-
Hacking Websphere
Background
Notes on how I approach HCL (IBM) WebSphere servers.
Details
Hunting for WebSphere servers
IBM WebSphere (now owned by HCL) is a Byzantine beast of a content management system. However, this works in our favor, because there are some unique paths that one can look for to locate WebSphere servers. The WebSphere Portal and WebSphere Content Manager (WCM) both tend to have URL paths that begin with /wps/. The Portal tends to be (but isn't always) pathed as /wps/portal/, whereas WCM is usually pathed as /wps/wcm/. …
-
How To: Hunting For Data Leaks In Google FireBase
Background
In mid-2018, Appthority released a report detailing a vulnerability in Google's firebase.io, a database backend used by thousands of mobile apps.
Details
Potentially sensitive data is available via accessing URLs of the form https://<APPNAME>.firebaseio.com/.json. By so doing, you can gain access to all unprotected data in that particular database. If your organization develops and/or deploys mobile apps, you should check to see whether they are using FireBase, and if so, whether any data is being exposed. …
-
How To: Asset Discovery Using DNS And SSL
Background
There are times, more often than we'd like to admit, that we need to do asset discovery on our own organization (or, for you red teamers, other people's!). This is actually simpler than you'd think, as long as you know the domains associated with the organization.
Process
First, create a text file containing the domains you're interested in, one per line. Next, use OpenSSL to get a list of Subject Alternative Names (SANs) from any certificates present on the domains: …
-
How To: Check For Symantec Certificates From the Command Line
Background
Starting with Chrome 66 and Firefox 60, Symantec SSL certificates issued before June 1, 2016 will be distrusted. With Chrome 70 and Firefox 63, all Symantec SSL certs issued before December 1, 2017 will be distrusted. This creates a need to quickly scan for those certs.
Use OpenSSL to check
This is a fairly simple task with OpenSSL:
$ timeout 1 openssl s_client -showcerts -connect my.domain.name:443 | openssl x509 -noout -startdate
This will tell you the start date for a site's certificate. …
-
How To: Using Tor From The Command Line
If you're going to be doing work in the "dark web", it'll be useful to understand how to quickly and easily run commands via Tor. First, assuming you're using Linux, install Tor:
sudo apt install tor
Next, edit /etc/tor/torrc:
sudo vi /etc/tor/torrc
Find the line containing the following:
#ControlPort 9051
…and uncomment it. Next, find the following line:
#CookieAuthentication 1
Uncomment it, and change 1 to 0. Finally, restart the tor service: …
-
Analyst Tip: Testing Firewall Egress
A quick tip for testing available TCP egress, using nc, bash, and allports.exposed:
for i in {1..1023}; do nc -vz -w 1 allports.exposed $i; done
This will use nc with the -v, -z, and -w switches to attempt to connect to allports.exposed on TCP ports 1 through 1023. -v requests verbose output, -z puts nc in scanning mode, and -w 1 tells nc to time out after one second. You may need to adjust the value supplied with -w according to the anticipated latency of the network you're on. …
-
Hunting For Insecure Amazon S3 Buckets
Breaches caused by insecurely-configured Amazon S3 buckets are not new. Researchers have been sounding the alarm since 2013. However, S3-related breaches continue to make the news. Last Friday (20170901), researchers announced the discovery of records for four million Time Warner Cable customers due to an improperly secured Amazon S3 bucket. Amazon has been proactive in raising awareness of this issue. However, the problem persists, and is widespread. Let's be clear: The problem here isn't just one of potential exposure of PII. …
-
Walking through a basic buffer overflow
I'm learning about buffer overflows in preparation for the PWK course and OSCP exam. I haven't touched assembly language in more than 20 years, and the protections present in modern OSes just didn't exist back when I first learned all this (let alone the fact that I was working on 680x0 and 650x assembly at the time). After trying desperately to make the mental leap from the 1990s to modern operating systems and following along in Aleph One's Smashing The Stack For Fun And Profit, I decided to use the material from Chapter 16 of Georgia Weidman's excellent Penetration Testing: A Hands-On Introduction to Hacking, and write this to ensure I understand exactly what I'm doing and what's going on in that chapter. …