PenTesting / Scanning Cached/Load Balanced Targets


As part of the PCI certification process, external-facing applications that are in scope of the PCI environment require a PCI ASV scan. If these external-facing applications use load balancing and/or caching, please be aware of the following. (Examples of load balancers include F5 LTM, AWS Elastic Load Balancer and AWS CloudFront.)

Any load balancer using a full-proxy architecture terminates your TCP connection at the virtual load-balanced IP (VIP) and then opens a second connection to proxy your scans and requests to a pool of backend application servers. The rules on the load balancer decide which member of the pool receives that second connection, so you have no way of knowing which pool member you have scanned: the backend server's IP is never returned to the host from which you established the initial TCP connection to the VIP. To allow a PCI ASV scan, add the scanner's origin addresses to an allow list so that your servers can temporarily be scanned directly.

Please consider the following when determining the number of IP addresses required for the external scan:

  1. There are no load balancers in front of any in-scope servers:
    • Each external IP address / URL is counted as an individual IP.
  2. All servers behind the load balancers are identical and synchronized:
    • The external-facing VIP or load-balanced URL/IP is counted as a single IP. (Allow the scanning origin temporarily so that your servers can be scanned directly.)
  3. Servers behind the load balancers are not identical or not synchronized:
    • Each individual server IP must be scanned instead of the VIP. (Allow the scanning origin temporarily so that all servers can be scanned directly.)
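The three cases above can be turned into a repeatable scoping check. The script below is an added example written for this post, not the post author's or any ASV's tooling: it fingerprints repeated answers received through a VIP, treats any drift between them as evidence that the pool is not identical and synchronized (case 3), and otherwise counts the VIP as one target (case 2). The inventory, header values and addresses are constructed sample data in RFC 5737 documentation ranges; only probe_vip() touches a network and it is not exercised here.

```python
"""Scope a PCI ASV scan when some in-scope hosts sit behind a load balancer."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Pool:
    vip: str            # externally reachable VIP or load-balanced hostname
    members: List[str]  # backend pool members, reachable only once the scan origin is allow-listed


def fingerprint(status: int, headers, body: bytes) -> dict:
    """Reduce one HTTP response to the fields that change when pool members drift."""
    return {
        "status": status,
        "server": headers.get("Server", ""),
        "powered_by": headers.get("X-Powered-By", ""),
        "body_sha256": hashlib.sha256(body).hexdigest(),
    }


def probe_vip(url: str, attempts: int = 5, timeout: float = 5.0) -> List[dict]:
    """Fetch url repeatedly through the VIP and fingerprint every answer (network; not run offline)."""
    import urllib.request
    results = []
    for _ in range(attempts):
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            results.append(fingerprint(resp.status, resp.headers, resp.read()))
    return results


def drift_fields(fingerprints: List[dict]) -> List[str]:
    """Fields whose values varied across the probes; empty when every answer matched."""
    if not fingerprints:
        return []
    first = fingerprints[0]
    return sorted({k for fp in fingerprints[1:] for k, v in fp.items() if first.get(k) != v})


def pool_is_synchronized(fingerprints: List[dict]) -> bool:
    """Case 2 needs identical, synchronized members: every recorded probe must match."""
    return bool(fingerprints) and not drift_fields(fingerprints)


def scan_targets(standalone: List[str], pools: List[Pool],
                 probes: Dict[str, List[dict]]) -> Tuple[List[str], List[str]]:
    """Apply the three cases from the post and return (targets, notes).

    standalone: in-scope hosts with no load balancer (case 1: counted one by one).
    pools: load-balanced pools; probes maps each VIP to fingerprints gathered through it.
    """
    targets = list(standalone)
    notes = []
    for pool in pools:
        fps = probes.get(pool.vip, [])
        if pool_is_synchronized(fps):
            # Case 2: the VIP counts as one IP. The scanner origin still has to be
            # allow-listed so the scan reaches the servers directly.
            targets.append(pool.vip)
            notes.append(f"{pool.vip}: answered identically in {len(fps)} probes; scan the VIP")
        else:
            # Case 3, or no evidence at all: every member is scanned individually.
            targets.extend(pool.members)
            why = "no probes recorded" if not fps else "drift in " + ", ".join(drift_fields(fps))
            notes.append(f"{pool.vip}: {why}; scan each member {pool.members}")
    return targets, notes


def sample_inventory():
    """Constructed sample: one standalone host plus two pools, one of which has drifted."""
    same = fingerprint(200, {"Server": "nginx/1.18.0"}, b"<html>release 42</html>")
    newer = fingerprint(200, {"Server": "nginx/1.20.1"}, b"<html>release 42</html>")
    standalone = ["203.0.113.10"]
    pools = [Pool("203.0.113.20", ["198.51.100.5", "198.51.100.6"]),
             Pool("203.0.113.30", ["198.51.100.7", "198.51.100.8"])]
    probes = {"203.0.113.20": [same, same, same, same],
              "203.0.113.30": [same, newer, same, newer]}
    return standalone, pools, probes


if __name__ == "__main__":
    targets, notes = scan_targets(*sample_inventory())
    print("targets:", targets)
    for note in notes:
        print(" -", note)
```

A clean set of probes is supporting evidence, not proof: as the post says, you cannot tell which member answered, and session persistence, hash-based pool selection or an idle member can keep one server out of the sample. Treat observed drift as a definite case-3 trigger and a clean result as something to confirm against the load balancer's own pool configuration.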

Malware analysis

DDoS for Research Only

DOS Attacks and Free DOS Attacking Tools

“In order to protect one must understand how to exploit” – me just now

Disclaimer: Most countries have very strict telecommunications and computer abuse laws. Just running these commands against anyone could put you in jail for 99 years. These tools are easily detected.

Cyber Security


Running a WebSite is a PAIN

Just some things I am doing to optimise my website and stop it getting DDoSed.


# mod_rewrite has to be switched on once in the .htaccess (or vhost) before any rule
RewriteEngine On
# Two conditions joined by [OR]: a user agent containing any listed name matches, case-insensitively ([NC])
RewriteCond %{HTTP_USER_AGENT} ^.*(Ahrefs|Baidu|BlogScope|Butterfly|DCPbot|discoverybot|domain|Ezooms|ImageSearcherFree).*$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(ips-agent|linkdex|MJ12|Netcraft|NextGenSearchBot|SISTRIX|Sogou|soso|TweetmemeBot|Unwind|Yandex).*$ [NC]
# Matching bots get an external redirect ([R], 302 by default) to loopback and rule processing stops ([L])
RewriteRule ^/?.*$ "http\:\/\/127\.0\.0\.1" [R,L]

  • Install ZB Block
  • Country-block rogue nations that are not your customers (Ukraine, etc.)
  • Reduce the crawl rate for known bots

User-agent: msnbot
Crawl-delay: 1

No crawl delay set – Normal
1 – Slow
5 – Very Slow
10 – Extremely Slow
  • Send rogue bots back home

# (empty user agent OR a generic bot/crawl/robot token, case-sensitive because there is no [NC] on that line)
# AND not one of the search engines worth keeping
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} (bot|crawl|robot)
RewriteCond %{HTTP_USER_AGENT} !(bing|Google|msn|MSR|Twitter) [NC]
RewriteRule ^/?.*$ "http\:\/\/127\.0\.0\.1" [R,L]


# Apache 2.2 access control: deny everything except one allowed network for the listed methods
# (Apache 2.4 expresses the same with "Require ip 103.51.61.0/24"). Only GET, HEAD and POST are
# restricted here; other methods stay open, which is why the Apache docs prefer an unconditional
# block or <LimitExcept> for access control.
<Limit GET HEAD POST>
order deny,allow
deny from all
allow from 103.51.61.0/24
</Limit>

  • Disable Joomla User registration
List the existing accounts in the Joomla user view, then remove everything that is not the administrator account:
administrator/index2.php?option=com_users&task=view&limit=1000
-- table prefix sgj_ is this site's own; NOT LIKE without a wildcard is an exact
-- (collation-dependent, usually case-insensitive) comparison
DELETE FROM `sgj_users` WHERE `name` NOT LIKE 'Administrator';
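Before deploying user-agent rewrite rules like the two sets above it pays to check what they actually let through. The script below is an added example, not part of the original post: it transcribes the post's two RewriteCond chains into Python regexes and runs a handful of constructed user-agent strings through them, so the rule order and the missing [NC] on the generic token rule can be seen in the verdicts.

```python
"""Replay the .htaccess user-agent rules from the post against sample user agents."""
import re

# Stage 1: the explicit block list, case-insensitive ([NC]) like the rules above.
LISTED = re.compile(
    r"(Ahrefs|Baidu|BlogScope|Butterfly|DCPbot|discoverybot|domain|Ezooms|ImageSearcherFree"
    r"|ips-agent|linkdex|MJ12|Netcraft|NextGenSearchBot|SISTRIX|Sogou|soso|TweetmemeBot|Unwind|Yandex)",
    re.IGNORECASE,
)
# Stage 2: (empty UA OR generic crawler token) AND NOT a known search engine.
# The generic token condition has no [NC] in the post, so it is case-sensitive here as well.
GENERIC = re.compile(r"(bot|crawl|robot)")
EXEMPT = re.compile(r"(bing|Google|msn|MSR|Twitter)", re.IGNORECASE)


def verdict(user_agent: str) -> str:
    """Mimic the rule order: stage 1 first, then stage 2; 'allow' means no rewrite fired."""
    if LISTED.search(user_agent):
        return "redirect:listed"
    if (user_agent == "" or GENERIC.search(user_agent)) and not EXEMPT.search(user_agent):
        return "redirect:generic"
    return "allow"


# Constructed strings modelled on the shape of real crawler and browser user agents.
SAMPLES = {
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "bingbot": "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
    "ahrefs": "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)",
    "empty": "",
    "unknown_crawler": "NewSiteCrawler/1.0 (+http://crawler.example/info)",
    "capital_bot": "ExampleBot/1.0 (+http://example.test/info)",  # 'Bot' is not 'bot' for stage 2
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
}


def evaluate(samples=SAMPLES) -> dict:
    """Verdict for every sample, keyed by the sample's name."""
    return {name: verdict(ua) for name, ua in samples.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:16} {result}")
```

The capital_bot row is the one to look at: a crawler announcing itself as ExampleBot passes stage 2 because the token match is case-sensitive, so adding [NC] to that RewriteCond closes the gap. Separately, the [R] flag answers with a 302 to 127.0.0.1, which a bot may simply follow; the [F] flag returns 403 instead, which ends the exchange at your server and shows up cleanly in the access log.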

Exploiting Unicode Character RTL ‘RIGHT-TO-LEFT OVERRIDE’ (U+202E)


This is one of the easiest exploits to implement on Microsoft Windows systems, yet it is impossible to mitigate against. It can be used for domain names as well: http://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing

Obfuscating Executables

Examples

  • CORP_INVOICE_08.14.2011_Pr.phyldoc.exe was made to display as CORP_INVOICE_08.14.2011_Pr.phylexe.doc by placing the Unicode right-to-left override character just before the “d” in “doc”.
  • SexyAlexe.ppt -> SexyAl\xe2\x80\xaetpp.exe
  • SexyAl\xe2\x80\xaetpp.exe
  • SexyAl\u202Etpp.exe
  • \xe2\x80\xaecod.yrammus_evituc\xe2\x80\xad2011.exe
  • \u202Ecod.yrammus_evituc\u202D2011.exe
  • \xe2\x80\xaetpp.stohsnee\xe2\x80\xadfunny.scr
  • \u202Etpp.stohsnee\u202Dfunny.scr
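The byte and code-point spellings in the list above are the same filenames, and a mail gateway or upload handler can unmask them without any help from the file manager. The script below is an added example written for this post, not the post author's code: it flags names that carry explicit directional formatting characters, strips them to recover the real extension, and renders the displayed form by applying the embedding-level reversal of the Unicode bidirectional algorithm (rule L2) to explicit overrides only. That simplification is an assumption that holds for ASCII filenames wrapped in RLO/LRO, which is the case described above; it is not a full UAX #9 implementation. The sample names are the post's own examples plus one constructed benign name.

```python
"""Detect and de-spoof filenames that carry Unicode bidi override characters."""
import os

RLO, LRO, PDF = "\u202e", "\u202d", "\u202c"
# Explicit directional formatting characters an ordinary filename never needs.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}


def has_bidi_override(name: str) -> bool:
    """True when the name contains any explicit bidi formatting character."""
    return any(ch in BIDI_CONTROLS for ch in name)


def true_name(name: str) -> str:
    """The filename as the OS opens it: controls removed, real extension intact."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def true_extension(name: str) -> str:
    """Extension the OS will act on, lower-cased (e.g. '.exe')."""
    return os.path.splitext(true_name(name))[1].lower()


def displayed_name(name: str) -> str:
    """Approximate what a file manager renders for a name built from RLO/LRO/PDF.

    Each character gets the embedding level of the innermost open override (RLO: next
    odd level, LRO: next even level, PDF: pop), then UAX #9 rule L2 reverses every
    run at or above each level from the highest down to 1.
    """
    chars, levels, stack = [], [], [0]
    for ch in name:
        if ch == RLO:
            stack.append(stack[-1] + (1 if stack[-1] % 2 == 0 else 2))
        elif ch == LRO:
            stack.append(stack[-1] + (2 if stack[-1] % 2 == 0 else 1))
        elif ch == PDF:
            if len(stack) > 1:
                stack.pop()
        elif ch in BIDI_CONTROLS:
            continue  # marks and isolates are dropped from this simplified model
        else:
            chars.append(ch)
            levels.append(stack[-1])
    for k in range(max(levels, default=0), 0, -1):
        i = 0
        while i < len(chars):
            if levels[i] < k:
                i += 1
                continue
            j = i
            while j < len(chars) and levels[j] >= k:
                j += 1
            chars[i:j] = chars[i:j][::-1]
            levels[i:j] = levels[i:j][::-1]
            i = j
    return "".join(chars)


def report(name: str) -> dict:
    """What the user sees, what the OS sees, and whether the two disagree on the extension."""
    shown = displayed_name(name)
    return {
        "displayed": shown,
        "actual": true_name(name),
        "extension": true_extension(name),
        "spoofed": has_bidi_override(name)
        and os.path.splitext(shown)[1].lower() != true_extension(name),
    }


SAMPLES = [
    b"SexyAl\xe2\x80\xaetpp.exe".decode("utf-8"),   # the post's byte form, same as the \u202E form
    "\u202Ecod.yrammus_evituc\u202D2011.exe",
    "\u202Etpp.stohsnee\u202Dfunny.scr",
    "quarterly_report.docx",                        # constructed benign name
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = report(sample)
        print(f"{r['displayed']!r:34} actual={r['actual']!r:34} ext={r['extension']} spoofed={r['spoofed']}")
```

The true_extension() result is the value to apply policy to at the gateway; since legitimate filenames have no use for the characters in BIDI_CONTROLS, rejecting or quarantining any attachment whose name contains one is the simplest rule and needs no rendering logic at all.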