Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

Showing posts with label Firewall. Show all posts

Sunday, January 28, 2018

Detect And Bypass Web Application Firewalls And Protection Systems - WhatWaf



Features
  • Run against a single URL with the -u/--url flag
  • Run through a list of URLs with the -l/--list flag
  • Detects over 40 different firewalls
  • Tries over 20 different tampering (payload-encoding) techniques
  • Accepts your own payloads, either from a file or from the terminal
  • Ships with default payloads chosen to trigger at least one WAF response
  • Attempts bypasses with both SQL injection and cross-site scripting payloads
  • Can run behind Tor
  • Can run behind several proxy types (socks4, socks5, http, https)
  • Can use a random user agent, your own user agent, or the built-in default user agent
  • More to come...

Installation
Installing WhatWaf is straightforward. You need Python 2.7 (Python 3.x compatibility is being implemented soon). The upstream instructions wrap everything in a root shell via a heredoc; note that this runs the clone and the script itself as root too, and only the pip install actually needs elevated privileges (or use pip2 install --user):
sudo -s << EOF
git clone https://github.com/ekultek/whatwaf.git
cd whatwaf
chmod +x whatwaf.py
pip2 install -r requirements.txt
./whatwaf.py --help
EOF

Proof of concept
First we run the website through WhatWaf and find out which firewall protects it (if any):

Next we open that website and look at the page:

That does not really look like Cloudflare. Let's check what the Server header and the cookies say, since those are what the detection is keyed on:

And finally, let's try one of the bypasses it tells us to try:

Demo video







Saturday, September 3, 2016

Web Application Firewall using DFA - Raptor WAF v0.2



Raptor WAF is a simple web application firewall written in C, following the KISS principle. Its event loop polls with select(), which is not as efficient as epoll() on Linux or kqueue() on *BSD but is portable. The core of the match engine uses a DFA to detect XSS, SQL injection and path traversal.

No more words, look at the following:

WAF stands for Web Application Firewall. It is widely used nowadays to detect and block SQL injection and XSS attacks...
  • You can block XSS, SQL injection and path traversal attacks with Raptor
  • You can use an IP blacklist to block some clients, kept at config/blacklist ip.txt
  • It can communicate over both IPv6 and IPv4
  • Planned: DoS protection, request limiting, a rule interpreter and malware detection on uploads
  • Planned: SSL/TLS...


to run:

$ git clone https://github.com/CoolerVoid/raptor_waf
$ cd raptor_waf; make; bin/raptor

Example

Up some HTTPd server at port 80
$ bin/Raptor -h localhost -p 80 -r 8883 -w 4 -o loglog.txt
you can test at http://localhost:8883/test.php

Look the docs

https://github.com/CoolerVoid/raptor_waf/blob/master/doc/raptor.pdf

Tests:

Out of 509 attacks in the test set, Raptor detected and blocked 349, i.e. 68% of the attacks.



Steps to create your WAF (web application firewall) in C

Following the OWASP definition, a WAF is a piece of software intended to protect a web application, operating at the application layer. Nowadays a WAF is not defined by the web application it fronts: it is not a customised solution specific to that application but, like a general software firewall, a component with parameters to protect against intrusion across a wide variety of frameworks and code bases. To be clear, there is overlap between the different types of firewall. Software and hardware network firewalls protect networks in their own right; WAFs, with their specialised function for web applications, can be deployed in either form. By default a WAF uses a blacklist, protecting against individual, previously catalogued attacks. It can also use a whitelist, defining the allowed users and the allowed interactions with the application. Another function is blocking SQL injection and XSS attacks. In another context, WAFs can generate random tokens and put them in forms to try to block web robots and automated attacks, a practice that can help mitigate CSRF pitfalls. Before you ask "how do I do it?", I have to bring you some principles, the theory around the facts...

There are two common WAF designs:

1. A plugin in the HTTP server that gets hold of the input or output data; before the request completes it inspects the request and blocks some content. This approach focuses on the HTTP methods POST, GET...

2. My favourite: an independent reverse proxy server. The proxy receives all the client's requests, analyses their content and, if nothing is blocked, forwards everything to the back-end server...

Number one is awkward, because that path is not fully portable. The other bad thing is that you need to write a different plugin for each HTTP server: one for Apache, another for NGINX, IIS, lighttpd... not cool! If you are not a good low-level programmer you can try Python's Twisted; it is easy to build a reverse proxy with it, but it is not a good way to go because the performance is poor in production. If that annoys you, study Stevens' book on sockets. OK, the title of this post is "create a WAF in C": the task is fully done here, commented, with some documentation in LaTeX. Relax, you can get it in the repository linked above:



Sunday, August 28, 2016

Firewall and IDS Evasion / Bypassing the Firewalls and IDS/IPS - NMAP Scanning Tutorial





This post is for penetration testers who run into trouble scanning corporate networks where firewalls are deployed and cannot get past the firewall or an IDS/IPS.
A firewall is software or hardware that separates a private network from a public one and filters what crosses the boundary. For penetration testers it is an added layer of security that gets in the way of scanning.
The good news is that Nmap has options that help evade firewalls and IDS/IPS.
If a penetration tester can get past the firewall, half the game is won. In this tutorial you will learn how to test and evade a firewall using these Nmap options. None of them makes a scan invisible; they make it harder for stateless filters and signature-based sensors to recognise the scan for what it is.


NMAP options to Bypass the Firewall :



-f (fragment packets):

Makes the probes harder to identify. Specified once, Nmap splits each probe into IP fragments carrying eight bytes of data after the IP header (specify -f twice for sixteen bytes). A filter or sensor that does not reassemble fragments never sees the complete TCP header and so cannot match on it. Some hosts and sensors do reassemble, and some networks drop fragments outright, so check that the scan still completes.

--mtu:

Lets you choose your own fragment size instead of the eight bytes of -f. The value must be a multiple of eight or Nmap exits with an error, because the IP fragment offset field counts eight-byte units. It cannot be combined with -f.

-D (decoy):

Nmap sends the probes from several spoofed source addresses in addition to your own, so the target's logs show the scan coming from every decoy. The idea is to hide your real address among them; your real IP address still appears in the logs, just alongside the decoys. Use RND for a random decoy address, RND:<number> to generate <number> random decoys, and ME in the list to control where your own address appears. The hosts you use as decoys should be up, or you may accidentally SYN-flood the target. Many decoys also cause network congestion, so be careful when scanning a client's production network.

--source-port <portnumber> or -g (spoof source port):

Sets the source port of the probes. Useful when the firewall allows all incoming traffic from a specific source port, for example 53 (DNS) or 20 (FTP data), a common misconfiguration on stateless filters. It has no effect on scans that use the operating system's TCP stack, such as the connect scan (-sT), or on version detection.

--data-length:

Appends the given number of random bytes to each probe. Nmap's probes normally carry no payload, which is itself a fingerprint; adding data changes the packet size so that simple signatures keyed on it do not match.

--max-parallelism:

Caps the number of probes in flight at once. Setting it to 1 instructs Nmap to send no more than one probe at a time to the target host, which keeps the scan below rate-based thresholds at the cost of speed.

--scan-delay <time>:

Waits at least the given time between probes to the same host. Use it against an IDS/IPS that detects port scans by counting probes within a time window. A scan delay is always worth considering when you need to evade a security device; the cost is scan time, so pair it with a small port list.
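To make concrete what -f and --mtu do on the wire, here is an added example written for this page (not Nmap's code): it builds a TCP SYN, splits it into IP fragments the way Nmap does, checks what the first fragment alone reveals, and reassembles the fragments the way an IDS must before it can match on the TCP header. The addresses and the IP identification value 0xBEEF are constructed; it uses only the Python standard library and sends nothing.

```python
import socket
import struct
from typing import List, Tuple

# Constructed addresses for the example.
SRC, DST = "192.0.2.10", "192.0.2.20"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ident: int, more_fragments: bool, frag_offset: int) -> bytes:
    """20-byte IPv4 header. frag_offset is in 8-byte units, exactly as carried on the wire."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0) -> bytes:
    """Bare 20-byte TCP SYN with a valid checksum (pseudo-header included)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 1024, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(hdr))
    return hdr[:16] + struct.pack("!H", inet_checksum(pseudo + hdr)) + hdr[18:]


def fragment(src: str, dst: str, proto: int, payload: bytes,
             frag_size: int = 8, ident: int = 0xBEEF) -> List[bytes]:
    """Split one transport-layer payload into IP fragments of frag_size data bytes.
    -f corresponds to frag_size=8 (twice: 16) and --mtu N to frag_size=N; like Nmap we
    refuse sizes that are not multiples of 8 because the offset field counts 8-byte units."""
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment data size must be a positive multiple of 8")
    pkts = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        last = off + frag_size >= len(payload)
        pkts.append(ipv4_header(src, dst, proto, len(chunk), ident, not last, off // 8) + chunk)
    return pkts


def parse_ipv4(pkt: bytes) -> Tuple[int, bool, int, bytes]:
    """Return (ident, more_fragments, offset_in_bytes, data) after verifying the header checksum."""
    ver_ihl, _, total_len, ident, flags_frag, _, _, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return ident, bool(flags_frag & 0x2000), (flags_frag & 0x1FFF) * 8, pkt[ihl:total_len]


def reassemble(pkts: List[bytes]) -> bytes:
    """What an IDS or the target's IP stack must do before it can look at the TCP flags at all."""
    frags = sorted((parse_ipv4(p) for p in pkts), key=lambda f: f[2])
    ident, buf, expect = frags[0][0], bytearray(), 0
    for frag_ident, _, off, data in frags:
        if frag_ident != ident or off != expect:
            raise ValueError("fragment gap or mixed datagrams")
        buf += data
        expect = off + len(data)
    if frags[-1][1]:
        raise ValueError("final fragment (MF=0) missing")
    return bytes(buf)


def tcp_flags_visible_in_first_fragment(pkts: List[bytes]) -> bool:
    """The TCP flags byte sits at offset 13 of the TCP header. With 8-byte fragments the first
    fragment carries only the ports and the sequence number, so a filter that does not
    reassemble cannot even tell this is a SYN."""
    return len(parse_ipv4(pkts[0])[3]) > 13


if __name__ == "__main__":
    syn = tcp_syn(SRC, DST, 40000, 80)
    for size in (8, 16):
        frags = fragment(SRC, DST, 6, syn, size)
        print(size, [parse_ipv4(p)[1:3] for p in frags],
              tcp_flags_visible_in_first_fragment(frags), reassemble(frags) == syn)
```

With 8-byte fragments the SYN flag only arrives in the second fragment, which is the whole point of -f against a stateless filter; with --mtu 16 it is back in the first fragment, so the larger value buys you nothing against a flag-based rule.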

Sources: Nmap.org, OffSec
http://nmap.org/book/man-bypass-firewalls-ids.html

Sunday, June 26, 2016

Identifies and Fingerprints Web Application Firewall (WAF) Products - WAFW00F




WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.


How does it work?

To do its magic, WAFW00F does the following:
  • Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions
  • If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is
  • If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks
For further details, check out the source code on the main site, github.com/sandrogauci/wafw00f .
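The three stages above, and the WhatWaf walk-through earlier on this page (the site did not look like Cloudflare, so the Server header and cookies were checked), come down to matching response headers, cookies and block pages against vendor markers, then falling back to comparing a clean request's response with a malicious probe's. The following Python is an added example written for this page, not the source of WAFW00F or WhatWaf. Its signature table is illustrative and covers only a handful of well-known vendor markers, and the responses it runs over are constructed inline, not captured from any real site.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Response:
    """Minimal view of an HTTP response: status, (name, value) header pairs, body text."""
    status: int
    headers: List[Tuple[str, str]] = field(default_factory=list)
    body: str = ""

    def header(self, name: str) -> str:
        return ", ".join(v for k, v in self.headers if k.lower() == name.lower())

    def cookie_names(self) -> List[str]:
        return [v.split("=", 1)[0].strip() for k, v in self.headers if k.lower() == "set-cookie"]

    def has_cookie(self, prefix: str) -> bool:
        return any(c.lower().startswith(prefix.lower()) for c in self.cookie_names())


# Illustrative vendor markers assembled for this example (not either tool's signature database).
SIGNATURES: List[Tuple[str, Callable[[Response], bool]]] = [
    ("Cloudflare", lambda r: bool(r.header("cf-ray")) or "cloudflare" in r.header("server").lower()
                             or r.has_cookie("__cfduid") or r.has_cookie("__cf_bm")),
    ("Incapsula (Imperva)", lambda r: r.has_cookie("incap_ses_") or r.has_cookie("visid_incap_")
                                      or bool(r.header("x-iinfo")) or "incapsula" in r.header("x-cdn").lower()),
    ("Akamai", lambda r: "akamaighost" in r.header("server").lower()),
    ("Sucuri CloudProxy", lambda r: "sucuri" in r.header("server").lower() or bool(r.header("x-sucuri-id"))),
    ("F5 BIG-IP ASM", lambda r: "The requested URL was rejected" in r.body
                                or any(re.fullmatch(r"TS[0-9a-f]{6,8}", c) for c in r.cookie_names())),
    ("Citrix NetScaler", lambda r: r.has_cookie("ns_af") or r.has_cookie("citrix_ns_id") or r.has_cookie("NSC_")),
    ("ModSecurity", lambda r: "mod_security" in r.header("server").lower()),
]

# Statuses a WAF typically answers with when it blocks a request.
BLOCK_STATUSES = {403, 406, 419, 429, 501, 503}


def identify(resp: Response) -> Optional[str]:
    """Stages 1 and 2: match one response (to a clean or a malicious request) against vendor markers."""
    for name, check in SIGNATURES:
        if check(resp):
            return name
    return None


def generic_waf_suspected(normal: Response, probe: Response) -> bool:
    """Stage 3: nothing matched, so compare the clean response with the probe's. A block status
    that the clean request did not get, or a Server header that changed between the two,
    suggests something in front of the application reacted to the payload."""
    if normal.status == probe.status and normal.header("server") == probe.header("server"):
        return False
    if probe.status in BLOCK_STATUSES and normal.status not in BLOCK_STATUSES:
        return True
    return bool(normal.header("server")) and probe.header("server") != normal.header("server")


def fingerprint(normal: Response, probes: List[Response]) -> str:
    """Run the three stages over responses that were already captured (nothing is sent here)."""
    for resp in [normal] + probes:
        name = identify(resp)
        if name:
            return name
    if any(generic_waf_suspected(normal, p) for p in probes):
        return "generic WAF or filtering detected (vendor unknown)"
    return "no WAF detected"


# Constructed responses for the example; not captured from any real host.
CF_BLOCK = Response(403, [("Server", "cloudflare"), ("CF-RAY", "0123456789abcdef-LHR"),
                          ("Set-Cookie", "__cf_bm=abc; Path=/; HttpOnly")],
                    "<title>Attention Required! | Cloudflare</title>")
INCAP_OK = Response(200, [("Set-Cookie", "visid_incap_123=xyz; Path=/"), ("X-CDN", "Incapsula")],
                    "<html>ok</html>")
ORIGIN_OK = Response(200, [("Server", "nginx/1.18.0")], "<html>welcome</html>")
ORIGIN_403 = Response(403, [("Server", "nginx/1.18.0")], "<h1>403 Forbidden</h1>")

if __name__ == "__main__":
    print(fingerprint(ORIGIN_OK, [CF_BLOCK]))    # block page carrying Cloudflare markers
    print(fingerprint(ORIGIN_OK, [ORIGIN_403]))  # no markers, but the probe was blocked
    print(fingerprint(ORIGIN_OK, [ORIGIN_OK]))   # nothing reacted
```

Two things to keep in mind when using logic like this for real: a 403 on the probe can just as well come from the application's own input validation, which is why the vendor-marker stages run first; and a site can be fronted by a CDN that adds its own headers while a different WAF does the blocking, so treat the first match as a hypothesis to confirm against the block page, not as a verdict.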

What does it detect?

It detects a number of WAFs. To view which WAFs it is able to detect run WAFW00F with the -l option. At the time of writing the output is as follows:

$ ./wafw00f -l

^ ^
_ __ _ ____ _ __ _ _ ____
///7/ /.' \ / __////7/ /,' \ ,' \ / __/
| V V // o // _/ | V V // 0 // 0 // _/
|_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/
<
...'

WAFW00F - Web Application Firewall Detection Tool

By Sandro Gauci && Wendel G. Henrique

Can test for these WAFs:

Anquanbao
Juniper WebApp Secure
IBM Web Application Security
Cisco ACE XML Gateway
F5 BIG-IP APM
360WangZhanBao
ModSecurity (OWASP CRS)
PowerCDN
Safedog
F5 FirePass
DenyALL WAF
Trustwave ModSecurity
CloudFlare
Imperva SecureSphere
Incapsula WAF
Citrix NetScaler
F5 BIG-IP LTM
Art of Defence HyperGuard
Aqtronix WebKnight
Teros WAF
eEye Digital Security SecureIIS
BinarySec
IBM DataPower
Microsoft ISA Server
NetContinuum
NSFocus
ChinaCache-CDN
West263CDN
InfoGuard Airlock
Barracuda Application Firewall
F5 BIG-IP ASM
Profense
Mission Control Application Shield
Microsoft URLScan
Applicure dotDefender
USP Secure Entry Server
F5 Trafficshield

How do I use it?

For help please make use of the --help option. The basic usage is to pass it a URL as an argument. 

Example:


$./wafw00f https://www.ibm.com/

^ ^
_ __ _ ____ _ __ _ _ ____
///7/ /.' \ / __////7/ /,' \ ,' \ / __/
| V V // o // _/ | V V // 0 // 0 // _/
|_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/
<
...'

WAFW00F - Web Application Firewall Detection Tool

By Sandro Gauci && Wendel G. Henrique

Checking https://www.ibm.com/
The site https://www.ibm.com/ is behind a Citrix NetScaler
Number of requests: 6

How do I install it?

The following should do the trick:
python setup.py install
or
pip install wafw00f



Wednesday, February 3, 2016

Web Application firewall to Train Attacks - Raptor WAF



Raptor is an open source tool whose focus is the study of attacks and finding intelligent ways to block them.

Raptor is written in pure C and does not use regex or the other common ways of blocking attacks; yes, it is different, and fast like a raptor dinosaur. Raptor follows the KISS principle (Keep It Simple), and you can use it to simulate attacks and WAF bypasses.

WAF stands for Web Application Firewall. It is widely used nowadays to detect and block SQL injection and XSS attacks...
  • You can block XSS, SQL injection and path traversal attacks with Raptor
  • You can use an IP blacklist to block some clients, kept at config/blacklist ip.txt
  • It can communicate over both IPv6 and IPv4
  • Planned: DoS protection, request limiting, a rule interpreter and malware detection on uploads
  • Planned: SSL/TLS...


to run:

$ git clone https://github.com/CoolerVoid/raptor_waf
$ cd raptor_waf; make; bin/raptor

Example

Up some HTTPd server at port 80
$ bin/Raptor -h localhost -p 80 -r 8883 -w 4 -o loglog.txt
you can test at http://localhost:8883/test.php

Look the docs

https://github.com/CoolerVoid/raptor_waf/blob/master/doc/raptor.pdf

Tests:

Out of 509 attacks in the test set, Raptor detected and blocked 349, i.e. 68% of the attacks.
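Both Raptor posts above say the match engine is a DFA rather than a pile of regexes, and the "create your WAF in C" section describes the proxy that feeds it. The following Python is an added example written for this page, not Raptor's C code: it compiles a small, constructed signature set for XSS, SQLi and path traversal into an Aho-Corasick automaton (a deterministic automaton over the input bytes), percent-decodes the request line once and scans it in a single linear pass. The signatures and the sample request lines are made up for the example.

```python
from collections import deque
from typing import Dict, List
from urllib.parse import unquote_plus

XSS, SQLI, TRAVERSAL = 1, 2, 4
CLASS_NAMES = {XSS: "xss", SQLI: "sqli", TRAVERSAL: "path-traversal"}

# Constructed signature set for this example; Raptor's own rules are not reproduced here.
SIGNATURES: Dict[bytes, int] = {
    b"<script": XSS, b"javascript:": XSS, b"onerror=": XSS,
    b"union select": SQLI, b"' or ": SQLI, b"sleep(": SQLI,
    b"../": TRAVERSAL, b"..\\": TRAVERSAL, b"/etc/passwd": TRAVERSAL,
}


class Automaton:
    """Aho-Corasick multi-pattern matcher: a trie plus failure links, which together behave as a
    deterministic automaton over input bytes. Each input byte advances the state, so the scan is
    linear in the request size no matter how many patterns are loaded."""

    def __init__(self, patterns: Dict[bytes, int]) -> None:
        self.goto: List[Dict[int, int]] = [{}]   # state -> {byte: next state}
        self.fail: List[int] = [0]              # longest proper suffix that is also a trie path
        self.out: List[int] = [0]               # bitmask of classes matched on reaching the state
        for pat, cls in patterns.items():
            state = 0
            for b in pat.lower():
                nxt = self.goto[state].get(b)
                if nxt is None:
                    nxt = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(0)
                    self.goto[state][b] = nxt
                state = nxt
            self.out[state] |= cls
        # Breadth-first pass: depth-1 states fail to the root; deeper states follow their parent's
        # failure chain and inherit the outputs of the state they fall back to.
        queue = deque(self.goto[0].values())
        while queue:
            u = queue.popleft()
            for b, v in self.goto[u].items():
                f = self.fail[u]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[v] = self.goto[f].get(b, 0)
                self.out[v] |= self.out[self.fail[v]]
                queue.append(v)

    def scan(self, data: bytes) -> int:
        state, hits = 0, 0
        for b in data.lower():                   # case-insensitive: patterns are stored lower-case
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits |= self.out[state]
        return hits


ENGINE = Automaton(SIGNATURES)


def classify(request_line: str) -> int:
    """Percent-decode the request line once (so %3Cscript%3E cannot slip past) and scan it.
    Returns a bitmask of XSS / SQLI / TRAVERSAL; 0 means the request passes."""
    decoded = unquote_plus(request_line)
    return ENGINE.scan(decoded.encode("utf-8", "surrogateescape"))


def describe(mask: int) -> List[str]:
    return [name for cls, name in CLASS_NAMES.items() if mask & cls]


# Constructed request lines for the example.
SAMPLES = [
    "GET /page?id=1 HTTP/1.1",
    "GET /page?id=1%27%20OR%201=1 HTTP/1.1",
    "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
    "GET /dl?f=..%2F..%2Fetc%2Fpasswd HTTP/1.1",
    "GET /?q=%253Cscript%253E HTTP/1.1",   # double-encoded: decoded once it is still %3Cscript%3E
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(describe(classify(line)) or ["pass"], line)
```

Decoding exactly once is a deliberate choice and also the example's weak spot: the last sample request is double-encoded and passes, which is the classic bypass against any filter that decodes fewer times than the back-end does. A proxy in front of a real application has to normalise input the same way that application will (decode depth, charset, path canonicalisation) before the matcher sees it, or the 68% figure above is the optimistic case.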




Monday, January 18, 2016

IDS evasion - Inundator




IDS/IPS/WAF Evasion & Flooding Tool

inundator is a multi-threaded, queue-driven IDS evasion tool. Its purpose is to anonymously flood intrusion detection systems (specifically Snort) with traffic designed to trigger false positives, sent through a SOCKS proxy, in order to obscure a real attack.

You would use inundator whenever you feel there is a significant chance that the attack you are about to perform will be detected by the target's intrusion detection system. Launch it before starting the attack and keep it running well after you have finished. The hope is that if the attack is detected, its alert will be buried among several thousand false positives, minimising the chance of an IDS analyst spotting the real attack.

inundator is full-featured, multi-threaded and queue-based, supports multiple targets, and requires a SOCKS proxy for anonymisation. Via Tor it can generate around 1000 false positives per minute; via a high-bandwidth SOCKS proxy you might be able to generate ten times that.






IDS evasion: Inundator Features

  • Parses Snort rules files to generate false-positive attacks
  • Support for multiple targets (FQDN, IP address range, subnet in CIDR format)
  • Multi-threaded
  • Queue-based
  • SOCKS support

Dependencies:

  • Nmap
  • Perl (>= 5.10)
  • Net::SOCKS (>= 0.03)
  • Net::CIDR (>= 0.11)
  • Snort's rules files
  • Oinkmaster (for keeping Snort rules up to date)
  • Tor (if you don't have a remote SOCKS proxy to use)


When would I use Inundator?

Whenever you feel like it. Seriously. It's anonymous, so why not watch the world burn?

Example scenarios:

  • Before, during and after a real attack, to bury any alerts among a flood of false positives.
  • Seriously mess with an IDS analyst and keep an InfoSec department busy for days investigating false positives.
  • Test the effectiveness of an intrusion detection or prevention system: fewer alerts on inundator's harmless traffic means a better product; more alerts means a worse one.


How does Inundator work?

At a high level, Inundator builds an attack queue, organised by destination port, by parsing the content: and uricontent: fields from Snort's pattern-matching rules. It then builds a target queue by performing a port scan to identify open TCP ports on each target the user provided. Once the queues have been built, Inundator launches the requested number of worker threads. Each worker selects a random target from the target queue and a random open port on that target. A random attack for the selected port is then taken from the attack queue, and that information is used to build a completely innocent packet or request that happens to contain the patterns the intrusion detection rules match on. The crafted request is sent to the target via a SOCKS proxy (Tor's local proxy by default). Each worker thread repeats this in an infinite loop until the user aborts.

Quite obviously, the ruleset used by the target's intrusion detection system plays a very large part in whether the crafted requests trigger false positives. Inundator will generate an overwhelming number of false positives on systems whose rules are bare pattern matches on a short content string, and little to none on systems that use well-written rules (patterns anchored to protocol state, flow direction and multiple contents), heuristic detection, or anomaly-based detection.
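The queue-building step described above, as an added Python example written for this page (Inundator itself is written in Perl and its code is not reproduced here). It extracts the content: and uricontent: patterns from Snort rules, decodes the |hex| runs, skips negated patterns (which must be absent for the rule to fire), builds a harmless request that carries the positive patterns, and groups the probes by destination port. The two rules and the host name are constructed for the example, and the mapping of $HTTP_PORTS to 80 is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER_RE = re.compile(r"^(alert|log|pass|drop)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
CONTENT_RE = re.compile(r'\b(uricontent|content)\s*:\s*(!?)\s*"((?:[^"\\]|\\.)*)"')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
PORT_VARS = {"$HTTP_PORTS": 80}   # assumption: resolve the one variable the sample rules use


@dataclass
class Signature:
    sid: str
    proto: str
    dst_port: Optional[int]
    msg: str
    uricontent: List[bytes] = field(default_factory=list)
    content: List[bytes] = field(default_factory=list)


def decode_content(raw: str) -> bytes:
    """Snort content syntax: literal text with \\" \\\\ \\; escapes, and |0d 0a| hex runs between pipes."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        if i % 2:                      # odd pieces sit between pipes: hex bytes
            out += bytes.fromhex(part)
        else:
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)


def parse_rules(text: str) -> List[Signature]:
    """Keep every rule that has at least one positive content pattern to imitate."""
    sigs: List[Signature] = []
    for line in text.splitlines():
        line = line.strip()
        match = HEADER_RE.match(line) if line and not line.startswith("#") else None
        if not match:
            continue
        _action, proto, _src, _sport, _dst, dport, opts = match.groups()
        port = PORT_VARS.get(dport, int(dport) if dport.isdigit() else None)
        sid, msg = SID_RE.search(opts), MSG_RE.search(opts)
        sig = Signature(sid.group(1) if sid else "?", proto, port, msg.group(1) if msg else "")
        for kind, negated, raw in CONTENT_RE.findall(opts):
            if negated:                # content:!"..." must be absent, so it is never imitated
                continue
            (sig.uricontent if kind == "uricontent" else sig.content).append(decode_content(raw))
        if sig.content or sig.uricontent:
            sigs.append(sig)
    return sigs


def build_probe(sig: Signature, host: str = "target.example") -> bytes:
    """An innocuous payload carrying every positive pattern of the rule. HTTP rules become a POST
    whose path holds the uricontent patterns and whose body holds the content patterns (a body can
    carry raw bytes such as CR LF safely); other rules get the bare concatenation of their contents."""
    if sig.uricontent or sig.dst_port == 80:
        path = b"".join(sig.uricontent) or b"/"
        if not path.startswith(b"/"):
            path = b"/" + path
        body = b"".join(sig.content)
        return (b"POST " + path + b" HTTP/1.1\r\nHost: " + host.encode("ascii")
                + b"\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: "
                + str(len(body)).encode("ascii") + b"\r\n\r\n" + body)
    return b"".join(sig.content)


def attack_queue(sigs: List[Signature]) -> Dict[Optional[int], List[bytes]]:
    """Probes grouped by destination port, so a worker can pick one that fits an open port."""
    queue: Dict[Optional[int], List[bytes]] = {}
    for sig in sigs:
        queue.setdefault(sig.dst_port, []).append(build_probe(sig))
    return queue


# Constructed rules in Snort syntax for this example; they are not taken from any real ruleset.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI example script access"; flow:to_server,established; uricontent:"/cgi-bin/example.cgi"; nocase; content:"cmd=|3b|id"; classtype:web-application-attack; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example SITE EXEC"; flow:to_server,established; content:"SITE EXEC|20|"; nocase; content:!"quit"; sid:9000002; rev:1;)
"""

if __name__ == "__main__":
    for port, probes in attack_queue(parse_rules(SAMPLE_RULES)).items():
        for probe in probes:
            print(port, probe)
```

The parser deliberately ignores modifiers such as depth, offset, distance, within and pcre, which is exactly why the technique works only against rules that do not use them: a rule that anchors its content to an offset or requires an established flow in a particular direction will not fire on a pattern dropped into an arbitrary request body. On the defensive side, the same parser is a cheap way to audit a ruleset for signatures that are nothing more than one short content string.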


Downloading and Installing Inundator

The preferred method of installation on .deb-based distributions is via the project's software repository, which is the simplest way to pull in Inundator and all its dependencies.

Add the repository to /etc/apt/sources.list:

deb http://inundator.sourceforge.net/repo/ all/

Next, download and install the project's GPG key. Both the key and the repository are served over plain HTTP, so verify the key's fingerprint out of band before trusting it: anyone on the path can replace a key fetched this way, and apt will then accept whatever packages they sign.

wget http://inundator.sourceforge.net/inundator.asc
apt-key add inundator.asc

Then let apt pull in Inundator and all its dependencies:

aptitude update
aptitude install inundator






Sunday, August 30, 2015

Installing and Configuring the pfSense 2.2.4 Firewall


pfSense is one of the most highly regarded firewalls on the market. Besides being free, it is a powerful tool that can be used to set up DHCP and NTP servers, a VPN concentrator, a proxy, packet filtering and several other services related to securing corporate environments.
It is based on the FreeBSD operating system, so its kernel is lightweight and contains only what the firewall needs to run.

Setting Up the Virtual Environment


In this tutorial I will install the operating system in VirtualBox. Remember that for the firewall to work properly the physical or virtual machine needs at least two network interfaces: one will be configured with DHCP and connected to the Internet modem, and the other will get a static address and serve as the internal network's port.

Let's start by creating the environment. In VirtualBox go to New > give the machine a name (here, PfSense) > select BSD as the operating system type and FreeBSD (64-bit) as the version.

Now just carry on creating the virtual disk and setting the RAM. BSD is a very light system, so 128 MB of RAM is enough for the installation; for a real deployment, use 512 MB to 1 GB depending on how many hosts are on your network.

I created two virtual NICs in bridged mode in VirtualBox to show exactly how it is done.

Go to the virtual machine's Settings > Network > enable adapters 1 and 2, set both to Bridged mode, select the physical interface and click OK, leaving the two configured identically. Now boot the system.


Downloading pfSense 2.2.4


pfSense runs on top of FreeBSD, which means it is very, very light. Download it directly from the official site's download page.

Link: https://www.pfsense.org/download/mirror.php?section=downloads

On that page select your system's architecture and then the "Live CD With Installer" option. Then click one of the mirrors and download the compressed file.

The downloaded file, "pfSense-LiveCD-2.2.4-RELEASE-amd64.iso.gz", is gzip-compressed, so tar will not extract it; use gzip directly:

# gzip -d  pfSense-LiveCD-2.2.4-RELEASE-amd64.iso.gz

This leaves the uncompressed ISO so we can proceed normally.


Installing the Firewall


Start the VirtualBox VM with the pfSense ISO selected as the boot medium. On the boot screen you will see pfSense's option to run in LiveCD mode, i.e. without installing. Press 1 to start the default multi-user boot.

After you select option 1 it decompresses the kernel and asks how you want the system to start. Wait for the boot to finish and the installer prompt to appear, then type 99 to start the installation.

Select Accept These Settings and press Enter to continue, then Quick/Easy Install and Enter twice to begin installing the software.

After the installation it is time to choose the kernel. Don't worry: the standard FreeBSD kernel is already as generic and functional as it needs to be for the firewall. Select the Standard option and continue.

When the installation finishes, select reboot. It is a good idea to go into the VM's storage settings and detach the pfSense ISO after rebooting so it does not try to reinstall.

At boot just press F1, then Enter, and it returns to the standard pfSense screen. Once again select option 1 and wait for the system to boot.

Now it asks whether you want to set up VLANs and then to assign the network interfaces, i.e. map the NICs we installed in the machine. Note that it recognised both and most likely identified them as em0 and em1.

Select option 2 to assign addresses to the interfaces. We will do it like this:

em0 -> gets a DHCP configuration for the Internet connection
em1 -> gets a static IP on the internal network

Select 2) Set interface(s) IP address > select option 1 to edit em0, then answer Yes (y) to use DHCP for IPv4, again for IPv6, and once more for the web configurator.

Select 2) Set interface(s) IP address > select option 2 to edit em1, give it a fixed IP and then the subnet prefix length. I used 24 to set the usual /24.

Now, in a browser, enter the fixed IP you assigned to that interface:

http://IP-DO-SERVIDOR

The default credentials are

Username: admin
Password: pfsense

Now go through the wizard, change the hostname, DNS and network settings to suit your needs, change the admin password at the end of the configuration (every pfSense install ships with the same one, so leaving it is the first thing an attacker on the LAN will try) and reload the firewall.

As you can see, installing pfSense does not take much skill.

After the configuration, just open the URL again to reach the firewall's control panel.
There you can configure VPN, proxy, firewall rules, DNS, NTP, port forwarding and so on. More posts covering pfSense modules are coming soon.




Source: Internet

Offensive Sec