viernes, 22 de mayo de 2020

$$$ Bug Bounty $$$

What is Bug Bounty ?



A bug bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards individuals for discovering and reporting software bugs. Bug bounty programs are often initiated to supplement internal code audits and penetration tests as part of an organization's vulnerability management strategy.




Many software vendors and websites run bug bounty programs, paying out cash rewards to software security researchers and white hat hackers who report software vulnerabilities that have the potential to be exploited. Bug reports must document enough information for for the organization offering the bounty to be able to reproduce the vulnerability. Typically, payment amounts are commensurate with the size of the organization, the difficulty in hacking the system and how much impact on users a bug might have.


Mozilla paid out a $3,000 flat rate bounty for bugs that fit its criteria, while Facebook has given out as much as $20,000 for a single bug report. Google paid Chrome operating system bug reporters a combined $700,000 in 2012 and Microsoft paid UK researcher James Forshaw $100,000 for an attack vulnerability in Windows 8.1.  In 2016, Apple announced rewards that max out at $200,000 for a flaw in the iOS secure boot firmware components and up to $50,000 for execution of arbitrary code with kernel privileges or unauthorized iCloud access.


While the use of ethical hackers to find bugs can be very effective, such programs can also be controversial. To limit potential risk, some organizations are offering closed bug bounty programs that require an invitation. Apple, for example, has limited bug bounty participation to few dozen researchers.

Related news


jueves, 21 de mayo de 2020

Lockdoor-Framework: A PenTesting Framework With Cyber Security Resources


About Lockdoor-Framework
    Author: SofianeHamlaoui
   Tested on: Kali Linux, Ubuntu, Arch Linux, Fedora, OpenSuse and Windows (Cygwin)

   LockDoor is a Framework aimed at helping penetration testers, bug bounty hunters And cyber security engineers. This tool is designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for Penetration Testing. But containing the favorite and the most used tools by Pentesters. As pentesters, most of us has his personal ' /pentest/ ' directory so this Framework is helping you to build a perfect one. With all of that ! It automates the Pentesting process to help you do the job more quickly and easily.

Lockdoor-Framework installation:
   For now, Lockdoor-Framework supports Debian-based Linux distros (Kali Linux, ParrotSec, Ubuntu...), Arch Linux based distros (Manjaro, BlackArch, ArchStrike...), Fedora, OpenSuse, Cygwin on Windows.

   Open your Terminal and enter these commands:

You can watch detail here:

Lockdoor Tools contents 🛠️:
 * Information Gathering 🔎:
  • dirsearch: A Web path scanner
  • brut3k1t: security-oriented bruteforce framework
  • gobuster: DNS and VHost busting tool written in Go
  • Enyx: an SNMP IPv6 Enumeration Tool
  • Goohak: Launchs Google Hacking Queries Against A Target Domain
  • Nasnum: The NAS Enumerator
  • Sublist3r: Fast subdomains enumeration tool for penetration testers
  • wafw00f: identify and fingerprint Web Application Firewall
  • Photon: ncredibly fast crawler designed for OSINT.
  • Raccoon: offensive security tool for reconnaissance and vulnerability scanning
  • DnsRecon: DNS Enumeration Script
  • Nmap: The famous security Scanner, Port Scanner, & Network Exploration Tool
  • sherlock: Find usernames across social networks
  • snmpwn: An SNMPv3 User Enumerator and Attack tool
  • Striker: an offensive information and vulnerability scanner.
  • theHarvester: E-mails, subdomains and names Harvester
  • URLextractor: Information gathering & website reconnaissance
  • denumerator.py: Enumerates list of subdomains
  • other: other Information gathering,recon and Enumeration scripts I collected somewhere.
  • ReconDog: Reconnaissance Swiss Army Knife
  • RED_HAWK: All in one tool for Information Gathering, Vulnerability Scanning and Crawling
  • Dracnmap: Info Gathering Framework
 * Web Hacking 🌐:
  • Spaghetti: Spaghetti - Web Application Security Scanner
  • CMSmap: CMS scanner
  • BruteXSS: BruteXSS is a tool to find XSS vulnerabilities in web application
  • J-dorker: Website List grabber from Bing
  • droopescan: scanner, identify, CMSs, Drupal, Silverstripe.
  • Optiva: Web Application Scanner
  • V3n0M: Pentesting scanner in Python3.6 for SQLi/XSS/LFI/RFI and other Vulns
  • AtScan: Advanced dork Search & Mass Exploit Scanner
  • WPSeku: Wordpress Security Scanner
  • WPScan: A simple Wordpress scanner written in python
  • XSStrike: Most advanced XSS scanner.
  • SQLMap: automatic SQL injection and database takeover tool
  • WhatWeb: the Next generation web scanner
  • joomscan: Joomla Vulnerability Scanner Project
  • Dzjecter: Server checking Tool
 * Privilege Escalation ⚠️:
  • Linux 🐧:linux_checksec.sh
       linux_enum.sh
       linux_gather_files.sh
       linux_kernel_exploiter.pl
       linux_privesc.py
       linux_privesc.sh
       linux_security_test
       Linux_exploits folder
  • Windows Windows:   windows-privesc-check.py
       windows-privesc-check.exe
  • MySql:raptor_udf.c
       raptor_udf2.c
 * Reverse Engineering ⚡:
  • Radare2: unix-like reverse engineering framework
  • VirtusTotal: VirusTotal tools
  • Miasm: Reverse engineering framework
  • Mirror: reverses the bytes of a file
  • DnSpy: .NET debugger and assembly
  • AngrIo: A python framework for analyzing binaries (Suggested by @Hamz-a)
  • DLLRunner: a smart DLL execution script for malware analysis in sandbox systems.
  • Fuzzy Server: a Program That Uses Pre-Made Spike Scripts to Attack VulnServer.
  • yara: a tool aimed at helping malware researchers toidentify and classify malware samples
  • Spike: a protocol fuzzer creation kit + audits
  • other: other scripts collected somewhere
 * Exploitation ❗:
  • Findsploit: Find exploits in local and online databases instantly
  • Pompem: Exploit and Vulnerability Finder
  • rfix: Python tool that helps RFI exploitation.
  • InUrlBr: Advanced search in search engines
  • Burpsuite: Burp Suite for security testing & scanning.
  • linux-exploit-suggester2: Next-Generation Linux Kernel Exploit Suggester
  • other: other scripts I collected somewhere.
 * Shells 🐚:
  • WebShells: BlackArch's Webshells Collection
  • ShellSum: A defense tool - detect web shells in local directories
  • Weevely: Weaponized web shell
  • python-pty-shells: Python PTY backdoors
 * Password Attacks ✳️:
  • crunch : a wordlist generator
  • CeWL : a Custom Word List Generator
  • patator : a multi-purpose brute-forcer, with a modular design and a flexible usage
 * Encryption - Decryption 🛡️:
  • Codetective: a tool to determine the crypto/encoding algorithm used
  • findmyhash: Python script to crack hashes using online services
 * Social Engineering 🎭:
  • scythe: an accounts enumerator

Contributing:
  1. Fork Lockdoor-Framework:
    git clone https://github.com/SofianeHamlaoui/Lockdoor-Framework.git
  2. Create your feature branch
  3. Commit your changes
  4. Push to the branch
  5. Create a new Pull Request

Features 📙:
  • Pentesting Tools Selection 📙:
   Tools ?: Lockdoor doesn't contain all pentesting tools (Added value) , let's be honest ! Who ever used all the Tools you find on all those Penetration Testing distributions ? Lockdoor contains only the favorite (Added value) and the most used toolsby Pentesters (Added value).
   what Tools ?: the tools contains Lockdoor are a collection from the best tools (Added value) on Kali Linux, ParrotSec and BlackArch. Also some private tools (Added value) from some other hacking teams (Added value) like InurlBr, iran-cyber. Without forgeting some cool and amazing tools I found on Github made by some perfect human beigns (Added value).
   Easy customization: Easily add/remove tools. (Added value)
   Installation: You can install the tool automatically using the install.sh. Manually or on Docker [COMING SOON]
  • Resources and cheatsheets 📙 (Added value):
   Resources: That's what makes Lockdoor Added value, Lockdoor Doesn't contain only tools! Pentesing and Security Assessment Findings Reports templates (Added value), Pentesting walkthrough examples and tempales (Added value) and more.
   Cheatsheets: Everyone can forget something on processing or a tool use, or even some trciks. Here comes the Cheatsheets (Added value) role! there are cheatsheets about everything, every tool on the framework and any enumeration,exploitation and post-exploitation techniques.

Check the Wiki Pages to know more about the tool 📙:
Lockdoor-Framework's screenshots:
First Step
Lockdoor update
ROOT Menu
Information Gathering
Web Hacking
Exploitation
Reverse Engineering
Enc/Dec
Password Attacks
Shells
PrivEsc
Social Engineering
PSAFRT
Walkthroughs
About
Support the author:
   On Paypal: Sofiane Hamlaoui
   BTC Address: 

Read more


  1. Hacking Traduccion
  2. Que Significa Hat
  3. Curso Completo De Hacking Ético
  4. Blog Seguridad Informática
  5. Curso De Hacking Etico
  6. Hacking Linux Distro
  7. Hacking Health
  8. Como Empezar En El Hacking
  9. Como Convertirse En Hacker
  10. Quiero Ser Hacker
  11. Hacking Google Home Mini
  12. Hacking Course
  13. Hacking Prank
  14. Hacking Etico
  15. Hacking Roblox

How Cybersecurity Enables Government, Health, EduTech Cope With COVID-19

The advent of the Covid-19 pandemic and the impact on our society has resulted in many dramatic changes to how people are traveling, interacting with each other, and collaborating at work. There are several trends taking place as a consequence of the outbreak, which has only continued to heighten the need for the tightest possible cybersecurity. Tools for Collaboration There has been a

via The Hacker News
Related news

Android SSHControl V1.0 Relased!!!

Hoy sabado 15, he subido al Market de Android la versión 1.0 de SSHControl, con nuevas funcionalades y la esperada opción "Custom Commands".






Esta aplicación permite controlar tus servidores linux, bsd y unix con solo un dedo, mediante esta app Android.
Y soluciona las siguientes problemáticas:
- Manejar una shell desde el pequeño teclado de un móvil es engorroso.
- Leer todos los resultados de un comando en la pantalla del móvil, nos dejamos la vista.

Esta app permite interactuar con servidores remotos simplemente haciendo pulsaciones en la pantalla, mediante un explorador de ficheros, de conexiones, etc..

Las funcionalidades nuevas de esta versión 1.0 son:

- Administración del Firewall Iptables.
- Opción de Custom Commands, tal como había prometido.

Las funcionalidades ya presentes en la v0.8 son:

- escalada a root mediante su y sudo
- gestor de procesos
- explorador de ficheros, editor de ficheros, editor de permisos.
- monitorización y baneo de conexiones
- Visualizadores de logs
- administrador de drivers
- estadisticas de disco

Para la versión 2.0 preveo:

- Escuchar música remota
- Descarga de ficheros (wget)
- Transferencia segura de ficheros entre servidores (scp)
- Gestures, para administrar los sitemas en plan minority report :)

App disponible en el market para 861 tipos de dispositivos y pronto disponible en tablets.

https://market.android.com/details?id=net.ssh.SSHControl

Cualquier sugerencia de mejora: sha0 [4t] badchecksum [d0t] net

Related posts
  1. Que Es Growth Hacking
  2. Hacking Linux
  3. Hacking-Lab
  4. Libros De Hacking Pdf
  5. Drupal Hacking
  6. Hacking Software

miércoles, 20 de mayo de 2020

OWASP May Connector 2019

OWASP
Connector
May 2019

COMMUNICATIONS


Letter from the Vice Chairman:

Dear OWASP Community,

Since last month the foundation has been busy working towards enabling our project leaders and community members to utilize funds to work on nurturing and developing projects. So far there has been huge uptake on this initiative. It's great to see so many people passionate about collaborating at project summits. 
 
Our Global AppSec Tel-Aviv is nearly upon us, for members, there is an extra incentive for attending this conference, in the form of a significant discount. This and the sandy beaches and beautiful scenery, not to mention the great speakers and trainers we have lined up, is a great reason to attend. If you have not done so we would encourage you to attend this great conference - https://telaviv.appsecglobal.org.
 
One of the key things I've noticed in my Board of Director tenure is the passion our community emits, sometimes this passion aids in growing the foundation, but sometimes it also forces us to take a step back and look at how we do things within the foundation. With Mike, our ED and staff we have seen a lot of good change from an operations perspective, with more in the pipeline. Mike's appointment has allowed the Board of Directors to take a step back from operations and enable us to work on more strategic goals. To this end at a recent Board meeting we discussed each Board member taking up one of the following strategic goals, as set out at the start of the year:
 
1.Marketing the OWASP brand 
2.Membership benefits
3.Developer outreach

  • Improve benefits 
  • Decrease the possibility of OWASP losing relevance
  • Reaching out to management and Risk levels
  • Increase involvement in new tech/ ways of doing things – dev ops
 
4.Project focus 
  • Get Universities involved
  • Practicum sponsored ideas
  • Internships 

 
5.Improve finances
6.Improve OWAP/ Board of Directors Perception
7.Process improvement
8. Get consistent ED
9.Community empowerment
 
I would encourage the community to come forward if you have any ideas on the above and are happy to work with one of the 7 Board of Directors and community members on one of these initiatives. 
 
Thanks and best wishes, 
Owen Pendlebury
Vice Chair

OWASP FOUNDATION UPDATE FROM INTERIM EXECUTIVE DIRECTOR:

OWASP Foundation welcomes aboard Emily Berman as Events Director. Emily was most recently with the Scrum Alliance where she planned high-profile functions for upwards of 2,000 guests. Emily brings a fresh approach to events planning and her 12 years of experience planning and organizing large-scale events worldwide well in advance will greatly benefit our Global AppSecs.
Did you Register yet? 
Global AppSec DC September 9-13, 2019
submit to the Call for Papers and Call for Training
Check out Sponsorship Opportunities while they are still available.
Save the Date for Global AppSec Amsterdam Sept 23-27, 2019 
Sponsorship Opportunities are available

EVENTS 

You may also be interested in one of our other affiliated events:

REGIONAL AND LOCAL EVENTS

Event DateLocation
Latam Tour 2019 Starting April 4, 2019 Latin America
OWASP Portland Training Day September 25, 2019 Portland, OR
OWASP Italy Day Udine 2019 September 27,2019 Udine, Italy
OWASP Portland Day October 16,2019 Wroclaw, Poland
LASCON X October 24-25,2019 Austin, TX
OWASP AppSec Day 2019 Oct 30 - Nov 1, 2019 Melbourne, Australia

PARTNER AND PROMOTIONAL EVENTS
Event Date Location
Open Security Summit June 3-7,2019 Woburn Forest Center Parcs, Bedfordshire
Hack in Paris 2019 June 16-20, 2019 Paris
Cyber Security and Cloud Expo Europe June 19-20, 2019 Amsterdam
IoT Tech Expo Europe June 19-20, 2019 Amsterdam
BlackHat USA 2019 August 3-8,2019 Las Vegas, Nevada
DefCon 27 August 8-11,2019 Las Vegas, Nevada
it-sa-IT Security Expo and Congress October 8-10, 2019 Germany

PROJECTS

We have had the following projects added to the OWASP inventory.  Please congratulate these leaders and check out the work they have done:

Project Type Leader(s)
Risk Assessment Framework Documentation Ade Yoseman Putra, Rejah Rehim
QRLJacker Tool Mohammed Baset
Container Security Verification Standard Documentation Sven Vetsch
Find Security Bugs Code Philippe Arteau
Vulnerable Web Application Code Fatih Çelik
D4N155 Tool Julio Pedro de Lira Neto
Jupiter Tool Matt Stanchek
Top 10 Card Game Documentation Dennis Johnson
Samurai WTF Code Kevin Johnson
DevSecOps Maturity Model Documentation Timo Pagel

 


Also, we will have the following projects presenting at the Project Showcase Global AppSec Tel Aviv:

Final Schedule
Wednesday, May 29th Thursday, May 30th
Time Project Presenter(s) Confirmed Time Project Presenter(s) Confirmed
10:​4​5 a.m. Glue Tool Omer Levi Hevroni Yes 10:​30 ​ a.m. API Security Erez Yalon, Inon Shkedy Yes
  ​7    
               
11:5​5​ a.m. IoT & Embedded AppSec Aaron Guzman Yes 11:​50​ a.m. Mod Security Core Rule Set Tin Zaw Yes
        12:​25 ​p.m. Automated Threats Tin Zaw Yes
12:​30 ​p.m. Lunch Break   12:​55​ p.m. Lunch Break  
2:​35​ p.m. SAMM John DiLeo Yes        
​3:10​ p.m. Application Security Curriculum John DiLeo Yes ​3:10 p.m. ​Damned Vulnerable Serveless Application​ ​Tal Melamed​ ​Yes​
 

Finally, if you are able to help participate in the Project Reviews at the Conference, please send me an email at harold.blankenship@owasp.com.  We have a large line-up of projects to review this time around:

Project To Level Leader(s)
Snakes and Ladders Flagship Katy Anton, Colin Watson
Cheat Sheet Series Flagship Dominique Righetto, Jim Manico
Mobile Security Testing Guide Flagship Jeroen Willemsen, Sven Schleier
Amass Lab Jeff Foley
Attack Surface Detector Lab Ken Prole
SecureTea Lab Ade Yoseman Putra, Bambang Rahmadi K.P, Rejah Rehim.A.A
Serverless Goat Lab Ory Segal

Google Summer of Code Update:
We were allocated 13 students this year!  The current timeline is as follows:
Google Season of Docs:
We were accepted into the Google Season of Docs.  There will be a single technical writer resource.  The current timeline is as follows:

COMMUNITY

New OWASP Chapters
Riyadh, Saudi Arabia
Guayaquil, Equador
Lome, Togo
Natal, Brazil
Nashua, New Hampshire
Gwalior, India
Louisville, Kentucky
Nainital, India
Liverpool, United Kingdom
Syracuse, New York

MEMBERSHIP

 
We would like to welcome the following Premier and Contributor Corporate Members.

Premier Corporate Members

Contributor Corporate Members
Join us
Donate
Our mailing address is:
OWASP Foundation 
1200-C Agora Drive, # 232
Bel Air, MD 21014  
Contact Us
Unsubscribe






This email was sent to *|EMAIL|*
why did I get this?    unsubscribe from this list    update subscription preferences
*|LIST:ADDRESSLINE|*