Blog

Penetration Testing Wiki

WordPress XML-RPC Cyberattack in REAL TIME

Quick video showing a successful attack doing a Denial of Service against a website using WordPress. To be protected against this cyberattack, do not forget to restrict access to /xmlrpc.php resource only from your IP address (1.2.3.4 in the example below). For Apache, edit /.htaccess file to add:

How to resolve an IP address in Windows

It is very easy to resolve any domain in Microsoft Windows natively using the command nslookup: By default our system will query to our predefined DNS server. If we want to query an specific DNS server, we can specify it as a second argument. In this case we ask the IP address of the domain…
Read more

Calculators for CISOs

Offline CVSS Calculator https://github.com/BitSentinel/CVSS2-Calculator.git OWASP Risk Assessment Calculator https://security-net.biz/files/owaspriskcalc.html

Other useful tools

http://getgreenshot.org/ Greenshot: Screenshots for reports in Windows https://mobaxterm.mobatek.net/ MobaXterm: All-in-one terminal for Windows https://www.tracewrangler.com/ TraceWrangler: Easy sanitization and anonymization of PCAP and PCAPng files https://github.com/novnc/noVNC noVNC: VNC client using HTML5 (Web Sockets, Canvas) with encryption (wss://) support https://github.com/paradoxxxzero/butterfly butterfly: A web terminal based on websocket and tornado https://github.com/cure53/XSSChallengeWiki https://mosh.org/ Mosh: Mosh (mobile shell) https://ngrok.com/ Ngrok:…
Read more

Gadgets for Penetration Testing

Hardware gadgets http://syncstop.com/ SyncStop prevents accidental data exchange when your device is plugged into someone else’s computer or a public charging station https://usbninja.com/ USBninja

Faradaysec 3.0

Faradaysec

Faradaysec is a penetration testing IDE. How to run Faraday < 2.7 To run the server: Check: To run the client: How to run Faraday v3.0 First run server: Second, run client: Check: How to access the UI: http://127.0.0.1:5985/_ui/ For more info go to https://github.com/infobyte/faraday/wiki and https://faradaysec.com/ Next section, to customize your shell: ZSH

ZSH

Useful frameworks to beautify your zsh shell: https://ohmyz.sh/ https://github.com/robbyrussell/oh-my-zsh Manual installation of oh-my-zsh: >> ZSH_THEME=”random” Cool themes: mortalscumbag To know more about how to use zsh shell and oh-my-zsh integrated within Faradaysec.

RCE

RCE stands for Remote Code Execution. It is the most critical type of vulnerabilities as it means that an attacker can execute arbitrary code and take ownership of a remote account or machine.

exploit kit

An exploit kit or exploit pack is a type of toolkit cybercriminals use to attack vulnerabilities in systems so they can distribute malware or perform other malicious activities. Some known exploit kits are mpack, neutrino, angler, magnitude, RIG, nuclear, phoenix or crimepack. Usually are sold in the dark market using a subscription model (i.e. 500…
Read more

exploit

An exploit is a program or system designed to take advantage of a particular error or security vulnerability in computers or networks. Look also exploit kit.