| ### Keybase proof | |
| I hereby claim: | |
| * I am andresriancho on github. | |
| * I am andresriancho (https://keybase.io/andresriancho) on keybase. | |
| * I have a public key whose fingerprint is 0FA5 D462 EA05 CBBF EAEE 1F14 E0ED B201 A7B2 7B69 | |
| To claim this, I am signing this object: |
| using System; | |
| using System.Linq; | |
| using System.Collections.Generic; | |
| class app { | |
| static void Main() { | |
| string[] names = { "Burke", "Connor", "Frank", | |
| "Everett", "Albert", "George", | |
| "Harris", "David" }; |
When implementing 2FA it's a bad idea to generate the QR image containing the TOTP secret using Google charts:
<img src="https://chart.googleapis.com/
chart?chl=otpauth%3A%2F%2Ftotp%2F...secret%3Dacl...mwv&chs=200x200&cht=qr" />Google tracks all your internet moves and could easily exploit this vulnerability to bypass 2FA:
| import re | |
| import random | |
| from burp import IBurpExtender, IBurpExtenderCallbacks, ISessionHandlingAction | |
| class BurpExtender(IBurpExtender, ISessionHandlingAction): | |
| NAME = "Add X-Forwarded-For" |
| <?php | |
| $proxy = 'http://127.0.0.1:8080'; | |
| $ch = curl_init(); | |
| curl_setopt($ch, CURLOPT_URL,"http://www.w3af.org/"); | |
| curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); | |
| curl_setopt($ch, CURLOPT_PROXY, $proxy); | |
| $headers = array(); |
| [pablo:/tmp/expansion] $ ls -la | |
| total 40916 | |
| drwxrwxr-x 2 pablo pablo 4096 feb 11 16:50 . | |
| drwxrwxrwt 10 root root 41885696 feb 11 16:50 .. | |
| -rw-rw-r-- 1 pablo pablo 0 feb 11 16:39 -T | |
| -rwxrwxrwx 1 pablo pablo 24 feb 11 16:50 test.sh | |
| -rw-rw-r-- 1 pablo pablo 0 feb 11 16:40 -TT whoami;`bash test.sh` | |
| [pablo:/tmp/expansion] $ cat test.sh | |
| touch test.sh-was-run | |
| [pablo:/tmp/expansion] $ zip test.zip * |
| import random | |
| from lib.core.enums import PRIORITY | |
| __priority__ = PRIORITY.NORMAL | |
| def dependencies(): | |
| pass | |
| def tamper(payload, **kwargs): | |
| headers = kwargs.get("headers", {}) |
I would like to build a network bugging device that can be connected to any Ethernet network and grants the attacker access through a reverse VPN.
Since we don't want to go to jail the attacker's VPN server would be a Tor hidden service and the buggin device would perform a reverse connection over Tor. No direct connection to the attacker's IP address will ever be made.
All traffic between the attacker and the device will be encrypted by both Tor and the VPN.
It must be trivial for the attacker to route traffic from nmap, w3af, OpenVAS, metasploit and any other security tools through the VPN tunnel. Extra points if the VPN is Layer 2 and allows the attacker to run ARP-spoofing attacks (ssh layer 2 VPN?)
$ gem cert --add <(curl -Ls https://raw.githubusercontent.com/thesp0nge/dawnscanner/master/certs/paolo_at_dawnscanner_dot_org.pem)
Added '/CN=paolo/DC=dawnscanner/DC=org'
$ gem install dawnscanner -P MediumSecurity
ERROR: While executing gem ... (Gem::Security::Exception)
certificate /CN=paolo/DC=codesake/DC=com not valid after 2015-01-27 17:25:01 UTC
$
| FROM tomcat:7.0.63-jre8 | |
| # Download WAVSEP | |
| WORKDIR /usr/local/tomcat/webapps/ | |
| RUN wget https://github.com/sectooladdict/wavsep/archive/wavsep-v1.5-war.zip | |
| RUN mv wavsep-v1.5-war.zip wavsep.war |