-
Hacking WebSphere
Background Notes on how I approach HCL (IBM) WebSphere servers. Details Hunting for WebSphere servers IBM WebSphere (now owned by HCL) is a Byzantine beast of a content management system. However, this works in our favor, because there are some unique paths that one can look for to locate WebSphere servers. The WebSphere Portal and WebSphere Content Manager (WCM) both tend to have URL paths that begin with /wps/. The Portal tends to be (but isn’t always) pathed as /wps/portal/, whereas WCM is usually pathed as /wps/wcm/.…more
-
How To: Rotate Your IP Address
Background Often, one needs to generate a new IP for every request sent to a target. This is quite useful for getting around rate-limiting controls that may be present. Details The easiest way to do this is by using fireprox, a tool which relies on the AWS API Gateway service that is accessible via the free tier of AWS. Getting started is simple: Download fireprox from the above link Create an AWS account Generate security keys by going to “My Security Credentials” in your AWS account (should be a menu option in the dropdown under your account name once you’re logged into AWS) Execute fireprox with your security keys, specifying the target you’d like to rotate the source IP with Here’s an example:…more
-
One Second Analysis Followup: Credentials Posted to Pastebin
As a followup to last week’s post regarding the number of stolen account credentials that show up on Pastebin daily, I’ve collected enough data to get a more accurate picture of the posting rate. As a reminder, here was the first day’s data: Start time: 20171113 2100UTC Credentials parsed to date: 792,488 Clean (unproblematic) credentials: 734,807 Unique clean credentials: 475,653 Credentials parsed to date: I’ve had a homebrew pastebin scraper analyzing new pastes, watching for email addresses, for a while now.…more
-
Amazon AWS Insecure S3 Buckets Redux
In a previous post, I discussed the problems with insecure Amazon AWS S3 buckets, and introduced a simple Python program to hunt for them. Since that time about two months ago, there have been numerous other breaches, including DoD’s CENTCOM and its social media spying program OUTPOST. So, I’ve updated the code in the GitHub repository above to do slightly more thorough scanning, including patterns matching the bucket names used in recent breaches.…more
-
One Second Analysis: Credentials Posted to Pastebin
Super-quick analysis of account credentials (username/password pairs, in various forms) posted to Pastebin over roughly a day: Start time: 20171113 2100UTC Credentials parsed to date: 792,488 Clean (unproblematic) credentials: 734,807 Unique clean credentials: 475,653 Credentials parsed to date: I’ve had a homebrew pastebin scraper analyzing new pastes, watching for email addresses, for a while now. This is where the number of credentials extracted stood as of Start time. Clean (unproblematic) credentials: I wrote a somewhat lazy parser that attempts to help me identify patterns in the extracted paste bodies so I can more effectively grab credentials pasted in a variety of formats.…more
-
Learning remote enumeration (Part 2)
In Part 1, I introduced some sound methodology for approaching remote enumeration, which I now realize needs a bit of revision. It’s not that it’s a bad approach, it’s just too aggressive and would potentially miss certain aspects of the target that may prove useful or time-saving. Act like a user, not a hacker The first thing I’ve learned is that it’s best to act like a user, not an attacker.…more
-
Quick tips for Linux screenshots from the shell
As part of your workflow, you may need to take multiple screenshots quickly. There are several methods to do this within Linux, but the easiest and most efficient I’ve found is called import. The manpage details all the options, but my most typical usage is simply: import foo.png (substituting the actual name I want to use for “foo”, of course) This will cause your cursor to change to crosshairs. You can then position the crosshairs and draw a bounding box around the area you want to capture by pressing and holding the left mouse button.…more
-
Learning remote enumeration (Part 1)
When many people hear the term “enumeration”, they think “port scanning.” But enumeration is so much more than that. There are two major categories of enumeration: Remote enumeration Local enumeration To properly perform remote enumeration on an unknown target, I prefer the following steps: Quickly determine what hosts are on the network Quickly port scan the discovered hosts for low-hanging fruit Perform a more thorough port scan of the discovered hosts Begin enumerating the hosts via the various available services Start looking for possible remote vulnerabilities 1.…more