doing that. Then we can httpx for checking HTTP response status for each subdomain. ### httpx
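Review bot: the footer.vto hunk drops every `{{ site.malware_notes.name }}` link from the OTHER TOOLS block but nothing in this patch touches the site data that defines `site.malware_notes`; if that key is no longer referenced anywhere after this change, remove it from the site configuration in the same commit so the template and data file don't drift apart.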
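Review bot: in the added "SSH Login" section the example `ssh user@127.0.0.1` does not match the sentence above it, which talks about the target host; from inside a container, 127.0.0.1 is the container's own loopback, not the host, unless host networking is in use, so either say which address is meant or use a placeholder such as `<host-ip>`. While editing, "login SSH on the target host" should read "log in to SSH on the target host".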
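Review bot: in the aes-cbc-padding-oracle-attack.md hunk at `@@ -4,19 +4,15 @@`, the sentence "It’s useful to decrypt AES" is kept but is imprecise: a padding oracle recovers plaintext from CBC-mode ciphertext without the key (the block cipher itself is not broken), and the `-plaintext` example further down shows it can also produce a valid ciphertext for chosen plaintext. Suggest "It decrypts CBC-mode ciphertext, and can encrypt chosen plaintext, without knowing the key." The `## Automation` / `### PadBuster` restructuring matches the heading scheme used on the subdomain pages, which is good.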
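Review bot: in the hunk at `@@ -24,9 +20,30 @@`, the new Padre examples use `$` in `-cookie 'SESS=$'` and `-u 'https://example.com/profile/$'` without saying what it is; add a comment that `$` marks where the ciphertext is substituted, as is done for `-e` and `-err`. The file also ends with `\ No newline at end of file` after the closing fence; the Redline hunk in this same patch fixes exactly that in memory-forensics.md, so add the trailing newline here too.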
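Review bot: the memory-forensics.md hunk at `@@ -29,6 +31,8 @@` adds a break right below the context line `val -f example.vmem banner`, which is a typo for `vol` (every other command in the file, including all the ones this patch rewrites, uses `vol`); fix it while touching this block.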
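Review bot: in the hunk at `@@ -43,52 +47,55 @@`, the comment `# Lists hidden processes` above `vol -f example.vmem windows.ldrmodules` is wrong: ldrmodules lists a process's loaded modules and flags DLLs missing from the loader lists (useful for finding injected or unlinked DLLs), whereas hidden processes are found by comparing `windows.psscan.PsScan` against `windows.pslist`, both already shown above it; reword the comment accordingly. Since every line in this block is being rewritten from `python3 vol.py` to `vol`, the same pass should also give the trailing `| grep`, `--pid` and `--physaddr` a placeholder argument (e.g. `<PID>`) so the commands are copy-pasteable rather than ending mid-option.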
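Review bot: in subdomain-discovery.md, the changed line "See [the ProjectDiscovery's Documentation](...)" has a doubled determiner; use "See the ProjectDiscovery documentation" or "See ProjectDiscovery's documentation". In the `@@ -50,13 +57,7 @@` hunk the rewritten link line still carries the typo "Subdomain Takever" and the ungrammatical "it’s worth to check"; since the line is already being edited, change it to "After enumerating, it’s worth checking for [Subdomain Takeover](/exploit/reconnaissance/subdomain/subdomain-takeover/)."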
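Review bot: in the subdomain-takeover.md hunk at `@@ -12,7 +12,7 @@`, the rewritten line keeps "Then we can httpx for checking HTTP response status", which is missing its verb; suggest "Then we can use httpx to check the HTTP response status of each subdomain."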