Gamma Group Writeup
by Phineas Fisher, 2014

| Remark |
|---|
| 31337 |
| Gamma Group |
| FOIA |
| FOIA request |
| “demystifying hacking and inspire others to hack shit” |
| Truecrypt 7.1a |
| Whonix |
| Tor |
| cantenna |
| aircrack |
| reaver |
| general OPSEC recommendations |
| shut up! |
| v& (vanned) |
| hacking over Tor is slow |
| nmap |
| sqlmap |
| nikto |
| public IP for catching reverse shells |
| use hacked servers or VPS paid with bitcoin |
| fierce.pl |
| reconnaissance |
| whois |
| CIDR |
| reverse whois lookups |
| whois lookups |
| Google -inurl directive |
| DomainTools |
| SNMP scanning is underrated |
| git, GitHub |
| FTP |
| weak credentials, default passwords |
| stratfor |
| VOIP |
| IP camera |
| router |
| webserver |
| .svn directory |
| backups |
| phpinfo |
| WhatWeb |
| wpscan |
| CMS-Explorer |
| Joomscan |
| custom apps tend to have more bugs |
| get copies of target’s web software to test and observe locally |
| pirate software |
| ZAP |
| view source to find strings to identify software |
| hack adjacent/similar sites to see how they work |
| SQL injection |
| url parameter |
| Apache mod_security |
| `sqlmap --tamper='tamper/modsecurityversioned.py'` |
| php shell |
| JavaScript |
| bypassing client-side verifications |
| Weevely |
| Damn Vulnerable Web App |
| LFI |
| file upload checks done client-side |
| 403 Forbidden |
| /BackOffice |
| MySQL |
| intercepting proxy |
| magic quotes |
| `sqlmap --file-read` |
| source code |
| “root over 50% of Linux servers you encounter in the wild with two easy scripts: Linux Exploit Suggester and unix-privesc-check” |
| Debian |
| cron privilege escalation |
| webalizer |
| cron timezone restart bug |
| /etc/localtime |
| pivoting, lateral movement |
| firewall |
| tarball of static-linked binaries |
| NSE scripts: nfs-x, smb-x |
| whistleblower |
| FinSpy |
| command and control |
| DDoS |
| GPU |
| scan, find vulns, exploit methodology |
| exploiting web browsers |
| Java |
| Flash |
| Microsoft Office |
| phishing |
| Metasploit browser autopwn |
| fake Flash updater |
| social engineering |
| apache access log is readable root only, but can be accessed as /proc/self/fd/x |
| socat |
| static linking |
| guerrilla warfare |

| Book Recommendations |
|---|
| The Web Application Hacker’s Handbook |
| Hacking: The Art of Exploitation |
| The Database Hacker’s Handbook |
| The Art of Software Security Assessment |
| A Bug Hunter’s Diary |
| Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier |
| TCP/IP Illustrated |