Posts

Showing posts from 2018

Web application penetration testing: Tools and Techniques for web security auditing

Every pentester has their own tools and techniques for web app security auditing; sometimes it depends on the type of website we are pentesting. We are going to see some common tools and techniques that can help us audit our web application's security.

Detecting web application firewall and other services

You can start by detecting whether there is any web application firewall in use. Later we can see if there's any way to bypass it.

Recommended tools:

fofa.so: It is a cyberspace search engine launched by White Hat. It can help researchers or enterprises quickly match network assets by performing cyberspace mapping, for example, analyzing the scope of a vulnerability.

shodan.io: It is the most popular search engine among pentesters for finding various online vulnerable IoT devices and open ports from various web servers.

wafw00f: This tool allows you to detect and identify which Web Application Firewall is in use to protect the website.

Bypassing Cloudfl

Malware analysis (Part2) - Digital forensic of malicious files .

Recently I did a post on the digital investigation of a backdoor PDF; in that post I described the PDF structure and how to analyse these types of malicious files. In this post we will see another method of investigating these malicious files. We will separate all the attachments and stream objects from the malicious PDF file and then see whether there is any malicious content inside it, such as a listener IP address or a dropper.

Creating the malicious file

STEP 1. First I am going to create an infected PDF for analysis; I won't create a listener, as this is for tutorial purposes. I am going to inject this exploit into a clean PDF file for this experiment. As you can see below, I am inserting the directory of the clean PDF file, and after running it I get the evil PDF.

Starting the investigation

We have created our file; now it's time to investigate it. So clone this GitHub repository by typing git clone https://github.com/gdelugre/origami.git &am

Hide your internet activity from your ISP by generating random Internet Traffic

What is this

In this post we will see how we can make our online activity less valuable to our ISP by generating random traffic. We will do this by generating random DNS and HTTP traffic in the background while you are visiting your regular websites and doing your online activity. This will flood your online activity, and your ISP won't get anything valuable that it can sell.

How to do this

Doing this is very easy; just follow the simple steps shown below.

STEP 1. First open your terminal and clone this GitHub URL by typing git clone https://github.com/1tayH/noisy.git && cd noisy

STEP 2. Now install the dependencies by typing pip install requests

STEP 3. Now, after installing the dependencies, just type python noisy.py --config config.json --timeout 50. Here --config loads your configuration from a config file, and --timeout tells it for how long you want it to run, in seconds. And it will start generati

Check for windows Privilege escalation vulnerability

In this post we are going to see a quick and short method to check for the most common privilege escalation vulnerabilities in Windows. As we know, there are a lot of ways to do a privilege escalation attack on Windows; if you are doing a penetration test, privilege escalation is an important post-exploitation step so that you can execute further commands.

Checking for the misconfiguration

STEP 1. As this is a quick and short method, we are going to use a tool. First download the compiled version of the tool from here.

STEP 2. Now go to the command prompt and type "beRoot", and then you will see what type of privilege escalation vulnerabilities you have. As we can see above, I got multiple vulnerabilities and misconfigurations which can lead to privilege escalation. One vulnerability which should be noted here is DLL hijacking, which an attacker can use to inject their own malicious code into a legitimate DLL, and you may not get an idea whether the process is malicious or

Detect domain name typosquatting attack

In this post we will see different techniques for detecting a similar-looking domain and phishing attacks that use such a domain. We will see offline and online methods to detect these attacks.

What is typosquatting

Whenever you search for a domain and mistype it, what you may suddenly get is a similar-looking phishing domain; this is called typosquatting, and this technique can be used to hack or phish you by providing a fake, similar-looking domain. This is what we are going to look at: how we can detect these similar-looking domains and block them.

Spotting the similar-looking domains

STEP 1. Open your terminal and type git clone https://github.com/elceef/dnstwist.git && cd dnstwist

STEP 2. Now install the dependencies; in the dnstwist folder type apt-get install libgeoip-dev libffi-dev

STEP 3. Now type BUILD_LIB=1 pip install -r requirements.txt

STEP 4. Now we will look for only those domai

Digital investigation of malicious backdoor PDF

In this post we are going to investigate a malicious PDF file. As we all know, a PDF file can be infected with embedded objects, JavaScript code, or encoded streams to exploit the PDF reader, and these days this type of attack happens very often. We receive these types of infected PDFs very often through email or other communication services.

Basics of PDF structure

Before we begin investigating our PDF, we first need to know some basics of the PDF file format, which we need in order to understand the analysis. A PDF contains four parts:

1. "Header", which contains information about the PDF version.
2. "Body", which contains objects that define operations performed by the file and embedded data like scripting code, images, text etc.
3. "Cross-reference table", which lists the offsets inside the file which will be rendered by the PDF reader.
4. "Trailer", which describes the location of certain objects inside the body of the PDF and the location of the cross-refe

Detect Man In The Middle Attack in your network

In this post we are going to see a simple and easy way to detect a network sniffer or a Man In The Middle who is intercepting our network and can sniff our passwords over the network. This is a basic and simple way to do a basic check for any interception inside your network. However, this is not enough to check for these types of network attacks, but it can come in handy when you are dealing with some script kiddie who is just using a script and doesn't know anything about what they are doing.

What you need to know

You need to know the basics of networking. Apart from this, I will tell you every step and give you info about the commands we are going to use.

Steps for detecting a MITM attack

Before checking for the network intercept, I am going to start capturing plaintext passwords to show you that we are intercepting the network, so that we can see whether this method actually works or not.

1. So first I will start intercepting my network as shown below.
2. Now I wi

Windows Incident Response: Detect and delete backdoor malware in windows

In this post we are going to learn how to detect and remove a backdoor malware which is listening through some TCP connection, and later we will learn to detect and delete malware which is listening through a periodic connection from its C2 domain. For this I am going to use a non-malicious program named "504lab" created by the SANS Institute; it will create a backdoor on my system, and my task is to find it and delete it from my system. I will attach the link below so that you can practice it yourself. Before doing this we need to make sure our firewall is completely off, so first we will stop our firewall. To do this, go to your command prompt and type "netsh advfirewall set allprofiles state off". Now go to the directory where the program is located and start it through the cmd prompt. After executing, it will ask us to start another command prompt and execute the netstat -aon command so that we can see what services are running on our network, so start ano