archive-sk.com » SK » H » HELL.SK

Total: 66

  • Web | blog from.hell
    ...clean history, cache, cookies and Flash LSOs; Cookies Manager (cookie editing and creating); Exif Viewer or FxIF (view EXIF info); Flashblock (blocks Flash); Disconnect.me (tracking and more); HTTPS Everywhere (force HTTPS); HackBar (useful stuff); HTML Regex Data Extractor (regex extraction from HTML source); Live HTTP Headers (HTTP headers); NoScript (a must-have); Proxy Selector (simple proxy selection); Wappalyzer (identifies software on websites). Chrome: Disconnect.me (tracking and more); HTTPS Everywhere (force HTTPS); Adblock Plus (adverts, tracking, banners); a cookie editor (cookies); and "19 Extensions to Turn Google Chrome into Penetration Testing tool". July 25, 2013 (Web; tags: spam, wordpress). WordPress comment spam: you have comments disabled in your updated WordPress, trackbacks turned off, a CAPTCHA in place, and spam comments still pop up? Hopefully this short post brings more light into your situation and offers quick help. The likely reason for the spam is no surprise: trackbacks/pingbacks. The setting "Allow link notifications from other blogs (pingbacks and trackbacks)" stops trackbacks on new posts, but all of your older posts still have trackbacks enabled. To check the trackback status of your posts in MySQL, use the following query:
      SELECT ping_status FROM wp_posts;
    and afterwards set the status to...

    Original URL path: https://from.hell.sk/blog/category/webz/ (2016-05-02)


  • oneliners | blog from.hell
    Tag Archives: oneliners. August 9, 2013 (Web; tags: oneliners, python, ruby, web). Simple HTTP server one-liners serving the current directory on port 8080. Python (SimpleHTTPServer is the Python 2 module name):
      python -m SimpleHTTPServer 8080
    Ruby:
      ruby -r webrick -e 's = WEBrick::HTTPServer.new(:Port => 8080, :DocumentRoot => Dir.pwd); trap("INT") { s.shutdown }; s.start'

    Original URL path: https://from.hell.sk/blog/tag/oneliners/ (2016-05-02)

  • python | blog from.hell
    Same post as the oneliners entry above (Simple HTTP server one-liners in Python and Ruby, August 9, 2013), listed under the python tag.

    Original URL path: https://from.hell.sk/blog/tag/python/ (2016-05-02)

  • ruby | blog from.hell
    Same post as the oneliners entry above (Simple HTTP server one-liners in Python and Ruby, August 9, 2013), listed under the ruby tag.

    Original URL path: https://from.hell.sk/blog/tag/ruby/ (2016-05-02)

  • web | blog from.hell
    ...for example won't work on Debian's default vhost logs, since they are readable only by root. Including /proc/31508/fd/5, the lstat64() and readlink() magic leads directly to the obscure and hard-to-guess location of the access log (/home/www/example.com/private/rawlogs/access_log in this example). In this attack the only variables are the process ID of a disposable Apache thread (mod_*) and the file descriptor number, with the first three (0, 1, 2) reserved for stdin, stdout and stderr.
    As said before, the process ID must be that of some application holding an open file descriptor to the target, and Apache satisfies this requirement. This means that with mod_php it is possible to use /proc/self directly, since the interpreter executes inside Apache. When CGIs are used it is possible to walk back up to the Apache PID by reading the 4th column (the parent PID) of /proc/self/stat, iterating if necessary. Since mod_php is the common case, /proc/self is normally enough to carry out a successful attack; this also leaves the process unaffected by the presence of grsecurity's "user-only /proc" restriction, for example.
    The second variable is the file descriptor number, which depends greatly on the target setup and load, since file descriptors can belong to a range of resources like pipes, sockets and, naturally, files. Some of the fds point to log files, and only two of them belong to the target vhost. At the moment of writing we are unaware of a method to guess the right number directly, but the tool attached to this document speeds up the process and automatically gives hints on the logfile type and usage. Note that fds to log files are the first ones Apache opens, and this is especially true for non-threaded MPMs like prefork. Under such conditions the right fd number mainly depends on the number of vhosts loaded before the one containing the vulnerable application under attack. As the final step, the right /proc/self/fd/X is included and the injected payload executed.
    While writing this article and trying to give complete and accurate information, a paper came to our attention: LOCAL FILE INCLUSIONS by G-Brain (http://www.g-brain.net/tutorials/local-file-inclusions.txt). It exposes a similar, and possibly better, technique we were not aware of that is self-contained (it doesn't require two different stages, one to inject the payload into the log and one to actually include the logfile) and non-resilient (it doesn't leave any payload in the logs). Summarizing, /proc/self/environ contains user input such as an environment variable named HTTP_USER_AGENT holding the data from the User-Agent request header, which turns it into useful volatile storage for LFI2RCE attacks. It also contains other user-controlled data beyond the UA:
      curl 'http://example.com/index.php?page=/proc/self/environ&cmd=ls' -H 'User-Agent: PHP RCE <?php passthru($_GET["cmd"]); ?>'
    The greatest advantage of this attack is that the whole path is static.

    Original URL path: https://from.hell.sk/blog/tag/web/ (2016-05-02)
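The two "variables" the passage describes, the fd number and the walk back to the parent PID via the 4th column of /proc/self/stat, are what an auditor wants to enumerate on a suspect host. The following POSIX shell script is an added example written for this page; it is not the paper's attached tool and not the blog's code. It lists a process's fd table, classifies each target (pipe, socket, stdio, log file, other file) so the log descriptors stand out, and reads the PPID the way the text says. The function names, the log-name heuristics and the PROC_ROOT variable are our assumptions: PROC_ROOT defaults to /proc on a live Linux host, and can be pointed at any directory laid out like /proc/<pid>/ to run the script offline.

```shell
#!/bin/sh
# Added example (not the post's or the paper's tool): enumerate a process's
# file descriptors the way an LFI-via-/proc/self/fd attack depends on them,
# and flag the ones that look like Apache log files.
#
# Assumption (ours): PROC_ROOT defaults to /proc; point it at any directory
# with the same <pid>/fd and <pid>/stat layout to exercise this offline.
PROC_ROOT=${PROC_ROOT:-/proc}

# classify_fd_target TARGET -> one word: stdio, pipe, socket, log, file, other.
# The log heuristics (names ending in _log/.log, containing access/error)
# are a guess at typical Apache naming, nothing more.
classify_fd_target() {
  case "$1" in
    pipe:*)                          echo pipe ;;
    socket:*)                        echo socket ;;
    anon_inode:*)                    echo other ;;
    /dev/pts/*|/dev/tty*|/dev/null)  echo stdio ;;
    *_log|*.log|*/log/*|*access*|*error*) echo log ;;
    /*)                              echo file ;;
    *)                               echo other ;;
  esac
}

# enum_fds PID -> lines "fd<TAB>class<TAB>target", sorted numerically by fd.
# readlink prints the link text even for targets that are not paths
# (pipe:[n], socket:[n]), which is exactly what /proc exposes.
enum_fds() {
  pid=$1
  dir="$PROC_ROOT/$pid/fd"
  [ -d "$dir" ] || { echo "no fd table for pid $pid under $PROC_ROOT" >&2; return 1; }
  for link in "$dir"/*; do
    [ -e "$link" ] || [ -L "$link" ] || continue   # unmatched glob
    n=${link##*/}
    target=$(readlink "$link") || continue
    printf '%s\t%s\t%s\n' "$n" "$(classify_fd_target "$target")" "$target"
  done | sort -n
}

# log_fds PID -> only the fd numbers whose target looks like a log file
log_fds() {
  enum_fds "$1" | awk -F'\t' '$2=="log" {print $1}'
}

# hint PID -> the /proc/self/fd/N candidates a tester would try first;
# on a prefork Apache these sit right after 0-2, in vhost load order
hint() {
  for n in $(log_fds "$1"); do
    echo "/proc/self/fd/$n"
  done
}

# parent_pid PID -> the PPID, i.e. the 4th column of /proc/PID/stat (the
# CGI case in the text). The 2nd column (comm) is parenthesised and may
# contain spaces, so cut through the closing parenthesis first; the PPID
# is then the 2nd remaining word.
parent_pid() {
  sed 's/^.*) //' "$PROC_ROOT/$1/stat" | awk '{print $2}'
}
```

On a live host, `enum_fds $$` shows the shell's own table; against an Apache worker PID it shows why the right fd depends on how many vhosts (and their log files) were opened before the vulnerable one.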

  • Nmap performance and evasion
    ...--max-rtt-timeout <ms>: the maximum probe round-trip time; the response to a probe should return within it. For example, --max-rtt-timeout 200 with --initial-rtt-timeout 150 on fast networks.
    --min-rate <n>: send packets no slower than n per second (Nmap will send at least n packets per second), for example 1000. Good to combine with --max-retries.
    --max-retries <n>: caps the number of port scan probe retransmissions. To lower the retransmit rate on stable networks you can set it even to 0, if you are very confident that no packet will be dropped.
    Evasion:
    --data-length <n>: append random data to sent packets. Makes the scan less suspicious and evades the default Snort rule for zero-byte pings. For example, to emulate a ping from Windows set the value to 32, for Linux to 56.
    -T0: set the timing template. The paranoid template waits 5 minutes between probes; ehm, the 15-second option (-T1, sneaky) will do it too. Or fine-tune it with --scan-delay 1000 (delay between probes), --min-rtt-timeout, --max-parallelism 1 and --max-hostgroup 1 (scan only one target at a time).
    -f, --mtu <n>: fragment packets, optionally with the given MTU. The good old packet fragmentation.
    -D decoy1,decoy2,ME: cloak a scan with decoys. You can specify decoys...

    Original URL path: https://from.hell.sk/blog/2013/08/09/nmap-performance-and-evasion/ (2016-05-02)

  • network | blog from.hell
    Same post as "Nmap performance and evasion" above (the --max-rtt-timeout through -D decoy options), listed under the network category.

    Original URL path: https://from.hell.sk/blog/category/network/ (2016-05-02)

  • guides | blog from.hell
    ...(continuation of the "Nmap performance and evasion" post above:) -D decoy1,decoy2,ME: cloak a scan with decoys. You can specify decoys to hide your scan in a list of fake scan sources; ME marks where your own host is placed in the list, and a good choice is a position greater than 6. You can even use RND to generate random addresses.
    -S <IP address>: spoof the source address. The results will be sent to the spoofed address and not to you, in case you want someone else to be blamed and to annoy the IDS.
    --scanflags <flags>: customize the TCP scan flags. To set specific flags: FINPSH is like an Xmas scan without URG.
    --dns-servers <servers>, or -n to avoid reverse DNS lookups, which could otherwise query the target's DNS servers.
    October 22, 2009 (Other; tags: guides). TCP/IP Stack Hardening. Source: http://www.cromwell-intl.com/security/security-stack-hardening.html
    Disable ICMP broadcast echo activity:
      sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
    Disable ICMP routing redirects:
      sysctl -w net.ipv4.conf.all.accept_redirects=0
      sysctl -w net.ipv6.conf.all.accept_redirects=0
    sysctl...

    Original URL path: https://from.hell.sk/blog/tag/guides/ (2016-05-02)
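The hardening post above lists settings to apply with sysctl -w; what a practitioner usually needs first is a check of what the kernel is currently running, with the fixes listed for review rather than applied blind. The following POSIX shell script is an added example written for this page, not from the Cromwell guide or the blog. It reads values from the /proc/sys tree, compares them with the expected hardened values, and emits the corresponding sysctl -w lines only for the keys that fail. The first three keys are the ones quoted on the page; the two that follow (source-route rejection, SYN cookies) are our additions in the same spirit and can be edited out. SYS_ROOT and the function names are our assumptions; SYS_ROOT defaults to /proc/sys on a live Linux host and can be pointed at a directory with the same layout to run the check offline.

```shell
#!/bin/sh
# Added example for this page (not from the linked Cromwell guide or the
# blog): audit TCP/IP stack hardening by reading /proc/sys and diffing the
# live values against the expected ones, instead of blindly running sysctl -w.
#
# Assumption (ours): SYS_ROOT defaults to /proc/sys; point it at a directory
# with the same layout to exercise the check offline.
SYS_ROOT=${SYS_ROOT:-/proc/sys}

# key=expected pairs in sysctl dotted form. The first three are the ones
# quoted on the page; the last two are our own additions in the same spirit.
EXPECTED='
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.tcp_syncookies=1
'

# key_to_path net.ipv4.foo -> $SYS_ROOT/net/ipv4/foo
key_to_path() {
  printf '%s/%s\n' "$SYS_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# current_value KEY -> the live value, or "missing" when the key does not
# exist (for example net.ipv6.* on a host with IPv6 disabled)
current_value() {
  p=$(key_to_path "$1")
  if [ -r "$p" ]; then tr -d '[:space:]' < "$p"; else echo missing; fi
}

# audit -> one line per key: "OK|FAIL|MISSING<TAB>key<TAB>current<TAB>expected";
# exit status is the number of FAIL rows, so 0 means fully hardened
audit() {
  fails=0
  for pair in $EXPECTED; do
    key=${pair%%=*}
    want=${pair#*=}
    have=$(current_value "$key")
    if [ "$have" = "$want" ]; then
      status=OK
    elif [ "$have" = missing ]; then
      status=MISSING
    else
      status=FAIL
      fails=$((fails + 1))
    fi
    printf '%s\t%s\t%s\t%s\n' "$status" "$key" "$have" "$want"
  done
  return $fails
}

# remediation -> the sysctl -w commands that would fix the FAIL rows, ready
# to be reviewed, run, or turned into a sysctl.d fragment
remediation() {
  audit | awk -F'\t' '$1=="FAIL" {printf "sysctl -w %s=%s\n", $2, $4}'
}
```

Values written with sysctl -w do not survive a reboot; once the remediation output has been reviewed, the same key=value lines belong in a sysctl.d file so the audit keeps passing after the next boot.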