Tuesday, May 12, 2020

Walfrido Lopez | Yellow Belt | Hac-King-Do Training Certification by Computer Security Student (CSS)


Yellow Belt
#   Status    Date        Lesson
1   APPROVED  2019-10-04  NMAP: Lesson 3: Use ZENMAP and NMAP on BackTrack 5 R1
2   APPROVED  2020-02-11  NMAP: Lesson 4: Create an Inventory File with nmap
3   APPROVED  2019-10-04  NESSUS: Lesson 2: Install Nessus on BackTrack 5R1
4   APPROVED  2019-10-04  NESSUS: Lesson 3: Scan with Nessus on BackTrack 5R1
5   APPROVED  2019-09-29  Metasploit: MS08-067: BackTrack5R1: Establishing A Shell To The Vulnerable Machine
6   APPROVED  2019-10-11  Metasploit: MS08-067: BackTrack5R1: Establishing A VNCShell & rdesktop to Victim Machine
7   APPROVED  2019-11-16  Metasploit: MS10-018: BackTrack5R1: Create Malicious Link, Get Password, Set Backdoor
8   APPROVED  2020-03-29  Damn Vulnerable Windows XP: Lesson 2: How to setup the Adobe Flash Player Exploit
9   APPROVED  2020-04-05  Metasploit: Lesson 13: Illustrate Adobe Flash Player Exploit
10  APPROVED  2020-04-05  Damn Vulnerable Windows XP: Lesson 4: How to setup the RealVNC Weak Password Exploit
11  APPROVED  2020-04-05  Metasploit: Lesson 14: Illustrate RealVNC Weak Password Exploit
12  APPROVED  2019-11-10  Sniffing Traffic: Lesson 1: Using TCPDUMP to Capture and Crack Base64 Encryption
13  APPROVED  2020-04-05  Damn Vulnerable Windows XP: Lesson 5: How to setup the UltraVNC 1.0.2
14  APPROVED  2020-04-05  Metasploit: Lesson 15: Illustrate the UltraVNC 1.0.2 Remote Exploit
15  APPROVED  2020-04-05  Damn Vulnerable Windows XP: Lesson 6: How to setup the TFTPD32 Long Filename Buffer Overflow
16  APPROVED  2020-04-05  Metasploit: Lesson 16: Illustrate the TFTPDWIN v0.4.2 Long Filename Buffer Overflow Exploit, Set NetCat Backdoor

Friday, December 6, 2019

CVE-2019-12750: Symantec Endpoint Protection Local Privilege Escalation – Part 1

A malicious application can take advantage of a vulnerability in Symantec Endpoint Protection to leak privileged information and/or execute code with higher privileges, thus taking full control over the affected host.

Products Affected
  • Symantec Endpoint Protection v14.x < v14.2 (RU1)
  • Symantec Endpoint Protection v12.x < 12.1 (RU6 MP10)
  • Symantec Endpoint Protection Small Business Edition v12.x < 12.1 (RU6 MP10c)


A few months ago, while looking for a local privilege escalation vulnerability in the latest version of Symantec Endpoint Protection (SEP v14.2 Build 2486) software, we encountered a vulnerability that was hidden for several years.
In addition, the latest security updates around the kernel pool allocations that were introduced in Windows 10 v1809 gave us the opportunity to implement a different approach in order to successfully exploit this vulnerability in the latest version currently available, v1909.
Since the two approaches we used are quite different from each other, we decided to split this write-up into two parts.
In the first part, we will be discussing the actual bug and how we took advantage of it in earlier Windows versions, Windows 7 to 10 v1803, without additional kernel mode execution control requirements.
In the second part, we will go through a more sophisticated approach that required further analysis of the vulnerable products due to the newly introduced Low Fragmentation Heap (LFH) for kernel mode pool allocations, in Windows 10 v1809 onwards, which broke the first exploitation method. This was necessary in order to obtain code execution in kernel mode while bypassing additional exploitation mitigations such as SMEP and KASLR.

LINK HERE: https://labs.nettitude.com/blog/cve-2019-12750-symantec-endpoint-protection-local-privilege-escalation-part-1/

Thursday, December 5, 2019

Web Application Penetration Testing Course URLs

by Daniel Durnea https://www.facebook.com/Ro0tX

Phase 1 – History

1. History of the Internet - https://www.youtube.com/watch?v=9hIQjrMHTv4

Phase 2 – Web and Server Technology
1. Basic concepts of web applications, how they work and the HTTP protocol - https://www.youtube.com/watch?v=RsQ1tFLwldY&t=7s
2. HTML basics part 1 - https://www.youtube.com/watch?v=p6fRBGI_BY
3. HTML basics part 2 - https://www.youtube.com/watch?v=Zs6lzuBVK2w
4. Difference between static and dynamic website - https://www.youtube.com/watch?v=hlg6q6OFoxQ
5. Understanding the HTTP protocol - https://www.youtube.com/watch?v=JFZMyhRTVt0
6. Parts of an HTTP Request - https://www.youtube.com/watch?v=pHFWGN-upGM
7. Parts of an HTTP Response - https://www.youtube.com/watch?v=c9sMNc2PrMU
8. Various HTTP Methods - https://www.youtube.com/watch?v=PO7D20HsFsY
9. Understanding URLs - https://www.youtube.com/watch?v=5Jr-_Za5yQM
10. Intro to REST - https://www.youtube.com/watch?v=YCcAE2SCQ6k
11. HTTP Request & Response Headers - https://www.youtube.com/watch?v=vAuZwirKjWs
12. What is a cookie - https://www.youtube.com/watch?v=I01XMRo2ESg
13. HTTP Status codes - https://www.youtube.com/watch?v=VLH3FMQ5BIQ
15. Authentication with HTTP - https://www.youtube.com/watch?v=GxiFXUFKo1
16. HTTP basic and digest authentication - https://www.youtube.com/watch?v=GOnhCbDhMzk
17. What is "Server-Side" - https://www.youtube.com/watch?v=JnCLmLO9LhA
18. Server and client side with example - https://www.youtube.com/watch?v=DcBB2Fp8WNI
20. Introduction to UTF-8 and Unicode - https://www.youtube.com/watch?v=sqPTR_v4qFA
22. HTML encoding - https://www.youtube.com/watch?v=IiAfCLWpgII&t=109
23. Base64 encoding - https://www.youtube.com/watch?v=8qkxeZmKmOY
24. Hex encoding & ASCII - https://www.youtube.com/watch?v=WW2SaCMnHdU

Phase 3 – Setting up the lab with BurpSuite and bWAPP

1. Setup lab with bWAPP - https://www.youtube.com/watch?v=dwtUn3giwTk&index=1&list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV

Phase 4 – Mapping the application and attack surface
2. Mapping the application using robots.txt - https://www.youtube.com/watch?v=akuzgZ75zrk
3. Discover hidden content using dirbuster - https://www.youtube.com/watch?v=--nu9Jq07gA
4. Dirbuster in detail - https://www.youtube.com/watch?v=2tOQC68hAcQ
5. Discover hidden directories and files with Intruder - https://www.youtube.com/watch?v=4Fz9mJeMNkI
6. Identify application entry points - https://www.youtube.com/watch?v=IgJWPZ2OKO8&t=34s
8. Identify client and server technology - https://www.youtube.com/watch?v=B8jN_iWjtyM
9. Identify server technology using banner grabbing (telnet) - https://www.youtube.com/watch?v=O67M-U2UOAg
10. Identify server technology using httprecon - https://www.youtube.com/watch?v=xBBHtS-dwsM

Phase 5 – Understanding and exploiting OWASP top 10 vulnerabilities

1. A closer look at all OWASP top 10 vulnerabilities - https://www.youtube.com/watch?v=avFR_Af0KGk
2. Broken authentication and session management - https://www.youtube.com/watch?v=mruO75ONWy8&index=2&list=PLyqga7AXMtPPuibxp1N0TdyDrKwP9H_jD
7. Missing functional level access controls - https://www.youtube.com/watch?v=VMv_gyCNGpk&list=PLoyY7ZjHtUUVLs2fy-ctzZDSPpawuQ28d&index=7
9. Using components with known vulnerabilities - https://www.youtube.com/watch?v=bhJmVBJ-F-4&index=9&list=PLoyY7ZjHtUUVLs2fy-ctzZDSPpawuQ28d


Phase 6 – Bypassing client-side controls
1. What are hidden forms in HTML - https://www.youtube.com/watch?v=orUoGsgaYAE
2. Bypassing hidden form fields using Tamper Data - https://www.youtube.com/watch?v=NXkGX2sPw7I
3. Bypassing hidden form fields using Burp Suite (purchase application) - https://www.youtube.com/watch?v=xahvJyUFTfM
4. Changing the price on an eCommerce website using parameter tampering - https://www.youtube.com/watch?v=A-ccNpP06Zg
6. Cookie tampering with Tamper Data - https://www.youtube.com/watch?v=NgKXm0lBecc
7. Cookie tampering part 2 - https://www.youtube.com/watch?v=dTCt_I2DWgo
8. Understanding the Referer header in depth using a Cisco product - https://www.youtube.com/watch?v=GkQnBa3C7WI&t=35s
9. Introduction to ASP.NET ViewState - https://www.youtube.com/watch?v=L3p6Uw6SSX
10. ASP.NET ViewState in depth - https://www.youtube.com/watch?v=Fn_08JLsrmY
11. Analyse sensitive data in ASP.NET ViewState - https://msdn.microsoft.com/en-us/library/ms972427.aspx?f=255&MSPPError=-2147217396

Phase 7 – Attacking authentication/login
1. Attacking a login panel with bad passwords - guess the username and password for the website and try different combinations
2. Brute-forcing a login panel - https://www.youtube.com/watch?v=25cazx5D_vw
3. Username enumeration - https://www.youtube.com/watch?v=WCO7LnSlskE
4. Username enumeration with a brute-force password attack - https://www.youtube.com/watch?v=zf3-pYJU1c4
5. Authentication over the insecure HTTP protocol - https://www.youtube.com/watch?v=ueSG7TUqoxk
6. Authentication over the insecure HTTP protocol - https://www.youtube.com/watch?v=_WQe36pZ3mA
7. Forgot password vulnerability - case 1 - https://www.youtube.com/watch?v=FEUidWWnZwU
8. Forgot password vulnerability - case 2 - https://www.youtube.com/watch?v=j7-8YyYdWL4
9. Login page autocomplete feature enabled - https://www.youtube.com/watch?v=XNjUfwDmHGc&t=33s
11. Insecure distribution of credentials - when you register on a website, or request a password reset through the forgot-password feature, and the site emails your username and password in cleartext instead of sending a password reset link, that is a vulnerability.

Phase 8 – Attacking access controls (IDOR, privilege escalation, hidden files and directories)

Completely unprotected functionalities
1. Finding the admin panel - https://www.youtube.com/watch?v=r1k2lgvK3s0
2. Finding the admin panel and hidden files and directories - https://www.youtube.com/watch?v=Z0VAPbATy1A
3. Finding hidden web pages with dirbuster - https://www.youtube.com/watch?v=--nu9Jq07gA&t=5s

Insecure direct object reference
4. IDOR case 1 - https://www.youtube.com/watch?v=gci4R9Vkulc
5. IDOR case 2 - https://www.youtube.com/watch?v=4DTULwuLFS0
6. IDOR case 3 (Zomato) - https://www.youtube.com/watch?v=tCJBLG5Mayo

Privilege escalation
7. What is privilege escalation - https://www.youtube.com/watch?v=80RzLSrczmc
8. Privilege escalation - Hackme Bank - case 1 - https://www.youtube.com/watch?v=g3lv__87cWM
9. Privilege escalation - case 2 - https://www.youtube.com/watch?v=-i4O_hjc87Y

Phase 9 – Attacking data stores (Various types of injection attacks - SQL|MySQL|NoSQL|Oracle, etc.)

Bypassing login panel
1. Basics of MySQL - https://www.youtube.com/watch?v=yPu6qV5byu4
2. Bypassing the login panel - case 1 - https://www.youtube.com/watch?v=TSqXkkOt6oM
3. Bypassing the login panel - case 2 - https://www.youtube.com/watch?v=J6v_W-LFK1c

SQL injection
12. Part 12 - POST parameter injection, double-query based - https://www.youtube.com/watch?v=tjFXWQY4LuA&index=12&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro
13. Part 13 - POST parameter injection, blind boolean- and time-based - https://www.youtube.com/watch?v=411G-4nH5jE&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro&index=10
23. Part 23 - Bypassing addslashes - charset mismatch - https://www.youtube.com/watch?v=du-jkS6-sbo&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro&index=1

NoSQL injection
1. Abusing NoSQL databases - https://www.youtube.com/watch?v=lcO1BTNh8r
2. Making cry - attacking NoSQL for pentesters - https://www.youtube.com/watch?v=NgsesuLpyOg

Xpath injection
1. Detailed introduction - https://www.youtube.com/watch?v=2_UyM6Ea0Yk&t=3102s
2. Practical 1 - bWAPP - https://www.youtube.com/watch?v=6tV8EuaHI9
3. Practical 2 - Mutillidae - https://www.youtube.com/watch?v=fV0qsqcScI
4. Practical 3 - WebGoat - https://www.youtube.com/watch?v=5ZDSPVp1Tp

LDAP injection
1. Introduction and practical 1 - https://www.youtube.com/watch?v=-TXFlg7S9k
2. Practical 2 - https://www.youtube.com/watch?v=wtahzm_R8e

Phase 10 – Attacking back-end components (OS command injection, XML interpreters, mail services, etc.)

OS command injection
1. OS command injection in bWAPP - https://www.youtube.com/watch?v=qLIkGJrMY9