Robin
@digininja
Hacker, coder, climber, runner. Co-founder of SteelCon, freelance tester, author of many tools. Always trying to learn new things. Advocate
Sheffield, UK · digi.ninja · Joined September 2008

Robin’s posts

How many people are going to buy a Raspberry Pi 4 this morning and when it arrives, put it on a shelf and never actually do anything with it?
176
2,403
We really really really really really really really really really really really really really really really really really really really need to stop setting cisco/cisco as our default creds
Quote
We really really really really really really really really really really really really really really really really really really really need you to know we're not an R&B singer or a food distribution service.
24
754
It is a sad state for a company when an internal security team has to get an external tester to report on vulns they know exist just so they can take them to management to consider getting them fixed.
56
561
Just learned that in Vim, you can format a JSON block by selecting it and then doing the following: :%!jq . This is brilliant when pasting single line objects in from Burp.
19
312
Does anyone on the nmap team work at Samsung? My washing machine said 7 minutes remaining, I went back 10 minutes later and it still said 5 mins left
30
281
Just learnt that if you put a + in front of an nmap script name when passing it to --script, it forces the script to run, even if a fingerprint doesn't match. A very useful little feature.
4
218
Just got SQLi through the contents of a PDF which gets zipped then uploaded where it is unzipped, passed through pdftotext, my injection string extracted and then concatenated into the SQL statement. Never had something so convoluted before!
15
219
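The post above describes an injection that only reaches the database after an unzip and a pdftotext step. As an added example (not the author's code or the application he tested), the pipeline below is reconstructed in Python: a zipped upload is unpacked, the member's text stands in for pdftotext output (assumption: the extractor reproduces the string verbatim, so a plain-text member is used instead of a real PDF), and the extracted string is concatenated into a query against an in-memory SQLite table with constructed sample rows. The hardened variant binds the same string as a parameter; the pipeline is identical, only the query construction differs.

```python
import io
import sqlite3
import zipfile

# Constructed sample rows standing in for the application's user table.
USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_upload(document_text: str) -> bytes:
    """Build the zipped upload a user would send, holding one document.

    Assumption for the example: a UTF-8 text member plays the role of the PDF.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cv.pdf", document_text)
    return buf.getvalue()


def extract_text(zip_bytes: bytes) -> str:
    """Stand-in for the unzip -> pdftotext stage.

    The real pipeline runs pdftotext on the archived PDF; here the decoded
    member bytes are treated as pdftotext's output (assumption: verbatim).
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        first_member = zf.namelist()[0]
        return zf.read(first_member).decode("utf-8", errors="replace").strip()


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, extracted: str) -> list:
    # The extracted document text is concatenated straight into the SQL
    # statement: the bug the post describes. Quote characters in the
    # document break out of the string literal.
    sql = "SELECT name, email FROM users WHERE name = '" + extracted + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, extracted: str) -> list:
    # Same query with a bound parameter: the text is data, never SQL,
    # however many layers of unzip/pdftotext it has passed through.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (extracted,)).fetchall()


def run_pipeline(document_text: str, safe: bool) -> list:
    """Upload -> unzip -> text extraction -> query, returning the rows found."""
    conn = fresh_db()
    try:
        extracted = extract_text(make_upload(document_text))
        if safe:
            return lookup_safe(conn, extracted)
        return lookup_vulnerable(conn, extracted)
    finally:
        conn.close()


if __name__ == "__main__":
    payload = "' OR '1'='1"
    print("benign, vulnerable:", run_pipeline("alice", safe=False))
    print("payload, vulnerable:", run_pipeline(payload, safe=False))
    print("payload, safe:", run_pipeline(payload, safe=True))
```

The point the example makes is that the number of transformations between the upload and the query is irrelevant to the fix: the document text is untrusted at every stage, and parameterising the query at the sink is what closes the hole.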
On phone to bank:
Hi, I've found some bugs on your site
OK, I've just checked with the tech team, there are no bugs
Erm...
13
191
If anyone is thinking of writing a blog post and worries "no one will read it", those two I just released were written purely for me, if no one else read them, that's fine. I wrote them to learn how fronting works. Putting it down in real words helps cement things. Write it!
17
188
Don't be afraid to say to clients "sorry I can't do that job, I don't have the right skill set". Taking a job and then trying to learn how to do it sometimes works but often ends up with the client getting much less than they pay for or deserve. Build partnerships, pass work on
3
143
Just asked for a new feature. In Repeater, hover over an encoded string and it decodes. I want the same functionality in the Proxy. Would anyone else like to see this? It needs votes to get it implemented.
encoded string being decoded in Burp Repeater
16
136
Just had a nice email from the CVE team at confirming that they have rejected CVE-2023-39848. This is my first interaction with CVEs and it gives me confidence that there are sensible people behind the program and it isn't just automated and ignored by humans.
7
126
Would anyone be interested in a class on developing your own Remote Access Trojan? Learning Windows APIs and stuff like that? Asking for a friend who knows his stuff.
20
95
Security through obsolescence - Just popped a CCTV camera but don't have the ancient browser plugins to be able to view its stream.
9
105
I use an email system that only allows fingerprint as second factor. My fingerprints are trashed from climbing last night. Had to enrol Sam's finger then have him authenticate me into mail. A 5 year old now has full access to my inbox and I don't!
15
91
It's amazing what a difference 9 years makes. Pippa is growing up fast. Happy birthday to my little one.
6
86
Stop moaning, it is for security reasons. Everyone knows that long passwords are less secure. To be extra safe, they need to remove pasting as well so attackers must type each password when they try a brute force attack
4
82
I really don't understand 3 month notice periods. Do you really think the person will still be motivated to act in the company interest for a quarter or a year after they quit? Get them out of the door as quickly as possible
34
78
Just checked in at hotel, been told I only paid for single bed but got a double as all available. Been asked, with straight face, to stick to one side and not sprawl across both sides. There is also a set of pillows down the middle to help enforce it
16
76
She's come a long way in ten years. This is the first bit of many bits of cake this weekend. Happy birthday Pippa!
13
81
If you want to frustrate Burp users, have certain keywords like "postgresql" randomly appear in hidden fields on the site. The SQLi scanner will go mad!
5
76
I did some testing for a bank a few years ago and as part of it had to open a live account. I managed to screw up the account and got a penny locked into it and still 2 years later they can't move that penny and can't close the account.
11
73
Does anyone else have a password they can type from muscle memory but couldn't write down unless thought about really hard?
20
78
I've not got a big ego or expect everyone to know who I am, but if you are trying to recruit me, spend 5 minutes with google so you don't have to ask "can you write your own tools?" and "do you attend conferences?"
7
65
I really feel for that developer or group. I imagine the time spent trying to debug caused by this, the hours of head banging, to finally work out what was going wrong. Then having a sincere desire to prevent anyone else from having the same hard time as they did.
1
64
If you panic at the thought of a vuln scan taking down your network then you probably aren't at the point of needing a vuln scan
5
62
If you are testing a mobile app and don't want to keep entering a long random password, set up a Burp match rule to swap xxx for the password. Makes life a lot easier!
1
64
I have a big "no recruiters" thing on LinkedIn and it includes a message that says any recruiters who contact me have to pay £50 to charity. Just had one try to connect, I pointed this out and she said sorry and has honoured the donation. Second one in two years.
4
58
Pippa: dad, have we got any newspapers? Me: why? P: so I can practice hiding secret codes in them in case I grow up to be a spy I worry for the day she starts preparing in case she becomes a mortician
3
54
Dump unformatted JSON into vim, select it then do :json_pp and get nicely formatted JSON back. Very cool! Also works with ranges
2
54
Current setup:
Windows VM VPN to client, connect through Putty in CyberArk to linux box
Linux box reverse tunnel Squid proxy to my DC
My test box tunnel Squid from DC to local
Burp connects to local Squid
Browser connects to Burp
And it is all working - Tunnelling is great!
4
56
Client's hosting company: "We can't let you test their live system as it may expose data from other clients on that box" Me: "Wouldn't your other clients like to know if their data could be exposed in this way?" Hosts: "Erm"
6
52
Looks like I need to go back to school and learn some safe coding techniques so I can fix up the rest of the app. After I'm done I'll rename it DWA.
3
56
Just called todays client, her first words to me: Are you ready to start penetrating me? This is going to be an interesting test!
9
48
Companies, if you are creating videos to advertise your awesome security product, remember, some of us will go through it frame by frame looking at screenshots. Using a 14 year old version of Nmap doesn't look good in a new product!
2
42
Just managed domain fronting against Cloudflare where the only observable hosts in any watchers logs would be the cloudflare domain and an ASCII penis. Write up is coming shortly :)
6
52
I've got RCE in PHP through call_user_func but I can only pass in a function name, no arguments. I can call phpinfo and get that displayed. Are there any other PHP functions that don't require parameters that could leak info or do damage?
12
45
Got a gmail account with 20 char random password. Someone just managed to guess it and tried to log in. Google blocked it and alerted me
29
39
CSRF injecting XSS using jQuery to pull internal content then post it out to my capture site. I love doing PoC's that aren't just alert boxes!
3
47
Just been to the NPR site and got an offer of either accepting cookies and tracking or viewing a text only version of the site. This is great, I want more text only sites.
3
44
Closing a load of terminals and got confused why one wouldn't close, then realised it was a screenshot. It is going to be one of those days!
2
45
I've just been offered 79 USD to hack a Gmail account for someone. They obviously think I'm a criminal and that I'm cheap!
7
43
Just had someone claiming that they couldn't have fallen victim to a drive by browser attack as they only go to HTTPS based sites. They then clicked on a HTTP link that I told them had more info in. You don't have to be vulnerable to be attacked, just human.
4
42
Just heard on Star Trek Discovery: "The probe did multiple SQL injections" Looks like it's true, testers will have a job for life and many more to come.
9
41
Student I tweeted about a few weeks ago who got a really good dissertation mark despite problems just got offered his first infosec job within 2 hours of being interviewed. Dissertation and another project were main talking points. Always worth keeping going, stuff can pay off
44
Web developers, in a checkout system, never take pricing information from the client side. However much you obfuscate it it can be fiddled with
2
43
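The post above warns against trusting pricing sent from the client. As an added example (not the author's code), here are two checkout totals in Python: the anti-pattern that reads the price out of the posted cart, and a hardened version that accepts only a SKU and quantity from the client, looks the price up in a server-side catalogue, and rejects unknown SKUs and non-positive quantities (a negative quantity is the other classic way of fiddling a total). The catalogue, SKUs and prices are constructed for the example.

```python
from decimal import Decimal

# Constructed server-side catalogue: the only source of truth for prices.
CATALOGUE = {
    "SKU-100": Decimal("49.99"),
    "SKU-200": Decimal("9.50"),
}


class CheckoutError(ValueError):
    """Raised when the posted cart is not something the server will price."""


def total_trusting_client(cart) -> Decimal:
    """The anti-pattern: the client posts {sku, qty, price} and the posted
    price is used as sent. Obfuscating or hiding the field changes nothing;
    it is still client input."""
    total = Decimal("0")
    for item in cart:
        total += Decimal(str(item["price"])) * item["qty"]
    return total


def total_server_side(cart) -> Decimal:
    """Hardened: only sku and qty are read from the client. Any price field
    in the posted cart is ignored, unknown SKUs are rejected, and quantity
    must be a positive integer (bool is excluded since it is an int subclass)."""
    total = Decimal("0")
    for item in cart:
        sku = item.get("sku")
        qty = item.get("qty")
        if sku not in CATALOGUE:
            raise CheckoutError(f"unknown sku {sku!r}")
        if not isinstance(qty, int) or isinstance(qty, bool) or qty < 1:
            raise CheckoutError(f"bad quantity for {sku}: {qty!r}")
        total += CATALOGUE[sku] * qty
    return total


if __name__ == "__main__":
    # Constructed tampered cart: two items at a posted price of 1p each.
    tampered = [{"sku": "SKU-100", "qty": 2, "price": "0.01"}]
    print("trusting client:", total_trusting_client(tampered))  # 0.02
    print("server-side:    ", total_server_side(tampered))      # 99.98
```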
Just ran the new CodeQL SAST against DVWA and it looks like we don't have any vulnerabilities after all. Might have to rename it to just DWA now
Image
7
41
Been on Twitter 13 years. Posted around 74k tweets. Averaged out, that is:
5700 per year
475 per month
16 per day
I hope one or two of those have helped people out.
3
45
I've just seen someone recommending using a VPN to bypass the Virgin Media outage. If you connect through the VPN you don't use the Virgin stuff they say. Got to love tech advice from people who don't understand how it works.
12
46
If I did a multi-part blog post going from creating a simple API with Swagger, implementing it in a language, then testing it with Postman and Burp. Would people be interested in it? It won't be soon, but I'm getting ideas from the test I'm on so can make notes if useful.
10
47
You know when you are getting desperate on a test when trying to inject XSS and SQLi through transcribed voicemail messages
5
40
Getting penalised on a quote for asking for more information on the systems client wants testing. Says everyone else has quoted without the details so why do I want them? Spec: "Test the API between two boxes" My question: "Give details on API, no. endpoints etc" Reasonable?
37
42