[Experience] My new cellular number and possible security risks.

I recently moved to a new place and bought a new mobile connection from one of the cellular providers. Number got activated and then I created a new WhatsApp account. After I successfully opened my new WhatsApp, daily I started receiving many messages from the people I never ever met, complete strangers. They thought that the number belongs to a person, let’s say X. Initially I thought, OK this might be a normal thing because they might be contacting the person after a long time, and unaware that the person might have changed his/her number. I started telling them "wrong number". I have no idea whether the previous owner of this number was a politician or a famous/infamous person. But I keep getting many calls and messages intended to that person X. Some added me in to a few WhatsApp groups (work/personal). Getting frustrated.

People started sending sensitive documents, personal messages as well. And being a security pro, this led me to write a post regarding the possible security risks associated with this small 'wrong number' mistake. 

1) A Sender without verifying the receiving person, or his number started sending sensitive/confidential documents. This is a mistake from the sender and before you pass anything over any medium of communication, make sure that the receiver details are correct. 

2) Don't add people whom you don't know in to a WhatsApp group. 

3) Better avoid using WhatsApp for your job related or official purposes. There is a high chance of making a mistake by sending chats/files to the wrong person/group.

4) Now assume, the receiver is a evil person. He can impersonate the person, stole his/her identity and can perform social engineering attacks.  

5) The receiver can also misuse the confidential/sensitive information for illegal purposes.

So how to avoid such incidents?

1) Be cautious. You do your actions carefully. Make sure, you are communicating with the right person. 

If a person is not using his mobile connection for a period of time, for example 6 months, then the provider may cease the connection and release the number again in the market.

2) Enable two-step verification. So that, nobody can create/clone another WhatsApp for the same number on another device.

3) Don't sent your personal information, work related data over WhatsApp. I know the world is now running using WhatsApp. More than office communicator, people rely on WhatsApp. This is very wrong and unprofessional.

4) In your WhatsApp privacy -> Groups settings, restrict the people who can add you in to new Groups. 

Note: Some old guy started flirting as well. I guess the previous owner of the number was a female. Though i informed him that you are sending messages to the wrong person, he acknowledged and the very next day he started sending me new messages. 😆

I have blocked so many numbers and exited groups. Now thinking of deleting my WhatsApp. 😤

 

Read More

PrintSpoofer Windows Privilege Escalation tool : Usage and Illustration.

Lets talk about PrintSpoofer tool. This tiny tool is used for Windows Privilege Escalation. If the target server having the SeImpersonatePrivilege enabled and by using this tool, you can perform the Privilege escalation.

1) Look for the ways to elevate the privileges in the target machine. Run whoami /priv 

Check for the weakness in Windows Server where certain service accounts are required to run with elevated privileges utilizing the SeImpersonatePrivilege. Mostly people use Hot Potato to take advantage of this privilege function. But Hot Potato is successful only if the DCOM enabled in the target server. [Read more on this]. Here comes the usage of PrintSpoofer tool. You can abuse and exploit this with PrintSpoofer tool, even if the DCOM is disabled in the target server.

1) Get the code from Github.

https://github.com/itm4n/PrintSpoofer

Clone the directory. Note that, if you are trying to compile the code in a Linux machine, you may encounter compile error as it requires windows.h header file. 

I have used the Visual Studio in my windows machine and compiled the code to produce an exe output (PrintSpoofer.exe)

2) I have already gained the initial access in to the machine as a normal user. Means i do have the machine access and i can upload files in to it. I activated a simplepython web-server in my local machine and  from the target machine, downloaded PrintSpoofer.exe.

3) Once downloaded successfully, then just execute it to elevate the privileges. 

4) You have acquired the administrative privileges.

 

Read More

Free courses and Online Training List.

Free courses and free contents. Build a skill. Invest some time and litt up.

1) GCFGlobal.
200+ courses ranging from MS office to Cyber Security.
https://edu.gcfglobal.org/en/topics/

2) OpenLearn
Courses on , well almost everything.
https://www.open.edu/openlearn/free-courses/full-catalogue

3) Alison
Free and huge catalog of courses.
https://alison.com/

Read More

Bypassing Client-Side Filtering

When a user input something in the website such as adding a comment or uploading a file, these things can be verified for the validity and authenticity by using two methods. Client-Side or Server-Side filtering. When it is Client side, the filtering happens in the browser itself. Where as in Server side, the user input is sent back to the Server and then the server will validate the user input. Based on that, the user can successfully input something in to the website.
Server side filtering are comparatively harder to figure out as the code won't be passed to the end user. But when in comes to Client side filtering, the user/attacker can easily find out the filtering methods and may bypass the filtering using various methods.

There are four major ways to bypass the client-side file upload filter:

1. Turn off JavaScript in your browser . Most of the filtering check is accomplished by using a java script. So disabling the JavaScript in your browser may disable any kind of checks. But this may not be mostly successful as the JavaScript may possess additional features that affects the site functionality.
2. Intercept and modify the incoming page. When the page is loaded, there will be additional scripts to verify the uploading file. The script can be in java, which will look for the file extension, or magic number, file size etc. If any of these conditions doesn't met, then the file uploaded might be unsuccessful. An easier way is to delete such filtering from the scripts or sometimes, deleting the entire script might work as well.
3. Intercept and modify the file upload.When the file is uploaded, intercept the packet and edit the parameters such as MIME, so that the file filtering can be bypassed. You can perform this using tools such as Burp Suite.
4. Send the file directly to the upload location. If you are able to find out the upload location, you can perform a POST function to upload the file directly to the site location.

Read More

[Fix] Python pip install/ImportError

Ok, I was trying to run a python script which is written in version 2 and while executing, i am getting the error "ImportError: No module named requests". Which means the python script is calling to import the module named requests. This particular module doesn't comes inbuilt with the python installation. So i tried to install the module in my system. Since the script is in version python 2, i need to import the module for python 2. Unfortunately, the normal pip command seems deprecated (Python2 is End of Life as well) and spend some time to find the exact command. 

Here is the way to fix. 

root@kali:~/Desktop# sudo apt-get install python-pip python-dev build-essential

This will download all the essential files. Then run the command to install your desired module. In my case "requests".

root@kali:~/Desktop# pip install requests

For Python version 3, this is very easy and straight forward. No need to run the first command if your are running only python3.

root@kali:~/Desktop# pip3 install requests

Read More

OWASP Top 10 : Injection Attacks

Injection Attacks.

 This can be broadly classified in to two major kinds. SQL injection and Command Injection.

SQL Injection : Occurs when the user input is passed to SQL queries. And as a result, the attacker can access the database and do what ever he want. He can manipulate the tables, delete etc. 

Command Injection : This occurs when user input is passed to the the target system as system commands. The attacker is able to execute arbitrary system commands on application servers.

The best way to prevent injection attacks is ensuring that user controlled input is not interpreted as queries or commands. Or simply known as input validation. This can be done in different ways:

Using an allow list: when a user input is sent to the target server, this input is compared to a list of safe input or characters. If the input is marked as safe, then it is processed.
Stripping input: If the input contains suspicious characters, these characters are stripped off before they are processed.
    
Command Injection occurs when server-side code (like PHP) in a web application makes a system call on the hosting machine using commands such as passthru . Such  web vulnerability allows an attacker to take advantage of that made system call to execute operating system commands on the target server. By exploiting the vulnerability, an attacker can spawn a reverse shell to become the user that the web server is running as. Once the attacker has a foothold on the web server, they can start the usual enumeration of your systems and start looking for ways to pivot around.

Read More

THM Walkthrough : Git Happens

THM Room : Git Happens

Link : https://tryhackme.com/room/githappens 

Perform a Directory scan. Here i used Gobuster.

Git directory found. Same you can find using the nmap scan.

If you browse the address, you can see the login page. finding the credential is the goal of this room. If you go through the page source, you can find some javascript. You can try to decode to find something relevant.

You can also browse through the site pages to find hints. However i couldn't find anything relevant. I found some logs though.

I used gitdumper.sh script to dump all the items to my local machine. Link (https://raw.githubusercontent.com/internetwache/GitTools/master/Dumper/gitdumper.sh)

 Checkout

Go through the logs to find the commit history (reference : https://git-scm.com/book/en/v2/Git-Basics-Viewing-the-Commit-History)

Based on the hint/statement, look for the commit entry made by Boss and checkout.

Check out again using the new entry. And go through the index.html file.

You can find the credentials in the index.html file. The password is the flag. 

 

Read More

Root credentials for Latest Kali Linux [ver 2020.1 & later]

Kali had changed to a non-root user policy by default since the release of 2020.1.Which means, the old  root/toor credentials won't work by default.

When some one login to the Kali linux using the new default credentials kali/kali , they wont be having the root privileges. Even unable to view the IP Address using the ifconfig command.

So the command not found, due to the lack of privileges.

To solve this, you can run the command in sudo.

#sudo ifconfig will give you the result. But executing all commands with sudo is bit inconvenience.

So let''s activate the root user.

#sudo su

and then reset the password using #passwd root

Enter your new password for the root user.

Restart Kali or switch user, and then login with root and the new password that you've set.

Read More

Nutanix .NEXT Conference and Free certification.

Good news to all NCP/NCAP/NCSE aspirants. Nutanix Global .NEXT event, happening September 8th – September 10th, 2020. All .NEXT attendees will receive a voucher to take the NCP, NCAP, or NCSE exams for FREE through October 15.
 
 Registration link : https://www.nutanix.com/next/register.html
 Explore more : https://next.nutanix.com/education-blog-78/training-and-certification-programs-at-the-global-next-digital-experience-37850

Read More

Azure Cloud Security # Consolidated Notes and Documentations.

Consolidated list of documentations and tutorials related to Microsoft Azure Cloud Security. Can be used to perform a deep dive on Azure security and for the preparation of Azure Security certification.

Feel free to share. Happy learning.

Preparation Notes

• Mizrosoft Azure Services #Index

• Scaling Up/Vertical Scaling vs Scaling Out/Horizontal Scaling.

• What are Azure availability sets?

• Difference between Azure management groups, Subscriptions and Resource groups

• Azure Active Directory : Overview.
  

• Azure Active Directory User Types and RBAC built-in roles
  

• Azure Active Directory User Source of Authority (SoA)
  

• Application Registration in Azure Active Directory
  

• Azure Active Directory Identity Protection.

• Azure AD Connect Overview.

• Azure Front Door : Overview.

• Hardening your Azure cloud platform and best practices.

Security Documentation Glossary.

• Azure Well-Architected Framework
• Introduction to Azure security
• Azure security documentation
• Using customer-managed keys in Azure Key Vault with Storage Service Encryption
• Start using Azure Active Directory Privileged Identity Management
  
• Privileged Identity Management documentation
  
• What is Azure Security Center?
  
• Azure Security Center documentation
  
• What is Conditional Access?
• Microsoft Security Development Life-cycle
  
• Azure Information Protection documentation
• Azure Sentinel documentation
  
• Azure Key Vault
• Azure Security Center for IoT documentation
• Azure Dedicated HSM documentation
• Azure DDoS Protection Standard overview
• Microsoft security architecture recommendations
• Become an Azure Sentinel Ninja: The complete level 400 training

Read More