fredag, mai 22, 2020

ASIS CTF Quals 2015 - Sawthis Writeup - Srand Remote Prediction


The remote service ask for a name, if you send more than 64 bytes, a memory leak happens.
The buffer next to the name's is the first random value used to init the srand()


If we get this value, and set our local srand([leaked] ^ [luckyNumber]) we will be able to predict the following randoms and win the game, but we have to see few details more ;)

The function used to read the input until the byte \n appears, but also up to 64 bytes, if we trigger this second condition there is not 0x00 and the print shows the random buffer :)

The nickname buffer:



The seed buffer:



So here it is clear, but let's see that the random values are computed with several gpu instructions which are decompiled incorrectly:







We tried to predict the random and aply the gpu divisions without luck :(



There was a missing detail in this predcitor, but there are always other creative ways to do the things.
We use the local software as a predictor, we inject the leaked seed on the local binary of the remote server and got a perfect syncronization, predicting the remote random values:




The process is a bit ugly becouse we combined automated process of leak exctraction and socket interactive mode, with the manual gdb macro.




The macro:



















Related news


The Pillager 0.7 Release

I spent the last couple days recoding the Pillager, getting rid of bugs, optimizing code, making it more extendable and more solid overall. So this post is to release the new code.  However, with that being said, the Pillager is in mass revision right now and I added some more developers to the team to add a whole host of new database attacking features as well as moving past databases and into other areas of post exploitation pillaging. Soon to be released..  As usual this tool and any tool i create is based on my issues when performing penetration tests and solves those problems.. If you have any insight or comments i will certainly take them into consideration for future releases.

For now check out Version 0.7.. Named searches and Data searches via external config files are now functioning properly as well as other bugs fixed along the way... Drop this in a BT5 VM and make sure you have your DB python stuff installed per the help docs and you should be good to go.  If you are looking to use oracle you are going to have to install all the oracle nonsense from oracle or use a BT4r2 vm which has most of the needed drivers minus cxoracle which will need to be installed.

http://consolecowboys.org/pillager/pillage_0.7.zip



Ficti0n$ python pillager.py
 
[---] The Database Pillager (DBPillage) [---]
[---] CcLabs Release [---]
[---] Authors: Ficti0n, [---]
[---] Contributors: Steponequit [---]
[---] Version: 0.7 [---]
[---] Find Me On Twitter: ficti0n [---]
[---] Homepage: http://console-cowboys.blogspot.com [---]

Release Notes:
 --Fixed bugs and optimized code
 --Added Docstrings
 --Fixed Named and Data searches from config files                 

About:
The Database Pillager is a multiplatform database tool for searching and browsing common
database platforms encountered while penetration testing. DBPillage can be used to search
for PCI/HIPAA data automatically or use DBPillage to browse databases,display data.
and search for specified tables/data instances.
DBpillage was designed as a post exploitation pillaging tool with a goal of targeted
extraction of data without the use of database platform specific GUI based tools that
are difficult to use and make my job harder.

Supported Platforms:
        --------------------
-Oracle
-MSSQL
-MYSQL
        -PostGreSQL
     

        Usage Examples:
        ************************************************************************
        
        For Mysql Postgres and MsSQL pillaging:
        ---------------------------------------
        python dbPillage -a [address] -d [dbType] -u [username] -p [password]
        
        
        For Oracle pillaging you need a SID connection string:
        ------------------------------------------------------
        python dbPillage-a [address]/[sid] -d [dbType] -u [username] -p [password]
        

        Grab some hashes and Hipaa specific:(Default is PCI)
        ------------------------------------
        python dbPillage -a [address] -d [dbType] -u [username] -p [password] --hashes -s hipaa


Drop into a SQL CMDShell:
-------------------------
        python dbpillage.py -a [address] -d [dbType] -u [username] -p [password] -q

Config file specified searches:
-------------------------------
Search for data Items from inputFiles/data.txt:
        python dbpillage.py -a [address] -d [dbType] -u [username] -p [password] -D

Search for specific table names from inputFiles/tables.txt:
python dbpillage.py -a [address] -d [dbType] -u [username] -p [password] -N

     
     
        Switch Options:
        ---------------------
        -# --hashes = grab database password hashes
        -l --limit  = limit the amount of rows that are searched or when displaying data (options = any number)
        -s --searchType = Type of data search you want to perform (options:pci, hipaa, all)(PCI default)
        -u --user = Database servers username
        -p --pass = Password for the database server
        -a --address = Ipaddress of the database server
        -d --database = The database type you are pillageing (options: mssql,mysql,oracle,postgres)
        -r --report = report format (HTML, XML, screen(default))
        -N --nameSearch = Search via inputFiles/tables.txt
        -D --dataSearch = Targeted data searches per inputFiles/data.txt
-q --queryShell = Drop into a SQL CMDshell in mysql or mssql
     
     
        Prerequisites:
        -------------
        python v2  (Tested on Python 2.5.2 BT4 R2 and BT5 R3 - Oracle stuff on BT4r2 only unless you install the drivers from oracle)
        cx_oracle (cx-oracle.sourceforge.net)
        psycopg2  (initd.org/psycopg/download/)
        MySQLdb   (should be on BT by default)
        pymssql   (should be on BT by default)
     

Related news
  1. House Hacking
  2. Kali Hacking
  3. Defcon Hacking
  4. Hardware Hacking
  5. Sean Ellis Growth Hacking
  6. Sean Ellis Growth Hacking
  7. Curso Hacking Etico
  8. Curso Completo De Hacking Ético
  9. Hacking Raspberry Pi
  10. Hacking Time
  11. Hacking Con Python
  12. Cosas De Hackers
  13. Mindset Hacking Nacho
  14. Curso De Hacking Etico
  15. Hacking Python
  16. Hacker Blanco

British Airline EasyJet Suffers Data Breach Exposing 9 Million Customers' Data

British low-cost airline EasyJet today admitted that the company has fallen victim to a cyber-attack, which it labeled "highly sophisticated," exposing email addresses and travel details of around 9 million of its customers. In an official statement released today, EasyJet confirmed that of the 9 million affected users, a small subset of customers, i.e., 2,208 customers, have also had their

via The Hacker News

Related links


  1. Que Estudia Un Hacker
  2. Hacking Etico
  3. Como Aprender A Hackear

Goddi (Go Dump Domain Info) - Dumps Active Directory Domain Information



Based on work from Scott Sutherland (@_nullbind), Antti Rantasaari, Eric Gruber (@egru), Will Schroeder (@harmj0y), and the PowerView authors.

Install
Use the executables in the releases section. If you want to build it yourself, make sure that your go environment is setup according to the Go setup doc. The goddi package also uses the below package.
go get gopkg.in/ldap.v2

Windows
Tested on Windows 10 and 8.1 (go1.10 windows/amd64).

Linux
Tested on Kali Linux (go1.10 linux/amd64).
  • umount, mount, and cifs-utils need to be installed for mapping a share for GetGPP
apt-get update
apt-get install -y mount cifs-utils
  • make sure nothing is mounted at /mnt/goddi/
  • make sure to run with sudo

Run
When run, will default to using TLS (tls.Client method) over 636. On Linux, make sure to run with sudo.
  • username: Target user. Required parameter.
  • password: Target user's password. Required parameter.
  • domain: Full domain name. Required parameter.
  • dc: DC to target. Can be either an IP or full hostname. Required parameter.
  • startTLS: Use to StartTLS over 389.
  • unsafe: Use for a plaintext connection.
PS C:\Users\Administrator\Desktop> .\godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe
[i] Begin PLAINTEXT LDAP connection to 'dc.test.local'...
[i] PLAINTEXT LDAP connection to 'dc.test.local' successful...
[i] Begin BIND...
[i] BIND with 'testuser' successful...
[i] Begin dump domain info...
[i] Domain Trusts: 1 found
[i] Domain Controllers: 1 found
[i] Users: 12 found
[*] Warning: keyword 'pass' found!
[*] Warning: keyword 'fall' found!
[i] Domain Admins: 4 users found
[i] Enterprise Admins: 1 users found
[i] Forest Admins: 0 users found
[i] Locked Users: 0 found
[i] Disabled Users: 2 found
[i] Groups: 45 found
[i] Domain Sites: 1 found
[i] Domain Subnets: 0 found
[i] Domain Computers: 17 found
[i] Deligated Users: 0 found
[i] Users with passwords not set to expire: 6 found
[i] Machine Accounts with passwords older than 45 days: 18 found
[i] Domain OUs: 8 found
[i] Domain Account Policy found
[i] Domain GPOs: 7 found
[i] FSMO Roles: 3 found
[i] SPNs: 122 found
[i] LAPS passwords: 0 found
[i] GPP enumeration starting. This can take a bit...
[i] GPP passwords: 7 found
[i] CSVs written to 'csv' directory in C:\Users\Administrator\Desktop
[i] Execution took 1.4217256s...
[i] Exiting...

Functionality
StartTLS and TLS (tls.Client func) connections supported. Connections over TLS are default. All output goes to CSVs and are created in /csv/ in the current working directory. Dumps:
  • Domain users. Also searches Description for keywords and prints to a seperate csv ex. "Password" was found in the domain user description.
  • Users in priveleged user groups (DA, EA, FA).
  • Users with passwords not set to expire.
  • User accounts that have been locked or disabled.
  • Machine accounts with passwords older than 45 days.
  • Domain Computers.
  • Domain Controllers.
  • Sites and Subnets.
  • SPNs and includes csv flag if domain admin (a flag to note SPNs that are DAs in the SPN CSV output).
  • Trusted domain relationships.
  • Domain Groups.
  • Domain OUs.
  • Domain Account Policy.
  • Domain deligation users.
  • Domain GPOs.
  • Domain FSMO roles.
  • LAPS passwords.
  • GPP passwords. On Windows, defaults to mapping Q. If used, will try another mapping until success R, S, etc... On Linux, /mnt/goddi is used.


Related news


  1. Hacking Simulator
  2. Hacking Music
  3. Hacking Usb
  4. Hacking Videos
  5. Hacking Con Buscadores
  6. Hacking Day
  7. Chema Alonso Wikipedia
  8. Hacking Programs
  9. Hackers Informaticos Contactar

torsdag, mai 21, 2020

CertCrunchy - Just A Silly Recon Tool That Uses Data From SSL Certificates To Find Potential Host Names


It just a silly python script that either retrieves SSL Certificate based data from online sources, currently https://crt.sh/, https://certdb.com/, https://sslmate.com/certspotter/, and https://censys.io or given an IP range it will attempt to extract host information from SSL Certificates. If you want to use Censys.io you need to register for an API key.

How to install
git clone https://github.com/joda32/CertCrunchy.git
cd CertCrunchy
sudo pip3 install -r requirements.txt

How to use it?
Very simply -d to get hostnames for a specific domain
-D to get hostnames for a list of domains (just stuff it in a line-delimited text file)
-I to retrieve and parse certificates from hosts in a netblock / IP range (e.g. 192.168.0.0/24)
-T the thread count makes stuff faster, but don't over do it
-o Output file name
-f Output format CSV or JSON, CSV is the default
for the rest, I'm still working on those :)

API keys and configs
All API keys are stored in the api_keys.py file below is a list of supported APIs requiring API keys.
  1. Censys.oi https://censys.io
  2. VirusTotal https://www.virustotal.com/en/documentation/public-api/

Continue reading

SubOver - A Powerful Subdomain Takeover Tool


Subover is a Hostile Subdomain Takeover tool designed in Python. From start, it has been aimed with speed and efficiency in mind. Till date, SubOver detects 36 services which is much more than any other tool out there. The tool is multithreaded and hence delivers good speed. It can easily detect and report potential subdomain takeovers that exist. The list of potentially hijackable services is very comprehensive and it is what makes this tool so powerful.

Installing
You need to have Python 2.7 installed on your machine. The following additional requirements are required -
  • dnspython
  • colorama
git clone https://github.com/Ice3man543/SubOver.git .
cd SubOver
# consider installing virtualenv
pip install -r requirements.txt
python subover.py -h

Usage
python subover.py -l subdomains.txt -o output_takeovers.txt
  • -l subdomains.txt is the list of target subdomains. These can be discovered using various tool such as sublist3r or others.
  • -o output_takeovers.txtis the name of the output file. (Optional & Currently not very well formatted)
  • -t 20 is the default number of threads that SubOver will use. (Optional)
  • -V is the switch for showing verbose output. (Optional, Default=False)

Currently Checked Services
  • Github
  • Heroku
  • Unbounce
  • Tumblr
  • Shopify
  • Instapage
  • Desk
  • Tictail
  • Campaignmonitor
  • Cargocollective
  • Statuspage
  • Amazonaws
  • Cloudfront
  • Bitbucket
  • Squarespace
  • Smartling
  • Acquia
  • Fastly
  • Pantheon
  • Zendesk
  • Uservoice
  • WPEngine
  • Ghost
  • Freshdesk
  • Pingdom
  • Tilda
  • Wordpress
  • Teamwork
  • Helpjuice
  • Helpscout
  • Cargo
  • Feedpress
  • Freshdesk
  • Surge
  • Surveygizmo
  • Mashery
Count : 36

FAQ
Q: What should my wordlist look like?
A: Your wordlist should include a list of subdomains you're checking and should look something like:
backend.example.com
something.someone.com
apo-setup.fxc.something.com

Your tool sucks!
Yes, you're probably correct. Feel free to:
  • Not use it.
  • Show me how to do it better.

Contact
Twitter: @Ice3man543

Credits


Related posts


  1. Hacking Linux Distro
  2. Hacking-Lab
  3. Body Hacking
  4. Ingeniería Social. El Arte Del Hacking Personal Pdf
  5. Curso De Hacker Gratis Desde Cero
  6. Libro Hacker

PHoss: A Password Sniffer


"PHoss is a sniffer. A normal sniffer software is designed to find problems in data communication on the network. PHoss is designed to know some protocols which use (or may use) clear text passwords. Many protocols are designed to use secure authentication. For fallback they define a lowest level of authentication using clear text. Many companies use this lowest fallback definition as standard setting to make the product working in many environments." read more...

Download: http://www.phenoelit-us.org/phoss/download.html

Read more


  1. Libros Hacking Pdf
  2. Raspberry Pi Hacking
  3. Hacking 2019
  4. Nfc Hacking
  5. Cómo Se Escribe Hacker
  6. Growth Hacking Examples
  7. Viral Hacking
  8. Live Hacking
  9. Master Hacking Etico
  10. Hacking Books
  11. Live Hacking
  12. Hacking Pdf
  13. Blog Seguridad Informática
  14. Curso De Ciberseguridad Y Hacking Ético
  15. Kali Hacking

Android SSHControl V1.0 Relased!!!

Hoy sabado 15, he subido al Market de Android la versión 1.0 de SSHControl, con nuevas funcionalades y la esperada opción "Custom Commands".






Esta aplicación permite controlar tus servidores linux, bsd y unix con solo un dedo, mediante esta app Android.
Y soluciona las siguientes problemáticas:
- Manejar una shell desde el pequeño teclado de un móvil es engorroso.
- Leer todos los resultados de un comando en la pantalla del móvil, nos dejamos la vista.

Esta app permite interactuar con servidores remotos simplemente haciendo pulsaciones en la pantalla, mediante un explorador de ficheros, de conexiones, etc..

Las funcionalidades nuevas de esta versión 1.0 son:

- Administración del Firewall Iptables.
- Opción de Custom Commands, tal como había prometido.

Las funcionalidades ya presentes en la v0.8 son:

- escalada a root mediante su y sudo
- gestor de procesos
- explorador de ficheros, editor de ficheros, editor de permisos.
- monitorización y baneo de conexiones
- Visualizadores de logs
- administrador de drivers
- estadisticas de disco

Para la versión 2.0 preveo:

- Escuchar música remota
- Descarga de ficheros (wget)
- Transferencia segura de ficheros entre servidores (scp)
- Gestures, para administrar los sitemas en plan minority report :)

App disponible en el market para 861 tipos de dispositivos y pronto disponible en tablets.

https://market.android.com/details?id=net.ssh.SSHControl

Cualquier sugerencia de mejora: sha0 [4t] badchecksum [d0t] net

Read more


  1. Libro De Hacking
  2. Hacking Wifi Windows
  3. Hacking Linux
  4. Kali Hacking
  5. Phishing Hacking
  6. Como Hackear
  7. Hacking Games
  8. Hacking Madrid
  9. Curso Hacking Etico Gratis
  10. Curso Ethical Hacking
  11. Raspberry Pi Hacking
  12. Como Hackear
  13. Chema Alonso Libros
  14. Hacking Apps
  15. Growth Hacking Tools
  16. Rom Hacking Pokemon

Learning Web Pentesting With DVWA Part 3: Blind SQL Injection

In this article we are going to do the SQL Injection (Blind) challenge of DVWA.
OWASP describes Blind SQL Injection as:
"Blind SQL (Structured Query Language) injection is a type of attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal , the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible."
To follow along click on the SQL Injection (Blind) navigation link. You will be presented with a page like this:
Lets first try to enter a valid User ID to see what the response looks like. Enter 1 in the User ID field and click submit. The result should look like this:
Lets call this response as valid response for the ease of reference in the rest of the article. Now lets try to enter an invalid ID to see what the response for that would be. Enter something like 1337 the response would be like this:

We will call this invalid response. Since we know both the valid and invalid response, lets try to attack the app now. We will again start with a single quote (') and see the response. The response we got back is the one which we saw when we entered the wrong User ID. This indicates that our query is either invalid or incomplete. Lets try to add an or statement to our query like this:
' or 1=1-- -
This returns a valid response. Which means our query is complete and executes without errors. Lets try to figure out the size of the query output columns like we did with the sql injection before in Learning Web Pentesting With DVWA Part 2: SQL Injection.
Enter the following in the User ID field:
' or 1=1 order by 1-- -
Again we get a valid response lets increase the number to 2.
' or 1=1 order by 2-- -
We get a valid response again lets go for 3.
' or 1=1 order by 3-- -
We get an invalid response so that confirms the size of query columns (number of columns queried by the server SQL statement) is 2.
Lets try to get some data using the blind sql injection, starting by trying to figure out the version of dbms used by the server like this:
1' and substring(version(), 1,1) = 1-- -
Since we don't see any output we have to extract data character by character. Here we are trying to guess the first character of the string returned by version() function which in my case is 1. You'll notice the output returns a valid response when we enter the query above in the input field.
Lets examine the query a bit to further understand what we are trying to accomplish. We know 1 is the valid user id and it returns a valid response, we append it to the query. Following 1, we use a single quote to end the check string. After the single quote we start to build our own query with the and conditional statement which states that the answer is true if and only if both conditions are true. Since the user id 1 exists we know the first condition of the statement is true. In the second condition, we extract first character from the version() function using the substring() function and compare it with the value of 1 and then comment out the rest of server query. Since first condition is true, if the second condition is true as well we will get a valid response back otherwise we will get an invalid response. Since my the version of mariadb installed by the docker container starts with a 1 we will get a valid response. Lets see if we will get an invalid response if we compare the first character of the string returned by the version() function to 2 like this:
1' and substring(version(),1,1) = 2-- -
And we get the invalid response. To determine the second character of the string returned by the version() function, we will write our query like this:
1' and substring(version(),2,2) = 1-- -
We get invalid response. Changing 1 to 2 then 3 and so on we get invalid response back, then we try 0 and we get a valid response back indicating the second character in the string returned by the version() function is 0. Thus we have got so for 10 as the first two characters of the database version. We can try to get the third and fourth characters of the string but as you can guess it will be time consuming. So its time to automate the boring stuff. We can automate this process in two ways. One is to use our awesome programming skills to write a program that will automate this whole thing. Another way is not to reinvent the wheel and try sqlmap. I am going to show you how to use sqlmap but you can try the first method as well, as an exercise.
Lets use sqlmap to get data from the database. Enter 1 in the User ID field and click submit.
Then copy the URL from the URL bar which should look something like this
http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit
Now open a terminal and type this command:
sqlmap --version
this will print the version of your sqlmap installation otherwise it will give an error indicating the package is not installed on your computer. If its not installed then go ahead and install it.
Now type the following command to get the names of the databases:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id
Here replace the PHPSESSID with your session id which you can get by right clicking on the page and then clicking inspect in your browser (Firefox here). Then click on storage tab and expand cookie to get your PHPSESSID. Also your port for dvwa web app can be different so replace the URL with yours.
The command above uses -u to specify the url to be attacked, --cookie flag specifies the user authentication cookies, and -p is used to specify the parameter of the URL that we are going to attack.
We will now dump the tables of dvwa database using sqlmap like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa --tables
After getting the list of tables its time to dump the columns of users table like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa -T users --columns
And at last we will dump the passwords column of the users table like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa -T users -C password --dump
Now you can see the password hashes.
As you can see automating this blind sqli using sqlmap made it simple. It would have taken us a lot of time to do this stuff manually. That's why in pentests both manual and automated testing is necessary. But its not a good idea to rely on just one of the two rather we should leverage power of both testing types to both understand and exploit the vulnerability.
By the way we could have used something like this to dump all databases and tables using this sqlmap command:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id --dump-all
But obviously it is time and resource consuming so we only extracted what was interested to us rather than dumping all the stuff.
Also we could have used sqlmap in the simple sql injection that we did in the previous article. As an exercise redo the SQL Injection challenge using sqlmap.

References:

1. Blind SQL Injection: https://owasp.org/www-community/attacks/Blind_SQL_Injection
2. sqlmap: http://sqlmap.org/
3. MySQL SUBSTRING() Function: https://www.w3schools.com/sql/func_mysql_substring.asp
Related news
  1. Hacking Simulator
  2. Hacking Etico Libro
  3. Como Hacker
  4. Hacking Forums

onsdag, mai 20, 2020

ANNOUNCEMENT: Submitters Of Papers And Training For Global AppSec DC 2019 (Formerly AppSec USA)

We had an overwhelming turnout out of submissions for Call for Papers and Call for Training for the OWASP Global AppSec DC 2019 (formerly AppSec USA)  We want to give each submission the time deserved to evaluate each before choosing.  Keeping that in mind the notifications of acceptance and thanks will be CHANGED to July 1, 2019.  We appreciate your understanding and patience in this matter.

Related posts
  1. Kali Hacking
  2. Best Hacking Games
  3. Windows Hacking
  4. Hacking Music
  5. Como Ser Un Buen Hacker
  6. Master Hacking Etico
  7. Libros Hacking
  8. Curso De Hacking Etico
  9. Chema Alonso Wikipedia
  10. Manual Del Hacker
  11. Hacking Madrid
  12. Car Hacking

tirsdag, mai 19, 2020

Networking | Switching And Routing | Tutorial 1 | 2018


Welcome to my new series of tutorials about networking. Moreover in this series I'll discuss briefly each and every thing related to routing and switching. After that you will able to pass an exam of HCNA, CCNA etc. First of all you have to know which software is used by which company such as Huawei used its own software named eNSP while Cisco used its own software named Cisco Packet Tracer. After that you have to know that how to download and install both of the software in your computer systems. So the purpose of this blog is to give you people an overview about how to download and install both of them.

What is a Network? 

First of all we must have to know about what is a network. So the network is the interconnection of two or more than two devices in such a way that they can communicate each other. In computer networks we can say that the interconnection of two or more than two end devices (computer, laptops, printers etc) for the sake of sending and receiving some amount of data is known as computer network.

What is Internet?  

The very simple and easily understandable definition of a internet is "The network of networks". Now what is meant by that? When different networks from the different areas or at the same areas wanna communicate with each other then internet formed. So we can say that "Internet is the interconnection of different networks in such a way that networks can communicate with each other".



Spaghetti's Features:
   Fingerprints:
  • Server:
  • Web Frameworks (CakePHP,CherryPy,...)
  • Web Application Firewall (Waf)
  • Content Management System (CMS)
  • Operating System (Linux,Unix,..)
  • Language (PHP,Ruby,...)
  • Cookie Security
   Discovery:
  • Bruteforce:Admin Interface
    Common Backdoors
    Common Backup Directory
    Common Backup File
    Common Directory
    Common FileLog File
  • Disclosure: Emails, Private IP, Credit Cards
   Attacks:
  • HTML Injection
  • SQL Injection
  • LDAP Injection
  • XPath Injection
  • Cross Site Scripting (XSS)
  • Remote File Inclusion (RFI)
  • PHP Code Injection
   Other:
  • HTTP Allow Methods
  • HTML Object
  • Multiple Index
  • Robots Paths
  • Web Dav
  • Cross Site Tracing (XST)
  • PHPINFO
  • .Listing
   Vulns:
  • ShellShock
  • Anonymous Cipher (CVE-2007-1858)
  • Crime (SPDY) (CVE-2012-4929)
  • Struts-Shock
Spaghetti Example:
python spaghetti --url example.com --scan 0 --random-agent --verbose


More articles