Pentester's life

Bypassing CSRF tokens with Python’s CGIHTTPServer to exploit SQLi

October 9, 2017 — 0 Comments

HTTP Headers, web application

HTTP Strict Transport Security, the practical explanation

September 12, 2017 — 2 Comments

tools development, web application

Python for pentesters, the practical version

September 11, 2017 — 3 Comments

Pentesting considerations and analysis on the possibility of full pentest automation

So, when we speak of automation in this scenario, it’s important to distinguish between three desirable features that ought to be guaranteed in the process:
Accurately rating the findings; Not causing collateral damage; and Detection.
So let’s take a look at each.

Twofish Crypter with DNS (CName) password retrieval, x64 shellcode decryption, and execution

A crypter is code that decrypts a previously encrypted payload, in this case a shellcode, and will then execute it. To encrypt it, and not do it as most others have, I chose one of the algorithms that went through the final round of AES: Twofish, by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson. But to make this one unique, I decided not to request the password to decrypt the payload from the user (usually as the first parameter to the executable in the command line) but, instead, to get it from a DNS request (CNAME record).

Polymorphic and smaller versions of three shell-storm’s x64 shellcodes, including the smallest execve /bin/sh

[Update 13 Jan 2018] ExploitDB has published the 3 shellcodes written in this blog post. Linux/x86-64 – Execute /bin/sh Shellcode (24 bytes) Linux/x86-64 – Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes) Linux/x86-64 – execve(“/sbin/iptables”, [“/sbin/iptables”, “-F”], NULL) Shellcode (43 bytes) Looking at the smallest x64 shellcodes (section Linux / Intel x86-64) in […]

Custom x64 encoder with a basic polymorphic engine implementation

I’ll develop a python encoder that will XOR the payload, byte by byte, with a randomly generated byte value, and also generate a polymorphic stub in x64 to decode that payload, by brute-forcing all 256 possibilities. Even though bypassing anti-virus systems is not the only purpose of encoders, it certainly is the most exciting one, and hence the detailed focus on this one subject throughout this post.

x64 Egg hunting in Linux systems

There isn’t much when it comes to egg hunters, and even less when it comes to x64 ones. And the ones out there on exploit-db and shell-storm do leave a lot to be explained, and some… let’s just say I can’t imagine the authors even bothered to test them, let alone read Skape’s paper on Safely Searching […]

Pentester's life

Try harder… and then go a little deeper.

Archive

Bypassing CSRF tokens with Python’s CGIHTTPServer to exploit SQLi

HTTP Strict Transport Security, the practical explanation

Python for pentesters, the practical version