Post Exploitation Backdooring III

This is the third post on the post-exploitation method based on code caves. In the first part I showed you how to create a basic code cave in an executable to introduce a shell. In the second part I improved its detection rate by using natural code caves and hiding the jump to the cave among the program's own instructions. In this part I'm going to show you how to keep antivirus from detecting the shell in the code cave by encrypting it and decrypting it at runtime. Thanks again to OscarAkaElvis, who taught me these techniques. Cipher natural code caves. This method is based on the previous method. Some antivirus…


Post Exploitation Backdooring II

This is the second part of the set of posts about Post Exploitation Backdooring. If you haven't read the previous post, I recommend you do so in order to understand this one. Again I want to thank OscarAkaElvis, who taught me these PE Backdooring techniques. In the previous post we saw how to introduce the code of a reverse shell into a program, creating a Trojan. However, in real life this technique is well known to antivirus, and it will not work. First of all, because it is very rare for a program to have a JMP as its first instruction. On the other hand, it is easy to verify that the size…


Post Exploitation Backdooring I

A few months ago I took a post-exploitation course taught by my ex-colleague OscarAkaElvis (creator of the audit tool Airgeddon, which I recommend you try). I also want to warn you that this is an advanced technique and you need basic knowledge of assembler and reversing. If you don't have it, I recommend the Pentester Academy courses "x86 Assembly Language and Shellcoding on Linux" and "Reverse Engineering Win32 Applications". In this post I'm going to show you how to turn an exe into a Trojan by modifying its code to run a remote terminal. To do this we will start with the simplest way to do it, but also…


Cross-Site Scripting II: Advanced

This post is the continuation of another one I published a few months ago. If you haven't read it yet, I recommend you take a look at it. You already know what Cross-Site Scripting is, what types there are, what payloads to test, which fields to look at when you are analyzing a website, how to get around WAF filters... Now I'm going to show you how to really take advantage of this injection. BeEF. I'll start with a tool called BeEF. It is already integrated in the main hacking distributions (Kali Linux, Parrot Security); just run it with ./beef-xss and enter the…


Zip Bombs III: Overlapping Bombs

In this last post of the zip bombs series, I'm going to tell you about a new method that has emerged in the last month: overlapping bombs. This type of bomb achieves the highest decompression ratio of all time: from 46 MB to 4.5 Petabytes. The idea. This kind of bomb, created by David Fifield, differs in one important way from those of the previous posts: it does not use recursion. Instead, it uses file overlapping. This means that after the first decompression it expands completely, so it cannot be stopped by the security measures that antivirus products and operating systems take against the…


Zip Bombs II: Quine Bombs

In last week's post I introduced zip bombs and explained how to create a zip bomb using the recursion technique. I recommend that you take a look at it if you haven't already done so. In this new entry I'm going to introduce Quine Bombs. Quine Programs. In computing, a "quine" is a program that replicates itself. In other words, a program whose source code produces its own source code as output. This is not easy to achieve. Let's see an example. If we execute print(1) in Python, the output would be 1. We need the output to be the same as the input, in this case…


Zip Bombs I: Nested Bombs

When a file is compressed, its size is reduced. Compression is based on a simple principle: if you have a file with the text "aaaaaabbb", which is 9 characters long, you could reduce its size by saving it as "6a3b". With this rudimentary algorithm, you decompress the compressed file by repeating the character that follows each digit the number of times the digit indicates. That's why two files of the same size are compressed at different compression rates. Following the previous example, the file "aaaaaabbb" would become "6a3b", which means a compression ratio of 4:9, i.e. it is reduced by 66%. However, the file "aaabbaaab" would become "3a2b3a1b",…


DLL Hijacking

Recently I have been taking some very interesting Pentester Academy courses. Thanks to them I am learning a lot, since they deal with very particular topics with clear examples. Today I am going to show you what I have learned about DLL Hijacking. A DLL is a dynamic-link library. There are two types of DLLs: system DLLs, which Windows itself provides, and application DLLs, where the application developer splits its functionality across different DLLs. Executables use these DLLs because doing so gives the code a modular design and allows it to be reused. In this way, dependencies are created, and depending on the importance…


Cross-Site Scripting: XSS Injection

After the posts about SQL Injection and NoSQL Injection, today I bring you XSS Injection. This attack consists of injecting malicious code into benign web pages. The attacker injects code from the client side, so that, because of a bad configuration of the website, this code is shown to other users. This type of attack usually occurs when the browser takes a user input field and uses it to generate an output field without validating it first. To try to find a Cross-Site Scripting injection, you have to look for areas of a web page where a value you enter is reflected. An example would be to find a web page…


NoSQL Injection

In previous posts I have talked about SQL injections. It is usually the first computer security example given to a student: " ' or 1 = 1 -- a ". However, this is only useful against servers that use relational databases, such as MySQL, MSSQL or Oracle. In the last decade another type of database has appeared: non-relational databases, such as Couch or MongoDB. This type of database is used to store large amounts of unrelated data, data that do not fit into the typical tabular model of SQL databases, such as images, videos, social media, and so on. The queries that are made to this type…
