# Exploit Title: Cisco IP Phone 11.7 - Denial of Service (PoC)
# Date: 2020-04-15
# Exploit Author: Jacob Baines
# Vendor Homepage: https://www.cisco.com
# Software Link: https://www.cisco.com/c/en/us/products/collaboration-endpoints/ip-phones/index.html
# Version: Before 11.7(1)
# Tested on: Cisco Wireless IP Phone 8821
# CVE: CVE-2020-3161
# Cisco Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs
# Researcher Advisory: https://www.tenable.com/security/research/tra-2020-24
Here's a decent checklist I run through when black-box testing an API
http://site.com/?q=x
*/?q=y <= idor
*/?q=<img> => test xss
*/?q=http://IP:PORT => test ssrf
*/?q=file:///etc/passwd => file include
/?q=/./../index.php => Path traversal
/?q=x' or x=" or x=\ => sqli
/?q[]=x <= change datatype
#### Install JAVA
JAVA 11
apt-get install default-jre
nano /etc/environment
add -> JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64/"
source /etc/environment
echo $JAVA_HOME
#### Install ElasticSearch and Test
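# Fetch the Elastic package-signing key into a dedicated keyring.
# `apt-key add` is deprecated and marks the key as trusted for *every*
# configured repository; a keyring file limits it to the repository whose
# source entry references it with `[signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg]`.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch \
  | gpg --dearmor \
  | sudo tee /usr/share/keyrings/elasticsearch-keyring.gpg >/dev/null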
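# Check if Fail2Ban is Running
#######################################
# Report whether a fail2ban process exists.
# Globals:   FAIL2BAN (written: comma-separated matching PIDs, empty if none)
# Outputs:   one status line on stdout
# Returns:   0 if a matching process exists, 1 otherwise
#######################################
check_fail2ban() {
  # pgrep replaces `ps ax | grep fail2ban | grep -v grep | awk`; -d, joins
  # several PIDs into one argument, so printf prints a single line instead of
  # re-applying the format once per unquoted PID as the original did.
  FAIL2BAN=$(pgrep -d, -f fail2ban)
  if [[ -n "$FAIL2BAN" ]]; then
    printf "\n[INFO] Fail2Ban is running and the PID is %s\n\n" "$FAIL2BAN"
    return 0
  fi
  printf "\n [INFO] Fail2Ban is not running\n\n"
  return 1
}
# The status is informational at top level; do not let it abort a -e shell.
check_fail2ban || true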
# alias to list hidden files of a folder
# Keeps only entries whose name starts with a dot; `grep -E` is the
# non-deprecated spelling of `egrep`.
alias lh='ls -a | grep -E "^\."'
# grep: find in files
# Case-insensitive (-i) extended-regex (-E) search for either word, printing
# the line number (-n) of every hit in the .dat files of the current directory.
grep -Ein 'this|that' *.dat
# Salty detailed directory listing...
# -s block size per entry, -a include dotfiles, -l long format, -t and -S are
# both sort flags. NOTE(review): GNU ls appears to honour whichever sort flag
# comes last, so reordering the letters may change the sort — confirm before
# editing. [dirname] is a placeholder for the directory to list.
ls -saltS [dirname]
# play all songs under current directory smoothly as background job
# `ls` output is fed to mpg321 as a playlist on stdin (presumably what `-@-`
# means — confirm in the mpg321 man page). Because this parses `ls`, a file
# name containing a newline would be split. `nice -n0` leaves the scheduling
# priority unchanged.
nice -n0 ls | mpg321 -@- &
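# Top ten (or whatever) memory utilizing processes (with children aggregate) - Can be done without the multi-dimensional array
#######################################
# Print the commands with the largest summed RSS, one per line as
# "<rss>\t<command>", sorted ascending so the biggest entry is last.
# Arguments: $1 - number of entries to show (default 10)
# Outputs:   aggregated RSS table on stdout
#######################################
top_mem_procs() {
  local count=${1:-10}
  # NR > 1 skips the ps header line, which the original summed as a bogus
  # "COMMAND" entry with RSS 0. $2 is the first word of `comm`, so a command
  # name containing a space is truncated — same as the original.
  ps axo rss,comm,pid \
    | awk 'NR > 1 { rss[$2] += $1 }
           END { for (c in rss) printf("%d\t%s\n", rss[c], c) }' \
    | sort -n \
    | tail -n "$count"
}
top_mem_procs 10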
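# Download last file from index of
# `URL` is the author's placeholder for the directory index to scrape.
# The original stored the file name in NAME but then expanded the never-set
# $UTILVSERVER, so the second wget fetched the bare index URL instead of the
# file. The sed strips the closing tag and everything up to the last '>',
# leaving the link text of the final util-vserver entry.
NAME=$(wget --quiet URL -O - | grep util-vserver | tail -n 1 | sed 's|</a>.*||;s/.*>//')
# Only fetch when a name was actually extracted; otherwise we would re-download the index.
[[ -n "$NAME" ]] && wget -- "URL${NAME}"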
# Delete newline
# Copies file1 to file2 with every newline character removed.
tr -d '\n' <file1 >file2
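# which procs have $PATH_REGEX open?
# `{} +` hands many smaps files to one grep instead of forking grep once per
# process; `grep -l` still prints the matching file names. `--` stops a
# pattern that starts with '-' from being parsed as an option, and `:?`
# aborts with a message when PATH_REGEX is unset rather than grepping for ""
# (which would match every process). The second path component is the PID.
find /proc -regex '/proc/[0-9]+/smaps' -exec grep -l -- "${PATH_REGEX:?set PATH_REGEX to the path pattern to look for}" {} + \
  | cut -d'/' -f2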
# Adding formatting to an xml document for easier reading
# <filename> and <output file> are placeholders to substitute, not shell
# redirections — as written the line is a syntax error until they are replaced.
xmllint --format <filename> > <output file>
# Run the last command as root
# `!!` is history expansion for the previous command line; it only works in
# an interactive shell with history enabled, and it re-runs the command with
# whatever arguments it had, so check `fc -l -1` first if unsure.
sudo !!
# Serve current directory tree at http://$HOSTNAME:8000/
# SimpleHTTPServer is the Python 2 module; on Python 3 the equivalent is
# `python3 -m http.server`. Either listens on all interfaces, so every file
# under the current directory is readable by anyone who can reach port 8000 —
# the Python 3 module accepts `--bind 127.0.0.1` to limit that.
python -m SimpleHTTPServer
# Save a file you edited in vim without the needed permissions
# This is a vim ex command, not a shell line: `:w !cmd` pipes the buffer to
# cmd's stdin and `%` expands to the current file name, so `sudo tee` writes
# it with root privileges. Answer "Load file" / reload afterwards so vim's
# buffer state matches the file on disk.
:w !sudo tee %
# change to the previous working directory
# Equivalent to `cd "$OLDPWD"`, except that `cd -` also prints the directory
# it switched to.
cd -
# Runs previous command but replacing
# Quick-substitution history expansion: re-runs the previous command line
# with the first occurrence of "foo" replaced by "bar" (same as
# `!!:s/foo/bar/`). Interactive shells with history enabled only.
^foo^bar
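# Download the Filebeat package together with the .sha512 file Elastic
# publishes next to every artifact, and install only if the digest matches —
# a bare `curl` followed by `dpkg -i` installs whatever the download returned.
# `-f` makes curl fail on an HTTP error instead of saving the error page.
FILEBEAT_DEB=filebeat-7.6.2-amd64.deb
curl -fL -O "https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_DEB}" \
  && curl -fL -O "https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_DEB}.sha512" \
  && sha512sum -c "${FILEBEAT_DEB}.sha512" \
  && sudo dpkg -i "$FILEBEAT_DEB"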
##### Modify /etc/filebeat/filebeat.yml to set the connection information:
output.elasticsearch:
hosts: ["<es_url>"]
username: "elastic"
password: "<password>"
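# Grep hostnames from ssl certificate
#######################################
# Print the DNS names found in the certificate a TLS endpoint serves.
# Arguments: $1 - host name (default example.com)
#            $2 - port (default 443). The original passed no port at all,
#                 which not every openssl version accepts.
# Outputs:   the "DNS:" lines of the certificate's text dump on stdout
#######################################
cert_hostnames() {
  local host=${1:-example.com}
  local port=${2:-443}
  # -servername sends SNI so a virtual host returns its own certificate rather
  # than the server default. stdin from /dev/null ends the session like the
  # original `echo |`; s_client's connection chatter on stderr is discarded
  # deliberately so only the grep result is shown.
  openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -text \
    | grep DNS
}
cert_hostnames example.com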
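# Build Zeek from source: the two apt lines pull the toolchain plus the
# libpcap / OpenSSL / MaxMind headers it links against.
# The steps are chained with && because nothing here enables `set -e`; in the
# original a failed `cd zeek` would have run ./configure and make in the
# parent directory. The clone follows the default branch — pass
# `--branch <release tag>` to git clone for a reproducible build.
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev \
  && sudo apt-get install libmaxminddb-dev postfix curl git \
  && git clone --recursive https://github.com/zeek/zeek \
  && cd zeek \
  && ./configure \
  && make \
  && sudo make install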
# Four zq queries over a Zeek conn.log: a column projection, the sum and the
# average of orig_bytes, and a count of connections whose history is "D".
# NOTE(review): in the last query the shell consumes the inner double quotes,
# so zq receives `history=D|count ()` rather than `history="D"|count ()`;
# if zq needs the quoted literal, write the argument as
# 'history="D"|count ()' with single quotes — confirm against zq's syntax.
zq -f text "cut ts,id.orig_h,id.orig_p,conn_state,history,orig_ip_bytes,resp_ip_bytes" conn.log;zq "sum(orig_bytes)" conn.log;zq "avg(orig_bytes)" conn.log;zq "history="D"|count ()" conn.log
#Zeekurity Zeek_IDS. Remote Windows Network audit. (SSH).
# `[email protected]` is the forge's obfuscation of a user@host argument and
# `.....` stands for the remote command whose stdout is piped into the local
# zeek (which reads the capture from stdin via `-r -`). The redef switches the
# ASCII logs to JSON; the remaining arguments are the scripts to load
# (`local.bro` uses the legacy .bro extension). NOTE(review): the meaning of
# -S / -Q / -C is taken from the author's note only — confirm in `zeek --help`.
ssh [email protected] -p2223 ..... zeek -S -Q -C -r - -e 'redef LogAscii::use_json=T;' local.bro bro-scripts/scripts/geo/geo policy/frameworks/files/extract-all-files.bro
# Re-render a coloured JSON tree of the current directory every 2 s (-n2);
# -c lets watch pass ccze's colour codes through. Blocks until interrupted.
watch -n2 -c 'tree -aJhD| jq . | ccze -A'