[INFO] Welcome BSidesWarsaw2017

From 13 to 15 October 2017 I will have the great pleasure of being at the BSidesWarsaw2017 conference in Warsaw, Poland.
If you want to attend BSW2017 and pick up a free pass, please let me know. I still have 2 free passes.
If you want to know more about BSides (Security BSides), please read here.
Video stream from BSidesWarsaw2016 day1 | day2 | day3
I heartily recommend a presentation from BSidesWarsaw2016: Cyfrowa twierdza - poradnik rebelianta by Jakub Mrugalski.
The agenda for the Warsaw edition of Bsides2017 is here.
#bsideswarsaw2017 #security #event #hacking #conference

[ART] Basic Linux privilege escalation, how to do it?

If you have access to a Linux server as a user without root privileges, a good idea is privilege escalation.
What does it mean? The answer is simple: you must collect as much information as possible about your victim, search for errors in configuration, backdoors and every opportunity to get full access to the server.
Very basic and short information on where and how to check information about Linux configuration --> Basic Linux privilege escalation
Of course, remember that this is not all; you must find more interesting information about your victim. How? It is a very hard question, but I can give you one tip: meddle.
Soon I will prepare my script for privilege escalation (to get 'interesting' information about the system).
#linux #escalation #privilege_escalation #hacking

[INFO] Anniversary 1 year!!

Today I celebrate an anniversary: one year ago I wrote my first post "Hello guys" on my homepage ;)
What has changed in my life?
First, I wrote many public/private scripts for sys/sec guys
Secondly, I created a few small/medium projects --> myprojects
Thirdly, really a lot of new knowledge in the area of security, like: DVWA; OWASP Bricks; OWASP Mutillidae; OWASP bWAPP; Peruggia; Hackthebox.eu; Offensive Security training PWK etc.
My plans for the future?
- finish my open projects (section: TODO)
- start my 'secret' project for security enthusiasts, details soon
- improving my website (tuning the website)
#1_year #anniversary

[ART] How to prepare for OSCP certification?

Briefly: practice, practice and again practice and more knowledge :)
Below I list what are, in my opinion, the two best pages, which have many tips on how to prepare for the exam and contain many links to other pages and advice on how to do it.
- http://www.abatchy.com
- http://niiconsulting.com
From my side I may suggest the materials below:
- Cybrary Intro to Ethical Hacking
- Cybrary Web Application Pen-Testing
- Cybrary Advanced Penetration Testing
- Kioptrix VMs
- Cybrary Python for Security Professionals
#hackthebox #OSCP #traning #prepare #certification

[INFO] My first article - "Building Strong Random Passwords: Length vs. Complexity"

Hello friends. I am very happy because my first public article has been published. The article is about the basics of creating secure passwords, with an example script to generate strong random passwords.
It is certainly not my last article on cybrary.it; currently I am working on the next articles.
My article: Building Strong Random Passwords: Length vs. Complexity.
The page https://cybrary.it is an online cyber security training site; it is a very good resource of security knowledge for everyone who wants to know more.
Why do I recommend Cybrary?
- cyber security micro courses
- cyber security skill certifications (pdf)
- cyber security certifications (pdf)
- badges
- 0P3N
- over 1 million members
- over 80 cyber security courses
#article #passwords #cybrary #free_learning #courses

[INFO] Added mission solutions for http://hackthebox.eu

Guys, today I added my solutions for missions from http://hackthebox.eu.
If you have doubts about tasks or you need suggestions on how to solve a task, here you have a file with answers.
Remember that only tasks solved on your own give you true learning. I hope that you understand, my bro.
Have a good time and 'hack them all' :)
#hackthebox #OSCP #hacking #solution

[SCRIPT] OATH (event/time token) on Linux

If you know what a YubiKey is, you surely know that the YubiKey has a good functionality: OATH-TOTP and OATH-HOTP.
If you don't have a YubiKey or another hardware key with OATH support, you may use the script to generate it.
Below I have prepared another easy and clean script; this time I have for you a script to generate:
- Event Token (OATH-TOTP)
- Time Token (OATH-HOTP)
- Secret key
The default setting for the event token is to create 10 tokens; for the time token, the token changes every 60 seconds.
The script is here --> oath_token.sh
If you need more information on how it works, or you are a geek, I suggest looking at:
- RFC 6238 - TOTP: Time-Based One-Time Password Algorithm
- RFC 4226 - HOTP: HMAC-Based One-Time Password Algorithm
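The two algorithms from these RFCs in compact form, added here as an example (it is not the author's oath_token.sh): HOTP derives the code from a counter, TOTP feeds the clock into the same function. It assumes openssl is installed and takes the secret as hex; the key below is the published RFC test secret, and the names hotp and totp are chosen for this example.

```sh
#!/bin/sh
# Added example, not the author's oath_token.sh: HOTP (RFC 4226) and
# TOTP (RFC 6238) with HMAC-SHA1. Assumes openssl is on PATH.

# Test secret from the RFCs: ASCII "12345678901234567890" as hex.
RFC_KEY_HEX=3132333435363738393031323334353637383930

# hotp KEY_HEX COUNTER [DIGITS] -> one-time code for that counter value
hotp() {
    key_hex=$1 counter=$2 digits=${3:-6}
    # The HMAC message is the counter as 8 big-endian bytes. Each byte is
    # written as an octal escape so any POSIX printf can emit it.
    mac=$(
        for byte in $(printf '%016x' "$counter" | sed 's/../& /g'); do
            printf "\\$(printf '%03o' "0x$byte")"
        done |
        openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key_hex" |
        sed 's/^.*= *//'
    )
    # Dynamic truncation: the low nibble of the last byte selects a
    # 4-byte window inside the 20-byte MAC.
    offset=$(( 0x$(printf '%s' "$mac" | cut -c40) ))
    first=$(( offset * 2 + 1 ))
    window=$(printf '%s' "$mac" | cut -c"$first"-"$(( first + 7 ))")
    modulus=1 i=0
    while [ "$i" -lt "$digits" ]; do
        modulus=$(( modulus * 10 )); i=$(( i + 1 ))
    done
    # Clear the sign bit, keep the last DIGITS decimal digits, zero-pad.
    printf "%0${digits}d\n" $(( (0x$window & 0x7fffffff) % modulus ))
}

# totp KEY_HEX [STEP_SECONDS] [UNIX_TIME] [DIGITS]
# TOTP is HOTP with counter = floor(time / step).
totp() {
    key_hex=$1 step=${2:-30} now=${3:-$(date +%s)} digits=${4:-6}
    hotp "$key_hex" $(( now / step )) "$digits"
}

# Current code for the test secret with a 60-second step.
totp "$RFC_KEY_HEX" 60
```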
#oauth #hoth #toth #event_token #time_token #token #security #hardware_token

[ART] PHP webshells - how to find them on my server

The easiest way is to search for keywords typical of PHP shells, for example:
system, curl_exec, passthru, base64_decode, shell_exec, exec, eval, create_function, edoced_46esab, proc_open, curl_multi_exec, parse_ini_file, show_source.
If you have access to the server you can use the find and grep commands on Linux, like:
find /var/www/ -name "*.php" -type f -exec grep -nHoE 'system|curl_exec|passthru|base64_decode|shell_exec|exec|eval|create_function|edoced_46esab|proc_open|curl_multi_exec|parse_ini_file|show_source' {} \; 2>/dev/null
UPDATE [2017/08/02; 04:47]:
I added my script; it checks if you have a phpshell on your webserver. phpshell_detect.sh
If you can't access the server, you can use software: Web Shell Detector, maldet, rkhunter.
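A refinement of the keyword search above, added here as an example (it is not the author's phpshell_detect.sh): a keyword only counts when it is used as a function call, case is ignored, and files are ranked by number of matching lines. The names scan_php and make_samples and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the author's phpshell_detect.sh.

# Keywords from the list above. A hit needs the name used as a call: no
# identifier character (or "->" / "::" method syntax) before it, "(" after.
FUNCS='system|curl_exec|passthru|base64_decode|shell_exec|exec|eval|create_function|proc_open|curl_multi_exec|parse_ini_file|show_source'
# The reversed string is matched anywhere in the file.
PATTERN="(^|[^A-Za-z0-9_>:])($FUNCS)[[:space:]]*\\(|edoced_46esab"

# scan_php DIR -> "hits<TAB>file" per suspicious file, most hits first
scan_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) \
        -exec grep -HciE "$PATTERN" {} + 2>/dev/null |
    awk '{
        hits = $0; sub(/^.*:/, "", hits)      # text after the last colon
        file = $0; sub(/:[0-9]+$/, "", file)  # everything before it
        if (hits + 0 > 0) print hits "\t" file
    }' | sort -rn
}

# make_samples DIR -> writes three constructed test files (inert fragments)
make_samples() {
    cat > "$1/dropper.php" <<'EOF'
<?php
EVAL(base64_decode($blob));
@system ($cmd);
EOF
    cat > "$1/obf.php" <<'EOF'
<?php
$f = strrev('edoced_46esab');
EOF
    cat > "$1/clean.php" <<'EOF'
<?php
// restart the system service, then exec the report
$pdo->exec($sql);
$ok = file_exists($path) && my_system($host);
echo "system status: ok";
EOF
}

dir=$(mktemp -d)
make_samples "$dir"
scan_php "$dir"      # lists dropper.php (2 hits) and obf.php (1 hit) only
rm -rf "$dir"
```

The plain keyword grep would also flag clean.php, because "system" and "exec" appear in its comment, string and method call.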
#hacking #hack #php #shell_php #shell #script #bash

[SCRIPT] Script to generate random passwords

Today I have for you my own easy and effective script to generate random passwords.
I use the script to generate passwords for personal and professional use, for example: login page / OS password / etc.
Below are example passwords:
HO?0GUvD~b7"6~S:'~
5\&ks2y|up>U%S3(11
C2bPG,ztk{2)tl9)q`
t4AVfsc{EnEx7hPnS)
=>`~BM.Q,#xh95Z_"K
4&n$)hPP/dl]1S/*Kg
)Nh2m`F)|hbnWw)61'
2B%c80By}|Tg ?to7O
&gTI`f%rn^-c>S]_Zm
dcJX:"c`ymXk >y~gA
Advantages:
- portable code, may work on Linux/Cygwin [tested on CentOS/Ubuntu/Cygwin]
- using: cat | /dev/urandom | tr | head
- clear code
- you can generate passwords of any length and any quantity
#script #password #random_password #linux

[ART] Two good lists of Sec talks/videos

If you are interested in security and want to be 'up-to-date', great: I have for you two good pages with links to talks and videos about security.
These pages are kept up to date, have archival videos and a lot of sources.
So let's start, guys ;)
PaulSec
Irongeek.com
#video #list #security #hacking #learning #links

[ART] Hashcat - Parsing Hashes: 0/1 (0.00%)...No hashes loaded - why?

Recently, while testing a website, I had a small problem with cracking passwords.
Details below:
userkali@kali-test-1:~/Desktop/directory$ hashcat -m 300 --force uuu.hash rockyou.txt
hashcat (pull/1273/head) starting...
OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E5-2695 v2 @ 2.40GHz, 10031/10031 MB allocatable, 2MCU
Hashfile 'uuu.hash' on line 1 ($P$BgrNqqCM54GCFYkbsk4MIZ/cXoj8nU1): Line-length exception
Parsing Hashes: 0/1 (0.00%)...No hashes loaded.
Started: Wed Jul 5 07:01:42 2017
Stopped: Wed Jul 5 07:01:42 2017s

Where was the problem?
I chose the wrong hash type ;)
My suggestion: first check and make sure that you use the correct hash type. If you are not sure, you can use a tool called hash-identifier or check manually on Hash types - Hashcat (hardcore geek way ;))).

If you need more knowledge about cryptographic hash functions, I recommend:
Comparison of cryptographic hash functions
Hash function security summary
Cipher security summary
List of hash functions
#hacking #kali #cracking #cathash

[ART] List of honeypots

Do you need a honeypot but don't know where to start searching? Or maybe you are just looking for a good list of honeypots to compare with others?
I have for you 2 pages with lists of honeypots (really great lists).
First link here and second link here
If you don't know what a honeypot is - read here
#hacking #honeypot #list_of #kippo #honeywall #kojoney

[INFO] My solution tasks for: DVWA, Bricks, Mutillidae, bWAPP, Peruggia and others

If you are interested in security and you want to develop your security skills, you surely know what these are: Damn Vulnerable Web Application, OWASP Bricks, OWASP Mutillidae and other pages from my list.
At the moment I have finished DVWA and OWASP Bricks, and currently I am working on: OWASP Mutillidae, OWASP bWAPP, as of 29.06.2017.
The current status is here, below Achievement.
#solution #dvwa #bricks #owasp #hacking #learning

[ART] A pack of security addons for Firefox

It is a short post for everyone who wants to install additional security addons for Firefox but has doubts. The list was created by Jeremy Druin, author of the OWASP Mutillidae 2 Project.
List of security addons for Firefox
#firefox #security #pack #addons #web_security

[ART] Upsss OWASP Mutillidae 2 doesn't work on CentOS?

First check your Apache error log (in my case /var/www/httpd/error.log); if you see an error like:
Call to undefined function mb_convert_encoding()
you should run yum install -y php-mbstring.x86_64, restart Apache and reload your webpage.
If you get an error like:
"The database server at localhost appears to be offline"
on the homepage, I suggest checking the configuration file MySQLHandler.php again; maybe the problem is with the login/password to the database, or you should change the database hostname. In my case I had to edit my config in /var/www/mutillidae/classes/MySQLHandler.php and replace the row: static public $mMySQLDatabaseHost = "127.0.0.1"; with static public $mMySQLDatabaseHost = "localhost";
#centos #problem #Mutillidae #solve

[ART] Hub with hacking/cracking/CTF

A short post about a place where you can try your hacking/cracking skills.
Advantages:
- frequently updated tasks (wonderfully ;))
- community
- variety of tasks, areas, goals (get flag / get root access / get a shell / vulnerable web / steganography / other)
- variety of difficulty
- interesting ideas (CTF/vulnerable web collections on VM)

https://www.vulnhub.com/
#hack_me #secure #hacking #education #ctf #vulnerable #wargames #hack

[INFO] Updated list of CTF/hack/wargames/vulnerable webpages

Guys, today I have for you an updated list of CTF/hack/wargames/vulnerable webpages, which means that you may have more fun and more areas to improve your hacking skills ;)
I added 21 new websites, among them "ExploitMe Mobile Android"; yes, yes, yes, this is an environment for hacking Android, surprise ;)
Full updated list
#hack_me #secure #hacking #education #ctf #vulnerable #wargames #hack

[ART] Bugbounty list - legal hacking

Do you want to test your technical skills/knowledge on live systems and get:
Thanks ; Gifts ; HoF ; Rewards from "victims*"?
If yes, below I put the main resources:
- Bugcrowd.com
- Vulnerability-lab
- Hackerone
- Firebounty
- Bugbounty
Have fun and good luck, my security buddy ;)
* - a company that shares a bug bounty program
#bugbounty #hack #hacking #ethicalhacker #list

[INFO] List tools from Kali

Today I have for you an updated list of security tools from Kali with descriptions
Tools from Kali

#kali #list_of_security #hack #hacking #linux_kali

[ART] DVWA (Damn Vulnerable Web Application) - problem with install on Centos

Today I have for you two tips to help you install DVWA on Linux (tested on CentOS).
First read the install guide
First tip:
I can't install DVWA on Linux because I see the error: Could not connect to the database - please check the config file
If your settings in the file config.inc.php are correct, check server_name again in the line: $_DVWA[ 'db_server' ] = '127.0.0.1'; and change db_server from 127.0.0.1 to localhost
Second tip:
I get an error that my uploads folder is not writable: Writable folder /var/www/dvwa/hackable/uploads/: No
I am sure that you set the correct permissions for the uploads folder and set access for the web user, but the problem is still there. I suggest renaming the folder from uploads to uploads_BAC and then renaming it back from uploads_BAC to uploads.
Set the correct access and permissions again; after these operations your DVWA should work ;)
BTW: The default security level is "impossible"; I suggest changing it to "low" or "medium".
#dvwa #centos #security #vulnerable #tools

[ART] Burp Suite error "burpsuite handshake alert: unrecognized_name"

If you have a problem opening a website when you use Burp and you get the error "burpsuite handshake alert: unrecognized_name", you should close Burp and open it again with the option: -Djsse.enableSNIExtension=false
java -Djsse.enableSNIExtension=false -jar burpsuite[YOUR_VERSION].jar
The problem comes from Java: since an update in Java 7, Server Name Indication (SNI) support is enabled by default.
If you want to know more, please read this
#burp #proxy #java #burp_suite

[ART] List of attacks - OWASP

This is a list of common attacks in one place: types of attacks, how to protect yourself and how to test. Below "Pages in category "Attack"" you will see links to descriptions of the attacks.
List of attacks
#attack #list #hacking #prevent #owasp #xss #hijacking #csrf

[ART] My favorite youtube channels list about security

Hi. This is the next post about a useful list that may be helpful for you. This is my subjective list of YouTube channels for everyone who likes and loves security.
My list includes two groups: channels for people who know Polish (marked PL) and people who know English (marked EN).
If you want to be 'up-to-date' in the future you can look here; this is the file where I will update my favorite channels. If you want to suggest a 'good' source, please let me know.
English Youtube channels:
Adrian Crenshaw [EN]
BLACKHAT [EN]
OWASP [EN]
DEFCON [EN]
Security BSides London [EN]
Virus Bulletin [EN]
GynvaelColdwind [EN]
Polish Youtube channels:
PROIDEA [PL]
Akademickie Stowarzyszenie Informatyczne [PL]
CERT Polska [PL]
GynvaelColdwind [PL]
Bsides Warsaw
#security #videos #hacking #pentest

[INFO] Basic Security Checklist Update

I updated the basic security checklist; I added some records which I consider important for security. I will update this checklist in the future.
security checklist update
#checklist #security #linux #hardering

[ART] Basic Security Checklist

I have prepared for you a prelude to securing your Linux as a concise checklist. security checklist
#checklist #security #linux #hardering

[INFO] New content on the page

From today I have the pleasure to inform you that I am starting with new content on the page. First I will put my content with the tags [ART], [INFO], [SCRIPT].
My next post will be about a basic security checklist, a short prelude to security. Have fun and play safe ;)
#info #update #tag

[ART] Security/OpenSource/News RSS

Hello amigo, today I have the great pleasure of giving you a list of the best RSS channels about security/opensource/news from the Internet. A plus point is that it is one place where you can read a short description, follow the link to the websites and read more. RSS channels.
#info #rss #security #open_source #news

[SCRIPT] Added a new script "Compare SSL keys"

The next useful script, compare_ssl_keys.sh, is used to check that your keys are consistent. Below is a short presentation of how it works.
[bolek@babol check_ssl]$ ./compare_ssl_keys.sh
*.crt: cert.crt
*.key: private.key
*.csr:

Results:
*.crt: 4d72cbd0e029b2147b1ac05adedea7a5
*.key: 4d72cbd0e029b2147b1ac05adedea7a5
*.csr: error
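One way to run the same kind of consistency check, added here as an example (it is not the author's compare_ssl_keys.sh): hash the public key extracted from each file, which works for RSA and EC keys alike. It assumes openssl is installed and the private key is unencrypted; the function names and the throwaway test key are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the author's compare_ssl_keys.sh. Assumes openssl on PATH.

# pubkey_fp KIND FILE -> SHA-256 of the DER-encoded public key, or "error".
# KIND is crt, key or csr.
pubkey_fp() {
    pem=
    if [ -f "$2" ]; then
        case $1 in
            crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
            key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
            csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        esac
    fi
    if [ -z "$pem" ]; then echo error; return 1; fi
    # Normalise to DER so PEM formatting differences cannot change the hash.
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | sed 's/^.*= *//'
}

# keys_match CRT KEY [CSR] -> prints one fingerprint line per file given;
# returns 0 only if every file parsed and all fingerprints are equal.
keys_match() {
    ref= status=0
    for pair in "crt:$1" "key:$2" "csr:$3"; do
        kind=${pair%%:*} file=${pair#*:}
        [ -n "$file" ] || continue
        fp=$(pubkey_fp "$kind" "$file") || status=1
        printf '*.%s: %s\n' "$kind" "$fp"
        [ -n "$ref" ] || ref=$fp
        [ "$fp" = "$ref" ] || status=1
    done
    return "$status"
}

# make_test_material DIR -> throwaway EC key, self-signed cert and CSR for
# it, plus a second unrelated key (all constructed, valid for one day).
make_test_material() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/private.key" 2>/dev/null
    openssl req -new -x509 -key "$1/private.key" -subj "/CN=example.test" \
        -days 1 -out "$1/cert.crt" 2>/dev/null
    openssl req -new -key "$1/private.key" -subj "/CN=example.test" \
        -out "$1/request.csr" 2>/dev/null
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/other.key" 2>/dev/null
}

dir=$(mktemp -d)
make_test_material "$dir"
keys_match "$dir/cert.crt" "$dir/private.key" "$dir/request.csr"  # same digest on all three lines
rm -rf "$dir"
```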
#script #ssl #compare #tool #testing #info

[INFO] Updated my script "Check propagation DNS"

Today I updated my check_propagation_dns.sh for checking the propagation of DNS records. I added new DNS servers. Below is a short presentation of how the script works.
[bolek@babol propagation]$ ./check_propagation_dns.sh chojnowski.it
SERVER DNS FROM:DNS_Google_California_USA
chojnowski.it
SERVER DNS FROM:California_USA
chojnowski.it
SERVER DNS FROM:California_USA
chojnowski.it
SERVER DNS FROM:Saint_Petersburg_RUS
chojnowski.it
#info #update #dns #script #tool

[INFO] Finally welcome on my website https://chojnowski.it

Hell yeah! Yes, it is true: from today my website https://chojnowski.it has an SSL certificate.
#info #update #https

[SCRIPT] Check propagation DNS records all over the world - script

Today I put on my website a simple and quick test, check_propagation_dns.sh, of where your DNS records are available.
Titbit: do you know that my domain chojnowski.it isn't available in: Mexico_City (Mexico), Tirana (Albania), Johannesburg (South Africa), New South Wales (Australia) - very interesting ;)
Remember: sometimes your domain may not be available in different countries, don't worry ;)
#script #dns #propagation #testing #tool

[ART] List of CTF/hack/wargames/vulnerable webpages (primarily practice)

Today I have for you a list of websites where you can test your security knowledge/technical skill. Most of the websites are "OFFLINE", I mean you have to use a virtual machine on your computer.
Legend:
ONLINE - you can start fun on the website (online challenge)
OFFLINE - you have to download software to your computer
WEB - type of vulnerability
VM - virtual machine
CODE - software is code and you have to install it on your virtual machine
LOGIN - website requires creating an account
NO LOGIN - website does not require creating an account

(ONLINE / LOGIN) https://www.hack.me/
(ONLINE / LOGIN) https://www.hackthis.co.uk
(ONLINE / LOGIN) http://Enigmagroup.org/
(ONLINE / LOGIN) https://lab.pentestit.ru/
(ONLINE / NO LOGIN) http://overthewire.org
(ONLINE / NO LOGIN) http://smashthestack.org
(ONLINE / NO LOGIN) http://ctf.infosecinstitute.com
(ONLINE / LOGIN) https://ctf365.com/
(ONLINE / LOGIN) https://www.root-me.org
(OFFLINE / VM) https://exploit-exercises.com/
(OFFLINE / VM) http://www.cis.syr.edu
(ONLINE / LOGIN) http://www.wechall.net
(OFFLINE / WEB / CODE) dvwa
(OFFLINE / WEB / VM) OWASP_Broken_Web_Applications_Project
(OFFLINE / WEB / CODE) OWASP_Mutillidae_2_Project
(OFFLINE / WEB / VM) hackxor
(OFFLINE / WEB / VM / CODE) vuln-web-app
(OFFLINE / WEB / VM) lampsecurity
(OFFLINE / WEB / VM) virtualhacking
(OFFLINE / WEB / VM) metasploitable
(OFFLINE / WEB / CODE) exploitcoilvuln
(OFFLINE / WEB / CODE) OWASP_WebGoat_Project
#hack_me #secure #hacking #education #ctf #vulnerable

[ART] Interesting links from OWASP Project

Below are the best projects and materials about website/application security from the OWASP Project.
- Testing Guide - OWASP Testing Project
- List of the 10 Most Critical Web Application Security Risks - OWASP Top Ten Project 2013. Version 2016 should be this year or early next year.
- Fundamentals of testing web application technical security controls and secure development - OWASP Application Security Verification Standard Project (OWASP ASVS)
- Cheat sheets provide a collection of information on specific web application security topics - OWASP Cheat Sheet Series
- Describes the most important controls and control categories in your projects (for all architects and developers) - OWASP Proactive Controls
- Utility that checks for publicly disclosed vulnerabilities in your software (Java, .NET) - OWASP Dependency Check
#owasp #projects #top_ten #guide #education #security #tips #tricks

[ART] Metasploit Unleashed - Free Ethical Hacking Course + video

If you wonder what the first step to learn ethical hacking is, you should consider the free course about the Metasploit tool, Metasploit Unleashed.
The official free ethical hacking course is available here
Minimum hardware requirements (on VM):
- HDD: 10 GB
- RAM: 512 MB
- CPU: 500 MHz
Further, you can take a look at the free video materials
Have fun! ;)
#metasploit #security #hacking #course #video #education #ethical_hacker #hacking

[INFO] FreeIPA, problem with your IP address server?

If you have a problem while installing FreeIPA on a virtual machine and get the error message below:
invalid ip address 192.168.122.33 for ipa.example.com: cannot use ip network address
you should change the mask from /32 to /24 (or some other network mask)
The problem is visible in the inet line when you enter the command:
[admin@ipa1 ~]$ ip addr | grep 192.168.122.255
inet 192.168.122.12/32 brd 192.168.122.255 scope global eth0
#linux #free_ipa #tips #trick

[ART] Hardening RedHat Enterprise 7 (Security Guide)

Security friends, below I would like to present the security guide for Red Hat Enterprise ver. 7=>; it is a very clear and easy way to learn how to harden Linux (Red Hat, CentOS, Fedora and other distros based on Red Hat). By the way, I recommend other materials from http://www.redhat.com/.
Security Guide here
All documents for Red Hat Enterprise Linux here
#linux #red_hat #hardering #secure #guide

[ART] List tools for pentester

It is a list of over 235 tools for pentesters/ethical hackers/security experts, with descriptions, from my distro: Kali Linux. The list can help you quickly find the proper tool for your needs.
Example below:
hping3 +++ Active Network Smashing Tool
p0f +++ Passive OS fingerprinting tool
sslstrip +++ SSL/TLS man-in-the-middle attack tool
Download here.
If you want to see all the basic tools from the official website, click here.
#kali #security #backtrack #pentester #hacking #ethical_hacking #security

[INFO] Hello guys

It is my first post on my page. The "Home" section will be used to post short and very, very short information, tips and links about security, open source and everything that is interesting. Sometimes I may post information about homepage updates or information about me.
If you want to know more about me, please click here
If you want to know about my projects, please click here
#hello #first_post