Reddit Breach Highlights Limits of SMS-Based Authentication

Reddit.com today disclosed that a data breach exposed some internal data, as well as email addresses and passwords for some Reddit users. As Web site breaches go, this one doesn’t seem too severe. What’s interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security.

Link: https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-based-authentication/

Dirhunt – Find Web Directories Without Bruteforce

Dirhunt is a web crawler optimized for searching and analyzing directories. This tool can find interesting things if the server has the "index of" mode enabled. Dirhunt is also useful if directory listing is not enabled: it detects directories with false 404 errors, directories where an empty index file has been created to hide things, and much more.

$ dirhunt http://website.com/

Dirhunt does not use brute force, but neither is it just a crawler. This tool is faster than others because it minimizes requests to the server. Generally, a run takes between 5 and 30 seconds, depending on the website and the server. Read more about how to use Dirhunt in the documentation.

Features
- Process one or multiple sites at a time.
- Process "Index Of" pages and report interesting files.
- Detect redirectors.
- Detect a blank index file created in a directory to hide things.
- Process some HTML files in search of new directories.
- Process 404 error pages and detect fake 404 errors.
- Filter results by flags.
- Analyze results at the end.

Install
If you have pip installed on your system, you can use it to install the latest Dirhunt stable version:

$ sudo pip3 install dirhunt

Python 2.7 and 3.4-3.6 are supported, but Python 3.x is recommended. Use pip2 to install for Python 2. There are other installation methods available.

Download Dirhunt

Link: http://feedproxy.google.com/~r/PentestTools/~3/hs6s7NA7xO8/dirhunt-find-web-directories-without.html

Plant Your Flag, Mark Your Territory

Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you.

Link: https://krebsonsecurity.com/2018/06/plant-your-flag-mark-your-territory/

Librarian Sues Equifax Over 2017 Data Breach, Wins $600

In the days following revelations last September that big-three consumer credit bureau Equifax had been hacked and relieved of personal data on nearly 150 million people, many Americans no doubt felt resigned and powerless to control their information. But not Jessamyn West. The 49-year-old librarian from a tiny town in Vermont took Equifax to court. And now she’s celebrating a small but symbolic victory after a small claims court awarded her $600 in damages stemming from the 2017 breach.

Link: https://krebsonsecurity.com/2018/06/librarian-sues-equifax-over-2017-data-breach-wins-600/

Burpa – A Burp Suite Automation Tool

A Burp Suite Automation Tool With Slack Integration.

Requirements
- burp-rest-api
- Burp Suite Professional
- slackclient

Usage

$ python burpa.py -h

burpa version 0.1 / by 0x4D31

usage: burpa.py [-h] [-a {scan,proxy-config,stop}] [-pP PROXY_PORT]
                [-aP API_PORT] [-rT {HTML,XML}] [-r {in-scope,all}] [-sR]
                [-sAT SLACK_API_TOKEN]
                [--include-scope [INCLUDE_SCOPE [INCLUDE_SCOPE ...]]]
                [--exclude-scope [EXCLUDE_SCOPE [EXCLUDE_SCOPE ...]]]
                proxy_url

positional arguments:
  proxy_url             Burp Proxy URL

optional arguments:
  -h, --help            show this help message and exit
  -a {scan,proxy-config,stop}, --action {scan,proxy-config,stop}
  -pP PROXY_PORT, --proxy-port PROXY_PORT
  -aP API_PORT, --api-port API_PORT
  -rT {HTML,XML}, --report-type {HTML,XML}
  -r {in-scope,all}, --report {in-scope,all}
  -sR, --slack-report
  -sAT SLACK_API_TOKEN, --slack-api-token SLACK_API_TOKEN
  --include-scope [INCLUDE_SCOPE [INCLUDE_SCOPE ...]]
  --exclude-scope [EXCLUDE_SCOPE [EXCLUDE_SCOPE ...]]

TEST:

$ python burpa.py http://127.0.0.1 --action proxy-config

burpa version 0.1 / by 0x4D31

[+] Checking the Burp proxy configuration ...
[-] Proxy configuration needs to be updated
[+] Updating the Burp proxy configuration ...
[-] Proxy configuration updated

$ python burpa.py http://127.0.0.1 --action scan --include-scope http://testasp.vulnweb.com --report in-scope --slack-report

burpa version 0.1 / by 0x4D31

[+] Retrieving the Burp proxy history ...
[-] Found 4 unique targets in proxy history
[+] Updating the scope ...
[-] http://testasp.vulnweb.com included in scope
[+] Active scan started ...
[-] http://testasp.vulnweb.com Added to the scan queue
[-] Scan in progress: %100
[+] Scan completed
[+] Scan issues for http://testasp.vulnweb.com:
    - Issue: Robots.txt file, Severity: Information
    - Issue: Cross-domain Referer leakage, Severity: Information
    - Issue: Cleartext submission of password, Severity: High
    - Issue: Frameable response (potential Clickjacking), Severity: Information
    - Issue: Password field with autocomplete enabled, Severity: Low
    - Issue: Cross-site scripting (reflected), Severity: High
    - Issue: Unencrypted communications, Severity: Low
    - Issue: Path-relative style sheet import, Severity: Information
    - Issue: Cookie without HttpOnly flag set, Severity: Low
    - Issue: File path traversal, Severity: High
    - Issue: SQL injection, Severity: High
[+] Downloading HTML/XML report for http://testasp.vulnweb.com
[-] Scan report saved to /tmp/burp-report_20170807-235135_http-testasp.vulnweb.com.html
[+] Burp scan report uploaded to Slack

Download Burpa

Link: http://feedproxy.google.com/~r/PentestTools/~3/rH37EgRftO0/burpa-burp-suite-automation-tool.html

DNSBin – Tool To Test Data Exfiltration Through DNS (RCE and XXE)

DNSBin is a simple tool to test data exfiltration through DNS and to help test vulnerabilities like RCE or XXE when the environment has significant constraints. The project is in two parts. The first one is the web server and its components; it offers a basic web UI, and for most cases you won't need more than this. The client part is a Python script which allows data to be transferred in both directions through DNS using the web service.

Demo: http://dnsbin.zhack.ca/

Setup and installation

DNS
The current DNS setup that I have for the demo server is the following one. Do note that I did this with trial and error, so the setup may be overcomplicated or may have issues. If you are more knowledgeable, feel free to open an issue.
- Add an "A" record for the domain "dns1.zhack.ca" that points to "192.99.55.194".
- Add an "A" record for the domain "ns1.zhack.ca" that points to "192.99.55.194".
- Add an "NS" record for the domain "d.zhack.ca" with the value "dns1.zhack.ca".
- Add an "NS" record for the domain "d.zhack.ca" with the value "ns1.zhack.ca".

Web hosting
It's highly recommended to start the DNS receiver and WebSocket endpoint with the Node.js module "forever":

forever start index.js

For the frontend, the file "index.html" can be hosted on the web server of your choice. Make sure that the WebSocket URL points to your server.

Client
The client script requires "dnspython" to be installed on both ends. Whether you are sending or receiving data, you must first start the script on the machine that's outside of the restricted zone. The script will provide you with a unique token that you must pass when running the script on the machine that's inside of the restricted zone.

Example sending data
Outside machine:
echo test12345 | python main.py -f- -d out -t-
Inside machine:
python main.py -f- -d in -t TOKEN_THE_FIRST_COMMAND_GAVE_YOU

Example receiving data
Outside machine:
python main.py -f- -d in -t-
Inside machine:
echo test12345 | python main.py -f- -d out -t TOKEN_THE_FIRST_COMMAND_GAVE_YOU

Download DNSBin
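
The defender's side of the same traffic pattern, as an added example that is not part of DNSBin or the original post: a resolver-log check that flags clients sending many distinct, long, high-entropy subdomains to one delegated zone. The log format, the zone t.example.net, the token label and the sample queries are constructed assumptions, not DNSBin's actual wire layout.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not real traffic): "epoch client qname qtype".
# Client 10.0.0.7 mimics tunnelling: data label, token label, delegated zone (assumed layout).
SAMPLE_LOG = """\
1533200001 10.0.0.5 www.example.com A
1533200002 10.0.0.5 mail.example.com MX
1533200003 10.0.0.7 dGVzdDEyMzQ1LXNlY3JldC1kYXRh.4f1a9c.t.example.net TXT
1533200004 10.0.0.9 images-static-assets-01.cdn.example.com A
1533200005 10.0.0.7 aGVsbG8gd29ybGQtZXhmaWwtMDE.4f1a9c.t.example.net TXT
1533200006 10.0.0.7 c2VjcmV0LWRhdGEtaGVyZS0wMg.4f1a9c.t.example.net TXT
1533200007 10.0.0.7 bW9yZS1zZWNyZXRzLWhlcmUtMDM.4f1a9c.t.example.net TXT
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s):
    """Bits per character: encoded payloads score high, ordinary hostnames low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_line(line):
    """Return (client, qname) for a well-formed log line, None for anything else."""
    m = LINE_RE.match(line.strip())
    return (m.group(2), m.group(3).rstrip(".")) if m else None

def label_features(qname, zone_depth=2):
    """Last zone_depth labels are the zone (no public suffix list); measure the rest."""
    labels = qname.split(".")
    payload = "".join(labels[:-zone_depth])
    return {"zone": ".".join(labels[-zone_depth:]).lower(),
            "payload_len": len(payload), "entropy": shannon_entropy(payload)}

def detect_dns_exfil(log_text, min_payload_len=24, min_entropy=3.5, min_unique=3):
    """Flag (client, zone) pairs with many distinct long, high-entropy subdomains;
    length and entropy alone misfire on CDN hostnames, the unique-name count does not."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname = rec
        f = label_features(qname)
        if f["payload_len"] >= min_payload_len and f["entropy"] >= min_entropy:
            seen[(client, f["zone"])].add(qname)
    hits = [{"client": c, "zone": z, "unique_queries": len(names)}
            for (c, z), names in seen.items() if len(names) >= min_unique]
    return sorted(hits, key=lambda h: (h["client"], h["zone"]))
```

Thresholds are starting points to tune against your own baseline; the long CDN hostname in the sample passes the length check but is never flagged because it is a single name.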

Link: http://feedproxy.google.com/~r/PentestTools/~3/8_LkVpF4sSM/dnsbin-tool-to-test-data-exfiltration.html

Detecting Cloned Cards at the ATM, Register

Much of the fraud involving counterfeit credit, ATM debit and retail gift cards relies on the ability of thieves to use cheap, widely available hardware to encode stolen data onto any card’s magnetic stripe. But new research suggests retailers and ATM operators could reliably detect counterfeit cards using a simple technology that flags cards which appear to have been altered by such tools.

Link: https://krebsonsecurity.com/2018/05/detecting-cloned-cards-at-the-atm-register/