crypt0b0y crypt0b0y

This article can also be found in Hack in the Box Magazine

##0x00 Abstract## Discretion is a necessity when performing a penetration test. The job is to test a network's defenses as well as the security team's ability to detect and respond to an incident, while being as discrete as possible. Neohapsis Labs looked into the obstacles and solutions for developing a communication channel with a device residing in a protected and monitored network. This paper will discuss these findings. A new tool demonstrating some of these techniques will also be discussed. This paper will also speculate as to defensive solutions for such threats.

##Table of Contents##

0x01 -- Introduction
0x02 -- Attacks and Defenses
0x02.01 -- Network Address Translation / Port Address Translation (NAT/PAT)
0x02.02 -- Ingress Port Filtering

Opening and closing an SSH tunnel in a shell script the smart way

I recently had the following problem:

From an unattended shell script (called by Jenkins), run a command-line tool that accesses the MySQL database on another host.
That tool doesn't know that the database is on another host, plus the MySQL port on that host is firewalled and not accessible from other machines.

We didn't want to open the MySQL port to the network, but it's possible to SSH from the Jenkins machine to the MySQL machine. So, basically you would do something like

ssh -L 3306:localhost:3306 remotehost

	hashcat (v6.2.6) starting in benchmark mode

	Benchmarking uses hand-optimized kernel code by default.
	You can use it in your cracking session by setting the -O option.
	Note: Using optimized kernel code limits the maximum supported password length.
	To disable the optimized kernel code in benchmark mode, use the -w option.

	* Device #1: WARNING! Kernel exec timeout is not disabled.
	This may cause "CL_OUT_OF_RESOURCES" or related errors.
	To disable the timeout, see: https://hashcat.net/q/timeoutpatch

	#!/usr/bin/env python2
	# coding: utf-8

	import os,socket,threading,time
	#import traceback

	allow_delete = False
	local_ip = socket.gethostbyname(socket.gethostname())
	local_port = 8888
	currdir=os.path.abspath('.')

	#!/bin/bash

	# first login and store the cookie
	wget --post-data='name=USERNAME&pass=PASSWORD&op=Log%20in' --save-cookies=my-cookies.txt --keep-session-cookies "https://private.site.com" > /dev/null 2>&1

	# now we can scrape the site (353 pages)
	for i in {0..353}
	do
	echo "grabbing page $i..."
	wget --cookies=on --keep-session-cookies --load-cookies=my-cookies.txt "https://private.site.com/people?page=$i" > /dev/null 2>&1

	#!/usr/env python

	###############################################################################################################
	## [Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script
	## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
	##-------------------------------------------------------------------------------------------------------------
	## [Details]:
	## This script is intended to be executed locally on a Linux box to enumerate basic system info and
	## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text
	## passwords and applicable exploits.