aws penetration testing

Summary of password scanning and cracking in penetration testing0x00 preface a test always involves "password" and "encryption and decryption ". In the process of stepping on, attempts to use weak passwords are an essential process, from capturing chickens in xx to hashes in the Intranet, from personal PCs to network devices/industrial control facilities, password scanning will not be forgotten as long as password authentication is still performed in

, RES resource file, assets configuration file, Lib library file, We can search directly for Smali files and resource files to find links and so on.Use the app to find your website real IPIn addition to the app service side of the vulnerability, there is a more fun way to use, through the collection of sub-domain IP in the app to find the real IP of the target site, according to experience, most of the app's interface is not using services such as CDN.Embarrassing Encyclopedia Real IPSecond, Htt

Metasploit penetration testing of Ubuntu 12.04 (1) This article is mainly about entertaining exercises. Share the Attack Details, including some script files from various sources modified by the original author. The Penetration Process is not the focus. The biggest reason is that the second half of the article is still worth learning about persistence attacks. B

Penetration Testing of changba (entering several backend and O M systems and configuring VPN) A penetration test of changba. Attackers can obtain a large amount of sensitive information, access several backend and O M systems (wiki, cacti, erp, etc.), and dial in a VPN Server. Entry point: https://wiki.changba.com OpenSSL heart bleeding exists. Capture the acco

Ruby Framework for penetration testing WordPress websites and systems: WordPress Exploit Framework This Ruby framework contains some modules that can penetration test WordPress websites and systems. Users can also develop their own modules to expand their functions.What are the conditions for running it?Make sure Ruby 2.2.x is installed on the system. Open a comm

Vulnerability exploitation in penetration testing1. Search for vulnerabilities in the target system In the previous article on penetration testing, this article describes how to collect information about the target system. Next, we will take any Kioptrix as an example to describe how to exploit the vulnerability.On exploit-db.com websites, it is generally possibl

first three-bit decimal number by 256^3 or 16,777,216 (256 of 3): 172*16,777,216=2,885,681,152Multiply the second three-bit decimal number by 256^2 or 65,536 (256 of the 2 Parties): 168*65,536=11,010,048Multiply the third three-bit binary number by 256 (256 of 1): 23*256=5,888Finally, multiply the fourth three-bit binary number by 1 (256 of 0): 113*1=113Add the final result of the above four formulas: 2,885,681,152+11,010,048+5,888+113=2,896,697,201Finally this decimal number is the last equiva

, the result is as follows:　　 From the results, the null scan will also scan the results, only labeled open/filtered.5.3 Ack ScanIn the case of a firewall, we do not get valid information from a NULL scan, and now we do an ACK scan.　　 Still not scanned for valid information, in order to test the ACK scan and null scan, we add a setting that configures the HTTPS service on the target host and adds a rule to the firewall, allowing HTTPS access, i.e. open 443 port. (commands can be executed on Ubun

), ( injection Burst data statement)) A+from+information_ Schema.tables+group+by+a) b) #Injection BURST Data statementSelect+concat (0x3a,database (), 0x3a,user (), 0x3a,version (), 0x3a,@ @datadir)Select+table_name+from+information_schema.tables+where+table_schema=database () +limit+0,1Delay injectionSelect Benchmark (5000000, MD5 (' Test ')) from user where id=1 and 1=1SELECT * from user where id=1 or 1= (select Benchmark (5000000, MD5 (' Test ')))Select if (ASCII (substring (version ()), SELE

attempt, of course, you can also brute force hack.16. Do not neglect XSS, do not neglect cookie,xss can steal cookies, but also a number of magical, learn to understand; Cookies can be forged, cookies can be injected, and cookies can be injected around the vast majority of firewalls.17. Usually do station more collect path Ah, source Ah, tools ah, enrich their "weapons" library; it is best to record their invasion steps, or after the reflection, I generally remember in txt, in addition to do ex

As more and more companies focus on data security when developing programs, they often encrypt database connections and encrypt some sensitive data in the database to prevent data from being easily stolen! Therefore, we often findSome encrypted connection strings are found during database connection. For those who have no adverse effects, it is possible thatWill be stopped here! However, we usually cannot meet this requirement, so we need to have some knowledge about reverse encryption and decry

the Kioptrix Web service, and we need to use instructions to get the returned information. Enter: And HEAD / HTTP 1.1 then press two times to enter to see the results of the output:　　 　　 Here the output of the content of the HTTP header, the above information indicates that the target machine ran apache/2.2.8, the system for the ubuntu;php version of Php/5.2.4-2.4.2 Using NCAT to get a flagThis process is similar to NC. Refer to the 4.1 content.4.3 using smbclient to get a flagTCP port 139 is a

further process the results.In addition, dig has some other valuable commands. List bind versions # dig +nocmd txt chaos VERSION.BIND @sn1.example.com +noall +answerThis command determines the BIND version information that is running on the server and is valuable for finding vulnerabilities. Reverse DNS LookupsResolves the IP address to a domain name, except Nslookup can also use the dig command to accomplish this task. # dig +nocmd +noall +answer -x 180.149.132.47

preceding content as waitalone. Reg, and double-click the import button to exit the trend-free antivirus software. 2. crack the password of the McAfee antivirus software The password for unlocking the McAfee antivirus software user interface is saved in the following registry path:HKEY_LOCAL_MACHINE \ SOFTWARE \ Mcafee \ protected topprotectionIn fact, the sub-key UIP is the password to be unlocked on the anti-virus software user interface. It is the MD5 ciphertext. You can directly decrypt

written by the other side, you can also use the above tools to identify whether the other side of the thinkphp and other frameworks. The enemy, Baizhanbudai.FB Netizen H4DE5 SupplementWell, let me add some of the tools I've used myself to:1, http://www.gpsspg.com/2, http://websth.com/3, http://www.showjigenzong.com/4, http://hd2001562.ourhost.cn/5, http://www.cz88.net/6, http://so.baiduyun.me/7, http://nmap.online-domain-tools.com/8, http://az0ne.lofter.com/post/31a51a_131960c This blog also ha

program has previously exposed the vulnerability. If it is written by the other side, you can also use the above tools to identify whether the other side of the thinkphp and other frameworks. The enemy, Baizhanbudai.?FB Netizen H4DE5 SupplementWell, let me add some of the tools I've used myself to:1,http://www.gpsspg.com/2,http://websth.com/3,http://www.showjigenzong.com/4,http://hd2001562.ourhost.cn/5,http://www.cz88.net/6,http://so.baiduyun.me/7,http://nmap.online-domain-tools.com/8,http://az

name.Please search the Apache server in the United States: App:apache Country:usPlease search the UK Sendmail server: App:sendmail country:ukFor a complete country code, see: Country code-Wikipedia IP AddressIP: Searches for a specified IP address.Google's public DNS server: ip:8.8.8.8 CIDRThe CIDR segment of the IP. Example: CIDR:8.8.8.8/244.web App Search Component NameApp: the component name.Ver: Component version.Apache httpd, version 2.2.16:app: "Apache httpd" ver: "2.2.16"Operating system

error, regardless of it, not a moment to slow down a bitA bunch of error messages, wait a while, the results come outNext look at the admin table what, 5 threads too fast, this time 3, continue to explodeThere are no known security devices or server performance issues, and 3 threads still have a connection reset.Burst 4 Columns with the following:Now, let's see what's in these columns.After a long wait, the data burst.You can see that the password is encrypted, 32-bit, should be MD5 encryption,

and recompile. and use Hex.hta to get 16 binary.1Mysql> Show variables like'%plugin%';2+---------------+-------------------------+3| variable_name | Value |4+---------------+-------------------------+5| Plugin_dir | /usr/lib64/mysql/plugin |6+---------------+-------------------------+7 1RowinchSet (0.00sec)8 9Mysql>Select*From func; #检查是否已经有人导出过了TenMysql>SelectUnhex ('Hexcode') into DumpFile'/usr/lib64/mysql/plugin/mysqludf.so'; OneQuery OK,1Row affected (0.01SEC) #需要有/usr/lib64/mysql/plugin/Wr

AppScanAutomate dynamic application Security testing (DAST) and interactive application security testing (IAST) for modern WEB applications and services. A comprehensive JavaScript execution engine that supports WEB 2.0, JavaScript, and AJAX frameworks. SOAP and REST Web service tests that cover XML and JSON infrastructure support wssecurity Standard, XML encryption, and XML signing. Detailed vulnerability