Learn Penetration Testing And Ethical Hacking Online.


    How to set up fronting from AWS to another hosting provider

    Broadly speaking, the fronting technique consists of hiding the real source of a site's content behind another, permitted, domain name.
    It has existed for a long time, but it has regained relevance because of the barriers raised on the internet to censor, filter and block access to certain content, generally for political or ideological reasons.
    Fronting works at the application layer and lets users reach content blocked by the most common techniques: IP blocking, DNS filtering and even packet inspection. What the network sees is a connection to an authorized host (the DNS lookup and the TLS handshake carry that host's name); the real destination travels in the HTTP Host header, which only becomes visible once the encrypted connection has been established. For that reason fronting only works over HTTPS.
    There are many tutorials on using a CDN (Content Delivery Network) in Amazon Web Services to serve content from several sources in case one of them goes offline. However, we found no explanation of how to do this when the content does not come from a site hosted on AWS, so we decided to write this guide.

    In our example we will use the following names:

    subdomain.domain.com : our subdomain, on AWS, with which we will do the obfuscation
    www.otrodominio.com/ruta/al/subdominio : the origin of the content that will be shown under subdomain.domain.com

    The first thing to do is enable fronting at the hosting provider of www.otrodominio.com, since most providers disable it by default to prevent phishing. (Later we will publish a guide on checking whether your own domain can be fronted by malicious users.)
    We cannot describe in detail how to enable fronting at your provider, since it differs from one to another; when in doubt, ask the provider's support team.

    Then we go to AWS and create a CNAME record for subdomain.domain.com. For now it does not matter where it points, since we will change it later. In Route 53 we select our hosted zone and create a new record with "Create Record Set":

    We choose CNAME as the type, put our subdomain as the name and, as the value, anything at all, for example www.google.com :

    Then we go to CloudFront and create a new distribution:

    We select the Web option, enter the domain of the content source (www.otrodominio.com) as the origin domain name and, if there is one, the path (ruta/al/subdominio) as the origin path.
    We enter the alternate domain name (CNAME) we chose for it, subdomain.domain.com, and select the certificate type. In this case we chose a public certificate issued by Amazon for our domain:

    We accept and, while the distribution deploys (about 20 minutes), we take note of the CloudFront domain name generated for it. It has the form a1b2c3d4c5.cloudfront.net.
    We copy it, go back to the CNAME we created earlier and replace whatever value we put there (www.google.com in this example) with this new domain.

    Finally, we connect over SSH to our AWS host with whatever method we configured (.pem key, user and password, etc.), make sure the proxy modules are enabled (mod_proxy, mod_proxy_http and mod_ssl; on Debian/Ubuntu with a2enmod, followed by an Apache reload) and, depending on the Apache version installed, edit /etc/apache2/apache2.conf or the site file in /etc/apache2/sites-available/, domain.com.conf (the name will be that of your domain), adding the following lines:
    <VirtualHost *:80>
            ServerName subdomain.domain.com
            # Proxying to an https:// backend requires mod_ssl's proxy support
            SSLProxyEngine On
            # The first argument ends in "/", so the target must end in "/" too
            ProxyPass        / https://www.otrodominio.com/ruta/al/subdominio/
            ProxyPassReverse / https://www.otrodominio.com/ruta/al/subdominio/
    </VirtualHost>
    ServerAlias takes bare hostnames, not URLs, so no separate http:// and https:// entries are needed; a single virtual host serves the name. Without SSLProxyEngine On, Apache refuses to proxy to an https:// target, and without the trailing slash on the target a request for /index.php would be joined to ...subdominio with no separator in between.
    With this we make sure that whatever the user requests on subdomain.domain.com reaches www.otrodominio.com/ruta/al/subdominio over HTTPS.

    Finally, once CloudFront has finished creating the distribution (its status changes from In Progress to Deployed), we can test the fronting by opening subdomain.domain.com/index.php, or any path that exists only under www.otrodominio.com/ruta/al/subdominio/, for example www.otrodominio.com/ruta/al/subdominio/otra/ruta/test.php. We open subdomain.domain.com/otra/ruta/test.php and there it is: the content from www.otrodominio.com, while the URL the browser shows is subdomain.domain.com!
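    The browser test above only tells you that the page loads. The following script, an added example written for this post (it is not a tool from AWS or from the original author), checks the mechanism described at the start of the guide directly: it opens a TLS connection whose DNS lookup and SNI carry one name and then asks, inside the encrypted tunnel, for a different name in the Host header. Pointed at www.otrodominio.com with Host: subdomain.domain.com it verifies the "enable fronting at the hosting" step; pointed at your own domain with a foreign Host it is the "can my domain be fronted" check promised above. The host names, the marker string and the status-code verdicts (403 and 421 Misdirected Request as "blocked") are assumptions made for the example.

```python
"""Probe whether a server answers for a Host header that differs from the TLS name.

Added example for this post, not vendor or project code.  The two host
names are the post's placeholders; the verdict table is an assumption.
"""
import socket
import ssl

FRONT_HOST = "www.otrodominio.com"    # name the network sees: DNS lookup and TLS SNI
INNER_HOST = "subdomain.domain.com"   # name carried inside the encrypted Host header


def build_request(inner_host, path="/"):
    """Raw HTTP/1.1 request whose Host header names the site we really want."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {inner_host}\r\n"
        "User-Agent: fronting-probe\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(raw):
    """Status code of a raw HTTP response, or None if it is not HTTP at all."""
    status_line = raw.partition(b"\r\n")[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def classify(status, body, marker=None):
    """Verdict on a fronted request.

    marker: bytes that only the inner host's page contains.  Without it a
    2xx could simply be the front's default site served under the wrong name.
    """
    if status is None:
        return "no-http-response"
    if status in (403, 421):   # 421 Misdirected Request: server does not own that Host
        return "fronting-blocked"
    if 200 <= status < 400:
        if marker is not None and marker not in body:
            return "served-other-content"
        return "fronting-works"
    return "inconclusive"


def probe(front_host, inner_host, path="/", marker=None, timeout=10):
    """Connect to front_host (DNS + SNI) and ask, inside TLS, for inner_host."""
    ctx = ssl.create_default_context()
    chunks = []
    with socket.create_connection((front_host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=front_host) as tls:
            tls.sendall(build_request(inner_host, path))
            while True:
                try:
                    data = tls.recv(4096)
                except (ssl.SSLError, OSError):
                    break
                if not data:
                    break
                chunks.append(data)
    raw = b"".join(chunks)
    status = parse_status(raw)
    body = raw.partition(b"\r\n\r\n")[2]
    return status, classify(status, body, marker)


if __name__ == "__main__":
    # Does otrodominio's hosting answer for subdomain.domain.com?  Needs network access.
    print(probe(FRONT_HOST, INNER_HOST, "/otra/ruta/test.php", marker=b"test.php"))
```

    Pass as marker a string that only the hidden page contains; a 200 that lacks it means the server ignored the Host header and served its default site, which is not fronting. A provider that answers 403 or 421 to the mismatched Host has fronting disabled, which is the default the first step of the guide asks you to change.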

    For several days many people had been contacting me to ask how to recover files encrypted by ransomware, so I decided to write this post to explain how to carry out the process and recover your files. First of all, I should clarify that I have not had any experience with this type of virus: this post is a compilation of the best posts on the subject, taken from recognized sites; those passages will be in italics and the original links will be in the heading of each section. My own text and personal opinions will be in this font.
    What is ransomware?  Ransomware is malicious software that, once it infects our computer, lets the criminal lock the PC from a remote location and encrypt our files, taking control of all the stored information and data. To unlock it, the virus shows a pop-up window asking us to pay a ransom.
    Example image of a PC infected by ransomware:
    How does ransomware work?
      1) It is camouflaged inside another file or a program the user wants and is invited to click on: email attachments, videos from pages of doubtful origin, or even fake updates of software that is normally trustworthy, such as Windows or Adobe Flash.
      2) Once it has penetrated the computer, the malware activates, locks the whole operating system and shows the warning message with the threat and the amount of the "ransom" that has to be paid to get all the information back. The message varies with the ransomware family: pirated content, pornography, a fake virus...
      3) To heighten the victim's uncertainty and fear, the threat sometimes includes the IP address, the internet provider and even a photograph captured from the webcam.
     How to avoid ransomware? The practices for avoiding this malware are the same ones we should follow to avoid other viruses:
    - Keep the operating system updated to close security holes.
    - Have a good antivirus product installed and keep it updated.
    - Do not open emails or files from unknown senders.
    - Avoid browsing unsafe pages or pages with unverified content.

    Ransomware on Windows.

    This guide provides instructions and a link to download and use the latest Trend Micro Ransomware File Decryptor tool to try to decrypt files encrypted by certain ransomware families. As an important reminder, the best protection against ransomware is preventing it from ever reaching your system. While Trend Micro constantly updates its tools, ransomware authors also constantly change their methods and tactics, which can make older versions of tools like this obsolete over time. Customers are advised to follow these practices:
    1) Keep regular backups of your most important and critical data offline or in the cloud.
    2) Always apply the latest critical updates and patches for your operating system and other key software (e.g. browsers).
    3) Keep security tools such as Trend Micro's installed in their latest versions and configured to provide multi-layer protection.
      Types of ransomware supported.
    The following table shows the ransomware families supported by this tool, identified by the extension of the encrypted file.
    1. Click the Download button to get the latest version of the Trend Micro Ransomware File Decryptor tool. Unzip it and run RansomwareFileDecryptor.exe or TeslacryptDecryptor.exe. Download RansomwareFileDecryptor
      Download TeslacryptDecryptor
    2. After running it, accept the license to proceed.
    3. After accepting the license, follow the tool's instructions step by step.


    Because of the strong encryption used by this particular crypto-ransomware, only partial decryption of files affected by CryptXXX V3 is currently possible.
    After the decryption attempt the tool will try to repair certain file formats, including DOC, DOCX, XLS, XLSX, PPT and PPTX (the common Microsoft Office formats).
    The repaired file keeps the original file name with "_fixed" appended and is placed in the same folder. When you open the repaired file in Microsoft Office it may offer to repair the file again, and that process may be able to recover the document.
    Keep in mind that, because of the different versions and particular behaviours of Microsoft Office files, this method does not guarantee that the document will be fully recovered. For other file types, after partial decryption users may need a third-party repair tool for corrupted files (such as the open source program JPEGsnoop) to try to recover the whole file.
    For example, a partially recovered photo or image file may display parts of the image but not all of it. The user can then decide whether the file is important enough to use a third-party tool or to engage a professional file recovery service.
    Image before being infected:

    Image after recovery:

    Linux ransomware

    Windows is the most used operating system on the network, so most developers, hackers included, usually release their software for it. However, little by little the market share of Linux keeps growing, especially in professional environments and on servers, which increasingly draws attackers' attention to this operating system.
    Ransomware is one of the most dangerous types of malware of recent times. When it infects a user it immediately starts encrypting all of their data, so that the only way to recover it is to pay a "ransom", with no guarantee that, even after paying these criminals, we will receive the decryption key.
    Until now this type of malware only affected Windows users, who already had a hard enough time defending against it, since it is difficult to identify and remove even with the main antivirus signatures; however, Windows users may no longer be the only ones affected.
    Doctor Web, an important Russian security company, has detected the first ransomware threat for Linux users, focused on infecting and hijacking the servers used to host web pages. The threat, named Linux.Encoder.1 by the company, is written in C, uses the PolarSSL library to establish encrypted connections that cannot be eavesdropped, and installs itself as a system service, or daemon, before starting its dreaded work.
    How does this ransomware work?
     Once running on the system, the malware walks the file system looking for the directories typically used for developing and hosting web pages. Once found, it starts encrypting all the files hosted there, along with the documents, personal files and media files found on the computer or server. For encryption it uses AES-128 in CBC mode.
    When it finishes, it creates a text file with the instructions for recovering the files, the payment address and the amount to pay, which in this case is 1 Bitcoin.
    Reach of this ransomware.
    Home users are also at risk from this ransomware.
    Although its main targets are web servers, ordinary users are not out of danger. According to security experts, this malware can easily be ported to infect and attack all kinds of equipment, for example the NAS devices that are increasingly common in homes as a server or network storage system.
    Luckily, it is not as simple as it seems. Thanks to the Linux permission system, running this malware on a Linux server or computer requires root privileges, so if we keep the superuser account under control it is harder for this malware to affect us, unless it exploits a privilege escalation vulnerability or someone runs it manually with those privileges.
    How do I recover my files on Linux?
    Bitdefender was the first security vendor to release a decryption tool that automatically restores the affected files to their original state. The tool determines the IV and the encryption key just by analysing the file, then decrypts it and fixes the file permissions. If you can still boot the compromised system, download the script and run it as root.
    To download the tool and learn how to run it, we invite you to read this BitDefender post .
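    Why can a tool recover the key "just by analysing the file"? Bitdefender's analysis of Linux.Encoder.1 found that the key and IV came from the C library's rand() seeded with the time at the moment of encryption, and that same moment is preserved as the modification timestamp of every file the malware rewrote. The following added example, written for this page and not Bitdefender's script, reproduces only that flaw so it runs with the standard library alone: Python's random.Random stands in for rand(), an XOR keystream stands in for AES-128-CBC, and the fake PDF, the timestamp and the seed window searched in recover() are constructed for the demonstration, not taken from the real tool.

```python
"""Time-seeded key generation recovered from a file's own mtime.

Added example for this page; not Linux.Encoder.1's code and not
Bitdefender's decryptor.  Stand-ins: random.Random for libc rand(),
an XOR keystream for AES-128-CBC.  Sample data is constructed.
"""
import os
import random
import tempfile

KEY_LEN = 16  # AES-128 key and CBC IV are 16 bytes each


def derive_key_iv(seed):
    """The flaw: key and IV both follow from one integer, the encryption time."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(KEY_LEN))
    iv = bytes(rng.getrandbits(8) for _ in range(KEY_LEN))
    return key, iv


def keystream_xor(data, key, iv):
    """Toy symmetric cipher standing in for AES-CBC: XOR with a key/IV-seeded stream."""
    rng = random.Random(key + iv)
    return bytes(b ^ rng.getrandbits(8) for b in data)


def ransomware_encrypt(path, now):
    """Rewrite the file as the weak scheme does; `now` is the encryption time.

    Returns the key only so a reader can compare it with what recover() finds.
    """
    key, iv = derive_key_iv(now)
    with open(path, "rb") as f:
        plain = f.read()
    with open(path, "wb") as f:
        f.write(keystream_xor(plain, key, iv))
    os.utime(path, (now, now))  # the rewrite leaves the encryption time as mtime
    return key


def recover(path, window=60, magic=b"%PDF"):
    """Decrypt using nothing but the file: try seeds around its mtime.

    `magic` is the expected leading bytes of the plaintext (assumed here to be
    a PDF header) used to confirm a candidate seed; `window` is the number of
    seconds either side of the mtime to search.
    """
    mtime = int(os.stat(path).st_mtime)
    with open(path, "rb") as f:
        cipher = f.read()
    for seed in range(mtime - window, mtime + window + 1):
        key, iv = derive_key_iv(seed)
        plain = keystream_xor(cipher, key, iv)
        if plain.startswith(magic):
            return seed, plain
    return None, None


def demo():
    """Constructed sample: encrypt a fake PDF, then recover it with no key at all."""
    sample = b"%PDF-1.4\n% constructed sample document\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
        path = tmp.name
    try:
        encrypt_time = 1446681600  # arbitrary fixed timestamp for the demo
        ransomware_encrypt(path, encrypt_time)
        seed, plain = recover(path)
    finally:
        os.unlink(path)
    return seed == encrypt_time and plain == sample


if __name__ == "__main__":
    print("recovered without the key:", demo())
```

    The search window exists because a real file's mtime may lag the seed by the seconds the encryption took; a scheme whose key space is a few hundred timestamps is broken no matter how strong the block cipher behind it, which is the whole lesson of the Bitdefender tool.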
    We should clarify that after your system has been infected by ransomware it is advisable to back up your data and reinstall the system from scratch, to be sure the virus is no longer on the machine. After restoring your data onto the new system, scan it with your antivirus software.


    1) Create restore points and back up your files at least twice a week.
    2) Be cautious when running a program or script; only do so if its source is trustworthy.
    3) Use good antivirus software (if you are a Windows user), such as Kaspersky, ESET NOD32 Smart Security or ClamAV (RECOMMENDED), the latter being open source and also available for GNU/Linux.
    4) Use Firefox and follow the browsing advice in these posts: How to browse anonymously without being tracked and Privacy and security on the network .
    5) Besides the tools mentioned above, we can use these other tools, which serve the same purpose, in case the first one does not give the expected results.
    6) Use GNU/Linux as your operating system.