Resources
- OWASP ZAP and Web Sockets – digininja.org
With the slow uptake of HTML5, web sockets are going to start being seen in more and more applications so I figured I’d better learn how to test them before being put in front of them on a client test and having to learn as I went along.
- SSH Brute Force The 10 Year Old Attack That Still Persists – blog.sucuri.net
One of the first server-level compromises I had to deal with in my life was around 12 years ago, and it was caused by an SSH brute force attack. A co-worker set up a test server and chose a very weak root password for it. A few days later, the box was owned running IRC bots and trying to compromise the rest of the network.
- F5 Networks BIG-IP Cookie Decoded – blog.whitehatsec.com
Have you ever seen a BIG-IP Cookie? Maybe you are just wondering what they are? In this post I will attempt to explain what a BIG-IP Cookie is and why they are important to a web application. Also I’ve linked to a tool (below) to help identify information leakage in BIG-IP Cookies that can reveal internal network information.
Tools
- vFeed The Open Source Cross Linked VDB v0.4.0 released (Support of OpenVAS, DISA/IAVM…) – toolswatch.org
vFeed framework is an open source naming scheme concept that provides extra structured detailed third-party references and technical characteristics for a CVE entry through an extensible XML schema.
- WCE v1.41beta released (minor release) – hexale.blogspot.com
WCE 1.41beta released. This is a minor release.
- PowerSploit: The Easiest Shell You’ll Ever Get – pentestgeek.com
PowerSploit is a collection of security-related modules and functions written in PowerShell. PowerSploit is already in both BackTrack and Kali, and its code is utilized by other awesome tools like SET so you may already be using it! Many of the scripts in the project are extremely useful in post-exploitation in Windows environments. The project was started by Matt Graeber who is the author of the function we will use in this tutorial: Invoke-Shellcode.
- Enumerating web services with classify.webbies.py – security.sunera.com
classify.webbies.py is a Python script that captures and presents a high-level overview of all the web listeners within a defined scope. This allows the user to spot the more interesting web targets with efficiency and relative ease, regardless of the number of discovered web services. The script will enumerate the web listener to determine if the service is using SSL, the banner of the web service, the title of the web application, and if the web application has any interactive components such as forms and logins. Last, the script can also take a screenshot of the web application.
- WMIS: The Missing Piece of the Ownage Puzzle – passing-the-hash.blogspot.com
The unsung hero of the PTH-Suite is definitely WMIS. It has replaced several other tools that I previously used to pass the hash. It is essentially the Linux equivalent to WMIC and the “process call create” query. The advantage of WMI over other methods of remote command execution is that it doesn’t rely on SMB and starting a service on the remote host. In most cases, it flies beneath the radar and it just might be the easiest way to get a shell on a remote host all without writing to the disk.
Vulnerabilities
- Researchers hack Verizon device, turn it into mobile spy station – reuters.com
Two security experts said they have figured out how to spy on Verizon Wireless mobile phone customers by hacking into devices the U.S. carrier sells to boost wireless signals indoors.
- SIM Cards Have Finally Been Hacked, And The Flaw Could Affect Millions Of Phones – forbes.com
Security researcher Karsten Nohl says some SIM cards can be compromised because of wrongly configured Java Card software and weak encryption keys.
Other News
- Nations Buying as Hackers Sell Flaws in Computer Code – nytimes.com
On the tiny Mediterranean island of Malta, two Italian hackers have been searching for bugs — not the island’s many beetle varieties, but secret flaws in computer code that governments pay hundreds of thousands of dollars to learn about and exploit.