Pentest/CTF Take-aways(search refs to change all broken refs)

Windows Active Directory. Ports 88 (Kerberos), 389 (LDAP), 636 (LDAP), 3268 (LDAP). SYSVOL content found: if SYSVOL content is found and GPP (Group Policy Preferences) is applied, there will be a Groups.xml file containing credentials somewhere in the Policies directory. Find it with: find . -iname "groups.xml". GPP password hash found: use gpp-decrypt tools to…

HackingTheArtOfExploitation

Programming: Objdump. Examine a compiled binary. reader@hacking:~/booksrc $ objdump -D a.out | grep -A20 main.: 08048374 <main>: 8048374: 55 push %ebp 8048375: 89 e5 mov %esp,%ebp 8048377: 83 ec 08 sub $0x8,%esp 804837a: 83 e4 f0 and $0xfffffff0,%esp 804837d: b8 00 00 00 00 mov $0x0,%eax 8048382: 29 c4 sub %eax,%esp 8048384: c7 45 fc 00…

TheHackerPlaybook II

Disclaimer BECAUSE OF THE RELEASE DATE OF THE BOOK, EVERYTHING HERE NEEDS FURTHER TEST. DON’T TAKE ANYTHING AND EXPECT IT TO WORK OFF THE BAT. Scanning the Network Passive Discovery Checklist Recon-NG (API key needed for http://ipinfodb.com/register.php) Discovery Spiderfoot (http://www.spiderfoot.net/) Creating Password Lists Tools Checklist Wordhound (https://bitbucket.org/mattinfosec/wordhound.git) Brutescrape (https://github.com/cheetz/brutescrape) Compromised lists like Adobe users.tar.gz https://github.com/cheetz/adobe_password_checker/blob/master/foundpw.csv https://github.com/cheetz/adobe_password_checker…

Hands On Penetration Testing on Windows – Chapter 1

Table of Contents Bypassing Network Access Control Bypassing MAC Filtering Set Up Tools Required Set Up Detail Bypassing Network Access Control Bypassing MAC Filtering You have physical access to the facility and have found yourself an operational VoIP phone (or anything else with a MAC address that connects to the internal network) and its MAC…

Getting Real With BugBounty – Passive Recon

Table of Contents Disclaimer Passive Recon BuiltWith Shodan.io Censys.io Hunter.io Summary Disclaimer Anything here on my blog, this article, and all the other ones, are for education purposes. Any misuse of the information is at your own risk. Statement: Any article on this blog, including this one, is for learning purposes only. The author takes no responsibility for any misuse of the information. What Peter Kim (author of THP) suggests is to get your hands dirty. And the…

TheHackerPlayBook I – Section III – The Throw

Table of Contents Web Application Exploitation SQL Injection (SQLi) Cross-site Scripting (XSS) Cross-site Request Forgery (CSRF) Session Token Entropy Fuzzing/Input Validation Business Logic Summary Web Application Exploitation First things first, two good resources for webapp pentesting: the OWASP Web Application Testing Guide and The Web Application Hacker’s Handbook. SQL Injection (SQLi) TODO Read more about SQL databases, how…

TheHackerPlayBook I – Section II – The Drive

Table of Contents General Idea The Mentality Thing The Difference Within Responsibility Engagement Time Section II – The Drive – Exploiting Scanner Findings About Payloads DEP and ASLR DEP ASLR Take Aways General Idea This is going to be a note-taking article written while reading the book The Hacker Playbook I. I will stop…