Sunday, January 28, 2024

How Do I Get Started With Bug Bounty?

How do I get started with bug bounty hunting? How do I improve my skills?



These are some simple steps that every bug bounty hunter can use to get started and improve their skills:

Learn to make it; then break it!
A major chunk of the hacker's mindset consists of wanting to learn more. In order to really exploit issues and discover further potential vulnerabilities, hackers are encouraged to learn to build what they are targeting. By doing this, there is a greater likelihood that the hacker will understand the component being targeted and where most issues appear. For example, when people ask me how to take over a sub-domain, I make sure they understand the Domain Name System (DNS) first and let them set up their own website to play around attempting to "claim" that domain.

Read books. Lots of books.
One way to get better is by reading fellow hunters' and hackers' write-ups. Follow /r/netsec and Twitter for fantastic write-ups covering a variety of security-related topics that will not only motivate you but help you improve. For a list of good books to read, please refer to "What books should I read?".

Join discussions and ask questions.
As you may be aware, the information security community is full of interesting discussions ranging from breaches to surveillance and beyond. The bug bounty community consists of hunters, security analysts, and platform staff helping one another get better at what they do. There are two very popular bug bounty forums: Bug Bounty Forum and Bug Bounty World.

Participate in open source projects; learn to code.
Go to https://github.com/explore or https://gitlab.com/explore/projects and pick a project to contribute to. By doing so you will improve your general coding and communication skills. On top of that, read https://learnpythonthehardway.org/ and https://linuxjourney.com/.

Help others. If you can teach it, you have mastered it.
Once you discover something new and believe others would benefit from learning about your discovery, publish a write-up about it. Not only will you help others, you will learn to really master the topic because you can actually explain it properly.

Smile when you get feedback and use it to your advantage.
The bug bounty community is full of people wanting to help others so do not be surprised if someone gives you some constructive feedback about your work. Learn from your mistakes and in doing so use it to your advantage. I have a little physical notebook where I keep track of the little things that I learnt during the day and the feedback that people gave me.


Learn to approach a target.
The first step when approaching a target is always going to be reconnaissance — preliminary gathering of information about the target. If the target is a web application, start by browsing around like a normal user and get to know the website's purpose. Then you can start enumerating endpoints such as sub-domains, ports and web paths.

A woodsman was once asked, "What would you do if you had just five minutes to chop down a tree?" He answered, "I would spend the first two and a half minutes sharpening my axe."
As you progress, you will start to notice patterns and find yourself refining your hunting methodology. You will probably also start automating a lot of the repetitive tasks.

Malware Arsenal Used By Ember Bear (Aka UAC-0056, Saint Bear, UNC2589, Lorec53, TA471, Nodaria, Nascent Ursa, LorecBear, Bleeding Bear, And DEV-0586) In Attacks Targeting Ukraine (Samples)

DMitry: Deepmagic Information Gathering Tool


"DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux Command Line Application coded in C. DMitry has the ability to gather as much information as possible about a host. Base functionality is able to gather possible subdomains, email addresses, uptime information, tcp port scan, whois lookups, and more."


Download: http://packetstormsecurity.org/UNIX/misc/DMitry-1.2a.tar.gz

Saturday, January 27, 2024

Reversing Pascal String Object

Plenty of goodware and malware is developed in Pascal, and we will see that the binaries generated by Pascal compilers are fascinating, not only because of the small, clean output and the clarity of the Pascal code, but also because of the good performance. On Linux we have Lazarus, which is a good free IDE like Delphi and Kylix, the Free Pascal IDE for Windows.

The program:

program strtest;

var
  cstr:  array[0..10] of char;
  s, s2:  ShortString;

begin
  cstr := 'hello world';
  s  := cstr;
  s2 := 'test';
  
  WriteLn(cstr + ' ' + s + ' ' + s2);
end.


We are going to compile it with Free Pascal and Lazarus; the binary size alone differs a lot:

lazarus        242,176 bytes   845 functions
freepascal      32,256 bytes   233 functions
turbopascal      2,928 bytes    80 functions  (wow)

Surprisingly, Turbo Pascal binaries are extremely light.
Let's start with Lazarus:




As expected, it imports some display functions from user32.dll; it also imports kernel32.dll functions and, suspiciously, the string operations from oleaut32.dll.


Our starting point is a function called entry, which calls the console initialization, retrieves some console configuration, and then starts a labyrinth of function calls.



At 10000e8e0 there is the function that calls the main function.

I named it execute_param2 because the second parameter is a function pointer that is executed without arguments, which looks like the typical way of calling main.
And here we are: it's clearly the Pascal user-code main function.


It seems that function 100001800 returns a string object, then its constructor is called to initialize the string, and then the string is passed to other functions that print it to the screen.

This function calls the object's method at 0x1c0 until the byte at 0x89 is a null byte.
What is it doing here?
First of all, let's create the function main:


Simply right-click and choose Create Function:

After a bit of work in Ghidra, here we have main:


Note that struct members at offsets as high as 0x1b0 are not created by default; we should import a .h file with a struct or class definition and place the constructor at that position.

The mysterious function was printing byte by byte until the null byte; the algorithm the compiler implemented in assembly is not as optimized as Turbo Pascal's.
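To make the "print until a null byte" observation concrete, here is an added C model (not code from the post, and not the runtime layout recovered in Ghidra) of the ShortString type the test program declares: a length byte followed by the characters and no terminator. The names ss_from_chars, ss_concat, ss_to_cstr and scan_until_null are assumptions for this demo. It rebuilds the post's output line from the length field and then shows what a null-scanning loop does to a buffer that is only length-delimited.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of a Pascal ShortString as declared in the post's program: one length
   byte followed by up to 255 characters and NO terminating null byte.
   Constructed for this example; the Lazarus object the post walks instead
   keeps a pointer to the text at an offset inside a much larger object. */
typedef struct {
    uint8_t len;
    char    data[255];
} ShortString;

/* cstr := 'hello world' fills a fixed char array; s := cstr copies its bytes
   into the ShortString and sets the length byte. Anything beyond len is junk. */
static void ss_from_chars(ShortString *s, const char *chars, size_t n)
{
    if (n > 255) n = 255;                 /* ShortString truncates at 255 */
    memcpy(s->data, chars, n);
    s->len = (uint8_t)n;
}

/* a + b, truncated at 255 like the Pascal runtime instead of overflowing.
   Goes through a temporary so dst may alias a or b. */
static void ss_concat(ShortString *dst, const ShortString *a, const ShortString *b)
{
    ShortString tmp;
    size_t n = a->len, m = b->len;
    if (n + m > 255) m = 255 - n;
    memcpy(tmp.data, a->data, n);
    memcpy(tmp.data + n, b->data, m);
    tmp.len = (uint8_t)(n + m);
    *dst = tmp;
}

/* Length-based read: the only correct way to consume a ShortString. */
static size_t ss_to_cstr(const ShortString *s, char *out, size_t outsz)
{
    size_t n = s->len;
    if (n >= outsz) n = outsz - 1;
    memcpy(out, s->data, n);
    out[n] = '\0';
    return n;
}

/* Scan-until-null read, the pattern the post saw in the Lazarus print loop.
   On a buffer that is not null-terminated it keeps going past len, so the
   explicit limit is the only thing that stops it here. */
static size_t scan_until_null(const char *p, size_t limit)
{
    size_t i = 0;
    while (i < limit && p[i] != '\0') i++;
    return i;
}

/* Runs the post's program on the model types; returns the printed length. */
static size_t demo_program(char *out, size_t outsz)
{
    char cstr[11];                         /* array[0..10] of char, no null */
    ShortString s, s2, sp, acc;
    memcpy(cstr, "hello world", 11);
    ss_from_chars(&s, cstr, 11);           /* s := cstr */
    ss_from_chars(&s2, "test", 4);         /* s2 := 'test' */
    ss_from_chars(&sp, " ", 1);
    ss_from_chars(&acc, cstr, 11);         /* cstr + ' ' + s + ' ' + s2 */
    ss_concat(&acc, &acc, &sp);
    ss_concat(&acc, &acc, &s);
    ss_concat(&acc, &acc, &sp);
    ss_concat(&acc, &acc, &s2);
    return ss_to_cstr(&acc, out, outsz);
}

/* Shows the mismatch: the length byte says 4, a null scan over the same
   bytes runs to the end of the buffer because nothing terminates the text. */
static size_t overread_demo(uint8_t *len_out)
{
    ShortString s;
    memset(s.data, 'A', sizeof s.data);    /* stale bytes after the text */
    ss_from_chars(&s, "test", 4);
    *len_out = s.len;
    return scan_until_null(s.data, sizeof s.data);
}

int main(void)
{
    char line[256];
    uint8_t len;
    size_t scanned;
    demo_program(line, sizeof line);
    scanned = overread_demo(&len);
    printf("%s\n", line);
    printf("length byte says %u, null scan says %zu\n", len, scanned);
    return 0;
}
```

The second printf is the point: a consumer that trusts a terminator instead of the length field reads whatever follows the text, which is why the length-based path is the one to keep when writing or auditing such code.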

In WinDbg we can see the string object in eax after it has been created but before it has been initialized:

Just before executing the print function, the RCX parameter is the string object, and it is still identical:


Let's see the constructor code.
The constructor address can be guessed statically by walking the cross-references back from main, but I located it by debugging it in dynamic analysis.


The constructor reads only a pointer stored in the string object at offset 0x98.

The pointer at 0x98 is compared with the address of the literal, so now we know that this pointer points to the string.
The statement *string_x98 = literal confirms it: there is no memory copy, the object just points at the literal and reuses it.



Freepascal

The starting labyrinth is bigger than the Lazarus one, so I had to begin the maze from the end: searching for the string "hello world" and then finding its references:


There are two ways to follow references in Ghidra: one is [Ctrl] + [Shift] + F, but there is another trick, which is simply clicking the green reference text in the disassembly.

At first I was unsure and named it possible_main, but it's clearly the Pascal user-code main function.




The char array initialization is converted by the Free Pascal compiler into a runtime initialization using mov instructions.

Narrowing the coverage dynamically, we arrive at the WriteLn function:


EAX holds a pointer to a struct, and the member at 0x24 performs the printing. In cases like this the function can be tracked easily by executing the sample dynamically.

It lands at 0x004059b0, where we see WriteFile, the stdout handle, and the text and size supplied as parameters.


There is some interesting logic for what happens if WriteFile() couldn't write all the bytes, but that is out of scope here.
Let's see how this function is called and how the text and size are supplied, to figure out the string object.
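The short-write handling the post mentions around WriteFile is worth seeing once in full, together with the length-plus-pointer string object of the Free Pascal section. The following C is an added example, not code from the post: the StrObj layout, the write_fn signature, the Sink and the 5-byte chunk size are constructed for the demo, and the field order is not the one from the WinDbg dump. The sink accepts only a few bytes per call so that the partial-write path actually runs offline.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of the string object as the post describes it: a length and a
   pointer to the characters. Constructed layout; the real offsets differ. */
typedef struct {
    size_t      len;
    const char *ptr;
} StrObj;

/* Shape of a write primitive such as WriteFile or write(2): writes up to n
   bytes and returns how many it accepted, or -1 on error. */
typedef long (*write_fn)(void *ctx, const char *buf, size_t n);

/* Naive version: one call, trust whatever came back. With a short write the
   rest of the line is silently lost. */
static long write_once(write_fn w, void *ctx, const StrObj *s)
{
    return w(ctx, s->ptr, s->len);
}

/* Loop until every byte of the string object is out. A zero-byte result is
   treated as an error so the loop can never spin forever. */
static long write_all(write_fn w, void *ctx, const StrObj *s)
{
    size_t done = 0;
    while (done < s->len) {
        long r = w(ctx, s->ptr + done, s->len - done);
        if (r <= 0) return -1;
        done += (size_t)r;
    }
    return (long)done;
}

/* Constructed sink: accepts at most `chunk` bytes per call and records what
   it received and how many calls were made. */
typedef struct {
    char   out[256];
    size_t used;
    size_t chunk;
    int    calls;
} Sink;

static long sink_write(void *ctx, const char *buf, size_t n)
{
    Sink *sk = ctx;
    if (n > sk->chunk) n = sk->chunk;
    if (sk->used + n > sizeof sk->out) return -1;
    memcpy(sk->out + sk->used, buf, n);
    sk->used += n;
    sk->calls++;
    return (long)n;
}

/* The post's 28-byte output line (constructed here) through a sink that takes
   5 bytes per call. Returns the number of calls; total bytes via out-param. */
static int demo_partial_writes(long *total_out)
{
    static const char text[] = "hello world hello world test";
    StrObj s = { sizeof text - 1, text };
    Sink sk = { {0}, 0, 5, 0 };
    *total_out = write_all(sink_write, &sk, &s);
    return sk.calls;
}

/* Same line through the naive writer: only the first chunk survives. */
static long demo_naive(void)
{
    static const char text[] = "hello world hello world test";
    StrObj s = { sizeof text - 1, text };
    Sink sk = { {0}, 0, 5, 0 };
    return write_once(sink_write, &sk, &s);
}

int main(void)
{
    long total;
    int calls = demo_partial_writes(&total);
    printf("write_all: %ld bytes in %d calls\n", total, calls);
    printf("write_once: %ld bytes\n", demo_naive());
    return 0;
}
```

The same loop shape is what to look for when reading a runtime's output path in a disassembler: a retry around the write call keyed on the returned count, rather than a single call whose result is ignored.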



EBX holds the string object, and there are two fields: a pointer to the string at 0x18 and the length at 0x18. Let's verify it in WinDbg.


And here we have the string object: 0x0000001e is the length and 0x001de8a68 is the pointer.


Thanks @capi_x for the pascal samples.

Mojo Vs Rust, Basic Test And Binary Perspective.

Hello. First of all, I'm not going to do an algorithmic benchmark, just a simple loop + print test and some checks on the generated binaries.

The system is Debian 12 Linux and the architecture is x86 64-bit.



Rust

Mojo


Mojo doesn't allow the .py extension; it has to be .mojo, so there is no default nvim highlighting...


$ mojo build mojo_benchmark.mojo
$ time ./mojo_benchmark
...
real 0m0.342s
user 0m0.080s
sys 0m0.252s

$ rustc rust_benchmark.rs
$ time ./rust_benchmark
...
real 0m0.107s
user 0m0.012s
sys 0m0.049s


I noticed a speed increase using fish shell instead of bash, but it could be the environment variable stack overhead.


So in this specific test Rust is much faster. Also, the Rust compiler suggests using _ instead of i, which the Mojo compiler doesn't.

The Rust binary is bigger, but that is because the allocator is embedded:

-rwxr-xr-x 1 sha0 sha0 1063352 Jan 10 08:55 mojo_benchmark
-rwxr-xr-x 1 sha0 sha0 4632872 Jan 10 08:57 rust_benchmark


But look at this: Mojo uses libstdc++ and libc, and Rust only uses libc.

$ ldd -d mojo_benchmark
linux-vdso.so.1 (0x00007ffd94917000)
libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007fe899cb1000)
libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fe899a00000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fe899921000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fe899c91000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe899740000)
/lib64/ld-linux-x86-64.so.2 (0x00007fe899d2c000)

$ ldd -d rust_benchmark
linux-vdso.so.1 (0x00007ffde67b7000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f8b3881b000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8b3863a000)
/lib64/ld-linux-x86-64.so.2 (0x00007f8b388ae000)



Let's check the binary.
All the unused Python built-ins are written into the binary, and Rust does the same in this case.

mojo

rust




Steps until libc write:

Mojo



Rust


OK, wait: rustc, like cargo, is in debug mode by default, which is the slower build; the equivalent of cargo --release, which is much faster, is rustc -O rust_benchmark.rs

real 0m0.107s
user 0m0.005s
sys 0m0.056s


This simple program doesn't benefit from the optimizations.


Rust


We went from 30 calls to 27.
I'm not going to criticize the number of calls, because Rust does its magic and ends up faster.

Mojo makes only 7 calls, but the runtime seems slower.

Regarding memory operations, it seems that Mojo, like Rust, is borrow-checked at compile time.

https://docs.modular.com/mojo/programming-manual.html#behavior-of-destructors


Rust decompiled


Rust disassembled





Mojo decompiled





Mojo disassembled



So we have two things: the speed of the generated assembly, and especially the runtime speed.

Looking at the Rust assembly, it writes the string pointer to the stack on every iteration, even though it is the same pointer every time.

However, the Mojo loop is more optimized: the parameter and the call address are precomputed before the loop.


So Mojo is generating optimized code, but its C++ API seems slower, at least print().

Regards.