-
Hacking WebSphere
Background
Notes on how I approach HCL (IBM) WebSphere servers.
Details
Hunting for WebSphere servers. WebSphere Portal and WebSphere Content Manager (WCM), originally IBM products and sold by HCL since 2019 as part of HCL Digital Experience (WebSphere Application Server itself stayed with IBM), make up a Byzantine beast of a content management platform. That works in our favor, because the platform exposes some unique URL paths that one can look for to locate installations. Both the Portal and WCM tend to serve content under paths that begin with /wps/. The Portal tends to be (but isn't always) found under /wps/portal/, whereas WCM is usually found under /wps/wcm/. …
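The path check described above, as an added example (not the original post's tooling): it probes a base URL for the two /wps/ paths the post names and reports which product appears to be present. The two extra paths (/wps/myportal/ and /wps/wcm/connect/) are long-standing Portal and WCM defaults that I am assuming are still in use; HTTP is done through an injectable `fetch` so the logic can be exercised offline.

```python
"""Probe hosts for the /wps/ paths that WebSphere Portal and WCM expose.

Added example, not the original post's code. /wps/portal/ and /wps/wcm/
are the paths quoted in the post; /wps/myportal/ and /wps/wcm/connect/
are assumed defaults (authenticated Portal entry point and WCM's content
servlet). A 3xx, 401 or 403 on one of these paths is still a positive
signal: it proves the path is routed by the product.
"""
import ssl
import urllib.error
import urllib.request

FINGERPRINTS = {
    "/wps/portal/": "WebSphere Portal",
    "/wps/wcm/": "WebSphere Content Manager",
    "/wps/myportal/": "WebSphere Portal (authenticated)",          # assumed default
    "/wps/wcm/connect/": "WebSphere Content Manager (connect servlet)",  # assumed default
}


def http_status(url: str, timeout: float = 5.0) -> int:
    """Return the HTTP status for a GET without following redirects.

    Portals commonly answer /wps/portal/ with a 302 to a default page, so
    the redirect itself is the evidence we want to keep.
    """
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None

    # Hosts found this way often have bad certificates; do not fail on them.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as e:
        return e.code          # 3xx/4xx/5xx arrive here because redirects are disabled
    except (urllib.error.URLError, OSError):
        return 0               # connection-level failure


def probe(base_url: str, fetch=http_status) -> dict:
    """Return {path: product} for every fingerprint path that answers 2xx/3xx/401/403."""
    found = {}
    for path, product in FINGERPRINTS.items():
        code = fetch(base_url.rstrip("/") + path)
        if 200 <= code < 400 or code in (401, 403):
            found[path] = product
    return found


def summarize(found: dict) -> str:
    """Collapse the per-path hits into a one-line verdict."""
    if not found:
        return "no WebSphere paths found"
    products = sorted({p.split(" (")[0] for p in found.values()})
    return "likely " + " + ".join(products)


if __name__ == "__main__":
    import sys
    for base in sys.argv[1:]:
        hits = probe(base)
        print(base, "->", summarize(hits), sorted(hits))
```

Run it as `python probe.py https://host.example` for each candidate host; a 404 on every path means the host is not routing /wps/ at all, while 401/403 responses are still worth a closer look because they show the product is there behind an access control.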
-
How To: Rotate Your IP Address
Background
Often one needs to send each request to a target from a different source IP address. This is quite useful for getting around rate-limiting controls that key on the client IP.
Details
The easiest way to do this is fireprox, a tool that creates pass-through proxies with the AWS API Gateway service, which is available in the AWS free tier; each request leaves API Gateway from one of Amazon's egress addresses, so the target sees a changing source IP. Getting started is simple:
1. Download fireprox from the above link.
2. Create an AWS account.
3. Generate access keys under "My Security Credentials" in your AWS account (a menu option in the dropdown under your account name once you are logged in).
4. Run fireprox with those keys, specifying the target URL whose requests you want to source from rotating IPs.
Here's an example:…
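Once the proxy exists, the remaining question is how to send traffic through it from a script. The following is an added example, not fireprox's own code: it maps a target URL onto the proxy endpoint and sends a batch of requests. It assumes a proxy has already been created for the target origin and that ENDPOINT is the URL fireprox printed (the API id is hypothetical); the use of the X-My-X-Forwarded-For request header, which fireprox's API Gateway template maps onto X-Forwarded-For at the target, is an assumption about that template.

```python
"""Drive requests through a fireprox endpoint from Python.

Added example, not fireprox's own code. Assumes `create --url
https://target.example` has already been run; ENDPOINT is the proxy URL
fireprox printed (hypothetical API id). Setting X-My-X-Forwarded-For is
an assumption about fireprox's request template.
"""
import ipaddress
import random
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ENDPOINT = "https://abcd123456.execute-api.us-east-1.amazonaws.com/fireprox/"  # hypothetical


def proxied_url(endpoint: str, target_url: str) -> str:
    """Map a target URL onto the fireprox endpoint.

    The proxy is bound to one origin when it is created, so only the
    target's path and query string are carried over.
    """
    parts = urlsplit(target_url)
    url = endpoint.rstrip("/") + "/" + parts.path.lstrip("/")
    if parts.query:
        url += "?" + parts.query
    return url


def random_global_ip(rng=random) -> str:
    """Random IPv4 that is routable on the public Internet (no RFC1918,
    loopback, multicast ...) to use as the spoofed X-Forwarded-For value."""
    while True:
        candidate = ipaddress.IPv4Address(rng.getrandbits(32))
        if candidate.is_global:
            return str(candidate)


def fetch_rotated(target_url: str, count: int, endpoint: str = ENDPOINT,
                  opener=urllib.request.urlopen) -> list:
    """Send `count` GETs through the proxy, each with a fresh spoofed
    X-Forwarded-For. Returns a list of (spoofed_ip, status_code)."""
    results = []
    url = proxied_url(endpoint, target_url)
    for _ in range(count):
        xff = random_global_ip()
        req = urllib.request.Request(url, headers={
            "X-My-X-Forwarded-For": xff,   # assumption: fireprox maps this to X-Forwarded-For
            "User-Agent": "Mozilla/5.0",
        })
        try:
            with opener(req, timeout=10) as resp:
                results.append((xff, resp.getcode()))
        except urllib.error.HTTPError as e:
            results.append((xff, e.code))   # keep 4xx/5xx: a 429 tells you the limiter is not IP-keyed
    return results


if __name__ == "__main__":
    for ip, code in fetch_rotated("https://target.example/login", 5):
        print(ip, code)
```

If the target keeps returning 429 even though every request arrives from a different API Gateway address, its rate limiting is keyed on something other than the source IP (a cookie, a token, or the User-Agent), and rotating IPs will not help.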
-
How To: Hunting For Data Leaks In Google Firebase
Background
In mid-2018, Appthority released a report on data exposed by misconfigured Google Firebase databases (firebaseio.com), a backend used by thousands of mobile apps. The problem is not a bug in Firebase itself but database security rules that allow unauthenticated reads.
Details
Potentially sensitive data is available by requesting URLs of the form https://<APPNAME>.firebaseio.com/.json. A database whose rules permit public reads returns its entire contents; a properly configured one returns an error (typically HTTP 401 with "Permission denied"). If your organization develops or deploys mobile apps, you should check whether they use Firebase, and if so, whether any data is exposed.…
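The check described above, as an added example (not from the Appthority report or the original post): it requests the database root with Firebase's documented ?shallow=true parameter, so an open database returns only its top-level keys rather than every record, and classifies the answer. HTTP is done through an injectable `fetch` returning (status, body); the app names used in the usage example are placeholders.

```python
"""Check whether a Firebase Realtime Database allows unauthenticated reads.

Added example, not the original post's code. ?shallow=true makes Firebase
return {"key": true, ...} for the root instead of the full tree, which
keeps the probe cheap and avoids pulling data you do not need.
"""
import json
import urllib.error
import urllib.request


def db_url(app_name: str, shallow: bool = True) -> str:
    return f"https://{app_name}.firebaseio.com/.json" + ("?shallow=true" if shallow else "")


def http_fetch(url: str, timeout: float = 10.0):
    """Return (status, body_text); HTTP error responses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def classify(status: int, body: str) -> dict:
    """Interpret a Firebase REST response.

    - 401 (body {"error": "Permission denied"}): rules block anonymous reads
    - 200 with null: reachable but empty (or the path does not exist)
    - 200 with data: exposed; for a shallow query the keys are the top-level collections
    """
    try:
        data = json.loads(body) if body else None
    except json.JSONDecodeError:
        data = None
    if status == 401:
        return {"state": "protected", "keys": []}
    if status == 200:
        if data is None:
            return {"state": "empty", "keys": []}
        if isinstance(data, dict) and set(data) == {"error"}:
            return {"state": "protected", "keys": []}
        return {"state": "exposed", "keys": sorted(data) if isinstance(data, dict) else []}
    return {"state": f"unknown (HTTP {status})", "keys": []}


def check(app_name: str, fetch=http_fetch) -> dict:
    status, body = fetch(db_url(app_name))
    result = classify(status, body)
    result["app"] = app_name
    return result


if __name__ == "__main__":
    import sys
    for app in sys.argv[1:]:   # placeholder app names, e.g. python fb.py shop bank
        r = check(app)
        extra = f" top-level keys: {', '.join(r['keys'])}" if r["keys"] else ""
        print(f"{r['app']}: {r['state']}{extra}")
```

A result of "exposed" with keys such as users or messages is the finding; do not pull the full tree from a database you do not own, the key list is enough to report it.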
-
How To: Asset Discovery Using DNS And SSL
Background
There are times, more often than we'd like to admit, when we need to do asset discovery on our own organization (or, for you red teamers, on other people's!). This is actually simpler than you'd think, as long as you know the domains associated with the organization.
Process
First, create a text file containing the domains you're interested in, one per line. Next, use OpenSSL to get the list of Subject Alternative Names (SANs) from the certificate each domain presents:…
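The procedure above, carried through as an added example (not the original post's script): it reads the domain list, shells out to the openssl binary the post uses to pull each certificate, parses the DNS entries out of the SAN extension, and then feeds any in-scope names it learns back into the loop, recording which concrete names still resolve in DNS. parse_sans() works on the text form of a certificate (openssl x509 -noout -text); the certificate fragment and domain names below are constructed placeholders.

```python
"""Harvest Subject Alternative Names from TLS certificates and expand them
into a list of candidate hosts.

Added example, not the original post's script. Requires the openssl binary
for the network path; parse_sans(), in_scope() and discover() can be run
offline with the constructed sample below.
"""
import socket
import subprocess

# Constructed fragment of `openssl x509 -noout -text` output.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:www.example.com, DNS:example.com, DNS:*.api.example.com, DNS:legacy.example.net, IP Address:203.0.113.10
            X509v3 Basic Constraints: 
                CA:FALSE
"""


def fetch_cert_text(host: str, port: int = 443, timeout: int = 5) -> str:
    """Run openssl s_client with SNI and decode the leaf certificate to text."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout)   # empty stdin so s_client exits
    x509 = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=s_client.stdout, capture_output=True, timeout=timeout)
    return x509.stdout.decode("utf-8", "replace")


def parse_sans(text: str) -> list:
    """Return the DNS SAN entries from openssl's -text output, deduped, in order."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            entries = [e.strip() for e in lines[i + 1].split(",")]
            names = [e[len("DNS:"):].lower() for e in entries if e.startswith("DNS:")]
            return list(dict.fromkeys(names))
    return []


def in_scope(name: str, roots) -> bool:
    """True if `name` is one of the root domains or a subdomain of one."""
    bare = name[2:] if name.startswith("*.") else name
    return any(bare == r or bare.endswith("." + r) for r in roots)


def discover(roots, fetch=fetch_cert_text, resolve=socket.gethostbyname) -> dict:
    """Breadth-first walk: pull SANs from every in-scope name we learn about.

    Returns {name: ip_or_None}. Wildcards are kept as names (they tell you a
    subdomain space exists) but never resolved or fetched; names that fail
    DNS are recorded as None (stale SAN entries are common).
    """
    queue, seen, found = list(roots), set(), {}
    while queue:
        name = queue.pop(0)
        if name in seen:
            continue
        seen.add(name)
        if name.startswith("*."):
            found[name] = None
            continue
        try:
            found[name] = resolve(name)
        except OSError:
            found[name] = None
            continue
        try:
            sans = parse_sans(fetch(name))
        except (OSError, subprocess.SubprocessError):
            sans = []
        queue.extend(s for s in sans if in_scope(s, roots) and s not in seen)
    return found


if __name__ == "__main__":
    import sys
    roots = [l.strip().lower() for l in open(sys.argv[1]) if l.strip()]
    for host, ip in sorted(discover(roots).items()):
        print(f"{host}\t{ip or '-'}")
```

Out-of-scope SANs (legacy.example.net in the sample) are dropped rather than followed, because a shared certificate on a CDN or hosting provider will otherwise drag unrelated customers into your inventory; review them by hand before adding their domains to the roots file.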
-
Solving The WHOIS GDPR Problem
Identifiers, not identities
Recently, ICANN received a letter explaining that the WHOIS database, which holds registration information for every domain name on the Internet, will be in violation of the European General Data Protection Regulation (GDPR) when that law takes effect on May 25, 2018. ICANN has responded, stating in essence that it has no solution to put in place before that date and needs an exemption, at least temporarily.…
-
How To: Check For Symantec Certificates From the Command Line
Background
Starting with Chrome 66 and Firefox 60, Symantec SSL certificates issued before June 1, 2016 are distrusted. With Chrome 70 and Firefox 63, all certificates issued by Symantec's legacy infrastructure (everything issued before DigiCert took over issuance on December 1, 2017, including the Thawte, GeoTrust and RapidSSL brands) are distrusted. This creates a need to quickly scan for those certs.
Use OpenSSL to check
This is a fairly simple task with OpenSSL:
$ timeout 5 openssl s_client -showcerts -servername my.domain.name -connect my.domain.name:443 </dev/null 2>/dev/null | openssl x509 -noout -issuer -startdate
This prints the issuer and the start date (notBefore) of the site's certificate. The start date tells you which distrust milestone applies, and the issuer tells you whether the certificate is Symantec-branded at all; -servername is needed so that a host serving several sites presents the right certificate, and the empty stdin lets s_client exit cleanly once the handshake completes.…
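To scan a whole host list rather than one domain at a time, the following added example (not from the original post) parses the issuer and notBefore lines that `openssl x509 -noout -issuer -startdate` prints, decides whether the certificate is Symantec-branded (Symantec, VeriSign, Thawte, GeoTrust, RapidSSL) and which browser milestone distrusts it, and shells out to openssl per host. The three sample outputs are constructed.

```python
"""Classify certificates against the Symantec distrust schedule.

Added example, not the original post's code. Dates are the two milestones
from the post: certificates issued before 2016-06-01 fell with Chrome 66 /
Firefox 60, and everything from the legacy infrastructure (issued before
2017-12-01) fell with Chrome 70 / Firefox 63.
"""
import subprocess
from datetime import datetime

SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "rapidssl")
CHROME66_FIREFOX60 = datetime(2016, 6, 1)
CHROME70_FIREFOX63 = datetime(2017, 12, 1)

# Constructed sample outputs of `openssl x509 -noout -issuer -startdate`.
SAMPLE_OLD = ("issuer=C = US, O = Symantec Corporation, OU = Symantec Trust Network, "
              "CN = Symantec Class 3 Secure Server CA - G4\nnotBefore=Mar  3 00:00:00 2016 GMT\n")
SAMPLE_MID = "issuer=C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA\nnotBefore=Sep 12 00:00:00 2017 GMT\n"
SAMPLE_OTHER = "issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3\nnotBefore=Apr 20 10:11:12 2018 GMT\n"


def parse_openssl(output: str) -> dict:
    """Turn 'issuer=...' / 'notBefore=...' lines into {'issuer': str, 'not_before': datetime}."""
    info = {}
    for line in output.splitlines():
        if line.startswith("issuer="):
            info["issuer"] = line[len("issuer="):].strip()
        elif line.startswith("notBefore="):
            # e.g. 'Jun  1 00:00:00 2016 GMT': drop the zone and normalise the double space
            fields = line[len("notBefore="):].split()[:4]
            info["not_before"] = datetime.strptime(" ".join(fields), "%b %d %H:%M:%S %Y")
    return info


def classify(issuer: str, not_before: datetime) -> str:
    if not any(brand in issuer.lower() for brand in SYMANTEC_BRANDS):
        return "not a Symantec-branded certificate"
    if not_before < CHROME66_FIREFOX60:
        return "distrusted since Chrome 66 / Firefox 60"
    if not_before < CHROME70_FIREFOX63:
        return "distrusted since Chrome 70 / Firefox 63"
    return "issued after the December 1, 2017 cut-off (DigiCert-era issuance); not affected"


def check_host(host: str, port: int = 443, timeout: int = 5) -> str:
    """Fetch the leaf certificate with SNI and classify it."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-issuer", "-startdate"],
                          input=s_client.stdout, capture_output=True, timeout=timeout)
    info = parse_openssl(x509.stdout.decode("utf-8", "replace"))
    if "issuer" not in info or "not_before" not in info:
        return "no certificate retrieved"
    return classify(info["issuer"], info["not_before"])


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(f"{host}: {check_host(host)}")
```

Brand matching on the issuer string is deliberately loose: the distrust applied to the roots, so any intermediate carrying one of those names in its O or CN is suspect, and a false positive costs only a manual look at the chain.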
-
DIY Threat Intel: Monitoring Phishing Domains and Typosquatting
Being able to receive an alert when a newly registered domain closely matches a domain you own is a valuable source of threat intelligence. So valuable, in fact, that several commercial services include such notifications in their product offering. However, you don't need to pay for this: you can build the functionality yourself, rather easily and for free!
What You'll Need
For this how-to, you'll need access to some source of newly-registered domain information.…
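The matching step is the part worth spelling out, so here is an added example (not the original post's tooling) that makes "closely matches" concrete: it generates typosquat candidates for the domains you monitor (omission, repetition, transposition, hyphenation, homoglyphs, TLD swaps) and checks a newly-registered-domain feed against them, with a Levenshtein distance of one as a catch-all for misspellings the generator did not anticipate. The feed format assumed is one domain per line; the feed and the monitored domains below are constructed placeholders.

```python
"""Generate typosquat candidates for domains you own and match them against
a newly-registered-domain (NRD) feed.

Added example, not the original post's code. Feed format assumed: one
domain per line, '#' comments allowed.
"""

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
MULTI = [("m", "rn"), ("w", "vv"), ("d", "cl")]        # two-character look-alikes
TLDS = ["com", "net", "org", "co", "io", "info"]


def split_domain(domain: str):
    label, _, tld = domain.lower().partition(".")
    return label, tld


def candidates(domain: str) -> dict:
    """Return {candidate_domain: technique} for common typosquat patterns."""
    label, tld = split_domain(domain)
    out = {}

    def add(new_label, technique, new_tld=tld):
        cand = f"{new_label}.{new_tld}"
        if cand != domain.lower():
            out.setdefault(cand, technique)   # first technique to produce a name wins

    for i in range(len(label)):
        add(label[:i] + label[i + 1:], "omission")
        add(label[:i] + label[i] + label[i:], "repetition")
        if i + 1 < len(label):
            add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
            add(label[:i + 1] + "-" + label[i + 1:], "hyphenation")
        if label[i] in HOMOGLYPHS:
            add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:], "homoglyph")
    for src, dst in MULTI:
        if src in label:
            add(label.replace(src, dst, 1), "homoglyph")
    for t in TLDS:
        add(label, "tld-swap", t)
    add(label + tld, "dot-omission", "com")             # e.g. examplecom.com
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used as a catch-all for unusual misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_feed(feed_lines, monitored, max_distance=1) -> list:
    """Return (new_domain, monitored_domain, technique) for each feed entry that
    is a generated candidate or whose label is within `max_distance` edits."""
    tables = {m.lower(): candidates(m) for m in monitored}
    hits = []
    for raw in feed_lines:
        d = raw.strip().lower()
        if not d or d.startswith("#"):
            continue
        for m, table in tables.items():
            if d in table:
                hits.append((d, m, table[d]))
            elif edit_distance(split_domain(d)[0], split_domain(m)[0]) <= max_distance:
                hits.append((d, m, "edit-distance"))
    return hits


# Constructed NRD feed for the usage example.
SAMPLE_FEED = """\
# newly registered, 2018-05-01
exmaple.com
examp1e.com
rnycompany.net
totally-unrelated.org
example.co
exampl.net
"""

if __name__ == "__main__":
    for hit in match_feed(SAMPLE_FEED.splitlines(), ["example.com", "mycompany.net"]):
        print("ALERT: %s looks like %s (%s)" % hit)
```

Wire the feed download into a daily cron job and mail the ALERT lines; tune max_distance upward only for long labels, because distance one already catches most of what a phisher registers against a short brand.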
-
How To: Scanning For SSL Certificates From the Command Line
Background
Recently, there was a Remote Code Execution (RCE) vulnerability discovered in Palo Alto firewalls. I found out about this through a post on the Full Disclosure mailing list by the researcher who discovered it. Even more recently, another post was made, with a script to test for the vulnerability. In that post, the author states they used a Shodan search to locate Palo Alto firewalls. While they don't specify what search they used, I suspect it is something similar to:…
-
How To: Enriching IPs With Python
I need a certain amount of enrichment on IP addresses multiple times per day. While certain tools and controls have built-in enrichment, I often find myself sitting at a shell prompt needing the same or similar info quickly. So, I decided to write something that will take an IPv4 address as an argument and return the data I need in an easily parsable format. The code is available here.
Usage
The code takes an IPv4 address as input, and outputs the following:…
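The author's script is linked rather than reproduced on this page, so the following is an added example of the same idea and not their code: an IPv4 enrichment function usable from a shell prompt that emits JSON. It combines purely local facts (address class, the PTR and DNSBL query names derived from the reversed octets) with lookups done through injectable resolvers, so the logic runs offline. The DNSBL zone is a placeholder; substitute one you are permitted to query.

```python
"""Enrich an IPv4 address from the shell and emit JSON.

Added example, not the author's script. Local classification uses the
ipaddress module; PTR and DNSBL lookups are only attempted for public
addresses and go through injectable resolver functions.
"""
import ipaddress
import json
import socket

DNSBL_ZONE = "dnsbl.example"   # placeholder zone, replace with a real list


def classify(ip: str) -> str:
    """Coarse address class; order matters because the ipaddress flags overlap."""
    a = ipaddress.IPv4Address(ip)
    if a.is_loopback:
        return "loopback"
    if a.is_link_local:
        return "link-local"
    if a.is_multicast:
        return "multicast"
    if a.is_reserved:
        return "reserved"
    if a.is_private:
        return "private"
    if not a.is_global:
        return "non-global (shared address space)"
    return "public"


def reversed_octets(ip: str) -> str:
    return ".".join(reversed(ip.split(".")))


def ptr_name(ip: str) -> str:
    """The in-addr.arpa name a resolver queries for a reverse lookup."""
    return reversed_octets(ip) + ".in-addr.arpa"


def dnsbl_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """DNSBL convention: reversed octets prepended to the list's zone."""
    return f"{reversed_octets(ip)}.{zone}"


def _ptr_lookup(ip: str):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def _dnsbl_lookup(name: str):
    try:
        return socket.gethostbyname(name)   # an A record (usually 127.0.0.x) means listed
    except OSError:
        return None


def enrich(ip: str, ptr_lookup=_ptr_lookup, dnsbl_lookup=_dnsbl_lookup) -> dict:
    ipaddress.IPv4Address(ip)              # raises ValueError on malformed input
    kind = classify(ip)
    rec = {"ip": ip, "class": kind, "ptr": None,
           "dnsbl": {"query": dnsbl_name(ip), "listed": None, "answer": None}}
    if kind == "public":                   # lookups on private/reserved space are noise
        rec["ptr"] = ptr_lookup(ip)
        answer = dnsbl_lookup(dnsbl_name(ip))
        rec["dnsbl"]["listed"] = answer is not None
        rec["dnsbl"]["answer"] = answer
    return rec


if __name__ == "__main__":
    import sys
    print(json.dumps(enrich(sys.argv[1]), indent=2))
```

Keeping the network calls behind small wrappers is what makes the script pipe-friendly and testable: `python enrich.py 198.51.100.7 | jq .class` works the same whether or not the resolver is reachable.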
-
How To: Mitigating Web Session Replay Information Leakage
Background
There has been a lot of talk in the news lately about security issues surrounding web-based session replay. The issue is a simple one: many popular websites now run scripts that record every keystroke and every mouse movement, allowing the site to replay your entire visit as though someone were looking over your shoulder. Moreover, that data is collected and retained by third-party analytics providers, not by the websites themselves.…