willis vandevanter

SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP

SSRF protocol smuggling involves an attacker injecting one TCP protocol into a dissimilar TCP protocol. A classic example is using gopher (i.e. the first protocol) to smuggle SMTP (i.e. the second protocol): gopher://127.0.0.1:25/%0D%0AHELO%20localhost%0D%0AMAIL%20FROM%3Abadguy@evil.com%0D%

automation

odle ruby gem: piping security data

I recently (May 2018) published odle which is a Ruby gem and binary that takes XML data from various security tools and outputs their JSON equivalent. The goal is to be (1) simple, (2) fast, and (3) work on many platforms with only one dependency – nokogiri. Quick Example of Piping

automation

Exploiting CVE-2016-4264 With OXML_XXE

Recently ColdFusion was shown vulnerable to XXE based attacks in OXML documents; CVE-2016-4264. The blog post linked gives an example building the file using python; cool! It’s easy to backdoor files in a similar fashion with OXML XXE. The fastest way to do this is using the “Overwrite File

automation

Finding Hosts Using SSL Certificate Organization And Censys

Finding hosts or domain names associated with a company where the domain name does not include the name of the company can sometimes be difficult. There are common ways to do it such as ASN or scope information (e.g. bug bounty ToE or IP block). One technique that I

conferences

Exploiting XXE In File Upload Functionality

Just wanted to post some details from my BH USA 2015 briefing “Exploiting XXE In File Upload Functionality”. https://www.youtube.com/watch?v=LZUlw8hHp44 I also gave an updated version of the presentation in November for the Blackhat Webcast Series. It included more file types; PDF, JPG, and GIF.

automation

Cloud Metadata URL List

I landed the SSRF Cloud Metadata technique in a few different scenarios recently. If you haven’t seen the talk BHUSA 2014 - Bringing a Machete to the Amazon I recommend it. To make life a little easier created a living URL list for Metadata broken down by cloud. There

cheatsheet

XML Entity Cheatsheet - Updated

An XML Entity testing cheatsheet. This is an updated version with nokogiri tests removed, just (X)XE notes. XML Declaration(s): 1 2 <?xml version="1.0" standalone="no"?> <?xml version="1.0" standalone="yes"?>Vanilla entity test: 1 <!DOCTYPE root [<!ENTITY post "1"

conferences

Blackhat 2015 Arsenal

Last month at Blackhat Arsenal 2015, Pete and I presented on Serpico. This was our second time at Arsenal. Yet again, awesome people, great venue, and overall a highlight for me of BH/DC/LV. We got some excellent feedback on the project, so thank you to anyone who stopped

cheatsheet

Simple Ruby Exec with Open and Pipe

I was researching something else and thought this was a cool way to execute a command through the open method in ruby: 1 open("|[CMD]")The key is starting the open with pipe. For example, 1 open("|ls")Or to exec and print the result in one line: 1 open(

notes

Exploiting XXE Vulnerabilities in OXML Documents - Part 1

OXML is a common document format; think docx (Microsoft Word Document), pptx (Microsoft Powerpoint), xlsx (Excel Spreadsheet), etc. An OXML document is a zip file containing XML files and any media files. When the document is rendered, the rendering library unzips the document and then parses the containing XML files.

notes

ldapsearch notes

I seem to find open LDAP servers on the Internet more often than I should. Here are some notes on using ldapsearch Installing ldapsearch on Ubuntu1 apt-get install ldap-utilsRoot-DSE objectnmap includes a script to gather info from a LDAP root-dse object (http://nmap.org/nsedoc/scripts/ldap-rootdse.html). We can

notes

Search all Github Repositories for an Organization

gumbler is a script I wrote to search through git commits and introduced in the blog post “Searching Through Git Commits”. Recently I wanted to run Gumbler across all repositories for an organization, the steps are discussed below. First, we need to grab a list of repositories for the ORG.

notes

Searching Through Git Commits

gumbler is a script I wrote to search through git commits. Examples from github are discussed below. .gitignoreA gitignore file is used to specify files that should not be tracked by git (source gitignore). In the default case, gumbler will read the gitignore file for the project and search every

cheatsheet

XML Entity Cheatsheet

An XML Entity testing cheatsheet. Testing was done using an older vulnerable version of nokogiri. In IRB you can require previous versions of gems. Certain techniques (e.g. XInclude) may require additional settings in Nokogiri. XML Headers: 1 2 <?xml version="1.0" standalone="no"?> <?xml version=

notes

IPv6 DNS Guessing Notes

A hostname with an IPv6 address is stored as a AAAA resource record in DNS (see AAAA record). There are many DNS hostname bruteforcing tools, personally I like Fierce. Suppose we have already run our hostname bruteforcing tool against a target domain (e.g. facebook.com). Below we use dig

conferences

Blackhat 2014 Arsenal Experience

Last week at Blackhat Arsenal 2014, Pete and I (@will_is) presented on Serpico. Arsenal was a great experience and I would highly recommend to anyone as an attendee or presenter. We got some great feedback on the project, so thank you to anyone who stopped by. Here were the