UHC - Jarmis

Name: UHC - Jarmis
Uploaded: 2021-09-27T01:34:23Z
Channel: IppSec
Description: 00:00 - Intro going over the attack chain, SSRF to Protocol Smuggling to OMIGod 01:17 - Using nmap and then checking out the website and adding the DNS ...

IppSec · Intermediate ·🔐 Cybersecurity ·4y ago

00:00 - Intro going over the attack chain, SSRF to Protocol Smuggling to OMIGod 01:17 - Using nmap and then checking out the website and adding the DNS Names to our host file 04:20 - Running GoBuster to discover the /docs directory, which is swagger documentation 06:00 - Reading the documentation and explaining JARM Signatures 09:45 - Explaining the front-end which just makes accessing the backend pretty 10:15 - Using Shodan to search JARM Hashes, which would be useful if you're looking for specific attack servers or collisions 11:55 - Dumping all the JARMS by abusing sequential ID's with a fo…

Watch on YouTube ↗ (saves to browser)

Chapters (24)

Intro going over the attack chain, SSRF to Protocol Smuggling to OMIGod

1:17 Using nmap and then checking out the website and adding the DNS Names to our h

4:20 Running GoBuster to discover the /docs directory, which is swagger documentati

6:00 Reading the documentation and explaining JARM Signatures

9:45 Explaining the front-end which just makes accessing the backend pretty

10:15 Using Shodan to search JARM Hashes, which would be useful if you're looking fo

11:55 Dumping all the JARMS by abusing sequential ID's with a for loop and curl

14:04 Whoops... Copied the wrong JARM, this was not cobalt strike lol.

15:50 Running ncat with ssl, and checking if it is malicious... It's not malicious b

16:50 Using metasploit to show it would detect it as malicious

18:40 Using IPTables to change the port on every 11th request with iptables -I PRERO

21:50 Showing Gopher connecting to our ncat

23:25 Finding a way to enumerate ports listening on localhost and discovering 5985 a

26:05 Using wfuzz to bruteforce all ports (1-65535)

29:20 Downloading the OMIGod Exploit to grab the payload which we will use later

33:00 Using openssl to generate private certificates for our python webserver.

33:25 Creating a python webserver that listens on https

35:50 Testing adding a Gopher HTTP Redirect on our custom python webserver

39:50 Explaining that Gopher adds two bytes to the end of the Smuggled Request

41:50 Using burpsuite to build the payload for us and convert it all to URL Encoding

44:00 Updating our payload to have the correct URL for our gopher request

45:00 Showing how to reset the iptables counter

46:40 Showing how to do this exploit with Metasploit by coding a listener

52:40 Debugging the MSF Module we creat

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →