Auditing SOAP Web Services with Burpsuite without using SoapUI




Yes, you heard it right! We can audit SOAP web services without using SoapUI.

Introduction:- 

WSDL (Web Services Description Language) files are XML-formatted descriptions of the operations a web service exposes to its clients. They list the possible requests, along with the parameters an application uses to communicate with the service. This is great for penetration testers, because we can test and manipulate a web service using the information in its WSDL file.

BurpSuite is one of the best tools for intercepting HTTP/HTTPS requests and responses, and SOAP web service traffic can be intercepted directly in Burp.

General approach while auditing/testing a web service

1] Use SoapUI to parse the web service's WSDL file and generate all the SOAP requests the service supports, inside SoapUI itself. The requests can then be redirected to BurpSuite or another proxy and modified as in a typical web pentest.

2] Another option is to use the Wsdler extension for BurpSuite (https://github.com/NetSPI/Wsdler) to import the WSDL and generate the SOAP requests inside Burp, without using SoapUI at all.

So let's check how this second method works. 

How the Wsdler Burp plugin works:-

The extension takes a WSDL captured in Burp, parses out the operations associated with the targeted web service, and creates SOAP requests for each of them, which can then be sent to the web service.

The Wsdler plugin along with all the source is located at the Github repository here: https://github.com/NetSPI/Wsdler.
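The WSDL-to-SOAP step that Wsdler automates, written out as an added example (this is not the plugin's code): a cut-down, constructed WSDL in the style of the globalweather service is parsed into its operations and input parameters, and a SOAP 1.1 envelope is built for one operation with XML-escaped test values.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/", "s": "http://www.w3.org/2001/XMLSchema"}

# Constructed, cut-down WSDL in the style of the globalweather service (not the real file):
# one portType, one operation, an embedded schema describing the input element.
SAMPLE_WSDL = """<?xml version="1.0"?>
<wsdl:definitions targetNamespace="http://www.webserviceX.NET"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:s="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://www.webserviceX.NET">
  <wsdl:types><s:schema targetNamespace="http://www.webserviceX.NET">
    <s:element name="GetWeather"><s:complexType><s:sequence>
      <s:element name="CityName" type="s:string"/>
      <s:element name="CountryName" type="s:string"/>
    </s:sequence></s:complexType></s:element>
  </s:schema></wsdl:types>
  <wsdl:message name="GetWeatherSoapIn"><wsdl:part name="parameters" element="tns:GetWeather"/></wsdl:message>
  <wsdl:portType name="GlobalWeatherSoap">
    <wsdl:operation name="GetWeather"><wsdl:input message="tns:GetWeatherSoapIn"/></wsdl:operation>
  </wsdl:portType>
</wsdl:definitions>"""

def parse_operations(wsdl_text):
    """Map each portType operation to (target namespace, ordered input parameter names)."""
    root = ET.fromstring(wsdl_text)
    tns = root.get("targetNamespace")
    xsd_el = "{%s}element" % NS["s"]
    # schema element name -> names of its child elements (the SOAP parameters)
    params = {el.get("name"): [c.get("name") for c in el.iter(xsd_el) if c is not el]
              for el in root.findall("wsdl:types/s:schema/s:element", NS)}
    # message name -> schema element it carries ("tns:GetWeather" -> "GetWeather")
    messages = {m.get("name"): m.find("wsdl:part", NS).get("element").split(":")[-1]
                for m in root.findall("wsdl:message", NS)}
    ops = {}
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        msg = op.find("wsdl:input", NS).get("message").split(":")[-1]
        ops[op.get("name")] = (tns, params[messages[msg]])
    return ops

def build_soap_request(op_name, ops, values=None):
    """Build a SOAP 1.1 envelope for one operation; missing parameters get a '?' placeholder.
    Values are XML-escaped so a test payload cannot break the envelope structure itself."""
    tns, names = ops[op_name]
    values = values or {}
    body = "".join("<%s>%s</%s>" % (n, escape(str(values.get(n, "?"))), n) for n in names)
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
            '<%s xmlns="%s">%s</%s></soap:Body></soap:Envelope>' % (op_name, tns, body, op_name))
```

The returned envelope is the body you would paste into Repeater; Wsdler produces the same kind of request for every operation it finds in the WSDL.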

Requirements:-

1] BurpSuite
2] Wsdler Parser extension for Burp


Step-by-step process to install the Wsdler extension in Burp and how to use it:-


Step 1:- In Burp, navigate to the Extender tab and then to the BApp Store.




Step 2:- Install the Wsdler extension from the BApp Store, as shown in the screenshot below.



The screenshot below shows that the Wsdler extension has been installed successfully in BurpSuite.




Step 3:- Capturing the WSDL

For testing purposes we can use the WSDL below:-
http://www.webservicex.com/globalweather.asmx?wsdl



Step 4:- Once the request for the WSDL URL has been intercepted, right-click on it and select the Parse WSDL option.






Step 5:- The Wsdler tab will be populated with the generated SOAP requests.




Now you are good to go and can test the SOAP web service from within BurpSuite.




I hope this article adds value to your SOAP web service testing methodology.

Do not Celebrate Before You Win



If we go back in time, try to remember the India vs Bangladesh match (23rd March 2016).

India vs Bangladesh, ICC World 20-20 2016: India win by 1 run against Bangladesh. India pulled off a thrilling one run win over Bangladesh in a Super 10 match in Bangalore in World T20.

Well, it's not just a match; it reflects the spirit of #NeverGiveUp.

So what did we learn from that match?

Three things to learn from India vs Bangladesh, 23rd March 2016


1] Never give up till your last breath.


2] Don't celebrate before you WIN.




3] Remember, we do have a choice.


Putting this all together:- 

Success (y) 


Video:-
A perfect example of "Don't celebrate before you win" can be seen in this video, posted by Never Give Up Thoughts on Sunday, May 21, 2017.

Video credit:- NeverGiveUpThoughts


Moral Of the Story:-

This is not about a cricket match; it is about the day-to-day problems we face in our lives, how to tackle them, and what to learn from them. #NeverGiveUp

All You Need to Know About WannaCry / Wcry / WannaCrypt Ransomware Attack



On 12 May 2017 the WannaCry (also written WannaCrypt) ransomware made the news: this is the date it began affecting computers worldwide. The initial infection may have come either through a vulnerability in the network defences or through a very well-crafted spear-phishing attack.

The WannaCry incident is both new and scary. The ransomware uses a vulnerability first revealed to the public as part of a leaked stash of NSA-related documents to infect Windows PCs and encrypt their contents, before demanding payments of hundreds of dollars for the key to decrypt the files.
The attack managed to infect large numbers of computers across the health service less than six hours after security researchers first noticed it, partly due to its ability to spread within networks from PC to PC.

Here's what I know and what the masses out there need to understand about this, and indeed about ransomware in general. But first, some basics about ransomware.

What is ransomware?
Ransomware is a particularly nasty type of malware that blocks access to a computer or its data and demands money to release it.

How does it work?
When a computer is infected, the ransomware typically contacts a central server for the information it needs to activate, and then begins encrypting files on the infected computer with that information. Once all the files are encrypted, it posts a message asking for payment to decrypt the files – and threatens to destroy the information if it doesn’t get paid, often with a timer attached to ramp up the pressure.

How does it spread?
Most ransomware is spread hidden within Word documents, PDFs and other files normally sent via email, or through a secondary infection on computers already affected by viruses that offer a back door for further attacks.





Now let’s come back to WannaCry

What is WannaCry?
This malware is a scary type of trojan called “ransomware.” As the name suggests, it in effect holds the infected computer hostage and demands that the victim pay a ransom in order to regain access to the files on his or her computer.

What exactly does WannaCry do?
Ransomware like WannaCry works by encrypting most or even all of the files on a user’s computer. The software then demands that a ransom be paid in order to have the files decrypted. In the case of WannaCry specifically, the software demands a ransom of $300 in bitcoin at the time of infection. If the user doesn’t pay within three days, the amount doubles to $600. After seven days without payment, WannaCry will delete all of the encrypted files and all data will be lost.

How much are they asking for?
WannaCry is asking for $300 worth of the cryptocurrency Bitcoin to unlock the contents of the computers.

Will paying the ransom really unlock the files?
Sometimes paying the ransom will work, but sometimes it won’t. For the Cryptolocker ransomware that hit a few years ago, some users reported that they really did get their data back after paying the ransom, which was typically around £300. But there’s no guarantee paying will work, because cybercriminals aren’t exactly the most trustworthy group of people.

There is also a collection of viruses that go out of their way to look like ransomware such as Cryptolocker, but which won’t hand back the data if victims pay. Plus, there’s the ethical issue: paying the ransom funds more crime.

How was WannaCry created?
The creators of this piece of ransomware are still unknown, but WannaCry is their second attempt at cyber-extortion. An earlier version, named WeCry, was discovered back in February this year: it asked users for 0.1 bitcoin (currently worth $177, but with a fluctuating value) to unlock files and programs.

How can I protect myself from WannaCry?
WannaCry spreads by exploiting CVE-2017-0143 (patched in MS17-010), CVE-2017-0016 (patched in MS17-012) or a similar SMB vulnerability. We recommend applying the associated Microsoft patches, disabling SMB v1, and blocking all versions of SMB at the network boundary by blocking TCP port 445, together with the related protocols on UDP ports 137-138 and TCP port 139, on all boundary devices. Microsoft has also published customer guidance for WannaCrypt attacks.





Deep Dive into WannaCry :-
The ransomware WannaCry 2.0 uses the .WNCRY file extension and is reported to be a new version of the WannaCry (also known as WCry) family of ransomware. According to reports, it encrypts the files on the initial victim's machine and then leverages a remote command execution vulnerability in SMB to distribute itself to other Windows machines on the same network. Encrypted files have the .WNCRY extension appended to them. In addition, a ransom note named @Please_Read_Me@.txt is dropped, and a lock screen titled “WanaCrypt0r 2.0” is displayed.

The ransom is $300 and you have 3 days to pay before it doubles to $600. If you don't pay within a week, the ransomware threatens to delete the files altogether. Note the social engineering aspect here too: a sense of urgency is created to prompt people into action, and a sense of hope is granted by the ability to decrypt a sample selection of the files. (Note the "Wana Decrypt0r" title on the window above: the three terms WannaCry, Wcry and WannaCrypt all refer to the same piece of malware; they are merely different renderings of the same name.)
The malware spreads via SMB, the Server Message Block protocol that Windows machines typically use to access file shares over a network. An infected machine then propagates the infection to other at-risk boxes.

Execution Flow :-






More details about WannaCry ransomware

CVE Numbers:
  • CVE-2017-0143
  • CVE-2017-0144
  • CVE-2017-0145
  • CVE-2017-0146
  • CVE-2017-0147 
  • CVE-2017-0148

Platform: 
Windows

Affected Version: 
  • Microsoft Windows Vista SP2
  • Windows Server 2008 R2 SP1 and SP2
  • Windows XP
  • Windows 7
  • Windows 8.1
  • Windows RT 8.1
  • Windows Server 2012 R2
  • Windows 10
  • Windows Server 2016

NOTE:-
  • As usual, Macs remain unaffected by this ransomware.

Is this the NSA's fault?
This is where it gets a bit political: the SMB vulnerability Microsoft patched was known by the NSA. We know this because the Shadow Brokers leak last month referred to it specifically as "ETERNALBLUE", an SMBv2 exploit.
And sure enough, the vulnerability was quickly exploited, which is not at all surprising given that it had now been publicly disclosed.

MITIGATION AND PREVENTION
Organizations looking to mitigate the risk of becoming compromised should follow these recommendations:
  • Ensure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied.
  • In accordance with known best practices, any organization that has SMB publicly accessible via the internet (ports 139, 445) should immediately block inbound traffic.

Additionally, organizations should strongly consider blocking connections to TOR nodes and TOR traffic on the network. Known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices. Enabling this blacklist will prevent outbound communications to TOR networks.

In addition to the mitigations listed above, Talos strongly encourages organizations to take the following industry-standard recommended best practices to prevent attacks and campaigns like this and similar ones.
  • Ensure your organization is running an actively supported operating system that receives security updates.
  • Have effective patch management that deploys security updates to endpoints and other critical parts of your infrastructure in a timely manner.
  • Run anti-malware software on your system and ensure you regularly receive malware signature updates.
  • Implement a disaster recovery plan that includes backing up and restoring data from devices that are kept offline. Adversaries frequently target backup mechanisms to limit the possibilities a user may be able to restore their files without paying the ransom.
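Both the protection advice earlier in this post (block TCP 445/139 and UDP 137-138 at the boundary) and the mitigation list above come down to the same check: is SMB reaching your hosts from outside? The detector below is an added example, not from the original post or from Talos; it runs over constructed flow records in an assumed "<time> <action> <proto> <src>:<port> -> <dst>:<port>" layout and treats RFC 1918 ranges as the internal address space, both of which you would replace with your own firewall's format and netblocks.

```python
import ipaddress
import re

# SMB ports named in the guidance above: TCP 445 and 139, UDP 137 and 138.
SMB_PORTS = {("TCP", 445), ("TCP", 139), ("UDP", 137), ("UDP", 138)}
# The organisation's own address space (assumed RFC 1918 here); anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records in an assumed "<time> <action> <proto> <src>:<port> -> <dst>:<port>"
# layout; not real traffic and not any vendor's actual log format.
SAMPLE_LOG = """\
2017-05-12T10:01:03Z ALLOW TCP 203.0.113.7:51234 -> 198.51.100.20:445
2017-05-12T10:01:04Z ALLOW TCP 10.0.0.5:49152 -> 10.0.0.9:445
2017-05-12T10:01:05Z DENY TCP 203.0.113.8:40000 -> 198.51.100.20:445
2017-05-12T10:01:06Z ALLOW TCP 203.0.113.9:40001 -> 198.51.100.20:443
2017-05-12T10:01:07Z ALLOW UDP 192.0.2.44:137 -> 198.51.100.21:137
this line is not a flow record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

def is_internal(addr):
    """True if the address falls inside one of the configured internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_smb_exposures(log_text):
    """Return (timestamp, proto, src, dst, dport) for every ALLOWed SMB flow that entered
    from outside the internal ranges, i.e. SMB that the boundary should have blocked."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed or unrelated lines rather than aborting the scan
        proto, dport = m["proto"], int(m["dport"])
        if m["action"] != "ALLOW" or (proto, dport) not in SMB_PORTS:
            continue
        if is_internal(m["src"]):
            continue  # internal-to-internal SMB is expected; this check targets the perimeter
        findings.append((m["ts"], proto, m["src"], m["dst"], dport))
    return findings
```

Any finding means the boundary rule from the mitigation list is missing or has a gap; a denied external SMB attempt, by contrast, is the firewall doing its job and is deliberately not reported.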


How to uninstall program using command prompt (cmd)



Hello Friends,

It has been a long time since I last posted here, and I thought of writing something useful for you guys. OK! Today we will learn how to uninstall software using the command prompt (cmd).

You must be thinking that you can easily do this from the Control Panel, but what if the Control Panel itself does not open? I came across such scenarios and thought of writing this blog post.

So let's start.

Step 1: Open your command prompt

To open cmd:
Click Start -> Run, type cmd and hit Enter.


Step 2: In Windows, to go to the C: drive we type cd.. as shown below.


Step 3: Now we have to go into the System32 directory, so the command is
cd <directory name>
In our case that means first cd Windows and then cd System32, as shown below.




Step 4: Once we are in the System32 directory, we run the commands below.

1) Type wmic
wmic is the tool we use for uninstalling the program; it opens the interactive wmic prompt.

2) product get name
This command lists all the software installed on your machine.



Step 5: The output in the figure above lists all the software installed on your machine.
Select the software you want to uninstall; in my case I want to uninstall Java version 8.

So my command will be
product where name="Software_name_which_you_want_to_uninstall" call uninstall

i.e.
product where name="Java SE Development Kit 8 (64-bit)" call uninstall

and hit Enter.



After hitting Enter it will ask you to confirm whether you want to uninstall or not:

Execute (\\PC_NAME\ROOT\CIMV2:Win32_Product.IdentifyingNumber="{64A3A4F4-B792-11D6-A78A-00B0D0180000}",Name="Java SE Development Kit 8 (64-bit)",Version="8.0.0")->Uninstall() (Y/N/?)?


Well, I want to uninstall, so I say Y; you can choose according to your requirement.


The figure below shows that Java version 8 has been uninstalled successfully.
Similarly you can uninstall any software that you are not able to uninstall via the Control Panel.
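The step where you pick the exact product name from the wmic listing is where mistakes happen: "product where name=..." matches the full Name, and several packages can share a prefix (a JDK and its runtime update, for instance). This added example, not code from the post, parses a constructed copy of the fixed-width table that "product get IdentifyingNumber,Name,Version" prints and builds the uninstall command only when exactly one product matches; the GUID on the first row is the one shown above, the rest of the rows are made up, and the backslash/double-quote escaping for the WQL string is an assumption.

```python
import re

# Constructed sample of the space-padded table that "product get IdentifyingNumber,Name,Version"
# prints at the wmic prompt; first-row GUID is the one from the post, the other rows are invented.
_ROWS = [("IdentifyingNumber", "Name", "Version"),
         ("{64A3A4F4-B792-11D6-A78A-00B0D0180000}", "Java SE Development Kit 8 (64-bit)", "8.0.0"),
         ("{11111111-2222-3333-4444-555555555555}", "Java 8 Update 131 (64-bit)", "8.0.1310.11")]
SAMPLE_OUTPUT = "\n".join("%-40s%-39s%s" % r for r in _ROWS) + "\n\n"

def parse_wmic_table(text):
    """Parse wmic's space-padded table into one dict per row. Column boundaries are taken
    from the header line, so product names that themselves contain spaces stay intact."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    header = lines[0]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(starts, starts[1:] + [None]))
    cols = [header[s:e].strip() for s, e in bounds]
    return [{c: line[s:e].strip() for c, (s, e) in zip(cols, bounds)} for line in lines[1:]]

def uninstall_command(rows, name):
    """Return the wmic-prompt command that uninstalls exactly one product by its full Name.
    Raises if the name matches zero or several rows, so a partial name such as "Java"
    cannot silently remove the wrong package."""
    matches = [r for r in rows if r["Name"] == name]
    if len(matches) != 1:
        raise ValueError("expected exactly one product named %r, found %d" % (name, len(matches)))
    # Escape backslash and double quote inside the WQL string literal (assumed convention).
    literal = name.replace("\\", "\\\\").replace('"', '\\"')
    return 'product where name="%s" call uninstall' % literal
```

The returned string is what you type at the wmic prompt, exactly as in Step 5; from a plain cmd window the same command works with "wmic " in front of it.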

I hope this helps you.

Cheers (y)